n8n + 1Password Integration: Secure Workflow Credentials
When you connect n8n to third-party APIs, databases, and services, you need to store credentials somewhere. Hardcoding API keys directly into workflows is a security nightmare—anyone with access to your n8n instance can see them in plain text. The n8n + 1Password integration solves this by letting you store all sensitive credentials in 1Password and pull them into workflows securely when needed.
With n8n's support for 1Password Connect Server as an external secrets provider, you can centralize credential management, enforce access policies, rotate keys without touching workflows, and maintain a complete audit trail of who accessed what and when.
Why Use 1Password with n8n?
1Password integration with n8n provides several critical security advantages for teams running production automations:
- No hardcoded secrets: API keys, database passwords, and OAuth tokens stay in 1Password vaults, not in workflow JSON files
- Centralized rotation: Update a credential in 1Password once and all workflows using it automatically get the new value without manual edits
- Role-based access: Control which team members can view or use specific credentials through 1Password's vault permissions
- Audit trail: 1Password logs every credential access, so you know exactly when and where secrets were used
- Compliance ready: Meet SOC 2, ISO 27001, and GDPR requirements by demonstrating secure credential management
Instead of storing your Stripe API key, SendGrid password, or database connection string in n8n's credential store, you reference them from 1Password. If a key is compromised or needs rotation, you update it in one place.
How to Set Up 1Password Connect Server
1Password Connect Server is a REST API that lets applications like n8n retrieve secrets from your 1Password vaults programmatically. Here's how to deploy it:
Step 1: Create a 1Password Connect Server in your 1Password account
Log into your 1Password Business or Teams account, navigate to Integrations, and create a new Connect Server. You'll receive a 1password-credentials.json file and a Connect Server token—store these securely.
Step 2: Deploy 1Password Connect Server
Run Connect Server using Docker on a server your n8n instance can reach:
docker run -d \
  --name 1password-connect \
  -p 8080:8080 \
  -v /path/to/1password-credentials.json:/home/opuser/.op/1password-credentials.json \
  -e OP_SESSION=<your-connect-token> \
  1password/connect-api:latest
Step 3: Verify the connection
Test that Connect Server is running by calling the health endpoint:
curl http://your-connect-server:8080/health
If you see a 200 response, you're ready to connect n8n.
Tip: Deploy Connect Server on the same private network as your n8n instance to avoid exposing it to the public internet. Use a reverse proxy with TLS if you need external access.
Configure n8n to Use External Secrets
Once Connect Server is running, configure n8n to pull credentials from 1Password instead of its local database.
For self-hosted n8n: Add these environment variables to your n8n configuration:
N8N_EXTERNAL_SECRETS_PROVIDER=1password
N8N_EXTERNAL_SECRETS_1PASSWORD_CONNECT_HOST=http://your-connect-server:8080
N8N_EXTERNAL_SECRETS_1PASSWORD_CONNECT_TOKEN=<your-connect-token>
N8N_EXTERNAL_SECRETS_1PASSWORD_VAULT_ID=<vault-id-for-secrets>
For managed n8n on n8nautomation.cloud: Contact support to enable external secrets and provide your Connect Server details. The platform handles environment variable configuration for you.
Restart n8n. Now when you create credentials in n8n, you'll see an option to reference them from 1Password instead of storing them locally.
Workflow 1: Automated API Key Rotation
Many SaaS platforms let you generate new API keys programmatically. This workflow rotates API keys on a schedule and updates 1Password automatically.
Nodes used:
- Schedule Trigger: Run monthly on the first day at 2 AM
- HTTP Request: Call the service's API to generate a new key (e.g., Stripe, SendGrid, Twilio)
- 1Password: Update the existing vault item with the new API key
- HTTP Request: Revoke the old API key
- Slack (or email): Notify the team that rotation completed
Set the Schedule Trigger to 0 2 1 * * (2 AM on the 1st of each month). The HTTP Request node calls your API provider's key generation endpoint with admin credentials stored in 1Password. When the new key is generated, the 1Password node uses the Update Item operation to replace the old value. Finally, revoke the old key and send a Slack message to confirm the rotation.
This workflow ensures keys rotate regularly without manual intervention, reducing the risk window if a key is leaked.
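The step order above matters when something fails partway through. The sketch below is an added example, not code from the original article or from n8n: it revokes the old key only after the vault provably holds the new one. The provider and vault objects, key ids and item name are constructed stand-ins.

```javascript
// Added example: Workflow 1's order (generate, store, revoke) with failure handling.
// `provider` and `vault` are synchronous in-memory stand-ins (assumptions) for the
// HTTP Request and 1Password nodes.
function rotateKey(provider, vault, itemName) {
  const steps = [];
  const oldKey = vault.get(itemName);   // key the workflows use right now
  const newKey = provider.createKey();  // step 1: generate
  steps.push('created');
  try {
    vault.update(itemName, newKey);     // step 2: store, then read back to confirm
    if (vault.get(itemName).id !== newKey.id) throw new Error('vault read-back mismatch');
    steps.push('stored');
  } catch (err) {
    // The new key never made it into the vault: revoke it and leave the old key live.
    provider.revokeKey(newKey.id);
    steps.push('rolled-back');
    return { ok: false, active: oldKey.id, steps, error: err.message };
  }
  try {
    provider.revokeKey(oldKey.id);      // step 3: revoke only after the store succeeded
    steps.push('revoked-old');
  } catch (err) {
    // New key is stored and live, old key is still valid: report it for a retry.
    return { ok: false, active: newKey.id, steps, error: `old key not revoked: ${err.message}` };
  }
  return { ok: true, active: newKey.id, steps };
}

// Stand-in for the SaaS key API; `live` is the set of key ids it still accepts.
function makeProvider() {
  const live = new Set(['key-1']);
  let n = 1;
  return {
    live,
    createKey() { n += 1; live.add(`key-${n}`); return { id: `key-${n}`, secret: `constructed-${n}` }; },
    revokeKey(id) { if (!live.delete(id)) throw new Error(`unknown key ${id}`); },
  };
}

// Stand-in vault holding one item; failUpdate simulates an unreachable Connect Server.
function makeVault(failUpdate = false) {
  const items = { 'stripe-api-key': { id: 'key-1', secret: 'constructed-1' } };
  return {
    get: (name) => items[name],
    update(name, value) { if (failUpdate) throw new Error('vault unavailable'); items[name] = value; },
  };
}

const demo = rotateKey(makeProvider(), makeVault(true), 'stripe-api-key');
console.log(demo.steps, 'active:', demo.active);
```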
Workflow 2: Database Credential Sync
When your database password changes in 1Password, this workflow automatically updates all downstream services that need it—like monitoring tools, backup scripts, and BI platforms.
Nodes used:
- 1Password Trigger: Fire when a specific vault item is updated
- 1Password: Retrieve the new database password
- HTTP Request: Update the password in Grafana
- HTTP Request: Update the password in your backup service (e.g., Backblaze, AWS)
- SSH: Update environment variables on application servers
- Slack: Notify DevOps that the sync completed
The 1Password Trigger listens for changes to the vault item labeled production-db-password. When it fires, the workflow retrieves the new password and pushes it to every service that connects to the database. This eliminates the need to manually update credentials in five different places every time you rotate a password.
Workflow 3: OAuth Token Refresh & Storage
OAuth tokens expire. This workflow refreshes access tokens before they expire and stores the new tokens in 1Password so other workflows can use them.
Nodes used:
- Schedule Trigger: Run every 6 hours
- 1Password: Retrieve the current refresh token
- HTTP Request: Call the OAuth provider's token refresh endpoint (Google, Microsoft, Salesforce, etc.)
- 1Password: Update the vault item with the new access token and refresh token
- Set: Store the token expiration timestamp for logging
Set the Schedule Trigger to run well before the token expires (most OAuth tokens last 1 hour, so refresh every 30 minutes). The HTTP Request node exchanges the refresh token for a new access token, and the 1Password node updates both tokens in the vault. Now every workflow that needs to authenticate with Google Drive, Salesforce, or Microsoft Graph can pull the latest token from 1Password instead of managing its own refresh logic.
Workflow 4: Secrets Access Audit Log
Track when credentials are accessed, by whom, and from which workflows for compliance and security monitoring.
Nodes used:
- 1Password Trigger: Fire on any vault item access
- Set: Extract timestamp, user, item name, and workflow ID
- Google Sheets (or PostgreSQL): Append the access event to an audit log
- Switch: Check if the access was from an unexpected workflow or user
- Slack: Alert security team if anomalous access detected
The 1Password Trigger monitors all vault activity. Each time a credential is retrieved, the workflow logs the event to Google Sheets with columns for timestamp, user email, credential name, and workflow ID. The Switch node flags access patterns that don't match expected behavior—like a credential being accessed at 3 AM on a weekend—and sends an alert to your security channel.
This gives you a complete audit trail for compliance reviews and helps detect compromised accounts early.
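The Switch node's decision described above can be expressed as a single function, for example in an n8n Code node. This is an added example, not part of the original article: the event field names, the per-credential allowlist, the business-hours window and the workflow ids are assumptions, and the sample events are constructed.

```javascript
// Added example: classify credential-access events the way the Switch node would.
// Field names (timestamp, user, item, workflowId) and the policy are assumptions.
const POLICY = {
  'production-db-password': { workflows: ['wf-db-sync'], users: ['svc-n8n@example.com'] },
  'stripe-api-key': { workflows: ['wf-billing'], users: ['svc-n8n@example.com'] },
  'sendgrid-api-key': { workflows: ['wf-rotate'], users: ['svc-n8n@example.com'], scheduled: true },
};
const BUSINESS_HOURS_UTC = { start: 6, end: 20 }; // assumed window, [start, end)

function classifyAccess(event, policy = POLICY) {
  const reasons = [];
  const rule = policy[event.item];
  if (!rule) {
    reasons.push('unknown-credential');
  } else {
    if (!rule.workflows.includes(event.workflowId)) reasons.push('unexpected-workflow');
    if (!rule.users.includes(event.user)) reasons.push('unexpected-user');
  }
  const when = new Date(event.timestamp);
  if (Number.isNaN(when.getTime())) {
    reasons.push('bad-timestamp'); // an unparseable time is itself worth a look
  } else if (!(rule && rule.scheduled)) {
    // Scheduled jobs (such as a 2 AM rotation run) are exempt from the time checks.
    const day = when.getUTCDay(); // 0 = Sunday, 6 = Saturday
    const hour = when.getUTCHours();
    if (day === 0 || day === 6) reasons.push('weekend');
    if (hour < BUSINESS_HOURS_UTC.start || hour >= BUSINESS_HOURS_UTC.end) reasons.push('off-hours');
  }
  return { ...event, anomalous: reasons.length > 0, reasons };
}

// Constructed sample events (not real log data).
const SAMPLE_EVENTS = [
  { timestamp: '2024-05-14T10:15:00Z', user: 'svc-n8n@example.com', item: 'stripe-api-key', workflowId: 'wf-billing' },
  { timestamp: '2024-05-18T03:02:00Z', user: 'svc-n8n@example.com', item: 'production-db-password', workflowId: 'wf-db-sync' },
  { timestamp: '2024-05-15T11:40:00Z', user: 'dev@example.com', item: 'production-db-password', workflowId: 'wf-scratch' },
  { timestamp: '2024-06-01T02:00:05Z', user: 'svc-n8n@example.com', item: 'sendgrid-api-key', workflowId: 'wf-rotate' },
];

// Events that should reach the Slack alert branch.
function alerts(events) {
  return events.map((e) => classifyAccess(e)).filter((e) => e.anomalous);
}

console.log(alerts(SAMPLE_EVENTS).map((e) => `${e.item} via ${e.workflowId}: ${e.reasons.join(',')}`));
```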
Workflow 5: New Team Member Credential Provisioning
When a new developer or team member joins, this workflow automatically provisions the credentials they need based on their role.
Nodes used:
- Webhook: Triggered by your HR system or onboarding tool (BambooHR, Workday, etc.)
- Switch: Route by role (engineer, data analyst, marketing, etc.)
- 1Password: Add the new user to specific vaults (staging DB for engineers, social media accounts for marketing)
- HTTP Request: Create accounts in third-party services (GitHub, AWS, Figma)
- Gmail (or Slack): Send the new team member their onboarding credentials and vault access instructions
When the Webhook receives a new hire event with role engineer, the Switch node routes them to the engineering vault containing staging database credentials, API keys for development tools, and test account logins. The 1Password node grants vault access, and the HTTP Request node provisions accounts in GitHub and AWS. Finally, the new team member receives an email with their 1Password invitation and a link to onboarding docs.
This workflow cuts onboarding time from hours to minutes and ensures no one accidentally gets access to production credentials on their first day.
Security Best Practices
When integrating 1Password with n8n, follow these best practices to maintain a secure secrets management workflow:
Use separate vaults for different environments: Keep production credentials in a different vault from staging and development. This prevents accidental use of production API keys in test workflows.
Rotate Connect Server tokens regularly: Treat your 1Password Connect token like a master password. Rotate it every 90 days and update the N8N_EXTERNAL_SECRETS_1PASSWORD_CONNECT_TOKEN environment variable.
Enable 1Password activity logs: Turn on detailed logging in your 1Password Business account so you have a record of every credential retrieval, update, and deletion.
Restrict vault access by team: Don't give everyone access to every vault. Use 1Password's role-based permissions to limit which team members can view production credentials.
Deploy Connect Server on a private network: Never expose your Connect Server directly to the internet. Use a VPN, private subnet, or firewall rules to restrict access to your n8n instance only.
Monitor for secrets in workflow logs: Even with 1Password, secrets can leak into execution logs if you accidentally log credential values. Review your workflows to ensure sensitive data isn't printed to stdout or stored in workflow history.
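One way to automate that review is to walk an execution's stored output and report where a secret appears, without echoing the value. This is an added example, not code from the original article or from n8n: the execution object shape, the secret names and the token patterns are assumptions, and the sample data is constructed.

```javascript
// Added example: find secret values that leaked into stored execution data.
// The execution shape and secret names are assumptions; all values are constructed.
const TOKEN_PATTERNS = [
  { name: 'stripe-secret-key', re: /\bsk_(live|test)_[A-Za-z0-9]{16,}\b/ },
  { name: 'bearer-header', re: /\bBearer\s+[A-Za-z0-9._~+\/-]{20,}/ },
];

// knownSecrets is { name: value }, fetched from the vault at scan time and never stored.
// Findings carry the JSON path and the secret's name only, never the value itself.
function findLeaks(node, knownSecrets, path = '$', out = []) {
  if (typeof node === 'string') {
    for (const [name, value] of Object.entries(knownSecrets)) {
      if (value && node.includes(value)) out.push({ path, secret: name, via: 'known-value' });
    }
    for (const { name, re } of TOKEN_PATTERNS) {
      if (re.test(node)) out.push({ path, secret: name, via: 'pattern' });
    }
  } else if (Array.isArray(node)) {
    node.forEach((v, i) => findLeaks(v, knownSecrets, `${path}[${i}]`, out));
  } else if (node && typeof node === 'object') {
    for (const [k, v] of Object.entries(node)) findLeaks(v, knownSecrets, `${path}.${k}`, out);
  }
  return out;
}

// Replace every known secret value with a marker before text is stored or logged.
function redact(text, knownSecrets) {
  return Object.entries(knownSecrets).reduce(
    (acc, [name, value]) => (value ? acc.split(value).join(`[REDACTED:${name}]`) : acc),
    text,
  );
}

// Constructed sample: one clean node, one that logs a connection string, one that logs a header.
const SECRETS = { 'production-db-password': 'c0nstructed-Db-Passw0rd!' };
const EXECUTION = {
  nodes: [
    { name: 'HTTP Request', output: { url: 'https://api.example.com/v1/charges', status: 200 } },
    { name: 'Debug', output: { message: 'connecting with postgres://app:c0nstructed-Db-Passw0rd!@db:5432/prod' } },
    { name: 'Set', output: { headers: ['Authorization: Bearer abcdefghijklmnopqrstuvwxyz012345'] } },
  ],
};

console.log(findLeaks(EXECUTION, SECRETS));
console.log(redact(EXECUTION.nodes[1].output.message, SECRETS));
```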
If you're running n8n on n8nautomation.cloud, the managed platform already includes network isolation, encrypted backups, and automatic updates, so you can focus on building workflows instead of hardening infrastructure.
The n8n + 1Password integration transforms how teams handle credentials in automation workflows. Instead of scattering API keys across dozens of workflow files, you centralize them in 1Password, enforce access policies, and maintain a complete audit trail. Whether you're rotating Stripe API keys monthly, syncing database passwords across services, or provisioning credentials for new team members, 1Password gives you the security controls that production workflows demand.