Authentication Methods
Secure your N8.Chat webhooks with proper authentication to prevent unauthorized access and protect your AI workflows.
Important Security Notice
Without proper authentication, anyone with your webhook URL can send requests to your n8n workflow, potentially causing unwanted API costs and exposing sensitive data. Always secure your webhooks in production.
Method 1: API Key Authentication
The most common method is to use a custom API key sent in the request headers. This is simple to implement and works with both n8n cloud and self-hosted instances.
1. Generate an API Key
Create a strong, random API key. You can use a password generator or run this command:
```bash
openssl rand -hex 32
```
This generates a 64-character hexadecimal string.
2. Configure N8.Chat to Send the API Key
In your N8.Chat settings, add a custom header with your API key:
Header Name: X-API-Key
Header Value: your_secret_api_key_here
3. Validate in n8n Workflow
Add an IF node after your webhook to validate the API key:
IF Node Configuration:
```
Value 1:   {{ $json.headers['x-api-key'] }}
Operation: Equal
Value 2:   your_secret_api_key_here
```
Connect the true branch to your AI nodes, and the false branch to a Respond to Webhook node that returns an error:
```json
{
  "error": "Unauthorized",
  "message": "Invalid API key"
}
```
Method 2: HMAC Webhook Signatures
For enhanced security, use HMAC signatures to verify that requests are coming from your N8.Chat instance and haven't been tampered with.
How It Works
1. N8.Chat creates a signature by hashing the request body with a shared secret
2. The signature is sent in the X-Webhook-Signature header
3. Your n8n workflow verifies the signature matches the expected value
Implementation Example
Add a Function node in n8n to verify the signature:
```javascript
// n8n Function node: verify the HMAC-SHA256 signature N8.Chat attached to the request
const crypto = require('crypto');
// Prefer loading this from an environment variable (see Security Best Practices below)
const secret = 'your_webhook_secret';
const signature = $json.headers['x-webhook-signature'] || '';
// This must reproduce exactly the bytes N8.Chat signed; verify the raw body if your
// webhook node exposes it, because re-serialising can change whitespace or key order
const body = JSON.stringify($json.body);
const expectedSignature = crypto
  .createHmac('sha256', secret)
  .update(body)
  .digest('hex');
// Constant-time comparison so the check does not leak how much of the signature matched
const provided = Buffer.from(signature);
const expected = Buffer.from(expectedSignature);
if (provided.length === expected.length && crypto.timingSafeEqual(provided, expected)) {
  return { valid: true };
}
throw new Error('Invalid signature');
```
Method 3: User Session Authentication
If you need to identify individual users, N8.Chat can send user session data with each request.
User Data Sent with Requests
```json
{
  "message": "What's my order status?",
  "user": {
    "id": "user_12345",
    "email": "customer@example.com",
    "name": "John Doe",
    "sessionId": "sess_abc123"
  },
  "context": {
    "page_url": "https://example.com/checkout",
    "page_title": "Checkout"
  }
}
```
Use this data in your n8n workflow to personalize responses, look up order information, or track conversation history.
Security Best Practices
Use HTTPS Only
Never send API keys or sensitive data over unencrypted HTTP connections
Rotate Keys Regularly
Change your API keys every 90 days or immediately if compromised
Environment Variables
Store secrets in n8n environment variables, not in workflow nodes
Rate Limiting
Implement rate limiting to prevent abuse and control costs
Common Authentication Headers
Reference table for common authentication header patterns:
| Header Name | Purpose | Example Value |
|---|---|---|
| X-API-Key | Simple API key authentication | a1b2c3d4e5f6... |
| Authorization | Bearer token authentication | Bearer token_here |
| X-Webhook-Signature | HMAC signature verification | sha256=abc123... |
| X-Session-ID | User session identification | sess_xyz789 |
Testing Your Authentication
Use curl to test your webhook authentication from the command line:
Valid Request (should succeed):
```bash
curl -X POST https://your-n8n-instance.com/webhook/chat \
  -H "Content-Type: application/json" \
  -H "X-API-Key: your_secret_api_key" \
  -d '{"message": "Hello, this is a test"}'
```
Invalid Request (should fail):
```bash
curl -X POST https://your-n8n-instance.com/webhook/chat \
  -H "Content-Type: application/json" \
  -H "X-API-Key: wrong_key" \
  -d '{"message": "This should be rejected"}'
```