The 'Invalid API Key' error from OpenAI in n8n means the credential stored in n8n does not match a valid key in your OpenAI account. Fix this by creating a new API key in the OpenAI dashboard, updating the credential in n8n, verifying the key has the correct permissions and billing, and testing with a simple workflow before deploying to production.
Why OpenAI Returns 'Invalid API Key' in n8n
The 'Incorrect API key provided' or 'Invalid API Key' error (HTTP 401) occurs when the API key stored in your n8n OpenAI credential is rejected by OpenAI's authentication system. This happens when the key has been revoked, expired, copied incorrectly (missing characters, extra whitespace), belongs to a deleted organization, or when the key's project or service account does not have access to the requested model. In n8n, this error surfaces in the OpenAI node, OpenAI Chat Model sub-node, or any HTTP Request node calling the OpenAI API.
Prerequisites
- An OpenAI account with API access at platform.openai.com
- A running n8n instance (self-hosted or n8n Cloud)
- An existing workflow that uses the OpenAI node or OpenAI Chat Model sub-node
- Billing set up on your OpenAI account (free trial credits or paid plan)
Step-by-step guide
Verify Your Current API Key in OpenAI Dashboard
Verify Your Current API Key in OpenAI Dashboard
Go to platform.openai.com and sign in. Navigate to API Keys in the left sidebar. Check if the key you are using in n8n is listed. If the key shows as revoked, deleted, or is not present at all, it has been invalidated and must be replaced. Note that OpenAI only shows the last 4 characters of each key, so compare those with the key stored in n8n. Also check the Project column — if the key belongs to a specific project, it may not have access to all models.
Expected result: You have identified whether the key exists and is active in your OpenAI account.
Create a New API Key with Correct Permissions
Create a New API Key with Correct Permissions
If your key is invalid, create a new one. In the OpenAI dashboard, click 'Create new secret key'. Choose a descriptive name like 'n8n-production'. Select the project scope — use 'Default project' unless you have specific project isolation needs. Set permissions to 'All' for full model access. Copy the key immediately — OpenAI will not show it again. Store it securely in a password manager before pasting it into n8n.
Expected result: A new API key is created and copied, ready to be added to n8n.
Update the Credential in n8n
Update the Credential in n8n
In n8n, go to the main menu and click Credentials. Find the OpenAI API credential your workflow uses (it will be named something like 'OpenAI account'). Click on it to edit. Replace the API Key field with your new key. Make sure there are no leading or trailing spaces — this is a common cause of 'invalid key' errors. Click Save. Do not create a new credential unless you want to update multiple workflows separately; updating the existing credential automatically applies to all workflows that reference it.
1// To verify the key works, create a simple test workflow:2// Trigger: Manual Trigger3// Node: OpenAI → Message a Model4// Model: gpt-4o-mini5// Prompt: "Say hello"6// Run the workflow — if it returns a response, the key is valid.Expected result: The OpenAI credential in n8n is updated with a valid API key.
Verify Billing and Usage Limits
Verify Billing and Usage Limits
Even with a valid key, API calls will fail with a 401 or 429 error if your account has no billing method, has exceeded its spending limit, or has run out of free trial credits. Go to platform.openai.com → Settings → Billing. Verify that a payment method is on file, that your current balance is positive, and that your monthly usage limit is set high enough. For free trial accounts, check if your $5 credit has been used up — once it is gone, you need to add a payment method.
Expected result: Your OpenAI account has active billing with available credit or budget remaining.
Handle API Key Rotation in Production
Handle API Key Rotation in Production
For production workflows, you should rotate API keys periodically for security. The safest approach: create a new key in OpenAI before revoking the old one. Update the n8n credential with the new key. Test the workflow. Only then revoke the old key in OpenAI. This ensures zero downtime. If you use environment variables for credentials in self-hosted n8n, update the environment variable and restart n8n. Never hardcode API keys in Code nodes or expressions — always use the credential system.
1// WRONG: Never put API keys in Code nodes2// const apiKey = 'sk-abc123...'; // DO NOT DO THIS34// RIGHT: Use n8n's credential system5// In the HTTP Request node, use Predefined Credential Type → OpenAI API6// Or reference via: {{ $credentials.openAiApi.apiKey }} in expressions7// (only works in HTTP Request node header configuration)Expected result: API keys are rotated without workflow downtime, and old keys are revoked after the new ones are verified.
Complete working example
1// Code node: Run Once for All Items2// Place at the START of your workflow to validate the OpenAI credential3// before making expensive LLM calls4//5// This node makes a lightweight API call to verify the key works6// It uses the models endpoint which is free and fast78// NOTE: This approach requires using an HTTP Request node9// before this Code node to call GET https://api.openai.com/v1/models10// with the OpenAI credential. Then this Code node processes the result.1112const response = $json;1314// Check if the models request succeeded15if (response.error) {16 const errorMessage = response.error.message || 'Unknown error';17 const errorType = response.error.type || 'unknown';18 const errorCode = response.error.code || 'unknown';1920 let diagnosis = 'Unknown issue with API key';21 let action = 'Check the OpenAI credential in n8n';2223 if (errorMessage.includes('Incorrect API key')) {24 diagnosis = 'The API key is invalid or has been revoked';25 action = 'Create a new key at platform.openai.com/api-keys and update the n8n credential';26 } else if (errorMessage.includes('exceeded') || errorCode === 'insufficient_quota') {27 diagnosis = 'The API key is valid but the account has no remaining quota';28 action = 'Add a payment method or increase spending limit at platform.openai.com/settings/billing';29 } else if (errorMessage.includes('deactivated')) {30 diagnosis = 'The OpenAI account has been deactivated';31 action = 'Contact OpenAI support to reactivate your account';32 }3334 return [{35 json: {36 key_valid: false,37 diagnosis: diagnosis,38 action: action,39 raw_error: errorMessage40 }41 }];42}4344// Key is valid — list available models for reference45const models = (response.data || [])46 .map(m => m.id)47 .filter(id => id.startsWith('gpt'))48 .sort();4950return [{51 json: {52 key_valid: true,53 available_gpt_models: models,54 total_models: (response.data || []).length55 }56}];Common mistakes when fixing the Invalid API Key Error from OpenAI in n8n
Why it's a problem: Copying the API key with extra whitespace at the beginning or end
How to avoid: When pasting the key into n8n's credential field, make sure there are no spaces before 'sk-' or after the last character. Double-click to select the entire key and re-copy if unsure.
Why it's a problem: Using a key from a different OpenAI organization that does not have billing set up
How to avoid: Check the organization in your OpenAI dashboard (top-left dropdown). Each organization has separate billing. Make sure the key belongs to the organization with active billing.
Why it's a problem: Creating a key with restricted permissions that does not include chat completions
How to avoid: When creating a new key, set permissions to 'All' unless you have specific security requirements. Restricted keys may block certain models or API endpoints.
Why it's a problem: Not updating all workflows when rotating keys by creating a new credential instead of updating the existing one
How to avoid: Update the existing credential in n8n rather than creating a new one. All workflows referencing that credential will automatically use the new key.
Best practices
- Never hardcode API keys in Code nodes, expressions, or workflow JSON — always use n8n's credential system
- Rotate API keys every 90 days and immediately revoke keys that may have been exposed
- Use project-scoped API keys in OpenAI to limit blast radius if a key is compromised
- Set up billing alerts in OpenAI to get notified before hitting spending limits
- Create separate API keys for development and production n8n instances
- Test new credentials with a simple workflow before deploying to production
- Store a backup of your API key in a secure password manager, not in plain text files
- Monitor the OpenAI usage dashboard for unexpected spikes that could indicate key leakage
Still stuck?
Copy one of these prompts to get a personalized, step-by-step explanation.
I'm getting an 'Incorrect API key provided' error from the OpenAI node in n8n. How do I verify my API key, create a new one if needed, and update the credential in n8n? Also explain how to handle key rotation in production without workflow downtime.
My n8n OpenAI node says 'Invalid API Key'. Help me update the OpenAI credential in n8n with a new key, verify billing is active, and add a validation step at the start of my workflow that checks if the key works before making expensive LLM calls.
Frequently asked questions
Why does my API key work in the OpenAI Playground but not in n8n?
The most common reasons are: (1) extra whitespace was added when pasting into n8n, (2) you are signed into a different OpenAI organization in the Playground than the one the key belongs to, or (3) the key has project-level restrictions that block the specific model or endpoint n8n uses.
Can I use the same API key across multiple n8n instances?
Yes, a single API key can be used across multiple n8n instances. However, for production environments, create separate keys per environment (dev, staging, production) so you can rotate or revoke them independently.
How do I check if my free trial credits are used up?
Go to platform.openai.com → Settings → Billing → Usage. If you see $0.00 remaining on your free tier and no payment method on file, you need to add billing. Free trial credits expire after 3 months regardless of whether they were used.
Does n8n encrypt API keys stored in credentials?
Yes, n8n encrypts all credential data at rest using an encryption key. For self-hosted instances, this key is stored in the N8N_ENCRYPTION_KEY environment variable. Never share this encryption key or the n8n database file, as it contains all your encrypted credentials.
What happens to running workflows if I update the API key in a credential?
Currently running workflow executions will continue using the old key that was loaded when they started. New executions after the credential update will use the new key. There is no need to restart n8n after updating a credential.
Can RapidDev help set up secure credential management for n8n?
Yes. RapidDev can help configure secure credential storage, set up key rotation workflows, implement credential validation checks, and audit your n8n instance for security best practices.
Talk to an Expert
Our team has built 600+ apps. Get personalized help with your project.
Book a free consultation