How to handle “401 unauthorized” from OpenAI after rotating keys in n8n?

The direct way to fix “401 unauthorized” from OpenAI in n8n after rotating keys is to update the OpenAI credential inside n8n, make sure all relevant workflows are using that exact credential, test it with the built‑in “Execute node” button, then stop and restart any long‑running executions or webhook-based workflows still holding the old credential in memory. n8n does not automatically reload credentials for already-running executions, so those continue failing until restarted.

 

Why 401 Happens After Key Rotation

 

When you rotate an OpenAI API key, the old key becomes invalid. n8n stores credentials separately from workflows, and running executions keep the older credential value in memory. This means:

• Workflows started before you updated the credential will continue using the old key → they throw 401.
• Any workflow using a duplicated or older version of the credential will also fail.
• Credential not updated everywhere (for example, a node using manual expression “={{$env…}}”) will still point to the old key.

 

How to Fix It Step by Step

 

This is the production-safe way to resolve 401 after rotating OpenAI keys:

• Update the credential in n8n. Go to Credentials → OpenAI → open the one your workflow uses → paste the new key → save.
• Verify which credential the workflow is actually using. n8n allows multiple credentials of the same type. In the node’s “Credentials” section, make sure the dropdown truly references the one you updated.
• Test with “Execute Node”. Open the OpenAI node inside the editor and click “Execute Node”. If it succeeds here, the credential is correct.
• Restart any ongoing executions. A common production issue: scheduled or webhook workflows that started before the credential update keep the old key in memory. Cancel or let them finish, and new ones will load the correct credential.
• Restart the n8n service if using queue mode or long-runners. In queue mode or multi-worker setups, workers keep their own credential cache. A restart forces all workers to load the new key.
• Check if any nodes use a raw header or a manual bearer token. If your workflow uses an HTTP Request node instead of the OpenAI node, update the header manually:

{
  "headers": {
    "Authorization": "Bearer NEW_OPENAI_KEY"
  }
}

• Confirm no wrong key is stored in n8n environment variables. If your credential uses {{$env.OPENAI\_KEY}}, update the environment variable and restart n8n so it reloads env vars.

 

Extra Production Notes

 

If you’re running n8n in Docker or n8n.cloud, remember:

• Docker: after changing environment variables, restart the container.
• n8n.cloud: updating an n8n credential is usually enough, but long executions may still need to finish or be stopped.
• Queue mode workers each hold their own memory copy of credentials; a service restart is the safe way to clear stale keys.

 

Once the credential is updated, the node is using the correct one, and the old execution contexts are cleared, 401 errors stop immediately. This is the normal and expected behavior of n8n’s credential loading model.