Secure n8n with basic authentication by setting N8N_BASIC_AUTH_ACTIVE=true along with N8N_BASIC_AUTH_USER and N8N_BASIC_AUTH_PASSWORD environment variables. Note that basic auth is deprecated in n8n v2 and replaced by built-in user management. For new installations, set up user accounts through the n8n UI instead.
Why Secure n8n with Authentication
By default, a self-hosted n8n instance is accessible to anyone who can reach its URL. Without authentication, anyone on your network or the internet can view, edit, and execute your workflows, including any credentials stored in them. Basic authentication adds a username and password prompt before anyone can access the n8n editor. While this was the standard approach in older n8n versions, n8n v2 introduced built-in user management with proper accounts, roles, and password hashing. This tutorial covers both the legacy basic auth method and the recommended modern approach.
Prerequisites
- A self-hosted n8n instance (npm or Docker)
- Access to the server terminal or Docker configuration
- Ability to set environment variables and restart n8n
- A strong password ready for your n8n account
Step-by-step guide
Enable basic auth with environment variables (legacy)
For n8n versions before v2, set three environment variables to enable basic authentication. N8N_BASIC_AUTH_ACTIVE enables the feature, and the other two set the credentials. After setting these variables, restart n8n. Every request to the n8n UI and API will require these credentials. This method uses HTTP Basic Authentication, which sends credentials in base64-encoded headers. Always use HTTPS in production to prevent credentials from being intercepted.
```bash
# Set basic auth environment variables
export N8N_BASIC_AUTH_ACTIVE=true
export N8N_BASIC_AUTH_USER=admin
export N8N_BASIC_AUTH_PASSWORD=your-strong-password-here

# Restart n8n
n8n start
```
Expected result: n8n starts and immediately prompts for a username and password when you open the editor in your browser.
Configure basic auth in Docker
When running n8n in Docker, pass the basic auth environment variables via docker run flags or a docker-compose.yml file. The compose approach is recommended because it keeps your configuration in a version-controlled file and makes it easy to update. Never put passwords directly in a Dockerfile or commit them to version control. Use a .env file alongside your docker-compose.yml instead.
```yaml
# docker-compose.yml with basic auth (legacy)
version: '3.8'
services:
  n8n:
    image: docker.n8n.io/n8nio/n8n
    restart: unless-stopped
    ports:
      - '5678:5678'
    environment:
      - N8N_BASIC_AUTH_ACTIVE=true
      - N8N_BASIC_AUTH_USER=${N8N_USER}
      - N8N_BASIC_AUTH_PASSWORD=${N8N_PASSWORD}
    volumes:
      - n8n_data:/home/node/.n8n

volumes:
  n8n_data:
```
Expected result: n8n starts in Docker with basic auth enabled. The browser prompts for credentials before showing the editor.
Migrate to user management in n8n v2+
Basic auth is deprecated in n8n v2 and later. Instead, n8n now includes built-in user management with proper account creation, password hashing, and role-based access. When you first start n8n v2 without any users configured, it presents a setup screen where you create an owner account. Remove the basic auth environment variables and let n8n handle authentication natively. This is more secure because passwords are stored as bcrypt hashes instead of being kept in plaintext environment variables and sent base64-encoded in an HTTP header on every request.
```bash
# Remove deprecated basic auth variables
# Delete or comment out these lines:
# N8N_BASIC_AUTH_ACTIVE=true
# N8N_BASIC_AUTH_USER=admin
# N8N_BASIC_AUTH_PASSWORD=password

# n8n v2+ uses built-in user management
# Just start n8n — it will prompt you to create an owner account
n8n start

# To disable user management (NOT recommended):
# export N8N_USER_MANAGEMENT_DISABLED=true
```
Expected result: n8n starts and shows a setup screen to create the first owner account with email and password. After setup, the login screen appears on every visit.
Add a reverse proxy for additional security
Regardless of which authentication method you use, place n8n behind a reverse proxy like Nginx or Caddy for production deployments. A reverse proxy adds TLS encryption (HTTPS), rate limiting, and IP-based access controls. This prevents credentials from being transmitted in plaintext and adds defense-in-depth. The reverse proxy handles SSL termination while n8n runs on HTTP internally.
```nginx
# Nginx configuration for n8n with SSL
server {
    listen 443 ssl;
    server_name n8n.example.com;

    ssl_certificate /etc/letsencrypt/live/n8n.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/n8n.example.com/privkey.pem;

    location / {
        proxy_pass http://localhost:5678;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
```
Expected result: n8n is accessible only through HTTPS at your domain. All traffic is encrypted, and the reverse proxy forwards requests to n8n on localhost.
Complete working example
```yaml
# docker-compose.yml — n8n with modern user management and Caddy reverse proxy
version: '3.8'

services:
  caddy:
    image: caddy:2
    restart: unless-stopped
    ports:
      - '80:80'
      - '443:443'
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile
      - caddy_data:/data
      - caddy_config:/config

  n8n:
    image: docker.n8n.io/n8nio/n8n
    restart: unless-stopped
    expose:
      - '5678'
    environment:
      # User management is enabled by default in v2+
      # No basic auth variables needed
      - N8N_HOST=n8n.example.com
      - N8N_PORT=5678
      - N8N_PROTOCOL=https
      - WEBHOOK_URL=https://n8n.example.com/
      - N8N_SECURE_COOKIE=true
      - GENERIC_TIMEZONE=America/New_York
    volumes:
      - n8n_data:/home/node/.n8n

volumes:
  n8n_data:
  caddy_data:
  caddy_config:

# Caddyfile (save as ./Caddyfile):
# n8n.example.com {
#   reverse_proxy n8n:5678
# }
```
Common mistakes when securing n8n with Basic Authentication
Why it's a problem: Using basic auth over HTTP without a reverse proxy
How to avoid: Basic auth sends credentials in base64 (not encrypted). Always use HTTPS via a reverse proxy or set N8N_PROTOCOL=https with SSL certificates.
Why it's a problem: Setting basic auth variables on n8n v2+ and wondering why they are ignored
How to avoid: Basic auth is deprecated in n8n v2. Remove the variables and use the built-in user management system instead.
Why it's a problem: Committing passwords to version control in docker-compose.yml
How to avoid: Use environment variable references like ${N8N_PASSWORD} and store actual values in a .env file that is listed in .gitignore.
Why it's a problem: Running n8n on a public IP without any authentication
How to avoid: Always enable either basic auth (legacy) or user management (v2+) before exposing n8n to the internet. Use firewall rules to restrict access.
Best practices
- Use n8n v2+ built-in user management instead of deprecated basic auth
- Always use HTTPS in production to encrypt authentication credentials in transit
- Store passwords in a .env file, never hardcode them in docker-compose.yml or scripts
- Place n8n behind a reverse proxy like Nginx or Caddy for TLS termination and rate limiting
- Use strong passwords with at least 16 characters, mixing letters, numbers, and symbols
- Restrict network access to the n8n port using firewall rules so only the reverse proxy can reach it
- Enable N8N_SECURE_COOKIE=true when running behind HTTPS so the session cookie is only sent over encrypted connections, which helps prevent cookie hijacking
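The common mistakes and best practices above can be checked mechanically before a deployment goes live. The script below is an added example, not part of the original page or of n8n: `audit_n8n_compose` and its finding codes are hypothetical names, and the sample compose file is constructed for illustration.

```bash
# Added example (not n8n tooling): audit_n8n_compose and its finding codes are
# hypothetical names. It greps a compose file for the mistakes this page lists.

audit_n8n_compose() (   # subshell body keeps the variables local
  file="$1"
  dir="$(dirname "$file")"
  # Drop commented-out lines so "# N8N_BASIC_AUTH_ACTIVE=true" is not flagged.
  active="$(grep -vE '^[[:space:]]*#' "$file" || true)"
  has() { printf '%s\n' "$active" | grep -qE "$1"; }

  # Legacy basic auth variables still set (deprecated per this page).
  if has 'N8N_BASIC_AUTH_(ACTIVE|USER|PASSWORD)='; then echo BASIC_AUTH_LEGACY; fi

  # Password written literally instead of as a ${VAR} reference.
  if printf '%s\n' "$active" | grep -E 'N8N_BASIC_AUTH_PASSWORD=' \
      | grep -qvE '=\$\{[A-Za-z_][A-Za-z0-9_]*\}'; then
    echo HARDCODED_PASSWORD
  fi

  # n8n port published on every host interface, bypassing the reverse proxy.
  if has "^[[:space:]]*-[[:space:]]*['\"]?(0\.0\.0\.0:)?[0-9]+:5678['\"]?[[:space:]]*$"; then
    echo PORT_PUBLISHED
  fi

  # Secure cookie flag explicitly turned off.
  if has 'N8N_SECURE_COOKIE=false'; then echo INSECURE_COOKIE; fi

  # ${VAR} references imply a .env file, which must be listed in .gitignore.
  if has '\$\{' && ! grep -qxF '.env' "$dir/.gitignore" 2>/dev/null; then
    echo ENV_NOT_GITIGNORED
  fi
)

# Constructed sample: legacy compose with a literal password and a published port.
sample_dir="$(mktemp -d)"
cat > "$sample_dir/docker-compose.yml" <<'EOF'
services:
  n8n:
    image: docker.n8n.io/n8nio/n8n
    ports:
      - '5678:5678'
    environment:
      - N8N_BASIC_AUTH_ACTIVE=true
      - N8N_BASIC_AUTH_USER=admin
      - N8N_BASIC_AUTH_PASSWORD=constructed-sample-password
EOF
audit_n8n_compose "$sample_dir/docker-compose.yml"
```

A port bound to loopback (for example `127.0.0.1:5678:5678`, as the Nginx setup with `proxy_pass http://localhost:5678` needs) is not flagged, and neither is an `expose`-only service like the one in the complete example.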
Frequently asked questions
Is basic auth still supported in n8n v2?
Basic auth environment variables are deprecated in n8n v2 and may be ignored. n8n v2 uses built-in user management with proper login accounts. Remove the basic auth variables and create a user account through the n8n setup screen.
Can I have multiple user accounts in n8n?
Yes. n8n v2+ supports multiple user accounts with owner and member roles. The owner can invite new users via email from Settings > Users in the n8n editor.
Does basic auth protect webhook endpoints?
No. Basic auth only protects the n8n editor UI and REST API. Webhook endpoints are accessible without authentication unless you add header-based validation in the Webhook node settings.
How do I reset a forgotten password in n8n v2?
Use the password reset flow in the login screen if email is configured. For self-hosted without email, you can reset credentials by accessing the n8n database directly or using the n8n CLI command: n8n user-management:reset.
Is n8n Cloud already secured?
Yes. n8n Cloud includes built-in user management, HTTPS, and access controls by default. You do not need to configure basic auth or a reverse proxy on n8n Cloud.
Can RapidDev help me secure my n8n deployment?
Yes. RapidDev can set up a production-hardened n8n deployment with HTTPS, user management, firewall rules, and monitoring. Contact RapidDev for a free security consultation.