
How to secure n8n with OAuth?

Discover how to secure your n8n workflows with OAuth, protect access, and improve automation safety using simple, effective setup steps.

Matt Graham, CEO of Rapid Developers



The most practical and production-safe way to "secure n8n with OAuth" is to put n8n behind an identity-aware reverse proxy (OAuth2 Proxy, Cloudflare Access, or your provider's equivalent gateway) and require users to authenticate with your OAuth/OIDC provider before a single request reaches n8n's UI, REST API, or webhook endpoints. n8n's self-hosted Community Edition has no built-in "login with Google" or "login with GitHub"; single sign-on (SAML, and OIDC in newer releases) is an Enterprise-plan feature. For everyone else, the right place to enforce OAuth is the network/proxy layer in front of n8n.

 

What “Securing n8n with OAuth” Really Means

 

n8n's Community Edition has no built-in "login with Google" or "login with GitHub" (SSO is Enterprise-only). For a self-hosted instance, the way to require OAuth before anyone reaches the editor, REST API, or webhook endpoints is:

  • Place n8n behind a reverse proxy and never publish n8n's own port.
  • Configure that proxy to enforce OAuth login.
  • Forward only authenticated traffic to your n8n instance.

In production, the two most common tools are:

  • OAuth2 Proxy (open-source; works with Google, GitHub, Azure AD / Microsoft Entra ID, Okta, and any OIDC provider)
  • Cloudflare Access (identity-aware access control for apps behind Cloudflare, federating to your own identity provider)

This works because everything n8n serves over HTTP passes through one chokepoint, so a single policy covers:

  • the n8n editor UI
  • the editor's REST API (/rest/...) and the public API (/api/v1/...)
  • manual workflow triggers fired from the editor
  • webhook workflow triggers (/webhook/..., /webhook-test/...)

 

How to Secure n8n with OAuth Using OAuth2 Proxy

 

This example uses Google OAuth because it’s the most widely used, but the same idea works for GitHub, Azure, Okta, etc.

The flow is simple:

  • User visits your n8n URL
  • OAuth2 Proxy intercepts the request
  • User is redirected to Google for login
  • After successful login, Google returns the user to OAuth2 Proxy
  • Proxy validates the user, then forwards the request to n8n

 

Docker Compose Example

 

services:
  oauth2-proxy:
    image: quay.io/oauth2-proxy/oauth2-proxy:v7.5.1
    environment:
      OAUTH2_PROXY_PROVIDER: "google"
      OAUTH2_PROXY_CLIENT_ID: "${GOOGLE_CLIENT_ID}"
      OAUTH2_PROXY_CLIENT_SECRET: "${GOOGLE_CLIENT_SECRET}"
      # 16, 24 or 32 random bytes, base64; generate with:
      #   openssl rand -base64 32 | tr -- '+/' '-_'
      OAUTH2_PROXY_COOKIE_SECRET: "${COOKIE_SECRET}"
      # Restrict to your Google Workspace domain. "*" lets ANY Google account log in.
      OAUTH2_PROXY_EMAIL_DOMAINS: "your-domain.com"
      # Must match the authorised redirect URI registered in Google Cloud Console
      OAUTH2_PROXY_REDIRECT_URL: "https://your-domain.com/oauth2/callback"
      # The image defaults to 127.0.0.1:4180, which the port mapping cannot reach
      OAUTH2_PROXY_HTTP_ADDRESS: "0.0.0.0:4180"
      OAUTH2_PROXY_UPSTREAMS: "http://n8n:5678"
      # Default; the session cookie is only sent over HTTPS, so TLS must terminate in front
      OAUTH2_PROXY_COOKIE_SECURE: "true"
    ports:
      - "8080:4180"   # publish the proxy, never n8n
    depends_on:
      - n8n

  n8n:
    image: n8nio/n8n:latest
    environment:
      N8N_HOST: "your-domain.com"
      N8N_PORT: 5678
      N8N_PROTOCOL: "https"
      N8N_EDITOR_BASE_URL: "https://your-domain.com"
      # n8n's variable is WEBHOOK_URL (not N8N_WEBHOOK_URL); it makes generated
      # webhook URLs point at the public hostname instead of the container
      WEBHOOK_URL: "https://your-domain.com/"
    expose:
      - "5678"   # reachable from the oauth2-proxy container only, not from the host

 

In this setup:

  • Your users access n8n at https://your-domain.com. Something must terminate TLS in front of the proxy's port 8080 (a Caddy or nginx container, or your cloud load balancer), or you give OAuth2 Proxy its own certificate with OAUTH2_PROXY_TLS_CERT_FILE and OAUTH2_PROXY_TLS_KEY_FILE. The session cookie is marked Secure by default and browsers will not store it over plain HTTP.
  • Requests first hit OAuth2 Proxy, which sends unauthenticated users to Google and only forwards sessions whose email matches OAUTH2_PROXY_EMAIL_DOMAINS.
  • n8n itself listens only on the internal Compose network (expose, not ports), so port 5678 is unreachable from outside the host.
  • Quick check before go-live: from a machine outside the host, curl -I https://your-domain.com/rest/workflows must return OAuth2 Proxy's sign-in response (or a redirect to the provider), never an n8n response, and a connection to your-domain.com:5678 must be refused.

 

Securing Webhooks with OAuth

 

Webhooks are tricky: external services (like Stripe, GitHub, or Notion) cannot perform an interactive OAuth login.

To deal with this, you normally do one of these:

  • Allowlist only specific webhook paths in the proxy (bypass OAuth for them)
  • Restrict those paths to the sender's published IP ranges (Stripe, GitHub, etc.)
  • Place webhooks on a separate subdomain that bypasses OAuth but is still protected by unguessable URLs plus signature validation

This is normal practice: machine-to-machine webhooks authenticate with shared secrets and signatures, not with a human login. Not every provider signs its payloads, though; if yours doesn't, use the Webhook node's Header Auth option (a secret header the sender is configured to include) together with IP allowlisting.

 

How to Leave Webhooks Accessible but Protected

 

In OAuth2 Proxy, you can exempt n8n's production webhook paths from authentication with a route regex (comma-separate several):

OAUTH2_PROXY_SKIP_AUTH_ROUTES: "^/webhook/"

Keep the pattern anchored and keep the trailing slash. "^/webhook" without the slash would also expose /webhook-test/ (the editor's test URLs) and /webhook-waiting/ (Wait node resume URLs). Add those, or /form/ for Form Triggers, only if an external system genuinely needs them. OAuth2 Proxy also accepts a method prefix, "POST=^/webhook/", if your webhooks only ever receive POST.

Then you rely on:

  • the webhook path itself: n8n assigns each Webhook node a random UUID path by default, which stays a secret only as long as you don't replace it with something guessable or leak it in logs
  • the Webhook node's Authentication option (Basic Auth, Header Auth, or JWT Auth) where the sender can be configured to supply a credential
  • the platform's own signature verification (Stripe, GitHub, etc.), checked over the raw request body inside the workflow

This keeps the editor fully locked behind OAuth without breaking webhook workflows.
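Before deploying an exemption list it is worth checking which requests it actually lets through. The following added example (not from the article, n8n, or oauth2-proxy) models oauth2-proxy's skip-auth-route matching in JavaScript and runs three candidate values of OAUTH2_PROXY_SKIP_AUTH_ROUTES over an inventory of paths an n8n instance serves. It handles the two common route forms, a bare regex and METHOD=regex; oauth2-proxy's negated "!=" form is not modelled. The path inventory and the UUID-style webhook path are assumptions constructed for the demo, and JavaScript regex stands in for Go's RE2, which is equivalent for simple anchored patterns like these.

```javascript
// Added example: a small model of oauth2-proxy's --skip-auth-route matching,
// used to preview which n8n requests a given OAUTH2_PROXY_SKIP_AUTH_ROUTES
// value would exempt from OAuth. Not oauth2-proxy code; "!=" negation is omitted.

// OAUTH2_PROXY_SKIP_AUTH_ROUTES is a comma-separated list of "regex" or "METHOD=regex".
function parseSkipAuthRoutes(value) {
  return value
    .split(",")
    .map((s) => s.trim())
    .filter(Boolean)
    .map((entry) => {
      const m = entry.match(/^([A-Z]+)=(.+)$/);
      return m
        ? { method: m[1], regex: new RegExp(m[2]) }
        : { method: null, regex: new RegExp(entry) };
    });
}

// A request bypasses auth if any route matches its path (and its method, when one is given).
function isExempt(routes, method, path) {
  return routes.some((r) => (r.method === null || r.method === method) && r.regex.test(path));
}

// Constructed inventory of n8n surfaces: what the proxy must protect, plus webhook traffic.
const REQUESTS = [
  ["POST", "/webhook/3b2d9f1e-hook"],          // Webhook node, production URL
  ["GET",  "/webhook/3b2d9f1e-hook"],          // same node, GET variant
  ["POST", "/webhook-test/3b2d9f1e-hook"],     // editor "Test step" URL
  ["POST", "/webhook-waiting/12345"],          // Wait node resume URL
  ["GET",  "/rest/workflows"],                 // editor REST API
  ["GET",  "/api/v1/workflows"],               // public API
  ["GET",  "/"],                               // editor UI
];

// Returns "METHOD path" for every inventory request the config would exempt from OAuth.
function exemptRequests(skipAuthRoutes) {
  const routes = parseSkipAuthRoutes(skipAuthRoutes);
  return REQUESTS.filter(([m, p]) => isExempt(routes, m, p)).map(([m, p]) => `${m} ${p}`);
}

// Three candidate configurations, from leakiest to tightest
const CONFIGS = {
  tooBroad: "^/webhook",        // no trailing slash: also matches /webhook-test/ and /webhook-waiting/
  article:  "^/webhook/",       // the value shown in this article
  postOnly: "POST=^/webhook/",  // production webhooks only, and only POST
};

function report() {
  const out = {};
  for (const [name, cfg] of Object.entries(CONFIGS)) out[name] = exemptRequests(cfg);
  return out;
}

console.log(JSON.stringify(report(), null, 2));
```

Whatever your final value, the editor paths ("/", /rest/, /api/v1/) must never appear in the exempt list; if they do, the regex is wrong, not the inventory.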

 

Additional Production Recommendations

 

  • n8n 1.x removed the old N8N_BASIC_AUTH_* options, so there is no basic auth to disable. n8n's own user management (owner account, email/password, optional two-factor) stays active behind the proxy and is a useful second layer; don't treat the proxy as your only login.
  • Never publish port 5678. Only the proxy (or the TLS terminator in front of it) should have a ports: mapping; n8n should use expose: only.
  • Serve n8n over HTTPS only, and leave OAUTH2_PROXY_COOKIE_SECURE at its default of true.
  • Force all admin access through your OAuth provider, and set OAUTH2_PROXY_EMAIL_DOMAINS (or an allowed-emails list) so that any stranger with a Google account cannot log in.
  • Pin the oauth2-proxy and n8n image tags instead of using latest, so an unattended upgrade cannot silently change the authentication behaviour you tested.

 

Summary

 

The correct and production-ready way to secure a self-hosted n8n with OAuth is to put it behind an identity-aware reverse proxy such as OAuth2 Proxy or Cloudflare Access. The proxy forces OAuth login before anyone can reach the n8n editor, REST API, or other sensitive endpoints, while n8n's own user management remains as a second layer. Webhook paths can be selectively exempted and stay protected through unguessable paths, the Webhook node's own authentication options, and provider signature validation. Because n8n's Community Edition has no built-in OAuth login (SSO is an Enterprise feature), enforcing it at the proxy layer is the standard approach.
