n8n · AI agents · API key security
n8n AI agent API key: scoping and capping vendor calls
n8n's credential store makes it easy to give your AI Agent node a Stripe, Twilio, or Resend API key — but easy access is a different problem from safe access. This page covers the three gaps n8n's built-in credential management leaves open for autonomous agent runs, and the proxy pattern that closes them without changing your workflow structure.
TL;DR
n8n credentials are encrypted at rest and scoped per workflow — that's good. But they still give an AI Agent node a raw, long-lived key with no per-day dollar cap, no sub-second revoke for a single agent run, and no structured audit log with agent-run context. A vault key proxy sits between the AI Agent node and the vendor API: the node holds a short-lived scoped key, the proxy enforces spend limits and logs every call. Revoking the run's access takes one API call — no credential rotation, no workflow redeploy.
How n8n AI Agent nodes use API keys today
n8n's AI Agent node (and its Tool sub-nodes like the HTTP Request Tool, Stripe Tool, and community tools) resolve credentials through n8n's built-in credential store. You create a credential object once, n8n encrypts it, and any workflow that has access to that credential can use it. The convenience is real: your Stripe secret key lives in one place, not scattered across workflow JSON.
The problem is that the credential object is binary: the AI Agent node either has the full credential or it doesn't. There's no concept of "this agent run gets $200/day on Stripe" or "revoke this run's Stripe access without touching the credential other workflows depend on."
The three gaps n8n credentials don't fill for AI agents
| Gap | What happens in practice | n8n's current answer |
|---|---|---|
| No per-run spend cap | An AI agent in a loop calling Stripe charges or Twilio SMS can run indefinitely — until the daily Stripe Dashboard alert email arrives, typically hours later | None. The credential is unlimited by default; you'd need a separate accounting workflow that checks spend before each call |
| No per-run revoke | If you need to stop a specific agent run from making further Stripe calls, your only option is to disable or delete the credential — which breaks all other workflows using it | None. Credentials are workflow-scoped but not run-scoped |
| No structured audit log | n8n logs execution steps, but doesn't log the actual HTTP bodies sent to Stripe/Twilio or the dollar amounts charged per agent run | Execution log (step-level, not vendor-response-level). No cost parsing. |
Setting up an n8n AI Agent with Stripe via HTTP Request Tool
The typical n8n setup uses an AI Agent node with an HTTP Request Tool configured to call Stripe. A simplified workflow looks like:
AI Agent node
└── Tool: HTTP Request
URL: https://api.stripe.com/v1/payment_intents
Method: POST
Authentication: Stripe API (credential: stripe_prod)
Body: { amount: {{ $json.amount }}, currency: "usd", customer: {{ $json.customer_id }} }This works. The agent can call Stripe. The credential stripe_prod is the full secret key. When you point the HTTP Request Tool's base URL at the Keybrake proxy instead, the agent holds a short-lived vault key and the proxy enforces the policy:
AI Agent node
└── Tool: HTTP Request
URL: https://proxy.keybrake.com/stripe/v1/payment_intents
Method: POST
Authentication: Header Auth (name: Authorization, value: Bearer vault_key_xxx)
Body: { amount: {{ $json.amount }}, currency: "usd", customer: {{ $json.customer_id }} }The vault key vault_key_xxx is created for this agent run — or for this class of agent runs — with a policy:
{
"vendor": "stripe",
"daily_usd_cap": 300,
"allowed_endpoints": ["POST /v1/payment_intents", "GET /v1/customers/*"],
"expires_in": "4h",
"agent_run_label": "n8n-billing-agent"
}If the agent run loops and tries to exceed $300/day, the proxy returns a 429 before the charge hits Stripe. The vault key can be revoked from the Keybrake dashboard in one click — without touching the stripe_prod credential that the rest of your n8n instance depends on.
n8n AI agent patterns where spend capping matters most
Billing agents. A common n8n pattern is an AI agent that reads a CRM or database, decides which customers owe invoices, and fires Stripe charges. If the upstream data has duplicates or the agent reasoning produces a loop, the same customer gets charged repeatedly. A per-run daily cap means the damage is bounded.
Notification agents. Twilio SMS and Resend email are per-message costs. An AI agent that decides "I should re-send the notification" in a loop burns through budget fast. Twilio's per-number rate limits help but they don't stop a stuck agent sending on a number it rarely uses. A vault key spend cap does.
Long-running background workflows. n8n workflows triggered by a cron or webhook and left to run without human oversight are exactly the risk profile that needs spend enforcement. There's no operator watching the console at 3am when a stuck loop starts.
Where this fits in your n8n security posture
n8n's credential encryption and workflow-level access control are the right first layer. They prevent credential leakage and unauthorized workflow access. The vault key proxy is the second layer: it controls what each agent run can spend and provides the audit trail to trace what actually happened when you're reviewing an incident.
The two layers are complementary. You keep using n8n's credential store for human-driven automation where a shared long-lived key is fine. You add vault keys for AI Agent nodes where autonomous execution without a spending boundary is the actual risk.
How Keybrake fits
Keybrake is the proxy layer. You swap the base URL in the HTTP Request Tool from api.stripe.com to proxy.keybrake.com/stripe, create a vault key with your policy, and drop the vault key into an n8n credential (Header Auth type). The real Stripe secret stays on the Keybrake side, never in the workflow. Spend caps, endpoint allowlists, mid-run revoke, and a queryable per-call audit log with agent_run_label are all included.
Related questions
Does this work with the n8n community Stripe node, or only with the HTTP Request Tool?
It works with any tool that lets you configure a custom base URL or authentication header. The n8n community Stripe node uses the official Stripe SDK under the hood; if the node exposes a "base URL" or "API endpoint" field, you can point it at the proxy. If it doesn't expose that field, the HTTP Request Tool with manual endpoint construction is the reliable path — it gives you full URL control.
What happens to the n8n execution log when the proxy blocks a call?
The HTTP Request Tool node receives a 429 Too Many Requests response from the proxy with a body that includes "error": "daily_cap_exceeded" and the amount remaining. n8n records this as a node error in the execution log, and the AI Agent node sees the tool error in its reasoning context. You can add an error handler in n8n to route capped calls to a Slack notification or a human-review queue.
Can I issue a new vault key for each workflow execution?
Yes — the Keybrake API is a single POST to /vault/keys with the policy payload. You can add an HTTP Request node at the top of your workflow to issue a fresh vault key for each execution, pass the key through the execution context as a variable, and the AI Agent node picks it up via an expression. This gives you per-execution spend isolation: each workflow run has its own $N daily cap and its own revokable key.
Further reading
- AI agent kill switch patterns — the four ways to stop a runaway agent and their real stop latencies.
- AI agent audit trail schema — what belongs in a structured per-call log and the SQL queries that matter post-incident.
- Twilio AI agent rate limiting — Twilio-specific spend controls and where vault key caps fit alongside native Messaging Services limits.
- AI agent cost management — the full cost map: LLM spend (LiteLLM's problem), SaaS tool spend (ours), and infra (something else).