How does n8n-mcp secure AI access to n8n?
n8n-mcp secures AI access to n8n by keeping sensitive credentials and outbound network decisions inside the gateway. AI clients receive a platform API key and call a hosted MCP endpoint; the gateway authenticates the request, resolves the user's n8n instance, checks quotas, validates outbound targets and then calls n8n from the server.
Encrypted n8n credentials
n8n API keys are stored server-side and encrypted at rest. AI clients authenticate to the gateway with platform API keys instead of receiving direct n8n credentials.
Outbound request protection
Before the gateway calls a user-configured n8n URL, SSRF checks block private IP ranges, localhost targets and cloud metadata addresses.
Rate limits and quotas
MCP calls pass through gateway rate limiting and quota checks so abuse control stays centralized.
Tenant-aware routing
Each request is tied to an authenticated user and routed only to n8n instances owned by that user.
Workflow Agent policy
Read-only discovery, preview and audit tools are enforced server-side as non-mutating. Disabled operations fail closed, and workflow-changing calls must pass policy checks and confirmation requirements.
Validation before activation
Workflow Agent mode validates workflow structure, node configuration, connections, expressions and explicit default choices before deploy or activation. Errors block deployment; warnings require review.
Diff-first mutation
Existing workflows are updated through previewed diffs and partial patches where possible. Full workflow updates are treated as a high-risk fallback, especially for large or uncertain edits.
Audit, history and rollback
Mutating calls record before/after snapshots, validation results and diff metadata. Operators can inspect workflow history and roll back to a captured state when needed.
Dashboard Agent Console
The Agent Console is the review surface for production workflow work. It separates Code Agent tasks from Workflow Agent tasks and shows the evidence needed before a workflow is changed, activated, tested or rolled back.
- Template match and node knowledge sources
- Validation errors, warnings and Never Trust Defaults checks
- Diff preview, confirmation state and disabled-operation policy results
- Deploy/test result and rollback entry point