Skip to main content

Overview

Credentials store sensitive API keys and authentication tokens for third-party services (OpenAI, Pinecone, etc.). All credential data is encrypted at rest.
All credential endpoints require JWT authentication. See Authentication for details.

List All Credentials

Retrieve all credentials in your workspace.
GET /api/v1/credentials
curl -X GET http://localhost:3000/api/v1/credentials \
  -H "Authorization: Bearer YOUR_JWT_TOKEN"

Query Parameters

credentialName
string
Filter credentials by type (e.g., openAIApi, pineconeApi)

Response

[
  {
    "id": "credential-uuid",
    "name": "Production OpenAI Key",
    "credentialName": "openAIApi",
    "encryptedData": "encrypted-string",
    "workspaceId": "workspace-id",
    "createdDate": "2024-03-15T10:30:00.000Z",
    "updatedDate": "2024-03-15T10:30:00.000Z"
  }
]
id
string
required
Unique identifier for the credential
name
string
required
Display name for the credential
credentialName
string
required
Type of credential (e.g., openAIApi, pineconeApi, huggingFaceApi)
encryptedData
string
required
Encrypted credential data (API keys, secrets, etc.)
workspaceId
string
required
ID of the workspace this credential belongs to
Credential values are encrypted and never returned in plain text through the API.

Get Credential by ID

Retrieve a specific credential by its ID.
GET /api/v1/credentials/:id
curl -X GET http://localhost:3000/api/v1/credentials/CREDENTIAL_ID \
  -H "Authorization: Bearer YOUR_JWT_TOKEN"

Path Parameters

id
string
required
The unique identifier of the credential

Response

Returns a single credential object with the same structure as shown in the list response.

Create Credential

Create a new credential for a third-party service.
POST /api/v1/credentials
curl -X POST http://localhost:3000/api/v1/credentials \
  -H "Authorization: Bearer YOUR_JWT_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "My OpenAI Key",
    "credentialName": "openAIApi",
    "plainDataObj": {
      "openAIApiKey": "sk-..."
    }
  }'

Request Body

name
string
required
Display name for the credential
credentialName
string
required
Type of credential. Common values:
  • openAIApi - OpenAI API
  • pineconeApi - Pinecone vector database
  • huggingFaceApi - HuggingFace
  • cohereApi - Cohere
  • anthropicApi - Anthropic Claude
  • googleGenAIApi - Google Generative AI
plainDataObj
object
required
Plain-text credential data (will be encrypted before storage)Structure varies by credential type:
// OpenAI
{
  "openAIApiKey": "sk-..."
}

// Pinecone
{
  "pineconeApiKey": "...",
  "pineconeEnv": "us-west1-gcp"
}

// HuggingFace
{
  "huggingFaceApiKey": "hf_..."
}

Response

{
  "id": "credential-uuid",
  "name": "My OpenAI Key",
  "credentialName": "openAIApi",
  "encryptedData": "encrypted-string",
  "workspaceId": "workspace-id",
  "createdDate": "2024-03-15T10:30:00.000Z",
  "updatedDate": "2024-03-15T10:30:00.000Z"
}
Credential data is encrypted using AES-256-GCM. Store credentials securely and never commit them to version control.

Update Credential

Update an existing credential.
PUT /api/v1/credentials/:id
curl -X PUT http://localhost:3000/api/v1/credentials/CREDENTIAL_ID \
  -H "Authorization: Bearer YOUR_JWT_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Updated OpenAI Key",
    "plainDataObj": {
      "openAIApiKey": "sk-new-key..."
    }
  }'

Path Parameters

id
string
required
The unique identifier of the credential to update

Request Body

Include only the fields you want to update:
name
string
Updated display name
plainDataObj
object
Updated credential data (will be re-encrypted)

Response

Returns the updated credential object.

Delete Credential

Delete a credential permanently.
DELETE /api/v1/credentials/:id
curl -X DELETE http://localhost:3000/api/v1/credentials/CREDENTIAL_ID \
  -H "Authorization: Bearer YOUR_JWT_TOKEN"

Path Parameters

id
string
required
The unique identifier of the credential to delete

Response

{
  "message": "Credential deleted successfully"
}
Deleting a credential is permanent and will break any chatflows using it. Ensure no active chatflows depend on the credential before deletion.

Credential Types

Flowise supports credentials for numerous integrations:
  • OpenAI (openAIApi) - GPT models
  • Anthropic (anthropicApi) - Claude models
  • Cohere (cohereApi) - Cohere models
  • Google (googleGenAIApi) - Gemini models
  • HuggingFace (huggingFaceApi) - Open-source models
  • Pinecone (pineconeApi)
  • Qdrant (qdrantApi)
  • Weaviate (weaviateApi)
  • Milvus (milvusApi)
  • Chroma (chromaApi)
  • Airtable (airtableApi)
  • Notion (notionApi)
  • Confluence (confluenceApi)
  • Serper (serperApi) - Google Search
  • SerpAPI (serpApi) - Search results
  • Replicate (replicateApi) - Model hosting

Code Examples

// Create a credential
const newCredential = await fetch(
  'http://localhost:3000/api/v1/credentials',
  {
    method: 'POST',
    headers: {
      'Authorization': 'Bearer YOUR_JWT_TOKEN',
      'Content-Type': 'application/json'
    },
    body: JSON.stringify({
      name: 'Production OpenAI',
      credentialName: 'openAIApi',
      plainDataObj: {
        openAIApiKey: process.env.OPENAI_API_KEY
      }
    })
  }
).then(res => res.json());

// List all credentials
const credentials = await fetch(
  'http://localhost:3000/api/v1/credentials',
  {
    headers: {
      'Authorization': 'Bearer YOUR_JWT_TOKEN'
    }
  }
).then(res => res.json());

// Filter by type
const openAICredentials = await fetch(
  'http://localhost:3000/api/v1/credentials?credentialName=openAIApi',
  {
    headers: {
      'Authorization': 'Bearer YOUR_JWT_TOKEN'
    }
  }
).then(res => res.json());

// Update a credential
const updated = await fetch(
  `http://localhost:3000/api/v1/credentials/${credentialId}`,
  {
    method: 'PUT',
    headers: {
      'Authorization': 'Bearer YOUR_JWT_TOKEN',
      'Content-Type': 'application/json'
    },
    body: JSON.stringify({
      name: 'Updated Name',
      plainDataObj: {
        openAIApiKey: newApiKey
      }
    })
  }
).then(res => res.json());

Security Considerations

Encryption at Rest

All credentials are encrypted using AES-256-GCM before storage

Workspace Isolation

Credentials are scoped to workspaces and cannot be accessed cross-workspace

No Plain Text Retrieval

Encrypted data is never returned in plain text through the API

Audit Trail

Created and updated timestamps track credential lifecycle

Best Practices

  1. Use descriptive names - Make it easy to identify credentials at a glance
  2. One credential per environment - Separate dev, staging, and production credentials
  3. Regular rotation - Update credentials periodically for security
  4. Delete unused credentials - Remove credentials that are no longer needed
  5. Check dependencies - Before deleting, verify no chatflows depend on the credential

Build docs developers (and LLMs) love

Get started for freeTalk to us