Overview

Credentials in Codika workflows are never hardcoded. Instead, workflows use placeholder tokens that get replaced at deployment time with real credential IDs from n8n. This ensures every user gets their own isolated credentials.

There are six credential placeholder types, each serving a different scope:

| Type | Scope | Who provides | Fallback |
| --- | --- | --- | --- |
| FLEXCRED | AI providers | Organization → Codika | Codika’s shared keys |
| USERCRED | Per-user integrations | User (OAuth) | None (required) |
| ORGCRED | Org-wide integrations | Organization admin | None (required) |
| INSTCRED | Per-instance databases | User (at install) | None (required) |
| SYSCREDS | System-level | Codika platform | None (system-managed) |
| ORGSECRET | Org configuration | Organization settings | None (required) |

FLEXCRED — Flexible AI credentials

The most common credential type for AI-powered workflows. Uses the organization’s own API key if available, otherwise falls back to Codika’s shared pool (billed via credits).
"credentials": {
  "anthropicApi": {
    "id": "{{FLEXCRED_ANTHROPIC_ID_DERCXELF}}",
    "name": "{{FLEXCRED_ANTHROPIC_NAME_DERCXELF}}"
  }
}
Supported providers: Anthropic, OpenAI, Tavily, Google Gemini, X AI, Open Router, Mistral, Cohere, Deep Seek

The platform automatically decides which key to use based on whether your organization has configured its own API key for that provider.

USERCRED — User integration credentials

OAuth tokens from the user’s connected integrations. Each user connects their own accounts (Gmail, Drive, Sheets, etc.) via the Codika dashboard.
"credentials": {
  "gmailOAuth2": {
    "id": "{{USERCRED_GOOGLE_GMAIL_ID_DERCRESU}}",
    "name": "{{USERCRED_GOOGLE_GMAIL_NAME_DERCRESU}}"
  }
}
Available integrations: Google Gmail, Google Drive, Google Sheets, Google Calendar, Microsoft (Teams/Outlook), Calendly, Notion

These are required — if a user hasn’t connected the integration, the workflow cannot be deployed for them.

ORGCRED — Organization-level credentials

Shared credentials managed by organization admins. Used for services where the entire org shares one account (e.g., company Slack workspace, CRM).
"credentials": {
  "slackOAuth2Api": {
    "id": "{{ORGCRED_SLACK_ID_DERCGRO}}",
    "name": "{{ORGCRED_SLACK_NAME_DERCGRO}}"
  }
}
Common integrations: Slack, WhatsApp, Pipedrive, Folk CRM

INSTCRED — Instance-level credentials

Per-deployment credentials configured during process installation. Used for database connections or external services that differ per deployment.
"credentials": {
  "supabaseApi": {
    "id": "{{INSTCRED_SUPABASE_ID_DERCTSNI}}",
    "name": "{{INSTCRED_SUPABASE_NAME_DERCTSNI}}"
  }
}

How credentials appear in workflow JSON

Credentials are always specified on the n8n node that uses them — never on chain/agent wrapper nodes. For LLM workflows, credentials go on the model node, not the chain node:
{
  "type": "@n8n/n8n-nodes-langchain.lmChatAnthropic",
  "typeVersion": 1.3,
  "parameters": {
    "model": { "__rl": true, "value": "claude-haiku-4-5-20251001", "mode": "list" },
    "options": { "maxTokensToSample": 1024, "temperature": 0.3 }
  },
  "credentials": {
    "anthropicApi": {
      "id": "{{FLEXCRED_ANTHROPIC_ID_DERCXELF}}",
      "name": "{{FLEXCRED_ANTHROPIC_NAME_DERCXELF}}"
    }
  }
}

Integration UIDs

When listing required integrations in config.ts, use these standard UIDs:
| UID | Service |
| --- | --- |
| anthropic | Anthropic (Claude) |
| openai | OpenAI |
| tavily | Tavily Web Search |
| google_gmail | Google Gmail |
| google_drive | Google Drive |
| google_sheets | Google Sheets |
| google_calendar | Google Calendar |
| slack | Slack |
| folk | Folk CRM |
| pipedrive | Pipedrive |
| calendly | Calendly |
| notion | Notion |
| microsoft | Microsoft (Teams, Outlook, OneDrive) |

{
  workflowTemplateId: 'my-workflow',
  integrationUids: ['anthropic', 'google_gmail', 'slack'],
  // ...
}

Validation

The CLI validates credential patterns via the CK-CREDENTIALS rule:
codika-helper verify use-case ./my-use-case
Common issues:
  • Using raw credential IDs instead of placeholders
  • Wrong suffix for the credential type
  • Credentials on the wrong node (e.g., on chainLlm instead of lmChatAnthropic)
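
The three common issues above can be caught with a pre-commit check on the workflow JSON. The following JavaScript is an added example, not the codika-helper implementation of CK-CREDENTIALS. It assumes the suffix is the prefix reversed (inferred from the four examples on this page) and that wrapper nodes are identified by the last segment of their n8n type; the function names and the sample workflow are constructed for illustration.

```javascript
// Added example: not the codika-helper implementation of CK-CREDENTIALS.
// Assumption inferred from the page's examples: the suffix is the prefix reversed
// (FLEXCRED -> DERCXELF). SYSCREDS and ORGSECRET formats are not shown, so they are not handled.
const PREFIXES = ['FLEXCRED', 'USERCRED', 'ORGCRED', 'INSTCRED'];
// Assumption: wrapper nodes are recognised by the last segment of their n8n type.
const WRAPPER_NODES = ['chainLlm', 'agent'];
const PLACEHOLDER = /^\{\{([A-Z]+)_([A-Z0-9_]+)_(ID|NAME)_([A-Z]+)\}\}$/;
const reverse = (s) => [...s].reverse().join('');

// Returns a problem description for one credential field, or null if it is valid.
function checkPlaceholder(value, field) {
  const m = PLACEHOLDER.exec(String(value));
  if (!m) return `raw value instead of placeholder: ${value}`;
  const [, prefix, , kind, suffix] = m;
  if (!PREFIXES.includes(prefix)) return `unknown credential type: ${prefix}`;
  if (suffix !== reverse(prefix)) return `wrong suffix ${suffix} for ${prefix}`;
  if (kind !== field.toUpperCase()) return `${kind} placeholder used in "${field}" field`;
  return null;
}

// Walks every node of a workflow object and collects findings.
function checkWorkflow(workflow) {
  const findings = [];
  for (const node of workflow.nodes || []) {
    const creds = Object.entries(node.credentials || {});
    const shortType = String(node.type).split('.').pop();
    if (creds.length && WRAPPER_NODES.includes(shortType)) {
      findings.push({ node: node.name, issue: `credentials on wrapper node ${shortType}` });
    }
    for (const [credType, ref] of creds) {
      for (const field of ['id', 'name']) {
        const issue = checkPlaceholder(ref[field], field);
        if (issue) findings.push({ node: node.name, issue: `${credType}.${field}: ${issue}` });
      }
    }
  }
  return findings;
}

// Constructed sample workflow: one valid node, one with a raw ID and a wrong suffix, one wrapper.
const sample = { nodes: [
  { name: 'Model', type: '@n8n/n8n-nodes-langchain.lmChatAnthropic', credentials: { anthropicApi: {
    id: '{{FLEXCRED_ANTHROPIC_ID_DERCXELF}}', name: '{{FLEXCRED_ANTHROPIC_NAME_DERCXELF}}' } } },
  { name: 'Slack', type: 'n8n-nodes-base.slack', credentials: { slackOAuth2Api: {
    id: 'Xk29dLw0', name: '{{ORGCRED_SLACK_NAME_DERCRESU}}' } } },
  { name: 'Chain', type: '@n8n/n8n-nodes-langchain.chainLlm', credentials: { anthropicApi: {
    id: '{{FLEXCRED_ANTHROPIC_ID_DERCXELF}}', name: '{{FLEXCRED_ANTHROPIC_NAME_DERCXELF}}' } } },
] };
console.log(checkWorkflow(sample));
```

A raw credential ID in a committed workflow binds the template to one tenant's n8n credential, which defeats the per-user isolation the placeholders exist to provide, so treat that finding as blocking.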