> ## Documentation Index
> Fetch the complete documentation index at: https://doc.codika.io/llms.txt
> Use this file to discover all available pages before exploring further.

# Credentials

> How Codika manages credential isolation across users — FLEXCRED, USERCRED, ORGCRED, and other credential placeholder types

## Overview

Credentials in Codika workflows are never hardcoded. Instead, workflows use placeholder tokens that get replaced at deployment time with real credential IDs from n8n. This ensures every user gets their own isolated credentials.

There are six credential placeholder types, each serving a different scope:

| Type        | Scope                  | Who provides          | Fallback              |
| ----------- | ---------------------- | --------------------- | --------------------- |
| `FLEXCRED`  | AI providers           | Organization → Codika | Codika's shared keys  |
| `USERCRED`  | Per-user integrations  | User (OAuth)          | None (required)       |
| `ORGCRED`   | Org-wide integrations  | Organization admin    | None (required)       |
| `INSTCRED`  | Per-instance databases | User (at install)     | None (required)       |
| `SYSCREDS`  | System-level           | Codika platform       | None (system-managed) |
| `ORGSECRET` | Org configuration      | Organization settings | None (required)       |

## FLEXCRED — Flexible AI credentials

The most common credential type for AI-powered workflows. Uses the organization's own API key if available, otherwise falls back to Codika's shared pool (billed via credits).

```json theme={null}
"credentials": {
  "anthropicApi": {
    "id": "{{FLEXCRED_ANTHROPIC_ID_DERCXELF}}",
    "name": "{{FLEXCRED_ANTHROPIC_NAME_DERCXELF}}"
  }
}
```

**Supported providers:** Anthropic, OpenAI, Tavily, Google Gemini, X AI, Open Router, Mistral, Cohere, Deep Seek

The platform automatically decides which key to use based on whether your organization has configured its own API key for that provider.

## USERCRED — User integration credentials

OAuth tokens from the user's connected integrations. Each user connects their own accounts (Gmail, Drive, Sheets, etc.) via the Codika dashboard.

```json theme={null}
"credentials": {
  "gmailOAuth2": {
    "id": "{{USERCRED_GOOGLE_GMAIL_ID_DERCRESU}}",
    "name": "{{USERCRED_GOOGLE_GMAIL_NAME_DERCRESU}}"
  }
}
```

**Available integrations:** Google Gmail, Google Drive, Google Sheets, Google Calendar, Microsoft (Teams/Outlook), Calendly, Notion

These are required — if a user hasn't connected the integration, the workflow cannot be deployed for them.

## ORGCRED — Organization-level credentials

Shared credentials managed by organization admins. Used for services where the entire org shares one account (e.g., company Slack workspace, CRM).

```json theme={null}
"credentials": {
  "slackOAuth2Api": {
    "id": "{{ORGCRED_SLACK_ID_DERCGRO}}",
    "name": "{{ORGCRED_SLACK_NAME_DERCGRO}}"
  }
}
```

**Common integrations:** Slack, WhatsApp, Pipedrive, Folk CRM

## INSTCRED — Instance-level credentials

Per-deployment credentials configured during process installation. Used for database connections or external services that differ per deployment.

```json theme={null}
"credentials": {
  "supabaseApi": {
    "id": "{{INSTCRED_SUPABASE_ID_DERCTSNI}}",
    "name": "{{INSTCRED_SUPABASE_NAME_DERCTSNI}}"
  }
}
```

## How credentials appear in workflow JSON

Credentials are always specified on the n8n node that uses them — never on chain/agent wrapper nodes. For LLM workflows, credentials go on the **model node**, not the chain node:

```json theme={null}
{
  "type": "@n8n/n8n-nodes-langchain.lmChatAnthropic",
  "typeVersion": 1.3,
  "parameters": {
    "model": { "__rl": true, "value": "claude-haiku-4-5-20251001", "mode": "list" },
    "options": { "maxTokensToSample": 1024, "temperature": 0.3 }
  },
  "credentials": {
    "anthropicApi": {
      "id": "{{FLEXCRED_ANTHROPIC_ID_DERCXELF}}",
      "name": "{{FLEXCRED_ANTHROPIC_NAME_DERCXELF}}"
    }
  }
}
```

## Integration UIDs

When listing required integrations in `config.ts`, use these standard UIDs:

| UID               | Service                              |
| ----------------- | ------------------------------------ |
| `anthropic`       | Anthropic (Claude)                   |
| `openai`          | OpenAI                               |
| `tavily`          | Tavily Web Search                    |
| `google_gmail`    | Google Gmail                         |
| `google_drive`    | Google Drive                         |
| `google_sheets`   | Google Sheets                        |
| `google_calendar` | Google Calendar                      |
| `slack`           | Slack                                |
| `folk`            | Folk CRM                             |
| `pipedrive`       | Pipedrive                            |
| `calendly`        | Calendly                             |
| `notion`          | Notion                               |
| `microsoft`       | Microsoft (Teams, Outlook, OneDrive) |

```typescript theme={null}
{
  workflowTemplateId: 'my-workflow',
  integrationUids: ['anthropic', 'google_gmail', 'slack'],
  // ...
}
```

## Validation

The CLI validates credential patterns via the `CK-CREDENTIALS` rule:

```bash theme={null}
codika verify use-case ./my-use-case
```

Common issues:

* Using raw credential IDs instead of placeholders
* Wrong suffix for the credential type
* Credentials on the wrong node (e.g., on `chainLlm` instead of `lmChatAnthropic`)