Credentials

Credentials store the API keys, tokens, and OAuth connections your workflows need to interact with external services. NodeLoom encrypts credentials at rest and scopes them to your team.

How Credentials Work

Instead of hardcoding secrets in node configuration, you create a named credential once and reference it from any node that needs it. This keeps secrets out of your workflow JSON and lets you rotate keys in one place.

Credentials are team-scoped -- all members of a team can use the credentials created within that team, but they cannot access credentials from other teams. Admins can manage credentials for any team.

Encryption at rest

All credential values are encrypted before being stored. The encryption key is never exposed through the API.

Credential Types and Categories

NodeLoom organizes credentials into categories that match the services they authenticate with:

| Category | Examples |
|---|---|
| AI | OpenAI, Anthropic, Google AI (Gemini), Azure OpenAI, Cohere, Ollama, Hugging Face |
| Cloud | AWS (IAM credentials), Google Cloud (service account), Azure, DigitalOcean |
| Databases | PostgreSQL, MySQL, MongoDB, Redis, Elasticsearch, Supabase |
| Communication | Slack, Discord, Microsoft Teams, Telegram, Twilio, SendGrid, SMTP |
| Productivity | GitHub, GitLab, Jira, Notion, Airtable, Google Sheets, Trello |
| CRM / Marketing | Salesforce, HubSpot, Mailchimp, Brevo (Sendinblue), ActiveCampaign |
| Generic | HTTP Header Auth, HTTP Basic Auth, API Key, Bearer Token, Custom OAuth2 |

Per-Node Credential Selection

Each node that requires authentication shows a Credential dropdown in its configuration panel. The dropdown lists all credentials of the matching type available to your team. You can create multiple credentials of the same type (e.g., a production and staging Slack token) and choose the right one per node.

Node referencing a credential
{
  "type": "SLACK_SEND_MESSAGE",
  "parameters": {
    "channel": "#alerts",
    "text": "Deployment complete for {{ $json.service }}"
  },
  "credentials": "slack_oauth_production"
}
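
To check that exported workflows reference credentials by name rather than embedding secrets, a scan like the following can run in CI or a pre-commit hook. This is an added example, not NodeLoom code; the top-level `nodes` list, the `HTTP_REQUEST` node type and the key-name hints are assumptions.

```python
import json

# Constructed sample. The top-level "nodes" list and the HTTP_REQUEST node type are
# assumptions; each node otherwise follows the shape shown on this page.
SAMPLE_WORKFLOW = json.loads("""
{"nodes": [
  {"type": "SLACK_SEND_MESSAGE",
   "parameters": {"channel": "#alerts", "text": "Deployed {{ $json.service }}"},
   "credentials": "slack_oauth_production"},
  {"type": "HTTP_REQUEST",
   "parameters": {"url": "https://api.example.test/v1/items",
                  "headers": {"Authorization": "Bearer CONSTRUCTED-EXAMPLE-VALUE"}}}
]}
""")

# Substrings of parameter names that usually hold a secret (illustrative list).
SECRET_KEY_HINTS = ("authorization", "api_key", "apikey", "token", "secret", "password")


def string_leaves(value, path=""):
    """Yield (dotted_path, text) for every string nested under value."""
    if isinstance(value, dict):
        for key, child in value.items():
            yield from string_leaves(child, f"{path}.{key}" if path else key)
    elif isinstance(value, list):
        for i, child in enumerate(value):
            yield from string_leaves(child, f"{path}[{i}]")
    elif isinstance(value, str):
        yield path, value


def find_inline_secrets(workflow):
    """Report parameters that hold a literal secret; the value itself is never copied."""
    findings = []
    for index, node in enumerate(workflow.get("nodes", [])):
        for path, text in string_leaves(node.get("parameters", {})):
            key = path.rsplit(".", 1)[-1].lower()
            looks_secret = any(hint in key for hint in SECRET_KEY_HINTS)
            # Values containing a {{ ... }} expression are resolved at run time.
            if looks_secret and text.strip() and "{{" not in text:
                findings.append({"node": index, "type": node.get("type"), "path": path,
                                 "has_credential_ref": "credentials" in node})
    return findings


if __name__ == "__main__":
    for finding in find_inline_secrets(SAMPLE_WORKFLOW):
        print(finding)
```
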

Multiple credentials per type

You can store as many credentials of the same type as you need. For example, keep separate Slack tokens for your production workspace, staging workspace, and personal test workspace.

Credential Testing

Every credential type supports one-click testing. When you create or edit a credential, click the Test button to verify the connection. NodeLoom makes a lightweight API call (e.g., listing the authenticated user or pinging the service) and reports success or failure immediately.

This eliminates guesswork -- you know the credential works before using it in a workflow.

OAuth Flow

For services that use OAuth 2.0, NodeLoom provides a streamlined connection flow:

  1. Click the Connect with [Provider] button in the credential form.
  2. A popup opens with the provider's OAuth consent screen (e.g., "Sign in with Google").
  3. After you authorize, the popup closes and NodeLoom stores the access token and refresh token securely.
  4. The credential is ready to use immediately.

Automatic Token Refresh

OAuth access tokens expire. NodeLoom automatically refreshes them before they expire using the stored refresh token. This happens in the background -- your workflows never fail because of an expired token.

OAuth Status Tracking

Each OAuth credential has a status indicator so you always know its health:

| Status | Meaning | Action Required |
|---|---|---|
| ACTIVE | Token is valid and auto-refreshing normally | None |
| REFRESH_FAILED | The last token refresh attempt failed (e.g., network error). NodeLoom will retry automatically. | Monitor -- usually resolves on next retry |
| NEEDS_REAUTH | The refresh token has been revoked or expired. Automatic refresh is not possible. | Re-authorize by clicking Connect again |

NEEDS_REAUTH

If a credential enters the NEEDS_REAUTH state, any workflow using it will fail at the node that requires it. Re-authorize promptly to restore workflow execution.
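
The sketch below shows how a refresh outcome can be mapped onto the three documented statuses and how to list the nodes that a NEEDS_REAUTH credential will block. It is an added illustration, not NodeLoom's implementation; the mapping relies on the RFC 6749 `invalid_grant` error, and the credential names, workflow names and `SALESFORCE_QUERY` node type are hypothetical.

```python
# Status names are the ones documented on this page.
ACTIVE, REFRESH_FAILED, NEEDS_REAUTH = "ACTIVE", "REFRESH_FAILED", "NEEDS_REAUTH"


def classify_refresh(http_status, body):
    """Status after one refresh attempt; http_status is None if no response arrived."""
    if http_status == 200 and "access_token" in body:
        return ACTIVE
    # RFC 6749 section 5.2: invalid_grant means the refresh token is invalid,
    # expired or revoked, so retrying cannot succeed.
    if http_status is not None and body.get("error") == "invalid_grant":
        return NEEDS_REAUTH
    # Timeouts, 5xx responses and other errors are treated as transient.
    return REFRESH_FAILED


def blocked_nodes(workflows, statuses):
    """List (workflow, node type, credential) for nodes whose credential needs re-auth."""
    blocked = []
    for name, nodes in workflows.items():
        for node in nodes:
            cred = node.get("credentials")
            if statuses.get(cred) == NEEDS_REAUTH:
                blocked.append((name, node["type"], cred))
    return blocked


# Constructed refresh outcomes per credential name: (HTTP status or None, JSON body).
OUTCOMES = {
    "slack_oauth_production": (200, {"access_token": "constructed", "expires_in": 3600}),
    "google_oauth_staging": (None, {}),
    "salesforce_oauth": (400, {"error": "invalid_grant"}),
}
# Constructed workflows; the node shape follows the page, the names are hypothetical.
WORKFLOWS = {
    "deploy-alerts": [{"type": "SLACK_SEND_MESSAGE", "credentials": "slack_oauth_production"}],
    "crm-sync": [{"type": "SALESFORCE_QUERY", "credentials": "salesforce_oauth"}],
}

STATUSES = {name: classify_refresh(*outcome) for name, outcome in OUTCOMES.items()}

if __name__ == "__main__":
    print(STATUSES)
    print(blocked_nodes(WORKFLOWS, STATUSES))
```
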

Supported OAuth Providers

NodeLoom includes built-in OAuth support for the following providers:

| Provider | Scopes / Notes |
|---|---|
| Google | Gmail, Calendar, Drive, Sheets, Docs -- granular scope selection per credential |
| Microsoft | Outlook, OneDrive, Teams, SharePoint -- Azure AD application |
| GitHub | Repos, issues, actions, packages -- fine-grained or classic token |
| Slack | Bot token scopes -- channels, messages, reactions, users |
| Salesforce | Full API access, refresh token rotation supported |
| HubSpot | CRM, Marketing, CMS -- scope-based access |
| Shopify | Admin API -- store-scoped access |
| Zoom | Meetings, webinars, users |
| Notion | Workspace integration |
| LinkedIn | Profile, posts, organization management |

Admin OAuth Configuration

Instance administrators can configure OAuth provider settings (client ID, client secret, redirect URIs) directly through the admin UI instead of setting environment variables. This makes it easier to:

  • Add new OAuth providers without restarting the server.
  • Rotate client secrets with zero downtime.
  • Configure different OAuth apps for different environments (dev, staging, production) from a single admin panel.

Admin panel path
Settings > OAuth Providers > Add Provider

Fields:
  - Provider:      Google (dropdown)
  - Client ID:     your-client-id.apps.googleusercontent.com
  - Client Secret: GOCSPX-...
  - Scopes:        email, profile, gmail.readonly, calendar.events
  - Redirect URI:  https://your-instance.nodeloom.app/oauth/callback

Environment variables still work

If you prefer to manage OAuth configuration via environment variables (e.g., in a Docker deployment), that approach is still fully supported. The admin UI is an alternative, not a replacement.