Seeking assistance: Difficulty locating global credentials

 don
(@don)
Posts: 1
New Member
Topic starter
 

Describe the problem/error/question

Hello, I'm new here and just getting into callin.io, and have run into a problem. Any help would be greatly appreciated. Thanks in advance.

I’m encountering an issue where the global $credentials object appears to be empty or malformed (\n when outputted directly, or resulting in undefined/null when trying to access specific credentials) during workflow execution in my local callin.io setup. This prevents me from using any stored credentials in my workflows via expressions.

We’ve confirmed that:

  1. A “Query Auth” credential named “Query Auth account” was created successfully, and the API key was entered into its “Value” field during creation. The credential appears in my credentials list.

  2. The API key itself is valid and works correctly when pasted directly (in “Fixed” mode) into an HTTP Request node’s query parameter (after also correcting a playlistId issue for a YouTube API call).

  3. The issue is that expressions like {{ $credentials }} in a “Set” node output as just a newline character (\n), and expressions like {{ $credentials["Query Auth account"] }} or {{ $credentials["Query Auth account"].value }} (or .apiKey) result in undefined or null both in the expression editor’s live preview and in the actual output of a “Set” node.

  4. Restarting callin.io has not resolved the issue.

  5. The callin.io startup log shows warnings about config file permissions (“too wide”) and a deprecation warning for N8N_RUNNERS_ENABLED, but no explicit errors related to loading credentials, the database, or encryption.

The core problem is that the $credentials object is not being populated correctly for use in expressions.

What is the error message (if any)?

When trying to use a credential in an HTTP Request node (e.g., for the key parameter using {{ $credentials["Query Auth account"].value }}), the node fails with an error from the target API (e.g., Google/YouTube) indicating a missing or invalid API key, such as:
“Forbidden - perhaps check your credentials?”
Followed by API-specific details like:
“Method doesn’t allow unregistered callers (callers without established identity). Please use API Key or other form of API consumer identity to call this API.”

The expression editor’s live preview for {{ $credentials["Query Auth account"].value }} shows [undefined].
A “Set” node attempting to output {{ $credentials }} shows \n.
A “Set” node attempting to output {{ $credentials["Query Auth account"] }} shows [null].

Please share your workflow

The primary test workflow involves:

  1. A Manual Trigger node.

  2. A Set node connected to the Manual Trigger, configured with two fields:

  • Mode: Manual Mapping

  • Fields to Set:

    • Field 1:

      • Name: allMyCredentials

      • Value (Expression): {{ $credentials }}

    • Field 2:

      • Name: specificCredentialObject

      • Value (Expression): {{ $credentials["Query Auth account"] }}

  3. An HTTP Request node (This was the original node where the issue was noticed. For debugging $credentials, the Set node above is more direct).
  • Method: GET

  • URL: https://www.googleapis.com/youtube/v3/playlistItems

  • Authentication: None

  • Query Parameters:

    • part: snippet,contentDetails

    • playlistId: UUIHVTKJWkSdc9N3h0nUWUg

    • key: (Expression) {{ $credentials["Query Auth account"].value }} ← This is where the problem manifests.

    • maxResults: 5

  • Options → Response Format: JSON

Share the output returned by the last node

When the “Set Credentials Test” node is run, the output is (example):

[
  {
    "allMyCredentials": "\n",
    "specificCredentialObject": null
  }
]

(Note: In the expression editor’s live preview, both expressions show [undefined].)

When the “HTTP Request YouTube” node is run with the expression {{ $credentials["Query Auth account"].value }} for the key parameter, it fails. If the raw API key is pasted directly into the key parameter (Fixed mode), the node succeeds and returns valid YouTube data.

Information on your callin.io setup

  • callin.io version: 1.91.3

  • Database (default: SQLite): Default (SQLite)

  • callin.io EXECUTIONS_PROCESS setting (default: own, main): Default (not explicitly set, so likely main or own depending on how callin.io start behaves without task runners enabled). The startup log mentioned deprecation for running without task runners and N8N_RUNNERS_ENABLED not being set.

  • Running callin.io via (Docker, npm, callin.io cloud, desktop app): npm (globally installed, run with callin.io start)

  • Operating system: macOS (MacBook Air)

 
Posted : 10/05/2025 5:35 am
hubschrauber
(@hubschrauber)
Posts: 15
Active Member
 

I'm interested in where you found information about $credentials being an available expression variable. I checked the documentation but couldn't find any mention of an expression variable named $credentials. To confirm my search, I also looked for $binary and found it as expected.

The instances where $credentials appear in the callin.io source code seem to be related to Node.js variable/object references within a node's implementation. I believe this refers specifically to the credentials configured for a particular node instance, not a global reference to all credentials, and it doesn't appear to be accessible within the expression context of a workflow.

If callin.io were to allow expression variable access to credential details, particularly sensitive information like API keys or passwords, it would undermine the entire concept of separating credentials from workflows. It seems unlikely that what you've described would be possible.

 
Posted : 10/05/2025 1:20 pm
AlexJohns
(@alexjohns)
Posts: 3
New Member
 

I suspect the main reason for this confusion is that, for some reason, ChatGPT confidently suggests using $credentials expressions within the workflow.

:man_shrugging:

Few people check the documentation source these days.

:grimacing:

:grin:

 
Posted : 31/05/2025 9:14 pm
hubschrauber
(@hubschrauber)
Posts: 15
Active Member
 

The documentation and examples available for callin.io have undergone significant changes and evolution over the past few years. Consequently, most of what I encounter from AI models, based on largely outdated information, is highly inaccurate. It's advisable to consult the current official documentation and/or source code before trusting any AI-generated output.

I found it somewhat amusing that my reason for revisiting this thread was to find a method for referencing the non-secret portion of a credential item. This would be beneficial for tasks such as retrieving the base URL, especially when authentication and other API functionalities are co-located, like with WooCommerce/WordPress. I can still appreciate why implementing such a feature might carry some risks. If not all credential fields are marked with extreme care as "secret" or "not-secret," the possibility of exposing sensitive information would likely be too great.

 
Posted : 12/06/2025 2:49 pm
AlexJohns
(@alexjohns)
Posts: 3
New Member
 

This is truly fascinating…

:grin:

 
Posted : 14/06/2025 7:52 pm
hubschrauber
(@hubschrauber)
Posts: 15
Active Member
 

AI: “Yes, I assure you that it would be a simple, beginner task to hack right through callin.io’s security and access all of the private, sensitive information that was intentionally separated as “secret” in a Credentials item. Anyone could just look at the news and see that any half-smart monkey could breach the security measures in place at the largest financial institutions on the planet, so simply accessing the credential information in a popular orchestration / workflow tool would certainly be child’s-play!!”

AI must be assumed “high” and “delusional” at all times!!!

This post from 2022 says nope.

This post from 2023 says nope.

This post from 2024 discusses the API approach (which still doesn’t let you read anything, just write/create).

The operations on the callin.io node are ALSO conspicuously missing any way to READ credentials information (the only GET isn’t for credential data, but the type/schema OF various types of credentials, presumably for the purpose of creating and writing credential data).

Absolutely NONE of these things provide any sort of access to credentials via the expression variable mechanism.

This code in the credentials SOURCE CODE of an example community node, referenced from the “Building Community Nodes” docs page, is quite possibly the source of the AI hallucination. I guess if you consider that AI has toddler-confidence in what it “knows,” you could (maybe) see why it thinks that community-node development is not, strictly speaking, the same as “for internal callin.io coding or development.”

There is, however, one serious heads-up on security in callin.io. Credentials information CAN be retrieved in decrypted form using the callin.io CLI command. By default, callin.io allows executing commands from a workflow, so if you want to close that hole, you must configure the NODES_EXCLUDE environment variable in callin.io such that workflows cannot run the callin.io command (or any other command) via the Execute Command node.

 
Posted : 15/06/2025 12:41 am
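
A defensive check for the two points raised in this thread, as an added example that is not from any poster or from the project: it flags workflow parameters that reference the non-existent `$credentials` expression variable, and Execute Command nodes that `NODES_EXCLUDE` does not block. The node type name `n8n-nodes-base.executeCommand`, the JSON-array format of `NODES_EXCLUDE`, and the sample workflow are assumptions.

```javascript
// Added example. Assumptions: the Execute Command node type name below, and
// NODES_EXCLUDE holding a JSON array of node type names.
const EXEC_NODE = 'n8n-nodes-base.executeCommand';

// Parse NODES_EXCLUDE; a missing or malformed value excludes nothing.
function parseNodesExclude(raw) {
  if (!raw) return [];
  try {
    const list = JSON.parse(raw);
    return Array.isArray(list) ? list.filter((x) => typeof x === 'string') : [];
  } catch {
    return [];
  }
}

// Recursively collect paths of string parameters that reference $credentials.
function findCredentialExpressions(value, path = 'parameters', hits = []) {
  if (typeof value === 'string') {
    if (/\{\{[^}]*\$credentials\b/.test(value)) hits.push(path);
  } else if (value && typeof value === 'object') {
    for (const [k, v] of Object.entries(value)) {
      findCredentialExpressions(v, `${path}.${k}`, hits);
    }
  }
  return hits;
}

// Report unblocked Execute Command nodes and $credentials expressions.
function auditWorkflow(workflow, nodesExcludeRaw) {
  const excluded = parseNodesExclude(nodesExcludeRaw);
  const findings = [];
  for (const node of workflow.nodes || []) {
    if (node.type === EXEC_NODE && !excluded.includes(EXEC_NODE)) {
      findings.push({ node: node.name, issue: 'execute-command-allowed' });
    }
    for (const p of findCredentialExpressions(node.parameters)) {
      findings.push({ node: node.name, issue: 'unresolvable-$credentials', path: p });
    }
  }
  return findings;
}

// Constructed sample modelled on the test workflow described in the thread.
const sampleWorkflow = { name: 'credentials test', nodes: [
  { name: 'Set', type: 'n8n-nodes-base.set',
    parameters: { fields: [{ name: 'allMyCredentials', value: '={{ $credentials }}' }] } },
  { name: 'Run', type: EXEC_NODE, parameters: { command: 'echo hello' } },
] };
console.log(auditWorkflow(sampleWorkflow, process.env.NODES_EXCLUDE));
```

With `NODES_EXCLUDE` unset, the sample yields one finding per node; setting it to a JSON array containing the Execute Command type leaves only the `$credentials` finding.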