
node-add-oauth
★ 195,100by n8n-io · part of n8n-io/n8n
Add OAuth2 credential support to an existing n8n node — creates the credential file, updates the node, adds tests, and keeps the CLI constant in sync. Use when…
Add OAuth2 credential support to an existing n8n node — creates the credential file, updates the node, adds tests, and keeps the CLI constant in sync. Use when…
Inspect the full instructions your agent will receiveExpandCollapse
This is the exact playbook injected into your agent when the skill activates — shown here so you can audit it before installing. You don't need to read it to use the skill.
name: n8n:node-add-oauth description: Add OAuth2 credential support to an existing n8n node — creates the credential file, updates the node, adds tests, and keeps the CLI constant in sync. Use when the user says /node-add-oauth. argument-hint: "[node-name] [optional: custom-scopes flag or scope list]"
Overview
Add OAuth2 (Authorization Code / 3LO) support to an existing n8n node. Works for any third-party service that supports standard OAuth2.
Before starting, read comparable existing OAuth2 credential files and tests under
packages/nodes-base/credentials/ to understand the conventions used in this codebase
(e.g. DiscordOAuth2Api.credentials.ts, MicrosoftTeamsOAuth2Api.credentials.ts).
Step 0 — Parse arguments
Extract:
NODE_NAME: the service name (e.g.GitHub,Notion). Try to infer from the argument; if ambiguous, ask the user.CUSTOM_SCOPES: whether the credential should support user-defined scopes. If the argument does not make this clear, ask the user before proceeding:"Should users be able to customise the OAuth2 scopes for this credential, or should scopes be fixed?"
Step 1 — Explore the node
Read the following (adjust path conventions for the specific service):
- Node directory:
packages/nodes-base/nodes/{NODE_NAME}/- Find
*.node.ts(main node) and any*Trigger.node.ts - Find
GenericFunctions.ts(may be named differently) - Check if an
auth/versionsubdirectory exists
- Find
- Existing credentials:
packages/nodes-base/credentials/— look for existing{NODE_NAME}*Api.credentials.tsfiles to understand the naming convention and any auth method already in use. package.jsonatpackages/nodes-base/package.json— find where existing credentials for this node are registered (grep for the node name).
Step 2 — Research OAuth2 endpoints
Look up the service's OAuth2 documentation:
- Authorization URL
- Access Token URL
- Required auth query parameters (e.g.
prompt=consent,access_type=offline) - Default scopes needed for the node's existing operations
- Whether the API requires a cloudId / workspace ID lookup after the token exchange (Atlassian-style gateway APIs do; most services don't)
If you can't determine the endpoints confidently, ask the user to provide them.
Step 3 — Create the credential file
File: packages/nodes-base/credentials/{NODE_NAME}OAuth2Api.credentials.ts
import type { ICredentialType, INodeProperties } from 'n8n-workflow';
const defaultScopes = [/* minimum scopes for existing node operations */];
export class {NODE_NAME}OAuth2Api implements ICredentialType {
name = '{camelCase}OAuth2Api';
extends = ['oAuth2Api'];
displayName = '{Display Name} OAuth2 API';
documentationUrl = '{doc-slug}'; // matches docs.n8n.io/integrations/...
properties: INodeProperties[] = [
// Include service-specific fields the node needs to construct API calls
// (e.g. domain, workspace URL) — add BEFORE the hidden fields below.
{ displayName: 'Grant Type', name: 'grantType', type: 'hidden', default: 'authorizationCode' },
{ displayName: 'Authorization URL', name: 'authUrl', type: 'hidden', default: '{AUTH_URL}', required: true },
{ displayName: 'Access Token URL', name: 'accessTokenUrl', type: 'hidden', default: '{TOKEN_URL}', required: true },
// Only include authQueryParameters if the service requires extra query params:
{ displayName: 'Auth URI Query Parameters', name: 'authQueryParameters', type: 'hidden', default: '{QUERY_PARAMS}' },
{ displayName: 'Authentication', name: 'authentication', type: 'hidden', default: 'header' },
// ── Custom scopes block (ONLY when CUSTOM_SCOPES = yes) ──────────────
{
displayName: 'Custom Scopes',
name: 'customScopes',
type: 'boolean',
default: false,
description: 'Define custom scopes',
},
{
displayName:
'The default scopes needed for the node to work are already set. If you change these the node may not function correctly.',
name: 'customScopesNotice',
type: 'notice',
default: '',
displayOptions: { show: { customScopes: [true] } },
},
{
displayName: 'Enabled Scopes',
name: 'enabledScopes',
type: 'string',
displayOptions: { show: { customScopes: [true] } },
default: defaultScopes.join(' '),
description: 'Scopes that should be enabled',
},
// ── End custom scopes block ───────────────────────────────────────────
{
displayName: 'Scope',
name: 'scope',
type: 'hidden',
// Custom scopes: expression toggles between user value and defaults.
// Fixed scopes: use the literal defaultScopes string instead.
default:
'={{$self["customScopes"] ? $self["enabledScopes"] : "' + defaultScopes.join(' ') + '"}}',
},
];
}Rules:
- No
authenticateblock —oAuth2Apimachinery handles Bearer token injection automatically. - No
testblock — the OAuth dance validates the credential. defaultScopesat module level is the single source of truth: it populates both theenabledScopesdefault and thescopeexpression fallback. Update it in one place.- If the service needs a domain / workspace URL for API call construction, add it as a
visible
stringfield before the hidden fields.
Step 4 — Register the credential in package.json
File: packages/nodes-base/package.json
Find the n8n.credentials array and insert the new entry near other credentials for this
service (alphabetical ordering within the service's block):
"dist/credentials/{NODE_NAME}OAuth2Api.credentials.js",Step 5 — Update GENERIC_OAUTH2_CREDENTIALS_WITH_EDITABLE_SCOPE (custom scopes only)
Only do this step when CUSTOM_SCOPES = yes.
File: packages/cli/src/constants.ts
Add '{camelCase}OAuth2Api' to the GENERIC_OAUTH2_CREDENTIALS_WITH_EDITABLE_SCOPE
array. Without this, n8n deletes the user's custom scope on OAuth2 reconnect.
export const GENERIC_OAUTH2_CREDENTIALS_WITH_EDITABLE_SCOPE = [
'oAuth2Api',
'googleOAuth2Api',
'microsoftOAuth2Api',
'highLevelOAuth2Api',
'mcpOAuth2Api',
'{camelCase}OAuth2Api', // ← add this
];Step 6 — Update GenericFunctions.ts
6a — Standard services (token works directly against the instance URL)
Add an else if branch before the existing else fallback:
} else if ({versionParam} === '{camelCase}OAuth2') {
domain = (await this.getCredentials('{camelCase}OAuth2Api')).{domainField} as string;
credentialType = '{camelCase}OAuth2Api';
} else {6b — Gateway services requiring a workspace/cloud ID lookup
When the OAuth token is scoped for a gateway URL rather than the direct instance URL
(Atlassian's api.atlassian.com is the canonical example), add a module-level cache and
lookup helper before the main request function:
// Module-level cache: normalised domain → site/cloud ID
export const _cloudIdCache = new Map<string, string>();
async function getSiteId(
this: IHookFunctions | IExecuteFunctions | ILoadOptionsFunctions,
credentialType: string,
domain: string,
): Promise<string> {
const normalizedDomain = domain.replace(/\/$/, '');
if (_cloudIdCache.has(normalizedDomain)) return _cloudIdCache.get(normalizedDomain)!;
const resources = (await this.helpers.requestWithAuthentication.call(this, credentialType, {
uri: '{ACCESSIBLE_RESOURCES_ENDPOINT}',
json: true,
})) as Array<{ id: string; url: string }>;
const site = resources.find((r) => r.url === normalizedDomain);
if (!site) {
throw new NodeOperationError(
this.getNode(),
`No accessible site found for domain: ${domain}. Make sure the domain matches your site URL exactly.`,
);
}
_cloudIdCache.set(normalizedDomain, site.id);
return site.id;
}Then in the main request function:
} else if ({versionParam} === '{camelCase}OAuth2') {
const rawDomain = (await this.getCredentials('{camelCase}OAuth2Api')).domain as string;
credentialType = '{camelCase}OAuth2Api';
const siteId = await getSiteId.call(this, credentialType, rawDomain);
domain = `{GATEWAY_BASE_URL}/${siteId}`;
} else {The existing uri: \${domain}/rest${endpoint}`` construction then produces the correct
gateway URL automatically.
Add NodeOperationError to the n8n-workflow import if not already present.
Step 7 — Update the node file(s)
Main node (*.node.ts)
Credentials array — add an entry for the new credential type:
{
name: '{camelCase}OAuth2Api',
required: true,
displayOptions: { show: { {versionParam}: ['{camelCase}OAuth2'] } },
},Version/auth options — add to the {versionParam} (or equivalent) options list:
{ name: '{Display Name} (OAuth2)', value: '{camelCase}OAuth2' },Keep default unchanged — existing workflows must not be affected.
Trigger node (*Trigger.node.ts, if present)
Same two changes. Preserve any displayName label pattern already used by other credential
entries in that trigger node's credentials array.
Step 8 — Write credential tests
File: packages/nodes-base/credentials/test/{NODE_NAME}OAuth2Api.credentials.test.ts
Use ClientOAuth2 from @n8n/client-oauth2 and nock for HTTP mocking. Follow the
structure in MicrosoftTeamsOAuth2Api.credentials.test.ts.
Required test cases:
- Metadata — name, extends array,
enabledScopesdefault, auth URL, token URL,authQueryParametersdefault (if applicable). - Default scopes in authorization URI — call
oauthClient.code.getUri(), assert each default scope is present. - Token retrieval with default scopes — mock the token endpoint with
nock, calloauthClient.code.getToken(...), asserttoken.data.scopecontains each scope. - Custom scopes in authorization URI (skip when CUSTOM_SCOPES = no).
- Token retrieval with custom scopes (skip when CUSTOM_SCOPES = no).
- Minimal / different scope set (skip when CUSTOM_SCOPES = no) — assert scopes not in the set are absent from both the URI and token response.
Lifecycle hooks required:
beforeAll(() => { nock.disableNetConnect(); });
afterAll(() => { nock.restore(); });
afterEach(() => { nock.cleanAll(); });Step 9 — Update GenericFunctions.test.ts
In the credential-routing describe block:
- If a site-ID cache (
_cloudIdCache) was added, import it and call_cloudIdCache.clear()(or equivalent) inafterEach. - Add/update the OAuth2 routing test case:
- Simple routing: assert
getCredentialswas called with the correct credential name andrequestWithAuthenticationwas called with the correct name and URI. - Gateway lookup: mock
requestWithAuthenticationto return the accessible-resources payload on the first call and{}on the second. Assert the first call targets the resources endpoint and the second call uses the gateway base URL with the site ID.
- Simple routing: assert
Step 10 — Verify
# From packages/nodes-base/
pnpm test credentials/test/{NODE_NAME}OAuth2Api.credentials.test.ts
pnpm test nodes/{NODE_NAME}/__test__/GenericFunctions.test.ts
pnpm typecheck
pnpm lint
# Only when constants.ts was changed:
pushd ../cli && pnpm typecheck && popdFix any type errors before finishing. Never skip pnpm typecheck.
npx skills add https://github.com/n8n-io/n8n --skill node-add-oauthRun this in your project — your agent picks the skill up automatically.
No common issues documented yet. If you hit a problem, the repository's GitHub Issues page is the best place to look.