Credentials
Voodflow provides a centralised, encrypted credential store so that API keys, tokens, and passwords are never embedded in node configurations. Nodes reference a credential by ID; the actual secret is resolved securely at runtime.
Credential Types
| Type | Use Case |
|---|---|
| bearer_token | APIs that use Authorization: Bearer <token> |
| api_token | Generic API key injected as Bearer token |
| basic_auth | HTTP Basic Authentication (username:password) |
| oauth2 | OAuth 2.0 flows (authorization_code, client_credentials) |
| smtp | Email SMTP credentials for Send Mail node |
| webhook_secret | HMAC signing secrets for outbound webhooks |
Creating a Credential
- Navigate to Voodflow → Credentials
- Click New Credential
- Choose the Type from the dropdown
- Fill in the required fields (token, username/password, etc.)
- Click Test Credential to verify connectivity (where supported)
- Save
Encryption
All credential values are stored using Laravel's encrypted:array cast:

    protected $casts = [
        'credentials' => 'encrypted:array',
    ];

This means the credentials JSON column is AES-256 encrypted using your APP_KEY. The plaintext is only available in memory after decryption by the PHP process.
Access Logs
Every time a credential is accessed during execution, Voodflow writes a record to voodflow_credential_access_logs:

    execution_id | credential_id | node_type | accessed_at

This audit trail is useful for security reviews and GDPR compliance.
Using Credentials in Nodes
Nodes that support credentials expose a Credential select field. When selected, the credential's secrets are injected into the HTTP client or mail driver at execution time without exposing them to the workflow definition.

    [HTTP Request Node]
    ├── URL: https://api.openai.com/v1/chat/completions
    ├── Method: POST
    └── Credential: "OpenAI Production" ← references Credential ID 3

The workflow JSON stored in the database contains only credential_id: 3, never the actual API key.
Rate Limiting
Credentials support optional rate limiting fields:
- rate_limit_per_minute — maximum requests per minute
- rate_limit_remaining — updated by the system after each use
- rate_limit_reset_at — when the limit resets
OAuth 2.0
For OAuth 2.0 credentials, Voodflow supports:
- Authorization Code flow with PKCE option
- Client Credentials flow
- Automatic token refresh
- Configurable scopes
- Custom authorize URL and token URL (for non-standard providers)
Security Best Practices
- Never put raw API keys in node URL or header fields; always use Credentials
- Rotate credentials regularly using the Credential edit form
- Use the Access Log to detect unexpected credential usage
- Restrict credential visibility per-user using Filament's policy system
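
One way to act on the Access Logs section and the "detect unexpected credential usage" practice above, as an added example that is not Voodflow's own code: a query that flags recent accesses where a credential is used by a node type it was never used by before a chosen cutoff. The table and column names come from this page; the column types, the node_type string values, the cutoff heuristic and the sample rows are assumptions constructed for the example, run here against an in-memory SQLite copy.

```python
import sqlite3

# Constructed sample rows; column names follow the page, types and node_type values are assumed.
SAMPLE_ROWS = [
    (101, 3, "http_request", "2024-05-01 09:00:00"),
    (102, 3, "http_request", "2024-05-02 09:00:00"),
    (103, 5, "send_mail",    "2024-05-02 10:30:00"),
    (104, 3, "http_request", "2024-05-08 09:00:00"),
    (105, 3, "send_mail",    "2024-05-08 02:14:00"),  # new node type for credential 3
    (106, 7, "http_request", "2024-05-08 02:15:00"),  # credential with no earlier history
]

def load_sample():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE voodflow_credential_access_logs ("
        "execution_id INTEGER, credential_id INTEGER, "
        "node_type TEXT, accessed_at TEXT)"
    )
    conn.executemany(
        "INSERT INTO voodflow_credential_access_logs VALUES (?, ?, ?, ?)",
        SAMPLE_ROWS,
    )
    return conn

QUERY = """
SELECT r.execution_id, r.credential_id, r.node_type, r.accessed_at,
       CASE WHEN EXISTS (SELECT 1 FROM voodflow_credential_access_logs b
                         WHERE b.credential_id = r.credential_id
                           AND b.accessed_at < :cutoff)
            THEN 'new_node_type' ELSE 'no_baseline' END AS reason
FROM voodflow_credential_access_logs r
WHERE r.accessed_at >= :cutoff
  AND NOT EXISTS (SELECT 1 FROM voodflow_credential_access_logs b
                  WHERE b.credential_id = r.credential_id
                    AND b.node_type = r.node_type
                    AND b.accessed_at < :cutoff)
ORDER BY r.accessed_at, r.execution_id
"""

def unexpected_accesses(conn, cutoff):
    """Return accesses on/after cutoff whose (credential, node type) pair
    never appears before cutoff, with the reason each was flagged."""
    return conn.execute(QUERY, {"cutoff": cutoff}).fetchall()

if __name__ == "__main__":
    for row in unexpected_accesses(load_sample(), "2024-05-03 00:00:00"):
        print(row)
```

The same SELECT can be run directly against the production database; rows flagged `no_baseline` are often just newly created credentials and need less attention than `new_node_type` rows.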