Merged · Size: M · Change breakdown: Feature 70%, Security 25%, Config 5%
#27969 feat(core): Add static key loading and startup validation for TrustedKeyService (no-changelog)

Trusted keys now validated and loaded at n8n startup

The token exchange module now validates and loads trusted public keys during startup, rejecting misconfigured keys before they reach production.

The token exchange module in n8n can now load trusted public keys at startup. Previously, the TrustedKeyService was a placeholder that returned nothing — JWT verification couldn't work without actual key material. Now administrators can configure trusted keys via the N8N_TOKEN_EXCHANGE_TRUSTED_KEYS environment variable, and those keys are parsed, validated, and stored in-process before the controller starts accepting requests.

The validation layer catches configuration errors early. Duplicate key IDs (kid) throw immediately. Algorithm families must be consistent: a key entry can't list RS256 alongside ES256. Key types must match their algorithms: an EC key can't be used with RS256, and an RSA key can't claim ES256 support. HMAC symmetric algorithms (HS256/HS384/HS512) and the "none" algorithm are rejected entirely, which closes the JWT algorithm-confusion class of bugs, where a verifier that accepts a symmetric alg can be tricked into treating the public key as an HMAC secret, or into accepting an unsigned token under alg "none". JWKS sources are recognised and logged but skipped for now, signalling that dynamic key fetching is a planned extension.

In the n8n CLI's token-exchange module, startup now fails if any trusted key fails validation, rather than letting the service misbehave silently at runtime. This shift-left approach means deployment pipelines catch configuration drift before users are affected.
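As an added illustration (not n8n's code, and the config entry shape below is an assumption, since the page does not show the N8N_TOKEN_EXCHANGE_TRUSTED_KEYS format), here is a TypeScript validator that applies the same checks the summary lists: duplicate kid detection, algorithm-family consistency, key type versus algorithm, HMAC and "none" rejection, PEM parsing, and JWKS entries that are warned about and skipped. It goes one step beyond the page by also checking that an EC key's curve matches its ES* algorithm. The sample keys are generated at runtime, so nothing here is real deployment material.

```typescript
import { createPublicKey, generateKeyPairSync, KeyObject } from 'crypto';

// Assumed entry shape: the real N8N_TOKEN_EXCHANGE_TRUSTED_KEYS schema is not shown on this page.
interface TrustedKeyConfig {
  kid: string;
  algorithms: string[];
  pem?: string;     // static public key in PEM form
  jwksUri?: string; // dynamic source: recognised but not yet supported
}

interface TrustedKey { kid: string; algorithms: string[]; key: KeyObject; }

type Family = 'rsa' | 'ec' | 'eddsa';

// Only asymmetric JWS algorithms are allowed. A verifier must never hold a secret that
// could also mint tokens, which rules out every HS* algorithm and "none".
const FAMILY_BY_ALG: Record<string, Family> = {
  RS256: 'rsa', RS384: 'rsa', RS512: 'rsa', PS256: 'rsa', PS384: 'rsa', PS512: 'rsa',
  ES256: 'ec', ES384: 'ec', ES512: 'ec', EdDSA: 'eddsa',
};

// Each ES* algorithm is bound to one curve (RFC 7518 section 3.4); Node reports OpenSSL curve names.
const CURVE_BY_ALG: Record<string, string[]> = {
  ES256: ['prime256v1', 'P-256'], ES384: ['secp384r1', 'P-384'], ES512: ['secp521r1', 'P-521'],
};

function keyFamily(key: KeyObject): Family | undefined {
  switch (key.asymmetricKeyType) {
    case 'rsa': case 'rsa-pss': return 'rsa';
    case 'ec': return 'ec';
    case 'ed25519': case 'ed448': return 'eddsa';
    default: return undefined;
  }
}

// Parses and validates every entry; throws on the first misconfiguration so startup fails fast.
function validateTrustedKeys(
  entries: TrustedKeyConfig[],
  warn: (msg: string) => void = console.warn,
): Map<string, TrustedKey> {
  const loaded = new Map<string, TrustedKey>();
  for (const entry of entries) {
    const where = `trusted key "${entry.kid}"`;
    if (entry.jwksUri) { warn(`${where}: JWKS sources are not supported yet, skipping`); continue; }
    if (loaded.has(entry.kid)) throw new Error(`duplicate kid "${entry.kid}"`);
    if (entry.algorithms.length === 0) throw new Error(`${where}: no algorithms listed`);

    // Every listed algorithm must be asymmetric and belong to a single key family.
    const families = new Set<Family>();
    for (const alg of entry.algorithms) {
      if (alg.toLowerCase() === 'none') throw new Error(`${where}: algorithm "none" is rejected`);
      if (/^HS\d{3}$/.test(alg)) throw new Error(`${where}: symmetric algorithm ${alg} is rejected`);
      const family = FAMILY_BY_ALG[alg];
      if (!family) throw new Error(`${where}: unsupported algorithm ${alg}`);
      families.add(family);
    }
    if (families.size !== 1) throw new Error(`${where}: mixed algorithm families ${Array.from(families).join(', ')}`);
    const wanted = Array.from(families)[0];

    // Parse the PEM, then make sure the key material really is of the family the algorithms need.
    if (!entry.pem) throw new Error(`${where}: no PEM and no JWKS source`);
    let key: KeyObject;
    try { key = createPublicKey(entry.pem); }
    catch (err) { throw new Error(`${where}: PEM parse failed: ${(err as Error).message}`); }
    if (keyFamily(key) !== wanted) {
      throw new Error(`${where}: ${key.asymmetricKeyType} key cannot serve ${wanted} algorithms`);
    }
    const curve = key.asymmetricKeyDetails?.namedCurve;
    for (const alg of entry.algorithms) {
      const allowed = CURVE_BY_ALG[alg];
      if (allowed && (!curve || allowed.indexOf(curve) === -1)) {
        throw new Error(`${where}: curve ${curve} does not match ${alg}`);
      }
    }
    loaded.set(entry.kid, { kid: entry.kid, algorithms: entry.algorithms, key });
  }
  return loaded;
}

// Constructed sample material: key pairs generated on the fly, not keys from any real deployment.
const toPem = (k: KeyObject) => k.export({ type: 'spki', format: 'pem' }) as string;
const rsaPem = toPem(generateKeyPairSync('rsa', { modulusLength: 2048 }).publicKey);
const ecPem = toPem(generateKeyPairSync('ec', { namedCurve: 'P-256' }).publicKey);

const goodConfig: TrustedKeyConfig[] = [
  { kid: 'issuer-rsa', algorithms: ['RS256', 'PS256'], pem: rsaPem },
  { kid: 'issuer-ec', algorithms: ['ES256'], pem: ecPem },
  { kid: 'issuer-jwks', algorithms: ['RS256'], jwksUri: 'https://issuer.example/.well-known/jwks.json' },
];

// Returns the startup error a misconfiguration would produce, or null when the config loads cleanly.
function rejectionMessage(entries: TrustedKeyConfig[]): string | null {
  try { validateTrustedKeys(entries, () => undefined); return null; }
  catch (err) { return (err as Error).message; }
}
```

Calling `validateTrustedKeys(goodConfig)` loads the RSA and EC entries, warns once about the JWKS entry, and returns a map of two keys; feeding it an EC key with RS256, an HS256 entry, or two entries sharing a kid throws before any request could be served, which is the fail-fast behaviour the PR describes.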

Original GitHub description

Summary

  • Implement TrustedKeyService.initialize() to parse, validate, and store trusted public keys from N8N_TOKEN_EXCHANGE_TRUSTED_KEYS config at module startup
  • Add comprehensive key validation: algorithm family consistency checks, PEM parsing, key-type/algorithm compatibility, duplicate kid detection, and HMAC/none algorithm rejection
  • JWKS key sources are recognised but not yet supported — they log a warning and are skipped
  • Add trustedKeys config field to TokenExchangeConfig (supports _FILE variant for secret management)
  • Wire TrustedKeyService.initialize() into TokenExchangeModule.initialize() so keys are loaded before the controller starts

Related Linear tickets, Github issues, and Community forum posts

https://linear.app/n8n/issue/IAM-460

Review / Merge checklist

  • PR title and summary are descriptive. (conventions)
  • Docs updated or follow-up ticket created.
  • Tests included.
  • PR Labeled with Backport to Beta, Backport to Stable, or Backport to v1 (if the PR is an urgent fix that needs to be backported)
© 2026 · via Gitpulse