Merged · Size: L · Change breakdown: Refactor 70%, Maintenance 30%
#28008 refactor(core): Extract API key auth into AuthStrategy pattern (no-changelog)

API key auth refactored into pluggable strategy pattern

Authentication logic for n8n's public API has been decoupled from the key management service, allowing future auth methods to be plugged in without touching core code.

The n8n public API had authentication logic bundled tightly inside the service responsible for managing API keys. That tight coupling made it difficult to add alternative authentication methods — like scoped JWTs for token exchange — without modifying the core auth handler.

A refactor introduces a strategy pattern that separates how a request is authenticated from where authentication is applied. The existing API key logic moves into a dedicated ApiKeyAuthStrategy class, registered with a new AuthStrategyRegistry that evaluates strategies sequentially; the first strategy to return a non-null result wins. Additional auth methods can be registered later without touching existing code: they append themselves to the registry during their own module initialization.
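To make the sequential-registry idea concrete, here is an added illustration in TypeScript. It is not n8n's code: the request and user shapes, the BearerTokenAuthStrategy, the demo keys and the decision to fail closed when a credential is present but invalid (rather than falling through to a later strategy) are all assumptions made for this example. The only name taken from n8n is the X-N8N-API-KEY header read by the API key strategy.

```typescript
// Added example of a sequential auth-strategy registry; not n8n's code.
// AuthRequest, AuthUser, BearerTokenAuthStrategy and all demo data are
// assumptions made for this illustration.
import { createHash } from 'node:crypto';

// Minimal stand-in for an Express request: only lower-cased headers matter here.
interface AuthRequest {
  headers: Record<string, string | undefined>;
}

interface AuthUser {
  id: string;
  label: string;
}

// Contract: return a user when the request carries a credential this strategy
// accepts; return null when the request is not addressed to this strategy at
// all (no relevant header) so the registry tries the next one; throw AuthError
// when a credential is present but bad, so a wrong key is reported instead of
// silently falling through to a weaker strategy (assumed policy).
interface AuthStrategy {
  readonly name: string;
  authenticate(req: AuthRequest): AuthUser | null;
}

class AuthError extends Error {}

class AuthStrategyRegistry {
  private readonly strategies: AuthStrategy[] = [];

  // Later modules append here during their own initialization; order matters,
  // because the first non-null result wins.
  register(strategy: AuthStrategy): void {
    this.strategies.push(strategy);
  }

  registered(): string[] {
    return this.strategies.map((s) => s.name);
  }

  authenticate(req: AuthRequest): AuthUser | null {
    for (const strategy of this.strategies) {
      const user = strategy.authenticate(req);
      if (user !== null) return user;
    }
    return null; // no strategy claimed the request: the caller answers 401
  }
}

function sha256Hex(value: string): string {
  return createHash('sha256').update(value).digest('hex');
}

// The store holds SHA-256 digests of keys rather than the keys themselves, so a
// leaked store yields no usable credential and the lookup is a hash-table probe
// on the digest rather than a string compare on the secret.
class ApiKeyAuthStrategy implements AuthStrategy {
  readonly name = 'api-key';

  constructor(private readonly usersByKeyDigest: Map<string, AuthUser>) {}

  authenticate(req: AuthRequest): AuthUser | null {
    const key = req.headers['x-n8n-api-key']; // the header n8n's public API reads
    if (key === undefined) return null;
    const user = this.usersByKeyDigest.get(sha256Hex(key));
    if (user === undefined) throw new AuthError('invalid API key');
    return user;
  }
}

// A second strategy, registered later without touching ApiKeyAuthStrategy.
class BearerTokenAuthStrategy implements AuthStrategy {
  readonly name = 'bearer';

  constructor(private readonly usersByTokenDigest: Map<string, AuthUser>) {}

  authenticate(req: AuthRequest): AuthUser | null {
    const auth = req.headers['authorization'];
    if (auth === undefined || !auth.startsWith('Bearer ')) return null;
    const user = this.usersByTokenDigest.get(sha256Hex(auth.slice('Bearer '.length)));
    if (user === undefined) throw new AuthError('invalid bearer token');
    return user;
  }
}

// Constructed demo data (not real credentials): one API key, one bearer token.
function buildDemoRegistry(): AuthStrategyRegistry {
  const registry = new AuthStrategyRegistry();
  registry.register(new ApiKeyAuthStrategy(new Map([[sha256Hex('demo-api-key-1'), { id: 'u1', label: 'alice' }]])));
  registry.register(new BearerTokenAuthStrategy(new Map([[sha256Hex('demo-bearer-1'), { id: 'u2', label: 'svc' }]])));
  return registry;
}

// Runs four constructed requests through the registry and reports the outcome of each.
function runDemo(): Record<string, string> {
  const registry = buildDemoRegistry();
  const cases: Record<string, AuthRequest> = {
    apiKey: { headers: { 'x-n8n-api-key': 'demo-api-key-1' } },
    bearer: { headers: { authorization: 'Bearer demo-bearer-1' } },
    none: { headers: {} },
    badKey: { headers: { 'x-n8n-api-key': 'wrong' } },
  };
  const out: Record<string, string> = {};
  for (const [label, req] of Object.entries(cases)) {
    try {
      const user = registry.authenticate(req);
      out[label] = user === null ? 'unauthenticated' : `user:${user.id}`;
    } catch (e) {
      out[label] = e instanceof AuthError ? `error:${e.message}` : 'error:unexpected';
    }
  }
  return out;
}
```

The point of the null-versus-throw split is the caveat a reviewer would raise about "first non-null wins": null must mean "not mine", not "rejected". If an invalid API key returned null, the request would fall through to every later strategy, and a permissive strategy appended by some future module could accept a request that the API key strategy had already identified as bad.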

Telemetry for the public-api-invoked event moved from the auth handler to the OpenAPI validator wrapper, where the API version is directly available instead of having to be parsed out of req.baseUrl.

This work lives in the @n8n/cli package's public API layer and supports future auth extensibility as part of a broader identity and access management initiative.

Original GitHub description

Summary

Extract the existing API key authentication logic from PublicApiKeyService.getAuthMiddleware() into a dedicated ApiKeyAuthStrategy class registered via an AuthStrategyRegistry. This introduces a strategy pattern so additional auth strategies (e.g. scoped JWT for token exchange) can be registered without modifying the core auth handler.

  • New ApiKeyAuthStrategy class with the same auth logic (header check, key validation, user loading, JWT expiry, legacy key support)
  • New AuthStrategyRegistry that evaluates strategies sequentially — first non-null result wins
  • Telemetry (public-api-invoked) moved to the OpenAPI validator handler wrapper, where version is directly available (no req.baseUrl parsing hack)
  • Constants (API_KEY_AUDIENCE, API_KEY_ISSUER, PREFIX_LEGACY_API_KEY) exported from PublicApiKeyService for reuse
  • Integration tests for the new strategy; all 492 existing public API tests pass unchanged

Related Linear tickets, GitHub issues, and Community forum posts

https://linear.app/n8n/issue/IAM-463

© 2026 · via Gitpulse