n8n Integration

Use Sirr as a secret store inside your n8n workflows. The @sirrlock/n8n-nodes-sirr community node gives you full access to secrets, audit logs, webhooks, and principal key management — all from the n8n canvas.

The n8n node uses the same authenticated HTTP API as the CLI and SDKs. TTL enforcement, read limits, and burn-after-read all work exactly the same.

Installation

Install the community node from npm into your n8n instance, or use the n8n UI.

npm

Install via npm

npm install @sirrlock/n8n-nodes-sirr

Restart n8n after installing. The Sirr node will appear in the node picker.

n8n UI

Go to Settings → Community Nodes, search for @sirrlock/n8n-nodes-sirr, and click Install.

Verify installation

# Check the node is available
n8n list:installed
# Should include @sirrlock/n8n-nodes-sirr

Credentials

Create a Sirr API credential in n8n before using the node.

  • Name
    Server URL
    Type
    string
    Description

    Base URL of your Sirr server. Defaults to http://localhost:39999.

  • Name
    API Token
    Type
    string
    Description

    Bearer token — your master key or a principal API key.

The credential uses Authorization: Bearer <token> for all requests except health checks, which are unauthenticated.

For multi-tenant mode, set the Organization ID field to route all operations to a specific org.

  • Name
    Organization ID
    Type
    string
    Description

    Org ID for multi-tenant mode. When set, secret, audit, and webhook operations are scoped to this org. The API Token must be a principal key with appropriate permissions. Leave empty for public bucket mode.

Credential fields

{
  "serverUrl": "https://sirr.example.com",
  "apiToken": "your-principal-key",
  "org": "your-org-id"
}

Operations

The Sirr node uses a resource/operation dropdown pattern. Select a resource, then pick an operation.

Secrets

Get — Retrieve a secret by key. Increments the read counter; burns the secret if max_reads is reached.

Push — Store a new secret with an optional TTL and max read count.

List — List all secret metadata (keys, TTLs, read counts). No values returned.

Delete — Delete a secret immediately regardless of TTL or read count.

Prune — Remove all expired secrets from the vault.

  • Name
    key
    Type
    string
    Description

    Secret key name (Get, Delete).

  • Name
    value
    Type
    string
    Description

    Secret value (Push).

  • Name
    ttl_seconds
    Type
    number
    Description

    Time-to-live in seconds. 0 = no expiry (Push).

  • Name
    max_reads
    Type
    number
    Description

    Maximum reads before burn. 0 = unlimited (Push).

Audit

Query — Search the audit log for recent events. Filter by timestamp, action type, and limit.

  • Name
    since
    Type
    number
    Description

    Only return events after this Unix timestamp.

  • Name
    action
    Type
    string
    Description

    Filter by action, e.g. secret.create, secret.read.

  • Name
    limit
    Type
    number
    Description

    Max events to return. Defaults to 50.

Webhooks

Create — Register a URL to receive event notifications. Returns a signing secret (shown once — save it).

List — List registered webhooks. Signing secrets are redacted.

Delete — Remove a webhook by ID.

  • Name
    url
    Type
    string
    Description

    Endpoint URL (Create).

  • Name
    events
    Type
    string
    Description

    Comma-separated event types. Empty = all events (Create).

  • Name
    webhookId
    Type
    string
    Description

    Webhook ID (Delete).

Principal (multi-tenant)

Get Me — Return the current principal's identity, org, role, and effective permissions. Requires a principal key.

Update Me — Set arbitrary key-value metadata on your principal record.

Create Key — Create a new named API key for the current principal. The raw token is returned once — save it immediately. Supports optional validity windows.

Delete Key — Revoke one of the current principal's keys by ID.

  • Name
    metadata
    Type
    object
    Description

    Key-value pairs to set on the principal (Update Me). Entered as repeatable Key / Value rows in the n8n UI.

  • Name
    name
    Type
    string
    Description

    Human-readable name for the new key (Create Key).

  • Name
    valid_for_seconds
    Type
    number
    Description

    Key validity duration in seconds from the moment of creation. Omit or set 0 for no expiry (Create Key).

  • Name
    valid_before
    Type
    number
    Description

    Hard expiry as a Unix timestamp — the key cannot be used after this point. Omit or set 0 for no limit (Create Key).

  • Name
    keyId
    Type
    string
    Description

    Key ID to revoke (Delete Key).

When the Organization ID credential field is set, all Secrets, Audit, Webhook, and Prune operations are automatically routed to the org-scoped endpoints (/orgs/{org_id}/...). Principal and Server operations are always global. No changes to existing workflows are needed beyond setting the credential field.

Server

Health Check — Verify the Sirr server is reachable. No authentication required.

Example workflow

A common pattern is to push a one-time secret, pass the key to a downstream service, and let Sirr handle expiration automatically.

Workflow: one-time secret handoff

┌─────────────┐     ┌─────────────┐     ┌─────────────┐
│   Trigger    │────▶│ Sirr: Push  │────▶│ HTTP Request│
│ (schedule)   │     │ Secret      │     │ (send key)  │
└─────────────┘     └─────────────┘     └─────────────┘
                    key: "deploy-token"
                    ttl: 3600
                    max_reads: 1
  1. Sirr → Push Secret — store a generated token with ttl_seconds: 3600 and max_reads: 1
  2. HTTP Request — send the secret key to a downstream service
  3. The downstream service calls Sirr to retrieve the secret once — it burns automatically

For CI/CD pipelines, combine with the Audit → Query operation to verify that secrets were consumed as expected.

Was this page helpful?