I built a free, open-source tool to anonymize n8n workflow JSON before sharing (runs 100% in your browser)
▲ 15 r/n8n_ai_agents+2 crossposts

I built a free, open-source tool to anonymize n8n workflow JSON before sharing (runs 100% in your browser)

There are a few tools out there that do something like this, but they're closed source, and a couple even send your workflow to a server or an LLM to do the "sanitizing." That kind of defeats the whole point: if you have to hand your private data to someone else in the first step, it was never private. For a tool whose entire job is protecting sensitive data, "trust us, we won't look" isn't good enough.

So I made n8nRedact. Paste or drop a workflow, get a sanitized copy back.

First, the problem. n8n doesn't strip anything on export. Even though your actual credentials aren't in the JSON, a surprising amount still leaks: credential names, cURL auth headers in HTTP Request nodes, Airtable base/table IDs, Postgres table names, Notion page IDs, Telegram chat IDs, hardcoded URLs and emails, your instance ID, and webhook tokens buried inside URLs.

What it does:

- Detects and replaces the sensitive stuff: credentials/keys, emails, URLs, UUIDs and hex IDs, Airtable/DB resource IDs, Telegram chat IDs (string and numeric), phone numbers, instance IDs, and more.

- Format-preserving. john@acme.com becomes user1@example.com, not [REDACTED]. The output stays a valid, importable workflow.

- Deterministic. The same value always maps to the same fake, so cross-node references still line up.

- Side-by-side diff so you see exactly what changed.

- Toggle rules on/off, with live counts of what was found.

- n8n expressions (={{ $json.foo }}) are preserved, not mangled.

Why you should be able to trust it:

- 100% client-side. Nothing is uploaded, and it can't be. There's a Content-Security-Policy with connect-src 'none' that physically blocks the browser from making any network request. Even a compromised dependency couldn't exfiltrate your paste. There's an automated test that fires a fetch and asserts the browser blocks it.

- Open source, so you can verify all of the above instead of taking my word for it.

- Works offline after first load.

Free, no accounts, no analytics, no cookies.

Repo: https://github.com/Shuffzord/n8nRedact

Live: https://shuffzord.github.io/n8nRedact/

Would love feedback, especially edge cases where it misses something or over-scrubs. If you've got a weird node type that leaks in a way I haven't handled, drop an example (anonymized 😉) and I'll add a rule.

u/No_Ad_9338 — 17 hours ago