How to Secure Your n8n Chatbot
A step-by-step guide to securing your n8n chatbot with authentication, domain restriction, geofencing, and rate limiting — no code required.
Manoj Kumar

You've built an n8n chatbot and embedded it on your site. But if you open your browser's network tab and send a message, you'll see exactly which endpoint it's talking to, fully visible to anyone who looks. Without any protection, your n8n workflow is open to spam, unauthorized access, and abuse from anywhere in the world.
The typical workaround is to put something in front of your n8n instance like Cloudflare, a custom proxy, or your own auth layer. But setting all of that up takes time, configuration, and usually code.
In this guide, you'll learn how to secure your n8n chatbot with authentication, domain restriction, geofencing, and rate limiting, all from a single dashboard, without writing a single line of code.
Why Your n8n Chatbot Needs Security
A typical n8n chatbot setup has the chat widget in the browser talking directly to your n8n webhook. This works fine for internal tools or quick prototypes. But for any public-facing deployment, it leaves your workflow exposed.
Anyone who opens the browser network tab can find the webhook endpoint. From there, they can send arbitrary requests to your n8n workflow, flooding it with spam, triggering unexpected executions, or simply putting unnecessary load on your infrastructure.
Unless you already have Cloudflare or a custom proxy in front of your n8n, your workflow has no protection.
Standalone vs Managed Chatbots
On n8nchatui.com, you get two types of chatbots. Understanding the difference is the key to getting security right.
With a Standalone chatbot, the widget in the browser talks directly to your n8n webhook. It's simple to set up and free to use, but the connection is exposed on the client side.
With a Managed chatbot, a secure proxy sits between your widget and your n8n backend. The widget never talks to your n8n workflow directly. Instead, all messages go through the proxy, which forwards them to your n8n. Your n8n webhook URL never reaches the browser, so your backend stays private.
The Managed type is also what unlocks the advanced security controls covered in this guide.
Want a full breakdown of both options? Read our Standalone vs Managed chatbot comparison before you start.
Step 1: Create a Managed Chatbot
Head to your dashboard and click Add Widget. When prompted, select Managed as the widget type and give it a name.
Once created, you'll land in the visual editor with a default chatbot ready to go. This is where you can customize every aspect of the design including colors, fonts, icons, and layout to match your brand. Everything updates in real time in the preview panel.
New to building n8n chatbots? Follow our step-by-step widget creation guide first to get familiar with the setup process.
Step 2: Configure Security Settings
The security controls are available from the settings panel right after you create your Managed chatbot. You don't need to connect your backend first.
Domain Restriction
Specify exactly which domains are allowed to run your chatbot. If someone copies your embed code and tries to use it on their own site, the chatbot won't load. This is the first line of defense against unauthorized use.
Geofencing
Control which countries can see and interact with your chatbot. By default, access is worldwide. You can switch to an allowlist and select only the countries you want to serve. Users from all other regions won't see the chatbot at all.
Rate Limiting
Set a maximum number of messages a user can send within a specific time window. You can also configure the error message shown when the limit is hit. This protects your n8n workflow from being overwhelmed by rapid-fire requests from a single user or a bot.
Step 3: Connect Your n8n Backend
Head to the Embed section and paste your n8n webhook URL into the connection field. By default, authentication is set to none, meaning any request can reach your webhook. For production, you'll want to add JWT authentication.
Setting Up JWT Authentication
To use JWT auth, you configure it in both n8n and the n8nchatui.com dashboard using the same secret and algorithm.
In n8n:
- Open the webhook node in your workflow
- Go to Authentication and select JWT Auth
- Create a new credential, set a strong secret, and choose an algorithm (HS512 recommended)
- Save and publish your workflow
In n8nchatui.com:
- Enter the same secret you used in n8n
- Select the same algorithm (HS512)
- Click Test Connection and Save
The dashboard makes a test request to your webhook to confirm the credentials match before you go live. Once verified, the embed code shown in the dashboard uses the proxy endpoint, not your n8n webhook, so your actual backend is never exposed.
Always test the connection from the dashboard before publishing. It's the fastest way to catch mismatched credentials or misconfigured webhooks before they become a live issue.
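To show why the secret and the algorithm must match on both sides, here is an added example (not code from n8n or n8nchatui.com) that signs and verifies an HMAC-based JWT with the Python standard library. The secret, the claims and the function names are constructed for illustration, and the check mirrors in general terms what a JWT-protected endpoint does with an incoming token.

```python
import base64, hashlib, hmac, json, time

ALGS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}
SECRET = b"constructed-demo-secret-not-a-real-credential"  # constructed sample value

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_jwt(claims: dict, secret: bytes, alg: str = "HS512") -> str:
    """Sending side: build header.payload and append an HMAC over it."""
    parts = [b64url(json.dumps(p, separators=(",", ":")).encode())
             for p in ({"alg": alg, "typ": "JWT"}, claims)]
    signing_input = ".".join(parts)
    mac = hmac.new(secret, signing_input.encode("ascii"), ALGS[alg]).digest()
    return f"{signing_input}.{b64url(mac)}"

def verify_jwt(token: str, secret: bytes, expected_alg: str = "HS512", now=None) -> dict:
    """Receiving side: pin the algorithm, check the MAC, then check expiry."""
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(head_b64))
        sig = b64url_decode(sig_b64)
    except ValueError as exc:
        raise ValueError("malformed token") from exc
    # Compare against the configured algorithm; never let the token choose it.
    if not isinstance(header, dict) or header.get("alg") != expected_alg:
        raise ValueError("algorithm mismatch")
    expected = hmac.new(secret, f"{head_b64}.{body_b64}".encode("ascii"),
                        ALGS[expected_alg]).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body_b64))
    if "exp" in claims and (time.time() if now is None else now) >= claims["exp"]:
        raise ValueError("token expired")
    return claims

def outcome(token: str, secret: bytes, **kw) -> str:
    """Return 'ok' or the rejection reason, for comparing configurations."""
    try:
        verify_jwt(token, secret, **kw)
        return "ok"
    except ValueError as exc:
        return str(exc)

if __name__ == "__main__":
    good = sign_jwt({"sub": "chat-widget", "exp": 2000}, SECRET)
    print(outcome(good, SECRET, now=1000))               # matching secret and algorithm
    print(outcome(good, b"different-secret", now=1000))  # secret mismatch
    print(outcome(sign_jwt({"sub": "x"}, SECRET, "HS256"), SECRET))  # algorithm mismatch
```

A token signed with the right secret but a different algorithm is rejected just like one signed with the wrong secret, which is the kind of mismatch the dashboard's Test Connection step is meant to surface.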
Step 4: Embed the Chatbot on Your Site
With everything configured, click Save and Publish and copy the embed code from the dashboard. Paste it into your website before the closing </body> tag.
This works on any platform:
- WordPress — paste into a Custom HTML block or the theme footer
- Framer — add it via Custom Code settings
- Wix — use the Embed HTML element
- Static HTML — paste directly into your HTML file
The URL in the embed code points to the proxy endpoint, not your n8n workflow. If you open the network tab and send a message, you'll see the proxy URL in the requests. Your actual backend is never visible.
Real-Time Dashboard Updates
Once the chatbot is live on your site, you can make changes from the dashboard and have them reflect instantly. No need to update the embed code or touch your site again.
Update colors, adjust the layout, change the welcome message, or tweak any security setting. Click Save and Apply and the live chatbot updates in real time.
Analytics and Workflow Health
Managed chatbots on n8nchatui.com include a built-in analytics dashboard. Once your chatbot is live and receiving messages, you get real-time visibility into how it's being used, who's using it, and where your traffic is coming from. You can also monitor your n8n workflow health and catch errors from chatbot interactions directly from the same dashboard.
For the full breakdown of what's available, see our n8n chatbot analytics guide.
Wrapping Up
Securing your n8n chatbot doesn't have to mean setting up a custom proxy, writing authentication middleware, or managing infrastructure. With Managed chatbots on n8nchatui.com, you get JWT authentication, domain restriction, geofencing, rate limiting, real-time analytics, and centralized management, all configured from a single dashboard, with no code required.