n8n workflow JSON validator

Paste an n8n workflow export (the JSON you get from Download in the workflow menu, or from the n8n API). The validator runs a structural lint in your browser: missing fields, broken connections, orphan nodes, leaked credentials, deprecated node types. Nothing leaves the page. Share the result with a URL that reproduces your workflow on the other end.

Workflow JSON

Upload .json

Checks: JSON parse / required top-level fields / node shape / duplicate names & IDs / connection targets / orphan nodes / trigger presence / hardcoded secrets / HTTP timeout & retry / webhook responseMode / deprecated nodes / disabled triggers / expression references

Paste a workflow JSON on the left and hit Validate. Or load the sample to see a clean run.

What this validator checks

Structure

Valid JSON. Surfaces the parser's error position so you can jump to the bad character.
Top-level shape. nodes must be an array, connections must be an object. Optional but expected: name, settings.
Node shape. Each entry must have name (string), type (string), typeVersion (number), position (two-element array), parameters (object), and id (string). Missing fields are flagged as errors.
Uniqueness. Duplicate node names or duplicate node IDs are both errors; n8n itself refuses to import duplicates but partial merges sneak them in.

Wiring

Connection targets exist. Every source and destination in connections must reference an existing node name. A common dead-end after renaming a node by hand in the JSON.
At least one trigger. Workflows with no trigger node (manual, webhook, schedule, etc.) will never auto-run. Flagged as a warning - some testing workflows are intentionally manual-only.
Orphan nodes. Non-trigger nodes with no incoming connection are unreachable. Either a leftover from a deleted branch, or a node you forgot to wire up.
Disabled triggers. A trigger with disabled: true is fine in dev but a footgun in production. Surfaced as info.

Security & ops

Hardcoded secrets. Scans node parameters for patterns that look like API keys, OAuth tokens, JWTs, or AWS keys. n8n credentials reference IDs (encrypted on the server), so a literal sk-... in a parameter is almost always a leak. Re-key any secret this finds before sharing the workflow.
HTTP Request retries & timeouts. HTTP Request nodes without an explicit timeout or retry-on-failure setting can hang or silently drop transient errors. Warned, not errored - sometimes the default is what you want.
Webhook responseMode. Webhook nodes with responseMode set to lastNode on a long workflow will hold the connection open. Flagged as info so you can confirm it's intentional.

Drift

Deprecated node types. Catches the most common legacy types: n8n-nodes-base.function (use Code node), n8n-nodes-base.functionItem (use Code node), n8n-nodes-base.start (use Manual Trigger). These still run today but signal the workflow has not been touched in a while.
Old typeVersion. If a node's typeVersion is 1 on a node whose current version is 3+, that's a parameter-schema drift hazard. Surfaces as info - the validator does not have an exhaustive version map; treat it as a prompt to re-open the node and re-save.
Expression references. Scans parameter values for ={{ $node["Name"]... }} and {{ $('Name')... }} references. If the referenced node name does not exist in this workflow, you get a broken expression at runtime.

What this validator does not do

Run the workflow. No HTTP calls go out, no credentials are tested. Use n8n's own Execute Workflow for that.
Validate node-specific parameter schemas. There are hundreds of node types; we lint the workflow envelope, not each node's domain rules.
Send your JSON anywhere. Everything runs in the page. The share link encodes the workflow into the URL fragment (#w=...), which browsers never send to a server.

FAQ

Is my workflow JSON uploaded anywhere?

No. The validator runs entirely client-side; the page never makes a network call with your workflow. The share link puts the (gzipped, base64-encoded) JSON in the URL fragment after #, which browsers never send to a server. Of course, anyone you share the link with can read it - sanitise credentials and PII before sharing.

Why does it flag a hardcoded secret on an obviously fake string?

The secret scan is regex-based and intentionally noisy. It looks for shapes that match real keys (sk- prefixes, AWS access key patterns, JWT triple-dots, generic 32+ char hex blobs). Mark the warning as expected and move on - or replace the string with a credential reference for cleanliness.

An "orphan node" is on purpose - I keep a parked branch. Is that fine?

Yes. Orphans are surfaced because they're usually accidental, but parking a draft branch in the same workflow is a legitimate pattern. The validator can't tell intent; treat the warning as informational.

Where do I get the workflow JSON from n8n?

In the n8n editor, click the workflow menu (three dots top-right) and choose Download. Programmatically, GET /workflows/:id on the n8n REST API returns the same shape. Either format works here.

What's the #w= in the URL?

It's your workflow JSON, gzipped and base64-encoded into the URL fragment. The "Copy shareable link" button puts your current input into that fragment, so a teammate opening the link sees the same workflow loaded into the validator. Fragments never reach a server, so even on a shared link the JSON only lives between the two browsers that see the URL.

What does "Copy as Markdown" produce?

A short report you can paste into Slack, a GitHub issue, or a code review: pass/fail summary, error / warning / info counts, and a bulleted list of each issue with the node it points to. Same content as the on-screen result, in plain Markdown.

Want your n8n workflows reviewed?

AutomateLab does production-grade n8n workflow audits: structure, retries, error handling, observability, secret hygiene. Two-week engagement, written report, fix PRs against your repo.

Tell us about your setup