Guide intermediate

n8n's April Update Turns Its MCP Server Into a Workflow Builder, Plus 1Password and SSRF Hardening

n8n's April 2026 release lets agents create and update workflows through MCP, adds 1Password as an external secrets provider, and ships SSRF protection. Here's what changes for ops teams.

Published April 30, 2026 · Updated May 1, 2026 by Pondero Editorial
Table of Contents
Pondero, operated by Hildebrandt AI LLC, earns a commission from some links on this page. This does not influence our editorial decisions. Read our affiliate disclosure

n8n’s April Update Turns Its MCP Server Into a Workflow Builder, Plus 1Password and SSRF Hardening

In brief: n8n’s April 2026 release adds MCP workflow tools (agents can now create, update, publish, and unpublish workflows over MCP), 1Password Connect as an external secrets provider, and SSRF protection. Together these change how ops teams build and govern automations: agents move from running workflows to authoring them.

What Changed

The headline change is the MCP workflow tools. Previous versions of n8n’s MCP server let an agent execute existing workflows, but the agent couldn’t compose new ones. The April release flips that. With the new tools, an MCP client (Claude Code, Cursor, Windsurf, or any other MCP-aware agent) can now create new workflows, update existing ones, and publish or unpublish them through MCP. We tested this in n8n 2.14.0 beta, where the create/update workflow tools first appeared, and the publish/unpublish tools landed in the late-April releases shipped through April 22 to 29.

The second change is on the secrets side. n8n now supports 1Password Connect Server as an external secrets provider, joining HashiCorp Vault, AWS Secrets Manager, Azure Key Vault, and GCP Secret Manager. Secrets are fetched at runtime and never persisted inside n8n, so 1Password stays the single source of truth. This is on the Enterprise tier, which keeps it aimed squarely at teams that already have a 1Password Business deployment.

Third: SSRF protection ships as a configurable security setting. Server-Side Request Forgery is a real risk in any platform that takes user-supplied URLs and fetches them server-side, which is essentially every workflow node that hits an HTTP endpoint. The new config lets self-hosted operators block requests to internal IP ranges and metadata endpoints. Cloud customers get this enabled by default. The same release also tightened credential handling and shipped behavior fixes across Chat, Form, Slack, Notion, Todoist, and Facebook nodes, plus new role mapping and workflow archive/unarchive endpoints in the public API.

Why It Matters

For ops teams, the MCP workflow tools are the move that matters. Until this release, “AI-built automations” meant a human typed a prompt, a model generated a JSON spec, and someone hand-imported it into n8n. Now an agent can sit inside the loop. A Claude Code session can ask “audit our error-handling workflows,” fetch the workflow definitions through MCP, propose patches, and ship them, all without leaving the chat. That collapses the gap between “we want this automation” and “this automation is running” from a multi-step manual process to a single agent turn.

It also raises the governance question fast. If an agent can publish workflows, who reviews them? n8n’s role mapping and archive endpoints in the same release are not a coincidence; they’re the audit-trail scaffolding you need before you let an MCP client touch production. Pair the MCP tools with role mapping and you have a real path to a “draft via agent, approve via human, publish via API” pipeline.

The 1Password integration matters more than it looks. For mid-market ops teams, the secret-management story has been the friction point that kept n8n out of regulated environments. Most of those teams already use 1Password Business and don’t want to stand up Vault just to satisfy compliance. SSRF protection in the same release removes the other obvious objection from a security review.

How to Use It

To enable MCP workflow tools, upgrade to the latest n8n release (anything from the late-April 2026 batch, meaning 2.14.0 or newer). The MCP server is exposed through n8n’s instance-level MCP endpoint. Point your agent’s MCP client at it and you’ll see the new create_workflow, update_workflow, publish_workflow, and unpublish_workflow tools alongside the existing execute tools. Full reference is on n8n’s MCP server tools docs.

For 1Password: you’ll need n8n Enterprise plus a 1Password Connect Server deployment. Configure the external secrets provider in n8n’s settings, point it at your Connect endpoint with a service account token, and reference vault items in your credentials by path. Secrets resolve at runtime per execution.

For SSRF: self-hosted operators set the SSRF config via environment variables. The default-deny list covers loopback, link-local, and cloud metadata IPs. If your workflows legitimately call internal services, allow-list those ranges explicitly rather than disabling the protection.

A practical starting workflow we like: stand up an MCP connection from Cursor or Claude Code to your n8n instance, then ask the agent to audit existing workflows for missing error handling. Have it propose patches via update_workflow, but leave publish_workflow gated behind a manual review until you’ve built confidence in the agent’s edits.

This post is part of Pondero’s daily coverage of AI tool updates. See all guides →