feat(API): Add patch method for credentials public API

[guillaumejacquart]

Summary

Adds PATCH /credentials/:id to the public API for updating existing credentials.

Implementation:

• New PATCH endpoint with partial update support
• Validates data against credential type schemas
• Supports updating: name, type, data, isGlobal, isResolvable
• Added credential:update scope to permissions

isPartialData field behavior

Overview

Added optional isPartialData boolean field to the PATCH endpoint request body to control how credential data is updated.

Behavior

isPartialData: false (default)

• Replaces the entire data object with the provided data
• Only fields specified in the request will exist after the update
• Other fields are removed

isPartialData: true

• Merges provided data with existing decrypted credential data
• Preserves fields not included in the request
• Unredacts blanked values (e.g., fields with CREDENTIAL_BLANKING_VALUE keep their original values)
• Useful for updating specific fields without losing other credential data

Example

Replace mode (default):

PATCH /credentials/:id
{
  "data": {
    "apiKey": "new-key"
  }
}
// Result: Only apiKey exists, all other fields removed

Merge mode:

PATCH /credentials/:id
{
  "data": {
    "apiKey": "new-key"
  },
  "isPartialData": true
}
// Result: apiKey updated, all other fields preserved

Related Linear tickets, Github issues, and Community forum posts

Review / Merge checklist

• PR title and summary are descriptive. (conventions)
• Docs updated or follow-up ticket created.
• Tests included.
• PR Labeled with release/backport (if the PR is an urgent fix that needs to be backported)

[codecov]

Codecov Report

❌ Patch coverage is 85.56701% with 14 lines in your changes missing coverage. Please review.

Files with missing lines	Patch %	Lines
.../v1/handlers/credentials/credentials.middleware.ts	74.35%	10 Missing ⚠️
...api/v1/handlers/credentials/credentials.handler.ts	90.00%	2 Missing ⚠️
...api/v1/handlers/credentials/credentials.service.ts	94.44%	2 Missing ⚠️

📢 Thoughts on this report? Let us know!

[currents-bot]

✅

E2E Tests: n8n tests passed after 12m 56.6s

🟢 600 · 🔴 0 · ⚪️ 28 · 🟣 2

View Run Details

Run Details

• Project: n8n

• Groups: 2

• Framework: Playwright

• Run Status: Passed

• Commit: 5962761

• Spec files: 136

• Overall tests: 628

• Duration: 12m 56.6s

• Parallelization: 9

Groups

GroupId	Results	Spec Files Progress
multi-main:e2e	🟢 543 · 🔴 0 · ⚪️ 28 · 🟣 2	127 / 127
multi-main:e2e:isolated	🟢 57 · 🔴 0 · ⚪️ 0	9 / 9

---

This message was posted automatically by currents.dev | Integration Settings

[cubic-dev-ai]

5 issues found across 11 files

Prompt for AI agents (all 5 issues)

Check if these issues are valid — if so, understand the root cause of each and fix them.


<file name="packages/cli/src/public-api/v1/handlers/credentials/credentials.service.ts">

<violation number="1" location="packages/cli/src/public-api/v1/handlers/credentials/credentials.service.ts:150">
P2: Rule violated: **Prefer Typeguards over Type casting**

Type narrowing with `as CredentialsEntity` violates the rule to prefer type guards over type casting. The `getCredentials` function returns `ICredentialsDb | null`, but the repository actually returns `CredentialsEntity`. Consider updating `getCredentials` return type to `CredentialsEntity | null` to avoid the cast, or create a type guard if runtime validation is needed.</violation>

<violation number="2" location="packages/cli/src/public-api/v1/handlers/credentials/credentials.service.ts:168">
P1: OAuth token data is not preserved when `isPartialData` is false/undefined. Unlike the partial update branch which preserves `oauthTokenData`, the full replace branch will cause loss of OAuth tokens. This should preserve existing `oauthTokenData` like the partial mode does, consistent with the main `CredentialsService.prepareUpdateData` pattern.</violation>
</file>

<file name="packages/cli/src/public-api/v1/handlers/credentials/credentials.handler.ts">

<violation number="1" location="packages/cli/src/public-api/v1/handlers/credentials/credentials.handler.ts:75">
P2: Rule violated: **Prefer Typeguards over Type casting**

Avoid using `as CredentialsEntity` for type narrowing. The `updateCredential` function returns `ICredentialsDb | null`, while `sanitizeCredentials` expects `CredentialsEntity`. Instead of casting, consider updating `updateCredential`&#39;s return type to `CredentialsEntity | null` to match its actual behavior, or use a type guard if runtime validation is needed.</violation>

<violation number="2" location="packages/cli/src/public-api/v1/handlers/credentials/credentials.handler.ts:80">
P2: Error handling doesn&#39;t preserve `httpStatusCode` from errors that extend `ResponseError`. If underlying service methods throw errors with specific HTTP status codes, they&#39;ll incorrectly return 500. Consider checking for `httpStatusCode` property on errors to match the pattern used in `createCredential`.</violation>
</file>

<file name="packages/cli/src/credentials/credentials.service.ts">

<violation number="1" location="packages/cli/src/credentials/credentials.service.ts:466">
P2: Rule violated: **Prefer Typeguards over Type casting**

Use type annotation instead of `as` for type specification. According to the coding guidelines, prefer `const x: Type = value` over `const x = value as Type`.</violation>
</file>

_{Reply to cubic to teach it or ask questions. Re-run a review with @cubic-dev-ai review this PR}

[ireneea]

Looks good to me 👍 (just a nitpicking comment)

[ireneea]

[NIT] Is it worth mentioning that this is only relevant if they have the sharing license & the user has global scope.

Even if this is a patch endpoint I wonder if some users would just treat it as a post endpoint and pass the entire payload?

[n8n-assistant]

Got released with n8n@2.3.0