Step by Step Guide to solve n8n MySQL Node Authentication Error
Who this is for: n8n developers and ops engineers who need a reliable MySQL connection in production workflows. We cover this in detail in the n8n Node Specific Errors Guide.
Quick Diagnosis
| Step | Action | Result |
|---|---|---|
| 1. | Verify username, password, host, and port in the MySQL credential record (Settings → Credentials → MySQL) | Correct credentials are saved |
| 2. | Test the connection outside n8n (e.g., mysql -u <user> -p -h <host> -P <port>). If it fails, adjust MySQL user privileges or host whitelist. |
Confirms MySQL server accepts the login |
| 3. | For MySQL 8, set the authentication plugin to mysql_native_password or enable caching_sha2_password via the node’s authPlugin option. |
Node negotiates the right auth method |
Re‑run the workflow after the appropriate step – the node should connect without error.
1. What Triggers the “Authentication Error” in n8n?
If you encounter any n8n google sheets node auth failure resolve them before continuing with the setup.
| n8n Error Message | Typical MySQL Cause |
|---|---|
| Access denied for user ‘user’@’host’ (using password: YES) | Wrong password, wrong user, or host not allowed in MySQL grant table |
| ER_ACCESS_DENIED_ERROR | Same as above, plus possible mismatched authentication plugin (MySQL 8 default) |
| Could not connect to MySQL server | Wrong host/port, firewall, or DNS resolution issue |
| SSL connection is required | Server forces TLS but node is not configured for SSL |
These messages appear before any query runs, so the problem lies in the connection handshake, not the workflow logic.
2. Verify the MySQL Credential Record in n8n
If you encounter any n8n smtp node authentication error resolve them before continuing with the setup.
Micro‑summary: Ensure the credential fields match exactly what MySQL expects.
| Field | Example | Common Pitfalls |
|---|---|---|
| User | app_user | Typos, case‑sensitivity |
| Password | S3cureP@ss! | Leading/trailing spaces, hidden characters |
| Host | db.example.com or 127.0.0.1 | localhost inside Docker resolves to the container, not the host |
| Port | 3306 | Non‑standard ports (e.g., 3307) must be set |
| Database | analytics | Optional – can be left blank for cross‑DB queries |
| SSL | Enabled + certs | Required only if server forces TLS |
EEFA Note: Never store plaintext passwords in the UI when running n8n in production. Use environment variables (
MYSQL_USER,MYSQL_PASSWORD) and enable Credential Secrets in the n8n config.
2.1. Using Environment Variables
# .env (do NOT commit this file) MYSQL_HOST=db.example.com MYSQL_PORT=3306 MYSQL_USER=app_user MYSQL_PASSWORD=S3cureP@ss!
In the n8n UI, set each credential field to the corresponding expression, e.g. {{ $env.MYSQL_USER }}. This keeps secrets out of the UI and version control.
3. Test the Connection Outside n8n
Micro‑summary: Validate that the MySQL server accepts the credentials from the same host/container where n8n runs.
3.1. Basic connectivity test
mysql -u app_user -p -h db.example.com -P 3306 -e "SELECT 1;"
3.2. SSL‑required test
mysql -u app_user -p -h db.example.com -P 3306 \ --ssl-mode=REQUIRED \ --ssl-ca=/path/to/ca.pem \ -e "SELECT 1;"
*If both commands succeed, the server accepts the login; the issue is likely n8n‑specific.*
3.3. Grant access when the test fails
-- Allow the n8n host (replace 'n8n_host_ip') CREATE USER 'app_user'@'n8n_host_ip' IDENTIFIED BY 'S3cureP@ss!'; GRANT SELECT, INSERT, UPDATE ON analytics.* TO 'app_user'@'n8n_host_ip'; FLUSH PRIVILEGES;
EEFA Warning: Grant only the privileges required by the workflow. Avoid
GRANT ALLon*.*in production.
4. MySQL 8 Authentication Plugin Mismatch
If you encounter any n8n slack node permission denied resolve them before continuing.
MySQL 8 defaults to caching_sha2_password. Older n8n versions may still expect mysql_native_password.
4.1. Switch the MySQL user to mysql_native_password
ALTER USER 'app_user'@'%' IDENTIFIED WITH mysql_native_password BY 'S3cureP@ss!'; FLUSH PRIVILEGES;
4.2. Tell n8n to use caching_sha2_password
{
"authPlugin": "caching_sha2_password"
}
EEFA Tip: When using managed services (AWS RDS, Azure Database for MySQL), the default plugin is often
caching_sha2_password. Prefer using the driver‑native method rather than forcingmysql_native_password.
5. Host and Network Nuances (Docker, Kubernetes, Cloud)
| Environment | Common Host Issue | Fix |
|---|---|---|
| Docker (single‑container) | localhost points to the container itself, not the host DB. | Use host.docker.internal (Mac/Win) or the host’s IP address. |
| Docker‑Compose (multiple services) | Service name not reachable due to missing network alias. | Reference the MySQL service name defined in docker-compose.yml. |
| Kubernetes | Pods have distinct IPs; MySQL service may be ClusterIP. |
Use the service DNS (mysql.default.svc.cluster.local) and ensure the MySQL pod allows connections from the n8n pod’s service account. |
| Cloud (AWS RDS, GCP Cloud SQL) | Public IP blocked by security group or VPC firewall. | Add the n8n instance’s IP to the RDS “Authorized Networks” list. |
5.1. Example Docker‑Compose (split for readability)
MySQL service definition
mysql:
image: mysql:8
environment:
MYSQL_ROOT_PASSWORD: rootPass!
MYSQL_DATABASE: n8n
MYSQL_USER: ${MYSQL_USER}
MYSQL_PASSWORD: ${MYSQL_PASSWORD}
ports:
- "3306:3306"
n8n service definition
n8n:
image: n8nio/n8n
environment:
- DB_TYPE=mysqldb
- DB_MYSQLDB_HOST=mysql
- DB_MYSQLDB_PORT=3306
- DB_MYSQLDB_USER=${MYSQL_USER}
- DB_MYSQLDB_PASSWORD=${MYSQL_PASSWORD}
ports:
- "5678:5678"
depends_on:
- mysql
In this setup, the host field for the MySQL credential should be mysql, not localhost.
6. SSL/TLS Configuration (When Required)
- Obtain the CA certificate (
ca.pem), client certificate (client-cert.pem), and client key (client-key.pem). - Upload them in Credentials → MySQL → SSL or mount them into the container and reference via environment variables.
{
"ssl": {
"ca": "/secrets/ca.pem",
"cert": "/secrets/client-cert.pem",
"key": "/secrets/client-key.pem",
"rejectUnauthorized": true
}
}
EEFA Reminder: Setting
rejectUnauthorized: falsedisables server‑certificate verification – never use in production.
7. Full Troubleshooting Checklist
| Steps | Check | How to Verify |
|---|---|---|
| 1 | Username & password correct in n8n UI | Re‑enter, then test via CLI |
| 2 | Host resolves from n8n container | ping db.example.com inside container |
| 3 | Port open (default 3306) | nc -zv db.example.com 3306 |
| 4 | MySQL user allowed from n8n IP | SELECT host FROM mysql.user WHERE user='app_user'; |
| 5 | Authentication plugin compatible | SELECT plugin FROM mysql.user WHERE user='app_user'; |
| 6 | SSL/TLS settings match server requirement | Compare SHOW VARIABLES LIKE '%ssl%'; |
| 7 | No firewall / security‑group block | Verify inbound rule for n8n IP |
| 8 | Credentials stored as env vars (prod) | echo $MYSQL_PASSWORD inside container |
| 9 | n8n logs show detailed error (n8n start --log-level debug) |
Look for mysql2 stack trace |
Fix any failing item, then re‑run the workflow.
8. Re‑creating the MySQL Credential via n8n API (Advanced)
Micro‑summary: Automate credential provisioning for CI/CD pipelines.
8.1. POST request (header section)
curl -X POST "https://n8n.example.com/rest/v1/credentials" \ -H "Authorization: Bearer $API_TOKEN" \ -H "Content-Type: application/json" \
8.2. Payload (credential data)
{
"name": "MySQL Production",
"type": "mySql",
"nodes": [],
"data": {
"user": "{{ $env.MYSQL_USER }}",
"password": "{{ $env.MYSQL_PASSWORD }}",
"host": "{{ $env.MYSQL_HOST }}",
"port": "{{ $env.MYSQL_PORT }}",
"database": "analytics",
"ssl": false
}
}
After creation, select Credential → MySQL Production in the MySQL node.
9. Capture the Raw Driver Error (Last‑resort Debug)
Enable debug logging for the underlying mysql2 driver:
export NODE_DEBUG=mysql2 n8n start
The console will display the exact packet exchange, helping you pinpoint mismatched authentication plugins or SSL handshake failures.
Conclusion
The MySQL node authentication error in n8n almost always stems from one of three root causes: incorrect credential fields, network/host mismatches, or an authentication‑plugin conflict introduced by MySQL 8. By systematically verifying credentials, testing connectivity from the same runtime environment, and aligning the authentication plugin (or configuring SSL when required), you can resolve the error quickly and keep your workflows running reliably. Apply the checklist, store secrets via environment variables, and use the API for reproducible credential management to maintain a secure, production‑grade n8n installation.
