NodeBridge #5: The Prod Checklist, Part 2 (10 More Items)

Issue 5 • January 13, 2026

Last week we covered 16 items for error handling, data validation, and monitoring. Your workflows now catch failures, validate input, and log everything.

But they still might:

• Crash your n8n instance by processing 10,000 items at once
• Get your API accounts banned by exceeding rate limits
• Process the same order twice when a webhook fires multiple times
• Expose API keys in your workflow exports
• Leave you stranded when something breaks because there's no documentation

This week we finish the production checklist with 10 more items across Performance & Limits, Security, and Deployment. Plus the complete 26-item checklist you can print and use for every workflow you deploy.

The Checklist (Part 2 of 2)

This week covers the final 3 categories: Performance & Limits, Security, and Deployment.

4. Performance & Limits (4 Items)

4.1 Rate Limiting

What it is: Limit how many API calls or executions happen per minute to avoid hitting external rate limits.

Why it matters: APIs have rate limits (100 requests/minute, 10,000/day). Exceeding them bans your account or throttles requests.

How to implement: Add delays between API calls, batch operations, or use n8n's rate limit settings.

Example:

Loop through 1000 items
  |
Call API for each item
  |
Wait 100ms between calls (ensures max 600 calls/minute)

Test: Process large batch. Verify rate stays under limit.

4.2 Batch Processing

What it is: Process items in batches (100 at a time) instead of all at once.

Why it matters: Processing 10,000 items simultaneously will crash n8n or hit memory limits. Batching keeps resource usage manageable.

How to implement: Use Split In Batches node or custom code to chunk arrays.

Example:

Fetch 10,000 records
  |
Split In Batches (100 items per batch)
  |
Process batch
  |
Loop back until all batches done

Test: Process 1000+ items. Verify batching works and memory stays stable.

4.3 Timeout Settings

What it is: Set maximum execution time for workflows and nodes.

Why it matters: A stuck API call or infinite loop can hang workflows forever. Timeouts force failure and free resources.

How to implement: Node settings -> Timeout (ms). Workflow settings -> Execution Timeout.

Recommended: HTTP requests: 30s. Workflow: 5-10 minutes (adjust based on use case).

Test: Call an API that times out. Verify workflow fails gracefully after timeout.

4.4 Idempotency (Prevent Duplicate Processing)

What it is: Ensure the same webhook or trigger processed twice produces the same result without duplicates.

Why it matters: Webhooks can fire multiple times. Users can double-click submit buttons. Without idempotency, you'll process the same order twice.

How to implement: Use unique IDs. Before processing, check if ID already exists in database. If yes, skip.

Example:

Webhook receives order_id
  |
Check database: Does order_id exist?
  | (yes) Skip processing (already done)
  | (no) Process order, write order_id to database

Test: Send same webhook twice. Verify only one execution processes it.

5. Security (3 Items)

5.1 Webhook Authentication

What it is: Require authentication (API key, signature verification) for webhook endpoints.

Why it matters: Public webhooks can be abused. Anyone can send data to them. Authentication ensures only authorized sources trigger workflows.

How to implement: Check for API key in headers or verify webhook signature.

Example:

const expectedKey = 'your-secret-key';
const receivedKey = $('Webhook').item.json.headers['x-api-key'];
if (receivedKey !== expectedKey) {
  throw new Error('Unauthorized');
}

Test: Call webhook without API key. Verify it's rejected.

5.2 Environment Variables for Secrets

What it is: Store API keys, passwords, and tokens in environment variables, not hardcoded in workflows.

Why it matters: Hardcoded secrets are visible to anyone with workflow access. They're version-controlled and exposed in logs.

How to implement: Use n8n environment variables or credential system.

Example:

// Bad
const apiKey = 'sk_live_abc123';

// Good
const apiKey = $env.STRIPE_API_KEY;

Test: Export workflow JSON. Verify no secrets are visible.

5.3 Principle of Least Privilege

What it is: Use API credentials with minimum required permissions.

Why it matters: If credentials are compromised, limited permissions reduce damage. Don't use admin keys for read-only operations.

How to implement: Create service accounts or API keys with specific scopes (read-only, write to specific tables, etc.).

Example: Use "Read Contacts" permission for CRM sync, not "Full Account Access."

Test: Try to perform unauthorized action with limited credentials. Verify it's denied.

6. Deployment (3 Items)

6.1 Version Control for Workflows

What it is: Export and save workflow JSON to git after every significant change.

Why it matters: When a workflow breaks, you can roll back to the last working version.

How to implement: Export workflow JSON. Commit to git with descriptive message.

Example:

# Export workflow from n8n
# Save as workflows/customer-onboarding-v3.json
git add workflows/customer-onboarding-v3.json
git commit -m "Add email validation to customer onboarding"
git push

Test: Make breaking change. Verify you can restore from previous version.

6.2 Staging Environment

What it is: Test workflows in a staging environment before deploying to production.

Why it matters: Catches issues before they affect real users or data.

How to implement: Run a separate n8n instance (staging) that connects to test databases and test API accounts.

Best practice: Deploy to staging first. Test thoroughly. Then deploy to production.

Test: Break something in staging. Verify production is unaffected.

6.3 Deployment Documentation

What it is: Document what each workflow does, when it runs, what it depends on, and how to troubleshoot it.

Why it matters: Six months from now, you'll forget how it works. If someone else needs to maintain it, documentation is critical.

How to implement: Create a README for each workflow with:

• Purpose and trigger
• Input and output data
• External dependencies (APIs, databases)
• Common errors and fixes
• Last updated date

Example:

# Customer Onboarding Workflow

**Purpose:** When a new customer signs up, create accounts in CRM, email them, and notify sales team.

**Trigger:** Webhook from signup form

**Dependencies:**
- HubSpot API (CRM)
- SendGrid API (email)
- Slack API (notifications)

**Common Errors:**
- "Email failed": Check SendGrid API key
- "CRM sync failed": Check HubSpot rate limits

**Last Updated:** 2026-01-14

Test: Hand documentation to colleague. Verify they can understand and troubleshoot workflow.

The Complete Production Checklist (All 26 Items)

Print this. Use it for every workflow you deploy.

Error Handling (6 items):

• [ ] Error notifications configured
• [ ] Try/catch blocks on critical operations
• [ ] Graceful degradation for non-critical failures
• [ ] Retry logic with exponential backoff
• [ ] Dead letter queue for failed items
• [ ] Circuit breaker pattern for repeated failures

Data Validation (5 items):

• [ ] Input validation on webhooks
• [ ] Sanitize user input
• [ ] Null/undefined checks
• [ ] Data type validation
• [ ] Length and size limits

Monitoring & Logging (5 items):

• [ ] Execution logging
• [ ] Performance metrics tracking
• [ ] Health check endpoint
• [ ] Alerts on unusual patterns
• [ ] Weekly summary reports

Performance & Limits (4 items):

• [ ] Rate limiting configured
• [ ] Batch processing for large datasets
• [ ] Timeout settings on nodes and workflows
• [ ] Idempotency (prevent duplicate processing)

Security (3 items):

• [ ] Webhook authentication
• [ ] Environment variables for secrets
• [ ] Principle of least privilege (limited API permissions)

Deployment (3 items):

• [ ] Version control for workflows
• [ ] Staging environment testing
• [ ] Deployment documentation