Monitoring for your self-hosted n8n.
If you self-host n8n, you don't want a monitoring tool reaching into your network. Keel works the other way around: a lightweight agent runs next to your instance and only makes outbound calls — nothing inbound, nothing exposed.
Monitoring shouldn't mean opening your network
Most monitoring assumes it can reach in to your instance. For self-hosted n8n behind a firewall, that means exposing ports or punching holes you'd rather not — and handing a third party access to your environment.
How Keel monitors self-hosted n8n
Outbound-only agent
Runs next to your n8n and makes outbound HTTPS calls only. No inbound ports, no exposure.
Your API key stays local
The agent holds the n8n API key on your box and uses it locally; it never reaches the SaaS.
Redacted metadata only
Secrets are stripped on the agent before anything leaves — only version-state and metadata are forwarded.
Works behind a firewall
Because it's outbound-only, it just works on-prem, in a VPC, or behind NAT.
Find out what changed before your client does.
Keel runs a lightweight agent next to your n8n — snapshots, diffs, alerts, and rollback, with your secrets and API key never leaving your box. Free forever on one instance.
Questions
Do I need to open ports to monitor self-hosted n8n?
No. Keel's agent is outbound-only — it makes HTTPS calls out and opens no inbound ports.
Does my n8n API key leave my server?
Never. The agent uses it locally to read workflow metadata; only redacted version-state is forwarded.
Will it work behind a firewall or NAT?
Yes — outbound-only means it works on-prem, in a VPC, or behind NAT with no network changes.
See every change before it breaks a client.
Point Keel at your n8n estate this week. Free 14-day trial, no card, your keys never leave your infrastructure.