Skip to main content

What's New

Latest releases, features, and improvements to apptor flow.

v1.3.0 — February 2026

Webhooks

Receive events from external services and trigger workflows automatically. The webhook module is a complete, production-grade inbound event pipeline.

New

  • 14 built-in providers — GitHub, GitLab, Bitbucket, Shopify, WooCommerce, Stripe, Paddle, Slack, Razorpay, Square, BigCommerce, Standard Webhooks, Bearer Token, and No-Auth. Each provider has a verified signature algorithm — no configuration required.
  • Custom Provider wizard — for any service not on the list. Configure auth method (HMAC-SHA256/SHA1/SHA512, Bearer Token, Basic Auth, Custom Header, IP Whitelist, or None), signature header, signing input template, and payload mapping through a step-by-step UI wizard.
  • AES-256-GCM secret encryption — secrets encrypted at rest with a random IV per secret. Secrets are never logged or exposed after creation.
  • Secret rotation with zero-downtime overlap — generate a new secret while the old one stays active. Both work simultaneously during the grace period. Mark the old secret rotated only after confirming the new one works.
  • Event log — every inbound request is logged regardless of outcome. View headers (auth values redacted), full payload, event type, provider event ID, and trace ID.
  • Idempotency — duplicate events from the same provider (same provider event ID) are automatically detected and skipped.
  • Retry with exponential backoff — transient failures retried 7 times (1 min → 5 min → 15 min → 1 hr → 6 hr → 24 hr → DLQ).
  • Circuit breaker — endpoint automatically disabled after 5 consecutive verification failures. In-app notification sent to org. Manual reset after investigating.
  • Rate limiting — 100 requests/minute per endpoint, 1,000/minute per organization.
  • Test Mode — validate your signature configuration end-to-end without triggering flows.
  • Signature Validator — given a raw body and headers, compute and compare the expected signature.
  • Wait Node — pause a running flow and resume it when an external HTTP callback arrives. Supports configurable timeout with a separate timeout branch.
  • Audit log — immutable, append-only record of all configuration and security events. 13 action types. 7-year retention. Secrets never written.
  • GDPR tools — full data export (JSON download) and hard purge for compliance.
  • In-app notifications — bell icon in the admin header shows unread alerts for circuit breaker trips and DLQ accumulation.

Improved

  • Webhook endpoint URLs now use a random endpoint token (/webhook/receive/{token}) instead of exposing the registration ID.
  • Provider registry managed in the database — providers can be promoted from Beta to GA or deprecated without a code deployment.

v1.2.0 — January 2026

Voice, Knowledge Base & Public Workflows

New

  • Voice Task — automate outbound phone calls with Twilio and OpenAI voice models. Configure scripts, collect spoken responses, and branch based on what callers say. Responses are available as flow variables.
  • Knowledge Base (RAG) — upload documents (PDF, DOCX, TXT), chunk and embed them into a vector store, and query them from any AI Task using semantic search. Supports multiple knowledge bases per organization.
  • Memory Action node — persist and retrieve AI conversation context across flow executions. Useful for multi-turn chatbot workflows where context must survive between sessions.
  • Public Workflows — publish any workflow as a form accessible at /w/:slug with no login required. Supports A2UI-generated forms, file uploads, and real-time status feedback via SSE.
  • Tool Node — connect MCP (Model Context Protocol) servers to AI tasks. Expose any external capability (database lookup, API call, calculation) as a callable tool in your AI prompts.

Improved

  • AI Task now supports streaming responses via SSE for long-running generation tasks.
  • Knowledge base sync from Google Drive — documents updated in Drive are automatically re-chunked and re-indexed.
  • Process monitoring redesigned with per-node timing, token usage, and cost breakdown.

Fixed

  • Loop node variable isolation — variables set inside a loop no longer leak into the parent scope after the loop completes.
  • Subprocess timeout now correctly triggers boundary event when the subprocess itself has pending nodes.

v1.1.0 — December 2025

AI Tasks, Scripting & SQL

New

  • AI Task node — call any LLM (OpenAI, Anthropic, Mistral, Gemini) directly from a flow node. Configure model, system prompt, user prompt, and output variable. Supports JSON mode and structured output schemas.
  • Script Task — execute JavaScript or Python inline in a flow node using GraalVM Polyglot. Full access to flow variables. Useful for transformations, calculations, and light data processing without an external service.
  • SQL Plugin — execute SQL queries against PostgreSQL, MySQL, or SQL Server from a flow node. Supports parameterized queries with flow variables, and an AI-assisted mode that generates SQL from a natural language description.
  • Domain Task — integration layer for CRM and HRIS providers (HubSpot, Salesforce, Workday, etc.). Perform domain actions (create contact, update deal, sync employee) without writing provider-specific API code. Provider mappings are managed centrally.
  • Cron Scheduler — trigger flows on a cron schedule. Supports standard cron expressions with timezone configuration. Managed via the Triggers panel in the designer.

Improved

  • Service Task (REST) now supports OAuth2 token refresh — expired tokens are automatically refreshed using the stored refresh token before the request is sent.
  • Set Variable node now supports computed expressions using JUEL syntax for simple arithmetic and string operations.
  • Designer canvas performance improved for flows with more than 50 nodes.

Fixed

  • API Key rate limiting now correctly resets at the top of each minute window instead of rolling window drift.
  • Parallel gateway (split) correctly waits for all branches before proceeding when branches have different depths.

v1.0.0 — November 2025

Initial Release

New

  • Visual workflow designer — drag-and-drop canvas built on GoJS. Connect nodes with typed connections (sequence flow, success flow, error flow, timeout flow). Save drafts and publish versions.
  • Core node types — Start Event, End Event, Service Task (REST, Email, SMS), Set Variable, If-Else gateway, Parallel gateway, Loop node, Call Process, Subprocess, Input Node, Output Node.
  • Execution engine — actor-based asynchronous execution. Each node type runs in its own thread pool. Configurable thread counts per actor. Execution state fully persisted in PostgreSQL — restartable after crash.
  • Variable system{varName} template syntax in node properties. ${expression} JUEL syntax for conditions. Nested access ({order.customer.email}). Environment variable injection ({env.SECRET_NAME}).
  • Multi-tenant architecture — complete data isolation per organization. Every entity scoped to organizationId.
  • RBAC — role-based access control with granular permissions (Workflow, User, Organization, API Key, Secret, Execution, Admin). Roles are composable and org-scoped.
  • JWT authentication — OIDC-based login for the UI. Supports custom identity providers per organization.
  • API Key authenticationapk_ prefixed keys for machine-to-machine access. Rate limited, scoped by org, bcrypt-hashed at rest.
  • Secret management — encrypted secret storage with AWS Secrets Manager, file, or environment variable backends. Secrets resolved at execution time via {env.SECRET_NAME}.
  • Process monitoring — view all executions, per-node status, timing, error messages, and full variable state at any point in the execution.
  • Real-time log streaming — SSE endpoint streams live node execution logs to the UI during execution.
  • Version management — flows are versioned. Draft → Publish. Published version is the default for all triggers. Previous versions accessible for comparison and rollback.
  • REST Service Task — HTTP client supporting Basic Auth, OAuth2, and API Key authentication. Response body available as flow variable.
  • Email Service Task — send emails via Nylas API. Supports HTML templates with flow variable interpolation.
  • SMS Service Task — send SMS via configured provider.
  • Integrations — connect external services (Google Drive, CRM, HRIS) with OAuth credentials managed per organization.