If your deployment only uses FlowX through Designer and the shipped renderer SDKs, you can skim this page. If you have custom API clients, custom integrations, or scripts that call the FlowX REST API directly, or if you wrote JavaScript or Python business rules / workflow scripts in your project, work through every section.
Process start metadata endpoint renamed
The endpoint that returns the JSON shape required to start a process was renamed and its response extended.
The response gains a
hasEmailTriggerStart boolean field that tells the caller whether the process can be started by an inbound email trigger. Existing response fields are unchanged.
Update any direct API clients, Postman collections, scripts, or upstream integration code that hard-codes the old path. The old path returns a 404 after upgrade.
Configure Environment Info feature deprecated
The Configure Environment Info feature, which let operators set a human-readable environment name (Dev / Staging / Production) from the Designer Platform Status page, is deprecated. Environment name now comes from organization registration and workspace types instead.PATCH /api/platform/environment endpoint removed
The endpoint that updated the environment name is removed. Any caller that issues a PATCH against this path receives a 404.
Fx-Organization-Id header mandatory for REST clients
Self-hosted deployments now run in single-organization mode by default. Every REST request that targets an organization-scoped endpoint must include the organization UUID as a request header:
Script runtime change for JavaScript and Python business rules
The default execution engine for JavaScript and Python business rules and workflow scripts moves from GraalVM polyglot contexts to a native subprocess pool (Node.js for JavaScript, CPython 3.11 for Python). The change is transparent for the vast majority of scripts, but a small subset that relied on GraalVM-specific behavior must be adapted, or kept on GraalVM via an opt-out environment variable.What you do not need to change
Scripts that only read frominput, write to output, and use language built-ins (object/dict access, arithmetic, string methods, JSON, the pre-loaded Python modules above) keep working without modification.
What to audit before upgrading
- Python
importstatements. Search Python business-rule and workflow scripts forimportlines that pull in modules outside the curated allowlist above. Narrow the script to use only allowed modules, or plan to stay on GraalVM via the opt-out env var below. - JavaScript
require(...),process,globalreferences. Search JavaScript scripts for these tokens. They were not officially part of the supported surface area but may have worked under GraalVM. Rewrite to use only the provided bindings, or stay on GraalVM. - Polyglot calls into Java classes. Search for
Java.type,java.util.,org.springframework.in scripts. These only worked under GraalVM and have no equivalent on the native engine. Stay on GraalVM if you depend on them.
How to keep the GraalVM engine
Set the following on bothprocess-engine and integration-designer:
Direct API clients using opaque tokens must switch to JWT
FlowX services moved to validating signed JWT bearer tokens against Keycloak’s public key. Opaque reference tokens, session cookies, and other non-JWT bearer strings are no longer accepted as the default and may not be supported at all on the affected services. Confirm with your FlowX representative if your integrations rely on them. This change is transparent for callers that already use JWT bearer tokens issued by Keycloak (Designer, renderer SDKs, anything using the standard OIDC flow). It only affects direct API clients that obtain non-JWT credentials. Such clients must obtain a signed JWT access token from Keycloak (standardclient_credentials or password grants returning a JWT) and pass it as Authorization: Bearer <jwt>.
See Authentication & IAM migration for the full Keycloak two-realm architecture and the service-account client renames that go alongside this change.
Pre-upgrade audit
For each of your custom API clients and integrations, confirm:1
Endpoint paths
Search your codebase, Postman collections, API gateway rules, and shell scripts for the strings
get-input-json and /api/platform/environment. Update the first to get-start-metadata; remove any PATCH calls to the second.2
Request headers
Confirm every REST call from custom code includes
Fx-Organization-Id. Add it via your HTTP client’s default-header configuration if not already centralized.3
Token format
Confirm every custom API client uses a JWT bearer token from Keycloak. Not an opaque reference token, session cookie, or API key. Update token-acquisition code if necessary.
4
JavaScript and Python scripts
Search business-rule and workflow scripts for: Python
import statements pulling modules outside the curated allowlist; JavaScript require(...), process, or global references; calls into Java classes (Java.type, java.util., org.springframework.). Adapt the scripts or set APPLICATION_SCRIPTENGINE_PROVIDER=graalvm on process-engine and integration-designer to keep the GraalVM engine.Related resources
Authentication & IAM migration
Keycloak two-realm architecture, service-account client renames, opaque-token removal.
Organization & deployment configuration
Organization UUID, single-org default mode, removed env-info env vars.
Kafka migration
Fx-Organization-Id on Kafka producers; new topics and ownership moves.Migration overview
Return to the migration hub.

