Skip to main content

Dependencies

Before setting up the plugin, ensure you have the following dependencies:
  • A MongoDB database for storing notification templates and records
  • Access to the Kafka instance used by the FlowX.AI Engine
  • A Redis instance for caching notification templates
  • An S3-compatible file storage solution (for example MinIO) if you need to attach documents to notifications

Authorization configuration

The Notifications plugin validates incoming tokens with the JWT public key mechanism. It does not initiate service-to-service calls, so it has no service-account client registration:
Upgrading from 5.1.x? Remove the legacy opaque-token env vars: SECURITY_OAUTH2_REALM, SECURITY_OAUTH2_CLIENT_CLIENTID, and SECURITY_OAUTH2_CLIENT_CLIENTSECRET. These belong to the removed introspection model and prevent the service from starting on 5.9.x. See the authentication and IAM migration guide for the full list.

MongoDB configuration

The only thing that needs to be configured is the DB access info, the rest will be handled by the plugin.

Redis configuration

Notification Plugin uses Redis for caching. Configure Redis connection using the standard Redis environment variables. Quick reference:
Both SPRING_DATA_REDIS_* and SPRING_REDIS_* variable prefixes are supported. The SPRING_DATA_REDIS_* prefix is the modern Spring Boot standard and is recommended for new deployments.
For advanced Redis deployment modes (Sentinel, Cluster) and SSL/TLS setup, see the Redis Configuration guide. Note that Sentinel and Cluster modes are only supported by the Events Gateway service.

Kafka configuration

Core Kafka settings

Consumer error handling

OAuth authentication (when using SASL_PLAINTEXT)

When using the kafka-auth profile, the security protocol will automatically be set to SASL_PLAINTEXT and the SASL mechanism will be set to OAUTHBEARER.

Topic naming configuration

Topic configurations

Each action in the service corresponds to a Kafka event on a specific topic. Configure the following topics:

OTP topics

Notification topics

Audit topic

Resource usages topics


File storage configuration

Based on use case you can use directly a file system or an S3 compatible cloud storage solution (for example min.io). The file storage solution can be configured using the following environment variables:
When using S3-compatible storage for notifications with attachments, the S3 user configured through APPLICATION_FILESTORAGE_S3_ACCESSKEY and APPLICATION_FILESTORAGE_S3_SECRETKEY must have read access to multiple buckets beyond its own:Required bucket access:
  • Own bucket - defined by APPLICATION_FILESTORAGE_S3_BUCKETPREFIX
  • Documents Plugin bucket - defined in the Documents Plugin configuration via APPLICATION_FILESTORAGE_S3_BUCKETPREFIX
  • CMS Core public bucket - defined in the CMS Core configuration via APPLICATION_FILESTORAGE_S3_BUCKETNAME
  • Integration Designer bucket - defined in the Integration Designer configuration via APPLICATION_FILESTORAGE_S3_BUCKETPREFIX
Ensure your S3 user has appropriate read permissions to all releva dnt buckets to avoid attachment failures.

SMTP setup

The Notifications plugin sends email over SMTP only. It does not support Microsoft 365 / Microsoft Graph authentication (Azure AD client secret or certificate). To send through Microsoft 365, configure a Microsoft Outlook data source in the Integration Designer — that path runs through the email-gateway and uses the MS Graph API. See Microsoft Outlook.
Configure SMTP settings for sending email notifications:

Advanced SMTP options

The notification plugin sends email through the simple-java-mail library, which auto-binds every simplejavamail.* property — set them as environment variables the same way as the values above. The options below come up most often when connecting to corporate SMTP relays:
These defaults load into the library’s global configuration, so they apply to all mailers the plugin creates — including the ones built dynamically for Email Sender systems configured in the Integration Designer, whose settings override only the connection fields (host, port, username, password, transport strategy). Changing SIMPLEJAVAMAIL_DEFAULTS_VERIFYSERVERIDENTITY or SIMPLEJAVAMAIL_DEFAULTS_TRUSTALLHOSTS therefore affects every configured email system.
For the full list of available properties (connection pooling, embedded image resolution, and more), see the simple-java-mail configuration reference.

Email attachments configuration

Configure handling of email attachments:

OTP configuration

Configure One-Time Password generation and validation:

Logging configuration

Control logging levels for different components:

CAS lib configuration


Usage notes

Topic naming convention

Topics follow a standardized naming convention:
  • Example: ai.flowx.plugin.notification.trigger.generate.otp.v1
  • Structure: {package}{environment}.{component}.{action}.{subject}.{version}

Consumer error handling

When KAFKA_CONSUMER_ERRORHANDLING_ENABLED is set to true:
  • The application will retry processing failed messages according to KAFKA_CONSUMER_ERRORHANDLING_RETRIES
  • Between retries, the application will wait for the duration specified by KAFKA_CONSUMER_ERRORHANDLING_RETRYINTERVAL
For example, if KAFKA_CONSUMER_ERRORHANDLING_RETRYINTERVAL is set to 5000 (5 seconds) and KAFKA_CONSUMER_ERROR_HANDLING_RETRIES is set to 5, the consumer application will make up to 5 attempts, waiting 5 seconds between each attempt.

Message size configuration

The KAFKA_MESSAGE_MAX_BYTES setting affects multiple Kafka properties:
  • spring.kafka.producer.properties.message.max.bytes
  • spring.kafka.producer.properties.max.request.size
  • spring.kafka.consumer.properties.max.partition.fetch.bytes

OAuth authentication

When using the ‘kafka-auth’ profile, the security protocol changes to ‘SASL_PLAINTEXT’ and requires OAuth configuration via the KAFKA_OAUTH_* variables.

Ingress and CORS

The Notification plugin is exposed externally on the admin host. Routing is configured through the FlowX Helm chart, which renders either a Kubernetes Ingress (default) or a Gateway API HTTPRoute per service. CORS handling lives in the service code; only the allowed-origins list is deployment-specific.

Service route

The path is set through services.notification-plugin.ingress.admin.path (or services.notification-plugin.gateway.admin.paths) in the chart values.

CORS configuration

Allowed methods, allowed headers (including Authorization, Content-Type, Fx-Workspace-Id), and credential handling are baked into the service’s application.yaml with safe defaults. Override these only if you have a non-standard requirement. For the complete route reference, Gateway API HTTPRoute configuration, and route customization, see the ingress configuration guide.

Troubleshooting

Common issues

Symptoms: Notification requests are accepted but emails or messages are never delivered.Solutions:
  1. Verify Kafka topics are correctly configured and the notification plugin is consuming from KAFKA_TOPIC_NOTIFICATION_INTERNAL_IN
  2. Check SMTP configuration (SIMPLEJAVAMAIL_SMTP_HOST, port, credentials) and ensure the SMTP server is reachable from the pod
  3. If using the Email Gateway for forwarding, verify KAFKA_TOPIC_NOTIFICATION_EXTERNAL_OUT is configured and the Email Gateway is running
  4. Check application logs for delivery errors by setting LOGGING_LEVEL_APP to DEBUG
Symptoms: OTP requests return errors or no OTP is generated.Solutions:
  1. Verify OTP configuration values (FLOWX_OTP_LENGTH, FLOWX_OTP_EXPIRETIMEINSECONDS) are set correctly
  2. Check that Kafka topics KAFKA_TOPIC_OTP_GENERATE_IN and KAFKA_TOPIC_OTP_GENERATE_OUT are created and accessible
  3. Ensure MongoDB is reachable and the notification plugin database has write permissions
  4. Verify Kafka consumer group SPRING_KAFKA_CONSUMER_GROUPID is not conflicting with another instance
Symptoms: Notifications are sent but contain raw template syntax or missing values.Solutions:
  1. Verify substitution tags in the template match the keys provided in the notification request payload
  2. Check that the Thymeleaf engine is functioning by reviewing logs at LOGGING_LEVEL_THYMELEAF set to DEBUG
  3. Ensure the template exists in MongoDB and is in the correct format
  4. Verify Redis cache is not serving stale templates — clear the cache or restart the plugin if templates were recently updated
Symptoms: Push notifications are not delivered to mobile devices.Solutions:
  1. Verify Firebase Cloud Messaging credentials are correctly configured
  2. Check that the target device has a valid FCM registration token
  3. Enable FCM client logging by setting LOGGING_LEVEL_FCM_CLIENT to DEBUG to inspect request/response details
  4. Ensure network policies allow outbound HTTPS traffic to Firebase servers (fcm.googleapis.com)

Sending Notifications

Learn how to configure and send notifications from your processes

Email Gateway Setup

Configure the Email Gateway for inbound and outbound email processing

Redis Configuration

Complete Redis setup including Sentinel and Cluster modes
Last modified on July 16, 2026