Skip to main content
After upgrading to a new platform version, always ensure that your installed component versions match the versions specified in the release notes. To verify this, navigate to FlowX.AI Designer > Platform Status.
Upgrading from 5.1.x LTS? This page describes the steady-state 5.9.0 deployment. For the architecture delta, deprecation list, and upgrade steps, see Migrating from 5.1 LTS.
Deployment packaging. 5.9.x is the last LTS release distributed as a multi-chart deployment, where each FlowX service is installed from its own Helm chart.
Platform Status screen showing component versions

Component versions

The following tables list component versions per FlowX.AI release. Verify your installed versions against the 5.9.0 column in FlowX.AI Designer → Platform Status.
Component5.9.05.8.05.7.05.6.05.5.05.4.0
process-engine10.135.010.106.010.96.010.77.010.60.010.38.0
admin10.116.010.93.010.83.010.66.010.53.010.38.0
designer10.230.210.181.010.164.010.127.310.91.010.59.1
cms-core10.86.010.67.010.58.010.43.010.35.010.22.0
scheduler-core10.70.010.53.010.45.010.31.010.25.010.15.0
events-gateway10.72.010.55.010.47.010.33.110.27.010.17.0
notification-plugin10.83.010.64.010.56.010.42.110.35.010.22.0
document-plugin10.94.010.75.010.64.010.46.010.35.010.23.0
task-management-plugin10.84.010.66.010.57.010.41.110.35.010.25.0
data-search10.69.010.52.010.44.010.30.110.25.010.14.0
audit-core10.79.010.63.010.54.010.40.010.31.010.21.0
advancing-controller10.73.010.55.010.45.010.33.110.27.010.16.0
integration-designer10.162.010.128.010.113.010.84.010.63.010.38.0
application-manager10.123.010.97.010.88.010.69.110.53.010.37.0
runtime-manager10.123.010.97.010.88.010.69.110.53.010.37.0
data-sync10.81.010.58.010.50.010.38.010.31.110.20.1
authorization-system10.96.110.77.010.68.010.51.010.42.110.28.0
nosql-db-runner10.75.010.56.010.48.010.34.010.27.010.17.0
email-gateway10.74.010.56.010.47.010.32.110.24.010.9.0
organization-manager10.71.010.53.010.44.010.26.110.19.2-
webhook-gateway10.44.010.25.010.15.010.1.1--
file-gateway10.8.0-----
license10.63.010.46.010.36.0---

Embedded components

  • SpiceDB

Renderers

Component5.9.05.8.05.7.05.6.05.5.05.4.0
@flowx/angular-sdk10.230.210.181.010.164.010.127.310.68.010.59.1
@flowx/angular-theme10.230.210.181.010.164.010.127.310.68.010.59.1
@flowx/angular-ui-toolkit10.230.210.181.010.164.010.127.310.68.010.59.1
@flowx/react-sdk10.230.210.181.010.164.010.127.310.68.010.59.1
@flowx/react-theme10.230.210.181.010.164.010.127.310.68.010.59.1
@flowx/react-ui-toolkit10.230.210.181.010.164.010.127.310.68.010.59.1
@flowx/react-native-sdk10.230.2-----
@flowx/react-native-theme10.230.2-----
@flowx/react-native-ui-toolkit10.230.2-----
@flowx/core-sdk10.230.210.181.010.164.010.127.310.68.010.59.1
@flowx/core-theme10.230.210.181.010.164.010.127.310.68.010.59.1
react-saas10.230.2-----
iOS renderer10.4.110.3.010.3.010.3.010.3.010.2.0
Android renderer10.5.010.3.010.3.010.3.010.3.010.2.0
The react-saas container app tracks the designer version.

Plugins

Component5.9.05.8.05.7.05.6.05.5.05.4.0
ocr-plugin1.0.191.0.171.0.171.0.171.0.171.0.17
reporting-plugin0.2.60.2.30.2.30.2.30.2.30.2.3

AI components

FlowX.AI groups AI services into four tiers by deployment role. AI Base components are the foundation; AI Runtime and AI Dev Time components both require Base to be installed first; AI Extensions are optional add-ons layered on top.

AI Base components

Foundation services. Install these before any Runtime or Dev Time component.
Component5.9.05.8.05.7.05.6.05.5.05.4.0
ai-platform-knowledgebase-indexer-v210.7.010.7.010.6.210.6.010.2.0-
ai-platform-knowledgebase-rag10.7.010.7.010.6.210.6.010.2.0-
ai-platform-embedder10.7.010.7.010.6.2---
doc-parser10.9.010.7.010.6.210.5.1--
qdrant------

AI Runtime components

Requires AI Base. Services that execute AI workloads at runtime.
Component5.9.05.8.05.7.05.6.05.5.05.4.0
ai-platform-agent-builder10.7.010.7.010.6.210.6.010.4.010.1.3
data-privacy10.1.010.1.010.0.8---
doc-converter10.2.310.2.310.2.310.2.2--
evals-judge10.1.1-----
speech-to-text10.3.4-----
web-crawler10.3.510.3.510.3.2---

AI Dev Time components

Requires AI Base. Services used at design time inside the Designer.
Component5.9.05.8.05.7.05.6.05.5.05.4.0
ai-gateway10.7.0-----
ai-platform-ai-analyst10.7.010.7.010.6.210.6.010.4.010.1.3
ai-platform-ai-assistant10.7.010.7.010.6.2---
ai-platform-ai-designer10.7.010.7.010.6.210.6.010.4.010.1.3
ai-platform-ai-developer10.7.010.7.010.6.210.6.010.4.010.1.3
ai-platform-planner10.7.010.7.010.6.210.6.010.4.010.1.3
di-platform10.3.110.3.010.3.010.3.010.2.610.2.5
flowx-docs5.9.0-----

AI Extensions (Plugins++)

Optional add-ons layered on the AI Platform.
Component5.9.05.8.05.7.05.6.05.5.05.4.0
modpod10.0.710.0.710.0.7---
ai-observatory10.3.2-----
FlowX.AI Version3rd Party DependencySupported VersionsDropped
5.9.0Keycloak26+
5.9.0Kafka3.9 - 4.23.8
5.9.0PostgreSQL16 - 18
5.9.0Oracle Database21c, 23ai
5.9.0MongoDB7 - 8
5.9.0Redis8.2+Versions older than 8.2
5.9.0Elasticsearch Sink Connector (*)15+
5.9.0Angular (Web SDK)20.3
5.9.0React (Web SDK)1918.x
Note that versions will be dropped from the supported list as support upstream is no longer provided. (*) Required only if using indexing via Kafka. Multiple sink connector implementations also work, as long as they are compatible with both the deployed Kafka and Elasticsearch version deployed.
LTS support policy. FlowX 5.9.x LTS family is supported for 2 years. Within that window, support for any third-party dependency is contingent on that dependency remaining supported by its upstream vendor. Once a version reaches upstream end-of-life, it is removed from the supported list and customers are expected to upgrade to a still-supported version, even if the FlowX LTS itself remains supported.

Kafka topics

Document-plugin archive and extract listeners

5.9.0 exposes four Kafka topics for the document-plugin archive and extract operations. Both follow the encrypt/decrypt trigger and reply pattern: document-plugin consumes the trigger.*.file topic and process-engine consumes the matching engine.receive.*.file.results reply.
TopicProducerConsumer
ai.flowx.plugin.document.trigger.archive.file.v1process-enginedocument-plugin
ai.flowx.engine.receive.plugin.document.archive.file.results.v1document-pluginprocess-engine
ai.flowx.plugin.document.trigger.extract.file.v1process-enginedocument-plugin
ai.flowx.engine.receive.plugin.document.extract.file.results.v1document-pluginprocess-engine
The four topic names are exposed as env vars on the document-plugin side (KAFKA_TOPIC_FILE_ARCHIVE_IN, KAFKA_TOPIC_FILE_ARCHIVE_OUT, KAFKA_TOPIC_FILE_EXTRACT_IN, KAFKA_TOPIC_FILE_EXTRACT_OUT). See Documents plugin setup → File archive / File extract. Two new thread-pool entries are added: KAFKA_CONSUMER_THREADPOOLS_THREADPOOLGENERIC_THREADCOUNTPERCONTAINER_FILEARCHIVEIN and ..._FILEEXTRACTIN, both defaulting to 5.

Document-plugin encrypt and decrypt listeners

The encrypt and decrypt operations follow the same trigger-and-reply pattern: process-engine produces the trigger.*.file topic and document-plugin replies on the matching engine.receive.*.file.results topic.
TopicProducerConsumer
ai.flowx.plugin.document.trigger.encrypt.file.v1process-enginedocument-plugin
ai.flowx.engine.receive.plugin.document.encrypt.file.results.v1document-pluginprocess-engine
ai.flowx.plugin.document.trigger.decrypt.file.v1process-enginedocument-plugin
ai.flowx.engine.receive.plugin.document.decrypt.file.results.v1document-pluginprocess-engine
The topic names are exposed as env vars on the document-plugin side: KAFKA_TOPIC_FILE_ENCRYPT_IN, KAFKA_TOPIC_FILE_ENCRYPT_OUT, KAFKA_TOPIC_FILE_DECRYPT_IN, KAFKA_TOPIC_FILE_DECRYPT_OUT.

AI Platform job topics

integration-designer dispatches asynchronous jobs to the standalone AI services over Kafka, using a request/response pair per service. Provision these topics when you deploy the corresponding AI service (see AI components above).
TopicProducerConsumer
ai.flowx.ai-platform.doc-parser.job.request.v1integration-designerdoc-parser
ai.flowx.ai-platform.doc-parser.job.response.v1doc-parserintegration-designer
ai.flowx.ai-platform.evals-judge.job.request.v1integration-designerevals-judge
ai.flowx.ai-platform.evals-judge.job.response.v1evals-judgeintegration-designer
ai.flowx.ai-platform.speech-to-text.job.request.v1integration-designerspeech-to-text
ai.flowx.ai-platform.speech-to-text.job.response.v1speech-to-textintegration-designer
On integration-designer the topic names are set via KAFKA_TOPIC_AI_<SERVICE>_JOB_REQUEST_OUT and ..._RESPONSE_IN (for example KAFKA_TOPIC_AI_EVALSJUDGE_JOB_REQUEST_OUT). Each service also has a dead-letter topic — ai.flowx.ai-platform.<service>.job.dlq.v1, set via KAFKA_TOPIC_AI_<SERVICE>_JOB_DLQ_IN — that integration-designer consumes for failed jobs.

UI Flow runtime triggers

process-engine consumes two trigger topics that back the UI Flow runtime cache and expiration features. update invalidates a cached UI Flow when its definition changes; expire removes expired UI Flow runtime data.
TopicProducerConsumer
ai.flowx.core.trigger.ui-flow.update.v1document-plugin, integration-designerprocess-engine
ai.flowx.core.trigger.expire.ui-flow.v1scheduler-coreprocess-engine
On process-engine these are set via KAFKA_TOPIC_UIFLOW_UPDATE_IN and KAFKA_TOPIC_UIFLOW_EXPIRE_IN; the producers expose KAFKA_TOPIC_UIFLOW_UPDATE_OUT. The expire trigger uses the platform scheduler: when a UI Flow session is created, process-engine registers a delayed message with scheduler-core, which publishes it back to this topic at the expiry time. It is consumed by a dedicated consumer group (KAFKA_CONSUMER_GROUPID_PROCESS_UIFLOWEXPIRE, default ui-flow-expire).

Environment variables

A configuration that blocks startup is a required configuration. If a service fails to start and its logs report a missing or empty configuration value, treat that value as required and provide it, even when it is not flagged as required here. These guides document the most common variables; they are not an exhaustive list of every value your deployment topology requires.

Data-sync: Keycloak admin credentials

The data-sync job provisions FlowX-managed end-user groups and runtime roles in Keycloak on first run, using the Keycloak admin API. Configure the following on the data-sync job:
Environment VariableDescriptionDefault ValueComponent
FLOWX_OPENID_PROVIDEROpenID provider type. Set to keycloak (the only supported provider).keycloakdata-sync
FLOWX_OPENID_SERVERURLBase URL of the Keycloak server, including the /auth/ path.-data-sync
FLOWX_OPENID_USERUsername of a Keycloak admin account that can manage groups and roles in the FlowX realm.-data-sync
FLOWX_OPENID_PASSWORDPassword for the admin account above. Store in a Kubernetes Secret.-data-sync
FLOWX_OPENID_CLIENTIDKeycloak admin client used to obtain the admin token. Typically admin-cli for standard Keycloak deployments. Must be set explicitly. There is no default.-data-sync
For full data-sync configuration, see Data-sync job setup.

Anonymous service account: shared client secret

5.9.x introduces a single shared service-account client, flowx-anonymous-sa, used by FlowX backend services for inter-service calls on anonymous (unauthenticated) runtime flows. One client secret is reused across all consumers — it must be provided in two places. On authorization-system — passed to Liquibase so the client is provisioned with the correct secret when FlowX manages Keycloak:
Environment VariableDescriptionDefault ValueComponent
SPRING_LIQUIBASE_PARAMETERS_SECRETS_SERVICEACCOUNTS_FLOWXANONYMOUSSAClient secret used by Liquibase to create the flowx-anonymous-sa client in the service-accounts realm at first boot. Required when SECURITY_KEYCLOAKADMINENABLED=true.-authorization-system
On every consuming service — the Spring Security OAuth2 client registration for the anonymousidentity alias resolves the same secret at runtime:
Environment VariableDescriptionDefault ValueComponent
SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_ANONYMOUSIDENTITY_CLIENTSECRETClient secret for the anonymousidentity registration. Must be the same value across every service — it is a single shared service account.-admin, application-manager, authorization-system, document-plugin, email-gateway, events-gateway, file-gateway, integration-designer, license, mock-server, nosql-db-runner, organization-manager, process-engine, scheduler-core, task-management-plugin, webhook-gateway
This is a secret. Store it in your secrets management solution (e.g., Kubernetes Secret, Vault) and reference it from there. Never commit it to version control.
For the Keycloak-side context (flowx-anonymous-sa client, SA_FLOWX_ANONYMOUS realm role, manual-configuration recipe for deployments without Keycloak admin access), see Manual Keycloak configuration.

Knowledgebase-rag: Qdrant search tuning

Two env vars control the fanout of dense and sparse Qdrant queries inside the knowledgebase-rag service. Defaults are tunable per environment.
Environment VariableDescriptionDefault ValueComponent
QDRANT_PREFETCH_LIMITMaximum points returned by each dense/sparse prefetch stage in a hybrid search before fusion.100knowledgebase-rag
QDRANT_FUSION_LIMITMaximum points returned after RRF fusion (hybrid search) or by a single-stage dense/keyword search. Caps the reranker input.80knowledgebase-rag
Raise both when recall is insufficient on very large or long-tailed Knowledge Bases. Lower them when Qdrant pods report memory pressure or filter-heavy queries time out.

CORS handling: APPLICATION_CORS_ALLOWORIGIN

CORS is enforced at the application layer. Each backend service exposed via admin or public URLs reads its allowed-origin list from a single environment variable. Allowed methods, allowed headers, exposed headers, and credential handling are baked into each service’s application.yaml with safe defaults. The 5.9.x default allow-headers set is Accept, Content-Type, Authorization, Fx-Workspace-Id, Fx-Client-Host, Referer, User-Agent, Flowx-Platform, X-Fx-Anonymous-Session-Id, Fx-BuildId, Fx-AppId, and X-Fx-Anonymous-Session-Id is exposed to the browser for anonymous runtime sessions. Only APPLICATION_CORS_ALLOWORIGIN is deployment-specific.
Environment VariableDescriptionDefault ValueComponent
APPLICATION_CORS_ALLOWORIGINComma-separated list of origins allowed to call this service from the browser. Supports wildcard subdomains (https://*.yourcompany.com). Must include every Designer, runtime renderer, and integration domain that calls FlowX APIs.-admin, ai-gateway, application-manager, audit-core, authorization-system, cms-core, document-plugin, events-gateway, file-gateway, integration-designer, license, notification-plugin, organization-manager, process-engine, runtime-manager, task-management-plugin, webhook-gateway
APPLICATION_CORS_EXPOSEDHEADERSResponse headers exposed to browser JavaScript. The default carries the anonymous-session header; override only if you need to expose additional custom headers.X-Fx-Anonymous-Session-Idall services (shared security library)
For migration guidance and the full list of removed NGINX CORS annotations, see Ingress routing and CORS.

Process-engine and integration-designer: native script engine

The default script engine for JavaScript and Python execution is a native subprocess pool. Scripts run in isolated Node.js and Python worker processes.
Environment VariableDescriptionDefault ValueComponent
APPLICATION_SCRIPTENGINE_PROVIDERScript engine providernativeprocess-engine, integration-designer
APPLICATION_SCRIPTENGINE_NATIVEENGINE_JS_POOLSIZENode.js worker pool size16process-engine, integration-designer
APPLICATION_SCRIPTENGINE_NATIVEENGINE_JS_EXECUTIONTIMEOUTMSJS script execution timeout (ms)5000process-engine, integration-designer
APPLICATION_SCRIPTENGINE_NATIVEENGINE_PYTHON_POOLSIZEPython worker pool size8process-engine, integration-designer
APPLICATION_SCRIPTENGINE_NATIVEENGINE_PYTHON_EXECUTIONTIMEOUTMSPython script execution timeout (ms)10000process-engine, integration-designer
To use GraalVM instead of the native engine, set APPLICATION_SCRIPTENGINE_PROVIDER=graalvm on both services.
Last modified on June 11, 2026