Skip to main content
FlowFn
IntegrationsTemplatesPricingDocsBlogSign inStart free
All documentation

v1.4.0

UpdatedMay 28, 2026Reading time5 min read

Released 2026-05-28. Agent guardrails + MCP setup. The interactive (public chat) surface gets serious prompt-injection defences, the team can finally bind Notion + a handful of other OAuth tools as MCP servers without admin help, and per-message max_tokens moves to a layered system with plan caps.

MCP for OAuth tools

Notion, Linear, Asana, PayPal, Intercom, Sentry, and Canva all publish hosted MCP servers that accept your existing OAuth token. With this release each of those tools can be bound to any agent as an MCP server directly — no extra credentials, no manual endpoint URL. The MCP endpoint is pre-configured at the platform level; you just connect via OAuth as usual.

The custom MCP path (Custom MCP tool with your own URL) still works the same way for self-hosted MCP servers. On the platform-tool detail page each tool shows an MCP server capability chip when MCP is enabled, and the connection drawer surfaces an optional MCP server URL (override) field for self-hosting.

Per-message max_tokens controls

Output token caps move out of a hardcoded UI value and into a three-layer system:

  1. Per-agent — the Max tokens per message input on the agent edit page is the explicit override.
  2. Per-connection default — set a preferred default on each team AI connection (Team Settings → AI) or on your personal API key (My Account → AI assistant). The agent inherits this when no per-agent override is set.
  3. Model registry default — falls back to the model's recommended value (8k for Claude Opus, 16k for GPT-4o, etc.) when neither of the above is set.

All three are clamped at runtime by per-source plan caps (system AI / team AI / custom AI). Free tier caps system AI tightly; team and custom modes get progressively higher ceilings since you're paying your provider. The cap applies on every LLM call the agent makes, so a stale agent doc saved before the plan tightened still works correctly.

Agent-restricted actions

Interactive agents now refuse a curated list of high-impact actions to defuse prompt injection on public chat surfaces. The pattern is conservative — author-controlled surfaces (webhook / schedule / playground) keep full access to everything; only the interactive (public chat) surface is gated:

  • Destructive — every delete_* action across every tool (48 actions total).
  • Financial — refunds, payments, subscriptions, coupons, void invoices.
  • Mass broadcast — social posts (Twitter, LinkedIn, Reddit, Meta, Threads, Pinterest, Bluesky), Mailchimp campaign sends.
  • Telephony — SMS, MMS, WhatsApp template messages, voice calls.
  • Permission / membership — role assignments, Discord bans, employee provisioning, account creation.
  • Legal — e-signature send (DocuSign, Adobe Sign, PandaDoc, Dropbox Sign).
  • Personal-identity email — Gmail send / reply / forward.

Some platforms are gated off the interactive surface entirely — Stripe, PayPal, accounting tools (Wave, Xero, QuickBooks, FreshBooks), payroll systems, AWS, raw databases (MySQL, Postgres, BigQuery, MongoDB, Firebase), arbitrary HTTP (Custom API, Custom Webhook, Custom MCP), FTP, and heavy media pipelines (video / audio / image processing, PDF utils, Canva, Cloudinary).

The platform-tool detail page now shows an Agent-restricted pill on each action that's gated, with a per-agent-type breakdown in the action drawer. Webhook, schedule, and playground agents can still bind any of these — only the interactive (public chat) surface refuses.

Security & compliance hardening

  • Webhook agents — signature now required. If a webhook agent has a signing secret configured, inbound requests must carry the matching X-FlowFn-Signature header. Unsigned requests are refused with missing_signature. Previously the signature was checked only when present; that fallback is gone so a leaked URL alone can't trigger the agent. Action: roll out the signature header on every caller before the upgrade lands. The signed-payload format is documented on the agent's webhook page.
  • Right to object (GDPR Art. 21) is enforced at runtime. Marking Object to AI processing in My Account → Privacy Rights now blocks agent runs owned by that account, not just future signups. Pause your objection if you need an agent you own to continue running.
  • BYOK activity covers playgrounds. Every Bring-Your-Own-Key call from a playground binding (AI action and platform tool action) now records a metadata-only row in Team Settings → BYOK activity, matching agents and workflows. 90-day retention.
  • DSR submissions are audited per-team. When a Data Subject Request comes in for a linked account, the event is recorded on every team that account belongs to so admins can see when one of their users opened a request.
  • Cross-site request forgery defence. State-mutating dashboard API calls now require a matching Origin / Referer header. Public surfaces (forms, visualizers, playgrounds, agent widget, agent webhook, OAuth callbacks) are exempt — embeds and webhooks keep working unchanged.
  • Authentication code comparison. OTP verification now uses a constant-time compare to remove a theoretical timing side-channel.
  • Login rate limiting. The OTP-request endpoint is now throttled at 5 requests / 5 min per IP and 10 requests / hour per email. Either ceiling trips an HTTP 429 with a Retry-After header. Defuses inbox flooding, enumeration via timing, and brute-forcing the 6-digit code via repeated regeneration.
  • Audit log coverage expanded to platform tool connection delete, AI provider connection delete, app delete, and subscription plan change / cancel / resume — visible under each team's audit log.

Agent embed branding

  • Custom launcher icon. The interactive agent's Embed & branding tab now takes a second optional image — a launcher icon for the floating button on the host site — separate from the header logo shown inside the open chat. Leave it blank and the launcher falls back to the built-in speech-bubble emoji. Useful for pairing a monochrome launcher with a full-colour header logo without forcing a single image to serve both roles.

Dashboard — agent stats

  • Agent runs widgets on the dashboard mirror the workflow side: Today, This month, Active agents, and a 30-day daily series with total / failed / successful breakdown. The two run charts share an axis so you can compare workflow vs agent volume at a glance.

Editor quality of life

  • Cmd+S / Ctrl+S saves. The standard save shortcut now works in the workflow, agent, playground, visualizer and form editors. The browser's Save Page As dialog no longer steals the keystroke.

Notes

  • The action and tool restrictions are admin-tunable per agent type from /admin/platforms/<tool>/edit if your deployment needs a different set.
  • Plan caps for max_tokens appear on every plan tier (Free through Business). The pricing page does not surface the raw numbers — they're per-call engineering limits rather than headline features.

Spotted an issue or have feedback?

support@flowfn.com
Back to docs hub →