Changelog
Keep up with the latest updates we’ve made in Workato.
Mutual TLS (mTLS) authentication support in API Platform
Mutual TLS (mTLS) is now available on Workato’s API Platform, further strengthening our enterprise-grade security offering for regulated industries and public sector use cases.
- Client-level mTLS enforcement with granular certificate attribute validation.
- New Truststore to manage client certificates, with automated expiry reminders and Developer API support.
- Enables secure, certificate-based authentication—essential for customers in healthcare, finance, manufacturing, and government.
- Available to all customers with API Platform (requires API custom domain setup).
Learn more in the mTLS documentation.
Support for OAuth 2.0 token introspection
Workato’s API Platform now supports OAuth 2.0 token introspection, enabling the gateway to validate opaque access tokens issued by external identity providers (IdPs).
- Enhances OpenID Connect support for broader compatibility with enterprise IdP architectures.
Learn more in the OAuth 2.0 Token Introspection documentation.
Full Deprecation of Legacy API Keys
As part of our transition to industry-standard token-based security, legacy API key authentication will be fully deprecated on July 14, 2025.
- API requests using legacy API key + email authentication will no longer be supported after this date.
- Customers must migrate to API client authentication using bearer tokens.
- Required steps include creating a new API client, assigning appropriate roles, generating a new token, and updating applications to use the new Authorization: Bearer header.
- We recommend deleting any legacy “Migrated API Client” after confirming all systems are updated.
Learn more in the Workato API migration docs.
API Traffic Mirroring
API Traffic Mirroring enables enterprises to mirror all API traffic—including requests and responses—from API endpoints to an external API Security Platform like SALT Security. This feature enhances API discovery, threat protection, and posture management, providing greater security and compliance capabilities.
- Real-Time API Traffic Mirroring: Capture API requests and responses for external security analysis.
- Seamless Security Integration: Natively connect to API Security Platforms for endpoint monitoring and attack remediation.
- Enterprise-Grade Protection: Supports security requirements, including IP blacklisting to mitigate threats in real time.
Learn more in our API Traffic Mirroring documentation.
Introducing API Proxy Transformation
Introducing API Proxy Transformation, which helps modernize your APIs and increase the robustness of your API integrations with:
- Request and response transformation capabilities: Configure request and response transformations with drag-and-drop functionality.
- Schema Mapping & Key-Value Pair Mapping: Define schemas, map data, and apply formulas for seamless data transformation between systems.
- Conditional Response Mapping: Route API responses based on HTTP status codes with conditional logic to improve error handling and flexibility.
- In-Line Formulas: Manipulate data using formulas and expressions.
Benefits include faster integrations, reduced development effort, enhanced compatibility, and secure data transformations.
This feature is in private release. Contact your Customer Success Manager to enable this feature.
API Schema Validation
We are excited to announce we now provide schema validation for API endpoints to improve data integrity.
This new functionality validates requests to API recipe endpoints for the presence of fields and their field types, allowing users to 'filter out' or reject API requests that don't meet pre-defined constraints.
Learn more in our API platform documentation.
API Custom Authorization
API custom authorization allows you to enforce an additional set of authorization claims on API endpoints. Workato’s API Gateway evaluates the custom authorization expression after an API request is made to an endpoint and authenticated with a valid token. This feature adds an extra layer of security by enabling you to create additional role-based access control, locale restriction, and business logic rules.
This feature is in private release. Contact your Customer Success Manager to enable this feature. Learn more in our API Platform documentation.
UI Enhancements for API Collections and Endpoints
API collections and endpoints have been updated with the following UI enhancements:
- Updated endpoint UI to include request & response schema, recipe actions, and key endpoint configuration, which previously could only be seen by opening the recipe separately.
- New endpoint settings tab to provide a persistent view of key endpoint configuration settings, without having to navigate into the 'edit endpoint' pop-up.
- Updated collections UI with new icons to easily distinguish API recipe collections and API proxy collections.
Addition of RecipeOps trigger for alerting when an API client exceeds a policy limit
The new Recipe Operations triggers for policy quota and rate limit violations give administrators visibility into their clients' API usage and the ability to monitor it proactively. With these new triggers, administrators can now receive active alerts about violations and move quickly to address them.
Manage concurrency strategy with new API platform settings
With this new settings menu, you can control how requests are handled during periods of high concurrency: either queue requests and set queue sizes, or reject requests when the limit is reached. Additionally, our concurrency documentation has been updated to provide more insight into how concurrency works and how to use these new settings to manage your concurrency strategy.