Changelog

We shipped four features this week: organization-level feature flags, OAuth2 authentication for endpoints, a billing module, and better test infrastructure.

Organization Feature Flags

Feature flags used to be all-or-nothing across your entire Convoy instance. You can now manage feature flags at the organization level. Go to Settings → Early Adopter Features to enable features like OAuth2 token exchange and mTLS for your organization. Instance admins can also override feature flags for specific organizations from the admin panel.

OAuth2 Authentication for Endpoints

Some endpoints require OAuth2 authentication. Endpoints now support OAuth2 client credentials authentication with shared secret or JWT client assertion. Configure your OAuth2 settings in the endpoint form, and Convoy handles token exchange automatically. This feature requires an enterprise license and the OAuth Token Exchange early adopter feature flag enabled.

Billing Module

We added a billing module that calculates usage from your Convoy data. View monthly usage, manage subscriptions, handle invoices, and set up payment methods, all from the Convoy dashboard. Go to Settings → Usage and Billing to get started. This feature requires a billing module license and billing admin or organization admin role.

E2E Test Infrastructure

We rebuilt our end-to-end test infrastructure to make it more reliable and easier to maintain. Tests now use Docker containers for Redis and PostgreSQL, making them faster and more consistent across environments.

Other Improvements

• UI refresh: We refreshed the dashboard UI with a cleaner design and better navigation
• Batch tracking: Track progress when retrying multiple event deliveries at once
• Admin UI: Instance admins can manage feature flags and circuit breaker configurations from a dedicated admin panel
• Job IDs: All queue jobs now use ULID-based job IDs for better tracking

All features are available now. See the endpoints documentation for OAuth2 configuration details.

We shipped three features this week that make Convoy more reliable for production workloads: broker message ID tracking, mTLS client certificates, and better content type handling.

Broker Message ID Tracking

When events flow through message brokers like Kafka, Google Pub/Sub, SQS, or AMQP, tracking them back to their source message used to be tricky. You'd see an event in Convoy but couldn't easily trace it to the original broker message.

We now capture and store the broker message ID for every event ingested from these brokers. This means you can filter events and deliveries by their original broker message ID, making debugging and tracing much simpler.

mTLS Client Certificate Support

Some endpoints require mutual TLS (mTLS) authentication. You can now configure client certificates directly on your endpoints. When Convoy delivers webhooks, it presents the client certificate for authentication.

Configure your client certificate and key in the endpoint settings. This feature requires an enterprise license.

Form-Encoded Content Type

We added support for application/x-www-form-urlencoded content types. If your endpoint expects form-encoded data instead of JSON, you can now set that in the endpoint configuration.

Other Improvements

• TLS for Redis: Redis connections now support TLS encryption. Set CONVOY_REDIS_TLS_ENABLED=true to enable it.
• Circuit breaker notifications: Fixed an issue where email notifications weren't being sent when circuit breakers activated.
• Configurable root path: You can now configure the root path for Convoy deployments using CONVOY_ROOT_PATH.

All features are available now. See the sources documentation for details on broker message tracking, and the endpoints documentation for mTLS configuration.

We released two features this week: Google SSO and a complete rewrite of how permissions work.

Google SSO

Google Workspace users can sign into Convoy using their Google account, eliminating the need for separate passwords.

Click "Sign in with Google" on the login page. The authentication flow redirects through Google and back to Convoy. First-time users will set up their organization name during the process. Existing accounts with the same email are automatically linked.

Role-Based Access Control

The old permissions setup worked for smaller teams but started breaking down as teams grew. We rebuilt it with five roles:

• Instance Admin — Controls everything across your Convoy instance
• Organization Admin — Runs the organization and all its projects
• Billing Admin — Handles billing only
• Project Admin — One project's settings and resources
• Project Viewer — View-only access to project data

This gives you granular control over who can access and modify resources in your Convoy instance.

Both features are available now. See the Google SSO docs and RBAC guide for implementation details.