External API Credentials & API Request Component

A new External API Credentials section under Settings → External API Credentials provides a secure, centralized way to store and reuse credentials across multiple integrations. Combined with the new api_request component, it enables fully managed, authenticated communication with external services.

Key capabilities:

• Centralized credential storage – create reusable authentication profiles referenced by alias.
• Supported auth types: None, Basic, API Key, OAuth2.
• Role-based access control – granular permissions for View, Create, Edit, and Delete per admin user role.

API Request Execution

The new api_request component lets you make authenticated HTTP requests directly in your templates, using credentials stored in External API Credentials.

Example usage

{% component type:"api_request", method:"GET", url:"https://example.com/api", auth:"my_alias", body:"{ "limit": 10 }", headers:"{ "header name": "header value" }", layout:"", collectionVariable:"result" %}

Highlights:

• Added API Request to the Components menu.
• Supports GET, POST, PUT, PATCH methods.
• Returns parsed JSON data assignable to a variable through collectionVariable.
• Optional layout parameter allows templating of API responses.

Availability: Both External API Credentials and API Request are available in the Pro plan.

API Application Scopes

Add support for API scope management based on Swagger specifications.

In API Applications → SCOPES, scopes are now grouped by API type (Admin v1, Admin v2 and Frontend v2) with searchable, collapsible lists and per-entity permissions (Read, Write, Delete).

Scopes are automatically generated from API paths following the pattern v2__ (e.g., v2_contacts_read, v2_orders_write).

If permissions are missing, an error message is triggered:

• “The request is not authorized. Missing required scope: <scope>.”

This update improves API access control, making it clearer and easier to manage granular permissions across admin and frontend integrations.

Open API type for server-side, mobile app

Add support for optional HMAC-SHA256 signing of outgoing webhooks to ensure authenticity and data integrity.

To enable signing, append the ?sk={{ClientSecret}} parameter (or a custom secret) to the External URL field; for example: {{URL}}/api/webhook?sk={{ClientSecret}}.

When enabled, each webhook request includes timestamp, event name, and signature headers generated with the provided secret, allowing the receiver to verify that the payload is authentic and unmodified.

HMAC Signature for Outgoing Webhooks

Add Type selection to API Applications to distinguish between Server-to-Server and iOS integrations.

A new Type field (available on create and edit) defines the application’s usage context:

• Server-to-Server – default option, requires no additional fields.
• iOS – displays BundleId and TeamId fields for app identification.

iOS applications are verified through their associated keys, ensuring secure and authentic integration between the mobile app and the Open API.

Special Characters in File Names

Improve file upload and rendering to ensure images with special characters or spaces in file names display correctly across both the admin and front end. File names are now normalized during upload (invalid characters replaced with -) and properly URL-encoded when rendered to prevent broken paths.

Examples:

• emoji🔥.png → emoji-.png → /emoji%F0%9F%94%A5.png
• file name.png → file-name.png → /file%20name.png
• imag#e.png → imag-e.png → /imag%23e.png
• multi   space.png → multi---space.png → /multi%20%20%20space.png

This ensures consistent image display and eliminates broken links caused by unsupported characters.

Bugfixes

The following issues have been resolved:

• Shipping integrations – Australia Post: Fixed an issue where entering a ZIP code on the shopping cart caused an error with the Australia Post integration.
• Portal – file upload: Resolved a problem that prevented file uploads in project chat when no text message was included.
• On-Site Editor – multiple data source: Fixed an issue where the Multiple Data Source property could not be populated correctly through the On-Site Editor.
• File Manager – quick code editing: Corrected a bug where the cursor jumped back to the first line after editing a file in quick-view mode.
• Events – follow-up email sending: Fixed an error that blocked follow-up notification emails from being sent for events.
• Products – import process: Resolved a problem with product import on sites where feature sets didn’t match the columns in the uploaded Excel file.
• Member Activity Tracking – clear button: Added a Clear Activity button that allows admins to manually reset tracked member activity data.
• Email templates – test email sending: Fixed an issue where the selected email template was not applied when sending a test email.
• Portal – bell notifications: Resolved an incorrect alert that appeared in the portal about an expired paid extension.
• Shipping options – disabled feature visibility: Fixed an issue where disabled shipping options were still displayed in the shopping cart.
• System emails – delivery options reset: Fixed a bug where delivery option settings for system emails were reset after editing files via FTP.
• Mailing lists – deletion error: Resolved an internal error that occurred when deleting imported mailing lists from the admin panel.
• Module items – list filtering: Fixed filtering behavior for module items by Expired State to ensure accurate list results.
• Security – nonce attribute for analytics: Fixed an issue where the nonce attribute was not applied to Google Analytics scripts, improving compliance and security consistency.