Skip to main content
Feedback

API Management Release Notes for May 2026

Platform Release

May 30 2026

API Control Plane

New
We added these features

  • The MCP Registry provides a centralized catalog of MCP servers built on the Boomi Platform, imported from public registries, or registered by administrators. It enables organizations to discover, manage, and expose the tools available to AI agents built in Boomi or with third-party agent frameworks. (ACP-2809)

    Refer to MCP Registry.

  • The API Control Plane discovery agent SDK contains a set of interfaces and classes that enable the independent creation of API gateway integrations. Using the SDK, developers can implement functionality to support custom gateway types. (ACP-3897)

    Refer to API Control Plane Discovery Agent SDK.

  • The Kong agent now allows you to discover APIs managed by Kong Konnect. (ACP-3406)

    Refer to How to Connect to Kong.

  • You can discover plans, API products, and applications with subscriptions that were created in Cloud API Management. (ACP-3458)

    Refer to How to Connect to Cloud API Management.

note

Retirement notice: The ability to create standalone/Docker API Control Plane agents for discovering Cloud API Management services will be retired in an upcoming release. It is recommended to remove standalone agents before retirement.

Fix
We fixed these issues
  • The formatting of the email that users received after creating a key in the developer portal was incorrect. (ACP-3401, ACP-3774)
  • When an application was deleted from the developer portal in API Control Plane, it was still visible in the Boomi API Gateway. (ACP-3396)

Known Issues

  • The MCP Registry is not available for self-hosted developer portals. This will be fixed in an upcoming release.
  • If a user that was created in Cloud API Management has spaces in the username, they are not able to create a standalone Cloud API Management agent.

API Gateway

New
We added these features

  • The API Proxy component supports outbound OAuth 2.0 authorization, specifically the client credentials flow. By automatically fetching and injecting tokens into outgoing calls, the Gateway simplifies the process of exposing secured APIs. (APIM-18835)

    Refer to Creating and configuring an API Proxy component.

  • The API Gateway Settings UI accurately reflects Gateway-level permissions. This ensures that visibility and edit capabilities for Gateway settings are determined solely by your Gateway privileges, removing previous dependencies on Runtime Management roles. (APIM-19485)

    Refer to Properties panel under Boomi API Gateway Configuration and Settings.

Fix
We fixed these issues
  • When multiple APIs shared the same Published API Title, the Total Calls metrics displayed inconsistently between the Left Panel and Graph Header on the API Dashboard. With this fix, the metrics now display consistently across both locations. (APIM-18978)
  • After updates were made to input and output types for Web Services Server processes, the changes did not correctly display in the UI when editing API endpoints. This update ensures these changes are now accurately reflected in the UI as expected. (APIM-18972)
  • When querying the Runtime object using the Platform API, the response incorrectly included deprecated 'ghost' Broker entries due to an issue with the container query logic. This update ensures Brokers are explicitly excluded from the response, providing accurate API results that match the Platform UI regardless of whether filters are applied. (APIM-18983)

May 19 2026

Cloud API Management

New
We added these features

  • Boomi Cloud API Management now supports three new Threat Protection Policies - JSON, XML, and Regex to protect your APIs against malicious payloads. With this, you can now configure threat protection policies at the endpoint level, giving you granular control over the types of content your APIs accept. (EIN-23110)

    Refer to the JSON Threat Protection Policy, XML Threat Protection Policy, and Regex Threat Protection Policy for more information on configuring threat protection policies on the Call Transformations page.

  • For the Regex Threat Protection policy, we have implemented a DoS (Denial of Service) solution for mitigating potential Denial of Service vulnerabilities by automatically stopping regex evaluation when the request timeout is reached. (EIN-23713)

  • Optimized memory utilization for Regex, XML, and JSON Threat Protection policies to minimize memory usage during high-load request processing. (EIN-23713)

  • Added Brotli-compressed (Content-Encoding: br) and Deflate-compressed (Content-Encoding: deflate) encodings to the Response filter pipeline to handle backend responses. If the backend returns a response with any of these encodings, the filtered response is returned without errors. (EIN-23498), (EIN-23930)

    Refer to the Response Filters for more information.

Fix
We fixed this issue
  • Previously, API calls using the OAuth2 Backend Authenticator failed with a decryption error when processing client credentials for calls combined with SOAP security connector calls. Once the error occurred, it persisted until the service was restarted. This issue has now been fixed. The OAuth2 Backend Authenticator now correctly decrypts client credentials without errors, regardless of the other connectors used. (EIN-23921)
On this Page