Composio Release Notes

What

Manual version bump for @composio/cli → 0.2.31, replacing the broken changeset-bot flow.

Bumps ts/packages/cli/package.json 0.2.30 → 0.2.31

Adds the 0.2.31 entry to ts/packages/cli/CHANGELOG.md

Consumes (deletes) the 5 CLI changesets it covers:

• composio upgrade <version> (#3428)
• x-cli-session-id header (#3430)
• refreshed approval fallback page (#3431)
• LLM-friendly output (#3450)
• fish completion paths (#3162) + 1-hour permission expiry (#3449)

Leaves the @composio/core changesets untouched for the bot.

Why manual

The changeset release bot (ts.release.yml → changesets/action) has been failing on HttpError: Bad credentials on every run since 2026-06-04 — its CI_BOT_TOKEN secret is expired/invalid — so it can no longer regenerate the "Release: update version" PR (#3429, stale since 2026-05-20).

build-cli-binaries.yml is healthy and independent of that token: on merge to next it compares ts/packages/cli/package.json against the previous commit, detects the version change, and builds + publishes the stable @composio/[email protected] GitHub release (cross-platform binaries). The CLI is "private": true, so it ships only as the GitHub binary release, not npm — this path fully covers it.

Validated

The pinned-actions binary pipeline was already validated green end-to-end (all 4 platform binaries built + full install-test matrix passed) on a build-beta run. Local binary (built from this same source) passed version/whoami/help, LLM-friendly stdout, upgrade <version>, and the full Slack + experimental_subAgent integration test.

Follow-up (separate)

CI_BOT_TOKEN needs refreshing to restore the changeset bot (recommend a GitHub App installation token over a personal PAT to avoid future expiry). Tracked outside this PR.

🤖 Generated with Claude Code

Co-authored-by: Claude Opus 4.8 (1M context) [email protected]

What's Changed

• Fix fish completion install paths by @CryogenicPlanet in #3162
• fix: correct typos 'sucessfull' and 'satus' in callbackUrl JSDoc by @yosinn1-blip in #3478
• fix(security): bump authlib to 1.7.2 (GHSA-wvwj-cvrp-7pv5) by @zen-agent in #3469
• fix(security): pin protobufjs to 7.5.5 (Socket.dev critical CVE) by @zen-agent in #3467
• fix(core): defer telemetry sends by @CryogenicPlanet in #3447
• chore(deps): bump next from 16.2.1 to 16.2.6 in /docs in the npm_and_yarn group across 1 directory by @dependabot[bot] in #3497
• changelog: api security updates (2026-06-04) by @palash-c in #3517
• changelog: link Workbench session reference to the sessions doc by @palash-c in #3519
• feat(toolchain): introduce mise.toml as single source of truth by @jkomyno in #3492
• fix(mastra): tolerate dangling $ref in tool schemas [PLEN-2451] by @jkomyno in #3400
• feat(py): remove legacy custom tools by @jkomyno in #3508
• feat(core): remove legacy TypeScript custom tools by @jkomyno in #3509
• docs: remove legacy custom tools references and retarget redirects by @jkomyno in #3510
• chore(ci): pin GitHub Actions to SHAs by @jkomyno in #3531
• add project api key permissions docs by @shamsharoon in #3532
• chore: CLI 0.2.31 patch release by @CryogenicPlanet in #3536
• chore(cli): release 0.2.31 by @CryogenicPlanet in #3538

New Contributors

• @yosinn1-blip made their first contribution in #3478

Full Changelog

https://github.com/ComposioHQ/composio/compare/@composio/[email protected]...@composio/[email protected]

What

Manual version bump for @composio/cli → 0.2.31, replacing the broken changeset-bot flow.

Bumps ts/packages/cli/package.json 0.2.30 → 0.2.31

Adds the 0.2.31 entry to ts/packages/cli/CHANGELOG.md

Consumes (deletes) the 5 CLI changesets it covers:

• composio upgrade <version> (#3428)
• x-cli-session-id header (#3430)
• refreshed approval fallback page (#3431)
• LLM-friendly output (#3450)
• fish completion paths (#3162) + 1-hour permission expiry (#3449)

Leaves the @composio/core changesets untouched for the bot.

Why manual

The changeset release bot (ts.release.yml → changesets/action) has been failing on HttpError: Bad credentials on every run since 2026-06-04 — its CI_BOT_TOKEN secret is expired/invalid — so it can no longer regenerate the "Release: update version" PR (#3429, stale since 2026-05-20).

build-cli-binaries.yml is healthy and independent of that token: on merge to next it compares ts/packages/cli/package.json against the previous commit, detects the version change, and builds + publishes the stable @composio/[email protected] GitHub release (cross-platform binaries). The CLI is "private": true, so it ships only as the GitHub binary release, not npm — this path fully covers it.

Validated

The pinned-actions binary pipeline was already validated green end-to-end (all 4 platform binaries built + full install-test matrix passed) on a build-beta run. Local binary (built from this same source) passed version/whoami/help, LLM-friendly stdout, upgrade <version>, and the full Slack + experimental_subAgent integration test.

Follow-up (separate)

CI_BOT_TOKEN needs refreshing to restore the changeset bot (recommend a GitHub App installation token over a personal PAT to avoid future expiry). Tracked outside this PR.

🤖 Generated with Claude Code

Co-authored-by: Claude Opus 4.8 (1M context) [email protected]

What's Changed

Fix fish completion install paths by @CryogenicPlanet in #3162

fix: correct typos 'sucessfull' and 'satus' in callbackUrl JSDoc by @yosinn1-blip in #3478

fix(security): bump authlib to 1.7.2 (GHSA-wvwj-cvrp-7pv5) by @zen-agent in #3469

fix(security): pin protobufjs to 7.5.5 (Socket.dev critical CVE) by @zen-agent in #3467

fix(core): defer telemetry sends by @CryogenicPlanet in #3447

chore(deps): bump next from 16.2.1 to 16.2.6 in /docs in the npm_and_yarn group across 1 directory by @dependabot[bot] in #3497

changelog: api security updates (2026-06-04) by @palash-c in #3517

changelog: link Workbench session reference to the sessions doc by @palash-c in #3519

New Contributors

@yosinn1-blip made their first contribution in #3478

Full Changelog

https://github.com/ComposioHQ/composio/compare/@composio/[email protected]...@composio/[email protected]

What's Changed

• docs: reapply Algolia docs search by @CryogenicPlanet in #3454
• docs: tidy welcome page, fix playground link, hide ugly Ask AI tab by @CryogenicPlanet in #3455
• docs: merge and group guide content by @CryogenicPlanet in #3456
• docs: update CLI and reference navigation by @CryogenicPlanet in #3462
• docs: rework welcome page with v2 hero and homepage sections by @Malayvasa in #3464
• docs: dark mode, navbar polish, scroll reset, platform→dashboard rename by @Malayvasa in #3465

Full Changelog: https://github.com/ComposioHQ/composio/compare/@composio/[email protected]...@composio/[email protected]

A summary of recent security, API, and platform changes you may need to act on. Most won't apply to you, so skim for the ones that do. We are continuing to ship more.

Legacy MCP Config routes

• MCP requests now require an API key or Authorization: Bearer token. We recommend moving to composio.create

API Keys

• IP whitelisting, choose which ip address can work from your api keys.
• Scoped API Key are slowly being rolled out with first preset for proxyExecute. You will be able to control what actions your api keys can take.

Proxy Execute

• Proxy Execute is disabled on v3 api, please use v3.1 or update your sdks.
• Proxy Execute is now an opt-in capability on an API key, it is a superset of regular capabilities + proxy execute.
• Proxy Execute requests have a 250MB payload cap.

Connections

• Connected-account tokens are redacted in API responses, for both Composio-managed and custom auth configs. Please use Proxy Execute instead. If you need this for some special case please reach out to support.
• Reiterating: Composio-managed OAuth connections are moving from initiate to link. The cutover for remaining organizations is July 3, 2026.

Workbench

• Code execution through the remote workbench (COMPOSIO_REMOTE_WORKBENCH, COMPOSIO_REMOTE_BASH_TOOL) now runs only inside a Composio session. If your code execution stopped working, run it within a Composio session.

Webhooks

• Webhook URLs must be publicly reachable; internal and loopback targets are now rejected.
• Deliveries are now signed (verify the webhook-signature header), and there is a new composio.trigger.disabled event. Manage subscriptions with the Webhook Subscriptions API.

Rate limits

• Per-IP rate limits now apply; requests that exceed them receive 429 responses.

Endpoints

• The legacy v1 and v2 endpoints, deprecated last year, have now been removed. Any calls to /v1 or v2 endpoints now return 410, please use the class of v3 and v3.1 endpoints, if you need a guide to migration you can use this.

You can now programmatically revoke a connected account's OAuth 2.0 tokens at the upstream provider, giving you explicit control over when credentials are killed at the third-party — instead of relying on deletion or natural token expiry.

On success, the connection transitions to REVOKED and the response reports which token subjects were killed at the provider on this call.

Example request

POST /api/v3.1/connected_accounts/{nanoid}/revoke

Example response (200 OK)

{
  "revoked_tokens": ["access_token", "refresh_token"],
  "connected_account": {
    "id": "ca_1a2b3c4d5e6f",
    "status": "REVOKED"
  }
}

The revoked_tokens array lists the subjects revoked at the provider during this call. An empty array means the connection was already in a revoked state and no upstream dispatch was issued.

Status Codes

• 200 - Connection revoked (or already revoked — see revoked_tokens)
• 400 - Revoke is not supported for this toolkit
• 404 - Connected account does not exist
• 409 - Connection is not in a revokable state (only ACTIVE and already-REVOKED are accepted)
• 500 - Server error — revocation could not be completed

Revoke Is Not Automatic on Delete

Deleting a connected account or a project does not revoke tokens at the upstream provider — the credentials are removed from Composio but may remain live at the third-party until they expire naturally. If you need credentials killed at the provider, follow revoke-then-delete semantics: call POST /revoke first, then issue the delete.

Revoke Is Best-Effort

Some providers do not expose a programmatic way to revoke one or both token subjects (for example, an access token but no refresh-token revoke route, or no revoke endpoint at all). In those cases, Composio revokes whatever the provider supports and the revoked_tokens array reflects exactly what was killed. Always read revoked_tokens to confirm which subjects were affected — do not assume both access_token and refresh_token were revoked on every call.

Externally Revoked Tokens

If a user revokes the connection directly with the provider (for example, removing the app from their account on the provider's website), the upstream revoke call from this endpoint may return an error. Handle this case by treating the connection as already revoked on your side.

composio.create() now returns a new session ID on every call, even for identical configs, for better isolation and observability. For multi-turn conversations, store the session ID and reuse it with composio.use().

Custom tools can also be attached when reusing a session. See Reusing a session and Custom tools.

Update session config with session.update()

Modify a session's toolkits, auth configs, connected accounts, and other settings without creating a new session. Only the fields you pass are changed:

session.update(
  toolkits = ["gmail", "slack"],
  auth_configs = {"gmail": "ac_new_config"},
)

See Updating a session.

connectedAccounts accepts arrays

connectedAccounts (TypeScript) and connected_accounts (Python) now accept an array of connected account IDs per toolkit. A single string is still accepted for backwards compatibility and is automatically coerced to an array.

Only one account per toolkit is allowed when multi-account mode is disabled.

Sessions now support preloading frequently used tools into session.tools() and the session MCP tool list, so agents can call them without searching each time.

This works for Composio-managed tools, while SDK custom tools can be exposed directly from session.tools() with preload: true.

Keep the preloaded set focused, generally fewer than 20 tools, to avoid context bloat.

SDK versions

TypeScript @composio/core minimum version 0.9.0

Python composio minimum version 0.13.0

Example usage with Python and TypeScript shown.

Direct tools preset

Specialized agents with a narrow tool set can use the direct tools preset to load every tool allowed by session filters into the session's tool list and disable session meta tools by default.

For agents that still need selected helper behavior, supported meta tool groups can be enabled alongside the preset.

composio.connectedAccounts.link() (TypeScript) and composio.connected_accounts.link() (Python) now match the multi-connection guard that initiate() already had. With Composio-managed redirectable-OAuth callers being migrated off POST /api/v3/connected_accounts onto POST /api/v3/connected_accounts/link, the guard moves with them — so the migration doesn't quietly drop the duplicate-connection check.

Behavior change

Before:

link() would happily create a second ACTIVE connection for the same (user_id, auth_config_id) pair without checking for an existing ACTIVE connection first.

After:

link() first calls connectedAccounts.list({ userIds, authConfigIds, statuses: ['ACTIVE'] }). If any active connection exists, link() throws ComposioMultipleConnectedAccountsError unless the caller passes allowMultiple: true / allow_multiple=True.

Two scenarios that need attention:

1. You intentionally create multiple connections per (user, auth_config) — for example, two Gmail accounts for the same user. Opt in:

connection_request = composio.connected_accounts.link(
  user_id = "user_123",
  auth_config_id = "ac_xxx",
  alias = "work-gmail",
  allow_multiple = True,
)

Pair with a session-level multiAccount / multi_account config so the agent can disambiguate at execution time. See Managing multiple connected accounts for the session shape.

1. You're migrating from initiate() to link() as part of the Composio-managed OAuth migration. Pass allow_multiple / allowMultiple through unchanged — same flag name, same default (False), same exception (ComposioMultipleConnectedAccountsError).

Webhook Triggers V2 introduces a first-class webhook_endpoints resource with a dedicated ingress URL per OAuth app. V2 is opt-in and scoped to new trigger slugs — existing V1 triggers, URLs, and payload formats are unchanged.

Summary

• New webhook_endpoints API: None (opt-in)
• New ingress path /api/v3.1/webhook_ingress/{toolkit}/{we_*}/trigger_event: None (opt-in)
• Ingress-level signature verification: Automatic for V2 endpoints
• New Slack V2 slugs (SLACK_CHANNEL_MESSAGE_RECEIVED, SLACK_DIRECT_MESSAGE_RECEIVED, SLACK_MESSAGE_REACTION_ADDED): Opt-in
• V1 ingress path and all legacy trigger slugs: None — unchanged

What's in V2

• Dedicated endpoint per OAuth app, keyed by (toolkit_slug, project_id, client_id) and exposes its own URL containing a random we_* identifier.
• Signature verification at ingress using HMAC-SHA256, Ed25519, or shared-token matching depending on the toolkit.
• Per-user authorization for app-level events on toolkits with per-user visibility (Slack first).
• Automatic handshakes and cleanup for provider verification challenges.

API reference

• All endpoints require a project API key (x-api-key).
• Methods include GET, POST, PATCH, DELETE for webhook subscriptions and endpoints.

Migration walkthrough (Slack)

• Slack is the first toolkit on V2.
• Steps include discovering required fields, creating the endpoint, storing the signing secret, adding an app-level token for private-scope events, pointing your Slack app at the V2 URL, and creating V2 trigger instances.

Heads up: OAuth apps are project-scoped on V2. Action required if you share a single OAuth app across multiple Composio projects or organizations today.

Backward compatibility

• Your V1 endpoints are unaffected.
• Existing trigger slugs continue to route through V1.
• You only need to set up a V2 webhook endpoint in two cases: to use new V2 trigger slugs or to move an OAuth app shared across multiple projects onto V2.

What's Changed

• fix(python-sdk): handle file upload list unions by @shreysingla11 in #3373
• docs(py): add 0.13.1 entry to CHANGELOG by @jkomyno in #3427
• fix(ts-sdk): handle file upload list unions by @shreysingla11 in #3374
• docs: add Shared Connections page under Authentication by @venkat82 in #3406
• feat(cli): refresh approval fallback page by @CryogenicPlanet in #3431

Full Changelog

https://github.com/ComposioHQ/composio/compare/@composio/[email protected]...@composio/[email protected]