Skip to content
Novu Copilot is live in BETA - describe a workflow, ship it the same day
Novu logoNovu

Changelog

Product updates, improvements, and fixes

Follow us on X

All changelog posts

  • Account Security Upgrades: Passkeys, Smarter Client Trust, zxcvbn, Turnstile

    Sign in with a passkey, skip Client Trust when 2FA is on, get real password-strength scoring at signup, and run into bot challenges only when traffic looks suspicious.

    Author:Dima Grossman
    Dima Grossman

    Four account-security improvements ship together today: passkey login, Client Trust deferring to 2FA, zxcvbn-ts password scoring, and a smart CAPTCHA on sign-up.

    Existing sessions are unaffected.

    Passkey Login

    Passkeys are now a supported authentication method for Novu accounts.

    Sign up with email and password or SSO as usual, then add a passkey from Account settings → Security.

    Your platform authenticator (Touch ID, Windows Hello, a hardware security key or a password manager like 1Password or iCloud Keychain) handles the rest.

    On your next sign-in, pick Sign in with passkey.

    Passkeys are built on WebAuthn. The private key never leaves your device, so there's nothing phishable for an attacker to capture on our side.

    You can register up to 10 passkeys per account, and they stack alongside your password and 2FA. Passkeys are an additional method, not a replacement.

    Client Trust Now Defers to 2FA

    Client Trust is our defense against credential stuffing: when someone signs in with a valid password from a new device, we send a one-time code to their email or phone.

    The catch was that this fired even on accounts with 2FA already enabled. Signing in from a new laptop meant two prompts: enter your TOTP code, then approve the new device.

    That's now collapsed into the regular MFA flow.

    If you have 2FA configured (TOTP, SMS or backup codes), Client Trust skips automatically. Your second factor already covers the new device.

    If you don't have 2FA enabled, behavior is unchanged: new devices still require a verification code by email or phone.

    This only applies to password sign-ins. Passkeys, OAuth and email links bypass Client Trust entirely.

    If you've been meaning to turn on 2FA, this is the nudge.

    Stronger Password Feedback via zxcvbn

    Password strength at signup, change and reset is now scored with zxcvbn-ts, the OWASP-recommended library for measuring real password entropy rather than pattern-matching "8 characters, one number, one symbol."

    You'll see live strength feedback as you type, and a prompt when a password technically meets the basic rules but is still weak (Password1!, qwerty123, dictionary words with predictable substitutions).

    This sits on top of our existing NIST-based minimum requirements.

    Smarter Bot Protection on Sign-up

    Sign-up is where bots show up first.

    We've moved off the old invisible CAPTCHA and onto a smart variant that uses CDN-level signals to decide whether a sign-up attempt looks suspicious.

    If it does, the user gets a quick interactive challenge (typically a checkbox). If it doesn't, which is most of the time, the challenge stays out of the way.

    Less friction for real users, more for the scripted ones.

  • Novu Copilot

    Describe the notification journey you want. Copilot builds the workflow inside Novu, ready for you to review and ship.

    Author:Paweł Tymczuk
    Paweł Tymczuk
    Novu Copilot - describe a notification journey, get back a working workflow

    Describe a notification Workflow in plain English and Novu Copilot builds it for you, ready to review and ship from the dashboard.

    Novu Copilot generating a Workflow from a plain-English prompt

    Tell Copilot the journey you want - a re-engagement sequence, a trial conversion flow, a milestone celebration - and it assembles the Workflow and required steps inside Novu.

    Channels, timing and conditions are picked to match what you described, shaped by patterns Novu has seen work across thousands of production setups.

    Generated Workflows land in your Development Environment as real Novu Workflows. Keep them, discard them or re-run with a tweaked prompt. Promote to production the same way you promote any other Workflow - nothing ships until you say so.

    Copilot is in BETA and we ship improvements weekly based on what teams ask for. Generate your first Copilot Workflow in your dashboard.

  • Novu MCP Server

    Describe a notification flow in plain English and let your AI build, trigger, and debug it against your live Novu environment. 20+ tools, one Bearer token, live in two minutes.

    Author:Emil Pearce
    Emil Pearce
    Novu MCP Server - your AI client, wired to your notification infrastructure

    Describe a notification flow in plain English and let your AI build, trigger, and debug it against your live Novu environment.

    No SDK. No dashboard clicking. No guessing at workflow IDs.

    AI prompt describing a multi-channel notification flow being turned into a Novu Workflow that ships across In-App, Email, Push, SMS and Slack

    The Novu MCP Server is now generally available.

    We first shipped it as a preview last July, then kept adding to it quietly. It now exposes 20+ tools - roughly ten more than launch day - covering subscriber CRUD, bulk triggering, event cancellation, and integration management.

    If you've been meaning to connect your AI to Novu, this is the version to try. The model stops generating code from training data and starts reading your actual environment.

    Build workflows in plain English

    Instead of scaffolding a workflow in the dashboard and wiring each channel step by hand, describe the outcome. The AI reads your environment, picks real providers, and stitches the steps together. Ask it to iterate and it edits the same workflow in place.

    "Create a workflow called order-shipped that sends an in-app notification when an order ships, then follows up with an email after 24 hours if the user hasn't seen it."
    Novu Workflow built from an AI prompt, fanning out across Email, Push, SMS, Slack and In-App on the free tier's 10k events per month

    Debug, inspect, and bulk-operate from chat

    Once a workflow is live, keep the assistant in the loop. Because it reads live delivery data and subscriber state, routine investigation, maintenance, and triage stop requiring a second tab:

    "Why didn't the order-confirmation notification reach subscriber user_123?"
    "Find subscriber user_789 and mute their Slack notifications, but keep email and push active."
    "Bulk trigger the re-engagement workflow for these 500 subscribers."
    "List my active integrations and tell me which are primary for each channel."

    The last two hit tools we shipped in this release. Bulk triggering, event cancellation, integration inspection, and primary-provider management all came online after the original preview.

    Connect your tool in two minutes

    Copy a Secret Key from dashboard.novu.co/settings/api-keys and point your AI tool at the Novu server. Claude Code is one command:

    claude mcp add --transport http novu https://mcp.novu.co/ \
  --header "Authorization: Bearer your-novu-api-key"

    Cursor uses Settings > Tools & Integrations. Codex reads ~/.codex/config.toml. Claude Desktop connects through npx mcp-remote (Node.js 18+). EU environments use https://mcp.novu.co/?region=eu. Any other MCP-compatible client works with the same URL and Bearer auth pattern.

    Novu MCP authorize dialog - one-time consent to let an AI client act on a Novu workspace

    Missing a tool? Request it

    The server is a living product. If there's an action you want to drive from your AI client that isn't covered yet, request it on the Novu roadmap and we'll prioritize based on demand.

    Available on every plan, cloud and open-source. Explore Novu MCP.

  • Code Steps

    Every channel step in a Novu Workflow can now be managed as TypeScript in your codebase - email, SMS, push, chat, and in-app.

    Author:Adam Chmara
    Adam Chmara
    Novu Code Steps cover image showing the npx novu step publish CLI command at the center, connected to five notification channels: Email (step.email()), In-App (step.inApp()), SMS (step.sms()), Chat (step.chat()), and Push (step.push())

    Each step now has two modes: Editor (visual) and Custom Code (developer-managed via code). Switch any step to Custom Code mode, and the dashboard shows a pre-filled CLI command.

    Novu dashboard showing an In-App step editor switched to Custom Code mode, displaying the pre-filled npx novu step publish CLI command and a "Waiting for first deployment" state with an empty preview panel on the right.
    Switch any step to Custom Code mode and the dashboard shows the publish command, pre-filled and ready to run.

    Run it to scaffold a placeholder handler and deploy it:

    npx novu step publish \
  --workflow your-workflow-id \
  --step your-step-id \
  --secret-key nv-sk-...

    React Email for Email Steps

    For email steps, pass --template to wire a React Email component directly:

    npx novu step publish \
  --workflow onboarding \
  --step welcome-email \
  --template ./emails/welcome.tsx \
  --secret-key nv-sk-...

    Your React Email components stay in your repo, go through PR review, and are versioned alongside your application code.

    Controls: Dashboard Editing Without Code Changes

    Define a controlSchema in your code steps to expose editable fields in the Novu dashboard. Developers set the structure and defaults - non-technical teammates override copy without touching code.

    Novu dashboard showing a published In-App Code Step with a controlSchema-defined ButtonText field editable in the dashboard. The right panel previews the live in-app notification with the "Let's begin" button rendered in real time.
    Once published, controls defined in your handler appear as editable fields in the dashboard - no code change needed to update copy.

    Mix Custom Code steps and Editor steps freely within the same Workflow.

    Switch any step to Custom Code mode and copy the pre-filled command from the step editor to get started.

    Get started with Code Steps →

  • <Subscription /> component

    Give users control over what notifications they receive - at the topic level. Create subscribe/unsubscribe flows that fit the context. Set workflow preferences and use advanced conditional rules. All of this can be done with a customizable React component.

    Authors:
    Paweł TymczukGeorge DjabarovAdam Chmara
    Paweł T., George D., Adam C.
    <Subscription /> component
    Requirements

    v3.12.0 or higher

    We've introduced Subscriptions, a new way to manage notification delivery at the topic level. Now with full context-awareness, giving subscribers precise control over what they receive and when.

    States of <Subscription /> component

    The new <Subscription /> React component makes it easy to add subscription features to your app. You can use it for a simple “follow” button on a resource or a complete preferences view.

    Breakdown of the <Subscription /> component
    • Subscribe or unsubscribe to topics (e.g., projects, issues)
    • Enable or disable specific workflows within a topic
    • Support conditional delivery rules (e.g., owner-only, thresholds, filters)
    • Context-aware preferences: manage subscriptions differently across environments, tenants, or custom contexts using contextKeys
    • Multiple subscriptions per topic with different conditions
    • Fully customizable UI with theming, localization, and headless hooks
    • Works seamlessly with Inbox and existing workflow/global preferences

    Previously, subscribers could only control notifications at the workflow or channel level.

    Subscriptions now unlock:

    • Topic-level muting (e.g., turn off updates for project:43)
    • Context-scoped preferences: filter and match subscriptions by context, with behavior safely gated behind the feature flag
    • Advanced, structured preferences stored as JSON conditions
    • Contextual subscription management directly on entities like projects or tasks
    Read more

    Behind the scene, we've added robust support for contextKeys throughout the inbox and subscription modules. Sorted for consistency, validated across commands, and integrated into identifier logic for uniqueness.

    This lays the groundwork for granular notification preferences in multi-context environments while maintaining backward compatibility when context features are disabled.

    Learn more about <Subscription /> component

    Improvements (5)
    • Removed the default custom font URL from block-based email content. Now, it uses system default fonts instead.
    • Subscriber preferences now support context-aware binding. You can set and retrieve preferences for specific contexts, such as tenants or environments. If there's no context-specific value, it will use the global preferences instead.
    • Pagination preferences now persist across sessions. When you change how many items show per page, it saves your choice. The next time you visit, your selection will be restored.
    • Webhook messages now include workflow and step identifiers. Each webhook payload now includes workflowId and stepId. This gives you better context for tracking and routing events.
    • You can now configure digest lookback windows directly in the workflow editor. When digest mode is on, you’ll find new options for how far back to look. You can pick from quick presets: immediately, 5 minutes, or 30 minutes. You can also enter a custom value.
    Fixes (1)
    • Fixed the problem where duplicating a workflow didn't copy schema fields. This includes payloadSchema, validatePayload, and severity. These properties are now correctly preserved when workflows are duplicated.

  • Native Slack and Microsoft Teams Integration

    Route notifications to Slack or Microsoft Teams channels and DMs using your app identity. One integration, simple OAuth per customer, and Novu handles the rest.

    Author:Adam Chmara
    Adam Chmara
    Native Slack and Microsoft Teams Integration

    Notify Slack channels, Microsoft Teams, and users through DMs using your app identity.

    The new chat integrations let you connect your Slack app or Microsoft Teams bot to Novu. You can then route notifications to the exact destinations your users choose.

    Messages go where they’re needed. You can alert teams about server problems. You can update hiring managers on candidates. You can send operational alerts to specific channels.

    Both integrations work the same way:

    • First, set up your app credentials in Novu.
    • Then, let users connect their workspaces via OAuth.
    • Finally, register endpoints for channels or users.

    Novu handles token management. It routes messages and delivers them. All this happens across different customer tenants using a single integration.

    Slack integration beta

    The Slack chat integration bot is currently in beta. Contact [email protected] to enable it for your organization.

    Multi-tenant by design

    A single Slack app or Teams bot can serve all your customers. Each customer connects their own workspace through a one-time OAuth consent flow.

    Novu keeps the connection for you. It sends messages on your app's behalf.

    You won't need to manage tokens. Also, you won't have to set up separate integrations for each customer.

    In Microsoft Teams, your customers grant admin consent only once. Then, Novu can send messages to any team or user with your app installed.

    Users authorize their Slack workspace, so you can quickly route messages to channels or DMs.

    Flexible delivery targets

    Create Channel Endpoints to define exactly where notifications should land:

    • Channels: Post to `#alerts`, `#engineering`, or any channel where your app has access
    • Direct messages: Send personal notifications to individual users
    • Webhooks: Use Slack incoming webhooks or Teams Workflows. They allow easy channel-only delivery without needing a full bot setup.
    // Create a Slack channel endpoint
await novu.channelEndpoints.create({
  type: 'slack_channel',
  subscriberId: 'user-123',
  integrationIdentifier: 'slack',
  connectionIdentifier: 'conn_slack_acme',
  context: { tenant: 'acme' },
  endpoint: {
    channelId: 'C01234567'
  }
});

    When you trigger a Workflow, Novu matches the subscriber and context to the right endpoints and delivers messages through the appropriate workspace connection.


    See the Slack integration guide and Microsoft Teams integration guide to get started.

Free to start, ready to scale

10K events/month free forever. From weekend projects to enterprise scale, we've got you covered.

Get startedSee our plans