Version: ACE 5

Release 25.5

Designer Web security changes

The development mode security settings for Designer Web and Runtime server must be updated:

  • ACE_OIDC_ISSUER_BASE_URL is renamed to ACE_DEV_JWT_VALIDATION_OPENID_ISSUER
  • ACE_OIDC_AUDIENCE is renamed to ACE_DEV_JWT_VALIDATION_AUDIENCE

SAP IQ step removal

In this release the SAP IQ step is removed from ACE.

Configuration changes

See configuration for more details.

Runtime server

Azure Key Vault

Added the following environment variables to support Azure Key Vault; see Config sources for details.

  • ACE_CONFIG_SOURCE
  • ACE_AZURE_KEY_VAULT_URL
  • ACE_AZURE_KEY_VAULT_PREFIX

Security

Added the following environment variables for Dynamic API security:

  • ACE_JWT_VALIDATION_ENABLED
  • ACE_JWT_VALIDATION_OPENID_ISSUER
  • ACE_JWT_VALIDATION_SECRET
  • ACE_JWT_VALIDATION_AUDIENCE
  • ACE_JWT_VALIDATION_ALGORITHM
  • ACE_JWT_VALIDATION_MAX_TOKEN_AGE
  • ACE_JWT_VALIDATION_CLOCK_TOLERANCE
  • ACE_JWT_VALIDATION_CACHE_MAX_AGE

Added the following environment variables for development API security:

  • ACE_DEV_JWT_VALIDATION_ENABLED
  • ACE_DEV_JWT_VALIDATION_OPENID_ISSUER
  • ACE_DEV_JWT_VALIDATION_SECRET
  • ACE_DEV_JWT_VALIDATION_AUDIENCE
  • ACE_DEV_JWT_VALIDATION_ALGORITHM
  • ACE_DEV_JWT_VALIDATION_MAX_TOKEN_AGE
  • ACE_DEV_JWT_VALIDATION_CLOCK_TOLERANCE
  • ACE_DEV_JWT_VALIDATION_CACHE_MAX_AGE

Removed the following environment variables:

  • ACE_OIDC_ISSUER_BASE_URL - use ACE_DEV_JWT_VALIDATION_OPENID_ISSUER with the same value instead.
  • ACE_OIDC_AUDIENCE - use ACE_DEV_JWT_VALIDATION_AUDIENCE with the same value instead.
  • ACE_DEV_API_AUTH_DISABLE - use ACE_DEV_JWT_VALIDATION_ENABLED instead if necessary.

Other

  • ACE_FORM_FIELD_SIZE_LIMIT_MB is added to change the maximum size of form fields for file upload.

Designer Web

Security

Added the following environment variables:

  • ACE_DEV_JWT_VALIDATION_ENABLED
  • ACE_DEV_JWT_VALIDATION_OPENID_ISSUER
  • ACE_DEV_JWT_VALIDATION_SECRET
  • ACE_DEV_JWT_VALIDATION_AUDIENCE
  • ACE_DEV_JWT_VALIDATION_ALGORITHM
  • ACE_DEV_JWT_VALIDATION_MAX_TOKEN_AGE
  • ACE_DEV_JWT_VALIDATION_CLOCK_TOLERANCE
  • ACE_DEV_JWT_VALIDATION_CACHE_MAX_AGE

Removed the following environment variables:

  • ACE_OIDC_SIGNING_ALG
  • ACE_OIDC_SIGNING_SECRET
  • ACE_DISABLE_TOKEN_VALIDATION

Changes for Keycloak based authentication:

  • ACE_OIDC_ISSUER_BASE_URL is not used for Keycloak anymore, use ACE_DEV_JWT_VALIDATION_OPENID_ISSUER instead.
  • ACE_OIDC_AUDIENCE is not used for Keycloak anymore, use ACE_DEV_JWT_VALIDATION_AUDIENCE instead.
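
The renames and removals listed above for Runtime server and Designer Web can be checked against an existing environment file before upgrading. The following is an added example, not ACE's own code: the parser, the function names `parseEnv` and `auditEnv`, and the sample file are constructed here, and only the variable names and replacement hints come from these notes.

```javascript
// Added example: audit a .env-style file for variables renamed or removed in ACE 25.5.
// The two tables come from these release notes; everything else is constructed.
const RENAMED = { // old name -> new name, value carried over unchanged
  ACE_OIDC_ISSUER_BASE_URL: 'ACE_DEV_JWT_VALIDATION_OPENID_ISSUER',
  ACE_OIDC_AUDIENCE: 'ACE_DEV_JWT_VALIDATION_AUDIENCE',
};
const NO_REPLACEMENT = 'removed from Designer Web; these notes name no replacement';
const REMOVED = { // needs a human decision rather than a mechanical rename
  ACE_DEV_API_AUTH_DISABLE: 'use ACE_DEV_JWT_VALIDATION_ENABLED instead if necessary',
  ACE_OIDC_SIGNING_ALG: NO_REPLACEMENT,
  ACE_OIDC_SIGNING_SECRET: NO_REPLACEMENT,
  ACE_DISABLE_TOKEN_VALIDATION: NO_REPLACEMENT,
};

function parseEnv(text) {
  const vars = new Map();
  for (const line of text.split(/\r?\n/)) {
    // KEY=VALUE with optional "export"; comments and blank lines do not match
    const m = line.match(/^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$/);
    if (m) vars.set(m[1], m[2].replace(/^(['"])(.*)\1$/, '$2')); // strip matching quotes
  }
  return vars;
}

function auditEnv(text) {
  const vars = parseEnv(text);
  const findings = [];
  const toSet = {}; // new variables the operator should add
  for (const [oldName, newName] of Object.entries(RENAMED)) {
    if (!vars.has(oldName)) continue;
    const value = vars.get(oldName), current = vars.get(newName);
    if (current === undefined) toSet[newName] = value;
    const action = current === undefined ? 'rename' : current === value ? 'drop' : 'conflict';
    findings.push({ name: oldName, action, note: newName });
  }
  for (const [name, note] of Object.entries(REMOVED)) {
    if (vars.has(name)) findings.push({ name, action: 'review', note });
  }
  return { findings, toSet };
}

const SAMPLE_ENV = `# constructed sample, not a real deployment
export ACE_OIDC_ISSUER_BASE_URL="https://idp.example.test/realms/ace"
ACE_OIDC_AUDIENCE=ace-dev
ACE_DEV_JWT_VALIDATION_AUDIENCE=ace-other
ACE_DEV_API_AUTH_DISABLE=true`;
console.log(auditEnv(SAMPLE_ENV));
```

A `conflict` finding means the old and new names are both set with different values, so the value that used to be in effect differs from the one the upgraded service will read.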

Azure Key Vault

Added the following environment variables to support Azure Key Vault; see Config sources for details.

  • ACE_CONFIG_SOURCE
  • ACE_AZURE_KEY_VAULT_URL
  • ACE_AZURE_KEY_VAULT_PREFIX

Deployment server

Security

Added the following environment variables:

  • ACE_DEPLOYMENT_JWT_VALIDATION_ENABLED
  • ACE_DEPLOYMENT_JWT_VALIDATION_OPENID_ISSUER
  • ACE_DEPLOYMENT_JWT_VALIDATION_SECRET
  • ACE_DEPLOYMENT_JWT_VALIDATION_AUDIENCE
  • ACE_DEPLOYMENT_JWT_VALIDATION_ALGORITHM
  • ACE_DEPLOYMENT_JWT_VALIDATION_MAX_TOKEN_AGE
  • ACE_DEPLOYMENT_JWT_VALIDATION_CLOCK_TOLERANCE
  • ACE_DEPLOYMENT_JWT_VALIDATION_CACHE_MAX_AGE

Azure Key Vault

Added the following environment variables to support Azure Key Vault; see Config sources for details.

  • ACE_CONFIG_SOURCE
  • ACE_AZURE_KEY_VAULT_URL
  • ACE_AZURE_KEY_VAULT_PREFIX

Bull board

Azure Key Vault

Added the following environment variables to support Azure Key Vault; see Config sources for details.

  • ACE_CONFIG_SOURCE
  • ACE_AZURE_KEY_VAULT_URL
  • ACE_AZURE_KEY_VAULT_PREFIX

Release notes

See docker images below.

ACE 25.5.4

September 8, 2025

Bug Fixes

  • DIG2022-65952
    Unable to use $headers directly in expressions

ACE 25.5.3

August 22, 2025

Features

  • DIG2022-65345
    Disable built-in JWT validation by default

ACE 25.5.1

August 18, 2025

Features

  • DIG2022-65023
    Use single value for JWT validation audience
  • DIG2022-65034
    Diagnostics check for JWT OpenId configuration endpoints

ACE 25.5.0

August 14, 2025

ACE Azure Key Vault integration

Support for Azure Key Vault is added to ACE. It allows storing and retrieving secrets directly from Azure Key Vault without setting them in the environment variables.

  • DIG2022-63782
    Clear environment variable cache endpoint
  • DIG2022-63781
    ACE Bull board support for Azure Key Vault
  • DIG2022-59912
    Configure test4201 environment to use Azure Key Vault
  • DIG2022-59481
    Multiple environment support
  • DIG2022-58578
    Read variables from Azure Key Vault

Built-in JWT validation

ACE now supports built-in JWT validation for APIs. JWT validation is enabled by default and can be disabled by setting the ACE_JWT_VALIDATION_ENABLED environment variable to false. If JWT validation is disabled, it is essential to protect APIs by other means, such as an API gateway.

  • DIG2022-64808
    Remote JWK caching
  • DIG2022-64687
    Use _ENABLED variable naming to enable/disable JWT validation
  • DIG2022-64656
    Access API "Public" in $api context
  • DIG2022-63947
    Unified JWT validation for ACE development APIs
  • DIG2022-60477
    Runtime server JWT validation
  • DIG2022-64685
    JWT validation documentation
  • DIG2022-60991
    Built-in Deployment API server JWT validation

Upgrade to Node 22

All ACE services are upgraded to Node.js 22.

  • DIG2022-61588
    Upgrade to Node 22
  • DIG2022-63934
    Update node engines and node types to latest node version

Open telemetry PoC

This ACE release has beta support for OpenTelemetry.

  • DIG2022-58557
    Add Open Telemetry metrics
  • DIG2022-58554
    Telemetry infrastructure in ACE dev environment
  • DIG2022-58560
    Network call correlation

Other features

  • DIG2022-62654
    JWT header support
  • DIG2022-63783
    SAP IQ step removal
  • DIG2022-62759
    Add runtime server to OpenAPI servers list automatically
  • DIG2022-64126
    Show message if Designer is on default branch
  • DIG2022-14351
    Typescript upgrade to 5.x
  • DIG2022-62760
    Ability to add securityScheme through template

Bug Fixes

  • DIG2022-62761
    Invalid securityScheme is added for every operation
  • DIG2022-64132
    Unable to handle the errors for Non-existent Flows in case of Change flow (aceApiFlow)
  • DIG2022-64004
    Cannot copy data from read only JSON/JSONATA fields
  • DIG2022-64003
    Validation errors in JSONATA exerciser
  • DIG2022-63850
    Multer throws error if field size is too long
  • DIG2022-62953
    Open debug from APIs page doesn't populate first step
  • DIG2022-62724
    Infinite loop check false positive on array processing
  • DIG2022-62619
    Runtime cache is not invalidated if deployed package is deleted
  • DIG2022-62456
    HTTP header access in ACE is case sensitive
  • DIG2022-62454
    Previous branch flow is kept open after switching branches in ACE Designer
  • DIG2022-64727
    Security: CVE-2025-54798 (tmp-0.0.33)
  • DIG2022-63786
    Security: CVE-2025-7338 (multer-2.0.1)
  • DIG2022-63785
    Security: CVE-2025-7339 (on-headers-1.0.2)
  • DIG2022-63784
    Security: CVE-2025-7783 (form-data-4.0.0)
  • DIG2022-63271
    Security: CVE-2025-5889 (brace-expansion 2.0.1, 1.1.11)

Docker images

Designer Web

Hash: sha256:b9b5f99cb4777aaa5b269b86525cb49e5d566cbc482dc258d6f06f0064c676e0
docker pull euadigportalcoredev02acr.azurecr.io/ace-designer:25.5.4

Runtime server

Hash: sha256:ffd609e542fa9968d967732ed9ac508327b6e4daf206d93e281e8d8e2e3eab79
docker pull euadigportalcoredev02acr.azurecr.io/ace-runtime-server:25.5.4

Deployment API server

Hash: sha256:289d12f84431b745e82e6d6d48538ab4751dd3e0ecd3ca05f2ce7aba976df260
docker pull euadigportalcoredev02acr.azurecr.io/ace-deployment-server:25.5.4

Scheduled job (BullMQ) administration

Hash: sha256:356fdb3d43575b360fc1065bd92432809f7637397960cd8e6e418cf6d80f743f
docker pull euadigportalcoredev02acr.azurecr.io/bull-board:25.5.4

Developer API portal

Hash: sha256:43fae10008cdb345b6aa775f0a4ffc26f563964c9dabb6132c9d5c2aa3cf7c4d
docker pull euadigportalcoredev02acr.azurecr.io/api-developer-portal:25.5.4

Designer Desktop

ACE Designer Desktop is available here