Floh
Workflow Engine

Design forms, route approvals, provision access —
with full audit.

Floh is an enterprise orchestration platform that brings visual form authoring, multi-step workflows, runtime task management, and identity-aware provisioning together — with a tamper-evident audit trail across every action.

Visual Designer · Approvals & Tasks · Email & SMS · OIDC & RBAC · Hash-Chained Audit
PRODUCT OVERVIEW

Why Floh

Enterprise work falls into a predictable shape: collect information, route it for review, take action across connected systems, and prove it happened. Most teams glue that shape together from spreadsheets, ticket queues, ad-hoc scripts, and inboxes. Floh replaces that stack with a single platform — one where forms, approvals, tasks, provisioning, and audit are first-class citizens of the same model.

Design

Author forms and workflows visually

A drag-and-drop workflow graph editor and an embedded JSON-Forms-based form designer let business owners model end-to-end processes without writing code — with Markdown content, context tokens, and live preview.

Route

Approvals, tasks & escalation

Single, sequential, and parallel approvals with mandatory reasons. Runtime tasks support claim / assign / hold / unhold with threaded comments and admin + portal inboxes — so work is never stuck on a single owner.

Deliver

Provision access & reach users

Business-role definitions linked to entitlements push grants and revocations across Active Directory, SCIM, Google Workspace, S3, Postgres / MySQL, and any HTTP API. Reach users by templated email or SMS, with OTP-backed verification.

Prove

Tamper-evident audit by default

Every action lands in an append-only audit log: database triggers reject updates and deletes, and a SHA-256 hash chain links each entry to its predecessor, so an altered or removed entry breaks the chain. HMAC-signed checkpoints export to S3 or SIEM, anchoring the chain head outside the database, and integrity can be verified end-to-end on demand. Compliance is not a follow-up — it ships in the box.

24 Workflow Step Types · 150+ API Endpoints · 12+ Built-in Connectors · 256-bit AES-GCM Encryption

Platform Capabilities

Visual Workflow Designer

Drag-and-drop graph editor with 24 step types — approvals, conditions, forks/joins, connectors, user lifecycle, and sub-workflows.

Visual Form Builder

JSON-Forms-based form designer embedded in the Workflow Designer. Markdown content, context tokens, output-variable mapping, and live preview ship in the box.

Task Lifecycle & Inbox

Claim, assign, hold, and unhold with threaded comments. Admin and public-portal task inboxes show the same workload from inside or outside the firewall.

Smart Approvals

Single, sequential, parallel, and AND-of-list patterns with escalation timeouts, group-based routing, and mandatory rejection reasons.

Document Lifecycle

Collect, review, approve, and track documents with expiration policies. Expired documents automatically trigger role revocation.

Identity Lifecycle

Native steps for user creation, profile updates, manager linkage, email rotation, OTP-backed verification, and first-password invitations.

Roles, Entitlements & PAM

Define business roles with linked entitlements. Auto-provision and deprovision access; a Privileged Access category covers privileged-session checkouts.

Email & SMS Notifications

Handlebars-templated email and SMS via Twilio or Vonage. STOP/UNSTOP opt-out, delivery webhooks, and OTP verification all built in.

Connector Framework

Pluggable architecture with built-ins for HTTP, LDAP / AD, S3, Postgres, MySQL, SCIM, Google Workspace. Secrets encrypted at rest with AES-256-GCM.

Dashboard & Reports

Real-time metrics, run-status charts, SLA tracking, approver performance, and an Assigned Roles & Entitlements report — filterable by project.

AI / MCP Integration

A standalone Model Context Protocol server lets AI agents author and inspect workflows, schemas, and connectors via typed, audited tool calls.

Workflow Orchestration

Workflow Lifecycle
  • Version control — draft, publish, deprecate with new-version branching and import/export
  • Variable interpolation of {{var}}, {{submitter.*}}, {{date.*}}, {{org.*}}, and {{env.*}} tokens
  • Failure routing — per-step stop / skip / retry plus explicit failure-edge lint and runbook
  • Scheduling — cron triggers with timezone support via BullMQ
  • Categories — user, group, project, general, and Privileged Access for privileged sessions
  • On-behalf-of submission — permission-gated, audited submission for other users
  • Auto-refresh — live updates of run status across the admin console
Step Type Catalog
start, end, action, approval, condition, case, fork, join, notification, connector, document_submission, role_grant, role_revoke, sub_workflow, transform, consent, user_create, profile_update, verify_contact, first_password_invitation, send_sms, user_prompt, identity_link, pam_checkout

Step authors get inline help icons in connector config, named approval policies, and shared-store resend cooldowns for OTP-backed verification.

Security & Compliance

Audit & Integrity
  • Append-only audit log — enforced by database triggers; no updates or deletes
  • SHA-256 hash chain — each entry cryptographically linked to its predecessor
  • HMAC-signed checkpoints — exportable snapshots to S3 or SIEM with key rotation
  • Integrity verification API — validate the entire chain on demand
  • PII-safe metadata — comment bodies, hold reasons, and decrypted recipients never enter audit JSON
Data Protection
  • AES-256-GCM encryption — connector secrets, workflow variables, and SMS recipients at rest
  • OIDC SSO — Keycloak, Auth0, Entra ID, Okta, Authifi
  • Granular permissions — per-action checks plus row-level scope predicates
  • SSRF defences — DNS pinning, manual redirect mode, private-IP block-list on every connector
  • Entitlement reconciliation — detect & remediate access drift (log, flag, or sync)
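The SSRF defences listed above (DNS pinning, manual redirect mode, and a private-IP block-list on every connector) only work as a set: a block-list checked against the hostname is bypassed by a record that changes between check and connect, and a redirect that the HTTP client follows on its own skips both. The TypeScript below is an added example written for this page, not Floh's connector code, and shows how the three pieces fit: resolve once, vet every answer, connect to the vetted IP while keeping the original Host header, and re-vet each `Location` target by hand. The CIDR list, the synchronous `Resolver` type (injected so the example runs offline; production would wrap `dns.promises.lookup` with `all: true` and make the functions async), and the function names are assumptions for illustration.

```typescript
import { isIP } from "node:net";

// Ranges the connector must never reach: "this host", RFC 1918, CGNAT, loopback, link-local,
// multicast and reserved. Illustrative, not exhaustive; extend per RFC 6890 and your own network.
const BLOCKED_V4_CIDRS = [
  "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
  "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
];

function ipv4ToInt(ip: string): number {
  return ip.split(".").reduce((acc, octet) => (acc << 8) + Number(octet), 0) >>> 0;
}

function inCidr4(ip: string, cidr: string): boolean {
  const [net, bitsStr] = cidr.split("/");
  const bits = Number(bitsStr);
  const mask = bits === 0 ? 0 : (~0 << (32 - bits)) >>> 0;
  return ((ipv4ToInt(ip) & mask) >>> 0) === ((ipv4ToInt(net) & mask) >>> 0);
}

// True when an IP literal is private/reserved, and also when the string is not an IP literal
// at all: a hostname must be resolved before it can be judged, so refusing is the safe default.
export function isBlockedAddress(addr: string): boolean {
  const family = isIP(addr);
  if (family === 4) return BLOCKED_V4_CIDRS.some((c) => inCidr4(addr, c));
  if (family === 6) {
    const a = addr.toLowerCase();
    const mapped = /^::ffff:(\d+\.\d+\.\d+\.\d+)$/.exec(a); // IPv4-mapped IPv6 in dotted form
    if (mapped) return isBlockedAddress(mapped[1]);
    // unspecified, loopback, link-local fe80::/10, unique-local fc00::/7
    return a === "::" || a === "::1" || /^fe[89ab][0-9a-f]:/.test(a) || a.startsWith("fc") || a.startsWith("fd");
  }
  return true;
}

// Hypothetical resolver type: synchronous here so the example runs offline.
export type Resolver = (hostname: string) => string[];

export interface PinnedTarget {
  url: URL;           // URL with the host replaced by the vetted IP; the socket connects here
  hostHeader: string; // original host[:port], sent as the Host header (and TLS servername)
  pinnedIp: string;
}

// Resolve once, vet every answer, and pin the connection to a checked IP so a second lookup
// (DNS rebinding) cannot swap in an internal address between the check and the connect.
export function pinTarget(rawUrl: string, resolve: Resolver): PinnedTarget {
  const url = new URL(rawUrl); // WHATWG parsing normalises forms such as 2130706433 or 0x7f000001 to 127.0.0.1
  if (url.protocol !== "http:" && url.protocol !== "https:") throw new Error(`scheme not allowed: ${url.protocol}`);
  if (url.username || url.password) throw new Error("credentials in connector URL are not allowed");
  const host = url.hostname.replace(/^\[|\]$/g, ""); // strip IPv6 brackets
  const answers = isIP(host) ? [host] : resolve(host);
  if (answers.length === 0) throw new Error(`no addresses for ${host}`);
  const bad = answers.find((a) => isBlockedAddress(a)); // one internal answer poisons the whole name
  if (bad) throw new Error(`blocked address ${bad} for ${host}`);
  const pinnedIp = answers[0];
  const pinned = new URL(url.toString());
  pinned.hostname = isIP(pinnedIp) === 6 ? `[${pinnedIp}]` : pinnedIp;
  return { url: pinned, hostHeader: url.host, pinnedIp };
}

// Manual redirect mode: the HTTP client runs with automatic redirects disabled, and each
// Location header is resolved against the current URL and re-vetted before the next request.
export function nextHop(current: URL, location: string, hop: number, resolve: Resolver, maxHops = 3): PinnedTarget {
  if (hop >= maxHops) throw new Error(`redirect limit (${maxHops}) exceeded`);
  return pinTarget(new URL(location, current).toString(), resolve);
}
```

When the pinned URL is an `https:` target, the TLS layer still has to be told the original hostname (Node's `servername` option) so certificate validation is done against the name the workflow author configured, not the IP. The check on every answer rather than only the first matters for split-horizon names that return one public and one internal address.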

Integrations & Connectors

Identity Providers

Keycloak, Entra ID, Okta, Auth0, Authifi

Active Directory / LDAP

User lookup, group management, password set

Twilio & Vonage

SMS, OTP Verify, opt-out webhooks

Amazon S3

list, head, get, put, delete

PostgreSQL / MySQL

Typed query + DDL via Kysely + drivers

HTTP / REST

Generic connector with SSRF guards

Email (SMTP)

Handlebars templates with attachments

SCIM (outbound)

User + group sync to upstream IdPs

Google Workspace

OAuth-backed directory + groups

OpenAPI / Swagger

Full Swagger UI with live introspection

AI / MCP Server

Standalone MCP for AI-authored workflows

Docker

Compose stack with separate SPA workers

Additional Capabilities

Public Portal
  • Task inbox — claim, hold, comment, complete from outside the firewall
  • User picker — scoped directory typeahead for User-typed catalog variables
  • First-password landing — self-service activation page for invitation-only users
  • Stateless BFF proxy — firewall-friendly with route whitelisting and scope enforcement
Config Transfer & AI
  • Export / import — portable JSON for workflows, forms, roles, entitlements, connectors, templates
  • Import strategies — create-only, upsert, skip-existing with dry-run preview
  • MCP authoring — AI assistants create workflows via typed, audited tool calls
  • Architectural tests — category-record exhaustiveness, validation boundaries enforced in CI

Built for Enterprise.

Floh brings workflow orchestration, form authoring, runtime task management, and identity-aware provisioning together in a single, modern platform — with audit baked in from day one.

Open Architecture · TypeScript End-to-End · Self-Hosted or Cloud
Fastify 5 · Angular 21 · JSON Forms · PostgreSQL · Redis + BullMQ · Kysely · MCP SDK · Docker