A full REST API for triggering workflows programmatically. Long lived access tokens with custom scopes so every integration gets exactly the permissions it needs. IP allowlisting and domain allowlisting for network level protection. Trusted signature verification on every incoming webhook. Rate limiting at the API and the workflow layer. Encryption at rest for every variable and every secret. A workflow automation platform where flexibility and security are the same feature instead of a trade off.
Generate a long lived access token in the API settings with exactly the scopes the integration needs. Allowlist the source addresses or domains the calls will come from. Trigger any workflow from any external system through the REST endpoints. Every request gets authenticated, scope checked, signature verified where applicable, rate limited, and audit logged before any workflow runs.
Long Lived Tokens
Open the API settings and create a new access token for the integration that will be calling the platform. Pick exactly the scopes the integration needs: read access to specific workflows, trigger access to a specific category, full access to a specific workspace, or anything narrower or broader as the situation requires. Tokens are long lived so the integration does not need to refresh constantly, and each token can be rotated or revoked independently at any time.
Network Allowlisting
Configure which IP address ranges and which domains can use each token. The integration running in your production environment gets allowlisted with its specific address ranges, the partner service gets allowlisted with theirs, the development environment gets allowlisted with the engineering team's office address range. Tokens that arrive from anywhere else get rejected before any workflow runs, which means a leaked token outside the allowlist is useless to whoever obtained it.
REST API Endpoints
The REST API exposes endpoints for triggering any workflow from any external system. Send a request with the trigger payload, the platform validates the token and the scope, the workflow fires immediately, and the response returns the run identifier and the initial status so the caller can track it. Every standard operation (listing workflows, fetching run history, retrieving execution logs, managing webhooks) has its own clean endpoint with predictable responses and consistent error handling.
Multi Layer Security
Every incoming webhook gets trusted signature verification so events that did not really come from your source get rejected before any workflow runs. Rate limiting at the API layer and the workflow layer protects the platform from runaway clients and protects your downstream systems from being overwhelmed by automated workflows. Every variable and every secret in the workspace is encrypted at rest, so the data sitting on disk is protected even if someone somehow gained physical access to it.
Once a team has programmatic access through a real REST API behind tokens with custom scopes, network level allowlisting, trusted signature verification on every webhook, multi layer rate limiting, and encryption at rest for every secret, the conversation with the security team stops being "can we use this?" and starts being "this is how we use it". These are the changes that show up first.
Every workflow in the workspace can be triggered through the REST API, which means automation is no longer something only the platform's own triggers can start. The internal application that needs to kick off an onboarding workflow when a new customer signs up, the partner service that wants to fire a workflow when a specific event happens, the scheduled job in your existing infrastructure that already runs reliably: all of them become valid trigger sources without rewriting them.
Each token has exactly the permissions the integration calling with it actually needs and nothing more. The integration that only triggers one specific workflow cannot list other workflows, cannot see runs from unrelated workflows, cannot do anything outside its narrow purpose. The principle of least privilege that every security framework recommends becomes the default rather than an aspiration.
IP allowlisting and domain allowlisting per token mean a leaked credential is not enough on its own to access the platform; the caller also needs to be in the right place on the network. The integration running in your production environment gets allowlisted to its specific address ranges, the partner service gets allowlisted to theirs, and a token that ends up somewhere it should not be becomes immediately useless rather than immediately dangerous.
Every incoming webhook gets verified against the signed signature attached to the request, so fake events from somebody who guessed the webhook address get rejected before any workflow runs. The reassurance that an event genuinely came from your source and not from somebody trying to manipulate the system is built in rather than something the team has to implement at every endpoint.
Rate limits apply at the API layer to protect the platform from runaway clients, and at the workflow layer to protect downstream systems from being overwhelmed by an automated workflow that suddenly tries to fire ten thousand times in a minute. The configurable limits give the team control over both inbound and outbound traffic, so neither side ever becomes a denial of service vector for the other.
Every variable, every secret, every credential, every piece of data the workspace stores is encrypted at rest with workspace specific keys. The compliance question that used to be "how is the data protected?" gets a clear answer that satisfies every framework the team needs to satisfy, and the security review that used to take weeks now closes in a single meeting.
Full REST API. Long lived tokens with custom scopes. IP and domain allowlisting. Trusted signature verification. Multi layer rate limiting. Encryption at rest. The security posture your platform engineering and security teams have always wanted.
7600+ teams integrating with Revo through the secure REST API
Platform engineering teams integrating Revo into their existing systems, security teams responsible for the compliance posture of the workspace, infrastructure leads who need network level controls over every external touchpoint, automation engineers building cross system workflows that have to pass an audit, and founders selling into regulated industries where the security review is a real gate, all use Revo's REST API and security layer as the part of the platform their counterparts in security can actually approve. Every team, whether a small business connecting a handful of internal applications or a larger organisation orchestrating hundreds of business process automations across a regulated stack, gets the same API surface, the same scope based access control, and the same encryption guarantees.
A full REST API for triggering workflows programmatically, listing and managing workflows, retrieving runs and logs, and handling webhooks. Long lived access tokens with custom scopes give every integration exactly the permissions it needs. Predictable endpoints, consistent error handling, and clean response shapes that read like documentation even before you find the documentation.
A complete API and security toolkit built into the same workflow automation platform your team already uses. A full REST API, long lived access tokens with custom scopes, IP and domain allowlisting, trusted webhook signature verification, multi layer rate limiting, and encryption at rest come together so external systems can integrate cleanly and security teams can sign off quickly.
REST endpoints for triggering any workflow programmatically, listing and managing workflows, retrieving runs and execution logs, configuring webhooks, and every other standard operation. Predictable responses, consistent error handling, and clean endpoint design that reads like documentation even before you find the actual documentation.
Generate long lived access tokens with exactly the scopes each integration needs: read access to specific workflows, trigger access to a specific category, full access to a specific workspace, or anything narrower. Each token can be rotated or revoked independently, with the full audit log capturing every issuance and revocation.
Configure which IP address ranges and which domains can use each token. A leaked credential is no longer enough on its own to access the platform; the caller also needs to be in the right place on the network. Each token has its own allowlist, so different integrations can have different network boundaries appropriate to their context.
Every incoming webhook is verified against the signed signature attached to the request before any workflow runs. Fake events from somebody who guessed the webhook address get rejected at the door, so workflows only ever react to events that genuinely came from the source they claim to come from.
Rate limits at the API layer protect the platform from runaway clients. Rate limits at the workflow layer protect your downstream systems from being overwhelmed by automated workflows. Both layers are configurable, so the team can tune the protection that matches their context without compromising either inbound or outbound traffic patterns.
Every variable, every secret, every credential, every piece of data the workspace stores is encrypted at rest with workspace specific keys. The compliance question of how data is protected gets a clear answer that satisfies every framework, and the security review that used to be a weeks long project compresses into a single conversation with concrete answers.
Common questions about what the REST API actually exposes, how token scopes are configured, how IP and domain allowlisting works in practice, how webhook signature verification protects against fake events, what rate limit options are available, and exactly how data is encrypted at rest.
The REST API exposes every standard operation a team integrating with Revo could reasonably need: triggering any workflow programmatically with a payload, listing all workflows in a workspace, fetching detailed run history for any workflow, retrieving full execution logs for any specific run, registering and managing webhook destinations, querying the analytics metrics that drive the dashboard, and managing tokens and allowlists themselves. Every endpoint follows REST conventions with predictable URL patterns, standard request and response shapes, and consistent error handling that makes the API easy to read even before you find the documentation.