Feature ideas

Fields for display can be moved around. They can also be hidden. It would be great if we were able to edit the field order on the Form. It would make it easier to create/edit entity.

Currently, when an admin impersonates a user and initiates a self-service action, the triggered by field reflects the admin rather than the impersonated user. This causes issues when supporting users. It would be beneficial to default this field to the impersonated user or provide a prompt to select the user when starting the action.

The port-ocean Helm chart hardcodes backoffLimit: 0 in the CronJob job template (cron.yaml L28). This value is not exposed as a configurable Helm value. In Kubernetes environments with node autoscalers (Karpenter, Cluster Autoscaler), pods can be evicted at any time due to node consolidation or scale-down events. When a resync pod is evicted mid-execution, it exits non-zero, and with backoffLimit: 0 the entire Job is marked as permanently failed — no retry is attempted. This makes the self-hosted CronJob integration inherently fragile on autoscaled clusters, which represent the majority of production EKS/GKE/AKS deployments. Requested change: Expose backoffLimit as a configurable Helm value under workload.cron, e.g.: workload: cron: backoffLimit: 3 # default: 0 (current behavior, for backward compat) And in cron.yaml: backoffLimit: {{ .Values.workload.cron.backoffLimit | default 0 }} Why this matters: backoffLimit: 0 means any transient pod failure (node eviction, OOM kill, spot interruption, network blip during image pull) permanently fails the Job. Users currently cannot work around this without either (a) adding karpenter.sh/do-not-disrupt annotations — which only covers Karpenter and doesn't help with spot interruptions or OOM — or (b) forking the chart. A modest default like 3 would allow Kubernetes to retry the resync pod automatically while still bounding runaway retries. The existing activeDeadlineSeconds already provides a time-based safety net

Enterprise customers need Port to support access to internal MCP servers behind private network boundaries. A Port Agent–style proxy (deployable via Helm) would enable secure connectivity and unlock a major use case currently blocked by the platform’s push-based architecture. This would also allow teams to integrate internal tools (e.g., on-prem systems and private APIs) through Port’s MCP interface at scale.

Add support for ingesting ServiceNow user-group membership records to drive. This would help to leverage membership data to establish a User-Groups relationship pattern natively within the Ocean integration.

Currently, the Bitbucket integration UI only supports username/password authentication. However, token-based authentication (client ID/secret) appears to already be supported at the Helm chart level. This suggests the limitation may be UI-only. It would be helpful to expose client ID/secret auth in the UI to align with existing backend capabilities and improve security/flexibility. If this is just a UI gap, it could be a relatively quick win if prioritized.

Summary Support for concurrent (overlapping) client secrets with configurable time-to-live (TTL) to enable automated, zero-downtime secret rotation. Problem When rotating a Port client secret, the old secret is immediately invalidated upon replacement. In distributed systems, consuming services need time to pick up the new secret value. During this propagation window, services still using the old secret experience authentication failures, causing downtime or errors. Currently, the same secret name cannot hold two valid values simultaneously, and there is no built-in mechanism to set an expiry/lifetime on a secret. While a custom automation can partially work around this, the lack of native support makes automated rotation fragile and error-prone. Proposed Solution Concurrent secrets: Allow at least two valid secrets to coexist for the same credential (e.g., a "primary" and "secondary" key pattern, similar to Azure AD app registrations or AWS IAM access keys). Both secrets should be accepted for authentication until the older one is explicitly revoked or expires. Secret TTL / expiry: Allow an optional time-to-live to be set when creating or rotating a secret. Once the TTL elapses, the secret is automatically invalidated. This enables a "create new → wait for propagation → old expires" workflow without manual cleanup. Rotation API: Expose a secret rotation endpoint (or extend the existing secrets API) that creates a new secret while keeping the previous one valid for a configurable grace period. This would integrate naturally with self-service actions for automated rotation schedules. Use Case As a platform team operating Port integrations across multiple Kubernetes services (Ocean integrations, CronJobs, Lambda functions), we want to automate client secret rotation on a regular cadence via a self-service action. The rotation flow would be: Generate a new secret (old secret remains valid) Propagate the new secret to consuming services (via K8s secrets, SSM parameters, etc.) Old secret expires after a configured grace period (e.g., 24 hours) Without concurrent secret support and TTL, there is always a window where some consumers hold a stale secret, resulting in failed API calls. Alternatives Considered Custom automation with rapid propagation: Rotate the secret and immediately push to all consumers. This is brittle — any delay or failure in propagation causes outages. - Scheduled maintenance window: Coordinate rotation during low-traffic periods. This doesn't scale and defeats the purpose of automation.

Port's URL and Labeled URL properties are fundamentally different types, once a URL property is created, it cannot be converted to a Labeled URL in place. The only path to migration requires creating a new property, deploying, migrating data, updating all integrations, and deleting the old property, a process that can take ~2 hours for what should be a trivial display change. Proposed Solution Allow a display-layer transformation (e.g., via JQ expression or a simple label mapping) on existing URL string properties, so that: The underlying data remains a plain URL string (no schema change, no integration updates required). The display layer renders the URL with a human-readable label, equivalent to the current Labeled URL behavior. Why It Matters Eliminates data duplication and integration dependencies caused by property recreation. Reduces a ~2-hour migration to a seconds-long configuration change. Aligns with the spirit of the already-shipped Labeled URL feature.

Request for an API endpoint that can retrieve account-level information. This will allow us to retrieve all orgs associated with our account at once, and to edit account name, which isn't currently possible

The MyTeams option should appear in the filter value dropdown whenever the selected filter property resolves to a team, regardless of whether that property is: A native owning team property on the directly filtered entity A computed team property on the directly filtered entity An owning team property or relation on a related entity (i.e. filtering Entity A by Entity B's owning team) This can currently be achieved using JSON mode filters, but not in the form view with MyTeams.