Twenty 2.0: The open-source CRM follows up
The open-source CRM Twenty receives a comprehensive update with AI integration, performance improvements, and enterprise features.
With version 2.0.0, the open-source CRM Twenty receives a comprehensive update. The release focuses on AI integration, performance optimizations, and infrastructure for self-hosting and cloud deployments. It also bundles improvements to the SDK, expands mechanisms for authentication and integration, and brings numerous optimizations to the user interface and stability.
Twenty is open-source software for customer relationship management and positions itself as a developer-friendly alternative to established CRM systems like Salesforce. The focus is on a modular structure, its SDK, self-hosting, and the connection of external services.
AI Integration via MCP
An important aspect of the release is the expansion of AI functions and their integration into external systems. Internally, Agent is renamed to Ai, supplemented by new error codes for typical states such as missing threads or messages. Twenty also improves the connection of external AI clients via OAuth and the Model Context Protocol. MCP standardizes the connection of AI models with applications – for example, via OAuth-secured interfaces. In practice, an LLM client like Claude can directly access CRM data, secured via established authentication mechanisms.
Slimmer SDK and New Deployment Options
For developers, version 2.0 primarily brings profound changes to the SDK. It is now divided into subpaths, allowing applications to load only the necessary modules. This drastically reduces the bundle size for Logic Functions – by a factor of 700, according to the developers. Users benefit particularly in serverless environments: smaller bundles reduce cold starts and improve performance. Additionally, new functions for app manifests are introduced, for example, for defining sorting logic.
Twenty is also enhancing its infrastructure. New Docker targets and configurations simplify deployments, especially in conjunction with AWS EKS. Twenty is also expanding its commercial functions for self-hosting: the release adds processes for licensing and billing, including checkout, activation, status queries, and seat management.
Hardening of Authentication and Performance
Several changes to security and authentication are particularly relevant for production use. OAuth now requires PKCE (Proof Key for Code Exchange) for public clients, which makes attacks on authorization codes more difficult. Furthermore, the implementations now follow the RFC 9728 and MCP specifications. For browser-based clients, Twenty corrects the WWW-Authenticate header. The release also addresses specific vulnerabilities, such as those related to prototype pollution and infinitely growing attachments in socket.io.
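To illustrate what mandatory PKCE means for a public client, here is an added example that is not taken from Twenty's code base or from this article: a sketch of the RFC 7636 checks at an authorization server's two endpoints. All function and field names (`checkAuthorizationRequest`, `checkTokenRequest`, `isPublic`) are assumptions chosen for illustration.

```javascript
// Added example: PKCE (RFC 7636) checks for public OAuth clients.
// All function and field names are illustrative assumptions, not Twenty's code.
const { createHash, randomBytes, timingSafeEqual } = require('node:crypto');

// S256 transform: BASE64URL(SHA-256(ASCII(code_verifier))), no padding.
function s256(verifier) {
  return createHash('sha256').update(verifier, 'ascii').digest('base64url');
}

// Client side: a fresh high-entropy verifier and the challenge sent with the
// authorization request. 32 random bytes encode to 43 base64url characters.
function createPkcePair() {
  const verifier = randomBytes(32).toString('base64url');
  return { verifier, challenge: s256(verifier) };
}

// Authorization endpoint: a public client (no client secret) must send an
// S256 challenge; "plain" or a missing challenge is rejected outright.
function checkAuthorizationRequest(client, params) {
  if (!client.isPublic) return { ok: true };
  if (!params.code_challenge || params.code_challenge_method !== 'S256') {
    return { ok: false, error: 'invalid_request' };
  }
  return { ok: true };
}

// Token endpoint: the verifier must hash to the challenge that was stored
// alongside the authorization code. A stolen code alone is not redeemable.
function checkTokenRequest(storedChallenge, codeVerifier) {
  const wellFormed = typeof codeVerifier === 'string' &&
    /^[A-Za-z0-9\-._~]{43,128}$/.test(codeVerifier);
  if (!wellFormed) return { ok: false, error: 'invalid_grant' };
  const expected = Buffer.from(storedChallenge, 'ascii');
  const actual = Buffer.from(s256(codeVerifier), 'ascii');
  const match = expected.length === actual.length &&
    timingSafeEqual(expected, actual);
  return match ? { ok: true } : { ok: false, error: 'invalid_grant' };
}
```

Because the verifier never leaves the client until the token request, a party that only observes the authorization code in a redirect cannot exchange it for tokens.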
Performance improvements primarily affect backend and serverless operations. Twenty now uses a cache for ESM modules across multiple Lambda invocations, thus reducing the costs of repeated initialization. Further optimizations fix inefficient database queries that could previously lead to timeouts due to unintended Cartesian products.
Revised User Interface and Further Innovations
The Twenty team has also revised the user interface. Under the slogan “Hero 2.0”, it presents a new design. Functional improvements include reset options for layouts, an icon picker for tabs, and more consistent UI components. The admin panel now runs via its GraphQL endpoint, which clarifies responsibilities.
Additionally, Twenty introduces SVG export and improves the control of metadata and events. The latter are now more closely tied to individual users, allowing notifications and data streams to be isolated more precisely.
The release is accompanied by extensive i18n updates for the user interface and documentation, as well as a revised website including sitemap and robots.txt. Numerous smaller bug fixes, refactorings, and stability improvements are also included. The complete list of changes can be found in the Release Notes on GitHub.
(fo)