Shortcut vs Rocket.Chat
Side-by-side trajectory, velocity, and editorial themes.
Shortcut redesigns its API for AI agents and pushes Korey beyond its own walls.
Shortcut is making concrete bets on agent-based work. API v4 entered alpha on May 12 with explicit framing around expanded capabilities and 'agent compatibility' — a positioning shift, not just a version bump. Their in-house AI assistant Korey is expanding outward: right-click access in February, then a dedicated Chrome extension in April that runs on any webpage. Around the strategic work, smaller improvements (Teams on Roadmap, March's SLA Alerts) keep shipping, alongside feed-noise from brand-guide pages being scraped as if they were releases.
Shortcut is positioning itself as the project-management surface that AI agents naturally operate against, not just a PM tool with AI features bolted on. Korey is being pushed from in-app helper toward general-purpose web assistant; the API is being redesigned with external agent consumers in mind. That's a coherent strategic stance the bigger PM players — Jira, Linear, Asana — have not yet made as explicitly. Underlying release cadence stays steady, suggesting these are strategic plays, not panicked pivots.
Expect API v4 to surface MCP-style tooling endpoints and structured action surfaces aimed squarely at agent frameworks. Korey's Chrome extension is likely a stepping stone toward a 'Korey anywhere' positioning — deeper integrations with browser, email, and calendar are the natural next dominoes.
Rocket.Chat hardens for regulated buyers: phishing-resistant MFA, ABAC governance, and a quiet client-architecture pivot.
The 8.4 line is finishing its RC cycle while 8.5.0-rc.0 lands, carrying a server-side OAuth rewrite with CSRF/PKCE, 2FA-on-OAuth flows, and four new admin permissions for the ABAC panel. Around those headline items sits a layer of plumbing work — an opt-in SDK-over-DDP transport behind a meta-tag/localStorage/URL flag, a room-scoped text-index toggle for large workspaces, and image-URL sanitization closing an XSS vector — alongside the usual stack of patch fixes.
Two trends dominate. First, security and enterprise governance are the gravitational center: ABAC keeps gaining surfaces (panel visibility, app reads, Virtru as a Policy Decision Point in 8.4), OAuth is being rebuilt server-side, and 2FA is being enforced even through identity providers. Second, the team is modernizing the legacy Meteor underbelly — an SDK transport that bypasses Meteor's DDP layer is shipping dormant, and a flag is staging for Babel's removal in 9.0.0.
Expect 8.5 to graduate to GA with the OAuth/MFA hardening as its headline, and for the SDK-over-DDP transport to become the default in 9.0.0 once the dormant period exposes incompatibilities. ABAC will keep accreting admin controls until it's a coherent enterprise governance story alongside SSO and audit logs.
See more alternatives to Shortcut →
See more alternatives to Rocket.Chat →