New from Zuplo - February 2026

February 2026 delivers a packed set of updates across the Zuplo platform, with a new HTTP Deprecation policy for API lifecycle management, major Dev Portal enhancements including Algolia DocSearch integration and a redesigned authentication experience, and powerful new navigation and content authoring tools. This month also introduces a rate limiting bypass capability that gives you more control over which requests count against your limits.

Whether you’re signaling API deprecation to consumers, building rich developer documentation, or fine-tuning rate limiting behavior, this release makes your API management workflow more powerful and flexible.

Highlights

HTTP Deprecation Policy

Zuplo now offers an HTTP Deprecation outbound policy that automatically adds standards-compliant deprecation headers to your API responses following the IETF HTTP Deprecation Header standard. This makes it easy to communicate endpoint deprecation, sunset dates, and migration documentation to your API consumers — all without writing custom code.

When API consumers make requests to deprecated endpoints, they’ll receive clear signals via HTTP headers that help them plan their migration. This is essential for API providers managing multiple versions or sunsetting legacy endpoints.

Key capabilities:

• Deprecation header: Signal that an endpoint is deprecated using a simple boolean, a specific date (ISO 8601), or a Unix timestamp
• Sunset header: Communicate when an endpoint will be permanently removed
• Link header: Point consumers to migration documentation or release notes

Configuration example:

{
  "name": "deprecate-v1-endpoint",
  "policyType": "http-deprecation-outbound",
  "handler": {
    "export": "HttpDeprecationOutboundPolicy",
    "module": "$import(@zuplo/runtime)",
    "options": {
      "deprecation": "2026-03-01T00:00:00Z",
      "sunset": "2026-06-30T23:59:59Z",
      "link": "https://example.com/docs/v2-migration"
    }
  }
}

This configuration adds the following headers to responses:

• Deprecation: Sat, 01 Mar 2026 00:00:00 GMT
• Sunset: Tue, 30 Jun 2026 23:59:59 GMT
• Link: <https://example.com/docs/v2-migration>; rel="deprecation"; type="text/html"

For endpoints that are already deprecated without a specific date, set deprecation to true:

{
  "options": {
    "deprecation": true,
    "link": "https://example.com/docs/v2-migration"
  }
}

See the HTTP Deprecation Policy documentation for full configuration options.

Runtime Improvements

Rate Limiting: Bypass for Specific Requests

Zuplo’s rate limiting policies now support bypassing rate limits for specific requests by returning null or undefined from a custom rate limit function. Previously, every request that passed through the rate limiter would hit Redis and create a bucket — even if the request should be exempt. Now, returning null or undefined from your custom function skips the rate limiter entirely with zero overhead.

This is useful for whitelisting internal services, health check endpoints, or specific IP addresses from rate limiting.

Example:

import {
  CustomRateLimitFunction,
  CustomRateLimitDetails,
} from "@zuplo/runtime";

export const customRateLimitWithSkip: CustomRateLimitFunction = async (
  request,
  context,
): Promise<CustomRateLimitDetails | undefined> => {
  // Skip rate limiting for whitelisted IPs or internal services
  const clientIp = request.headers.get("cf-connecting-ip");
  if (isWhitelisted(clientIp)) {
    return undefined; // Skip rate limiting entirely — no Redis call
  }

  return {
    key: `user-${request.user?.sub}`,
    requestsAllowed: 100,
    timeWindowMinutes: 60,
  };
};

This works with custom rate limiting functions only.

See the Rate Limiting Policy documentation for more details, or the Dynamic Rate Limiting guide for advanced configuration.

Dev Portal Highlights

Algolia DocSearch Integration

The Dev Portal now supports Algolia DocSearch as a search plugin, giving you access to one of the most popular and powerful search solutions for documentation sites. Customers who already use Algolia or need a more robust search experience can now integrate it directly into their Dev Portal with a first-class plugin.

Key capabilities:

• Powerful full-text search: Leverage Algolia’s indexing and ranking capabilities for fast, accurate search results
• DocSearch UI: Includes the familiar DocSearch modal and keyboard shortcuts
• Easy setup: Install the @zudoku/plugin-search-algolia package and configure your Algolia credentials

See the Search configuration documentation for setup instructions.

Seamless Protected Routes Authentication

The Dev Portal authentication experience received a significant upgrade this month. When users navigate to a protected route, they now see a non-intrusive login dialog overlaid on the current page — instead of being redirected away. After successful authentication, navigation automatically proceeds to the protected content.

Key capabilities:

• In-context login dialog: Users stay on the current page while authenticating, maintaining their context
• Reason codes: Distinguish between users who need to sign in (UNAUTHORIZED) and users who lack permission (FORBIDDEN) for role-based access control
• Automatic navigation: After login, users are seamlessly taken to their intended destination

Configuration example:

// zudoku.config.ts
{
  // ...
  protectedRoutes: {
    // Members-only page: unauthenticated users see a login prompt
    "/only-members": ({ auth, reasonCode }) =>
      auth.isAuthenticated ? true : reasonCode.UNAUTHORIZED,

    // VIP page: unauthenticated users see login,
    // authenticated users without permission see "Access Denied"
    "/vip-lounge": ({ auth, reasonCode }) =>
      !auth.isAuthenticated
        ? reasonCode.UNAUTHORIZED
        : auth.profile?.email?.endsWith("@example.com")
          ? true
          : reasonCode.FORBIDDEN,
  },
  // ...
}

See the Protected Routes documentation for configuration options.

Draft Documents

Documentation authors can now mark pages as drafts by adding draft: true to the page’s frontmatter. Draft documents are visible during local development but completely hidden from production builds. They won’t appear in navigation, be accessible via URL, or be rendered at all. This enables iterative writing workflows and prevents incomplete content from being published.

---
title: My New Feature
draft: true
---

This page is a work in progress and will only be visible in development.

See the Documentation configuration for all frontmatter options.

Other Dev Portal Updates

February was a massive month for Dev Portal updates. If the above wasn’t enough, we’re excited to now have all of these features out there too:

CodeTabs Component

A new CodeTabs MDX component lets documentation authors present multiple code examples in a clean, tabbed interface. This is especially useful for showing installation commands across package managers or code examples in multiple languages.

Key capabilities:

• Tabbed code blocks: Group related code snippets into a single tabbed container
• Synced tabs: Use the syncKey property to keep tabs in sync across the page — selecting “pnpm” in one code tab automatically switches all synced tabs
• Language icons: Automatic icons for npm, pnpm, yarn, bun, and more

See the CodeTabs documentation for usage examples.

Navigation Rules

The Dev Portal introduces a powerful navigationRules configuration for declaratively transforming navigation items. Instead of restructuring your file system or writing custom code, you can now insert, modify, remove, sort, and move navigation items through configuration.

Supported rule types:

• insert: Add new navigation items at specific positions
• modify: Change properties of existing items
• remove: Remove items from navigation
• sort: Reorder items within a section
• move: Move items between categories

Rules match items by label or index path (e.g., Shipments/Domestic), making it easy to target specific sections of your navigation.

See the Navigation configuration documentation for rule syntax and examples.

New Navigation Item Types

Three new navigation item types provide more granular control over sidebar structure:

• section: Group items into collapsible sections for hierarchical organization
• separator: Add visual dividers between navigation groups
• filter: Let users filter navigation items dynamically

See the Navigation configuration documentation for details on each item type.

Audio Player in API Playground

APIs that return audio content (such as text-to-speech or AI audio generation endpoints) now show an inline audio player in the API Playground. Developers can listen to audio responses directly in the documentation instead of downloading files. This is a quality-of-life improvement for the growing category of audio-related APIs.

JSX Components in Headings

Documentation headings can now contain JSX components like <Badge> and <Alert>, and they render correctly in both the Table of Contents and the navigation sidebar. This enables patterns like marking endpoints as beta or deprecated directly in headings:

# My Endpoint <Badge>Beta</Badge>

Improved OpenAPI Tag Sorting

When using x-tagGroups in an OpenAPI specification, grouped and ungrouped tags now interleave alphabetically in the sidebar instead of grouped tags always appearing first. This produces a more natural navigation experience for large API documentation.

Additionally, tags and x-tagGroups that share the same name are now merged into a single sidebar category instead of appearing as duplicates. This follows the enhanced tags behavior from OpenAPI 3.2.0.

Expose Full OpenID UserInfo Data

The Dev Portal now exposes all data from the OpenID userInfo endpoint, including custom fields like app_metadata and user_metadata. This is important for customers who use Auth0 or other OpenID providers and need to customize the portal experience based on user attributes, such as showing different content based on subscription tier.

See the Authentication configuration documentation for details.

Navigation Display in Frontmatter

Documentation authors can now control how a page appears in the navigation sidebar directly from the page’s frontmatter, including custom labels and icons. This provides per-page control over navigation presentation without modifying a central navigation configuration file.

See the Documentation configuration for available frontmatter options.

API Key Description Display

The Dev Portal’s API key management component now displays the key’s description alongside each key, making it easier for developers who manage multiple API keys to distinguish between them (e.g., “Production key” vs. “Testing key”).

See the API Key Management documentation for more information.

Verified Email in ID Tokens

The Dev Portal now supports the verifiedEmail claim in OpenID ID tokens, useful for implementing email verification checks or conditional UI based on whether a user’s email has been verified by the identity provider.

Plugin Developer: transformConfig Hook

Plugin authors can now use a new transformConfig hook to programmatically modify the Dev Portal configuration at build time. This enables more powerful and dynamic plugin behaviors.

See the Custom Plugins documentation for details on writing plugins.

Portal Updates

Redesigned Project Creation Flow

The Zuplo Portal’s project creation experience has been redesigned for a smoother, faster workflow.

Key improvements:

• Simplified project type selection: The project type selector now features API Management as the primary choice.
• Dialog overlay pattern: The new project dialog now overlays the project list instead of navigating away, so you can dismiss it to return to your projects
• Random name generator: A name refresh button generates random project names for quick project creation

Documentation Updates

This month we added or improved documentation for:

• HTTP Deprecation Policy - New policy documentation for adding deprecation headers to API responses
• Guides - Guides were reorganized into category-based sidebar navigation with five categories: Authentication & Security, OpenAPI & API Design, Routing & Backends, Performance & Data, and Testing & Development
• WAF Documentation - Improved clarity and formatting for Web Application Firewall documentation