---
title: "New from Zuplo - February 2026"
description: ""
canonicalUrl: "https://zuplo.com/changelog/2026/03/01/monthly-changelog"
pageType: "changelog"
date: "2026-03-01"
tags: "runtime, dev-portal, portal, policy"
---
February 2026 delivers a packed set of updates across the Zuplo platform, with a
new HTTP Deprecation policy for API lifecycle management, major Dev Portal
enhancements including Algolia DocSearch integration and a redesigned
authentication experience, and powerful new navigation and content authoring
tools. This month also introduces a rate limiting bypass capability that gives
you more control over which requests count against your limits.

Whether you're signaling API deprecation to consumers, building rich developer
documentation, or fine-tuning rate limiting behavior, this release makes your
API management workflow more powerful and flexible.

## Highlights

### HTTP Deprecation Policy

Zuplo now offers an HTTP Deprecation outbound policy that automatically adds
standards-compliant deprecation headers to your API responses following the
[IETF HTTP Deprecation Header](https://datatracker.ietf.org/doc/html/draft-ietf-httpapi-deprecation-header)
standard. This makes it easy to communicate endpoint deprecation, sunset dates,
and migration documentation to your API consumers — all without writing custom
code.

When API consumers make requests to deprecated endpoints, they'll receive clear
signals via HTTP headers that help them plan their migration. This is essential
for API providers managing multiple versions or sunsetting legacy endpoints.

**Key capabilities:**

- **Deprecation header**: Signal that an endpoint is deprecated using a simple
  boolean, a specific date (ISO 8601), or a Unix timestamp
- **Sunset header**: Communicate when an endpoint will be permanently removed
- **Link header**: Point consumers to migration documentation or release notes

**Configuration example:**

```json
{
  "name": "deprecate-v1-endpoint",
  "policyType": "http-deprecation-outbound",
  "handler": {
    "export": "HttpDeprecationOutboundPolicy",
    "module": "$import(@zuplo/runtime)",
    "options": {
      "deprecation": "2026-03-01T00:00:00Z",
      "sunset": "2026-06-30T23:59:59Z",
      "link": "https://example.com/docs/v2-migration"
    }
  }
}
```

This configuration adds the following headers to responses:

- `Deprecation: Sat, 01 Mar 2026 00:00:00 GMT`
- `Sunset: Tue, 30 Jun 2026 23:59:59 GMT`
- `Link: <https://example.com/docs/v2-migration>; rel="deprecation"; type="text/html"`

For endpoints that are already deprecated without a specific date, set
`deprecation` to `true`:

```json
{
  "options": {
    "deprecation": true,
    "link": "https://example.com/docs/v2-migration"
  }
}
```

See the
[HTTP Deprecation Policy documentation](https://zuplo.com/docs/policies/http-deprecation-outbound)
for full configuration options.

---

## Runtime Improvements

### Rate Limiting: Bypass for Specific Requests

Zuplo's rate limiting policies now support bypassing rate limits for specific
requests by returning `null` or `undefined` from a custom rate limit function.
Previously, every request that passed through the rate limiter would hit Redis
and create a bucket — even if the request should be exempt. Now, returning
`null` or `undefined` from your custom function skips the rate limiter entirely
with zero overhead.

This is useful for whitelisting internal services, health check endpoints, or
specific IP addresses from rate limiting.

**Example:**

```typescript
import {
  CustomRateLimitFunction,
  CustomRateLimitDetails,
} from "@zuplo/runtime";

export const customRateLimitWithSkip: CustomRateLimitFunction = async (
  request,
  context,
): Promise<CustomRateLimitDetails | undefined> => {
  // Skip rate limiting for whitelisted IPs or internal services
  const clientIp = request.headers.get("cf-connecting-ip");
  if (isWhitelisted(clientIp)) {
    return undefined; // Skip rate limiting entirely — no Redis call
  }

  return {
    key: `user-${request.user?.sub}`,
    requestsAllowed: 100,
    timeWindowMinutes: 60,
  };
};
```

This works with custom rate limiting functions only.

See the
[Rate Limiting Policy documentation](https://zuplo.com/docs/policies/rate-limit-inbound)
for more details, or the
[Dynamic Rate Limiting guide](https://zuplo.com/docs/articles/step-5-dynamic-rate-limiting)
for advanced configuration.

---

## Dev Portal Highlights

### Algolia DocSearch Integration

The Dev Portal now supports [Algolia DocSearch](https://docsearch.algolia.com/)
as a search plugin, giving you access to one of the most popular and powerful
search solutions for documentation sites. Customers who already use Algolia or
need a more robust search experience can now integrate it directly into their
Dev Portal with a first-class plugin.

**Key capabilities:**

- **Powerful full-text search**: Leverage Algolia's indexing and ranking
  capabilities for fast, accurate search results
- **DocSearch UI**: Includes the familiar DocSearch modal and keyboard shortcuts
- **Easy setup**: Install the `@zudoku/plugin-search-algolia` package and
  configure your Algolia credentials

See the
[Search configuration documentation](https://zuplo.com/docs/dev-portal/zudoku/configuration/search)
for setup instructions.

### Seamless Protected Routes Authentication

The Dev Portal authentication experience received a significant upgrade this
month. When users navigate to a protected route, they now see a non-intrusive
login dialog overlaid on the current page — instead of being redirected away.
After successful authentication, navigation automatically proceeds to the
protected content.

**Key capabilities:**

- **In-context login dialog**: Users stay on the current page while
  authenticating, maintaining their context
- **Reason codes**: Distinguish between users who need to sign in
  (`UNAUTHORIZED`) and users who lack permission (`FORBIDDEN`) for role-based
  access control
- **Automatic navigation**: After login, users are seamlessly taken to their
  intended destination

**Configuration example:**

```typescript
// zudoku.config.ts
{
  // ...
  protectedRoutes: {
    // Members-only page: unauthenticated users see a login prompt
    "/only-members": ({ auth, reasonCode }) =>
      auth.isAuthenticated ? true : reasonCode.UNAUTHORIZED,

    // VIP page: unauthenticated users see login,
    // authenticated users without permission see "Access Denied"
    "/vip-lounge": ({ auth, reasonCode }) =>
      !auth.isAuthenticated
        ? reasonCode.UNAUTHORIZED
        : auth.profile?.email?.endsWith("@example.com")
          ? true
          : reasonCode.FORBIDDEN,
  },
  // ...
}
```

See the
[Protected Routes documentation](https://zuplo.com/docs/dev-portal/zudoku/configuration/protected-routes)
for configuration options.

### Draft Documents

Documentation authors can now mark pages as drafts by adding `draft: true` to
the page's frontmatter. Draft documents are visible during local development but
completely hidden from production builds. They won't appear in navigation, be
accessible via URL, or be rendered at all. This enables iterative writing
workflows and prevents incomplete content from being published.

```markdown
---
title: My New Feature
draft: true
---

This page is a work in progress and will only be visible in development.
```

See the
[Documentation configuration](https://zuplo.com/docs/dev-portal/zudoku/configuration/docs)
for all frontmatter options.

## Other Dev Portal Updates

February was a _massive_ month for Dev Portal updates. If the above wasn't
enough, we're excited to now have all of these features out there too:

### CodeTabs Component

A new `CodeTabs` MDX component lets documentation authors present multiple code
examples in a clean, tabbed interface. This is especially useful for showing
installation commands across package managers or code examples in multiple
languages.

**Key capabilities:**

- **Tabbed code blocks**: Group related code snippets into a single tabbed
  container
- **Synced tabs**: Use the `syncKey` property to keep tabs in sync across the
  page — selecting "pnpm" in one code tab automatically switches all synced tabs
- **Language icons**: Automatic icons for npm, pnpm, yarn, bun, and more

See the
[CodeTabs documentation](https://zuplo.com/docs/dev-portal/zudoku/components/code-tabs)
for usage examples.

### Navigation Rules

The Dev Portal introduces a powerful `navigationRules` configuration for
declaratively transforming navigation items. Instead of restructuring your file
system or writing custom code, you can now insert, modify, remove, sort, and
move navigation items through configuration.

**Supported rule types:**

- **`insert`**: Add new navigation items at specific positions
- **`modify`**: Change properties of existing items
- **`remove`**: Remove items from navigation
- **`sort`**: Reorder items within a section
- **`move`**: Move items between categories

Rules match items by label or index path (e.g., `Shipments/Domestic`), making it
easy to target specific sections of your navigation.

See the
[Navigation configuration documentation](https://zuplo.com/docs/dev-portal/zudoku/configuration/navigation)
for rule syntax and examples.

### New Navigation Item Types

Three new navigation item types provide more granular control over sidebar
structure:

- **`section`**: Group items into collapsible sections for hierarchical
  organization
- **`separator`**: Add visual dividers between navigation groups
- **`filter`**: Let users filter navigation items dynamically

See the
[Navigation configuration documentation](https://zuplo.com/docs/dev-portal/zudoku/configuration/navigation)
for details on each item type.

### Audio Player in API Playground

APIs that return audio content (such as text-to-speech or AI audio generation
endpoints) now show an inline audio player in the API Playground. Developers can
listen to audio responses directly in the documentation instead of downloading
files. This is a quality-of-life improvement for the growing category of
audio-related APIs.

### JSX Components in Headings

Documentation headings can now contain JSX components like `<Badge>` and
`<Alert>`, and they render correctly in both the Table of Contents and the
navigation sidebar. This enables patterns like marking endpoints as beta or
deprecated directly in headings:

```mdx
# My Endpoint <Badge>Beta</Badge>
```

### Improved OpenAPI Tag Sorting

When using `x-tagGroups` in an OpenAPI specification, grouped and ungrouped tags
now interleave alphabetically in the sidebar instead of grouped tags always
appearing first. This produces a more natural navigation experience for large
API documentation.

Additionally, tags and `x-tagGroups` that share the same name are now merged
into a single sidebar category instead of appearing as duplicates. This follows
the enhanced tags behavior from OpenAPI 3.2.0.

### Expose Full OpenID UserInfo Data

The Dev Portal now exposes all data from the OpenID `userInfo` endpoint,
including custom fields like `app_metadata` and `user_metadata`. This is
important for customers who use Auth0 or other OpenID providers and need to
customize the portal experience based on user attributes, such as showing
different content based on subscription tier.

See the
[Authentication configuration documentation](https://zuplo.com/docs/dev-portal/zudoku/configuration/authentication)
for details.

### Navigation Display in Frontmatter

Documentation authors can now control how a page appears in the navigation
sidebar directly from the page's frontmatter, including custom labels and icons.
This provides per-page control over navigation presentation without modifying a
central navigation configuration file.

See the
[Documentation configuration](https://zuplo.com/docs/dev-portal/zudoku/configuration/docs)
for available frontmatter options.

### API Key Description Display

The Dev Portal's API key management component now displays the key's description
alongside each key, making it easier for developers who manage multiple API keys
to distinguish between them (e.g., "Production key" vs. "Testing key").

See the
[API Key Management documentation](https://zuplo.com/docs/articles/api-key-management)
for more information.

### Verified Email in ID Tokens

The Dev Portal now supports the `verifiedEmail` claim in OpenID ID tokens,
useful for implementing email verification checks or conditional UI based on
whether a user's email has been verified by the identity provider.

### Plugin Developer: `transformConfig` Hook

Plugin authors can now use a new `transformConfig` hook to programmatically
modify the Dev Portal configuration at build time. This enables more powerful
and dynamic plugin behaviors.

See the
[Custom Plugins documentation](https://zuplo.com/docs/dev-portal/zudoku/custom-plugins)
for details on writing plugins.

---

## Portal Updates

### Redesigned Project Creation Flow

The Zuplo Portal's project creation experience has been redesigned for a
smoother, faster workflow.

**Key improvements:**

- **Simplified project type selection**: The project type selector now features
  API Management as the primary choice.
- **Dialog overlay pattern**: The new project dialog now overlays the project
  list instead of navigating away, so you can dismiss it to return to your
  projects
- **Random name generator**: A name refresh button generates random project
  names for quick project creation

![Redesigned project creation dialog](../public/media/changelog/2026-03/project-create-dialogue.png)

---

## Documentation Updates

This month we added or improved documentation for:

- [HTTP Deprecation Policy](https://zuplo.com/docs/policies/http-deprecation-outbound) -
  New policy documentation for adding deprecation headers to API responses
- [Guides](https://zuplo.com/docs/guides/overview) - Guides were reorganized
  into category-based sidebar navigation with five categories: Authentication &
  Security, OpenAPI & API Design, Routing & Backends, Performance & Data, and
  Testing & Development
- [WAF Documentation](https://zuplo.com/docs/articles/waf-ddos) - Improved
  clarity and formatting for Web Application Firewall documentation