Zuplo

New from Zuplo - May 2026

May 2026 brings the public beta of the MCP Gateway, Zuplo’s fully-managed proxy for Model Context Protocol servers, built on a policy-composed architecture and compatible with ChatGPT, Claude, Cursor, and more. New AI Gateway, MCP, and Agents analytics dashboards give you deep visibility into AI-powered traffic, and the Dev Portal adds GraphQL endpoint support with an integrated GraphiQL playground.

Highlights

MCP Gateway: Public Beta

Zuplo’s MCP Gateway is now in public beta: a fully-managed proxy that lets you expose upstream MCP servers to AI clients securely, with authentication, capability filtering, and analytics built in.

The MCP Gateway uses a policy-composed architecture: each upstream MCP server is a standard Zuplo route with composable inbound policies for authentication, credential injection, and capability filtering, the same patterns you already use for REST APIs.

Key capabilities:

  • Policy-composed proxy: Each upstream server is a single route using the McpProxyHandler, with gateway auth, upstream credentials, and capability filtering applied as standard inbound policies
  • ChatGPT and Claude compatibility: OAuth flows work with ChatGPT Apps SDK, Claude Desktop, Claude Code, Cursor, VS Code, and other MCP clients
  • Capability filtering: The new MCP Capability Filter policy selectively exposes specific tools, prompts, and resources while blocking access to hidden capabilities
  • 10+ identity providers: Configure gateway authentication with Auth0, WorkOS, Google, Okta, Microsoft Entra, Amazon Cognito, Keycloak, Logto, OneLogin, or Ping, all from the Portal UI
  • White-labeled consent pages: Gateway-hosted consent, sign-in, and OAuth callback pages use a clean, unbranded design ready for your custom domain
  • End-user analytics: MCP events attribute usage to individual end users, powering user-level breakdowns in analytics dashboards
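
The capability filtering described above, sketched as an added example (not Zuplo's policy code and not from the original page): hiding a capability means filtering it out of list responses and also refusing direct calls that name it. Method and field names follow the MCP JSON-RPC spec; the allowlist shape, function names, and sample tool names are assumptions made for illustration.

```javascript
// Added illustration, not Zuplo's policy code. Method and field names follow
// the MCP JSON-RPC spec; the allowlist shape and function names are assumptions.
const KINDS = {
  tools: { list: "tools/list", use: "tools/call", key: "name" },
  prompts: { list: "prompts/list", use: "prompts/get", key: "name" },
  resources: { list: "resources/list", use: "resources/read", key: "uri" },
};

// Constructed allowlist: anything not named here is hidden.
const ALLOW = {
  tools: new Set(["search_docs"]),
  prompts: new Set([]),
  resources: new Set(["docs://readme"]),
};

// Inbound check: refuse direct use of a hidden capability. Hiding it from the
// list alone is not enough, since a client can send a name it learned elsewhere.
function checkRequest(msg, allow = ALLOW) {
  for (const [kind, k] of Object.entries(KINDS)) {
    if (msg.method === k.use && !allow[kind].has(msg.params?.[k.key])) {
      // Same error as a nonexistent capability, so hidden names are not confirmed.
      return { jsonrpc: "2.0", id: msg.id,
               error: { code: -32602, message: "Unknown capability" } };
    }
  }
  return null; // null means: forward to the upstream MCP server
}

// Outbound filter: strip hidden entries from a list response.
function filterListResponse(method, response, allow = ALLOW) {
  for (const [kind, k] of Object.entries(KINDS)) {
    if (method === k.list && Array.isArray(response.result?.[kind])) {
      const kept = response.result[kind].filter((c) => allow[kind].has(c[k.key]));
      return { ...response, result: { ...response.result, [kind]: kept } };
    }
  }
  return response;
}

// Constructed upstream response exposing one allowed and one hidden tool.
const upstreamList = { jsonrpc: "2.0", id: 1, result: { tools: [
  { name: "search_docs" }, { name: "delete_project" } ] } };
```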

Get started with the MCP Gateway quickstart in the Zuplo Portal. See the MCP Gateway documentation for architecture details and client connection guides.

New MCP Gateway virtual server wizard with upstream MCP server library


Zuplo MCP Server

The Zuplo MCP server is now live at https://dev.zuplo.com/mcp. It exposes the full Zuplo Developer API as Model Context Protocol tools, so an agent can list deployments, roll API keys, add custom domains, query audit logs, and do anything else the Developer API supports.

Point any MCP-compatible client (Claude Code, Cursor, VS Code) at the endpoint with a scoped API key as a bearer token. The key’s permissions determine which accounts, projects, and operations show up as tools. Read more in Introducing the Zuplo MCP Server.


Analytics Dashboards: AI Gateway, MCP, and Agents

The Zuplo Portal now features dedicated analytics dashboards for every product line, giving you visibility into AI-powered traffic alongside traditional REST analytics.

  • AI Gateway: Total requests, tokens consumed, estimated cost, and cache hit rate, with model and provider breakdowns, latency percentiles, and prompt-vs-completion token splits
  • MCP: A unified gateway and server view with tool calls, active sessions, error rate, and p95 latency, plus top tools, resources, and prompts breakdown tables
  • Agents: Identifies which AI applications (ChatGPT, Claude, Cursor, Perplexity, Copilot, and others) are calling your APIs. Click any agent to filter all other analytics tabs by that agent. Read more in Introducing Agents Analytics

All dashboards are available on the Analytics page at both account and project scope. See the MCP Analytics documentation for event types and how to interpret the data.

MCP analytics top capabilities breakdown with call volume, error rate, and p95 latency per tool

Agents analytics dashboard with agent breakdown


GraphQL Endpoint Support

Zuplo now supports GraphQL endpoints end-to-end, from the OpenAPI designer in the Portal through to interactive GraphiQL in the Dev Portal.

In the Portal, a new “Mark as GraphQL” option in the operation editor flags any OpenAPI operation as a GraphQL endpoint, persisted via the x-graphql vendor extension. In the Dev Portal, flagged operations automatically render a GraphiQL panel instead of the standard HTTP playground, inheriting the user’s current credentials as default headers so authenticated GraphQL queries work out of the box.

```yaml
# In your OpenAPI spec
paths:
  /graphql:
    post:
      operationId: graphql
      x-graphql:
        endpoint: "https://api.example.com/graphql"
```

Runtime Improvements

Client mTLS Authentication

Zuplo now supports client-side mutual TLS (mTLS) authentication as an Enterprise add-on. The new mtls-auth-inbound policy verifies client certificates at the edge, rejecting requests that don’t present a valid certificate signed by one of your uploaded CA certificates. Parsed certificate metadata (subject, issuer, fingerprint, validity) is available on request.user.data.mtlsAuth, and zero-downtime CA rotation is supported.

CA certificates are managed with the new zuplo ca-certificate command group (create, list, describe, update, delete), with client-side validation that catches common mistakes before the network call:

```bash
zuplo ca-certificate create --name myRootCA --cert ./root-ca.pem
```

See the Client mTLS Authentication guide for setup instructions.

Set Upstream API Key Policy

A new purpose-built inbound policy for the most common upstream authentication pattern: attaching a secret API key header before forwarding requests to your backend. It defaults to the Authorization header and supports the $env() syntax for sourcing secrets from environment variables.

```json
{
  "name": "set-upstream-key",
  "policyType": "set-upstream-api-key-inbound",
  "handler": {
    "export": "SetUpstreamApiKeyInboundPolicy",
    "module": "$import(@zuplo/runtime)",
    "options": {
      "value": "Bearer $env(UPSTREAM_API_KEY)"
    }
  }
}
```

See the Set Upstream API Key documentation for all options.

Also released this month:

  • Monetization entitlement gating: The monetization inbound policy supports a requiredEntitlements option that gates access to premium features by plan tier without incrementing metered usage, returning 403 Forbidden when an entitlement is missing. See the Monetization documentation
  • API Key policy bucketId option: The preferred way to specify which API key bucket to authenticate against, replacing the legacy bucketName option and using the faster v2 key-auth endpoint. Existing configurations continue to work without changes
  • MCP policies now public: Four MCP Gateway policies (OAuth, Auth0 OAuth, Token Exchange, and Capability Filter) are now visible in the policy catalog under the MCP Gateway product category
  • Header validation fix: Required headers declared with canonical mixed case (e.g., X-API-Key) are no longer incorrectly reported as missing. Lookups are now case-insensitive per RFC 7230
  • OpenID JWT JWKS recovery: The OpenIdJwtInboundPolicy no longer becomes permanently stuck when a JWKS fetch returns a key set missing the expected kid (e.g., during IdP key rotation). It now drops the cached verifier and retries
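
The JWKS recovery behaviour in the last bullet, as an added example (not Zuplo's OpenIdJwtInboundPolicy and not from the original page): on a kid miss the cached key set is replaced by a fresh fetch instead of being trusted forever. The injected `fetchJwks` function, the class name, the refetch rate limit, and the sample kids are assumptions so the example runs offline.

```javascript
// Added illustration, not Zuplo's implementation. fetchJwks is injected
// (assumption) and must resolve to a JWKS object of the form { keys: [...] }.
class JwksCache {
  constructor(fetchJwks, { minRefetchMs = 30_000, now = Date.now } = {}) {
    this.fetchJwks = fetchJwks;
    this.minRefetchMs = minRefetchMs;
    this.now = now;
    this.keys = null; // Map kid -> JWK, or null when nothing is cached yet
    this.fetchedAt = -Infinity;
  }

  async refresh() {
    const { keys } = await this.fetchJwks();
    this.keys = new Map(keys.map((k) => [k.kid, k]));
    this.fetchedAt = this.now();
  }

  // Return the JWK for `kid`. On a miss, replace the cached set with a fresh
  // fetch, rate-limited so tokens carrying random kids cannot force one
  // upstream fetch per request.
  async getKey(kid) {
    if (!this.keys) await this.refresh();
    if (this.keys.has(kid)) return this.keys.get(kid);
    if (this.now() - this.fetchedAt >= this.minRefetchMs) {
      await this.refresh();
      if (this.keys.has(kid)) return this.keys.get(kid);
    }
    throw new Error(`no key for kid ${kid}`);
  }
}

// Constructed scenario: the IdP publishes kid "new" only on its second response.
async function demoRotation() {
  let t = 0, fetches = 0;
  const idp = [{ keys: [{ kid: "old" }] }, { keys: [{ kid: "old" }, { kid: "new" }] }];
  const cache = new JwksCache(async () => idp[Math.min(fetches++, 1)], { now: () => t });
  const tryKid = (kid) => cache.getKey(kid).then(() => "ok", () => "rejected");
  const results = [await tryKid("old"), await tryKid("new")]; // t=0: "new" not cached
  t = 60_000; // rate-limit window has passed, so the next miss triggers a refetch
  results.push(await tryKid("new"), await tryKid("bogus"));
  return { results, fetches };
}
```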

Dev Portal Updates

Authenticated Code Snippets

Code snippets in the Dev Portal sidecar (cURL, fetch, Python, etc.) now support authenticated requests. An identity/scheme picker next to the language dropdown automatically populates the correct auth headers and query parameters in the generated snippet. The selection stays in sync with the API playground, and secret values are kept out of the cache.

Invite-Only Sign-Up and Custom Auth Flows

Portal operators get fine-grained control over sign-up flows this month:

  • disableSignUp on Firebase and Supabase providers restricts registration to admin-only (invite-only) flows: the sign-up form is replaced with an “Invitation required” message and /signup redirects to sign in
  • signUp.url on every provider redirects the Register button to a custom URL, with signUp.authorizationParams for provider-specific hints like Keycloak’s kc_action=register
  • authorizationParams and forwardAuthorizationParams on OpenID and Auth0 providers send extra params with every authorize request. Auth0 forwards organization, invitation, and connection by default, so Auth0 Organizations and invitation links work without extra configuration

```typescript
// zudoku.config.ts
const config: ZudokuConfig = {
  authentication: {
    type: "firebase",
    disableSignUp: true,
    // ... other Firebase config
  },
};
```

See the Authentication documentation for all provider options.

Modernized Admonitions

Callout components have been redesigned with a cleaner card layout and improved accessibility. Six new types join the existing set: :::sparkles, :::rocket, :::settings, :::zap, :::lock, and :::megaphone. A new icon prop lets you swap the icon on any callout while keeping its color scheme. Per-type colors are driven by CSS variables, fully customizable via your theme. (zuplo/zudoku#2494)

See the Admonitions documentation for all types and customization options.

Also released this month:

  • URL-encoded body mode: The API playground supports application/x-www-form-urlencoded request bodies, useful for testing OAuth token endpoints (zuplo/zudoku#2427)
  • Full-width page layout: Opt-in full-width documentation pages with a compact “On this page” popover when the sidebar is hidden (zuplo/zudoku#2365)
  • Schema download filename: A new schemaDownload.fileName option customizes the downloadable OpenAPI spec filename, globally or per API (zuplo/zudoku#2450)
  • Monetization pricing cards: Refined with a standardized component, tax information display, and a simplified phase selector for multi-phase plans (zuplo/zudoku#2434)
  • Fixes: SSG auth on page refresh, sidebar filter reset when switching sections, allOf flattening with incompatible anyOf branches, and improved schema documentation rendering

Portal & CLI Updates

Redesigned Log Viewer Histogram

The log viewer histogram now behaves as a scrubbable timeline range-selector: a vertical hover line follows your cursor, clicking locks a time reference with a “Zoom to time” button, and a hover panel shows the bucket’s time range and stats. Drag-to-zoom is preserved as a power-user shortcut.

Log viewer histogram with locked time bucket and "Zoom to time" button

Also released this month:

  • Collapsible file sidebar: The code editor’s file sidebar defaults to collapsed with a VS Code-style vertical “FILES” rail, giving more room to the editor. Your preference persists via localStorage
  • MCP tool annotations: The route editor surfaces readOnlyHint, destructiveHint, idempotentHint, and openWorldHint annotations that help MCP clients understand each tool’s behavior. See the MCP Server Tools documentation
  • Deep link shortcuts: New /+/ URLs auto-resolve to your active account and project, e.g., portal.zuplo.com/+/account/settings/general. Great for documentation links and support tickets
  • CLI: zuplo project list: Lists all projects in your account, as a table or with --output json for scripting. See the project list documentation
  • CLI: improved help: Running any group command (tunnel, project, etc.) without a subcommand now displays the full help menu
  • Monetization workflow improvements: Publish confirmation dialogs, one-click meter slug copying, plan duplication, invoice retry/delete actions, and finite last-phase durations (e.g., a single-phase 7-day trial)

Documentation Updates

  • MCP Gateway: Comprehensive new documentation section with 35+ pages covering quickstarts, architecture, authentication with 12 identity providers, capability filtering, and client connection guides
  • Client mTLS Authentication: New guide for setting up client-side mutual TLS with CA certificate management
  • Monetization: Going to Production: New production readiness guide; beta labels removed across all monetization docs, signaling general availability
  • API Key Best Practices: New guide covering API key security, rotation, and management patterns
  • Build with AI: New section covering AI coding assistant integration, MCP server documentation, and Zuplo skills
  • Getting Started Overhaul: Restructured quickstart with symmetrical Portal and local CLI tracks