--- title: "New from Zuplo - May 2026" description: "" canonicalUrl: "https://zuplo.com/changelog/2026/06/01/monthly-changelog" pageType: "changelog" date: "2026-06-01" tags: "runtime, dev-portal, portal, cli, policy, security" --- May 2026 brings the public beta of the **MCP Gateway**, Zuplo's fully-managed proxy for Model Context Protocol servers, built on a policy-composed architecture and compatible with ChatGPT, Claude, Cursor, and more. New **AI Gateway, MCP, and Agents analytics dashboards** give you deep visibility into AI-powered traffic, and the Dev Portal adds **GraphQL endpoint support** with an integrated GraphiQL playground. ## Highlights ### MCP Gateway: Public Beta Zuplo's MCP Gateway is now in public beta: a fully-managed proxy that lets you expose upstream MCP servers to AI clients securely, with authentication, capability filtering, and analytics built in. The MCP Gateway uses a **policy-composed architecture**: each upstream MCP server is a standard Zuplo route with composable inbound policies for authentication, credential injection, and capability filtering, the same patterns you already use for REST APIs. **Key capabilities:** - **Policy-composed proxy**: Each upstream server is a single route using the `McpProxyHandler`, with gateway auth, upstream credentials, and capability filtering applied as standard inbound policies - **ChatGPT and Claude compatibility**: OAuth flows work with ChatGPT Apps SDK, Claude Desktop, Claude Code, Cursor, VS Code, and other MCP clients - **Capability filtering**: The new MCP Capability Filter policy selectively exposes specific tools, prompts, and resources while blocking access to hidden capabilities - **10+ identity providers**: Configure gateway authentication with Auth0, WorkOS, Google, Okta, Microsoft Entra, Amazon Cognito, Keycloak, Logto, OneLogin, or Ping, all from the Portal UI - **White-labeled consent pages**: Gateway-hosted consent, sign-in, and OAuth callback pages use a clean, unbranded design ready for your custom domain - **End-user analytics**: MCP events attribute usage to individual end users, powering user-level breakdowns in analytics dashboards Get started with the [MCP Gateway quickstart](https://zuplo.com/docs/mcp-gateway/quickstart) in the Zuplo Portal. See the [MCP Gateway documentation](https://zuplo.com/docs/mcp-gateway/introduction) for architecture details and client connection guides. ![New MCP Gateway virtual server wizard with upstream MCP server library](../public/media/changelog/2026-06/mcp-gateway-setup.png) --- ### Zuplo MCP Server The Zuplo MCP server is now live at `https://dev.zuplo.com/mcp`. It exposes the full Zuplo Developer API as Model Context Protocol tools, so an agent can list deployments, roll API keys, add custom domains, query audit logs, and anything else the Developer API supports. Point any MCP-compatible client (Claude Code, Cursor, VS Code) at the endpoint with a scoped API key as a bearer token. The key's permissions determine which accounts, projects, and operations show up as tools. Read more in [Introducing the Zuplo MCP Server](https://zuplo.com/blog/introducing-the-zuplo-mcp-server). --- ### Analytics Dashboards: AI Gateway, MCP, and Agents The Zuplo Portal now features dedicated analytics dashboards for every product line, giving you visibility into AI-powered traffic alongside traditional REST analytics. - **AI Gateway**: Total requests, tokens consumed, estimated cost, and cache hit rate, with model and provider breakdowns, latency percentiles, and prompt-vs-completion token splits - **MCP**: A unified gateway and server view with tool calls, active sessions, error rate, and p95 latency, plus top tools, resources, and prompts breakdown tables - **Agents**: Identifies which AI applications (ChatGPT, Claude, Cursor, Perplexity, Copilot, and others) are calling your APIs. Click any agent to filter all other analytics tabs by that agent. Read more in [Introducing Agents Analytics](https://zuplo.com/blog/introducing-agents-analytics) All dashboards are available on the Analytics page at both account and project scope. See the [MCP Analytics documentation](https://zuplo.com/docs/mcp-gateway/observability/analytics) for event types and how to interpret the data. ![MCP analytics top capabilities breakdown with call volume, error rate, and p95 latency per tool](../public/media/changelog/2026-06/mcp-analytics-dashboard.png) ![Agents analytics dashboard with agent breakdown](../public/media/changelog/2026-06/agents-analytics-dashboard.png) --- ### GraphQL Endpoint Support Zuplo now supports GraphQL endpoints end-to-end, from the OpenAPI designer in the Portal through to interactive GraphiQL in the Dev Portal. In the Portal, a new "Mark as GraphQL" option in the operation editor flags any OpenAPI operation as a GraphQL endpoint, persisted via the `x-graphql` vendor extension. In the Dev Portal, flagged operations automatically render a **GraphiQL panel** instead of the standard HTTP playground, inheriting the user's current credentials as default headers so authenticated GraphQL queries work out of the box. ```yaml # In your OpenAPI spec paths: /graphql: post: operationId: graphql x-graphql: endpoint: "https://api.example.com/graphql" ``` --- ## Runtime Improvements ### Client mTLS Authentication Zuplo now supports client-side mutual TLS (mTLS) authentication as an Enterprise add-on. The new `mtls-auth-inbound` policy verifies client certificates at the edge, rejecting requests that don't present a valid certificate signed by one of your uploaded CA certificates. Parsed certificate metadata (subject, issuer, fingerprint, validity) is available on `request.user.data.mtlsAuth`, and zero-downtime CA rotation is supported. CA certificates are managed with the new `zuplo ca-certificate` command group (`create`, `list`, `describe`, `update`, `delete`), with client-side validation that catches common mistakes before the network call: ```bash zuplo ca-certificate create --name myRootCA --cert ./root-ca.pem ``` See the [Client mTLS Authentication guide](https://zuplo.com/docs/articles/securing-the-gateway-with-client-mtls) for setup instructions. ### Set Upstream API Key Policy A new purpose-built inbound policy for the most common upstream authentication pattern: attaching a secret API key header before forwarding requests to your backend. It defaults to the `Authorization` header and supports the `$env()` syntax for sourcing secrets from environment variables. ```json { "name": "set-upstream-key", "policyType": "set-upstream-api-key-inbound", "handler": { "export": "SetUpstreamApiKeyInboundPolicy", "module": "$import(@zuplo/runtime)", "options": { "value": "Bearer $env(UPSTREAM_API_KEY)" } } } ``` See the [Set Upstream API Key documentation](https://zuplo.com/docs/policies/set-upstream-api-key-inbound) for all options. Also released this month: - **Monetization entitlement gating**: The monetization inbound policy supports a `requiredEntitlements` option that gates access to premium features by plan tier without incrementing metered usage, returning `403 Forbidden` when an entitlement is missing. See the [Monetization documentation](https://zuplo.com/docs/articles/monetization) - **API Key policy `bucketId` option**: The preferred way to specify which API key bucket to authenticate against, replacing the legacy `bucketName` option and using the faster v2 key-auth endpoint. Existing configurations continue to work without changes - **MCP policies now public**: Four MCP Gateway policies (OAuth, Auth0 OAuth, Token Exchange, and Capability Filter) are now visible in the [policy catalog](https://zuplo.com/docs/policies) under the MCP Gateway product category - **Header validation fix**: Required headers declared with canonical mixed case (e.g., `X-API-Key`) are no longer incorrectly reported as missing. Lookups are now case-insensitive per RFC 7230 - **OpenID JWT JWKS recovery**: The `OpenIdJwtInboundPolicy` no longer becomes permanently stuck when a JWKS fetch returns a key set missing the expected `kid` (e.g., during IdP key rotation). It now drops the cached verifier and retries --- ## Dev Portal Updates ### Authenticated Code Snippets Code snippets in the Dev Portal sidecar (cURL, fetch, Python, etc.) now support **authenticated requests**. An identity/scheme picker next to the language dropdown automatically populates the correct auth headers and query parameters in the generated snippet. The selection stays in sync with the API playground, and secret values are kept out of the cache. ### Invite-Only Sign-Up and Custom Auth Flows Portal operators get fine-grained control over sign-up flows this month: - **`disableSignUp`** on Firebase and Supabase providers restricts registration to admin-only (invite-only) flows: the sign-up form is replaced with an "Invitation required" message and `/signup` redirects to sign in - **`signUp.url`** on every provider redirects the Register button to a custom URL, with `signUp.authorizationParams` for provider-specific hints like Keycloak's `kc_action=register` - **`authorizationParams` and `forwardAuthorizationParams`** on OpenID and Auth0 providers send extra params with every authorize request. Auth0 forwards `organization`, `invitation`, and `connection` by default, so Auth0 Organizations and invitation links work without extra configuration ```typescript // zudoku.config.ts const config: ZudokuConfig = { authentication: { type: "firebase", disableSignUp: true, // ... other Firebase config }, }; ``` See the [Authentication documentation](https://zuplo.com/docs/dev-portal/zudoku/configuration/authentication) for all provider options. ### Modernized Admonitions Callout components have been redesigned with a cleaner card layout and improved accessibility. Six new types join the existing set: `:::sparkles`, `:::rocket`, `:::settings`, `:::zap`, `:::lock`, and `:::megaphone`. A new `icon` prop lets you swap the icon on any callout while keeping its color scheme. Per-type colors are driven by CSS variables, fully customizable via your theme. ([zuplo/zudoku#2494](https://github.com/zuplo/zudoku/pull/2494)) See the [Admonitions documentation](https://zuplo.com/docs/dev-portal/zudoku/markdown/admonitions) for all types and customization options. Also released this month: - **URL-encoded body mode**: The API playground supports `application/x-www-form-urlencoded` request bodies, useful for testing OAuth token endpoints ([zuplo/zudoku#2427](https://github.com/zuplo/zudoku/pull/2427)) - **Full-width page layout**: Opt-in full-width documentation pages with a compact "On this page" popover when the sidebar is hidden ([zuplo/zudoku#2365](https://github.com/zuplo/zudoku/pull/2365)) - **Schema download filename**: A new `schemaDownload.fileName` option customizes the downloadable OpenAPI spec filename, globally or per API ([zuplo/zudoku#2450](https://github.com/zuplo/zudoku/pull/2450)) - **Monetization pricing cards**: Refined with a standardized component, tax information display, and a simplified phase selector for multi-phase plans ([zuplo/zudoku#2434](https://github.com/zuplo/zudoku/pull/2434)) - **Fixes**: SSG auth on page refresh, sidebar filter reset when switching sections, `allOf` flattening with incompatible `anyOf` branches, and improved schema documentation rendering --- ## Portal & CLI Updates ### Redesigned Log Viewer Histogram The log viewer histogram now behaves as a scrubbable timeline range-selector: a vertical hover line follows your cursor, clicking locks a time reference with a "Zoom to time" button, and a hover panel shows the bucket's time range and stats. Drag-to-zoom is preserved as a power-user shortcut. ![Log viewer histogram with locked time bucket and "Zoom to time" button](../public/media/changelog/2026-06/log-viewer-histogram.png) Also released this month: - **Collapsible file sidebar**: The code editor's file sidebar defaults to collapsed with a VS Code-style vertical "FILES" rail, giving more room to the editor. Your preference persists via localStorage - **MCP tool annotations**: The route editor surfaces `readOnlyHint`, `destructiveHint`, `idempotentHint`, and `openWorldHint` annotations that help MCP clients understand each tool's behavior. See the [MCP Server Tools documentation](https://zuplo.com/docs/mcp-server/tools) - **Deep link shortcuts**: New `/+/` URLs auto-resolve to your active account and project, e.g., `portal.zuplo.com/+/account/settings/general`. Great for documentation links and support tickets - **CLI: `zuplo project list`**: Lists all projects in your account, as a table or with `--output json` for scripting. See the [project list documentation](https://zuplo.com/docs/cli/project-list) - **CLI: improved help**: Running any group command (`tunnel`, `project`, etc.) without a subcommand now displays the full help menu - **Monetization workflow improvements**: Publish confirmation dialogs, one-click meter slug copying, plan duplication, invoice retry/delete actions, and finite last-phase durations (e.g., a single-phase 7-day trial) --- ## Documentation Updates - [MCP Gateway](https://zuplo.com/docs/mcp-gateway/introduction): Comprehensive new documentation section with 35+ pages covering quickstarts, architecture, authentication with 12 identity providers, capability filtering, and client connection guides - [Client mTLS Authentication](https://zuplo.com/docs/articles/securing-the-gateway-with-client-mtls): New guide for setting up client-side mutual TLS with CA certificate management - [Monetization: Going to Production](https://zuplo.com/docs/articles/monetization/going-to-production): New production readiness guide; beta labels removed across all monetization docs, signaling general availability - [API Key Best Practices](https://zuplo.com/docs/articles/api-key-best-practices): New guide covering API key security, rotation, and management patterns - [Build with AI](https://zuplo.com/docs/build-with-ai): New section covering AI coding assistant integration, MCP server documentation, and Zuplo skills - [Getting Started Overhaul](https://zuplo.com/docs/articles/step-1-setup-basic-gateway): Restructured quickstart with symmetrical Portal and local CLI tracks