Zuplo Changelog

This release introduces powerful JWT authentication capabilities with the new JWT service plugin and upstream policy, enhances MCP (Model Context Protocol) support with improved URL pattern handling and custom tools, improves developer portal redirect handling, and includes numerous documentation updates across our policy suite.

New Features 🎉#

• JWT Service Plugin - Added a new JWT service plugin that enables advanced JWT token generation and management capabilities within Zuplo. This plugin provides developers with tools to create, sign, and manage JWT tokens directly in their API gateway workflows. Learn more about JWT authentication

• Zuplo JWT Auth Upstream Policy - Introduced a new upstream policy specifically designed for JWT authentication. This policy simplifies the process of securing backend services with JWT tokens, providing seamless integration with existing authentication systems. Read about Policy

• MCP Spec Support for 2025-06-18 - Updated MCP (Model Context Protocol) support to comply with the latest specification version 2025-06-18, ensuring compatibility with the newest features and improvements in the protocol. Explore MCP Capabilities

• Enhanced MCP Server Logging - Improved logging capabilities for MCP servers, providing better visibility into server operations and making it easier to debug and monitor MCP-based integrations. Explore MCP Capabilities

• Multi-Factor Authentication (MFA) Support - Enhanced security with new MFA configuration endpoints and login validation. This includes the ability to enforce MFA at the account level and manage MFA settings through dedicated API endpoints. Read about MFA

Bug Fixes 🐛#

• MCP URL Path Pattern Unification - Fixed inconsistencies in URL path pattern handling when invoking routes on the gateway, ensuring more reliable routing for MCP-based services.

• Developer Portal Redirect Issue - Resolved an issue with developer portal redirects that was causing incorrect navigation behavior in certain scenarios. Migrating to the new Zuplo developer portal

• MCP Schema Defaults Update - Updated the default values for includeOutputSchema and includeStructuredContent to better align with common use cases and improve developer experience.

• OpenMeter Policy Fix - Resolved issues with the OpenMeter policy to ensure accurate metering and usage tracking for API monetization scenarios.

Documentation 📚#

Comprehensive documentation updates were made across multiple policy configurations to improve clarity and provide better examples.

This release introduces Model Context Protocol (MCP) support for API development, new policies for query parameter manipulation and API metering, enhanced CLI commands, and improvements to console logging in the runtime.

New Features 🎉#

• Query Parameter to Header Inbound Policy - New policy that allows transforming query parameters into HTTP headers, enabling more flexible request handling and backend compatibility.

• Model Context Protocol (MCP) Support - Added comprehensive MCP server handler for local editing experience with improved schema validation, URL pattern support, parameter descriptions and examples. MCP enables AI-powered tools to interact with your APIs more effectively.

• Console Logging Support in Runtime (preview) - Developers can now use console logging directly in the runtime environment, making debugging and monitoring easier during development.

• OpenMeter Metering Inbound Policy - New integration with OpenMeter for API usage metering, enabling precise tracking and billing of API consumption.

• Enhanced Prompt Injection Policy - Added "strict" mode with more granular logging capabilities to better protect APIs from prompt injection attacks in AI-powered applications.

• Improved CLI Commands:

  • New zuplo source command replaces the deprecated zuplo project command
  • Added interactive selection for account, project, and environment values in authenticated commands
  • Environment variables from public vars are now written to .env files for better local development experience

Summary#

This release brings significant improvements to the Dev Portal's usability and consistency. Key highlights include enhanced error messaging for navigation configuration, fixes for code block rendering in the API documentation sidebar, improved UI consistency in the OpenAPI playground, and a major refactoring that standardizes terminology from "page" to "site" throughout the codebase. These updates make the Dev Portal more intuitive for developers configuring their API documentation and provide a smoother experience for API consumers exploring your documentation.

Bug Fixes 🐛#

Fixed Sidecar Embedded Code Blocks#

Fixed an issue where code blocks embedded in the API documentation sidebar were not rendering correctly. The fix removes unnecessary rounded corners and ensures proper embedded behavior for syntax highlighting, creating a cleaner visual presentation that better integrates with the surrounding content. #1224

Improvements 🚀#

Enhanced Navigation Configuration Error Messages#

Improved error messaging when configuring navigation items in the Dev Portal. The enhanced error messages now provide clear guidance when a navigation item points to a missing file, suggesting alternative navigation types like 'link' or 'custom-page' and including a direct link to the configuration documentation. This helps developers quickly identify and resolve configuration issues. #1225

Updated Navigation Documentation#

The navigation configuration documentation has been updated to improve clarity and flexibility. The id field has been renamed to file in examples and type definitions, better reflecting its purpose. Additionally, an optional path property has been added to the NavigationDoc type, and a new "Custom paths" section provides examples for advanced navigation configurations. #1226

OpenAPI Playground UI Improvements#

Enhanced the consistency of the OpenAPI playground interface by standardizing input placeholders across all parameter types. Query parameter inputs now display "Name" placeholders, while value fields consistently show "Value" placeholders. The update also removes redundant wrapper elements and refines the layout of collapsible sections, resulting in a cleaner and more intuitive user interface. #1230

Standardized "Site" Terminology#

Completed a comprehensive refactoring to standardize naming conventions throughout the Dev Portal codebase. All references to "page" have been systematically renamed to "site" to better reflect the scope and context of the configuration. This change affects variable names, prop names, type definitions, configuration keys, and documentation, providing more consistent and intuitive naming across the entire Dev Portal. #1231

This release brings significant enhancements to the Dev Portal's documentation capabilities, API playground experience, and OpenAPI schema handling. Key highlights include new documentation features for tracking content freshness and enabling community contributions, improved UI consistency with a new Typography component, and critical fixes for OpenAPI v3.1 compatibility and schema rendering.

New Features 🎉#

Enhanced Documentation Experience
The Dev Portal now displays "last modified" timestamps on documentation pages, helping users understand content freshness. Additionally, a new "suggest edit" feature enables users to contribute documentation improvements directly from the portal. These features improve documentation transparency and encourage community collaboration. #1208

Typography Component for Consistent Text Rendering
A new Typography component provides standardized text rendering across the Dev Portal. This component ensures consistent typography throughout custom pages and documentation, with configurable prose rendering options. The component defaults to non-prose mode for better control over text presentation. #1218

Improved API Playground User Interface
The API Playground received significant usability improvements, including a streamlined response panel that removes unnecessary tab wrappers and introduces inline syntax highlighting powered by Shiki. The update also refines focus styles on form elements and ensures responses are always visible, creating a more intuitive testing experience. #1198

Bug Fixes 🐛#

Accurate Last Modified Timestamps
Fixed an issue where last modified timestamps could display incorrect dates due to git operations like rebasing or cherry-picking. The system now uses author dates instead of committer dates, ensuring timestamps accurately reflect when changes were originally made. #1215

Robust Font Variable Handling
Resolved styling issues that occurred when font CSS variables were undefined. The Dev Portal now provides default font families (Geist for sans-serif, Playfair Display for serif, and Geist Mono for monospace) ensuring consistent typography even with partial theme configurations. #1216

Full OpenAPI v3.1 Reference Support
Implemented complete support for OpenAPI v3.1's ability to use $ref alongside sibling properties like description and summary. This fix prevents loss of metadata when using schema references and ensures all documentation context is preserved and displayed correctly. #1219

Proper Handling of Falsy Values in Schemas
Fixed a bug where boolean false values were ignored in schema examples and defaults. The system now correctly displays all falsy values, ensuring accurate API documentation for boolean fields. #1222

Complete Schema Description Display
Removed line clamping restrictions on schema parameter descriptions, allowing full documentation to be visible without truncation. This improvement ensures complex schema descriptions are fully accessible to developers. #1221

Enhanced Schema Type Validation
Improved type checking to properly handle array-based type definitions, including nullable schemas defined as ["string", "null"]. This fix prevents misclassification of complex schema types and improves overall schema rendering accuracy. #1220

Dependency Updates 📦#

• Updated glob from 11.0.2 to 11.0.3 for improved file pattern matching #1211
• Updated @graphql-codegen/client-preset from 4.8.0 to 4.8.2 for enhanced GraphQL code generation #1213

This release brings significant improvements to the Zuplo Developer Portal, including enhanced theme customization, improved authentication support, and a major navigation system overhaul. The highlight is the new unified navigation configuration that provides more flexibility for customizing your developer portal experience.

Key Highlights#

• Breaking Change: Completely redesigned navigation system with a unified configuration approach
• Enhanced Theme Support: Advanced theme customization with shadcn registry integration
• Azure B2C Authentication: Full support for Azure B2C as an authentication provider
• Improved Mobile Experience: Better navigation rendering on mobile devices
• Security Enhancements: New warnings to prevent accidental secrets exposure
• Better Defaults: Static error pages now enabled by default for optimal hosting

Breaking Changes 🛠#

Navigation Configuration Restructure #1174#

The Dev Portal navigation system has been completely redesigned to provide a more flexible and consistent configuration experience. The previous separate properties for topNavigation, sidebar, and customPages have been unified into a single navigation array structure.

Migration Required: If you have customized navigation in your Dev Portal, you'll need to update your configuration. See the migration guide for detailed instructions.

New Features 🎉#

Enhanced Theme Support with shadcn Registry #1160#

The Dev Portal now offers more granular theme customization options, including automatic shadcn registry style imports and Google Fonts auto-import capability. A new theme playground helps you test and preview your design changes with live theme invalidation. Learn more about customizing your Dev Portal theme.

Google Tag Manager Integration Example #1161#

Added comprehensive documentation and examples for integrating Google Tag Manager with your Dev Portal, making it easier to implement analytics tracking for your API documentation.

Bug Fixes 🐛#

Azure B2C Authentication Support #1159#

Fixed an issue where Azure B2C was not recognized as a valid authentication provider. The configuration validation schema now properly includes Azure B2C-specific fields (clientId, tenantName, policyName, issuer), enabling seamless authentication with Azure B2C. See our authentication setup guide for configuration details.

Mobile Navigation Rendering #1165#

Resolved an issue where the top-navigation-side slot wasn't rendering on mobile devices, ensuring a consistent navigation experience across all device sizes.

OAuth Callback Route History #1172#

Fixed the OAuth callback flow to prevent the /oauth/callback route from remaining in browser history, providing a cleaner user experience by using React Router's replace navigation.

Security & Documentation 📚#

Security Warnings for Configuration #1169#

Added important security warnings to prevent accidental exposure of secrets in Dev Portal configurations. The documentation now clearly states that only environment variables prefixed with ZUDOKU_PUBLIC_ are exposed to the client.

Documentation Improvements #1117#

Comprehensive documentation updates including grammar corrections, fixed component names (e.g., ZudokContext → ZudokuContext), and improved code snippet accuracy across all Dev Portal guides.

Other Improvements 🔄#

Default Expiration for Rolling Keys #1142#

Simplified API key management by removing the explicit expiresOn field when rolling keys. The system now automatically uses server-side default expiration policies, reducing complexity in key management workflows.

Static Error Pages Enabled by Default #1143#

Static HTML error pages for HTTP status codes (404, 500, etc.) are now enabled by default, providing a better out-of-the-box experience for hosting on platforms like Vercel, Netlify, and Zuplo. The enableStatusPages configuration now defaults to true.

Dependency Updates 📦#

This release includes various dependency updates to ensure compatibility and security:

• Updated React types (@types/react to 19.1.8, @types/react-dom to 19.1.6)
• Upgraded development tools (lint-staged to 16.1.0, vitest to 3.2.2, postcss to 8.5.4)
• Updated core dependencies (yaml to 2.8.0, zustand to 5.0.5, piscina to 5.0.0)
• GraphQL tooling updates (@graphql-codegen/cli to 5.0.7)

This release introduces powerful new features for API management including internal route invocation and improved authentication policies.

Breaking Changes 🛠#

• Removed the deprecated Aserto authorization policy due to Aserto shutting down. If you're currently using this policy, please migrate to an alternative authorization solution.

New Features 🎉#

• Internal Route Invocation: Added context.invokeRoute capability that allows you to internally invoke a route without making an external HTTP request. This enables more efficient internal API calls and better performance for complex routing scenarios.

• Enhanced Client IP Parsing: Improved parsing of client IP addresses from the X-Forwarded-For header, providing more accurate client identification for rate limiting and analytics.

• CLI Log Verbosity Control: Added a new flag to control log verbosity levels in the Zuplo CLI, making debugging and troubleshooting easier during local development.

• Custom Domain Aliases: Introduced support for custom domain aliases, allowing you to map multiple domains to a single API deployment for more flexible domain management.

• Web Bot Authentication: New policy for authenticating and managing web bot traffic, helping you control automated access to your APIs. See the policy docs for more details

• API Key Management Enhancement: You can now delete the default API key, providing more flexibility in API key lifecycle management. See documentation

Bug Fixes 🐛#

• Fixed an issue that prevented changing deployments for custom domains.
• Increased the body size limit on GitHub webhooks to support larger payloads.
• Enhanced error handling in mock API policy to support single example responses.

Documentation 📚#

• Updated documentation for the Auth0 JWT authentication policy.