Zuplo Changelog

This changelog covers all releases from Monday, 2025-07-28 to Sunday, 2025-08-03.

Summary#

This week's releases introduce several important improvements to the Dev Portal. The most notable enhancement is the improved rendering of complex OpenAPI schema types (anyOf and oneOf), making API documentation clearer and more intuitive. We've also added support for the x-displayName extension, allowing for better customization of API property names in documentation.

Key fixes include resolving issues with the create-zudoku CLI tool and syntax highlighting errors. We've also improved redirect behavior by switching to JavaScript-based redirects for better reliability. Under the hood, we've migrated to Biome for code formatting and linting, and updated several dependencies including Zod v4, which brings improved TypeScript support.

Features 🎉#

Enhanced Schema Rendering#

• Improved rendering of anyOf and oneOf schema types in API documentation, providing clearer representation of complex schema relationships and making it easier to understand API requirements #1412

Custom Display Names#

• Added support for the x-displayName OpenAPI extension, allowing you to customize how property names appear in your API documentation while maintaining the original schema property names #1396

Fixes 🐛#

CLI Tool Restoration#

• Fixed the create-zudoku command-line tool that was previously broken, restoring the ability to quickly scaffold new Dev Portal projects #1429

Syntax Highlighting#

• Resolved Shiki syntax highlighting errors that were causing code blocks to fail to render properly in documentation #1398

Improved Redirects#

• Replaced HTML meta tag redirects with JavaScript-based redirects for better compatibility and more reliable page navigation #1394

Other Changes 🔄#

Development Improvements#

• Migrated the codebase to use Biome for code formatting and linting, improving development workflow and code consistency #1399
• Added smoke tests for preview publishing to ensure releases are properly validated before deployment #1395
• Updated the managing API keys and identities documentation for clarity #1414
• Removed the changelog trigger workflow #1419

Dependency Updates 📦#

• Updated Zod from v3.25.74 to v4.0.7, bringing improved TypeScript support and performance enhancements #1384
• Updated Rollup from v4.45.0 to v4.46.1 for better build performance #1408, #1402
• Updated GraphQL Yoga from v5.14.0 to v5.15.1 #1372
• Updated @pothos/core from v4.7.0 to v4.8.0 #1401
• Updated lucide-react from v0.525.0 to v0.526.0 #1409
• Updated @types/express from v5.0.2 to v5.0.3 #1410
• Updated esbuild from v0.25.6 to v0.25.8 #1403

This release introduces significant improvements to the Zuplo CLI, rate limiting capabilities, and developer portal experience. Key highlights include a new CLI command for migrating to the redesigned developer portal, enhanced rate limiting with adaptive timeouts, and support for wildcard subdomains in CORS policies.

New Features 🎉#

• New Developer Portal Migration Command - Added zuplo source migrate dev-portal CLI command to help users migrate to the new Zuplo Developer Portal built on the Zudoku framework. This simplifies the transition to the enhanced portal experience.

• Enhanced Rate Limiting with Adaptive Timeouts - The rate limiter policy now supports adaptive and configurable timeouts, providing more flexible control over API rate limiting behavior and improved performance under varying load conditions.

• CLI Project Creation - New CLI command for creating Zuplo projects directly from the command line, streamlining the project setup workflow. See the CLI documentation for usage details.

Bug Fixes 🐛#

• OpenAPI Transpiler Type Handling - Fixed an issue where the OpenAPI transpiler now correctly defaults to "type: object" when properties are defined, ensuring proper schema generation and type safety.

• CLI Tunnel Command Validation - Added missing account argument validation for the create tunnel command in the Zuplo CLI, preventing errors when setting up local development tunnels.

Improvements 🔄#

• Wildcard Subdomain Support for CORS - The CORS policy now supports wildcard subdomains, enabling more flexible cross-origin configurations for APIs serving multiple subdomains or multi-tenant applications.

• Enhanced SSO and MFA Security - Improved security for enterprise accounts by enforcing SSO and MFA requirements, ensuring better access control and compliance with enterprise security policies.

Summary#

This release brings significant improvements to the Dev Portal, including enhanced authentication documentation, better cross-platform compatibility, and a new API key plugin feature. Key highlights include:

• Enhanced Authentication Support: Added comprehensive setup guides for 6 major authentication providers
• Improved Documentation System: Reverted to file-based routing for better performance and added admonition formatting validation
• Cross-Platform Fixes: Resolved Windows path issues for better developer experience
• API Key Enhancement: New ability to access user authentication context during API key creation

New Features 🎉#

ApiKeyPlugin Enhancement (#1360) The API key plugin now passes the auth object into the createKey callback, enabling API key services to access user authentication context during key creation. This allows for more sophisticated key generation workflows that can leverage user-specific data and permissions.

Documentation & Development Experience 📚#

Enhanced Authentication Documentation (#1258) Added comprehensive setup guides for integrating the Dev Portal with 6 major authentication providers:

• Auth0
• Azure AD
• Clerk
• Firebase
• PingFederate
• Supabase

Each guide includes step-by-step configuration instructions and best practices. Learn more about authentication setup →

Documentation Cleanup (#1265) General documentation improvements including formatting consistency and clarity enhancements across multiple pages.

Bug Fixes 🐛#

File-Based Routing Restoration (#1341) Reverted to file-based routing for documentation pages with a new serveAllFiles configuration option. This change improves performance and simplifies the documentation serving architecture.

Cross-Platform Path Resolution (#1357) Fixed a critical issue where Windows file paths (using backslashes) were not properly normalized to POSIX format (forward slashes). This ensures the Dev Portal works correctly across all operating systems.

BuildCheck Environment Type (#1356, #1358) Resolved an issue where precompiled components couldn't access environment-specific configurations. The environment type is now properly passed through the build process, enabling correct behavior in different deployment environments.

Template Link Correction (#1355) Fixed broken links in the Dev Portal template and added proper redirects for renamed configuration options to maintain backward compatibility.

Dependency Updates 📦#

Updated various dependencies to their latest versions for improved security and performance:

• zustand: 5.0.5 → 5.0.6
• @supabase/supabase-js: 2.50.0 → 2.51.0
• Shiki syntax highlighting dependencies (5 packages)
• Build tools: esbuild, fast-glob, ci-info
• Nx workspace dependencies (4 packages)

This release introduces configurable memory sizing for the MemoryZoneReadThroughCache, improves runtime OpenAPI path handling, and fixes environment variable support for Zudoku dev portals.

New Features 🎉#

• Configurable memory size for MemoryZoneReadThroughCache - The runtime's MemoryZoneReadThroughCache now supports configurable memory size limits. This enhancement provides developers with greater control over memory allocation for cached data, helping to optimize performance while avoiding out-of-memory errors in memory-constrained environments.

Bug Fixes 🐛#

• Support for ZUDOKU_PUBLIC_ environment variables - Fixed an issue preventing the use of ZUDOKU_PUBLIC_ prefixed environment variables in Zudoku dev portals. These variables can now be properly exposed to the client-side for use in configuration and React components.

• Ignore non-method properties on OpenAPI operations - The runtime now properly ignores properties on OpenAPI opertations that are not methods. Perviously this could cause build errors.

This release introduces powerful JWT authentication capabilities with the new JWT service plugin and upstream policy, enhances MCP (Model Context Protocol) support with improved URL pattern handling and custom tools, improves developer portal redirect handling, and includes numerous documentation updates across our policy suite.

New Features 🎉#

• JWT Service Plugin - Added a new JWT service plugin that enables advanced JWT token generation and management capabilities within Zuplo. This plugin provides developers with tools to create, sign, and manage JWT tokens directly in their API gateway workflows. Learn more about JWT authentication

• Zuplo JWT Auth Upstream Policy - Introduced a new upstream policy specifically designed for JWT authentication. This policy simplifies the process of securing backend services with JWT tokens, providing seamless integration with existing authentication systems. Read about Policy

• MCP Spec Support for 2025-06-18 - Updated MCP (Model Context Protocol) support to comply with the latest specification version 2025-06-18, ensuring compatibility with the newest features and improvements in the protocol. Explore MCP Capabilities

• Enhanced MCP Server Logging - Improved logging capabilities for MCP servers, providing better visibility into server operations and making it easier to debug and monitor MCP-based integrations. Explore MCP Capabilities

• Multi-Factor Authentication (MFA) Support - Enhanced security with new MFA configuration endpoints and login validation. This includes the ability to enforce MFA at the account level and manage MFA settings through dedicated API endpoints. Read about MFA

Bug Fixes 🐛#

• MCP URL Path Pattern Unification - Fixed inconsistencies in URL path pattern handling when invoking routes on the gateway, ensuring more reliable routing for MCP-based services.

• Developer Portal Redirect Issue - Resolved an issue with developer portal redirects that was causing incorrect navigation behavior in certain scenarios. Migrating to the new Zuplo developer portal

• MCP Schema Defaults Update - Updated the default values for includeOutputSchema and includeStructuredContent to better align with common use cases and improve developer experience.

• OpenMeter Policy Fix - Resolved issues with the OpenMeter policy to ensure accurate metering and usage tracking for API monetization scenarios.

Documentation 📚#

Comprehensive documentation updates were made across multiple policy configurations to improve clarity and provide better examples.

This release introduces Model Context Protocol (MCP) support for API development, new policies for query parameter manipulation and API metering, enhanced CLI commands, and improvements to console logging in the runtime.

New Features 🎉#

• Query Parameter to Header Inbound Policy - New policy that allows transforming query parameters into HTTP headers, enabling more flexible request handling and backend compatibility.

• Model Context Protocol (MCP) Support - Added comprehensive MCP server handler for local editing experience with improved schema validation, URL pattern support, parameter descriptions and examples. MCP enables AI-powered tools to interact with your APIs more effectively.

• Console Logging Support in Runtime (preview) - Developers can now use console logging directly in the runtime environment, making debugging and monitoring easier during development.

• OpenMeter Metering Inbound Policy - New integration with OpenMeter for API usage metering, enabling precise tracking and billing of API consumption.

• Enhanced Prompt Injection Policy - Added "strict" mode with more granular logging capabilities to better protect APIs from prompt injection attacks in AI-powered applications.

• Improved CLI Commands:

  • New zuplo source command replaces the deprecated zuplo project command
  • Added interactive selection for account, project, and environment values in authenticated commands
  • Environment variables from public vars are now written to .env files for better local development experience