Zuplo Changelog

This release introduces powerful JWT authentication capabilities with the new JWT service plugin and upstream policy, enhances MCP (Model Context Protocol) support with improved URL pattern handling and custom tools, improves developer portal redirect handling, and includes numerous documentation updates across our policy suite.

New Features 🎉#

• JWT Service Plugin - Added a new JWT service plugin that enables advanced JWT token generation and management capabilities within Zuplo. This plugin provides developers with tools to create, sign, and manage JWT tokens directly in their API gateway workflows. Learn more about JWT authentication

• Zuplo JWT Auth Upstream Policy - Introduced a new upstream policy specifically designed for JWT authentication. This policy simplifies the process of securing backend services with JWT tokens, providing seamless integration with existing authentication systems. Read about Policy

• MCP Spec Support for 2025-06-18 - Updated MCP (Model Context Protocol) support to comply with the latest specification version 2025-06-18, ensuring compatibility with the newest features and improvements in the protocol. Explore MCP Capabilities

• Enhanced MCP Server Logging - Improved logging capabilities for MCP servers, providing better visibility into server operations and making it easier to debug and monitor MCP-based integrations. Explore MCP Capabilities

• Multi-Factor Authentication (MFA) Support - Enhanced security with new MFA configuration endpoints and login validation. This includes the ability to enforce MFA at the account level and manage MFA settings through dedicated API endpoints. Read about MFA

Bug Fixes 🐛#

• MCP URL Path Pattern Unification - Fixed inconsistencies in URL path pattern handling when invoking routes on the gateway, ensuring more reliable routing for MCP-based services.

• Developer Portal Redirect Issue - Resolved an issue with developer portal redirects that was causing incorrect navigation behavior in certain scenarios. Migrating to the new Zuplo developer portal

• MCP Schema Defaults Update - Updated the default values for includeOutputSchema and includeStructuredContent to better align with common use cases and improve developer experience.

• OpenMeter Policy Fix - Resolved issues with the OpenMeter policy to ensure accurate metering and usage tracking for API monetization scenarios.

Documentation 📚#

Comprehensive documentation updates were made across multiple policy configurations to improve clarity and provide better examples.

This release introduces Model Context Protocol (MCP) support for API development, new policies for query parameter manipulation and API metering, enhanced CLI commands, and improvements to console logging in the runtime.

New Features 🎉#

• Query Parameter to Header Inbound Policy - New policy that allows transforming query parameters into HTTP headers, enabling more flexible request handling and backend compatibility.

• Model Context Protocol (MCP) Support - Added comprehensive MCP server handler for local editing experience with improved schema validation, URL pattern support, parameter descriptions and examples. MCP enables AI-powered tools to interact with your APIs more effectively.

• Console Logging Support in Runtime (preview) - Developers can now use console logging directly in the runtime environment, making debugging and monitoring easier during development.

• OpenMeter Metering Inbound Policy - New integration with OpenMeter for API usage metering, enabling precise tracking and billing of API consumption.

• Enhanced Prompt Injection Policy - Added "strict" mode with more granular logging capabilities to better protect APIs from prompt injection attacks in AI-powered applications.

• Improved CLI Commands:

  • New zuplo source command replaces the deprecated zuplo project command
  • Added interactive selection for account, project, and environment values in authenticated commands
  • Environment variables from public vars are now written to .env files for better local development experience

This release introduces powerful new features for API management including internal route invocation and improved authentication policies.

Breaking Changes 🛠#

• Removed the deprecated Aserto authorization policy due to Aserto shutting down. If you're currently using this policy, please migrate to an alternative authorization solution.

New Features 🎉#

• Internal Route Invocation: Added context.invokeRoute capability that allows you to internally invoke a route without making an external HTTP request. This enables more efficient internal API calls and better performance for complex routing scenarios.

• Enhanced Client IP Parsing: Improved parsing of client IP addresses from the X-Forwarded-For header, providing more accurate client identification for rate limiting and analytics.

• CLI Log Verbosity Control: Added a new flag to control log verbosity levels in the Zuplo CLI, making debugging and troubleshooting easier during local development.

• Custom Domain Aliases: Introduced support for custom domain aliases, allowing you to map multiple domains to a single API deployment for more flexible domain management.

• Web Bot Authentication: New policy for authenticating and managing web bot traffic, helping you control automated access to your APIs. See the policy docs for more details

• API Key Management Enhancement: You can now delete the default API key, providing more flexibility in API key lifecycle management. See documentation

Bug Fixes 🐛#

• Fixed an issue that prevented changing deployments for custom domains.
• Increased the body size limit on GitHub webhooks to support larger payloads.
• Enhanced error handling in mock API policy to support single example responses.

Documentation 📚#

• Updated documentation for the Auth0 JWT authentication policy.

This release introduces new logging integrations with New Relic and Splunk, fixes several issues with the CLI and runtime, and improves documentation for fine-grained authorization policies.

New Features 🎉#

• Added New Relic logging and metrics plugin - Enable comprehensive observability by sending logs and metrics to New Relic for monitoring and analysis
• Added Splunk log transport - Stream your API logs directly to Splunk for centralized log management and analysis

Bug Fixes 🐛#

• Fixed excessive error logging in rate limiter - Rate limiter failures no longer generate unnecessary error logs, reducing log noise
• Fixed typos in CLI OpenAPI merge functionality - Corrected command syntax issues that prevented proper OpenAPI specification merging
• Fixed tunnel list command authentication - The tunnel-list command now properly supports the updated authentication mechanism
• Fixed AWS Lambda handler query string handling - Multi-value query strings are now correctly parsed and passed to Lambda functions

Documentation 📚#

• Added documentation for Fine-Grained Authorization (FGA) policy - Learn how to implement fine-grained access control using OpenFGA

Other Changes 🔄#

• Added build script to Zudoku template - The developer portal template now includes a build script for easier deployment
• Fixed API quota documentation - Updated quota configuration examples and clarified usage limits

Federated Identity increases the security of your Zuplo API by removing the need to share sensitive service account keys with your Zuplo API. Instead, Zuplo will use the Zuplo Identity Token to authenticate with Google Cloud Services on your behalf.

A new policy has been added to Zuplo that enables Federated Identity with Google Cloud Services. By utilizing this policy developers can secure their GCP API or other Google Cloud Resources (Storage, Pub/Sub, etc.) with GCP IAM and allow Zuplo to call these services on their behalf.

Federated Identity with GCP is available as a paid-addon to customers on enterprise plans. Contact your account manager or sales@zuplo.com to inquire about pricing.

For more information on how to configure Federated Identity with GCP, see the Federated Identity with GCP documentation.

We added a new plugin for API Brownouts, which allows developers to simulate outages of their API. This is useful for migrating users off of old versions of their API. You can read more about API Brownouts in our blog post here.

To learn more, please view our Policy documentation.