Concepts

Request Lifecycle

Every request that reaches Zuplo passes through a well-defined pipeline of stages. Click any stage below to learn what it does, when to use it, and find relevant documentation.

Client Request

Inbound Policies

Per-route

When to use

The primary extension point for request processing. Add authentication, rate limiting, request validation, or any custom logic. Policies are reusable across routes and execute in order.

How it works

Each policy can modify the request or short-circuit by returning a Response. This is how auth policies block unauthenticated requests before they reach your backend.

Configured via x-zuplo-route.policies.inbound in your OpenAPI spec. Defined in config/policies.json.

Learn more

Policy Fundamentals →How inbound and outbound policies work All Policies →Browse 60+ built-in policies Custom Policies →Write your own policy in TypeScript Authentication →Auth methods and how request.user works

Client Response

Client Request

Client Response

Inbound Policies

Per-route

When to use

The primary extension point for request processing. Add authentication, rate limiting, request validation, or any custom logic. Policies are reusable across routes and execute in order.

How it works

Each policy can modify the request or short-circuit by returning a Response. This is how auth policies block unauthenticated requests before they reach your backend.

Configured via x-zuplo-route.policies.inbound in your OpenAPI spec. Defined in config/policies.json.

Learn more

Short-circuiting

At several stages, the pipeline can be short-circuited by returning a Response instead of passing the request through:

Pre-routing hooks can return a Response to skip routing entirely
Request hooks can return a Response to skip policies and the handler
Inbound policies can return a Response (e.g., 401 Unauthorized) to skip the handler and outbound policies

This is how authentication policies work: they check credentials and return an error response if the request is not authorized, preventing it from reaching your backend.

Choosing the right extension point

Use a policy when you need reusable logic that applies to multiple routes. Policies are configured per-route in your OpenAPI spec and can be shared across any number of routes. Examples: authentication, rate limiting, request validation, header manipulation.

Use a handler when you need to define the core behavior of a route - forwarding to a backend, generating a response, or implementing business logic. Each route has exactly one handler.

Use a hook when you need logic that runs on every request globally, regardless of route. Examples: adding correlation IDs, security headers, logging, analytics.

I want to...	Use
Authenticate requests	Inbound policy
Rate limit requests	Inbound policy
Validate request bodies	Inbound policy
Forward to a backend	URL Forward Handler
Return custom responses	Function Handler
Transform response bodies	Outbound policy
Add headers to all responses	Response hook
Log every request	Response final hook
Normalize URLs before routing	Pre-routing hook

Edit this page

Last modified on March 27, 2026

How Zuplo Works Project Structure

Concepts

Request Lifecycle

Every request that reaches Zuplo passes through a well-defined pipeline of stages. Click any stage below to learn what it does, when to use it, and find relevant documentation.

Client Request

Inbound Policies

Per-route

When to use

The primary extension point for request processing. Add authentication, rate limiting, request validation, or any custom logic. Policies are reusable across routes and execute in order.

How it works

Each policy can modify the request or short-circuit by returning a Response. This is how auth policies block unauthenticated requests before they reach your backend.

Configured via x-zuplo-route.policies.inbound in your OpenAPI spec. Defined in config/policies.json.

Learn more

Client Response

Client Request

Client Response

Inbound Policies

Per-route

When to use

The primary extension point for request processing. Add authentication, rate limiting, request validation, or any custom logic. Policies are reusable across routes and execute in order.

How it works

Each policy can modify the request or short-circuit by returning a Response. This is how auth policies block unauthenticated requests before they reach your backend.

Configured via x-zuplo-route.policies.inbound in your OpenAPI spec. Defined in config/policies.json.

Learn more

Short-circuiting

At several stages, the pipeline can be short-circuited by returning a Response instead of passing the request through:

Pre-routing hooks can return a Response to skip routing entirely
Request hooks can return a Response to skip policies and the handler
Inbound policies can return a Response (e.g., 401 Unauthorized) to skip the handler and outbound policies

This is how authentication policies work: they check credentials and return an error response if the request is not authorized, preventing it from reaching your backend.

Choosing the right extension point

Use a handler when you need to define the core behavior of a route - forwarding to a backend, generating a response, or implementing business logic. Each route has exactly one handler.

Use a hook when you need logic that runs on every request globally, regardless of route. Examples: adding correlation IDs, security headers, logging, analytics.

I want to...	Use
Authenticate requests	Inbound policy
Rate limit requests	Inbound policy
Validate request bodies	Inbound policy
Forward to a backend	URL Forward Handler
Return custom responses	Function Handler
Transform response bodies	Outbound policy
Add headers to all responses	Response hook
Log every request	Response final hook
Normalize URLs before routing	Pre-routing hook

Edit this page

Last modified on March 27, 2026

How Zuplo Works Project Structure