zuplo 6.67.32 → 6.68.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +9 -0
- package/docs/_index.md +44 -0
- package/docs/ai-gateway/apps.mdx +28 -0
- package/docs/ai-gateway/custom-providers.mdx +54 -0
- package/docs/ai-gateway/getting-started.mdx +224 -0
- package/docs/ai-gateway/guardrails.mdx +65 -0
- package/docs/ai-gateway/integrations/ai-sdk.mdx +109 -0
- package/docs/ai-gateway/integrations/claude-code.mdx +49 -0
- package/docs/ai-gateway/integrations/codex.mdx +78 -0
- package/docs/ai-gateway/integrations/goose.mdx +104 -0
- package/docs/ai-gateway/integrations/langchain.mdx +66 -0
- package/docs/ai-gateway/integrations/openai.mdx +99 -0
- package/docs/ai-gateway/introduction.mdx +85 -0
- package/docs/ai-gateway/managing-apps.mdx +46 -0
- package/docs/ai-gateway/managing-providers.mdx +66 -0
- package/docs/ai-gateway/managing-teams.mdx +63 -0
- package/docs/ai-gateway/policies/akamai-ai-firewall.mdx +125 -0
- package/docs/ai-gateway/policies/comet-opik-tracing.mdx +139 -0
- package/docs/ai-gateway/policies/galileo-tracing.mdx +147 -0
- package/docs/ai-gateway/providers.mdx +32 -0
- package/docs/ai-gateway/teams.mdx +38 -0
- package/docs/ai-gateway/universal-api.mdx +43 -0
- package/docs/ai-gateway/usage-limits.mdx +89 -0
- package/docs/api-management/introduction.md +127 -0
- package/docs/articles/accounts/audit-logs.mdx +227 -0
- package/docs/articles/accounts/billing.mdx +25 -0
- package/docs/articles/accounts/default-api-key.mdx +30 -0
- package/docs/articles/accounts/delete-account.mdx +36 -0
- package/docs/articles/accounts/enterprise-sso.mdx +116 -0
- package/docs/articles/accounts/managing-account-members.mdx +45 -0
- package/docs/articles/accounts/managing-project-members.mdx +37 -0
- package/docs/articles/accounts/members-and-roles.mdx +21 -0
- package/docs/articles/accounts/roles-and-permissions.mdx +115 -0
- package/docs/articles/accounts/zuplo-api-keys.mdx +94 -0
- package/docs/articles/add-api-to-backstage.mdx +216 -0
- package/docs/articles/advanced-path-matching.mdx +139 -0
- package/docs/articles/api-key-administration.mdx +47 -0
- package/docs/articles/api-key-api.mdx +220 -0
- package/docs/articles/api-key-authentication.mdx +195 -0
- package/docs/articles/api-key-buckets.mdx +61 -0
- package/docs/articles/api-key-end-users.mdx +52 -0
- package/docs/articles/api-key-leak-detection.mdx +75 -0
- package/docs/articles/api-key-management.mdx +100 -0
- package/docs/articles/api-key-react-component.mdx +90 -0
- package/docs/articles/api-key-service-limits.mdx +14 -0
- package/docs/articles/archiving-requests-to-storage.mdx +119 -0
- package/docs/articles/branch-based-deployments.mdx +184 -0
- package/docs/articles/bypass-policy-for-testing.mdx +117 -0
- package/docs/articles/check-ip-address.mdx +17 -0
- package/docs/articles/ci-cd-azure/basic-deployment.mdx +49 -0
- package/docs/articles/ci-cd-azure/deploy-and-test.mdx +47 -0
- package/docs/articles/ci-cd-azure/local-testing.mdx +59 -0
- package/docs/articles/ci-cd-azure/multi-stage-deployment.mdx +88 -0
- package/docs/articles/ci-cd-azure/pr-preview-environments.mdx +50 -0
- package/docs/articles/ci-cd-azure/tag-based-releases.mdx +37 -0
- package/docs/articles/ci-cd-bitbucket/basic-deployment.mdx +27 -0
- package/docs/articles/ci-cd-bitbucket/deploy-and-test.mdx +41 -0
- package/docs/articles/ci-cd-bitbucket/local-testing.mdx +34 -0
- package/docs/articles/ci-cd-bitbucket/multi-stage-deployment.mdx +52 -0
- package/docs/articles/ci-cd-bitbucket/pr-preview-environments.mdx +46 -0
- package/docs/articles/ci-cd-bitbucket/tag-based-releases.mdx +27 -0
- package/docs/articles/ci-cd-circleci/basic-deployment.mdx +34 -0
- package/docs/articles/ci-cd-circleci/deploy-and-test.mdx +44 -0
- package/docs/articles/ci-cd-circleci/local-testing.mdx +50 -0
- package/docs/articles/ci-cd-circleci/multi-stage-deployment.mdx +82 -0
- package/docs/articles/ci-cd-circleci/pr-preview-environments.mdx +47 -0
- package/docs/articles/ci-cd-circleci/tag-based-releases.mdx +38 -0
- package/docs/articles/ci-cd-github/basic-deployment.mdx +48 -0
- package/docs/articles/ci-cd-github/cleanup-on-branch-delete.mdx +123 -0
- package/docs/articles/ci-cd-github/deploy-and-test.mdx +82 -0
- package/docs/articles/ci-cd-github/local-testing.mdx +102 -0
- package/docs/articles/ci-cd-github/multi-stage-deployment.mdx +136 -0
- package/docs/articles/ci-cd-github/pr-preview-environments.mdx +106 -0
- package/docs/articles/ci-cd-github/tag-based-releases.mdx +99 -0
- package/docs/articles/ci-cd-gitlab/basic-deployment.mdx +28 -0
- package/docs/articles/ci-cd-gitlab/deploy-and-test.mdx +44 -0
- package/docs/articles/ci-cd-gitlab/local-testing.mdx +39 -0
- package/docs/articles/ci-cd-gitlab/mr-preview-environments.mdx +52 -0
- package/docs/articles/ci-cd-gitlab/multi-stage-deployment.mdx +64 -0
- package/docs/articles/ci-cd-gitlab/tag-based-releases.mdx +28 -0
- package/docs/articles/composite-policy-reference.mdx +284 -0
- package/docs/articles/configuring-auth0-for-mcp-auth.mdx +186 -0
- package/docs/articles/configuring-okta-for-mcp-auth.mdx +208 -0
- package/docs/articles/convert-urls-to-openapi.mdx +62 -0
- package/docs/articles/cors.mdx +447 -0
- package/docs/articles/custom-audit-log-policy.mdx +95 -0
- package/docs/articles/custom-ci-cd-azure.mdx +81 -0
- package/docs/articles/custom-ci-cd-bitbucket.mdx +80 -0
- package/docs/articles/custom-ci-cd-circleci.mdx +78 -0
- package/docs/articles/custom-ci-cd-github.mdx +99 -0
- package/docs/articles/custom-ci-cd-gitlab.mdx +79 -0
- package/docs/articles/custom-ci-cd.mdx +82 -0
- package/docs/articles/custom-code-patterns.md +418 -0
- package/docs/articles/custom-domains.mdx +258 -0
- package/docs/articles/custom-logging-example.mdx +139 -0
- package/docs/articles/ddos-protection.mdx +138 -0
- package/docs/articles/development-options.mdx +49 -0
- package/docs/articles/environment-variables.mdx +134 -0
- package/docs/articles/environments.mdx +143 -0
- package/docs/articles/fastly-zuplo-host-setup.mdx +41 -0
- package/docs/articles/github-deployment-testing.mdx +101 -0
- package/docs/articles/gke-with-upstream-auth-policy.mdx +192 -0
- package/docs/articles/graphql-security.mdx +180 -0
- package/docs/articles/handling-form-data.mdx +61 -0
- package/docs/articles/health-checks.mdx +109 -0
- package/docs/articles/hosting-options.mdx +70 -0
- package/docs/articles/lazy-load-configuration-into-cache.mdx +92 -0
- package/docs/articles/limits.mdx +98 -0
- package/docs/articles/local-development-debugging.mdx +44 -0
- package/docs/articles/local-development-env-variables.mdx +23 -0
- package/docs/articles/local-development-installing-packages.mdx +23 -0
- package/docs/articles/local-development-routes-designer.mdx +27 -0
- package/docs/articles/local-development-services.mdx +40 -0
- package/docs/articles/local-development-troubleshooting.mdx +56 -0
- package/docs/articles/local-development.mdx +81 -0
- package/docs/articles/log-plugin-aws-cloudwatch.mdx +83 -0
- package/docs/articles/log-plugin-datadog.mdx +84 -0
- package/docs/articles/log-plugin-dynatrace.mdx +75 -0
- package/docs/articles/log-plugin-gcp.mdx +75 -0
- package/docs/articles/log-plugin-loki.mdx +136 -0
- package/docs/articles/log-plugin-new-relic.mdx +84 -0
- package/docs/articles/log-plugin-splunk.mdx +104 -0
- package/docs/articles/log-plugin-sumo.mdx +73 -0
- package/docs/articles/log-plugin-vmware-log-insight.mdx +154 -0
- package/docs/articles/log-request-response-data.mdx +398 -0
- package/docs/articles/logging.mdx +115 -0
- package/docs/articles/manual-mcp-oauth-testing.mdx +193 -0
- package/docs/articles/mcp-quickstart.mdx +135 -0
- package/docs/articles/metrics-plugins.mdx +371 -0
- package/docs/articles/migrate-from-apigee.md +408 -0
- package/docs/articles/migrate-from-aws-api-gateway.md +248 -0
- package/docs/articles/migrate-from-azure-apim.md +292 -0
- package/docs/articles/migrate-from-kong.md +300 -0
- package/docs/articles/migration-overview.md +81 -0
- package/docs/articles/monetization/api-access.mdx +69 -0
- package/docs/articles/monetization/billing-models.md +520 -0
- package/docs/articles/monetization/developer-portal.md +167 -0
- package/docs/articles/monetization/features.mdx +98 -0
- package/docs/articles/monetization/index.mdx +113 -0
- package/docs/articles/monetization/meters.mdx +135 -0
- package/docs/articles/monetization/monetization-policy.md +314 -0
- package/docs/articles/monetization/plan-examples.mdx +366 -0
- package/docs/articles/monetization/plans.mdx +266 -0
- package/docs/articles/monetization/pricing-models.mdx +225 -0
- package/docs/articles/monetization/private-plans.md +154 -0
- package/docs/articles/monetization/quickstart.md +355 -0
- package/docs/articles/monetization/rate-cards.mdx +171 -0
- package/docs/articles/monetization/stripe-integration.md +195 -0
- package/docs/articles/monetization/subscription-lifecycle.md +298 -0
- package/docs/articles/monetization/tax-collection.md +166 -0
- package/docs/articles/monetization/troubleshooting.md +272 -0
- package/docs/articles/monetization-custom.mdx +71 -0
- package/docs/articles/monetization-integrations.mdx +104 -0
- package/docs/articles/monitoring-your-gateway.mdx +53 -0
- package/docs/articles/monorepo-deployment.mdx +350 -0
- package/docs/articles/multiple-auth-policies.mdx +81 -0
- package/docs/articles/non-standard-ports.mdx +30 -0
- package/docs/articles/oauth-authentication.mdx +54 -0
- package/docs/articles/openapi-server-urls.mdx +60 -0
- package/docs/articles/openapi.mdx +130 -0
- package/docs/articles/opentelemetry.mdx +250 -0
- package/docs/articles/per-user-rate-limits-using-db.mdx +112 -0
- package/docs/articles/performance-testing.mdx +304 -0
- package/docs/articles/plugin-akamai-api-security.mdx +76 -0
- package/docs/articles/plugin-azure-blob.mdx +73 -0
- package/docs/articles/plugin-azure-event-hubs.mdx +64 -0
- package/docs/articles/plugin-hydrolix-traffic-peak.mdx +147 -0
- package/docs/articles/policies.mdx +33 -0
- package/docs/articles/rename-or-move-project.mdx +39 -0
- package/docs/articles/rick-and-morty-api-developer-portal-example.mdx +23 -0
- package/docs/articles/routing.mdx +193 -0
- package/docs/articles/s3-signed-url-uploads.mdx +521 -0
- package/docs/articles/secure-tunnel.mdx +84 -0
- package/docs/articles/securing-backend-mtls.mdx +268 -0
- package/docs/articles/securing-your-backend.mdx +148 -0
- package/docs/articles/security.mdx +105 -0
- package/docs/articles/sharing-code-across-projects.mdx +412 -0
- package/docs/articles/source-control-setup-azure.mdx +13 -0
- package/docs/articles/source-control-setup-bitbucket.mdx +43 -0
- package/docs/articles/source-control-setup-github.mdx +172 -0
- package/docs/articles/source-control-setup-gitlab.mdx +12 -0
- package/docs/articles/source-control.mdx +80 -0
- package/docs/articles/step-1-setup-basic-gateway-local.mdx +136 -0
- package/docs/articles/step-1-setup-basic-gateway.mdx +118 -0
- package/docs/articles/step-2-add-rate-limiting-local.mdx +126 -0
- package/docs/articles/step-2-add-rate-limiting.mdx +82 -0
- package/docs/articles/step-3-add-api-key-auth-local.mdx +199 -0
- package/docs/articles/step-3-add-api-key-auth.mdx +166 -0
- package/docs/articles/step-4-deploying-to-the-edge.mdx +220 -0
- package/docs/articles/step-5-dynamic-rate-limiting.mdx +167 -0
- package/docs/articles/support.mdx +144 -0
- package/docs/articles/terraform.mdx +114 -0
- package/docs/articles/testing-graphql.mdx +34 -0
- package/docs/articles/testing.mdx +522 -0
- package/docs/articles/troubleshooting-slow-responses.mdx +301 -0
- package/docs/articles/troubleshooting.md +302 -0
- package/docs/articles/tsconfig.mdx +105 -0
- package/docs/articles/tunnel-setup.mdx +195 -0
- package/docs/articles/tunnel-troubleshooting.mdx +50 -0
- package/docs/articles/update-zup-in-github-action.mdx +110 -0
- package/docs/articles/use-openapi-extension-data.mdx +79 -0
- package/docs/articles/users/multifactor-authentication.mdx +64 -0
- package/docs/articles/users/profile.mdx +13 -0
- package/docs/articles/versioning-on-zuplo.mdx +89 -0
- package/docs/articles/waf-ddos-akamai.md +133 -0
- package/docs/articles/waf-ddos-aws-waf-shield.mdx +85 -0
- package/docs/articles/waf-ddos-fastly.mdx +251 -0
- package/docs/articles/waf-ddos.mdx +140 -0
- package/docs/articles/zuplo-waf.mdx +156 -0
- package/docs/ask.mdx +3 -0
- package/docs/cli/authentication.mdx +56 -0
- package/docs/cli/connectivity.mdx +38 -0
- package/docs/cli/create-zuplo-api.mdx +80 -0
- package/docs/cli/delete.mdx +79 -0
- package/docs/cli/deploy.mdx +156 -0
- package/docs/cli/deploy.partial.mdx +46 -0
- package/docs/cli/dev.mdx +115 -0
- package/docs/cli/docs.mdx +66 -0
- package/docs/cli/editor.mdx +50 -0
- package/docs/cli/global-options.mdx +19 -0
- package/docs/cli/init.mdx +74 -0
- package/docs/cli/link.mdx +74 -0
- package/docs/cli/list.mdx +55 -0
- package/docs/cli/mtls-certificate-create.mdx +94 -0
- package/docs/cli/mtls-certificate-delete.mdx +55 -0
- package/docs/cli/mtls-certificate-describe.mdx +55 -0
- package/docs/cli/mtls-certificate-disable.mdx +55 -0
- package/docs/cli/mtls-certificate-list.mdx +47 -0
- package/docs/cli/mtls-certificate-update.mdx +72 -0
- package/docs/cli/openapi-convert.mdx +111 -0
- package/docs/cli/openapi-merge.mdx +138 -0
- package/docs/cli/openapi-merge.partial.mdx +29 -0
- package/docs/cli/openapi-overlay.mdx +123 -0
- package/docs/cli/overview.mdx +78 -0
- package/docs/cli/project-create.mdx +43 -0
- package/docs/cli/source-migrate.mdx +18 -0
- package/docs/cli/source-upgrade.mdx +41 -0
- package/docs/cli/test.mdx +70 -0
- package/docs/cli/test.partial.mdx +7 -0
- package/docs/cli/tunnel-create.mdx +53 -0
- package/docs/cli/tunnel-create.partial.mdx +9 -0
- package/docs/cli/tunnel-delete.mdx +35 -0
- package/docs/cli/tunnel-delete.partial.mdx +9 -0
- package/docs/cli/tunnel-describe.mdx +45 -0
- package/docs/cli/tunnel-describe.partial.mdx +5 -0
- package/docs/cli/tunnel-list.mdx +35 -0
- package/docs/cli/tunnel-list.partial.mdx +9 -0
- package/docs/cli/tunnel-rate-token.partial.mdx +9 -0
- package/docs/cli/tunnel-rotate-token.mdx +39 -0
- package/docs/cli/tunnel-services-describe.mdx +45 -0
- package/docs/cli/tunnel-services-describe.partial.mdx +9 -0
- package/docs/cli/tunnel-services-update.mdx +48 -0
- package/docs/cli/variable-create.mdx +91 -0
- package/docs/cli/variable-create.partial.mdx +5 -0
- package/docs/cli/variable-update.mdx +75 -0
- package/docs/cli/variable-update.partial.mdx +5 -0
- package/docs/concepts/api-keys.md +146 -0
- package/docs/concepts/authentication.mdx +109 -0
- package/docs/concepts/how-zuplo-works.mdx +120 -0
- package/docs/concepts/project-structure.mdx +174 -0
- package/docs/concepts/rate-limiting.md +246 -0
- package/docs/concepts/request-lifecycle.mdx +56 -0
- package/docs/concepts/source-control-and-deployment.mdx +229 -0
- package/docs/conferences/conference-prize-terms.mdx +80 -0
- package/docs/dedicated/akamai/ai-powered-applications.mdx +223 -0
- package/docs/dedicated/akamai/architecture.mdx +280 -0
- package/docs/dedicated/akamai/caching.mdx +212 -0
- package/docs/dedicated/akamai/cdn.mdx +156 -0
- package/docs/dedicated/architecture.mdx +208 -0
- package/docs/dedicated/custom-domains.mdx +31 -0
- package/docs/dedicated/federated-gateways.mdx +80 -0
- package/docs/dedicated/networking.mdx +69 -0
- package/docs/dedicated/overview.mdx +80 -0
- package/docs/dedicated/source-control.mdx +63 -0
- package/docs/dev-portal/dev-portal-create-consumer-on-auth.mdx +134 -0
- package/docs/dev-portal/introduction.mdx +65 -0
- package/docs/dev-portal/local-development.mdx +72 -0
- package/docs/dev-portal/migration.mdx +526 -0
- package/docs/dev-portal/node-modules.mdx +45 -0
- package/docs/dev-portal/updating.mdx +28 -0
- package/docs/dev-portal/zudoku/components/alert.mdx +130 -0
- package/docs/dev-portal/zudoku/components/badge.mdx +70 -0
- package/docs/dev-portal/zudoku/components/button.mdx +132 -0
- package/docs/dev-portal/zudoku/components/callout.mdx +112 -0
- package/docs/dev-portal/zudoku/components/card.mdx +104 -0
- package/docs/dev-portal/zudoku/components/checkbox.mdx +72 -0
- package/docs/dev-portal/zudoku/components/client-only.mdx +79 -0
- package/docs/dev-portal/zudoku/components/code-tabs.mdx +179 -0
- package/docs/dev-portal/zudoku/components/dialog.mdx +167 -0
- package/docs/dev-portal/zudoku/components/head.mdx +199 -0
- package/docs/dev-portal/zudoku/components/icons.mdx +27 -0
- package/docs/dev-portal/zudoku/components/input.mdx +96 -0
- package/docs/dev-portal/zudoku/components/label.mdx +86 -0
- package/docs/dev-portal/zudoku/components/link.mdx +242 -0
- package/docs/dev-portal/zudoku/components/markdown.mdx +151 -0
- package/docs/dev-portal/zudoku/components/mermaid.mdx +81 -0
- package/docs/dev-portal/zudoku/components/playground.mdx +87 -0
- package/docs/dev-portal/zudoku/components/secret.mdx +78 -0
- package/docs/dev-portal/zudoku/components/select.mdx +176 -0
- package/docs/dev-portal/zudoku/components/shadcn.mdx +73 -0
- package/docs/dev-portal/zudoku/components/slider.mdx +108 -0
- package/docs/dev-portal/zudoku/components/slot.mdx +119 -0
- package/docs/dev-portal/zudoku/components/stepper.mdx +138 -0
- package/docs/dev-portal/zudoku/components/switch.mdx +96 -0
- package/docs/dev-portal/zudoku/components/syntax-highlight.mdx +602 -0
- package/docs/dev-portal/zudoku/components/textarea.mdx +78 -0
- package/docs/dev-portal/zudoku/components/tooltip.mdx +195 -0
- package/docs/dev-portal/zudoku/components/typography.mdx +61 -0
- package/docs/dev-portal/zudoku/configuration/ai-assistants.md +64 -0
- package/docs/dev-portal/zudoku/configuration/api-catalog.md +108 -0
- package/docs/dev-portal/zudoku/configuration/api-reference.md +397 -0
- package/docs/dev-portal/zudoku/configuration/authentication-auth0.md +173 -0
- package/docs/dev-portal/zudoku/configuration/authentication-azure-ad.md +238 -0
- package/docs/dev-portal/zudoku/configuration/authentication-clerk.md +110 -0
- package/docs/dev-portal/zudoku/configuration/authentication-firebase.md +61 -0
- package/docs/dev-portal/zudoku/configuration/authentication-pingfederate.md +136 -0
- package/docs/dev-portal/zudoku/configuration/authentication-supabase.md +225 -0
- package/docs/dev-portal/zudoku/configuration/authentication.md +199 -0
- package/docs/dev-portal/zudoku/configuration/build-configuration.mdx +147 -0
- package/docs/dev-portal/zudoku/configuration/docs.md +282 -0
- package/docs/dev-portal/zudoku/configuration/footer.mdx +214 -0
- package/docs/dev-portal/zudoku/configuration/llms.md +89 -0
- package/docs/dev-portal/zudoku/configuration/navigation.mdx +408 -0
- package/docs/dev-portal/zudoku/configuration/overview.md +380 -0
- package/docs/dev-portal/zudoku/configuration/protected-routes.md +149 -0
- package/docs/dev-portal/zudoku/configuration/search.md +169 -0
- package/docs/dev-portal/zudoku/configuration/sentry.mdx +44 -0
- package/docs/dev-portal/zudoku/configuration/site.md +124 -0
- package/docs/dev-portal/zudoku/configuration/slots.mdx +124 -0
- package/docs/dev-portal/zudoku/configuration/vite-config.md +18 -0
- package/docs/dev-portal/zudoku/custom-plugins.md +287 -0
- package/docs/dev-portal/zudoku/customization/colors-theme.mdx +275 -0
- package/docs/dev-portal/zudoku/customization/fonts.md +110 -0
- package/docs/dev-portal/zudoku/extending/events.md +124 -0
- package/docs/dev-portal/zudoku/guides/custom-pages.md +106 -0
- package/docs/dev-portal/zudoku/guides/environment-variables.md +99 -0
- package/docs/dev-portal/zudoku/guides/mermaid.mdx +70 -0
- package/docs/dev-portal/zudoku/guides/navigation-migration.md +87 -0
- package/docs/dev-portal/zudoku/guides/navigation-rules.mdx +197 -0
- package/docs/dev-portal/zudoku/guides/processors.mdx +234 -0
- package/docs/dev-portal/zudoku/guides/static-files.md +55 -0
- package/docs/dev-portal/zudoku/guides/transforming-examples.md +156 -0
- package/docs/dev-portal/zudoku/guides/using-multiple-apis.md +87 -0
- package/docs/dev-portal/zudoku/markdown/admonitions.md +128 -0
- package/docs/dev-portal/zudoku/markdown/code-blocks.md +196 -0
- package/docs/dev-portal/zudoku/markdown/frontmatter.md +172 -0
- package/docs/dev-portal/zudoku/markdown/mdx.md +68 -0
- package/docs/dev-portal/zudoku/markdown/overview.md +275 -0
- package/docs/dev-portal/zudoku/plugins.md +5 -0
- package/docs/dev-portal/zudoku/writing.mdx +72 -0
- package/docs/errors/bad-request.mdx +39 -0
- package/docs/errors/build-error.mdx +45 -0
- package/docs/errors/fatal-project-error.mdx +39 -0
- package/docs/errors/gateway-timeout.mdx +33 -0
- package/docs/errors/get-head-body-error.mdx +41 -0
- package/docs/errors/main-mod-error.mdx +40 -0
- package/docs/errors/no-project-set.mdx +41 -0
- package/docs/errors/not-found.mdx +43 -0
- package/docs/errors/rate-limit-exceeded.mdx +31 -0
- package/docs/errors/schema-validation-failed.mdx +51 -0
- package/docs/errors/system-configuration-error.mdx +44 -0
- package/docs/errors/unauthorized.mdx +50 -0
- package/docs/errors/unknown-error.mdx +42 -0
- package/docs/errors.mdx +14 -0
- package/docs/guides/canary-routing-for-employees.mdx +385 -0
- package/docs/guides/geolocation-backend-routing.mdx +404 -0
- package/docs/guides/modify-openapi-paths.mdx +371 -0
- package/docs/guides/openapi-overlays.mdx +492 -0
- package/docs/guides/overview.mdx +12 -0
- package/docs/guides/user-based-backend-routing.mdx +437 -0
- package/docs/handlers/aws-lambda.mdx +201 -0
- package/docs/handlers/custom-handler.mdx +112 -0
- package/docs/handlers/legacy-dev-portal-handler.mdx +135 -0
- package/docs/handlers/mcp-server.mdx +730 -0
- package/docs/handlers/openapi.mdx +78 -0
- package/docs/handlers/redirect.mdx +115 -0
- package/docs/handlers/system-handlers.mdx +41 -0
- package/docs/handlers/url-forward.mdx +204 -0
- package/docs/handlers/url-rewrite.mdx +224 -0
- package/docs/handlers/websocket-handler.mdx +154 -0
- package/docs/home.mdx +6 -0
- package/docs/managed-edge/overview.md +78 -0
- package/docs/mcp-server/configuration-migration-guide.mdx +344 -0
- package/docs/mcp-server/custom-tools.mdx +487 -0
- package/docs/mcp-server/graphql.mdx +241 -0
- package/docs/mcp-server/introduction.mdx +122 -0
- package/docs/mcp-server/openai-apps-sdk.mdx +160 -0
- package/docs/mcp-server/prompts.mdx +283 -0
- package/docs/mcp-server/resources.mdx +288 -0
- package/docs/mcp-server/testing.mdx +53 -0
- package/docs/mcp-server/tools.mdx +306 -0
- package/docs/policies/_index.md +92 -0
- package/docs/policies/ab-test-inbound/intro.md +8 -0
- package/docs/policies/ab-test-inbound/policy.ts +14 -0
- package/docs/policies/ab-test-inbound/schema.json +27 -0
- package/docs/policies/ab-test-outbound/intro.md +8 -0
- package/docs/policies/ab-test-outbound/policy.ts +26 -0
- package/docs/policies/ab-test-outbound/schema.json +27 -0
- package/docs/policies/acl-policy-inbound/intro.md +5 -0
- package/docs/policies/acl-policy-inbound/policy.ts +32 -0
- package/docs/policies/acl-policy-inbound/schema.json +52 -0
- package/docs/policies/akamai-ai-firewall/schema.json +98 -0
- package/docs/policies/amberflo-metering-inbound/doc.md +183 -0
- package/docs/policies/amberflo-metering-inbound/intro.md +20 -0
- package/docs/policies/amberflo-metering-inbound/schema.json +108 -0
- package/docs/policies/api-key-inbound/doc.md +77 -0
- package/docs/policies/api-key-inbound/intro.md +30 -0
- package/docs/policies/api-key-inbound/schema.json +84 -0
- package/docs/policies/archive-request-aws-s3-inbound/intro.md +4 -0
- package/docs/policies/archive-request-aws-s3-inbound/policy.ts +58 -0
- package/docs/policies/archive-request-aws-s3-inbound/schema.json +68 -0
- package/docs/policies/archive-request-azure-storage-inbound/doc.md +31 -0
- package/docs/policies/archive-request-azure-storage-inbound/intro.md +4 -0
- package/docs/policies/archive-request-azure-storage-inbound/policy.ts +54 -0
- package/docs/policies/archive-request-azure-storage-inbound/schema.json +53 -0
- package/docs/policies/archive-request-gcp-storage-inbound/doc.md +63 -0
- package/docs/policies/archive-request-gcp-storage-inbound/intro.md +4 -0
- package/docs/policies/archive-request-gcp-storage-inbound/policy.ts +68 -0
- package/docs/policies/archive-request-gcp-storage-inbound/schema.json +47 -0
- package/docs/policies/archive-response-aws-s3-outbound/intro.md +2 -0
- package/docs/policies/archive-response-aws-s3-outbound/policy.ts +59 -0
- package/docs/policies/archive-response-aws-s3-outbound/schema.json +68 -0
- package/docs/policies/archive-response-azure-storage-outbound/doc.md +31 -0
- package/docs/policies/archive-response-azure-storage-outbound/intro.md +3 -0
- package/docs/policies/archive-response-azure-storage-outbound/policy.ts +54 -0
- package/docs/policies/archive-response-azure-storage-outbound/schema.json +53 -0
- package/docs/policies/audit-log-inbound/doc.md +78 -0
- package/docs/policies/audit-log-inbound/intro.md +10 -0
- package/docs/policies/audit-log-inbound/schema.json +81 -0
- package/docs/policies/auth0-jwt-auth-inbound/doc.md +125 -0
- package/docs/policies/auth0-jwt-auth-inbound/intro.md +17 -0
- package/docs/policies/auth0-jwt-auth-inbound/schema.json +74 -0
- package/docs/policies/authzen-inbound/doc.md +24 -0
- package/docs/policies/authzen-inbound/intro.md +31 -0
- package/docs/policies/authzen-inbound/schema.json +126 -0
- package/docs/policies/axiomatics-authz-inbound/doc.md +144 -0
- package/docs/policies/axiomatics-authz-inbound/intro.md +11 -0
- package/docs/policies/axiomatics-authz-inbound/schema.json +161 -0
- package/docs/policies/basic-auth-inbound/intro.md +9 -0
- package/docs/policies/basic-auth-inbound/schema.json +99 -0
- package/docs/policies/bot-detection-inbound/intro.md +4 -0
- package/docs/policies/bot-detection-inbound/schema.json +56 -0
- package/docs/policies/brownout-inbound/doc.md +55 -0
- package/docs/policies/brownout-inbound/intro.md +12 -0
- package/docs/policies/brownout-inbound/schema.json +115 -0
- package/docs/policies/caching-inbound/doc.md +209 -0
- package/docs/policies/caching-inbound/intro.md +23 -0
- package/docs/policies/caching-inbound/schema.json +98 -0
- package/docs/policies/change-method-inbound/schema.json +56 -0
- package/docs/policies/clear-headers-inbound/schema.json +59 -0
- package/docs/policies/clear-headers-outbound/schema.json +59 -0
- package/docs/policies/clerk-jwt-auth-inbound/doc.md +85 -0
- package/docs/policies/clerk-jwt-auth-inbound/intro.md +4 -0
- package/docs/policies/clerk-jwt-auth-inbound/schema.json +68 -0
- package/docs/policies/cognito-jwt-auth-inbound/intro.md +7 -0
- package/docs/policies/cognito-jwt-auth-inbound/schema.json +74 -0
- package/docs/policies/comet-opik-tracing-inbound/schema.json +65 -0
- package/docs/policies/complex-rate-limit-inbound/doc.md +20 -0
- package/docs/policies/complex-rate-limit-inbound/intro.md +23 -0
- package/docs/policies/complex-rate-limit-inbound/schema.json +142 -0
- package/docs/policies/composite-inbound/doc.md +69 -0
- package/docs/policies/composite-inbound/intro.md +15 -0
- package/docs/policies/composite-inbound/schema.json +59 -0
- package/docs/policies/composite-outbound/intro.md +6 -0
- package/docs/policies/composite-outbound/schema.json +59 -0
- package/docs/policies/curity-phantom-token-inbound/doc.md +109 -0
- package/docs/policies/curity-phantom-token-inbound/intro.md +3 -0
- package/docs/policies/curity-phantom-token-inbound/schema.json +68 -0
- package/docs/policies/custom-code-inbound/doc.md +267 -0
- package/docs/policies/custom-code-inbound/intro.md +2 -0
- package/docs/policies/custom-code-inbound/schema.json +48 -0
- package/docs/policies/custom-code-outbound/doc.md +235 -0
- package/docs/policies/custom-code-outbound/intro.md +2 -0
- package/docs/policies/custom-code-outbound/schema.json +43 -0
- package/docs/policies/firebase-jwt-inbound/intro.md +6 -0
- package/docs/policies/firebase-jwt-inbound/schema.json +68 -0
- package/docs/policies/formdata-to-json-inbound/schema.json +60 -0
- package/docs/policies/galileo-tracing-inbound/schema.json +65 -0
- package/docs/policies/geo-filter-inbound/doc.md +33 -0
- package/docs/policies/geo-filter-inbound/schema.json +108 -0
- package/docs/policies/graphql-complexity-limit-inbound/doc.md +48 -0
- package/docs/policies/graphql-complexity-limit-inbound/intro.md +2 -0
- package/docs/policies/graphql-complexity-limit-inbound/schema.json +90 -0
- package/docs/policies/graphql-disable-introspection-inbound/doc.md +66 -0
- package/docs/policies/graphql-disable-introspection-inbound/intro.md +15 -0
- package/docs/policies/graphql-disable-introspection-inbound/schema.json +48 -0
- package/docs/policies/graphql-introspection-filter-outbound/doc.md +148 -0
- package/docs/policies/graphql-introspection-filter-outbound/schema.json +79 -0
- package/docs/policies/hmac-auth-inbound/doc.md +30 -0
- package/docs/policies/hmac-auth-inbound/intro.md +10 -0
- package/docs/policies/hmac-auth-inbound/policy.ts +70 -0
- package/docs/policies/hmac-auth-inbound/schema.json +53 -0
- package/docs/policies/http-deprecation-outbound/doc.md +73 -0
- package/docs/policies/http-deprecation-outbound/schema.json +83 -0
- package/docs/policies/ip-restriction-inbound/intro.md +8 -0
- package/docs/policies/ip-restriction-inbound/policy.ts +40 -0
- package/docs/policies/ip-restriction-inbound/schema.json +58 -0
- package/docs/policies/jwt-scopes-inbound/schema.json +59 -0
- package/docs/policies/ldap-auth-inbound/schema.json +56 -0
- package/docs/policies/mock-api-inbound/schema.json +72 -0
- package/docs/policies/moesif-inbound/doc.md +44 -0
- package/docs/policies/moesif-inbound/intro.md +6 -0
- package/docs/policies/moesif-inbound/schema.json +68 -0
- package/docs/policies/monetization-inbound/doc.md +87 -0
- package/docs/policies/monetization-inbound/intro.md +6 -0
- package/docs/policies/monetization-inbound/schema.json +102 -0
- package/docs/policies/mtls-auth-inbound/intro.md +6 -0
- package/docs/policies/mtls-auth-inbound/schema.json +68 -0
- package/docs/policies/okta-fga-authz-inbound/doc.md +181 -0
- package/docs/policies/okta-fga-authz-inbound/intro.md +20 -0
- package/docs/policies/okta-fga-authz-inbound/schema.json +104 -0
- package/docs/policies/okta-jwt-auth-inbound/intro.md +7 -0
- package/docs/policies/okta-jwt-auth-inbound/schema.json +74 -0
- package/docs/policies/open-id-jwt-auth-inbound/doc.md +58 -0
- package/docs/policies/open-id-jwt-auth-inbound/intro.md +30 -0
- package/docs/policies/open-id-jwt-auth-inbound/schema.json +128 -0
- package/docs/policies/openfga-authz-inbound/doc.md +207 -0
- package/docs/policies/openfga-authz-inbound/intro.md +17 -0
- package/docs/policies/openfga-authz-inbound/schema.json +191 -0
- package/docs/policies/openmeter-inbound/doc.md +163 -0
- package/docs/policies/openmeter-inbound/intro.md +18 -0
- package/docs/policies/openmeter-inbound/schema.json +183 -0
- package/docs/policies/prompt-injection-outbound/doc.md +106 -0
- package/docs/policies/prompt-injection-outbound/intro.md +4 -0
- package/docs/policies/prompt-injection-outbound/schema.json +74 -0
- package/docs/policies/propel-auth-jwt-inbound/doc.md +88 -0
- package/docs/policies/propel-auth-jwt-inbound/intro.md +4 -0
- package/docs/policies/propel-auth-jwt-inbound/schema.json +74 -0
- package/docs/policies/query-param-to-header-inbound/doc.md +70 -0
- package/docs/policies/query-param-to-header-inbound/intro.md +5 -0
- package/docs/policies/query-param-to-header-inbound/schema.json +74 -0
- package/docs/policies/quota-inbound/doc.md +235 -0
- package/docs/policies/quota-inbound/intro.md +7 -0
- package/docs/policies/quota-inbound/schema.json +133 -0
- package/docs/policies/rate-limit-inbound/doc.md +78 -0
- package/docs/policies/rate-limit-inbound/intro.md +30 -0
- package/docs/policies/rate-limit-inbound/schema.json +134 -0
- package/docs/policies/rbac-policy-inbound/intro.md +3 -0
- package/docs/policies/rbac-policy-inbound/policy.ts +42 -0
- package/docs/policies/rbac-policy-inbound/schema.json +52 -0
- package/docs/policies/readme-metrics-inbound/doc.md +1 -0
- package/docs/policies/readme-metrics-inbound/intro.md +3 -0
- package/docs/policies/readme-metrics-inbound/schema.json +84 -0
- package/docs/policies/remove-headers-inbound/schema.json +59 -0
- package/docs/policies/remove-headers-outbound/schema.json +59 -0
- package/docs/policies/remove-query-params-inbound/schema.json +59 -0
- package/docs/policies/replace-string-outbound/schema.json +69 -0
- package/docs/policies/request-size-limit-inbound/schema.json +60 -0
- package/docs/policies/request-validation-inbound/doc.md +72 -0
- package/docs/policies/request-validation-inbound/intro.md +24 -0
- package/docs/policies/request-validation-inbound/schema.json +98 -0
- package/docs/policies/require-origin-inbound/intro.md +12 -0
- package/docs/policies/require-origin-inbound/schema.json +65 -0
- package/docs/policies/secret-masking-outbound/doc.md +41 -0
- package/docs/policies/secret-masking-outbound/intro.md +13 -0
- package/docs/policies/secret-masking-outbound/schema.json +65 -0
- package/docs/policies/semantic-cache-inbound/doc.md +63 -0
- package/docs/policies/semantic-cache-inbound/intro.md +4 -0
- package/docs/policies/semantic-cache-inbound/schema.json +179 -0
- package/docs/policies/set-body-inbound/intro.md +7 -0
- package/docs/policies/set-body-inbound/schema.json +56 -0
- package/docs/policies/set-headers-inbound/doc.md +41 -0
- package/docs/policies/set-headers-inbound/intro.md +2 -0
- package/docs/policies/set-headers-inbound/schema.json +83 -0
- package/docs/policies/set-headers-outbound/schema.json +83 -0
- package/docs/policies/set-query-params-inbound/schema.json +83 -0
- package/docs/policies/set-status-outbound/schema.json +62 -0
- package/docs/policies/sleep-inbound/schema.json +56 -0
- package/docs/policies/stripe-webhook-verification-inbound/intro.md +2 -0
- package/docs/policies/stripe-webhook-verification-inbound/schema.json +60 -0
- package/docs/policies/supabase-jwt-auth-inbound/doc.md +29 -0
- package/docs/policies/supabase-jwt-auth-inbound/intro.md +12 -0
- package/docs/policies/supabase-jwt-auth-inbound/schema.json +86 -0
- package/docs/policies/transform-body-inbound/intro.md +8 -0
- package/docs/policies/transform-body-inbound/policy.ts +16 -0
- package/docs/policies/transform-body-inbound/schema.json +27 -0
- package/docs/policies/transform-body-outbound/intro.md +8 -0
- package/docs/policies/transform-body-outbound/policy.ts +19 -0
- package/docs/policies/transform-body-outbound/schema.json +27 -0
- package/docs/policies/upstream-azure-ad-service-auth-inbound/doc.md +82 -0
- package/docs/policies/upstream-azure-ad-service-auth-inbound/intro.md +20 -0
- package/docs/policies/upstream-azure-ad-service-auth-inbound/schema.json +84 -0
- package/docs/policies/upstream-firebase-admin-auth-inbound/intro.md +10 -0
- package/docs/policies/upstream-firebase-admin-auth-inbound/schema.json +68 -0
- package/docs/policies/upstream-firebase-user-auth-inbound/intro.md +2 -0
- package/docs/policies/upstream-firebase-user-auth-inbound/schema.json +113 -0
- package/docs/policies/upstream-gcp-federated-auth-inbound/doc.md +139 -0
- package/docs/policies/upstream-gcp-federated-auth-inbound/intro.md +21 -0
- package/docs/policies/upstream-gcp-federated-auth-inbound/schema.json +96 -0
- package/docs/policies/upstream-gcp-jwt-inbound/intro.md +10 -0
- package/docs/policies/upstream-gcp-jwt-inbound/schema.json +62 -0
- package/docs/policies/upstream-gcp-service-auth-inbound/doc.md +132 -0
- package/docs/policies/upstream-gcp-service-auth-inbound/intro.md +25 -0
- package/docs/policies/upstream-gcp-service-auth-inbound/schema.json +95 -0
- package/docs/policies/upstream-zuplo-jwt-auth-inbound/doc.md +213 -0
- package/docs/policies/upstream-zuplo-jwt-auth-inbound/intro.md +16 -0
- package/docs/policies/upstream-zuplo-jwt-auth-inbound/schema.json +101 -0
- package/docs/policies/validate-json-schema-inbound/doc.md +129 -0
- package/docs/policies/validate-json-schema-inbound/intro.md +7 -0
- package/docs/policies/validate-json-schema-inbound/schema.json +56 -0
- package/docs/policies/web-bot-auth-inbound/doc.md +104 -0
- package/docs/policies/web-bot-auth-inbound/intro.md +16 -0
- package/docs/policies/web-bot-auth-inbound/schema.json +76 -0
- package/docs/policies/xml-to-json-outbound/doc.md +71 -0
- package/docs/policies/xml-to-json-outbound/intro.md +4 -0
- package/docs/policies/xml-to-json-outbound/schema.json +117 -0
- package/docs/programmable-api/audit-log.mdx +74 -0
- package/docs/programmable-api/background-dispatcher.mdx +124 -0
- package/docs/programmable-api/background-loader.mdx +104 -0
- package/docs/programmable-api/cache.mdx +186 -0
- package/docs/programmable-api/compatibility-dates.mdx +201 -0
- package/docs/programmable-api/console-logging.mdx +48 -0
- package/docs/programmable-api/context-data.mdx +127 -0
- package/docs/programmable-api/custom-cors-policy.mdx +64 -0
- package/docs/programmable-api/environment.mdx +328 -0
- package/docs/programmable-api/hooks.mdx +569 -0
- package/docs/programmable-api/http-problems.mdx +385 -0
- package/docs/programmable-api/jwt-service-plugin.mdx +420 -0
- package/docs/programmable-api/logger.mdx +223 -0
- package/docs/programmable-api/memory-zone-read-through-cache.mdx +96 -0
- package/docs/programmable-api/node-modules.mdx +67 -0
- package/docs/programmable-api/not-found-handler.mdx +47 -0
- package/docs/programmable-api/oauth-protected-resource-plugin.mdx +46 -0
- package/docs/programmable-api/overview.mdx +213 -0
- package/docs/programmable-api/problem-response-formatter.mdx +183 -0
- package/docs/programmable-api/request-user.mdx +289 -0
- package/docs/programmable-api/reusing-code.mdx +26 -0
- package/docs/programmable-api/route-raw.mdx +55 -0
- package/docs/programmable-api/runtime-behaviors.mdx +25 -0
- package/docs/programmable-api/runtime-errors.mdx +246 -0
- package/docs/programmable-api/runtime-extensions.mdx +340 -0
- package/docs/programmable-api/safely-clone-a-request-or-response.mdx +57 -0
- package/docs/programmable-api/streaming-zone-cache.mdx +155 -0
- package/docs/programmable-api/web-crypto-apis.mdx +219 -0
- package/docs/programmable-api/web-standard-apis.mdx +109 -0
- package/docs/programmable-api/zone-cache.mdx +131 -0
- package/docs/programmable-api/zp-body-removed.mdx +32 -0
- package/docs/programmable-api/zuplo-context.mdx +414 -0
- package/docs/programmable-api/zuplo-id-token.mdx +90 -0
- package/docs/programmable-api/zuplo-json.mdx +91 -0
- package/docs/programmable-api/zuplo-request.mdx +200 -0
- package/docs/sample-apis.mdx +78 -0
- package/docs/self-hosted/overview.md +60 -0
- package/package.json +6 -5
|
@@ -0,0 +1,96 @@
|
|
|
1
|
+
{
|
|
2
|
+
"$schema": "https://json-schema.org/draft-07/schema",
|
|
3
|
+
"$id": "http://zuplo.com/schemas/policies/auth0-jwt-auth-inbound.json",
|
|
4
|
+
"type": "object",
|
|
5
|
+
"title": "Upstream GCP Federated Auth",
|
|
6
|
+
"isDeprecated": false,
|
|
7
|
+
"isPaidAddOn": false,
|
|
8
|
+
"isEnterprise": true,
|
|
9
|
+
"isInternal": false,
|
|
10
|
+
"isBeta": true,
|
|
11
|
+
"isHidden": false,
|
|
12
|
+
"products": ["api-gateway"],
|
|
13
|
+
"description": "Authenticates with GCP resources or Google services using Workload Identity Federation allowing secure access to these resources without requiring the use of a service account private key.",
|
|
14
|
+
"deprecatedMessage": "",
|
|
15
|
+
"required": ["handler"],
|
|
16
|
+
"properties": {
|
|
17
|
+
"handler": {
|
|
18
|
+
"type": "object",
|
|
19
|
+
"default": {},
|
|
20
|
+
"required": ["export", "module", "options"],
|
|
21
|
+
"properties": {
|
|
22
|
+
"export": {
|
|
23
|
+
"const": "UpstreamGcpFederatedAuthInboundPolicy",
|
|
24
|
+
"description": "The name of the exported type"
|
|
25
|
+
},
|
|
26
|
+
"module": {
|
|
27
|
+
"const": "$import(@zuplo/runtime)",
|
|
28
|
+
"description": "The module containing the policy"
|
|
29
|
+
},
|
|
30
|
+
"options": {
|
|
31
|
+
"title": "UpstreamGcpFederatedAuthInboundPolicyOptions",
|
|
32
|
+
"type": "object",
|
|
33
|
+
"description": "The options for this policy.",
|
|
34
|
+
"additionalProperties": false,
|
|
35
|
+
"required": [
|
|
36
|
+
"audience",
|
|
37
|
+
"serviceAccountEmail",
|
|
38
|
+
"workloadIdentityProvider"
|
|
39
|
+
],
|
|
40
|
+
"properties": {
|
|
41
|
+
"audience": {
|
|
42
|
+
"type": "string",
|
|
43
|
+
"examples": ["https://hello-k7meruiynq-uc.a.run.app"],
|
|
44
|
+
"description": "The audience for the minted JWT. This is typically the URL of your service. See the document [AuthRequirement](https://cloud.google.com/endpoints/docs/grpc-service-config/reference/rpc/google.api#google.api.AuthRequirement) for details."
|
|
45
|
+
},
|
|
46
|
+
"serviceAccountEmail": {
|
|
47
|
+
"type": "string",
|
|
48
|
+
"examples": ["zup-api@my-project.iam.gserviceaccount.com"],
|
|
49
|
+
"description": "The Google Service Account email address."
|
|
50
|
+
},
|
|
51
|
+
"workloadIdentityProvider": {
|
|
52
|
+
"type": "string",
|
|
53
|
+
"examples": [
|
|
54
|
+
"projects/932049231233/locations/global/workloadIdentityPools/my-pool/providers/my-provider"
|
|
55
|
+
]
|
|
56
|
+
},
|
|
57
|
+
"tokenLifetime": {
|
|
58
|
+
"type": "number",
|
|
59
|
+
"x-show-example": false,
|
|
60
|
+
"default": 3600,
|
|
61
|
+
"description": "The lifetime in seconds of the issued token."
|
|
62
|
+
},
|
|
63
|
+
"tokenRetries": {
|
|
64
|
+
"type": "number",
|
|
65
|
+
"x-show-example": false,
|
|
66
|
+
"default": 3,
|
|
67
|
+
"description": "The number of times to retry fetching the token in the event of a failure."
|
|
68
|
+
},
|
|
69
|
+
"expirationOffsetSeconds": {
|
|
70
|
+
"type": "number",
|
|
71
|
+
"x-show-example": false,
|
|
72
|
+
"default": 300,
|
|
73
|
+
"description": "The number of seconds less than the token expiration to cache the token."
|
|
74
|
+
},
|
|
75
|
+
"useMemoryCacheOnly": {
|
|
76
|
+
"type": "boolean",
|
|
77
|
+
"x-show-example": false,
|
|
78
|
+
"description": "This is an advanced option that should only be used if you do not want to persist information in ZoneCache."
|
|
79
|
+
}
|
|
80
|
+
}
|
|
81
|
+
}
|
|
82
|
+
},
|
|
83
|
+
"examples": [
|
|
84
|
+
{
|
|
85
|
+
"export": "UpstreamGcpFederatedAuthInboundPolicy",
|
|
86
|
+
"module": "$import(@zuplo/runtime)",
|
|
87
|
+
"options": {
|
|
88
|
+
"audience": "https://hello-k7meruiynq-uc.a.run.app",
|
|
89
|
+
"serviceAccountEmail": "zup-api@my-project.iam.gserviceaccount.com",
|
|
90
|
+
"workloadIdentityProvider": "projects/932049231233/locations/global/workloadIdentityPools/my-pool/providers/my-provider"
|
|
91
|
+
}
|
|
92
|
+
}
|
|
93
|
+
]
|
|
94
|
+
}
|
|
95
|
+
}
|
|
96
|
+
}
|
|
@@ -0,0 +1,10 @@
|
|
|
1
|
+
This policy adds a JWT token to the headers, ready for us in an outgoing request
|
|
2
|
+
when calling a GCP service (e.g. Cloud Endpoints / ESPv2). We recommend reading
|
|
3
|
+
the `serviceAccountJson` from environment variables (so it is not checked in to
|
|
4
|
+
source control) using the `$env(ENV_VAR)` syntax.
|
|
5
|
+
|
|
6
|
+
CAUTION: This policy only works with
|
|
7
|
+
[certain Google APIs](https://developers.google.com/identity/protocols/oauth2/service-account#jwt-auth).
|
|
8
|
+
In most cases, the
|
|
9
|
+
[Upstream GCP Service Auth](https://zuplo.com/docs/policies/upstream-gcp-service-auth-inbound)
|
|
10
|
+
should be used.
|
|
@@ -0,0 +1,62 @@
|
|
|
1
|
+
{
|
|
2
|
+
"$schema": "https://json-schema.org/draft-07/schema",
|
|
3
|
+
"$id": "http://zuplo.com/schemas/policies/auth0-jwt-auth-inbound.json",
|
|
4
|
+
"type": "object",
|
|
5
|
+
"title": "Upstream GCP Self-Signed JWT",
|
|
6
|
+
"isDeprecated": false,
|
|
7
|
+
"isPaidAddOn": false,
|
|
8
|
+
"isEnterprise": true,
|
|
9
|
+
"isInternal": false,
|
|
10
|
+
"isBeta": false,
|
|
11
|
+
"isHidden": false,
|
|
12
|
+
"products": ["api-gateway"],
|
|
13
|
+
"description": "Creates a self-signed JWT token (generated using a Google Service Account JSON) and attaches it to the outgoing request. Useful when calling GCP services like Cloud Endpoints / ESPv2",
|
|
14
|
+
"deprecatedMessage": "",
|
|
15
|
+
"required": ["handler"],
|
|
16
|
+
"properties": {
|
|
17
|
+
"handler": {
|
|
18
|
+
"type": "object",
|
|
19
|
+
"default": {},
|
|
20
|
+
"required": ["export", "module", "options"],
|
|
21
|
+
"properties": {
|
|
22
|
+
"export": {
|
|
23
|
+
"const": "UpstreamGcpJwtInboundPolicy",
|
|
24
|
+
"description": "The name of the exported type"
|
|
25
|
+
},
|
|
26
|
+
"module": {
|
|
27
|
+
"const": "$import(@zuplo/runtime)",
|
|
28
|
+
"description": "The module containing the policy"
|
|
29
|
+
},
|
|
30
|
+
"options": {
|
|
31
|
+
"title": "UpstreamGcpJwtInboundPolicyOptions",
|
|
32
|
+
"type": "object",
|
|
33
|
+
"description": "The options for this policy.",
|
|
34
|
+
"additionalProperties": false,
|
|
35
|
+
"required": ["audience", "serviceAccountJson"],
|
|
36
|
+
"properties": {
|
|
37
|
+
"audience": {
|
|
38
|
+
"type": "string",
|
|
39
|
+
"examples": ["your_gcp_service.endpoint.com"],
|
|
40
|
+
"description": "The audience for the minted JWT. See the document [AuthRequirement](https://cloud.google.com/endpoints/docs/grpc-service-config/reference/rpc/google.api#google.api.AuthRequirement) for details."
|
|
41
|
+
},
|
|
42
|
+
"serviceAccountJson": {
|
|
43
|
+
"type": "string",
|
|
44
|
+
"examples": ["$env(SERVICE_ACCOUNT_JSON)"],
|
|
45
|
+
"description": "The Google Service Account key in JSON format. Note you can load this from environment variables using the $env(ENV\\_VAR) syntax."
|
|
46
|
+
}
|
|
47
|
+
}
|
|
48
|
+
}
|
|
49
|
+
},
|
|
50
|
+
"examples": [
|
|
51
|
+
{
|
|
52
|
+
"export": "UpstreamGcpJwtInboundPolicy",
|
|
53
|
+
"module": "$import(@zuplo/runtime)",
|
|
54
|
+
"options": {
|
|
55
|
+
"audience": "your_gcp_service.endpoint.com",
|
|
56
|
+
"serviceAccountJson": "$env(SERVICE_ACCOUNT_JSON)"
|
|
57
|
+
}
|
|
58
|
+
}
|
|
59
|
+
]
|
|
60
|
+
}
|
|
61
|
+
}
|
|
62
|
+
}
|
|
@@ -0,0 +1,132 @@
|
|
|
1
|
+
This policy authenticates your Zuplo gateway to Google Cloud Platform services
|
|
2
|
+
by automatically adding GCP-issued ID tokens to the `Authorization` header of
|
|
3
|
+
upstream requests. It supports both authenticating to your own GCP services and
|
|
4
|
+
calling Google APIs directly.
|
|
5
|
+
|
|
6
|
+
### How It Works
|
|
7
|
+
|
|
8
|
+
The policy performs the following operations:
|
|
9
|
+
|
|
10
|
+
1. Uses your GCP service account credentials to obtain an ID token or access
|
|
11
|
+
token
|
|
12
|
+
2. Caches the token for subsequent requests until it expires
|
|
13
|
+
3. Adds the token to the `Authorization` header as a Bearer token
|
|
14
|
+
4. Automatically handles token renewal when needed
|
|
15
|
+
|
|
16
|
+
### Setup Instructions
|
|
17
|
+
|
|
18
|
+
#### Create the GCP Service Account
|
|
19
|
+
|
|
20
|
+
1. [Create a service account](https://cloud.google.com/iam/docs/service-accounts-create)
|
|
21
|
+
specifically for your Zuplo Gateway (e.g., `zuplo-gateway`)
|
|
22
|
+
2. Grant the account permission to call any GCP services you want to proxy with
|
|
23
|
+
Zuplo
|
|
24
|
+
3. [Create a Service Account key](https://cloud.google.com/iam/docs/keys-create-delete)
|
|
25
|
+
in JSON format
|
|
26
|
+
4. In your Zuplo project, set an environment variable (e.g.,
|
|
27
|
+
`GCP_SERVICE_ACCOUNT`) as a secret with the value of the downloaded JSON
|
|
28
|
+
|
|
29
|
+
:::caution
|
|
30
|
+
|
|
31
|
+
The value of the private key is a JSON file. **Before saving it to Zuplo's
|
|
32
|
+
environment variables**, you must remove all line breaks and all instances of
|
|
33
|
+
the `\n` escape character. The JSON file should be a single line.
|
|
34
|
+
|
|
35
|
+
:::
|
|
36
|
+
|
|
37
|
+
### Policy Configuration
|
|
38
|
+
|
|
39
|
+
This policy supports two main use cases, each with different configuration
|
|
40
|
+
requirements:
|
|
41
|
+
|
|
42
|
+
#### 1. Authenticating to Your GCP Services
|
|
43
|
+
|
|
44
|
+
When calling your own services like Cloud Run, Cloud Functions, or services
|
|
45
|
+
protected by Identity Aware Proxy (IAP), use the `audience` property:
|
|
46
|
+
|
|
47
|
+
```json
|
|
48
|
+
{
|
|
49
|
+
"name": "gcp-service-auth",
|
|
50
|
+
"export": "UpstreamGcpServiceAuthInboundPolicy",
|
|
51
|
+
"module": "$import(@zuplo/runtime)",
|
|
52
|
+
"options": {
|
|
53
|
+
"audience": "https://my-app-1235.a.run.app",
|
|
54
|
+
"serviceAccountJson": "$env(GCP_SERVICE_ACCOUNT)"
|
|
55
|
+
}
|
|
56
|
+
}
|
|
57
|
+
```
|
|
58
|
+
|
|
59
|
+
**Audience Values:**
|
|
60
|
+
|
|
61
|
+
- For **Cloud Run**: Use the full URL of your Cloud Run service (e.g.,
|
|
62
|
+
`https://my-service.a.run.app`)
|
|
63
|
+
- For **Identity Aware Proxy**: Use the Client ID of your OAuth application
|
|
64
|
+
- For **Cloud Functions**: Use the full URL of your function
|
|
65
|
+
|
|
66
|
+
#### 2. Calling Google APIs
|
|
67
|
+
|
|
68
|
+
When calling Google APIs directly (e.g., executing a
|
|
69
|
+
[Workflow](https://cloud.google.com/workflows/docs/executing-workflow)), use the
|
|
70
|
+
`scopes` property:
|
|
71
|
+
|
|
72
|
+
```json
|
|
73
|
+
{
|
|
74
|
+
"name": "gcp-service-auth-gcloud-api",
|
|
75
|
+
"export": "UpstreamGcpServiceAuthInboundPolicy",
|
|
76
|
+
"module": "$import(@zuplo/runtime)",
|
|
77
|
+
"options": {
|
|
78
|
+
"scopes": [
|
|
79
|
+
"https://www.googleapis.com/auth/cloud-platform",
|
|
80
|
+
"https://www.googleapis.com/auth/cloud-platform.read-only"
|
|
81
|
+
],
|
|
82
|
+
"serviceAccountJson": "$env(GCP_SERVICE_ACCOUNT)"
|
|
83
|
+
}
|
|
84
|
+
}
|
|
85
|
+
```
|
|
86
|
+
|
|
87
|
+
**Finding Required Scopes:** Refer to Google's API documentation for the
|
|
88
|
+
specific API you're calling. Look for the
|
|
89
|
+
[**Authorization scopes**](https://cloud.google.com/resource-manager/reference/rest/v1/projects/get#authorization-scopes)
|
|
90
|
+
section, which lists the required scopes in URL format (e.g.,
|
|
91
|
+
`https://www.googleapis.com/auth/cloud-platform`).
|
|
92
|
+
|
|
93
|
+
### Usage Example
|
|
94
|
+
|
|
95
|
+
#### Securing Cloud Run Access
|
|
96
|
+
|
|
97
|
+
Apply the policy to routes that need to access your Cloud Run service:
|
|
98
|
+
|
|
99
|
+
```json
|
|
100
|
+
{
|
|
101
|
+
"paths": {
|
|
102
|
+
"/api/data": {
|
|
103
|
+
"get": {
|
|
104
|
+
"x-zuplo-route": {
|
|
105
|
+
"policies": {
|
|
106
|
+
"inbound": ["jwt-auth", "gcp-service-auth"]
|
|
107
|
+
},
|
|
108
|
+
"handler": {
|
|
109
|
+
"export": "forwardToOrigin",
|
|
110
|
+
"module": "$import(@zuplo/runtime)",
|
|
111
|
+
"options": {
|
|
112
|
+
"baseUrl": "https://my-service-1235.a.run.app"
|
|
113
|
+
}
|
|
114
|
+
}
|
|
115
|
+
}
|
|
116
|
+
}
|
|
117
|
+
}
|
|
118
|
+
}
|
|
119
|
+
}
|
|
120
|
+
```
|
|
121
|
+
|
|
122
|
+
### Security Considerations
|
|
123
|
+
|
|
124
|
+
- Store the service account JSON as an environment variable using
|
|
125
|
+
`$env(VARIABLE_NAME)` syntax
|
|
126
|
+
- Follow the principle of least privilege when assigning permissions to your
|
|
127
|
+
service account
|
|
128
|
+
- Regularly rotate your service account keys according to your security policies
|
|
129
|
+
- Consider using
|
|
130
|
+
[Workload Identity Federation](https://cloud.google.com/iam/docs/workload-identity-federation)
|
|
131
|
+
for keyless authentication when possible
|
|
132
|
+
- Monitor your service account usage through GCP audit logs
|
|
@@ -0,0 +1,25 @@
|
|
|
1
|
+
Secure your Google Cloud Platform services by automatically adding GCP-issued ID
|
|
2
|
+
tokens to upstream requests. This policy enables your Zuplo gateway to
|
|
3
|
+
authenticate with GCP IAM-protected services without requiring any code changes
|
|
4
|
+
to your backend.
|
|
5
|
+
|
|
6
|
+
With this policy, you'll benefit from:
|
|
7
|
+
|
|
8
|
+
- **Enhanced Backend Security**: Restrict access to your GCP services to only
|
|
9
|
+
your Zuplo gateway
|
|
10
|
+
- **Simplified Authentication**: Delegate authentication and authorization to
|
|
11
|
+
your gateway without backend code changes
|
|
12
|
+
- **Automatic Token Management**: Handle token acquisition, caching, and renewal
|
|
13
|
+
automatically
|
|
14
|
+
- **GCP Integration**: Seamlessly connect with Cloud Run, Cloud Functions, GKE
|
|
15
|
+
with IAP, and other GCP services
|
|
16
|
+
- **Credential Security**: Store sensitive GCP service account credentials
|
|
17
|
+
securely in your Zuplo environment
|
|
18
|
+
|
|
19
|
+
This policy works with
|
|
20
|
+
[GCP Identity Aware Proxy](https://zuplo.com/docs/articles/gke-with-upstream-auth-policy)
|
|
21
|
+
or services like [Cloud Run](https://cloud.google.com/iap/docs/managing-access)
|
|
22
|
+
that natively support IAM authorization.
|
|
23
|
+
|
|
24
|
+
For information on how Google's service-based auth works, see
|
|
25
|
+
[Authenticating for invocation](https://cloud.google.com/functions/docs/securing/authenticating).
|
|
@@ -0,0 +1,95 @@
|
|
|
1
|
+
{
|
|
2
|
+
"$schema": "https://json-schema.org/draft-07/schema",
|
|
3
|
+
"$id": "http://zuplo.com/schemas/policies/auth0-jwt-auth-inbound.json",
|
|
4
|
+
"type": "object",
|
|
5
|
+
"title": "Upstream GCP Service Auth",
|
|
6
|
+
"isDeprecated": false,
|
|
7
|
+
"isPaidAddOn": false,
|
|
8
|
+
"isEnterprise": true,
|
|
9
|
+
"isInternal": false,
|
|
10
|
+
"isBeta": false,
|
|
11
|
+
"isHidden": false,
|
|
12
|
+
"products": ["api-gateway"],
|
|
13
|
+
"description": "Creates an ID Token from Google's OAuth service and attaches it to the outgoing request. Useful when calling GCP services or Google APIs that are secured with GCP IAM.",
|
|
14
|
+
"deprecatedMessage": "",
|
|
15
|
+
"required": ["handler"],
|
|
16
|
+
"properties": {
|
|
17
|
+
"handler": {
|
|
18
|
+
"type": "object",
|
|
19
|
+
"default": {},
|
|
20
|
+
"required": ["export", "module", "options"],
|
|
21
|
+
"properties": {
|
|
22
|
+
"export": {
|
|
23
|
+
"const": "UpstreamGcpServiceAuthInboundPolicy",
|
|
24
|
+
"description": "The name of the exported type"
|
|
25
|
+
},
|
|
26
|
+
"module": {
|
|
27
|
+
"const": "$import(@zuplo/runtime)",
|
|
28
|
+
"description": "The module containing the policy"
|
|
29
|
+
},
|
|
30
|
+
"options": {
|
|
31
|
+
"title": "UpstreamGcpServiceAuthInboundPolicyOptions",
|
|
32
|
+
"type": "object",
|
|
33
|
+
"description": "The options for this policy.",
|
|
34
|
+
"additionalProperties": false,
|
|
35
|
+
"required": ["serviceAccountJson"],
|
|
36
|
+
"properties": {
|
|
37
|
+
"audience": {
|
|
38
|
+
"type": "string",
|
|
39
|
+
"examples": ["https://my-service-a2ev-uc.a.run.app"],
|
|
40
|
+
"description": "The audience for the service to be called. This is typically the URL of your service endpoint like 'https://my-service-a2ev-uc.a.run.app'. If calling a Google API, leave this empty."
|
|
41
|
+
},
|
|
42
|
+
"scopes": {
|
|
43
|
+
"type": "array",
|
|
44
|
+
"items": {
|
|
45
|
+
"type": "string"
|
|
46
|
+
},
|
|
47
|
+
"examples": [["https://www.googleapis.com/auth/cloud-platform"]],
|
|
48
|
+
"description": "The scopes to grant the access token. See [documentation](https://developers.google.com/identity/protocols/oauth2/scopes) for details. This is only set with calling a Google API. If calling a service like Cloud Run, etc. leave this empty."
|
|
49
|
+
},
|
|
50
|
+
"serviceAccountJson": {
|
|
51
|
+
"type": "string",
|
|
52
|
+
"examples": ["$env(SERVICE_ACCOUNT_JSON)"],
|
|
53
|
+
"description": "The Google Service Account key in JSON format. Note you can load this from environment variables using the `$env(ENV_VAR)` syntax."
|
|
54
|
+
},
|
|
55
|
+
"tokenRetries": {
|
|
56
|
+
"type": "number",
|
|
57
|
+
"x-show-example": false,
|
|
58
|
+
"default": 3,
|
|
59
|
+
"description": "The number of times to retry fetching the token in the event of a failure."
|
|
60
|
+
},
|
|
61
|
+
"expirationOffsetSeconds": {
|
|
62
|
+
"type": "number",
|
|
63
|
+
"x-show-example": false,
|
|
64
|
+
"default": 300,
|
|
65
|
+
"description": "The number of seconds less than the token expiration to cache the token."
|
|
66
|
+
},
|
|
67
|
+
"useMemoryCacheOnly": {
|
|
68
|
+
"type": "boolean",
|
|
69
|
+
"x-show-example": false,
|
|
70
|
+
"description": "This is an advanced option that should only be used if you do not want to persist information in ZoneCache."
|
|
71
|
+
},
|
|
72
|
+
"version": {
|
|
73
|
+
"type": "number",
|
|
74
|
+
"default": 1,
|
|
75
|
+
"enum": [1, 2],
|
|
76
|
+
"x-show-example": false,
|
|
77
|
+
"description": "The version of the policy."
|
|
78
|
+
}
|
|
79
|
+
}
|
|
80
|
+
}
|
|
81
|
+
},
|
|
82
|
+
"examples": [
|
|
83
|
+
{
|
|
84
|
+
"export": "UpstreamGcpServiceAuthInboundPolicy",
|
|
85
|
+
"module": "$import(@zuplo/runtime)",
|
|
86
|
+
"options": {
|
|
87
|
+
"audience": "https://my-service-a2ev-uc.a.run.app",
|
|
88
|
+
"scopes": ["https://www.googleapis.com/auth/cloud-platform"],
|
|
89
|
+
"serviceAccountJson": "$env(SERVICE_ACCOUNT_JSON)"
|
|
90
|
+
}
|
|
91
|
+
}
|
|
92
|
+
]
|
|
93
|
+
}
|
|
94
|
+
}
|
|
95
|
+
}
|
|
@@ -0,0 +1,213 @@
|
|
|
1
|
+
## How It Works
|
|
2
|
+
|
|
3
|
+
When a request passes through this policy:
|
|
4
|
+
|
|
5
|
+
1. The policy generates a new JWT token using Zuplo's JWT service
|
|
6
|
+
2. The JWT includes standard claims (subject, audience, expiration) and any
|
|
7
|
+
custom claims you configure
|
|
8
|
+
3. The token is added to the specified request header (default: `Authorization`)
|
|
9
|
+
4. The modified request is forwarded to your upstream service
|
|
10
|
+
5. Your upstream service can then validate the JWT to authenticate the request
|
|
11
|
+
comes from your Zuplo API Gateway
|
|
12
|
+
|
|
13
|
+
## Configuration
|
|
14
|
+
|
|
15
|
+
### Basic Configuration
|
|
16
|
+
|
|
17
|
+
The simplest configuration uses all defaults:
|
|
18
|
+
|
|
19
|
+
```json
|
|
20
|
+
{
|
|
21
|
+
"name": "upstream-jwt-policy",
|
|
22
|
+
"policyType": "upstream-zuplo-jwt-inbound"
|
|
23
|
+
}
|
|
24
|
+
```
|
|
25
|
+
|
|
26
|
+
This will:
|
|
27
|
+
|
|
28
|
+
- Add the JWT to the `Authorization` header
|
|
29
|
+
- Use `Bearer` as the token prefix
|
|
30
|
+
- Set token expiration to 300 seconds (5 minutes)
|
|
31
|
+
- Use the authenticated user's subject or "api-gateway" as the JWT subject
|
|
32
|
+
|
|
33
|
+
### Advanced Configuration
|
|
34
|
+
|
|
35
|
+
```json
|
|
36
|
+
{
|
|
37
|
+
"name": "upstream-jwt-policy",
|
|
38
|
+
"policyType": "upstream-zuplo-jwt-auth-inbound",
|
|
39
|
+
"handler": {
|
|
40
|
+
"export": "UpstreamZuploJwtAuthInboundPolicy",
|
|
41
|
+
"module": "$import(@zuplo/runtime)",
|
|
42
|
+
"options": {
|
|
43
|
+
"audience": "https://api.example.com",
|
|
44
|
+
"headerName": "X-API-Token",
|
|
45
|
+
"tokenPrefix": "Token",
|
|
46
|
+
"expiresIn": "10m",
|
|
47
|
+
"additionalClaims": {
|
|
48
|
+
"iss": "my-api-gateway",
|
|
49
|
+
"scope": "read write",
|
|
50
|
+
"custom": "value"
|
|
51
|
+
}
|
|
52
|
+
}
|
|
53
|
+
}
|
|
54
|
+
}
|
|
55
|
+
```
|
|
56
|
+
|
|
57
|
+
## Options Reference
|
|
58
|
+
|
|
59
|
+
### `audience`
|
|
60
|
+
|
|
61
|
+
- **Type**: `string`
|
|
62
|
+
- **Default**: The current request URL
|
|
63
|
+
- **Description**: The audience claim for the JWT. Useful when your upstream
|
|
64
|
+
service expects a specific audience value
|
|
65
|
+
|
|
66
|
+
### `headerName`
|
|
67
|
+
|
|
68
|
+
- **Type**: `string`
|
|
69
|
+
- **Default**: `"Authorization"`
|
|
70
|
+
- **Description**: The header name where the JWT will be attached
|
|
71
|
+
|
|
72
|
+
### `tokenPrefix`
|
|
73
|
+
|
|
74
|
+
- **Type**: `string`
|
|
75
|
+
- **Default**: `"Bearer"`
|
|
76
|
+
- **Description**: The prefix to use before the JWT token. Set to an empty
|
|
77
|
+
string to send the token without a prefix
|
|
78
|
+
|
|
79
|
+
### `expiresIn`
|
|
80
|
+
|
|
81
|
+
- **Type**: `number | string`
|
|
82
|
+
- **Default**: `300`
|
|
83
|
+
- **Description**: JWT expiration time. Can be:
|
|
84
|
+
- A number representing seconds (e.g., `300` for 5 minutes)
|
|
85
|
+
- A string with time units (e.g., `"5m"` for 5 minutes, `"1h"` for 1 hour,
|
|
86
|
+
`"7d"` for 7 days)
|
|
87
|
+
|
|
88
|
+
Supported time units:
|
|
89
|
+
- `s` - seconds
|
|
90
|
+
- `m` - minutes
|
|
91
|
+
- `h` - hours
|
|
92
|
+
- `d` - days
|
|
93
|
+
- `w` - weeks
|
|
94
|
+
- `y` - years
|
|
95
|
+
|
|
96
|
+
### `additionalClaims`
|
|
97
|
+
|
|
98
|
+
- **Type**: `object`
|
|
99
|
+
- **Default**: `{}`
|
|
100
|
+
- **Description**: Additional claims to include in the JWT. These will be merged
|
|
101
|
+
with the default claims
|
|
102
|
+
|
|
103
|
+
## JWT Claims
|
|
104
|
+
|
|
105
|
+
The generated JWT includes the following standard claims:
|
|
106
|
+
|
|
107
|
+
- `sub` (subject): The authenticated user's subject claim, or "api-gateway" if
|
|
108
|
+
no user is authenticated
|
|
109
|
+
- `aud` (audience): The value from the `audience` option, or the current request
|
|
110
|
+
URL if not specified
|
|
111
|
+
- `exp` (expiration): Token expiration timestamp based on the `expiresIn` option
|
|
112
|
+
- `iat` (issued at): Token issuance timestamp (automatically added by JWT
|
|
113
|
+
service)
|
|
114
|
+
|
|
115
|
+
Any properties in `additionalClaims` will be merged into the JWT payload.
|
|
116
|
+
|
|
117
|
+
## Use Cases
|
|
118
|
+
|
|
119
|
+
### Audience-Specific Authentication
|
|
120
|
+
|
|
121
|
+
As a best practice, you can set the `audience` option to target specific
|
|
122
|
+
upstream services. This ensures that the JWT is only valid for that service,
|
|
123
|
+
preventing misuse if the token is intercepted.
|
|
124
|
+
|
|
125
|
+
```json
|
|
126
|
+
{
|
|
127
|
+
"name": "audience-specific-auth",
|
|
128
|
+
"policyType": "upstream-zuplo-jwt-auth-inbound",
|
|
129
|
+
"handler": {
|
|
130
|
+
"export": "UpstreamZuploJwtAuthInboundPolicy",
|
|
131
|
+
"module": "$import(@zuplo/runtime)",
|
|
132
|
+
"options": {
|
|
133
|
+
"audience": "https://api.example.com"
|
|
134
|
+
}
|
|
135
|
+
}
|
|
136
|
+
}
|
|
137
|
+
```
|
|
138
|
+
|
|
139
|
+
### Custom Claims
|
|
140
|
+
|
|
141
|
+
Custom claims can be added to the JWT to provide additional context or metadata
|
|
142
|
+
for your upstream service. For example, you might want to include
|
|
143
|
+
environment-specific variables.
|
|
144
|
+
|
|
145
|
+
```json
|
|
146
|
+
{
|
|
147
|
+
"name": "service-auth",
|
|
148
|
+
"policyType": "upstream-zuplo-jwt-auth-inbound",
|
|
149
|
+
"handler": {
|
|
150
|
+
"export": "UpstreamZuploJwtAuthInboundPolicy",
|
|
151
|
+
"module": "$import(@zuplo/runtime)",
|
|
152
|
+
"options": {
|
|
153
|
+
"additionalClaims": {
|
|
154
|
+
"env": "$env(MY_VAR)"
|
|
155
|
+
}
|
|
156
|
+
}
|
|
157
|
+
}
|
|
158
|
+
}
|
|
159
|
+
```
|
|
160
|
+
|
|
161
|
+
### Custom Header Authentication
|
|
162
|
+
|
|
163
|
+
Sometimes your upstream service might already expect an `Authorization` header.
|
|
164
|
+
In that case you can configure the policy to use a custom header.
|
|
165
|
+
|
|
166
|
+
```json
|
|
167
|
+
{
|
|
168
|
+
"name": "custom-header-auth",
|
|
169
|
+
"policyType": "upstream-zuplo-jwt-auth-inbound",
|
|
170
|
+
"handler": {
|
|
171
|
+
"export": "UpstreamZuploJwtAuthInboundPolicy",
|
|
172
|
+
"module": "$import(@zuplo/runtime)",
|
|
173
|
+
"options": {
|
|
174
|
+
"headerName": "X-Service-Token",
|
|
175
|
+
"tokenPrefix": "", // No prefix
|
|
176
|
+
"expiresIn": "30m"
|
|
177
|
+
}
|
|
178
|
+
}
|
|
179
|
+
}
|
|
180
|
+
```
|
|
181
|
+
|
|
182
|
+
## Prerequisites
|
|
183
|
+
|
|
184
|
+
This policy requires the JWT Service Plugin to be configured in your Zuplo
|
|
185
|
+
project. The JWT service handles the cryptographic signing of tokens using your
|
|
186
|
+
project's private key.
|
|
187
|
+
|
|
188
|
+
## Security Considerations
|
|
189
|
+
|
|
190
|
+
1. **Token Expiration**: Keep token expiration times as short as practical for
|
|
191
|
+
your use case
|
|
192
|
+
2. **Claims Validation**: Upstream services should validate JWT claims,
|
|
193
|
+
especially the audience and expiration
|
|
194
|
+
3. **Claim Sensitivity**: Avoid including sensitive information in JWT claims as
|
|
195
|
+
they can be decoded by anyone
|
|
196
|
+
|
|
197
|
+
## Troubleshooting
|
|
198
|
+
|
|
199
|
+
### Token Not Appearing in Request
|
|
200
|
+
|
|
201
|
+
Check that:
|
|
202
|
+
|
|
203
|
+
- The policy is correctly configured in your route
|
|
204
|
+
- The `headerName` matches what your upstream service expects
|
|
205
|
+
- No other policies are overwriting the header
|
|
206
|
+
|
|
207
|
+
### Invalid Token Errors
|
|
208
|
+
|
|
209
|
+
Verify that:
|
|
210
|
+
|
|
211
|
+
- Your upstream service can validate Zuplo-signed JWTs
|
|
212
|
+
- The token hasn't expired (check `expiresIn` setting)
|
|
213
|
+
- The audience claim matches what your upstream service expects
|
|
@@ -0,0 +1,16 @@
|
|
|
1
|
+
This policy generates a Zuplo JWT token and attaches it to outgoing requests.
|
|
2
|
+
It's useful when your upstream services need to authenticate requests coming
|
|
3
|
+
from your Zuplo API Gateway using JWT tokens.
|
|
4
|
+
|
|
5
|
+
The policy creates a self-signed JWT using Zuplo's built-in JWT service and adds
|
|
6
|
+
it to the specified request header (defaults to `Authorization`). The JWT
|
|
7
|
+
includes standard claims like subject, audience, and expiration time, plus any
|
|
8
|
+
additional custom claims you configure.
|
|
9
|
+
|
|
10
|
+
Key features:
|
|
11
|
+
|
|
12
|
+
- Configurable audience claim for specific service targeting
|
|
13
|
+
- Configurable header name and token prefix
|
|
14
|
+
- Support for custom claims in the JWT payload
|
|
15
|
+
- Adjustable token expiration time
|
|
16
|
+
- Automatic subject extraction from authenticated users
|