zuplo 6.70.28 → 6.70.30

package/docs/articles/configuring-auth0-for-mcp-auth.mdx

@@ -17,6 +17,15 @@ authentication for your MCP Server.
 
 This guide will assume that you already have a working Auth0 account and tenant.
 
+:::note
+
+This guide is an example of how you can set up your Auth0 tenant for MCP OAuth
+support. It is recommended that you consult the
+[Auth0 documentation](https://auth0.com/ai/docs/mcp/guides/registering-your-mcp-client-application)
+for more information.
+
+:::
+
 ### Create an Auth0 API
 
 First, you will need to create an Auth0 API. This API will be used to represent
@@ -30,18 +39,6 @@ your MCP Server.
    `https://my-gateway.zuplo.dev/mcp`. **The trailing slash isn't required.**
 3. Leave the **Signing Algorithm** as `RS256` and click **Create**.
 
-### Enable Dynamic Client Registration
-
-Next, you will need to enable Dynamic Client Registration for the API you just
-created.
-
-1. In the Auth0 dashboard, navigate to the tenant settings in **Settings** on
-   the left hand sidebar.
-2. Navigate to the **Advanced** tab.
-3. Scroll down to the **Settings** section and check the toggle for **OIDC
-   Dynamic Application Registration**. Also ensure that the **Enable Application
-   Connections** toggle is checked.
-
 ### Configure the Connection
 
 Next, you will need to configure an Auth0 Connection for your API.
@@ -80,12 +77,45 @@ Next, you will need to configure an Auth0 Connection for your API.
    --data '{ "is_domain_connection": true }'
    ```
 
-5. Configure a Default Audience by clicking on Settings > General. Then in the
-   API Authorization Settings, modify the Default Audience. See the Auth0 doc on
-   [API Authorization Settings](https://auth0.com/docs/get-started/tenant-settings#api-authorization-settings)
-   for more information on how to configure a default audience. The audience
-   should be the identifier of the API you created in
-   [Create an Auth0 API](#create-an-auth0-api).
+5. Enable Resource Parameter Compatibility Profile. See the
+   [Auth0 tenant settings docs](https://auth0.com/docs/get-started/tenant-settings)
+   for more information.
+
+After completing these changes to your Auth0 tenant, you will need to enable
+CIMD or DCR (or both) on your Auth0 tenant.
+
+### Enable CIMD for MCP OAuth
+
+To use CIMD for MCP OAuth authentication, do the following:
+
+1. In the Auth0 dashboard, navigate to the tenant settings in **Settings** on
+   the left hand sidebar.
+2. Navigate to the **Advanced** tab.
+3. Scroll down to the **Settings** section and check the toggle for **Client ID
+   Metadata Document (CIMD) Registration**.
+4. Register the MCP clients via their public CIMD client data metadata URL by
+   clicking "Create Application" and then "Import from URL". Note that for all
+   the MCP clients you want to support, you will need to obtain the metadata URL
+   and register each application individually.
+
+See the official
+[Auth0 docs](https://auth0.com/ai/docs/mcp/guides/registering-your-mcp-client-application/manual-cimd-registration)
+for more information.
+
+### Enabling DCR for MCP OAuth
+
+To use DCR for MCP OAuth authentication, do the following:
+
+1. In the Auth0 dashboard, navigate to the tenant settings in **Settings** on
+   the left hand sidebar.
+2. Navigate to the **Advanced** tab.
+3. Scroll down to the **Settings** section and check the toggle for **Dynamic
+   Client Registration (DCR)**. Also ensure that the **Enable Application
+   Connections** toggle is checked.
+
+See the official
+[Auth0 docs](https://auth0.com/ai/docs/mcp/guides/registering-your-mcp-client-application/dynamic-client-registration)
+for more information.
 
 ### Configure OAuth on Zuplo
 
@@ -184,3 +214,13 @@ open the OAuth settings. This will allow you to debug the flow step by step.
 You should be able to hit the **Continue** button in the Inspector UI at each
 step of the flow successfully. If you need more help debugging, see
 [Testing OAuth on Zuplo](../handlers/mcp-server.mdx#oauth-testing).
+
+:::note
+
+When testing CIMD authentication, you will need an MCP client with a CIMD
+compatible client metadata URL. Currently, MCP Inspector does not have this, so
+it is recommended that you test with another client like the Claude Code CLI
+(Client Metadata URI as of May 2026 is
+https://claude.ai/oauth/claude-code-client-metadata).
+
+:::

package/docs/cli/project-list.mdx

@@ -0,0 +1,59 @@
+---
+title: "Zuplo CLI: Project List"
+sidebar_label: project list
+---
+
+<CliCommand
+  command="project list"
+  description="Lists the projects in your account"
+  options={[
+  {
+    "name": "account",
+    "type": "string",
+    "description": "The account name",
+    "required": false,
+    "deprecated": false,
+    "hidden": false
+  },
+  {
+    "name": "output",
+    "type": "string",
+    "description": "Output format",
+    "default": "default",
+    "required": false,
+    "deprecated": false,
+    "hidden": false,
+    "alias": [
+      "o"
+    ],
+    "choices": [
+      "default",
+      "json"
+    ]
+  }
+]}
+  examples={[
+  [
+    "$0 project list",
+    "List all projects in your account"
+  ],
+  [
+    "$0 project list --output json",
+    "List all projects as JSON"
+  ],
+  [
+    "$0 project list --account my-account",
+    "Explicitly specify the account"
+  ]
+]}
+  usage="$0 project list [options]"
+>
+
+</CliCommand>
+
+## Global options
+
+The following global options are available for all commands:
+
+- [`--help`](./global-options.mdx#help)
+- [`--api-key`](./global-options.mdx#api-key)

package/docs/cli/test.mdx

@@ -32,6 +32,13 @@ sidebar_label: test
     "deprecated": false,
     "hidden": true,
     "normalize": true
+  },
+  {
+    "name": "test-concurrency",
+    "type": "number",
+    "required": false,
+    "deprecated": false,
+    "hidden": true
   }
 ]}
   examples={[

package/docs/policies/_index.md

@@ -78,6 +78,7 @@
 | set-body-inbound | Set Body | Sets the body of the request in the inbound pipeline - make sure to convert a GET/HEAD request to another method when using this policy. | api-gateway |
 | set-headers-outbound | Set Headers | Adds or sets headers on the on the outgoing response. | api-gateway |
 | set-status-outbound | Set Status Code | Sets the status code on the on the outgoing response. | api-gateway |
+| set-upstream-api-key-inbound | Set Upstream API Key | Sets a single header on the incoming request, typically used to attach an API key for the upstream service. A more directed version of the `SetHeadersInboundPolicy` that defaults the header name to `Authorization` and is intended to be used with an `$env()` reference for the value. | api-gateway |
 | sleep-inbound | Sleep / Delay | Add a delay to the incoming request. Useful for testing. | api-gateway |
 | stripe-webhook-verification-inbound | Stripe Webhook Auth | The Stripe Webhook policy validates the authenticity of an incoming Stripe webhook. | api-gateway |
 | supabase-jwt-auth-inbound | Supabase JWT Auth | The Supabase JWT Authentication policy supports user JWT tokens created by Supabase. | api-gateway |

package/docs/policies/akamai-firewall-for-ai-inbound/schema.json

@@ -33,6 +33,20 @@
           "description": "The options for the Akamai Firewall for AI inbound policy. Sends the incoming request to Akamai's Firewall for AI detect endpoint and blocks the request if any rule returns a 'deny' action.",
           "additionalProperties": false,
           "required": ["configurationId", "api-key"],
+          "examples": [
+            {
+              "configurationId": "$env(AKAMAI_FIREWALL_FOR_AI_CONFIGURATION_ID)",
+              "api-key": "$env(AKAMAI_FIREWALL_FOR_AI_API_KEY)",
+              "capture": {
+                "body": true,
+                "headers": false,
+                "url": false,
+                "queryString": false
+              },
+              "onWarn": "log",
+              "throwOnError": true
+            }
+          ],
           "properties": {
             "configurationId": {
               "type": "string",
@@ -108,14 +122,14 @@
           "export": "AkamaiFirewallForAiInboundPolicy",
           "module": "$import(@zuplo/runtime)",
           "options": {
+            "configurationId": "$env(AKAMAI_FIREWALL_FOR_AI_CONFIGURATION_ID)",
             "api-key": "$env(AKAMAI_FIREWALL_FOR_AI_API_KEY)",
             "capture": {
               "body": true,
               "headers": false,
-              "queryString": false,
-              "url": false
+              "url": false,
+              "queryString": false
             },
-            "configurationId": "$env(AKAMAI_FIREWALL_FOR_AI_CONFIGURATION_ID)",
             "onWarn": "log",
             "throwOnError": true
           }

package/docs/policies/akamai-firewall-for-ai-outbound/schema.json

@@ -33,6 +33,20 @@
           "description": "The options for the Akamai Firewall for AI outbound policy. Sends the upstream response to Akamai's Firewall for AI detect endpoint and blocks the response if any rule returns a 'deny' action.",
           "additionalProperties": false,
           "required": ["configurationId", "api-key"],
+          "examples": [
+            {
+              "configurationId": "$env(AKAMAI_FIREWALL_FOR_AI_CONFIGURATION_ID)",
+              "api-key": "$env(AKAMAI_FIREWALL_FOR_AI_API_KEY)",
+              "capture": {
+                "body": true,
+                "headers": false,
+                "url": false,
+                "queryString": false
+              },
+              "onWarn": "log",
+              "throwOnError": true
+            }
+          ],
           "properties": {
             "configurationId": {
               "type": "string",
@@ -108,14 +122,14 @@
           "export": "AkamaiFirewallForAiOutboundPolicy",
           "module": "$import(@zuplo/runtime)",
           "options": {
+            "configurationId": "$env(AKAMAI_FIREWALL_FOR_AI_CONFIGURATION_ID)",
             "api-key": "$env(AKAMAI_FIREWALL_FOR_AI_API_KEY)",
             "capture": {
               "body": true,
               "headers": false,
-              "queryString": false,
-              "url": false
+              "url": false,
+              "queryString": false
             },
-            "configurationId": "$env(AKAMAI_FIREWALL_FOR_AI_CONFIGURATION_ID)",
             "onWarn": "log",
             "throwOnError": true
           }

package/docs/policies/complex-rate-limit-inbound/schema.json

@@ -117,11 +117,11 @@
           "export": "ComplexRateLimitInboundPolicy",
           "module": "$import(@zuplo/runtime)",
           "options": {
+            "rateLimitBy": "ip",
             "limits": {
               "apples": 2,
               "bananas": 3
             },
-            "rateLimitBy": "ip",
             "timeWindowMinutes": 0.6
           }
         },
@@ -129,11 +129,11 @@
           "export": "ComplexRateLimitInboundPolicy",
           "module": "$import(@zuplo/runtime)",
           "options": {
+            "rateLimitBy": "function",
             "identifier": {
               "export": "$import(./modules/my-module)",
               "module": "default"
-            },
-            "rateLimitBy": "function"
+            }
           }
         }
       ]

package/docs/policies/open-id-jwt-auth-inbound/schema.json

@@ -87,15 +87,11 @@
           },
           "examples": [
             {
-              "x-example-name": "Public Key Validation with JWKS (Recommended)",
-              "x-example-description": "This example shows how to configure the policy using a Public Key from an OpenID Connect provider.",
               "issuer": "$env(AUTH_ISSUER)",
               "audience": "$env(AUTH_AUDIENCE)",
               "jwkUrl": "https://zuplo-demo.us.auth0.com/.well-known/jwks.json"
             },
             {
-              "x-example-name": "Client Secret Validation",
-              "x-example-description": "This example shows how to configure the policy using a shared secret.",
               "issuer": "$env(AUTH_ISSUER)",
               "audience": "$env(AUTH_AUDIENCE)",
               "secret": "$env(AUTH_SECRET)"
@@ -108,8 +104,8 @@
           "export": "OpenIdJwtInboundPolicy",
           "module": "$import(@zuplo/runtime)",
           "options": {
-            "audience": "$env(AUTH_AUDIENCE)",
             "issuer": "$env(AUTH_ISSUER)",
+            "audience": "$env(AUTH_AUDIENCE)",
             "jwkUrl": "https://zuplo-demo.us.auth0.com/.well-known/jwks.json"
           }
         },
@@ -117,8 +113,8 @@
           "export": "OpenIdJwtInboundPolicy",
           "module": "$import(@zuplo/runtime)",
           "options": {
-            "audience": "$env(AUTH_AUDIENCE)",
             "issuer": "$env(AUTH_ISSUER)",
+            "audience": "$env(AUTH_AUDIENCE)",
             "secret": "$env(AUTH_SECRET)"
           }
         }

package/docs/policies/quota-inbound/schema.json

@@ -119,11 +119,11 @@
           "export": "QuotaInboundPolicy",
           "module": "$import(@zuplo/runtime)",
           "options": {
+            "period": "monthly",
+            "quotaBy": "user",
             "allowances": {
               "requests": 10
             },
-            "period": "monthly",
-            "quotaBy": "user",
             "quotaOnStatusCodes": "200-399"
           }
         }

package/docs/policies/rate-limit-inbound/schema.json

@@ -121,11 +121,11 @@
           "export": "RateLimitInboundPolicy",
           "module": "$import(@zuplo/runtime)",
           "options": {
+            "rateLimitBy": "function",
             "identifier": {
               "export": "$import(./modules/my-module)",
               "module": "default"
-            },
-            "rateLimitBy": "function"
+            }
           }
         }
       ]

package/docs/policies/semantic-cache-inbound/schema.json

@@ -154,9 +154,9 @@
           "options": {
             "cacheBy": "propertyPath",
             "cacheByPropertyPath": ".userId",
+            "semanticTolerance": 0.8,
             "expirationSecondsTtl": 3600,
-            "namespace": "user-cache",
-            "semanticTolerance": 0.8
+            "namespace": "user-cache"
           }
         },
         {
@@ -168,9 +168,9 @@
               "export": "cacheKeyFunction",
               "module": "$import(./modules/cache-key)"
             },
+            "semanticTolerance": 0.9,
             "expirationSecondsTtl": 1800,
-            "namespace": "api-cache",
-            "semanticTolerance": 0.9
+            "namespace": "api-cache"
           }
         }
       ]

package/docs/policies/set-upstream-api-key-inbound/doc.md

@@ -0,0 +1,43 @@
+Many upstream APIs require an API key or bearer token to be passed in a header
+on every request. This policy is a focused version of the
+`SetHeadersInboundPolicy` that sets a single header (defaulting to
+`Authorization`) and is designed to be paired with an environment variable so
+the secret never lives in your `policies.json`.
+
+The most common configuration sets a bearer token from an environment variable:
+
+```json
+{
+  "name": "set-upstream-api-key-inbound-policy",
+  "policyType": "set-upstream-api-key-inbound",
+  "handler": {
+    "export": "SetUpstreamApiKeyInboundPolicy",
+    "module": "$import(@zuplo/runtime)",
+    "options": {
+      "value": "Bearer $env(UPSTREAM_API_KEY)"
+    }
+  }
+}
+```
+
+You can also customize the header name. For example, if your upstream uses a
+custom header rather than `Authorization`:
+
+```json
+{
+  "name": "set-upstream-api-key-inbound-policy",
+  "policyType": "set-upstream-api-key-inbound",
+  "handler": {
+    "export": "SetUpstreamApiKeyInboundPolicy",
+    "module": "$import(@zuplo/runtime)",
+    "options": {
+      "header": "X-API-Key",
+      "value": "$env(UPSTREAM_API_KEY)"
+    }
+  }
+}
+```
+
+By default the policy overwrites any header with the same name that was sent by
+the client. Set `overwrite` to `false` to preserve the incoming value when one
+is present.

package/docs/policies/set-upstream-api-key-inbound/intro.md

@@ -0,0 +1,5 @@
+The set upstream API key policy attaches a single header (by default
+`Authorization`) to the incoming request so it can be forwarded to your
+upstream service. It is a focused version of the set headers policy intended
+for the common case of authenticating Zuplo to an upstream API using a secret
+sourced from an environment variable.

package/docs/policies/set-upstream-api-key-inbound/schema.json

@@ -0,0 +1,69 @@
+{
+  "$schema": "https://json-schema.org/draft-07/schema",
+  "$id": "http://zuplo.com/schemas/policies/auth0-jwt-auth-inbound.json",
+  "type": "object",
+  "title": "Set Upstream API Key",
+  "isDeprecated": false,
+  "isPaidAddOn": false,
+  "isEnterprise": false,
+  "isInternal": false,
+  "isBeta": false,
+  "isHidden": false,
+  "products": ["api-gateway"],
+  "description": "Sets a single header on the incoming request, typically used to attach an API key for the upstream service. A more directed version of the `SetHeadersInboundPolicy` that defaults the header name to `Authorization` and is intended to be used with an `$env()` reference for the value.",
+  "deprecatedMessage": "",
+  "required": ["handler"],
+  "properties": {
+    "handler": {
+      "type": "object",
+      "default": {},
+      "required": ["export", "module", "options"],
+      "properties": {
+        "export": {
+          "const": "SetUpstreamApiKeyInboundPolicy",
+          "description": "The name of the exported type"
+        },
+        "module": {
+          "const": "$import(@zuplo/runtime)",
+          "description": "The module containing the policy"
+        },
+        "options": {
+          "title": "SetUpstreamApiKeyInboundPolicyOptions",
+          "type": "object",
+          "description": "The options for this policy.",
+          "additionalProperties": false,
+          "required": ["value"],
+          "properties": {
+            "header": {
+              "type": "string",
+              "default": "Authorization",
+              "examples": ["Authorization"],
+              "description": "The name of the header to set on the request. Defaults to `Authorization`."
+            },
+            "value": {
+              "type": "string",
+              "examples": ["Bearer $env(UPSTREAM_API_KEY)"],
+              "description": "The value of the header. Most commonly an environment variable reference such as `Bearer $env(UPSTREAM_API_KEY)` so the secret is sourced from your environment."
+            },
+            "overwrite": {
+              "type": "boolean",
+              "x-show-example": false,
+              "default": true,
+              "description": "Overwrite the value if the header is already present in the request."
+            }
+          }
+        }
+      },
+      "examples": [
+        {
+          "export": "SetUpstreamApiKeyInboundPolicy",
+          "module": "$import(@zuplo/runtime)",
+          "options": {
+            "header": "Authorization",
+            "value": "Bearer $env(UPSTREAM_API_KEY)"
+          }
+        }
+      ]
+    }
+  }
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "zuplo",
-  "version": "6.70.28",
+  "version": "6.70.30",
   "type": "module",
   "description": "The programmable API Gateway",
   "author": "Zuplo, Inc.",
@@ -19,9 +19,9 @@
     "zuplo": "zuplo.js"
   },
   "dependencies": {
-    "@zuplo/cli": "6.70.28",
-    "@zuplo/core": "6.70.28",
-    "@zuplo/runtime": "6.70.28",
+    "@zuplo/cli": "6.70.30",
+    "@zuplo/core": "6.70.30",
+    "@zuplo/runtime": "6.70.30",
     "@zuplo/test": "1.4.0"
   }
 }