zuplo 6.72.2 → 6.72.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (61) hide show
  1. package/docs/analytics/access-and-entitlements.md +27 -34
  2. package/docs/analytics/overview.md +7 -6
  3. package/docs/analytics/reference/url-parameters.md +2 -10
  4. package/docs/analytics/shared-controls.md +3 -10
  5. package/docs/analytics/tabs/agents.md +3 -3
  6. package/docs/analytics/tabs/requests.md +2 -4
  7. package/docs/articles/accounts/audit-logs.mdx +4 -4
  8. package/docs/articles/audit-logging.mdx +65 -0
  9. package/docs/articles/audit-logs.mdx +222 -0
  10. package/docs/articles/connect-to-aws-alb-with-mtls.mdx +89 -13
  11. package/docs/articles/{custom-audit-log-policy.mdx → custom-audit-logs.mdx} +26 -22
  12. package/docs/articles/graphql-security.mdx +2 -1
  13. package/docs/articles/graphql.mdx +8 -0
  14. package/docs/articles/opentelemetry.mdx +7 -5
  15. package/docs/articles/securing-backend-mtls.mdx +92 -3
  16. package/docs/articles/troubleshooting-slow-responses.mdx +4 -3
  17. package/docs/articles/troubleshooting.md +3 -1
  18. package/docs/policies/_index.md +3 -0
  19. package/docs/policies/audit-log-inbound/doc.md +16 -11
  20. package/docs/policies/authzen-inbound/schema.json +1 -1
  21. package/docs/policies/axiomatics-authz-inbound/schema.json +1 -1
  22. package/docs/policies/clerk-jwt-auth-inbound/schema.json +3 -3
  23. package/docs/policies/mcp-auth0-oauth-inbound/schema.json +8 -5
  24. package/docs/policies/mcp-clerk-oauth-inbound/schema.json +78 -0
  25. package/docs/policies/mcp-cognito-oauth-inbound/schema.json +78 -0
  26. package/docs/policies/mcp-entra-oauth-inbound/schema.json +78 -0
  27. package/docs/policies/mcp-google-oauth-inbound/schema.json +78 -0
  28. package/docs/policies/mcp-keycloak-oauth-inbound/schema.json +78 -0
  29. package/docs/policies/mcp-logto-oauth-inbound/schema.json +78 -0
  30. package/docs/policies/mcp-oauth-inbound/schema.json +8 -5
  31. package/docs/policies/mcp-okta-oauth-inbound/schema.json +78 -0
  32. package/docs/policies/mcp-onelogin-oauth-inbound/schema.json +78 -0
  33. package/docs/policies/mcp-ping-oauth-inbound/schema.json +78 -0
  34. package/docs/policies/mcp-token-exchange-inbound/doc.md +72 -4
  35. package/docs/policies/mcp-token-exchange-inbound/intro.md +5 -4
  36. package/docs/policies/mcp-token-exchange-inbound/schema.json +277 -2
  37. package/docs/policies/mcp-workos-oauth-inbound/schema.json +78 -0
  38. package/docs/policies/mtls-auth-inbound/intro.md +52 -5
  39. package/docs/policies/okta-fga-authz-inbound/schema.json +1 -1
  40. package/docs/policies/open-id-jwt-auth-inbound/schema.json +3 -3
  41. package/docs/policies/openfga-authz-inbound/schema.json +1 -1
  42. package/docs/policies/propel-auth-jwt-inbound/schema.json +3 -3
  43. package/docs/policies/require-user-claims-inbound/doc.md +120 -0
  44. package/docs/policies/require-user-claims-inbound/intro.md +9 -0
  45. package/docs/policies/require-user-claims-inbound/schema.json +1323 -0
  46. package/docs/policies/semantic-cache-inbound/schema.json +1 -1
  47. package/docs/policies/upstream-aws-federated-auth-inbound/doc.md +78 -0
  48. package/docs/policies/upstream-aws-federated-auth-inbound/intro.md +20 -0
  49. package/docs/policies/upstream-aws-federated-auth-inbound/schema.json +98 -0
  50. package/docs/policies/upstream-aws-service-auth-inbound/doc.md +89 -0
  51. package/docs/policies/upstream-aws-service-auth-inbound/intro.md +19 -0
  52. package/docs/policies/upstream-aws-service-auth-inbound/schema.json +113 -0
  53. package/docs/policies/upstream-azure-ad-service-auth-inbound/schema.json +4 -4
  54. package/docs/policies/upstream-gcp-federated-auth-inbound/doc.md +2 -2
  55. package/docs/policies/upstream-gcp-federated-auth-inbound/schema.json +5 -5
  56. package/docs/policies/upstream-gcp-service-auth-inbound/doc.md +3 -3
  57. package/docs/policies/upstream-gcp-service-auth-inbound/schema.json +3 -3
  58. package/docs/policies/upstream-zuplo-jwt-auth-inbound/schema.json +19 -0
  59. package/docs/programmable-api/overview.mdx +0 -7
  60. package/package.json +4 -4
  61. package/docs/programmable-api/audit-log.mdx +0 -74
@@ -7,7 +7,7 @@
7
7
  "isPaidAddOn": false,
8
8
  "isEnterprise": true,
9
9
  "isInternal": false,
10
- "isBeta": true,
10
+ "isBeta": false,
11
11
  "isHidden": false,
12
12
  "requiresAI": true,
13
13
  "products": ["ai-gateway"],
@@ -0,0 +1,78 @@
1
+ ## Overview
2
+
3
+ The Upstream AWS Federated Auth policy obtains AWS credentials **without storing
4
+ any AWS keys**. It exchanges Zuplo's ambient OIDC identity token for an IAM
5
+ role's short-lived temporary credentials using STS
6
+ `AssumeRoleWithWebIdentity`, then registers those credentials on the request
7
+ context.
8
+
9
+ Like the `upstream-aws-service-auth` policy, it does **not** add an
10
+ `Authorization` header itself — AWS Signature Version 4 signs the exact final
11
+ request, which is only known inside the handler. The AWS Lambda handler and your
12
+ own code read the resolved credentials and sign the requests they build.
13
+
14
+ ## AWS setup
15
+
16
+ 1. Create an **IAM OIDC identity provider** that trusts the Zuplo issuer. Set
17
+ the audience (client ID) to the value you use for the `audience` option
18
+ (default `sts.amazonaws.com`).
19
+ 2. Create an **IAM role** whose trust policy allows
20
+ `sts:AssumeRoleWithWebIdentity` for that provider, with a condition on the
21
+ token's audience.
22
+ 3. Grant the role only the permissions the gateway needs (for example
23
+ `execute-api:Invoke` or `lambda:InvokeFunction`).
24
+
25
+ ## Using the credentials
26
+
27
+ ### With the AWS Lambda handler
28
+
29
+ ```json
30
+ {
31
+ "paths": {
32
+ "/lambda/{path}*": {
33
+ "x-zuplo-route": {
34
+ "handler": {
35
+ "export": "awsLambdaHandler",
36
+ "module": "$import(@zuplo/runtime)",
37
+ "options": { "region": "us-east-1", "functionName": "my-function" }
38
+ },
39
+ "policies": { "inbound": ["upstream-aws-federated-auth"] }
40
+ }
41
+ }
42
+ }
43
+ }
44
+ ```
45
+
46
+ ### With custom code
47
+
48
+ ```typescript
49
+ import { AwsClient } from "@zuplo/runtime/aws";
50
+ import { ZuploContext, ZuploRequest } from "@zuplo/runtime";
51
+
52
+ export default async function (request: ZuploRequest, context: ZuploContext) {
53
+ const aws = AwsClient.fromContext(context, {
54
+ service: "execute-api",
55
+ region: "us-east-1",
56
+ });
57
+ return aws.fetch(
58
+ "https://abc123.execute-api.us-east-1.amazonaws.com/prod/orders"
59
+ );
60
+ }
61
+ ```
62
+
63
+ ## Configuration
64
+
65
+ ```json
66
+ {
67
+ "name": "upstream-aws-federated-auth",
68
+ "policyType": "upstream-aws-federated-auth",
69
+ "handler": {
70
+ "export": "UpstreamAwsFederatedAuthInboundPolicy",
71
+ "module": "$import(@zuplo/runtime)",
72
+ "options": {
73
+ "roleArn": "arn:aws:iam::123456789012:role/zuplo-gateway",
74
+ "region": "us-east-1"
75
+ }
76
+ }
77
+ }
78
+ ```
@@ -0,0 +1,20 @@
1
+ Authenticate to AWS upstreams with **no stored AWS keys** using Workload
2
+ Identity Federation. This policy exchanges Zuplo's ambient OIDC identity for an
3
+ IAM role's short-lived temporary credentials via STS AssumeRoleWithWebIdentity,
4
+ and makes them available to the AWS Lambda handler and to custom code, which
5
+ sign upstream requests with AWS Signature Version 4.
6
+
7
+ With this policy, you'll benefit from:
8
+
9
+ - **No Long-Lived Secrets**: No AWS access keys are stored anywhere — the
10
+ gateway proves its identity with a short-lived, audience-bound OIDC token
11
+ - **Least Privilege**: Assume a specific IAM role whose trust policy trusts only
12
+ the Zuplo OIDC identity provider
13
+ - **Automatic Token Management**: Temporary credentials are cached in memory and
14
+ refreshed before they expire
15
+ - **Reusable Credentials**: Resolve credentials once and use them from the AWS
16
+ Lambda handler or your own code via `AwsClient.fromContext(context)`
17
+
18
+ To set this up you configure an IAM OIDC identity provider that trusts Zuplo's
19
+ issuer, and an IAM role whose trust policy permits AssumeRoleWithWebIdentity for
20
+ that provider.
@@ -0,0 +1,98 @@
1
+ {
2
+ "$schema": "https://json-schema.org/draft-07/schema",
3
+ "$id": "https://cdn.zuplo.com/policies/runtime/schemas/upstream-aws-federated-auth-inbound.json",
4
+ "type": "object",
5
+ "title": "Upstream AWS Federated Auth",
6
+ "isDeprecated": false,
7
+ "isPaidAddOn": false,
8
+ "isEnterprise": true,
9
+ "isInternal": false,
10
+ "isBeta": true,
11
+ "isHidden": false,
12
+ "requiresAI": false,
13
+ "products": ["api-gateway"],
14
+ "description": "Resolves AWS credentials with STS AssumeRoleWithWebIdentity using Zuplo's ambient OIDC identity — no AWS keys are stored anywhere. The role's trust policy must trust the Zuplo OIDC identity provider. Resolved credentials are registered on the request context for the AWS Lambda handler and custom code to sign upstream requests with `AwsClient.fromContext`. This policy does not itself sign or forward the request.",
15
+ "deprecatedMessage": "",
16
+ "required": ["handler"],
17
+ "properties": {
18
+ "handler": {
19
+ "type": "object",
20
+ "default": {},
21
+ "required": ["export", "module", "options"],
22
+ "properties": {
23
+ "export": {
24
+ "const": "UpstreamAwsFederatedAuthInboundPolicy",
25
+ "description": "The name of the exported type"
26
+ },
27
+ "module": {
28
+ "const": "$import(@zuplo/runtime)",
29
+ "description": "The module containing the policy"
30
+ },
31
+ "options": {
32
+ "title": "UpstreamAwsFederatedAuthInboundPolicyOptions",
33
+ "type": "object",
34
+ "description": "The options for this policy.",
35
+ "additionalProperties": false,
36
+ "required": ["roleArn", "region"],
37
+ "properties": {
38
+ "roleArn": {
39
+ "type": "string",
40
+ "examples": ["arn:aws:iam::123456789012:role/zuplo-gateway"],
41
+ "description": "The IAM role to assume with STS AssumeRoleWithWebIdentity. The role's trust policy must trust the Zuplo OIDC identity provider."
42
+ },
43
+ "region": {
44
+ "type": "string",
45
+ "examples": ["us-east-1"],
46
+ "description": "The AWS region used for the STS endpoint and as the default signing region for consumers of the resolved credentials."
47
+ },
48
+ "audience": {
49
+ "type": "string",
50
+ "default": "sts.amazonaws.com",
51
+ "x-show-example": false,
52
+ "description": "The audience ('aud' claim) of the Zuplo-issued OIDC token. Must match a client ID configured on the IAM OIDC identity provider."
53
+ },
54
+ "roleSessionName": {
55
+ "type": "string",
56
+ "default": "zuplo-gateway",
57
+ "x-show-example": false,
58
+ "description": "The STS role session name recorded in AWS CloudTrail. Must match the pattern \\[\\\\w+=,.@-\\]{2,64}."
59
+ },
60
+ "durationSeconds": {
61
+ "type": "number",
62
+ "default": 3600,
63
+ "x-show-example": false,
64
+ "description": "The lifetime in seconds of the temporary credentials requested from STS (900-43200). The assumed role's maximum session duration may further limit this value."
65
+ },
66
+ "stsEndpoint": {
67
+ "type": "string",
68
+ "x-show-example": false,
69
+ "description": "Overrides the STS endpoint URL. Only needed for non-standard partitions such as AWS GovCloud or AWS China."
70
+ },
71
+ "tokenRetries": {
72
+ "type": "number",
73
+ "default": 3,
74
+ "x-show-example": false,
75
+ "description": "The number of times to retry fetching temporary credentials in the event of a failure."
76
+ },
77
+ "expirationOffsetSeconds": {
78
+ "type": "number",
79
+ "default": 300,
80
+ "x-show-example": false,
81
+ "description": "The number of seconds before credential expiration at which cached credentials are discarded and refreshed."
82
+ }
83
+ }
84
+ }
85
+ },
86
+ "examples": [
87
+ {
88
+ "export": "UpstreamAwsFederatedAuthInboundPolicy",
89
+ "module": "$import(@zuplo/runtime)",
90
+ "options": {
91
+ "region": "us-east-1",
92
+ "roleArn": "arn:aws:iam::123456789012:role/zuplo-gateway"
93
+ }
94
+ }
95
+ ]
96
+ }
97
+ }
98
+ }
@@ -0,0 +1,89 @@
1
+ ## Overview
2
+
3
+ The Upstream AWS Service Auth policy resolves AWS credentials and registers them
4
+ on the request context. Unlike the other upstream auth policies, it does **not**
5
+ add an `Authorization` header itself — AWS Signature Version 4 signs the exact
6
+ final request (method, host, path, query and body hash), which is only known
7
+ inside the handler. Instead, the AWS Lambda handler and your own code read the
8
+ resolved credentials and sign the requests they build.
9
+
10
+ There are two modes:
11
+
12
+ - **Static credentials** — the configured `accessKeyId` / `secretAccessKey`
13
+ (and optional `sessionToken`) are used directly.
14
+ - **Assumed role** — when `roleArn` is set, the policy calls STS `AssumeRole`
15
+ (signed with the configured keys) and uses the role's short-lived temporary
16
+ credentials. These are cached in memory and refreshed before they expire.
17
+
18
+ ## Using the credentials
19
+
20
+ ### With the AWS Lambda handler
21
+
22
+ Attach this policy to a route whose handler is `awsLambdaHandler`, and omit the
23
+ handler's own `accessKeyId` / `secretAccessKey`. The handler will use the
24
+ credentials resolved by the policy.
25
+
26
+ ```json
27
+ {
28
+ "paths": {
29
+ "/lambda/{path}*": {
30
+ "x-zuplo-route": {
31
+ "handler": {
32
+ "export": "awsLambdaHandler",
33
+ "module": "$import(@zuplo/runtime)",
34
+ "options": {
35
+ "region": "us-east-1",
36
+ "functionName": "my-function"
37
+ }
38
+ },
39
+ "policies": { "inbound": ["upstream-aws-service-auth"] }
40
+ }
41
+ }
42
+ }
43
+ }
44
+ ```
45
+
46
+ ### With custom code (for example, API Gateway with IAM auth, or S3)
47
+
48
+ Attach the policy, then sign outbound requests with `AwsClient.fromContext`:
49
+
50
+ ```typescript
51
+ import { AwsClient } from "@zuplo/runtime/aws";
52
+ import { ZuploContext, ZuploRequest } from "@zuplo/runtime";
53
+
54
+ export default async function (request: ZuploRequest, context: ZuploContext) {
55
+ const aws = AwsClient.fromContext(context, {
56
+ service: "execute-api",
57
+ region: "us-east-1",
58
+ });
59
+ return aws.fetch(
60
+ "https://abc123.execute-api.us-east-1.amazonaws.com/prod/orders"
61
+ );
62
+ }
63
+ ```
64
+
65
+ If a route does not attach the policy, you can run it on demand from custom code
66
+ with `await context.invokeInboundPolicy("upstream-aws-service-auth", request)`
67
+ before calling `AwsClient.fromContext`.
68
+
69
+ ## Configuration
70
+
71
+ ```json
72
+ {
73
+ "name": "upstream-aws-service-auth",
74
+ "policyType": "upstream-aws-service-auth",
75
+ "handler": {
76
+ "export": "UpstreamAwsServiceAuthInboundPolicy",
77
+ "module": "$import(@zuplo/runtime)",
78
+ "options": {
79
+ "accessKeyId": "$env(AWS_ACCESS_KEY_ID)",
80
+ "secretAccessKey": "$env(AWS_SECRET_ACCESS_KEY)",
81
+ "region": "us-east-1",
82
+ "roleArn": "arn:aws:iam::123456789012:role/my-gateway-role"
83
+ }
84
+ }
85
+ }
86
+ ```
87
+
88
+ Store `accessKeyId` and `secretAccessKey` in environment variables using
89
+ `$env(...)` — never commit them to source.
@@ -0,0 +1,19 @@
1
+ Authenticate to AWS upstreams using an IAM access key pair, optionally exchanged
2
+ for an IAM role's temporary credentials via STS AssumeRole. This policy resolves
3
+ AWS credentials and makes them available to the AWS Lambda handler and to custom
4
+ code, which sign upstream requests with AWS Signature Version 4.
5
+
6
+ With this policy, you'll benefit from:
7
+
8
+ - **Reusable Credentials**: Resolve AWS credentials once and use them from the
9
+ AWS Lambda handler or your own code via `AwsClient.fromContext(context)`
10
+ - **Role Assumption**: Optionally assume an IAM role (STS AssumeRole) to obtain
11
+ short-lived, least-privilege temporary credentials
12
+ - **Automatic Token Management**: Temporary credentials are cached in memory and
13
+ refreshed before they expire
14
+ - **Credential Security**: Store access keys securely in your Zuplo environment
15
+ and keep them out of source control
16
+
17
+ To avoid storing any long-lived AWS keys at all, use the
18
+ `upstream-aws-federated-auth` policy instead, which uses Workload Identity
19
+ Federation.
@@ -0,0 +1,113 @@
1
+ {
2
+ "$schema": "https://json-schema.org/draft-07/schema",
3
+ "$id": "https://cdn.zuplo.com/policies/runtime/schemas/upstream-aws-service-auth-inbound.json",
4
+ "type": "object",
5
+ "title": "Upstream AWS Service Auth",
6
+ "isDeprecated": false,
7
+ "isPaidAddOn": false,
8
+ "isEnterprise": true,
9
+ "isInternal": false,
10
+ "isBeta": true,
11
+ "isHidden": false,
12
+ "requiresAI": false,
13
+ "products": ["api-gateway"],
14
+ "description": "Resolves AWS credentials from static access keys (optionally exchanged for an IAM role's temporary credentials via STS AssumeRole) and registers them on the request context. The AWS Lambda handler and custom code read them with `AwsClient.fromContext` to sign upstream requests. This policy does not itself sign or forward the request.",
15
+ "deprecatedMessage": "",
16
+ "required": ["handler"],
17
+ "properties": {
18
+ "handler": {
19
+ "type": "object",
20
+ "default": {},
21
+ "required": ["export", "module", "options"],
22
+ "properties": {
23
+ "export": {
24
+ "const": "UpstreamAwsServiceAuthInboundPolicy",
25
+ "description": "The name of the exported type"
26
+ },
27
+ "module": {
28
+ "const": "$import(@zuplo/runtime)",
29
+ "description": "The module containing the policy"
30
+ },
31
+ "options": {
32
+ "title": "UpstreamAwsServiceAuthInboundPolicyOptions",
33
+ "type": "object",
34
+ "description": "The options for this policy.",
35
+ "additionalProperties": false,
36
+ "required": ["accessKeyId", "secretAccessKey", "region"],
37
+ "properties": {
38
+ "accessKeyId": {
39
+ "type": "string",
40
+ "examples": ["$env(AWS_ACCESS_KEY_ID)"],
41
+ "description": "The AWS access key ID. Store the value in an environment variable rather than in source."
42
+ },
43
+ "secretAccessKey": {
44
+ "type": "string",
45
+ "examples": ["$env(AWS_SECRET_ACCESS_KEY)"],
46
+ "description": "The AWS secret access key. Always store this in an environment variable."
47
+ },
48
+ "region": {
49
+ "type": "string",
50
+ "examples": ["us-east-1"],
51
+ "description": "The AWS region. Used for the STS endpoint when 'roleArn' is set, and as the default signing region for consumers of the resolved credentials."
52
+ },
53
+ "sessionToken": {
54
+ "type": "string",
55
+ "x-show-example": false,
56
+ "description": "The AWS session token, required only when the configured access key pair is itself a temporary credential."
57
+ },
58
+ "roleArn": {
59
+ "type": "string",
60
+ "x-show-example": false,
61
+ "description": "An IAM role to assume using STS AssumeRole with the configured access keys. When set, the resolved credentials are the role's temporary credentials instead of the static keys."
62
+ },
63
+ "externalId": {
64
+ "type": "string",
65
+ "x-show-example": false,
66
+ "description": "The external ID to pass to STS AssumeRole when the role's trust policy requires one."
67
+ },
68
+ "roleSessionName": {
69
+ "type": "string",
70
+ "default": "zuplo-gateway",
71
+ "x-show-example": false,
72
+ "description": "The STS role session name recorded in AWS CloudTrail. Must match the pattern \\[\\\\w+=,.@-\\]{2,64}."
73
+ },
74
+ "durationSeconds": {
75
+ "type": "number",
76
+ "default": 3600,
77
+ "x-show-example": false,
78
+ "description": "The lifetime in seconds of the temporary credentials requested from STS (900-43200). The assumed role's maximum session duration may further limit this value."
79
+ },
80
+ "stsEndpoint": {
81
+ "type": "string",
82
+ "x-show-example": false,
83
+ "description": "Overrides the STS endpoint URL. Only needed for non-standard partitions such as AWS GovCloud or AWS China."
84
+ },
85
+ "tokenRetries": {
86
+ "type": "number",
87
+ "default": 3,
88
+ "x-show-example": false,
89
+ "description": "The number of times to retry fetching temporary credentials in the event of a failure."
90
+ },
91
+ "expirationOffsetSeconds": {
92
+ "type": "number",
93
+ "default": 300,
94
+ "x-show-example": false,
95
+ "description": "The number of seconds before credential expiration at which cached credentials are discarded and refreshed."
96
+ }
97
+ }
98
+ }
99
+ },
100
+ "examples": [
101
+ {
102
+ "export": "UpstreamAwsServiceAuthInboundPolicy",
103
+ "module": "$import(@zuplo/runtime)",
104
+ "options": {
105
+ "accessKeyId": "$env(AWS_ACCESS_KEY_ID)",
106
+ "region": "us-east-1",
107
+ "secretAccessKey": "$env(AWS_SECRET_ACCESS_KEY)"
108
+ }
109
+ }
110
+ ]
111
+ }
112
+ }
113
+ }
@@ -41,12 +41,12 @@
41
41
  "properties": {
42
42
  "activeDirectoryTenantId": {
43
43
  "type": "string",
44
- "examples": ["b8e4141e-31f4-43e3-9a96-f97f3eba1eea"],
44
+ "examples": ["11111111-1111-1111-1111-111111111111"],
45
45
  "description": "Azure Active Directory Tenant ID."
46
46
  },
47
47
  "activeDirectoryClientId": {
48
48
  "type": "string",
49
- "examples": ["20edbb34-13e9-42d0-a63c-1b6a0a20d02d"],
49
+ "examples": ["22222222-2222-2222-2222-222222222222"],
50
50
  "description": "The Application (client) ID of the Azure AD App Registration."
51
51
  },
52
52
  "activeDirectoryClientSecret": {
@@ -72,9 +72,9 @@
72
72
  "export": "UpstreamAzureAdServiceAuthInboundPolicy",
73
73
  "module": "$import(@zuplo/runtime)",
74
74
  "options": {
75
- "activeDirectoryClientId": "20edbb34-13e9-42d0-a63c-1b6a0a20d02d",
75
+ "activeDirectoryClientId": "22222222-2222-2222-2222-222222222222",
76
76
  "activeDirectoryClientSecret": "$env(ACTIVE_DIRECTORY_CLIENT_SECRET)",
77
- "activeDirectoryTenantId": "b8e4141e-31f4-43e3-9a96-f97f3eba1eea",
77
+ "activeDirectoryTenantId": "11111111-1111-1111-1111-111111111111",
78
78
  "expirationOffsetSeconds": 300,
79
79
  "tokenRetries": 3
80
80
  }
@@ -130,9 +130,9 @@ With GCP Workload Federation setup, you can add the policy to your Zuplo API.
130
130
  "module": "$import(@zuplo/runtime)",
131
131
  "export": "UpstreamGcpFederatedAuthInboundPolicy",
132
132
  "options": {
133
- "audience": "https://test-basic-vhpkl3cvtq-uc.a.run.app",
133
+ "audience": "https://my-backend-api-a1b2c3d4e5-uc.a.run.app",
134
134
  "serviceAccountEmail": "zup-api@my-project.iam.gserviceaccount.com",
135
- "workloadIdentityProvider": "projects/932049231233/locations/global/workloadIdentityPools/my-pool/providers/my-provider"
135
+ "workloadIdentityProvider": "projects/1234567890/locations/global/workloadIdentityPools/my-pool/providers/my-provider"
136
136
  }
137
137
  }
138
138
  }
@@ -7,7 +7,7 @@
7
7
  "isPaidAddOn": false,
8
8
  "isEnterprise": true,
9
9
  "isInternal": false,
10
- "isBeta": true,
10
+ "isBeta": false,
11
11
  "isHidden": false,
12
12
  "requiresAI": false,
13
13
  "products": ["api-gateway"],
@@ -41,7 +41,7 @@
41
41
  "properties": {
42
42
  "audience": {
43
43
  "type": "string",
44
- "examples": ["https://hello-k7meruiynq-uc.a.run.app"],
44
+ "examples": ["https://my-backend-api-a1b2c3d4e5-uc.a.run.app"],
45
45
  "description": "The audience for the minted JWT. This is typically the URL of your service. See the document [AuthRequirement](https://cloud.google.com/endpoints/docs/grpc-service-config/reference/rpc/google.api#google.api.AuthRequirement) for details."
46
46
  },
47
47
  "serviceAccountEmail": {
@@ -52,7 +52,7 @@
52
52
  "workloadIdentityProvider": {
53
53
  "type": "string",
54
54
  "examples": [
55
- "projects/932049231233/locations/global/workloadIdentityPools/my-pool/providers/my-provider"
55
+ "projects/1234567890/locations/global/workloadIdentityPools/my-pool/providers/my-provider"
56
56
  ]
57
57
  },
58
58
  "tokenLifetime": {
@@ -86,9 +86,9 @@
86
86
  "export": "UpstreamGcpFederatedAuthInboundPolicy",
87
87
  "module": "$import(@zuplo/runtime)",
88
88
  "options": {
89
- "audience": "https://hello-k7meruiynq-uc.a.run.app",
89
+ "audience": "https://my-backend-api-a1b2c3d4e5-uc.a.run.app",
90
90
  "serviceAccountEmail": "zup-api@my-project.iam.gserviceaccount.com",
91
- "workloadIdentityProvider": "projects/932049231233/locations/global/workloadIdentityPools/my-pool/providers/my-provider"
91
+ "workloadIdentityProvider": "projects/1234567890/locations/global/workloadIdentityPools/my-pool/providers/my-provider"
92
92
  }
93
93
  }
94
94
  ]
@@ -50,7 +50,7 @@ protected by Identity Aware Proxy (IAP), use the `audience` property:
50
50
  "export": "UpstreamGcpServiceAuthInboundPolicy",
51
51
  "module": "$import(@zuplo/runtime)",
52
52
  "options": {
53
- "audience": "https://my-app-1235.a.run.app",
53
+ "audience": "https://my-backend-api-a1b2c3d4e5-uc.a.run.app",
54
54
  "serviceAccountJson": "$env(GCP_SERVICE_ACCOUNT)"
55
55
  }
56
56
  }
@@ -59,7 +59,7 @@ protected by Identity Aware Proxy (IAP), use the `audience` property:
59
59
  **Audience Values:**
60
60
 
61
61
  - For **Cloud Run**: Use the full URL of your Cloud Run service (e.g.,
62
- `https://my-service.a.run.app`)
62
+ `https://my-backend-api-a1b2c3d4e5-uc.a.run.app`)
63
63
  - For **Identity Aware Proxy**: Use the Client ID of your OAuth application
64
64
  - For **Cloud Functions**: Use the full URL of your function
65
65
 
@@ -109,7 +109,7 @@ Apply the policy to routes that need to access your Cloud Run service:
109
109
  "export": "forwardToOrigin",
110
110
  "module": "$import(@zuplo/runtime)",
111
111
  "options": {
112
- "baseUrl": "https://my-service-1235.a.run.app"
112
+ "baseUrl": "https://my-backend-api-a1b2c3d4e5-uc.a.run.app"
113
113
  }
114
114
  }
115
115
  }
@@ -37,8 +37,8 @@
37
37
  "properties": {
38
38
  "audience": {
39
39
  "type": "string",
40
- "examples": ["https://my-service-a2ev-uc.a.run.app"],
41
- "description": "The audience for the service to be called. This is typically the URL of your service endpoint like 'https://my-service-a2ev-uc.a.run.app'. If calling a Google API, leave this empty."
40
+ "examples": ["https://my-backend-api-a1b2c3d4e5-uc.a.run.app"],
41
+ "description": "The audience for the service to be called. This is typically the URL of your service endpoint like 'https://my-backend-api-a1b2c3d4e5-uc.a.run.app'. If calling a Google API, leave this empty."
42
42
  },
43
43
  "scopes": {
44
44
  "type": "array",
@@ -91,7 +91,7 @@
91
91
  "export": "UpstreamGcpServiceAuthInboundPolicy",
92
92
  "module": "$import(@zuplo/runtime)",
93
93
  "options": {
94
- "audience": "https://my-service-a2ev-uc.a.run.app",
94
+ "audience": "https://my-backend-api-a1b2c3d4e5-uc.a.run.app",
95
95
  "scopes": ["https://www.googleapis.com/auth/cloud-platform"],
96
96
  "serviceAccountJson": "$env(SERVICE_ACCOUNT_JSON)"
97
97
  }
@@ -40,6 +40,25 @@
40
40
  "examples": ["https://api.example.com", "my-service"],
41
41
  "description": "The audience claim for the JWT."
42
42
  },
43
+ "subject": {
44
+ "type": "string",
45
+ "examples": ["zuplo-gateway"],
46
+ "x-show-example": false,
47
+ "description": "The subject ('sub') claim for the minted JWT. Identifies the acting subject of the token (typically the gateway itself)."
48
+ },
49
+ "claimsFromUser": {
50
+ "type": "object",
51
+ "additionalProperties": {
52
+ "type": "string"
53
+ },
54
+ "examples": [
55
+ {
56
+ "caller": "sub"
57
+ }
58
+ ],
59
+ "x-show-example": false,
60
+ "description": "Maps claims in the minted JWT to values from the authenticated user (request.user). Each key is the claim name to set; each value is a light JSON-path selector into request.user using dot or bracket notation (e.g. 'sub', 'data.role', or 'data\\[\"https://example.com/claim\"\\]' for keys containing dots or slashes). When set, the policy requires an authenticated user and returns 401 if request.user is absent — it never mints a token with missing identity."
61
+ },
43
62
  "headerName": {
44
63
  "type": "string",
45
64
  "default": "Authorization",
@@ -124,13 +124,6 @@ about built-in request handlers.
124
124
 
125
125
  ## Plugins
126
126
 
127
- ### AuditLogPlugin
128
-
129
- - **Status**: Documented ([Audit Log](./audit-log.mdx))
130
- - **Description**: Comprehensive request/response logging
131
- - **Key Features**: Configurable request/response capture, custom output
132
- providers
133
-
134
127
  ### Logging Plugins
135
128
 
136
129
  See [Logging documentation](/docs/articles/logging.mdx) for details on logging
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "zuplo",
3
- "version": "6.72.2",
3
+ "version": "6.72.7",
4
4
  "type": "module",
5
5
  "description": "The programmable API Gateway",
6
6
  "author": "Zuplo, Inc.",
@@ -19,9 +19,9 @@
19
19
  "zuplo": "zuplo.js"
20
20
  },
21
21
  "dependencies": {
22
- "@zuplo/cli": "6.72.2",
23
- "@zuplo/core": "6.72.2",
24
- "@zuplo/runtime": "6.72.2",
22
+ "@zuplo/cli": "6.72.7",
23
+ "@zuplo/core": "6.72.7",
24
+ "@zuplo/runtime": "6.72.7",
25
25
  "@zuplo/test": "1.4.0"
26
26
  }
27
27
  }