Release date 2026/04/28
Fixed an issue where token_exchange.cache.enabled = false was ignored and exchanged tokens were still cached because the cache toggle incorrectly read token_exchange.cache.ttl instead of token_exchange.cache.enabled.
Fixed an issue where token exchange actor tokens were not sourced correctly from token_exchange.request, ensuring correct forwarding of actor tokens configured in headers or plugin config.
Release date 2026/04/07
Added Token Exchange support to swap JWT tokens before accessing MCP Server.
Added support for mapping claim to authenticated credential.
Made the client_id field not required when client_auth is set to something other than client_secret_basic or client_secret_post
Added upstream_headers field for mapping token claims to upstream headers using path-based access. Mutually exclusive with claim_to_header.
Added support for passing tokens upstream.
Added support for multiple token validation methods.
Added support mapping claims in token to consumer and consumer_groups.
Fixed an issue where we didn’t clear header for absent claim.
Release date 2025/12/18
Fixed an issue where MCP-like request was not authenticated.
Fixed an issue where the oidc schema was polluted during merging.
Fixed an issue where resource without path was not correctly handled.
Fixed an issue where there was an unexpected required: false in the plugin schema.
Fixed an issue where x-forwarded-* headers were not respected.
Release date 2025/12/10
Fixed an issue where MCP-like request was not authenticated. Previously, we only authenticated requests that satisfied the MCP spec. As a result, the attacker can bypass this via an MCP-like request. Therefore, now we change to authenticate all the requests.
Fixed an issue where the oidc schema was polluted during merging.
Fixed an issue where resource without path was not correctly handled.
Fixed an issue where x-forwarded-* headers were not respected.