v0.31.0
New: OAuth2 Token Injection
The new oauth_token request transform mints short-lived OAuth2 access tokens and injects them as Authorization: Bearer headers on configured hosts. Three grant types are supported: refresh_token (RFC 6749), jwt_bearer (RFC 7523), and client_credentials (RFC 6749 §4.4). Token exchange, caching, refresh, and single-flight deduplication are all handled automatically.
Credentials resolve from any secrets-package source (env, 1Password, AWS Secrets Manager, etc.) and are re-read on their configured ttl, rebuilding the token source when they change. The configured token_endpoint is also stubbed so sandboxed client SDKs can complete their own OAuth2 handshake against the proxy using a placeholder token while the proxy injects the real one upstream. If token minting fails, the request is closed with a synthetic 502 rather than forwarding an unauthenticated request.
Migration: gcp_auth is superseded by oauth_token and will be removed in the next release. Migrate your gcp_auth config to an oauth_token transform with grant: jwt_bearer.
transforms:
  - type: oauth_token
    hosts: ["bigquery.googleapis.com"]
    grant: jwt_bearer
    credentials: { source: env, key: SERVICE_ACCOUNT_JSON }
    token_endpoint: "https://oauth2.googleapis.com/token"
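
The caching, deduplication and fail-closed behaviour described above, sketched in Go as an added example (not the project's own code). tokenCache, mintFunc and inject are hypothetical names, the 30-second refresh skew is an assumption, and a mutex held across the mint stands in for single-flight deduplication.

```go
package main

import (
	"fmt"
	"net/http"
	"sync"
	"time"
)

// mintFunc and tokenCache are hypothetical; mintFunc stands in for the token_endpoint exchange.
type mintFunc func() (token string, ttl time.Duration, err error)

type tokenCache struct {
	mu      sync.Mutex // held across mint: concurrent callers share one exchange
	mint    mintFunc
	token   string
	expires time.Time
}

// get returns the cached token, re-minting within 30s (assumed skew) of expiry.
func (c *tokenCache) get(now time.Time) (string, error) {
	c.mu.Lock()
	defer c.mu.Unlock()
	if c.token != "" && now.Add(30*time.Second).Before(c.expires) {
		return c.token, nil
	}
	tok, ttl, err := c.mint()
	if err != nil {
		return "", err // a failed mint is never cached
	}
	c.token, c.expires = tok, now.Add(ttl)
	return tok, nil
}

// inject returns 0 to forward with the real token, or 502 to fail closed.
func inject(c *tokenCache, r *http.Request, now time.Time) int {
	tok, err := c.get(now)
	if err != nil {
		r.Header.Del("Authorization")
		return http.StatusBadGateway
	}
	r.Header.Set("Authorization", "Bearer "+tok) // overwrites the placeholder
	return 0
}

func main() {
	c := &tokenCache{mint: func() (string, time.Duration, error) { return "", 0, fmt.Errorf("endpoint down") }}
	r, _ := http.NewRequest("GET", "https://bigquery.googleapis.com/", nil) // constructed request
	fmt.Println(inject(c, r, time.Now()))
}
```

When reviewing a deployment, the property to confirm is the last branch: a mint failure must end in the 502 path with no Authorization header leaving the proxy.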