fix: merged with master

Author: Kapil Gowru

fern/fern.config.json

@@ -1,4 +1,4 @@
 {
   "organization": "fern",
-  "version": "0.64.22"
-}
+  "version": "0.65.23"
+}

fern/products/docs/docs.yml

@@ -162,7 +162,7 @@ navigation:
     contents:
       - page: SSO
         path: ./pages/authentication/sso.mdx
-      - page: RBAC
+      - page: Role based access control (RBAC)
         path: ./pages/authentication/rbac.mdx
       - page: API Key Injection
         path: ./pages/api-references/autopopulate-api-key.mdx

fern/products/docs/pages/authentication/rbac.mdx

@@ -6,59 +6,87 @@ description: Learn how to restrict access to your documentation using role-based
 
 <Note>RBAC is part of the pro plan.</Note>
 
-Fern allows you to restrict parts of your navigation to individuals with specific roles. Below, we walk through each of the steps
-required to configure RBAC.
+## Introduction
+
+Fern allows you to restrict parts of your navigation to individuals with specific roles. RBAC enables you to create different levels of access for different user types within your documentation.
+
+### Use cases
+
+Role-based access control is helpful for scenarios such as:
+
+- **Partner documentation**: Provide exclusive API documentation to integration partners while keeping internal docs private
+- **Beta features**: Share new features with beta users before general release
+- **Internal documentation**: Restrict sensitive documentation to employees only
+- **Tiered access**: Offer different documentation levels based on subscription tiers
+- **Customer-specific content**: Show different documentation based on customer type or plan
+
+### How it works
+
+If a user visits content not marked as visible to the `everyone` role, Fern will check for an authentication cookie to indicate what roles that user has. If the user does not have a role matching the viewers of the page, we will redirect them to the URL you provided during setup.
+
+Below, we walk through each of the steps required to configure RBAC.
+
+### Architecture diagram
+
+```mermaid
+sequenceDiagram
+    participant U as User
+    participant F as Fern Docs
+    participant R as Redirect URL
+    participant A as Auth System
+
+    U->>F: Visit restricted page
+    F->>F: Check fern_token cookie
+    
+    alt Cookie exists
+        F->>F: Decode JWT with secret key
+        F->>F: Extract roles from JWT
+        F->>F: Check if user has required role
+        
+        alt User has required role
+            F->>U: Show restricted content
+        else User lacks required role
+            F->>U: User is shown a 404 page
+        end
+    else No cookie
+        F->>R: Redirect to login page
+        R->>A: Authenticate user
+    end
+    
+    Note over A: User logs in
+    
+    A->>A: Generate JWT with roles
+    A->>F: Set fern_token cookie
+    F->>F: Validate JWT and roles
+    F->>U: Show restricted content
+```
+
+## Set up RBAC
 
 <Steps>
 ### Define all the `roles` in your docs.yml
 
-Start by defining all the different roles in your `docs.yml`. You can simply specify this under a `roles` key:
+Start by defining all the different roles in your `docs.yml`. You can specify this under a `roles` key:
 
 ```yml docs.yml
 roles:
-  - everyone # every user is given this role
-  - partners
-  - beta-users
-  - admins
-```
-
-<Info>The `everyone` role is a special role. Every user has this role.</Info>
-
-### Define viewers on parts of the navigation
-
-Every navigation item (`sections`, `pages`, `api references`) can have a set of designated viewers. If you don't
-specify viewers, then it defaults to `everyone` and the page is public.
-
-```yml docs.yml {7-8,14-16}
-navigation:
-  - tab: Documentation
-    layout:
-      - page: Overview
-        path: pages/overview.mdx
-      - section: Beta Release
-        viewers:
-          - beta-users
-  - tab: API Reference
-    layout:
-      - page: Overview
-        path: pages/overview.mdx
-      - section: Beta Release
-        viewers:
-          - partners
-          - admin
+ - everyone # every user is given this role
+ - partners
+ - beta-users
+ - admins
 ```
 
-The viewers are inherited by nested pieces of content. For example, if a section can only be viewed by `admins`, then all its
-pages and nested sections can also only be viewed by admins.
+<Info>
+The `everyone` role is special. Every user has this role (including unauthenticated users).
+</Info>
 
 ### Configure authentication via a `fern_token`
 
 In this step, we will configure authentication so that Fern can understand what roles a particular user has. Fern expects the user's
 browser session to have a cookie called `fern_token`. If the cookie is not present, the user will be redirected to your company's
 login page.
 
-Upon login, you must set a JWT for the user using a secret key that we will provide you with. The JWT must have a `fern` claim
-with a key called roles.
+**You are responsible for creating and setting the `fern_token` cookie in your authentication system.** Upon login, you must set a JWT for the user using a secret key that we will provide. The JWT must have a `fern` claim with a key called `roles`.
 
 ```json
 {
@@ -68,6 +96,79 @@ with a key called roles.
 }
 ```
 
-<Note>Please reach out to [email protected] when you are on this step so we can provide you with a secret key.</Note>
+### Contact Fern for setup
+
+When you're ready to implement RBAC, **contact [email protected]** to receive your secret key for JWT signing.
+
+You'll also need to provide the URL where Fern should send unauthenticated users to log in.
+
+<Note>Optional: If you'd like restricted pages to be visible but locked to unauthenticated users (rather than completely hidden), let us know during this step.</Note>
 
 </Steps>
+
+### Access control within navigation
+
+You can designate viewers on the following navigation items:
+- `products`
+- `versions`
+- `tabs`
+- `sections`
+- `pages`
+- `api references`
+- `changelogs`
+
+If you don't specify viewers, the content will be visible to _any authenticated user_.
+
+```yml docs.yml {6-7, 13-15}
+navigation:
+  - tab: Home
+    layout: 
+      - page: Welcome # this page is public
+        path: pages/welcome.mdx
+        viewer: 
+          - everyone 
+  - tab: Documentation
+    layout:
+      - page: Overview # this page is visible to all logged-in users
+        path: pages/overview.mdx 
+      - section: Beta Release # this section is visible to beta-users and admins
+        viewers:
+          - beta-users
+          - admins
+        contents: 
+          ...
+```
+
+Viewership is inherited. For example, if a section can only be viewed by `admins`, then all its pages and nested sections can also only be viewed by admins.
+
+### Access control within MDX pages
+
+You can restrict specific content within your MDX pages to users with certain roles. This allows you to show different content to different user types on the same page.
+
+#### Basic usage
+
+Use the `<If />` component to conditionally render content based on user roles:
+
+```mdx
+<If roles={["beta-users"]}>
+  <Callout>
+    This callout is only visible to beta users.
+  </Callout>
+</If>
+```
+
+#### Multiple roles
+
+You can specify multiple roles. Content will be visible to users who have **any** of the specified roles:
+
+```mdx
+<If roles={["partners", "admins"]}>
+  <Callout>
+    This content is visible to both partners and admins.
+  </Callout>
+</If>
+```
+
+<Note>
+The `<If>` component respects the same role inheritance rules as navigation items. If a user has access to a page, they can see all content on that page that matches their roles.
+</Note>

fern/products/sdks/guides/configure-global-headers.mdx

@@ -3,6 +3,99 @@ title: Configure Global Headers
 description: Guide to configuring global headers in your SDKs.
 ---
 
-Learn how to configure global headers for all requests made by your SDKs. 
+Your API may leverage certain headers for every endpoint or most endpoints.
+These are called **global headers**.
 
-<Warning>Docs are coming soon for this page.<br/><br/>Please [book a demo](https://buildwithfern.com/book-demo) or [reach out to us](https://buildwithfern.com/book-demo) to get set up with this feature. </Warning> 
+## How it works for SDK users
+
+Once you configure a global header (either automatically detected or manually
+specified), Fern generates an SDK that accepts this as a constructor parameter.
+Users can then provide the value once, and the generated SDK automatically
+includes the header in all their API calls:
+
+```python
+import os
+
+class Client:
+
+  def __init__(self, *, apiKey: str):
+```
+
+## Specifying global headers
+
+Fern automatically identifies headers that are used in every request, or the
+majority of requests, and marks them as global. You can manually configure additional
+global headers in either `api.yml` (Fern Definition) or `openapi.yml`.
+
+<AccordionGroup>
+<Accordion title="Fern Definition">
+
+To specify headers that are meant to be included on every request:
+
+<CodeBlock title="api.yml">
+```yaml {3}
+name: api
+headers:
+  X-App-Id: string
+```
+</CodeBlock>
+
+### Global path parameters
+You can also specify path parameters that are meant to be included on every request:
+
+<CodeBlock title="api.yml">
+```yaml
+name: api
+base-path: /{userId}/{orgId}
+path-parameters:
+  userId: string
+  orgId: string
+```
+</CodeBlock>
+
+#### Overriding the base path
+
+If you have certain endpoints that do not live at the configured `base-path`, you can 
+override the `base-path` at the endpoint level. 
+
+```yml imdb.yml {5}
+service: 
+  endpoints: 
+    getMovie: 
+      method: POST
+      base-path: "override/{arg}"
+      path: "movies/{movieId}"
+      path-parameters: 
+        arg: string
+```
+
+<Note>
+  You cannot yet specify query parameters that are meant to be included on every request.
+If you'd like to see this feature, please upvote [this issue](https://github.com/fern-api/fern/issues/2930).
+</Note>
+
+</Accordion>
+<Accordion title="OpenAPI">
+
+Use the `x-fern-global-headers` extension to label additional headers as global
+or to alias the names of global headers:
+
+```yaml title="openapi.yml"
+x-fern-global-headers:
+  - header: custom_api_key
+    name: api_key
+  - header: userpool_id
+    optional: true
+```
+
+This configuration yields the following client:
+
+```python
+import os
+
+class Client:
+
+  def __init__(self, *, apiKey: str, userpoolId: typing.Optional[str])
+```
+</Accordion>
+</AccordionGroup>