MicrosoftDocs
diff --git a/‎articles/azure-app-configuration/concept-enable-rbac.md‎
Lines changed: 18 additions & 0 deletions b/‎articles/azure-app-configuration/concept-enable-rbac.md‎
Lines changed: 18 additions & 0 deletions
diff --git a/‎articles/azure-app-configuration/concept-snapshot-references.md‎
Lines changed: 8 additions & 7 deletions b/‎articles/azure-app-configuration/concept-snapshot-references.md‎
Lines changed: 8 additions & 7 deletions
diff --git a/‎articles/azure-app-configuration/configuration-provider-overview.md‎
Lines changed: 1 addition & 1 deletion b/‎articles/azure-app-configuration/configuration-provider-overview.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎articles/azure-app-configuration/reference-kubernetes-provider.md‎
Lines changed: 9 additions & 0 deletions b/‎articles/azure-app-configuration/reference-kubernetes-provider.md‎
Lines changed: 9 additions & 0 deletions
diff --git a/‎articles/azure-functions/functions-bindings-web-pubsub.md‎
Lines changed: 1 addition & 1 deletion b/‎articles/azure-functions/functions-bindings-web-pubsub.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎articles/azure-web-pubsub/concept-client-protocols.md‎
Lines changed: 14 additions & 8 deletions b/‎articles/azure-web-pubsub/concept-client-protocols.md‎
Lines changed: 14 additions & 8 deletions
diff --git a/‎articles/azure-web-pubsub/concept-service-internals.md‎
Lines changed: 2 additions & 0 deletions b/‎articles/azure-web-pubsub/concept-service-internals.md‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎articles/azure-web-pubsub/concept-wildcard-group-roles.md‎
Lines changed: 133 additions & 0 deletions b/‎articles/azure-web-pubsub/concept-wildcard-group-roles.md‎
Lines changed: 133 additions & 0 deletions
diff --git a/‎articles/azure-web-pubsub/howto-connect-mqtt-websocket-client.md‎
Lines changed: 2 additions & 0 deletions b/‎articles/azure-web-pubsub/howto-connect-mqtt-websocket-client.md‎
Lines changed: 2 additions & 0 deletions
@@ -333,6 +333,24 @@ clientOptions := &azappconfig.ClientOptions{
 client, _ := azappconfig.NewClient(myStoreEndpoint, credential, clientOptions)
 ```
 
+### [Kubernetes](#tab/kubernetes)
+#### Kubernetes provider
+
+If your application runs on Kubernetes and you use the Azure App Configuration Kubernetes Provider, the audience configuration depends on how the provider is installed.
+
+- **AKS extension**: No audience configuration is needed. The extension automatically determines the audience based on the cloud where it runs.
+- **Helm chart**: The audience can be configured at installation time by setting the `env.azureAppConfigurationAudience` parameter. Use version **2.6.0** or later of the [Azure App Configuration Kubernetes Provider](./quickstart-azure-kubernetes-service.md) to configure the audience.
+
+The following command demonstrates how to install the Azure App Configuration Kubernetes Provider via Helm with a cloud-specific audience.
+
+```console
+helm install azureappconfiguration.kubernetesprovider \
+    oci://mcr.microsoft.com/azure-app-configuration/helmchart/kubernetes-provider \
+    --namespace azappconfig-system \
+    --create-namespace \
+    --set env.azureAppConfigurationAudience="{Cloud specific audience here}"
+```
+
 ---
 
 ## Next steps
 
@@ -118,13 +118,14 @@ If a snapshot reference is added that points to the aforementioned snapshot, the
 
 ## Language availability
 
-| Language    | Minimum version / status |
-|-------------|---------------------------|
-| .NET        | 8.4.0+                    |
-| Java        | Work in progress          |
-| JavaScript  | 2.3.0+                    |
-| Python      | 2.4.0+                    |
-| Go          | Work in progress          |
+| Language / platform | Minimum version / status |
+|---------------------|--------------------------|
+| .NET                | 8.4.0+                   |
+| Java                | Work in progress         |
+| JavaScript          | 2.3.0+                   |
+| Python              | 2.4.0+                   |
+| Go                  | Work in progress         |
+| Kubernetes          | 2.6.0+                   |
 
 ## Next steps
 
 
@@ -69,10 +69,10 @@ Replica Auto Discovery | [GA](./reference-dotnet-provider.md#geo-replication) |
 Replica Failover | [GA](./reference-dotnet-provider.md#geo-replication) | [GA](/azure/developer/java/spring-framework/app-configuration-support#geo-replication) | GA | [GA](./reference-python-provider.md#geo-replication) | [GA](./reference-javascript-provider.md#geo-replication) | [GA](./reference-go-provider.md#geo-replication)
 Replica Load Balancing | [GA](./reference-dotnet-provider.md#geo-replication) | GA | GA | [GA](./reference-python-provider.md#geo-replication) | [GA](./reference-javascript-provider.md#geo-replication) | [GA](./reference-go-provider.md#geo-replication)
 Snapshots | [GA](./reference-dotnet-provider.md#snapshot) | [GA](/azure/developer/java/spring-framework/app-configuration-support#selecting-configurations) | GA | [GA](./reference-python-provider.md#load-configuration-from-snapshots) | [GA](./reference-javascript-provider.md#snapshot) | [GA](./reference-go-provider.md#snapshot)
+Snapshot Reference | [GA](./reference-dotnet-provider.md#snapshot-reference) | WIP | [GA](./reference-kubernetes-provider.md#snapshot-reference) | WIP | [GA](./reference-javascript-provider.md#snapshot-reference) | WIP
 Distributed Tracing | [GA](./reference-dotnet-provider.md#distributed-tracing) | WIP | WIP | WIP | WIP | N/A
 Health Check | [GA](./reference-dotnet-provider.md#health-check) | [GA](/azure/developer/java/spring-framework/app-configuration-support#health-indicator) | WIP | WIP | WIP | N/A 
 Select by Tag Filters | [GA](./reference-dotnet-provider.md#load-specific-key-values-using-selectors) | WIP | GA | [GA](./reference-python-provider.md#tag-filters) | [GA](./reference-javascript-provider.md#tag-filters) | [GA](./reference-go-provider.md#tag-filters)
-Snapshot Reference | [GA](./reference-dotnet-provider.md#snapshot-reference) | WIP | WIP | WIP | [GA](./reference-javascript-provider.md#snapshot-reference) | WIP
 Load from Azure Front Door | [Preview](./reference-dotnet-provider.md#connect-to-azure-front-door) | WIP | WIP | WIP | [Preview](./reference-javascript-provider.md#connect-to-azure-front-door)  | WIP
 
 
 
@@ -433,6 +433,15 @@ spec:
       interval: 1m
 ```
 
+### Snapshot reference
+
+A snapshot reference is a configuration setting that references a snapshot in the same App Configuration store. When loaded, the provider resolves it and adds all key-values from that snapshot. Using snapshot references enables switching between snapshots at runtime, unlike adding a snapshot selector, which requires code changes and/or restarts to switch to a new snapshot.
+
+For more information about creating a snapshot reference, go to [snapshot reference concept](./concept-snapshot-references.md).
+
+> [!NOTE] 
+> To use snapshot references, use the version *2.6.0* or later of Azure App Configuration Kubernetes provider.
+
 ### Key Vault references
 
 #### Authentication
 
@@ -3,7 +3,7 @@ title: Azure Functions Web PubSub bindings
 description: Understand how to use Web PubSub bindings with Azure Functions.
 ms.topic: reference
 ms.custom: devx-track-extended-java, devx-track-js, devx-track-python
-ms.date: 1/21/2026
+ms.date: 01/28/2026
 zone_pivot_groups: programming-languages-set-functions-lang-workers
 ---
 
 
@@ -4,8 +4,8 @@ description: This article presents an overview of the client protocols for Azure
 author: vicancy
 ms.author: lianwei
 ms.service: azure-web-pubsub
-ms.topic: reference
-ms.date: 11/08/2021
+ms.topic: conceptual
+ms.date: 03/30/2026
 ms.custom: sfi-ropc-nochange
 ---
 
@@ -42,13 +42,13 @@ You could also configure properties for the client connection when generating th
 
 You could also add custom claims into the access token, and these values are preserved as the `claims` property in [connect upstream request body](./reference-cloud-events.md#system-connect-event).
 
-[Server SDKs](./howto-generate-client-access-url.md#generate-from-service-sdk) provides APIs to generate the access token for the clients. 
+[Server SDKs](./howto-generate-client-access-url.md#generate-from-service-sdk) provides APIs to generate the access token for the clients.
 
 <a name="simple_client"></a>
 
 ## The simple WebSocket client
 
-A **simple WebSocket client**, as the naming indicates, is a simple WebSocket connection. It can also have its own custom subprotocol. 
+A **simple WebSocket client**, as the naming indicates, is a simple WebSocket connection. It can also have its own custom subprotocol.
 
 For example, in JavaScript, you can create a simple WebSocket client by using the following code:
 
@@ -62,7 +62,7 @@ var client2 = new WebSocket('wss://test.webpubsub.azure.com/client/hubs/hub1', '
 
 Simple WebSocket client has two modes: `sendEvent` and `sendToGroup`. The mode is determined once the connection is established and cannot be changed later.
 
-`sendEvent` is the default mode for the simple WebSocket client. In `sendEvent` mode, every WebSocket frame the client sent is considered as a `message` event. Users can configure [event handlers](./concept-service-internals.md#event-handler) or [event listeners](./concept-service-internals.md#event-listener) to handle these `message` events. 
+`sendEvent` is the default mode for the simple WebSocket client. In `sendEvent` mode, every WebSocket frame the client sent is considered as a `message` event. Users can configure [event handlers](./concept-service-internals.md#event-handler) or [event listeners](./concept-service-internals.md#event-listener) to handle these `message` events.
 
 ```javascript
 // Every data frame is considered as a `message` event
@@ -102,7 +102,7 @@ var pubsubClient = new WebSocket('wss://test.webpubsub.azure.com/client/hubs/hub
 
 ```js
 let ackId = 0;
-pubsubClient.send(    
+pubsubClient.send(
     JSON.stringify({
         type: 'joinGroup',
         group: 'group1',
@@ -114,7 +114,7 @@ pubsubClient.send(
 
 ```js
 let ackId = 0;
-pubsubClient.send(    
+pubsubClient.send(
     JSON.stringify({
         type: 'sendToGroup',
         group: 'group1',
@@ -191,6 +191,8 @@ As you likely noticed in the earlier PubSub WebSocket client description, a clie
 | `webpubsub.sendToGroup` | The client can publish messages to any group. |
 | `webpubsub.joinLeaveGroup.<group>` | The client can join or leave group `<group>`. |
 | `webpubsub.sendToGroup.<group>` | The client can publish messages to group `<group>`. |
+| `webpubsub.joinLeaveGroups.<pattern>` | The client can join/leave any group whose name matches `<pattern>` (see [Wildcard group role patterns](./concept-wildcard-group-roles.md)). |
+| `webpubsub.sendToGroups.<pattern>` | The client can publish messages to any group whose name matches `<pattern>` (see [Wildcard group role patterns](./concept-wildcard-group-roles.md)). |
 | | |
 
 The permission of a client can be granted in several ways:
@@ -199,7 +201,7 @@ The permission of a client can be granted in several ways:
 
 Client can connect to the service using a JWT. The token payload can carry information such as the `role` of the client. When signing the JWT to the client, you can grant permissions to the client by giving the client specific roles.
 
-For example, let's sign a JWT that has the permission to send messages to `group1` and `group2`: 
+For example, let's sign a JWT that has the permission to send messages to `group1` and `group2`:
 
 ```js
 let token = await serviceClient.getClientAccessToken({
@@ -231,6 +233,10 @@ let service = new WebPubSubServiceClient("<your_connection_string>", "test-hub")
 await service.grantPermission("<connection_id>", "joinLeaveGroup", { targetName: "group1" });
 ```
 
+> [!NOTE]
+> Assigning wildcard roles (e.g., `webpubsub.sendToGroups.<pattern>`)  through REST APIs or server SDKs are not supported yet. This feature will be supported in a future update.
+
+
 ## Next steps
 
 [!INCLUDE [next step](includes/include-next-step.md)]
@@ -212,6 +212,8 @@ A client can publish to other clients only when it's _authorized_ to. The `role`
 | `webpubsub.sendToGroup`            | The client can publish messages to any group.       |
 | `webpubsub.joinLeaveGroup.<group>` | The client can join/leave group `<group>`.          |
 | `webpubsub.sendToGroup.<group>`    | The client can publish messages to group `<group>`. |
+| `webpubsub.joinLeaveGroups.<pattern>` | The client can join/leave any group whose name matches `<pattern>` (see [Wildcard group role patterns](./concept-wildcard-group-roles.md)). |
+| `webpubsub.sendToGroups.<pattern>` | The client can publish messages to any group whose name matches `<pattern>` (see [Wildcard group role patterns](./concept-wildcard-group-roles.md)). |
 
 The server-side can also grant or revoke permissions of the client dynamically through [server protocol](#connection-manager) as to be illustrated in a later section.
 
 
@@ -0,0 +1,133 @@
+---
+title: Use wildcard group role patterns
+description: Learn how to grant Azure Web PubSub clients permissions to many groups using wildcard role patterns.
+author: kevinguo-ed
+ms.author: kevinguo
+ms.service: azure-web-pubsub
+ms.topic: conceptual
+ms.date: 01/28/2026
+ms.custom:
+---
+
+# Use wildcard group role patterns
+
+Azure Web PubSub now supports wildcard pattern matching in client "group" roles so you can authorize a client for many related groups with a single role string.
+
+You can continue to use the existing literal roles:
+
+- `webpubsub.sendToGroup.{groupName}`
+- `webpubsub.joinLeaveGroup.{groupName}`
+
+But you can now also use the new pattern roles:
+
+- `webpubsub.sendToGroups.{pattern}`
+- `webpubsub.joinLeaveGroups.{pattern}`
+
+Where `{pattern}` follows the wildcard syntax below.
+
+## When to use pattern roles
+
+Use pattern roles when:
+
+- A user or device must access a large but bounded dynamic set of groups (for example: all groups for a specific tenant or project)
+- You want to keep access tokens small (avoid listing dozens or hundreds of explicit group roles)
+
+## Pattern syntax
+
+| Symbol | Meaning |
+| ------ | ------- |
+| `?` | Matches exactly one character except `.` |
+| `*` | Matches zero or more characters except `.` |
+| `**` | Matches zero or more characters including `.` (crosses segment boundaries) |
+| `\` | Escape character for `\`, `*`, `?` |
+| `.` | Acts as a hierarchy separator and is never matched by `?` or `*` (only by `**`). |
+
+Additional rules:
+- Up to five total `*` characters (including those forming `**`) are allowed in a single pattern.
+
+### Examples
+
+| Pattern | Matches | Does not match |
+| ------- | ------- | -------------- |
+| `chat-*` | `chat-1`, `chat-room` | `chat.1`, `xchat-1` |
+| `clientA.*` | `clientA.alpha`, `clientA.1` | `clientA.alpha.room1`, `clientB.alpha` |
+| `clientA.**` | `clientA.alpha`, `clientA.alpha.room1` | `clientB.anything` |
+| `clientA.rooms.?1` | `clientA.rooms.a1`, `clientA.rooms.11` | `clientA.rooms.1`, `clientA.rooms.a.1` |
+| `literal\*star` | `literal*star` | `literalXstar` |
+
+### Escaping
+
+Prefix `*`, `?`, or `\` with `\` to match the literal character. Example: `project\*123` matches only `project*123`.
+
+## Using pattern roles in code
+
+Add the pattern role to the `roles` collection when generating a client access token. The client then automatically has the implied permissions for matching groups.
+
+## Code samples
+
+# [JavaScript](#tab/javascript)
+
+```js
+const token = await serviceClient.getClientAccessToken({
+  roles: [
+    // Can send to all groups under clientA.
+  'webpubsub.sendToGroups.clientA.**',
+    // Can join/leave any direct child group under public.
+  'webpubsub.joinLeaveGroups.public.*'
+  ]
+});
+```
+
+# [C#](#tab/csharp)
+
+```csharp
+var url = service.GetClientAccessUri(roles: new [] {
+    // Can send to all groups under clientA.
+  "webpubsub.sendToGroups.clientA.**",
+    // Can join/leave any direct child group under public.
+  "webpubsub.joinLeaveGroups.public.*"
+});
+```
+
+# [Python](#tab/python)
+
+```python
+token = service.get_client_access_token(roles=[
+  # Can send to all groups under clientA.
+  "webpubsub.sendToGroups.clientA.**",
+
+  # Can join/leave any direct child group under public.
+  "webpubsub.joinLeaveGroups.public.*"
+])
+```
+
+# [Java](#tab/java)
+
+```java
+GetClientAccessTokenOptions opt = new GetClientAccessTokenOptions();
+// Can send to all groups under clientA.
+opt.addRole("webpubsub.sendToGroups.clientA.**");
+
+// Can join/leave any direct child group under public.
+opt.addRole("webpubsub.joinLeaveGroups.public.*");
+WebPubSubClientAccessToken token = service.getClientAccessToken(opt);
+```
+
+---
+
+## Security guidance
+
+- Prefer the narrowest pattern that satisfies the scenario.
+- Minimize the use of `*` to reduce over-permissioning risks.
+
+## Frequently asked questions
+
+**Q: Can I mix literal and pattern roles?**
+
+Yes. A literal role always applies exactly; patterns add broader coverage.
+
+
+## Next steps
+
+> [!div class="nextstepaction"]
+> [Generate client access URL and use roles](howto-generate-client-access-url.md)
@@ -43,6 +43,8 @@ A client can publish to other clients only when it's *authorized* to do so. A cl
 | `webpubsub.sendToGroup` | The client can publish messages to any group. |
 | `webpubsub.joinLeaveGroup.<group>` | The client can join or leave group `<group>`. |
 | `webpubsub.sendToGroup.<group>` | The client can publish messages to group `<group>`. |
+| `webpubsub.joinLeaveGroups.<pattern>` | The client can join/leave any group whose name matches `<pattern>` (see [Wildcard group role patterns](./concept-wildcard-group-roles.md)). |
+| `webpubsub.sendToGroups.<pattern>` | The client can publish messages to any group whose name matches `<pattern>` (see [Wildcard group role patterns](./concept-wildcard-group-roles.md)). |
 | | |
 
 ## Authentication and authorization