
Understanding Tyk Token Session Objects

All tokens that are used to access services via Tyk correspond to a session object that informs Tyk about the context of this particular token.

A session object takes the following form:

    {
        "last_check": 0,
        "allowance": 1000,
        "rate": 1000,
        "per": 1,
        "expires": 1458669677,
        "quota_max": 1000,
        "quota_renews": 1458667309,
        "quota_remaining": 1000,
        "quota_renewal_rate": 3600,
        "access_rights": {
            "e1d21f942ec746ed416ab97fe1bf07e8": {
                "api_name": "Closed",
                "api_id": "e1d21f942ec746ed416ab97fe1bf07e8",
                "versions": ["Default"],
                "allowed_urls": null
            }
        },
        "org_id": "53ac07777cbb8c2d53000002",
        "oauth_client_id": "",
        "basic_auth_data": {
            "password": "",
            "hash_type": ""
        },
        "jwt_data": {
            "secret": ""
        },
        "hmac_enabled": false,
        "hmac_string": "",
        "is_inactive": false,
        "apply_policy_id": "",
        "data_expires": 0,
        "monitor": {
            "trigger_limits": null
        },
        "meta_data": {
            "test": "test-data"
        },
        "tags": ["tag1", "tag2"],
        "alias": "[email protected]"
    }

The fields have the following meanings:
  • last_check (deprecated): No longer used; this value was related to rate limiting.
  • allowance (deprecated): No longer used directly; on key creation, set it to the same value as rate.
  • rate: The number of requests allowed in the rate limiting window.
  • per: The length of the rate limiting window, in seconds. Together with rate this gives the rate limit, so rate 1000 and per 1 allows 1000 requests per second.
  • expires: A Unix epoch timestamp (in seconds) after which the key is no longer valid.
  • quota_max: The maximum number of requests allowed during the quota period.
  • quota_renews: A Unix epoch timestamp at which the quota renews.
  • quota_remaining: The number of requests remaining in this key’s current quota period (independent of the rate limit).
  • quota_renewal_rate: The length of the quota period, in seconds. For 1000 requests per hour this value would be 3600, while quota_max and quota_remaining would be 1000.
  • access_rights: Defines which APIs and versions this token may access; the format is described in the Access Control section of this documentation. As in the sample above, each entry is keyed by the API ID it grants access to.
  • org_id: The organisation this key belongs to. Used together with the org_id setting in the API Definition object, it lets tokens be “owned” by organisations.
  • oauth_client_id: Set by Tyk when the token is generated by an OAuth client during an OAuth authorisation flow.
  • basic_auth_data: The basic auth password and the hashing method used to store it.
  • jwt_data: Contains the JWT shared secret if the ID matches a JWT ID.
  • hmac_enabled: If this token belongs to an HMAC user, setting this to true marks the token as a valid HMAC provider.
  • hmac_string: The HMAC shared secret.
  • is_inactive: Set to true to deny all access with this token.
  • apply_policy_id: The ID of the policy bound to this token.
  • data_expires: A value, in seconds, after which analytics data generated by this token expires in the analytics DB (requires the Pro edition and MongoDB).
  • monitor: Rate monitor trigger settings, defined elsewhere in the documentation.
  • meta_data: A key/value string map included with the session. Other middleware, such as transforms and header injection, can use it to embed user-specific data into a request, or to query the provenance of a key.
  • tags: Embedded into analytics data when the request completes. If a policy has tags, those tags supersede (overwrite) the ones carried by the token.
  • alias: As of v2.1, an alias identifies a token in a human-readable manner. Add an alias to a token and it is carried into Analytics, so both hashed and un-hashed tokens can be traced to a meaningful identifier without exposing the underlying token.
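The following Python script is an added example, not part of the Tyk documentation or code base. It builds a session object with the layout documented above for a "1000 requests per hour, 1000 requests per second" key, lints it for the invariants the field list states (allowance equals rate, quota_remaining within quota_max, expiry in the future, a usable access_rights map, HMAC secret present when hmac_enabled is set), and produces a copy with the credential fields (hmac_string, jwt_data.secret, basic_auth_data.password) redacted before the object is written to a log. The function names, the treatment of an expires value of 0 as "no expiry", and the timestamps are assumptions made for this example; the IDs are taken from the sample object above.

```python
import json
import time

# Paths of the session fields that carry credentials. A session object is a
# secret-bearing record, so these must never reach logs or client responses.
SECRET_FIELDS = (
    ("hmac_string",),
    ("jwt_data", "secret"),
    ("basic_auth_data", "password"),
)


def build_session(api_id, api_name, org_id, rate, per, quota_max,
                  quota_renewal_rate, lifetime_seconds, now=None):
    """Return a session object granting one API version under the given limits.

    `now` is injected (Unix epoch seconds) so the result is deterministic.
    """
    now = int(time.time()) if now is None else int(now)
    return {
        "last_check": 0,
        "allowance": rate,  # deprecated field, kept equal to rate as documented
        "rate": rate,
        "per": per,
        "expires": now + lifetime_seconds,
        "quota_max": quota_max,
        "quota_renews": now + quota_renewal_rate,
        "quota_remaining": quota_max,  # a fresh key starts with a full quota
        "quota_renewal_rate": quota_renewal_rate,
        "access_rights": {
            api_id: {
                "api_name": api_name,
                "api_id": api_id,
                "versions": ["Default"],
                "allowed_urls": None,
            }
        },
        "org_id": org_id,
        "oauth_client_id": "",
        "basic_auth_data": {"password": "", "hash_type": ""},
        "jwt_data": {"secret": ""},
        "hmac_enabled": False,
        "hmac_string": "",
        "is_inactive": False,
        "apply_policy_id": "",
        "data_expires": 0,
        "monitor": {"trigger_limits": None},
        "meta_data": {},
        "tags": [],
        "alias": "",
    }


def lint_session(session, now):
    """Return a list of problems found in a session object (empty if clean)."""
    problems = []
    if session.get("is_inactive"):
        problems.append("token is inactive: all requests will be denied")
    # Assumption for this example: an expires value of 0 means no expiry.
    if session["expires"] and session["expires"] <= now:
        problems.append("token expiry is in the past")
    if session["allowance"] != session["rate"]:
        problems.append("allowance should equal rate at key creation")
    if session["quota_remaining"] > session["quota_max"]:
        problems.append("quota_remaining exceeds quota_max")
    if not session["access_rights"] and not session["apply_policy_id"]:
        problems.append("no access_rights and no policy: token grants nothing")
    for key, right in session["access_rights"].items():
        if right.get("api_id") != key:
            problems.append(f"access_rights key {key!r} does not match api_id")
    if session["hmac_enabled"] and not session["hmac_string"]:
        problems.append("hmac_enabled is set but hmac_string is empty")
    return problems


def redact(session):
    """Return a deep copy safe for logging, with credential fields masked."""
    safe = json.loads(json.dumps(session))  # deep copy via JSON round-trip
    for path in SECRET_FIELDS:
        node = safe
        for part in path[:-1]:
            node = node.get(part, {})
        if node.get(path[-1]):  # leave empty credentials as they are
            node[path[-1]] = "<redacted>"
    return safe


if __name__ == "__main__":
    # Constructed timestamps: quota_renews in the sample above is used as "now".
    now = 1458667309
    session = build_session("e1d21f942ec746ed416ab97fe1bf07e8", "Closed",
                            "53ac07777cbb8c2d53000002", rate=1000, per=1,
                            quota_max=1000, quota_renewal_rate=3600,
                            lifetime_seconds=2368, now=now)
    print("lint:", lint_session(session, now) or "ok")
    session["hmac_enabled"], session["hmac_string"] = True, "shared-secret"
    print(json.dumps(redact(session), indent=2))
```

Run the lint before loading a key into the gateway and the redaction before logging one; the redacted copy is what belongs in an audit trail, while the original, with hmac_string, jwt_data.secret and basic_auth_data.password intact, should be handled with the same care as the token itself.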