The Transformation of Policies and Keys

For this 3.0 release, we’ve also inspected user journeys for both Policy and Key creation and viewing. When you log in for the first time, you’ll notice a change in layout that should help you work faster and smarter. We’ve pulled together an FAQ and video walk-through below to support you in understanding the new layout and how it will improve your policy and key workflow. 

Hey, my Policy Management table has changed!

We’ve given the Policy Management table a facelift. Previously we were displaying only the policy name and ID. Now, you’ll also see the policy state and access rights and authentication type – both of which you can filter your policies by. This means you’re able to locate a specific policy much faster and have a more informative overview of all your policies. 

Where do I choose which APIs to give access to in my policy or key? 

When you create a new policy or key your first step is adding the access rights. 

For policy creation, we understood there was often a struggle to locate the correct API so we’ve given you more visibility. Along with searching by API name, you can now filter by authentication type. We’ve added this same functionality when applying a policy to a key, allowing you to filter policies by API access rights and authentication type.

If adding a second API or policy, the access rights list will automatically filter to only display API or policies with compatible authentication types. This prevents you from making any unnecessary errors.

Hold on – when I add Access Rights to my policy it looks completely different!

You’re right! To make viewing and editing your policy more straight forward, we are now grouping all actions within each API. This means that when you need to edit your policy, you’re able to locate and change the specific API belonging to that policy.

Where do I set my rate limiting, throttling and usage quota?

Rate limiting, throttling and usage quota can now be set in the Global Limits and Quota panel. We’ve also added disable check boxes for each so you no longer need to enter -1 into the rate-limiting and throttling fields to disable, or -1 in the usage quota field to set unlimited quota. 

How can I set per API limits and quota?

Now that we’ve grouped all actions within each API, all you need to do is open that API’s panel and switch the ‘Set per API Limits and Quota’ toggle on. A gold tag will display next to the API name to indicate that it is no longer inheriting the Global Limits and Quota, but has its own limits and quota defined. Switching the toggle off will remove the gold tag and the API will go back to inheriting the values set in the Global Limits and Quota.

How can I set my path-based permissions?

Open the APIs panel and switch the ‘Path-Based Permissions’ toggle on. Now you can set all paths for that API. Along with entering custom regex, we’ve also connected any endpoints defined for that API in the Endpoint Designer (located in the API Designer) and they can be chosen from the drop-down Paths menu.

How do I partition my policy?

You can now partition your policy within the Global Limits and Quota panel. Previously, the setup for partitioning a policy comprised double negatives that were often confusing. We’ve fixed this by having Enforce Access Rights, Enforce Rate Limiting and Enforce Usage Quota all checked by default. Now if you want to partition a policy, it’s clear what the key overrides will be. For example, if you uncheck ‘Enforce Rate Limiting’ it means that rate-limiting will no longer be enforced and therefore able to be overridden at key level. 

Where do I name my policy?

The first tab is all about access rights, the second tab Configurations stores all the extra information such as name, status, key expiry, tags and metadata.

How do I set my policy to active or deny access to my policy?

We’ve now combined these two options into one called ‘Policy State’, which can be set in the second tab, Configurations. There are three policy states:

Active: All keys are active and new keys can be created.
Draft: All keys are active, but no new keys can be created.
Access Denied: All keys are deactivated and no keys can be created.

The new messaging around each state makes it clear what effect they each have on the policy and gives you more control over key management for that policy. 

Tyk 3.0: UX Policies Update 


Wow – my Key Management table has more useful information on it!

It’s called a Key Management table for a reason – we want you to be able to manage your keys. To display the Key Management table you either need to set your `hash_keys` to false in your `tyk.conf` and `tyk_analytics.conf` files or if you want to remain in hashed mode, you can set `enable_hashed_keys_listing` to `true` in your `tyk.conf` file. You’ll see a table that not only shows the key ID, but also the key alias (if applied), policies (if applied), date added and the key expiry. All valuable information to help you keep better track of your keys.

Wait a minute – when I apply a policy to my key the layout has changed!

We can’t get anything past you! Similar to API access rights, we are also grouping all actions within each policy. With this new layout, you’ll have full visibility of your policy and understand the authentication type, API access rights and which API inherit the global limits and quota and which have them set per API. The rate-limiting, throttling and usage quota set for the API in the policy will also be displayed, although this information can only be edited from within the policy itself. 

I need to set authentication details such as; enforce HMAC/ authenticate using a client certificate/ add a username and password for basic authentication / add a JWT secret to my key – how do I do this?

This was the first action performed when creating a key. We want you to work smarter so now after you select access rights we’ll automatically detect the key’s authentication and display the correct fields in a third tab called Authentication. If we detect that the key authentication doesn’t require the additional information then we won’t display the third tab.

When I’m applying a partitioned policy to my key, how can I set the key level overrides?

Where a partitioned policy applies to a key and an override is set, a panel will be displayed above the policies called Key Global Limits and Quota. Any overrides such as rate-limiting, throttling and usage quota can be set here as well as adding access rights (when access rights have not been enforced). 

Tyk 3.0: UX Keys Update


That concludes our dive into some UX changes we’ve made. Hopefully these will help you work faster and smarter. We love hearing from you so if you have any feedback or would be interested in participating in user research or testing then send us an email at [email protected]. We look forward to hearing from you!