Tyk 2.7: An API Gateway Odyssey
Martin Buhr

Though it might feel like eons since our last release, it was only a few months back that Tyk 2.6 helped take your API management to the next level.

Since then, we’ve been back at Tyk’s Cape Canaveral, tinkering away to reach our goal of making our latest release the best-performing open source API Gateway you’ve ever seen.

We think you’ll agree the time has been well-spent, with the resulting improvements giving up to a 160% increase in Tyk performance compared to Tyk 2.6! It’s not quite ‘to infinity and beyond’, but it’s a start!

What does this mean in real terms? A significant increase in Tyk Gateway throughput capacity (i.e. how many requests the Gateway can handle per second), and a reduction in latency for those requests. All in all – a much speedier, slicker, and more performant API Gateway.

As well as giving Tyk a warp drive upgrade for your next blast-off, we’ve also found the time to slip in custom key-hashing algorithms and Dashboard user groups.

That’s right – Tyk 2.7 has landed, and the (API) force is strong with this one. Read 2.7’s release notes for the full technical manual, or keep reading for the launch lowdown.

Performance that’s out of this world, whichever version of Tyk you’re using

Whether you’re using the headless open source API Gateway, Tyk On-Prem or SaaS, or a full-multi-cloud-multi-data-centre-shebang version of Tyk, you’ll notice immediate improvements in Tyk’s performance.

We painstakingly analysed every little piece of our Gateway to improve our throughput by up to 160%. This included optimising the default configs and the analytics recording pipeline, ensuring better HTTP connection re-use, caching regexps, reducing queries to the database, and making tiny refinements in each and every middleware we provide.

The final performance boost you see personally will vary depending on your current setup, and the biggest boost will be seen on high-traffic apps, with a load of more than 1000 requests per second.

What does this mean on the ground? You’ll notice you’re using less CPU power, paying less money, and global warming will end (maybe).

Oh my god, it's full of cat memes

Our API Gateway Performance Odyssey

We don’t ever want to release something only to hear those immortal words: ‘Houston, we have a problem’, so, as per usual, we’ve tested our performance improvements. And by ‘tested’, we mean: tested, tested again, triple-tested, and then some.

For 2.7 testing, we threw away all notions of hitting a nice, round, shiny benchmark figure. Let’s face it, it looks good on the marketing material, but what use is it if the set-up is nothing like what you’re using Tyk on?

Instead, our performance testing plan was focused on replicating the setup of our customers as much as possible: that means, no supercomputers and no sub-millisecond-inner-data-centre latency.

We tested 2.7 on a moderate-performance 2 CPU Linode machine, with 50ms latency between Tyk and the upstream. For testing, we used Tyk Gateway in Hybrid mode with the default config, except for a single 2.7 change: max_idle_connections_per_host is set to 500, versus 100 in 2.6.

The test runner used the Locust framework with Boomer for load generation. For keyless APIs, we were able to achieve 3.7K RPS (requests per second) in 2.7, while 2.6 showed about 2.5K RPS: an impressive 47% improvement.

For protected APIs, when Tyk needs to track both rate limits and quotas, 2.7 shows around 3.1K RPS, while 2.6 shows around 1.2K RPS, a massive 160% improvement!

Tyk 2.7 performance tests

Create custom key hashing algorithms Laika boss

Key hashing is a security technique we introduced inside Tyk a long, long time ago (though not in a galaxy far, far away…), which obfuscates your API tokens when stored at rest in the database.

By doing this, API consumers have access to their own API tokens only, and API owners have access to the hashes, which gives them access to usage and analytics in a secure manner.

As time goes on, though, algorithms age, and in order to keep up with the latest security trends, we’ve introduced a new way to change algorithms used for key hashing.

This new feature is in a public beta, and is turned off by default – if you don’t turn it on then Tyk will continue to use the murmur32 algorithm as it currently does. To set the custom algorithm you need to set hash_key_function to one of the following options:

  • murmur32
  • murmur64
  • murmur128
  • sha256

Murmur non-cryptographic hash functions are considered the industry’s fastest and least collision-prone algorithms to date, and provide a good balance between security and performance. With this change you may now choose different hash lengths, depending on your organization’s security policies.

In addition to that, we have introduced a new sha256 cryptographic key hashing algorithm, for cases when you are willing to sacrifice performance for additional security.

Changing the hashing algorithm is totally backwards compatible: all your existing keys will continue working with the old murmur32 hashing algorithm, and your new keys will use the algorithm specified in your Tyk config.

Moreover, if you change the algorithm in the future, Tyk will maintain your keys with multiple hashing algorithms without any issues.
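
An added illustration of how keys hashed under different algorithms can coexist in one store, as the two paragraphs above describe. It is not Tyk's code: the "<algo>.<secret>" token tag, the function names and the sample values are assumptions, and FNV-32a from the Go standard library stands in for murmur32.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"hash/fnv"
	"strings"
)

// hashers: algorithm name -> storage hash; "fnv32" stands in for murmur32.
var hashers = map[string]func(string) string{
	"fnv32": func(s string) string {
		h := fnv.New32a()
		h.Write([]byte(s))
		return hex.EncodeToString(h.Sum(nil))
	},
	"sha256": func(s string) string {
		sum := sha256.Sum256([]byte(s))
		return hex.EncodeToString(sum[:])
	},
}

// Issue stores only the hash of "<algo>.<secret>" (assumed tagging scheme).
func Issue(store map[string]string, algo, secret, owner string) (string, bool) {
	h, known := hashers[algo]
	if !known {
		return "", false
	}
	token := algo + "." + secret
	store[h(token)] = owner
	return token, true
}

// Lookup re-hashes using the algorithm named in the token's own tag.
func Lookup(store map[string]string, token string) (owner string, ok bool) {
	algo, _, _ := strings.Cut(token, ".")
	if h, known := hashers[algo]; known {
		owner, ok = store[h(token)]
	}
	return owner, ok
}

func main() {
	store := map[string]string{} // what the database holds: hash -> owner
	old, _ := Issue(store, "fnv32", "constructed-secret-1", "alice")
	fresh, _ := Issue(store, "sha256", "constructed-secret-2", "bob") // after the switch
	fmt.Println(Lookup(store, old))
	fmt.Println(Lookup(store, fresh))
}
```

Both tokens resolve even though the store now mixes 8-character and 64-character hashes, and the raw tokens never appear among the stored keys.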

Ground control to Major Tom: Manage your user groups

With Tyk 2.7, you can now manage user groups inside our Dashboard, as well as individual users.

It works just like you’d expect: instead of setting permissions per user, you can now create a user group and assign it to multiple users. For example, you can create a group for users who can only see analytics or only manage portal developers. It works for Single Sign On as well – just specify the group ID during the SSO flow.

This feature is available to all our Cloud and Hybrid users. For On-Premise installations, this feature is available for customers with an “Unlimited” license.

In order to manage user groups, ensure that your user has either the admin or the “user groups” permission, which can be enabled by your admin. From an API point of view, user groups themselves can also be managed through the new Dashboard API.

The User object now has a new group_id field, and if it is specified, all permissions will be inherited from the specified group. The SSO API has been updated to include the group_id field as well; for more details, see the documentation.

In space, no one can hear you scream…

But, as long as you’re on this earth, you can benefit from unlimited Tyk support as part of your existing Tyk product package, and from just £200 per month.

Tyk’s product and engineering team are one-and-the-same, so you’re dealing with a support desk who knows the product inside-out, and is highly-responsive. It’s been rated by Forrester as best in the business, with more than one of our clients even calling us ‘too fast!’

Whether you’re using an on-premise single node Gateway, or our SaaS offering, all our paid Tyk packages include support: start maximising your Tyk use from just £200 per month.

Get Tyk 2.7: One small step to download; one giant leap for your API Management performance

We wouldn’t be surprised if, after hearing all this, you’re keen to launch your own Tyk 2.7. Great news for us: we’ve run out of dodgy space references.

Yuri Gagarin be kidding me

(Or have we?)

On Tyk cloud? You don’t have to do anything. The Gateway and Dashboard will be updated automatically.

Got Tyk Hybrid, or running On-Premises? The release is available right away via packages and Docker. Head over to the Upgrade Guide and follow the instructions.

Not using Tyk yet? What are you waiting for? Get started on Tyk now.

Download Tyk 2.7 now