What do we mean by “Batteries-included”?

Remember, getting a gift as a child, rushing to get it all set up, and then realising that the batteries weren’t included? Why not include the most crucial part to the puzzle and just include the batteries? Now, we experience this all the time in the world of technology where you need to bump up to the next tier of the product or upgrade your subscription. Some of the best parts of the technology seem to hide in more expensive versions of the product, and sometimes that upgrade is just not possible because of budget or business-value constraints.

Here at Tyk, we have felt that pain as well, and that’s why we have adopted the idea of “Batteries-included” as part of our core offering. All of those cool features you’ve read about that are part of Tyk, always included. We can’t imagine a more disappointing experience than reading about a necessary or cool feature in Tyk only to realise you need to upgrade and pay more to access it. All of our core features are included in every installation of Tyk. Unlike some other players in our space, we don’t limit the functionality based on the plan you’ve subscribed to. Everything below is already included in all of Tyk’s offerings, including our free and open-source community edition gateway.

So now you may ask, “what features are part of your ‘batteries-included’ approach?” Well, buckle up while we go through what they are and a few places where you may want to use these powerful features!


With security being a top priority for companies, it’s no shock that the primary reason that an organisation may choose to use an API management platform is to simplify and augment their security. The Tyk Gateway supports almost any type of authentication as part of our “batteries-included” model, including:

  • Basic authentication (username and password)
  • Bearer tokens
  • HMAC signatures 
  • JSON web tokens
  • OAuth 2.0
  • Open (Keyless)
  • OpenID Connect
  • Mutual TLS 
  • Go Plugin Authentication
  • And more, including writing custom authentication plugins with Python or JavaScript

By allowing for so many authentication modes to be supported out-of-the-box, supporting your organisation’s diverse security needs is simple to do with Tyk. Since you can also implement custom authentication plugins, you never need to worry about whether your specific needs can be supported by Tyk.

Rate limiting and quotas

Part of a robust API management solution includes the ability to apply rate-limiting and quotas to API requests. Rate limiting covers the rate at which the user can use the API as expressed in requests per second or RPS. A quota usually defines a longer period of time like allowing a certain amount of requests per hour or per day. This can come in extremely useful when trying to manage the amount of traffic that is coming into your services so they are not overwhelmed and can prevent a denial of service attack from high request volumes. It also is a great tool if you have applied a monetisation scheme to API usage, which only allows for certain limits. This functionality would be considered a cornerstone of a good API management strategy.

Body and header transformations

Body and header transformations can be extremely helpful when abstracting the transformation of incoming or outgoing data from code into configuration at the gateway level. With Tyk, transformations use Go templates to define the transformations, which means you get great flexibility for implementing the transformations while also being very simple to do. Transformations can apply to both the body and header of the request and response, so abstracting transformations from your code into the gateway are easily done. So whether you need to upgrade your SOAP services to RESTful JSON services or you need to rejig your JSON fields for a specific use case, all of this can be done without code and can have you production-ready really quickly.

Monitoring and analytics

Besides being a highly performant API gateway, Tyk is also extremely powerful monitoring and analytics tool. The Tyk Dashboard has a full set of analytics functions and visualisations that you can use to view your API traffic and activity. This feature also allows users to quickly discover, debug, and discover solutions for errors that might be occurring.

Within Tyk there are two types of analytics:

  • Per request
    • Ability to view precise details about each request, like status or path.
  • Aggregate
    • Ability to aggregate statistics by:
      • APIID
      • ResponseCode
      • APIVersion
      • APIKey
      • OauthID
      • Geo
      • Tags
      • TrackPath

If you already have a favourite analytics platform, Tyk also provides connectivity to some other very popular options like ElasticSearch, Splunk, Moesif, and more.

IP Whitelist/Blacklist

Within our extensive plugin options, we have also included the ability to quickly configure and apply IP whitelist and blacklist strategies. For whitelisting, you can easily turn on the whitelist middleware, configure an explicit list of IP addresses which are allowed access APIs within Tyk, and instantly apply these rules. The reverse is true for blacklisting IPs, where you’ll specify the IP addresses which should be blocked from accessing any APIs through Tyk. Both these strategies can be extremely useful for securing your APIs from known threats, and limiting the scope of which IPs have access to your APIs within Tyk.


When building APIs, performance is always the forefront of anything we do. Being able to handle requests quickly is something that is extremely important in any architecture which relies heavily on APIs. When adding in an API gateway, the added latency can be a concern. With Tyk, the added latency is minimal and can even further be reduced by adding caching into your API management strategy. Within Tyk, caching can be done a few ways including dynamic caching based on header and body content or on a per-path basis. As well, Tyk also allows you to enable upstream cache control, which allows users to specify whether a response should be cached and for how long.

Mock responses

It’s usually been somewhat difficult to mock out endpoints efficiently. Generally, we would create a suite of mocks after bugging the backend team for the schemas and data contracts, then everyone would need to deploy these mocks on their local, and if anything changed, then you’d need to repeat the same pattern. Once you have made it this far and built the frontend or services leveraging the mocked APIs you, then would need to worry about integration. With Tyk, you can simply create mocks within the gateway itself and then have the front-end integrate and consume these mocks until the live upstream services are created. This makes mocking easy and allows for integration to happen in the early stages of development, gradually and when needed, instead of a “big-bang” approach. When the live upstream service is available, it’s as simple as changing the mock out to the finished endpoint which should be seamless for the frontend team leveraging the mock.

Virtual endpoints

When using a self-managed deployment of Tyk, you can implement serverless functionality by using virtual endpoints. With a virtual endpoint, you can create a short JavaScript function at the end of the route, which will then be executed when the endpoint is called. This is great for when you have data from a few services that you want to aggregate into a single response or if you want to do some computations or transformations on data retrieved from multiple services. 


GraphQL is an emerging technology that is quickly being adopted among startups and large enterprises alike. As part of the trend for many companies to move towards supporting GraphQL, Tyk has built many features to enable GraphQL API management as well as building GraphQL APIs.

Within Tyk’s API management offering a few key highlights include:

  • GraphQL API authentication including support for OAuth 2.0, JWT’s, OpenID Connect and more
  • Rate limit and quotas for GraphQL APIs
  • Query depth limiting for limiting the possibility of deeply nested and potentially malicious queries aiming to cause a denial of service attack.
  • Field-based permissions to specify which users have access to what fields

Tyk’s Universal Data Graph is another GraphQL feature which allows users to build GraphQL endpoints using their existing infrastructure and service code. First, the user will create a GraphQL schema which outlines the data they would like to expose through the GraphQL endpoint. After the schema is defined, users then map in their data using a data source which leverages existing RESTful or GraphQL endpoints.

And there’s more!

The above outline just a few of the highlights of our “batteries-included” approach to API management. These features are meant to give users the best API management toolkit possible while keeping cost and experience consistent across all of our offerings. The easiest way to discover all of our great features is to sign up for a free trial of Tyk, browse through our docs, and try out all of Tyk’s API Management offering for yourself. Batteries are included.