Cloud Login Install

Update a Tyk OAS API

Introduction

As developers working on API development, it can be necessary for us to regularly update our API definition as, for example, we add endpoints or support new methods. This definition is normally generated either from our codebase or created using API design tools (such as Swagger Editor, Postman and Stoplight).

One of the most powerful features of working with Tyk OAS is that you can make changes to your Tyk OAS API Definition or OpenAPI Document outside Tyk and then use this updated description to update the Tyk OAS API. You can simply update the configuration on Tyk without having to make any changes to the Tyk Gateway configuration (x-tyk-api-gateway).

In this section will walk you through different methods you can use to Update a Tyk OAS API using the Tyk Gateway API, Tyk Dashboard API and Tyk Dashboard GUI.

Note

Tyk OAS API support is currently in Early Access and some Tyk features are not yet supported. You can see the status of what is and isn’t yet supported here.

Differences between using the Tyk Dashboard API and Tyk Gateway API

The examples in these tutorials have been written assuming that you are using the Tyk Gateway API.

You can also run these steps using the Tyk Dashboard API, noting the differences summarised here:

Interface Port Endpoint Authorization Header Authorization credentials
Tyk Gateway API 8080 tyk/apis/oas x-tyk-authorization secret value set in tyk.conf
Tyk Dashboard API 3000 api/apis/oas authorization From Dashboard User Profile
  • When using the Tyk Dashboard API, you can find your credentials key from your User Profile > Edit Profile > Tyk Dashboard API Access Credentials

Note

You will also need to have ‘admin’ or ‘api’ rights if RBAC is enabled.

Tutorial 1: Create and update a keyless Tyk OAS API

Click to expand tutorial

Step 1: Create an initial API

Following the instructions to create a Tyk OAS API, create a new API by sending this Tyk OAS API Definition to the Gateway API endpoint (this is an example that contains the very minimal required fields).

Remember to set the x-tyk-authorization value in your request header and curl the domain name and port to be the correct values for your environment.

curl --location --request POST 'http://{your-tyk-host}:{port}/tyk/apis/oas' \
--header 'x-tyk-authorization: {your-secret}' \
--header 'Content-Type: text/plain' \
--data-raw 
'{
  "info": {
    "title": "Petstore",
    "version": "1.0.0"
  },
  "openapi": "3.0.3",
  "components": {},
  "paths": {},
  "x-tyk-api-gateway": {
    "info": {
      "name": "Petstore",
      "state": {
        "active": true
      }
    },
    "upstream": {
      "url": "https://petstore.swagger.io/v2"
    },
    "server": {
      "listenPath": {
        "value": "/petstore/",
        "strip": true
      }
    }
  }
}'

If the command succeeds, you will see the following response, where key contains the unique identifier (id) for the API you have just created:

{
    "key": {NEW-API-ID},
    "status": "ok",
    "action": "added"
}

Once you have created your API, you will need to either restart the Tyk Gateway, or issue a hot reload command:

curl -H "x-tyk-authorization: {your-secret}" -s http://{your-tyk-host}:{port}/tyk/reload/group

Step 2: Update your API with a new endpoint

Let’s say that you have updated your API definition by adding details of the POST /pet path of the Petstore API.

You simply update your Tyk OAS API Definition and send it to the Tyk Gateway using a PUT request to the /apis/oas endpoint.

Property Description
Resource URL /tyk/apis/oas/{API-ID}
Method PUT
Type None
Body Tyk OAS API Definition
Parameters Path: {API-ID}

To direct the update to the correct Tyk OAS API, you need to specify the API-ID value from the response you received from Tyk when creating the API. You can find this in the x-tyk-api-gateway.info.id field of the Tyk OAS API Definition that Tyk has stored in the /apps folder of your Tyk Gateway.

Remember to set the x-tyk-authorization value in your request header and the domain name and port to be the correct values for your environment as you use this command to update your API:

curl --location --request PUT 'http://{your-tyk-host}:{port}/tyk/apis/oas/{API-ID}' \
--header 'x-tyk-authorization: {your-secret}' \
--header 'Content-Type: text/plain' \
--data-raw 
'{
    "info": {
        "title": "Petstore",
        "version": "1.0.0"
    },
    "openapi": "3.0.3",
    "components": {},
    "paths": {
        "/pet": {
            "post": {
                "operationId": "addPet",
                "requestBody": {
                    "$ref": "#/components/requestBodies/Pet"
                },
                "responses": {
                    "405": {
                        "description": "Invalid input"
                    }
                },
                "summary": "Add a new pet to the store",
                "tags": [
                    "pet"
                ]
            }
        }
    },
    "x-tyk-api-gateway": {
        "info": {
            "name": "Petstore",
            "id": {API-ID},
            "state": {
                "active": true
            }
        },
        "upstream": {
            "url": "https://petstore.swagger.io/v2"
        },
        "server": {
            "listenPath": {
                "value": "/petstore/",
                "strip": true
            }
        }
    }
}'

If the command succeeds, you will see the following response, where key contains the unique identifier (id) for the API you have just updated:

{
    "key": {API-ID},
    "status": "ok",
    "action": "modified"
}

Once you have updated your API, you will need to either restart the Tyk Gateway, or issue a hot reload command:

curl -H "x-tyk-authorization: {your-secret}" -s http://{your-tyk-host}:{port}/tyk/reload/group

What did you just do?

You sent an updated Tyk OAS API Definition to the Tyk Gateway’s /apis/oas endpoint.

For a next step, continue to tutorial 2, where we will protect the new API by enabling authentication.

Tutorial 2: Update your API with authentication

You’ve now got an API deployed on your Tyk Gateway, but it is keyless - anyone can access it without authenticating themselves. Let’s now add some security so that you can control who can access your service.

Click to expand tutorial

Step 1: Modify your Tyk OAS API Definition

Update your Tyk OAS API Definition as follows, configuring the authentication method to require an API key to access your API:

...
"basic-config-and-security/security":[
  {
      "api_key":[
        
      ]
  }
],
...
"components": {
  "securitySchemes": {
    "api_key": {
        "in": "header",
        "name": "api_key",
        "type": "apiKey"
    }
  }
  ....
}
...
"x-tyk-api-gateway": {
  ...
  "server": {
    ...
    "authentication": {
      "enabled": true,
      "securitySchemes": {
        "api_key": {
          "enabled": true
        }
      }
    }
  }
}

You can check out an example of a full Tyk OAS API definition here.

Step 2: Update the Tyk OAS API

You need to update the configuration of your API on your Tyk Gateway. As before, you do this by sending a PUT request passing the updated Tyk OAS API Definition.

Remember to set the x-tyk-authorization value in your request header and the domain name and port to be the correct values for your environment. The path parameter is, again, the unique API Id that was assigned when you first created the API in Tyk Gateway.

Here’s the command:

curl --location --request PUT 'http://{your-tyk-host}:{port}/tyk/apis/oas/{API-ID}' \
--header 'x-tyk-authorization: {your-secret}' \
--header 'Content-Type: text/plain' \
--data-raw 
'{
    "info": {
        "title": "Petstore",
        "version": "1.0.0"
    },
    "openapi": "3.0.3",
    "basic-config-and-security/security":[
      {
          "api_key":[
            
          ]
      }
    ],   
    "components": {
      "securitySchemes": {
        "api_key": {
            "in": "header",
            "name": "api_key",
            "type": "apiKey"
        }
      },
    },
    "paths": {
      "/pet": {
          "post": {
              "operationId": "addPet",
              "requestBody": {
                  "$ref": "#/components/requestBodies/Pet"
              },
              "responses": {
                  "405": {
                      "description": "Invalid input"
                  }
              },
              "summary": "Add a new pet to the store",
              "tags": [
                  "pet"
              ]
          }
      }
    },
    "x-tyk-api-gateway": {
      "info": {
          "name": "Petstore",
          "id": {API-ID},
          "state": {
              "active": true
          }
      },
      "upstream": {
          "url": "https://petstore.swagger.io/v2"
      },
      "server": {
          "listenPath": {
              "value": "/petstore/",
              "strip": true
          }
        "authentication": {
          "enabled": true,
          "securitySchemes": {
            "api_key": {
              "enabled": true
            }
          }
        }
      }
    }
  }'

If the command succeeds, you will see the following response, where key contains the unique identifier (id) for the API you have just updated:

{
    "key": {API-ID},
    "status": "ok",
    "action": "added"
}

Once you have updated your API, don’t forget you need to either restart the Tyk Gateway, or issue a hot reload command to ensure it is loaded into the Gateway ready to handle traffic:

curl -H "x-tyk-authorization: {your-secret}" -s http://{your-tyk-host}:{port}/tyk/reload/group

Step 3: Test your protected API

  1. Send a request without any credentials
curl --location --request POST 'http://{your-tyk-host}:{port}/petstore/pet/' \
--header 'accept: */*' \
--header 'Content-Type: application/json'
--data-raw 
'{
    "category": {
        "id": 0,
        "name": "dogs"
    },
    "name": "labrador",
    "photoUrls": [],
    "tags": [
        {
            "id": 0,
            "name": "family_dogs"
        }
    ],
    "status": "available"
}'

You will see the following response:

{
  "error": "Authorization field missing"
}
  1. Send a request with incorrect credentials
curl --location --request GET ''http://{your-tyk-host}:{port}/petstore/pet/123' \
--header 'accept: */*' \
--header 'Content-Type: application/json' \
--header 'api_key: 12345'
--data-raw 
'{
    "id": 0,
    "category": {
        "id": 0,
        "name": "dogs"
    },
    "name": "labrador",
    "photoUrls": [],
    "tags": [
        {
            "id": 0,
            "name": "family_dogs"
        }
    ],
    "status": "available"
}'

You will see the following response:

{
  "error": "Access to this API has been disallowed"
}
  1. Send a request with correct credentials

Obtain an API key from your Tyk Gateway and provide this in your curl command in place of $(API_KEY) as follows:

curl --location --request GET '${GATEWAY_URL}/petstore-test/pet/123' \
--header 'accept: */*' \
--header 'Content-Type: application/json' \
--header 'api_key: ${API_KEY}'
--data-raw 
'{
    "id": 0,
    "category": {
        "id": 0,
        "name": "dogs"
    },
    "name": "labrador",
    "photoUrls": [],
    "tags": [
        {
            "id": 0,
            "name": "family_dogs"
        }
    ],
    "status": "available"
}'

If the command succeeds, you will receive an HTTP 200 response with the following payload:

{
    "id": {ALLOCATED_ID},
    "category": {
        "id": 0,
        "name": "dogs"
    },
    "name": "labrador",
    "photoUrls": [],
    "tags": [
        {
            "id": 0,
            "name": "family_dogs"
        }
    ],
    "status": "available"
}

Congratulations! You have just created your first keyless Tyk OAS API, then protected it using Tyk.

Tutorial 3: Update Tyk OAS API definition with an updated OpenAPI definition

Step 1: Create an Initial API

Following the instructions to create a Tyk OAS API, create a new API by sending this Tyk OAS API Definition to the Gateway API endpoint (this is an example that contains the very minimal required fields).

Remember to set the x-tyk-authorization value in your request header and curl the domain name and port to be the correct values for your environment.

curl --location --request POST 'http://{your-tyk-host}:{port}/tyk/apis/oas' \
--header 'x-tyk-authorization: {your-secret}' \
--header 'Content-Type: text/plain' \
--data-raw 
'{
  "info": {
    "title": "Petstore",
    "version": "1.0.0"
  },
  "openapi": "3.0.3",
  "components": {},
  "paths": {},
  "x-tyk-api-gateway": {
    "info": {
      "name": "Petstore",
      "state": {
        "active": true
      }
    },
    "upstream": {
      "url": "https://petstore.swagger.io/v2"
    },
    "server": {
      "listenPath": {
        "value": "/petstore/",
        "strip": true
      }
    }
  }
}'

If the command succeeds, you will see the following response, where key contains the unique identifier (id) for the API you have just created:

{
    "key": {NEW-API-ID},
    "status": "ok",
    "action": "added"
}

Once you have created your API, you will need to either restart the Tyk Gateway, or issue a hot reload command:

curl -H "x-tyk-authorization: {your-secret}" -s http://{your-tyk-host}:{port}/tyk/reload/group

Step 2: Update the OpenAPI Document

Now let’s assume you made a change in your API definition (as mentioned above, from code or a tool, outside Tyk’s domain). The change could be adding a new path, changing a description or anything that changes the definition of the API.

In this example we added a new endpoint, POST /pet, with a schema that validates the payload it receives (requestBody.content.application/json.schema) and a new security scheme.

You can see the updated OpenAPI Document in the next step.

Step 3: Update the Tyk OAS API using the OpenAPI Document

You can update your Tyk OAS API by providing just the OpenAPI Document, using the PATCH request.

Tyk will use the content of the OpenAPI Document to update just the OpenAPI section in the Tyk OAS API definition.

Property Description
Resource URL /tyk/apis/oas/{API-ID}
Method PATCH
Type None
Body OAS API Definition
Parameters Path: {API-ID}
curl --location --request PATCH 'http://{your-tyk-host}:{port}/tyk/apis/oas/{API-ID}' \
--header 'x-tyk-authorization: {your-secret}' \
--header 'Content-Type: text/plain' \
--data-raw '{
   "info":{
      "title":"Petstore",
      "version":"1.0.0"
   },
   "openapi":"3.0.3",
   "basic-config-and-security/security":[
      {
         "api_key":[
            
         ]
      }
   ],
   "components":{
      "securitySchemes":{
         "api_key":{
            "type":"apiKey",
            "name":"api_key",
            "in":"header"
         }
      },
      "schemas":{
         "Pet":{
            "required":[
               "name"
            ],
            "type":"object",
            "properties":{
               "id":{
                  "type":"integer",
                  "format":"int64",
                  "example":10
               },
               "name":{
                  "type":"string",
                  "example":"doggie"
               },
               "category":{
                  "type":"string",
                  "example":"dog"
               },
               "status":{
                  "type":"string",
                  "description":"pet status in the store",
                  "enum":[
                     "available",
                     "pending",
                     "sold"
                  ]
               }
            }
         }
      }
   },
   "paths":{
      "/pet":{
         "post":{
            "operationId":"addPet",
            "requestBody":{
               "description":"Update an existent pet in the store",
               "content":{
                  "application/json":{
                     "schema":{
                        "$ref":"#/components/schemas/Pet"
                     }
                  }
               },
               "required":true
            },
            "responses":{
               "405":{
                  "description":"Invalid input"
               }
            },
            "summary":"Add a new pet to the store",
            "tags":[
               "pet"
            ]
         }
      }
   }
}'

If the command succeeds, you will see the following response, where key contains the unique identifier (id) for the API you have just updated:

{
    "key": {API-ID},
    "status": "ok",
    "action": "modified"
}

Once you have created your API, you will need to either restart the Tyk Gateway, or issue a hot reload command:

curl -H "x-tyk-authorization: {your-secret}" -s http://{your-tyk-host}:{port}/tyk/reload/group

Step 4: Protect your API based on the OpenAPI definition

You have now updated the Tyk OAS API definition with a new OpenAPI Document, that describes a new security mechanism. In order for Tyk Gateway to start protecting the API using this authentication mechanism, it needs to be enabled within the Tyk section of the Tyk OAS API definition.

To do this you would add the query parameter authentication=true to the PATCH request you just performed: this tells Tyk to automatically enable authentication, based on the settings in the OpenAPI definition.

Property Description
Resource URL /tyk/apis/oas/{API-ID}
Method PATCH
Type None
Body OAS API Definition
Parameters Path: {API-ID} Query: authentication

You can do this now, passing in the same OpenAPI Document again:

curl --location --request PATCH 'http://{your-tyk-host}:{port}/tyk/apis/oas/{API-ID}?authentication=true' \
--header 'x-tyk-authorization: {your-secret}' \
--header 'Content-Type: text/plain' \
--data-raw '{
    "info": {
        "title": "Petstore",
        "version": "1.0.0"
    },
    "openapi": "3.0.3",
    "basic-config-and-security/security": [
      {
        "api_key": []
      }
    ],
    "components": {
      "securitySchemes": {
        "api_key": {
          "type": "apiKey",
          "name": "api_key",
          "in": "header"
        }
      }
    },
    "paths": {
        "/pet": {
            "post": {
                "operationId": "addPet",
                "requestBody": {
                    "$ref": "#/components/requestBodies/Pet"
                },
                "responses": {
                    "405": {
                        "description": "Invalid input"
                    }
                },
                "summary": "Add a new pet to the store",
                "tags": [
                    "pet"
                ]
            }
        }
    }
}'

If the command succeeds, you will see the following response, where key contains the unique identifier (id) for the API you have just updated:

{
    "key": {API-ID},
    "status": "ok",
    "action": "modified"
}

Once you have updated your API, don’t forget that you need to either restart the Tyk Gateway, or issue a hot reload command:

curl -H "x-tyk-authorization: {your-secret}" -s http://{your-tyk-host}:{port}/tyk/reload/group

Step 5: Check your OAS API definition

Go to the /apps folder of your Tyk Gateway installation (by default in /var/tyk-gateway) and check the newly modified Tyk OAS API Definition. You’ll notice that the following configuration has been added under the x-tyk-api-gateway section, which now tells your Tyk Gateway to protect your API using an Authentication token.

{
  ...
  "x-tyk-api-gateway": {
    ...
    "server": {
      ...
      "authentication": {
        "enabled": true,
        "securitySchemes": {
          "api_key": {
            "enabled": true,
            "header": {
              "enabled": true
            }
          }
        }
      }
    }
  }
}

What did you just do?

You sent an updated OpenAPI Document to the Tyk Gateway’s /apis/oas endpoint using the PATCH method and automatically configured Tyk to use the security settings in that document by setting the query parameter authentication=true.

You have updated a Tyk OAS API, enabling authentication, using only the OpenAPI Document. You didn’t have to work with the Tyk OAS API Definition, Tyk handled that for you.