
# Tyk Gateway Configuration Options

> Configuration options and environment variables for Tyk Gateway.

You can use environment variables to override the config file for the Tyk Gateway. The Gateway configuration file can be found in the `tyk-gateway` folder and by default is called `tyk.conf`, though it can be renamed and specified using the `--conf` flag. Environment variables are created from the dot notation versions of the JSON objects contained within the config file.
To understand how the environment variables notation works, see [Environment Variables](/5.12/tyk-oss-gateway/configuration).

All the Gateway environment variables have the prefix `TYK_GW_`. The environment variables will take precedence over the values in the configuration file.

### Environment Variable Type Mapping

When configuring Tyk components using environment variables, it's important to understand how different data types are represented. The type of each variable is based on its definition in the Go source code. This section provides a guide on how to format values for common data types.

| Go Type                  | Environment Variable Format                | Example                                                              |
| ------------------------ | ------------------------------------------ | -------------------------------------------------------------------- |
| `string`                 | A regular string of text.                  | `TYK_GW_SECRET="mysecret"`                                           |
| `int`, `int64`           | A whole number.                            | `TYK_GW_LISTENPORT=8080`                                             |
| `bool`                   | `true` or `false`.                         | `TYK_GW_USEDBAPPCONFIG=true`                                         |
| `[]string`               | A comma-separated list of strings.         | `TYK_PMP_PUMPS_STDOUT_FILTERS_SKIPPEDAPIIDS="api1,api2,api3"`        |
| `map[string]string`      | A comma-separated list of key:value pairs. | `TYK_GW_GLOBALHEADERS="X-Tyk-Test:true,X-Tyk-Version:1.0"`           |
| `map[string]interface{}` | A JSON string representing the object.     | `TYK_GW_POLICIES_POLICYSOURCE_CONFIG='{"connection_string": "..."}'` |

<Note>
  For complex types like `map[string]interface{}`, the value should be a valid JSON string. For `[]string` and `map[string]string`, ensure there are no spaces around the commas unless they are part of the value itself.
</Note>

### tyk lint

In **v2.4** we added a new `tyk lint` command, which validates your `tyk.conf` file for syntax correctness, misspelled attribute names and the format of values. The syntax is:

`tyk lint` or `tyk --conf=path lint`

If `--conf` is not used, the first of the following paths to exist is used:

* `./tyk.conf`
* `/etc/tyk/tyk.conf`

### hostname

ENV: <b>TYK\_GW\_HOSTNAME</b><br />
Type: `string`<br />

Force your Gateway to work only on a specific domain name. Can be overridden by API custom domain.

### listen\_address

ENV: <b>TYK\_GW\_LISTENADDRESS</b><br />
Type: `string`<br />

If your machine has multiple network devices or IPs you can force the Gateway to use the IP address you want.

### listen\_port

ENV: <b>TYK\_GW\_LISTENPORT</b><br />
Type: `int`<br />

Setting this value will change the port that Tyk listens on. Default: 8080.

### control\_api\_hostname

ENV: <b>TYK\_GW\_CONTROLAPIHOSTNAME</b><br />
Type: `string`<br />

Custom hostname for the Control API

### control\_api\_port

ENV: <b>TYK\_GW\_CONTROLAPIPORT</b><br />
Type: `int`<br />

Set this to expose the Tyk Gateway API on a separate port. You can protect it behind a firewall if needed. Please make sure you follow this guide when setting the control port [https://tyk.io/docs/tyk-self-managed/#change-your-control-port](https://tyk.io/docs/tyk-self-managed/#change-your-control-port).

### secret

ENV: <b>TYK\_GW\_SECRET</b><br />
Type: `string`<br />

This should be changed as soon as Tyk is installed on your system.
This value is used in every interaction with the Tyk Gateway API. It should be passed along as the X-Tyk-Authorization header in any requests made.
Tyk assumes that you are sensible enough not to expose the management endpoints publicly and to keep this configuration value to yourself.

### node\_secret

ENV: <b>TYK\_GW\_NODESECRET</b><br />
Type: `string`<br />

The shared secret between the Gateway and the Dashboard to ensure that API Definition downloads, heartbeat and Policy loads are from a valid source.

### pid\_file\_location

ENV: <b>TYK\_GW\_PIDFILELOCATION</b><br />
Type: `string`<br />

Linux PID file location. Do not change unless you know what you are doing. Default: /var/run/tyk/tyk-gateway.pid

### allow\_insecure\_configs

ENV: <b>TYK\_GW\_ALLOWINSECURECONFIGS</b><br />
Type: `bool`<br />

Can be set to disable Dashboard message signature verification. When set to `true`, `public_key_path` can be ignored.

### public\_key\_path

ENV: <b>TYK\_GW\_PUBLICKEYPATH</b><br />
Type: `string`<br />

Used while communicating with the Dashboard. By default, all messages are signed by a private/public key pair; set this to the path of the public key.

### allow\_remote\_config

ENV: <b>TYK\_GW\_ALLOWREMOTECONFIG</b><br />
Type: `bool`<br />

Allow your Dashboard to remotely set Gateway configuration via the Nodes screen.

### enable\_config\_inspection

ENV: <b>TYK\_GW\_ENABLECONFIGINSPECTION</b><br />
Type: `bool`<br />

Set to true to enable the `/config` and `/env` endpoints for configuration inspection.
Default: false

### security

Global Certificate configuration

### security.private\_certificate\_encoding\_secret

ENV: <b>TYK\_GW\_SECURITY\_PRIVATECERTIFICATEENCODINGSECRET</b><br />
Type: `string`<br />

Set the AES256 secret which is used to encode certificate private keys when they are uploaded via certificate storage

### security.control\_api\_use\_mutual\_tls

ENV: <b>TYK\_GW\_SECURITY\_CONTROLAPIUSEMUTUALTLS</b><br />
Type: `bool`<br />

Enable Gateway Control API to use Mutual TLS. Certificates can be set via `security.certificates.control_api` section

### security.pinned\_public\_keys

ENV: <b>TYK\_GW\_SECURITY\_PINNEDPUBLICKEYS</b><br />
Type: `map[string]string`<br />

Specify public keys used for Certificate Pinning on global level.

### security.allow\_unsafe\_dynamic\_mtls\_token

ENV: <b>TYK\_GW\_SECURITY\_ALLOWUNSAFEDYNAMICMTLSTOKEN</b><br />
Type: `bool`<br />

AllowUnsafeDynamicMTLSToken is provided for backward compatibility with clients that are authorized using just the token for APIs secured with legacy Dynamic mTLS. If set to false (default), the client certificate must be presented and the mTLS handshake will be enforced. This is the recommended setting.

### security.certificates.upstream

ENV: <b>TYK\_GW\_SECURITY\_CERTIFICATES\_UPSTREAM</b><br />
Type: `map[string]string`<br />

Upstream is used to specify the certificates to be used in mutual TLS connections to upstream services. These are set at gateway level as a map of domain -> certificate id or path.
For example if you want Tyk to use the certificate `ab23ef123` for requests to the `example.com` upstream and `/certs/default.pem` for all other upstreams then:
In `tyk.conf` you would configure `"security": {"certificates": {"upstream": {"*": "/certs/default.pem", "example.com": "ab23ef123"}}}`
And if using environment variables you would set this to `*:/certs/default.pem,example.com:ab23ef123`.
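The environment-variable forms from the type mapping table above and the `security.certificates.upstream` example are easy to get subtly wrong (a stray space, a missing `:`), and a silently dropped entry means no client certificate is presented to that upstream. The following Go program is an added example, not Tyk's own code: it parses the `[]string` and `map[string]string` formats, rejects malformed pairs instead of dropping them, and resolves the certificate for a host with the `*` fallback. The function names are hypothetical, and it assumes map keys are bare hostnames without ports.

```go
package main

import (
	"fmt"
	"strings"
)

// parseStringList decodes the []string environment-variable format from the
// type mapping table ("api1,api2,api3"). Nothing is trimmed, matching the note
// that spaces around commas become part of the value.
func parseStringList(v string) []string {
	if v == "" {
		return nil
	}
	return strings.Split(v, ",")
}

// parseStringMap decodes the map[string]string format ("k1:v1,k2:v2"). Only
// the first ':' in each pair separates key from value, so a value may itself
// contain ':'. A pair without a ':' or with an empty key is rejected rather
// than silently dropped, so a typo in TYK_GW_SECURITY_CERTIFICATES_UPSTREAM
// cannot quietly disable mTLS to an upstream.
func parseStringMap(v string) (map[string]string, error) {
	m := make(map[string]string)
	if v == "" {
		return m, nil
	}
	for _, pair := range strings.Split(v, ",") {
		kv := strings.SplitN(pair, ":", 2)
		if len(kv) != 2 || kv[0] == "" {
			return nil, fmt.Errorf("malformed key:value pair %q", pair)
		}
		m[kv[0]] = kv[1]
	}
	return m, nil
}

// upstreamCertFor resolves the certificate id or path to present to an
// upstream host from the domain -> certificate map, falling back to the "*"
// entry. It returns "" when neither an exact nor a wildcard entry exists, so
// the caller can fail closed instead of connecting without a client cert.
// Assumption (not stated on the page): keys are bare hostnames without ports.
func upstreamCertFor(certs map[string]string, host string) string {
	if c, ok := certs[host]; ok {
		return c
	}
	return certs["*"]
}

func main() {
	// Constructed input: the environment-variable form of the example above.
	certs, err := parseStringMap("*:/certs/default.pem,example.com:ab23ef123")
	if err != nil {
		panic(err)
	}
	fmt.Println(upstreamCertFor(certs, "example.com"))    // ab23ef123
	fmt.Println(upstreamCertFor(certs, "other.internal")) // /certs/default.pem
	fmt.Println(parseStringList("api1,api2,api3"))        // [api1 api2 api3]
}
```

Returning an error for a malformed pair, rather than skipping it, is the design choice worth copying: a configuration that fails to load is noticed at startup, whereas an upstream that quietly loses its client certificate is noticed only when the mTLS handshake fails in production.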

### security.certificates.control\_api

ENV: <b>TYK\_GW\_SECURITY\_CERTIFICATES\_CONTROLAPI</b><br />
Type: `[]string`<br />

Certificates used for Control API Mutual TLS

### security.certificates.dashboard\_api

ENV: <b>TYK\_GW\_SECURITY\_CERTIFICATES\_DASHBOARD</b><br />
Type: `[]string`<br />

Used for communicating with the Dashboard if it is configured to use Mutual TLS

### security.certificates.mdcb\_api

ENV: <b>TYK\_GW\_SECURITY\_CERTIFICATES\_MDCB</b><br />
Type: `[]string`<br />

Certificates used for MDCB Mutual TLS

### security.certificate\_expiry\_monitor

CertificateExpiryMonitor configures the certificate expiry monitoring and notification feature

### security.certificate\_expiry\_monitor.warning\_threshold\_days

ENV: <b>TYK\_GW\_SECURITY\_CERTIFICATEEXPIRYMONITOR\_WARNINGTHRESHOLDDAYS</b><br />
Type: `int`<br />

WarningThresholdDays specifies the number of days before certificate expiry that the Gateway will start generating CertificateExpiringSoon events when the certificate is used
Default: DefaultWarningThresholdDays (30 days)

### security.certificate\_expiry\_monitor.check\_cooldown\_seconds

ENV: <b>TYK\_GW\_SECURITY\_CERTIFICATEEXPIRYMONITOR\_CHECKCOOLDOWNSECONDS</b><br />
Type: `int`<br />

CheckCooldownSeconds specifies the minimum time in seconds that the Gateway will leave between checking for the expiry of a certificate when it is used in an API request - if a certificate is used repeatedly this prevents unnecessary expiry checks
Default: DefaultCheckCooldownSeconds (3600 seconds = 1 hour)

### security.certificate\_expiry\_monitor.event\_cooldown\_seconds

ENV: <b>TYK\_GW\_SECURITY\_CERTIFICATEEXPIRYMONITOR\_EVENTCOOLDOWNSECONDS</b><br />
Type: `int`<br />

EventCooldownSeconds specifies the minimum time in seconds between firing the same certificate expiry event - this prevents unnecessary events from being generated for an expiring or expired certificate being used repeatedly; note that the higher of the value configured here or the default (DefaultEventCooldownSeconds) will be applied
Default: DefaultEventCooldownSeconds (86400 seconds = 24 hours)
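The three settings above interact: a check runs only once per check cooldown per certificate, and an event fires only once per event cooldown per certificate and event type, with the event cooldown never going below the default. The Go program below is an added example written to illustrate that interaction; it is not Tyk's implementation. `CertificateExpiringSoon` is the event name given on the page; `CertificateExpired`, the struct and function names, and the injected clock are assumptions for this example.

```go
package main

import (
	"fmt"
	"time"
)

// Defaults as documented above (30 days, 1 hour, 24 hours).
const (
	defaultWarningThresholdDays = 30
	defaultCheckCooldownSeconds = 3600
	defaultEventCooldownSeconds = 86400
)

// Event names: CertificateExpiringSoon is named on the page; CertificateExpired
// is an assumed name for the "expired certificate" case the page mentions.
const (
	eventExpiringSoon = "CertificateExpiringSoon"
	eventExpired      = "CertificateExpired"
)

type ExpiryMonitorConfig struct {
	WarningThresholdDays int
	CheckCooldownSeconds int
	EventCooldownSeconds int
}

// ExpiryMonitor remembers, per certificate id, when it was last checked and
// when each event was last fired. The clock is injected so the cooldown
// behaviour can be tested deterministically.
type ExpiryMonitor struct {
	cfg       ExpiryMonitorConfig
	now       func() time.Time
	lastCheck map[string]time.Time
	lastEvent map[string]time.Time
}

func NewExpiryMonitor(cfg ExpiryMonitorConfig, now func() time.Time) *ExpiryMonitor {
	if cfg.WarningThresholdDays <= 0 {
		cfg.WarningThresholdDays = defaultWarningThresholdDays
	}
	if cfg.CheckCooldownSeconds <= 0 {
		cfg.CheckCooldownSeconds = defaultCheckCooldownSeconds
	}
	// The higher of the configured value and the default applies (see above).
	if cfg.EventCooldownSeconds < defaultEventCooldownSeconds {
		cfg.EventCooldownSeconds = defaultEventCooldownSeconds
	}
	return &ExpiryMonitor{cfg: cfg, now: now,
		lastCheck: map[string]time.Time{}, lastEvent: map[string]time.Time{}}
}

// OnCertUsed is called each time certID is used in an API request. It returns
// the event to emit, or "" when the check is still in cooldown, the
// certificate is healthy, or the same event already fired within its cooldown.
func (m *ExpiryMonitor) OnCertUsed(certID string, notAfter time.Time) string {
	now := m.now()
	checkCooldown := time.Duration(m.cfg.CheckCooldownSeconds) * time.Second
	if last, ok := m.lastCheck[certID]; ok && now.Sub(last) < checkCooldown {
		return ""
	}
	m.lastCheck[certID] = now

	var event string
	switch {
	case !notAfter.After(now):
		event = eventExpired
	case notAfter.Sub(now) <= time.Duration(m.cfg.WarningThresholdDays)*24*time.Hour:
		event = eventExpiringSoon
	default:
		return ""
	}
	eventCooldown := time.Duration(m.cfg.EventCooldownSeconds) * time.Second
	key := certID + "|" + event
	if last, ok := m.lastEvent[key]; ok && now.Sub(last) < eventCooldown {
		return ""
	}
	m.lastEvent[key] = now
	return event
}

func main() {
	m := NewExpiryMonitor(ExpiryMonitorConfig{}, time.Now)
	// Constructed: a certificate that expires in 10 days.
	notAfter := time.Now().Add(10 * 24 * time.Hour)
	fmt.Println(m.OnCertUsed("cert-1", notAfter))        // CertificateExpiringSoon
	fmt.Printf("%q\n", m.OnCertUsed("cert-1", notAfter)) // "" (check cooldown)
}
```

Note that the check cooldown still advances `lastCheck` even when no event is emitted, so a busy certificate is inspected at most once per hour regardless of how many events that inspection produces.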

### external\_services

ENV: <b>TYK\_GW\_EXTERNALSERVICES</b><br />
Type: `ExternalServiceConfig`<br />

External service configuration for proxy and mTLS support

### http\_server\_options

Gateway HTTP server configuration

### http\_server\_options.read\_timeout

ENV: <b>TYK\_GW\_HTTPSERVEROPTIONS\_READTIMEOUT</b><br />
Type: `int`<br />

API Consumer -> Gateway network read timeout. Not setting this config, or setting this to 0, defaults to 120 seconds

### http\_server\_options.write\_timeout

ENV: <b>TYK\_GW\_HTTPSERVEROPTIONS\_WRITETIMEOUT</b><br />
Type: `int`<br />

API Consumer -> Gateway network write timeout. Not setting this config, or setting this to 0, defaults to 120 seconds

<Note>
  If you set `proxy_default_timeout` to a value greater than 120 seconds, you must also increase [http\_server\_options.write\_timeout](/5.12/#http-server-options-write-timeout) to a value greater than `proxy_default_timeout`. The `write_timeout` setting defaults to 120 seconds and controls how long Tyk waits to write the response back to the client. If not adjusted, the client connection will be closed before the upstream response is received.
</Note>

### http\_server\_options.use\_ssl

ENV: <b>TYK\_GW\_HTTPSERVEROPTIONS\_USESSL</b><br />
Type: `bool`<br />

Set to true to enable SSL connections

### http\_server\_options.enable\_http2

ENV: <b>TYK\_GW\_HTTPSERVEROPTIONS\_ENABLEHTTP2</b><br />
Type: `bool`<br />

Enable HTTP2 protocol handling

### http\_server\_options.enable\_strict\_routes

ENV: <b>TYK\_GW\_HTTPSERVEROPTIONS\_ENABLESTRICTROUTES</b><br />
Type: `bool`<br />

EnableStrictRoutes changes the routing to avoid nearest-neighbour requests on overlapping routes

* if disabled, `/apple` will route to `/app`, the current default behavior,
* if enabled, `/app` only responds to `/app`, `/app/` and `/app/*` but not `/apple`

Regular expressions and parameterized routes will be left alone regardless of this setting.
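To make the nearest-neighbour behaviour concrete, the Go program below is an added example (not Tyk's router) that implements both matching modes for plain listen paths and picks the longest matching route. Function names are hypothetical; the routes and request paths are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// strictRouteMatch implements the enable_strict_routes semantics described
// above: a route such as "/app" matches exactly "/app", "/app/" and anything
// under "/app/", but not "/apple".
func strictRouteMatch(route, path string) bool {
	route = strings.TrimSuffix(route, "/")
	if route == "" {
		return true // the root listen path matches everything
	}
	return path == route || strings.HasPrefix(path, route+"/")
}

// looseRouteMatch is the default nearest-neighbour behaviour: any path that
// starts with the route string matches, so "/apple" is routed to "/app".
func looseRouteMatch(route, path string) bool {
	return strings.HasPrefix(path, route)
}

// pickRoute returns the longest route that matches path under the chosen
// mode, or "" when none does. Longest-match means "/apple" still reaches its
// own API when one is defined in either mode; the modes differ only when
// "/app" exists and "/apple" does not.
func pickRoute(routes []string, path string, strict bool) string {
	best := ""
	for _, r := range routes {
		ok := looseRouteMatch(r, path)
		if strict {
			ok = strictRouteMatch(r, path)
		}
		if ok && len(r) > len(best) {
			best = r
		}
	}
	return best
}

func main() {
	routes := []string{"/app"} // constructed: only /app is defined
	for _, p := range []string{"/app", "/app/", "/app/items", "/apple"} {
		fmt.Printf("%-11s loose=%-7q strict=%q\n", p,
			pickRoute(routes, p, false), pickRoute(routes, p, true))
	}
}
```

The security-relevant case is the last line of the output: with strict routes disabled a request for `/apple` is served by the `/app` API and therefore inherits its authentication and policies, which is rarely what the API owner intended.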

### http\_server\_options.enable\_path\_prefix\_matching

ENV: <b>TYK\_GW\_HTTPSERVEROPTIONS\_ENABLEPATHPREFIXMATCHING</b><br />
Type: `bool`<br />

EnablePathPrefixMatching changes how the gateway matches incoming URL paths against routes (patterns) defined in the API definition.
By default, the gateway uses wildcard matching. When EnablePathPrefixMatching is enabled, it switches to prefix matching. For example, a defined path such as `/json` will only match request URLs that begin with `/json`, rather than matching any URL containing `/json`.

The gateway checks the request URL against several variations depending on whether path versioning is enabled:

* Full path (listen path + version + endpoint): `/listen-path/v4/json`
* Non-versioned full path (listen path + endpoint): `/listen-path/json`
* Path without version (endpoint only): `/json`

For patterns that start with `/`, the gateway prepends `^` before performing the check, ensuring a true prefix match.
For patterns that start with `^`, the gateway will already perform prefix matching so EnablePathPrefixMatching will have no impact.
This option allows for more specific and controlled routing of API requests, potentially reducing unintended matches. Note that you may need to adjust existing route definitions when enabling this option.

Example:

With wildcard matching, `/json` might match `/api/v1/data/json`.
With prefix matching, `/json` would not match `/api/v1/data/json`, but would match `/json/data`.

Combining EnablePathPrefixMatching with EnablePathSuffixMatching will result in exact URL matching, with `/json` being evaluated as `^/json$`.

### http\_server\_options.enable\_path\_suffix\_matching

ENV: <b>TYK\_GW\_HTTPSERVEROPTIONS\_ENABLEPATHSUFFIXMATCHING</b><br />
Type: `bool`<br />

EnablePathSuffixMatching changes how the gateway matches incoming URL paths against routes (patterns) defined in the API definition.
By default, the gateway uses wildcard matching. When EnablePathSuffixMatching is enabled, it switches to suffix matching. For example, a defined path such as `/json` will only match request URLs that end with `/json`, rather than matching any URL containing `/json`.

The gateway checks the request URL against several variations depending on whether path versioning is enabled:

* Full path (listen path + version + endpoint): `/listen-path/v4/json`
* Non-versioned full path (listen path + endpoint): `/listen-path/json`
* Path without version (endpoint only): `/json`

For patterns that already end with `$`, the gateway will already perform suffix matching so EnablePathSuffixMatching will have no impact. For all other patterns, the gateway appends `$` before performing the check, ensuring a true suffix match.
This option allows for more specific and controlled routing of API requests, potentially reducing unintended matches. Note that you may need to adjust existing route definitions when enabling this option.

Example:

With wildcard matching, `/json` might match `/api/v1/json/data`.
With suffix matching, `/json` would not match `/api/v1/json/data`, but would match `/api/v1/json`.

Combining EnablePathSuffixMatching with EnablePathPrefixMatching will result in exact URL matching, with `/json` being evaluated as `^/json$`.
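The two sections above describe the same transformation from opposite ends: prefix matching prepends `^`, suffix matching appends `$`, and both together yield an exact match. The Go program below is an added example, not Tyk's code, that applies those rules to a pattern and tests it against the URL variants the gateway checks; `anchorPattern` and `pathMatches` are hypothetical names, and the request URLs are taken from the examples above.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// anchorPattern applies the prefix/suffix rules from the two sections above to
// an endpoint pattern: prefix matching prepends "^" to patterns that start
// with "/", and suffix matching appends "$" unless the pattern already ends
// with "$". A pattern already starting with "^" is left alone for prefix.
func anchorPattern(pattern string, prefix, suffix bool) string {
	if prefix && strings.HasPrefix(pattern, "/") {
		pattern = "^" + pattern
	}
	if suffix && !strings.HasSuffix(pattern, "$") {
		pattern += "$"
	}
	return pattern
}

// pathMatches compiles the anchored pattern and tests it against each URL
// variant the gateway checks (full versioned path, non-versioned full path,
// endpoint only). Unanchored matching anywhere in the string is the default
// "wildcard" behaviour; with both flags the pattern becomes an exact match.
func pathMatches(pattern string, prefix, suffix bool, variants []string) (bool, error) {
	re, err := regexp.Compile(anchorPattern(pattern, prefix, suffix))
	if err != nil {
		return false, err
	}
	for _, v := range variants {
		if re.MatchString(v) {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	// Constructed request URLs from the examples above.
	for _, url := range []string{"/api/v1/data/json", "/json/data", "/api/v1/json", "/json"} {
		wild, _ := pathMatches("/json", false, false, []string{url})
		pre, _ := pathMatches("/json", true, false, []string{url})
		suf, _ := pathMatches("/json", false, true, []string{url})
		exact, _ := pathMatches("/json", true, true, []string{url})
		fmt.Printf("%-18s wildcard=%-5v prefix=%-5v suffix=%-5v exact=%v\n",
			url, wild, pre, suf, exact)
	}
}
```

Running it shows why the defaults deserve a review on any API that attaches different middleware to different endpoints: under wildcard matching the `/json` endpoint's configuration also applies to `/api/v1/data/json`, which may not be the endpoint the author meant to protect.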

### http\_server\_options.ssl\_insecure\_skip\_verify

ENV: <b>TYK\_GW\_HTTPSERVEROPTIONS\_SSLINSECURESKIPVERIFY</b><br />
Type: `bool`<br />

Disable TLS verification. Required if you are using self-signed certificates.

### http\_server\_options.enable\_websockets

ENV: <b>TYK\_GW\_HTTPSERVEROPTIONS\_ENABLEWEBSOCKETS</b><br />
Type: `bool`<br />

Enable WebSockets and server-sent events support

### http\_server\_options.certificates

ENV: <b>TYK\_GW\_HTTPSERVEROPTIONS\_CERTIFICATES</b><br />
Type: `CertsData`<br />

Deprecated: Use `ssl_certificates` instead.

### http\_server\_options.ssl\_certificates

ENV: <b>TYK\_GW\_HTTPSERVEROPTIONS\_SSLCERTIFICATES</b><br />
Type: `[]string`<br />

Index of certificates available to the Gateway for use in client and upstream communication.
Each string value in the array can be either of the following:

1. The ID assigned to and used to identify a certificate in the Tyk Certificate Store
2. The path to a file accessible to the Gateway. This PEM file must contain the private key and public certificate pair concatenated together.

### http\_server\_options.server\_name

ENV: <b>TYK\_GW\_HTTPSERVEROPTIONS\_SERVERNAME</b><br />
Type: `string`<br />

Start your Gateway HTTP server on specific server name

### http\_server\_options.min\_version

ENV: <b>TYK\_GW\_HTTPSERVEROPTIONS\_MINVERSION</b><br />
Type: `uint16`<br />

Minimum TLS version. Possible values: [https://tyk.io/docs/api-management/certificates#tls-or-ssl](https://tyk.io/docs/api-management/certificates#tls-or-ssl)

### http\_server\_options.max\_version

ENV: <b>TYK\_GW\_HTTPSERVEROPTIONS\_MAXVERSION</b><br />
Type: `uint16`<br />

Maximum TLS version.

### http\_server\_options.skip\_client\_ca\_announcement

ENV: <b>TYK\_GW\_HTTPSERVEROPTIONS\_SKIPCLIENTCAANNOUNCEMENT</b><br />
Type: `bool`<br />

When mTLS is enabled, this option allows the client CA announcement to be skipped in the TLS handshake.
This is useful when you have a lot of client CAs and want to reduce the handshake overhead, as some clients can hit TLS handshake limits.
With this option set, the client receives no hint about which certificate to pick (but it is very rare for such a hint to be required).

### http\_server\_options.flush\_interval

ENV: <b>TYK\_GW\_HTTPSERVEROPTIONS\_FLUSHINTERVAL</b><br />
Type: `int`<br />

Set this to the number of seconds that Tyk uses to flush content from the proxied upstream connection to the open downstream connection.
This option needs to be set for streaming protocols such as server-sent events or gRPC streaming.

### http\_server\_options.skip\_url\_cleaning

ENV: <b>TYK\_GW\_HTTPSERVEROPTIONS\_SKIPURLCLEANING</b><br />
Type: `bool`<br />

Allow the use of a double slash in a URL path. This can be useful if you need to pass raw URLs to your API endpoints.
For example: `http://myapi.com/get/http://example.com`.

### http\_server\_options.skip\_target\_path\_escaping

ENV: <b>TYK\_GW\_HTTPSERVEROPTIONS\_SKIPTARGETPATHESCAPING</b><br />
Type: `bool`<br />

Disable automatic character escaping, allowing the original URL path data to be passed to the upstream.

### http\_server\_options.ssl\_ciphers

ENV: <b>TYK\_GW\_HTTPSERVEROPTIONS\_CIPHERS</b><br />
Type: `[]string`<br />

Custom SSL ciphers applicable when using TLS version 1.2. See the list of ciphers here [https://tyk.io/docs/api-management/certificates#supported-tls-cipher-suites](https://tyk.io/docs/api-management/certificates#supported-tls-cipher-suites)

### http\_server\_options.max\_request\_body\_size

ENV: <b>TYK\_GW\_HTTPSERVEROPTIONS\_MAXREQUESTBODYSIZE</b><br />
Type: `int64`<br />

MaxRequestBodySize configures a maximum size limit for request body size (in bytes) for all APIs on the Gateway.

Tyk Gateway will evaluate all API requests against this size limit and will respond with HTTP 413 status code if the body of the request is larger.

Two methods are used to perform the comparison:

* If the API Request contains the `Content-Length` header, this is directly compared against `MaxRequestBodySize`.
* If the `Content-Length` header is not provided, the Request body is read in chunks to compare total size against `MaxRequestBodySize`.

A value of zero (default) means that no maximum is set and API requests will not be tested.

See more information about setting request size limits here:
[https://tyk.io/docs/api-management/traffic-transformation/#request-size-limits](https://tyk.io/docs/api-management/traffic-transformation/#request-size-limits)
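The two comparison methods above differ in an important way: a declared `Content-Length` can be rejected before any body is read, whereas a chunked body has to be read, in bounded pieces, until it either ends or exceeds the limit. The Go code below is an added example, not Tyk's middleware, that implements both paths and wraps them as a `net/http` handler; `checkBodySize` and `maxRequestBody` are hypothetical names.

```go
package main

import (
	"bytes"
	"io"
	"net/http"
)

// checkBodySize applies the two comparison methods described above. limit is
// max_request_body_size in bytes (0 disables the check); contentLength is the
// declared Content-Length, or -1 when the request has none (chunked body). It
// returns the HTTP status to answer with (200 means the body passed) and, for
// the unknown-length case, the bytes already consumed so they can be replayed
// to the next handler.
func checkBodySize(limit, contentLength int64, body io.Reader) (int, []byte, error) {
	if limit <= 0 {
		return http.StatusOK, nil, nil
	}
	if contentLength >= 0 {
		// Go's server already caps body reads at the declared length, so the
		// header comparison alone is sufficient here.
		if contentLength > limit {
			return http.StatusRequestEntityTooLarge, nil, nil
		}
		return http.StatusOK, nil, nil
	}
	// No Content-Length: read at most limit+1 bytes. One byte over the limit
	// proves the body is too large without buffering an unbounded stream.
	buf, err := io.ReadAll(io.LimitReader(body, limit+1))
	if err != nil {
		return http.StatusBadRequest, nil, err
	}
	if int64(len(buf)) > limit {
		return http.StatusRequestEntityTooLarge, nil, nil
	}
	return http.StatusOK, buf, nil
}

// maxRequestBody is the middleware form: it rejects oversized bodies with 413
// before the API handler runs and replays any buffered bytes otherwise.
func maxRequestBody(limit int64, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		status, buf, err := checkBodySize(limit, r.ContentLength, r.Body)
		if err != nil || status != http.StatusOK {
			http.Error(w, http.StatusText(status), status)
			return
		}
		if buf != nil {
			r.Body = io.NopCloser(bytes.NewReader(buf))
		}
		next.ServeHTTP(w, r)
	})
}
```

The `limit+1` read is the detail to keep: it bounds memory at the configured limit while still distinguishing "exactly at the limit" (allowed) from "over the limit" (rejected), which is what lets a chunked request be refused without trusting anything the client declared.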

### http\_server\_options.xff\_depth

ENV: <b>TYK\_GW\_HTTPSERVEROPTIONS\_XFFDEPTH</b><br />
Type: `int`<br />

XFFDepth controls which position in the X-Forwarded-For chain is used to determine the client IP address.
A value of 0 (the default) means the first IP is used; this is the way the Gateway has historically calculated the client IP, is the most common case, and applies when this option is not set.
Any non-zero value selects that position counting from the right of the X-Forwarded-For chain: a value of 1 means the last IP, 2 means the second to last, and so on.
This is a security feature that protects against IP spoofing attacks, and setting it to a non-zero value is recommended.
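The reason a non-zero depth is the safer choice is that the leftmost entry of X-Forwarded-For is whatever the sender wrote, while entries counted from the right were appended by your own proxies. The Go program below is an added example, not Tyk's code, that selects the address the way `xff_depth` describes and falls back to the TCP peer address when the header does not yield one; the function names and the fallback behaviour are assumptions, and the header value is constructed from documentation address ranges.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// clientIPFromXFF selects the client IP from an X-Forwarded-For value as
// xff_depth does: depth 0 returns the first (leftmost) address, which is the
// historical behaviour and is fully under the sender's control; depth n>0
// returns the n-th address counting from the right, i.e. the one appended by
// your own n-th trusted proxy. It returns "" when the chain is shorter than
// depth or empty.
func clientIPFromXFF(xff string, depth int) string {
	if strings.TrimSpace(xff) == "" {
		return ""
	}
	parts := strings.Split(xff, ",")
	for i := range parts {
		parts[i] = strings.TrimSpace(parts[i])
	}
	if depth <= 0 {
		return parts[0]
	}
	if depth > len(parts) {
		return ""
	}
	return parts[len(parts)-depth]
}

// resolveClientIP falls back to the TCP peer address when the header does
// not yield an address. The fallback behaviour is an assumption for this
// example, not something the page specifies.
func resolveClientIP(remoteAddr, xff string, depth int) string {
	if ip := clientIPFromXFF(xff, depth); ip != "" {
		return ip
	}
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		return remoteAddr
	}
	return host
}

func main() {
	// Constructed header: a client-written leftmost entry followed by the
	// addresses two proxies in front of the Gateway appended.
	xff := "203.0.113.7, 198.51.100.2, 10.0.0.5"
	for depth := 0; depth <= 3; depth++ {
		fmt.Printf("xff_depth=%d -> %q\n", depth, clientIPFromXFF(xff, depth))
	}
	fmt.Println(resolveClientIP("192.0.2.1:5555", "", 1)) // 192.0.2.1
}
```

Choose the depth to match the number of proxies you control in front of the Gateway: with two trusted hops, depth 2 yields the address the first trusted proxy saw, which is the real peer; any smaller depth returns a proxy, and depth 0 returns a value the sender chose.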

### http\_server\_options.max\_response\_body\_size

ENV: <b>TYK\_GW\_HTTPSERVEROPTIONS\_MAXRESPONSEBODYSIZE</b><br />
Type: `int64`<br />

MaxResponseBodySize sets an upper limit on the response body (payload) size in bytes. It defaults to 0, which means there is no restriction on the response body size.

The Gateway will return `HTTP 500 Response Body Too Large` if the response payload exceeds MaxResponseBodySize+1 bytes.

**Note:** The limit is applied only when the [Response Body Transform middleware](/5.12/api-management/traffic-transformation/response-body) is enabled.

### version\_header

ENV: <b>TYK\_GW\_VERSIONHEADER</b><br />
Type: `string`<br />

Expose version header with a given name. Works only for versioned APIs.

### suppress\_redis\_signal\_reload

ENV: <b>TYK\_GW\_SUPPRESSREDISSIGNALRELOAD</b><br />
Type: `bool`<br />

Disable dynamic API and Policy reloads, i.e. new changes will only be loaded on process start.

### reload\_interval

ENV: <b>TYK\_GW\_RELOADINTERVAL</b><br />
Type: `int64`<br />

ReloadInterval defines a duration in seconds within which the gateway responds to a reload event.
The value defaults to 1, values lower than 1 are ignored.

### hash\_keys

ENV: <b>TYK\_GW\_HASHKEYS</b><br />
Type: `bool`<br />

Enable Key hashing

### disable\_key\_actions\_by\_username

ENV: <b>TYK\_GW\_DISABLEKEYACTIONSBYUSERNAME</b><br />
Type: `bool`<br />

DisableKeyActionsByUsername disables key search by username.
When this is set to `true` you are able to search for keys only by keyID or key hash (if `hash_keys` is also set to `true`)
Note that if `hash_keys` is also set to `true` then the keyID will not be provided for APIs secured using basic auth. In this scenario the only search option would be to use key hash
If you are using the Tyk Dashboard, you must configure this setting with the same value in both Gateway and Dashboard

### hash\_key\_function

ENV: <b>TYK\_GW\_HASHKEYFUNCTION</b><br />
Type: `string`<br />

Specify the Key hashing algorithm. Possible values: murmur64, murmur128, sha256.

### basic\_auth\_hash\_key\_function

ENV: <b>TYK\_GW\_BASICAUTHHASHKEYFUNCTION</b><br />
Type: `string`<br />

Specify the Key hashing algorithm for "basic auth". Possible values: murmur64, murmur128, sha256, bcrypt.
Will default to "bcrypt" if not set.

### hash\_key\_function\_fallback

ENV: <b>TYK\_GW\_HASHKEYFUNCTIONFALLBACK</b><br />
Type: `[]string`<br />

Specify your previous key hashing algorithm if you migrated from one algorithm to another.

### enable\_hashed\_keys\_listing

ENV: <b>TYK\_GW\_ENABLEHASHEDKEYSLISTING</b><br />
Type: `bool`<br />

Allows the listing of hashed API keys

### min\_token\_length

ENV: <b>TYK\_GW\_MINTOKENLENGTH</b><br />
Type: `int`<br />

Minimum API token length

### template\_path

ENV: <b>TYK\_GW\_TEMPLATEPATH</b><br />
Type: `string`<br />

Path to error and webhook templates. Defaults to the current binary path.

### policies

The policies section allows you to define where Tyk can find its policy templates. Policy templates are similar to key definitions in that they allow you to set quotas, access rights and rate limits for keys.
Policies are loaded when Tyk starts and if changed require a hot-reload so they are loaded into memory.
A policy can be defined in a file (Open Source installations) or from the same database as the Dashboard.

### policies.policy\_source

ENV: <b>TYK\_GW\_POLICIES\_POLICYSOURCE</b><br />
Type: `string`<br />

Set this value to `file` to look in the file system for a definition file. Set to `service` to use the Dashboard service.

### policies.policy\_connection\_string

ENV: <b>TYK\_GW\_POLICIES\_POLICYCONNECTIONSTRING</b><br />
Type: `string`<br />

This option is required if `policies.policy_source` is set to `service`.
Set this to the URL of your Tyk Dashboard installation. The URL needs to be formatted as: `http://dashboard_host:port`.

### policies.policy\_record\_name

ENV: <b>TYK\_GW\_POLICIES\_POLICYRECORDNAME</b><br />
Type: `string`<br />

This option only applies in OSS deployment when the `policies.policy_source` is either set
to `file` or an empty string. If `policies.policy_path` is not set, then Tyk will load policies
from the JSON file specified by `policies.policy_record_name`.

### policies.allow\_explicit\_policy\_id

ENV: <b>TYK\_GW\_POLICIES\_ALLOWEXPLICITPOLICYID</b><br />
Type: `bool`<br />

In a Pro installation, Tyk will load Policy IDs and use the internal object-ID as the ID of the policy.
This is not portable in cases where the data needs to be moved from installation to installation.

If you set this value to `true`, then the id parameter in a stored policy (or imported policy using the Dashboard API), will be used instead of the internal ID.

This option should only be used when moving an installation to a new database.

Deprecated: this option is not used in the codebase.

### policies.policy\_path

ENV: <b>TYK\_GW\_POLICIES\_POLICYPATH</b><br />
Type: `string`<br />

This option only applies in OSS deployment when the `policies.policy_source` is either set
to `file` or an empty string. If `policies.policy_path` is set, then Tyk will load policies
from all the JSON files under the directory specified by the `policies.policy_path` option.
In this configuration, Tyk Gateway will allow policy management through the Gateway API.

### ports\_whitelist

ENV: <b>TYK\_GW\_PORTWHITELIST</b><br />
Type: `PortsWhiteList`<br />

Defines the ports that will be available for the API services to bind to in the format
documented here [https://tyk.io/docs/api-management/non-http-protocols/#allowing-specific-ports](https://tyk.io/docs/api-management/non-http-protocols/#allowing-specific-ports).
Ports can be configured per protocol, e.g. https, tls etc.
If configuring via environment variable `TYK_GW_PORTWHITELIST` then remember to escape
JSON strings.

### disable\_ports\_whitelist

ENV: <b>TYK\_GW\_DISABLEPORTWHITELIST</b><br />
Type: `bool`<br />

Disable port whitelisting, essentially allowing you to use any port for your API.

### app\_path

ENV: <b>TYK\_GW\_APPPATH</b><br />
Type: `string`<br />

If Tyk is being used in its standard configuration (Open Source installations), then API definitions are stored in the apps folder (by default in /opt/tyk-gateway/apps).
This location is scanned for .json files and re-scanned at startup or reload.
See the API section of the Tyk Gateway API for more details.

### use\_db\_app\_configs

ENV: <b>TYK\_GW\_USEDBAPPCONFIGS</b><br />
Type: `bool`<br />

If you are a Tyk Pro user, this option will enable polling the Dashboard service for API definitions.
On startup Tyk will attempt to connect and download any relevant application configurations from your Dashboard instance.
The files are exactly the same as the JSON files on disk with the exception of a BSON ID supplied by the Dashboard service.

### db\_app\_conf\_options

This section defines API loading and shard options. Enable these settings to selectively load API definitions on a node from your Dashboard service.

### db\_app\_conf\_options.connection\_string

ENV: <b>TYK\_GW\_DBAPPCONFOPTIONS\_CONNECTIONSTRING</b><br />
Type: `string`<br />

Set the URL to your Dashboard instance (or a load balanced instance). The URL needs to be formatted as: `http://dashboard_host:port`

### db\_app\_conf\_options.connection\_timeout

ENV: <b>TYK\_GW\_DBAPPCONFOPTIONS\_CONNECTIONTIMEOUT</b><br />
Type: `int`<br />

Set a timeout value, in seconds, for your Dashboard connection. Default value is 30.

### db\_app\_conf\_options.node\_is\_segmented

ENV: <b>TYK\_GW\_DBAPPCONFOPTIONS\_NODEISSEGMENTED</b><br />
Type: `bool`<br />

Set to `true` to enable filtering (sharding) of APIs.

### db\_app\_conf\_options.tags

ENV: <b>TYK\_GW\_DBAPPCONFOPTIONS\_TAGS</b><br />
Type: `[]string`<br />

The tags to use when filtering (sharding) Tyk Gateway nodes. Tags are processed as `OR` operations.
If you include a non-filter tag (e.g. an identifier such as `node-id-1`), this will become available to your Dashboard analytics.

### storage

This section defines your Redis configuration.

### storage.type

ENV: <b>TYK\_GW\_STORAGE\_TYPE</b><br />
Type: `string`<br />

This should be set to `redis` (lowercase)

### storage.host

ENV: <b>TYK\_GW\_STORAGE\_HOST</b><br />
Type: `string`<br />

The Redis host, by default this is set to `localhost`, but for production this should be set to a cluster.

### storage.port

ENV: <b>TYK\_GW\_STORAGE\_PORT</b><br />
Type: `int`<br />

The Redis instance port.

### storage.addrs

ENV: <b>TYK\_GW\_STORAGE\_ADDRS</b><br />
Type: `[]string`<br />

If you have a multi-node setup, you should use this field instead. For example: `["host1:port1", "host2:port2"]`.

### storage.master\_name

ENV: <b>TYK\_GW\_STORAGE\_MASTERNAME</b><br />
Type: `string`<br />

Redis sentinel master name

### storage.sentinel\_password

ENV: <b>TYK\_GW\_STORAGE\_SENTINELPASSWORD</b><br />
Type: `string`<br />

Redis sentinel password

### storage.username

ENV: <b>TYK\_GW\_STORAGE\_USERNAME</b><br />
Type: `string`<br />

Redis user name

### storage.password

ENV: <b>TYK\_GW\_STORAGE\_PASSWORD</b><br />
Type: `string`<br />

If your Redis instance has a password set for access, you can set it here.

### storage.database

ENV: <b>TYK\_GW\_STORAGE\_DATABASE</b><br />
Type: `int`<br />

Redis database

### storage.optimisation\_max\_idle

ENV: <b>TYK\_GW\_STORAGE\_MAXIDLE</b><br />
Type: `int`<br />

Set the number of maximum idle connections in the Redis connection pool, which defaults to 100. Set to a higher value if you are expecting more traffic.

### storage.optimisation\_max\_active

ENV: <b>TYK\_GW\_STORAGE\_MAXACTIVE</b><br />
Type: `int`<br />

Set the number of maximum connections in the Redis connection pool, which defaults to 500. Set to a higher value if you are expecting more traffic.

### storage.timeout

ENV: <b>TYK\_GW\_STORAGE\_TIMEOUT</b><br />
Type: `int`<br />

Set a custom timeout for Redis network operations. Default value 5 seconds.

### storage.enable\_cluster

ENV: <b>TYK\_GW\_STORAGE\_ENABLECLUSTER</b><br />
Type: `bool`<br />

Enable Redis Cluster support

### storage.use\_ssl

ENV: <b>TYK\_GW\_STORAGE\_USESSL</b><br />
Type: `bool`<br />

Enable SSL/TLS connection between your Tyk Gateway & Redis.

### storage.ssl\_insecure\_skip\_verify

ENV: <b>TYK\_GW\_STORAGE\_SSLINSECURESKIPVERIFY</b><br />
Type: `bool`<br />

Disable TLS verification

### storage.ca\_file

ENV: <b>TYK\_GW\_STORAGE\_CAFILE</b><br />
Type: `string`<br />

Path to the CA file.

### storage.cert\_file

ENV: <b>TYK\_GW\_STORAGE\_CERTFILE</b><br />
Type: `string`<br />

Path to the cert file.

### storage.key\_file

ENV: <b>TYK\_GW\_STORAGE\_KEYFILE</b><br />
Type: `string`<br />

Path to the key file.

### storage.tls\_max\_version

ENV: <b>TYK\_GW\_STORAGE\_TLSMAXVERSION</b><br />
Type: `string`<br />

Maximum TLS version that is supported.
Options: `["1.0", "1.1", "1.2", "1.3"]`.
Defaults to "1.3".

### storage.tls\_min\_version

ENV: <b>TYK\_GW\_STORAGE\_TLSMINVERSION</b><br />
Type: `string`<br />

Minimum TLS version that is supported.
Options: `["1.0", "1.1", "1.2", "1.3"]`.
Defaults to "1.2".

### storage.compress\_api\_definitions

ENV: <b>TYK\_GW\_STORAGE\_COMPRESSAPIDEFINITIONS</b><br />
Type: `bool`<br />

When set to `true`, enables Zstd compression for API definitions stored in Redis RPC backups.
This feature significantly reduces Redis memory usage in MDCB deployments where API definitions are cached locally on Data Plane Gateways.
The Gateway can read both compressed and uncompressed formats for backward compatibility.

You can safely enable this setting on existing deployments.
The Gateway continues to load previously stored uncompressed backups and stores all new backups in compressed form.

Note: This feature works with API definitions up to 100MB uncompressed

Defaults to `false`.

### disable\_dashboard\_zeroconf

ENV: <b>TYK\_GW\_DISABLEDASHBOARDZEROCONF</b><br />
Type: `bool`<br />

Disable the capability of the Gateway to autodiscover the Dashboard through heartbeat messages via Redis.
The goal of zeroconf is auto-discovery, so you do not have to specify the Tyk Dashboard address in your Gateway `tyk.conf` file.
In some specific cases, for example when the Dashboard is bound to a public domain that is not accessible inside an internal network, `disable_dashboard_zeroconf` can be set to `true` in favor of directly specifying a Tyk Dashboard address.

### slave\_options

The `slave_options` allow you to configure the RPC slave connection required for MDCB installations.
These settings must be configured for every RPC slave/worker node.

### slave\_options.use\_rpc

ENV: <b>TYK\_GW\_SLAVEOPTIONS\_USERPC</b><br />
Type: `bool`<br />

Set to `true` to connect a worker Gateway using RPC.

### slave\_options.use\_ssl

ENV: <b>TYK\_GW\_SLAVEOPTIONS\_USESSL</b><br />
Type: `bool`<br />

Set this option to `true` to use an SSL RPC connection.

### slave\_options.ssl\_insecure\_skip\_verify

ENV: <b>TYK\_GW\_SLAVEOPTIONS\_SSLINSECURESKIPVERIFY</b><br />
Type: `bool`<br />

Set this option to `true` to allow the certificate validation (certificate chain and hostname) to be skipped.
This can be useful if you use a self-signed certificate.

### slave\_options.connection\_string

ENV: <b>TYK\_GW\_SLAVEOPTIONS\_CONNECTIONSTRING</b><br />
Type: `string`<br />

Use this setting to add the URL for your MDCB or load balancer host.

### slave\_options.rpc\_key

ENV: <b>TYK\_GW\_SLAVEOPTIONS\_RPCKEY</b><br />
Type: `string`<br />

Your organization ID to connect to the MDCB installation.

### slave\_options.api\_key

ENV: <b>TYK\_GW\_SLAVEOPTIONS\_APIKEY</b><br />
Type: `string`<br />

This is the API key of a user used to authenticate and authorize the Gateway's access through MDCB.
The user should be a standard Dashboard user with minimal privileges, so as to reduce the risk if the user is compromised.
The suggested security settings are read access for Real-time notifications, with the remaining options set to deny.

### slave\_options.enable\_rpc\_cache

ENV: <b>TYK\_GW\_SLAVEOPTIONS\_ENABLERPCCACHE</b><br />
Type: `bool`<br />

Set this option to `true` to enable RPC caching for keys.

### slave\_options.bind\_to\_slugs

ENV: <b>TYK\_GW\_SLAVEOPTIONS\_BINDTOSLUGSINSTEADOFLISTENPATHS</b><br />
Type: `bool`<br />

For a Self-Managed installation this can be left at `false` (the default setting). For Legacy Cloud Gateways it must be set to `true`.

### slave\_options.disable\_keyspace\_sync

ENV: <b>TYK\_GW\_SLAVEOPTIONS\_DISABLEKEYSPACESYNC</b><br />
Type: `bool`<br />

Set this option to `true` if you don’t want to monitor changes in the keys from a primary Gateway.

### slave\_options.group\_id

ENV: <b>TYK\_GW\_SLAVEOPTIONS\_GROUPID</b><br />
Type: `string`<br />

This is the `zone` that this instance inhabits, e.g. the cluster/data-center the Gateway lives in.
The group ID must be the same across all the Gateways of a data-center/cluster which are also sharing the same Redis instance.
This ID should also be unique per cluster (otherwise another Gateway cluster can pick up your keyspace events and your cluster will get zero updates).

### slave\_options.call\_timeout

ENV: <b>TYK\_GW\_SLAVEOPTIONS\_CALLTIMEOUT</b><br />
Type: `int`<br />

Call Timeout specifies the maximum allowed duration, in seconds, of an RPC call.

### slave\_options.ping\_timeout

ENV: <b>TYK\_GW\_SLAVEOPTIONS\_PINGTIMEOUT</b><br />
Type: `int`<br />

The maximum time in seconds that an RPC ping can last.

### slave\_options.rpc\_pool\_size

ENV: <b>TYK\_GW\_SLAVEOPTIONS\_RPCPOOLSIZE</b><br />
Type: `int`<br />

The number of RPC connections in the pool. This creates a set of connections that can be re-used as needed. Defaults to 5.

### slave\_options.key\_space\_sync\_interval

ENV: <b>TYK\_GW\_SLAVEOPTIONS\_KEYSPACESYNCINTERVAL</b><br />
Type: `float32`<br />

You can use this to set a period for which the Gateway will check if there are changes in keys that must be synchronized. If this value is not set then it will default to 10 seconds.

### slave\_options.rpc\_cert\_cache\_expiration

ENV: <b>TYK\_GW\_SLAVEOPTIONS\_RPCCERTCACHEEXPIRATION</b><br />
Type: `float32`<br />

RPCCertCacheExpiration defines the expiration time, in seconds, of the RPC cache that stores certificates.

### slave\_options.rpc\_global\_cache\_expiration

ENV: <b>TYK\_GW\_SLAVEOPTIONS\_RPCGLOBALCACHEEXPIRATION</b><br />
Type: `float32`<br />

RPCKeysCacheExpiration defines the expiration time, in seconds, of the RPC cache that stores keys.

### slave\_options.rpc\_cert\_fetch\_max\_elapsed\_time

ENV: <b>TYK\_GW\_SLAVEOPTIONS\_RPCCERTFETCHMAXELAPSEDTIME</b><br />
Type: `float32`<br />

RPCCertFetchMaxElapsedTime sets the maximum time in seconds to retry certificate fetch from MDCB during startup (default: 30)

### slave\_options.rpc\_cert\_fetch\_initial\_interval

ENV: <b>TYK\_GW\_SLAVEOPTIONS\_RPCCERTFETCHINITIALINTERVAL</b><br />
Type: `float32`<br />

RPCCertFetchInitialInterval sets the initial retry interval in seconds for certificate fetch backoff (default: 0.1)

### slave\_options.rpc\_cert\_fetch\_max\_interval

ENV: <b>TYK\_GW\_SLAVEOPTIONS\_RPCCERTFETCHMAXINTERVAL</b><br />
Type: `float32`<br />

RPCCertFetchMaxInterval sets the maximum retry interval in seconds for certificate fetch backoff (default: 2)

### slave\_options.rpc\_cert\_fetch\_retry\_enabled

ENV: <b>TYK\_GW\_SLAVEOPTIONS\_RPCCERTFETCHRETRYENABLED</b><br />
Type: `*bool`<br />

RPCCertFetchRetryEnabled enables exponential backoff retry for certificate fetch from MDCB during startup (default: true)

### slave\_options.rpc\_cert\_fetch\_max\_retries

ENV: <b>TYK\_GW\_SLAVEOPTIONS\_RPCCERTFETCHMAXRETRIES</b><br />
Type: `*int`<br />

RPCCertFetchMaxRetries sets the maximum number of retry attempts for certificate fetch. 0 means unlimited (time-based only) (default: 3)

### slave\_options.synchroniser\_enabled

ENV: <b>TYK\_GW\_SLAVEOPTIONS\_SYNCHRONISERENABLED</b><br />
Type: `bool`<br />

SynchroniserEnabled: enable this option if MDCB has the synchroniser enabled. If disabled, the Gateway ignores signals to synchronise resources.

### slave\_options.dns\_monitor

DNSMonitor configures background DNS monitoring for proactive detection of MDCB DNS changes.

### slave\_options.dns\_monitor.enabled

ENV: <b>TYK\_GW\_SLAVEOPTIONS\_DNSMONITOR\_ENABLED</b><br />
Type: `bool`<br />

Enable background DNS monitoring for proactive detection of MDCB DNS changes

### slave\_options.dns\_monitor.check\_interval

ENV: <b>TYK\_GW\_SLAVEOPTIONS\_DNSMONITOR\_CHECKINTERVAL</b><br />
Type: `int`<br />

Check interval in seconds for DNS monitoring (default: 30)

### slave\_options.sync\_used\_certs\_only

ENV: <b>TYK\_GW\_SLAVEOPTIONS\_SYNCUSEDCERTSONLY</b><br />
Type: `bool`<br />

Set to true to sync only certificates used by loaded APIs.
Only applies when use\_rpc is true.
Prevents proactive sync of unused certificates from the control plane.
Certificates are fetched on-demand via RPC and cached locally.
Note: Certificates accumulate over time as they are used; they are not removed when APIs are deleted.
Reduces memory usage and log noise in segmented deployments.

### management\_node

ENV: <b>TYK\_GW\_MANAGEMENTNODE</b><br />
Type: `bool`<br />

If set to `true`, distributed rate limiter will be disabled for this node, and it will be excluded from any rate limit calculation.

<Note>
  If you set `db_app_conf_options.node_is_segmented` to `true` for multiple Gateway nodes, you should ensure that `management_node` is set to `false`.
  This is to ensure visibility for the management node across all APIs.
</Note>

For pro installations, `management_node` is not a valid configuration option.
Always set `management_node` to `false` in pro environments.

### auth\_override

This is used as part of the RPC / Hybrid back-end configuration in a Tyk Enterprise installation and isn’t used anywhere else.

### enable\_fixed\_window\_rate\_limiter

ENV: <b>TYK\_GW\_ENABLEFIXEDWINDOWRATELIMITER</b><br />
Type: `bool`<br />

EnableFixedWindow enables fixed window rate limiting.

### enable\_redis\_rolling\_limiter

ENV: <b>TYK\_GW\_ENABLEREDISROLLINGLIMITER</b><br />
Type: `bool`<br />

Redis-based rate limiter with a sliding log. Provides 100% rate limiting accuracy, but requires two additional Redis roundtrips for each request.

### enable\_sentinel\_rate\_limiter

ENV: <b>TYK\_GW\_ENABLESENTINELRATELIMITER</b><br />
Type: `bool`<br />

To enable, set to `true`. The sentinel-based rate limiter delivers a smoother performance curve as rate-limit calculations happen off-thread, but a stricter time-out based cool-down for clients. For example, when a throttling action is triggered, they are required to cool-down for the period of the rate limit.
Disabling the sentinel based rate limiter will make rate-limit calculations happen on-thread and therefore offers a staggered cool-down and a smoother rate-limit experience for the client.
For example, you can slow your connection throughput to regain entry into your rate limit. This is more of a “throttle” than a “block”.
The standard rate limiter offers similar performance as the sentinel-based limiter. This is disabled by default.

### enable\_rate\_limit\_smoothing

ENV: <b>TYK\_GW\_ENABLERATELIMITSMOOTHING</b><br />
Type: `bool`<br />

EnableRateLimitSmoothing enables or disables rate limit smoothing. The rate smoothing is only supported on the
Redis Rate Limiter, or the Sentinel Rate Limiter, as both algorithms implement a sliding log.

### enable\_non\_transactional\_rate\_limiter

ENV: <b>TYK\_GW\_ENABLENONTRANSACTIONALRATELIMITER</b><br />
Type: `bool`<br />

An enhancement for the Redis and Sentinel rate limiters, that offers a significant improvement in performance by not using transactions on Redis rate-limit buckets.

### drl\_notification\_frequency

ENV: <b>TYK\_GW\_DRLNOTIFICATIONFREQUENCY</b><br />
Type: `int`<br />

How frequently a distributed rate limiter synchronises information between the Gateway nodes. Default: 2 seconds.

### drl\_threshold

ENV: <b>TYK\_GW\_DRLTHRESHOLD</b><br />
Type: `float64`<br />

A distributed rate limiter is inaccurate on small rate limits, so it falls back to a Redis or Sentinel rate limiter on an individual user basis if that user's rate limit is lower than the threshold.
The threshold is calculated using the following formula: `rate_threshold = drl_threshold * number_of_gateways`.
So if you have 2 Gateways and your threshold is set to 5, a user rate limit larger than 10 will use the distributed rate limiter algorithm.
Default: 5

### drl\_enable\_sentinel\_rate\_limiter

ENV: <b>TYK\_GW\_DRLENABLESENTINELRATELIMITER</b><br />
Type: `bool`<br />

Controls which algorithm to use as a fallback when your distributed rate limiter can't be used.

### enforce\_org\_data\_age

ENV: <b>TYK\_GW\_ENFORCEORGDATAAGE</b><br />
Type: `bool`<br />

Allows you to dynamically configure analytics expiration on a per organization level

### enforce\_org\_data\_detail\_logging

ENV: <b>TYK\_GW\_ENFORCEORGDATADETAILLOGGING</b><br />
Type: `bool`<br />

Allows you to dynamically configure detailed logging on a per organization level

### enforce\_org\_quotas

ENV: <b>TYK\_GW\_ENFORCEORGQUOTAS</b><br />
Type: `bool`<br />

Allows you to dynamically configure organization quotas on a per organization level

### monitor

The monitor section is useful if you wish to enforce a global trigger limit on organization and user quotas.
This feature will trigger a webhook event to fire when specific triggers are reached.
Triggers can be global (set in the node), by organization (set in the organization session object) or by key (set in the key session object).

While Organization-level and Key-level triggers can be tiered (e.g. trigger at 10%, trigger at 20%, trigger at 80%), in the node-level configuration only a global value can be set.
If a global value and specific trigger level are the same the trigger will only fire once:

```
"monitor": {
  "enable_trigger_monitors": true,
  "configuration": {
    "method": "POST",
    "target_path": "http://domain.com/notify/quota-trigger",
    "template_path": "templates/monitor_template.json",
    "header_map": {
      "some-secret": "89787855"
    },
    "event_timeout": 10
  },
  "global_trigger_limit": 80.0,
  "monitor_user_keys": false,
  "monitor_org_keys": true
},
```

### monitor.enable\_trigger\_monitors

ENV: <b>TYK\_GW\_MONITOR\_ENABLETRIGGERMONITORS</b><br />
Type: `bool`<br />

Set this to `true` to have monitors enabled in your configuration for the node.

### monitor.configuration.method

ENV: <b>TYK\_GW\_MONITOR\_CONFIG\_METHOD</b><br />
Type: `string`<br />

The method to use for the webhook.

### monitor.configuration.target\_path

ENV: <b>TYK\_GW\_MONITOR\_CONFIG\_TARGETPATH</b><br />
Type: `string`<br />

The target path on which to send the request.

### monitor.configuration.template\_path

ENV: <b>TYK\_GW\_MONITOR\_CONFIG\_TEMPLATEPATH</b><br />
Type: `string`<br />

The template to load in order to format the request.

### monitor.configuration.header\_map

ENV: <b>TYK\_GW\_MONITOR\_CONFIG\_HEADERLIST</b><br />
Type: `map[string]string`<br />

Headers to set when firing the webhook.

### monitor.configuration.event\_timeout

ENV: <b>TYK\_GW\_MONITOR\_CONFIG\_EVENTTIMEOUT</b><br />
Type: `int64`<br />

The cool-down for the event so it does not trigger again (in seconds).

### monitor.global\_trigger\_limit

ENV: <b>TYK\_GW\_MONITOR\_GLOBALTRIGGERLIMIT</b><br />
Type: `float64`<br />

The trigger limit, as a percentage of the quota, that must be reached in order to trigger the event. Any time the quota percentage is increased, the event will trigger.

### monitor.monitor\_user\_keys

ENV: <b>TYK\_GW\_MONITOR\_MONITORUSERKEYS</b><br />
Type: `bool`<br />

Apply the monitoring subsystem to user keys.

### monitor.monitor\_org\_keys

ENV: <b>TYK\_GW\_MONITOR\_MONITORORGKEYS</b><br />
Type: `bool`<br />

Apply the monitoring subsystem to organization keys.

### max\_idle\_connections

ENV: <b>TYK\_GW\_MAXIDLECONNS</b><br />
Type: `int`<br />

Maximum idle connections, per API, between Tyk and Upstream. By default not limited.

### max\_idle\_connections\_per\_host

ENV: <b>TYK\_GW\_MAXIDLECONNSPERHOST</b><br />
Type: `int`<br />

Maximum idle connections, per API, per upstream, between Tyk and Upstream.
A value of `0` will use the default from the Go standard library, which is 2 connections. Tyk recommends setting this value to `500` for production environments.

### max\_conn\_time

ENV: <b>TYK\_GW\_MAXCONNTIME</b><br />
Type: `int64`<br />

Maximum connection time. If set, the Gateway is forced to reconnect to the upstream once a connection reaches this age.

### close\_connections

ENV: <b>TYK\_GW\_CLOSECONNECTIONS</b><br />
Type: `bool`<br />

If set to `true`, disables keepalive between the user (client) and Tyk.

### enable\_custom\_domains

ENV: <b>TYK\_GW\_ENABLECUSTOMDOMAINS</b><br />
Type: `bool`<br />

Allows you to use custom domains

### allow\_master\_keys

ENV: <b>TYK\_GW\_ALLOWMASTERKEYS</b><br />
Type: `bool`<br />

If AllowMasterKeys is set to true, session objects (key definitions) that do not have explicit access rights set
will be allowed by Tyk. This means that keys that are created have access to ALL APIs, which in many cases is
unwanted behavior unless you are sure about what you are doing.

### service\_discovery.default\_cache\_timeout

ENV: <b>TYK\_GW\_SERVICEDISCOVERY\_DEFAULTCACHETIMEOUT</b><br />
Type: `int`<br />

Service discovery cache timeout

### proxy\_ssl\_insecure\_skip\_verify

ENV: <b>TYK\_GW\_PROXYSSLINSECURESKIPVERIFY</b><br />
Type: `bool`<br />

Globally ignore TLS verification between Tyk and your Upstream services

### proxy\_enable\_http2

ENV: <b>TYK\_GW\_PROXYENABLEHTTP2</b><br />
Type: `bool`<br />

Enable HTTP/2 support between Tyk and your upstream service. Required for gRPC.

### proxy\_ssl\_min\_version

ENV: <b>TYK\_GW\_PROXYSSLMINVERSION</b><br />
Type: `uint16`<br />

Minimum TLS version for connection between Tyk and your upstream service.

### proxy\_ssl\_max\_version

ENV: <b>TYK\_GW\_PROXYSSLMAXVERSION</b><br />
Type: `uint16`<br />

Maximum TLS version for connection between Tyk and your upstream service.

### proxy\_ssl\_ciphers

ENV: <b>TYK\_GW\_PROXYSSLCIPHERSUITES</b><br />
Type: `[]string`<br />

Allow list of ciphers for connection between Tyk and your upstream service.

### proxy\_default\_timeout

ENV: <b>TYK\_GW\_PROXYDEFAULTTIMEOUT</b><br />
Type: `float64`<br />

This can specify a default timeout in seconds for upstream API requests.
Default: 30 seconds

<Note>
  If you set `proxy_default_timeout` to a value greater than 120 seconds, you must also increase [http\_server\_options.write\_timeout](/5.12/#http-server-options-write-timeout) to a value greater than `proxy_default_timeout`. The `write_timeout` setting defaults to 120 seconds and controls how long Tyk waits to write the response back to the client. If not adjusted, the client connection will be closed before the upstream response is received.
</Note>
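The transport and authorization options above (`storage.use_ssl`, `storage.ssl_insecure_skip_verify`, `storage.tls_min_version`, `slave_options.use_ssl`, `slave_options.ssl_insecure_skip_verify`, `allow_master_keys`, `proxy_ssl_insecure_skip_verify`) and the `write_timeout` coupling in the note above are the settings most often found weakened in a production `tyk.conf`. The following Go program is an added example, not part of Tyk or of this reference: it decodes the relevant subset of a `tyk.conf`, applies the `TYK_GW_*` precedence rule for the boolean options it checks, and reports each weak setting. The two embedded configurations are constructed samples; the finding wording, the choice of options to inspect, and the defaults applied when a key is absent (`tls_min_version` 1.2 and `write_timeout` 120 seconds, both stated on this page) are this example's own.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
)

// Subset of tyk.conf inspected here; the JSON keys are the option names from the reference.
type GatewayConfig struct {
	Storage struct {
		UseSSL                bool   `json:"use_ssl"`
		SSLInsecureSkipVerify bool   `json:"ssl_insecure_skip_verify"`
		TLSMinVersion         string `json:"tls_min_version"`
	} `json:"storage"`
	SlaveOptions struct {
		UseRPC                bool `json:"use_rpc"`
		UseSSL                bool `json:"use_ssl"`
		SSLInsecureSkipVerify bool `json:"ssl_insecure_skip_verify"`
	} `json:"slave_options"`
	HTTPServerOptions          struct{ WriteTimeout int `json:"write_timeout"` } `json:"http_server_options"`
	AllowMasterKeys            bool    `json:"allow_master_keys"`
	ProxySSLInsecureSkipVerify bool    `json:"proxy_ssl_insecure_skip_verify"`
	ProxyDefaultTimeout        float64 `json:"proxy_default_timeout"`
}

func ParseConfig(raw string) (GatewayConfig, error) {
	var cfg GatewayConfig
	err := json.Unmarshal([]byte(raw), &cfg)
	return cfg, err
}

// ApplyEnv applies the TYK_GW_* precedence rule for the booleans the linter checks; the
// environment is passed in rather than read from the process so the example runs offline.
func ApplyEnv(cfg *GatewayConfig, env map[string]string) {
	targets := map[string]*bool{
		"TYK_GW_STORAGE_SSLINSECURESKIPVERIFY":      &cfg.Storage.SSLInsecureSkipVerify,
		"TYK_GW_SLAVEOPTIONS_SSLINSECURESKIPVERIFY": &cfg.SlaveOptions.SSLInsecureSkipVerify,
		"TYK_GW_ALLOWMASTERKEYS":                    &cfg.AllowMasterKeys,
		"TYK_GW_PROXYSSLINSECURESKIPVERIFY":         &cfg.ProxySSLInsecureSkipVerify,
	}
	for name, dst := range targets {
		if b, err := strconv.ParseBool(env[name]); err == nil { // unset or malformed: keep the file value
			*dst = b
		}
	}
}

// Lint returns one finding per setting that weakens transport security or authorization,
// plus the write_timeout coupling from the proxy_default_timeout note.
func Lint(cfg GatewayConfig) []string {
	var f []string
	if !cfg.Storage.UseSSL {
		f = append(f, "storage.use_ssl is false: Gateway to Redis traffic is not encrypted")
	} else if cfg.Storage.SSLInsecureSkipVerify {
		f = append(f, "storage.ssl_insecure_skip_verify is true: the Redis certificate is not verified")
	}
	if v := cfg.Storage.TLSMinVersion; v == "1.0" || v == "1.1" { // unset means the 1.2 default
		f = append(f, "storage.tls_min_version "+v+" permits deprecated TLS versions")
	}
	if cfg.SlaveOptions.UseRPC && (!cfg.SlaveOptions.UseSSL || cfg.SlaveOptions.SSLInsecureSkipVerify) {
		f = append(f, "slave_options: the RPC link to MDCB is not a verified TLS connection (use_ssl false or ssl_insecure_skip_verify true)")
	}
	if cfg.AllowMasterKeys {
		f = append(f, "allow_master_keys is true: keys without explicit access rights can reach ALL APIs")
	}
	if cfg.ProxySSLInsecureSkipVerify {
		f = append(f, "proxy_ssl_insecure_skip_verify is true: upstream certificates are never verified")
	}
	writeTimeout := float64(cfg.HTTPServerOptions.WriteTimeout)
	if writeTimeout == 0 {
		writeTimeout = 120 // default stated in the note above
	}
	if cfg.ProxyDefaultTimeout > 120 && writeTimeout <= cfg.ProxyDefaultTimeout {
		f = append(f, fmt.Sprintf("proxy_default_timeout %.0fs is not below http_server_options.write_timeout %.0fs: clients are cut off before the upstream answers", cfg.ProxyDefaultTimeout, writeTimeout))
	}
	return f
}

// Constructed samples: a weakened configuration and a hardened counterpart.
const weakConf = `{"storage": {"use_ssl": true, "ssl_insecure_skip_verify": true, "tls_min_version": "1.0"},
 "slave_options": {"use_rpc": true, "use_ssl": true, "ssl_insecure_skip_verify": true},
 "allow_master_keys": true, "proxy_ssl_insecure_skip_verify": true, "proxy_default_timeout": 300}`
const hardenedConf = `{"storage": {"use_ssl": true, "tls_min_version": "1.2"}, "slave_options": {"use_rpc": true, "use_ssl": true},
 "http_server_options": {"write_timeout": 400}, "proxy_default_timeout": 300}`

func main() {
	cfg, err := ParseConfig(weakConf)
	if err != nil {
		panic(err)
	}
	for _, finding := range Lint(cfg) {
		fmt.Println("WARN", finding)
	}
}
```

To run it against a real deployment, read the `tyk.conf` file into `ParseConfig` and pass the process environment (split into a `map[string]string`) to `ApplyEnv`, since an exported `TYK_GW_*` variable silently overrides whatever the file says. The checks cover only the options named above, so an empty result is not a complete audit.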

### proxy\_ssl\_disable\_renegotiation

ENV: <b>TYK\_GW\_PROXYSSLDISABLERENEGOTIATION</b><br />
Type: `bool`<br />

Disable TLS renegotiation.

### proxy\_close\_connections

ENV: <b>TYK\_GW\_PROXYCLOSECONNECTIONS</b><br />
Type: `bool`<br />

Disable keepalives between Tyk and your upstream service.
Set this value to `true` to force Tyk to close the connection with the server, otherwise the connections will remain open for as long as your OS keeps TCP connections open.
This can cause a file-handler limit to be exceeded. Setting to false can have performance benefits as the connection can be reused.

### uptime\_tests

Tyk nodes can provide uptime awareness, uptime testing and analytics for your underlying APIs' uptime and availability.
Tyk can also notify you when a service goes down.

### uptime\_tests.disable

ENV: <b>TYK\_GW\_UPTIMETESTS\_DISABLE</b><br />
Type: `bool`<br />

To disable uptime tests on this node, set this value to `true`.

### uptime\_tests.poller\_group

ENV: <b>TYK\_GW\_UPTIMETESTS\_POLLERGROUP</b><br />
Type: `string`<br />

If you have multiple Gateway clusters connected to the same Redis instance, you need to set a unique poller group for each cluster.

### uptime\_tests.config.failure\_trigger\_sample\_size

ENV: <b>TYK\_GW\_UPTIMETESTS\_CONFIG\_FAILURETRIGGERSAMPLESIZE</b><br />
Type: `int`<br />

The sample size to trigger a `HostUp` or `HostDown` event. For example, a setting of 3 will require at least three failures to occur before the uptime test is triggered.

### uptime\_tests.config.time\_wait

ENV: <b>TYK\_GW\_UPTIMETESTS\_CONFIG\_TIMEWAIT</b><br />
Type: `int`<br />

The value in seconds between test runs. All tests will run simultaneously. This value will set the time between those runs. So a value of 60 will run all uptime tests every 60 seconds.

### uptime\_tests.config.checker\_pool\_size

ENV: <b>TYK\_GW\_UPTIMETESTS\_CONFIG\_CHECKERPOOLSIZE</b><br />
Type: `int`<br />

The goroutine pool size to keep idle for uptime tests. If you have many uptime tests running at a high frequency, then increase this value.

### uptime\_tests.config.enable\_uptime\_analytics

ENV: <b>TYK\_GW\_UPTIMETESTS\_CONFIG\_ENABLEUPTIMEANALYTICS</b><br />
Type: `bool`<br />

Set this value to `true` to have the node capture and record analytics data regarding the uptime tests.

### health\_check

This section enables the configuration of the health-check API endpoint and the size of the sample data cache (in seconds).

### health\_check.enable\_health\_checks

ENV: <b>TYK\_GW\_HEALTHCHECK\_ENABLEHEALTHCHECKS</b><br />
Type: `bool`<br />

Setting this value to `true` will enable the health-check endpoint on /Tyk/health.

### health\_check.health\_check\_value\_timeouts

ENV: <b>TYK\_GW\_HEALTHCHECK\_HEALTHCHECKVALUETIMEOUT</b><br />
Type: `int64`<br />

This setting defaults to 60 seconds. This is the time window that Tyk uses to sample health-check data.
You can set a higher value for more accurate data (a larger sample period), or a lower value for less accurate data.
The reason this value is configurable is because sample data takes up space in your Redis DB to store the data to calculate samples. On high-availability systems this may not be desirable and smaller values may be preferred.

### health\_check\_endpoint\_name

ENV: <b>TYK\_GW\_HEALTHCHECKENDPOINTNAME</b><br />
Type: `string`<br />

HealthCheckEndpointName enables you to change the liveness endpoint.
Default is "/hello".

### readiness\_check\_endpoint\_name

ENV: <b>TYK\_GW\_READINESSCHECKENDPOINTNAME</b><br />
Type: `string`<br />

ReadinessCheckEndpointName enables you to change the readiness endpoint.
Default is "/ready".

### graceful\_shutdown\_timeout\_duration

ENV: <b>TYK\_GW\_GRACEFULSHUTDOWNTIMEOUTDURATION</b><br />
Type: `int`<br />

GracefulShutdownTimeoutDuration sets how many seconds the gateway should wait for an existing connection
to finish before shutting down the server. Defaults to 30 seconds.

### oauth\_refresh\_token\_expire

ENV: <b>TYK\_GW\_OAUTHREFRESHEXPIRE</b><br />
Type: `int64`<br />

Change the expiry time of a refresh token, in seconds. Defaults to 14 days.

### oauth\_token\_expire

ENV: <b>TYK\_GW\_OAUTHTOKENEXPIRE</b><br />
Type: `int32`<br />

Change the expiry time of OAuth tokens (in seconds).

### oauth\_token\_expired\_retain\_period

ENV: <b>TYK\_GW\_OAUTHTOKENEXPIREDRETAINPERIOD</b><br />
Type: `int32`<br />

Specifies how long expired tokens are stored in Redis. The value is in seconds and the default is 0. Using the default means expired tokens are never removed from Redis.

### oauth\_redirect\_uri\_separator

ENV: <b>TYK\_GW\_OAUTHREDIRECTURISEPARATOR</b><br />
Type: `string`<br />

Character which should be used as a separator for OAuth redirect URI URLs. Default: `;`.

### oauth\_error\_status\_code

ENV: <b>TYK\_GW\_OAUTHERRORSTATUSCODE</b><br />
Type: `int`<br />

Configures the OAuth error status code returned. If not set, it defaults to a 403 error.

### enable\_key\_logging

ENV: <b>TYK\_GW\_ENABLEKEYLOGGING</b><br />
Type: `bool`<br />

By default all key IDs in logs are hidden. Set to `true` if you want to see them for debugging reasons.

### ssl\_force\_common\_name\_check

ENV: <b>TYK\_GW\_SSLFORCECOMMONNAMECHECK</b><br />
Type: `bool`<br />

Force the validation of the hostname against the common name, even if TLS verification is disabled.

### enable\_analytics

ENV: <b>TYK\_GW\_ENABLEANALYTICS</b><br />
Type: `bool`<br />

Tyk is capable of recording every hit to your API to a database with various filtering parameters. Set this value to `true` and fill in the sub-section below to enable logging.

<Note>
  For performance reasons, Tyk will store traffic data to Redis initially and then purge the data from Redis to MongoDB or other data stores on a regular basis as determined by the purge\_delay setting in your Tyk Pump configuration.
</Note>

### analytics\_config

This section defines options on what analytics data to store.

### analytics\_config.type

ENV: <b>TYK\_GW\_ANALYTICSCONFIG\_TYPE</b><br />
Type: `string`<br />

Set empty for a Self-Managed installation or `rpc` for multi-cloud.

### analytics\_config.ignored\_ips

ENV: <b>TYK\_GW\_ANALYTICSCONFIG\_IGNOREDIPS</b><br />
Type: `[]string`<br />

Adding IP addresses to this list will cause Tyk to ignore these IPs in the analytics data. These IP addresses will not produce an analytics log record.
This is useful for health checks and other samplers that might skew usage data.
The IP addresses must be provided as a JSON array, with the values being single IPs. CIDR values are not supported.

### analytics\_config.enable\_detailed\_recording

ENV: <b>TYK\_GW\_ANALYTICSCONFIG\_ENABLEDETAILEDRECORDING</b><br />
Type: `bool`<br />

Set this value to `true` to have Tyk store the inbound request and outbound response data in HTTP Wire format as part of the Analytics data.
Please note, this will greatly increase your analytics DB size and can cause performance degradation on analytics processing by the Dashboard.
This setting can be overridden with an organization flag, enabled at an API level, or at an individual key level.

### analytics\_config.enable\_geo\_ip

ENV: <b>TYK\_GW\_ANALYTICSCONFIG\_ENABLEGEOIP</b><br />
Type: `bool`<br />

Tyk can store GeoIP information based on MaxMind databases to enable GeoIP tracking on inbound request analytics. Set this value to `true` and assign a DB using the `geo_ip_db_path` setting.

### analytics\_config.geo\_ip\_db\_path

ENV: <b>TYK\_GW\_ANALYTICSCONFIG\_GEOIPDBLOCATION</b><br />
Type: `string`<br />

Path to a MaxMind GeoIP database.
The analytics GeoIP DB can be replaced on disk. It will cleanly auto-reload every hour.

### analytics\_config.normalise\_urls

This section describes methods that enable you to normalise inbound URLs in your analytics to have more meaningful per-path data.

### analytics\_config.normalise\_urls.enabled

ENV: <b>TYK\_GW\_ANALYTICSCONFIG\_NORMALISEURLS\_ENABLED</b><br />
Type: `bool`<br />

Set this to `true` to enable normalisation.

### analytics\_config.normalise\_urls.normalise\_uuids

ENV: <b>TYK\_GW\_ANALYTICSCONFIG\_NORMALISEURLS\_NORMALISEUUIDS</b><br />
Type: `bool`<br />

Each UUID will be replaced with a placeholder `{uuid}`.

### analytics\_config.normalise\_urls.normalise\_ulids

ENV: <b>TYK\_GW\_ANALYTICSCONFIG\_NORMALISEURLS\_NORMALISEULIDS</b><br />
Type: `bool`<br />

Each ULID will be replaced with a placeholder `{ulid}`.

### analytics\_config.normalise\_urls.normalise\_numbers

ENV: <b>TYK\_GW\_ANALYTICSCONFIG\_NORMALISEURLS\_NORMALISENUMBERS</b><br />
Type: `bool`<br />

Set this to `true` to have Tyk automatically match numeric IDs; it will only match a number with a preceding slash, so as not to capture actual numbers:

### analytics\_config.normalise\_urls.custom\_patterns

ENV: <b>TYK\_GW\_ANALYTICSCONFIG\_NORMALISEURLS\_CUSTOM</b><br />
Type: `[]string`<br />

This is a list of custom patterns you can add. These must be valid regex strings. Tyk will replace these values with a `{var}` placeholder.
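As an added example (not Tyk's own code, whose internal patterns are not shown on this page), the following Go program implements the normalisation the `analytics_config.normalise_urls` options describe: it compiles `custom_patterns` once so a bad regex is caught at configuration time, applies the built-in UUID, ULID and numeric rules, and returns the rewritten path. The `{uuid}`, `{ulid}` and `{var}` placeholders follow the reference; the `/{id}` placeholder for numbers and the regexes themselves are this example's assumptions, and the sample path is constructed. Besides reducing per-path cardinality, a custom pattern is a way to keep token-like path segments out of stored analytics, which the sample shows with a constructed `tok_…` segment.

```go
package main

import (
	"fmt"
	"regexp"
)

// NormaliseURLs mirrors the analytics_config.normalise_urls options from the reference.
type NormaliseURLs struct {
	Enabled          bool     `json:"enabled"`
	NormaliseUUIDs   bool     `json:"normalise_uuids"`
	NormaliseULIDs   bool     `json:"normalise_ulids"`
	NormaliseNumbers bool     `json:"normalise_numbers"`
	CustomPatterns   []string `json:"custom_patterns"`
}

// Built-in patterns are this example's assumptions (the page does not show Tyk's).
// UUID: 8-4-4-4-12 hex groups; ULID: 26 Crockford base32 characters as a whole word;
// numbers: digits that directly follow a slash and end at a word boundary.
var (
	uuidRe   = regexp.MustCompile(`[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}`)
	ulidRe   = regexp.MustCompile(`\b[0-7][0-9A-HJKMNP-TV-Z]{25}\b`)
	numberRe = regexp.MustCompile(`/\d+\b`)
)

type Normaliser struct {
	cfg    NormaliseURLs
	custom []*regexp.Regexp
}

// NewNormaliser compiles custom_patterns up front so an invalid regex is reported
// when the configuration is loaded rather than on every request.
func NewNormaliser(cfg NormaliseURLs) (*Normaliser, error) {
	n := &Normaliser{cfg: cfg}
	for _, p := range cfg.CustomPatterns {
		re, err := regexp.Compile(p)
		if err != nil {
			return nil, fmt.Errorf("custom_patterns: invalid regex %q: %w", p, err)
		}
		n.custom = append(n.custom, re)
	}
	return n, nil
}

// Normalise rewrites a request path for analytics. "/{id}" for numbers is this
// example's assumption; the other placeholders follow the reference.
func (n *Normaliser) Normalise(path string) string {
	if !n.cfg.Enabled {
		return path
	}
	if n.cfg.NormaliseUUIDs {
		path = uuidRe.ReplaceAllString(path, "{uuid}")
	}
	if n.cfg.NormaliseULIDs {
		path = ulidRe.ReplaceAllString(path, "{ulid}")
	}
	if n.cfg.NormaliseNumbers {
		path = numberRe.ReplaceAllString(path, "/{id}")
	}
	for _, re := range n.custom {
		path = re.ReplaceAllString(path, "{var}")
	}
	return path
}

// Constructed sample path: a numeric ID, a UUID, a ULID and a token-like segment
// that a custom pattern scrubs before the path reaches the analytics store.
const samplePath = "/users/123/orders/3f2504e0-4f89-11d3-9a0c-0305e82c3301/items/01ARZ3NDEKTSV4RRFFQ69G5FAV/tokens/tok_9fz"

func main() {
	cfg := NormaliseURLs{Enabled: true, NormaliseUUIDs: true, NormaliseULIDs: true,
		NormaliseNumbers: true, CustomPatterns: []string{`tok_[a-z0-9]+`}}
	n, err := NewNormaliser(cfg)
	if err != nil {
		panic(err)
	}
	fmt.Println(n.Normalise(samplePath))
}
```

The rules are applied in a fixed order (UUIDs, ULIDs, numbers, then custom patterns), so a custom pattern sees the already-placeholdered path; write custom patterns against that form rather than the raw request path.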

### analytics\_config.pool\_size

ENV: <b>TYK\_GW\_ANALYTICSCONFIG\_POOLSIZE</b><br />
Type: `int`<br />

Number of workers used to process analytics. Defaults to the number of CPU cores.

### analytics\_config.records\_buffer\_size

ENV: <b>TYK\_GW\_ANALYTICSCONFIG\_RECORDSBUFFERSIZE</b><br />
Type: `uint64`<br />

Number of records in analytics queue, per worker. Default: 1000.

### analytics\_config.storage\_expiration\_time

ENV: <b>TYK\_GW\_ANALYTICSCONFIG\_STORAGEEXPIRATIONTIME</b><br />
Type: `int`<br />

You can set a time (in seconds) to configure how long analytics are kept if they are not processed. The default is 60 seconds.
This is used to prevent the potential infinite growth of Redis analytics storage.

### analytics\_config.enable\_multiple\_analytics\_keys

ENV: <b>TYK\_GW\_ANALYTICSCONFIG\_ENABLEMULTIPLEANALYTICSKEYS</b><br />
Type: `bool`<br />

Set this to `true` to have Tyk automatically divide the analytics records in multiple analytics keys.
This is especially useful when `storage.enable_cluster` is set to `true`, since it will distribute the analytics keys across all the cluster nodes.

### analytics\_config.purge\_interval

ENV: <b>TYK\_GW\_ANALYTICSCONFIG\_PURGEINTERVAL</b><br />
Type: `float32`<br />

You can set the interval length on how often the Tyk Gateway will purge analytics data. This value is in seconds and defaults to 10 seconds.

### analytics\_config.serializer\_type

ENV: <b>TYK\_GW\_ANALYTICSCONFIG\_SERIALIZERTYPE</b><br />
Type: `string`<br />

Determines the serialization engine for analytics. Available options: `msgpack` and `protobuf`. Default: `msgpack`.

### enable\_separate\_analytics\_store

ENV: <b>TYK\_GW\_ENABLESEPERATEANALYTICSSTORE</b><br />
Type: `bool`<br />

Enable separate analytics storage. Used together with `analytics_storage`.

### analytics\_storage.type

ENV: <b>TYK\_GW\_ANALYTICSSTORAGE\_TYPE</b><br />
Type: `string`<br />

This should be set to `redis` (lowercase)

### analytics\_storage.host

ENV: <b>TYK\_GW\_ANALYTICSSTORAGE\_HOST</b><br />
Type: `string`<br />

The Redis host, by default this is set to `localhost`, but for production this should be set to a cluster.

### analytics\_storage.port

ENV: <b>TYK\_GW\_ANALYTICSSTORAGE\_PORT</b><br />
Type: `int`<br />

The Redis instance port.

### analytics\_storage.addrs

ENV: <b>TYK\_GW\_ANALYTICSSTORAGE\_ADDRS</b><br />
Type: `[]string`<br />

If you have a multi-node setup, you should use this field instead. For example: \["host1:port1", "host2:port2"].

### analytics\_storage.master\_name

ENV: <b>TYK\_GW\_ANALYTICSSTORAGE\_MASTERNAME</b><br />
Type: `string`<br />

Redis sentinel master name

### analytics\_storage.sentinel\_password

ENV: <b>TYK\_GW\_ANALYTICSSTORAGE\_SENTINELPASSWORD</b><br />
Type: `string`<br />

Redis sentinel password

### analytics\_storage.username

ENV: <b>TYK\_GW\_ANALYTICSSTORAGE\_USERNAME</b><br />
Type: `string`<br />

Redis user name

### analytics\_storage.password

ENV: <b>TYK\_GW\_ANALYTICSSTORAGE\_PASSWORD</b><br />
Type: `string`<br />

If your Redis instance has a password set for access, you can set it here.

### analytics\_storage.database

ENV: <b>TYK\_GW\_ANALYTICSSTORAGE\_DATABASE</b><br />
Type: `int`<br />

Redis database

### analytics\_storage.optimisation\_max\_idle

ENV: <b>TYK\_GW\_ANALYTICSSTORAGE\_MAXIDLE</b><br />
Type: `int`<br />

Set the number of maximum idle connections in the Redis connection pool, which defaults to 100. Set to a higher value if you are expecting more traffic.

### analytics\_storage.optimisation\_max\_active

ENV: <b>TYK\_GW\_ANALYTICSSTORAGE\_MAXACTIVE</b><br />
Type: `int`<br />

Set the number of maximum connections in the Redis connection pool, which defaults to 500. Set to a higher value if you are expecting more traffic.

### analytics\_storage.timeout

ENV: <b>TYK\_GW\_ANALYTICSSTORAGE\_TIMEOUT</b><br />
Type: `int`<br />

Set a custom timeout, in seconds, for Redis network operations. Defaults to 5 seconds.

### analytics\_storage.enable\_cluster

ENV: <b>TYK\_GW\_ANALYTICSSTORAGE\_ENABLECLUSTER</b><br />
Type: `bool`<br />

Enable Redis Cluster support

### analytics\_storage.use\_ssl

ENV: <b>TYK\_GW\_ANALYTICSSTORAGE\_USESSL</b><br />
Type: `bool`<br />

Enable SSL/TLS connection between your Tyk Gateway & Redis.

### analytics\_storage.ssl\_insecure\_skip\_verify

ENV: <b>TYK\_GW\_ANALYTICSSTORAGE\_SSLINSECURESKIPVERIFY</b><br />
Type: `bool`<br />

Disable TLS certificate verification for the analytics Redis connection.

### analytics\_storage.ca\_file

ENV: <b>TYK\_GW\_ANALYTICSSTORAGE\_CAFILE</b><br />
Type: `string`<br />

Path to the CA file.

### analytics\_storage.cert\_file

ENV: <b>TYK\_GW\_ANALYTICSSTORAGE\_CERTFILE</b><br />
Type: `string`<br />

Path to the cert file.

### analytics\_storage.key\_file

ENV: <b>TYK\_GW\_ANALYTICSSTORAGE\_KEYFILE</b><br />
Type: `string`<br />

Path to the key file.

### analytics\_storage.tls\_max\_version

ENV: <b>TYK\_GW\_ANALYTICSSTORAGE\_TLSMAXVERSION</b><br />
Type: `string`<br />

Maximum TLS version that is supported.
Options: \["1.0", "1.1", "1.2", "1.3"].
Defaults to "1.3".

### analytics\_storage.tls\_min\_version

ENV: <b>TYK\_GW\_ANALYTICSSTORAGE\_TLSMINVERSION</b><br />
Type: `string`<br />

Minimum TLS version that is supported.
Options: \["1.0", "1.1", "1.2", "1.3"].
Defaults to "1.2".

### liveness\_check.check\_duration

ENV: <b>TYK\_GW\_LIVENESSCHECK\_CHECKDURATION</b><br />
Type: `time.Duration`<br />

Frequency of the interval health checks for Redis, Dashboard and the RPC layer.
Expressed in nanoseconds. For example: 1000000000 -> 1s.
Default: 10 seconds.

### dns\_cache

This section enables the global configuration of expirable DNS record caching for your Gateway API endpoints.
By design, caching affects only APIs using the http(s) and ws(s) protocols and does not affect any plugin/middleware DNS queries.

```
"dns_cache": {
  "enabled": true, // Disabled by default
  "ttl": 60, // Time in seconds before the record is removed from the cache
  "multiple_ips_handle_strategy": "random" // Strategy used when a DNS query returns more than one IP address for a single host
}
```

### dns\_cache.enabled

ENV: <b>TYK\_GW\_DNSCACHE\_ENABLED</b><br />
Type: `bool`<br />

Setting this value to `true` enables caching of the DNS query responses used to resolve API endpoint host names. By default caching is disabled.

### dns\_cache.ttl

ENV: <b>TYK\_GW\_DNSCACHE\_TTL</b><br />
Type: `int64`<br />

The duration in seconds after which a record is removed from the cache, counted from when it was added on the first DNS resolution of the API endpoint.
Setting `ttl` to `-1` prevents the record from expiring and being removed from the cache on the next check interval.

### dns\_cache.multiple\_ips\_handle\_strategy

ENV: <b>TYK\_GW\_DNSCACHE\_MULTIPLEIPSHANDLESTRATEGY</b><br />
Type: `string`<br />

The strategy used when a DNS query returns more than one IP address for a single host.
Because the order of IP addresses in a DNS response can change depending on the DNS server's balancing strategy (e.g. round robin or geographically dependent origin-IP ordering), this option lets you avoid pinning the connection to the first host in a cached response list, or disable response caching altogether.

* `pick_first` instructs your Tyk Gateway to connect to the first IP in the returned IP list and cache the response.
* `random` instructs your Tyk Gateway to connect to a random IP in the returned IP list and cache the response.
* `no_cache` instructs your Tyk Gateway to connect to the first IP in the returned IP list and to fetch the address list afresh, without caching, on each API endpoint DNS query.

### disable\_regexp\_cache

ENV: <b>TYK\_GW\_DISABLEREGEXPCACHE</b><br />
Type: `bool`<br />

If set to `true` this allows you to disable the regular expression cache. The default setting is `false`.

### regexp\_cache\_expire

ENV: <b>TYK\_GW\_REGEXPCACHEEXPIRE</b><br />
Type: `int32`<br />

If `disable_regexp_cache` is `false` (the default), this setting limits how long, in seconds, the regular expression cache is kept.
The default is 60 seconds. This must be a positive value; if set to 0, the default value is used.

### local\_session\_cache

Tyk can cache some data locally. This speeds up lookup times on a single node and lowers the number of connections and operations performed on Redis. It does, however, introduce a slight delay when updating or modifying keys, as the cache must expire first.
This does not affect rate limiting.

### local\_session\_cache.disable\_cached\_session\_state

ENV: <b>TYK\_GW\_LOCALSESSIONCACHE\_DISABLECACHESESSIONSTATE</b><br />
Type: `bool`<br />

By default sessions are set to cache. Set this to `true` to stop Tyk from caching keys locally on the node.

### enable\_separate\_cache\_store

ENV: <b>TYK\_GW\_ENABLESEPERATECACHESTORE</b><br />
Type: `bool`<br />

Enable to use a separate Redis for cache storage

### cache\_storage.type

ENV: <b>TYK\_GW\_CACHESTORAGE\_TYPE</b><br />
Type: `string`<br />

This should be set to `redis` (lowercase)

### cache\_storage.host

ENV: <b>TYK\_GW\_CACHESTORAGE\_HOST</b><br />
Type: `string`<br />

The Redis host. By default this is set to `localhost`, but for production this should be set to a cluster.

### cache\_storage.port

ENV: <b>TYK\_GW\_CACHESTORAGE\_PORT</b><br />
Type: `int`<br />

The Redis instance port.

### cache\_storage.addrs

ENV: <b>TYK\_GW\_CACHESTORAGE\_ADDRS</b><br />
Type: `[]string`<br />

If you have a multi-node setup, you should use this field instead. For example: \["host1:port1", "host2:port2"].

### cache\_storage.master\_name

ENV: <b>TYK\_GW\_CACHESTORAGE\_MASTERNAME</b><br />
Type: `string`<br />

Redis sentinel master name

### cache\_storage.sentinel\_password

ENV: <b>TYK\_GW\_CACHESTORAGE\_SENTINELPASSWORD</b><br />
Type: `string`<br />

Redis sentinel password

### cache\_storage.username

ENV: <b>TYK\_GW\_CACHESTORAGE\_USERNAME</b><br />
Type: `string`<br />

Redis user name

### cache\_storage.password

ENV: <b>TYK\_GW\_CACHESTORAGE\_PASSWORD</b><br />
Type: `string`<br />

If your Redis instance has a password set for access, you can set it here.

### cache\_storage.database

ENV: <b>TYK\_GW\_CACHESTORAGE\_DATABASE</b><br />
Type: `int`<br />

Redis database

### cache\_storage.optimisation\_max\_idle

ENV: <b>TYK\_GW\_CACHESTORAGE\_MAXIDLE</b><br />
Type: `int`<br />

Set the number of maximum idle connections in the Redis connection pool, which defaults to 100. Set to a higher value if you are expecting more traffic.

### cache\_storage.optimisation\_max\_active

ENV: <b>TYK\_GW\_CACHESTORAGE\_MAXACTIVE</b><br />
Type: `int`<br />

Set the number of maximum connections in the Redis connection pool, which defaults to 500. Set to a higher value if you are expecting more traffic.

### cache\_storage.timeout

ENV: <b>TYK\_GW\_CACHESTORAGE\_TIMEOUT</b><br />
Type: `int`<br />

Set a custom timeout for Redis network operations. The default value is 5 seconds.

### cache\_storage.enable\_cluster

ENV: <b>TYK\_GW\_CACHESTORAGE\_ENABLECLUSTER</b><br />
Type: `bool`<br />

Enable Redis Cluster support

### cache\_storage.use\_ssl

ENV: <b>TYK\_GW\_CACHESTORAGE\_USESSL</b><br />
Type: `bool`<br />

Enable SSL/TLS connection between your Tyk Gateway & Redis.

### cache\_storage.ssl\_insecure\_skip\_verify

ENV: <b>TYK\_GW\_CACHESTORAGE\_SSLINSECURESKIPVERIFY</b><br />
Type: `bool`<br />

Disable TLS verification

### cache\_storage.ca\_file

ENV: <b>TYK\_GW\_CACHESTORAGE\_CAFILE</b><br />
Type: `string`<br />

Path to the CA file.

### cache\_storage.cert\_file

ENV: <b>TYK\_GW\_CACHESTORAGE\_CERTFILE</b><br />
Type: `string`<br />

Path to the cert file.

### cache\_storage.key\_file

ENV: <b>TYK\_GW\_CACHESTORAGE\_KEYFILE</b><br />
Type: `string`<br />

Path to the key file.

### cache\_storage.tls\_max\_version

ENV: <b>TYK\_GW\_CACHESTORAGE\_TLSMAXVERSION</b><br />
Type: `string`<br />

Maximum TLS version that is supported.
Options: \["1.0", "1.1", "1.2", "1.3"].
Defaults to "1.3".

### cache\_storage.tls\_min\_version

ENV: <b>TYK\_GW\_CACHESTORAGE\_TLSMINVERSION</b><br />
Type: `string`<br />

Minimum TLS version that is supported.
Options: \["1.0", "1.1", "1.2", "1.3"].
Defaults to "1.2".

### enable\_bundle\_downloader

ENV: <b>TYK\_GW\_ENABLEBUNDLEDOWNLOADER</b><br />
Type: `bool`<br />

Enable downloading Plugin bundles
Example:

```
"enable_bundle_downloader": true,
"bundle_base_url": "http://my-bundle-server.com/bundles/",
"public_key_path": "/path/to/my/pubkey",
```

### bundle\_base\_url

ENV: <b>TYK\_GW\_BUNDLEBASEURL</b><br />
Type: `string`<br />

The base URL used to download plugin bundles. In the example above, with `bundle-latest.zip` specified in the API settings, Tyk will fetch the following URL: [http://my-bundle-server.com/bundles/bundle-latest.zip](http://my-bundle-server.com/bundles/bundle-latest.zip) (see the next section for details).

### bundle\_insecure\_skip\_verify

ENV: <b>TYK\_GW\_BUNDLEINSECURESKIPVERIFY</b><br />
Type: `bool`<br />

Disable TLS validation for bundle URLs

### skip\_verify\_existing\_plugin\_bundle

ENV: <b>TYK\_GW\_SKIPVERIFYEXISTINGPLUGINBUNDLE</b><br />
Type: `bool`<br />

SkipVerifyExistingPluginBundle skips checksum verification for plugin bundles already on disk.

Tyk always verifies the integrity of plugin bundles when downloading them for the first time to local disk. For security against corruption of the bundles after they have been loaded, it then re-verifies bundle checksum (for signed bundles) when loading each API that uses the plugins.

In trusted environments, this reverification may be unnecessary and can be skipped using this option, reducing the API load time.

### enable\_jsvm

ENV: <b>TYK\_GW\_ENABLEJSVM</b><br />
Type: `bool`<br />

Set to true if you are using JSVM custom middleware or virtual endpoints.

### jsvm\_timeout

ENV: <b>TYK\_GW\_JSVMTIMEOUT</b><br />
Type: `int`<br />

Set the execution timeout for JSVM plugins and virtual endpoints.

### disable\_virtual\_path\_blobs

ENV: <b>TYK\_GW\_DISABLEVIRTUALPATHBLOBS</b><br />
Type: `bool`<br />

Disables virtual endpoints: their code will not be loaded into the VM when the API definition initialises.
This is useful for systems where you want to avoid running third-party code.

### tyk\_js\_path

ENV: <b>TYK\_GW\_TYKJSPATH</b><br />
Type: `string`<br />

Path to the JavaScript file which will be pre-loaded for any JSVM middleware or virtual endpoint. Useful for defining global shared functions.

### middleware\_path

ENV: <b>TYK\_GW\_MIDDLEWAREPATH</b><br />
Type: `string`<br />

Path to the plugins directory. By default this is `./middleware`.

### coprocess\_options

Configuration options for Python and gRPC plugins.

### coprocess\_options.enable\_coprocess

ENV: <b>TYK\_GW\_COPROCESSOPTIONS\_ENABLECOPROCESS</b><br />
Type: `bool`<br />

Enable gRPC and Python plugins

### coprocess\_options.coprocess\_grpc\_server

ENV: <b>TYK\_GW\_COPROCESSOPTIONS\_COPROCESSGRPCSERVER</b><br />
Type: `string`<br />

Address of the gRPC plugin server.

### coprocess\_options.grpc\_recv\_max\_size

ENV: <b>TYK\_GW\_COPROCESSOPTIONS\_GRPCRECVMAXSIZE</b><br />
Type: `int`<br />

Maximum message size that can be received from the gRPC server.

### coprocess\_options.grpc\_send\_max\_size

ENV: <b>TYK\_GW\_COPROCESSOPTIONS\_GRPCSENDMAXSIZE</b><br />
Type: `int`<br />

Maximum message size that can be sent to the gRPC server.

### coprocess\_options.grpc\_authority

ENV: <b>TYK\_GW\_COPROCESSOPTIONS\_GRPCAUTHORITY</b><br />
Type: `string`<br />

Authority used in the gRPC connection.

### coprocess\_options.grpc\_round\_robin\_load\_balancing

ENV: <b>TYK\_GW\_COPROCESSOPTIONS\_GRPCROUNDROBINLOADBALANCING</b><br />
Type: `bool`<br />

GRPCRoundRobinLoadBalancing enables round robin load balancing for gRPC services; you must provide the address of the load balanced service using `dns:///` protocol in `coprocess_grpc_server`.

### coprocess\_options.python\_path\_prefix

ENV: <b>TYK\_GW\_COPROCESSOPTIONS\_PYTHONPATHPREFIX</b><br />
Type: `string`<br />

Sets the path to built-in Tyk modules. This will be part of the Python module lookup path. The value used here is the default one for most installations.

### coprocess\_options.python\_version

ENV: <b>TYK\_GW\_COPROCESSOPTIONS\_PYTHONVERSION</b><br />
Type: `string`<br />

If you have multiple Python versions installed, you can specify which version to use.

### ignore\_endpoint\_case

ENV: <b>TYK\_GW\_IGNOREENDPOINTCASE</b><br />
Type: `bool`<br />

Ignore the case of any endpoints for APIs managed by Tyk. Setting this to `true` will override any individual API and Ignore, Blacklist and Whitelist plugin endpoint settings.

### ignore\_canonical\_mime\_header\_key

ENV: <b>TYK\_GW\_IGNORECANONICALMIMEHEADERKEY</b><br />
Type: `bool`<br />

When enabled Tyk ignores the canonical format of the MIME header keys.

For example when a request header with a “my-header” key is injected using “global\_headers”, the upstream would typically get it as “My-Header”. When this flag is enabled it will be sent as “my-header” instead.

Current support is limited to JavaScript plugins, global header injection, virtual endpoint and JQ transform header rewrites.
This functionality doesn’t affect headers that are sent by the HTTP client and the default formatting will apply in this case.

For technical details refer to the [CanonicalMIMEHeaderKey](https://golang.org/pkg/net/textproto/#CanonicalMIMEHeaderKey) functionality in the Go documentation.

### log\_level

ENV: <b>TYK\_GW\_LOGLEVEL</b><br />
Type: `string`<br />

Sets the logging level (log\_level). The following levels can be set: debug, info, warn, error.
If not set or left empty, it defaults to `info`.

### log\_format

ENV: <b>TYK\_GW\_LOGFORMAT</b><br />
Type: `string`<br />

Sets the log format to either the standard or the json format.
If not set or left empty, it defaults to `standard`.

### access\_logs

AccessLogs configures the output for access logs.
If not configured, the access log is disabled.

### access\_logs.enabled

ENV: <b>TYK\_GW\_ACCESSLOGS\_ENABLED</b><br />
Type: `bool`<br />

Enabled controls the generation of access logs by the Gateway. Default: false.

### access\_logs.template

ENV: <b>TYK\_GW\_ACCESSLOGS\_TEMPLATE</b><br />
Type: `[]string`<br />

Template configures which fields to include in the access log.
If no template is configured, all available fields will be logged.

Example: \["client\_ip", "path"].

Template Options:

* `api_key` will include the obfuscated or hashed key.
* `circuit_breaker_state` will include the circuit breaker state when applicable.
* `client_ip` will include the IP of the request.
* `error_source` will include the source of an error (e.g., ReverseProxy).
* `error_target` will include the target that caused an error.
* `host` will include the host of the request.
* `latency_gateway` will include the gateway processing latency.
* `latency_total` will include the total latency of the request.
* `method` will include the request method.
* `org_id` will include the organization ID.
* `path` will include the path of the request.
* `protocol` will include the protocol of the request.
* `remote_addr` will include the remote address of the request.
* `response_code_details` will include detailed error description for 5XX responses.
* `response_flag` will include the error classification flag (e.g., URT, UCF, TLE).
* `status` will include the response status code.
* `tls_cert_expiry` will include the TLS certificate expiry date when applicable.
* `tls_cert_subject` will include the TLS certificate subject when applicable.
* `trace_id` will include the OpenTelemetry trace ID when tracing is enabled.
* `upstream_addr` will include the upstream address (scheme, host and path).
* `upstream_latency` will include the upstream latency of the request.
* `upstream_status` will include the upstream response status code for 5XX responses.
* `user_agent` will include the user agent of the request.

### tracing

Section for configuring OpenTracing support
Deprecated: use OpenTelemetry instead.

### tracing.name

ENV: <b>TYK\_GW\_TRACER\_NAME</b><br />
Type: `string`<br />

The name of the tracer to initialize; for instance, `appdash` to use the Appdash tracer.

### tracing.enabled

ENV: <b>TYK\_GW\_TRACER\_ENABLED</b><br />
Type: `bool`<br />

Enable tracing

### tracing.options

ENV: <b>TYK\_GW\_TRACER\_OPTIONS</b><br />
Type: `map[string]interface{}`<br />

Tracing configuration. Refer to the Tracing Docs for the full list of options.

### opentelemetry

Section for configuring OpenTelemetry.

### opentelemetry.enabled

ENV: <b>TYK\_GW\_OPENTELEMETRY\_ENABLED</b><br />
Type: `bool`<br />

A flag that can be used to enable or disable the trace exporter.

### opentelemetry.

Shared exporter/transport configuration.

### opentelemetry.exporter

ENV: <b>TYK\_GW\_OPENTELEMETRY\_EXPORTER</b><br />
Type: `string`<br />

The type of exporter used to send data using the OTLP protocol.
This should match the receiver type configured on the OpenTelemetry collector.
Valid values are "grpc" or "http".
Defaults to "grpc".

### opentelemetry.endpoint

ENV: <b>TYK\_GW\_OPENTELEMETRY\_ENDPOINT</b><br />
Type: `string`<br />

OpenTelemetry collector endpoint to connect to.
Defaults to "localhost:4317".

### opentelemetry.headers

ENV: <b>TYK\_GW\_OPENTELEMETRY\_HEADERS</b><br />
Type: `map[string]string`<br />

A map of headers that will be sent with HTTP requests to the collector.

### opentelemetry.connection\_timeout

ENV: <b>TYK\_GW\_OPENTELEMETRY\_CONNECTIONTIMEOUT</b><br />
Type: `int`<br />

Timeout for establishing a connection to the collector.
Defaults to 1 second.

### opentelemetry.resource\_name

ENV: <b>TYK\_GW\_OPENTELEMETRY\_RESOURCENAME</b><br />
Type: `string`<br />

Name of the resource, used to identify the Gateway in exported telemetry.
Defaults to "tyk".

### opentelemetry.tls

TLS configuration for the exporter.

### opentelemetry.tls.enable

ENV: <b>TYK\_GW\_OPENTELEMETRY\_TLS\_ENABLE</b><br />
Type: `bool`<br />

Flag that can be used to enable TLS. Defaults to false (disabled).

### opentelemetry.tls.insecure\_skip\_verify

ENV: <b>TYK\_GW\_OPENTELEMETRY\_TLS\_INSECURESKIPVERIFY</b><br />
Type: `bool`<br />

Flag that can be used to skip TLS verification if TLS is enabled.
Defaults to false.

### opentelemetry.tls.ca\_file

ENV: <b>TYK\_GW\_OPENTELEMETRY\_TLS\_CAFILE</b><br />
Type: `string`<br />

Path to the CA file.

### opentelemetry.tls.cert\_file

ENV: <b>TYK\_GW\_OPENTELEMETRY\_TLS\_CERTFILE</b><br />
Type: `string`<br />

Path to the cert file.

### opentelemetry.tls.key\_file

ENV: <b>TYK\_GW\_OPENTELEMETRY\_TLS\_KEYFILE</b><br />
Type: `string`<br />

Path to the key file.

### opentelemetry.tls.max\_version

ENV: <b>TYK\_GW\_OPENTELEMETRY\_TLS\_MAXVERSION</b><br />
Type: `string`<br />

Maximum TLS version that is supported.
Options: \["1.0", "1.1", "1.2", "1.3"].
Defaults to "1.3".

### opentelemetry.tls.min\_version

ENV: <b>TYK\_GW\_OPENTELEMETRY\_TLS\_MINVERSION</b><br />
Type: `string`<br />

Minimum TLS version that is supported.
Options: \["1.0", "1.1", "1.2", "1.3"].
Defaults to "1.2".

### opentelemetry.span\_processor\_type

ENV: <b>TYK\_GW\_OPENTELEMETRY\_SPANPROCESSORTYPE</b><br />
Type: `string`<br />

Type of the span processor to use. Valid values are "simple" or "batch".
Defaults to "batch".

### opentelemetry.span\_batch\_config

Configuration for the batch span processor.
Only applies when SpanProcessorType is "batch".

### opentelemetry.span\_batch\_config.max\_queue\_size

ENV: <b>TYK\_GW\_OPENTELEMETRY\_SPANBATCHCONFIG\_MAXQUEUESIZE</b><br />
Type: `int`<br />

MaxQueueSize is the maximum queue size to buffer spans for delayed processing.
If the queue gets full it drops the spans.
The default value is 2048.

### opentelemetry.span\_batch\_config.max\_export\_batch\_size

ENV: <b>TYK\_GW\_OPENTELEMETRY\_SPANBATCHCONFIG\_MAXEXPORTBATCHSIZE</b><br />
Type: `int`<br />

MaxExportBatchSize is the maximum number of spans to process in a single batch.
If there are more than one batch worth of spans then it processes multiple batches
of spans one batch after the other without any delay.
The default value is 512.

### opentelemetry.span\_batch\_config.batch\_timeout

ENV: <b>TYK\_GW\_OPENTELEMETRY\_SPANBATCHCONFIG\_BATCHTIMEOUT</b><br />
Type: `int`<br />

BatchTimeout is the maximum duration for constructing a batch. Processor
forcefully sends available spans when timeout is reached.
The default value is 5 seconds.

### opentelemetry.context\_propagation

ENV: <b>TYK\_GW\_OPENTELEMETRY\_CONTEXTPROPAGATION</b><br />
Type: `string`<br />

Type of the context propagator to use. Valid values are:

* "tracecontext": a propagator that supports the W3C
  Trace Context format ([https://www.w3.org/TR/trace-context/](https://www.w3.org/TR/trace-context/)).
* "b3": a propagator that serializes SpanContext to/from the B3 multi-header format.
* "custom": a propagator that reads from and writes to a custom header only.
* "composite": a propagator that reads from the custom header (priority) or the standard headers,
  and writes to both the custom and the standard headers.

Defaults to "tracecontext".

### opentelemetry.custom\_trace\_header

ENV: <b>TYK\_GW\_OPENTELEMETRY\_CUSTOMTRACEHEADER</b><br />
Type: `string`<br />

Name of custom header to use for trace ID instead of standard "traceparent".
When set with context\_propagation="custom", the gateway will extract trace context
from this header and propagate it using the same custom header.
When set with context\_propagation="tracecontext" or "b3", the gateway will extract
trace context from this header (priority) or standard headers (fallback), and propagate
using standard headers only.
When set with context\_propagation="composite", the gateway will extract trace context
from this header (priority) or standard headers (fallback), and propagate using both
custom and standard headers.
Example: "X-Correlation-ID", "X-Request-ID", "X-Trace-ID"

The header value should be a valid OpenTelemetry Trace ID: a 32-character (16-byte)
lowercase hex string with at least one non-zero byte
(e.g. "0102030405060708090a0b0c0d0e0f10"). UUIDs with dashes are also accepted
(e.g. "550e8400-e29b-41d4-a716-446655440000") — dashes are removed automatically.
See: [https://opentelemetry.io/docs/specs/otel/trace/api/](https://opentelemetry.io/docs/specs/otel/trace/api/)

If the value contains non-hex characters, those characters will be stripped and the
remaining hex characters will be zero-padded to 32 characters. This means arbitrary
strings like "my-request-id" will NOT produce a predictable trace ID. To ensure
trace ID consistency between the custom header and the reported trace, always send
a valid OpenTelemetry Trace ID or UUID.
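To see what the normalisation described above does to a given header value, here is an added Go example (not Tyk's code) that applies the rules as stated: keep only hex characters, zero-pad to 32, and reject the all-zero ID, while flagging inputs whose trace ID is not predictable. Left-padding, acceptance of uppercase hex and rejection of more than 32 hex characters are assumptions of this example that the page does not specify.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// An OpenTelemetry trace ID is 16 bytes, i.e. 32 hex characters.
const traceIDHexLen = 32

var (
	ErrTraceIDTooLong = errors.New("header holds more than 32 hex characters")
	ErrTraceIDAllZero = errors.New("header normalises to the all-zero trace ID, which is invalid")
)

// Normalized is what the gateway would derive from one custom trace header value.
type Normalized struct {
	TraceID string // 32 lowercase hex characters
	// Lossy is true when characters other than UUID dashes were stripped:
	// the resulting ID cannot be predicted from the original header value.
	Lossy bool
}

func isHex(r rune) bool {
	return (r >= '0' && r <= '9') || (r >= 'a' && r <= 'f') || (r >= 'A' && r <= 'F')
}

// isUUID reports whether s is the dashed 8-4-4-4-12 hex form.
func isUUID(s string) bool {
	if len(s) != 36 {
		return false
	}
	for i, r := range s {
		switch i {
		case 8, 13, 18, 23:
			if r != '-' {
				return false
			}
		default:
			if !isHex(r) {
				return false
			}
		}
	}
	return true
}

// NormalizeTraceHeader applies the rules from the page: keep only hex
// characters, lower-case them, zero-pad to 32 and reject the all-zero ID.
// Assumptions not stated on the page: padding is on the left, uppercase hex
// is accepted, and more than 32 hex characters is an error.
func NormalizeTraceHeader(value string) (Normalized, error) {
	v := strings.TrimSpace(value)
	var hexOnly strings.Builder
	for _, r := range v {
		if isHex(r) {
			hexOnly.WriteRune(r)
		}
	}
	kept := strings.ToLower(hexOnly.String())
	if len(kept) > traceIDHexLen {
		return Normalized{}, ErrTraceIDTooLong
	}
	id := strings.Repeat("0", traceIDHexLen-len(kept)) + kept
	if strings.Trim(id, "0") == "" {
		return Normalized{}, ErrTraceIDAllZero
	}
	// A well-formed UUID only loses its dashes; any other stripped input is lossy.
	lossy := len(kept) != len(v) && !isUUID(v)
	return Normalized{TraceID: id, Lossy: lossy}, nil
}

func main() {
	// Constructed header values: a valid trace ID, a UUID, an arbitrary
	// request ID and the invalid all-zero ID.
	for _, h := range []string{
		"0102030405060708090a0b0c0d0e0f10",
		"550e8400-e29b-41d4-a716-446655440000",
		"my-request-id",
		"00000000000000000000000000000000",
	} {
		n, err := NormalizeTraceHeader(h)
		if err != nil {
			fmt.Printf("%-40s rejected: %v\n", h, err)
			continue
		}
		fmt.Printf("%-40s -> %s (lossy=%t)\n", h, n.TraceID, n.Lossy)
	}
}
```

Running it shows "my-request-id" collapsing to a trace ID made of three hex letters and 29 zeros, which is why only real trace IDs or UUIDs give consistent correlation.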

### opentelemetry.sampling

Defines the configurations to use in the sampler.

### opentelemetry.sampling.type

ENV: <b>TYK\_GW\_OPENTELEMETRY\_SAMPLING\_TYPE</b><br />
Type: `string`<br />

Refers to the policy used by OpenTelemetry to determine
whether a particular trace should be sampled or not. It's determined at the
start of a trace and the decision is propagated down the trace. Valid Values are:
AlwaysOn, AlwaysOff and TraceIDRatioBased. It defaults to AlwaysOn.

### opentelemetry.sampling.rate

ENV: <b>TYK\_GW\_OPENTELEMETRY\_SAMPLING\_RATE</b><br />
Type: `float64`<br />

Parameter for the TraceIDRatioBased sampler type and represents the percentage
of traces to be sampled. The value should fall between 0.0 (0%) and 1.0 (100%). For instance, if
the sampling rate is set to 0.5, the sampler will aim to sample approximately 50% of the traces.
By default, it's set to 0.5.

### opentelemetry.sampling.parent\_based

ENV: <b>TYK\_GW\_OPENTELEMETRY\_SAMPLING\_PARENTBASED</b><br />
Type: `bool`<br />

Rule that ensures that if we decide to record data for a particular operation,
we'll also record data for all the subsequent work that operation causes (its "child spans").
This approach helps in keeping the entire story of a transaction together. Typically, ParentBased
is used in conjunction with TraceIDRatioBased. Using it with AlwaysOn or AlwaysOff might not be as
effective since, in those cases, you're either recording everything or nothing, and there are no
intermediary decisions to consider. The default value for this option is false.

### newrelic.app\_name

ENV: <b>TYK\_GW\_NEWRELIC\_APPNAME</b><br />
Type: `string`<br />

New Relic Application name

### newrelic.license\_key

ENV: <b>TYK\_GW\_NEWRELIC\_LICENSEKEY</b><br />
Type: `string`<br />

New Relic License key

### newrelic.enable\_distributed\_tracing

ENV: <b>TYK\_GW\_NEWRELIC\_ENABLEDISTRIBUTEDTRACING</b><br />
Type: `bool`<br />

Enable distributed tracing

### enable\_http\_profiler

ENV: <b>TYK\_GW\_HTTPPROFILE</b><br />
Type: `bool`<br />

Enable debugging of your Tyk Gateway by exposing profiling information through [https://tyk.io/docs/api-management/troubleshooting-debugging](https://tyk.io/docs/api-management/troubleshooting-debugging)

### use\_redis\_log

ENV: <b>TYK\_GW\_USEREDISLOG</b><br />
Type: `bool`<br />

Enables the real-time Gateway log view in the Dashboard.

<Note>
  For logs to appear in the Tyk Dashboard, both the Gateway and the Dashboard must be configured to use the **same Redis instance**.
  In deployments where the Data Plane (Gateway) and Control Plane (Dashboard) use separate Redis instances,
  enabling this option on the Gateway will not make logs available in the Dashboard.
</Note>

### use\_sentry

ENV: <b>TYK\_GW\_USESENTRY</b><br />
Type: `bool`<br />

Enable Sentry logging

### sentry\_code

ENV: <b>TYK\_GW\_SENTRYCODE</b><br />
Type: `string`<br />

Sentry API code

### sentry\_log\_level

ENV: <b>TYK\_GW\_SENTRYLOGLEVEL</b><br />
Type: `string`<br />

Log verbosity for Sentry logging

### use\_syslog

ENV: <b>TYK\_GW\_USESYSLOG</b><br />
Type: `bool`<br />

Enable Syslog log output

### syslog\_transport

ENV: <b>TYK\_GW\_SYSLOGTRANSPORT</b><br />
Type: `string`<br />

Syslog transport to use. Values: tcp or udp.

### syslog\_network\_addr

ENV: <b>TYK\_GW\_SYSLOGNETWORKADDR</b><br />
Type: `string`<br />

Syslog server address

### use\_graylog

ENV: <b>TYK\_GW\_USEGRAYLOG</b><br />
Type: `bool`<br />

Use Graylog log output

### graylog\_network\_addr

ENV: <b>TYK\_GW\_GRAYLOGNETWORKADDR</b><br />
Type: `string`<br />

Graylog server address

### use\_logstash

ENV: <b>TYK\_GW\_USELOGSTASH</b><br />
Type: `bool`<br />

Use logstash log output

### logstash\_transport

ENV: <b>TYK\_GW\_LOGSTASHTRANSPORT</b><br />
Type: `string`<br />

Logstash network transport. Values: tcp or udp.

### logstash\_network\_addr

ENV: <b>TYK\_GW\_LOGSTASHNETWORKADDR</b><br />
Type: `string`<br />

Logstash server address

### track\_404\_logs

ENV: <b>TYK\_GW\_TRACK404LOGS</b><br />
Type: `bool`<br />

Show 404 HTTP errors in your Gateway application logs

### statsd\_connection\_string

ENV: <b>TYK\_GW\_STATSDCONNECTIONSTRING</b><br />
Type: `string`<br />

Address of the StatsD server. If set, StatsD monitoring is enabled.

### statsd\_prefix

ENV: <b>TYK\_GW\_STATSDPREFIX</b><br />
Type: `string`<br />

StatsD prefix

### event\_handlers

ENV: <b>TYK\_GW\_EVENTHANDLERS</b><br />
Type: `apidef.EventHandlerMetaConfig`<br />

Event System

### hide\_generator\_header

ENV: <b>TYK\_GW\_HIDEGENERATORHEADER</b><br />
Type: `bool`<br />

HideGeneratorHeader will mask the 'X-Generator' and 'X-Mascot-...' headers, if set to true.

### force\_global\_session\_lifetime

ENV: <b>TYK\_GW\_FORCEGLOBALSESSIONLIFETIME</b><br />
Type: `bool`<br />

Enable global API token expiration. This may be needed if all your APIs use JWT or OAuth 2.0 authentication with dynamically generated keys.

### session\_lifetime\_respects\_key\_expiration

ENV: <b>TYK\_GW\_SESSIONLIFETIMERESPECTSKEYEXPIRATION</b><br />
Type: `bool`<br />

SessionLifetimeRespectsKeyExpiration respects the key expiration time when the session lifetime is shorter than the key expiration. That is, Redis waits until the key expires before physically removing it.

### global\_session\_lifetime

ENV: <b>TYK\_GW\_GLOBALSESSIONLIFETIME</b><br />
Type: `int64`<br />

Global session lifetime, in seconds.

### kv.KV

ENV: <b>TYK\_GW\_KV\_KV</b><br />
Type: `struct`<br />

See more details [https://tyk.io/docs/tyk-self-managed/#store-configuration-with-key-value-store](https://tyk.io/docs/tyk-self-managed/#store-configuration-with-key-value-store)

### kv.consul.address

ENV: <b>TYK\_GW\_KV\_CONSUL\_ADDRESS</b><br />
Type: `string`<br />

Address is the address of the Consul server

### kv.consul.scheme

ENV: <b>TYK\_GW\_KV\_CONSUL\_SCHEME</b><br />
Type: `string`<br />

Scheme is the URI scheme for the Consul server

### kv.consul.datacenter

ENV: <b>TYK\_GW\_KV\_CONSUL\_DATACENTER</b><br />
Type: `string`<br />

The datacenter to use. If not provided, the default agent datacenter is used.

### kv.consul.http\_auth.username

ENV: <b>TYK\_GW\_KV\_CONSUL\_HTTPAUTH\_USERNAME</b><br />
Type: `string`<br />

Username to use for HTTP Basic Authentication

### kv.consul.http\_auth.password

ENV: <b>TYK\_GW\_KV\_CONSUL\_HTTPAUTH\_PASSWORD</b><br />
Type: `string`<br />

Password to use for HTTP Basic Authentication

### kv.consul.tls\_config.address

ENV: <b>TYK\_GW\_KV\_CONSUL\_TLSCONFIG\_ADDRESS</b><br />
Type: `string`<br />

Address

### kv.consul.tls\_config.ca\_file

ENV: <b>TYK\_GW\_KV\_CONSUL\_TLSCONFIG\_CAFILE</b><br />
Type: `string`<br />

CA file

### kv.consul.tls\_config.ca\_path

ENV: <b>TYK\_GW\_KV\_CONSUL\_TLSCONFIG\_CAPATH</b><br />
Type: `string`<br />

CA Path

### kv.consul.tls\_config.cert\_file

ENV: <b>TYK\_GW\_KV\_CONSUL\_TLSCONFIG\_CERTFILE</b><br />
Type: `string`<br />

Cert file

### kv.consul.tls\_config.key\_file

ENV: <b>TYK\_GW\_KV\_CONSUL\_TLSCONFIG\_KEYFILE</b><br />
Type: `string`<br />

Key file

### kv.consul.tls\_config.insecure\_skip\_verify

ENV: <b>TYK\_GW\_KV\_CONSUL\_TLSCONFIG\_INSECURESKIPVERIFY</b><br />
Type: `bool`<br />

Disable TLS validation

### kv.vault.token

ENV: <b>TYK\_GW\_KV\_VAULT\_TOKEN</b><br />
Type: `string`<br />

Token is the Vault root token.

### kv.vault.kv\_version

ENV: <b>TYK\_GW\_KV\_VAULT\_KVVERSION</b><br />
Type: `int`<br />

KVVersion is the Vault KV version number. Usually defaults to 2.

### secrets

ENV: <b>TYK\_GW\_SECRETS</b><br />
Type: `map[string]string`<br />

Secrets configures a list of key/value pairs for the gateway.
When configuring it via environment variable, the expected value
is a comma separated list of key-value pairs delimited with a colon.

Example: `TYK_GW_SECRETS=key1:value1,key2:/value2`
Produces: `{"key1": "value1", "key2": "/value2"}`

The secret value may be used as `secrets://key1` from the API definition.
In Gateway versions before 5.3, only the `listen_path` and `target_url` fields
had secrets replaced.
See more details [https://tyk.io/docs/tyk-self-managed/#how-to-access-the-externally-stored-data](https://tyk.io/docs/tyk-self-managed/#how-to-access-the-externally-stored-data)
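The environment-variable format above, parsed and then applied to `secrets://` references, as an added Go example that is not Tyk's own code. It assumes that only the first colon of each pair separates key from value (so a URL value with a port survives intact) and that a secret name consists of letters, digits, `_` and `-`; neither detail is stated on the page.

```go
package main

import (
	"fmt"
	"strings"
)

const secretsScheme = "secrets://"

// ParseSecretsEnv parses the TYK_GW_SECRETS value format from the page:
// comma-separated pairs, each "key:value". Only the first colon separates key
// from value (an assumption of this example), so a value such as a URL with a
// port keeps its own colons intact.
func ParseSecretsEnv(raw string) (map[string]string, error) {
	secrets := make(map[string]string)
	for _, pair := range strings.Split(raw, ",") {
		pair = strings.TrimSpace(pair)
		if pair == "" {
			continue // tolerate a trailing comma
		}
		key, value, found := strings.Cut(pair, ":")
		if !found || key == "" {
			return nil, fmt.Errorf("malformed secrets pair %q: expected key:value", pair)
		}
		secrets[key] = value
	}
	return secrets, nil
}

// isKeyChar bounds a secret name; the page does not define the key alphabet,
// so this example assumes letters, digits, '_' and '-'.
func isKeyChar(r rune) bool {
	return r == '_' || r == '-' ||
		(r >= '0' && r <= '9') || (r >= 'a' && r <= 'z') || (r >= 'A' && r <= 'Z')
}

// ResolveSecretRefs replaces every secrets://<key> in s with the stored value.
// An unknown key is an error rather than being left in place, so a typo can
// never ship an API whose target_url still reads "secrets://...".
func ResolveSecretRefs(s string, secrets map[string]string) (string, error) {
	var out strings.Builder
	for {
		i := strings.Index(s, secretsScheme)
		if i < 0 {
			out.WriteString(s)
			return out.String(), nil
		}
		out.WriteString(s[:i])
		rest := s[i+len(secretsScheme):]
		end := strings.IndexFunc(rest, func(r rune) bool { return !isKeyChar(r) })
		if end < 0 {
			end = len(rest)
		}
		key := rest[:end]
		value, ok := secrets[key]
		if key == "" || !ok {
			return "", fmt.Errorf("unknown secret reference %q", secretsScheme+key)
		}
		out.WriteString(value)
		s = rest[end:]
	}
}

func main() {
	// Constructed environment value: a URL value containing colons and a value starting with '/'.
	env := "upstream:https://api.internal:8443,base:/v1"
	secrets, err := ParseSecretsEnv(env)
	if err != nil {
		panic(err)
	}
	// Constructed API definition fields that reference the secrets.
	for _, field := range []string{"secrets://upstream/users", "secrets://base/", "secrets://missing"} {
		resolved, err := ResolveSecretRefs(field, secrets)
		if err != nil {
			fmt.Printf("%-28s error: %v\n", field, err)
			continue
		}
		fmt.Printf("%-28s -> %s\n", field, resolved)
	}
}
```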

### override\_messages

Override the default error code and/or message returned by middleware.
The following message IDs can be used to override the message and error codes:

AuthToken message IDs

* `auth.auth_field_missing`
* `auth.key_not_found`

OIDC message IDs

* `oauth.auth_field_missing`
* `oauth.auth_field_malformed`
* `oauth.key_not_found`
* `oauth.client_deleted`

Sample Override Message Setting

```
"override_messages": {
  "oauth.auth_field_missing": {
    "code": 401,
    "message": "Token is not authorized"
  }
}
```

### cloud

ENV: <b>TYK\_GW\_CLOUD</b><br />
Type: `bool`<br />

Cloud flag shows the Gateway runs in Tyk Cloud.

### jwt\_ssl\_insecure\_skip\_verify

ENV: <b>TYK\_GW\_JWTSSLINSECURESKIPVERIFY</b><br />
Type: `bool`<br />

Skip TLS verification when fetching the JWKS from the JWKS URL during JWT validation.

### resource\_sync

ResourceSync configures the mitigation strategy for when a resource sync fails.

### resource\_sync.retry\_attempts

ENV: <b>TYK\_GW\_RESOURCESYNC\_RETRYATTEMPTS</b><br />
Type: `int`<br />

RetryAttempts defines the number of retries that the Gateway
should perform during a resource sync (APIs or policies), defaulting
to zero which means no retries are attempted.

### resource\_sync.interval

ENV: <b>TYK\_GW\_RESOURCESYNC\_INTERVAL</b><br />
Type: `int`<br />

Interval configures the interval in seconds between each retry on a resource sync error.

### oas\_config

OAS holds the configuration for various OpenAPI-specific functionalities

### oas\_config.validate\_examples

ENV: <b>TYK\_GW\_OAS\_VALIDATEEXAMPLES</b><br />
Type: `bool`<br />

ValidateExamples enables validation of values provided in `example` and `examples` fields against the declared schemas in the OpenAPI Document. Defaults to false.

### oas\_config.validate\_schema\_defaults

ENV: <b>TYK\_GW\_OAS\_VALIDATESCHEMADEFAULTS</b><br />
Type: `bool`<br />

ValidateSchemaDefaults enables validation of values provided in `default` fields against the declared schemas in the OpenAPI Document. Defaults to false.

### streaming

Streaming holds the configuration for Tyk Streaming functionalities

### streaming.enabled

ENV: <b>TYK\_GW\_STREAMING\_ENABLED</b><br />
Type: `bool`<br />

This flag enables the Tyk Streaming feature.

### streaming.allow\_unsafe

ENV: <b>TYK\_GW\_STREAMING\_ALLOWUNSAFE</b><br />
Type: `[]string`<br />

AllowUnsafe specifies a list of potentially unsafe streaming components that should be allowed in the configuration.
By default, components that could pose security risks (like file access, subprocess execution, socket operations, etc.)
are filtered out. This field allows administrators to explicitly permit specific unsafe components when needed.
Use with caution as enabling unsafe components may introduce security vulnerabilities.

### jwks

JWKS holds the configuration for Tyk JWKS functionalities

### jwks.cache

Cache holds configuration for JWKS caching

### jwks.cache.timeout

ENV: <b>TYK\_GW\_JWKS\_CACHE\_TIMEOUT</b><br />
Type: `int64`<br />

Timeout defines how long the JWKS will be kept in the cache before forcing a refresh from the JWKS endpoint.
Default is 240 seconds (4 minutes). Set to 0 to use the default value.
