Tyk Dashboard Configuration Options

Last updated: 23 minutes read.

You can use environment variables to override the config file for the Tyk Dashboard. The Dashboard configuration file can be found in the tyk-dashboard folder and by default is called tyk_analytics.conf, though it can be renamed and specified using the --conf flag. Environment variables are created from the dot notation versions of the JSON objects contained with the config files. To understand how the environment variables notation works, see Environment Variables.

The Tyk Dashboard has a separate configuration file, it is small and comes packaged with the tarball. It uses a separate configuration file as it may be installed on a different host to your Tyk Gateway nodes.

The Dashboard configuration file can be found in the tyk-dashboard folder and by default is called tyk_analytics.conf, though it can be renamed and specified using the --conf flag.

Please consult the data storage configuration guide for further information relating to how to configure Tyk’s data storage across different database engines.

Environment Variables

All the Dashboard environment variables have the prefix TYK_DB_. The environment variables will take precedence over the values in the configuration file.

Environment variables (env var) can be used to override the settings defined in the configuration file. Where an environment variable is specified, its value will take precedence over the value in the configuration file.

The file will look like the sample below, the various fields are explained in the following sections:

{
  "listen_port": 3000,
  "tyk_api_config": {
    "Host": "http://tyk-gateway",
    "Port": "8080",
    "Secret": "352d20ee67be67f6340b4c0605b044b7"
  },
  "enable_aggregate_lookups": true,
  "storage": {
    "main": {
      "type": "postgres",
      "connection_string": "user=laurentiughiur password=test123 database='tyk-test' host=127.0.0.1 port=5432",
      "table_sharding": true
    },
    "analytics": {
      "type": "postgres",
      "connection_string": "user=laurentiughiur password=test123 database='tyk-test' host=127.0.0.1 port=5432",
      "table_sharding": true
    },
    "logs": {
      "type": "postgres",
      "connection_string": "user=laurentiughiur password=test123 database='tyk-test' host=127.0.0.1 port=5432",
      "table_sharding": true
    },
    "uptime": {
      "type": "postgres",
      "connection_string": "user=laurentiughiur password=test123 database='tyk-test' host=127.0.0.1 port=5432",
      "table_sharding": true
    }
  },
  "enable_ownership": false,
  "mongo_url": "mongodb://tyk-mongo:27017/tyk_analytics",
  "mongo_use_ssl": false,
  "mongo_ssl_insecure_skip_verify": false,
  "mongo_session_consistency": "",
  "mongo_batch_size": 2000,
  "page_size": 10,
  "admin_secret": "12345",
  "shared_node_secret": "352d20ee67be67f6340b4c0605b044b7",
  "redis_port": 6379,
  "redis_host": "tyk-redis",
  "redis_username": "",
  "redis_password": "",
  "redis_master_name": "",
  "redis_timeout": 0,
  "redis_database": 0,
  "enable_cluster": false,
  "redis_use_ssl": false,
  "redis_ssl_insecure_skip_verify": false,
  "force_api_defaults": false,
  "notify_on_change": true,
  "license_key": "",
  "redis_hosts": null,
  "redis_addrs": null,
  "hash_keys": true,
    "enable_hashed_keys_listing": false,
  "email_backend": {
    "enable_email_notifications": false,
    "code": "sendgrid",
    "settings": {
      "ClientKey": ""
      },
    "default_from_email": "[email protected]",
    "default_from_name": "Some Person",
    "dashboard_hostname": ""
  },
  "hide_listen_path": false,
  "sentry_code": "",
  "sentry_js_code": "",
  "use_sentry": false,
  "enable_master_keys": false,
  "enable_duplicate_slugs": true,
  "show_org_id": true,
  "host_config": {
    "enable_host_names": true,
    "disable_org_slug_prefix": true,
    "hostname": "www.tyk-test.com",
    "override_hostname": "www.tyk-test.com:8080",
    "portal_domains": {},
    "portal_root_path": "/portal",
    "generate_secure_paths": false,
    "secure_cookies": false,
    "use_strict_hostmatch": false
  },
  "http_server_options": {
    "use_ssl": false,
    "certificates": [],
    "min_version": 0,
    "ssl_ciphers": null,
    "ssl_insecure_skip_verify": false,
    "prefer_server_ciphers": false
  },
  "basic-config-and-security/security": {
    "allow_admin_reset_password": false,
    "login_failure_username_limit": 0,
    "login_failure_ip_limit": 0,
    "login_failure_expiration": 0,
    "login_disallow_forward_proxy": false,
    "audit_log_path": "",
    "user_password_max_days": 0,
    "enforce_password_history": 0,
    "force_first_login_pw_reset": false,
    "enable_content_security_policy": false,
    "allowed_content_sources": "",
    "private_certificate_encoding_secret": "some-secret",
    "open_policy":{
      "enabled": true,
      "debug": true,
      "enable_api": true
      },
    "additional_permissions": {
      "api_manager": "API Manager"
      }
  },
  "ui": {
    "languages": {
      "Chinese": "cn",
      "English": "en",
      "Korean": "ko"
    },
    "hide_help": true,
    "default_lang": "en",
    "login_page": {},
    "nav": {
      "dont_show_admin_sockets": false,
      "hide_activity_by_api_section": false,
      "hide_geo": false,
      "hide_licenses_section": false,
      "hide_logs": false,
      "hide_tib_section": false
    },
    "uptime": {},
    "portal_section": null,
    "designer": {},
    "dont_show_admin_sockets": false,
    "dont_allow_license_management": false,
    "dont_allow_license_management_view": false,
    "cloud": false
  },
  "home_dir": "/opt/tyk-dashboard",
  "identity_broker": {
    "enabled": false,
    "host": {
      "connection_string": "",
      "secret": ""
    }
  },
  "tagging_options": {
    "tag_all_apis_by_org": false
  },
  "use_sharded_analytics": true,
  "enable_aggregate_lookups": true,
  "aggregate_lookup_cutoff": "26/05/2016",
  "maintenance_mode": false,
  "allow_explicit_policy_id": true,
  "private_key_path": "",
  "node_schema_path": "",
  "oauth_redirect_uri_separator": ";",
  "statsd_connection_string": "",
  "statsd_prefix": "",
  "disable_parallel_sessions": false,
  "dashboard_session_lifetime": 0,
  "alternative_dashboard_url": "",
  "sso_permission_defaults": null,
  "sso_default_group_id": "",
  "sso_custom_login_url": "",
  "sso_custom_portal_login_url": "",
  "sso_enable_user_lookup": false,
  "notifications_listen_port": 5000,
  "portal_session_lifetime": 0,
  "enable_delete_key_by_hash": false,
  "enable_update_key_by_hash": false,
  "audit": {
    "enabled": false,
    "format": "",
    "path": "",
    "detailed_recording": false
  },
  "enable_multi_org_users": false,
  "version_check_url": "",
  "health_check_endpoint_name": ""
}

listen_port

EV: TYK_DB_LISTENPORT
Type: int

Setting this value will change the port that Tyk Dashboard listens on. Default: 3000.

tyk_api_config

This section contains details for a Tyk Gateway node that the Tyk Dashboard can speak to. The Dashboard controls Tyk using the Gateway API and only requires visibility to one node, so long as all nodes are using the same API Definitions.

Note

If the Dashboard cannot see a Tyk node, key management functions will not work properly.

In a sharded environment, the Gateway node specified in tyk_api_config must not be sharded.

tyk_api_config.Host

EV: TYK_DB_TYKAPI_HOST
Type: string

This is the full URL of your Tyk node.

tyk_api_config.Port

EV: TYK_DB_TYKAPI_PORT
Type: string

The port that Tyk is running on

tyk_api_config.Secret

EV: TYK_DB_TYKAPI_SECRET
Type: string

The secret set in your tyk.conf file. This is the key that Tyk Dashboard will use to speak to the Tyk node’s Gateway API. Note that this value has to match the secret value in tyk.conf.

mongo_url

EV: TYK_DB_MONGOURL
Type: string

The full URL to your MongoDB instance, this can be a clustered instance if necessary and should include the database and username / password data.

mongo_use_ssl

EV: TYK_DB_MONGOUSESSL
Type: bool

Set to true to enable Mongo SSL connection

mongo_ssl_insecure_skip_verify

EV: TYK_DB_MONGOSSLINSECURESKIPVERIFY
Type: bool

Allows the use of self-signed certificates when connecting to an encrypted MongoDB database.

mongo_ssl_allow_invalid_hostnames

EV: TYK_DB_MONGOSSLALLOWINVALIDHOSTNAMES
Type: bool

Ignore hostname check when it differs from the original (for example with SSH tunneling). The rest of the TLS verification will still be performed.

mongo_ssl_ca_file

EV: TYK_DB_MONGOSSLCAFILE
Type: string

Path to the PEM file with trusted root certificates

mongo_ssl_pem_keyfile

EV: TYK_DB_MONGOSSLPEMKEYFILE
Type: string

Path to the PEM file which contains both client certificate and private key. This is required for Mutual TLS.

mongo_session_consistency

EV: TYK_DB_MONGOSESSIONCONSISTENCY
Type: string

Mongo session constency: “strong”, “eventual”, or “monotonic”. default is “strong”

mongo_batch_size

EV: TYK_DB_MONGOBATCHSIZE
Type: int

Sets the batch size for mongo results. Defaults to 2000. Increasing this number can decrease dashboard performance. This value cannot be lower than 100 and will fallback to 100 if a lower value has been set.

mongo_driver

EV: TYK_DB_MONGODRIVER
Type: string

Determines the MongoDB driver used. It could be mongo-go to use the official mongo driver for go v1.11 or mgo to use mgo driver. By default, the value is mgo. It can be set at storage level as well if the database type is mongo. This config is available since dashboard v5.0.2

mongo_direct_connection

EV: TYK_DB_MONGODIRECTCONNECTION
Type: bool

MongoDirectConnection informs whether to establish connections only with the specified seed servers, or to obtain information for the whole cluster and establish connections with further servers too. If true, the client will only connect to the host provided in the ConnectionString and won’t attempt to discover other hosts in the cluster. Useful when network restrictions prevent discovery, such as with SSH tunneling. Default is false.

page_size

EV: TYK_DB_PAGESIZE
Type: int

The page size that the dashboard should use. Defaults to 10.

storage

This option allows you to store different types of data in different databases. For example, logs can be stored in one database, analytics in another, and master resources in another.

storage.main

Main database where the dashboard resources are stored (users, orgs, policies, etc)

storage.main.mongo

Connection setting for a mongo database

storage.main.mongo.driver

EV: TYK_DB_STORAGE_MAIN_MONGO_DRIVER
Type: string

Driver to use when connected to a mongo database. It could be mongo-go to use the official mongo driver for go v1.11 or mgo to use mgo driver. By default, the value is mgo. This config is available since dashboard v5.0.2

storage.main.postgres

Connection settings for a Postgres database

storage.main.postgres.prefer_simple_protocol

EV: TYK_DB_STORAGE_MAIN_POSTGRES_PREFERSIMPLEPROTOCOL
Type: bool

disables implicit prepared statement usage

storage.main.mysql

Connection settings for a MySQL database

storage.main.mysql.default_string_size

EV: TYK_DB_STORAGE_MAIN_MYSQL_DEFAULTSTRINGSIZE
Type: uint

default size for string fields. By default set to: 256

storage.main.mysql.disable_datetime_precision

EV: TYK_DB_STORAGE_MAIN_MYSQL_DISABLEDATETIMEPRECISION
Type: bool

disable datetime precision, which not supported before MySQL 5.6

storage.main.mysql.dont_support_rename_index

EV: TYK_DB_STORAGE_MAIN_MYSQL_DONTSUPPORTRENAMEINDEX
Type: bool

drop & create when rename index, rename index not supported before MySQL 5.7, MariaDB

storage.main.mysql.dont_support_rename_column

EV: TYK_DB_STORAGE_MAIN_MYSQL_DONTSUPPORTRENAMECOLUMN
Type: bool

change when rename column, rename column not supported before MySQL 8, MariaDB

storage.main.mysql.skip_initialize_with_version

EV: TYK_DB_STORAGE_MAIN_MYSQL_SKIPINITIALIZEWITHVERSION
Type: bool

auto configure based on currently MySQL version

storage.analytics

Where all the analytics related data is stored

storage.analytics.mongo

Connection setting for a mongo database

storage.analytics.mongo.driver

EV: TYK_DB_STORAGE_ANALYTICS_MONGO_DRIVER
Type: string

Driver to use when connected to a mongo database. It could be mongo-go to use the official mongo driver for go v1.11 or mgo to use mgo driver. By default, the value is mgo. This config is available since dashboard v5.0.2

storage.analytics.postgres

Connection settings for a Postgres database

storage.analytics.postgres.prefer_simple_protocol

EV: TYK_DB_STORAGE_ANALYTICS_POSTGRES_PREFERSIMPLEPROTOCOL
Type: bool

disables implicit prepared statement usage

storage.analytics.mysql

Connection settings for a MySQL database

storage.analytics.mysql.default_string_size

EV: TYK_DB_STORAGE_ANALYTICS_MYSQL_DEFAULTSTRINGSIZE
Type: uint

default size for string fields. By default set to: 256

storage.analytics.mysql.disable_datetime_precision

EV: TYK_DB_STORAGE_ANALYTICS_MYSQL_DISABLEDATETIMEPRECISION
Type: bool

disable datetime precision, which not supported before MySQL 5.6

storage.analytics.mysql.dont_support_rename_index

EV: TYK_DB_STORAGE_ANALYTICS_MYSQL_DONTSUPPORTRENAMEINDEX
Type: bool

drop & create when rename index, rename index not supported before MySQL 5.7, MariaDB

storage.analytics.mysql.dont_support_rename_column

EV: TYK_DB_STORAGE_ANALYTICS_MYSQL_DONTSUPPORTRENAMECOLUMN
Type: bool

change when rename column, rename column not supported before MySQL 8, MariaDB

storage.analytics.mysql.skip_initialize_with_version

EV: TYK_DB_STORAGE_ANALYTICS_MYSQL_SKIPINITIALIZEWITHVERSION
Type: bool

auto configure based on currently MySQL version

storage.logs.mongo

Connection setting for a mongo database

storage.logs.mongo.driver

EV: TYK_DB_STORAGE_LOGS_MONGO_DRIVER
Type: string

Driver to use when connected to a mongo database. It could be mongo-go to use the official mongo driver for go v1.11 or mgo to use mgo driver. By default, the value is mgo. This config is available since dashboard v5.0.2

storage.logs.postgres

Connection settings for a Postgres database

storage.logs.postgres.prefer_simple_protocol

EV: TYK_DB_STORAGE_LOGS_POSTGRES_PREFERSIMPLEPROTOCOL
Type: bool

disables implicit prepared statement usage

storage.logs.mysql

Connection settings for a MySQL database

storage.logs.mysql.default_string_size

EV: TYK_DB_STORAGE_LOGS_MYSQL_DEFAULTSTRINGSIZE
Type: uint

default size for string fields. By default set to: 256

storage.logs.mysql.disable_datetime_precision

EV: TYK_DB_STORAGE_LOGS_MYSQL_DISABLEDATETIMEPRECISION
Type: bool

disable datetime precision, which not supported before MySQL 5.6

storage.logs.mysql.dont_support_rename_index

EV: TYK_DB_STORAGE_LOGS_MYSQL_DONTSUPPORTRENAMEINDEX
Type: bool

drop & create when rename index, rename index not supported before MySQL 5.7, MariaDB

storage.logs.mysql.dont_support_rename_column

EV: TYK_DB_STORAGE_LOGS_MYSQL_DONTSUPPORTRENAMECOLUMN
Type: bool

change when rename column, rename column not supported before MySQL 8, MariaDB

storage.logs.mysql.skip_initialize_with_version

EV: TYK_DB_STORAGE_LOGS_MYSQL_SKIPINITIALIZEWITHVERSION
Type: bool

auto configure based on currently MySQL version

storage.uptime

Where all the uptime related data is stored

storage.uptime.mongo

Connection setting for a mongo database

storage.uptime.mongo.driver

EV: TYK_DB_STORAGE_UPTIME_MONGO_DRIVER
Type: string

Driver to use when connected to a mongo database. It could be mongo-go to use the official mongo driver for go v1.11 or mgo to use mgo driver. By default, the value is mgo. This config is available since dashboard v5.0.2

storage.uptime.postgres

Connection settings for a Postgres database

storage.uptime.postgres.prefer_simple_protocol

EV: TYK_DB_STORAGE_UPTIME_POSTGRES_PREFERSIMPLEPROTOCOL
Type: bool

disables implicit prepared statement usage

storage.uptime.mysql

Connection settings for a MySQL database

storage.uptime.mysql.default_string_size

EV: TYK_DB_STORAGE_UPTIME_MYSQL_DEFAULTSTRINGSIZE
Type: uint

default size for string fields. By default set to: 256

storage.uptime.mysql.disable_datetime_precision

EV: TYK_DB_STORAGE_UPTIME_MYSQL_DISABLEDATETIMEPRECISION
Type: bool

disable datetime precision, which not supported before MySQL 5.6

storage.uptime.mysql.dont_support_rename_index

EV: TYK_DB_STORAGE_UPTIME_MYSQL_DONTSUPPORTRENAMEINDEX
Type: bool

drop & create when rename index, rename index not supported before MySQL 5.7, MariaDB

storage.uptime.mysql.dont_support_rename_column

EV: TYK_DB_STORAGE_UPTIME_MYSQL_DONTSUPPORTRENAMECOLUMN
Type: bool

change when rename column, rename column not supported before MySQL 8, MariaDB

storage.uptime.mysql.skip_initialize_with_version

EV: TYK_DB_STORAGE_UPTIME_MYSQL_SKIPINITIALIZEWITHVERSION
Type: bool

auto configure based on currently MySQL version

admin_secret

EV: TYK_DB_ADMINSECRET
Type: string

This secret is to be used by a special set of endpoints that we call “Admin APIs”. This API is part of the super-admin context and therefore has a separate endpoint prefix /admin. It also requires a special auth header called admin-auth. This purpose of these endpoints is to allow functionality that regular Dashboard users should not have, such as create new organisations, create super users etc. See the Admin API for more information on these endpoints.

shared_node_secret

EV: TYK_DB_NODESECRET
Type: string

This value should match with the node_secret Gateway configuration option value. Each node communicates with the Dashboard via a shared secret (this setting) and a nonce to ensure that out-of-band requests cannot be made. Nodes will send a heartbeat every few seconds to notify the Dashboard that they are running.

redis_port

EV: TYK_DB_REDISPORT
Type: int

The port that your Redis installation listens on.

Note

The Tyk Dashboard uses Redis to store its session data and to communicate with your Tyk Gateway nodes occasionally. The Redis details used by the dashboard must be the same as those set for your Tyk installation.

redis_host

EV: TYK_DB_REDISHOST
Type: string

The hostname for the Redis collection and can be an IP address.

redis_addrs

EV: TYK_DB_REDISADDRS
Type: []string

Used for configuring Redis clusters. See Redis Cluster and Tyk Dashboard for more info. Example:

   "addrs": [
     "server1:6379",
     "server2:6380",
     "server3:6381"
   ],

redis_hosts

EV: TYK_DB_HOSTS
Type: map[string]string

DEPRECATED. Use redis_addrs instead. You can also specify multiple Redis hosts here. Tyk will use this array if it is not empty, or it will use the individual legacy parameters above. You can specify multiple host:port combinations here.

redis_username

EV: TYK_DB_REDISUSERNAME
Type: string

If you are using Redis AUTH using its requirepass setting, enter your username here (recommended). If this is not used, the Dashboard will not attempt to login to Redis.

redis_password

EV: TYK_DB_REDISPASSWORD
Type: string

The password for your Redis Auth username.

redis_master_name

EV: TYK_DB_REDISMASTERNAME
Type: string

Redis Sentinel Master name

redis_sentinel_password

EV: TYK_DB_REDISSENTINELPASSWORD
Type: string

Redis Sentinel password

redis_timeout

EV: TYK_DB_REDISTIMEOUT
Type: int

Set a custom Redis network timeout. Default value is 5 seconds.

redis_database

EV: TYK_DB_REDISDATABASE
Type: int

Set this to the index of your Redis database if you are using more than one.

enable_cluster

EV: TYK_DB_ENABLECLUSTER
Type: bool

Set this to true if you are using a Redis cluster.

redis_use_ssl

EV: TYK_DB_REDISUSESSL
Type: bool

Use Redis SSL connection

redis_ssl_insecure_skip_verify

EV: TYK_DB_REDISSSLINSECURESKIPVERIFY
Type: bool

Ignore TLS verification for Redis connectin

notify_on_change

EV: TYK_DB_NOTIFYONCHANGE
Type: bool

Licensed users can use this setting to enable/disable whether the Tyk Dashboard will notify all Tyk Gateway nodes to hot-reload when an API definition is changed.

license_key

EV: TYK_DB_LICENSEKEY
Type: string

Your Tyk Dashboard license key

hash_keys

EV: TYK_DB_HASHKEYS
Type: bool

If your Tyk Gateway is using hashed keys, set this value to true so it matches. The Dashboard will now operate in a mode that is compatible with key hashing.

disable_key_actions_by_username

EV: TYK_DB_DISABLEKEYACTIONSBYUSERNAME
Type: bool

DisableKeyActionsByUsername disables basic auth key operation by username. When this is set to true you are able to search for keys only by keyID or key hash (if hash_keys is also set to true) Note that if hash_keys is also set to true then the keyID will not be provided for APIs secured using basic auth. In this scenario the only search option would be to use key hash You must configure this setting with the same value in both Gateway and Dashboard

enable_delete_key_by_hash

EV: TYK_DB_ENABLEDELETEKEYBYHASH
Type: bool

To delete a key by its hash, set this option to true

enable_update_key_by_hash

EV: TYK_DB_ENABLEUPDATEKEYBYHASH
Type: bool

To update a key by its hash, set this option to true.

enable_hashed_keys_listing

EV: TYK_DB_ENABLEHASHEDKEYSLISTING
Type: bool

To retrieve a list of all key hash listings, set this option to true.

email_backend

Tyk supports an interface-based email back-end system. We support mandrill, sendgrid, amazonses and mailgun. See Outbound Email Configuration for more details on configuring these different providers.

email_backend.enable_email_notifications

EV: TYK_DB_EMAILBACKEND_ENABLEEMAILNOTIFICATIONS
Type: bool

Set to true to have Tyk send emails for things such as key approvals and portal sign ups.

email_backend.code

EV: TYK_DB_EMAILBACKEND_CODE
Type: string

The code of the back-end to use, mandrill, sendgrid, amazonses and mailgun are supported.

email_backend.settings

EV: TYK_DB_EMAILBACKEND_SETTINGS
Type: map[string]string

The custom settings sections for the back end system.

email_backend.default_from_email

EV: TYK_DB_EMAILBACKEND_DEFAULTFROMEMAIL
Type: string

The address to send email from.

email_backend.default_from_name

EV: TYK_DB_EMAILBACKEND_DEFAULTFROMNAME
Type: string

The name to use when sending emails.

email_backend.dashboard_hostname

EV: TYK_DB_EMAILBACKEND_DASHBOARDHOSTNAME
Type: string

Your public dashboard hostname.

hide_listen_path

EV: TYK_DB_HIDELISTENPATH
Type: bool

If you set this option to true, then the listen path will not be editable or visible in the Dashboard.

use_sentry

EV: TYK_DB_USESENTRY
Type: bool

The Tyk Dashboard has Sentry integration to externalise logging. Set this to true to enable the logger.

sentry_code

EV: TYK_DB_SENTRYCODE
Type: string

If you have a Sentry setup, or are using Getsentry, you can add the Sentry DSN here and Tyk will begin sending events.

sentry_js_code

EV: TYK_DB_SENTRYJSCODE
Type: string

To have the Dashboard report Javascript errors to you, add a separate DSN here.

enable_master_keys

EV: TYK_DB_ENABLEMASTERKEYS
Type: bool

If this is set to true, session objects (key definitions) that do not have explicit access rights set will be allowed by Tyk. This means that keys that are created have access to ALL APIs, which in many cases is unwanted behaviour unless you are sure about what you are doing. To use this setting also requires the corresponding Gateway configuration setting allow_master_keys to be set to true.

enable_duplicate_slugs

EV: TYK_DB_ENABLEDUPLICATESLUGS
Type: bool

Setting this option to true will cause the dashboard to not validate against other listen paths.

show_org_id

EV: TYK_DB_SHOWORGID
Type: bool

Determines whether the Org ID will be shown in the Users -> Username detail page. This can be useful for quickly identifying your Org ID.

host_config

Section to manage dashboard host names and domains

host_config.enable_host_names

EV: TYK_DB_HOSTCONFIG_ENABLEHOSTNAMES
Type: bool

The Tyk Dashboard can bind the Dashboard application to a specific domain name. Enable this option to have the Dashboard only allow access on a specific domain and 404 on any other host access (not recommended).

host_config.disable_org_slug_prefix

EV: TYK_DB_HOSTCONFIG_DISABLEORGSLUGPREFIX
Type: bool

By default, for developer portal, Tyk will add orgID prefix. Set to true if you have single tenant application or each portal on separate domain.

host_config.hostname

EV: TYK_DB_HOSTCONFIG_HOSTNAME
Type: string

The hostname to bind the Dashboard to. This must be a proper hostname and not localhost.

host_config.override_hostname

EV: TYK_DB_HOSTCONFIG_GATEWAYHOSTNAME
Type: string

Set this value to whatever hostname your Tyk Gateway is running on.

host_config.portal_domains

EV: TYK_DB_HOSTCONFIG_PORTALDOMAINS
Type: map[string]string

It is possible to hard-code portal domains (these override settings set by the Dashboard for routing purposes).

Example:

"portal_domains": {
.  "portal.com": "<orgID>"
}

host_config.portal_root_path

EV: TYK_DB_HOSTCONFIG_PORTALROOTPATH
Type: string

The root path for the portal.

host_config.generate_secure_paths

EV: TYK_DB_HOSTCONFIG_GENERATEHTTPS
Type: bool

If you prefer to have your URLs start with https, set this option to true.

host_config.secure_cookies

EV: TYK_DB_HOSTCONFIG_SECURECOOKIES
Type: bool

This enables HTTPS “secure” cookies.

http_server_options

This section is reserved for settings relating to the HTTP server that powers the Dashboard.

http_server_options.use_ssl

EV: TYK_DB_HTTPSERVEROPTIONS_USESSL
Type: bool

Enable to use SSL.

http_server_options.certificates

EV: TYK_DB_HTTPSERVEROPTIONS_CERTIFICATES
Type: CertsData

Add a certificate block for each domain being covered by the application.

For example:

{
  "domain_name": "*.banana.com",
  "cert_file": "new.cert.cert",
  "key_file": "new.cert.key"
}

http_server_options.ssl_certificates

EV: TYK_DB_HTTPSERVEROPTIONS_SSLCERTIFICATES
Type: []string

SSL certificates used by your Gateway server. A list of certificate path to files.

http_server_options.min_version

EV: TYK_DB_HTTPSERVEROPTIONS_MINVERSION
Type: uint16

Minimum TLS version. See TLS and SSL.

http_server_options.ssl_ciphers

EV: TYK_DB_HTTPSERVEROPTIONS_CIPHERSUITES
Type: []string

Array of allowed cipher suites as defined at https://golang.org/pkg/crypto/tls/#pkg-constants

http_server_options.ssl_insecure_skip_verify

EV: TYK_DB_HTTPSERVEROPTIONS_SSLINSECURESKIPVERIFY
Type: bool

Disable TLS verifiation

http_server_options.prefer_server_ciphers

EV: TYK_DB_HTTPSERVEROPTIONS_PREFERSERVERCIPHERSUITES
Type: bool

A boolean value to control whether the server selects the preferred ciphersuite for the client, or the preferred ciphersuite for the server. If set to true, the server preferences in the order of the elements listed in ssl_ciphers is used.

For more information see TLS and SSL

security

This section controls login limits for both the Dashboard and the Developer Portal. The path for you audit log is also set here.

security.allow_admin_reset_password

EV: TYK_DB_SECURITY_ALLOWADMINRESETPASSWORD
Type: bool

This allows an admin user to reset the password of other users. The default is false.

security.login_failure_username_limit

EV: TYK_DB_SECURITY_LOGINFAILUREUSERNAMELIMIT
Type: int

Controls how many time a user can attempt to log in before being denied access. The default is 0.

security.login_failure_ip_limit

EV: TYK_DB_SECURITY_LOGINFAILUREIPLIMIT
Type: int

Controls how many times an IP Address can be used to attempt to log in before being denied access. The default is 0.

security.login_failure_expiration

EV: TYK_DB_SECURITY_LOGINFAILUREEXPIRATION
Type: int

Controls how long before the failure limits are reset in seconds. The default is 900 seconds.

security.hide_login_failure_limit_error

EV: TYK_DB_SECURITY_HIDELOGINFAILURELIMITERROR
Type: bool

By default it will show message like “Retry in N seconds.”. In some secure environments it can be treated as leaking of secure context. This option makes failed login attempt to be shown as standard login failure.

security.login_disallow_forward_proxy

EV: TYK_DB_SECURITY_LOGINDISALLOWFORWARDPROXY
Type: bool

Set to true to allow the Tyk Dashboard login to ignore the host from the X-Forwarded-For header when accessing the Dashboard via a proxy. This can be useful for limiting retry attempts.

security.audit_log_path

EV: TYK_DB_SECURITY_AUDITLOGPATH
Type: string

This sets the path to your audit log and enables audit with default settings. It will log all user actions and response statuses to it. Security information such as passwords are not logged.

security.user_password_max_days

EV: TYK_DB_SECURITY_USERPASSWORDMAXDAYS
Type: int

Set the maximum lifetime of a password for a user. They will be prompted to reset if password lifetime exceeds the configured expiry value. e.g. if value set to 30 any user password set over 30 days in past will be considered invalid and must be reset.

security.enforce_password_history

EV: TYK_DB_SECURITY_ENFORCEPASSWORDHISTORY
Type: int

Set a maximum number of previous passwords used by a user that cannot be reused. For example, If set to 5 the user upon setting their password cannot reuse any of their 5 most recently used password for that Tyk user account.

security.force_first_login_pw_reset

EV: TYK_DB_SECURITY_FORCEFIRSTLOGINPWRESET
Type: bool

A newly created user will be forced to reset their password upon first login. Defaults to false.

security.enable_content_security_policy

EV: TYK_DB_SECURITY_ENABLECONTENTSECURITYPOLICY
Type: bool

Enable browser Content-Security-Policy, e.g. CSP. The default is false.

security.allowed_content_sources

EV: TYK_DB_SECURITY_ALLOWEDCONTENTSOURCES
Type: string

If CSP enabled, specify space separated string, with list of allowed resources.

security.open_policy

OpenPolicy configuration

security.open_policy.enabled

EV: TYK_DB_SECURITY_OPENPOLICY_ENABLED
Type: bool

Enable OpenPolicy

security.open_policy.debug

EV: TYK_DB_SECURITY_OPENPOLICY_DEBUG
Type: bool

Enable OpenPolicy debug mode

security.open_policy.enable_api

EV: TYK_DB_SECURITY_OPENPOLICY_ENABLEAPI
Type: bool

Enable modify OpenPolicy rules via UI and API

security.additional_permissions

EV: TYK_DB_SECURITY_ADDITIONALPERMISSIONS
Type: map[ObjectGroup]string

Through this options, you can provide a list of additional permissions, that can be applied for existing or newly created users or user groups. Example:

{
  "api_developer": "API Developer",
  "custom_permission": "Custom Permission"
}

security.private_certificate_encoding_secret

EV: TYK_DB_SECURITY_PRIVATECERTIFICATEENCODINGSECRET
Type: string

When using SAML with embedded identity broker, is required to upload a certificate that is encoded by the gateway to store it safely, TIB needs the private key as well, hence it needs the same encoding secret so the information is decoded successfully. This value should match with the encoding secret set in the gateway config file, if not set then it will use by default tyk_api_config.secret to attempt to decode the certificate.

ui

This section controls various settings for the look and feel of the Dashboard UI.

ui.languages

EV: TYK_DB_UI_LANGUAGES
Type: map[string]string

This section lists the current languages the Dashboard UI supports

ui.hide_help

EV: TYK_DB_UI_HIDEHELP
Type: bool

Set to true to hide the help tips.

ui.default_lang

EV: TYK_DB_UI_DEFAULTLANG
Type: string

This settings sets the default language for the UI. Default setting is en. Can be set to any of the other languages listed under ui.languages.

ui.dont_allow_license_management

EV: TYK_DB_UI_DONTALLOWLICENSEMANAGEMENT
Type: bool

Do not allow license management screen

ui.dev

EV: TYK_DB_UI_DEV
Type: bool

Temporary : Enable dev mode feature on UI

home_dir

EV: TYK_DB_HOMEDIR
Type: string

The path to the home directory of Tyk Dashboard, this must be set in order for Portal templates and other files to be loadable. By default this is /opt/tyk-dashboard/.

identity_broker

Tyk Dashboard has some preset Tyk Identity Broker configurations set up, for this integration to work, the Dashboard must be able to see an Identity Broker instance. The settings in this section are to enable this integration.

identity_broker.enabled

EV: TYK_DB_TIB_ENABLED
Type: bool

A boolean setting to enable the TIB integration (otherwise it will not appear in the UI).

identity_broker.host

When using external TIB, this is the URL where it’s reachable

identity_broker.host.connection_string

EV: TYK_DB_TIB_HOST_CONNECTIONSTRING
Type: string

The URL to the host. It must be in the form: http://domain:port. Set this value only if you need to use external Tyk Identity Broker

identity_broker.host.secret

EV: TYK_DB_TIB_HOST_SECRET
Type: string

The shared secret between TIB and the Dashboard. This ensures all API requests between Dashboard and TIB are valid.

identity_broker.ssl_insecure_skip_verify

EV: TYK_DB_TIB_SSLINSECURESKIPVERIFY
Type: bool

Skip the TLS verification in the transport layer of the HTTP client. Is intended to have it enable for POC and testing purposes, do not use in production. Defaults to false.

use_sharded_analytics

EV: TYK_DB_USESHARDEDANLAYTICS
Type: bool

If using the mongo-pump-selective pump, where data is written to org-id-specific collections in MongoDB, then enabling this option will switch querying for analytics over to the independent collection entries.

enable_aggregate_lookups

EV: TYK_DB_ENABLEAGGREGATELOOKUPS
Type: bool

If using the new Aggregate Pump, Tyk Analytics can make use of the newer, faster Analytics lookup, to ensure that this can be made backwards compatible. This option must be set to true, in conjunction with the aggregate_lookup_cutoff value.

aggregate_lookup_cutoff

EV: TYK_DB_AGGREGATELOOKUPCUTOFF
Type: string

Set this to a date value of the form DD/MM/YYYY. Any analytics queries before this date will fall back to the raw base log data collection (slower). This is to ensure continuity of service and a smooth upgrade process with no loss of data.

maintenance_mode

EV: TYK_DB_MAINTENANCEMODE
Type: bool

Set to true to enable special maintenance screen for portal and dashboard

allow_explicit_policy_id

EV: TYK_DB_ALLOWEXPLICITPOLICYID
Type: bool

Set this value to true if you planning to use Tyk Sync or Tyk Operator

disable_parallel_sessions

EV: TYK_DB_DISABLEPARALLELSESSIONS
Type: bool

If set to true, it restricts an account to a single session. When an account logs in, any other open sessions for that account are logged out.

dashboard_session_lifetime

EV: TYK_DB_DASHBOARDSESSIONLIFETIME
Type: int64

Dashboard session lifetime

portal_session_lifetime

EV: TYK_DB_PORTALSESSIONLIFETIME
Type: int

Portal session lifetime

alternative_dashboard_url

EV: TYK_DB_ALTERNATIVEDASHBOARDURL
Type: string

Redirect all dashboard users to another URL

sso_permission_defaults

EV: TYK_DB_SSOPERMISSIONDEFAULTS
Type: map[ObjectGroup]string

Specify permissions of the user who logged in using Admin SSO API (for example Tyk Identity Broker). See Dashboard Admin SSO API for more details.

sso_default_group_id

EV: TYK_DB_SSODEFAULTUSERGROUP
Type: string

Default User Group which will be assigned to SSO users.

sso_custom_login_url

EV: TYK_DB_SSOCUSTOMLOGINURL
Type: string

Specify a custom dashboard login URL if you are using 3rd party authentication like TIB.

sso_custom_portal_login_url

EV: TYK_DB_SSOCUSTOMPORTALLOGINURL
Type: string

Specify custom portal login URL if you are using 3rd party authentication like TIB.

sso_enable_user_lookup

EV: TYK_DB_SSOENABLEUSERLOOKUP
Type: bool

When enabled, if dashboard already have user with given email found, it will be used for the login process

sso_custom_login_error_url

EV: TYK_DB_SSOCUSTOMLOGINERRORURL
Type: string

SSOCustomLoginErrorURL is an URL to redirect the user in case that SSO fails. If empty the user will be redirected to the error page of dashboard

audit

Enable dashboard audit. Example:

"audit": {
  "enabled": true,
  "format": "json",
  "path": "/tmp/audit.log",
  "detailed_recording": false
 },

Audit records the following fields for json format:

  • req_id - unique request ID
  • org_id - organisation ID
  • date - date in RFC1123 format
  • timestamp - unix timestamp
  • ip - IP address the request originated from
  • user - Dashboard user who performed the request
  • action - description of the action performed (i.e. Update User`)
  • method - HTTP-method of the request
  • url - URL of the request
  • status - HTTP response status of the request
  • diff - provides a diff of changed fields (available only for PUT requests)
  • request_dump - HTTP request copy (available if detailed_recording is set to true)
  • response_dump - HTTP response copy (available if detailed_recording is set to true)

audit.enabled

EV: TYK_DB_AUDIT_ENABLED
Type: bool

Enables audit logging, set to false by default.

audit.format

EV: TYK_DB_AUDIT_FORMAT
Type: string

Format of audit log file. Possible values are json and text (text is default value)

audit.path

EV: TYK_DB_AUDIT_PATH
Type: string

Path to the audit log

audit.detailed_recording

EV: TYK_DB_AUDIT_DETAILEDRECORDING
Type: bool

Enables detailed records in the audit log. Set to false by default. If set to true then audit log records will contain the http-request (without body) and full http-response including the body`

enable_multi_org_users

EV: TYK_DB_ENABLEMULTIORGUSERS
Type: bool

Enable support for users with the same email for multiple organisations

health_check_endpoint_name

EV: TYK_DB_HEALTHCHECKENDPOINTNAME
Type: string

Health check endpoint name. Default: /health

edge_endpoints

EV: TYK_DB_EDGEENDPOINTS
Type: EdgeEndpoints

List of Edge Gateways, that will be displayed in the Dashboard UI, so that you can select to which specific Gateway(s) you want to load an API into. Example:

 "edge_endpoints": [
 {
   "name": "Private Gateway",
   "endpoint": "https://payable-matter-gw.aws-euw2.cloud-ara.tyk.io",
   "tags": ["edge", "private-gw"]
 },
 {
   "name": "Public Gateway",
   "endpoint": "video-taped-gokart-gw.aws-usw2.cloud-ara.tyk.io",
   "tags": ["edge", "public-gw"]
 }
 ]

For every Edge Gateway there needs to be defined, its name, the ingress URL and a list of tags that APIs will use for triggering Gateways to load its configuration. Note: For the Hybrid setup, users must fill in the Gateway URLs manually in the Tyk OAS API Definition servers section.

portal_session_secret

EV: TYK_DB_PORTALSESSIONSECRET
Type: string

Portal session secret

dcr_ssl_insecure_skip_verify

EV: TYK_DB_DCRSSLINSECURESKIPVERIFY
Type: bool

Ignore TLS verification for DCR calls

private_key_path

EV: TYK_DB_PRIVATEKEYPATH
Type: string

Private key path used to sign notifications coming to the gateways

oauth_redirect_uri_separator

EV: TYK_DB_OAUTHREDIRECTURISEPARATOR
Type: string

oAuth redirect URI separator

statsd_connection_string

EV: TYK_DB_STATSDCONNECTIONSTRING
Type: string

Enable StatsD monitoring when set to non empty. StatsD connection string.

statsd_prefix

EV: TYK_DB_STATSDPREFIX
Type: string

StatsD prefix

allow_unsafe_oas

EV: TYK_DB_ALLOWUNSAFEOAS
Type: bool

Allow the modification of Tyk OAS APIs via the Tyk Classic API endpoints. Note that this is not recommended but is provided for early adopters and will be deprecated later