Tyk OAS API Definition

Last updated: Jan 27, 2025

Introduction to Tyk OAS

Tyk has always had a proprietary specification for defining APIs. From Tyk v4.1 Tyk has supported API definitions that embed the OpenAPI Specification v3.0.x (OAS) format, which can offer significant time and complexity savings if you are already using it to design and document your APIs.

If you can’t wait to get started, head on over to our guide to using OAS API Definitions for some tutorials.

What does a Tyk OAS API Definition look like?

As part of a Tyk OAS Definition, there are a number of vendor specific fields that need to be configured. These fall into these categories:

Info - information about your New API; its name and whether it should be active for example
Upstream - where should Tyk forward requests to?
Server - what URL should users be using to call the API served by the Tyk Gateway.

You can also optionally define:

Middleware - add additional logic to your API flow, for example allow/block lists or request/response validation.
Servers - find out how Tyk integrates neatly between your clients and upstream services, automatically configuring where it will proxy requests
Authentication - with Tyk’s OpenAPI implementation you have the option of delegating authentication to the upstream service, or handling it on the Tyk Gateway
Mock Responses - Tyk can automatically configure mock response middleware using the configuration included in your OAS document; this allows you to test your APIs without connecting to the upstream services
Request Validation - Tyk can protect your APIs by automatically validating the request parameters and payload against a schema that defines what it should look like
Paths - this is a section within the OAS definition that instructs Tyk which API paths (also referred to as endpoints) should be configured; Tyk uses this information to determine which middleware should be enabled for each
Versioning - API versioning, a crucial API gateway capability, allows you to update and improve your APIs without breaking existing clients or services

Servers

These are the URLs you would use to access an API. Once an API is added to Tyk, you will be using a URL that points at the Tyk Gateway itself, plus optionally, an additional listen path on the end of the URL. As part of an import, where possible, Tyk will aim to take the current server in the OAS API Specification provided and make that the Upstream in the Tyk OAS API Specification that is created. That way, Tyk will forward requests to the same place a user would have sent requests to before a gateway was in place. At the same time, the Tyk Gateway will be made the Server. This has the effect of automatically inserting Tyk into your API flow.

Import OAS Definition

When you import an OAS API definition, Tyk analyzes the servers section of the definition so that it can automatically configure the upstream URL and the listen path for the Tyk API, as follows:

The servers section is analyzed only if there is no upstreamUrl query parameter used together with the import API. If an upstreamUrl was specified, that will be used as the upstream for the API and the servers section will be ignored.

The servers section may contain multiple upstream URLs. Currently, Tyk only analyzes the first entry in the list, and uses it as the upstream URL if it is valid. For example:

For the following imported OAS server section

{
  "servers": [
    {
      "url": "https://upstream-A.com"
    },
    {
      "url": "http://upstream-B.com"
    }
  ]
}

Tyk will read https://upstream-A.com and set it as the upstream URL for the newly created API.

{
  ...
  "x-tyk-api-gateway": {
    ...
    "upstream": {
      "url": "https://upstream-A.com"
    }
  }
}

Tyk will insert the API URL as the first entry in the servers section since all traffic will now travel through the Tyk Gateway.

{
  "servers": [
    {
      "url": {API-URL}
    },
    {
      "url": "https://upstream-A.com"
    },
    {
      "url": "http://upstream-B.com"
    }
  ]
}

If the first entry in the servers configuration contains a relative URL, or a format that Tyk can’t properly work with, the import will fail with an error. For example: When importing the following servers configuration:

{
  "servers": [
    {
      "url": "/relative-url"
    },
    {
      "url": "http://upstream-B.com"
    }
  ]
}

Tyk will import API will error with the following message, asking for a valid URL format or upstreamUrl query parameter to be provided:

{
    "status": "error",
    "message": "error validating servers entry in OAS: Please update \"/relative-url\" to be a valid url or pass a valid url with upstreamURL query param"
}

Tyk supports OpenAPI server variables, so if the first servers entry contains a parameterised URL, Tyk will fill in the parameters with the values provided in the variables associated with that entry. For example:

{
  "servers": [
    {
      "url": "https://upstream-A.com/{param1}"
      "variables": {
        "param1": {
          "default": "default-value"
        }
      }
    },
    {
      "url": "http://upstream-B.com"
    }
  ]
}

will result in Tyk importing the API with the following upstream URL:

{
  ...
  "x-tyk-api-gateway": {
    ...
    "upstream": {
      "url": "https://upstream-A.com/default-value"
    }
  }
}

Create API

When creating an API, either using the Tyk Gateway or Dashboard API, Tyk analyzes the first entry URL value from the Tyk OAS API Definition servers configuration:

it won’t provide any change, if it already matches the API URL, OR
it will insert a new first servers object containing the correct API URL value

This means that when you export this OAS API Definition to provide documentation for your developer portal, it will automatically tell your users the correct way to call the API now that Tyk is handling it.

Update API

Whenever a Tyk API gets updated using either the Tyk Gateway or Dashboard API, Tyk analyzes the first entry URL value from the Tyk OAS API Definition servers configuration:

it won’t provide any change, if it already matches the API URL, OR
it will insert a new first servers object containing the correct API URL value, if the servers section doesn’t exist at all in the Tyk OAS API Definition.
it updates the url value of the first entry in the servers section, if this is an outdated value of the API URL.

This means that when you export an OAS API Definition to provide documentation for your developer portal, it will automatically tell users the correct way to call the API now that Tyk is handling it.

Authentication with Tyk OAS

OAS has the concept of securitySchemes which describes one way in which an API may be accessed, e.g. with a token. You can have multiple securitySchemes defined for an API. You decide which is actually active by declaring that in the security section. When hosting an API with Tyk, the only remaining question is which part of the flow does this security validation? If you do nothing more, then Tyk will pass the authentication to the upstream. However, if you do want Tyk to handle the authentication, then it is as simple as setting an authentication field in the x-tyk-api-gateway section of the Tyk OAS API Definition.

The OAS SecurityScheme Object accepts by default just 4 types:

apiKey
http
oauth2
openIdConnect

Note

The security section in the OAS API Definition can define a list of authentication mechanisms that the backend should use to authorize requests. For now, your Tyk Gateway will only take into consideration the first security item defined in the list.

Let’s go through the authentication mechanisms that Tyk supports and see how these can work together with OAS API Definition security schemes.

Authentication Token

When the apiKey securityScheme is configured in an OAS API Definition, this means that the authentication mechanism that can be configured in x-tyk-api-gateway, is an Authentication Token.

Since the location and token key name are documented in the OAS API Definition securityScheme, you only need to turn this authentication on at the Tyk level to tell Tyk to handle the authentication by setting enabled to true.

Example:

{
...
  securitySchemes: {
    petstore_auth: {
      "type": "apiKey",
      "name": "api_key",
      "in": "header"
    }
  ...
  },
  security: [
    {
      "petstore_auth": []
    }
  ],
  "x-tyk-api-gateway": {
  ...
  "server": {
      "authentication": {
        "securitySchemes": {
          "petstore_auth": {
            "enabled": true
          }
        }
      }
    }
  }
}

Note

OAS does not allow for an API to have both cookie and query parameter based token authentication at the same time. Since Tyk does allow this, we have allowed for this combination through the vendor specific fields. You can see how to do this next.

Advanced Configuration

Multiple locations for the authentication token

With Tyk’s configuration, API developers can tell the Tyk Gateway that the authentication token can be found in multiple locations. Since this is not possible with OAS, Tyk provides this capability within its vendor specific fields.

Example:

{
...
  securitySchemes: {
    petstore_auth: {
      "type": "apiKey",
      "name": "api_key",
      "in": "header"
    }
  ...
  },
  security: [
    {
      "petstore_auth": []
    }
  ],
  "x-tyk-api-gateway": {
  ...
  "server": {
      "authentication": {
        "securitySchemes": {
          "petstore_auth": {
            "enabled": true,
            "query": {
              "enabled": true,
              "name": "query-key"
            }
          }
        }
      }
    }
  }
}

In the above example, we can observe that, in securitySchemes the header location for the token is configured. In order to add another possible location for the token we can extend the Tyk configuration section.

Dynamic Client mTLS

Tyk can be configured to guess a user authentication key based on the provided client certificate. In other words, a user does not need to provide any key, except the certificate, and Tyk will be able to identify the user, apply policies, and do the monitoring - the same as with regular Tyk keys.

The basic idea here is that you can create a key based on a provided certificate. You can then use this key or the cert for one or more users. For that user, you can enable the enableClientCertificate option.

{
  ...
  "x-tyk-api-gateway": {
  ...
  "server": {
      "authentication": {
        "securitySchemes": {
          "petstore_auth": {
            "enabled": true,
            "enableClientCertificate": true
          }
        }
      }
    }
  }
}

Basic Authentication

Having the http type as the securityScheme defined in OAS API Definition, with the schema field set to basic, means that the Tyk Gateway uses basic authentication as the protection mechanism. It expects an access key in the same way as any other access method. For more information see the Basic Authentication documentation.

Example:

{
...
securitySchemes: {
  petstore_auth: {
    "type": "http",
    "scheme": "basic"
  },
  security: [
    {
      "petstore_auth": []
    }
  ],
  "x-tyk-api-gateway": {
  ...
  "server": {
    "authentication": {
      "securitySchemes": {
        "petstore_auth": {
          "enabled": true,
          "header": {
            "name": "Authorization"
          }
        }
      }
    }
  }
}

Json Web Token (JWT)

In order to configure a JWT authentication mechanism, the OAS API Definition securitySchemes section needs to define an http security type, but this time with a bearer scheme and with the JWT bearerFormat. On the Tyk configuration side, you just need to enable the authentication for the Tyk Gateway and specify the location where the token should be read from.

Example:

{
...
securitySchemes: {
  petstore_auth: {
    "type": "http",
    "scheme": "bearer",
    "bearerFormat": "JWT"
  },
  security: [
    {
      "petstore_auth": []
    }
  ],
  "x-tyk-api-gateway": {
  ...
  "server": {
    "authentication": {
      "securitySchemes": {
        "petstore_auth": {
          "enabled": true,
          "header": {
            "name": "Authorization"
          }
        }
      }
    }
  }
}

All you need to do in the Tyk configuration is to enable the authentication and specify the header details.

For more configuration options check the JWT documentation.

OAuth

The oauth2 securityScheme type tells your Tyk Gateway to expect an API with the OAuth authentication method configured. The OAuth authorization mechanism needs to be enabled on the Tyk configuration side with a few details.

Example:

{
  ...
  securitySchemes: {
    petstore_auth: {
      "type": "oauth2",
      "flows": {
        "authorizationCode": {
          "authorizationUrl": "https://example.com/api/oauth/dialog",
          "tokenUrl": "https://example.com/api/oauth/token",
          "scopes": {
            "write:pets": "modify pets in your account",
            "read:pets": "read your pets"
          }
        }
      }
    }
  },
  security: [
    {
      "petstore_auth": []
    }
  ],
  "x-tyk-api-gateway": {
    ...
    "server": {
        "authentication": {
          "securitySchemes": {
            "petstore_auth": {
              "enabled": true,
              "header": {
                "name": "Authorization"
              },
              "allowedAccessTypes": [
                "authorization_code"
              ],
              "allowedAuthorizeTypes": [
                "code"
              ],
              "authLoginRedirect": "https://example.com/api/oauth/dialog"
            },
          }
        }
      }
    }
  }
}

All you need to do in the Tyk configuration is to enable OAuth and specify the header details. See OAuth documentation for more details.

Multiple Authentication mechanisms

The security section in the OAS API Definition can define a list of security objects, and each security object can list a set of security schemes that the backend uses for authentication.

Tyk only takes into consideration the first security object in the security list. If this object contains multiple security schemes, the Tyk Gateway understands to protect requests with all of these authentication mechanisms.

Example:

{
  ...
  securitySchemes: {
    "auth-A": {...},
    "auth-B": {...},
    "auth-C": {...},
    "auth-D": {...},
  },
  security: [
    {
      "auth-A": [],
      "auth-C": []
    },
    {
      "auth-B": []
    },
    {
      "auth-D": []
    }
  ]
}

For the above OAS configuration, Tyk looks at only the first security object:

{      
  "auth-A": [],       
  "auth-C": []   
 },

These authentication mechanisms are then enabled for Tyk as follows:

{
 ...
 "x-tyk-api-gateway": {
   ...
   "server": {
     "authentication": {
       "enabled": true,
       "baseIdentityProvider": "auth_token",
       "securitySchemes": {
         "auth-A": {
           "enabled": true,
           ...
         },
         "auth-C": {
           "enabled": true,
           ...
         }
       }
     }
   }
 }
}

Please observe the presence of the baseIdentityProvider field, as this is required when enabling multiple authentication mechanisms at the same time. See Multiple Auth documentation for more details.

Other Authentication mechanisms

For now, the only authentication mechanisms enabled with OAS API Definition configuration are:

Authentication Token
Basic Authentication
JSON Web Token (JWT)
Tyk as OAuth authorization server

To find out about the other client authentication methods supported by Tyk, see Client Authentication.

Automatically protecting OAS API Definition APIs

All the Authentication mechanisms documented above can be automatically configured by Tyk at the time of import if the request is followed by the authentication=true query parameter. (Import task link)

Paths

The OAS API Definition represents the source of truth for the Tyk APIs, therefore, the configuration of the paths section within that will tell Tyk which endpoints are available to configure.

Tyk can use information specified within the paths configuration object to perform validation or mocking for incoming requests. For validation, Tyk looks at the requestBody JSON schemas. For mocking it looks at the response examples that have been included. Where Tyk offers middleware capabilities that are not part of the OAS specification, Tyk makes use of the OAS operationID to extend the OAS API with additional capabilities.

Operation Id

OAS gives the ability to define an operationID in an OAS API Definition. This allows for different parts of the definition to refer to each other. For instance in a Tyk OAS API Definition, if you turn on validation for a particular endpoint, the x-tyk-api-gateway middleware section will use the operationID to link the enabled validation middleware to the particular endpoint. This is needed because the endpoint is defined within the main OAS API Definition, whereas the details of how Tyk handles the validation is not, since a developer does not need to see that.

Configuring API Middleware

Whenever a middleware needs to be enabled for a specific API path, you need to make sure that the operationId of that path, is equal with the one under the middleware.operations section within x-tyk-api-gateway.

{
  ...
  "paths": {
    ...
    "/pet": {
      "post": {
        ...
        operationId: "someOperationId"
      }
    }
  },
  "x-tyk-api-gateway": {
    ...
    "middleware": {
      ...
      "operations": {
        ...
        "someOperationId": {
          "allowList": {
            "enabled": true
          }
        }
      }
    }
  }
}

Configuring middleware when importing an OAS API Definition

When importing an OAS API Definition, if the request is accompanied by either validateRequest or allowList query params, Tyk traverses the entire paths section, and if there is an existing operationId setting already configured for a path, Tyk will copy that value and uses it as a key for the path middleware configuration, under x-tyk-api-gateway.middleware.operations.

For example: We want to explicitly allow access for paths when importing the following OAS API Definition:

{
  ...
  "paths": {
    "/pet": {
      "post": {
        ...
        operationId: "addPet"
      }
    }
  }
}

The resulting Tyk OAS API Definition will use the addPet operationId to match the middleware configuration to the /pet post path and method.

Tyk OAS API Definition

{
  ...
  "paths": {
    "/pet": {
      "post": {
        ...
        operationId: "addPet"
      }
    }
  },
  "x-tyk-api-gateway": {
    "middleware": {
      "operations": {
        "addPet": {
          "allowList": {
            "enabled": true
          }
        }
      }
    }
  }
}

If there is no existing operationId setting for a path, then Tyk will concatenate the path value with the method value, to generate an operationId unique value. Tyk uses that in the x-tyk-api-gateway.middleware.operations to link the middleware configuration back to the paths section

For example: When you want to explicitly allow access for the paths when importing the following OAS API Definition:

{
  ...
  "paths": {
    "/pet": {
      "post": {
        ...
      }
    }
  }
}

The resulting Tyk OAS API Definition will generate the petpost operationId, and use this value in both paths operationId as well as in middleware.operations.

Tyk OAS API Definition:

{
  ...
  "paths": {
    "/pet": {
      "post": {
        ...
        operationId: "petpost"
      }
    }
  },
  "x-tyk-api-gateway": {
    "middleware": {
      "operations": {
        "petpost": {
          "allowList": {
            "enabled": true
          }
        }
      }
    }
  }
}

Note

The same logic for configuring middleware applies as well when updating a Tyk OAS API Definition by providing an updated OAS API Definition.

Tyk OAS API Feature Status

Tyk Gateway is extremely flexible with a great many features that you can use to configure and optimize the handling of requests to your APIs. During the Early Access phase, we gradually rolled out support for the configuration that is available through Tyk Classic API definitions into the new Tyk OAS API Definition format.

From Tyk Gateway and Dashboard v5.3.0 we have reached feature maturity, however there are still a few features to be added before we reach and surpass feature parity with Tyk Classic API.

In the tables below, Implemented means that the feature is available for use with Tyk OAS APIs while using the Tyk Gateway API or Tyk Dashboard API; the API Designer column shows the features that can be configured using the Tyk Dashboard UI.

If there’s a feature you’re looking to use that isn’t yet implemented, let us know via our community forum or your Tyk representative and help us to help you get started with Tyk OAS.

Management of APIs

Feature	Implemented	API Designer
API name	✅	✅
Status (draft/active)	✅	✅
API categories	✅	✅
API ID/API URL(s)	✅	✅
API ownership	✅	✅
API versioning	✅	✅
API segment tags	✅	✅

Traffic Routing

Feature	Implemented	Api Designer
Listen path	✅	✅
Target URL	✅	✅
Upstream load balancing	❌️	❌️
Uptime tests	❌️	❌️

Client to Gateway Authentication and Authorization

Feature	Implemented	API Designer
Keyless	✅	✅
Auth Token	✅	✅
JWT	✅	✅
OpenID Connect	✅	✅
OAuth 2	✅	✅
mTLS	✅	✅
HMAC	✅	✅
Basic authentication	✅	✅
Custom authentication plugin	✅	✅
Multiple authentication	✅	✅
IP access control	❌️	❌️
Client-GW request signing	❌️	❌️
Access token expiration	❌️	❌️

Gateway to Upstream Authentication

Feature	Implemented	API Designer
Upstream certificates (mTLS)	✅	✅
Public Key certificate pinning	✅	✅
GW-Upstream request signing	❌️	❌️

API-level (Global) Features

Feature	Implemented	API Designer
Custom config data	✅	✅
Context variables	✅	✅
CORS	✅	✅
Service discovery	✅	✅
Internal API (not exposed by Gateway)	✅	✅
Header Transform (API-level)	✅	✅
API-level Rate Limit	✅	✅
Plugin Bundles	✅	✅
Custom request plugins (pre/preAuth/post)	✅	✅
Custom response plugin	✅	✅
Batch requests	❌️	❌️
Request size limit (API-level)	❌️	❌️
Event handling: webhooks	✅	✅
Event handling: custom handlers	❌️	❌️
Preserve host header	❌️	❌️

Traffic Logs

Feature	Implemented	API Designer
Detailed recording (in Log Browser)	✅	✅
Traffic log custom tags	❌️	❌️
Set traffic log expiry	❌️	❌️
Do not track (API-level)	✅	✅
Custom Analytics Plugin	❌️	❌️

Endpoint-level Features

Feature	Implemented	API Designer
Allow	✅	✅
Block	✅	✅
Cache	✅	✅
Circuit breaker	✅	✅
Track endpoint	✅	✅
Do not track	✅	✅
Enforced timeout	✅	✅
Ignore authentication	✅	✅
Internal endpoint (not exposed by Gateway)	✅	✅
URL rewrite	✅	✅
Validate request	✅	✅
Request size limit	✅	✅
Request method transform	✅	✅
Request header transform	✅	✅
Request body transform	✅	✅
Response header transform	✅	✅
Response body transform	✅	✅
Mock response	✅	✅
Virtual endpoint	✅	✅

OAS Glossary

OpenAPI Specification (OAS)

The OpenAPI Specification is an open standard specification managed by the OpenAPI Initiative that describes a language-agnostic interface to HTTP APIs which allows both humans and computers to discover and understand the capabilities of the service without access to source code, documentation, or through network traffic inspection.

OpenAPI Description

An OpenAPI Description is an instance of the OpenAPI Specification that describes a service. This is vendor (i.e. API Gateway) agnostic and so, on its own, is not sufficient to configure an API Gateway such as Tyk. Typically you would ‘import’ this into Tyk to convert it into a Tyk OAS API definition by addition of the Tyk vendor fields. You could also add the appropriate fields manually in your editor of choice.

OpenAPI Document

A file (usually in JSON or YAML format) containing an OpenAPI Description. There is an option to export a Tyk OAS API Definition from Tyk as an OpenAPI Document. This provides all the information a developer needs to use the API, without the Tyk configuration fields they don’t need to know about.

Tyk OAS API definition

An API definition that combines an OpenAPI Description with the Tyk vendor fields (x-tyk-api-gateway) that provide the instructions on how Tyk should be configured to resolve calls made to the API that is described in the OAS part. The structure of the Tyk OAS API definition is documented here.

Tyk Classic API definition

An API definition written in Tyk’s proprietary API Specification format. This fully describes how Tyk should be configured to resolve calls made to the API. An example of the structure of the Tyk Classic API definition is provided here.

Tyk OAS API Definition Object

XTykAPIGateway contains custom Tyk API extensions for the OpenAPI definition. The values for the extensions are stored inside the OpenAPI document, under the key x-tyk-api-gateway.

Field: info (Info) Info contains the main metadata for the API definition.

Field: upstream (Upstream) Upstream contains the configurations related to the upstream.

Field: server (Server) Server contains the configurations related to the server.

Field: middleware (Middleware) Middleware contains the configurations related to the Tyk middleware.

Info

Info contains the main metadata for the API definition.

Field: id (string) ID is the unique identifier of the API within Tyk.

Tyk classic API definition: api_id.

Field: dbId (string) DBID is the unique identifier of the API within the Tyk database.

Tyk classic API definition: id.

Field: orgId (string) OrgID is the ID of the organisation which the API belongs to.

Tyk classic API definition: org_id.

Field: name (string) Name is the name of the API.

Tyk classic API definition: name.

Field: expiration (string) Expiration date.

Field: state (State) State holds configuration for API definition states (active, internal).

Field: versioning (Versioning) Versioning holds configuration for API versioning.

Upstream

Upstream holds configuration for the upstream server to which Tyk should proxy requests.

Field: url (string) URL defines the upstream address (or target URL) to which requests should be proxied.

Tyk classic API definition: proxy.target_url.

Field: serviceDiscovery (ServiceDiscovery) ServiceDiscovery contains the configuration related to Service Discovery.

Tyk classic API definition: proxy.service_discovery.

Field: test (Test) Test contains the configuration related to uptime tests.

Field: mutualTLS (MutualTLS) MutualTLS contains the configuration for establishing a mutual TLS connection between Tyk and the upstream server.

Field: certificatePinning (CertificatePinning) CertificatePinning contains the configuration related to certificate pinning.

Field: rateLimit (RateLimit) RateLimit contains the configuration related to API level rate limit.

Field: authentication (UpstreamAuth) Authentication contains the configuration related to upstream authentication.

Server

Server contains the configuration that sets Tyk up to receive requests from the client applications.

Field: listenPath (ListenPath) ListenPath is the base path on Tyk to which requests for this API should be sent. Tyk listens for any requests coming into the host at this path, on the port that Tyk is configured to run on and processes these accordingly.

Field: authentication (Authentication) Authentication contains the configurations that manage how clients can authenticate with Tyk to access the API.

Field: clientCertificates (ClientCertificates) ClientCertificates contains the configurations related to establishing static mutual TLS between the client and Tyk.

Field: gatewayTags (GatewayTags) GatewayTags contain segment tags to indicate which Gateways your upstream service is connected to (and hence where to deploy the API).

Field: customDomain (Domain) CustomDomain is the domain to bind this API to. This enforces domain matching for client requests.

Tyk classic API definition: domain.

Field: detailedActivityLogs (DetailedActivityLogs) DetailedActivityLogs configures detailed analytics recording.

Field: detailedTracing (DetailedTracing) DetailedTracing enables OpenTelemetry’s detailed tracing for this API.

Tyk classic API definition: detailed_tracing.

Field: eventHandlers (EventHandlers) EventHandlers contains the configuration related to Tyk Events.

Tyk classic API definition: event_handlers.

Middleware

Middleware holds configuration for Tyk’s native middleware.

Field: global (Global) Global contains configuration for middleware that affects the whole API (all endpoints).

Field: operations (Operations) Operations contains configuration for middleware that can be applied to individual endpoints within the API (per-endpoint).

State

State holds configuration for the status of the API within Tyk - if it is currently active and if it is exposed externally.

Field: active (boolean) Active enables the API so that Tyk will listen for and process requests made to the listenPath.

Tyk classic API definition: active.

Field: internal (boolean) Internal makes the API accessible only internally.

Tyk classic API definition: internal.

Versioning

Versioning holds configuration for API versioning.

Tyk classic API definition: version_data.

Field: enabled (boolean) Enabled is a boolean flag, if set to true it will enable versioning of the API.

Field: name (string) Name contains the name of the version as entered by the user (“v1” or similar).

Field: default (string) Default contains the default version name if a request is issued without a version.

Field: location (string) Location contains versioning location information. It can be one of the following:

header,
url-param,
url.

Field: key (string) Key contains the name of the key to check for versioning information.

Field: versions ([]VersionToID) Versions contains a list of versions that map to individual API IDs.

Field: stripVersioningData (boolean) StripVersioningData is a boolean flag, if set to true, the API responses will be stripped of versioning data.

Field: urlVersioningPattern (string) UrlVersioningPattern is a string that contains the pattern that if matched will remove the version from the URL.

Field: fallbackToDefault (boolean) FallbackToDefault controls the behaviour of Tyk when a versioned API is called with a nonexistent version name. If set to true then the default API version will be invoked; if set to false Tyk will return an HTTP 404 This API version does not seem to exist error in this scenario.

ServiceDiscovery

ServiceDiscovery holds configuration required for service discovery.

Field: enabled (boolean) Enabled activates Service Discovery.

Tyk classic API definition: service_discovery.use_discovery_service.

Field: queryEndpoint (string) QueryEndpoint is the endpoint to call, this would usually be Consul, etcd or Eureka K/V store.

Tyk classic API definition: service_discovery.query_endpoint.

Field: dataPath (string) DataPath is the namespace of the data path - where exactly in your service response the namespace can be found. For example, if your service responds with:

{
 "action": "get",
 "node": {
   "key": "/services/single",
   "value": "http://httpbin.org:6000",
   "modifiedIndex": 6,
   "createdIndex": 6
 }
}

then your namespace would be node.value.

Tyk classic API definition: service_discovery.data_path.

Field: useNestedQuery (boolean) UseNestedQuery enables the use of a combination of dataPath and parentDataPath. It is necessary when the data lives within this string-encoded JSON object.

{
 "action": "get",
 "node": {
   "key": "/services/single",
   "value": "{"hostname": "http://httpbin.org", "port": "80"}",
   "modifiedIndex": 6,
   "createdIndex": 6
 }
}

Tyk classic API definition: service_discovery.use_nested_query.

Field: parentDataPath (string) ParentDataPath is the namespace of the where to find the nested value if useNestedQuery is true. In the above example, it would be node.value. You would change the dataPath setting to be hostname, since this is where the host name data resides in the JSON string. Tyk automatically assumes that dataPath in this case is in a string-encoded JSON object and will try to deserialize it.

Tyk classic API definition: service_discovery.parent_data_path.

Field: portDataPath (string) PortDataPath is the port of the data path. In the above nested example, we can see that there is a separate port value for the service in the nested JSON. In this case, you can set the portDataPath value and Tyk will treat dataPath as the hostname and zip them together (this assumes that the hostname element does not end in a slash or resource identifier such as /widgets/). In the above example, the portDataPath would be port.

Tyk classic API definition: service_discovery.port_data_path.

Field: useTargetList (boolean) UseTargetList should be set to true if you are using load balancing. Tyk will treat the data path as a list and inject it into the target list of your API definition.

Tyk classic API definition: service_discovery.use_target_list.

Field: cacheTimeout (int64) CacheTimeout is the timeout of a cache value when a new data is loaded from a discovery service. Setting it too low will cause Tyk to call the SD service too often, setting it too high could mean that failures are not recovered from quickly enough.

Deprecated: The field is deprecated. Use service_discovery to configure service discovery cache options.

Tyk classic API definition: service_discovery.cache_timeout.

Field: cache (ServiceDiscoveryCache) Cache holds cache related flags.

Tyk classic API definition:.

service_discovery.cache_disabled
service_discovery.cache_timeout

Field: targetPath (string) TargetPath is used to set a target path that will be appended to the discovered endpoint, since many service discovery services only provide host and port data. It is important to be able to target a specific resource on that host. Setting this value will enable that.

Tyk classic API definition: service_discovery.target_path.

Field: endpointReturnsList (boolean) EndpointReturnsList is set true when the response type is a list instead of an object.

Tyk classic API definition: service_discovery.endpoint_returns_list.

Test

Test holds the test configuration for service discovery.

Field: serviceDiscovery (ServiceDiscovery) ServiceDiscovery contains the configuration related to test Service Discovery.

Tyk classic API definition: proxy.service_discovery.

MutualTLS

MutualTLS contains the configuration for establishing a mutual TLS connection between Tyk and the upstream server.

Field: enabled (boolean) Enabled activates upstream mutual TLS for the API.

Tyk classic API definition: upstream_certificates_disabled.

Field: domainToCertificateMapping ([]DomainToCertificate) DomainToCertificates maintains the mapping of domain to certificate.

Tyk classic API definition: upstream_certificates.

CertificatePinning

CertificatePinning holds the configuration about mapping of domains to pinned public keys.

Field: enabled (boolean) Enabled is a boolean flag, if set to true, it enables certificate pinning for the API.

Tyk classic API definition: certificate_pinning_disabled.

Field: domainToPublicKeysMapping (PinnedPublicKeys) DomainToPublicKeysMapping maintains the mapping of domain to pinned public keys.

Tyk classic API definition: pinned_public_keys.

RateLimit

RateLimit holds the configurations related to rate limit. The API-level rate limit applies a base-line limit on the frequency of requests to the upstream service for all endpoints. The frequency of requests is configured in two parts: the time interval and the number of requests that can be made during each interval. Tyk classic API definition: global_rate_limit.

Field: enabled (boolean) Enabled activates API level rate limiting for this API.

Tyk classic API definition: !disable_rate_limit.

Field: rate (int) Rate specifies the number of requests that can be passed to the upstream in each time interval (per). This field sets the limit on the frequency of requests to ensure controlled resource access or to prevent abuse. The rate is defined as an integer value.

A higher value indicates a higher number of allowed requests in the given time frame. For instance, if Per is set to 1m (one minute), a Rate of 100 means up to 100 requests can be made per minute.

Tyk classic API definition: global_rate_limit.rate.

Field: per (ReadableDuration) Per defines the time interval for rate limiting using shorthand notation. The value of Per is a string that specifies the interval in a compact form, where hours, minutes and seconds are denoted by ‘h’, ’m’ and ’s’ respectively. Multiple units can be combined to represent the duration.

Examples of valid shorthand notations:

“1h” : one hour
“20m” : twenty minutes
“30s” : thirty seconds
“1m29s”: one minute and twenty-nine seconds
“1h30m” : one hour and thirty minutes

An empty value is interpreted as “0s”, implying no rate limiting interval, which disables the API-level rate limit. It’s important to format the string correctly, as invalid formats will be considered as 0s/empty.

Tyk classic API definition: global_rate_limit.per.

UpstreamAuth

UpstreamAuth holds the configurations related to upstream API authentication.

Field: enabled (boolean) Enabled enables upstream API authentication.

Field: basicAuth (UpstreamBasicAuth) BasicAuth holds the basic authentication configuration for upstream API authentication.

Field: oauth (UpstreamOAuth) OAuth contains the configuration for OAuth2 Client Credentials flow.

ListenPath

ListenPath is the base path on Tyk to which requests for this API should be sent. Tyk listens out for any requests coming into the host at this path, on the port that Tyk is configured to run on and processes these accordingly.

Field: value (string) Value is the value of the listen path e.g. /api/ or / or /httpbin/.

Tyk classic API definition: proxy.listen_path.

Field: strip (boolean) Strip removes the inbound listen path (as accessed by the client) when generating the outbound request for the upstream service.

For example, consider the scenario where the Tyk base address is http://acme.com/', the listen path is example/and the upstream URL ishttp://httpbin.org/`:

If the client application sends a request to http://acme.com/example/get then the request will be proxied to http://httpbin.org/example/get
If stripListenPath is set to true, the example listen path is removed and the request would be proxied to http://httpbin.org/get.

Tyk classic API definition: proxy.strip_listen_path.

Authentication

Authentication contains configuration about the authentication methods and security policies applied to requests.

Field: enabled (boolean) Enabled makes the API protected when one of the authentication modes is enabled.

Tyk classic API definition: !use_keyless.

Field: stripAuthorizationData (boolean) StripAuthorizationData ensures that any security tokens used for accessing APIs are stripped and not passed to the upstream.

Tyk classic API definition: strip_auth_data.

Field: baseIdentityProvider (string) BaseIdentityProvider enables the use of multiple authentication mechanisms. It provides the session object that determines access control, rate limits and usage quotas.

It should be set to one of the following:

auth_token
hmac_key
basic_auth_user
jwt_claim
oidc_user
oauth_key
custom_auth

Tyk classic API definition: base_identity_provided_by.

Field: hmac (HMAC) HMAC contains the configurations related to HMAC authentication mode.

Tyk classic API definition: auth_configs["hmac"].

Field: oidc (OIDC) OIDC contains the configurations related to OIDC authentication mode.

Tyk classic API definition: auth_configs["oidc"].

Field: custom (CustomPluginAuthentication) Custom contains the configurations related to Custom authentication mode.

Tyk classic API definition: auth_configs["coprocess"].

Field: securitySchemes (SecuritySchemes) SecuritySchemes contains security schemes definitions.

ClientCertificates

ClientCertificates contains the configurations related to establishing static mutual TLS between the client and Tyk.

Field: enabled (boolean) Enabled activates static mTLS for the API.

Field: allowlist ([]string) Allowlist is the list of client certificates which are allowed.

GatewayTags

GatewayTags holds a list of segment tags that should apply for a gateway.

Field: enabled (boolean) Enabled activates use of segment tags.

Field: tags ([]string) Tags contains a list of segment tags.

Domain

Domain holds the configuration of the domain name the server should listen on.

Field: enabled (boolean) Enabled allow/disallow the usage of the domain.

Field: name (string) Name is the name of the domain.

Field: certificates ([]string) Certificates defines a field for specifying certificate IDs or file paths that the Gateway can utilise to dynamically load certificates for your custom domain.

Tyk classic API definition: certificates.

DetailedActivityLogs

DetailedActivityLogs holds the configuration related to recording detailed analytics.

Field: enabled (boolean) Enabled activates detailed activity logs.

Tyk classic API definition: enable_detailed_recording.

DetailedTracing

DetailedTracing holds the configuration of the detailed tracing.

Field: enabled (boolean) Enabled activates detailed tracing.

EventHandlers

EventHandlers holds the list of events to be processed for the API.

Type defined as array of EventHandler values, see EventHandler definition.

Global

Global contains configuration that affects the whole API (all endpoints).

Field: pluginConfig (PluginConfig) PluginConfig contains the common configuration for custom plugins.

Field: cors (CORS) CORS contains the configuration related to Cross Origin Resource Sharing.

Tyk classic API definition: CORS.

Field: prePlugin (PrePlugin) PrePlugin contains configuration related to the custom plugin that is run before authentication. Deprecated: Use PrePlugins instead.

Field: prePlugins (CustomPlugins) PrePlugins contains configuration related to the custom plugin that is run before authentication.

Tyk classic API definition: custom_middleware.pre.

Field: postAuthenticationPlugin (PostAuthenticationPlugin) PostAuthenticationPlugin contains configuration related to the custom plugin that is run immediately after authentication. Deprecated: Use PostAuthenticationPlugins instead.

Field: postAuthenticationPlugins (CustomPlugins) PostAuthenticationPlugins contains configuration related to the custom plugin that is run immediately after authentication.

Tyk classic API definition: custom_middleware.post_key_auth.

Field: postPlugin (PostPlugin) PostPlugin contains configuration related to the custom plugin that is run immediately prior to proxying the request to the upstream. Deprecated: Use PostPlugins instead.

Field: postPlugins (CustomPlugins) PostPlugins contains configuration related to the custom plugin that is run immediately prior to proxying the request to the upstream.

Tyk classic API definition: custom_middleware.post.

Field: responsePlugin (ResponsePlugin) ResponsePlugin contains configuration related to the custom plugin that is run during processing of the response from the upstream service. Deprecated: Use ResponsePlugins instead.

Field: responsePlugins (CustomPlugins) ResponsePlugins contains configuration related to the custom plugin that is run during processing of the response from the upstream service.

Tyk classic API definition: custom_middleware.response.

Field: cache (Cache) Cache contains the configurations related to caching.

Tyk classic API definition: cache_options.

Field: transformRequestHeaders (TransformHeaders) TransformRequestHeaders contains the configurations related to API level request header transformation.

Tyk classic API definition: global_headers/global_headers_remove.

Field: transformResponseHeaders (TransformHeaders) TransformResponseHeaders contains the configurations related to API level response header transformation.

Tyk classic API definition: global_response_headers/global_response_headers_remove.

Field: contextVariables (ContextVariables) ContextVariables contains the configuration related to Tyk context variables.

Field: trafficLogs (TrafficLogs) TrafficLogs contains the configurations related to API level log analytics.

Operations

Operations holds Operation definitions.

Type defined as object of Operation values, see Operation definition.

VersionToID

VersionToID contains a single mapping from a version name into an API ID.

Field: name (string) Name contains the user chosen version name, e.g. v1 or similar.

Field: id (string) ID is the API ID for the version set in Name.

ServiceDiscoveryCache

ServiceDiscoveryCache holds configuration for caching ServiceDiscovery data.

Field: enabled (boolean) Enabled turns service discovery cache on or off.

Tyk classic API definition: service_discovery.cache_disabled.

Field: timeout (int64) Timeout is the TTL for a cached object in seconds.

Tyk classic API definition: service_discovery.cache_timeout.

DomainToCertificate

DomainToCertificate holds a single mapping of domain name into a certificate.

Field: domain (string) Domain contains the domain name.

Field: certificate (string) Certificate contains the certificate mapped to the domain.

PinnedPublicKeys

PinnedPublicKeys is a list of domains and pinned public keys for them.

Type defined as array of PinnedPublicKey values, see PinnedPublicKey definition.

ReadableDuration

ReadableDuration is an alias maintained to be used in imports.

UpstreamBasicAuth

UpstreamBasicAuth holds upstream basic authentication configuration.

Field: enabled (boolean) Enabled enables upstream basic authentication.

Field: header (AuthSource) Header contains configurations for the header value.

Field: username (string) Username is the username to be used for upstream basic authentication.

Field: password (string) Password is the password to be used for upstream basic authentication.

UpstreamOAuth

UpstreamOAuth holds the configuration for OAuth2 Client Credentials flow.

Field: enabled (boolean) Enabled activates upstream OAuth2 authentication.

Field: allowedAuthorizeTypes ([]string) AllowedAuthorizeTypes specifies the allowed authorization types for upstream OAuth2 authentication.

Field: clientCredentials (ClientCredentials) ClientCredentials holds the configuration for OAuth2 Client Credentials flow.

Field: password (PasswordAuthentication) PasswordAuthentication holds the configuration for upstream OAauth password authentication flow.

HMAC

HMAC holds the configuration for the HMAC authentication mode.

Field: enabled (boolean) Enabled activates the HMAC authentication mode.

Tyk classic API definition: enable_signature_checking.

Field: allowedAlgorithms ([]string) AllowedAlgorithms is the array of HMAC algorithms which are allowed.

Tyk supports the following HMAC algorithms:

hmac-sha1
hmac-sha256
hmac-sha384
hmac-sha512

and reads the value from the algorithm header.

Tyk classic API definition: hmac_allowed_algorithms.

Field: allowedClockSkew (float64) AllowedClockSkew is the amount of milliseconds that will be tolerated for clock skew. It is used against replay attacks. The default value is 0, which deactivates clock skew checks.

Tyk classic API definition: hmac_allowed_clock_skew.

OIDC

OIDC contains configuration for the OIDC authentication mode. OIDC support will be deprecated starting from 5.7.0. To avoid any disruptions, we recommend that you use JSON Web Token (JWT) instead, as explained in https://tyk.io/docs/basic-config-and-security/security/authentication-authorization/openid-connect/.

Field: enabled (boolean) Enabled activates the OIDC authentication mode.

Tyk classic API definition: use_openid.

Field: segregateByClientId (boolean) SegregateByClientId is a boolean flag. If set to `true, the policies will be applied to a combination of Client ID and User ID.

Tyk classic API definition: openid_options.segregate_by_client.

Field: providers ([]Provider) Providers contains a list of authorized providers, their Client IDs and matched policies.

Tyk classic API definition: openid_options.providers.

Field: scopes (Scopes) Scopes contains the defined scope claims.

CustomPluginAuthentication

CustomPluginAuthentication holds configuration for custom plugins.

Field: enabled (boolean) Enabled activates the CustomPluginAuthentication authentication mode.

Tyk classic API definition: enable_coprocess_auth/use_go_plugin_auth.

Field: config (AuthenticationPlugin) Config contains configuration related to custom authentication plugin.

Tyk classic API definition: custom_middleware.auth_check.

SecuritySchemes

SecuritySchemes holds security scheme values, filled with Import().

EventHandler

EventHandler holds information about individual event to be configured on the API.

Field: enabled (boolean) Enabled enables the event handler.

Field: trigger (event.Event) Trigger specifies the TykEvent that should trigger the event handler.

Field: type (Kind) Kind specifies the action to be taken on the event trigger.

Field: id (string) ID is the ID of event handler in storage.

Field: name (string) Name is the name of event handler.

Field: `` (WebhookEvent) Webhook contains WebhookEvent configs. Encoding and decoding is handled by the custom marshaller.

PluginConfig

PluginConfig holds configuration for custom plugins.

Field: driver (string) Driver configures which custom plugin driver to use. The value should be set to one of the following:

otto,
python,
lua,
grpc,
goplugin.

Tyk classic API definition: custom_middleware.driver.

Field: bundle (PluginBundle) Bundle configures custom plugin bundles.

Field: data (PluginConfigData) Data configures custom plugin data.

CORS

CORS holds configuration for cross-origin resource sharing.

Field: enabled (boolean) Enabled is a boolean flag, if set to true, this option enables CORS processing.

Tyk classic API definition: CORS.enable.

Field: maxAge (int) MaxAge indicates how long (in seconds) the results of a preflight request can be cached. The default is 0 which stands for no max age.

Tyk classic API definition: CORS.max_age.

Field: allowCredentials (boolean) AllowCredentials indicates if the request can include user credentials like cookies, HTTP authentication or client side SSL certificates.

Tyk classic API definition: CORS.allow_credentials.

Field: exposedHeaders ([]string) ExposedHeaders indicates which headers are safe to expose to the API of a CORS API specification.

Tyk classic API definition: CORS.exposed_headers.

Field: allowedHeaders ([]string) AllowedHeaders holds a list of non simple headers the client is allowed to use with cross-domain requests.

Tyk classic API definition: CORS.allowed_headers.

Field: optionsPassthrough (boolean) OptionsPassthrough is a boolean flag. If set to true, it will proxy the CORS OPTIONS pre-flight request directly to upstream, without authentication and any CORS checks. This means that pre-flight requests generated by web-clients such as SwaggerUI or the Tyk Portal documentation system will be able to test the API using trial keys.

If your service handles CORS natively, then enable this option.

Tyk classic API definition: CORS.options_passthrough.

Field: debug (boolean) Debug is a boolean flag, If set to true, this option produces log files for the CORS middleware.

Tyk classic API definition: CORS.debug.

Field: allowedOrigins ([]string) AllowedOrigins holds a list of origin domains to allow access from. Wildcards are also supported, e.g. http://*.foo.com

Tyk classic API definition: CORS.allowed_origins.

Field: allowedMethods ([]string) AllowedMethods holds a list of methods to allow access via.

Tyk classic API definition: CORS.allowed_methods.

PrePlugin

PrePlugin configures pre-request plugins.

Pre-request plugins are executed before the request is sent to the upstream target and before any authentication information is extracted from the header or parameter list of the request.

Field: plugins (CustomPlugins) Plugins configures custom plugins to be run on pre authentication stage. The plugins would be executed in the order of configuration in the list.

CustomPlugins

CustomPlugins is a list of CustomPlugin objects.

Type defined as array of CustomPlugin values, see CustomPlugin definition.

PostAuthenticationPlugin

PostAuthenticationPlugin configures post authentication plugins.

Field: plugins (CustomPlugins) Plugins configures custom plugins to be run on pre authentication stage. The plugins would be executed in the order of configuration in the list.

CustomPlugins

CustomPlugins is a list of CustomPlugin objects.

Type defined as array of CustomPlugin values, see CustomPlugin definition.

PostPlugin

PostPlugin configures post plugins.

Field: plugins (CustomPlugins) Plugins configures custom plugins to be run on post stage. The plugins would be executed in the order of configuration in the list.

CustomPlugins

CustomPlugins is a list of CustomPlugin objects.

Type defined as array of CustomPlugin values, see CustomPlugin definition.

ResponsePlugin

ResponsePlugin configures response plugins.

Field: plugins (CustomPlugins) Plugins configures custom plugins to be run on post stage. The plugins would be executed in the order of configuration in the list.

CustomPlugins

CustomPlugins is a list of CustomPlugin objects.

Type defined as array of CustomPlugin values, see CustomPlugin definition.

Cache

Cache holds configuration for caching the requests.

Field: enabled (boolean) Enabled turns global cache middleware on or off. It is still possible to enable caching on a per-path basis by explicitly setting the endpoint cache middleware.

Tyk classic API definition: cache_options.enable_cache.

Field: timeout (int64) Timeout is the TTL for a cached object in seconds.

Tyk classic API definition: cache_options.cache_timeout.

Field: cacheAllSafeRequests (boolean) CacheAllSafeRequests caches responses to (GET, HEAD, OPTIONS) requests overrides per-path cache settings in versions, applies across versions.

Tyk classic API definition: cache_options.cache_all_safe_requests.

Field: cacheResponseCodes ([]int) CacheResponseCodes is an array of response codes which are safe to cache e.g. 404.

Tyk classic API definition: cache_options.cache_response_codes.

Field: cacheByHeaders ([]string) CacheByHeaders allows header values to be used as part of the cache key.

Tyk classic API definition: cache_options.cache_by_headers.

Field: enableUpstreamCacheControl (boolean) EnableUpstreamCacheControl instructs Tyk Cache to respect upstream cache control headers.

Tyk classic API definition: cache_options.enable_upstream_cache_control.

Field: controlTTLHeaderName (string) ControlTTLHeaderName is the response header which tells Tyk how long it is safe to cache the response for.

Tyk classic API definition: cache_options.cache_control_ttl_header.

TransformHeaders

TransformHeaders holds configuration about request/response header transformations.

Field: enabled (boolean) Enabled activates Header Transform for the given path and method.

Field: remove ([]string) Remove specifies header names to be removed from the request/response.

Field: add (Headers) Add specifies headers to be added to the request/response.

TransformHeaders

TransformHeaders holds configuration about request/response header transformations.

Field: enabled (boolean) Enabled activates Header Transform for the given path and method.

Field: remove ([]string) Remove specifies header names to be removed from the request/response.

Field: add (Headers) Add specifies headers to be added to the request/response.

ContextVariables

ContextVariables holds the configuration related to Tyk context variables.

Field: enabled (boolean) Enabled enables context variables to be passed to Tyk middlewares.

Tyk classic API definition: enable_context_vars.

TrafficLogs

TrafficLogs holds configuration about API log analytics.

Field: enabled (boolean) Enabled enables traffic log analytics for the API.

Tyk classic API definition: do_not_track.

PinnedPublicKey

PinnedPublicKey contains a mapping from the domain name into a list of public keys.

Field: domain (string) Domain contains the domain name.

Field: publicKeys ([]string) PublicKeys contains a list of the public keys pinned to the domain name.

AuthSource

AuthSource defines an authentication source.

Field: enabled (boolean) Enabled activates the auth source.

Tyk classic API definition: auth_configs[X].use_param/use_cookie.

Field: name (string) Name is the name of the auth source.

Tyk classic API definition: auth_configs[X].param_name/cookie_name.

ClientCredentials

ClientCredentials holds the configuration for OAuth2 Client Credentials flow.

Field: header (AuthSource) Header holds the configuration for the custom header to be used for OAuth authentication.

Field: tokenUrl (string) TokenURL is the resource server’s token endpoint URL. This is a constant specific to each server.

Field: scopes ([]string) Scopes specifies optional requested permissions.

Field: extraMetadata ([]string) ExtraMetadata holds the keys that we want to extract from the token and pass to the upstream.

PasswordAuthentication

PasswordAuthentication holds the configuration for upstream OAuth2 password authentication flow.

Field: header (AuthSource) Header holds the configuration for the custom header to be used for OAuth authentication.

Field: username (string) Username is the username to be used for upstream OAuth2 password authentication.

Field: password (string) Password is the password to be used for upstream OAuth2 password authentication.

Field: tokenUrl (string) TokenURL is the resource server’s token endpoint URL. This is a constant specific to each server.

Field: scopes ([]string) Scopes specifies optional requested permissions.

Field: extraMetadata ([]string) ExtraMetadata holds the keys that we want to extract from the token and pass to the upstream.

Provider

Provider defines an issuer to validate and the Client ID to Policy ID mappings.

Field: issuer (string) Issuer contains a validation value for the issuer claim, usually a domain name e.g. accounts.google.com or similar.

Field: clientToPolicyMapping ([]ClientToPolicy) ClientToPolicyMapping contains mappings of Client IDs to Policy IDs.

Scopes

Scopes holds the scope to policy mappings for a claim name.

Field: claimName (string) ClaimName contains the claim name.

Field: scopeToPolicyMapping ([]ScopeToPolicy) ScopeToPolicyMapping contains the mappings of scopes to policy IDs.

AuthenticationPlugin

AuthenticationPlugin holds the configuration for custom authentication plugin.

Field: enabled (boolean) Enabled activates custom authentication plugin.

Field: functionName (string) FunctionName is the name of authentication method.

Field: path (string) Path is the path to shared object file in case of goplugin mode or path to JS code in case of otto auth plugin.

Field: rawBodyOnly (boolean) RawBodyOnly if set to true, do not fill body in request or response object.

Field: idExtractor (IDExtractor) IDExtractor configures ID extractor with coprocess custom authentication.

Kind

Kind is an alias maintained to be used in imports.

WebhookEvent

WebhookEvent stores the core information about a webhook event.

Field: url (string) URL is the target URL for the webhook.

Field: method (string) Method is the HTTP method for the webhook.

Field: cooldownPeriod (ReadableDuration) CoolDownPeriod defines cool-down for the event, so it does not trigger again. It uses shorthand notation. The value of CoolDownPeriod is a string that specifies the interval in a compact form, where hours, minutes and seconds are denoted by ‘h’, ’m’ and ’s’ respectively. Multiple units can be combined to represent the duration.

Examples of valid shorthand notations:

“1h” : one hour
“20m” : twenty minutes
“30s” : thirty seconds
“1m29s”: one minute and twenty-nine seconds
“1h30m” : one hour and thirty minutes

An empty value is interpreted as “0s”, implying no cool-down. It’s important to format the string correctly, as invalid formats will be considered as 0s/empty.

Field: bodyTemplate (string) BodyTemplate is the template to be used for request payload.

Field: headers (Headers) Headers are the list of request headers to be used.

PluginBundle

PluginBundle holds configuration for custom plugins.

Field: enabled (boolean) Enabled activates the custom plugin bundles.

Tyk classic API definition: custom_middleware_bundle_disabled.

Field: path (string) Path is the path suffix to construct the URL to fetch plugin bundle from. Path will be suffixed to bundle_base_url in gateway config.

PluginConfigData

PluginConfigData configures config data for custom plugins.

Field: enabled (boolean) Enabled activates custom plugin config data.

Field: value (any) Value is the value of custom plugin config data.

CustomPlugin

CustomPlugin configures custom plugin.

Field: enabled (boolean) Enabled activates the custom pre plugin.

Field: functionName (string) FunctionName is the name of authentication method.

Field: path (string) Path is the path to shared object file in case of goplugin mode or path to JS code in case of otto auth plugin.

Field: rawBodyOnly (boolean) RawBodyOnly if set to true, do not fill body in request or response object.

Field: requireSession (boolean) RequireSession if set to true passes down the session information for plugins after authentication. RequireSession is used only with JSVM custom middleware.

CustomPlugin

CustomPlugin configures custom plugin.

Field: enabled (boolean) Enabled activates the custom pre plugin.

Field: functionName (string) FunctionName is the name of authentication method.

Field: path (string) Path is the path to shared object file in case of goplugin mode or path to JS code in case of otto auth plugin.

Field: rawBodyOnly (boolean) RawBodyOnly if set to true, do not fill body in request or response object.

Field: requireSession (boolean) RequireSession if set to true passes down the session information for plugins after authentication. RequireSession is used only with JSVM custom middleware.

CustomPlugin

CustomPlugin configures custom plugin.

Field: enabled (boolean) Enabled activates the custom pre plugin.

Field: functionName (string) FunctionName is the name of authentication method.

Field: path (string) Path is the path to shared object file in case of goplugin mode or path to JS code in case of otto auth plugin.

Field: rawBodyOnly (boolean) RawBodyOnly if set to true, do not fill body in request or response object.

Field: requireSession (boolean) RequireSession if set to true passes down the session information for plugins after authentication. RequireSession is used only with JSVM custom middleware.

CustomPlugin

CustomPlugin configures custom plugin.

Field: enabled (boolean) Enabled activates the custom pre plugin.

Field: functionName (string) FunctionName is the name of authentication method.

Field: path (string) Path is the path to shared object file in case of goplugin mode or path to JS code in case of otto auth plugin.

Field: rawBodyOnly (boolean) RawBodyOnly if set to true, do not fill body in request or response object.

Field: requireSession (boolean) RequireSession if set to true passes down the session information for plugins after authentication. RequireSession is used only with JSVM custom middleware.

Headers

Headers is an array of Header.

Type defined as array of Header values, see Header definition.

ClientToPolicy

ClientToPolicy contains a 1-1 mapping between Client ID and Policy ID.

Field: clientId (string) ClientID contains a Client ID.

Field: policyId (string) PolicyID contains a Policy ID.

ScopeToPolicy

ScopeToPolicy contains a single scope to policy ID mapping.

Field: scope (string) Scope contains the scope name.

Field: policyId (string) PolicyID contains the Policy ID.

IDExtractor

IDExtractor configures ID Extractor.

Field: enabled (boolean) Enabled activates ID extractor with coprocess authentication.

Field: source (string) Source is the source from which ID to be extracted from.

Field: with (string) With is the type of ID extractor to be used.

Field: config (IDExtractorConfig) Config holds the configuration specific to ID extractor type mentioned via With.

Header holds a header name and value pair.

Field: name (string) Name is the name of the header.

Field: value (string) Value is the value of the header.

IDExtractorConfig

IDExtractorConfig specifies the configuration for ID extractor.

Field: headerName (string) HeaderName is the header name to extract ID from.

Field: formParamName (string) FormParamName is the form parameter name to extract ID from.

Field: regexp (string) Regexp is the regular expression to match ID.

Field: regexpMatchIndex (int) RegexpMatchIndex is the index from which ID to be extracted after a match. Default value is 0, ie if regexpMatchIndex is not provided ID is matched from index 0.

Field: xPathExp (string) XPathExp is the xpath expression to match ID.

Allowance

Allowance describes allowance actions and behaviour.

Field: enabled (boolean) Enabled is a boolean flag, if set to true, then individual allowances (allow, block, ignore) will be enforced.

Field: ignoreCase (boolean) IgnoreCase is a boolean flag, If set to true, checks for requests allowance will be case insensitive.

AllowanceType

AllowanceType holds the valid allowance types values.

AuthSources

AuthSources defines authentication source configuration: headers, cookies and query parameters.

Tyk classic API definition: auth_configs{}.

Field: header (AuthSource) Header contains configurations for the header value auth source, it is enabled by default.

Tyk classic API definition: auth_configs[x].header.

Field: cookie (AuthSource) Cookie contains configurations for the cookie value auth source.

Tyk classic API definition: auth_configs[x].cookie.

Field: query (AuthSource) Query contains configurations for the query parameters auth source.

Tyk classic API definition: auth_configs[x].query.

Basic

Basic type holds configuration values related to http basic authentication.

Field: enabled (boolean) Enabled activates the basic authentication mode.

Tyk classic API definition: use_basic_auth.

Field: disableCaching (boolean) DisableCaching disables the caching of basic authentication key.

Tyk classic API definition: basic_auth.disable_caching.

Field: cacheTTL (int) CacheTTL is the TTL for a cached basic authentication key in seconds.

Tyk classic API definition: basic_auth.cache_ttl.

Field: extractCredentialsFromBody (ExtractCredentialsFromBody) ExtractCredentialsFromBody helps to extract username and password from body. In some cases, like dealing with SOAP, user credentials can be passed via request body.

CachePlugin

CachePlugin holds the configuration for the cache plugins.

Field: enabled (boolean) Enabled is a boolean flag. If set to true, the advanced caching plugin will be enabled.

Field: cacheByRegex (string) CacheByRegex defines a regular expression used against the request body to produce a cache key.

Example value: \"id\":[^,]* (quoted json value).

Field: cacheResponseCodes ([]int) CacheResponseCodes contains a list of valid response codes for responses that are okay to add to the cache.

Field: timeout (int64) Timeout is the TTL for the endpoint level caching in seconds. 0 means no caching.

CircuitBreaker

CircuitBreaker holds configuration for the circuit breaker middleware. Tyk classic API definition: version_data.versions..extended_paths.circuit_breakers[*].

Field: enabled (boolean) Enabled activates the Circuit Breaker functionality.

Tyk classic API definition: version_data.versions..extended_paths.circuit_breakers[*].disabled.

Field: threshold (float64) Threshold is the proportion from each sampleSize requests that must fail for the breaker to be tripped. This must be a value between 0.0 and 1.0. If sampleSize is 100 then a threshold of 0.4 means that the breaker will be tripped if 40 out of every 100 requests fails.

Tyk classic API definition: version_data.versions..extended_paths.circuit_breakers[*].threshold_percent.

Field: sampleSize (int) SampleSize is the size of the circuit breaker sampling window. Combining this with threshold gives the failure rate required to trip the circuit breaker.

Tyk classic API definition: version_data.versions..extended_paths.circuit_breakers[*].samples.

Field: coolDownPeriod (int) CoolDownPeriod is the period of time (in seconds) for which the circuit breaker will remain open before returning to service.

Tyk classic API definition: version_data.versions..extended_paths.circuit_breakers[*].return_to_service_after.

Field: halfOpenStateEnabled (boolean) HalfOpenStateEnabled , if enabled, allows some requests to pass through the circuit breaker during the cool down period. If Tyk detects that the path is now working, the circuit breaker will be automatically reset and traffic will be resumed to the upstream.

Tyk classic API definition: version_data.versions..extended_paths.circuit_breakers[*].disable_half_open_state.

ClientAuthData

ClientAuthData holds the client ID and secret for OAuth2 authentication.

Field: clientId (string) ClientID is the application’s ID.

Field: clientSecret (string) ClientSecret is the application’s secret.

EndpointPostPlugin

EndpointPostPlugin contains endpoint level post plugin configuration.

Field: enabled (boolean) Enabled activates post plugin.

Field: name (string) Name is the name of plugin function to be executed. Deprecated: Use FunctionName instead.

Field: functionName (string) FunctionName is the name of plugin function to be executed.

Field: path (string) Path is the path to plugin.

EndpointPostPlugins

EndpointPostPlugins is a list of EndpointPostPlugins. It’s used where multiple plugins can be run.

Type defined as array of EndpointPostPlugin values, see EndpointPostPlugin definition.

EnforceTimeout

EnforceTimeout holds the configuration for enforcing request timeouts.

Field: enabled (boolean) Enabled is a boolean flag. If set to true, requests will enforce a configured timeout.

Field: value (int) Value is the configured timeout in seconds.

ExternalOAuth

ExternalOAuth holds configuration for an external OAuth provider. ExternalOAuth support will be deprecated starting from 5.7.0. To avoid any disruptions, we recommend that you use JSON Web Token (JWT) instead, as explained in https://tyk.io/docs/basic-config-and-security/security/authentication-authorization/ext-oauth-middleware/.

Field: enabled (boolean) Enabled activates external oauth functionality.

Field: providers ([]OAuthProvider) Providers is used to configure OAuth providers.

ExtractCredentialsFromBody

ExtractCredentialsFromBody configures extracting credentials from the request body.

Field: enabled (boolean) Enabled activates extracting credentials from body.

Tyk classic API definition: basic_auth.extract_from_body.

Field: userRegexp (string) UserRegexp is the regex for username e.g. <User>(.*)</User>.

Tyk classic API definition: basic_auth.userRegexp.

Field: passwordRegexp (string) PasswordRegexp is the regex for password e.g. <Password>(.*)</Password>.

Tyk classic API definition: basic_auth.passwordRegexp.

FromOASExamples

FromOASExamples configures mock responses that should be returned from OAS example responses.

Field: enabled (boolean) Enabled activates getting a mock response from OAS examples or schemas documented in OAS.

Field: code (int) Code is the default HTTP response code that the gateway reads from the path responses documented in OAS.

Field: contentType (string) ContentType is the default HTTP response body type that the gateway reads from the path responses documented in OAS.

Field: exampleName (string) ExampleName is the default example name among multiple path response examples documented in OAS.

Internal

Internal holds the endpoint configuration, configuring the endpoint for internal requests. Tyk classic API definition: version_data.versions...extended_paths.internal[*].

Field: enabled (boolean) Enabled if set to true makes the endpoint available only for internal requests.

Introspection

Introspection holds configuration for OAuth token introspection.

Field: enabled (boolean) Enabled activates OAuth access token validation by introspection to a third party.

Field: url (string) URL is the URL of the third party provider’s introspection endpoint.

Field: clientId (string) ClientID is the public identifier for the client, acquired from the third party.

Field: clientSecret (string) ClientSecret is a secret known only to the client and the authorisation server, acquired from the third party.

Field: identityBaseField (string) IdentityBaseField is the key showing where to find the user id in the claims. If it is empty, the sub key is looked at.

Field: cache (IntrospectionCache) Cache is the caching mechanism for introspection responses.

IntrospectionCache

IntrospectionCache holds configuration for caching introspection requests.

Field: enabled (boolean) Enabled activates the caching mechanism for introspection responses.

Field: timeout (int64) Timeout is the duration in seconds of how long the cached value stays. For introspection caching, it is suggested to use a short interval.

JWT

JWT holds the configuration for the JWT middleware.

Field: enabled (boolean) Enabled activates the basic authentication mode.

Tyk classic API definition: enable_jwt.

Field: source (string) Source contains the source for the JWT.

Tyk classic API definition: jwt_source.

Field: signingMethod (string) SigningMethod contains the signing method to use for the JWT.

Tyk classic API definition: jwt_signing_method.

Field: identityBaseField (string) IdentityBaseField specifies the claim name uniquely identifying the subject of the JWT. The identity fields that are checked in order are: kid, IdentityBaseField, sub.

Tyk classic API definition: jwt_identity_base_field.

Field: skipKid (boolean) SkipKid controls skipping using the kid claim from a JWT (default behaviour). When this is true, the field configured in IdentityBaseField is checked first.

Tyk classic API definition: jwt_skip_kid.

Field: policyFieldName (string) PolicyFieldName is a configurable claim name from which a policy ID is extracted. The policy is applied to the session as a base policy.

Tyk classic API definition: jwt_policy_field_name.

Field: clientBaseField (string) ClientBaseField is used when PolicyFieldName is not provided. It will get a session key and use the policies from that. The field ensures that requests use the same session.

Tyk classic API definition: jwt_client_base_field.

Field: scopes (Scopes) Scopes holds the scope to policy mappings for a claim name.

Field: defaultPolicies ([]string) DefaultPolicies is a list of policy IDs that apply to the session.

Tyk classic API definition: jwt_default_policies.

Field: issuedAtValidationSkew (uint64) IssuedAtValidationSkew contains the duration in seconds for which token issuance can predate the current time during the request.

Field: notBeforeValidationSkew (uint64) NotBeforeValidationSkew contains the duration in seconds for which token validity can predate the current time during the request.

Field: expiresAtValidationSkew (uint64) ExpiresAtValidationSkew contains the duration in seconds for which the token can be expired before we consider it expired.

Field: idpClientIdMappingDisabled (boolean) IDPClientIDMappingDisabled prevents Tyk from automatically detecting the use of certain IDPs based on standard claims that they include in the JWT: client_id, cid, clientId. Setting this flag to true disables the mapping and avoids accidentally misidentifying the use of one of these IDPs if one of their standard values is configured in your JWT.

JWTValidation

JWTValidation holds configuration for validating access tokens by inspecing them against a third party API, usually one provided by the IDP.

Field: enabled (boolean) Enabled activates OAuth access token validation.

Field: signingMethod (string) SigningMethod to verify signing method used in jwt - allowed values HMAC/RSA/ECDSA.

Field: source (string) Source is the secret to verify signature. Valid values are:

a base64 encoded static secret,
a valid JWK URL in plain text,
a valid JWK URL in base64 encoded format.

Field: identityBaseField (string) IdentityBaseField is the identity claim name.

Field: issuedAtValidationSkew (uint64) IssuedAtValidationSkew is the clock skew to be considered while validating the iat claim.

Field: notBeforeValidationSkew (uint64) NotBeforeValidationSkew is the clock skew to be considered while validating the nbf claim.

Field: expiresAtValidationSkew (uint64) ExpiresAtValidationSkew is the clock skew to be considered while validating the exp claim.

MockResponse

MockResponse configures the mock responses.

Field: enabled (boolean) Enabled activates the mock response middleware.

Field: code (int) Code is the HTTP response code that will be returned.

Field: body (string) Body is the HTTP response body that will be returned.

Field: headers (Headers) Headers are the HTTP response headers that will be returned.

Field: fromOASExamples (FromOASExamples) FromOASExamples is the configuration to extract a mock response from OAS documentation.

Notifications

Notifications holds configuration for updates to keys.

Field: sharedSecret (string) SharedSecret is the shared secret used in the notification request.

Field: onKeyChangeUrl (string) OnKeyChangeURL is the URL a request will be triggered against.

OAuth

OAuth configures the OAuth middleware.

Field: enabled (boolean) Enabled activates the OAuth middleware.

Field: allowedAuthorizeTypes ([]string) AllowedAuthorizeTypes is an array of OAuth authorization types.

Field: refreshToken (boolean) RefreshToken enables clients using a refresh token to get a new bearer access token.

Field: authLoginRedirect (string) AuthLoginRedirect configures a URL to redirect to after a successful login.

Field: notifications (Notifications) Notifications configures a URL trigger on key changes.

OAuthProvider

OAuthProvider holds the configuration for validation and introspection of OAuth tokens.

Field: jwt (JWTValidation) JWT configures JWT validation.

Field: introspection (Introspection) Introspection configures token introspection.

Operation

Operation holds a request operation configuration, allowances, tranformations, caching, timeouts and validation.

Field: allow (Allowance) Allow request by allowance.

Field: block (Allowance) Block request by allowance.

Field: ignoreAuthentication (Allowance) IgnoreAuthentication ignores authentication on request by allowance.

Field: internal (Internal) Internal makes the endpoint only respond to internal requests.

Field: transformRequestMethod (TransformRequestMethod) TransformRequestMethod allows you to transform the method of a request.

Field: transformRequestBody (TransformBody) TransformRequestBody allows you to transform request body. When both path and body are provided, body would take precedence.

Field: transformResponseBody (TransformBody) TransformResponseBody allows you to transform response body. When both path and body are provided, body would take precedence.

Field: transformRequestHeaders (TransformHeaders) TransformRequestHeaders allows you to transform request headers.

Field: transformResponseHeaders (TransformHeaders) TransformResponseHeaders allows you to transform response headers.

Field: urlRewrite (URLRewrite) URLRewrite contains the URL rewriting configuration.

Field: cache (CachePlugin) Cache contains the caching plugin configuration.

Field: enforceTimeout (EnforceTimeout) EnforceTimeout contains the request timeout configuration.

Field: validateRequest (ValidateRequest) ValidateRequest contains the request validation configuration.

Field: mockResponse (MockResponse) MockResponse contains the mock response configuration.

Field: virtualEndpoint (VirtualEndpoint) VirtualEndpoint contains virtual endpoint configuration.

Field: postPlugins (EndpointPostPlugins) PostPlugins contains endpoint level post plugins configuration.

Field: circuitBreaker (CircuitBreaker) CircuitBreaker contains the configuration for the circuit breaker functionality.

Field: trackEndpoint (TrackEndpoint) TrackEndpoint contains the configuration for enabling analytics and logs.

Field: doNotTrackEndpoint (TrackEndpoint) DoNotTrackEndpoint contains the configuration for disabling analytics and logs.

Field: requestSizeLimit (RequestSizeLimit) RequestSizeLimit limits the maximum allowed size of the request body in bytes.

Field: rateLimit (RateLimitEndpoint) RateLimit contains endpoint level rate limit configuration.

Path

Path holds plugin configurations for HTTP method verbs.

Field: DELETE (Plugins) Delete holds plugin configuration for DELETE requests.

Field: GET (Plugins) Get holds plugin configuration for GET requests.

Field: HEAD (Plugins) Head holds plugin configuration for HEAD requests.

Field: OPTIONS (Plugins) Options holds plugin configuration for OPTIONS requests.

Field: PATCH (Plugins) Patch holds plugin configuration for PATCH requests.

Field: POST (Plugins) Post holds plugin configuration for POST requests.

Field: PUT (Plugins) Put holds plugin configuration for PUT requests.

Field: TRACE (Plugins) Trace holds plugin configuration for TRACE requests.

Field: CONNECT (Plugins) Connect holds plugin configuration for CONNECT requests.

Paths

Paths is a mapping of API endpoints to Path plugin configurations.

Type defined as object of Path values, see Path definition.

Plugins

Plugins configures common settings for each plugin, allowances, transforms, caching and timeouts.

Field: allow (Allowance) Allow request by allowance.

Field: block (Allowance) Block request by allowance.

Field: ignoreAuthentication (Allowance) IgnoreAuthentication ignores authentication on request by allowance.

Field: transformRequestMethod (TransformRequestMethod) TransformRequestMethod allows you to transform the method of a request.

Field: cache (CachePlugin) Cache allows you to cache the server side response.

Field: enforcedTimeout (EnforceTimeout) EnforceTimeout allows you to configure a request timeout.

RateLimitEndpoint

RateLimitEndpoint carries same settings as RateLimit but for endpoints.

Type defined as RateLimit, see RateLimit definition.

RequestSizeLimit

RequestSizeLimit limits the maximum allowed size of the request body in bytes.

Field: enabled (boolean) Enabled activates the Request Size Limit functionality.

Field: value (int64) Value is the maximum allowed size of the request body in bytes.

SecurityScheme

SecurityScheme defines an Importer interface for security schemes.

Signature

Signature holds the configuration for signature validation.

Field: enabled (boolean) Enabled activates signature validation.

Tyk classic API definition: auth_configs[X].validate_signature.

Field: algorithm (string) Algorithm is the signature method to use.

Tyk classic API definition: auth_configs[X].signature.algorithm.

Field: header (string) Header is the name of the header to consume.

Tyk classic API definition: auth_configs[X].signature.header.

Field: query (AuthSource) Query is the name of the query parameter to consume.

Tyk classic API definition: auth_configs[X].signature.use_param/param_name.

Field: secret (string) Secret is the signing secret used for signature validation.

Tyk classic API definition: auth_configs[X].signature.secret.

Field: allowedClockSkew (int64) AllowedClockSkew configures a grace period in seconds during which an expired token is still valid.

Tyk classic API definition: auth_configs[X].signature.allowed_clock_skew.

Field: errorCode (int) ErrorCode configures the HTTP response code for a validation failure. If unconfigured, a HTTP 401 Unauthorized status code will be emitted.

Tyk classic API definition: auth_configs[X].signature.error_code.

Field: errorMessage (string) ErrorMessage configures the error message that is emitted on validation failure. A default error message is emitted if unset.

Tyk classic API definition: auth_configs[X].signature.error_message.

Token

Token holds the values related to authentication tokens.

Field: enabled (boolean) Enabled activates the token based authentication mode.

Tyk classic API definition: auth_configs["authToken"].use_standard_auth.

Field: enableClientCertificate (boolean) EnableClientCertificate allows to create dynamic keys based on certificates.

Tyk classic API definition: auth_configs["authToken"].use_certificate.

Field: signatureValidation (Signature) Signature holds the configuration for verifying the signature of the token.

Tyk classic API definition: auth_configs["authToken"].use_certificate.

TrackEndpoint

TrackEndpoint configures Track or DoNotTrack behaviour for an endpoint. Tyk classic API definition: version_data.versions..extended_paths.track_endpoints, version_data.versions..extended_paths.do_not_track_endpoints.

Field: enabled (boolean) Enabled if set to true enables or disables tracking for an endpoint depending if it’s used in trackEndpoint or doNotTrackEndpoint.

TransformBody

TransformBody holds configuration about request/response body transformations.

Field: enabled (boolean) Enabled activates transform request/request body middleware.

Field: format (string) Format of the request/response body, xml or json.

Field: path (string) Path file path for the template.

Field: body (string) Body base64 encoded representation of the template.

TransformRequestMethod

TransformRequestMethod holds configuration for rewriting request methods.

Field: enabled (boolean) Enabled activates Method Transform for the given path and method.

Field: toMethod (string) ToMethod is the http method value to which the method of an incoming request will be transformed.

URLRewrite

URLRewrite configures URL rewriting. Tyk classic API definition: version_data.versions[].extended_paths.url_rewrite.

Field: enabled (boolean) Enabled activates URL rewriting if set to true.

Field: pattern (string) Pattern is the regular expression against which the request URL is compared for the primary rewrite check. If this matches the defined pattern, the primary URL rewrite is triggered.

Field: rewriteTo (string) RewriteTo specifies the URL to which the request shall be rewritten if the primary URL rewrite is triggered.

Field: triggers ([]*URLRewriteTrigger) Triggers contain advanced additional triggers for the URL rewrite. The triggers are processed only if the requested URL matches the pattern above.

URLRewriteCondition

URLRewriteCondition defines the matching mode for an URL rewrite rules.

Value any means any of the defined trigger rules may match.
Value all means all the defined trigger rules must match.

URLRewriteInput

URLRewriteInput defines the input for an URL rewrite rule.

The following values are valid:

url, match pattern against URL
query, match pattern against named query parameter value
path, match pattern against named path parameter value
header, match pattern against named header value
sessionMetadata, match pattern against session metadata
requestBody, match pattern against request body
requestContext, match pattern against request context

The default url is used as the input source.

URLRewriteRule

URLRewriteRule represents a rewrite matching rules.

Field: in (URLRewriteInput) In specifies one of the valid inputs for URL rewriting.

Field: name (string) Name is the index in the value declared inside in.

Example: for in=query, name=q, the parameter q would be read from the request query parameters.

The value of name is unused when in is set to requestBody, as the request body is a single value and not a set of values.

Field: pattern (string) Pattern is the regular expression against which the in values are compared for this rule check. If the value matches the defined pattern, the URL rewrite is triggered for this rule.

Field: negate (boolean) Negate is a boolean negation operator. Setting it to true inverts the matching behaviour such that the rewrite will be triggered if the value does not match the pattern for this rule.

URLRewriteTrigger

URLRewriteTrigger represents a set of matching rules for a rewrite.

Field: condition (URLRewriteCondition) Condition indicates the logical combination that will be applied to the rules for an advanced trigger.

Field: rules ([]*URLRewriteRule) Rules contain individual checks that are combined according to the condition to determine if the URL rewrite will be triggered. If empty, the trigger is ignored.

Field: rewriteTo (string) RewriteTo specifies the URL to which the request shall be rewritten if indicated by the combination of condition and rules.

ValidateRequest

ValidateRequest holds configuration required for validating requests.

Field: enabled (boolean) Enabled is a boolean flag, if set to true, it enables request validation.

Field: errorResponseCode (int) ErrorResponseCode is the error code emitted when the request fails validation. If unset or zero, the response will returned with http status 422 Unprocessable Entity.

VirtualEndpoint

VirtualEndpoint contains virtual endpoint configuration.

Field: enabled (boolean) Enabled activates virtual endpoint.

Field: name (string) Name is the name of plugin function to be executed. Deprecated: Use FunctionName instead.

Field: functionName (string) FunctionName is the name of plugin function to be executed.

Field: path (string) Path is the path to JS file.

Field: body (string) Body is the JS function to execute encoded in base64 format.

Field: proxyOnError (boolean) ProxyOnError proxies if virtual endpoint errors out.

Field: requireSession (boolean) RequireSession if enabled passes session to virtual endpoint.

XTykStreaming

XTykStreaming represents the structure for Tyk streaming configurations.

Field: streams (any) Streams contains the configurations related to Tyk Streams.