Introduction
Transport Layer Security (TLS) and Mutual TLS (mTLS) can be used to secure access to Tyk components and to the hosted APIs that provide access to your upstream services. Tyk can also connect securely to those upstream services using TLS and mTLS. For more details on security protocols and public key cryptography, see our TLS and Certificates guide.Tyk Gateway as a TLS Server (Inbound Connections)
This section covers scenarios in which the Tyk Gateway terminates TLS connections from an external client. The Gateway has two distinct interfaces where it acts as a server:- Control API Interface: The Tyk Gateway API used for managing the Gateway (adding APIs, hot reloads, etc.)
- Hosted API Interface: The public-facing interface where API clients connect to access your APIs
Basic Server Configuration
Configure TLS for these interfaces in the Gateway config file (tyk.conf) or environment variables:
Optionally, expose the Control API on a separate hostname from Hosted APIs. This is required to secure the Control API with mTLS. See the Planning For Production guide for details.
Configure Server Certificates
In the TLS handshake, Tyk Gateway proves its identity using its private key and certificate, known as the server certificate pair. Server certificate pairs are registered in the Gateway config file (tyk.conf) or equivalent environment variable:
During the TLS handshake, Tyk Gateway inspects the hostname sent in the Server Name Indication (SNI) extension of the client request. It then searches its list of registered server certificates to find one with a matching Subject Alternative Name (SAN). The search prioritises certificates assigned to specific API custom domains before checking globally configured certificates. If a matching certificate pair is found, it is presented to the client. If no specific match is found, the Gateway will use the first certificate loaded from its configuration as the default to complete the handshake.
The referenced server certificate pairs are used to verify Tyk’s identity in the TLS handshake and so must contain both the certificate (public key) and private key.
Configure Server Certificates for API Custom Domains
APIs hosted on Tyk can be exposed on individual hostnames (custom domains), for which separate server certificate pairs can be registered. Tyk Gateway must first be configured to allow the use of custom domains in the Gateway config file (tyk.conf) or equivalent environment variables:
Within the API definition, the custom domain is configured in the Tyk Vendor Extension:
Note: If you are using Tyk Classic APIs, the equivalent configuration fields are
domain_disabled, domain, and certificate_pairs[] in the root of the API definition.
Secure the Gateway Control API with mTLS
With TLS enabled for the Gateway you can enforce mutual TLS for requests to the Control API if it is exposed on a different hostname by setting the following options in the Gateway config file (tyk.conf) or equivalent environment variables:
The referenced certificates are used to verify the client’s identity in the mTLS handshake and so will typically be the CA certificates that can be used to validate the client certificate.
Secure Hosted APIs with mTLS
Tyk takes a very flexible approach to mutual TLS for securing access to hosted APIs. With TLS enabled for the Gateway you can selectively enforce mTLS per API. For each API, you can determine a list of one or more allowed client certificates. Once the mTLS handshake completes, Tyk will check the client’s certificate against the allow list for that API. The request will be authorized only if the client certificate matches. For complete flexibility, Tyk offers two different types of allow list:- a static list stored in the API definition (historically referred to by Tyk as static mTLS)
- a dynamic list in the Redis/temporal storage (historically referred to by Tyk as dynamic mTLS)
Tyk must be the server that terminates the TLS request from the client. If a load balancer sits between the client and Tyk and terminates TLS then the client certificate won’t be presented to Tyk for verification.In this scenario, neither of Tyk’s static nor dynamic allow lists can be used to secure your APIs. You can, of course, secure the connection between clients and your load balancer using mTLS but this is outside the scope of Tyk.
Using a static client certificate allow list
The Mutual TLS with a static allow list will be enforced for requests to an API if the Tyk Vendor Extension contains the following configuration: If using Tyk Classic, the fields are
use_mutual_tls_auth and client_certificates.Using a dynamic client certificate allow list
Tyk’s powerful dynamic client certificate allow list provides an alternative to declaring the allow list in the API definition. This is a separate authentication method historically called Dynamic mTLS but, from Tyk 5.12, referred to as Certificate Auth. Changes were implemented with the introduction of Certificate Auth to address some limitations in Dynamic mTLS. The allow list is described as dynamic because it is stored in Redis rather than the API definition. The entries in the list can thus be managed without making any changes to the API definition, no need to reload the Gateway to make changes, unlike the static allow list described above. When a request is made to an API secured with mTLS and a dynamic allow list, the client certificate in the request is used to locate a matching session in Redis. If a match is found, the request is authorized. From Tyk 5.12, this is called Certificate Authentication. Please see the dedicated section for more details.
The
enableClientCertificate field will still work in Tyk 5.12 but will be deprecated in a future release. Users are encouraged to adopt Certificate Authentication. If using Tyk Classic, the equivalent field is auth_configs.authToken.useCertificate.Legacy Dynamic mTLS mode
Prior to Tyk 5.12, this method was called Dynamic mTLS and permitted authentication using either the client certificate or an Auth Token matching the Redis key for the session state object. If the token was presented, then Tyk treated the certificate as optional and did not enforce the mutual TLS handshake. A key concept of the mTLS handshake is that it ensures that the client has possession of the private key. Possession of the certificate (i.e., the public key) does not confirm the client’s identity (since this is by its nature public information). With the Dynamic API, the token can be constructed if you have knowledge of the certificate ID/hash and Organization ID - so possession of the token does not guarantee possession of the private key and hence is not equivalent to completion of the mTLS handshake (which requires possession of the private key). From Tyk 5.12, the option to authenticate using only the token has been placed behind a Gateway configuration optionallow_unsafe_dynamic_mtls_token. If this is not set (the default behavior), then requests presenting just the token will be rejected; the certificate must be presented and the mTLS handshake is enforced.
The legacy behavior is maintained for existing Tyk users who require this method for testing, but it is strongly discouraged; hence, the default setting is to restrict authentication to the certificate only.
In Tyk 5.12, the option to use only the token to authenticate has been placed behind the Gateway configuration option
allow_unsafe_dynamic_mtls_token.Advanced Server-Side TLS Settings
Controlling TLS Version and Cipher Suites
The Transport Layer Security specification has evolved through multiple versions, the most recent being TLS 1.3 which is the fastest and most secure. TLS 1.0 and 1.1 have been deprecated due to vulnerabilities and should no longer be used; Tyk has not supported these since Tyk 5.6. Whilst TLS 1.3 is often recommended, some legacy systems continue to use TLS 1.2, so Tyk has full support including the specification of allowed ciphers. When using TLS 1.3 the standard only allows secure ciphers and these are automatically negotiated during the handshake. You can configure Tyk Gateway with a minimum and maximum TLS version, and select the cipher suites to be used with TLS 1.2 using thehttp_server_options configuration:
Tyk uses Golang libraries to provide TLS functionality, so the range of supported TLS versions depends on the underlying library. Support for TLS 1.0 and 1.1 was removed in Go 1.22 (which was adopted in Tyk 5.3.6/5.6.0), so these are no longer supported by Tyk.The default minimum and maximum TLS versions are inherited from the Golang library and thus are presently 1.2 and 1.3 respectively.Prior to Tyk 5.8.14/5.13.0 the default for the maximum TLS version was set to 1.2.
Supporting HTTP/2
Tyk supports the use of HTTP/2 for hosted APIs with compatible clients by configuring:Skipping Client CA Announcement
When using mTLS, the server (Tyk Gateway) announces to the client which Certificate Authorities it trusts, so the client can ensure it presents a certificate signed by a mutually trusted authority. If there are many Certificate Authorities, this can add overhead to the mTLS handshake. Tyk provides an opportunity to skip the announcement (which is an optional step in the handshake) by configuring:Tyk Gateway as a TLS Client (Outbound Connections)
This section covers scenarios where the Tyk Gateway is initiating a TLS connection to another service, such as an upstream service, the Tyk Dashboard, or other external services like Redis.Integrating with Dashboard
If TLS is in use for the Dashboard’s Control API, i.e., the Dashboard is the TLS server, then the Gateway will need to verify the server certificate presented by the Dashboard (unless configured to skip verification of the server certificate). The following must be configured in the Gateway (viatyk.conf or the equivalent environment variable):
Connecting Securely to Upstream Services
When communicating with upstream services, Tyk acts as the TLS client and must therefore hold both the client certificate and the private key. When mTLS is implemented with the upstream service, the Gateway will verify the upstream’s identity by examining the server certificate it presents.- CA certificates can be directly registered with the Tyk Certificate Store
- Client certificates with a private key can be registered as a pair with the Tyk Certificate Store - The client certificate must be concatenated with the private key before being PEM encoded
The minimum and maximum TLS versions are both set to TLS 1.2 by default, unless set otherwise in the Gateway or API configuration.
Common Gateway-level Configuration
The following common settings for upstream TLS connections are set in the Gateway config (tyk.conf or the equivalent environment variables):API-Specific Configuration
Granular configuration of the TLS connection is controlled via theupstream.tlsTransport object in the Tyk Vendor Extension:
Full details for configuring certificates for mTLS with upstream services are in the dedicated upstream mTLS section.
Routing Through a Forward Proxy
The “custom proxy” feature in Tyk lets you configure the Gateway to route requests to your upstream services via a forward proxy (also known as an HTTP proxy). This is often required in enterprise environments where outbound traffic must pass through a centralized proxy for security, logging, or policy enforcement. When you define an API in Tyk, you specify a Target URL for your upstream service. By default, the Tyk Gateway connects directly to this URL. The custom proxy feature allows you to insert an intermediary proxy for this connection. The configuration is handled within theupstream.proxy object of the Tyk Vendor Extension (proxy in the Tyk Classic API definition):
If you are using a secure proxy with an
https:// URL, Tyk will apply the TLS configuration for the target upstream, using the host operating system’s standard root CA store to validate the proxy’s server certificate. Tyk does not support mTLS connections to the forward proxy; only to the upstream target beyond the proxy.Connecting Securely to Other External Services
Tyk Gateway can be integrated with various external services that support proxying hosted APIs, for example, Identity Providers (for authentication), webhook targets (for event handling), and storage (for example, to Redis). Tyk’s External Services Configuration guide provides the details required to secure these connections using mTLS.Advanced Client-Side TLS Settings
Common Name (CN) Check
Use of a server Common Name (CN) was deprecated by RFC 2818 in May 2000 in favor of Subject Alternative Names (SANs). Since Go 1.17, the standard library no longer validates hostnames against the CN field. When Tyk acts as a TLS client connecting to upstream services, it can perform a manual CN check to support:- Legacy systems that still rely on Common Name
- Internal certificates with CN but incomplete or missing SANs
tyk.conf) or equivalent environment variable:
proxy.transport.ssl_force_common_name_check.
Behavior
When the CN check is enabled, Tyk performs manual hostname verification against the certificate’s Common Name field:
- Direct connections: Tyk bypasses standard Go TLS verification and manually validates that the CN matches the upstream hostname
- Proxy connections: Tyk performs standard certificate chain verification then additionally validates the CN
proxy.ssl_insecure_skip_verify=true during the handshake to bypass Go’s standard verification, then performs custom validation. Use only when necessary for legacy systems.
Recommendation
For modern integrations, ensure upstream certificates include proper SANs and avoid relying on CN validation.
TLS 1.2 Renegotiation Behavior
Prior to TLS 1.3, after completing the TLS handshake, either party (client or server) could request to renegotiate the session parameters (such as keys or ciphers). This introduced a potential security vulnerability, such as man-in-the-middle prefix injection attacks (e.g., CVE-2009-3555). Theproxy.ssl_disable_renegotiation option in the Gateway configuration mitigates this risk. Setting it to true disallows renegotiation once the TLS connection has been established, which is the most secure configuration.
By default, this option is false, which permits the Gateway (acting as a client) to initiate a renegotiation. This is for backward compatibility with legacy upstream services that may require it. However, even in this default mode, the Gateway will reject renegotiation requests initiated by the upstream server.
This setting is only relevant to TLS 1.2 connections, as renegotiation is not supported in TLS 1.3.
Skipping Server Certificate Verification
In trusted environments, such as development environments, it is often easier to use self-signed certificates for expediency. During the TLS handshake, the client will be unable to verify the server’s certificate, and the connection will be rejected. When acting as the client in the TLS handshake (for example, when connecting to Tyk Dashboard), Tyk Gateway can skip the verification of the server certificate if you configure:true this:
- Disables verification of the server’s certificate chain
- Skips hostname validation against the certificate’s Subject Alternative Names (SANs)
- Accepts any certificate presented by the server, regardless of its validity or trust status
It is important to note that this skips TLS security and so is not recommended for production environments. This setting does not affect Tyk’s behaviour when interacting with your upstream API servers - there is a separate configuration for that, as explained here.
Using TLS with Tyk Dashboard
TLS Server Configuration
The Tyk Dashboard can be configured to use HTTPS for its Control API using thehttp_server_options section in its configuration file (tyk_analytics.conf) or equivalent environment variables. This is similar to the section of the same name in the Gateway config, allowing configuration of TLS certificates (generic and for specific domains using SNI), the minimum TLS version, the cipher suites to be used (for TLS 1.2), and the option to skip certificate verification (recommended only for non-production deployments).
Note however that, unlike the Gateway, the Dashboard does not support configuring a maximum TLS version. It relies on Go’s default behavior, which automatically supports up to the highest available TLS version (currently TLS 1.3).
The Dashboard does not have access to the Tyk Certificate Store when configuring its own interfaces, so certificates and keys must be available on the filesystem and referenced by path.
If both
certificates[] and ssl_certificates[] are provided, all certificates from both configurations will be loaded, with domain-specific certificates from certificates[] taking precedence for their specified domains.true so that your Dashboard URL starts with HTTPS. This will also set the default protocol for Target URLs to https:// when creating APIs in the Dashboard’s API Designer if no protocol is explicitly set.
Integrating with Tyk Gateway
For management communications with a Tyk Gateway (such as reloading APIs, managing keys, and updating configurations), where the Gateway is the TLS server, the Dashboard uses a dedicated internal client. This client is hardcoded to always skip TLS certificate verification. This behavior is not configurable and is intended to simplify setup in environments where the Gateway may use self-signed certificates. You do not need to configure anything for the Dashboard to skip TLS verification when communicating with a Gateway for management tasks; this is the default and the only behavior.Using mTLS between Dashboard and storage
Integrating with Redis
To enable mTLS for the connection between Dashboard and Redis, add the following settings to yourtyk_analytics.conf file:
Important Notes
- Certificate Format: The cert and key files should be in PEM format
- File Permissions: Ensure the Dashboard process has read access to the certificate and key files
- Redis Server Configuration: Your Redis server must be configured to require client certificates for mTLS to work
- Gateway Sync: Ensure your Tyk Gateway is also configured with the same Redis mTLS settings
Integrating with MongoDB
To enable mTLS for the connection between Dashboard and MongoDB persistent storage, add the following settings to yourtyk_analytics.conf file:
Important Notes
- Certificate Format: The ca and key files should be in PEM format
- File Permissions: Ensure the Dashboard process has read access to the certificate and key files
- Redis Server Configuration: Your MongoDB server must be configured to require client certificates for mTLS to work
Integrating with PostgreSQL
PostgreSQL uses connection string parameters for TLS configuration. To enable mTLS for the connection between Dashboard and PostgreSQL persistent storage, add the following settings to yourtyk_analytics.conf file:
Alternative values for
sslmode:
require: Encrypts the connection but doesn’t verify the server certificateverify-ca: Verifies server certificate against CAverify-full: Verifies server certificate and hostname (most secure)
Using TLS with MDCB
In a distributed deployment, MDCB is the server and the Data Plane Gateways are the clients. If you want to secure this connection using TLS you must configure both components.Configuring MDCB
MDCB has two separate servers that can be configured individually in thetyk-sink.conf file or environment variables:
server_options: the main RPC (Remote Procedure Call) server is the primary endpoint that Tyk Gateways connect to in order to synchronize API definitions, policies, and security keys.http_server_options: the HTTP control API server used for administrative, monitoring, and debugging purposes.
security.private_certificate_encoding_secret in the MDCB configuration file to the same value as specified in your Control Plane Gateway and Dashboard configuration files, to ensure that MDCB can decode private keys that have been added to the Tyk Certificate Store.
MDCB does not have access to the Tyk Certificate Store when configuring its own interfaces, so certificates and keys must be available on the filesystem and referenced by path.
Configuring Data Plane Gateways
The following must be configured in the Data Plane Gateways (viatyk.conf or environment variables) to set up TLS for the connection to MDCB’s RPC server:
The MDCB’s server certificate will be verified against the CA certificates in the Gateway host’s standard root CA store. This is not separately configurable.
During the mTLS handshake, the server (MDCB) will advertise the Certificate Authorities it will use to verify the client certificate. The client (Data Plane Gateway) will present the first valid certificate in the
certificates.mdcb_api list that matches one of these CAs. Multiple certificates allow rotation scenarios with overlapping validity periods.
Frequently Asked Questions
How to create a self-signed certificate pair
How to create a self-signed certificate pair
You can create self-signed client and server certificates with this command:
How to calculate the certificate fingerprint
How to calculate the certificate fingerprint
To get the certificate SHA256 fingerprint, use the following command:
How to make a request using cURL
How to make a request using cURL
If you are testing using cURL, your request to an mTLS secured API will look like: