Prerequisite: Complete the Getting Started guide to set up your Tyk Self-Managed environment before continuing.
In this section, we will explore the core API management capabilities of Tyk Self-Managed using the pre-configured APIs: how to secure your APIs, manage API traffic, and monitor API usage. The following sections guide you through the key features of the Tyk API Management platform.

API Security in Action

API security is an important aspect of API management. Tyk provides multiple authentication methods to secure your APIs and control access. In this section, we’ll explore the security features available in your trial environment.

Exploring Authentication Methods

Tyk supports various authentication methods including Auth Token, JWT, OAuth 2.0, and more. In your trial environment, the httpbingo API is pre-configured with Auth Token authentication. Auth Tokens are the simplest form of authentication. They’re easy to implement and understand, making them perfect for your first exploration of Tyk.
  1. Create an API Key:
    • In the Dashboard, navigate to the “Keys” section in the left menu
    • Click the “ADD KEY” button
    • Under “Access Rights,” select the HTTPBIN API Access policy
    • Now under the “Configuration” tab, add an alias httpbin
    • Click “Create Key” to generate your API key
    • Copy the displayed API key ID for testing
      Note: This key will be used in the upcoming sections to authenticate requests to the httpbingo API.
  2. Test API Access with Your Key:
    • Open a terminal or API client like Postman
    • Make a request to the API including your key in the Authorization header:
      curl -H "Authorization: <your-api-key>" http://localhost:8080/httpbingo/get
      
    • You should receive a successful response with details about your request
      {
         "args": {},
         "headers": {
            "Accept": [
               "*/*"
            ],
            "Accept-Encoding": [
               "gzip"
            ],
            "Authorization": [
               "eyJvcmciOiI2ODkxYTllMzExZDY2NTAwMDE4M2M5Y2MiLCJpZCI6ImM4MmNiYzRhY2Q4NTQyMGZiZGNiZjViN2U2NjY1MWU3IiwiaCI6Im11cm11cjY0In0="
            ],
            "Host": [
               "httpbin:8080"
            ],
            "User-Agent": [
               "curl/8.7.1"
            ],
            "X-Forwarded-For": [
               "192.168.65.1"
            ]
         },
         "method": "GET",
         "origin": "192.168.65.1",
         "url": "http://httpbin:8080/get"
      }
      
      Note: httpbingo echoes back the headers it received, so the Authorization value in the body is your own API key: the gateway forwarded the header to the upstream unchanged. Treat this output as sensitive, and in production enable the API’s “Strip Authorization Data” setting so the backend never sees the credential.
  3. Try With an Invalid Key:
    • Make the same request, but with a key that does not exist:
      curl -H "Authorization: invalid-key" http://localhost:8080/httpbingo/get
      
    • You should receive an error, confirming that the gateway rejects unknown keys (omitting the header entirely is rejected too, with an “Authorization field missing” error):
      {
         "error": "Access to this API has been disallowed"
      }
      
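The three checks above (valid key, invalid key, no header) are worth keeping as a repeatable smoke test that fails closed. The script below is an added example, not code from the Tyk documentation or the Tyk project. It assumes the gateway is reachable at GATEWAY_URL (default http://localhost:8080) with the API mounted at /httpbingo as on this page; since the page does not state status codes, it treats 401 and 403 as a rejection and anything else that is not 2xx as unexpected.

```bash
#!/usr/bin/env bash
# Added example, not code from the Tyk documentation or the Tyk project.
# Fail-closed smoke test for the Auth Token setup: a valid key must be accepted,
# a key that does not exist and a request with no Authorization header at all
# must both be rejected. Assumptions: the gateway is reachable at GATEWAY_URL
# (default http://localhost:8080) and the API is mounted at /httpbingo; the
# page does not state status codes, so 401 and 403 are both treated as a rejection.

GATEWAY_URL="${GATEWAY_URL:-http://localhost:8080}"

# http_status [curl options...] URL -> prints only the HTTP status code
http_status() {
    curl -s -o /dev/null -w '%{http_code}' "$@"
}

# classify STATUS -> allowed (2xx), rejected (401 or 403) or unexpected (anything else)
classify() {
    case "$1" in
        2[0-9][0-9]) echo allowed ;;
        401|403)     echo rejected ;;
        *)           echo unexpected ;;
    esac
}

# auth_smoke_test API_KEY -> prints one verdict line per case;
# exit status 1 if enforcement is broken (valid key refused, or a bad request let through)
auth_smoke_test() {
    local key="$1" url="$GATEWAY_URL/httpbingo/get" rc=0
    local valid invalid missing
    valid=$(classify "$(http_status -H "Authorization: $key" "$url")")
    invalid=$(classify "$(http_status -H "Authorization: not-a-real-key" "$url")")
    missing=$(classify "$(http_status "$url")")
    printf 'valid key:   %s\ninvalid key: %s\nno header:   %s\n' "$valid" "$invalid" "$missing"
    [ "$valid" = allowed ]    || rc=1
    [ "$invalid" = rejected ] || rc=1
    [ "$missing" = rejected ] || rc=1
    return "$rc"
}

# Usage against the trial gateway:  auth_smoke_test "<your-api-key>"
```

Run it after any change to the API’s authentication settings; a non-zero exit means the gateway either refused a good key or, worse, let an unauthenticated or unknown caller through.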

Rate Limiting and Quota Management

Rate limiting is a technique that allows you to control the rate at which clients can consume your APIs and is one of the fundamental aspects of managing traffic to your services. It serves as a safeguard against abuse, overloading, and denial-of-service attacks by limiting the rate at which an API can be accessed. In this section we will implement and test rate limiting in Tyk.
Testing Rate Limiting:
  1. Create an API Key:
    • In the Dashboard, navigate to the “Keys” section in the left menu
    • Click the “ADD KEY” button
    • Under “Access Rights,” select the HTTPBIN API Access policy
    • Under “Key Global Limits and Quota” set the following:
      • Requests: 3 requests
      • Per (seconds): 10 seconds
    • Now under the “Configuration” tab, add an alias httpbin rate limit
    • Click “Create Key” to generate your API key
    • Copy the displayed API key ID for testing
  2. Observe Rate Limiting in Action:
    • Open a terminal and run multiple requests in quick succession:
       for i in {1..5}; do
          curl -H "Authorization: <your-api-key>" http://localhost:8080/httpbingo/get
          echo -e "\n--- Request $i completed ---\n"
       done
      
    • The fourth and fifth requests, which fall inside the same 10-second window as the first three, should be refused with a rate limit exceeded error (HTTP 429):
        {
           "error": "Rate Limit Exceeded"
        }
      
  3. Compare with a Higher Limit:
    • Now update the httpbin rate limit key and set a value of 100 in the “requests” section of rate limiting.
    • Run the same test and observe that you can make more requests before hitting limits
  4. Clean Up
    • After testing, you can delete the httpbin rate limit API key from the Dashboard.
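To see why exactly two of the five requests are refused, and which ones become allowed again once the window moves on, the following script simulates the “3 requests per 10 seconds” rule over a list of request timestamps. It is an added example, not Tyk’s code: an idealised sliding-window log that counts only accepted requests against the window, with timestamps in milliseconds so that “quick succession” can be expressed. Tyk’s production limiter is Redis-backed and may differ in edge details, so treat the simulation as a way to reason about the rule, and the burst above as the real test.

```bash
#!/usr/bin/env bash
# Added example, not Tyk's code: an idealised sliding-window rate limiter.
# Applies "LIMIT requests per WINDOW_MS" to a list of request timestamps so you
# can see which requests the gateway should accept before running the burst for
# real. Only accepted requests are counted against the window; Tyk's Redis-backed
# limiter may differ in edge details.
#
# rate_limit_sim LIMIT WINDOW_MS t1 t2 ...   (timestamps in ms, ascending)
#   prints "<t> allow" or "<t> deny", one line per request
rate_limit_sim() {
    local limit="$1" window="$2"
    shift 2
    local accepted="" t i count
    for t in "$@"; do
        count=0
        for i in $accepted; do
            # an accepted request still counts while it is less than one window old
            [ $((t - i)) -lt "$window" ] && count=$((count + 1))
        done
        if [ "$count" -lt "$limit" ]; then
            accepted="$accepted $t"
            echo "$t allow"
        else
            echo "$t deny"
        fi
    done
}

# denied_count LIMIT WINDOW_MS t1 t2 ... -> how many requests the limiter would reject
denied_count() {
    rate_limit_sim "$@" | grep -c deny || true
}

# The five-request burst from this page, about 100 ms apart, followed by a
# second burst 10 s later: the first three pass, two are denied, then the
# window has slid past the first requests and three more are accepted.
rate_limit_sim 3 10000 0 100 200 300 400 10000 10100 10200
```

Raising the limit to 100, as step 3 does, turns every “deny” in the first burst into “allow”; the simulation makes that visible without touching the Dashboard.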
By exploring these security features, you’ll gain a solid understanding of how Tyk helps protect your APIs while providing the right level of access to authorized consumers.

API Monitoring

Understanding how your APIs are performing is important for optimizing performance, planning capacity, and ensuring security. Tyk provides comprehensive monitoring capabilities to give you visibility into your API traffic.

Generating Test Traffic

To explore Tyk’s monitoring capabilities, you’ll need to generate some API traffic that simulates real-world usage patterns and populates the monitoring dashboard.
Creating Test Traffic:
  1. Using Command Line Tools:
    • You can use simple bash loops to generate multiple requests:
      for i in {1..20}; do curl -H "Authorization: <your-api-key>" http://localhost:8080/httpbingo/get; sleep 0.5; done
      
    • This sends 20 requests with a half-second delay between each
  2. Generating Diverse Traffic:
    • Try accessing different endpoints to create a more realistic traffic pattern:
      curl -H "Authorization: <your-api-key>" http://localhost:8080/httpbingo/headers
      curl -H "Authorization: <your-api-key>" http://localhost:8080/httpbingo/ip
      curl -H "Authorization: <your-api-key>" http://localhost:8080/httpbingo/user-agent
      
    • Include some errors by exceeding a rate limit or by sending a key that does not exist:
      curl -H "Authorization: invalid-key" http://localhost:8080/httpbingo/headers
      

Exploring Real-time Analytics

Once you’ve generated some traffic, you can explore Tyk’s analytics capabilities to gain insights into API usage.
Accessing Monitoring Dashboard:
  1. View the Main Dashboard:
    • In the Tyk Dashboard, go to the Activity Overview section under “Monitoring”
    • This provides an overview of API usage, errors, and performance metrics
    • The dashboard updates in near real-time as new requests are processed
    • Explore Key Metrics:
      • Request Volume: See how many requests are being processed
      • Error Rates: Monitor authentication failures and other errors
      • Response Times: Track API performance and identify slow endpoints
  2. View Detailed Logs:
    • In the Activity Logs section, you can view detailed logs of all API requests
    • Filter by API, status code, or time range to focus on specific events
    • This is useful for troubleshooting and understanding user behavior
  3. Multiple Analytics Views: Tyk provides multiple views to analyze API traffic:
    • By API: See metrics for individual APIs
    • By Endpoint: Analyze performance and usage of specific endpoints
    • By Key: Understand how different API keys are being used
    • By Error: Identify common errors and their causes
Using Analytics for Decision Making: The monitoring dashboard helps you answer important questions about your APIs:
  • Which endpoints are most popular?
  • Are there performance bottlenecks?
  • Are users experiencing errors?
  • How is usage changing over time?
These insights can guide your API development priorities, capacity planning, and troubleshooting efforts. Tyk’s monitoring capabilities provide the visibility you need to manage your APIs effectively, ensuring they meet the needs of your users while maintaining performance and security standards.

Traffic Control & Transformation

Tyk API Gateway can control and transform incoming API traffic. It provides various mechanisms to modify requests and responses, control traffic flow, and optimize performance. Let’s explore these capabilities in your trial environment.

Testing Request/Response Transformations

Transformations allow you to modify API requests and responses without changing your backend services. This is useful for adapting legacy APIs, standardizing formats, or enhancing responses. The httpbingo API in your trial includes a pre-configured transformation on the /xml endpoint that converts XML responses to JSON format.
Testing the XML to JSON Transformation:
  1. Access the XML Endpoint Directly:
    • Before testing the transformation, you can access the XML endpoint (httpbin) directly to see the raw XML response:
      curl http://localhost:8081/xml
      
    • You should see the raw XML response from the backend service. Note that this request bypassed the gateway entirely: no API key was needed. That is convenient in the trial, but in a real deployment the upstream must be reachable only through the gateway, otherwise every control this page describes can be sidestepped.
  2. Make a Request to the XML Endpoint:
    • Using your API key from the previous section, make a request to the XML endpoint (on the Tyk Gateway):
      curl -s -H "Authorization: <your-api-key>" http://localhost:8080/httpbingo/xml | jq
      
    • Notice that even though the backend returns XML, you receive a JSON response
    • This transformation happens in the gateway, not in the backend service
  3. Examine the Transformation Configuration:
    • In the Dashboard, go to the “APIs” section
    • Click on the httpbingo API
    • Navigate to the “Endpoints” tab
    • Find the /xml path and click on it
    • You’ll see the response transformation that converts XML to JSON
Transformations are a powerful way to adapt APIs to your needs without modifying backend code, making them ideal for modernizing legacy services or standardizing API responses across different systems.

Exploring Caching Configurations

Caching improves API performance by storing responses and serving them without hitting your backend services for every request. This reduces latency and backend load.
Understanding API Caching: The httpbingo API includes a caching example on the /get endpoint with a 10-second cache lifetime. This means that repeated requests within 10 seconds will receive the same cached response.
Testing Caching Behavior:
  1. Make an Initial Request with a Unique Value:
    • Using your API key, make a request to the endpoint with a unique Unique-Header:
      curl -s -H "Authorization: <your-api-key>" \
           -H "Unique-Header: $(uuidgen)" \
           http://localhost:8080/httpbingo/get | jq '.headers["Unique-Header"]'
      
    • You’ll see the Unique-Header value in the response, for example:
      [
        "62ACF2DD-9116-4B4B-B80E-5F8538C12957"
      ]
      
    • The httpbingo service echoes back the headers it receives, including your unique Unique-Header
  2. Make an Immediate Second Request with a Different Header Value:
    • Immediately make another request with a new unique header value:
      curl -s -H "Authorization: <your-api-key>" \
           -H "Unique-Header: $(uuidgen)" \
           http://localhost:8080/httpbingo/get | jq '.headers["Unique-Header"]'
      
    • Notice that the Unique-Header value in the response is identical to the first request
    • This confirms you’re receiving a cached response, not a new one from the backend
    • Even though you sent a different header value in your request, you got back the same header value from the first request because the response was cached
  3. Wait and Test Again:
    • Wait 11 seconds (just past the 10-second cache lifetime)
    • Make another request with a new unique value
      curl -s -H "Authorization: <your-api-key>" \
           -H "Unique-Header: $(uuidgen)" \
           http://localhost:8080/httpbingo/get | jq '.headers["Unique-Header"]'
      
    • You should see a different Unique-Header value in the response, matching your new request
    • This indicates the cache has expired and you’re getting a fresh response from the backend
    Note: You can also check the X-Tyk-Cached-Response header (add -i to the curl command to print response headers) to confirm whether the response was served from cache.
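The two signals this section relies on, the X-Tyk-Cached-Response header and the echoed Unique-Header, can be combined into a single probe that says HIT or MISS and flags the case where they contradict each other. The script below is an added example, not code from the Tyk documentation: it assumes API_KEY holds your key, that the gateway is at GATEWAY_URL (default http://localhost:8080), and that X-Tyk-Cached-Response is present only on responses served from cache.

```bash
#!/usr/bin/env bash
# Added example, not part of the Tyk documentation. A probe that decides from a
# raw HTTP exchange whether the gateway served a cached copy: it reads the
# X-Tyk-Cached-Response header (assumed to be present only on cache hits) and
# compares the Unique-Header value httpbingo echoes back with the value sent.
# Assumes API_KEY is set and the gateway listens at GATEWAY_URL.

# fetch_raw UNIQUE_VALUE -> status line, headers and body of one /get request
fetch_raw() {
    curl -s -i -H "Authorization: $API_KEY" -H "Unique-Header: $1" \
        "${GATEWAY_URL:-http://localhost:8080}/httpbingo/get"
}

# header_value RAW NAME -> value of the named response header (case-insensitive), empty if absent
header_value() {
    printf '%s\n' "$1" | awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^\r?$/ { exit }                      # blank line ends the header block
        index($0, ":") {
            name = tolower(substr($0, 1, index($0, ":") - 1))
            if (name == want) {
                val = substr($0, index($0, ":") + 1)
                sub(/^[ \t]+/, "", val); sub(/\r$/, "", val)
                print val; exit
            }
        }'
}

# echoed_unique_header RAW -> the Unique-Header value inside the JSON body
# (whitespace is stripped first so pretty-printed and compact JSON both work)
echoed_unique_header() {
    printf '%s\n' "$1" | awk 'body { print } /^\r?$/ { body = 1 }' \
        | tr -d ' \t\n\r' | sed -n 's/.*"Unique-Header":\["\([^"]*\)".*/\1/p'
}

# cache_probe UNIQUE_VALUE -> prints HIT or MISS; exit status 1 if a response that
# is not marked as cached still fails to echo the value we sent (something other
# than the cache changed the response, which deserves a look)
cache_probe() {
    local sent="$1" raw cached echoed verdict
    raw=$(fetch_raw "$sent")
    cached=$(header_value "$raw" X-Tyk-Cached-Response)
    echoed=$(echoed_unique_header "$raw")
    if [ -n "$cached" ]; then verdict=HIT; else verdict=MISS; fi
    echo "$verdict"
    # a cached copy echoes whatever the first caller sent; a fresh one echoes ours
    if [ "$verdict" = MISS ] && [ "$echoed" != "$sent" ]; then return 1; fi
    return 0
}

# Usage: API_KEY="<your-api-key>" cache_probe "$(uuidgen)"   (run twice within 10 s)
```

Running the probe twice inside the 10-second lifetime should print MISS then HIT; after an 11-second pause it prints MISS again, matching steps 1 to 3 above.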
Caching is particularly valuable for responses that are expensive to generate but don’t change frequently. Notice, though, what the test above showed: the cache key did not include the Unique-Header, so the second request received a body generated for the first one. Cache only responses that are identical for every caller who can hit the same cache entry; otherwise one consumer’s data can be served to another. Within that constraint, appropriate caching significantly improves API performance and reduces backend load.

Next Steps

Now that you have a basic understanding of Tyk Self-Managed and have set up your trial environment, you can explore more advanced features and capabilities.