How to secure your APIs in Tyk

Last updated: 2 minutes read.


Securing your APIs is one of the primary uses of Tyk API management solution. Out of the box, the Gateway offers a lot of functionality for securing your APIs and the Gateway itself.

This section outlines all of the security configurations and components that are available to you when securing your Tyk stack.


This section outlines some of the key security concepts that Tyk uses and that you should be familiar with before setting up and using a Tyk stack to secure your API.

Key Hashing

See Key Hashing for details on how Tyk obfuscates keys in Redis.


Tyk supports TLS connections and Mutual TLS. All TLS connections also support HTTP/2. Tyk also supports Let’s Encrypt. See TLS and SSL for more details.

Trusted Certificates

As part of using Mutual TLS, you can create a list of trusted certificates. See Authorisation for more details.

Certificate Pinning

Introduced in Tyk Gateway 2.6.0, certificate pinning is a feature which allows you to allow only specified public keys used to generate certificates, so you will be protected in case an upstream certificate is compromised.

API Security

Tyk supports various ways to secure your APIs, including:

  • Bearer Tokens
  • HMAC
  • JSON Web Tokens (JWT)
  • Multi Chained Authentication
  • OAuth 2.0
  • OpenID Connect

See Authentication and Authorization for more details.

Security Policies

A Tyk security policy incorporates several security options that can be applied to an API key. These include Partioned Policies and securing by Method and Path.

See Security Policies for more details.