
# Tyk Gateway Release Notes

> Release notes documenting updates, enhancements, and changes for Tyk Gateway.

**Open Source** ([Mozilla Public License](https://github.com/TykTechnologies/tyk/blob/master/LICENSE.md))

**This page contains all release notes for Gateway, displayed in reverse chronological order**

## Support Lifetime

Our minor releases are supported until our next minor comes out.

***

## 5.13 Release Notes

### 5.13.0 Release Notes

#### Release Date 19 May 2026

#### Release Highlights

Tyk 5.13.0 introduces MCP (Model Context Protocol) Gateway support, bringing AI agent tool servers into Tyk's API management platform. This release also completes Tyk's observability stack with full OpenTelemetry metrics export, and delivers a comprehensive API error response customization system.

**Gateway support for MCP**

We have introduced the MCP (Model Context Protocol) Gateway, enabling teams to proxy, secure, and manage AI agent tool servers within Tyk API management.

The MCP Gateway is not a new component - the capabilities are generally available in this release of Tyk Gateway.

MCP Proxies support Server-Sent Events (SSE) streaming, enabling long-lived agent sessions that survive beyond the configured write timeout. A configurable idle timeout terminates stale SSE streams cleanly, and the Gateway sends a structured error event to the client when an upstream connection drops unexpectedly.

Tool-Based Access Control (TBAC) enforces fine-grained access rules at two levels: JSON-RPC method level (e.g., `tools/call`, `resources/read`) and MCP primitive level (individual tool, resource, or prompt by name).

Per-primitive rate limiting sets independent rate limits for each method or named primitive within a Session or Policy. When multiple Policies apply, access lists merge as a union and rate limits use the most permissive value.

MCP traffic appears in Gateway access logs with dedicated fields (`mcp_method`, `mcp_primitive_type`, `mcp_primitive_name`) alongside a new `api_type` field present on all access log entries.

OpenTelemetry custom metrics expose the same four MCP dimensions, including `mcp_error_code`, aligned with the OpenTelemetry `mcp.*` semantic conventions.

**Complete Observability with OpenTelemetry Metrics**

We have introduced comprehensive real-time metrics export through OpenTelemetry, completing Tyk's observability stack alongside existing distributed tracing and logging.

Teams have complete operational visibility with automatic RED metrics (Rate, Errors, Duration), Go runtime health monitoring, and configuration state tracking.

The new custom metrics framework enables multi-tenant billing, tier-based SLOs, and business KPI tracking through configurable dimensions sourced from request headers, JWT claims, session data, and API metadata. Built-in cardinality controls and metric-to-trace correlation through exemplars ensure production-ready performance while enabling seamless navigation from metric anomalies to specific traces during incident investigation.

**Fully Customizable API Error Responses**

Transform your API's error experience with the new comprehensive [error override](/nightly/api-management/custom-error-responses#error-overrides) system. This feature provides complete control over HTTP error responses from both the Gateway and upstream services, enabling standardized, branded error formats that guide users toward solutions rather than leaving them confused.

Configure error overrides at multiple levels - globally and per API - with flexible matching by status codes, error types, message patterns, or response content. Support for dynamic templates with validation context enables RFC 7807 compliance and actionable error feedback, while seamless integration with existing analytics and logging ensures complete observability of overridden responses.

For a comprehensive list of changes, please refer to the detailed [changelog](/nightly/#Changelog-v5.13.0) below.

#### Breaking Changes

**Default maximum and minimum TLS versions** are now inherited from the underlying Golang library, so they are TLS 1.3 and TLS 1.2 respectively (previously both were set to TLS 1.2).

You must set [http\_server\_options.max\_version](/nightly/tyk-oss-gateway/configuration#http_server_options-max_version) (or the equivalent environment variable) to `771` if you require an upper limit of TLS 1.2.

See [here](/nightly/api-management/implement-tls#controlling-tls-version-and-cipher-suites) for details on how to control TLS version and cipher suites.

**Query parameters from the original request are no longer automatically preserved when looping using the `tyk://` protocol**

We have fixed an inconsistent behavior when using the URL rewrite middleware to loop requests using the Tyk protocol (`tyk://api-id/path`).

Previously, query parameters added to the `rewrite_to` URL were silently dropped, while original request parameters were automatically preserved in the looped request.

This behavior was inconsistent with standard HTTP URL rewrites and prevented proper parameter transformation during internal API routing.

**Impact**

* Original request query parameters are no longer automatically forwarded through internal loops
* Existing URL rewrite configurations may lose query parameters that were previously passed through automatically
* APIs relying on automatic parameter forwarding will receive incomplete requests

**Migration Required**

Update your URL rewrite configurations to **explicitly include** any original query parameters you want to preserve. For example:

* **Before:** `"rewrite_to": "tyk://api-123/endpoint"` (original params auto-forwarded)
* **After:** `"rewrite_to": "tyk://api-123/endpoint?param1=$tyk_context.request_data.param1"`
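One way to find the configurations this migration affects before upgrading (an added example, not Tyk's own tooling): it walks any JSON document and flags every `rewrite_to` value that targets `tyk://` and carries no query parameter other than the loop control parameters `method`, `loop_limit` and `check_limits`. The sample definition and its layout are constructed for illustration, and the names `AuditLoopRewrites` and `Finding` are hypothetical.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"sort"
	"strings"
)

// Loop control parameters are consumed by the Gateway and never reach the target API.
var loopControl = map[string]bool{"method": true, "loop_limit": true, "check_limits": true}

// Finding is one rewrite_to value that forwards no data parameters after the upgrade.
type Finding struct {
	JSONPath  string
	RewriteTo string
}

// Constructed sample; the walker below does not depend on this layout.
const sampleDefinition = `{
  "extended_paths": {
    "url_rewrites": [
      {"path": "/orders", "rewrite_to": "tyk://api-123/endpoint"},
      {"path": "/users", "rewrite_to": "tyk://api-123/endpoint?param1=$tyk_context.request_data.param1"},
      {"path": "/admin", "rewrite_to": "tyk://api-456/admin?method=GET&loop_limit=2"},
      {"path": "/ext", "rewrite_to": "http://upstream.example/ext"}
    ]
  }
}`

// AuditLoopRewrites returns every tyk:// rewrite_to in doc that needs review,
// sorted by its location in the document.
func AuditLoopRewrites(doc []byte) ([]Finding, error) {
	var root interface{}
	if err := json.Unmarshal(doc, &root); err != nil {
		return nil, err
	}
	var out []Finding
	walk(root, "$", &out)
	sort.Slice(out, func(i, j int) bool { return out[i].JSONPath < out[j].JSONPath })
	return out, nil
}

// walk visits every object and array, checking string values stored under "rewrite_to".
func walk(node interface{}, path string, out *[]Finding) {
	switch v := node.(type) {
	case map[string]interface{}:
		for key, child := range v {
			p := path + "." + key
			if s, ok := child.(string); ok && key == "rewrite_to" && forwardsNoParams(s) {
				*out = append(*out, Finding{JSONPath: p, RewriteTo: s})
			}
			walk(child, p, out)
		}
	case []interface{}:
		for i, child := range v {
			walk(child, fmt.Sprintf("%s[%d]", path, i), out)
		}
	}
}

// forwardsNoParams reports whether target is a tyk:// loop whose query string
// is empty or holds only loop control parameters.
func forwardsNoParams(target string) bool {
	if !strings.HasPrefix(target, "tyk://") {
		return false
	}
	u, err := url.Parse(target)
	if err != nil {
		return true // unparseable loop target: flag it for manual review
	}
	for name := range u.Query() {
		if !loopControl[name] {
			return false
		}
	}
	return true
}

func main() {
	findings, err := AuditLoopRewrites([]byte(sampleDefinition))
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s: %s\n", f.JSONPath, f.RewriteTo)
	}
}
```

A flagged entry is not necessarily wrong: it only means the target API will receive no query parameters from the original request, so confirm that is intended.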

**Strict Validation of Characters Allowed in Policy IDs**

To avoid an issue where Policy IDs containing special characters could cause problems when parsing API endpoint requests, we have introduced strict validation of Policy IDs during Policy creation and update.

The allowed characters are:

* alphanumeric characters
* `_`
* `-`
* `.`
* `~`

Strict validation can be disabled, if required for existing Policies with incompatible Policy IDs, using the new Gateway configuration `allow_unsafe_policy_ids`. If using this mode, care must be taken not to use characters that could affect URL parsing.
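A pre-upgrade audit for this change, as an added example that is not part of Tyk: it lists the Policy IDs that strict validation would reject, with the offending characters, and shows what happens when each raw ID is placed in a URL path. The allowed set above is the same as the RFC 3986 unreserved characters. The code assumes "alphanumeric" means ASCII letters and digits; the `/policies/<id>` path, the sample IDs and all function names are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
)

// Report describes one Policy ID that strict validation would reject.
type Report struct {
	ID              string
	Offending       string // distinct disallowed characters, in order of first appearance
	SurvivesURLPath bool   // false: the raw ID does not parse back as a single path segment
}

// Constructed sample IDs.
var sampleIDs = []string{
	"gold-tier_v2.1~eu",
	"partner/gold",
	"free?tier=1",
	"beta#2",
	"acme%2Fgold",
	"team:a",
}

// allowed implements the character set listed in the release notes,
// assuming "alphanumeric" means ASCII letters and digits.
func allowed(r rune) bool {
	switch {
	case r >= 'a' && r <= 'z', r >= 'A' && r <= 'Z', r >= '0' && r <= '9':
		return true
	}
	return strings.ContainsRune("_-.~", r)
}

// survivesURLPath puts the raw ID into a hypothetical /policies/<id> path and
// checks that the parsed URL still ends in that exact ID. A true result only
// means this parser left the ID intact, not that the ID passes validation.
func survivesURLPath(id string) bool {
	u, err := url.Parse("/policies/" + id)
	if err != nil {
		return false
	}
	return u.RawQuery == "" && u.Fragment == "" && path.Base(u.Path) == id
}

// AuditPolicyIDs returns a report for every ID containing a disallowed character.
func AuditPolicyIDs(ids []string) []Report {
	var out []Report
	for _, id := range ids {
		bad := ""
		for _, r := range id {
			if !allowed(r) && !strings.ContainsRune(bad, r) {
				bad += string(r)
			}
		}
		if bad != "" {
			out = append(out, Report{ID: id, Offending: bad, SurvivesURLPath: survivesURLPath(id)})
		}
	}
	return out
}

func main() {
	for _, r := range AuditPolicyIDs(sampleIDs) {
		fmt.Printf("%-16q offending=%q survives_url_path=%v\n", r.ID, r.Offending, r.SurvivesURLPath)
	}
}
```

IDs reported here must be renamed before upgrading, or the Gateway must run with `allow_unsafe_policy_ids`.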

#### Dependencies

<a id="dependencies-5.13.0" />

##### Compatibility Matrix For Tyk Components

| Gateway Version | Recommended Releases | Backwards Compatibility |
| --------------- | -------------------- | ----------------------- |
| 5.13.0          | MDCB v2.11.0         | MDCB v2.11.0            |
|                 | Operator v1.4.0      | Operator v0.17          |
|                 | Sync v2.1.8          | Sync v2.1.0             |
|                 | Helm Chart v5.2.0    | Helm all versions       |
|                 | Pump v1.15.0         | Pump all versions       |

<Note>
  To use MCP Gateway features introduced in 5.13.0, upgrade the following Tyk components at the same time:

  * **Dashboard 5.13.0**: MCP Proxy management and access control configuration
  * **Pump 1.15.0**: MCP analytics (MongoDB, PostgreSQL, Elasticsearch, and Prometheus backends)
  * **MDCB 2.11.0**: MCP analytics routing in distributed deployments
  * **Operator 1.4.0**: MCP Proxy management via Kubernetes CRDs
  * **Sync 2.1.7**: MCP Proxy support in `dump` and `sync` operations
</Note>

##### 3rd Party Dependencies & Tools

| Third Party Dependency                                             | Tested Versions     | Compatible Versions | Comments                                                                         |
| ------------------------------------------------------------------ | ------------------- | ------------------- | -------------------------------------------------------------------------------- |
| [Golang](https://go.dev/dl/)                                       | 1.25                | 1.25                | [Go plugins](/nightly/api-management/plugins/golang) must be built using Go 1.25 |
| [Redis](https://redis.io/download/)                                | 6.2.x, 7.x, 7.4.x   | 6.2.x, 7.x, 7.4.x   |                                                                                  |
| [Valkey](https://valkey.io/download/)                              | 7.2.x, 8.0.x, 8.1.x | 7.2.x, 8.0.x, 8.1.x |                                                                                  |
| [OpenAPI Specification](https://spec.openapis.org/oas/v3.1.2.html) | 3.1.x, 3.0.x        | 3.1.x, 3.0.x        | Supported by [Tyk OAS](/nightly/api-management/gateway-config-tyk-oas)           |

Given the potential time difference between your upgrade and the release of this version, we recommend users verify the ongoing support of third-party dependencies they install, as their status may have changed since the release.

#### Deprecations

There are no deprecations in this release.

#### Upgrade instructions

<a id="upgrade-5.13.0" />

If you are upgrading to 5.13.0, please follow the detailed [upgrade instructions](/nightly/#upgrading-tyk).

If your deployment uses MCP Gateway, additional component ordering applies. In distributed deployments, MDCB 2.11.0 must be deployed before Gateway and Dashboard. Tyk Operator 1.4.0 must be deployed after Gateway and Dashboard are running. See [MCP Gateway upgrade considerations](/nightly/developer-support/upgrading#mcp-upgrade-considerations) for the full sequence.

#### Downloads

* [Docker Image to pull](https://hub.docker.com/r/tykio/tyk-gateway/tags?page=\&page_size=\&ordering=\&name=v5.13.0)
  * ```bash theme={null}
    docker pull tykio/tyk-gateway:v5.13.0
    ```
* Helm charts
  * [tyk-charts](/nightly/developer-support/release-notes/helm-chart)

<Note>
  Tyk Helm Charts are configured to install the LTS version of Tyk Gateway. You will need to modify them to install v5.13.0.
</Note>

* [Source code tarball of Tyk Gateway v5.13.0](https://github.com/TykTechnologies/tyk/releases/tag/v5.13.0)

#### Changelog

<a id="Changelog-v5.13.0" data-scroll-offset />

##### Changed

<AccordionGroup>
  <Accordion title="Upgrade OpenTelemetry SDK dependencies">
    We have updated all OpenTelemetry Go SDK dependencies to their latest compatible versions, addressing significant version skew across core packages, OTLP exporters, and contrib instrumentation libraries.

    The upgrade delivers cumulative performance improvements to span lifecycle methods, trace context propagation, metrics recording, and attribute handling that benefit hot paths exercised on every HTTP request. This change maintains full backward compatibility with existing functionality and serves as a prerequisite for upcoming metrics features.
  </Accordion>
</AccordionGroup>

##### Added

<AccordionGroup>
  <Accordion title="Add MCP Gateway">
    We have introduced the MCP (Model Context Protocol) Gateway, enabling teams to proxy, secure, and manage AI agent tool servers using Tyk API management. MCP Proxy definitions use OpenAPI Specification (OAS) format and support the JSON-RPC over HTTP transport used by MCP clients and servers.

    This release includes:

    * **SSE streaming**: MCP Proxies support long-lived Server-Sent Events connections. The write deadline is cleared for SSE streams so connections survive beyond the configured write timeout. A structured `event: error` message is sent to the client if the upstream connection drops unexpectedly.
    * **Protected Resource Metadata (PRM)**: The `/.well-known/oauth-protected-resource` endpoint is served as a middleware in the Gateway chain, making `$tyk_context.*` substitution variables available for use in PRM resource field values.

    For configuration details, see the [MCP Gateway documentation](/nightly/ai-management/mcp-gateway/overview).
  </Accordion>

  <Accordion title="Add Tool-Based Access Control (TBAC) for MCP Proxies">
    MCP Proxies support granular access control at the JSON-RPC method and MCP primitive levels. Two new middleware components enforce access rules independently for each request:

    * **JSON-RPC method access control**: Allows or denies requests by method name (e.g., `tools/call`, `resources/read`, `prompts/get`). Configured via `json_rpc_methods_access_rights` in a key or policy access definition.
    * **MCP primitive access control**: Allows or denies requests by primitive type (tool, resource, or prompt) and name. Configured via `mcp_access_rights` in a key or policy access definition.

    When multiple policies apply to a key, access control lists merge using union semantics: a primitive allowed by any policy is accessible. Block rules take precedence over allow rules. Denied requests receive a JSON-RPC error response rather than an HTTP error, maintaining protocol compatibility with MCP clients.

    For configuration details, see the [MCP proxy policies documentation](/nightly/ai-management/mcp-gateway/policies).
  </Accordion>

  <Accordion title="Add per-primitive rate limiting for MCP Proxies">
    MCP Proxies support independent rate limits for each JSON-RPC method and for individual tools, resources, and prompts. Two new fields are available in key and policy access definitions:

    * `json_rpc_methods`: rate limits keyed by JSON-RPC method name (e.g., `tools/call`)
    * `mcp_primitives`: rate limits keyed by primitive type and name

    Limits are translated into Virtual Endpoint Method (VEM) entries at session load time and enforced by the existing rate limiting middleware with no additional processing overhead. The translation is in-memory only and is never persisted to Redis.

    When multiple Policies apply to a Session, rate limits merge using most-permissive semantics: the highest rate allowed by any Policy applies.

    For configuration details, see the [MCP Proxy policies documentation](/nightly/ai-management/mcp-gateway/policies).
  </Accordion>

  <Accordion title="Add MCP-specific fields to Gateway access logs">
    Gateway access logs now include MCP-specific fields for requests handled by MCP Proxies:

    * `mcp_method`: the JSON-RPC method name (e.g., `tools/call`)
    * `mcp_primitive_type`: the primitive category (`tool`, `resource`, or `prompt`)
    * `mcp_primitive_name`: the name of the specific tool, resource, or prompt invoked

    A new `api_type` field is also added to all access log entries, distinguishing MCP traffic from `classic`, `oas`, and `graphql` API types.

    For details, see the [MCP access logs documentation](/nightly/ai-management/mcp-gateway/mcp-access-logs).
  </Accordion>

  <Accordion title="Add MCP dimensions to OpenTelemetry custom metrics">
    OpenTelemetry custom metrics now expose four MCP-specific dimensions, enabling observability of MCP Proxy traffic through configurable metric instruments:

    * `mcp_method`: the JSON-RPC method name
    * `mcp_primitive_type`: the primitive category (tool, resource, or prompt)
    * `mcp_primitive_name`: the name of the specific primitive invoked
    * `mcp_error_code`: the JSON-RPC error code when an error is returned; empty otherwise

    The dimensions are aligned with the OpenTelemetry `mcp.*` semantic conventions. MCP context is propagated before access control runs, so rejected requests still carry full MCP dimension data.

    For details, see the [MCP metrics documentation](/nightly/ai-management/mcp-gateway/mcp-metrics).
  </Accordion>

  <Accordion title="Fully customizable API error responses">
    We have uplifted the existing error response templating system with a new comprehensive mechanism to customize HTTP error responses generated by both the Tyk Gateway and upstream services.

    This allows users to fully control error responses to standardize formats, mask sensitive information, and comply with industry standards.

    **Key capabilities:**

    * **Multi-level Configuration:** Configure error overrides globally (Gateway-wide), or per API with clear precedence rules
    * **Flexible Matching:** Target errors by exact status codes (401, 500), patterns (4xx, 5xx), error flags, message patterns, or response body content
    * **Rich Response Customization:** Override status codes, response bodies, headers, and use template files with dynamic variables
    * **Universal Coverage:** Customize both Gateway-generated errors (authentication, rate limiting, validation) and upstream service errors (4xx/5xx responses)

    **Configuration:** Error overrides use a map-based structure indexed by HTTP status code in the new [error\_overrides](/nightly/tyk-oss-gateway/configuration#error_overrides) configuration.

    **Template Support:** Response templates support dynamic variables including `{{.StatusCode}}`, `{{.Message}}`, and validation-specific context like `{{.InvalidParams}}` for detailed error feedback.

    **Precedence Order:**

    1. API-level overrides
    2. Gateway-level overrides
    3. Default Tyk responses (fallback)

    **Supported Error Types:**

    * Gateway errors: Authentication failures, rate limits, validation errors, transform failures
    * Proxy errors: DNS failures, timeouts, circuit breaker events
    * Upstream errors: 4xx/5xx responses from backend services

    **Benefits:**

    * Standardize error responses across APIs and environments
    * Mask sensitive internal error details for security
    * Provide consistent error formats for client applications
    * Enable RFC 7807 Problem Details compliance
    * Reduce client-side error handling complexity

    This feature integrates seamlessly with existing analytics, logging, and observability systems; all overridden responses are properly captured in access logs, analytics records, and distributed traces. The system is fully backward compatible with no configuration required; existing error responses remain unchanged unless explicitly overridden.
  </Accordion>

  <Accordion title="X-RateLimit response headers can now reflect rate-limit values">
    When an API exceeded its rate limit and returned an HTTP 429 status code, the `X-RateLimit-Limit` and `X-RateLimit-Remaining` response headers were populated from quota data (e.g. monthly limits) rather than rate-limit data (e.g. per-minute thresholds). This was inconsistent with the RFC conventions for these headers and a common source of confusion.

    This release adds a new Gateway configuration option [rate\_limit\_response\_headers](/nightly/tyk-oss-gateway/configuration#rate_limit_response_headers). When set to "rate\_limits", the `X-RateLimit-*` headers are populated from rate-limit data instead of quota data:

    * `X-RateLimit-Limit`: the configured rate limit threshold
    * `X-RateLimit-Remaining`: remaining requests in the current rate limit window
    * `X-RateLimit-Reset`: time until the rate limit window resets

    Backward compatibility is preserved: when the option is unset, the headers continue to reflect quota data as before.
  </Accordion>

  <Accordion title="Simplified management of Session lifetime">
    We have added a new, simplified approach to configuring [Session lifetime](/nightly/api-management/access-control/sessions-and-keys/session-lifecycle) within Redis.

    Two new fields have been added to the Session object, which can be directly configured when creating Sessions using the [Keys API](https://tyk.io/docs/api-reference/keys/create-a-key-1) or [Policy API](https://tyk.io/docs/api-reference/policies/create-a-policy):

    * [post\_expiry\_action](/nightly/api-management/access-control/sessions-and-keys/session-lifecycle#2-define-the-post-expiry-action) - determines what happens to the data in Redis after the `expires` timestamp is reached.
    * [post\_expiry\_grace\_period](/nightly/api-management/access-control/sessions-and-keys/session-lifecycle#3-configure-the-grace-period) - defines how long (in seconds) the Session is kept in Redis after expiration (if the `post_expiry_action` is to retain the Session).

    The existing Gateway-wide [global session lifetime](/nightly/api-management/access-control/sessions-and-keys/session-lifecycle#gateway-level-settings) override is still respected.

    The [legacy API level controls](/nightly/api-management/access-control/sessions-and-keys/session-lifecycle#legacy-controls) can still be used if both new fields are set to `0` (or unset) so **there is no change in behavior for existing Sessions**.
  </Accordion>

  <Accordion title="OAuth mTLS certificates can now be rotated without a Gateway restart using KV store references">
    Rotating the mTLS certificates used by the Gateway to authenticate with external Identity Providers (for the OAuth external service integration, covering both client and upstream authentication) previously required a Gateway restart. For organizations using short-lived certificates (e.g. 90-day rotation cycles), this added operational overhead, forced infrastructure changes, and in some cases required custom image rebuilds during routine rotation.

    This release extends KV store reference support to the following Gateway configuration fields:

    * `external_services.oauth.mtls.cert_file`
    * `external_services.oauth.mtls.key_file`
    * `external_services.oauth.mtls.ca_file`

    These fields now accept KV store references such as `vault://` and `consul://`, in line with how other sensitive Gateway configuration fields already do. After updating the referenced certificate in the KV store, triggering a Gateway hot reload causes the new value to be picked up, with no process restart required.

    Backward compatibility is preserved: existing OAuth external service configurations using absolute file paths or certificate IDs from the Tyk Certificate Store continue to work without modification.
  </Accordion>

  <Accordion title="Optional toggle to reuse upstream mTLS certificates for OAuth external service calls">
    When configuring mTLS for both upstream authentication and the OAuth external service integration, the same certificate often had to be configured in two places: once for upstream auth, and again in the External Services OAuth configuration. For deployments using the same certificate for both, this created a redundant configuration that needed to be kept in sync.

    This release adds an optional configuration toggle that allows the Gateway to reuse the mTLS certificate configured for upstream connections when making OAuth calls to the external Identity Provider. When the toggle is enabled, the upstream certificate is used for both purposes, removing the need to maintain duplicate configurations.

    The toggle is intentionally optional: deployments may legitimately use different certificates for the two endpoints. When the toggle is unset, the OAuth external service continues to use its own dedicated certificate configuration.
  </Accordion>

  <Accordion title="Allow underscores in HashiCorp Vault and Consul secret reference paths">
    We have added support for underscore characters in `$secret_vault` and `$secret_consul` secret reference paths. Previously, the underscore character was not supported in these Key-Value store reference paths due to regex pattern limitations, causing references to be truncated at the first underscore. For example, `$secret_vault.kv-v2/path.API_KEY` would only match up to `.API`, silently dropping `_KEY`.

    This enhancement aligns `$secret_vault` and `$secret_consul` patterns with existing `$secret_env`, `$tyk_context`, and `$tyk_meta` patterns that already support underscores. Users can now reference secrets using standard naming conventions like `API_KEY` and `DB_PASSWORD` without needing to duplicate secrets under underscore-free names. The change maintains full backward compatibility with existing references that don't contain underscores.
  </Accordion>

  <Accordion title="Configurable compression and decompression limit for API definitions and policies in Data Plane Redis">
    Building on the API definition compression introduced in 5.12.0, this release extends Data Plane Redis storage optimisation to security policies and makes the previously hardcoded decompression size limit configurable. These improvements help customers with large API and policy footprints (for example, deployments with 100MB+ of API definitions and 60MB+ of security policies) reduce Redis storage costs without impacting request handling performance.

    Compression is opt-in per asset type via independent configuration flags: [`storage.compress_api_definitions`](/nightly/tyk-oss-gateway/configuration#storage-compress_api_definitions) (introduced in 5.12.0) for API definitions, and the new [`storage.compress_policies`](/nightly/tyk-oss-gateway/configuration#storage-compress_policies) for security policies. Both are disabled by default and remain backward compatible — Gateways transparently load both compressed and uncompressed data from Redis.

    The decompression size limit is now configurable via the new [`storage.max_decompressed_size`](/nightly/tyk-oss-gateway/configuration#storage-max_decompressed_size) option (default 100MB, minimum 1MB) and is applied independently to API definitions and policies, so each asset type has its own ceiling. As with the original feature, compression and decompression occur only during Gateway reloads, with no impact on the request hot path.
  </Accordion>

  <Accordion title="Add OpenTelemetry metrics export">
    We have introduced comprehensive OpenTelemetry metrics export, providing real-time operational visibility into Gateway performance, health, and business KPIs. This complements existing distributed tracing and logging to deliver a complete observability solution.

    **Key Features:**

    * **Default Gateway Metrics:** Automatic export of RED metrics (Rate, Errors, Duration), Go runtime health metrics (CPU, memory, goroutines, garbage collection), and configuration state tracking (loaded APIs/policies, reload operations)
    * **Custom Business Metrics:** Define custom counters and histograms with dynamic dimensions sourced from request headers, JWT claims, session data, context variables, and API config\_data
    * **Endpoint-Level Granularity:** Track metrics per endpoint using the new listen\_path and endpoint dimensions for detailed API monitoring
    * **Multi-Tenant Support:** Track usage per customer, tier, or organization using dynamic dimensions
    * **Universal Backend Support:** Export via OTLP to Prometheus, Grafana, Datadog, New Relic, Dynatrace, and other observability platforms
    * **Metric-to-Trace Correlation:** Automatic exemplar support links metric anomalies directly to distributed traces, enabling seamless navigation from metrics to traces during incident investigation.
    * **Gateway Identity Attributes:** Configurable resource attributes help identify and filter individual Gateway instances in multi-node deployments.

    **Configuration:** Metrics are configured under the new [opentelemetry.metrics](/nightly/tyk-oss-gateway/configuration#opentelemetry-metrics) object with independent control from tracing.

    **Default Metrics Exported:**

    * **Request Metrics:** `http.server.request.duration`, `tyk.gateway.request.duration`, `tyk.upstream.request.duration`, `tyk.api.requests.total`
    * **Go Runtime Metrics:** CPU utilisation and processing time, memory usage breakdown (heap, stack, allocations), active goroutine count and lifecycle, garbage collection duration and frequency, thread count
    * **Configuration Metrics:** Loaded APIs and policies count, reload operations and duration

    The Go runtime metrics enable teams to correlate system-level resource constraints with API latency patterns, detect potential goroutine or memory leaks early, and right-size infrastructure based on actual resource utilisation.

    **Production Controls:** To ensure safe metric collection on the request hot path, the system includes built-in cardinality limits (default: 2,000 combinations per metric) and conditional data loading to prevent performance degradation.
  </Accordion>
</AccordionGroup>

##### Fixed

<AccordionGroup>
  <Accordion title="Fix log level for Client TLS certificate requirement errors">
    We have resolved an issue where "Client TLS certificate is required" errors were logged at `warning` level, creating unnecessary noise in production logs.

    Previously, these common client-side authentication failures generated excessive warning-level log entries that could trigger false alerts and obscure more critical issues. The Gateway now logs these authentication failures at `info` level, maintaining security visibility while reducing log noise and alert fatigue for operations teams.
  </Accordion>

  <Accordion title="Fix malformed responses from Go plugins returning error status codes">
    We have resolved an issue where a Go plugin returning an error status code would result in malformed response bodies that concatenated the original plugin response with additional Gateway error messages.

    The Gateway now correctly handles plugin-generated error responses without double-writing headers, ensuring response bodies contain only the payload generated by the plugin and eliminating superfluous warnings in logs.
  </Accordion>

  <Accordion title="Fix query parameter handling when looping requests internally">
    We have resolved inconsistent query parameter handling in URL rewrites when [internally looping](/nightly/advanced-configuration/transform-traffic/looping) using the `tyk://` scheme. Previously, custom query parameters specified in the `rewrite_to` URL were silently dropped, while original request parameters were unexpectedly preserved.

    **What's Fixed:**

    * Query parameters explicitly added to `rewrite_to` URLs are now correctly passed to target APIs
    * Control parameters (`method`, `loop_limit`, `check_limits`) are properly consumed and removed
    * Behavior now matches URL rewrites using `http://` protocol

    <Note>
      It is important to note that **query parameters provided with the original request are no longer automatically forwarded**. You must update your [URL rewrite configuration](/nightly/transform-traffic/url-rewriting) to explicitly include any required parameters in the `rewrite_to` URL.
    </Note>
  </Accordion>

  <Accordion title="Fix client mTLS authentication between Tyk Gateways">
    We have resolved an issue where a Tyk Gateway acting as a client (using upstream mTLS) would fail to authenticate against another Tyk Gateway acting as the mTLS server, resulting in `HTTP 403 Forbidden: Client TLS certificate is required` errors.

    The Gateway now reliably presents the configured upstream client certificate whenever requested by the target server, ensuring seamless mTLS communication between APIs hosted on different Tyk Gateways.
  </Accordion>

  <Accordion title="Inherit maximum (1.3) and minimum (1.2) TLS versions from Go">
    We have resolved an issue where the Tyk Gateway default maximum TLS version was incorrectly set to TLS 1.2 instead of TLS 1.3.

    Tyk Gateway now follows Go's native TLS defaults (TLS 1.2 minimum, TLS 1.3 maximum), aligning with industry security standards. This maintains full backward compatibility for existing deployments that explicitly configure TLS versions.

    To change the maximum TLS version, you must explicitly set [TYK\_GW\_HTTPSERVEROPTIONS\_MAXVERSION](/nightly/tyk-oss-gateway/configuration#http_server_options-max_version) for client-to-Gateway connections or [TYK\_GW\_PROXYSSLMAXVERSION](/nightly/tyk-oss-gateway/configuration#proxy_ssl_max_version) for Gateway-to-upstream connections.

    To change the minimum TLS version, you must explicitly set [TYK\_GW\_HTTPSERVEROPTIONS\_MINVERSION](/nightly/tyk-oss-gateway/configuration#http_server_options-min_version) for client-to-Gateway connections or [TYK\_GW\_PROXYSSLMINVERSION](/nightly/tyk-oss-gateway/configuration#proxy_ssl_min_version) for Gateway-to-upstream connections.

    For full details of TLS version configuration see [here](/nightly/api-management/implement-tls#controlling-tls-version-and-cipher-suites).
  </Accordion>

  <Accordion title="Fix CORS preflight blocking by AllowList middleware">
    We have resolved an issue where CORS preflight OPTIONS requests were incorrectly blocked by the AllowList middleware when `options_passthrough` was disabled.

    Previously, when APIs had CORS enabled with Tyk handling OPTIONS requests internally (`options_passthrough: false`), preflight requests would fail AllowList validation because users typically don't explicitly define OPTIONS endpoints in their AllowList configurations, causing "Requested endpoint is forbidden" errors.

    The Tyk Gateway now properly recognizes CORS preflight requests and allows them to bypass AllowList middleware checks when Tyk is configured to handle OPTIONS internally, restoring the expected behavior where CORS preflight handling works automatically without requiring explicit OPTIONS endpoint definitions.
  </Accordion>

  <Accordion title="Fix analytics generation for Tyk OAS API mock endpoints">
    We have resolved an issue where Tyk OAS APIs with mock endpoints stopped generating analytics data. This functionality was inadvertently broken while fixing an unrelated internal API proxying issue in Tyk Gateway 5.8.6.

    Note that, as has always been the case, analytics are not generated for mock endpoints in Tyk Classic APIs.
  </Accordion>

  <Accordion title="Fix OpenTelemetry configuration file settings being ignored">
    We have resolved an issue where OpenTelemetry settings could only be set using environment variables and not the Gateway configuration file (`tyk.conf`).

    Now OpenTelemetry can be configured via the [`opentelemetry`](/nightly/tyk-oss-gateway/configuration#opentelemetry) section in the Gateway config file (including `enabled`, `exporter`, and `endpoint` fields) or their equivalent environment variables.
  </Accordion>

  <Accordion title="Resolved issue with Gateway entering an unresponsive state during startup">
    We have fixed an issue where the Gateway could fail to load APIs and policies if the Control Plane database was temporarily unavailable during startup (either directly or via MDCB). The Gateway will now automatically retry loading configurations with exponential backoff until successful, restoring self-healing capabilities without requiring a manual restart.
  </Accordion>

  <Accordion title="Add strict validation for Policy ID characters">
    We have resolved an issue where Policy IDs containing special characters could cause problems when parsing API endpoint requests. Previously, Policy IDs with characters such as `#`, `?`, `%`, and `/` would interfere with URL parsing in Tyk Gateway API endpoints that use the Policy ID as a path parameter, potentially causing request failures or unexpected behavior.

    Strict validation has been introduced to restrict policy identifiers to a safe character set (alphanumeric characters plus `_`, `-`, `.`, `~`). The validation occurs during Policy creation and updates via the following endpoints:

    * `POST /tyk/policies`
    * `PUT /tyk/policies/{polID}`

    A new Gateway configuration option `allow_unsafe_policy_ids` has been added to disable this character validation in case of existing non-compliant Policy IDs. If you must use other characters in your Policy IDs, be careful to avoid any that might cause URL parsing issues.
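
To check before upgrading whether any existing Policy IDs would fail this validation, the following added Go example (not part of Tyk's code base) tests IDs against the safe character set described above and shows what a URL parser extracts as `{polID}` for each offender. The regular expression, the empty-string rule, the `gateway.example` host and the sample IDs are assumptions or constructed values.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// safePolicyID encodes the character set named in the release note:
// alphanumerics plus "_", "-", "." and "~". Rejecting the empty string
// is an assumption of this example.
var safePolicyID = regexp.MustCompile(`^[A-Za-z0-9_.~-]+$`)

const policyPrefix = "/tyk/policies/"

// IsSafePolicyID reports whether id stays inside the safe character set.
func IsSafePolicyID(id string) bool { return safePolicyID.MatchString(id) }

// Finding describes one non-compliant Policy ID.
type Finding struct {
	ID     string // the stored Policy ID
	Seen   string // what a path router would extract as {polID}
	Reason string
}

// pathParamSeen places id unescaped into /tyk/policies/{polID}, parses the
// URL and returns the first path segment after the prefix.
func pathParamSeen(id string) (string, error) {
	u, err := url.Parse("http://gateway.example" + policyPrefix + id)
	if err != nil {
		return "", err
	}
	rest := strings.TrimPrefix(u.Path, policyPrefix)
	return strings.SplitN(rest, "/", 2)[0], nil
}

// AuditPolicyIDs returns a Finding for every id outside the safe set.
func AuditPolicyIDs(ids []string) []Finding {
	var out []Finding
	for _, id := range ids {
		if IsSafePolicyID(id) {
			continue
		}
		f := Finding{ID: id}
		seen, err := pathParamSeen(id)
		switch {
		case err != nil:
			f.Reason = "URL parse error: " + err.Error()
		case seen != id:
			// "#", "?" and "/" end the path segment early.
			f.Seen = seen
			f.Reason = fmt.Sprintf("path parameter resolves to %q", seen)
		default:
			f.Seen = seen
			f.Reason = "characters outside the safe set"
		}
		out = append(out, f)
	}
	return out
}

// Constructed sample IDs, not taken from any real deployment.
var sampleIDs = []string{
	"gold-tier_v1.2~beta", "gold#tier", "gold?tier",
	"gold/tier", "50%off", "gold:tier",
}

func main() {
	for _, f := range AuditPolicyIDs(sampleIDs) {
		fmt.Printf("%-12q %s\n", f.ID, f.Reason)
	}
}
```

Three of the constructed IDs collapse to the same path parameter `gold`, which is the ambiguity the validation removes.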
  </Accordion>

  <Accordion title="Fix error response format for SOAP+XML requests">
    We have resolved an issue where requests with the `application/soap+xml` Content-Type received JSON-formatted error responses instead of the expected XML format. The Gateway now correctly returns XML-formatted errors for SOAP requests.
  </Accordion>

  <Accordion title="Fixed misleading span batch configuration values in Gateway startup logs">
    Resolved an issue introduced alongside the `span_batch_config` feature in 5.12.0 where, when the configuration was omitted or left unset, Gateway startup logs reported the batch processor settings (`max_queue_size`, `max_export_batch_size`, `batch_timeout`) as zero values. The Gateway was internally applying the standard Go SDK defaults correctly, but the logs misrepresented this, making it appear that the OpenTelemetry exporter was misconfigured. Startup logs now report the actual default values in use, giving operators an accurate view of the active configuration.
  </Accordion>

  <Accordion title="Fixed missing access log entries for cached responses">
    Resolved an issue where responses served from the Redis cache middleware did not emit access log entries, making cache hits invisible in access logs even when `access_logs.enabled` was set to `true`. Cache hits now generate access log entries with the same structure as non-cached responses. The same fix ensures that cache hits are also captured by the newly introduced OpenTelemetry API metrics.
  </Accordion>

  <Accordion title="Resolve Gateway registration failures at scale on unlimited node licenses">
    We have resolved a set of related issues affecting Gateway registration with the Dashboard at scale for deployments using an **unlimited node license**. During mass registrations or rolling upgrades, a combination of lock contention, excessive Redis load, and incorrect handling of `409 Conflict` responses could leave Gateways stuck in registration loops without the credentials needed to serve traffic.

    Gateway registration is now significantly more robust at scale: registration requests are no longer serialized across the fleet, Gateways recover cleanly from transient `409 Conflict` responses instead of looping, and the Redis load generated during registration storms is substantially reduced.

    A dedicated fix for **limited node license** deployments will be provided in an upcoming release.
  </Accordion>

  <Accordion title="Fixed memory issue and unintended rate limit reset in distributed rate limiting">
    Resolved an issue where the [Distributed Rate Limiter's](/nightly/api-management/rate-limit#distributed-rate-limiter) cache cleanup stopped running after its first execution. This could cause unbounded memory growth on APIs using rate limits with high-cardinality keys (such as per-client-IP rate limiting or custom plugins generating unique keys), and could briefly reset active rate-limit buckets shortly after Gateway startup, allowing requests that should have been blocked to pass through. Memory usage now stays bounded, and rate limits are enforced as configured.
  </Accordion>
</AccordionGroup>

##### Security Fixes

<AccordionGroup>
  <Accordion title="Fix CVEs">
    We have addressed CVEs reported in dependent libraries, providing increased protection against security
    vulnerabilities, including, but not limited to:

    * <a href="https://nvd.nist.gov/vuln/detail/CVE-2025-15558" target="_blank">CVE-2025-15558</a>
    * <a href="https://nvd.nist.gov/vuln/detail/CVE-2026-33812" target="_blank">CVE-2026-33812</a>
    * <a href="https://nvd.nist.gov/vuln/detail/CVE-2026-39883" target="_blank">CVE-2026-39883</a>
    * <a href="https://nvd.nist.gov/vuln/detail/CVE-2026-39882" target="_blank">CVE-2026-39882</a>
  </Accordion>
</AccordionGroup>

***

## 5.12 Release Notes

### 5.12.1 Release Notes

#### Release Date 21st April 2026

#### Release Highlights

Tyk Gateway has been updated to Golang 1.25 and Debian 13 (Trixie) for enhanced security and performance, including updated FIPS-compliant images. This release addresses multiple CVEs in dependent libraries and fixes a path matching inconsistency for Tyk OAS APIs.

For a comprehensive list of changes, please refer to the detailed [changelog](/nightly/#Changelog-v5.12.1) below.

#### Breaking Changes

There are no breaking changes in this release.

#### Dependencies

<a id="dependencies-5.12.1" />

##### Compatibility Matrix For Tyk Components

| Gateway Version | Recommended Releases | Backwards Compatibility |
| --------------- | -------------------- | ----------------------- |
| 5.12.1          | MDCB v2.9.0          | MDCB v2.9.0             |
|                 | Operator v1.3.0      | Operator v0.17          |
|                 | Sync v2.1.6          | Sync v2.1.0             |
|                 | Helm Chart v5.1      | Helm all versions       |
|                 | Pump v1.14.1         | Pump all versions       |

##### 3rd Party Dependencies & Tools

| Third Party Dependency                                             | Tested Versions     | Compatible Versions | Comments                                                                         |
| ------------------------------------------------------------------ | ------------------- | ------------------- | -------------------------------------------------------------------------------- |
| [Go](https://go.dev/dl/)                                           | 1.25                | 1.25                | [Go plugins](/nightly/api-management/plugins/golang) must be built using Go 1.25 |
| [Redis](https://redis.io/download/)                                | 6.2.x, 7.x, 7.4.x   | 6.2.x, 7.x, 7.4.x   |                                                                                  |
| [Valkey](https://valkey.io/download/)                              | 7.2.x, 8.0.x, 8.1.x | 7.2.x, 8.0.x, 8.1.x |                                                                                  |
| [OpenAPI Specification](https://spec.openapis.org/oas/v3.1.2.html) | 3.1.x, 3.0.x        | 3.1.x, 3.0.x        | Supported by [Tyk OAS](/nightly/api-management/gateway-config-tyk-oas)           |

Given the potential time difference between your upgrade and the release of this version, we recommend users verify the ongoing support of third-party dependencies they install, as their status may have changed since the release.

#### Deprecations

There are no deprecations in this release.

#### Upgrade instructions

<a id="upgrade-5.12.1" />

If you are upgrading to 5.12.1, please follow the detailed [upgrade instructions](/nightly/#upgrading-tyk).

#### Downloads

* [Docker image to pull](https://hub.docker.com/r/tykio/tyk-gateway/tags?page=\&page_size=\&ordering=\&name=v5.12.1)
  * ```bash theme={null}
    docker pull tykio/tyk-gateway:v5.12.1
    ```
* Helm charts
  * [tyk-charts v5.1.0](/nightly/developer-support/release-notes/helm-chart#5-1-0-release-notes)

Please note that the Tyk Helm Charts are configured to install the LTS version of Tyk Gateway. You will need to modify them to install v5.12.1.

* [Source code tarball of Tyk Gateway v5.12.1](https://github.com/TykTechnologies/tyk/releases/tag/v5.12.1)

#### Changelog

<a id="Changelog-v5.12.1" data-scroll-offset />

##### Changed

<AccordionGroup>
  <Accordion title="Updated Golang version to 1.25">
    The Tyk Gateway has been updated to Golang 1.25, improving security by staying up-to-date with Go versions.
  </Accordion>

  <Accordion title="Update Docker images to Debian 13 (Trixie)">
    Updated the Docker images for Tyk Gateway to Debian 13 (Trixie) to address multiple vulnerabilities in the underlying operating system.
  </Accordion>
</AccordionGroup>

##### Fixed

<AccordionGroup>
  <Accordion title="Fixed path matching inconsistency for Tyk OAS APIs">
    Resolved an issue where parameterized paths could incorrectly take precedence over static paths when using the Request Validation or Mock Response middleware in Tyk OAS APIs. Static paths will now correctly bypass these middleware if not explicitly configured, restoring the expected routing behavior.
  </Accordion>
</AccordionGroup>

##### Security Fixes

<AccordionGroup>
  <Accordion title="CVE fixed">
    Addressed the following CVEs, providing increased protection against security vulnerabilities:

    * <a href="https://nvd.nist.gov/vuln/detail/CVE-2025-15281" target="_blank">CVE-2025-15281</a>
    * <a href="https://nvd.nist.gov/vuln/detail/CVE-2026-0861" target="_blank">CVE-2026-0861</a>
    * <a href="https://nvd.nist.gov/vuln/detail/CVE-2026-0915" target="_blank">CVE-2026-0915</a>
    * <a href="https://nvd.nist.gov/vuln/detail/CVE-2026-25679" target="_blank">CVE-2026-25679</a>
    * <a href="https://nvd.nist.gov/vuln/detail/CVE-2026-32285" target="_blank">CVE-2026-32285</a>
    * <a href="https://nvd.nist.gov/vuln/detail/CVE-2026-32286" target="_blank">CVE-2026-32286</a>
    * <a href="https://www.cvedetails.com/cve/CVE-2026-33186/" target="_blank">CVE-2026-33186</a>
    * <a href="https://nvd.nist.gov/vuln/detail/CVE-2026-34986" target="_blank">CVE-2026-34986</a>
  </Accordion>
</AccordionGroup>

### 5.12.0 Release Notes

#### Release Date 06 March 2026

#### Release Highlights

**OpenAPI Specification 3.1 is now supported**

In this release, we are delighted to bring initial support for OAS 3.1 in Tyk OAS APIs covering:

* Import and validation of OpenAPI 3.1 descriptions using Tyk Dashboard to create Tyk OAS APIs
* OAS 3.1 features:
  * Full JSON Schema support and the `$schema` keyword
  * The single `example` keyword is deprecated in OAS 3.1
  * `type` can be an array
  * `exclusiveMinimum` and `exclusiveMaximum` keywords

We do not yet have support for all new features. For more details, see the [documentation](/nightly/api-management/gateway-config-tyk-oas#openapi-specification-3-1).

**Enhanced OpenTelemetry Tracing and Log Correlation**

In this release, we've significantly improved observability by bridging the gap between logs and distributed traces. When OpenTelemetry is enabled, Tyk Gateway now automatically injects W3C trace IDs into access logs, and both trace and span IDs into application logs.

This allows your DevOps and SRE teams to seamlessly correlate Gateway operational events with distributed traces across platforms such as Grafana Tempo, Jaeger, and OpenSearch, providing full visibility into the request journey.

Additionally, we've introduced flexible support for custom trace headers. If your organization uses custom correlation ID systems (like `X-Correlation-ID`), the Gateway can now recognize these as trace context sources. With multiple propagation modes, you can gradually migrate to standard OpenTelemetry tracing without modifying existing downstream systems.

**Enhanced Error Observability in Access Logs**

Troubleshooting API errors in production just got significantly faster. We've enhanced Gateway [access logs](/nightly/api-management/logs#access-logs) to include rich, structured error context for 4XX and 5XX errors, eliminating the need to cross-reference multiple log sources during an incident.

Users can now instantly identify the root cause of failures—whether it's an expired TLS certificate, a network connectivity issue, or a backend service problem—directly from the access logs. This comprehensive visibility drastically reduces time-to-resolution and simplifies debugging.

**Programmatic Configuration Inspection for Faster Troubleshooting**

Verifying configuration settings and debugging deployment issues can be time-consuming when multiple configuration sources (files, environment variables, defaults) are involved.

To streamline troubleshooting, we've introduced configuration inspection endpoints to the Tyk Gateway API. Platform engineers and support teams can now programmatically access the Gateway's actual runtime configuration directly through the control API. This eliminates the need for manual configuration file sharing and supports automated drift detection, while built-in redaction automatically protects sensitive data like passwords and secrets.

**Enhanced Security with Client Certificate-Token Binding**

To provide an additional layer of security for your APIs, we've introduced [Client Certificate-Token Binding](/nightly/api-management/authentication/bearer-token#client-certificate-token-binding). This feature allows you to bind an Auth Token issued to a client to that client's specific certificate.

By ensuring that a token can be used only with its bound certificate, you can significantly reduce the risk of token theft or misuse. The feature fully supports certificate rotation scenarios by allowing multiple certificates to be bound to a single key, ensuring uninterrupted access during credential updates.

**Certificate Authentication as a Standalone Auth Method for Tyk OAS**

We have restructured [Certificate Authentication](/nightly/api-management/authentication/certificate-auth) (formerly known as Dynamic mTLS) to be a dedicated, standalone authentication method in Tyk OAS API definitions.

Previously configured as an adjunct to Auth Token authentication, this change aligns Certificate Authentication with other Tyk proprietary methods like HMAC and Custom Auth. This improves API design consistency and makes it much more intuitive to configure certificate-based access, all while maintaining full backward compatibility with your existing API definitions.

**Optimized Redis Storage for Data Planes**

We have significantly reduced Redis memory consumption for Data Plane deployments, delivering immediate storage cost savings and improved efficiency for large-scale environments.

By implementing intelligent storage optimization, the Gateway now automatically omits empty fields when storing session data, reducing memory usage for typical API keys by up to 20%. Additionally, we've introduced optional compression for cached API definitions, reducing storage requirements by up to 75% without impacting API response times. These enhancements are fully backward compatible and require no migration of existing keys or definitions.

For a comprehensive list of changes, please refer to the detailed [changelog](/nightly/#Changelog-v5.12.0) below.

#### Breaking Changes

A change has been made to improve the security of the legacy [**Auth Token + Dynamic mTLS**](/nightly/api-management/implement-tls#legacy-dynamic-mtls-mode) method for securing access to APIs deployed on Tyk. This removes the option to authenticate using only the auth token and enforces the mTLS handshake.

Previously, API clients could authenticate without presenting the client certificate or holding the client's private key.

For any user relying on that behavior, we have added a new Gateway configuration option: `allow_unsafe_dynamic_mtls_token`. Unless deliberately configured in the config file or environment, this is set to `false` to ensure that Tyk is secure by default.

#### Dependencies

<a id="dependencies-5.12.0" />

##### Compatibility Matrix For Tyk Components

| Gateway Version | Recommended Releases | Backwards Compatibility |
| --------------- | -------------------- | ----------------------- |
| 5.12.0          | MDCB v2.9.0          | MDCB v2.9.0             |
|                 | Operator v1.3.0      | Operator v0.17          |
|                 | Sync v2.1.6          | Sync v2.1.0             |
|                 | Helm Chart v5.1      | Helm all versions       |
|                 | Pump v1.14.0         | Pump all versions       |

##### 3rd Party Dependencies & Tools

| Third Party Dependency                                             | Tested Versions     | Compatible Versions | Comments                                                                         |
| ------------------------------------------------------------------ | ------------------- | ------------------- | -------------------------------------------------------------------------------- |
| [Go](https://go.dev/dl/)                                           | 1.24                | 1.24                | [Go plugins](/nightly/api-management/plugins/golang) must be built using Go 1.24 |
| [Redis](https://redis.io/download/)                                | 6.2.x, 7.x, 7.4.x   | 6.2.x, 7.x, 7.4.x   |                                                                                  |
| [Valkey](https://valkey.io/download/)                              | 7.2.x, 8.0.x, 8.1.x | 7.2.x, 8.0.x, 8.1.x |                                                                                  |
| [OpenAPI Specification](https://spec.openapis.org/oas/v3.1.2.html) | 3.1.x, 3.0.x        | 3.1.x, 3.0.x        | Supported by [Tyk OAS](/nightly/api-management/gateway-config-tyk-oas)           |

Given the potential time difference between your upgrade and the release of this version, we recommend users verify the ongoing support of third-party dependencies they install, as their status may have changed since the release.

#### Deprecations

The introduction of [Certificate Authentication](/nightly/api-management/authentication/certificate-auth) as a standalone auth method in place of Auth Token + dynamic mTLS means that the configuration field `authentication.securitySchemes.authToken.enableClientCertificate` in the Tyk Vendor Extension is now deprecated in favour of `authentication.certificateAuth.enabled`. The legacy field remains valid for backward compatibility at this time, but users are recommended to switch to the new configuration.

#### Upgrade instructions

<a id="upgrade-5.12.0" />

If you are upgrading to 5.12.0, please follow the detailed [upgrade instructions](/nightly/#upgrading-tyk).

#### Downloads

* [Docker image to pull](https://hub.docker.com/r/tykio/tyk-gateway/tags?page=\&page_size=\&ordering=\&name=v5.12.0)
  * ```bash theme={null}
    docker pull tykio/tyk-gateway:v5.12.0
    ```
* Helm charts
  * [tyk-charts v5.1.0](/nightly/developer-support/release-notes/helm-chart#5-1-0-release-notes)

Please note that the Tyk Helm Charts are configured to install the LTS version of Tyk Gateway. You will need to modify them to install v5.12.0.

* [Source code tarball of Tyk Gateway v5.12.0](https://github.com/TykTechnologies/tyk/releases/tag/v5.12.0)

#### Changelog

<a id="Changelog-v5.12.0" data-scroll-offset />

##### Added

<AccordionGroup>
  <Accordion title="Added support for OpenAPI 3.1 (OAS v3.1.x)">
    This release introduces initial support for importing and validating OpenAPI 3.1 descriptions to create Tyk OAS APIs. The implementation maintains backward compatibility with OAS 3.0 while adding support for the new JSON Schema 2020-12 validator:

    * Added full JSON Schema support, including the `$schema` keyword.
    * Added support for defining `type` as an array (e.g., `["string", "null"]`).
    * Added support for the `exclusiveMinimum` and `exclusiveMaximum` keywords.

    Please note the following limitations in this initial release:

    * Reusable Path Item Objects and the new `mutualTLS` security scheme are not currently supported.
  </Accordion>

  <Accordion title="Optimized Data Plane Redis storage for sessions and API definitions">
    This release introduces significant storage optimizations for Data Plane Redis caching, reducing memory consumption while maintaining full backward compatibility:

    * *Session Object Optimization*: The Gateway now automatically omits empty and zero-value fields when storing API keys and session objects. This results in up to a 20% reduction in memory usage, with minimal keys now consuming only 500-700 bytes.
    * *API Definition Compression*: Added optional Zstd compression for API definitions cached in Redis, achieving up to 75% storage reduction. Compression and decompression occur during Gateway reloads, ensuring zero impact on the request hot path.
    * *Configuration*: API definition compression is disabled by default. It can be enabled via the new `storage.enable_api_definition_compression` configuration option.
    * *Security Limit*: To mitigate the risk of decompression bombs, the maximum combined uncompressed size for the API definitions is limited to 100MB.
  </Accordion>

  <Accordion title="OpenTelemetry and Observability Enhancements">
    This release brings significant improvements to OpenTelemetry tracing and log correlation capabilities within the Gateway. These enhancements ensure better observability and easier debugging across distributed systems by unifying trace context across all log types:

    * Added the `trace_id` field to Gateway [access logs](/nightly/api-management/logs#access-logs) when OpenTelemetry is enabled, matching the `X-Tyk-Trace-Id` response header.
    * Added `trace_id` and `span_id` fields to all request-scoped Gateway [application logs](/nightly/api-management/logs#application-logs) (middleware execution, errors, and debugging).
    * Introduced custom trace header configuration (e.g., `X-Correlation-ID`) to support non-standard header names as trace context sources with three trace propagation modes:
      * **Custom-only** (read and write custom headers exclusively)
      * **Hybrid** (read custom headers, write standard traceparent)
      * **Composite** (read custom headers, write both custom and standard formats)
    * Implemented automatic fallback to standard W3C propagators when custom trace headers are missing or invalid.
  </Accordion>

  <Accordion title="Prevent OpenTelemetry Span Loss in High-Throughput Environments">
    In high-throughput production environments, default OpenTelemetry settings can cause silent span loss and incomplete traces under heavy load. To address this, we've introduced the ability to tune OpenTelemetry `BatchSpanProcessor` settings to match your specific traffic patterns. By adjusting queue sizes and batch parameters, you can significantly reduce orphaned child spans and ensure trace completeness, giving you full visibility into your API traffic.

    Added a new `span_batch_config` section to the OpenTelemetry configuration to prevent span loss in high-throughput environments. Users can now override default Go SDK settings by tuning `max_queue_size`, `max_export_batch_size`, and `batch_timeout`. This configuration is optional and backward compatible; omitted or zero values will default to standard SDK values.
  </Accordion>

  <Accordion title="Added structured error context to access logs">
    This release introduces detailed error context fields to access logs for 4XX and 5XX gateway and upstream errors, providing immediate technical insight into failure root causes including:

    * `response_flag` for standardized error codes (e.g., `TLE` for TLS expired, `UCF` for connection refused, `RLT` for rate limiting).
    * `response_code_details` for human-readable error descriptions.
    * `error_source` (originating component) and `error_target` (upstream address).
    * `upstream_status` to capture the HTTP status returned from the upstream service.
    * context-specific fields that appear only when relevant: `tls_cert_expiry` and `tls_cert_subject` for certificate errors, and `circuit_breaker_state` for circuit breaker errors.

    The full list of response flag codes is available in the [Access Logs documentation](/nightly/api-management/logs#access-logs).
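
As an added illustration (not Tyk code), the Go example below triages access-log lines by the error-context fields listed above, grouping failures by `response_flag` and `error_target` and collecting the entries that carry certificate details. It assumes JSON-formatted log output with one object per line and string-typed fields; the log lines, hostnames, trace IDs and `error_source` values are constructed.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"io"
	"sort"
	"strings"
)

// Entry holds error-context fields named in the release note. Decoding each
// one as a JSON string is an assumption of this example.
type Entry struct {
	TraceID        string `json:"trace_id"`
	ResponseFlag   string `json:"response_flag"`
	Details        string `json:"response_code_details"`
	ErrorSource    string `json:"error_source"`
	ErrorTarget    string `json:"error_target"`
	TLSCertExpiry  string `json:"tls_cert_expiry"`
	TLSCertSubject string `json:"tls_cert_subject"`
}

// Key groups failures by flag and upstream address.
type Key struct{ Flag, Target string }

// Summary is the triage result for one batch of access-log lines.
type Summary struct {
	Counts     map[Key]int
	CertIssues []Entry // entries that carry tls_cert_* context
	Malformed  int     // lines that were not valid JSON
}

// Triage reads one JSON object per line. Lines without a response_flag are
// treated as successful requests and skipped.
func Triage(r io.Reader) (Summary, error) {
	s := Summary{Counts: map[Key]int{}}
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		var e Entry
		if err := json.Unmarshal([]byte(line), &e); err != nil {
			s.Malformed++
			continue
		}
		if e.ResponseFlag == "" {
			continue
		}
		s.Counts[Key{e.ResponseFlag, e.ErrorTarget}]++
		if e.TLSCertSubject != "" || e.TLSCertExpiry != "" {
			s.CertIssues = append(s.CertIssues, e)
		}
	}
	return s, sc.Err()
}

// Ranked returns the keys by descending count, then by flag and target.
func Ranked(s Summary) []Key {
	keys := make([]Key, 0, len(s.Counts))
	for k := range s.Counts {
		keys = append(keys, k)
	}
	sort.Slice(keys, func(i, j int) bool {
		a, b := keys[i], keys[j]
		if s.Counts[a] != s.Counts[b] {
			return s.Counts[a] > s.Counts[b]
		}
		if a.Flag != b.Flag {
			return a.Flag < b.Flag
		}
		return a.Target < b.Target
	})
	return keys
}

// sampleLog is constructed for this example and is not real Gateway output.
const sampleLog = `{"trace_id":"0af7651916cd43dd8448eb211c80319c","response_flag":"TLE","response_code_details":"upstream certificate expired","error_source":"proxy","error_target":"payments.internal.example:443","tls_cert_subject":"CN=payments.internal.example","tls_cert_expiry":"2026-02-27T00:00:00Z"}
{"trace_id":"1bf7651916cd43dd8448eb211c80319d"}
{"trace_id":"2cf7651916cd43dd8448eb211c80319e","response_flag":"UCF","response_code_details":"connection refused","error_source":"proxy","error_target":"inventory.internal.example:8080"}
{"trace_id":"3df7651916cd43dd8448eb211c80319f","response_flag":"TLE","response_code_details":"upstream certificate expired","error_source":"proxy","error_target":"payments.internal.example:443","tls_cert_subject":"CN=payments.internal.example","tls_cert_expiry":"2026-02-27T00:00:00Z"}
{"trace_id":"4ef7651916cd43dd8448eb211c8031a0","response_flag":"RLT","response_code_details":"rate limit exceeded","error_source":"ratelimit"}
this line is not JSON`

func main() {
	s, err := Triage(strings.NewReader(sampleLog))
	if err != nil {
		panic(err)
	}
	for _, k := range Ranked(s) {
		fmt.Printf("%-3s %-32s x%d\n", k.Flag, k.Target, s.Counts[k])
	}
	for _, e := range s.CertIssues {
		fmt.Printf("cert %s expiry %s trace %s\n", e.TLSCertSubject, e.TLSCertExpiry, e.TraceID)
	}
	fmt.Println("malformed lines:", s.Malformed)
}
```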
  </Accordion>

  <Accordion title="Added configuration inspection endpoints to the Tyk Gateway API">
    Added new `/config` and `/env` endpoints to the Tyk Gateway API to provide programmatic access to runtime configuration and environment variable mappings. This enables targeted troubleshooting and configuration auditing directly through authenticated API calls:

    * Supports both full configuration dumps and targeted single-field queries (e.g., `/config?field=storage.host`).
    * Automatically redacts sensitive data (passwords, secrets, connection strings) to preserve configuration structure visibility securely.
    * Clarifies configuration precedence and naming conventions from multiple sources.

    This feature is disabled by default and is enabled using [`enable_config_inspection`](/nightly/tyk-oss-gateway/configuration#enable_config_inspection).
  </Accordion>

  <Accordion title="Added Client Certificate-Token Binding for Auth Token APIs">
    This release introduces the ability to bind client certificates to Auth Tokens for APIs secured with a static mTLS allow list. This provides enhanced token security by ensuring tokens are only used with their associated certificates:

    * Added a new `mtls_static_certificate_bindings` field to the session object, which accepts a list of one or more certificate IDs.
    * Enforces that the certificate presented in the request matches the bound certificate IDs; otherwise, the request is rejected.
    * Supports binding multiple client certificates to a single key (token) to facilitate certificate rotation.

    Please note that bound certificates must also be present in the client certificate allow list within the API definition for successful post-handshake validation. This feature maintains full backward compatibility with existing keys that do not specify certificate bindings.
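
The binding rule above, expressed as an added Go example that is not Tyk's implementation: a presented certificate must be in the API's allow list and, when the key carries bindings, must also match one of them. The SHA-256 certificate ID, the `API` type, the order of the two checks and the throwaway certificates are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Session mirrors only the session-object field named in the release note.
type Session struct {
	MTLSStaticCertificateBindings []string `json:"mtls_static_certificate_bindings"`
}

// API models the static mTLS allow list of an API definition (hypothetical type).
type API struct{ AllowList []string }

var (
	ErrNotAllowListed = errors.New("client certificate not in API allow list")
	ErrNotBound       = errors.New("client certificate not bound to this token")
)

// CertID derives an identifier from the certificate's DER bytes. Using a
// SHA-256 fingerprint is this example's assumption, not Tyk's ID scheme.
func CertID(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

func contains(list []string, v string) bool {
	for _, item := range list {
		if item == v {
			return true
		}
	}
	return false
}

// Authorize applies both conditions: allow-list membership, then the
// token's bindings. A key without bindings behaves as it did before.
func Authorize(api API, s Session, peer *x509.Certificate) error {
	id := CertID(peer)
	if !contains(api.AllowList, id) {
		return ErrNotAllowListed
	}
	if len(s.MTLSStaticCertificateBindings) == 0 {
		return nil // legacy key with no certificate bindings
	}
	if !contains(s.MTLSStaticCertificateBindings, id) {
		return ErrNotBound
	}
	return nil
}

// NewSampleCert builds a throwaway self-signed certificate (constructed data).
func NewSampleCert(cn string) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

func main() {
	oldCert, newCert := NewSampleCert("client-a-old"), NewSampleCert("client-a-new")
	other := NewSampleCert("client-b")
	api := API{AllowList: []string{CertID(oldCert), CertID(newCert), CertID(other)}}
	// Both of client A's certificates stay bound while it rotates.
	token := Session{MTLSStaticCertificateBindings: []string{CertID(oldCert), CertID(newCert)}}

	fmt.Println("rotated certificate:", Authorize(api, token, newCert))
	fmt.Println("token with another client's certificate:", Authorize(api, token, other))
	fmt.Println("key without bindings:", Authorize(api, Session{}, other))
}
```

The second call is the token-misuse case: the certificate is valid for the API but is not one of the certificates bound to the token, so the request is rejected.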
  </Accordion>

  <Accordion title="Certificate Expiry Events for Upstream Connections">
    Extended [certificate expiry monitoring](/nightly/api-management/certificates#monitoring-certificate-expiry) to include TLS certificates used by the Gateway as the client in connections to upstream services. When a certificate used by the Gateway to authenticate itself with the upstream has expired or is within the configured number of days prior to expiry, an entry will be added to the application log and the appropriate Gateway event will be generated. The new `cert_role` field in the event metadata indicates whether the certificate was used in `client` or `upstream` authentication.

    With this addition, the certificate expiry monitor now tracks all certificates used to represent the Gateway in TLS handshakes.
  </Accordion>

  <Accordion title="Restructured Certificate Authentication in Tyk OAS API definitions">
    This release introduces a new, dedicated configuration structure for Certificate Authentication (formerly Dynamic mTLS) in Tyk OAS API definitions, separating it from Auth Token authentication:

    * Introduced the new `authentication.certificateAuth.enabled` field to configure Certificate Authentication as a standalone method.
    * Deprecated the legacy `authentication.securitySchemes.authToken.enableClientCertificate` field (it remains fully supported for backward compatibility).
    * When both the new and deprecated fields are present, the new `certificateAuth.enabled` field takes precedence.
  </Accordion>

  <Accordion title="Configurable Gateway-Default JWKS Cache Timeout">
    In Tyk 5.10.0, we introduced API-level configuration for the validity period of the JWKS cache for Tyk OAS APIs. Now we have made the Gateway default (which is applied if no API-level configuration is set) configurable via a new option in the Gateway config file: [`jwks.cache.timeout`](/nightly/tyk-oss-gateway/configuration#jwks-cache-timeout) or the equivalent environment variable. If this is not set, the timeout will continue to default to 240 seconds. This will be applied to both Tyk Classic and Tyk OAS APIs, simplifying JWKS cache management across large API deployments while providing flexibility for APIs that require specific caching behaviors.
  </Accordion>

  <Accordion title="Improved Policy ID Handling in Multi-Organisation Environments">
    This release introduces improvements to how the Gateway handles policy IDs, particularly in multi-Organisation deployments. These changes ensure that policies are correctly applied and provide better visibility into potential configuration conflicts:

    * The Gateway now correctly discriminates between policies with identical `id` fields across different Organisations (Orgs), ensuring that policies are only applied to keys within their respective `org_id`.
    * Added a new warning-level log message that triggers if multiple policies are loaded with the same `id` within a single Org. The log details the shared `id` and the individual internal `_id` values of the conflicting policies to assist with troubleshooting.

    These enhancements allow users to safely use custom policy IDs without risking cross-Org conflicts. The new warning logs help administrators identify and resolve legacy configuration issues in which duplicate policy IDs may exist within the same Organisation.
  </Accordion>

  <Accordion title="Visibility of the APIs and Policies loaded by Data Plane Gateway">
    Gateway now includes a list of the loaded APIs and policies in the information it provides to MDCB. This provides a clear picture of what is running on each Gateway in a distributed deployment, simplifying monitoring and troubleshooting of your deployed Data Planes.
  </Accordion>

  <Accordion title="Added Usage-Aware Certificate Synchronization for Data Planes">
    This release introduces a usage-aware certificate synchronization system for distributed deployments (MDCB). Data Planes can now be configured to only sync and store certificates that are actually required by their loaded APIs when using the [MDCB Synchroniser](/nightly/api-management/mdcb#mdcb-synchroniser), rather than pulling all certificates from the Control Plane:

    * Added a new `sync_used_certs_only` boolean flag to the `slave_options` configuration.
    * When enabled alongside `use_rpc: true`, the data plane tracks certificate usage by analyzing loaded API specifications and filters synchronization to only pull required certificates.
    * Reduces memory usage and eliminates log noise caused by expired certificates that are not relevant to the specific Data Plane's APIs.

    This feature is disabled by default (`sync_used_certs_only: false`) to ensure backward compatibility. When disabled, the Gateway will continue to synchronize all certificates from the Control Plane as before.
  </Accordion>

  <Accordion title="Optimized Bundle Verification to Reduce Memory Consumption">
    Fixed a performance issue introduced in v5.8.7 where bundle verification significantly increased CPU and memory consumption, particularly when using multiple APIs with plugin bundles.
    We have introduced a new Gateway configuration option `skip_verify_existing_plugin_bundle` that allows you to skip cryptographic verification when loading signed plugin bundles from disk. When set to `true`, this option reduces performance overhead in environments with large numbers of APIs using signed bundles, while still maintaining security by validating signatures during initial bundle download.
    Note: This option only affects signed bundles loaded from disk; unsigned bundles and initial downloads will continue to follow standard verification procedures.
  </Accordion>
</AccordionGroup>

##### Fixed

<AccordionGroup>
  <Accordion title="Fixed Path Matching Inconsistencies Between Classic and OAS API Middleware">
    Resolved path matching inconsistencies that could lead to Tyk OAS-specific middleware not being executed when expected.

    These inconsistencies could cause the [Request Validation](/nightly/api-management/traffic-transformation/request-validation) and [Mock Response](/nightly/api-management/traffic-transformation/mock-response#mock-response) middleware to be skipped in certain scenarios when using Tyk OAS APIs.
    These scenarios included:

    * some subpaths (for example, middleware configured for `/users` would not execute for `/users/123`)
    * some child API versions
    * wildcard regexes in paths
    * root paths

    Now, Tyk will apply the same decisions to these middleware as it does to the rest of the request processing chain.
  </Accordion>

  <Accordion title="Fixed Certificate Re-use After Swapping in Multi-Auth Keys">
    Resolved an issue where swapping certificates in multi-auth (mTLS + Basic auth) keys prevented the original certificate from being reused. Previously, when updating a key's certificate, the original certificate remained incorrectly associated with the key internally, causing "key with given certificate already found" errors when attempting to reuse that certificate.

    Tyk now properly detaches certificates during key updates, allowing certificates to be freely reused across different keys after being removed from their original association.
  </Accordion>

  <Accordion title="Improved JWKS Error Messaging for Faster JWT Troubleshooting">
    Enhanced Gateway error logging for JWT authentication failures related to JWKS endpoints. Previously, JWKS configuration issues generated vague error messages that didn't indicate the root cause, making troubleshooting difficult and time-consuming.

    The Gateway now provides specific, actionable error messages that clearly identify whether failures stem from Base64 decoding issues, network connectivity problems, or invalid JWKS content.
  </Accordion>

  <Accordion title="Fixed Gateway Panic if HashiCorp Vault Path Not Found">
    Resolved an issue where the Gateway could crash with a panic if the API definition contained an illegal reference to a secret in HashiCorp Vault. If the requested path did not exist in Vault, this could cause the Gateway process to exit, resulting in a complete service outage during API loads, hot reloads, or Dashboard saves. The Gateway now gracefully handles the missing Vault path and logs a clear error message.
  </Accordion>

  <Accordion title="Fixed OpenAPI multipleOf Validation for Floating-Point Numbers">
    Resolved a floating-point precision issue where mathematically valid multipleOf values were incorrectly rejected due to binary representation limitations. This could cause incorrect failures when performing Request Validation for Tyk OAS APIs.

    The Gateway now properly handles floating-point precision in multipleOf validation, ensuring that all mathematically valid decimal multiples pass validation consistently while continuing to correctly reject invalid values.
  </Accordion>

  <Accordion title="Fixed Incomplete Validation of Multi-Value Request Headers">
    Resolved an issue where Tyk only validated the first instance of multi-value headers when processing requests to Tyk OAS APIs, allowing invalid header values to bypass schema constraints.

    The Gateway now properly normalizes and validates all header values according to HTTP standards, ensuring that all values in multi-value headers comply with the defined OpenAPI schema constraints.
  </Accordion>

  <Accordion title="Fixed API Routing Issues with Custom Domains and Similar Listen Paths">
    Resolved a routing issue where APIs could return `HTTP 404 Not Found` errors depending on custom domain settings, with differing behavior between Tyk OAS and Tyk Classic APIs. Previously, when APIs had similar listen path prefixes (e.g., `/caa` and `/caas2itsamu0456w2ayl9`), the Gateway's routing logic would incorrectly match requests, causing legitimate API calls to fail. The issue affected Tyk OAS APIs when custom domains were disabled, and Tyk Classic APIs when they were enabled.

    The Gateway now properly sorts and matches API specifications by listen path length, while correctly considering domain configuration options, ensuring all APIs are accessible via their configured paths regardless of custom domain settings or API type.
  </Accordion>

  <Accordion title="Fixed Missing Request Duration Logging for Gateway Error Responses">
    Resolved an issue where the Gateway incorrectly logged 0ms duration for error responses, including `HTTP 504 Gateway Timeout`, `HTTP 499 Client Closed Request`, and `HTTP 500 Internal Server Error`, creating gaps in API observability and monitoring. Previously, these error responses were hardcoded with zero-latency values, making it impossible to determine the actual processing time, gateway saturation, or connection utilization for failed requests.

    The Gateway now accurately calculates and logs the actual request duration from start to error occurrence for all error responses, providing complete timing visibility across successful and failed API requests. This enhancement improves observability for performance monitoring, capacity planning, and troubleshooting workflows.
  </Accordion>

  <Accordion title="Fixed Missing Identity Source in OTEL Traces for JWT Protected APIs">
    Resolved an issue where OpenTelemetry traces were missing the "alias" field when using JWT-protected APIs, making it impossible to identify API consumers in tracing data. Previously, while the alias was correctly populated in Redis sessions and pump metrics, it was not included in OTEL spans for JWT-authenticated requests.

    The Gateway now ensures that OTEL spans include the alias attribute for all authentication methods, enabling proper consumer identification and request attribution in distributed tracing systems.
  </Accordion>

  <Accordion title="Fixed Intermittent NewRelic Tracing">
    Resolved an issue where NewRelic OpenTracing integration worked inconsistently in Tyk Gateway. The Gateway now properly mounts NewRelic middleware on all routers, including reused ones, with thread-safe duplicate prevention and improved memory management during router swaps. This fix ensures consistent NewRelic APM visibility across all API calls and gateway versions, supporting both legacy NewRelic configurations and newer OpenTelemetry collector setups.
  </Accordion>

  <Accordion title="Fixed Custom Authentication Plugins in Compliant Mode">
    Resolved an issue where custom authentication plugins failed to execute properly when APIs were configured with Compliant Mode security processing. Previously, switching from Legacy Mode to Compliant Mode caused custom plugins to generate "JSVM isn't enabled" errors and return 500 Internal Server Error responses, even when JSVM was correctly configured. Custom authentication plugins now function identically in both Legacy and Compliant modes, allowing users to leverage flexible OR/AND authentication logic without breaking existing plugin functionality. Users can now seamlessly switch between authentication modes and use custom plugins with individual authentication methods in Compliant Mode's OR logic scenarios.
  </Accordion>

  <Accordion title="Fixed Incorrect X-RateLimit-Reset Timestamp on First Request After Quota Initialization">
    Resolved an issue where the `X-RateLimit-Reset` header showed an incorrect timestamp on the first API request after rate limit or quota counter initialization. Previously, when quota windows expired and were reset within the distributed lock, the Gateway failed to update its local timestamp variable, causing the first request to return stale timing information while subsequent requests showed correct values.

    The Gateway now properly synchronizes its internal timer with the storage backend during quota window resets, ensuring that `X-RateLimit-Reset` headers accurately reflect the correct expiration time from the very first request.
  </Accordion>

  <Accordion title="Fixed Policy ID Collisions Across Organizations in Multi-Org Gateway">
    Resolved an issue where policies with identical custom IDs across different organizations could overwrite each other in the Gateway's memory storage, causing incorrect policy application. Previously, when multiple organizations used the same policy ID, the Gateway would retain only the last loaded policy, potentially applying incorrect rate limits, quotas, or access controls to API requests. The Gateway now properly isolates policies by organization, ensuring that policy lookups correctly match both the policy ID and organization ID. This fix prevents cross-organizational policy conflicts, ensures that keys and JWT tokens apply the correct policies from their respective organizations, and maintains proper tenant isolation in multi-organization deployments. Organizations can now safely use identical policy IDs without risk of policy collision or incorrect access control enforcement.
  </Accordion>

  <Accordion title="Fixed Missing Alias in OpenTelemetry Traces for JWT Multi-Auth APIs">
    Resolved an issue where OpenTelemetry traces were missing the `alias` attribute for JWT-authenticated requests in multi-auth APIs using compliant security processing mode. Previously, while the alias was correctly populated in analytics records and Redis session data (e.g., JWT claims or API key names), it was not included in OpenTelemetry spans for JWT authentication, making request attribution difficult in distributed tracing systems. The fix ensures that OTEL spans now include the alias attribute for all authentication methods in multi-auth configurations, providing consistent identity information across analytics records, pump output, and distributed traces. This enhancement improves observability for APIs using multiple authentication schemes, allowing operators to easily identify request sources in tracing backends like Jaeger, Tempo, or Zipkin when analyzing JWT-authenticated traffic alongside API key requests.
  </Accordion>

  <Accordion title="Fixed SSL Certificate Loading from MDCB During Gateway Startup">
    Resolved an issue where data plane gateways failed to load SSL certificates from MDCB during startup, preventing HTTPS listeners from functioning correctly. The fix implements exponential backoff retry logic that waits for the MDCB connection to become available during certificate loading, ensuring SSL certificates are properly retrieved, and HTTPS listeners start correctly. This resolves startup failures for new data plane deployments using HTTPS.
  </Accordion>
</AccordionGroup>
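
For the "Fixed Incomplete Validation of Multi-Value Request Headers" entry above, the following added example (not Tyk's code) contrasts a first-value-only check with one that covers every field line and every comma-separated member. The `headerRule` type, the `X-Tenant-Id` header, its pattern, and the treatment of the header as a comma-separated list are assumptions made for the illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"regexp"
	"strings"
)

// headerRule is a constructed stand-in for an OpenAPI header parameter schema
// that constrains a string value with a pattern.
type headerRule struct {
	Name    string
	Pattern *regexp.Regexp
}

// tenantRule returns the hypothetical schema used throughout this example.
func tenantRule() headerRule {
	return headerRule{Name: "X-Tenant-Id", Pattern: regexp.MustCompile(`^[a-z0-9]{4,12}$`)}
}

// check applies the schema constraint to a single value.
func (r headerRule) check(v string) error {
	if !r.Pattern.MatchString(v) {
		return fmt.Errorf("%s: value %q violates pattern %s", r.Name, v, r.Pattern)
	}
	return nil
}

// validateFirstOnly shows the flawed approach: http.Header.Get returns only the
// first field line, so any further lines are never checked.
func validateFirstOnly(h http.Header, r headerRule) error {
	return r.check(h.Get(r.Name))
}

// validateAll checks every field line and every comma-separated member in it.
// Splitting on commas assumes the header is defined as a list of values.
func validateAll(h http.Header, r headerRule) error {
	lines := h.Values(r.Name)
	if len(lines) == 0 {
		return fmt.Errorf("%s: header missing", r.Name)
	}
	for _, line := range lines {
		for _, member := range strings.Split(line, ",") {
			if err := r.check(strings.TrimSpace(member)); err != nil {
				return err
			}
		}
	}
	return nil
}

// buildHeader creates a header map with one field line per supplied value.
func buildHeader(name string, fieldLines ...string) http.Header {
	h := http.Header{}
	for _, v := range fieldLines {
		h.Add(name, v)
	}
	return h
}

func main() {
	rule := tenantRule()
	// Constructed request: a valid first line followed by a non-conforming second line.
	h := buildHeader("X-Tenant-Id", "acme01", "NOT VALID!")
	fmt.Println("first-only:", validateFirstOnly(h, rule))
	fmt.Println("all values:", validateAll(h, rule))
}
```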

##### Security Fixes

<AccordionGroup>
  <Accordion title="Fixed Security Vulnerability in Dynamic mTLS Authentication">
    The Gateway now enforces certificate presence for dynamic mTLS authentication by default, rejecting requests that provide only tokens without valid client certificates. A new configuration option `allow_unsafe_dynamic_mtls_token` has been added for backward compatibility, but defaults to `false` to ensure secure behavior. When enabled, this option restores the previous (insecure) behavior of accepting token-only authentication for dynamic mTLS APIs.
  </Accordion>
</AccordionGroup>

## 5.11 Release Notes

### 5.11.1 Release Notes

#### Release Date 13th February 2026

#### Release Highlights

In this release, we have fixed a memory leak that could occur when using JWT authentication; we have resolved a performance issue with bundle verification that significantly impacted resource consumption when using plugin bundles; and we have fixed some priority CVEs. For a comprehensive list of changes, please refer to the detailed [changelog](/nightly/#Changelog-v5.11.1) below.

#### Breaking Changes

There are no breaking changes in this release.

#### Dependencies

<a id="dependencies-5.11.1" />

##### Compatibility Matrix For Tyk Components

| Gateway Version | Recommended Releases | Backwards Compatibility |
| --------------- | -------------------- | ----------------------- |
| 5.11.1          | MDCB v2.8.8          | MDCB v2.8.7             |
|                 | Operator v1.2.0      | Operator v0.17          |
|                 | Sync v2.1.5          | Sync v2.1.0             |
|                 | Helm Chart v5.0      | Helm all versions       |
|                 | Pump v1.13.3         | Pump all versions       |

##### 3rd Party Dependencies & Tools

| Third Party Dependency                                        | Tested Versions     | Compatible Versions | Comments                                                                         |
| ------------------------------------------------------------- | ------------------- | ------------------- | -------------------------------------------------------------------------------- |
| [Go](https://go.dev/dl/)                                      | 1.24                | 1.24                | [Go plugins](/nightly/api-management/plugins/golang) must be built using Go 1.24 |
| [Redis](https://redis.io/download/)                           | 6.2.x, 7.x, 7.4.x   | 6.2.x, 7.x, 7.4.x   |                                                                                  |
| [Valkey](https://valkey.io/download/)                         | 7.2.x, 8.0.x, 8.1.x | 7.2.x, 8.0.x, 8.1.x |                                                                                  |
| [OpenAPI Specification](https://spec.openapis.org/oas/v3.0.3) | v3.0.x              | v3.0.x              | Supported by [Tyk OAS](/nightly/api-management/gateway-config-tyk-oas)           |

Given the potential time difference between your upgrade and the release of this version, we recommend users verify the ongoing support of third-party dependencies they install, as their status may have changed since the release.

#### Deprecations

There are no deprecations in this patch release.

#### Upgrade instructions

<a id="upgrade-5.11.1" />

If you are upgrading to 5.11.1, please follow the detailed [upgrade instructions](/nightly/#upgrading-tyk).

#### Downloads

* [Docker image to pull](https://hub.docker.com/r/tykio/tyk-gateway/tags?page=\&page_size=\&ordering=\&name=v5.11.1)
  * ```bash theme={null}
    docker pull tykio/tyk-gateway:v5.11.1
    ```
* Helm charts
  * [tyk-charts v5.0.0](/nightly/developer-support/release-notes/helm-chart#5-0-0-release-notes)

Please note that the Tyk Helm Charts are configured to install the LTS version of Tyk Gateway. You will need to modify them to install v5.11.1.

* [Source code tarball of Tyk Gateway v5.11.1](https://github.com/TykTechnologies/tyk/releases/tag/v5.11.1)

#### Changelog

<a id="Changelog-v5.11.1" data-scroll-offset />

##### Fixed

<AccordionGroup>
  <Accordion title="Fixed Memory Leak When Using JWKS URL Cache">
    Resolved a memory leak issue that could occur when APIs used JWT authentication with JWKS URL cache.
  </Accordion>

  <Accordion title="Optimized Bundle Verification to Reduce Memory Consumption">
    Fixed a performance issue introduced in v5.8.7 where bundle verification significantly increased CPU and memory consumption, particularly when using multiple APIs with plugin bundles.

    We have introduced a new Gateway configuration option `skip_verify_existing_plugin_bundle` that allows you to skip cryptographic verification when loading signed plugin bundles from disk. When set to `true`, this option reduces the performance overhead for environments with large numbers of APIs using signed bundles, while still maintaining security by validating signatures during the initial bundle download.

    **Note**: This option only affects signed bundles loaded from disk; unsigned bundles and initial downloads will continue to follow standard verification procedures.
  </Accordion>
</AccordionGroup>

##### Security Fixes

<AccordionGroup>
  <Accordion title="CVE fixed">
    Addressed CVEs reported in dependent libraries, providing increased protection against security
    vulnerabilities, including, but not limited to:

    * <a href="https://nvd.nist.gov/vuln/detail/CVE-2025-15467" target="_blank">CVE-2025-15467</a>
    * <a href="https://nvd.nist.gov/vuln/detail/CVE-2025-69419" target="_blank">CVE-2025-69419</a>
    * <a href="https://nvd.nist.gov/vuln/detail/CVE-2025-61726" target="_blank">CVE-2025-61726</a>
    * <a href="https://nvd.nist.gov/vuln/detail/CVE-2025-61728" target="_blank">CVE-2025-61728</a>
    * <a href="https://nvd.nist.gov/vuln/detail/CVE-2025-68121" target="_blank">CVE-2025-68121</a>
  </Accordion>
</AccordionGroup>

### 5.11.0 Release Notes

#### Release Date 18 December 2025

#### Release Highlights

Tyk 5.11 delivers security enhancements and deeper operational visibility - empowering teams to scale their API programs with confidence and efficiency.

**Strengthened API Security & Authentication**
This release advances our security foundation with enhanced JWT authentication capabilities. Teams can now leverage scope-to-policy mapping without requiring default policies, while new support for nested claims enables more granular policy and subject identification. We've also added IP spoofing protection through configurable depth selection in X-Forwarded-For headers.

**Advanced Operational Control**
Operations teams gain greater flexibility with the ability to temporarily remove targets from upstream load balancers during maintenance windows. Enhanced observability comes through OTel trace propagation to custom gRPC plugins, trace ID inclusion in API traffic logs, and dedicated Gateway latency metrics alongside upstream measurements. Data Plane Gateways now recover more quickly from interruptions to the MDCB link to the Control Plane.

**Enhanced Stability & Performance**
This release includes important stability improvements, resolving crash conditions in JWT authentication and concurrent processing scenarios, eliminating blocking operations that could cause significant delays during MDCB connectivity issues, and improving performance for OAuth key retrieval in hybrid deployments. These fixes collectively deliver a more reliable and responsive API gateway experience for enterprise environments.

These enhancements collectively strengthen Tyk's position as the platform of choice for organizations requiring enterprise-scale API management with robust security, operational excellence, and developer productivity.
For a comprehensive list of changes, please refer to the detailed [changelog](/nightly/#Changelog-v5.11.0).

#### Breaking Changes

There are no breaking changes in this release.

#### Dependencies

<a id="dependencies-5.11.0" />

##### Compatibility Matrix For Tyk Components

| Gateway Version | Recommended Releases | Backwards Compatibility |
| --------------- | -------------------- | ----------------------- |
| 5.11.0          | MDCB v2.8.8          | MDCB v2.8.7             |
|                 | Operator v1.2.0      | Operator v0.17          |
|                 | Sync v2.1.5          | Sync v2.1.0             |
|                 | Helm Chart v5.0      | Helm all versions       |
|                 | Pump v1.13.3         | Pump all versions       |

##### 3rd Party Dependencies & Tools

| Third Party Dependency                                        | Tested Versions     | Compatible Versions | Comments                                                                         |
| ------------------------------------------------------------- | ------------------- | ------------------- | -------------------------------------------------------------------------------- |
| [Go](https://go.dev/dl/)                                      | 1.24                | 1.24                | [Go plugins](/nightly/api-management/plugins/golang) must be built using Go 1.24 |
| [Redis](https://redis.io/download/)                           | 6.2.x, 7.x, 7.4.x   | 6.2.x, 7.x, 7.4.x   |                                                                                  |
| [Valkey](https://valkey.io/download/)                         | 7.2.x, 8.0.x, 8.1.x | 7.2.x, 8.0.x, 8.1.x |                                                                                  |
| [OpenAPI Specification](https://spec.openapis.org/oas/v3.0.3) | v3.0.x              | v3.0.x              | Supported by [Tyk OAS](/nightly/api-management/gateway-config-tyk-oas)           |

Given the potential time difference between your upgrade and the release of this version, we recommend users verify the ongoing support of third-party dependencies they install, as their status may have changed since the release.

#### Deprecations

In this release we've deprecated the [policies.allow\_explicit\_policy\_id](/nightly/tyk-oss-gateway/configuration#policies-allow_explicit_policy_id) configuration option. This was previously added to allow the use of custom policy IDs, which is now the default behaviour so this option is redundant.

#### Upgrade instructions

<a id="upgrade-5.11.0" />

If you are upgrading to 5.11.0, please follow the detailed [upgrade instructions](/nightly/#upgrading-tyk).

#### Downloads

* [Docker image to pull](https://hub.docker.com/r/tykio/tyk-gateway/tags?page=\&page_size=\&ordering=\&name=v5.11.0)
  * ```bash theme={null}
    docker pull tykio/tyk-gateway:v5.11.0
    ```
* Helm charts
  * [tyk-charts v5.0.0](/nightly/developer-support/release-notes/helm-chart#5-0-0-release-notes)

Please note that the Tyk Helm Charts are configured to install the LTS version of Tyk Gateway. You will need to modify them to install v5.11.0.

* [Source code tarball of Tyk Gateway v5.11.0](https://github.com/TykTechnologies/tyk/releases/tag/v5.11.0)

#### Changelog

<a id="Changelog-v5.11.0" data-scroll-offset />

##### Added

<AccordionGroup>
  <Accordion title="Support for Nested JWT Claim Paths in Subject, Policy, and Scope Mapping">
    Added support for nested JWT claims for subject and policy fields, enabling hierarchical claim structures to be used in authentication and policy application. Now you can configure the `subjectClaims`, `basePolicyClaims`, and `scopes.claims` fields to use nested claim names, such as `test.sub` or `policy.base`.
  </Accordion>

  <Accordion title="Enhanced Latency Metrics with Gateway-Only Processing Time">
    We have enhanced request-level timing by tracking precise timestamps when requests enter the Gateway, enabling accurate end-to-end latency calculations that extend beyond previous proxy-only measurements.

    * Added `gateway` field to the `latency` struct in traffic logs to capture Gateway-specific processing time separate from upstream latency.
    * Extended Prometheus and StatsD pumps to expose Gateway-only latency metrics alongside existing total and upstream measurements for improved observability.
  </Accordion>

  <Accordion title="Full Support for Custom GraphQL Scalar Values in Tyk GraphQL Engine">
    We have added support for custom scalar values when working with GraphQL APIs. Custom scalars can accept any valid GraphQL value literal (string, number, boolean, enum, object, list, null, variable), matching the GraphQL specification's requirements for custom scalars.
    Existing standard scalar types (Int, Float, String, Boolean, ID) continue to work as before.
  </Accordion>

  <Accordion title="Background DNS Monitor for Faster MDCB Endpoint Failover">
    We have implemented background monitoring of MDCB endpoint DNS resolution to ensure rapid response to changes without waiting for failures, which block API consumer requests. When a DNS change is detected, Tyk will now automatically reconnect the RPC client to minimise downtime and risk of request blocking. The DNS monitor checks for changes at a configurable interval (default: 30 seconds, minimum: 10 seconds). This can be set using the `slave_options.dns_monitor` configuration.
  </Accordion>

  <Accordion title="Support Temporary Removal of Upstream Targets via Zero-Weight Load Balancing">
    You can now temporarily remove upstream targets (servers) from Tyk's upstream load balancing group. If a target is removed from the group, Tyk will route no traffic to it. This allows temporary target removal for maintenance, troubleshooting or environment issues.
    Simply set the weight for the target to zero, and it will be removed from the round robin list. Multiple targets can be removed, but at least one must have a non-zero weight and thus will be served traffic.
  </Accordion>

  <Accordion title="Removed Default Policy Requirement for JWT Scope-to-Policy Mapping">
    We’ve removed the need to supply a default policy when using scope-to-policy mapping with JWT Authentication. Now, if you enable scope-to-policy mapping by configuring `scopes.claimName`, you do not need to provide a policy ID in `defaultPolicies`. If a request does not contain any valid scopes, it will be rejected with `HTTP 403 Forbidden` (default deny). You can still provide a default policy if you require a different behaviour.
  </Accordion>

  <Accordion title="Add OTel Trace ID to Traffic Logs for Improved Observability">
    When OpenTelemetry is enabled, the Trace ID allocated to each request is tagged in traffic logs as `trace-id-{traceID}` and also exposed in `$tyk_context.tyk_trace_id`. This makes it easier to correlate traffic logs with OTel traces in observability platforms and also allows transformation middleware and custom plugins to correlate logs with traces.
  </Accordion>

  <Accordion title="Added Configurable `X-Forwarded-For` Header Selection">
    Added `xff_depth` configuration parameter to the Gateway's HTTP server options for improved security. This specifies which entry in the `X-Forwarded-For` header chain should be considered to contain the real client IP. The value of `xff_depth` is counted from the rightmost (most trusted) end of the IP chain, so a value of 1 selects the rightmost entry. If `xff_depth` is set to 0 or not configured, Tyk continues using the first IP address as before, maintaining backward compatibility. We have updated the default configurations across Tyk Demo, Helm Charts, and example files to use `xff_depth=1` for enhanced security in new deployments.
  </Accordion>

  <Accordion title="OpenTelemetry Trace Context Propagation for gRPC Plugins">
    Implemented OpenTelemetry trace context propagation to maintain request tracing visibility as requests flow through plugins, with specific support for gRPC plugins. Enhanced the Protocol Buffer definitions and Dispatcher interface to include trace context fields, updated the `CoProcessor` and `GRPCDispatcher` to preserve trace information, and added OpenTelemetry gRPC interceptors for seamless context propagation. This eliminates observability blind spots in plugin processing, allowing customers to see complete end-to-end traces of API requests, including all plugin activities.
  </Accordion>
</AccordionGroup>
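
The `xff_depth` selection described in the "Added Configurable `X-Forwarded-For` Header Selection" entry above, sketched as an added example (not Tyk's implementation) to show why the leftmost entry can be forged by the client while an entry counted from the right cannot. `ClientIPFromXFF` is a hypothetical helper; rejecting a negative depth or a depth larger than the chain is an assumption of this example, not documented Gateway behaviour.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"strings"
)

// ErrDepthExceedsChain: the header holds fewer entries than the depth asks for.
// Rejecting in this case is a choice made for this example.
var ErrDepthExceedsChain = errors.New("xff_depth exceeds number of X-Forwarded-For entries")

// splitXFF flattens one or more X-Forwarded-For field lines into a single
// left-to-right chain, dropping empty members.
func splitXFF(fieldLines []string) []string {
	var chain []string
	for _, line := range fieldLines {
		for _, part := range strings.Split(line, ",") {
			if p := strings.TrimSpace(part); p != "" {
				chain = append(chain, p)
			}
		}
	}
	return chain
}

// ClientIPFromXFF (hypothetical helper) picks the client IP from the chain.
// depth 0 reproduces the legacy behaviour: the leftmost entry, which the
// client itself can set. depth N > 0 counts from the right, so 1 is the entry
// appended by the proxy closest to the gateway.
func ClientIPFromXFF(fieldLines []string, depth int) (string, error) {
	chain := splitXFF(fieldLines)
	if len(chain) == 0 {
		return "", errors.New("no X-Forwarded-For entries")
	}
	if depth < 0 {
		return "", errors.New("xff_depth must not be negative")
	}
	if depth > len(chain) {
		return "", ErrDepthExceedsChain
	}
	candidate := chain[0]
	if depth > 0 {
		candidate = chain[len(chain)-depth]
	}
	ip := net.ParseIP(candidate)
	if ip == nil {
		return "", fmt.Errorf("X-Forwarded-For entry %q is not an IP address", candidate)
	}
	return ip.String(), nil
}

func main() {
	// Constructed sample: the client sent a forged "X-Forwarded-For: 198.51.100.99"
	// and a single trusted edge proxy appended the real peer address 203.0.113.7.
	chain := []string{"198.51.100.99, 203.0.113.7"}
	for _, depth := range []int{0, 1, 2, 3} {
		ip, err := ClientIPFromXFF(chain, depth)
		fmt.Printf("xff_depth=%d -> ip=%q err=%v\n", depth, ip, err)
	}
}
```

With one trusted proxy in front of the Gateway, depth 1 yields the address that proxy observed; depth 0 and depth 2 both return the client-supplied value.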

##### Fixed

<AccordionGroup>
  <Accordion title="Fixed JWT Authentication Panic in MDCB Emergency Mode">
    Fixed a bug causing JWT authentication to panic in MDCB emergency mode. When processing tokens with new sub-claims, the gateway returned an uninitialized session missing its KeyID, leading to a crash when generating the session’s KeyHash. The fix ensures the KeyID is preserved in the emergency-mode path, allowing sessions to be created and cached correctly and preventing panics during MDCB outages.
  </Accordion>

  <Accordion title="Resolved Panic Triggered by DRL Updates in Mixed Rate-Limiter Environments">
    Fixed an issue where Gateways using Redis-based rate limiters would crash when sharing Redis with Gateways using Distributed Rate Limiting (DRL). Non-DRL Gateways now properly ignore DRL update messages instead of attempting to process them, enabling mixed rate-limiter deployments across shared Redis instances.
  </Accordion>

  <Accordion title="Fixed Data Plane Startup Failures Causing Incorrect 404 Responses">
    Fixed an issue where a Data Plane Gateway could fail to load API definitions if the MDCB link failed during initialisation. This would lead to client requests returning HTTP 404 errors. The expected behaviour, if MDCB is unavailable, is for the Data Plane Gateway to retrieve policies and API definitions from the local storage (Redis), but this was not occurring in certain scenarios. We have improved the robustness of the Gateway startup so that, if MDCB goes down, it will automatically switch to the local storage (Redis) as expected.
  </Accordion>

  <Accordion title="Corrected mTLS Certificate Advertising for RFC-Compliant Clients">
    Fixed an issue where Tyk Gateway advertised leaf certificate Subject DNs instead of Certificate Authority DNs during mTLS handshakes, causing connection failures with RFC-compliant TLS clients. The Gateway now properly extracts and advertises CA DNs from certificate chains in the CertificateRequest message, ensuring compatibility with standards-compliant clients like `Apache mod_ssl` while maintaining backward compatibility with existing configurations.
  </Accordion>

  <Accordion title="Fixed JSON Formatter Failures with Large Numeric Error Values">
    We fixed a logging bug in the JSON formatter that could cause error logs to fail to serialize when an error message contained very large numeric values (for example, a big integer), which sometimes resulted in missing or broken log output. The formatter now writes the error as a plain text string instead of attempting to encode the underlying error object, so logs reliably serialize to JSON.
  </Accordion>

  <Accordion title="Reduced RPC Retry Delays by Improving DNS Change Detection">
    Fixed an issue where the Gateway would incorrectly retry RPC calls repeatedly when MDCB is unavailable, but the DNS hasn't changed. This would cause API requests to block for over 90 seconds before returning an error. Now it takes into account the fact that DNS has not changed and so fails fast, entering Emergency Mode after one retry (30 seconds).
  </Accordion>

  <Accordion title="Removed Redundant Boolean Enums from OpenAPI Specification">
    Fixed redundant boolean enum definitions in the OpenAPI specification by removing unnecessary `enum: [true, false]` declarations from boolean type fields in `swagger.yml` files. Boolean parameters now use only `type: boolean`, following OpenAPI best practices.
  </Accordion>

  <Accordion title="Fixed OAuth Client Key Retrieval Delays in JWT APIs on Hybrid Gateways">
    Resolved an issue where JWT APIs using Keycloak authentication experienced significant delays on hybrid gateways due to failed local key lookups. The gateway was unable to find OAuth client keys in local Redis and had to fetch them from the control plane on every request, causing performance degradation and "key not found" errors in logs. JWT API requests now retrieve keys efficiently from local storage, eliminating unnecessary round-trip requests and providing consistent response times.
  </Accordion>

  <Accordion title="Request pipeline blocked by synchronous RPC calls every 10 minutes when MDCB is unavailable">
    Fixed blocking synchronous RPC calls in the request pipeline that occurred every 10 minutes during organization expiry checks when MDCB was unavailable. The organization expiry validation is now asynchronous and non-blocking, preventing API request timeouts and latency spikes (up to 90 seconds) when MDCB connectivity issues occur. This ensures consistent API response times regardless of MDCB availability status.
  </Accordion>

  <Accordion title="Fixed Gateway Crash During Concurrent JWT Claims Validation">
    Resolved an issue where Tyk Gateway would crash when multiple users simultaneously accessed APIs with JWT claims validation enabled. The Gateway now processes JWT validation configurations once during API startup instead of during each request, eliminating the race conditions that caused service interruptions under concurrent load.
  </Accordion>

  <Accordion title="Fixed: API Keys Remain Active When Set to Inactive Status">
    Resolved an issue where API keys continued to process traffic even after being marked as inactive through API updates.
  </Accordion>
</AccordionGroup>

## 5.10 Release Notes

### 5.10.2 Release Notes

#### Release Date 2 December 2025

#### Release Highlights

This is a version bump to align with Dashboard v5.10.2; no changes have been implemented in this release.

#### Breaking Changes

There are no breaking changes in this release.

#### Dependencies

<a id="dependencies-5.10.2" />

##### Compatibility Matrix For Tyk Components

| Gateway Version | Recommended Releases | Backwards Compatibility |
| --------------- | -------------------- | ----------------------- |
| 5.10.2          | MDCB v2.8.6          | MDCB v2.8.6             |
|                 | Operator v1.2.0      | Operator v0.17          |
|                 | Sync v2.1.4          | Sync v2.1.0             |
|                 | Helm Chart v4.0      | Helm all versions       |
|                 | Pump v1.13.0         | Pump all versions       |

##### 3rd Party Dependencies & Tools

| Third Party Dependency                                        | Tested Versions     | Compatible Versions | Comments                                                                         |
| ------------------------------------------------------------- | ------------------- | ------------------- | -------------------------------------------------------------------------------- |
| [Go](https://go.dev/dl/)                                      | 1.24                | 1.24                | [Go plugins](/nightly/api-management/plugins/golang) must be built using Go 1.24 |
| [Redis](https://redis.io/download/)                           | 6.2.x, 7.x, 7.4.x   | 6.2.x, 7.x, 7.4.x   |                                                                                  |
| [Valkey](https://valkey.io/download/)                         | 7.2.x, 8.0.x, 8.1.x | 7.2.x, 8.0.x, 8.1.x |                                                                                  |
| [OpenAPI Specification](https://spec.openapis.org/oas/v3.0.3) | v3.0.x              | v3.0.x              | Supported by [Tyk OAS](/nightly/api-management/gateway-config-tyk-oas)           |

Given the potential time difference between your upgrade and the release of this version, we recommend users verify the ongoing support of third-party dependencies they install, as their status may have changed since the release.

#### Deprecations

There are no deprecations in this release.

#### Upgrade instructions

<a id="upgrade-5.10.2" />

If you are upgrading to 5.10.2, please follow the detailed [upgrade instructions](/nightly/#upgrading-tyk).

#### Downloads

* [Docker image to pull](https://hub.docker.com/r/tykio/tyk-gateway/tags?page=\&page_size=\&ordering=\&name=v5.10.2)
  * ```bash theme={null}
    docker pull tykio/tyk-gateway:v5.10.2
    ```
* Helm charts
  * [tyk-charts v4.0.0](/nightly/developer-support/release-notes/helm-chart#4-1-0-release-notes)

Please note that the Tyk Helm Charts are configured to install the LTS version of Tyk Gateway. You will need to modify them to install v5.10.2.

* [Source code tarball of Tyk Gateway v5.10.2](https://github.com/TykTechnologies/tyk/releases/tag/v5.10.2)

#### Changelog

<a id="Changelog-v5.10.2" data-scroll-offset />

No changes in this release.

### 5.10.1 Release Notes

#### Release Date 19 November 2025

#### Release Highlights

This patch release contains various bug and security fixes. For a comprehensive list of changes, please refer to the detailed [changelog](/nightly/#Changelog-v5.10.1).

#### Breaking Changes

There are no breaking changes in this release.

#### Dependencies

<a id="dependencies-5.10.1" />

##### Compatibility Matrix For Tyk Components

| Gateway Version | Recommended Releases | Backwards Compatibility |
| --------------- | -------------------- | ----------------------- |
| 5.10.1          | MDCB v2.8.5          | MDCB v2.8.5             |
|                 | Operator v1.2.0      | Operator v0.17          |
|                 | Sync v2.1.4          | Sync v2.1.0             |
|                 | Helm Chart v4.0      | Helm all versions       |
|                 | Pump v1.13.0         | Pump all versions       |

##### 3rd Party Dependencies & Tools

| Third Party Dependency                                        | Tested Versions     | Compatible Versions | Comments                                                                         |
| ------------------------------------------------------------- | ------------------- | ------------------- | -------------------------------------------------------------------------------- |
| [Go](https://go.dev/dl/)                                      | 1.24                | 1.24                | [Go plugins](/nightly/api-management/plugins/golang) must be built using Go 1.24 |
| [Redis](https://redis.io/download/)                           | 6.2.x, 7.x, 7.4.x   | 6.2.x, 7.x, 7.4.x   |                                                                                  |
| [Valkey](https://valkey.io/download/)                         | 7.2.x, 8.0.x, 8.1.x | 7.2.x, 8.0.x, 8.1.x |                                                                                  |
| [OpenAPI Specification](https://spec.openapis.org/oas/v3.0.3) | v3.0.x              | v3.0.x              | Supported by [Tyk OAS](/nightly/api-management/gateway-config-tyk-oas)           |

Given the potential time difference between your upgrade and the release of this version, we recommend users verify the ongoing support of third-party dependencies they install, as their status may have changed since the release.

#### Deprecations

There are no deprecations in this release.

#### Upgrade instructions

<a id="upgrade-5.10.1" />

If you are upgrading to 5.10.1, please follow the detailed [upgrade instructions](/nightly/#upgrading-tyk).

#### Downloads

* [Docker image to pull](https://hub.docker.com/r/tykio/tyk-gateway/tags?page=\&page_size=\&ordering=\&name=v5.10.1)
  * ```bash theme={null}
    docker pull tykio/tyk-gateway:v5.10.1
    ```
* Helm charts
  * [tyk-charts v4.0.0](/nightly/developer-support/release-notes/helm-chart#4-0-0-release-notes)

Please note that the Tyk Helm Charts are configured to install the LTS version of Tyk Gateway. You will need to modify them to install v5.10.1.

* [Source code tarball of Tyk Gateway v5.10.1](https://github.com/TykTechnologies/tyk/releases/tag/v5.10.1)

#### Changelog

<a id="Changelog-v5.10.1" data-scroll-offset />

##### Fixed

<AccordionGroup>
  <Accordion title="Fixed Custom Authentication fallback when custom plugin bundle is disabled">
    Fixed an issue where [Custom Authentication](/nightly/api-management/authentication/custom-auth) could fall back to a previously configured alternative authentication method if the custom plugin bundle was not loaded. This is now treated like any other failed plugin load: requests to the API are rejected with `HTTP 500 Internal Server Error` to prevent access to an improperly configured endpoint.
  </Accordion>

  <Accordion title="Fixed issue with invalid or missing bundle manifests">
    Fixed an issue where the Gateway would load and attempt to use plugin bundles even when the manifest file was invalid or missing. The Gateway now properly validates bundle manifests and fails safely by rejecting API requests when bundles cannot be properly loaded or verified.
    This prevents risks from corrupted or tampered bundles and ensures that APIs with invalid plugin configurations are not accessible, maintaining the integrity of authentication and authorization checks implemented by plugins.
  </Accordion>

  <Accordion title="Fixed JWT key activation when toggling default policy from draft to active">
    Fixed an issue where keys could remain deactivated when a policy applied to them was changed from `draft` to `active` status. When an access key/token is presented to Tyk in a request, policies linked to the key will be applied, configuring the authorization for that request. If any policy is in `draft` state, the key will be rejected.
    Toggling the policy to the `active` state should activate any keys to which the policy is applied. Previously, if the policy had never been applied when it was in `draft` state, there was an issue where keys would incorrectly be marked as `inactive`. This has now been resolved, and the policy state is correctly mapped to keys.
  </Accordion>

  <Accordion title="Added new configuration option for limiting response body size">
    Added a new configuration option, [HttpServerOptions.MaxResponseBodySize](/nightly/tyk-oss-gateway/configuration#http_server_options-max_response_body_size), to limit the maximum size of response bodies processed during any response body transformations. When the limit is exceeded, the Gateway returns `HTTP 500 Response Body Too Large` instead of attempting to process the oversized content.
  </Accordion>

  <Accordion title="Fixed plugin loading failure errors being ignored for gRPC, Python, and Lua plugins">
    Fixed an issue where plugin loading failure errors were ignored for gRPC, Python, and Lua plugins, allowing API requests to be processed even when plugins failed to load. The Gateway now properly validates plugin drivers during request processing and fails safely by returning `HTTP 500 Internal Server Error` when any plugin fails to load, ensuring consistent behavior across all plugin types.
  </Accordion>

  <Accordion title="Fixed random version selection when `not_versioned` is set to true">
    Fixed an issue where a **Tyk Classic API** with inconsistent versioning configuration would process requests using a **random version’s configuration**.

    A non-versioned API should:

    * Contain a single entry in `version_data.versions` with the API configuration.
    * Have the `version_data.not_versioned` flag set to `true`.

    Previously, if multiple entries existed in the `version_data.versions` array while `not_versioned` was set to `true`, the Gateway would **randomly select one** of those versions to process incoming requests.

    **New behavior:**

    When `version_data.not_versioned` is set to `true` and multiple versions are present, Tyk now deterministically selects the configuration for the **default version** instead of picking one at random.

    Tyk determines the default version as follows:

    * First, it looks for an entry named `"Default"`.
    * If not found, it checks for `"default"`.
    * If neither exists, it checks for an entry with an **empty string key** (`""`).
    * If none of these are found, Tyk returns an **error**, indicating a misconfigured non-versioned API.
  </Accordion>

  <Accordion title="Improved path handling during bundle decompression.">
    Tyk Gateway now validates all file paths in zip bundles before extraction, rejecting bundles that contain invalid paths. Bundle extraction fails immediately upon detecting invalid paths, with detailed error logging, ensuring that only proper bundles with valid relative paths are processed.
  </Accordion>

  <Accordion title="Fixed Data Plane Gateway hanging when MDCB connection is lost">
    Fixed an issue where a Data Plane Gateway could hang for all client requests when the MDCB connection was lost. This was caused by the Gateway incorrectly checking the Organisation quota when `TYK_GW_ENFORCEORGQUOTAS` was not set. If the Organisation quota cache expired before the Gateway performed a health check, the Gateway could hang.

    From this release, the Gateway does not check the Organisation quota cache if `TYK_GW_ENFORCEORGQUOTAS` is not set. For users relying on Organisation quotas (setting `TYK_GW_ENFORCEORGQUOTAS=true`), the scenario is different and the lock does not occur.
  </Accordion>
</AccordionGroup>
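
The bundle path validation described under "Improved path handling during bundle decompression" follows a validate-everything-first pattern, sketched below. This is an added example, not Tyk Gateway source code; the function names, the two-pass structure and the sample entry names are assumptions made for illustration.

```go
package main

import (
	"archive/zip"
	"bytes"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// safeTarget maps a zip entry name to a path under destDir, or returns an
// error when the name could resolve outside destDir.
func safeTarget(destDir, name string) (string, error) {
	// Zip names use "/". A backslash is a separator on Windows but an
	// ordinary character elsewhere, so reject it on every platform.
	if strings.Contains(name, `\`) {
		return "", fmt.Errorf("entry %q: backslash in path", name)
	}
	// IsLocal rejects empty names, absolute paths and paths that climb
	// out of the starting directory through "..".
	if !filepath.IsLocal(filepath.FromSlash(name)) {
		return "", fmt.Errorf("entry %q: not a local relative path", name)
	}
	target := filepath.Join(destDir, filepath.FromSlash(name))
	// Defence in depth: the joined path must still sit under destDir.
	rel, err := filepath.Rel(destDir, target)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("entry %q: escapes %s", name, destDir)
	}
	return target, nil
}

// writeEntry copies one archive member to its already validated target path.
func writeEntry(f *zip.File, target string) error {
	if f.FileInfo().IsDir() {
		return os.MkdirAll(target, 0o755)
	}
	if err := os.MkdirAll(filepath.Dir(target), 0o755); err != nil {
		return err
	}
	rc, err := f.Open()
	if err != nil {
		return err
	}
	defer rc.Close()
	body, err := io.ReadAll(rc)
	if err != nil {
		return err
	}
	return os.WriteFile(target, body, 0o644)
}

// extractBundle validates every entry name first and writes nothing to disk
// unless all of them pass. It returns the names it extracted.
func extractBundle(data []byte, destDir string) ([]string, error) {
	zr, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if err != nil {
		return nil, fmt.Errorf("bundle rejected: %w", err)
	}
	targets := make([]string, len(zr.File))
	for i, f := range zr.File { // pass 1: validate only
		if targets[i], err = safeTarget(destDir, f.Name); err != nil {
			return nil, fmt.Errorf("bundle rejected: %w", err)
		}
	}
	names := make([]string, 0, len(zr.File))
	for i, f := range zr.File { // pass 2: extract
		if err := writeEntry(f, targets[i]); err != nil {
			return nil, err
		}
		names = append(names, f.Name)
	}
	return names, nil
}

// buildBundle creates an in-memory zip with the given entry names
// (constructed sample data, not a real Tyk bundle).
func buildBundle(names ...string) []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for _, n := range names {
		if w, err := zw.Create(n); err == nil {
			w.Write([]byte("sample"))
		}
	}
	zw.Close()
	return buf.Bytes()
}

func main() {
	dir, _ := os.MkdirTemp("", "bundle-demo")
	defer os.RemoveAll(dir)
	fmt.Println(extractBundle(buildBundle("manifest.json", "middleware/auth.py"), dir))
	fmt.Println(extractBundle(buildBundle("manifest.json", "plugins/../../outside.txt"), dir))
}
```

Because validation runs as a separate first pass, a bundle with one bad entry leaves the destination directory untouched rather than partially populated.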

##### Security Fixes

<AccordionGroup>
  <Accordion title="CVE fixed">
    Fixed the following high-priority CVEs, providing increased protection against security vulnerabilities:

    * <a href="https://www.cve.org/CVERecord?id=CVE-2025-47912" target="_blank">CVE-2025-47912</a>
    * <a href="https://www.cve.org/CVERecord?id=CVE-2025-58183" target="_blank">CVE-2025-58183</a>
    * <a href="https://www.cve.org/CVERecord?id=CVE-2025-58185" target="_blank">CVE-2025-58185</a>
    * <a href="https://www.cve.org/CVERecord?id=CVE-2025-58186" target="_blank">CVE-2025-58186</a>
    * <a href="https://www.cve.org/CVERecord?id=CVE-2025-58187" target="_blank">CVE-2025-58187</a>
    * <a href="https://www.cve.org/CVERecord?id=CVE-2025-58188" target="_blank">CVE-2025-58188</a>
    * <a href="https://www.cve.org/CVERecord?id=CVE-2025-58189" target="_blank">CVE-2025-58189</a>
    * <a href="https://www.cve.org/CVERecord?id=CVE-2025-61723" target="_blank">CVE-2025-61723</a>
    * <a href="https://www.cve.org/CVERecord?id=CVE-2025-61724" target="_blank">CVE-2025-61724</a>
    * <a href="https://www.cve.org/CVERecord?id=CVE-2025-61725" target="_blank">CVE-2025-61725</a>
    * <a href="https://nvd.nist.gov/vuln/detail/CVE-2025-63811" target="_blank">CVE-2025-63811</a>
    * <a href="https://nvd.nist.gov/vuln/detail/CVE-2025-31133" target="_blank">CVE-2025-31133</a>
    * <a href="https://nvd.nist.gov/vuln/detail/CVE-2025-52565" target="_blank">CVE-2025-52565</a>
    * <a href="https://nvd.nist.gov/vuln/detail/CVE-2025-52881" target="_blank">CVE-2025-52881</a>
  </Accordion>
</AccordionGroup>

### 5.10.0 Release Notes

#### Release Date 13th October 2025

#### Release Highlights

For a comprehensive list of changes, please refer to the detailed [changelog](/nightly/#Changelog-v5.10.0).

##### OpenAPI Compliant Multi-Authentication for Tyk OAS APIs

Tyk Gateway now supports true OpenAPI specification compliant authentication workflows, giving developers the flexibility to implement industry-standard security patterns while maintaining backward compatibility.

OpenAPI compliant authentication brings:

* **Multiple authentication paths**: Process all entries in the OpenAPI `security` section, not just the first one
* **Flexible security combinations**: Enable authentication scenarios like "OAuth2 OR Auth Token" where clients can choose their preferred method
* **Proprietary method integration**: Seamlessly combine standard OpenAPI authentication with Tyk's proprietary methods (Custom Authentication plugin, HMAC) using the same flexible logic
* **Standards compliance**: Follow OpenAPI security specification patterns that developers expect

Backward compatibility guaranteed:

* **Legacy mode preserved**: Existing APIs continue to work unchanged with the current AND-only logic
* **Opt-in enhancement**: Switch to compliant mode via the `securityProcessingMode` configuration when ready
* **No breaking changes**: Existing multi-security configurations remain functional

**Real-world applications**

* Support diverse client authentication capabilities within the same API
* Implement progressive authentication strategies (basic → advanced security)
* Align with OpenAPI tooling and documentation expectations
* Reduce integration complexity for API consumers

Perfect for organizations wanting to leverage standard OpenAPI security patterns while maintaining the flexibility of Tyk's advanced authentication features.

For more details, please see the dedicated [Multi Auth](/nightly/basic-config-and-security/security/authentication-authorization/multiple-auth) section.

##### Comprehensive JWT Claim Validation for Tyk OAS APIs

Tyk Gateway now provides enterprise-grade JWT validation capabilities exclusively for Tyk OAS APIs, enabling complete control over token validation beyond basic expiry and signature checks.

**Complete registered claim validation**

* **Multi-Identity Provider support**: Validate issuer, audience, and subject claims against multiple allowed values
* **Flexible claim mapping**: Configure different claim names for subject, policy, and scope mapping to support various Identity Providers (Keycloak, Okta, Auth0, etc.) within the same API
* **JWT ID enforcement**: Require unique token identifiers for enhanced security

**Advanced custom claim validation**

* **Flexible validation rules**: Define validation for any JWT claim using required, exact match, or containment rules
* **Rich data type support**: Handle strings, numbers, booleans, and arrays with nested claim access using dot notation
* **Non-blocking validation**: Monitor claim compliance without rejecting requests, perfect for gradual policy enforcement

**Real-world applications**

* Role-based access control with custom permission claims
* Department or organization-based API access restrictions
* Multi-tenant scenarios with flexible claim validation
* Gradual migration from legacy authentication systems

This enhancement makes Tyk's JWT middleware the primary validation mechanism for complex enterprise authentication scenarios, providing the flexibility needed for modern Identity Provider integrations while maintaining backward compatibility.

Ideal for organizations that require sophisticated JWT validation beyond standard token checks.

For more details, please see the dedicated [JWT Auth](/nightly/api-management/authentication/jwt-authorization) section.
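
The custom claim rules described above (required, exact match and containment, dot notation for nested claims, non-blocking mode) can be modelled as follows. This is an added example, not Tyk's implementation or configuration schema: the `Rule` JSON field names are hypothetical, the rule type names `required`, `exact_match` and `contains` are the ones listed in the changelog on this page, and the exact matching semantics of `contains` are an assumption.

```go
package main

import (
	"encoding/json"
	"fmt"
	"reflect"
	"strings"
)

// Rule is a hypothetical shape for this example, not Tyk's schema.
type Rule struct {
	Claim       string `json:"claim"`        // dot notation, e.g. "user.department"
	Type        string `json:"type"`         // required | exact_match | contains
	Values      []any  `json:"values"`       // accepted values
	NonBlocking bool   `json:"non_blocking"` // warn instead of reject
}

// lookup follows a dot-separated path through nested JSON objects.
func lookup(claims map[string]any, path string) (any, bool) {
	var cur any = claims
	for _, key := range strings.Split(path, ".") {
		obj, isObj := cur.(map[string]any)
		next, ok := obj[key] // reading from a nil map is safe
		if !isObj || !ok {
			return nil, false
		}
		cur = next
	}
	return cur, true
}

// holds applies one rule; the contains semantics used here are assumed.
func holds(r Rule, val any) bool {
	items, isArray := val.([]any)
	for _, want := range r.Values {
		switch {
		case r.Type == "exact_match" && reflect.DeepEqual(val, want):
			return true
		case r.Type == "contains" && isArray: // array claim: element match
			for _, item := range items {
				if reflect.DeepEqual(item, want) {
					return true
				}
			}
		case r.Type == "contains": // string claim: substring match
			s, ok1 := val.(string)
			w, ok2 := want.(string)
			if ok1 && ok2 && w != "" && strings.Contains(s, w) {
				return true
			}
		}
	}
	return r.Type == "required" // presence was established by lookup
}

// Evaluate decodes the rules and the token payload, then returns whether the
// token is accepted plus one warning per failed non-blocking rule.
func Evaluate(rulesJSON, payloadJSON string) (bool, []string, error) {
	var rules []Rule
	var claims map[string]any
	if err := json.Unmarshal([]byte(rulesJSON), &rules); err != nil {
		return false, nil, err
	}
	if err := json.Unmarshal([]byte(payloadJSON), &claims); err != nil {
		return false, nil, err
	}
	allowed, warnings := true, []string{}
	for _, r := range rules {
		if r.Type != "required" && r.Type != "exact_match" && r.Type != "contains" {
			return false, nil, fmt.Errorf("claim %q: unknown rule type %q", r.Claim, r.Type)
		}
		if val, found := lookup(claims, r.Claim); found && holds(r, val) {
			continue
		}
		if r.NonBlocking {
			warnings = append(warnings, fmt.Sprintf("claim %q failed %s", r.Claim, r.Type))
		} else {
			allowed = false
		}
	}
	return allowed, warnings, nil
}

// Constructed sample: a decoded JWT payload whose signature is already verified.
const samplePayload = `{"iss": "https://idp.example.com", "sub": "alice",
  "user": {"department": "finance", "level": 3}, "roles": ["reader", "billing"]}`

// Constructed sample rules in the hypothetical shape above.
const sampleRules = `[
  {"claim": "user.department", "type": "exact_match", "values": ["finance", "audit"]},
  {"claim": "user.level", "type": "exact_match", "values": [3]},
  {"claim": "roles", "type": "contains", "values": ["billing"]},
  {"claim": "jti", "type": "required", "non_blocking": true}
]`

func main() {
	fmt.Println(Evaluate(sampleRules, samplePayload))
}
```

The sample token has no `jti`, so the non-blocking rule produces a warning while the request is still accepted; the same rule without `non_blocking` would reject it.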

##### Advanced JWKS Cache Management for Tyk OAS APIs

Tyk Gateway now provides comprehensive JWKS (JSON Web Key Set) cache control for Tyk OAS APIs, delivering significant performance improvements and operational flexibility for JWT validation workflows with:

* **Configurable cache timeouts**: Set custom cache durations per Identity Provider to match their key rotation schedules
* **On-demand cache invalidation**: Instantly refresh cached keys for any API (Classic or OAS) when Identity Providers rotate their signing keys
* **Intelligent pre-fetching**: Eliminate first-request latency by fetching JWKS data during Tyk OAS API initialization

**Key benefits**

* Faster JWT validation with reduced Identity Provider round-trips
* Zero cold-start delays for JWT-protected endpoints
* Immediate response to Identity Provider key rotations
* Better performance in high-traffic JWT validation scenarios

This enhancement is particularly valuable for organizations migrating to Tyk OAS APIs or those requiring consistent low-latency JWT validation performance with multiple Identity Providers that have different key rotation policies.

For more details, please see the [JWT Auth](/nightly/basic-config-and-security/security/authentication-authorization/json-web-tokens) section.

##### Centralized External Service Configuration

Tyk Gateway now provides unified configuration for all external service connections through the new `external_services` section. This enhancement brings together previously scattered and incomplete configuration options into a single, coherent system that supports:

* **Proxy configuration**: Apply proxy settings globally or per service, with automatic support for standard environment variables (`HTTP_PROXY`, `HTTPS_PROXY`, `NO_PROXY`)
* **mTLS certificate management**: Centralized certificate configuration for secure connections to external services
* **Comprehensive service coverage**: Covers all external integrations, including databases, OAuth providers, and webhook endpoints

This improvement simplifies deployment in enterprise environments where proxy servers and certificate management are critical, while maintaining full backward compatibility with existing configurations.

**Key benefits**

* Reduced configuration complexity and duplication
* Better security through centralized certificate management
* Simplified proxy configuration for containerized deployments
* Consistent external service connection handling across all Tyk components

For more details, please see the dedicated [section](/nightly/configure/external-service).

##### Proactive Certificate Expiry Monitoring

Tyk Gateway now automatically monitors certificate health and proactively alerts administrators before certificates expire, helping prevent service outages caused by expired mTLS certificates.

The new certificate monitoring system provides:

* **Early warning notifications**: Configurable alerts when certificates approach expiry (default: 30 days)
* **Immediate expiry detection**: Real-time notifications when expired certificates are detected in use
* **Comprehensive coverage**: Monitors certificates used in both client-to-Gateway and Gateway-to-upstream connections
* **Smart throttling**: Built-in cooldown mechanisms prevent alert flooding while ensuring visibility

These events integrate seamlessly with existing monitoring and alerting systems through Tyk's standard event framework, enabling teams to set up automated workflows for certificate renewal and replacement.

**Key benefits**

* Prevent unexpected API outages due to expired certificates
* Reduce manual certificate monitoring overhead
* Enable proactive certificate lifecycle management
* Improve overall API reliability and uptime

Perfect for organizations managing multiple certificates across complex API infrastructures where manual tracking becomes impractical.

For more details, please see the dedicated [Gateway events](/nightly/api-management/gateway-events) section.

#### Breaking Changes

There are no breaking changes in this release.

#### Dependencies

<a id="dependencies-5.10.0" />

##### Compatibility Matrix For Tyk Components

| Gateway Version | Recommended Releases | Backwards Compatibility |
| :-------------- | :------------------- | :---------------------- |
| 5.10.0          | MDCB v2.8.5          | MDCB v2.8.5             |
|                 | Operator v1.2.0      | Operator v0.17          |
|                 | Sync v2.1.3          | Sync v2.1.0             |
|                 | Helm Chart v4.0      | Helm all versions       |
|                 | Pump v1.12.2         | Pump all versions       |

##### 3rd Party Dependencies & Tools

| Third Party Dependency                                        | Tested Versions     | Compatible Versions | Comments                                                                         |
| :------------------------------------------------------------ | :------------------ | :------------------ | :------------------------------------------------------------------------------- |
| [Go](https://go.dev/dl/)                                      | 1.24                | 1.24                | [Go plugins](/nightly/api-management/plugins/golang) must be built using Go 1.24 |
| [Redis](https://redis.io/download/)                           | 6.2.x, 7.x, 7.4.x   | 6.2.x, 7.x, 7.4.x   |                                                                                  |
| [Valkey](https://valkey.io/download/)                         | 7.2.x, 8.0.x, 8.1.x | 7.2.x, 8.0.x, 8.1.x |                                                                                  |
| [OpenAPI Specification](https://spec.openapis.org/oas/v3.0.3) | v3.0.x              | v3.0.x              | Supported by [Tyk OAS](/nightly/api-management/gateway-config-tyk-oas)           |

Given the potential time difference between your upgrade and the release of this version, we recommend users verify the ongoing support of third-party dependencies they install, as their status may have changed since the release.

#### Deprecations

There are no deprecations in this release.

#### Upgrade instructions

<a id="upgrade-5.10.0" />

If you are upgrading to 5.10.0, please follow the detailed [upgrade instructions](/nightly/#upgrading-tyk).

#### Downloads

* [Docker image to pull](https://hub.docker.com/r/tykio/tyk-gateway/tags?page=\&page_size=\&ordering=\&name=v5.10.0)
  * ```bash theme={null}
    docker pull tykio/tyk-gateway:v5.10.0
    ```
* Helm charts
  * [tyk-charts v4.0.0](/nightly/developer-support/release-notes/helm-chart#4-0-0-release-notes)

Please note that the Tyk Helm Charts are configured to install the LTS version of Tyk Gateway. You will need to modify them to install v5.10.0.

* [Source code tarball of Tyk Gateway v5.10.0](https://github.com/TykTechnologies/tyk/releases/tag/v5.10.0)

#### Changelog

<a id="Changelog-v5.10.0" data-scroll-offset />

##### Added

<AccordionGroup>
  <Accordion title="OpenAPI compliant multi-authentication mode for Tyk OAS APIs">
    Added OpenAPI Specification compliant multi-authentication support for Tyk OAS APIs, providing flexible authentication workflows that follow standard OpenAPI security patterns.

    **Compliant mode (new)**

    * Processes all entries in the OpenAPI `security` section sequentially, not just the first entry
    * Supports a local `security` section in the Tyk vendor extension for proprietary authentication methods (Custom Authentication plugin, HMAC)
    * Uses AND logic within each security entry and OR logic between entries, enabling flexible authentication combinations such as: OAuth2 OR Auth Token
    * Allows clients to authenticate using any of the defined security combinations

    **Legacy mode (existing behavior)**

    * Continues to use only the first entry from the OpenAPI `security` section
    * Combines all declared methods with proprietary vendor extension methods using AND logic
    * Requires clients to satisfy ALL authentication methods

    The authentication processing mode is controlled by the new `server.authentication.securityProcessingMode` field in the Tyk Vendor Extension, with `legacy` as the default to ensure backward compatibility. In compliant mode, proprietary authentication methods are configured in the new `server.authentication.security` section within the vendor extension, following the same array structure as the OpenAPI `security` section. This prevents breaking changes for existing API definitions that contain multiple entries in the `security` section but were designed for legacy processing behavior.
  </Accordion>

  <Accordion title="Enhanced JWT claim validation for Tyk OAS APIs">
    Tyk OAS APIs now support comprehensive validation of JWT registered claims, extending beyond basic token validation to provide complete access control capabilities. This enhancement includes:

    **Registered claim validation**

    * **Subject, issuer, and audience validation**: Validate tokens against allowed values with support for multiple entries per claim type
    * **JWT ID enforcement**: Require presence of unique token identifiers (`jti`) when needed
    * **Flexible claim mapping**: Configure different claim names for subject, base policy, and scope-to-policy mapping to support multiple Identity Providers within the same API setup (e.g., Keycloak's `scope` vs Okta's `scp`)

    **Custom claim validation framework**

    * **Flexible validation rules**: Define validation for any custom JWT claim using three rule types: `required` (claim must exist), `exact_match` (claim equals specific values), or `contains` (claim contains specific values)
    * **Advanced data support**: Handle string, number, boolean, and array data types with nested claim access using dot notation (e.g., `user.department`)
    * **Non-blocking validation**: Configure rules to log warnings instead of rejecting requests for monitoring and gradual enforcement scenarios

    These features enable advanced use cases, such as role-based access control, department validation, and custom permission schemes, while maintaining backward compatibility with existing JWT configurations.

    **Note:** Available only for Tyk OAS APIs and configured directly in the API definition via the Tyk Vendor Extension.
  </Accordion>

  <Accordion title="Enhanced JWKS caching with configurable timeout, invalidation, and pre-fetching">
    Enhanced the JWKS (JSON Web Key Set) caching system with three key improvements to reduce latency and provide better control over JWT validation:

    * Configurable cache timeout - Tyk OAS APIs can now specify custom cache timeout values for JWKS endpoints in their JWT validation configuration, allowing fine-tuned control over cache refresh intervals based on Identity Provider requirements.
    * Cache invalidation API - Administrators can now manually invalidate JWKS cache entries via new Gateway API endpoints (`DELETE /tyk/cache/jwks/{apiID}` and `DELETE /tyk/cache/jwks`), either targeting specific APIs or purging all cached JWKS data. This enables immediate cache refresh when Identity Provider keys are rotated.
    * Automatic pre-fetching - For Tyk OAS APIs, JWKS data is now automatically fetched and cached when API definitions are loaded, eliminating cold-start delays for JWT validation. Pre-fetching includes comprehensive logging of fetch attempts and results, and failures do not prevent API initialization.

    **Note:** For Tyk Classic APIs, JWKS caching behavior remains unchanged with on-demand fetching during token validation using the default cache timeout (60 seconds). Cache invalidation via the new API endpoints works for both Classic and OAS APIs.

    These enhancements improve JWT validation performance for Tyk OAS APIs and provide administrators with better tools for managing JWKS cache lifecycle when Identity Provider keys change.
  </Accordion>

  <Accordion title="Enhanced external service integration with proxy and mTLS support">
    Added a new `external_services` section in the [Gateway configuration](/nightly/configure/external-service) to provide centralized configuration for proxy settings and mTLS certificates when communicating with external services. This includes connections to persistent and temporal storage, OAuth 2.0 Authorization Servers, and webhook targets.

    Tyk Gateway can now apply proxy settings from standard environment variables (`HTTP_PROXY`, `HTTPS_PROXY`, `NO_PROXY`) or use the new granular configuration options. All existing configuration methods remain supported, including legacy options such as `jwt_ssl_insecure_skip_verify` and `http_proxy`.
  </Accordion>

  <Accordion title="Gateway Certificate Expiry Notification Events">
    Introduced a proactive event system to warn administrators when mTLS certificates are approaching expiry. The Gateway now emits two new [API events](/nightly/api-management/gateway-events#api-events) to provide visibility into certificate status:

    * `CertificateExpiringSoon` - Generated when a certificate is used in an API request (either client-to-Gateway or Gateway-to-upstream) within a configurable time period of its expiry date
    * `CertificateExpired` - Generated when an attempt is made to use an already expired certificate, in addition to the standard error response sent to the API client

    A cooldown mechanism prevents event flooding by throttling the generation of these notifications. The threshold for the `CertificateExpiringSoon` event and cooldown parameters are configured in the Gateway configuration:

    ```
    "security": {
      "certificate_expiry_monitor": {}
    }
    ```

    The default threshold is 30 days before expiry.
  </Accordion>
</AccordionGroup>

##### Changed

<Expandable title="Go 1.24 Upgrade for Tyk Gateway">
  The Tyk Gateway has been updated to [Golang 1.24](https://tip.golang.org/doc/go1.24), improving security by staying up-to-date with Go versions.
</Expandable>

<Expandable title="Support for pre-configurable versioning setup for Tyk OAS APIs">
  Implemented changes to the validation of Tyk OAS API definitions to support the enhanced versioning workflow implemented in Tyk Dashboard v5.10.0. This allows the pre-configuration of versioning settings before creating any child versions. You can now define the version identifier location (header, URL path, or query parameter) and key/name/pattern, and the request proxying behavior on a non-versioned API, preparing it to become a base API.
</Expandable>

##### Fixed

<AccordionGroup>
  <Accordion title="Fixed panic when an unexpected query parameter is provided to the Gateway API">
    Fixed an issue where sending certain unexpected query parameters to the `GET /tyk/apis/oas/{id}` endpoint could cause a panic.
  </Accordion>

  <Accordion title="Fixed duplication of version identifier configuration when importing OpenAPI description">
    Fixed an issue where importing an OpenAPI description with an `apiKey` security scheme, while using the `authentication` query parameter, resulted in the unnecessary generation of a `header` object within the Tyk Vendor Extension (`x-tyk-api-gateway`), duplicating information already present in the declared OpenAPI security scheme.
  </Accordion>

  <Accordion title="Fixed mock responses not working with internal API proxying">
    Fixed an issue where Tyk OAS mock response middleware failed to execute when internal API proxying was enabled. Mock responses configured in the target API are now correctly returned when a request is redirected to another API on the same Tyk Gateway instance via [internal looping](/nightly/advanced-configuration/transform-traffic/looping).
  </Accordion>

  <Accordion title="Base API CORS settings incorrectly applied to child API versions">
    Fixed an issue where CORS settings from the base API were incorrectly applied to all versions of a Tyk OAS API, preventing child API versions from using their own CORS configuration. This occurred because the CORS check was performed before the request was routed to the correct API version.

    The processing order has been corrected so that requests are first routed to the appropriate version (base or child), then the correct CORS settings are applied, allowing each API version to have its own CORS configuration.
  </Accordion>

  <Accordion title="Fixed Request Body Transform middleware not being applied with regex in URL rewrite">
    Fixed an issue where Response Body Transformation middleware failed to apply to endpoints that used URL rewrite with regex patterns. When the endpoint path contained regex metacharacters (e.g., \$, ^, (), \[]), these characters interfered with the body transformation's internal pattern-matching process, preventing the middleware from executing.
  </Accordion>

  <Accordion title="Fixed duration format validation errors in Tyk OAS API definitions">
    Resolved an issue where the Gateway automatically converted Readable Duration values (such as uptime test timeouts) in Tyk OAS API definitions from integer-based formats to decimal formats, which triggered schema validation warnings. The effect of this was seen in the Tyk OAS API editor in the Dashboard UI where, for example, a duration of '4s500ms' would be converted to '4.5s' when reopening an API definition.

    Duration values are now consistently serialized and maintained in their original, integer-based format, preventing these validation errors.
  </Accordion>

  <Accordion title="Fixed TLS configuration not being applied for Redis rate limiting">
    Fixed an issue where Tyk Gateway did not properly apply the configured TLS settings when connecting to Redis for rate limiting operations. This could result in connection failures and incorrect `HTTP 429 Too Many Requests` responses being returned to clients. The rate limiter now correctly establishes TLS connections to Redis.
  </Accordion>

  <Accordion title="Fixed Gateway crash when deleting APIs with Uptime Test enabled">
    Fixed a bug where deleting an API with the Uptime Test feature enabled could cause the Gateway to crash due to a nil pointer dereference during cleanup operations. The Gateway now properly handles memory cleanup when removing APIs with active uptime tests, preventing crashes and ensuring stable API lifecycle management.
  </Accordion>

  <Accordion title="Fixed Gateway re-registration failures after restart">
    Fixed an issue where Gateways could fail to re-register with the Dashboard after a restart, particularly during upgrades or in large-scale deployments. This resulted in `Authorization failed (Nonce empty)` errors and Gateway crash loops that prevented successful registration.

    The fix includes an updated license handler with hardened registration logic, enhanced Dashboard authentication retry mechanisms, and support for new "Unlimited Gateway" licenses, ensuring Gateways register reliably without entering failure loops even during heavy churn or rolling upgrades.
  </Accordion>

  <Accordion title="Fixed body decompression errors with GraphQL APIs when analytics is enabled">
    Fixed an issue that caused repeated `Body decompression error: EOF` log messages when analytics were enabled for GraphQL APIs. The problem occurred because the Gateway attempted to decompress the response body after it had already been consumed for analytics processing, resulting in End of File (EOF) errors.

    The Gateway now properly handles response body consumption for GraphQL APIs with analytics, eliminating the spurious error logs.
  </Accordion>

  <Accordion title="Stricter validation for version name parameter when creating a new child API version">
    Fixed an issue where users could create child Tyk OAS API versions using the `/tyk/apis/oas` endpoint without specifying a valid version name (`new_version_name`). The Gateway API now rejects such requests with an `HTTP 422 Unprocessable Entity` error, ensuring all versions have meaningful identifiers and preventing the creation of unusable or empty version entries.
  </Accordion>

  <Accordion title="Fixed inconsistent middleware updates for Tyk OAS API `PATCH` requests">
    Fixed an issue where updating a Tyk OAS API via `PATCH /tyk/apis/oas/{apiId}` did not properly update the Tyk Vendor Extension (`x-tyk-api-gateway`). When endpoints were removed or modified in the OpenAPI description, their corresponding middleware definitions could persist incorrectly in the vendor extension, leaving the API definition in an inconsistent state.

    The vendor extension is now correctly rebuilt to reflect all changes made to the OpenAPI description.
  </Accordion>
</AccordionGroup>

## 5.9 Release Notes

### 5.9.2 Release Notes

#### Release Date 5th September 2025

#### Release Highlights

This is a version bump to align with Dashboard v5.9.2; no changes have been implemented in this release. For further information, please see the release notes for Dashboard [v5.9.2](/nightly/developer-support/release-notes/dashboard#5-9-2-release-notes).

#### Breaking Changes

There are no breaking changes in this release.

#### Dependencies

##### Compatibility Matrix For Tyk Components

| Gateway Version | Recommended Releases | Backwards Compatibility |
| :-------------- | :------------------- | :---------------------- |
| 5.9.2           | MDCB v2.8.4          | MDCB v2.8.4             |
|                 | Operator v1.2.0      | Operator v0.17          |
|                 | Sync v2.1.3          | Sync v2.1.0             |
|                 | Helm Chart v4.0      | Helm all versions       |
|                 | Pump v1.12.1         | Pump all versions       |

##### 3rd Party Dependencies & Tools

| Third Party Dependency                                        | Tested Versions     | Compatible Versions | Comments                                                                         |
| :------------------------------------------------------------ | :------------------ | :------------------ | :------------------------------------------------------------------------------- |
| [Go](https://go.dev/dl/)                                      | 1.23                | 1.23                | [Go plugins](/nightly/api-management/plugins/golang) must be built using Go 1.23 |
| [Redis](https://redis.io/download/)                           | 6.2.x, 7.x, 7.4.x   | 6.2.x, 7.x, 7.4.x   |                                                                                  |
| [Valkey](https://valkey.io/download/)                         | 7.2.x, 8.0.x, 8.1.x | 7.2.x, 8.0.x, 8.1.x |                                                                                  |
| [OpenAPI Specification](https://spec.openapis.org/oas/v3.0.3) | v3.0.x              | v3.0.x              | Supported by [Tyk OAS](/nightly/api-management/gateway-config-tyk-oas)           |

Given the potential time difference between your upgrade and the release of this version, we recommend users verify the ongoing support of third-party dependencies they install, as their status may have changed since the release.

#### Deprecations

There are no deprecations in this release.

#### Upgrade instructions

<a id="upgrade-5.9.2" />

If you are upgrading to 5.9.2, please follow the detailed [upgrade instructions](/nightly/#upgrading-tyk).

#### Downloads

* [Docker image to pull](https://hub.docker.com/r/tykio/tyk-gateway/tags?page=\&page_size=\&ordering=\&name=v5.9.2)
  * ```bash theme={null}
    docker pull tykio/tyk-gateway:v5.9.2
    ```

* Helm charts
  * [tyk-charts v4.0.0](/nightly/developer-support/release-notes/helm-chart#4-0-0-release-notes)
    Please note that the Tyk Helm Charts are configured to install the LTS version of Tyk Gateway. You will need to modify them to install v5.9.2.

* [Source code tarball of Tyk Gateway v5.9.2](https://github.com/TykTechnologies/tyk/releases/tag/v5.9.2)

#### Changelog

<a id="Changelog-v5.9.2" data-scroll-offset />

Since this release was version-bumped only to align with Dashboard v5.9.2, no changes were made in this release.

### 5.9.1 Release Notes

#### Release Date 14th August 2025

#### Release Highlights

This release restores the stable /hello health-check behavior for Kubernetes probes. Deployments using /hello for liveness or readiness will now behave consistently again.

It also fixes a schema compatibility issue in the URL Rewrite middleware, ensuring that API promotion and validation flows no longer fail due to schema mismatches.

For a comprehensive list of changes, please refer to the detailed [changelog](/nightly/#Changelog-v5.9.1).

#### Breaking Changes

There are no breaking changes in this release.

#### Dependencies

##### Compatibility Matrix For Tyk Components

| Gateway Version | Recommended Releases | Backwards Compatibility |
| :-------------- | :------------------- | :---------------------- |
| 5.9.1           | MDCB v2.8.3          | MDCB v2.8.3             |
|                 | Operator v1.2.0      | Operator v0.17          |
|                 | Sync v2.1.2          | Sync v2.1.0             |
|                 | Helm Chart v4.0      | Helm all versions       |
|                 | Pump v1.12.0         | Pump all versions       |

##### 3rd Party Dependencies & Tools

| Third Party Dependency                                        | Tested Versions     | Compatible Versions | Comments                                                                         |
| :------------------------------------------------------------ | :------------------ | :------------------ | :------------------------------------------------------------------------------- |
| [Go](https://go.dev/dl/)                                      | 1.23                | 1.23                | [Go plugins](/nightly/api-management/plugins/golang) must be built using Go 1.23 |
| [Redis](https://redis.io/download/)                           | 6.2.x, 7.x, 7.4.x   | 6.2.x, 7.x, 7.4.x   |                                                                                  |
| [Valkey](https://valkey.io/download/)                         | 7.2.x, 8.0.x, 8.1.x | 7.2.x, 8.0.x, 8.1.x |                                                                                  |
| [OpenAPI Specification](https://spec.openapis.org/oas/v3.0.3) | v3.0.x              | v3.0.x              | Supported by [Tyk OAS](/nightly/api-management/gateway-config-tyk-oas)           |

Given the potential time difference between your upgrade and the release of this version, we recommend users verify the ongoing support of third-party dependencies they install, as their status may have changed since the release.

#### Deprecations

There are no deprecations in this release.

#### Upgrade instructions

If you are upgrading to 5.9.1, please follow the detailed [upgrade instructions](/nightly/#upgrading-tyk).

#### Downloads

* [Docker image to pull](https://hub.docker.com/r/tykio/tyk-gateway/tags?page=\&page_size=\&ordering=\&name=v5.9.1)
  * ```bash theme={null}
    docker pull tykio/tyk-gateway:v5.9.1
    ```

* Helm charts
  * [tyk-charts v4.0.0](/nightly/developer-support/release-notes/helm-chart#4-0-0-release-notes)

* [Source code tarball of Tyk Gateway v5.9.1](https://github.com/TykTechnologies/tyk/releases/tag/v5.9.1)

#### Changelog

<a id="Changelog-v5.9.1" data-scroll-offset />

##### Fixed

<Expandable title="Gateway `/hello` endpoint behaviour restored when Redis is unavailable">
  Reverted the change introduced in versions 5.9.0 and 5.8.3 to the `/hello` health check endpoint, restoring its original functionality. This fix resolves an issue where the endpoint returned a 503 error when Redis was down. The `/hello` endpoint now correctly returns HTTP 200 during normal operations, ensuring compatibility with Kubernetes liveness and readiness probes.
</Expandable>

<Expandable title="URL Rewrite Middleware Schema Compatibility Fix">
  Fixed a breaking change in the URL Rewrite middleware schema where the `negate` field inadvertently became mandatory in versions 5.8.3 and 5.9.0. This change caused validation errors when promoting APIs created in earlier versions (e.g., 5.8.1) to newer environments. The `negate` field is now optional again, restoring backward compatibility and defaulting to `false` when omitted.
</Expandable>

### 5.9.0 Release Notes

#### Release Date 4th August 2025

#### Release Highlights

This release builds on the recent release of [Tyk 5.8.3](/nightly/developer-support/release-notes/gateway#5-8-3-release-notes), adding a collection of new capabilities. For a comprehensive list of changes, please refer to the detailed [changelog](/nightly/#Changelog-v5.9.0).

##### Accept JSON Web Tokens (JWTs) Issued By Multiple Identity Providers

Tyk can now validate JWTs against multiple JSON Web Key Set (JWKS) endpoints, allowing you to use different IdPs to issue JWTs for the same API. Previously, we supported only a single JWKS endpoint in the `source` field, but now you can register multiple JWKS endpoints in the Tyk OAS API definition.

When a request is received bearing a JWT, Tyk will retrieve JWKS from all registered IdPs to check the token's validity. For full details of how to use this powerful feature, see the improved [JWT Authentication](/nightly/api-management/authentication/jwt-signature-validation#remotely-stored-keys-jwks-endpoint) section.

**Please note that this functionality is not available for Tyk Classic APIs.**

##### Compatibility with Valkey

Tyk is now fully compatible with [Valkey](https://valkey.io/), the open-source (BSD) high-performance key/value datastore backed by the Linux Foundation, as an alternative to Redis.

##### Enhancements to Tyk Streams for Enterprise Edition

We've added support for additional processors, inputs and outputs for [Tyk Streams event driven APIs](/nightly/api-management/event-driven-apis), extending the flexibility of this powerful feature.

#### Breaking Changes

**1. Modified `/hello` endpoint behavior affects Kubernetes deployments**

In Tyk Gateway version 5.9.0, we introduced a breaking change to the `/hello` health check endpoint behavior. Previously, this endpoint would always return HTTP 200 during normal operations, regardless of Redis connectivity. The change made the endpoint return HTTP 503 when Redis was unavailable, which is not the intended behavior and caused issues for Kubernetes deployments using this endpoint for liveness probes.

##### Impact

* Kubernetes pods may be unnecessarily terminated when Redis becomes temporarily unavailable
* Deployments using `/hello` for both liveness and readiness probes experience disruption
* This contradicts the documented behavior that the Gateway continues functioning when Redis is unavailable

##### Expected Fix Version

This issue will be fixed in Tyk Gateway version 5.9.1, where we will:

* Revert the `/hello` endpoint to its pre-5.8.3 behavior (always return HTTP 200 during normal operations)
* Ensure backward compatibility for existing Kubernetes deployments

**2. URL rewrite rules now require explicit `negate` field**

A breaking change has been identified in Tyk 5.9.0 regarding [URL rewrite rules](/nightly/transform-traffic/url-rewriting). The `negate` field, which was optional in previous versions, is now mandatory in all URL rewrite rule configurations.

##### What Changed

In Tyk 5.8.2 and earlier, the `negate` field in [URL rewrite rules](/nightly/transform-traffic/url-rewriting) included an `omitempty` tag, making it optional in JSON. If not provided, it would default to `false`.

In Tyk 5.9.0, this `omitempty` tag has been removed, making the `negate` field mandatory in all URL rewrite rule configurations.

##### Impact

API definitions that worked in Tyk 5.8.2 will fail validation in Tyk 5.9.0 if they contain URL rewrite rules without an explicit `negate` field. This may cause API updates, or promotion between environments, to fail with error messages similar to:

```
Error: API Updating Returned error: {
  "Status": "Error",
  "Message": "x-tyk-api-gateway.middleware.operations.(.*)OPTIONS.urlRewrite.triggers.0.rules.0: negate is required"
}
```

##### Workarounds

When using Tyk 5.9.0, you must explicitly include the `negate` field, which is now required, in all URL rewrite rules:

```
{
  "rules": [
    {
      "in": "header",
      "name": "x-example",
      "pattern": "test",
      "negate": false
    }
  ]
}
```

Set negate: false for standard matching behavior, or negate: true
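
A pre-upgrade check for the workaround above, as an added example rather than Tyk's own tooling: it walks a parsed Tyk OAS API definition, reports every URL rewrite rule that lacks an explicit `negate`, and returns a patched copy with `negate: false` filled in. The `operations.<id>.urlRewrite.triggers[].rules[]` layout is assumed from the path in the error message above, and `SAMPLE_OAS_API` is constructed.

```python
import copy
import json

VENDOR_EXT = "x-tyk-api-gateway"

# Constructed sample: only the fields needed for the check are present.
SAMPLE_OAS_API = {
    "info": {"title": "constructed-example", "version": "1.0.0"},
    VENDOR_EXT: {
        "middleware": {
            "operations": {
                "(.*)OPTIONS": {
                    "urlRewrite": {
                        "triggers": [
                            {
                                "rules": [
                                    # No "negate": rejected by 5.9.0 validation.
                                    {"in": "header", "name": "x-example", "pattern": "test"},
                                    # Explicit value: must be left untouched.
                                    {"in": "header", "name": "x-other", "pattern": "a", "negate": True},
                                ]
                            }
                        ]
                    }
                },
                # Operation without URL rewrite middleware.
                "getStatus": {},
            }
        }
    },
}


def iter_rewrite_rules(api_def):
    """Yield (dotted_path, rule_dict) for every URL rewrite trigger rule.

    The layout (assumed from the validation error path) is:
    x-tyk-api-gateway.middleware.operations.<id>.urlRewrite.triggers[].rules[]
    """
    ext = api_def.get(VENDOR_EXT) or {}
    operations = (ext.get("middleware") or {}).get("operations") or {}
    for op_id, operation in operations.items():
        triggers = ((operation or {}).get("urlRewrite") or {}).get("triggers") or []
        for t_idx, trigger in enumerate(triggers):
            for r_idx, rule in enumerate(trigger.get("rules") or []):
                path = (
                    f"{VENDOR_EXT}.middleware.operations.{op_id}"
                    f".urlRewrite.triggers.{t_idx}.rules.{r_idx}"
                )
                yield path, rule


def find_rules_missing_negate(api_def):
    """Return the paths of rules that would fail with 'negate is required'."""
    return [path for path, rule in iter_rewrite_rules(api_def) if "negate" not in rule]


def add_default_negate(api_def):
    """Return a deep copy in which every rule has an explicit negate value.

    Missing values become False, the default that applied when the field
    was optional; explicit values are preserved.
    """
    patched = copy.deepcopy(api_def)
    for _, rule in iter_rewrite_rules(patched):
        rule.setdefault("negate", False)
    return patched


if __name__ == "__main__":
    for path in find_rules_missing_negate(SAMPLE_OAS_API):
        print(f"missing negate: {path}")
    print(json.dumps(add_default_negate(SAMPLE_OAS_API)[VENDOR_EXT], indent=2))
```

The reported path has the same form as the one in the validation error, so findings can be matched directly against failed promotions.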

##### Expected fix version

This issue will be fixed in Tyk 5.9.1, where we're going to make the `negate` field optional again.

#### Dependencies

##### Compatibility Matrix For Tyk Components

| Gateway Version | Recommended Releases | Backwards Compatibility |
| :-------------- | :------------------- | :---------------------- |
| 5.9.0           | MDCB v2.8.2          | MDCB v2.8.2             |
|                 | Operator v1.2.0      | Operator v0.17          |
|                 | Sync v2.1.2          | Sync v2.1.0             |
|                 | Helm Chart v4.0      | Helm all versions       |
|                 | Pump v1.12.0         | Pump all versions       |

##### 3rd Party Dependencies & Tools

| Third Party Dependency                                        | Tested Versions     | Compatible Versions | Comments                                                                         |
| :------------------------------------------------------------ | :------------------ | :------------------ | :------------------------------------------------------------------------------- |
| [Go](https://go.dev/dl/)                                      | 1.23                | 1.23                | [Go plugins](/nightly/api-management/plugins/golang) must be built using Go 1.23 |
| [Redis](https://redis.io/download/)                           | 6.2.x, 7.x, 7.4.x   | 6.2.x, 7.x, 7.4.x   |                                                                                  |
| [Valkey](https://valkey.io/download/)                         | 7.2.x, 8.0.x, 8.1.x | 7.2.x, 8.0.x, 8.1.x |                                                                                  |
| [OpenAPI Specification](https://spec.openapis.org/oas/v3.0.3) | v3.0.x              | v3.0.x              | Supported by [Tyk OAS](/nightly/api-management/gateway-config-tyk-oas)           |

Given the potential time difference between your upgrade and the release of this version, we recommend users verify the ongoing support of third-party dependencies they install, as their status may have changed since the release.

#### Deprecations

There are no deprecations in this release.

#### Upgrade instructions

If you are upgrading to 5.9.0, please follow the detailed [upgrade instructions](/nightly/#upgrading-tyk).

#### Downloads

* [Docker image to pull](https://hub.docker.com/r/tykio/tyk-gateway/tags?page=\&page_size=\&ordering=\&name=v5.9.0)
  * ```bash theme={null}
    docker pull tykio/tyk-gateway:v5.9.0
    ```

* Helm charts
  * [tyk-charts v4.0.0](/nightly/developer-support/release-notes/helm-chart#4-0-0-release-notes)

* [Source code tarball of Tyk Gateway v5.9.0](https://github.com/TykTechnologies/tyk/releases/tag/v5.9.0)

#### Changelog

<a id="Changelog-v5.9.0" data-scroll-offset />

##### Added

<AccordionGroup>
  <Accordion title="Valkey Database Compatibility">
    Added compatibility with Valkey database as an alternative to Redis. This is for fresh environments, with no migration support from Redis.
  </Accordion>

  <Accordion title="Authenticate with Multiple JWKS Providers">
    Added support for configuration of multiple JWKS (JSON Web Key Set) endpoints in the Tyk OAS API definition. This enables the Gateway to authenticate JSON Web Tokens (JWTs) in multi-identity provider environments. The JWKS endpoints are configured in the new `jwksURIs` array in the JWT Auth `securityScheme`. This will take precedence over the existing `source` field, and existing API definitions will be automatically migrated to use the new field, while maintaining backward compatibility in case of rollback.
  </Accordion>

  <Accordion title="Added GraphQL subscription support for upstream SSE servers that require the POST method">
    Enabled configuration for GraphQL SSE subscriptions to use `POST` requests instead of `GET`, addressing compatibility issues with upstream servers that require `POST`. We’ve added a new option `proxy.sse_use_post` which can be set if `proxy.subscription_type=sse` to cause Tyk to issue `POST` requests. This allows for larger subscription payloads and keeps the subscription payload out of the URL.
  </Accordion>

  <Accordion title="Added AMQP and MQTT as Input/Output Methods for Tyk Streams APIs">
    Added support for AMQP (0.9 and 1.0) and MQTT to be used for input and output methods when constructing Tyk Streams APIs.
  </Accordion>

  <Accordion title="Added Bloblang as a Processor for Tyk Streams APIs">
    Added support for Bloblang to be used as a new processor option for Tyk Streams APIs.
  </Accordion>

  <Accordion title="Added KeyID to Tyk Protobufs">
    Added the missing `KeyID` field to the coprocess `SessionState` proto, allowing gRPC plugins to access it and aligning it with the Go `SessionState` struct. This enables full feature parity for custom authentication and session management in gRPC plugins.
  </Accordion>
</AccordionGroup>

##### Changed

<Expandable title="Updated to use latest kin-openapi">
  Upgraded to use the latest upstream version of kin-openapi (v0.132.0). This ensures improved compatibility, full stack interoperability, and continued support for existing OpenAPI 3.0.x specifications.
</Expandable>

***

## 5.8 Release Notes

### 5.8.14 Release Notes

#### Release Date 21 May 2026

#### Release Highlights

This patch implements several changes and fixes to improve the stability and correct the behavior of the Gateway.

The default minimum and maximum TLS versions are now inherited directly from the underlying Go library, ensuring that Tyk users will benefit from best practice. If non-standard defaults are required, these must be deliberately configured.

We have fixed an issue that was preventing CORS preflight checks from running properly if an allow list was in use and various other issues in observability, internal looping, and Gateway stability.

For a comprehensive list of changes, please refer to the detailed [changelog](/nightly/#Changelog-v5.8.14) below.

#### Breaking Changes

**Default maximum and minimum TLS versions** are now inherited from the underlying Golang library and so will be TLS 1.3 and TLS 1.2 respectively (previously both were set to TLS 1.2).

You must set [http\_server\_options.max\_version](/nightly/tyk-oss-gateway/configuration#http_server_options-max_version) (or the equivalent environment variable) to `771` if you require an upper limit of TLS 1.2.

See [here](/nightly/api-management/implement-tls#controlling-tls-version-and-cipher-suites) for details of how to control TLS version and cipher suites.

**Query parameters from the original request are no longer automatically preserved when looping using the `tyk://` protocol**

We have fixed an inconsistent behavior when using the URL rewrite middleware to loop requests using the Tyk protocol (`tyk://api-id/path`).

Previously, query parameters added to the `rewrite_to` URL were silently dropped, while original request parameters were automatically preserved in the looped request.

This behavior was inconsistent with standard HTTP URL rewrites and prevented proper parameter transformation during internal API routing.

**Impact**

* Original request query parameters are no longer automatically forwarded through internal loops
* Existing URL rewrite configurations may lose query parameters that were previously passed through automatically
* APIs relying on automatic parameter forwarding will receive incomplete requests

**Migration Required**

Update your URL rewrite configurations to **explicitly include** any original query parameters you want to preserve. For example:

* **Before:** `"rewrite_to": "tyk://api-123/endpoint"` (original params auto-forwarded)
* **After:** `"rewrite_to": "tyk://api-123/endpoint?param1=$tyk_context.request_data.param1"`
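
To find the rewrites affected by this migration, the sketch below (an added example, not Tyk tooling) walks a parsed API definition, collects every `rewrite_to` that uses the `tyk://` scheme, and flags those that name no query parameter beyond the control parameters `method`, `loop_limit` and `check_limits`. The sample definition and its `extended_paths.url_rewrites` layout are constructed for illustration; only the `rewrite_to` key is taken from this page.

```python
from urllib.parse import parse_qsl, urlsplit

# Parameters the Gateway consumes itself when looping; they are not
# passed on to the target API.
CONTROL_PARAMS = {"method", "loop_limit", "check_limits"}

# Constructed sample definition (layout assumed for illustration).
SAMPLE_LOOPING_API = {
    "name": "constructed-example",
    "extended_paths": {
        "url_rewrites": [
            # Relied on automatic forwarding: nothing reaches the target now.
            {"path": "/a", "rewrite_to": "tyk://api-123/endpoint"},
            # Already migrated: param1 is forwarded explicitly.
            {"path": "/b",
             "rewrite_to": "tyk://api-123/endpoint?param1=$tyk_context.request_data.param1"},
            # Only control parameters: still forwards nothing to the target.
            {"path": "/c", "rewrite_to": "tyk://api-123/endpoint?method=GET&loop_limit=2"},
            # Not an internal loop: outside the scope of this change.
            {"path": "/d", "rewrite_to": "http://upstream.example/endpoint"},
        ]
    },
}


def iter_rewrite_targets(node, path=""):
    """Yield (dotted_path, value) for every string-valued "rewrite_to" key."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}" if path else key
            if key == "rewrite_to" and isinstance(value, str):
                yield child, value
            else:
                yield from iter_rewrite_targets(value, child)
    elif isinstance(node, list):
        for index, item in enumerate(node):
            child = f"{path}.{index}" if path else str(index)
            yield from iter_rewrite_targets(item, child)


def audit_looping_rewrites(api_def):
    """List tyk:// rewrites and the query parameters each one forwards.

    needs_review is True when the rewrite forwards no parameter of its own,
    which is the case that previously relied on automatic forwarding.
    """
    findings = []
    for path, target in iter_rewrite_targets(api_def):
        if not target.startswith("tyk://"):
            continue
        names = [name for name, _ in
                 parse_qsl(urlsplit(target).query, keep_blank_values=True)]
        forwarded = [name for name in names if name not in CONTROL_PARAMS]
        findings.append({
            "path": path,
            "rewrite_to": target,
            "forwarded": forwarded,
            "needs_review": not forwarded,
        })
    return findings


if __name__ == "__main__":
    for finding in audit_looping_rewrites(SAMPLE_LOOPING_API):
        status = "REVIEW" if finding["needs_review"] else "ok"
        print(f"{status:6} {finding['path']} -> {finding['rewrite_to']}")
```

A flagged entry is a candidate for review rather than proof of breakage, since the definition alone does not show whether the target API reads any query parameters.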

#### Dependencies

<a id="dependencies-5.8.14" />

##### Compatibility Matrix For Tyk Components

| Gateway Version | Recommended Releases | Backwards Compatibility |
| :-------------- | :------------------- | :---------------------- |
| 5.8.14          | MDCB v2.11.0         | MDCB v2.11.0            |
|                 | Operator v1.4.0      | Operator v0.17          |
|                 | Sync v2.1.8          | Sync v2.1.0             |
|                 | Helm Chart v5.2.0    | Helm all versions       |
|                 | Pump v1.15.0         | Pump all versions       |

##### 3rd Party Dependencies & Tools

<a id="3rdPartyTools-v5.8.14" />

| Third Party Dependency                                        | Tested Versions | Compatible Versions | Comments                                                                         |
| :------------------------------------------------------------ | :-------------- | :------------------ | :------------------------------------------------------------------------------- |
| [Golang](https://go.dev/dl/)                                  | 1.25            | 1.25                | [Go plugins](/nightly/api-management/plugins/golang) must be built using Go 1.25 |
| [Redis](https://redis.io/download/)                           | 6.2.x, 7.x      | 6.2.x, 7.x          | Used by Tyk Gateway                                                              |
| [OpenAPI Specification](https://spec.openapis.org/oas/v3.0.3) | v3.0.x          | v3.0.x              | Supported by [Tyk OAS](/nightly/api-management/gateway-config-tyk-oas)           |

Given the potential time difference between your upgrade and the release of this version, we recommend users verify the ongoing support of third-party dependencies they install, as their status may have changed since the release.

#### Deprecations

There are no deprecations in this release.

#### Upgrade instructions

<a id="upgrade-5.8.14" />

If you are upgrading to 5.8.14, please follow the detailed [upgrade instructions](/nightly/#upgrading-tyk).

#### Downloads

* [Docker Image to pull](https://hub.docker.com/r/tykio/tyk-gateway/tags?page=\&page_size=\&ordering=\&name=v5.8.14)
  * ```bash theme={null}
    docker pull tykio/tyk-gateway:v5.8.14
    ```

* Helm charts
  * [tyk-charts v5.2.0](/nightly/developer-support/release-notes/helm-chart#5-2-0-release-notes)

* [Source code tarball of Tyk Gateway v5.8.14](https://github.com/TykTechnologies/tyk/releases/tag/v5.8.14)

#### Changelog

<a id="Changelog-v5.8.14" data-scroll-offset />

##### Fixed

<AccordionGroup>
  <Accordion title="Fixed log level for client TLS certificate requirement errors">
    We have resolved an issue where "Client TLS certificate is required" errors were logged at `warning` level, creating unnecessary noise in production logs.

    Previously, these common client-side authentication failures generated excessive warning-level log entries that could trigger false alerts and obscure more critical issues. The Gateway now logs these authentication failures at `info` level, maintaining security visibility while reducing log noise and alert fatigue for operations teams.
  </Accordion>

  <Accordion title="Fixed malformed responses from Go plugins returning error status codes">
    We have resolved an issue where a Go plugin returning an error status code would result in malformed response bodies that concatenated the original plugin response with additional Gateway error messages.

    The Gateway now correctly handles plugin-generated error responses without double-writing headers, ensuring response bodies contain only the payload generated by the plugin and eliminating superfluous warnings in logs.
  </Accordion>

  <Accordion title="Fixed query parameter handling when routing requests internally using tyk:// scheme">
    We have resolved inconsistent query parameter handling in URL rewrites when [internally routing](/nightly/advanced-configuration/transform-traffic/looping) using the `tyk://` scheme. Previously, custom query parameters specified in the `rewrite_to` URL were silently dropped, while original request parameters were unexpectedly preserved.

    **What's Fixed:**

    * Query parameters explicitly added to `rewrite_to` URLs are now correctly passed to target APIs
    * Control parameters (`method`, `loop_limit`, `check_limits`) are properly consumed and removed
    * Behavior now matches URL rewrites using `http://` protocol

    <Note>
      It is important to note that **query parameters provided with the original request are no longer automatically forwarded**. You must update your [URL rewrite configuration](/nightly/transform-traffic/url-rewriting) to explicitly include any required parameters in the `rewrite_to` URL.
    </Note>
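
To check an existing rewrite before upgrading, the documented behavior can be modeled in a few lines. This is an added example, not Tyk's implementation: `ResolveLoop`, `DroppedParams` and the sample `rewrite_to` value are hypothetical names and constructed data, and only the three control parameters listed above are assumed.

```go
package main

import (
	"fmt"
	"net/url"
	"sort"
)

// controlParams are the loop control parameters named in the release note.
// The Gateway consumes them, so the target API never sees them.
var controlParams = []string{"method", "loop_limit", "check_limits"}

// LoopTarget (hypothetical type) describes what a tyk:// rewrite resolves to.
type LoopTarget struct {
	Path      string
	Control   map[string]string // control parameters consumed by the Gateway
	Forwarded string            // encoded query string the target API receives
}

// ResolveLoop models the behavior documented for 5.8.14: only parameters
// written in rewrite_to are forwarded, minus the control parameters.
func ResolveLoop(rewriteTo string) (LoopTarget, error) {
	u, err := url.Parse(rewriteTo)
	if err != nil {
		return LoopTarget{}, err
	}
	if u.Scheme != "tyk" {
		return LoopTarget{}, fmt.Errorf("not an internal rewrite: scheme %q", u.Scheme)
	}
	q, err := url.ParseQuery(u.RawQuery)
	if err != nil {
		return LoopTarget{}, err
	}
	t := LoopTarget{Path: u.Path, Control: map[string]string{}}
	for _, name := range controlParams {
		if q.Has(name) {
			t.Control[name] = q.Get(name)
			q.Del(name)
		}
	}
	t.Forwarded = q.Encode()
	return t, nil
}

// DroppedParams lists parameters of the original request that the target API
// no longer receives because rewrite_to does not name them. Each one must be
// added to rewrite_to explicitly if the target still depends on it.
func DroppedParams(rewriteTo, originalRawQuery string) ([]string, error) {
	t, err := ResolveLoop(rewriteTo)
	if err != nil {
		return nil, err
	}
	fwd, err := url.ParseQuery(t.Forwarded)
	if err != nil {
		return nil, err
	}
	orig, err := url.ParseQuery(originalRawQuery)
	if err != nil {
		return nil, err
	}
	var dropped []string
	for name := range orig {
		if !fwd.Has(name) {
			dropped = append(dropped, name)
		}
	}
	sort.Strings(dropped)
	return dropped, nil
}

func main() {
	// Constructed sample: a rewrite_to value and a client's original query string.
	rewriteTo := "tyk://self/orders?method=GET&loop_limit=2&tenant=acme"
	t, err := ResolveLoop(rewriteTo)
	if err != nil {
		panic(err)
	}
	dropped, err := DroppedParams(rewriteTo, "page=3&tenant=other")
	if err != nil {
		panic(err)
	}
	fmt.Printf("path=%s control=%v forwarded=%q dropped=%v\n", t.Path, t.Control, t.Forwarded, dropped)
}
```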
  </Accordion>

  <Accordion title="Fixed client mTLS authentication between Tyk Gateways">
    We have resolved an issue where a Tyk Gateway acting as a client (using upstream mTLS) would fail to authenticate against another Tyk Gateway acting as the mTLS server, resulting in `HTTP 403 Forbidden: Client TLS certificate is required` errors.

    The Gateway now reliably presents the configured upstream client certificate whenever requested by the target server, ensuring seamless mTLS communication between APIs hosted on different Tyk Gateways.
  </Accordion>

  <Accordion title="Inherit Maximum (1.3) and Minimum (1.2) TLS Versions from Go">
    We have resolved an issue where the Tyk Gateway default maximum TLS version was incorrectly set to TLS 1.2 instead of TLS 1.3.

    Tyk Gateway now follows Go's native TLS defaults (TLS 1.2 minimum, TLS 1.3 maximum), aligning with industry security standards. This maintains full backward compatibility for existing deployments that explicitly configure TLS versions.

    To change the maximum TLS version, you must explicitly set [TYK\_GW\_HTTPSERVEROPTIONS\_MAXVERSION](/nightly/tyk-oss-gateway/configuration#http_server_options-max_version) for client-to-Gateway connections or [TYK\_GW\_PROXYSSLMAXVERSION](/nightly/tyk-oss-gateway/configuration#proxy_ssl_max_version) for Gateway-to-upstream connections.

    To change the minimum TLS version, you must explicitly set [TYK\_GW\_HTTPSERVEROPTIONS\_MINVERSION](/nightly/tyk-oss-gateway/configuration#http_server_options-min_version) for client-to-Gateway connections or [TYK\_GW\_PROXYSSLMINVERSION](/nightly/tyk-oss-gateway/configuration#proxy_ssl_min_version) for Gateway-to-upstream connections.

    For full details of TLS version configuration see [here](/nightly/api-management/implement-tls#controlling-tls-version-and-cipher-suites).
  </Accordion>

  <Accordion title="Fixed CORS preflight blocking by AllowList middleware">
    We have resolved an issue where CORS preflight OPTIONS requests were incorrectly blocked by the AllowList middleware when `options_passthrough` was disabled.

    Previously, when APIs had CORS enabled with Tyk handling OPTIONS requests internally (`options_passthrough: false`), preflight requests would fail AllowList validation because users typically don't explicitly define OPTIONS endpoints in their AllowList configurations, causing "Requested endpoint is forbidden" errors.

    The Tyk Gateway now properly recognizes CORS preflight requests and allows them to bypass AllowList middleware checks when Tyk is configured to handle OPTIONS internally, restoring the expected behavior where CORS preflight handling works automatically without requiring explicit OPTIONS endpoint definitions.
  </Accordion>

  <Accordion title="Fixed analytics generation for Tyk OAS API mock endpoints">
    We have resolved an issue where Tyk OAS APIs with mock endpoints stopped generating analytics data. This functionality was inadvertently broken while fixing an unrelated internal API proxying issue in Tyk Gateway 5.8.6.

    Note that analytics are not generated for mock endpoints in Tyk Classic APIs as has always been the case.
  </Accordion>

  <Accordion title="Fixed OpenTelemetry configuration file settings being ignored">
    We have resolved an issue where OpenTelemetry settings could only be set using environment variables and not the Gateway configuration file (`tyk.conf`).

    Now OpenTelemetry can be configured via the [`opentelemetry`](/nightly/tyk-oss-gateway/configuration#opentelemetry) section in the Gateway config file (including `enabled`, `exporter`, and `endpoint` fields) or their equivalent environment variables.
  </Accordion>

  <Accordion title="Resolved issue with Gateway entering an unresponsive state during startup">
    We have fixed an issue where the Gateway could fail to load APIs and policies if the Control Plane database was temporarily unavailable during startup (either directly or via MDCB). The Gateway will now automatically retry loading configurations with exponential backoff until successful, restoring self-healing capabilities without requiring a manual restart.
  </Accordion>

  <Accordion title="Fixed error response format for SOAP+XML requests">
    We have resolved an issue where requests with the `application/soap+xml` Content-Type received JSON-formatted error responses instead of the expected XML format. The Gateway now correctly returns XML-formatted errors for SOAP requests.
  </Accordion>

  <Accordion title="Resolved Gateway registration failures at scale with Unlimited Node licenses">
    We have resolved a set of related issues affecting Gateway registration with the Dashboard at scale for deployments using an **unlimited node license**. During mass registrations or rolling upgrades, a combination of lock contention, excessive Redis load, and incorrect handling of `409 Conflict` responses could leave Gateways stuck in registration loops without the credentials needed to serve traffic.

    Gateway registration is now significantly more robust at scale: registration requests are no longer serialized across the fleet, Gateways recover cleanly from transient `409 Conflict` responses instead of looping, and the Redis load generated during registration storms is substantially reduced.

    A dedicated fix for **limited node license** deployments will be provided in an upcoming release.
  </Accordion>

  <Accordion title="Fixed memory issue and unintended rate limit reset in distributed rate limiting">
    Resolved an issue where the [Distributed Rate Limiter's](/nightly/api-management/rate-limit#distributed-rate-limiter) cache cleanup stopped running after its first execution. This could cause unbounded memory growth on APIs using rate limits with high-cardinality keys (such as per-client-IP rate limiting or custom plugins generating unique keys), and could briefly reset active rate-limit buckets shortly after Gateway startup, allowing requests that should have been blocked to pass through. Memory usage now stays bounded, and rate limits are enforced as configured.
  </Accordion>
</AccordionGroup>

##### Security Fixes

<AccordionGroup>
  <Accordion title="Resolved CVEs">
    We have addressed CVEs reported in dependent libraries, providing increased protection against security vulnerabilities, including, but not limited to:

    * <a href="https://nvd.nist.gov/vuln/detail/CVE-2026-39883" target="_blank">CVE-2026-39883</a>
    * <a href="https://nvd.nist.gov/vuln/detail/CVE-2026-39882" target="_blank">CVE-2026-39882</a>
  </Accordion>
</AccordionGroup>

***

### 5.8.13 Release Notes

#### Release Date 22 April 2026

#### Release Highlights

Tyk Gateway has been updated to Go 1.25 and Debian 13 (Trixie) for enhanced security and performance, including updated FIPS-compliant images. This release addresses multiple CVEs in dependent libraries and resolves a path matching inconsistency for Tyk OAS APIs. It also resurrects two fixes that have been missing since Tyk 5.8.6.

For a comprehensive list of changes, please refer to the detailed [changelog](/nightly/#Changelog-v5.8.13).

#### Breaking Changes

There are no breaking changes in this release.

#### Dependencies

##### Compatibility Matrix For Tyk Components

| Gateway Version | Recommended Releases | Backwards Compatibility |
| :-------------- | :------------------- | :---------------------- |
| 5.8.13          | MDCB v2.9.0          | MDCB v2.9.0             |
|                 | Operator v1.3.0      | Operator v0.17          |
|                 | Sync v2.1.6          | Sync v2.1.1             |
|                 | Helm Chart v5.1.0    | Helm all versions       |
|                 | Pump v1.14.1         | Pump all versions       |

##### 3rd Party Dependencies & Tools

| Third Party Dependency                                        | Tested Versions | Compatible Versions | Comments                                                                         |
| :------------------------------------------------------------ | :-------------- | :------------------ | :------------------------------------------------------------------------------- |
| [Go](https://go.dev/dl/)                                      | 1.24            | 1.24                | [Go plugins](/nightly/api-management/plugins/golang) must be built using Go 1.24 |
| [Redis](https://redis.io/download/)                           | 6.2.x, 7.x      | 6.2.x, 7.x          | Used by Tyk Gateway                                                              |
| [OpenAPI Specification](https://spec.openapis.org/oas/v3.0.3) | v3.0.x          | v3.0.x              | Supported by [Tyk OAS](/nightly/api-management/gateway-config-tyk-oas)           |

Given the potential time difference between your upgrade and the release of this version, we recommend users verify the ongoing support of third-party dependencies they install, as their status may have changed since the release.

#### Deprecations

No deprecations in this release.

#### Upgrade instructions

If you are upgrading to 5.8.13, please follow the detailed [upgrade instructions](/nightly/#upgrading-tyk).

#### Downloads

* [Docker image to pull](https://hub.docker.com/r/tykio/tyk-gateway/tags?page=\&page_size=\&ordering=\&name=v5.8.13)
  * ```bash theme={null}
    docker pull tykio/tyk-gateway:v5.8.13
    ```

* Helm charts
  * [tyk-charts v5.1.0](/nightly/developer-support/release-notes/helm-chart#5-1-0-release-notes)

* [Source code tarball of Tyk Gateway v5.8.13](https://github.com/TykTechnologies/tyk/releases/tag/v5.8.13)

#### Changelog

<a id="Changelog-v5.8.13" data-scroll-offset />

##### Changed

<AccordionGroup>
  <Accordion title="Updated Go version to 1.25">
    The Tyk Gateway has been updated to Golang 1.25, improving security by staying up-to-date with Go versions.
  </Accordion>

  <Accordion title="Update Docker images to Debian 13 (Trixie)">
    Updated the Docker images for Tyk Gateway to Debian 13 (Trixie) to address multiple vulnerabilities in the underlying operating system.
  </Accordion>
</AccordionGroup>

##### Fixed

<AccordionGroup>
  <Accordion title="Fixed path matching inconsistency for Tyk OAS APIs">
    Resolved an issue where parameterized paths could incorrectly take precedence over static paths when using the Request Validation or Mock Response middleware in Tyk OAS APIs. Static paths will now correctly bypass these middleware if not explicitly configured, restoring the expected routing behavior.
  </Accordion>

  <Accordion title="Gateway /hello endpoint behaviour restored when Redis is unavailable">
    Reverted the change introduced in versions 5.9.0 and 5.8.3 to the /hello health check endpoint, restoring its original functionality. This fix resolves an issue where the endpoint returned a 503 error when Redis was down. The /hello endpoint now correctly returns HTTP 200 during normal operations, ensuring compatibility with Kubernetes liveness and readiness probes.

    *This issue was originally fixed in Tyk 5.8.4 but then was omitted from Tyk 5.8.6 onwards*
  </Accordion>

  <Accordion title="Gateways in Distributed Data Planes Were Unable To Perform mTLS When MDCB Link Unavailable">
    Resolved an issue introduced in Tyk 5.7.1 where Gateways in distributed Data Planes failed to cache TLS certificates correctly in the local Redis, resulting in potential service disruptions if MDCB became unavailable. Data plane gateways now reliably serve HTTPS and mTLS traffic even if MDCB is unavailable.

    *This issue was originally fixed in Tyk 5.8.2 but then was omitted from Tyk 5.8.6 onwards*
  </Accordion>
</AccordionGroup>

##### Security Fixes

<AccordionGroup>
  <Accordion title="CVE fixed">
    Addressed the following CVEs, providing increased protection against security
    vulnerabilities, including, but not limited to:

    * <a href="https://nvd.nist.gov/vuln/detail/CVE-2025-15281" target="_blank">CVE-2025-15281</a>
    * <a href="https://nvd.nist.gov/vuln/detail/CVE-2026-0861" target="_blank">CVE-2026-0861</a>
    * <a href="https://nvd.nist.gov/vuln/detail/CVE-2026-0915" target="_blank">CVE-2026-0915</a>
    * <a href="https://nvd.nist.gov/vuln/detail/CVE-2026-25679" target="_blank">CVE-2026-25679</a>
    * <a href="https://nvd.nist.gov/vuln/detail/CVE-2026-32285" target="_blank">CVE-2026-32285</a>
    * <a href="https://nvd.nist.gov/vuln/detail/CVE-2026-32286" target="_blank">CVE-2026-32286</a>
    * <a href="https://www.cvedetails.com/cve/CVE-2026-33186/" target="_blank">CVE-2026-33186</a>
    * <a href="https://nvd.nist.gov/vuln/detail/CVE-2026-34986" target="_blank">CVE-2026-34986</a>
  </Accordion>
</AccordionGroup>

***

### 5.8.12 Release Notes

#### Release Date 11 March 2026

#### Release Highlights

In this release, we have fixed some discrepancies in the path matching decision making for different middleware when using Tyk OAS APIs. This corrects a number of unexpected behaviors and ensures consistent application of the expected transformations and checks to API requests. We have also addressed several issues that improve API reliability, observability, and user experience.

For a comprehensive list of changes, please refer to the detailed [changelog](/nightly/#Changelog-v5.8.12).

#### Breaking Changes

A change has been made to improve security of the *Auth Token + Dynamic mTLS* method for securing access to APIs deployed on Tyk. This removes the option to authenticate using only the auth token and enforces the mTLS handshake.

Previously API clients could authenticate without presenting the client certificate or holding the client's private key.

For any user relying on that behavior, we have added a new Gateway configuration option: `allow_unsafe_dynamic_mtls_token`. Unless deliberately configured in the config file or environment, this is set to `false` to ensure that Tyk is secure by default.

#### Dependencies

##### Compatibility Matrix For Tyk Components

| Gateway Version | Recommended Releases | Backwards Compatibility |
| :-------------- | :------------------- | :---------------------- |
| 5.8.12          | MDCB v2.9.0          | MDCB v2.9.0             |
|                 | Operator v1.3.0      | Operator v0.17          |
|                 | Sync v2.1.6          | Sync v2.1.1             |
|                 | Helm Chart v5.1.0    | Helm all versions       |
|                 | Pump v1.14.0         | Pump all versions       |

##### 3rd Party Dependencies & Tools

| Third Party Dependency                                        | Tested Versions | Compatible Versions | Comments                                                                         |
| :------------------------------------------------------------ | :-------------- | :------------------ | :------------------------------------------------------------------------------- |
| [Go](https://go.dev/dl/)                                      | 1.24            | 1.24                | [Go plugins](/nightly/api-management/plugins/golang) must be built using Go 1.24 |
| [Redis](https://redis.io/download/)                           | 6.2.x, 7.x      | 6.2.x, 7.x          | Used by Tyk Gateway                                                              |
| [OpenAPI Specification](https://spec.openapis.org/oas/v3.0.3) | v3.0.x          | v3.0.x              | Supported by [Tyk OAS](/nightly/api-management/gateway-config-tyk-oas)           |

Given the potential time difference between your upgrade and the release of this version, we recommend users verify the ongoing support of third-party dependencies they install, as their status may have changed since the release.

#### Deprecations

No deprecations in this release.

#### Upgrade instructions

If you are upgrading to 5.8.12, please follow the detailed [upgrade instructions](/nightly/#upgrading-tyk).

#### Downloads

* [Docker image to pull](https://hub.docker.com/r/tykio/tyk-gateway/tags?page=\&page_size=\&ordering=\&name=v5.8.12)
  * ```bash theme={null}
    docker pull tykio/tyk-gateway:v5.8.12
    ```

* Helm charts
  * [tyk-charts v5.1.0](/nightly/developer-support/release-notes/helm-chart#5-1-0-release-notes)

* [Source code tarball of Tyk Gateway v5.8.12](https://github.com/TykTechnologies/tyk/releases/tag/v5.8.12)

#### Changelog

<a id="Changelog-v5.8.12" data-scroll-offset />

##### Fixed

<AccordionGroup>
  <Accordion title="Fixed Path Matching Inconsistencies Between Classic and OAS API Middleware">
    Resolved path matching inconsistencies that could lead to Tyk OAS-specific middleware not being executed when expected.

    These inconsistencies could see the [Request Validation](/nightly/api-management/traffic-transformation/request-validation) and [Mock Response](/nightly/api-management/traffic-transformation/mock-response#mock-response) middleware being skipped in certain scenarios when using Tyk OAS APIs.

    These scenarios included:

    * some subpaths, for example the middleware configured for `/users` would not execute for `/users/123`
    * some child API versions
    * wildcard regexes in paths
    * root paths

    Now Tyk will apply the same decisions for these middleware as for the rest of the request processing chain.
  </Accordion>

  <Accordion title="Improved JWKS Error Messaging for Faster JWT Troubleshooting">
    Enhanced Gateway error logging for JWT authentication failures related to JWKS endpoints. Previously, JWKS configuration issues generated vague error messages that didn't indicate the root cause, making troubleshooting difficult and time-consuming.

    The Gateway now provides specific, actionable error messages that clearly identify whether failures stem from Base64 decoding issues, network connectivity problems, or invalid JWKS content.
  </Accordion>

  <Accordion title="Fixed Gateway Panic if HashiCorp Vault Path Not Found">
    Resolved an issue where the Gateway could crash with a panic if the API definition contained an illegal reference to a secret in HashiCorp Vault. If the requested path did not exist in Vault, the Gateway process could exit, resulting in a complete service outage during API loads, hot reloads, or Dashboard saves. The Gateway now gracefully handles the missing Vault path and logs a clear error message.
  </Accordion>

  <Accordion title="Fixed Incomplete Validation of Multi-Value Request Headers">
    Resolved an issue where Tyk only validated the first instance of multi-value headers when processing requests to Tyk OAS APIs, allowing invalid header values to bypass schema constraints.

    The Gateway now properly normalizes and validates all header values according to HTTP standards, ensuring that all values in multi-value headers comply with the defined OpenAPI schema constraints.
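
The gap between checking the first header instance and checking every value is easy to reproduce with Go's `net/http`. This is an added example, not Tyk's code: `headerRule`, `tenantRule`, the `X-Tenant-Id` header and its pattern are constructed, and the comma split assumes a list-valued header whose members contain no commas.

```go
package main

import (
	"fmt"
	"net/http"
	"regexp"
	"strings"
)

// headerRule is a hypothetical stand-in for an OpenAPI header parameter
// schema of type string with a pattern constraint.
type headerRule struct {
	Name    string
	Pattern *regexp.Regexp
}

// tenantRule is a constructed rule used by the sample requests below.
var tenantRule = headerRule{Name: "X-Tenant-Id", Pattern: regexp.MustCompile(`^[a-z0-9]{4,12}$`)}

// buildHeaders creates a header set with one field line per argument.
func buildHeaders(name string, lines ...string) http.Header {
	h := http.Header{}
	for _, l := range lines {
		h.Add(name, l)
	}
	return h
}

// validateFirstOnly reproduces the pre-fix behavior described above:
// http.Header.Get returns only the first field line, so later values are
// never compared against the schema.
func validateFirstOnly(h http.Header, r headerRule) error {
	v := h.Get(r.Name)
	if v != "" && !r.Pattern.MatchString(v) {
		return fmt.Errorf("%s: value %q violates schema", r.Name, v)
	}
	return nil
}

// headerValues normalizes a header into its individual values: every field
// line is read, split on commas and trimmed.
func headerValues(h http.Header, name string) []string {
	var out []string
	for _, line := range h.Values(name) {
		for _, part := range strings.Split(line, ",") {
			if p := strings.TrimSpace(part); p != "" {
				out = append(out, p)
			}
		}
	}
	return out
}

// validateAll checks every normalized value and reports the first violation.
func validateAll(h http.Header, r headerRule) error {
	for _, v := range headerValues(h, r.Name) {
		if !r.Pattern.MatchString(v) {
			return fmt.Errorf("%s: value %q violates schema", r.Name, v)
		}
	}
	return nil
}

func main() {
	// Constructed request: the first field line is valid, the second is not.
	h := buildHeaders("X-Tenant-Id", "acme01", "../admin")
	fmt.Println("first only:", validateFirstOnly(h, tenantRule))
	fmt.Println("all values:", validateAll(h, tenantRule))
}
```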
  </Accordion>

  <Accordion title="Fixed API Routing Issues with Custom Domains and Similar Listen Paths">
    Resolved a routing issue where APIs could return `HTTP 404 Not Found` errors depending on custom domain settings, with differing behavior between Tyk OAS and Tyk Classic APIs. Previously, when APIs had similar listen path prefixes (e.g., `/caa` and `/caas2itsamu0456w2ayl9`), the Gateway's routing logic would incorrectly match requests, causing legitimate API calls to fail. The issue affected Tyk OAS APIs when custom domains were disabled, and Tyk Classic APIs when they were enabled.

    The Gateway now properly sorts and matches API specifications by listen path length, while correctly considering domain configuration options, ensuring all APIs are accessible via their configured paths regardless of custom domain settings or API type.
  </Accordion>

  <Accordion title="Fixed Missing Request Duration Logging for Gateway Error Responses">
    Resolved an issue where the Gateway incorrectly logged 0ms duration for error responses, including `HTTP 504 Gateway Timeout`, `HTTP 499 Client Closed Request`, and `HTTP 500 Internal Server Error`, creating gaps in API observability and monitoring. Previously, these error responses were hardcoded with zero-latency values, making it impossible to determine the actual processing time, gateway saturation, or connection utilization for failed requests.

    The Gateway now accurately calculates and logs the actual request duration from start to error occurrence for all error responses, providing complete timing visibility across successful and failed API requests. This enhancement improves observability for performance monitoring, capacity planning, and troubleshooting workflows.
  </Accordion>

  <Accordion title="Fixed Missing Identity Source in OTEL Traces for JWT Protected APIs">
    Resolved an issue where OpenTelemetry traces were missing the "alias" field when using JWT-protected APIs, making it impossible to identify API consumers in tracing data. Previously, while the alias was correctly populated in Redis sessions and pump metrics, it was not included in OTEL spans for JWT-authenticated requests.

    The Gateway now ensures that OTEL spans include the alias attribute for all authentication methods, enabling proper consumer identification and request attribution in distributed tracing systems.
  </Accordion>

  <Accordion title="Fixed Intermittent NewRelic Tracing">
    Resolved an issue where NewRelic OpenTracing integration worked inconsistently in Tyk Gateway. The Gateway now properly mounts NewRelic middleware on all routers, including reused ones, with thread-safe duplicate prevention and improved memory management during router swaps. This fix ensures consistent NewRelic APM visibility across all API calls and gateway versions, supporting both legacy NewRelic configurations and newer OpenTelemetry collector setups.
  </Accordion>

  <Accordion title="Fixed Incorrect X-RateLimit-Reset Timestamp">
    Resolved an issue where the `X-RateLimit-Reset` header showed an incorrect timestamp in the response to the first API request after rate limit or quota counter initialization. Previously, when quota windows expired and were reset within the distributed lock, the Gateway would return stale timing information in the first response.

    The Gateway now properly synchronizes its internal timer with the storage backend during quota window resets, ensuring that `X-RateLimit-Reset` headers accurately reflect the correct expiration time from the very first response.
  </Accordion>

  <Accordion title="Fixed OpenAPI multipleOf Validation for Floating-Point Numbers">
    Resolved a floating-point precision issue where mathematically valid multipleOf values were incorrectly rejected due to binary representation limitations. This could cause incorrect failures when performing Request Validation for Tyk OAS APIs.

    The Gateway now properly handles floating-point precision in multipleOf validation, ensuring that all mathematically valid decimal multiples pass validation consistently while continuing to correctly reject invalid values.
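
The false rejection comes from taking a binary floating-point remainder. The sketch below is an added example, not the Gateway's implementation: `naiveMultipleOf` shows the failure, and `exactMultipleOf` is one way to avoid it by converting each number to its shortest decimal form and dividing as exact rationals. Both function names are hypothetical.

```go
package main

import (
	"fmt"
	"math"
	"math/big"
	"strconv"
)

// naiveMultipleOf uses a binary floating-point remainder. 0.1 and 0.3 have
// no exact binary representation, so the remainder of 0.3 / 0.1 is not zero.
func naiveMultipleOf(v, m float64) bool {
	return math.Mod(v, m) == 0
}

// decimalRat converts a float64 to the exact rational value of its shortest
// round-tripping decimal form (0.3 becomes 3/10).
func decimalRat(f float64) (*big.Rat, bool) {
	if math.IsNaN(f) || math.IsInf(f, 0) {
		return nil, false
	}
	return new(big.Rat).SetString(strconv.FormatFloat(f, 'f', -1, 64))
}

// exactMultipleOf reports whether v is a multiple of m in decimal arithmetic.
// OpenAPI requires multipleOf to be strictly greater than zero.
func exactMultipleOf(v, m float64) bool {
	if m <= 0 {
		return false
	}
	rv, okV := decimalRat(v)
	rm, okM := decimalRat(m)
	if !okV || !okM {
		return false
	}
	return new(big.Rat).Quo(rv, rm).IsInt()
}

func main() {
	// Constructed sample values.
	cases := [][2]float64{{0.3, 0.1}, {19.99, 0.01}, {0.35, 0.1}}
	for _, c := range cases {
		fmt.Printf("value=%v multipleOf=%v naive=%v exact=%v\n",
			c[0], c[1], naiveMultipleOf(c[0], c[1]), exactMultipleOf(c[0], c[1]))
	}
}
```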
  </Accordion>

  <Accordion title="Fixed SSL Certificate Loading from MDCB During Gateway Startup">
    Resolved an issue where data plane gateways failed to load SSL certificates from MDCB during startup, preventing HTTPS listeners from functioning correctly. The fix implements exponential backoff retry logic that waits for the MDCB connection to become available during certificate loading, ensuring SSL certificates are properly retrieved, and HTTPS listeners start correctly. This resolves startup failures for new data plane deployments using HTTPS.
  </Accordion>
</AccordionGroup>

##### Security Fixes

<AccordionGroup>
  <Accordion title="Fixed Security Vulnerability in Dynamic mTLS Authentication">
    The Gateway now enforces the mutual TLS handshake when an API is secured using Auth Token with Dynamic mTLS. The client must therefore present a valid client certificate in the request. Previously Dynamic mTLS would permit authentication using only the Auth Token and the mTLS handshake was not enforced.

    A new Gateway configuration option `allow_unsafe_dynamic_mtls_token` has been added for backward compatibility, for any users relying on the legacy behavior. It defaults to `false` to ensure secure behavior. When enabled, this option restores the previous (insecure) behavior of accepting token-only authentication for APIs secured with Auth Token + Dynamic mTLS.
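
The difference between the enforced and legacy behavior, as a simplified model added here (not Tyk's code). It assumes each token is bound to the SHA-256 fingerprint of one client certificate and that the TLS listener has already verified the certificate chain; `authenticate`, `bindings`, `newRequest` and all sample values are hypothetical.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"net/http"
)

var (
	errUnknownToken = errors.New("unknown auth token")
	errCertRequired = errors.New("client TLS certificate is required")
	errCertMismatch = errors.New("client certificate is not bound to this token")
)

// Constructed sample data: opaque byte strings stand in for DER certificates.
var (
	sampleToken   = "constructed-token-client-a"
	sampleCertDER = []byte("constructed-der-bytes-client-a")
	otherCertDER  = []byte("constructed-der-bytes-client-b")
	// bindings maps each auth token to the fingerprint of its certificate.
	bindings = map[string][32]byte{sampleToken: sha256.Sum256(sampleCertDER)}
)

// newRequest builds a request as the server would see it after the TLS
// handshake. A nil certDER means the client presented no certificate.
func newRequest(token string, certDER []byte) *http.Request {
	r := &http.Request{Header: http.Header{}, TLS: &tls.ConnectionState{}}
	r.Header.Set("Authorization", token)
	if certDER != nil {
		r.TLS.PeerCertificates = []*x509.Certificate{{Raw: certDER}}
	}
	return r
}

// authenticate requires both factors. allowUnsafeTokenOnly models
// allow_unsafe_dynamic_mtls_token: when true, a request without a client
// certificate is accepted on the token alone (the legacy behavior).
func authenticate(r *http.Request, allowUnsafeTokenOnly bool) error {
	want, ok := bindings[r.Header.Get("Authorization")]
	if !ok {
		return errUnknownToken
	}
	if r.TLS == nil || len(r.TLS.PeerCertificates) == 0 {
		if allowUnsafeTokenOnly {
			return nil
		}
		return errCertRequired
	}
	got := sha256.Sum256(r.TLS.PeerCertificates[0].Raw)
	if subtle.ConstantTimeCompare(got[:], want[:]) != 1 {
		return errCertMismatch
	}
	return nil
}

func main() {
	fmt.Println("token only, default:    ", authenticate(newRequest(sampleToken, nil), false))
	fmt.Println("token only, unsafe flag:", authenticate(newRequest(sampleToken, nil), true))
	fmt.Println("token + bound cert:     ", authenticate(newRequest(sampleToken, sampleCertDER), false))
	fmt.Println("token + other cert:     ", authenticate(newRequest(sampleToken, otherCertDER), false))
}
```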
  </Accordion>
</AccordionGroup>

### 5.8.11 Release Notes

#### Release Date 12 February 2026

#### Release Highlights

In this release, we have resolved a performance issue with bundle verification that significantly impacted resource consumption when using plugin bundles, and we have fixed some priority CVEs.

For a comprehensive list of changes, please refer to the detailed [changelog](/nightly/#Changelog-v5.8.11).

#### Breaking Changes

There are no breaking changes in this release.

#### Dependencies

##### Compatibility Matrix For Tyk Components

| Gateway Version | Recommended Releases             | Backwards Compatibility |
| :-------------- | :------------------------------- | :---------------------- |
| 5.8.11          | MDCB v2.8.7                      | MDCB v2.8.7             |
|                 | Operator v1.2.0                  | Operator v0.17          |
|                 | Sync v2.1.5                      | Sync v2.1.1             |
|                 | Helm Chart v5.0.0                | Helm all versions       |
|                 | Pump v1.13.2                     | Pump all versions       |
|                 | TIB (if using standalone) v1.7.0 | TIB all versions        |

##### 3rd Party Dependencies & Tools

| Third Party Dependency                                        | Tested Versions | Compatible Versions | Comments                                                                         |
| :------------------------------------------------------------ | :-------------- | :------------------ | :------------------------------------------------------------------------------- |
| [Go](https://go.dev/dl/)                                      | 1.24            | 1.24                | [Go plugins](/nightly/api-management/plugins/golang) must be built using Go 1.24 |
| [Redis](https://redis.io/download/)                           | 6.2.x, 7.x      | 6.2.x, 7.x          | Used by Tyk Gateway                                                              |
| [OpenAPI Specification](https://spec.openapis.org/oas/v3.0.3) | v3.0.x          | v3.0.x              | Supported by [Tyk OAS](/nightly/api-management/gateway-config-tyk-oas)           |

Given the potential time difference between your upgrade and the release of this version, we recommend users verify the ongoing support of third-party dependencies they install, as their status may have changed since the release.

#### Deprecations

No deprecations in this release.

#### Upgrade instructions

If you are upgrading to 5.8.11, please follow the detailed [upgrade instructions](/nightly/#upgrading-tyk).

#### Downloads

* [Docker image to pull](https://hub.docker.com/r/tykio/tyk-gateway/tags?page=\&page_size=\&ordering=\&name=v5.8.11)
  * ```bash theme={null}
    docker pull tykio/tyk-gateway:v5.8.11
    ```

* Helm charts
  * [tyk-charts v5.0.0](/nightly/developer-support/release-notes/helm-chart#5-0-0-release-notes)

* [Source code tarball of Tyk Gateway v5.8.11](https://github.com/TykTechnologies/tyk/releases/tag/v5.8.11)

#### Changelog

<a id="Changelog-v5.8.11" data-scroll-offset />

##### Fixed

<AccordionGroup>
  <Accordion title="Optimized Bundle Verification to Reduce Memory Consumption">
    Fixed a performance issue introduced in v5.8.7 where bundle verification significantly increased CPU and memory consumption, particularly when using multiple APIs with plugin bundles.

    We have introduced a new Gateway configuration option `skip_verify_existing_plugin_bundle` that allows you to skip cryptographic verification when loading signed plugin bundles from disk. When set to `true`, this option reduces the performance overhead for environments with large numbers of APIs using signed bundles, while still maintaining security by validating signatures during the initial bundle download.

    **Note**: This option only affects signed bundles loaded from disk. Unsigned bundles and initial downloads will continue to follow standard verification procedures.
  </Accordion>
</AccordionGroup>

##### Security Fixes

<AccordionGroup>
  <Accordion title="CVE fixed">
    Addressed CVEs reported in dependent libraries, providing increased protection against security
    vulnerabilities, including, but not limited to:

    * <a href="https://nvd.nist.gov/vuln/detail/CVE-2025-15467" target="_blank">CVE-2025-15467</a>
    * <a href="https://nvd.nist.gov/vuln/detail/CVE-2025-69419" target="_blank">CVE-2025-69419</a>
    * <a href="https://nvd.nist.gov/vuln/detail/CVE-2025-61726" target="_blank">CVE-2025-61726</a>
    * <a href="https://nvd.nist.gov/vuln/detail/CVE-2025-61728" target="_blank">CVE-2025-61728</a>
    * <a href="https://nvd.nist.gov/vuln/detail/CVE-2025-68121" target="_blank">CVE-2025-68121</a>
  </Accordion>
</AccordionGroup>

### 5.8.10 Release Notes

#### Release Date 23 December 2025

#### Release Highlights

This patch release addresses a CVE present in 5.8.9 and fixes an issue where API keys remained active when set to inactive status. For a comprehensive list of changes, please refer to the detailed [changelog](/nightly/#Changelog-v5.8.10).

#### Breaking Changes

There are no breaking changes in this release.

#### Dependencies

##### Compatibility Matrix For Tyk Components

| Gateway Version | Recommended Releases             | Backwards Compatibility |
| :-------------- | :------------------------------- | :---------------------- |
| 5.8.10          | MDCB v2.8.7                      | MDCB v2.8.7             |
|                 | Operator v1.2.0                  | Operator v0.17          |
|                 | Sync v2.1.5                      | Sync v2.1.1             |
|                 | Helm Chart v5.0.0                | Helm all versions       |
|                 | EDP v1.16.0                      | EDP all versions        |
|                 | Pump v1.13.2                     | Pump all versions       |
|                 | TIB (if using standalone) v1.7.0 | TIB all versions        |

##### 3rd Party Dependencies & Tools

| Third Party Dependency                                        | Tested Versions | Compatible Versions | Comments                                                                         |
| :------------------------------------------------------------ | :-------------- | :------------------ | :------------------------------------------------------------------------------- |
| [Go](https://go.dev/dl/)                                      | 1.24            | 1.24                | [Go plugins](/nightly/api-management/plugins/golang) must be built using Go 1.24 |
| [Redis](https://redis.io/download/)                           | 6.2.x, 7.x      | 6.2.x, 7.x          | Used by Tyk Gateway                                                              |
| [OpenAPI Specification](https://spec.openapis.org/oas/v3.0.3) | v3.0.x          | v3.0.x              | Supported by [Tyk OAS](/nightly/api-management/gateway-config-tyk-oas)           |

Given the potential time difference between your upgrade and the release of this version, we recommend users verify the ongoing support of third-party dependencies they install, as their status may have changed since the release.

#### Deprecations

In this release we've deprecated the [policies.allow\_explicit\_policy\_id](/nightly/tyk-oss-gateway/configuration#policies-allow_explicit_policy_id) configuration option. This was previously added to allow the use of custom policy IDs, which is now the default behaviour so this option is redundant.

#### Upgrade instructions

If you are upgrading to 5.8.10, please follow the detailed [upgrade instructions](/nightly/#upgrading-tyk).

#### Downloads

* [Docker image to pull](https://hub.docker.com/r/tykio/tyk-gateway/tags?page=\&page_size=\&ordering=\&name=v5.8.10)
  * ```bash theme={null}
    docker pull tykio/tyk-gateway:v5.8.10
    ```

* Helm charts
  * [tyk-charts v5.0.0](/nightly/developer-support/release-notes/helm-chart#5-0-0-release-notes)

* [Source code tarball of Tyk Gateway v5.8.10](https://github.com/TykTechnologies/tyk/releases/tag/v5.8.10)

#### Changelog

<a id="Changelog-v5.8.10" data-scroll-offset />

##### Fixed

<AccordionGroup>
  <Accordion title="Fixed: API Keys Remain Active When Set to Inactive Status">
    Resolved an issue where API keys continued to process traffic even after being marked as inactive through API updates.
  </Accordion>
</AccordionGroup>

##### Security Fixes

<AccordionGroup>
  <Accordion title="CVE fixed">
    Fixed the following high-priority CVE, providing increased protection against security
    vulnerabilities:

    * <a href="https://nvd.nist.gov/vuln/detail/CVE-2021-41248" target="_blank">CVE-2021-41248</a>
  </Accordion>
</AccordionGroup>

### 5.8.9 Release Notes

#### Release Date 12 December 2025

#### Release Highlights

This patch release contains various bug fixes and introduces enhanced DNS monitoring for MDCB deployments. For a comprehensive list of changes, please refer to the detailed [changelog](/nightly/#Changelog-v5.8.9).

#### Breaking Changes

There are no breaking changes in this release.

#### Dependencies

##### Compatibility Matrix For Tyk Components

| Gateway Version | Recommended Releases             | Backwards Compatibility |
| :-------------- | :------------------------------- | :---------------------- |
| 5.8.9           | MDCB v2.8.7                      | MDCB v2.8.7             |
|                 | Operator v1.2.0                  | Operator v0.17          |
|                 | Sync v2.1.4                      | Sync v2.1.1             |
|                 | Helm Chart v5.0.0                | Helm all versions       |
|                 | EDP v1.15.0                      | EDP all versions        |
|                 | Pump v1.13.1                     | Pump all versions       |
|                 | TIB (if using standalone) v1.7.0 | TIB all versions        |

##### 3rd Party Dependencies & Tools

| Third Party Dependency                                        | Tested Versions | Compatible Versions | Comments                                                                         |
| :------------------------------------------------------------ | :-------------- | :------------------ | :------------------------------------------------------------------------------- |
| [Go](https://go.dev/dl/)                                      | 1.24            | 1.24                | [Go plugins](/nightly/api-management/plugins/golang) must be built using Go 1.24 |
| [Redis](https://redis.io/download/)                           | 6.2.x, 7.x      | 6.2.x, 7.x          | Used by Tyk Gateway                                                              |
| [OpenAPI Specification](https://spec.openapis.org/oas/v3.0.3) | v3.0.x          | v3.0.x              | Supported by [Tyk OAS](/nightly/api-management/gateway-config-tyk-oas)           |

Given the potential time difference between your upgrade and the release of this version, we recommend users verify the ongoing support of third-party dependencies they install, as their status may have changed since the release.

#### Deprecations

In this release we've deprecated the [policies.allow\_explicit\_policy\_id](/nightly/tyk-oss-gateway/configuration#policies-allow_explicit_policy_id) configuration option. This was previously added to allow the use of custom policy IDs, which is now the default behaviour so this option is redundant.

#### Upgrade instructions

If you are upgrading to 5.8.9, please follow the detailed [upgrade instructions](/nightly/#upgrading-tyk).

#### Downloads

* [Docker image to pull](https://hub.docker.com/r/tykio/tyk-gateway/tags?page=\&page_size=\&ordering=\&name=v5.8.9)
  * ```bash theme={null}
    docker pull tykio/tyk-gateway:v5.8.9
    ```

* Helm charts
  * [tyk-charts v5.0.0](/nightly/developer-support/release-notes/helm-chart#5-0-0-release-notes)

* [Source code tarball of Tyk Gateway v5.8.9](https://github.com/TykTechnologies/tyk/releases/tag/v5.8.9)

#### Changelog

<a id="Changelog-v5.8.9" data-scroll-offset />

##### Added

<AccordionGroup>
  <Accordion title="Background DNS Monitor for Faster MDCB Endpoint Failover">
    We have implemented background monitoring of MDCB endpoint DNS resolution to ensure rapid response to changes without waiting for failures, which block API consumer requests. When a DNS change is detected, Tyk will now automatically reconnect the RPC client to minimise downtime and risk of request blocking. The DNS monitor checks for changes at a configurable interval (default: 30 seconds, minimum: 10 seconds). This can be set using the `slave_options.dns_monitor` configuration.
  </Accordion>
</AccordionGroup>

##### Fixed

<AccordionGroup>
  <Accordion title="Fixed JWT Authentication Panic in MDCB Emergency Mode">
    Fixed a bug causing JWT authentication to panic in MDCB emergency mode. When processing tokens with new sub-claims, the gateway returned an uninitialized session missing its KeyID, leading to a crash when generating the session’s KeyHash. The fix ensures the KeyID is preserved in the emergency-mode path, allowing sessions to be created and cached correctly and preventing panics during MDCB outages.
  </Accordion>

  <Accordion title="Resolved Panic Triggered by DRL Updates in Mixed Rate-Limiter Environments">
    Fixed an issue where Gateways using [Redis Rate Limiters](/nightly/api-management/rate-limit#redis-rate-limiter) would crash when sharing Redis with Gateways using [Distributed Rate Limiting](/nightly/api-management/rate-limit#distributed-rate-limiter) (DRL). Non-DRL Gateways now properly ignore DRL update messages instead of attempting to process them, enabling mixed rate-limiter deployments across shared Redis instances.
  </Accordion>

  <Accordion title="Removed Redundant Boolean Enums from OpenAPI Specification">
    Fixed redundant boolean enum definitions in the OpenAPI specification by removing unnecessary `enum: [true, false]` declarations from boolean type fields in `swagger.yml` files. Boolean parameters now use only `type: boolean`, following OpenAPI best practices.
  </Accordion>

  <Accordion title="Fixed Data Plane Startup Process To Handle MDCB Failure">
    Fixed an issue where a Data Plane Gateway could return HTTP 404 errors to client requests if the MDCB link failed during initialisation. The expected behaviour, if MDCB is unavailable, is for the Data Plane Gateway to retrieve policies and API definitions from the local storage (Redis), but this was not occurring in certain scenarios.

    We have improved the robustness of the Gateway startup so that, if MDCB goes down, it will automatically switch to the local storage (Redis) as expected.
  </Accordion>

  <Accordion title="Fixed OAuth Client Key Retrieval Delays in JWT APIs on Hybrid Gateways">
    Resolved an issue where JWT APIs using Keycloak authentication experienced significant delays on hybrid gateways due to failed local key lookups. The Gateway was unable to find OAuth client keys in local Redis and had to fetch them from the Control Plane for every request, causing performance degradation and "key not found" errors in logs.

    JWT API requests now retrieve keys efficiently from local storage, eliminating unnecessary round-trip requests and providing consistent response times.
  </Accordion>

  <Accordion title="Corrected mTLS Certificate Advertising for RFC-Compliant Clients">
    Fixed an issue where Tyk Gateway advertised leaf certificate Subject DNs instead of Certificate Authority DNs during mTLS handshakes, causing connection failures with RFC-compliant TLS clients. The Gateway now properly extracts and advertises CA DNs from certificate chains in the CertificateRequest message, ensuring compatibility with standards-compliant clients like `Apache mod_ssl` while maintaining backward compatibility with existing configurations.
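
The difference between advertising leaf subject DNs and CA DNs in the CertificateRequest, as an added Go example (not Tyk's own code). It models a client that only offers a certificate whose issuer DN appears in the advertised list; the certificates are constructed in memory and `issue`, `subjectDNs`, `clientOffersCert` and `handshakeOutcome` are hypothetical names.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue creates a constructed test certificate; a nil parent makes it self-signed.
func issue(cn string, isCA bool, serial int64, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn, Organization: []string{"Constructed Example Org"}},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		IsCA:                  isCA,
		BasicConstraintsValid: true,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// subjectDNs returns the DER-encoded subject DNs of the certificates in chain
// whose IsCA flag equals wantCA. wantCA=true gives the CA DNs that belong in
// the certificate_authorities list; wantCA=false gives the leaf DNs.
func subjectDNs(chain []*x509.Certificate, wantCA bool) [][]byte {
	var dns [][]byte
	for _, c := range chain {
		if c.IsCA == wantCA {
			dns = append(dns, c.RawSubject)
		}
	}
	return dns
}

// clientOffersCert models a client that honours the advertised list: it offers
// its certificate only if the certificate's issuer DN is listed. An empty list
// places no restriction. Simplification: only the leaf's direct issuer is checked.
func clientOffersCert(clientCert *x509.Certificate, advertised [][]byte) bool {
	if len(advertised) == 0 {
		return true
	}
	for _, dn := range advertised {
		if bytes.Equal(clientCert.RawIssuer, dn) {
			return true
		}
	}
	return false
}

// handshakeOutcome reports whether the modelled client offers its certificate
// when the server advertises leaf subject DNs (before) and CA DNs (after).
func handshakeOutcome() (before, after bool) {
	ca, caKey := issue("Example Client CA", true, 1, nil, nil)
	leaf, _ := issue("client-1", false, 2, ca, caKey)
	chain := []*x509.Certificate{leaf, ca} // constructed chain: leaf first, then its CA
	before = clientOffersCert(leaf, subjectDNs(chain, false))
	after = clientOffersCert(leaf, subjectDNs(chain, true))
	return before, after
}

func main() {
	before, after := handshakeOutcome()
	fmt.Printf("advertising leaf subject DNs: client offers certificate = %v\n", before)
	fmt.Printf("advertising CA DNs:           client offers certificate = %v\n", after)
}
```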
  </Accordion>

  <Accordion title="Fixed JSON Formatter Failures with Large Numeric Error Values">
    We fixed a logging bug in the JSON formatter that could cause error logs to fail to serialize when an error message contained very large numeric values (for example, a big integer), which sometimes resulted in missing or broken log output. The formatter now writes the error as a plain text string instead of attempting to encode the underlying error object, so logs reliably serialize to JSON.
  </Accordion>

  <Accordion title="Fixed Request Pipeline Blockage When MDCB is Unavailable">
    Fixed an issue where the request pipeline could be blocked by synchronous RPC calls when MDCB was unavailable. The Gateway's check for Organisation expiry, which runs every 10 minutes, is now asynchronous and non-blocking, so it no longer causes API request timeouts and latency spikes (up to 90 seconds) when MDCB is unavailable. Previously, this validity check would block the Gateway. This fix ensures consistent API response times regardless of MDCB availability.
  </Accordion>

  <Accordion title="Reduced RPC Retry Delays by Improving DNS Change Detection">
    Fixed an issue where the Gateway would incorrectly retry RPC calls repeatedly when MDCB was unavailable but the DNS had not changed. This would cause API requests to block for over 90 seconds before returning an error. The Gateway now takes into account that the DNS has not changed and fails fast, entering Emergency Mode after one retry (30 seconds).
  </Accordion>
</AccordionGroup>

### 5.8.8 Release Notes

#### Release Date 20th November 2025

#### Release Highlights

This patch release fixes some high-priority CVEs. For a comprehensive list of changes, please refer to the detailed [changelog](/nightly/#Changelog-v5.8.8).

#### Breaking Changes

There are no breaking changes in this release.

#### Dependencies

##### Compatibility Matrix For Tyk Components

| Gateway Version | Recommended Releases             | Backwards Compatibility |
| :-------------- | :------------------------------- | :---------------------- |
| 5.8.8           | MDCB v2.8.6                      | MDCB v2.8.6             |
|                 | Operator v1.2.0                  | Operator v0.17          |
|                 | Sync v2.1.4                      | Sync v2.1.1             |
|                 | Helm Chart v4.1.0                | Helm all versions       |
|                 | EDP v1.15.0                      | EDP all versions        |
|                 | Pump v1.13.1                     | Pump all versions       |
|                 | TIB (if using standalone) v1.7.0 | TIB all versions        |

##### 3rd Party Dependencies & Tools

| Third Party Dependency                                        | Tested Versions | Compatible Versions | Comments                                                                         |
| :------------------------------------------------------------ | :-------------- | :------------------ | :------------------------------------------------------------------------------- |
| [Go](https://go.dev/dl/)                                      | 1.24            | 1.24                | [Go plugins](/nightly/api-management/plugins/golang) must be built using Go 1.24 |
| [Redis](https://redis.io/download/)                           | 6.2.x, 7.x      | 6.2.x, 7.x          | Used by Tyk Gateway                                                              |
| [OpenAPI Specification](https://spec.openapis.org/oas/v3.0.3) | v3.0.x          | v3.0.x              | Supported by [Tyk OAS](/nightly/api-management/gateway-config-tyk-oas)           |

Given the potential time difference between your upgrade and the release of this version, we recommend users verify the ongoing support of third-party dependencies they install, as their status may have changed since the release.

#### Deprecations

There are no deprecations in this release.

#### Upgrade instructions

If you are upgrading to 5.8.8, please follow the detailed [upgrade instructions](/nightly/#upgrading-tyk).

#### Downloads

* [Docker image to pull](https://hub.docker.com/r/tykio/tyk-gateway/tags?page=\&page_size=\&ordering=\&name=v5.8.8)
  * ```bash theme={null}
    docker pull tykio/tyk-gateway:v5.8.8
    ```

* Helm charts
  * [tyk-charts v4.0.0](/nightly/developer-support/release-notes/helm-chart#4-0-0-release-notes)

* [Source code tarball of Tyk Gateway v5.8.8](https://github.com/TykTechnologies/tyk/releases/tag/v5.8.8)

#### Changelog

<a id="Changelog-v5.8.8" data-scroll-offset />

##### Security Fixes

<AccordionGroup>
  <Accordion title="CVE fixed">
    Fixed the following high-priority CVEs, providing increased protection against security
    vulnerabilities:

    * <a href="https://www.cve.org/CVERecord?id=CVE-2025-47912" target="_blank">CVE-2025-47912</a>
    * <a href="https://www.cve.org/CVERecord?id=CVE-2025-58183" target="_blank">CVE-2025-58183</a>
    * <a href="https://www.cve.org/CVERecord?id=CVE-2025-58185" target="_blank">CVE-2025-58185</a>
    * <a href="https://www.cve.org/CVERecord?id=CVE-2025-58186" target="_blank">CVE-2025-58186</a>
    * <a href="https://www.cve.org/CVERecord?id=CVE-2025-58187" target="_blank">CVE-2025-58187</a>
    * <a href="https://www.cve.org/CVERecord?id=CVE-2025-58188" target="_blank">CVE-2025-58188</a>
    * <a href="https://www.cve.org/CVERecord?id=CVE-2025-58189" target="_blank">CVE-2025-58189</a>
    * <a href="https://www.cve.org/CVERecord?id=CVE-2025-61723" target="_blank">CVE-2025-61723</a>
    * <a href="https://www.cve.org/CVERecord?id=CVE-2025-61724" target="_blank">CVE-2025-61724</a>
    * <a href="https://www.cve.org/CVERecord?id=CVE-2025-61725" target="_blank">CVE-2025-61725</a>
  </Accordion>
</AccordionGroup>

### 5.8.7 Release Notes

#### Release Date 29 October 2025

#### Release Highlights

This patch release contains various bug fixes. For a comprehensive list of changes, please refer to the detailed [changelog](/nightly/#Changelog-v5.8.7).

#### Breaking Changes

There are no breaking changes in this release.

#### Dependencies

##### Compatibility Matrix For Tyk Components

| Gateway Version | Recommended Releases             | Backwards Compatibility |
| :-------------- | :------------------------------- | :---------------------- |
| 5.8.7           | MDCB v2.8.5                      | MDCB v2.8.5             |
|                 | Operator v1.2.0                  | Operator v0.17          |
|                 | Sync v2.1.4                      | Sync v2.1.1             |
|                 | Helm Chart v4.0                  | Helm all versions       |
|                 | EDP v1.14.1                      | EDP all versions        |
|                 | Pump v1.13.0                     | Pump all versions       |
|                 | TIB (if using standalone) v1.7.0 | TIB all versions        |

##### 3rd Party Dependencies & Tools

| Third Party Dependency                                        | Tested Versions | Compatible Versions | Comments                                                                         |
| :------------------------------------------------------------ | :-------------- | :------------------ | :------------------------------------------------------------------------------- |
| [Go](https://go.dev/dl/)                                      | 1.24            | 1.24                | [Go plugins](/nightly/api-management/plugins/golang) must be built using Go 1.24 |
| [Redis](https://redis.io/download/)                           | 6.2.x, 7.x      | 6.2.x, 7.x          | Used by Tyk Gateway                                                              |
| [OpenAPI Specification](https://spec.openapis.org/oas/v3.0.3) | v3.0.x          | v3.0.x              | Supported by [Tyk OAS](/nightly/api-management/gateway-config-tyk-oas)           |

Given the potential time difference between your upgrade and the release of this version, we recommend users verify the ongoing support of third-party dependencies they install, as their status may have changed since the release.

#### Deprecations

There are no deprecations in this release.

#### Upgrade instructions

If you are upgrading to 5.8.7, please follow the detailed [upgrade instructions](/nightly/#upgrading-tyk).

#### Downloads

* [Docker image to pull](https://hub.docker.com/r/tykio/tyk-gateway/tags?page=\&page_size=\&ordering=\&name=v5.8.7)
  * ```bash theme={null}
    docker pull tykio/tyk-gateway:v5.8.7
    ```

* Helm charts
  * [tyk-charts v4.0.0](/nightly/developer-support/release-notes/helm-chart#4-0-0-release-notes)

* [Source code tarball of Tyk Gateway v5.8.7](https://github.com/TykTechnologies/tyk/releases/tag/v5.8.7)

#### Changelog

<a id="Changelog-v5.8.7" data-scroll-offset />

##### Fixed

<AccordionGroup>
  <Accordion title="Fixed Custom Authentication fallback when custom plugin bundle is disabled">
    Fixed an issue where [Custom Authentication](/nightly/api-management/authentication/custom-auth) could fall back to a previously configured alternative authentication method if the custom plugin bundle was not loaded. This is now treated like any other failed plugin load, and requests to the API will be rejected with `HTTP 500 Internal Server Error` to prevent access to an improperly configured endpoint.
  </Accordion>

  <Accordion title="Fixed Gateway panic when handling unexpected query parameters">
    Fixed an issue where sending certain unexpected query parameters to the Gateway's `GET /tyk/apis/oas/{apiID}` endpoint could cause a panic instead of returning a proper `HTTP 400 Bad Request` response. The Gateway now handles unexpected query parameters gracefully without crashing, improving system stability and providing appropriate error responses to clients.
  </Accordion>

  <Accordion title="Fixed issue with invalid or missing bundle manifests">
    Fixed an issue where the Gateway would load and attempt to use plugin bundles even when the manifest file was invalid or missing. The Gateway now properly validates bundle manifests and fails safely by rejecting API requests when bundles cannot be properly loaded or verified.

    This prevents risks from corrupted or tampered bundles and ensures that APIs with invalid plugin configurations are not accessible, maintaining the integrity of authentication and authorization checks implemented by plugins.
  </Accordion>

  <Accordion title="Fixed JWT key activation when toggling default policy from draft to active">
    Fixed an issue where keys could remain deactivated when a policy applied to them was changed from `draft` to `active` status. When an access key/token is presented to Tyk in a request, policies linked to the key will be applied, configuring the authorization for that request. If any policy is in `draft` state, the key will be rejected.

    Toggling the policy to the `active` state should activate any keys to which the policy is applied. Previously, if the policy had never been applied when it was in `draft` state, there was an issue where keys would incorrectly be marked as `inactive`. This has now been resolved, and the policy state is correctly mapped to keys.
  </Accordion>

  <Accordion title="Added new configuration option for limiting response body size">
    Added a new configuration option, [HttpServerOptions.MaxResponseBodySize](/nightly/tyk-oss-gateway/configuration#http_server_options-max_response_body_size), to limit the maximum size of the response bodies processed during any response body transformations. When the limit is exceeded, the Gateway returns `HTTP 500 Response Body Too Large` instead of attempting to process the oversized content.
  </Accordion>

  <Accordion title="Fixed plugin loading failure errors being ignored for gRPC, Python, and Lua plugins">
    Fixed an issue where plugin loading failure errors were ignored for gRPC, Python, and Lua plugins, allowing API requests to be processed even when plugins failed to load. The Gateway now properly validates plugin drivers during request processing and fails safely by returning `HTTP 500 Internal Server Error` when any plugin fails to load, ensuring consistent behavior across all plugin types.
  </Accordion>

  <Accordion title="Improved path handling during bundle decompression.">
    Tyk Gateway now validates all file paths in zip bundles before extraction, rejecting bundles that contain invalid paths. Bundle extraction fails immediately upon detecting invalid paths, with detailed error logging, ensuring that only proper bundles with valid relative paths are processed.
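
An added Go example (not Tyk's own code) of the validate-before-extract pattern this entry describes: every entry name in a bundle is checked before any file is written. What counts as an invalid path here (absolute paths, `..` traversal, backslashes) is an assumption, and `checkEntryName`, `validateBundle`, `buildZip` and the destination directory are hypothetical.

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// checkEntryName reports why a zip entry name is unsafe to extract under destDir.
func checkEntryName(destDir, name string) error {
	if name == "" {
		return errors.New("empty name")
	}
	if strings.ContainsRune(name, '\\') {
		return errors.New("backslash in name")
	}
	if strings.HasPrefix(name, "/") || !filepath.IsLocal(filepath.FromSlash(name)) {
		return errors.New("absolute path or parent-directory traversal")
	}
	// Second, independent check: the joined target must stay inside destDir.
	target := filepath.Join(destDir, filepath.FromSlash(name))
	rel, err := filepath.Rel(destDir, target)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return errors.New("resolves outside the destination directory")
	}
	return nil
}

// validateBundle checks every entry name before anything is extracted and
// rejects the whole bundle on the first invalid path.
func validateBundle(data []byte, destDir string) ([]string, error) {
	zr, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	// With GODEBUG=zipinsecurepath=0 the reader is still returned alongside
	// ErrInsecurePath, so the per-entry check below produces the detailed error.
	if err != nil && !errors.Is(err, zip.ErrInsecurePath) {
		return nil, fmt.Errorf("open bundle: %w", err)
	}
	names := make([]string, 0, len(zr.File))
	for _, f := range zr.File {
		if err := checkEntryName(destDir, f.Name); err != nil {
			return nil, fmt.Errorf("bundle rejected, entry %q: %w", f.Name, err)
		}
		names = append(names, f.Name)
	}
	return names, nil
}

// buildZip creates a constructed in-memory bundle with the given entry names.
func buildZip(names ...string) []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for _, n := range names {
		w, err := zw.Create(n)
		if err != nil {
			panic(err)
		}
		if _, err := w.Write([]byte("constructed sample content")); err != nil {
			panic(err)
		}
	}
	if err := zw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

func main() {
	const dest = "/srv/example/bundles/demo" // constructed destination directory
	bundles := [][]string{
		{"manifest.json", "middleware/auth.py"},
		{"manifest.json", "../../etc/cron.d/job"},
		{"manifest.json", "/etc/passwd"},
		{"manifest.json", "..\\evil.py"},
	}
	for _, entries := range bundles {
		names, err := validateBundle(buildZip(entries...), dest)
		if err != nil {
			fmt.Println("REJECT:", err)
			continue
		}
		fmt.Println("OK:    ", names)
	}
}
```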
  </Accordion>

  <Accordion title="Fixed random version selection when `not_versioned` is set to true">
    Fixed an issue where a **Tyk Classic API** with inconsistent versioning configuration would process requests using a **random version’s configuration**.

    A non-versioned API should:

    * Contain a single entry in `version_data.versions` with the API configuration.
    * Have the `version_data.not_versioned` flag set to `true`.

    Previously, if multiple entries existed in the `version_data.versions` array while `not_versioned` was set to `true`, the Gateway would **randomly select one** of those versions to process incoming requests.

    **New behavior:**

    When `version_data.not_versioned` is set to `true` and multiple versions are present, Tyk now deterministically selects the configuration for the **default version** instead of picking one at random.

    Tyk determines the default version as follows:

    * First, it looks for an entry named `"Default"`.
    * If not found, it checks for `"default"`.
    * If neither exists, it checks for an entry with an **empty string key** (`""`).
    * If none of these are found, Tyk returns an **error**, indicating a misconfigured non-versioned API.
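
A pre-upgrade audit for this change, as an added Go example (not Tyk's own code): it reads the `version_data` of a Tyk Classic API definition and reports which entry the lookup order above selects, which entries are ignored, and which definitions will now produce an error. The sample definitions are constructed, `effectiveVersion` is a hypothetical name, and taking a single entry as-is regardless of its name is an assumption, since the entry only describes the multi-entry case.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"sort"
)

// apiDef decodes only the Tyk Classic fields named in the changelog entry.
type apiDef struct {
	VersionData struct {
		NotVersioned bool                       `json:"not_versioned"`
		Versions     map[string]json.RawMessage `json:"versions"`
	} `json:"version_data"`
}

var (
	errVersioned = errors.New("API is versioned; the default-version lookup does not apply")
	errNoDefault = errors.New(`misconfigured non-versioned API: no "Default", "default" or "" entry`)
)

// effectiveVersion returns the version_data.versions key selected for a
// non-versioned API and the sorted keys of the entries that are ignored.
func effectiveVersion(raw []byte) (string, []string, error) {
	var def apiDef
	if err := json.Unmarshal(raw, &def); err != nil {
		return "", nil, fmt.Errorf("parse API definition: %w", err)
	}
	vd := def.VersionData
	if !vd.NotVersioned {
		return "", nil, errVersioned
	}
	if len(vd.Versions) == 1 {
		// Assumption: a single entry is used as-is, there is nothing to disambiguate.
		for name := range vd.Versions {
			return name, nil, nil
		}
	}
	selected, found := "", false
	for _, candidate := range []string{"Default", "default", ""} {
		if _, ok := vd.Versions[candidate]; ok {
			selected, found = candidate, true
			break
		}
	}
	if !found {
		return "", nil, errNoDefault
	}
	var ignored []string
	for name := range vd.Versions {
		if name != selected {
			ignored = append(ignored, name)
		}
	}
	sort.Strings(ignored)
	return selected, ignored, nil
}

// Constructed sample definitions, reduced to the fields under discussion.
var samples = []struct{ api, def string }{
	{"orders", `{"version_data":{"not_versioned":true,"versions":{"v2":{},"Default":{},"legacy":{}}}}`},
	{"billing", `{"version_data":{"not_versioned":true,"versions":{"":{},"v1":{}}}}`},
	{"broken", `{"version_data":{"not_versioned":true,"versions":{"v1":{},"v2":{}}}}`},
	{"catalog", `{"version_data":{"not_versioned":false,"versions":{"v1":{},"v2":{}}}}`},
}

func main() {
	for _, s := range samples {
		selected, ignored, err := effectiveVersion([]byte(s.def))
		if err != nil {
			fmt.Printf("%-8s %v\n", s.api, err)
			continue
		}
		fmt.Printf("%-8s uses %q, ignores %v\n", s.api, selected, ignored)
	}
}
```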
  </Accordion>

  <Accordion title="Fixed inappropriate warning logs for mock response requests">
    Fixed an issue where the mock response middleware generated incorrect warning-level messages stating `session not found`, sending inappropriate rate-limit headers in the Gateway system logs.

    This warning was introduced incorrectly and caused confusion, as mock responses don't require session objects by design. The Gateway now returns to the previous behavior where mock response requests execute without generating spurious warning messages, reducing log noise.
  </Accordion>

  <Accordion title="Fixed Data Plane Gateway hanging when MDCB connection is lost">
    Fixed an issue where a Data Plane Gateway could hang for all client requests when the MDCB connection was lost. This was caused by the Gateway incorrectly checking the Organisation quota when `TYK_GW_ENFORCEORGQUOTAS` was not set. If the Organisation quota cache expired before the Gateway performed a health check, the Gateway could hang.

    From this release, the Gateway does not check the Organisation quota cache if `TYK_GW_ENFORCEORGQUOTAS` is not set. For users relying on Organisation quotas (setting `TYK_GW_ENFORCEORGQUOTAS=true`), the scenario is different and the lock does not occur.
  </Accordion>
</AccordionGroup>

### 5.8.6 Release Notes

#### Release Date 25th September 2025

#### Release Highlights

This patch release contains various bug fixes. For a comprehensive list of changes, please refer to the detailed [changelog](/nightly/#Changelog-v5.8.6).

#### Breaking Changes

There are no breaking changes in this release.

#### Dependencies

##### Compatibility Matrix For Tyk Components

| Gateway Version | Recommended Releases             | Backwards Compatibility |
| :-------------- | :------------------------------- | :---------------------- |
| 5.8.6           | MDCB v2.8.4                      | MDCB v2.8.4             |
|                 | Operator v1.2.0                  | Operator v0.17          |
|                 | Sync v2.1.3                      | Sync v2.1.1             |
|                 | Helm Chart v4.0                  | Helm all versions       |
|                 | EDP v1.14.1                      | EDP all versions        |
|                 | Pump v1.12.2                     | Pump all versions       |
|                 | TIB (if using standalone) v1.7.0 | TIB all versions        |

##### 3rd Party Dependencies & Tools

| Third Party Dependency                                        | Tested Versions | Compatible Versions | Comments                                                                         |
| :------------------------------------------------------------ | :-------------- | :------------------ | :------------------------------------------------------------------------------- |
| [Go](https://go.dev/dl/)                                      | 1.24            | 1.24                | [Go plugins](/nightly/api-management/plugins/golang) must be built using Go 1.24 |
| [Redis](https://redis.io/download/)                           | 6.2.x, 7.x      | 6.2.x, 7.x          | Used by Tyk Gateway                                                              |
| [OpenAPI Specification](https://spec.openapis.org/oas/v3.0.3) | v3.0.x          | v3.0.x              | Supported by [Tyk OAS](/nightly/api-management/gateway-config-tyk-oas)           |

Given the potential time difference between your upgrade and the release of this version, we recommend users verify the ongoing support of third-party dependencies they install, as their status may have changed since the release.

#### Deprecations

There are no deprecations in this release.

#### Upgrade instructions

If you are upgrading to 5.8.6, please follow the detailed [upgrade instructions](/nightly/#upgrading-tyk).

#### Downloads

* [Docker image to pull](https://hub.docker.com/r/tykio/tyk-gateway/tags?page=\&page_size=\&ordering=\&name=v5.8.6)
  * ```bash theme={null}
    docker pull tykio/tyk-gateway:v5.8.6
    ```

* Helm charts
  * [tyk-charts v4.0.0](/nightly/developer-support/release-notes/helm-chart#4-0-0-release-notes)

* [Source code tarball of Tyk Gateway v5.8.6](https://github.com/TykTechnologies/tyk/releases/tag/v5.8.6)

#### Changelog

<a id="Changelog-v5.8.6" data-scroll-offset />

##### Changed

<Expandable title="Go 1.24 Upgrade for Tyk Gateway">
  The Tyk Gateway has been updated to [Golang 1.24](https://tip.golang.org/doc/go1.24), enhancing security by staying up-to-date with the latest Go versions.
</Expandable>

##### Fixed

<AccordionGroup>
  <Accordion title="Fixed body decompression errors with GraphQL APIs when analytics is enabled">
    Fixed an issue that caused repeated `Body decompression error: EOF` log messages when analytics were enabled for GraphQL APIs. The problem occurred because the Gateway attempted to decompress the response body after it had already been consumed for analytics processing, resulting in EOF (End of File) errors. The Gateway now correctly handles response body consumption for GraphQL APIs with analytics, eliminating the spurious error logs.
  </Accordion>

  <Accordion title="Fixed Gateway re-registration failures after restart">
    Fixed an issue where Gateways could fail to re-register with the Dashboard after a restart, particularly during upgrades or in large-scale deployments. This resulted in `Authorization failed (Nonce empty)` errors and Gateway crash loops that prevented successful registration. The fix includes an updated license handler with hardened registration logic, enhanced Dashboard authentication retry mechanisms, and support for new "Unlimited Gateway" licenses, ensuring Gateways register reliably without entering failure loops even during heavy churn or rolling upgrades.
  </Accordion>

  <Accordion title="Fixed Gateway crash when deleting APIs with Uptime Test enabled">
    Fixed a bug where deleting an API with the Uptime Test feature enabled could cause the Gateway to crash due to a nil pointer dereference during cleanup operations. The Gateway now properly handles memory cleanup when removing APIs with active uptime tests, preventing crashes and ensuring stable API lifecycle management.
  </Accordion>

  <Accordion title="Fixed TLS configuration not being applied for Redis rate limiting">
    Fixed an issue where Tyk Gateway did not properly apply the configured TLS settings when connecting to Redis for rate limiting operations. This could result in connection failures and incorrect `HTTP 429 Too Many Requests` responses being returned to clients. The rate limiter now correctly establishes TLS connections to Redis.
  </Accordion>

  <Accordion title="Fixed Request Body Transform middleware not being applied with regex in URL rewrite">
    Fixed an issue where Response Body Transformation middleware failed to apply to endpoints that used URL rewrite with regex patterns. When the endpoint path contained regex metacharacters (e.g., \$, ^, (), \[]), these characters interfered with the body transformation's internal pattern-matching process, preventing the middleware from executing.
  </Accordion>

  <Accordion title="Base API CORS settings incorrectly applied to child API versions">
    Fixed an issue where CORS settings from the base API were incorrectly applied to all versions of a Tyk OAS API, preventing child API versions from using their own CORS configuration. This occurred because the CORS check was performed before the request was routed to the correct API version. The processing order has been corrected so that requests are first routed to the appropriate version (base or child), then the correct CORS settings are applied, allowing each API version to have its own CORS configuration.
  </Accordion>

  <Accordion title="Fixed mock responses not working with internal API proxying">
    Fixed an issue where Tyk OAS mock response middleware failed to execute when internal API proxying was enabled. Mock responses configured in the target API are now correctly returned when a request is redirected to another API on the same Tyk Gateway instance via [internal looping](/nightly/advanced-configuration/transform-traffic/looping).
  </Accordion>

  <Accordion title="Fixed duplication of version identifier configuration when importing OpenAPI description">
    Fixed an issue where importing an OpenAPI description with an `apiKey` security scheme, while using the `authentication` query parameter, resulted in the unnecessary generation of a `header` object within the Tyk Vendor Extension (`x-tyk-api-gateway`), duplicating information already present in the declared OpenAPI security scheme.
  </Accordion>

  <Accordion title="Fixed duration format validation errors in Tyk OAS API definitions">
    Resolved an issue where the Gateway automatically converted Readable Duration values (such as uptime test timeouts) in Tyk OAS API definitions from integer-based formats to decimal formats, which triggered schema validation warnings. The effect of this was seen in the Tyk OAS API editor in the Dashboard UI where, for example, a duration of '4s500ms' would be converted to '4.5s' when reopening an API definition. Duration values are now consistently serialized and maintained in their original integer-based format to prevent these validation errors.
  </Accordion>

  <Accordion title="Stricter validation for version name parameter when creating a new child API version">
    Fixed an issue where users could create child Tyk OAS API versions using the `/tyk/apis/oas` endpoint without specifying a valid version name (`new_version_name`). The Gateway API now rejects such requests with an `HTTP 422 Unprocessable Entity` error, ensuring all versions have meaningful identifiers and preventing the creation of unusable or empty version entries.
  </Accordion>

  <Accordion title="Fixed inconsistent middleware updates for Tyk OAS API `PATCH` requests">
    Fixed an issue where updating a Tyk OAS API via `PATCH /tyk/apis/oas/{apiId}` did not properly update the Tyk Vendor Extension (`x-tyk-api-gateway`). When endpoints were removed or modified in the OpenAPI description, their corresponding middleware definitions could persist incorrectly in the vendor extension, leaving the API definition in an inconsistent state. The vendor extension is now correctly rebuilt to reflect all changes made to the OpenAPI description.
  </Accordion>
</AccordionGroup>

### 5.8.5 Release Notes

#### Release Date 18th August 2025

#### Release Highlights

Gateway 5.8.5 was version bumped only to align with Dashboard 5.8.5. Consequently, there are no changes in release 5.8.5. For further information, please see the release notes for Dashboard [v5.8.5](/nightly/developer-support/release-notes/dashboard#5-8-5-release-notes).

#### Breaking Changes

There are no breaking changes in this release.

#### Dependencies

##### Compatibility Matrix For Tyk Components

| Gateway Version | Recommended Releases             | Backwards Compatibility |
| :-------------- | :------------------------------- | :---------------------- |
| 5.8.5           | MDCB v2.8.4                      | MDCB v2.8.4             |
|                 | Operator v1.2.0                  | Operator v0.17          |
|                 | Sync v2.1.1                      | Sync v2.1.1             |
|                 | Helm Chart v3.0                  | Helm all versions       |
|                 | EDP v1.14                        | EDP all versions        |
|                 | Pump v1.12.1                     | Pump all versions       |
|                 | TIB (if using standalone) v1.7.0 | TIB all versions        |

##### 3rd Party Dependencies & Tools

| Third Party Dependency                                        | Tested Versions | Compatible Versions | Comments                                                                         |
| :------------------------------------------------------------ | :-------------- | :------------------ | :------------------------------------------------------------------------------- |
| [Go](https://go.dev/dl/)                                      | 1.23            | 1.23                | [Go plugins](/nightly/api-management/plugins/golang) must be built using Go 1.23 |
| [Redis](https://redis.io/download/)                           | 6.2.x, 7.x      | 6.2.x, 7.x          | Used by Tyk Gateway                                                              |
| [OpenAPI Specification](https://spec.openapis.org/oas/v3.0.3) | v3.0.x          | v3.0.x              | Supported by [Tyk OAS](/nightly/api-management/gateway-config-tyk-oas)           |

Given the potential time difference between your upgrade and the release of this version, we recommend users verify the ongoing support of third-party dependencies they install, as their status may have changed since the release.

#### Deprecations

There are no deprecations in this release.

#### Upgrade instructions

<a id="upgrade-5.8.5" />

If you are upgrading to 5.8.5, please follow the detailed [upgrade instructions](/nightly/#upgrading-tyk).

#### Downloads

* [Docker image to pull](https://hub.docker.com/r/tykio/tyk-gateway/tags?page=\&page_size=\&ordering=\&name=v5.8.5)
  * ```bash theme={null}
    docker pull tykio/tyk-gateway:v5.8.5
    ```

* Helm charts
  * [tyk-charts v3.0.0](/nightly/developer-support/release-notes/helm-chart#3-0-0-release-notes)

* [Source code tarball of Tyk Gateway v5.8.5](https://github.com/TykTechnologies/tyk/releases/tag/v5.8.5)

#### Changelog

<a id="Changelog-v5.8.5" data-scroll-offset />

Since this release was version-bumped only to align with Dashboard v5.8.5, it contains no changes.

### 5.8.4 Release Notes

#### Release Date 13th August 2025

#### Release Highlights

This release restores the stable `/hello` health-check behavior for Kubernetes probes. Deployments using `/hello` for liveness or readiness will now behave consistently again.

It also fixes a schema compatibility issue in the URL Rewrite middleware, ensuring that API promotion and validation flows no longer fail due to schema mismatches.

For a comprehensive list of changes, please refer to the detailed [changelog](/nightly/#Changelog-v5.8.4).

#### Breaking Changes

There are no breaking changes in this release.

#### Dependencies

##### Compatibility Matrix For Tyk Components

| Gateway Version | Recommended Releases             | Backwards Compatibility |
| :-------------- | :------------------------------- | :---------------------- |
| 5.8.4           | MDCB v2.8.3                      | MDCB v2.8.3             |
|                 | Operator v1.2.0                  | Operator v0.17          |
|                 | Sync v2.1.1                      | Sync v2.1.1             |
|                 | Helm Chart v3.0                  | Helm all versions       |
|                 | EDP v1.14                        | EDP all versions        |
|                 | Pump v1.12.0                     | Pump all versions       |
|                 | TIB (if using standalone) v1.7.0 | TIB all versions        |

##### 3rd Party Dependencies & Tools

| Third Party Dependency                                        | Tested Versions | Compatible Versions | Comments                                                                         |
| :------------------------------------------------------------ | :-------------- | :------------------ | :------------------------------------------------------------------------------- |
| [Go](https://go.dev/dl/)                                      | 1.23            | 1.23                | [Go plugins](/nightly/api-management/plugins/golang) must be built using Go 1.23 |
| [Redis](https://redis.io/download/)                           | 6.2.x, 7.x      | 6.2.x, 7.x          | Used by Tyk Gateway                                                              |
| [OpenAPI Specification](https://spec.openapis.org/oas/v3.0.3) | v3.0.x          | v3.0.x              | Supported by [Tyk OAS](/nightly/api-management/gateway-config-tyk-oas)           |

Given the potential time difference between your upgrade and the release of this version, we recommend users verify the ongoing support of third-party dependencies they install, as their status may have changed since the release.

#### Deprecations

There are no deprecations in this release.

#### Upgrade instructions

If you are upgrading to 5.8.4, please follow the detailed [upgrade instructions](/nightly/#upgrading-tyk).

#### Downloads

* [Docker image to pull](https://hub.docker.com/r/tykio/tyk-gateway/tags?page=\&page_size=\&ordering=\&name=v5.8.4)
  * ```bash theme={null}
    docker pull tykio/tyk-gateway:v5.8.4
    ```

* Helm charts
  * [tyk-charts v3.0.0](/nightly/developer-support/release-notes/helm-chart#3-0-0-release-notes)

* [Source code tarball of Tyk Gateway v5.8.4](https://github.com/TykTechnologies/tyk/releases/tag/v5.8.4)

#### Changelog

<a id="Changelog-v5.8.4" data-scroll-offset />

##### Fixed

<Expandable title="Gateway /hello endpoint behaviour restored when Redis is unavailable">
  Reverted the change introduced in versions 5.9.0 and 5.8.3 to the `/hello` health check endpoint, restoring its original functionality. This fix resolves an issue where the endpoint returned a 503 error when Redis was down. The `/hello` endpoint now correctly returns HTTP 200 during normal operations, ensuring compatibility with Kubernetes liveness and readiness probes.
</Expandable>

<Expandable title="URL Rewrite Middleware Schema Compatibility Fix">
  Fixed a breaking change in the URL Rewrite middleware schema where the 'negate' field incorrectly became mandatory in versions 5.8.3 and 5.9.0. This change caused validation errors when promoting APIs created in earlier versions (e.g., 5.8.1) to newer environments. The 'negate' field is now optional again, restoring backward compatibility and defaulting to 'false' when omitted.
</Expandable>

### 5.8.3 Release Notes

#### Release Date 15th July 2025

#### Release Highlights

This patch release contains various bug fixes. For a comprehensive list of changes, please refer to the detailed [changelog](/nightly/#Changelog-v5.8.3) below.

#### Breaking Changes

**1. Modified `/hello` endpoint behavior affects Kubernetes deployments**

In Tyk Gateway version 5.8.3, we introduced a breaking change to the `/hello` health check endpoint behavior. Previously, this endpoint would always return HTTP 200 during normal operations, regardless of Redis connectivity. The change made the endpoint return HTTP 503 when Redis was unavailable, which is not the intended behavior and caused issues for Kubernetes deployments using this endpoint for liveness probes.

##### Impact

* Kubernetes pods may be unnecessarily terminated when Redis becomes temporarily unavailable
* Deployments using `/hello` for both liveness and readiness probes experience disruption
* This contradicts the documented behavior that the Gateway continues functioning when Redis is unavailable

##### Expected Fix Version

This issue will be fixed in Tyk Gateway version 5.8.4, where we will:

* Revert the `/hello` endpoint to its pre-5.8.3 behavior (always return HTTP 200 during normal operations)
* Ensure backward compatibility for existing Kubernetes deployments

**2. URL rewrite rules now require explicit `negate` field**

A breaking change has been identified in Tyk 5.8.3 regarding [URL rewrite rules](/nightly/transform-traffic/url-rewriting). The `negate` field, which was optional in previous versions, is now mandatory in all URL rewrite rule configurations.

##### What Changed

In Tyk 5.8.2 and earlier, the `negate` field in [URL rewrite rules](/nightly/transform-traffic/url-rewriting) included an `omitempty` tag, making it optional in JSON. If not provided, it would default to `false`.

In Tyk 5.8.3, this `omitempty` tag has been removed, making the `negate` field mandatory in all URL rewrite rule configurations.

##### Impact

API definitions that worked in Tyk 5.8.2 will fail validation in Tyk 5.8.3 if they contain URL rewrite rules without an explicit `negate` field. This may cause API updates, or promotion between environments, to fail with error messages similar to:

```
Error: API Updating Returned error: {
  "Status": "Error",
  "Message": "x-tyk-api-gateway.middleware.operations.(.*)OPTIONS.urlRewrite.triggers.0.rules.0: negate is required"
}
```

##### Workarounds

When using Tyk 5.8.3, you must explicitly include the `negate` field in all URL rewrite rules:

```
{
  "rules": [
    {
      "in": "header",
      "name": "x-example",
      "pattern": "test",
      "negate": false
    }
  ]
}
```

Set negate: false for standard matching behavior, or negate: true
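The workaround can be applied mechanically before promoting a definition to a 5.8.3 environment. The following Go program is an added example, not Tyk's own code: it walks a definition, sets `"negate": false` on every URL rewrite rule that omits the field, and reports which rules it touched. The `triggers[].rules[]` nesting is assumed from the error message above, and the sample definition, operation ID and function names are constructed for illustration.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"sort"
)

// Constructed sample definition. The nesting is inferred from the error
// message quoted above; the operation ID and rule values are made up.
const sampleDefinition = `{"x-tyk-api-gateway": {"middleware": {"operations": {
  "exampleOPTIONS": {"urlRewrite": {"triggers": [{"rules": [
    {"in": "header", "name": "x-example", "pattern": "test"},
    {"in": "query", "name": "debug", "pattern": "1", "negate": true}
  ]}]}}
}}}}`

// AddMissingNegate sets "negate": false on every urlRewrite trigger rule
// that lacks the key, and returns the patched JSON plus the dotted paths
// of the rules it changed. Rules that already set negate are left alone.
func AddMissingNegate(doc []byte) ([]byte, []string, error) {
	dec := json.NewDecoder(bytes.NewReader(doc))
	dec.UseNumber() // keep numeric literals exactly as written
	var root any
	if err := dec.Decode(&root); err != nil {
		return nil, nil, fmt.Errorf("parse definition: %w", err)
	}
	var patched []string
	walk(root, "", &patched)
	sort.Strings(patched) // map iteration order is random; sort for stable output

	var out bytes.Buffer
	enc := json.NewEncoder(&out)
	enc.SetEscapeHTML(false)
	enc.SetIndent("", "  ")
	if err := enc.Encode(root); err != nil {
		return nil, nil, err
	}
	return out.Bytes(), patched, nil
}

// walk visits every object and array, patching each "urlRewrite" object.
func walk(node any, path string, patched *[]string) {
	switch v := node.(type) {
	case map[string]any:
		for key, child := range v {
			childPath := key
			if path != "" {
				childPath = path + "." + key
			}
			if key == "urlRewrite" {
				patchRules(child, childPath, patched)
			}
			walk(child, childPath, patched)
		}
	case []any:
		for i, child := range v {
			walk(child, fmt.Sprintf("%s.%d", path, i), patched)
		}
	}
}

// patchRules handles one urlRewrite object: triggers[].rules[].
func patchRules(node any, path string, patched *[]string) {
	rewrite, _ := node.(map[string]any)
	triggers, _ := rewrite["triggers"].([]any)
	for ti, t := range triggers {
		trigger, _ := t.(map[string]any)
		rules, _ := trigger["rules"].([]any)
		for ri, r := range rules {
			rule, ok := r.(map[string]any)
			if !ok {
				continue
			}
			if _, present := rule["negate"]; !present {
				rule["negate"] = false
				*patched = append(*patched,
					fmt.Sprintf("%s.triggers.%d.rules.%d", path, ti, ri))
			}
		}
	}
}

func main() {
	out, patched, err := AddMissingNegate([]byte(sampleDefinition))
	if err != nil {
		panic(err)
	}
	fmt.Println("rules patched:", patched)
	fmt.Print(string(out))
}
```

Re-encoding sorts object keys alphabetically, so review the output as a semantic diff rather than a textual one.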

##### Expected fix version

This issue will be fixed in Tyk 5.8.4, where the `negate` field will be optional again.

#### Dependencies

##### Compatibility Matrix For Tyk Components

| Gateway Version | Recommended Releases             | Backwards Compatibility |
| :-------------- | :------------------------------- | :---------------------- |
| 5.8.3           | MDCB v2.8.2                      | MDCB v2.8.2             |
|                 | Operator v1.2.0                  | Operator v0.17          |
|                 | Sync v2.1.1                      | Sync v2.1.1             |
|                 | Helm Chart v3.0                  | Helm all versions       |
|                 | EDP v1.14                        | EDP all versions        |
|                 | Pump v1.12.0                     | Pump all versions       |
|                 | TIB (if using standalone) v1.7.0 | TIB all versions        |

##### 3rd Party Dependencies & Tools

| Third Party Dependency                                        | Tested Versions | Compatible Versions | Comments                                                                         |
| :------------------------------------------------------------ | :-------------- | :------------------ | :------------------------------------------------------------------------------- |
| [Go](https://go.dev/dl/)                                      | 1.23            | 1.23                | [Go plugins](/nightly/api-management/plugins/golang) must be built using Go 1.23 |
| [Redis](https://redis.io/download/)                           | 6.2.x, 7.x      | 6.2.x, 7.x          | Used by Tyk Gateway                                                              |
| [OpenAPI Specification](https://spec.openapis.org/oas/v3.0.3) | v3.0.x          | v3.0.x              | Supported by [Tyk OAS](/nightly/api-management/gateway-config-tyk-oas)           |

Given the potential time difference between your upgrade and the release of this version, we recommend users verify the ongoing support of third-party dependencies they install, as their status may have changed since the release.

#### Deprecations

There are no deprecations in this release.

#### Upgrade instructions

If you are upgrading to 5.8.3, please follow the detailed [upgrade instructions](/nightly/#upgrading-tyk).

#### Downloads

* [Docker image to pull](https://hub.docker.com/r/tykio/tyk-gateway/tags?page=\&page_size=\&ordering=\&name=v5.8.3)
  * ```bash theme={null}
    docker pull tykio/tyk-gateway:v5.8.3
    ```

* Helm charts
  * [tyk-charts v3.0.0](/nightly/developer-support/release-notes/helm-chart#3-0-0-release-notes)

* [Source code tarball of Tyk Gateway v5.8.3](https://github.com/TykTechnologies/tyk/releases/tag/v5.8.3)

#### Changelog

<a id="Changelog-v5.8.3" data-scroll-offset />

##### Added

<Expandable title="Tyk Gateway Now Supports Configurable Graceful Shutdown Period">
  The Gateway now supports a configurable [graceful shutdown](/nightly/planning-for-production/ensure-high-availability/graceful-shutdown) period, waiting up to `graceful_shutdown_timeout_duration` seconds (default value is 30s) for open connections to close before terminating. Additionally, improvements have been made to the liveness (`/hello`) and readiness (`/ready`) endpoints.
</Expandable>

##### Fixed

<AccordionGroup>
  <Accordion title="Load Balance Between gRPC Plugin Servers">
    Fixed support for `dns:///` protocol for load balancing when using [gRPC plugins](/nightly/api-management/plugins/rich-plugins#load-balancing-between-grpc-servers). Setting the new configuration option `TYK_GW_COPROCESSOPTIONS_GRPCROUNDROBINLOADBALANCING` to `true` will cause Tyk to balance the load between multiple gRPC servers; the default behavior (`false`) is to use a sticky connection to a single server.
  </Accordion>

  <Accordion title="Restored TLS 1.2 Cipher Suite Support">
    Fixed an issue introduced in Tyk 5.8.1 where several previously supported cipher suites were no longer recognized when configured, causing them to be silently skipped for clients relying on those ciphers. The issue was only visible with debug-level logging, making it difficult to diagnose in production environments. Support for these cipher suites has now been restored.
  </Accordion>

  <Accordion title="Calling Invalid Stream API Endpoint Now Returns HTTP 404">
    Gateway no longer returns `HTTP 500` when calling an invalid path on a streams API and will instead return `HTTP 404` as expected.
  </Accordion>

  <Accordion title="Reliable GraphQL Proxying for Interface Arguments">
    Fixed an issue where Tyk failed to proxy a GraphQL edge case: a request that included an argument on an interface led to proxying errors.
  </Accordion>

  <Accordion title="Resolved Repeated “Unsupported Protocol Scheme” Errors">
    Gateway no longer produces endless "unsupported protocol scheme" errors for Tyk Streams APIs.
  </Accordion>

  <Accordion title="Stability Fixes for GraphQL Subscriptions and Kafka Messaging">
    Fixed a panic triggered by starting GraphQL subscriptions and resolved an issue where Kafka messages failed to resolve correctly.
  </Accordion>

  <Accordion title="Removed Unnecessary Garbage Collection When Deleting Tyk Streams API">
    Gateway no longer tries to start a garbage collection task after deleting a Tyk Streams API.
  </Accordion>

  <Accordion title="Detailed Traffic Logs Missing Payload">
    Fixed an issue where the payload (request body) was not included in detailed traffic logs for the following scenarios:

    * `Content-Type: application/x-www-form-urlencoded`
    * `Transfer-Encoding: chunked`
  </Accordion>

  <Accordion title="Reliable SSE and WebSocket Streaming for Browser Clients">
    Browser clients can now reliably consume streams outputs (SSE and WebSocket).
  </Accordion>

  <Accordion title="Tyk OAS API Definition Wasn't Accessible From Response Plugins">
    Fixed an issue when using Tyk OAS where the API definition was not accessible from Response Plugins unless a Request Plugin was also loaded. The issue was caused by the `ctx.GetOASDefinition(req)` function not consistently returning the proper OpenAPI Specification (OAS).
  </Accordion>
</AccordionGroup>
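The cipher suite fix above concerns configured names that were skipped with only a debug-level log entry. The following Go program is an added example, not Tyk's own code: it resolves a configured list against the suites implemented by the Go runtime and fails with an error naming every entry that would not take effect, so the problem is visible at any log level. It assumes the configuration uses Go's `crypto/tls` suite names; the sample list, including the misspelled entry, is constructed.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// SuiteStatus is the audit result for one configured cipher suite name.
type SuiteStatus struct {
	Name      string
	ID        uint16
	Known     bool // the Go runtime implements a suite with this name
	Insecure  bool // listed by tls.InsecureCipherSuites()
	TLS13Only bool // cannot be selected through tls.Config.CipherSuites
}

// Constructed sample configuration; the last entry is a deliberate typo.
var sampleConfigured = []string{
	"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
	"TLS_RSA_WITH_RC4_128_SHA",
	"TLS_AES_128_GCM_SHA256",
	"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA265",
}

// AuditCipherSuites resolves each configured name against the suites
// implemented by the Go toolchain this binary was built with.
func AuditCipherSuites(names []string) []SuiteStatus {
	known := map[string]SuiteStatus{}
	add := func(list []*tls.CipherSuite) {
		for _, s := range list {
			only13 := len(s.SupportedVersions) == 1 &&
				s.SupportedVersions[0] == tls.VersionTLS13
			known[s.Name] = SuiteStatus{Name: s.Name, ID: s.ID, Known: true,
				Insecure: s.Insecure, TLS13Only: only13}
		}
	}
	add(tls.CipherSuites())
	add(tls.InsecureCipherSuites())

	report := make([]SuiteStatus, 0, len(names))
	for _, n := range names {
		n = strings.TrimSpace(n)
		if st, ok := known[n]; ok {
			report = append(report, st)
		} else {
			report = append(report, SuiteStatus{Name: n})
		}
	}
	return report
}

// CipherSuiteIDs returns the IDs to place in tls.Config.CipherSuites, or an
// error naming every entry that would have no effect. Returning an error at
// start-up replaces the silent skip with a visible failure.
func CipherSuiteIDs(names []string) ([]uint16, error) {
	var ids []uint16
	var rejected []string
	for _, st := range AuditCipherSuites(names) {
		switch {
		case !st.Known:
			rejected = append(rejected, st.Name+" (unrecognised)")
		case st.TLS13Only:
			rejected = append(rejected, st.Name+" (TLS 1.3 only, not configurable)")
		default:
			ids = append(ids, st.ID)
		}
	}
	if len(rejected) > 0 {
		return nil, fmt.Errorf("cipher suites without effect: %s",
			strings.Join(rejected, ", "))
	}
	return ids, nil
}

func main() {
	for _, st := range AuditCipherSuites(sampleConfigured) {
		fmt.Printf("%-40s known=%-5t insecure=%-5t tls13only=%t\n",
			st.Name, st.Known, st.Insecure, st.TLS13Only)
	}
	if _, err := CipherSuiteIDs(sampleConfigured); err != nil {
		fmt.Println("refusing to start:", err)
	}
}
```

Run the audit with the same Go version the Gateway binary is built with, since the set of recognised and insecure suites changes between Go releases.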

***

### 5.8.2 Release Notes

#### Release Date 1st July 2025

#### Release Highlights

This patch release contains fixes to some bugs experienced when using MDCB and distributed data planes. For a comprehensive list of changes, please refer to the detailed [changelog](/nightly/#Changelog-v5.8.2) below.

#### Breaking Changes

There are no breaking changes in this release.

#### Dependencies

##### Compatibility Matrix For Tyk Components

| Gateway Version | Recommended Releases             | Backwards Compatibility |
| :-------------- | :------------------------------- | :---------------------- |
| 5.8.2           | MDCB v2.8.1                      | MDCB v2.8.1             |
|                 | Operator v1.2.0                  | Operator v0.17          |
|                 | Sync v2.1.0                      | Sync v2.1.0             |
|                 | Helm Chart v3.0                  | Helm all versions       |
|                 | EDP v1.13                        | EDP all versions        |
|                 | Pump v1.12.0                     | Pump all versions       |
|                 | TIB (if using standalone) v1.7.0 | TIB all versions        |

##### 3rd Party Dependencies & Tools

| Third Party Dependency                                        | Tested Versions | Compatible Versions | Comments                                                                         |
| :------------------------------------------------------------ | :-------------- | :------------------ | :------------------------------------------------------------------------------- |
| [Go](https://go.dev/dl/)                                      | 1.23            | 1.23                | [Go plugins](/nightly/api-management/plugins/golang) must be built using Go 1.23 |
| [Redis](https://redis.io/download/)                           | 6.2.x, 7.x      | 6.2.x, 7.x          | Used by Tyk Gateway                                                              |
| [OpenAPI Specification](https://spec.openapis.org/oas/v3.0.3) | v3.0.x          | v3.0.x              | Supported by [Tyk OAS](/nightly/api-management/gateway-config-tyk-oas)           |

Given the potential time difference between your upgrade and the release of this version, we recommend users verify the ongoing support of third-party dependencies they install, as their status may have changed since the release.

#### Deprecations

There are no deprecations in this release.

#### Upgrade instructions

If you are upgrading to 5.8.2, please follow the detailed [upgrade instructions](/nightly/#upgrading-tyk).

#### Downloads

* [Docker image to pull](https://hub.docker.com/r/tykio/tyk-gateway/tags?page=\&page_size=\&ordering=\&name=v5.8.2)
  * ```bash theme={null}
    docker pull tykio/tyk-gateway:v5.8.2
    ```

* Helm charts
  * [tyk-charts v3.0.0](/nightly/developer-support/release-notes/helm-chart#3-0-0-release-notes)

* [Source code tarball of Tyk Gateway v5.8.2](https://github.com/TykTechnologies/tyk/releases/tag/v5.8.2)

#### Changelog

<a id="Changelog-v5.8.2" data-scroll-offset />

##### Fixed

<AccordionGroup>
  <Accordion title="Gateways in Distributed Data Planes Were Unable To Perform mTLS When MDCB Link Unavailable">
    Resolved an issue introduced in Tyk 5.7.1 where Gateways in distributed Data Planes failed to cache TLS certificates correctly in the local Redis, resulting in potential service disruptions if MDCB became unavailable. Data plane gateways now reliably serve HTTPS and mTLS traffic even if MDCB is unavailable.
  </Accordion>

  <Accordion title="More Resilient RPC Connections During DNS Changes">
    The Data Plane could lose connectivity to MDCB when DNS records changed (for example due to ELB updates). The RPC address became stale and the Gateways could not reconnect.
    We have improved the RPC connection handling in the gateway to properly detect and respond to DNS changes, ensuring seamless reconnection when remote IPs become unavailable.
  </Accordion>

  <Accordion title="Resolved MDCB Policy Sync Issue Caused by RPC Timeouts">
    Fixed a bug where a timeout in an RPC call to MDCB could lead to policies not being synchronised to the data plane.
  </Accordion>
</AccordionGroup>

***

### 5.8.1 Release Notes

#### Release Date 9 May 2025

#### Release Highlights

This patch release contains various bug fixes. For a comprehensive list of changes, please refer to the detailed [changelog](/nightly/#Changelog-v5.8.1) below.

#### Breaking Changes

There are no breaking changes in this release.

#### Dependencies

##### Compatibility Matrix For Tyk Components

| Gateway Version | Recommended Releases             | Backwards Compatibility |
| :-------------- | :------------------------------- | :---------------------- |
| 5.8.1           | MDCB v2.8.1                      | MDCB v2.8.1             |
|                 | Operator v1.2.0                  | Operator v0.17          |
|                 | Sync v2.1.0                      | Sync v2.1.0             |
|                 | Helm Chart v3.0                  | Helm all versions       |
|                 | EDP v1.13                        | EDP all versions        |
|                 | Pump v1.12.0                     | Pump all versions       |
|                 | TIB (if using standalone) v1.7.0 | TIB all versions        |

##### 3rd Party Dependencies & Tools

| Third Party Dependency                                        | Tested Versions | Compatible Versions | Comments                                                                         |
| :------------------------------------------------------------ | :-------------- | :------------------ | :------------------------------------------------------------------------------- |
| [Go](https://go.dev/dl/)                                      | 1.23            | 1.23                | [Go plugins](/nightly/api-management/plugins/golang) must be built using Go 1.23 |
| [Redis](https://redis.io/download/)                           | 6.2.x, 7.x      | 6.2.x, 7.x          | Used by Tyk Gateway                                                              |
| [OpenAPI Specification](https://spec.openapis.org/oas/v3.0.3) | v3.0.x          | v3.0.x              | Supported by [Tyk OAS](/nightly/api-management/gateway-config-tyk-oas)           |

Given the potential time difference between your upgrade and the release of this version, we recommend users verify the ongoing support of third-party dependencies they install, as their status may have changed since the release.

#### Deprecations

There are no deprecations in this release.

#### Upgrade instructions

If you are upgrading to 5.8.1, please follow the detailed [upgrade instructions](/nightly/#upgrading-tyk).

#### Downloads

* [Docker image to pull](https://hub.docker.com/r/tykio/tyk-gateway/tags?page=\&page_size=\&ordering=\&name=v5.8.1)
  * ```bash theme={null}
    docker pull tykio/tyk-gateway:v5.8.1
    ```

* Helm charts
  * [tyk-charts v3.0.0](/nightly/developer-support/release-notes/helm-chart#3-0-0-release-notes)

* [Source code tarball of Tyk Gateway v5.8.1](https://github.com/TykTechnologies/tyk/releases/tag/v5.8.1)

#### Changelog

<a id="Changelog-v5.8.1" data-scroll-offset />

##### Fixed

<AccordionGroup>
  <Accordion title="Fixed Inconsistent Context Behavior in UDG APIs">
    Addressed an issue for UDG APIs where caching led to stale values being forwarded to the upstream of the UDG APIs for headers that contained content variables.
  </Accordion>

  <Accordion title="Improved Route Matching Logic for API Requests">
    Resolved an issue where requests could be routed incorrectly due to inverted prioritisation of dynamically declared paths over those with similar static paths. Now, statically declared paths take priority in the path matching algorithm, so if API1 has listen path `/path/{param}/endpoint` and API2 has listen path `/path/specific/endpoint`, a request to `/path/specific/endpoint/resource` will be correctly routed to API2.
  </Accordion>

  <Accordion title="Resolved Issue With Default Enforced Request Timeout">
    Fixed an issue where an [enforced timeout](/nightly/planning-for-production/ensure-high-availability/enforced-timeouts) set for a specific API endpoint could be overruled by the configured [proxy\_default\_timeout](/nightly/tyk-oss-gateway/configuration#proxy_default_timeout). Now if an endpoint-level timeout is set then this will be honoured, regardless of any default timeout that is configured.
  </Accordion>

  <Accordion title="Fixed Issue With Tyk Self-Managed Gateways Claiming Licenses">
    Resolved a race condition in self-managed deployments which occasionally led to fewer Gateways registering with the Dashboard than the number that had been licensed. Now Tyk Self-Managed deployments will allow the licensed number of Gateways to register and serve traffic.
  </Accordion>

  <Accordion title="Resolved merging issue in field-based policy permissions">
    Resolved a bug where `allowed_types` from multiple policies were incorrectly merged using intersection logic. Policies now correctly merge fields to allow access to any fields listed across the applied policies.
  </Accordion>
</AccordionGroup>
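The route matching fix above decides which API, and therefore which authentication and policy configuration, handles a request. The following Go program is an added example that illustrates the principle only and is not the Gateway's matching algorithm: it orders listen paths so that a static segment is tried before a `{param}` segment, and the `staticFirst` flag reproduces the inverted ordering for comparison. The `API` type and function names are hypothetical; the two listen paths are the ones from the changelog entry.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// API is a minimal stand-in for an API definition (hypothetical type).
type API struct {
	Name       string
	ListenPath string
}

// The two listen paths used in the changelog entry above.
var sampleAPIs = []API{
	{Name: "API1", ListenPath: "/path/{param}/endpoint"},
	{Name: "API2", ListenPath: "/path/specific/endpoint"},
}

func segments(p string) []string {
	return strings.FieldsFunc(p, func(r rune) bool { return r == '/' })
}

func isParam(seg string) bool {
	return strings.HasPrefix(seg, "{") && strings.HasSuffix(seg, "}")
}

// before reports whether listen path a is tried before b. At the first
// position where one is static and the other a parameter, the static one
// wins when staticFirst is true (the inverted order when it is false).
// Otherwise the longer listen path is tried first.
func before(a, b []string, staticFirst bool) bool {
	for i := 0; i < len(a) && i < len(b); i++ {
		if isParam(a[i]) != isParam(b[i]) {
			return isParam(a[i]) != staticFirst
		}
	}
	return len(a) > len(b)
}

// matches reports whether the request path starts with the listen path,
// treating each {param} segment as a wildcard for exactly one segment.
func matches(listen, request []string) bool {
	if len(request) < len(listen) {
		return false
	}
	for i, seg := range listen {
		if !isParam(seg) && seg != request[i] {
			return false
		}
	}
	return true
}

// Route returns the name of the first API, in priority order, whose listen
// path matches the request, or "" when none does.
func Route(apis []API, requestPath string, staticFirst bool) string {
	ordered := append([]API(nil), apis...)
	sort.SliceStable(ordered, func(i, j int) bool {
		return before(segments(ordered[i].ListenPath),
			segments(ordered[j].ListenPath), staticFirst)
	})
	req := segments(requestPath)
	for _, api := range ordered {
		if matches(segments(api.ListenPath), req) {
			return api.Name
		}
	}
	return ""
}

func main() {
	const req = "/path/specific/endpoint/resource"
	fmt.Println("dynamic first:", Route(sampleAPIs, req, false))
	fmt.Println("static first: ", Route(sampleAPIs, req, true))
}
```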

### 5.8.0 Release Notes

#### Release Date 28 March 2025

#### Release Highlights

With Tyk 5.8.0 we are delighted to unlock the power and flexibility of Tyk OAS for all users, with full feature parity with the legacy Tyk Classic API definition. We are also bringing other updates and improvements, delivering more control, flexibility, and performance. For a comprehensive list of changes, please refer to the detailed [changelog](/nightly/#Changelog-v5.8.0) below.

##### Full support for Gateway configuration using Tyk OAS

We have completed the journey with Tyk OAS that started in Tyk 4.1 - and now anything that you can configure using the Tyk Classic API definition is also available in the Tyk OAS API definition. Tyk OAS is now the recommended API style for all REST services, with Tyk Classic recommended for use only for GraphQL and TCP services.

With Tyk OAS we combine the industry standard OpenAPI description with the Tyk Vendor Extension, which encapsulates all of the Tyk Gateway settings that cannot be inferred from the OpenAPI Specification (OAS). You can keep your service description (OAS) as source of truth and update the OpenAPI description part of a Tyk OAS API independently from the Tyk Vendor Extension - no need to unpick distributed vendor extensions from your OAS. For more details, please see the [documentation](/nightly/api-management/gateway-config-introduction).

#### Breaking Changes

There are no breaking changes in this release.

#### Dependencies

##### Compatibility Matrix For Tyk Components

| Gateway Version | Recommended Releases             | Backwards Compatibility |
| :-------------- | :------------------------------- | :---------------------- |
| 5.8.0           | MDCB v2.8.0                      | MDCB v2.8.0             |
|                 | Operator v1.2.0                  | Operator v0.17          |
|                 | Sync v2.1.0                      | Sync v2.1.0             |
|                 | Helm Chart v3.0                  | Helm all versions       |
|                 | EDP v1.13                        | EDP all versions        |
|                 | Pump v1.12.0                     | Pump all versions       |
|                 | TIB (if using standalone) v1.7.0 | TIB all versions        |

##### 3rd Party Dependencies & Tools

| Third Party Dependency                                        | Tested Versions | Compatible Versions | Comments                                                                         |
| :------------------------------------------------------------ | :-------------- | :------------------ | :------------------------------------------------------------------------------- |
| [Go](https://go.dev/dl/)                                      | 1.23            | 1.23                | [Go plugins](/nightly/api-management/plugins/golang) must be built using Go 1.23 |
| [Redis](https://redis.io/download/)                           | 6.2.x, 7.x      | 6.2.x, 7.x          | Used by Tyk Gateway                                                              |
| [OpenAPI Specification](https://spec.openapis.org/oas/v3.0.3) | v3.0.x          | v3.0.x              | Supported by [Tyk OAS](/nightly/api-management/gateway-config-tyk-oas)           |

Given the potential time difference between your upgrade and the release of this version, we recommend users verify the ongoing support of third-party dependencies they install, as their status may have changed since the release.

#### Deprecations

There are no deprecations in this release.

#### Upgrade instructions

If you are upgrading to 5.8.0, please follow the detailed [upgrade instructions](/nightly/#upgrading-tyk).

#### Downloads

* [Docker image to pull](https://hub.docker.com/r/tykio/tyk-gateway/tags?page=\&page_size=\&ordering=\&name=v5.8.0)
  * ```bash theme={null}
    docker pull tykio/tyk-gateway:v5.8.0
    ```

* Helm charts
  * [tyk-charts v3.0.0](/nightly/developer-support/release-notes/helm-chart#3-0-0-release-notes)

* [Source code tarball of Tyk Gateway v5.8.0](https://github.com/TykTechnologies/tyk/releases/tag/v5.8.0)

#### Changelog

<a id="Changelog-v5.8.0" data-scroll-offset />

##### Added

<AccordionGroup>
  <Accordion title="Tyk OAS Feature Parity">
    In Tyk 5.8.0, we have added configuration of the following features into the Tyk OAS API definition, so that anything you can configure for a REST API via Tyk Classic you can also configure using Tyk OAS:

    * IP access control
    * API-Level request size limit
    * API-level ignore endpoint case
    * Skip rate limit middleware
    * Skip quota middleware
    * Skip quota reset on key creation
    * Custom analytics tags
    * Custom analytics retention period
    * Custom analytics plugins
    * Preserve client Host header
    * Gateway HTTP settings
    * Upstream uptime testing
    * Upstream load balancing
    * Upstream SSL configuration
    * Upstream authentication: HMAC request signing
    * Event handling: custom JS handler
    * Event handling: custom log Handler
    * Batch requests
  </Accordion>

  <Accordion title="Transaction Logs for Better API Request Visibility">
    Tyk Gateway now supports transaction logs, providing structured access logs for API requests. This improves debugging and observability without the overhead of enabling debug mode in production. Logs can be output in JSON format and customized via a template, ensuring flexibility while maintaining performance. Find more details in our [Transaction Logs documentation](/nightly/api-management/tyk-pump#configure-api-traffic-logs).
  </Accordion>

  <Accordion title="Added GODEBUG Flags for Backward Compatibility with Deprecated Ciphers">
    We have added GODEBUG flags to enable deprecated insecure ciphers by default for backward compatibility. Existing users will not be affected. New users or those who wish to override these settings can do so at runtime using environment variables.
  </Accordion>
</AccordionGroup>

##### Changed

<AccordionGroup>
  <Accordion title="Upgraded to Golang 1.23">
    Tyk Gateway now runs on Golang 1.23, bringing security and performance improvements. Key changes include:

    * unbuffered Timer/Ticker channels
    * removal of 3DES cipher suites
    * updates to X509KeyPair handling

    **You may need to adjust your setup for compatibility**. For more detail please see the official Go [release notes](https://go.dev/doc/go1.23).
  </Accordion>

  <Accordion title="Support for the Latest JSON Schema Version for Tyk Classic Request Validation">
    We have updated the library that supports JSON schema validation in the Tyk Classic Validate JSON middleware. This introduces improved error messaging when a request does not match the expected schema, reporting where the error exists in the request payload.
  </Accordion>

  <Accordion title="Updated Default Configuration for Tyk Operator and Sync Compatibility">
    Modified the default values of `allow_explicit_policy_id` and `enable_duplicate_slugs` to true in all example configuration files, ensuring consistency and alignment with recommended settings.
  </Accordion>
</AccordionGroup>

##### Fixed

<AccordionGroup>
  <Accordion title="Resolved API Authentication Issue when Performing Internal Looping using URL Rewrite">
    We have fixed an issue where authentication was incorrectly handled for the Internal API when URL Rewrite middleware was used to redirect a request using the `tyk://` protocol. This fix ensures that when API A redirects to API B, authentication with API B will use the method configured for API B, improving access control and preventing access denials. Users can now rely on the expected authentication flow, providing a predictable experience when routing to internal APIs.
  </Accordion>

  <Accordion title="Reduced False Alarms in Gateway Startup Logging">
    Resolved initialization errors that caused unnecessary error logging during gateway startup, improving PID file handling and Redis connection state management.
  </Accordion>

  <Accordion title="Resolved gateway not entering &#x22;emergency&#x22; mode">
    Fixed an issue where the gateway stopped processing traffic when restarted while MDCB was unavailable. Instead of entering “emergency” mode and loading APIs and policies from the Redis backup, the gateway remained unresponsive, continuously attempting to reconnect. With this fix, the gateway detects connection failure and enters emergency mode, ensuring traffic processing resumes even when MDCB is down.
  </Accordion>

  <Accordion title="Optimized ctx.GetOASDefinition() for Improved Performance">
    Improved the performance of ctx.GetOASDefinition() in custom plugins by replacing the deep copy operation with a more efficient cloning method. This optimization reduces memory usage by 95% and CPU consumption by 46%, significantly speeding up API definition retrieval.

    Thanks to @sebkehr for identifying this issue and providing valuable feedback to enhance Tyk's performance.
  </Accordion>

  <Accordion title="Multi-Value Response Headers in Coprocess Middleware">
    Multi-value response headers were previously lost after synchronization with coprocess middleware, as only the first value was retained. This has been resolved, ensuring all response headers are properly synchronized and preserved.
  </Accordion>

  <Accordion title="Fixed Incorrect OAuth Upstream Flow Selection">
    Resolved an issue where the gateway incorrectly selected the OAuth upstream authentication flow when both client credentials and password flows were configured. The gateway now correctly respects the allowedAuthorizeTypes setting, ensuring the intended authentication flow is used.
  </Accordion>
</AccordionGroup>

***

## 5.7 Release Notes

### 5.7.3 Release Notes

#### Release Date 05 June 2025

#### Release Highlights

This patch release contains a bug fix. For a comprehensive list of changes, please refer to the detailed [changelog](/nightly/#Changelog-v5.7.3) below.

#### Dependencies

##### Compatibility Matrix For Tyk Components

| Gateway Version | Recommended Releases             | Backwards Compatibility |
| :-------------- | :------------------------------- | :---------------------- |
| 5.7.3           | MDCB v2.7.2                      | MDCB v2.4.2             |
|                 | Operator v1.1.0                  | Operator v0.17          |
|                 | Sync v2.0.2                      | Sync v1.4.3             |
|                 | Helm Chart v2.2                  | Helm all versions       |
|                 | EDP v1.12                        | EDP all versions        |
|                 | Pump v1.11.1                     | Pump all versions       |
|                 | TIB (if using standalone) v1.6.1 | TIB all versions        |

##### 3rd Party Dependencies & Tools

| Third Party Dependency                                        | Tested Versions | Compatible Versions | Comments                                                                         |
| :------------------------------------------------------------ | :-------------- | :------------------ | :------------------------------------------------------------------------------- |
| [Go](https://go.dev/dl/)                                      | 1.22            | 1.22                | [Go plugins](/nightly/api-management/plugins/golang) must be built using Go 1.22 |
| [Redis](https://redis.io/download/)                           | 6.2.x, 7.x      | 6.2.x, 7.x          | Used by Tyk Gateway                                                              |
| [OpenAPI Specification](https://spec.openapis.org/oas/v3.0.3) | v3.0.x          | v3.0.x              | Supported by [Tyk OAS](/nightly/api-management/gateway-config-tyk-oas)           |

Given the potential time difference between your upgrade and the release of this version, we recommend users verify the ongoing support of third-party dependencies they install, as their status may have changed since the release.

#### Deprecations

There are no deprecations in this release.

#### Upgrade instructions

If you are upgrading to 5.7.3, please follow the detailed [upgrade instructions](/nightly/#upgrading-tyk).

#### Downloads

* [Docker image to pull](https://hub.docker.com/r/tykio/tyk-gateway/tags?page=\&page_size=\&ordering=\&name=v5.7.3)
  * ```bash theme={null}
    docker pull tykio/tyk-gateway:v5.7.3
    ```

* Helm charts
  * [tyk-charts v2.2.0](/nightly/developer-support/release-notes/helm-chart#2-2-0-release-notes)

* [Source code tarball of Tyk Gateway v5.7.3](https://github.com/TykTechnologies/tyk/releases/tag/v5.7.3)

#### Changelog

<a id="Changelog-v5.7.3" data-scroll-offset />

##### Fixed

<Expandable title="Gateways in distributed Data Planes now cache certificates correctly in Redis">
  Resolved an issue introduced in Tyk 5.7.1 where Gateways in distributed Data Planes failed to cache TLS certificates correctly in the local Redis, resulting in potential service disruptions if MDCB became unavailable. Data plane gateways now reliably serve HTTPS and mTLS traffic even if MDCB is unavailable.
</Expandable>

***

### 5.7.2 Release Notes

#### Release Date 19 February 2025

#### Release Highlights

This patch release contains a bug fix. For a comprehensive list of changes, please refer to the detailed [changelog](/nightly/#Changelog-v5.7.2) below.

#### Breaking Changes

There are no breaking changes in this release.

#### Dependencies

##### Compatibility Matrix For Tyk Components

| Gateway Version | Recommended Releases             | Backwards Compatibility |
| :-------------- | :------------------------------- | :---------------------- |
| 5.7.2           | MDCB v2.7.2                      | MDCB v2.4.2             |
|                 | Operator v1.1.0                  | Operator v0.17          |
|                 | Sync v2.0.2                      | Sync v1.4.3             |
|                 | Helm Chart v2.2                  | Helm all versions       |
|                 | EDP v1.12                        | EDP all versions        |
|                 | Pump v1.11.1                     | Pump all versions       |
|                 | TIB (if using standalone) v1.6.1 | TIB all versions        |

##### 3rd Party Dependencies & Tools

| Third Party Dependency                                        | Tested Versions | Compatible Versions | Comments                                                                         |
| :------------------------------------------------------------ | :-------------- | :------------------ | :------------------------------------------------------------------------------- |
| [Go](https://go.dev/dl/)                                      | 1.22            | 1.22                | [Go plugins](/nightly/api-management/plugins/golang) must be built using Go 1.22 |
| [Redis](https://redis.io/download/)                           | 6.2.x, 7.x      | 6.2.x, 7.x          | Used by Tyk Gateway                                                              |
| [OpenAPI Specification](https://spec.openapis.org/oas/v3.0.3) | v3.0.x          | v3.0.x              | Supported by [Tyk OAS](/nightly/api-management/gateway-config-tyk-oas)           |

Given the potential time difference between your upgrade and the release of this version, we recommend users verify the ongoing support of third-party dependencies they install, as their status may have changed since the release.

#### Deprecations

There are no deprecations in this release.

#### Upgrade instructions

If you are upgrading to 5.7.2, please follow the detailed [upgrade instructions](/nightly/#upgrading-tyk).

#### Downloads

* [Docker image to pull](https://hub.docker.com/r/tykio/tyk-gateway/tags?page=\&page_size=\&ordering=\&name=v5.7.2)
  * ```bash theme={null}
    docker pull tykio/tyk-gateway:v5.7.2
    ```

* Helm charts
  * [tyk-charts v2.2.0](/nightly/developer-support/release-notes/helm-chart#2-2-0-release-notes)

* [Source code tarball of Tyk Gateway v5.7.2](https://github.com/TykTechnologies/tyk/releases/tag/v5.7.2)

#### Changelog

<a id="Changelog-v5.7.2" data-scroll-offset />

##### Fixed

<Expandable title="Resolved gateway not entering &#x22;emergency&#x22; mode">
  Fixed an issue where the gateway stopped processing traffic when restarted while MDCB was unavailable. Instead of entering “emergency” mode and loading APIs and policies from the Redis backup, the gateway remained unresponsive, continuously attempting to reconnect. With this fix, the gateway detects connection failure and enters emergency mode, ensuring traffic processing resumes even when MDCB is down.
</Expandable>

***

### 5.7.1 Release Notes

#### Release Date 31 December 2024

#### Release Highlights

This release focuses mainly on bug fixes. For a comprehensive list of changes, please refer to the detailed [changelog](/nightly/#Changelog-v5.7.1) below.

#### Breaking Changes

There are no breaking changes in this release.

#### Dependencies

##### Compatibility Matrix For Tyk Components

| Gateway Version | Recommended Releases             | Backwards Compatibility |
| :-------------- | :------------------------------- | :---------------------- |
| 5.7.1           | MDCB v2.7.2                      | MDCB v2.4.2             |
|                 | Operator v1.1.0                  | Operator v0.17          |
|                 | Sync v2.0.1                      | Sync v1.4.3             |
|                 | Helm Chart v2.2                  | Helm all versions       |
|                 | EDP v1.12                        | EDP all versions        |
|                 | Pump v1.11.1                     | Pump all versions       |
|                 | TIB (if using standalone) v1.6.1 | TIB all versions        |

##### 3rd Party Dependencies & Tools

| Third Party Dependency                                        | Tested Versions | Compatible Versions | Comments                                                                          |
| :------------------------------------------------------------ | :-------------- | :------------------ | :-------------------------------------------------------------------------------- |
| [Go](https://go.dev/dl/)                                      | 1.22            | 1.22                | [Go plugins](/nightly/api-management/plugins/golang#) must be built using Go 1.22 |
| [Redis](https://redis.io/download/)                           | 6.2.x, 7.x      | 6.2.x, 7.x          | Used by Tyk Gateway                                                               |
| [OpenAPI Specification](https://spec.openapis.org/oas/v3.0.3) | v3.0.x          | v3.0.x              | Supported by [Tyk OAS](/nightly/api-management/gateway-config-tyk-oas)            |

Given the potential time difference between your upgrade and the release of this version, we recommend users verify the ongoing support of third-party dependencies they install, as their status may have changed since the release.

#### Deprecations

There are no deprecations in this release.

#### Upgrade instructions

If you are upgrading to 5.7.1, please follow the detailed [upgrade instructions](/nightly/#upgrading-tyk).

#### Downloads

* [Docker image to pull](https://hub.docker.com/r/tykio/tyk-gateway/tags?page=\&page_size=\&ordering=\&name=v5.7.1)
  * ```bash theme={null}
    docker pull tykio/tyk-gateway:v5.7.1
    ```

* Helm charts
  * [tyk-charts v2.2.0](/nightly/developer-support/release-notes/helm-chart#2-2-0-release-notes)

* [Source code tarball of Tyk Gateway v5.7.1](https://github.com/TykTechnologies/tyk/releases/tag/v5.7.1)

#### Changelog

<a id="Changelog-v5.7.1" data-scroll-offset />

##### Fixed

<AccordionGroup>
  <Accordion title="Incomplete traffic logs generated if custom response plugin adjusts the payload length">
    Resolved an issue where the response body could be only partially recorded in the traffic log if a custom response plugin modified the payload. This was due to Tyk using the original, rather than the modified, content-length of the response when identifying the data to include in the traffic log.
  </Accordion>

  <Accordion title="Fixed OAuth client creation issue for custom plugin APIs in multi-data plane deployments">
    Fixed a bug that prevented the control plane Gateway from loading APIs that use custom plugin bundles. The control plane Gateway is used to register OAuth clients and generate access tokens so this could result in an API being loaded to the data plane Gateways but clients unable to obtain access tokens. This issue was introduced in v5.3.1 as a side-effect of a change to address a potential security issue where APIs could be loaded without their custom plugins.
  </Accordion>

  <Accordion title="Accurate debug logging restored for middleware">
    Addressed an issue where shared loggers caused debug logs to misidentify the middleware source, complicating debugging. Log entries now correctly indicate which middleware generated the log, ensuring clearer and more reliable diagnostics.
  </Accordion>

  <Accordion title="Improved Stability for APIs with Malformed Listen Paths">
    Fixed an issue where a malformed listen path could cause the Gateway to crash. Now, such listen paths are properly validated, and if validation fails, an error is logged, and the API is skipped—preventing Gateway instability.
  </Accordion>

  <Accordion title="Fixed Gateway panic and SSE streaming issue with OpenTelemetry">
    Resolved a bug that prevented upstream server-sent events (SSE) from being sent when OpenTelemetry was enabled, and fixed a gateway panic that occurred when detailed recording was active while SSE was in use. This ensures stable SSE streaming in configurations with OpenTelemetry.
  </Accordion>

  <Accordion title="API Keys remain active after all linked partitioned policies are deleted">
    Resolved an issue where API access keys remained valid even if all associated policies were deleted. The Gateway now attempts to apply all linked policies to the key when it is presented with a request. Warning logs are generated if any policies cannot be applied (for example, if they are missing). If no linked policy can be applied, the Gateway will reject the key to ensure no unauthorized access.
  </Accordion>

  <Accordion title="Fixed Payload Issue with Transfer-Encoding: chunked Header">
    Resolved an issue where APIs using the Transfer-Encoding: chunked header alongside URL Rewrite or Validate Request middleware would lose the response payload body. The payload now processes correctly, ensuring seamless functionality regardless of header configuration.
  </Accordion>

  <Accordion title="Fixed an issue where OAuth 2.0 access tokens would not be issued if the data plane was disconnected from the control plane">
    OAuth 2.0 access tokens can now be issued even when data plane gateways are disconnected from the control plane. This is achieved by saving OAuth clients locally within the data plane when they are pulled from RPC.
  </Accordion>

  <Accordion title="Tyk Now Supports RSA-PSS Signed JWTs">
    Tyk now supports RSA-PSS signed JWTs (PS256, PS384, PS512), enhancing security while maintaining backward compatibility with RS256. No configuration changes are needed—just use RSA public keys, and Tyk will validate both algorithms seamlessly.
  </Accordion>

  <Accordion title="Request size limit middleware would block any request without a payload (for example GET, DELETE)">
    Resolved a problem in the request size limit middleware that caused GET and DELETE requests to fail validation. The middleware incorrectly expected a request body (payload) for these methods and blocked them when none was present.
  </Accordion>

  <Accordion title="Resolved Variable Input Handling for Custom Scalars in GraphQL Queries">
    Fixed an issue where GraphQL queries using variables for custom scalar types, such as UUID, failed due to incorrect input handling. Previously, the query would return an error when a variable was used but worked when the value was directly embedded in the query. This update ensures that variables for custom scalar types are correctly inferred and processed, enabling seamless query execution.
  </Accordion>
</AccordionGroup>
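
The RSA-PSS entry above says that one RSA public key validates both RS256 and PS256/PS384/PS512 tokens. The following is an added example (not Tyk's code) using only the Go standard library: the verifier picks PKCS#1 v1.5 or PSS from an allowlisted `alg` header and refuses every other value. The names `signJWT`, `verifyJWT` and `newDemoKey` and the sample payload are constructed for the illustration, and only the signature is checked, not claims such as `exp`.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	_ "crypto/sha256" // links SHA-256 for crypto.Hash.New
	_ "crypto/sha512" // links SHA-384 and SHA-512
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// rsaAlg says how one RSA-based JWS algorithm (RFC 7518) is verified.
type rsaAlg struct {
	hash crypto.Hash
	pss  bool // true: RSASSA-PSS, false: RSASSA-PKCS1-v1_5
}

// allowedAlgs is the allowlist; "none", "HS256" and the rest are refused.
var allowedAlgs = map[string]rsaAlg{
	"RS256": {crypto.SHA256, false},
	"PS256": {crypto.SHA256, true},
	"PS384": {crypto.SHA384, true},
	"PS512": {crypto.SHA512, true},
}

var b64 = base64.RawURLEncoding
// RFC 7518 section 3.5: the PSS salt is as long as the hash output.
var pssOpts = &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash}

func digest(h crypto.Hash, msg string) []byte {
	d := h.New()
	d.Write([]byte(msg))
	return d.Sum(nil)
}

// newDemoKey returns a throwaway 2048-bit key constructed for this example.
func newDemoKey() *rsa.PrivateKey {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return key
}

// signJWT plays the token issuer so the example has tokens to verify.
func signJWT(key *rsa.PrivateKey, alg, payload string) (tok string, err error) {
	a, ok := allowedAlgs[alg]
	if !ok {
		return "", fmt.Errorf("unsupported alg %q", alg)
	}
	hdr, _ := json.Marshal(map[string]string{"alg": alg})
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString([]byte(payload))
	var sig []byte
	if a.pss {
		sig, err = rsa.SignPSS(rand.Reader, key, a.hash, digest(a.hash, input), pssOpts)
	} else {
		sig, err = rsa.SignPKCS1v15(rand.Reader, key, a.hash, digest(a.hash, input))
	}
	return input + "." + b64.EncodeToString(sig), err
}

// verifyJWT picks the padding scheme from the allowlisted alg header.
func verifyJWT(pub *rsa.PublicKey, token string) ([]byte, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token")
	}
	hdrJSON, hdrErr := b64.DecodeString(parts[0])
	sig, sigErr := b64.DecodeString(parts[2])
	var hdr struct{ Alg string `json:"alg"` }
	if hdrErr != nil || sigErr != nil || json.Unmarshal(hdrJSON, &hdr) != nil {
		return nil, fmt.Errorf("malformed header or signature")
	}
	a, ok := allowedAlgs[hdr.Alg]
	if !ok {
		return nil, fmt.Errorf("alg %q is not allowed", hdr.Alg)
	}
	sum := digest(a.hash, parts[0]+"."+parts[1])
	var err error
	if a.pss {
		err = rsa.VerifyPSS(pub, a.hash, sum, sig, pssOpts)
	} else {
		err = rsa.VerifyPKCS1v15(pub, a.hash, sum, sig)
	}
	if err != nil {
		return nil, fmt.Errorf("signature check failed: %w", err)
	}
	return b64.DecodeString(parts[1])
}

func main() {
	key := newDemoKey()
	tok, _ := signJWT(key, "PS256", `{"sub":"demo-client"}`)
	payload, err := verifyJWT(&key.PublicKey, tok)
	fmt.Printf("%s %v\n", payload, err)
}
```

Because the scheme is taken from the allowlist rather than trusted from the token, a header naming `none` or a symmetric algorithm never reaches the key.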

***

### 5.7.0 Release Notes

#### Release Date 03 December 2024

#### Release Highlights

We are thrilled to announce new updates and improvements in Tyk 5.7.0, bringing more control, flexibility, and performance. For a comprehensive list of changes, please refer to the detailed [changelog](/nightly/#Changelog-v5.7.0) below.

##### Tyk Streams - asynchronous API management with Tyk

Tyk is now entering the asynchronous API management space with a bang by delivering Tyk Streams to our users!
Many API management solutions fail to fully support event-driven architectures, causing fragmented management, inconsistent security practices, and increased operational complexity. With event-driven architectures on the rise recently, keeping everything under control and enforcing standards at the organizational level has become a challenge.

**Tyk Streams** is an event streaming solution available within the Tyk API Management Platform, which applies proven API management principles to simplify event and streams handling.
This release brings capabilities to stream data and events using Kafka, WebSocket, SSE and HTTP protocols. It also becomes possible to mediate the message format between Avro and JSON on the fly.

* Merge together various sources of events to present to consumers as a unified stream.
* Apply authentication and authorization to streams of messages, just as you do for your RESTful APIs
* Expose async APIs via Tyk Portal, so that they are easily discoverable

All of this is possible in self-managed and k8s deployments of Tyk!

#### Breaking Changes

There are no breaking changes in this release.

#### Dependencies

##### Compatibility Matrix For Tyk Components

| Gateway Version | Recommended Releases             | Backwards Compatibility |
| :-------------- | :------------------------------- | :---------------------- |
| 5.7.0           | MDCB v2.7.2                      | MDCB v2.4.2             |
|                 | Operator v1.1.0                  | Operator v0.17          |
|                 | Sync v2.0.1                      | Sync v1.4.3             |
|                 | Helm Chart v2.2                  | Helm all versions       |
|                 | EDP v1.12                        | EDP all versions        |
|                 | Pump v1.11.1                     | Pump all versions       |
|                 | TIB (if using standalone) v1.6.1 | TIB all versions        |

##### 3rd Party Dependencies & Tools

| Third Party Dependency                                        | Tested Versions | Compatible Versions | Comments                                                                          |
| :------------------------------------------------------------ | :-------------- | :------------------ | :-------------------------------------------------------------------------------- |
| [Go](https://go.dev/dl/)                                      | 1.22            | 1.22                | [Go plugins](/nightly/api-management/plugins/golang#) must be built using Go 1.22 |
| [Redis](https://redis.io/download/)                           | 6.2.x, 7.x      | 6.2.x, 7.x          | Used by Tyk Gateway                                                               |
| [OpenAPI Specification](https://spec.openapis.org/oas/v3.0.3) | v3.0.x          | v3.0.x              | Supported by [Tyk OAS](/nightly/api-management/gateway-config-tyk-oas)            |

Given the potential time difference between your upgrade and the release of this version, we recommend users verify the ongoing support of third-party dependencies they install, as their status may have changed since the release.

#### Deprecations

In 5.7.0, we have deprecated the dedicated [External OAuth](/nightly/api-management/client-authentication#integrate-with-external-authorization-server-deprecated) (Tyk Classic: `external_oauth`, Tyk OAS: `server.authentication.securitySchemes.externalOAuth`) and [OpenID Connect](/nightly/api-management/client-authentication#integrate-with-openid-connect-deprecated) (Tyk Classic: `auth_configs.oidc`, Tyk OAS: `server.authentication.oidc`) authentication methods. We advise users to switch to [JWT Authentication](/nightly/basic-config-and-security/security/authentication-authorization/json-web-tokens).

#### Upgrade instructions

If you are upgrading to 5.7.0, please follow the detailed [upgrade instructions](/nightly/#upgrading-tyk).

#### Downloads

* [Docker image to pull](https://hub.docker.com/r/tykio/tyk-gateway/tags?page=\&page_size=\&ordering=\&name=v5.7.0)
  * ```bash theme={null}
    docker pull tykio/tyk-gateway:v5.7.0
    ```

* Helm charts
  * [tyk-charts v2.2.0](/nightly/developer-support/release-notes/helm-chart#2-2-0-release-notes)

* [Source code tarball of Tyk Gateway v5.7.0](https://github.com/TykTechnologies/tyk/releases/tag/v5.7.0)

#### Changelog

<a id="Changelog-v5.7.0" data-scroll-offset />

##### Added

<AccordionGroup>
  <Accordion title="Added Stream Analytics Error Handling">
    Added the capability for Streams analytics to capture and report common error scenarios, including broker connectivity issues and standard HTTP errors, ensuring comprehensive request tracking for Streams-processed requests.
  </Accordion>

  <Accordion title="Integrated Streams Validator with Streams API">
    Connected the new OAS validator to the /streams endpoint, adding proper error handling and validation responses for invalid stream configurations.
  </Accordion>

  <Accordion title="Extended Streams Configuration Validation">
    Extended the OAS validator to include Streams configuration validation, enforcing allowlisted components and validating nested broker configurations while implementing schema validation for Streams configurations.
  </Accordion>

  <Accordion title="New Streams Configuration Validator">
    Introduced a new validator derived from the existing OAS schema, adapting it for Streams validation with modified requirements for upstreamURL and x-tyk-streaming fields. This validator is now used by both the Dashboard API streams endpoint and streams configuration validator.
  </Accordion>

  <Accordion title="Added Logging for Streams">
    Refined streams logging behavior to match Tyk's logging patterns, reducing unnecessary log output and improving log clarity.
  </Accordion>

  <Accordion title="Simplified Streams Configuration Support">
    Implemented allowlist-based validation for components in streams configurations, replacing the previous blocklist approach. Supported components now include Kafka, WebSocket, SSE, and HTTP for both inputs and outputs (including broker combinations), along with JSON-Avro bidirectional conversion processors, while other components like scanners, caches, and buffers are blocked by default. This validation is enforced consistently across Gateway, Dashboard API, and UI.
  </Accordion>
</AccordionGroup>

##### Fixed

<AccordionGroup>
  <Accordion title="Resolved HTTP Input Timeout in Tyk Streams">
    When using Tyk Streams and sending input via HTTP, requests sometimes timed out, causing a problem for consumers. The issue has been fixed and inputs via HTTP for Tyk Streams now work as intended.
  </Accordion>

  <Accordion title="Improved backwards compatibility when working with Tyk OAS APIs">
    Fixed a backwards compatibility issue with Tyk OAS API schema validation. When downgrading from a Tyk version, schema validation could fail if new fields had been added to the Tyk OAS API definition. This change relaxes the strictness of validation to allow additional properties.
  </Accordion>

  <Accordion title="Fixed Policy Merge Issue with Path-Based Permissions">
    Resolved a bug where path-based permissions in policies were not preserved when policies were combined, potentially omitting URL values and incorrectly restricting access. The updated behavior ensures that URL access rights from all applicable policies are merged, regardless of policy order, allowing seamless enforcement of combined permissions.
  </Accordion>

  <Accordion title="Resolved API Routing Issue with Trailing Slashes and Overlapping Listen Paths">
    Fixed a routing issue that caused incorrect API matching when dealing with APIs that lacked a trailing slash, used custom domains, or had similar listen path patterns. Previously, the router prioritized APIs with longer subdomains and shorter listen paths, leading to incorrect matches when listen paths shared prefixes. This fix ensures accurate API matching, even when subdomains and listen paths overlap.
  </Accordion>

  <Accordion title="Optimized Gateway Handling for Large Payloads">
    Fixed an issue that caused increased memory consumption when proxying large response payloads. The Gateway now handles large payloads more efficiently in terms of speed and memory usage.
  </Accordion>
</AccordionGroup>
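
Two fixes on this page concern how policies are applied to a key: URL access rights from all applicable policies are merged regardless of policy order (5.7.0, above), and a key is rejected when none of its linked policies can be applied (5.7.1). The following added example models both rules in Go. It is not Tyk's implementation: the `policy` and `accessRights` types, the policy IDs and the exact-match URL lookup are assumptions made for the illustration.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
)

// accessRights maps API ID -> URL -> allowed HTTP methods.
// Hypothetical shape for this example, not Tyk's own types.
type accessRights map[string]map[string][]string

// policy is a hypothetical, minimal stand-in for a security policy.
type policy struct {
	ID     string
	Rights accessRights
}

var errNoPolicyApplied = errors.New("no linked policy could be applied: key rejected")

// applyPolicies resolves a key's linked policy IDs against the store.
// A missing policy produces a warning and is skipped; the rights of every
// policy that is found are merged as a union, so the result does not depend
// on the order of the IDs. If nothing can be applied the key is rejected.
func applyPolicies(store map[string]policy, linked []string) (accessRights, []string, error) {
	merged := accessRights{}
	var warnings []string
	applied := 0
	for _, id := range linked {
		pol, ok := store[id]
		if !ok {
			warnings = append(warnings, fmt.Sprintf("policy %q not found, skipped", id))
			continue
		}
		applied++
		for api, urls := range pol.Rights {
			if merged[api] == nil {
				merged[api] = map[string][]string{}
			}
			for url, methods := range urls {
				merged[api][url] = unionSorted(merged[api][url], methods)
			}
		}
	}
	if applied == 0 {
		return nil, warnings, errNoPolicyApplied // fail closed
	}
	return merged, warnings, nil
}

// unionSorted returns the de-duplicated, sorted union of two method lists.
func unionSorted(a, b []string) []string {
	seen := map[string]bool{}
	var out []string
	for _, m := range append(append([]string{}, a...), b...) {
		if !seen[m] {
			seen[m] = true
			out = append(out, m)
		}
	}
	sort.Strings(out)
	return out
}

// allowed reports whether the merged rights permit method on url of api
// (exact URL match in this simplified model).
func allowed(r accessRights, api, url, method string) bool {
	for _, m := range r[api][url] {
		if m == method {
			return true
		}
	}
	return false
}

// demoStore is constructed sample data.
func demoStore() map[string]policy {
	return map[string]policy{
		"read-users": {ID: "read-users", Rights: accessRights{
			"api-1": {"/users": {"GET"}}}},
		"write-users": {ID: "write-users", Rights: accessRights{
			"api-1": {"/users": {"POST"}, "/users/{id}": {"PUT"}}}},
	}
}

func main() {
	store := demoStore()
	rights, warns, err := applyPolicies(store, []string{"write-users", "deleted-policy", "read-users"})
	fmt.Println(rights, warns, err)
	_, warns, err = applyPolicies(store, []string{"deleted-policy"})
	fmt.Println(warns, err)
}
```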

## 5.6 Release Notes

### 5.6.1 Release Notes

#### Release Date 18 October 2024

#### Release Highlights

This patch release for Tyk Gateway addresses critical stability issues for users running Tyk Gateway within the data
plane, connecting to the control plane or Tyk Hybrid. Affected users should upgrade immediately to version 5.6.1 to
avoid service interruptions and ensure reliable operations with the control plane or Tyk Hybrid.

For a comprehensive list of changes, please refer to the detailed [changelog](/nightly/#Changelog-v5.6.1) below.

#### Breaking Changes

There are no breaking changes in this release.

#### Dependencies

##### Compatibility Matrix For Tyk Components

| Gateway Version | Recommended Releases             | Backwards Compatibility |
| :-------------- | :------------------------------- | :---------------------- |
| 5.6.1           | MDCB v2.7.1                      | MDCB v2.4.2             |
|                 | Operator v1.0.0                  | Operator v0.17          |
|                 | Sync v2.0                        | Sync v1.4.3             |
|                 | Helm Chart v2.1                  | Helm all versions       |
|                 | EDP v1.11                        | EDP all versions        |
|                 | Pump v1.11                       | Pump all versions       |
|                 | TIB (if using standalone) v1.5.1 | TIB all versions        |

##### 3rd Party Dependencies & Tools

| Third Party Dependency                                        | Tested Versions | Compatible Versions | Comments                                                                          |
| :------------------------------------------------------------ | :-------------- | :------------------ | :-------------------------------------------------------------------------------- |
| [Go](https://go.dev/dl/)                                      | 1.22            | 1.22                | [Go plugins](/nightly/api-management/plugins/golang#) must be built using Go 1.22 |
| [Redis](https://redis.io/download/)                           | 6.2.x, 7.x      | 6.2.x, 7.x          | Used by Tyk Gateway                                                               |
| [OpenAPI Specification](https://spec.openapis.org/oas/v3.0.3) | v3.0.x          | v3.0.x              | Supported by [Tyk OAS](/nightly/api-management/gateway-config-tyk-oas)            |

Given the potential time difference between your upgrade and the release of this version, we recommend users verify the
ongoing support of third-party dependencies they install, as their status may have changed since the release.

#### Deprecations

There are no deprecations in this release.

#### Upgrade instructions

If you are upgrading to 5.6.1, please follow the detailed [upgrade instructions](/nightly/#upgrading-tyk).

#### Downloads

* [Docker image to pull](https://hub.docker.com/r/tykio/tyk-gateway/tags?page=\&page_size=\&ordering=\&name=v5.6.1)
  * ```bash theme={null}
    docker pull tykio/tyk-gateway:v5.6.1
    ```

* Helm charts

  * [tyk-charts v2.1.0](/nightly/developer-support/release-notes/helm-chart#2-1-0-release-notes)

* [Source code tarball of Tyk Gateway v5.6.1](https://github.com/TykTechnologies/tyk/releases/tag/v5.6.1)

#### Changelog

<a id="Changelog-v5.6.1" data-scroll-offset />

##### Fixed

<Expandable title="Resolved gateway panic on reconnecting to MDCB control plane or Tyk Cloud">
  In version 5.6.0, Tyk Gateway could encounter a panic when attempting to reconnect to the control plane after it was
  restarted. This patch version has resolved this issue, ensuring stable connectivity between the gateway and control
  plane following reconnections and reducing the need for manual intervention.
</Expandable>

### 5.6.0 Release Notes

#### Release Date 10 October 2024

<Note>
  **Important Update**<br /> <br /> <b>Date</b>: 12 October 2024<br /> <b>Topic</b>: Gateway panic when
  reconnecting to MDCB control plane or Tyk Cloud<br /> <b>Workaround</b>: Restart Gateway<br /> <b>Affected Product</b>: Tyk
  Gateway as an Edge Gateway<br /> <b>Affected versions</b>: v5.6.0, v5.3.6, and v5.0.14<br /> <b>Issue Description:</b><br />

  <p>We have identified an issue affecting Tyk Gateway deployed as a data plane connecting to the Multi-Data Center Bridge (MDCB) control plane or Tyk Cloud. In the above-mentioned Gateway versions, a panic may occur when the gateway reconnects to the control plane after the control plane is restarted.</p>

  <p>Our engineering team is actively working on a fix, and a patch (versions 5.6.1, 5.3.7, and 5.0.15) will be released soon.<br /></p>

  <b>Recommendations:</b><br />

  <b>For users on versions 5.5.0, 5.3.5, and 5.0.13</b><br />
  We advise you to delay upgrading to the affected versions (5.6.0, 5.3.6, or 5.0.14) until the patch is available.

  <b>For users who have already upgraded to 5.6.0, 5.3.6, or 5.0.14 and are experiencing a panic in the gateway:</b><br />
  Restarting the gateway process will restore it to a healthy state. If you are operating in a *Kubernetes* environment, the Tyk Gateway instance should automatically restart, which ultimately resolves the issue.<br />

  <p>We appreciate your understanding and patience as we work to resolve this. Please stay tuned for the upcoming patch release, which will address this issue.</p>
</Note>

#### Release Highlights

We are thrilled to announce new updates and improvements in Tyk 5.6.0, bringing more control, flexibility, and
performance. For a comprehensive list of changes, please refer to the detailed
[changelog](/nightly/#Changelog-v5.6.0) below.

##### Per endpoint Rate Limiting for clients

Building on the [per-endpoint upstream rate
limits](/nightly/api-management/rate-limit#api-level-rate-limiting) introduced in Tyk 5.5.0, we have
now added [per-endpoint client
rate limits](/nightly/api-management/rate-limit#key-level-rate-limiting). This new feature allows
for more granular control over client consumption of API resources by associating the rate limit with the access key,
enabling you to manage and optimize API usage more effectively.

##### Gateway logs in JSON format

You can now output Tyk Gateway system logs in JSON format. This allows for easier integration with logging systems and
more structured log data.

##### Go upgrade to 1.22

We’ve upgraded the Tyk Gateway to Golang 1.22, bringing improved performance, better security, and enhanced stability to
the core system.

#### Breaking Changes

There are no breaking changes in this release.

#### Dependencies

##### Compatibility Matrix For Tyk Components

| Gateway Version | Recommended Releases             | Backwards Compatibility |
| :-------------- | :------------------------------- | :---------------------- |
| 5.6.0           | MDCB v2.7.1                      | MDCB v2.4.2             |
|                 | Operator v1.0.0                  | Operator v0.17          |
|                 | Sync v2.0                        | Sync v1.4.3             |
|                 | Helm Chart v2.1                  | Helm all versions       |
|                 | EDP v1.11                        | EDP all versions        |
|                 | Pump v1.11                       | Pump all versions       |
|                 | TIB (if using standalone) v1.5.1 | TIB all versions        |

##### 3rd Party Dependencies & Tools

| Third Party Dependency                                        | Tested Versions | Compatible Versions | Comments                                                                          |
| :------------------------------------------------------------ | :-------------- | :------------------ | :-------------------------------------------------------------------------------- |
| [Go](https://go.dev/dl/)                                      | 1.22            | 1.22                | [Go plugins](/nightly/api-management/plugins/golang#) must be built using Go 1.22 |
| [Redis](https://redis.io/download/)                           | 6.2.x, 7.x      | 6.2.x, 7.x          | Used by Tyk Gateway                                                               |
| [OpenAPI Specification](https://spec.openapis.org/oas/v3.0.3) | v3.0.x          | v3.0.x              | Supported by [Tyk OAS](/nightly/api-management/gateway-config-tyk-oas)            |

Given the potential time difference between your upgrade and the release of this version, we recommend users verify the
ongoing support of third-party dependencies they install, as their status may have changed since the release.

#### Deprecations

There are no deprecations in this release.


#### Upgrade instructions

If you are upgrading to 5.6.0, please follow the detailed [upgrade instructions](/nightly/#upgrading-tyk).

#### Downloads

* [Docker image to pull](https://hub.docker.com/r/tykio/tyk-gateway/tags?page=\&page_size=\&ordering=\&name=v5.6.0)
  * ```bash theme={null}
    docker pull tykio/tyk-gateway:v5.6.0
    ```

* Helm charts

  * [tyk-charts v2.1.0](/nightly/developer-support/release-notes/helm-chart#2-1-0-release-notes)

* [Source code tarball of Tyk Gateway v5.6.0](https://github.com/TykTechnologies/tyk/releases/tag/v5.6.0)

#### Changelog

<a id="Changelog-v5.6.0" data-scroll-offset />

##### Added

<Expandable title="Per endpoint client rate limiting">
  Building on the [per-endpoint upstream rate
  limits](/nightly/api-management/rate-limit#api-level-rate-limiting) introduced in Tyk 5.5.0, we have
  added [per-endpoint client
  rate limits](/nightly/api-management/rate-limit#key-level-rate-limiting). This new feature
  provides users with more precise control over API resource consumption by linking rate limits to access keys, allowing
  for better management and optimization of API usage.
</Expandable>

<Expandable title="New option to generate Gateway system logs in JSON format">
  The Tyk Gateway now supports logging in JSON format. To enable this feature, set the environment variable
  `TYK_GW_LOGFORMAT` to `json`. If a different value is provided, the logs will default to the standard format. This
  enhancement allows for improved log processing and integration with various monitoring tools.
</Expandable>

##### Changed

<Expandable title="Upgrade to Go 1.22 for Tyk Dashboard">
  The Tyk Gateway and Tyk Dashboard have been upgraded from Golang 1.21 to Golang 1.22, bringing enhanced performance,
  strengthened security, and access to the latest features available in the new Golang release.
</Expandable>

##### Fixed

<AccordionGroup>
  <Accordion title="Data plane gateways sometimes didn't synchronise policies and APIs on start-up">
    We have enhanced the initial synchronization of Data Plane gateways with the Control Plane to ensure more reliable
    loading of policies and APIs on start-up. A synchronous initialization process has been implemented to avoid sync
    failures and reduce the risk of service disruptions caused by failed loads. This update ensures smoother and more
    consistent syncing of policies and APIs in distributed deployments.
  </Accordion>

  <Accordion title="Quota wasn't respected under extreme load">
    We have fixed an issue where the quota limit was not being consistently respected during request spikes, especially in
    deployments with multiple gateways. The problem occurred when multiple gateways cached the current and remaining quota
    counters at the end of quota periods. To address this, a distributed lock mechanism has been implemented, ensuring
    coordinated quota resets and preventing discrepancies across gateways.
  </Accordion>

  <Accordion title="Rate limits were incorrectly combined when multiple policies were applied to a key">
    We have fixed an issue where API-level rate limits set in multiple policies were not correctly applied to the same key.
    With this update, when multiple policies configure rate limits for a key, the key will now receive the highest rate
    limit from the combined policies, ensuring proper enforcement of limits.
  </Accordion>

  <Accordion title="Restored key creation performance to Gateway 4.0.12/4.3.3 levels">
    We have addressed a performance regression where key creation for policies with a large number of APIs (100+) became
    significantly slower in Tyk 4.0.13/5.0.1. The operation, which previously took around 1.5 seconds, has been taking over
    20 seconds since versions 4.0.13/5.0.1. This issue has been resolved by optimizing Redis operations during key creation,
    restoring the process to the previous duration, even with a large number of APIs in the policy.
  </Accordion>
</AccordionGroup>

##### Security Fixes

<Expandable title="High priority CVEs fixed">
  Fixed the following high priority CVEs identified in the Tyk Gateway, providing increased protection against security
  vulnerabilities:

  * [CVE-2024-6104](https://nvd.nist.gov/vuln/detail/CVE-2024-6104)
</Expandable>


## 5.5 Release Notes

### 5.5.2 Release Notes

#### Release Date 03 October 2024

#### Release Highlights

This release replaces Tyk Gateway 5.5.1 which was accidentally released as a non-distroless image.

#### Breaking Changes

There are no breaking changes in this release.

#### Dependencies

##### Compatibility Matrix For Tyk Components

| Gateway Version | Recommended Releases             | Backwards Compatibility |
| :-------------- | :------------------------------- | :---------------------- |
| 5.5.2           | MDCB v2.7                        | MDCB v2.4.2             |
|                 | Operator v0.18                   | Operator v0.17          |
|                 | Sync v1.5                        | Sync v1.4.3             |
|                 | Helm Chart v2.0.0                | Helm all versions       |
|                 | EDP v1.10                        | EDP all versions        |
|                 | Pump v1.11                       | Pump all versions       |
|                 | TIB (if using standalone) v1.5.1 | TIB all versions        |

##### 3rd Party Dependencies & Tools

| Third Party Dependency                                        | Tested Versions | Compatible Versions | Comments                                                                          |
| :------------------------------------------------------------ | :-------------- | :------------------ | :-------------------------------------------------------------------------------- |
| [Go](https://go.dev/dl/)                                      | 1.21            | 1.21                | [Go plugins](/nightly/api-management/plugins/golang#) must be built using Go 1.21 |
| [Redis](https://redis.io/download/)                           | 6.2.x, 7.x      | 6.2.x, 7.x          | Used by Tyk Gateway                                                               |
| [OpenAPI Specification](https://spec.openapis.org/oas/v3.0.3) | v3.0.x          | v3.0.x              | Supported by [Tyk OAS](/nightly/api-management/gateway-config-tyk-oas)            |

Given the potential time difference between your upgrade and the release of this version, we recommend users verify the ongoing support of third-party dependencies they install, as their status may have changed since the release.

#### Deprecations

There are no deprecations in this release.

#### Upgrade instructions

If you are upgrading to 5.5.2, please follow the detailed [upgrade instructions](/nightly/#upgrading-tyk).

#### Downloads

* [Docker image to pull](https://hub.docker.com/r/tykio/tyk-gateway/tags?page=\&page_size=\&ordering=\&name=v5.5.2)
  * ```bash theme={null}
    docker pull tykio/tyk-gateway:v5.5.2
    ```
* Helm charts
  * [tyk-charts v2.0.0](/nightly/developer-support/release-notes/helm-chart#2-0-0-release-notes)
* [Source code tarball of Tyk Gateway v5.5.2](https://github.com/TykTechnologies/tyk/releases/tag/v5.5.2)

***

### 5.5.1 Release Notes

#### Release Date 26 September 2024

#### Release Highlights

This release fixes some issues related to the way that Tyk performs URL path matching, introducing two new Gateway configuration options to control path matching strictness.

For a comprehensive list of changes, please refer to the detailed [changelog](/nightly/#Changelog-v5.5.1) below.

#### Breaking Changes

There are no breaking changes in this release.

#### Dependencies

##### Compatibility Matrix For Tyk Components

| Gateway Version | Recommended Releases             | Backwards Compatibility |
| :-------------- | :------------------------------- | :---------------------- |
| 5.5.1           | MDCB v2.7                        | MDCB v2.4.2             |
|                 | Operator v0.18                   | Operator v0.17          |
|                 | Sync v1.5                        | Sync v1.4.3             |
|                 | Helm Chart v2.0.0                | Helm all versions       |
|                 | EDP v1.10                        | EDP all versions        |
|                 | Pump v1.11                       | Pump all versions       |
|                 | TIB (if using standalone) v1.5.1 | TIB all versions        |

##### 3rd Party Dependencies & Tools

| Third Party Dependency                                        | Tested Versions | Compatible Versions | Comments                                                                          |
| :------------------------------------------------------------ | :-------------- | :------------------ | :-------------------------------------------------------------------------------- |
| [Go](https://go.dev/dl/)                                      | 1.21            | 1.21                | [Go plugins](/nightly/api-management/plugins/golang#) must be built using Go 1.21 |
| [Redis](https://redis.io/download/)                           | 6.2.x, 7.x      | 6.2.x, 7.x          | Used by Tyk Gateway                                                               |
| [OpenAPI Specification](https://spec.openapis.org/oas/v3.0.3) | v3.0.x          | v3.0.x              | Supported by [Tyk OAS](/nightly/api-management/gateway-config-tyk-oas)            |

Given the potential time difference between your upgrade and the release of this version, we recommend users verify the ongoing support of third-party dependencies they install, as their status may have changed since the release.

#### Deprecations

There are no deprecations in this release.

#### Upgrade instructions

If you are upgrading to 5.5.1, please follow the detailed [upgrade instructions](/nightly/#upgrading-tyk).

#### Downloads

* [Docker image to pull](https://hub.docker.com/r/tykio/tyk-gateway/tags?page=\&page_size=\&ordering=\&name=v5.5.1)
  * ```bash theme={null}
    docker pull tykio/tyk-gateway:v5.5.1
    ```
* Helm charts
  * [tyk-charts v2.0.0](/nightly/developer-support/release-notes/helm-chart#2-0-0-release-notes)
* [Source code tarball of Tyk Gateway v5.5.1](https://github.com/TykTechnologies/tyk/releases/tag/v5.5.1)

#### Changelog

<a id="Changelog-v5.5.1" data-scroll-offset />

##### Added

<Expandable title="Implemented Gateway configuration options to set URL path matching strictness">
  We have introduced two new options in the `http_server_options` [Gateway configuration](/nightly/tyk-oss-gateway/configuration#http_server_options) that will enforce prefix and/or suffix matching when Tyk performs checks on whether middleware or other logic should be applied to a request:

  * `enable_path_prefix_matching` ensures that the start of the request path must match the path defined in the API definition
  * `enable_path_suffix_matching` ensures that the end of the request path must match the path defined in the API definition
  * combining `enable_path_prefix_matching` and `enable_path_suffix_matching` will ensure an exact (explicit) match is performed

  These configuration options provide control to avoid unintended matching of paths from Tyk's default *wildcard* match. Use of regex special characters when declaring the endpoint path in the API definition will automatically override these settings for that endpoint.

  Tyk recommends that exact matching is employed, but both options default to `false` to avoid introducing a breaking change for existing users.

  The example Gateway configuration file `tyk.conf.example` has been updated to set the recommended *exact matching* with:

  * `http_server_options.enable_path_prefix_matching = true`
  * `http_server_options.enable_path_suffix_matching = true`
  * `http_server_options.enable_strict_routes = true`
</Expandable>
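The matching modes described above, modelled in Go as an added example (this is not Tyk's source code). It assumes the default *wildcard* match means the configured path may appear anywhere in the request path, and that a path already carrying `^` or `$` is used as written; `MatchMode`, `Matches`, `ChangedByExact` and the sample paths are hypothetical names and constructed data.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// MatchMode carries the two http_server_options booleans from the release note.
type MatchMode struct {
	Prefix bool // enable_path_prefix_matching
	Suffix bool // enable_path_suffix_matching
}

// compile turns a configured endpoint path into the regex used for matching.
// Assumption of this model: a path that already carries ^ or $ is treated as
// the author's own regex, so the flags add nothing to it.
func compile(endpoint string, m MatchMode) (*regexp.Regexp, error) {
	if strings.ContainsAny(endpoint, "^$") {
		return regexp.Compile(endpoint)
	}
	expr := regexp.QuoteMeta(endpoint)
	if m.Prefix {
		expr = "^" + expr
	}
	if m.Suffix {
		expr += "$"
	}
	return regexp.Compile(expr)
}

// Matches reports whether requestPath is covered by endpoint under mode m.
// An endpoint whose regex does not compile matches nothing (fail closed).
func Matches(endpoint, requestPath string, m MatchMode) bool {
	re, err := compile(endpoint, m)
	if err != nil {
		return false
	}
	return re.MatchString(requestPath)
}

// ChangedByExact lists the paths that the wildcard default matches but exact
// matching rejects: the requests whose handling changes once both flags are on.
func ChangedByExact(endpoint string, paths []string) []string {
	var out []string
	exact := MatchMode{Prefix: true, Suffix: true}
	for _, p := range paths {
		if Matches(endpoint, p, MatchMode{}) && !Matches(endpoint, p, exact) {
			out = append(out, p)
		}
	}
	return out
}

// Constructed sample request paths, not taken from real traffic.
var samplePaths = []string{"/user", "/user/123", "/admin/user", "/v1/user-export"}

func main() {
	modes := []struct {
		name string
		m    MatchMode
	}{
		{"wildcard (default)", MatchMode{}},
		{"prefix", MatchMode{Prefix: true}},
		{"suffix", MatchMode{Suffix: true}},
		{"exact", MatchMode{Prefix: true, Suffix: true}},
	}
	for _, mode := range modes {
		var hits []string
		for _, p := range samplePaths {
			if Matches("/user", p, mode.m) {
				hits = append(hits, p)
			}
		}
		fmt.Printf("%-20s %v\n", mode.name, hits)
	}
	fmt.Println("changed by exact:", ChangedByExact("/user", samplePaths))
}
```

Running `ChangedByExact` over paths taken from your own access logs before enabling both options shows which requests currently reach an endpoint's middleware only through the wildcard match.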

##### Fixed

<Expandable title="Incorrectly configured regex in Policy affected Granular Endpoint Access authorization">
  Fixed an issue when using [granular endpoint](/nightly/api-management/access-control/sessions-and-keys/access-rights#granular-endpoint-access) in access Policies and keys that led to authorization incorrectly being granted to endpoints if an invalid regular expression was configured in the key/Policy. Also fixed an issue where path-based parameters were not correctly handled by Path-Based Permissions. Now Tyk's authorization check correctly handles both of these scenarios, granting access only to the expected resources.
</Expandable>

<Expandable title="Missing path parameter can direct to the wrong endpoint">
  Fixed an issue where a parameterized endpoint URL (e.g. `/user/{id}`) would be invoked if a request is made that omits the parameter. For example, a request to `/user/` will now be interpreted as a request to `/user` and not to `/user/{id}`.
</Expandable>

***

### 5.5.0 Release Notes

#### Release Date 12 August 2024

#### Release Highlights

We are thrilled to introduce Tyk Gateway 5.5, bringing advanced rate-limiting capabilities, enhanced certificate authentication, and performance optimizations. For a comprehensive list of changes, please refer to the [changelog](/nightly/#Changelog-v5.5.0) below.

##### Per Endpoint Rate Limiting

Now configure rate limits at the endpoint level for both [Tyk OAS](/nightly/api-management/rate-limit#tyk-oas-api-definition) and [Tyk Classic APIs](/nightly/api-management/rate-limit#tyk-classic-api-definition), providing granular protection for upstream services against overloading and abuse.

##### Root CA Support for Client Certificates

Simplify certificate management with support for root Certificate Authority (CA) certificates, enabling clients to authenticate using certificates signed by the [configured root CA](/nightly/api-management/implement-tls#frequently-asked-questions).

##### Optimised AST Document Handling

Experience improved performance with optimised creation and usage of Abstract Syntax Tree (AST) documents in our GQL library, reducing memory usage and enhancing efficiency.

#### Breaking Changes

Docker images are now based on [distroless](https://github.com/GoogleContainerTools/distroless). No shell is shipped in the image.

#### Dependencies

##### Compatibility Matrix For Tyk Components

| Gateway Version | Recommended Releases             | Backwards Compatibility |
| :-------------- | :------------------------------- | :---------------------- |
| 5.5.0           | MDCB v2.7                        | MDCB v2.4.2             |
|                 | Operator v0.18                   | Operator v0.17          |
|                 | Sync v1.5                        | Sync v1.4.3             |
|                 | Helm Chart v1.6                  | Helm all versions       |
|                 | EDP v1.10                        | EDP all versions        |
|                 | Pump v1.11                       | Pump all versions       |
|                 | TIB (if using standalone) v1.5.1 | TIB all versions        |

##### 3rd Party Dependencies & Tools

| Third Party Dependency                                        | Tested Versions | Compatible Versions | Comments                                                                          |
| :------------------------------------------------------------ | :-------------- | :------------------ | :-------------------------------------------------------------------------------- |
| [Go](https://go.dev/dl/)                                      | 1.21            | 1.21                | [Go plugins](/nightly/api-management/plugins/golang#) must be built using Go 1.21 |
| [Redis](https://redis.io/download/)                           | 6.2.x, 7.x      | 6.2.x, 7.x          | Used by Tyk Gateway                                                               |
| [OpenAPI Specification](https://spec.openapis.org/oas/v3.0.3) | v3.0.x          | v3.0.x              | Supported by [Tyk OAS](/nightly/api-management/gateway-config-tyk-oas)            |

Given the potential time difference between your upgrade and the release of this version, we recommend users verify the ongoing support of third-party dependencies they install, as their status may have changed since the release.

#### Deprecations

There are no deprecations in this release.


#### Upgrade instructions

If you are upgrading to 5.5.0, please follow the detailed [upgrade instructions](/nightly/#upgrading-tyk).

#### Downloads

* [Docker image to pull](https://hub.docker.com/r/tykio/tyk-gateway/tags?page=\&page_size=\&ordering=\&name=v5.5.0)
  * ```bash theme={null}
    docker pull tykio/tyk-gateway:v5.5.0
    ```
* Helm charts
  * [tyk-charts v1.6](/nightly/developer-support/release-notes/helm-chart#1-6-0-release-notes)
* [Source code tarball of Tyk Gateway v5.5.0](https://github.com/TykTechnologies/tyk/releases/tag/v5.5.0)

#### Changelog

<a id="Changelog-v5.5.0" data-scroll-offset />

##### Added

<AccordionGroup>
  <Accordion title="Added root CA support for client certificate authentication">
    We've added support for you to register Certificate Authority (CA) certificates in your API definitions when using static mutual TLS (mTLS). Tyk can now authenticate clients presenting certificates signed by the registered root CA, simplifying certificate management for multiple clients sharing a common CA.
  </Accordion>

  <Accordion title="Optimised creation and usage of AST documents in GQL library">
    Optimised the creation and usage of AST documents in our GQL library to reduce significant memory allocations caused by pre-allocations during initial creation. These optimizations free up resources more efficiently, minimising performance penalties with increased requests to the Gateway.
  </Accordion>

  <Accordion title="Implemented upstream endpoint rate limits">
    Introduced new more granular controls for request rate limiting. Rate limits can now be configured at the endpoint level in Tyk OAS and Tyk Classic API definitions.
  </Accordion>

  <Accordion title="Improved handling of requests to non-existent versions of APIs when using URL path versioning">
    When using the URL path to indicate the API version (for example `/v1/my-api`) it is common to strip the version identifier (e.g. `/v1`) from the path before proxying the request to the upstream. If the client doesn't provide any version identifier this could lead to an invalid target URL and failed requests, rather than correctly redirecting to the default version. We have introduced an optional configuration `url_versioning_pattern` where you can specify a regex that Tyk will use to identify whether the URL contains a version identifier, avoiding the accidental stripping of a valid upstream path.
  </Accordion>
</AccordionGroup>

##### Fixed

<AccordionGroup>
  <Accordion title="Fixed an issue where transformation middleware could incorrectly be applied to Tyk OAS API endpoints with nested paths">
    Fixed an issue when using Tyk OAS APIs where nested API endpoints, such as '/test' and '/test/abc', might incorrectly apply middleware from the parent path to the nested path. The fix ensures that API endpoint definitions are correctly ordered so that the standard behaviour of Tyk is followed, whereby path matching is performed starting from the longest path, preventing middleware misapplication and ensuring both the HTTP method and URL match accurately.
  </Accordion>

  <Accordion title="Optimised key creation process to avoid unnecessary Redis `DeleteRawKey` commands">
    Previously, key creation or reset led to an exponential number of Redis `DeleteRawKey` commands; this was especially problematic for access lists with over 100 entries. The key creation sequence now runs only once, eliminating redundant deletion of non-existent keys in Redis. This optimization significantly reduces deletion events, enhancing performance and stability for larger access lists.
  </Accordion>

  <Accordion title="Resolved SSE streaming issue">
    Addressed a bug that caused Server Side Event (SSE) streaming responses to be considered for caching, which required buffering the response and prevented SSE from being correctly proxied.
  </Accordion>

  <Accordion title="Fixed analytics latency reporting for MDCB setups">
    Resolved an issue where Host and Latency fields (Total and Upstream) were not correctly reported for Tyk Gateways in MDCB data planes. The fix ensures accurate Host values and Latency measurements are now captured and displayed in the generated traffic logs.
  </Accordion>
</AccordionGroup>

##### Security Fixes

<Expandable title="High priority CVEs fixed">
  Fixed the following high priority CVEs identified in the Tyk Gateway, providing increased protection against security vulnerabilities:

  * [CVE-2023-39325](https://nvd.nist.gov/vuln/detail/CVE-2023-39325)
  * [CVE-2023-45283](https://nvd.nist.gov/vuln/detail/CVE-2023-45283)
</Expandable>

***


## 5.4 Release Notes

### 5.4.0 Release Notes

#### Release Date 2 July 2024

#### Breaking Changes

**Attention: Please read this section carefully**

We have fixed a bug in the way that Tyk calculates the [key-level rate limit](/nightly/api-management/rate-limit#key-level-rate-limiting) when multiple policies are applied to the same key. This fix alters the logic used to calculate the effective rate limit and so may lead to a different rate limit being applied to keys generated from your existing policies. See the [change log](/nightly/#fixed) for details of the change.

#### Dependencies

##### Compatibility Matrix For Tyk Components

| Gateway Version | Recommended Releases             | Backwards Compatibility |
| :-------------- | :------------------------------- | :---------------------- |
| 5.4.0           | MDCB v2.6                        | MDCB v2.4.2             |
|                 | Operator v0.18                   | Operator v0.17          |
|                 | Sync v1.5                        | Sync v1.4.3             |
|                 | Helm Chart v1.5.0                | Helm all versions       |
|                 | EDP v1.9                         | EDP all versions        |
|                 | Pump v1.10.0                     | Pump all versions       |
|                 | TIB (if using standalone) v1.5.1 | TIB all versions        |


##### 3rd Party Dependencies & Tools

| Third Party Dependency                                        | Tested Versions       | Compatible Versions   | Comments                                                                          |
| :------------------------------------------------------------ | :-------------------- | :-------------------- | :-------------------------------------------------------------------------------- |
| [Go](https://go.dev/dl/)                                      | 1.19 (GQL), 1.21 (GW) | 1.19 (GQL), 1.21 (GW) | [Go plugins](/nightly/api-management/plugins/golang#) must be built using Go 1.21 |
| [Redis](https://redis.io/download/)                           | 6.2.x, 7.x            | 6.2.x, 7.x            | Used by Tyk Gateway                                                               |
| [OpenAPI Specification](https://spec.openapis.org/oas/v3.0.3) | v3.0.x                | v3.0.x                | Supported by [Tyk OAS](/nightly/api-management/gateway-config-tyk-oas)            |

Given the potential time difference between your upgrade and the release of this version, we recommend users verify the ongoing support of third-party dependencies they install, as their status may have changed since the release.


#### Deprecations

There are no deprecations in this release.


#### Upgrade instructions

If you are upgrading to 5.4.0, please follow the detailed [upgrade instructions](/nightly/#upgrading-tyk).


#### Release Highlights

We're thrilled to introduce exciting enhancements in Tyk Gateway 5.4, aimed at improving your experience with Tyk Gateway. For a comprehensive list of changes, please refer to the change log below.

##### Enhanced Rate Limiting Strategies

We've introduced a [Rate Limit Smoothing](/nightly/api-management/rate-limit#rate-limit-smoothing) option for the spike arresting Redis Rate Limiter to give the upstream time to scale in response to increased request rates.

##### Fixed MDCB Issue Relating To Replication Of Custom Keys To Dataplanes

Resolved an issue encountered in MDCB environments where changes to custom keys made via the Dashboard were not properly replicated to data planes. The issue impacted both key data and associated quotas, in the following versions:

* 5.0.4 to 5.0.12
* 5.1.1 and 5.1.2
* 5.2.0 to 5.2.6
* 5.3.0 to 5.3.2

###### Action Required

Customers should clear their edge Redis instances of any potentially affected keys to maintain data consistency and ensure proper synchronization across their environments. Please refer to the item in the [fixed](/nightly/#fixed) section of the changelog for recommended actions.

##### Fixed Window Rate Limiter

Ideal for persistent connections with load-balanced gateways, the [Fixed Window Rate Limiter](/nightly/api-management/rate-limit#fixed-window-rate-limiter) algorithm ensures fair handling of requests by allowing only a predefined number to pass per rate limit window. It uses a simple shared counter in Redis so requests do not need to be evenly balanced across the gateways.

##### Event handling with Tyk OAS

We’ve added support for you to [register webhooks](/nightly/api-management/gateway-events#event-handling-with-webhooks) with your Tyk OAS APIs so that you can handle events triggered by the Gateway, including circuit breaker and quota expiry. You can also assign webhooks to be fired when using the new [smoothing rate limiter](/nightly/api-management/rate-limit#rate-limit-smoothing) to notify your systems of ongoing traffic spikes.

##### Enhanced Header Handling in GraphQL APIs

Introduced a features object in API definitions for GQL APIs, including the `use_immutable_headers` attribute. This allows advanced header control, enabling users to add new headers, rewrite existing ones, and selectively remove specific headers. Existing APIs will have this attribute set to `false` by default, ensuring no change in behavior. For new APIs, this attribute is `true` by default, facilitating smoother migration and maintaining backward compatibility.

#### Downloads

* [Docker image to pull](https://hub.docker.com/r/tykio/tyk-gateway/tags?page=\&page_size=\&ordering=\&name=v5.4.0)
  * ```bash theme={null}
    docker pull tykio/tyk-gateway:v5.4.0
    ```
* Helm charts
  * [tyk-charts v1.5](/nightly/developer-support/release-notes/helm-chart#1-5-0-release-notes)
* [Source code tarball of Tyk Gateway v5.4.0](https://github.com/TykTechnologies/tyk/releases/tag/v5.4.0)

#### Changelog

##### Added

<AccordionGroup>
  <Accordion title="Implemented Fixed Window Rate Limiting for load balancers with keep-alives">
    Introduced a [Fixed Window Rate Limiting](/nightly/api-management/rate-limit#fixed-window-rate-limiter) mechanism to handle rate limiting for load balancers with keep-alives. This algorithm allows the defined number of requests to pass for every rate limit window and blocks any excess requests. It uses a simple shared counter in Redis to count requests. It is suitable for situations where traffic towards Gateways is not balanced fairly. To enable this rate limiter, set `enable_fixed_window_rate_limiter` in the gateway config or set the environment variable `TYK_GW_ENABLEFIXEDWINDOWRATELIMITER=true`.
  </Accordion>

  <Accordion title="Introduced Rate Limit Smoothing for scaling">
    Implemented [Rate Limit Smoothing](/nightly/api-management/rate-limit#rate-limit-smoothing) as an extension to the existing Redis Rate Limiter to gradually adjust the rate based on smoothing configuration. Two new Gateway events have been created (`RateLimitSmoothingUp` and `RateLimitSmoothingDown`) which will be triggered as smoothing occurs. These can be used to assist with auto-scaling of upstream capacity during traffic spikes.
  </Accordion>

  <Accordion title="Introduced ‘use_immutable_headers’ for Advanced Header Control in GraphQL APIs">
    We've added the `use_immutable_headers` option to the GraphQL API configuration, offering advanced header transformation capabilities. When enabled, users can add new headers, rewrite existing ones, and selectively remove specific headers, allowing granular control without altering the original request. Existing APIs will default to `false`, maintaining current behavior until ready for upgrade.
  </Accordion>

  <Accordion title="Enhanced manual schema addition for GQL APIs">
    Introduced an option for users to manually provide GQL schemas when creating APIs in Tyk, eliminating the dependency on upstream introspection. This feature enables the creation and editing of GQL APIs in Tyk even when upstream introspection is unavailable, providing flexibility for schema management as upstream configurations evolve over time.
  </Accordion>

  <Accordion title="Introduced Tyk v3 GraphQL Engine in Gateway">
    The new GraphQL engine, version 3-preview, is now available in Tyk Gateway. It can be used for any GQL API by using the following enum in raw API definition: *"version": "3-preview"*. This experimental version offers optimized GQL operation resolution, faster response times, and a more efficient data loader. It is currently not recommended for production use and will be stabilised in future releases, eventually becoming the default for new GQL APIs in Tyk.
  </Accordion>

  <Accordion title="Introduced features Object in API Definition for GQL APIs">
    Enhanced request headers handling in API definitions for GQL APIs by introducing a *features* object. Users can now set the `use_immutable_headers` attribute, which defaults to `false` for existing APIs, ensuring no change in header behavior. For new APIs, this attribute is `true` by default, facilitating smoother migration and maintaining backwards compatibility.
  </Accordion>

  <Accordion title="New Tyk OAS features">
    We’ve added some more features to the Tyk OAS API, moving closer to full parity with Tyk Classic. In this release we’ve added controls that allow you to enable or prevent generation of traffic logs at the API level and to enable or prevent the availability of session context to middleware. We’ve also added the facility to register webhooks that will be fired in response to Gateway events.
  </Accordion>
</AccordionGroup>

##### Fixed

<AccordionGroup>
  <Accordion title="Resolved an issue where changes to custom keys were not properly replicated to data planes">
    Resolved a critical issue affecting MDCB environments, where changes to custom keys made via the dashboard were not properly replicated to data planes. This affected both the key data and associated quotas. This issue was present in versions:

    * 5.0.4 to 5.0.12
    * 5.1.1 and 5.1.2
    * 5.2.0 to 5.2.6
    * 5.3.0 to 5.3.2

    **Action Required**

    Customers are advised to clear their edge Redis instances of any keys that might have been affected by this bug to ensure data consistency and proper synchronization across their environments. There are several methods available to address this issue:

    1. **Specific Key Deletion via API**: To remove individual buggy keys, you can use the following API call:

    ```bash theme={null}
    curl --location --request DELETE 'http://tyk-gateway:{tyk-hybrid-port}/tyk/keys/my-custom-key' \
      --header 'X-Tyk-Authorization: {dashboard-key}'
    ```

    Replace `{tyk-hybrid-port}`, `my-custom-key` and `{dashboard-key}` with your specific configuration details. This method is safe and recommended for targeted removals without affecting other keys.

    2. **Bulk Key Deletion Using Redis CLI**: For environments with numerous affected keys, you might consider using the Redis CLI to remove keys en masse:

    ```bash theme={null}
    redis-cli --scan --pattern 'apikey-*' | xargs -L 1 redis-cli del
    redis-cli --scan --pattern 'quota-*' | xargs -L 1 redis-cli del
    ```

    This method can temporarily impact the performance of the Redis server, so it should be executed during a maintenance window or when the impact on production traffic is minimal.

    3. **Complete Redis Database Flush**: If feasible, flushing the entire Redis database offers a clean slate:

    ```bash theme={null}
    redis-cli FLUSHALL ASYNC
    ```

    **Implications**
    Regardless of the chosen method, be aware that quotas will be reset and will need to resynchronize across the system. This may temporarily affect reporting and rate limiting capabilities.
  </Accordion>

  <Accordion title="Resolved service discovery issue when using Consul">
    Addressed an issue with service discovery where an IP returned by Consul wasn't parsed correctly on the Gateway side, leading to unexpected errors when proxying requests to the service. Typically, service discovery returns valid domain names, which did not trigger the issue.
  </Accordion>

  <Accordion title="Corrected naming for semantic conventions attributes in GQL Spans">
    Fixed an issue where GQL OpenTelemetry semantic conventions attribute names lacked the 'graphql' prefix, deviating from the community standard. All attributes now have the correct prefix.
  </Accordion>

  <Accordion title="Fixed missing GraphQL OTel attributes in spans on request validation failure">
    Corrected an issue where GraphQL OTel attributes were missing from spans when request validation failed in cases where `detailed_tracing` was set to `false`. Traces now include GraphQL attributes (operation name, type, and document), improving debugging for users.
  </Accordion>

  <Accordion title="Resolved Gateway panic with Persist GraphQL Middleware">
    Fixed a gateway panic issue observed by users when using the *Persist GQL* middleware without defined arguments. The gateway will no longer throw panics in these cases.
  </Accordion>

  <Accordion title="Resolved issue with GraphQL APIs handling OPTIONS requests">
    Fixed an issue with the Cross-Origin Resource Sharing (CORS) configuration of GraphQL APIs, which previously caused the API to fail to respect its CORS settings. This resulted in an inability to proxy requests to upstream servers and handle OPTIONS/CORS requests correctly. With this fix, users can now seamlessly make requests, including OPTIONS method requests, without encountering the previously reported error.
  </Accordion>

  <Accordion title="Resolved conflict with multiple APIs sharing listen path on different domains">
    Fixed an issue where the Gateway did not respect API domain settings when there was another API with the same listen path but no domain. This could lead to the custom domain API not functioning correctly, depending on the order in which APIs were loaded. APIs with custom domains are now prioritised before those without custom domains to ensure that the custom domain is not ignored.
  </Accordion>

  <Accordion title="Resolved nested field mapping issue in Universal Data Graph">
    Addressed a problem with nested field mapping in UDG for GraphQL (GQL) operations. Previously, querying a single nested field caused an error, while including another *normal* field from the same level allowed the query to succeed. This issue has been fixed to ensure consistent behavior regardless of the query composition.
  </Accordion>

  <Accordion title="Fixed an error in the calculation of effective rate limit from multiple policies">
    Fixed a long-standing bug in the algorithm used to determine the effective rate limit when multiple policies are applied to a key. If more than one policy is applied to a key, then Tyk will apply the highest request rate permitted by any of the policies that define a rate limit.

    Rate limits in Tyk are defined using two elements: `rate`, which is the number of requests and `per`, which is the period over which those requests can be sent. So, if `rate` is 90 and `per` is 30 seconds for a key, Tyk will permit a maximum of 90 requests to be made using the key in a 30 second period, giving an effective maximum of 180 requests per minute (or 3 rps).

    Previously, Tyk would take the highest `rate` and the highest `per` from the policies applied to a key when determining the effective rate limit. So, if policy A had `rate` set to 90 and `per` set to 30 seconds (3 rps) while policy B had `rate` set to 100 and `per` set to 10 seconds (10 rps) and both were applied to a key, the rate limit configured in the key would be: `rate = 100` and `per = 30` giving a rate of 3.33 rps.

    With the fix applied in Tyk 5.4.0, the Gateway will now apply the highest effective rate to the key, so in this example, the key would take the rate limit from policy B: `rate = 100` and `per = 10` (10 rps).

    Note that this corrected logic is applied when access keys are presented in API requests. If you are applying multiple policies to keys, there may be a change in the effective rate limit when using Tyk 5.4.0 compared with pre-5.4.0 versions.
  </Accordion>
</AccordionGroup>
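The two merge rules from the effective rate limit entry above, as an added Go example (not Tyk's own code) that flags which policy combinations get a different effective limit after upgrading to 5.4.0. The `Limit` type and the function names are assumptions made for this example, and the policy sets are constructed sample data.

```go
package main

import "fmt"

// Limit holds the two rate-limit fields described above: Rate requests are
// allowed every Per seconds. Treating a zero Rate or Per as "this policy
// defines no rate limit" is an assumption of this example.
type Limit struct {
	Rate float64
	Per  float64
}

// Defined reports whether the policy sets a usable rate limit.
func (l Limit) Defined() bool { return l.Rate > 0 && l.Per > 0 }

// RPS returns the effective requests per second, or 0 when undefined.
func (l Limit) RPS() float64 {
	if !l.Defined() {
		return 0
	}
	return l.Rate / l.Per
}

// LegacyMerge follows the pre-5.4.0 description: the highest rate and the
// highest per are selected independently of each other.
func LegacyMerge(policies []Limit) Limit {
	var out Limit
	for _, p := range policies {
		if !p.Defined() {
			continue
		}
		if p.Rate > out.Rate {
			out.Rate = p.Rate
		}
		if p.Per > out.Per {
			out.Per = p.Per
		}
	}
	return out
}

// EffectiveMerge follows the 5.4.0 description: the rate/per pair with the
// highest effective rate is taken as a unit from a single policy.
func EffectiveMerge(policies []Limit) Limit {
	var out Limit
	for _, p := range policies {
		if !p.Defined() {
			continue
		}
		// Cross-multiply to compare rate/per ratios without dividing.
		if !out.Defined() || p.Rate*out.Per > out.Rate*p.Per {
			out = p
		}
	}
	return out
}

// UpgradeImpact returns both results and whether the effective requests per
// second differ, which is the case to review before upgrading.
func UpgradeImpact(policies []Limit) (before, after Limit, changed bool) {
	before = LegacyMerge(policies)
	after = EffectiveMerge(policies)
	changed = before.Rate*after.Per != after.Rate*before.Per
	return
}

func main() {
	// Constructed sample data: policy sets attached to three keys.
	keys := []struct {
		name     string
		policies []Limit
	}{
		{"key-ab", []Limit{{90, 30}, {100, 10}}}, // policies A and B from the text
		{"key-a", []Limit{{90, 30}}},
		{"key-same-rps", []Limit{{10, 10}, {20, 20}}},
	}
	for _, k := range keys {
		before, after, changed := UpgradeImpact(k.policies)
		fmt.Printf("%-13s pre-5.4.0 %.0f/%.0fs (%.2f rps)  5.4.0 %.0f/%.0fs (%.2f rps)  changed=%v\n",
			k.name, before.Rate, before.Per, before.RPS(),
			after.Rate, after.Per, after.RPS(), changed)
	}
}
```
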

##### Security Fixes

<Expandable title="High priority CVEs fixed">
  Fixed the following high priority CVEs identified in the Tyk Gateway, providing increased protection against security vulnerabilities:

  * [CVE-2023-39325](https://nvd.nist.gov/vuln/detail/CVE-2023-39325)
  * [CVE-2023-45283](https://nvd.nist.gov/vuln/detail/CVE-2023-45283)
</Expandable>

***


## 5.3 Release Notes

### 5.3.13 Release Notes

#### Release Date 18 May 2026

#### Release Highlights

This release resolves a set of related issues affecting Gateway registration with the Dashboard at scale for deployments using an **unlimited node license**, where mass registrations or rolling upgrades could leave Gateways stuck in registration loops.
For a comprehensive list of changes, please refer to the detailed [changelog](/nightly/#Changelog-v5.3.13) below.

#### Breaking Changes

There are no breaking changes in this release.

#### Dependencies

##### Compatibility Matrix For Tyk Components

| Gateway Version | Recommended Releases             | Backwards Compatibility |
| :-------------- | :------------------------------- | :---------------------- |
| 5.3.13          | MDCB v2.11.0                     | MDCB v2.11.0            |
|                 | Operator v1.4.0                  | Operator v0.17          |
|                 | Sync v2.1.6                      | Sync v2.1.0             |
|                 | Helm Chart v5.2                  | Helm all versions       |
|                 | Pump v1.13.3                     | Pump all versions       |
|                 | TIB (if using standalone) v1.7.1 | TIB all versions        |

##### Third-party Dependencies & Tools

| Third Party Dependency                                        | Tested Versions | Compatible Versions | Comments                                                                                              |
| :------------------------------------------------------------ | :-------------- | :------------------ | :---------------------------------------------------------------------------------------------------- |
| [GoLang](https://go.dev/dl/)                                  | 1.24            | 1.24                | [Go plugins](/nightly/api-management/plugins/golang) must be built using Go 1.24                      |
| [Redis](https://redis.io/download/)                           | 6.2.x, 7.x      | 6.2.x, 7.x          | Used by Tyk Gateway                                                                                   |
| [OpenAPI Specification](https://spec.openapis.org/oas/v3.0.3) | v3.0.x          | v3.0.x              | Supported by [Tyk OAS](/nightly/api-management/gateway-config-tyk-oas#tyk-vendor-extension-reference) |

#### Deprecations

There are no deprecations in this release.

#### Upgrade instructions

If you are upgrading to 5.3.13, please follow the detailed [upgrade instructions](/nightly/#upgrading-tyk).

#### Downloads

* [Docker image to pull](https://hub.docker.com/r/tykio/tyk-gateway/tags?page=\&page_size=\&ordering=\&name=v5.3.13)
  * ```bash theme={null}
    docker pull tykio/tyk-gateway:v5.3.13
    ```

* Helm charts
  * [tyk-charts v5.2.0](/nightly/developer-support/release-notes/helm-chart#5-2-0-release-notes)

* [Source code tarball for OSS projects](https://github.com/TykTechnologies/tyk/releases)

<Note>
  Tyk Helm Charts are configured to install the LTS version of Tyk Gateway. You will need to modify them to install v5.3.13.
</Note>

#### Changelog

<a id="Changelog-v5.3.13" />

##### Changed

<AccordionGroup>
  <Accordion title="Updated Tyk Gateway to Golang 1.24">
    Updated the Tyk Gateway to use Golang 1.24, reducing exposure to potential security vulnerabilities in older versions.
  </Accordion>
</AccordionGroup>

##### Fixed

<AccordionGroup>
  <Accordion title="Resolve Gateway registration failures at scale on unlimited node licenses">
    We have resolved a set of related issues affecting Gateway registration with the Dashboard at scale for deployments using an **unlimited node license**. During mass registrations or rolling upgrades, a combination of lock contention, excessive Redis load, and incorrect handling of `409 Conflict` responses could leave Gateways stuck in registration loops without the credentials needed to serve traffic.

    Gateway registration is now significantly more robust at scale: registration requests are no longer serialized across the fleet, Gateways recover cleanly from transient `409 Conflict` responses instead of looping, and the Redis load generated during registration storms is substantially reduced.
  </Accordion>
</AccordionGroup>

### 5.3.12 Release Notes

#### Release Date 12th September 2025

#### Release Highlights

This patch release contains bug fixes. For a comprehensive list of changes, please refer to the detailed [changelog](/nightly/#Changelog-v5.3.12) below.

#### Dependencies

##### Compatibility Matrix For Tyk Components

| Gateway Version | Recommended Releases             | Backwards Compatibility |
| :-------------- | :------------------------------- | :---------------------- |
| 5.3.12          | MDCB v2.8.4                      | MDCB v2.8.0             |
|                 | Operator v1.2.0                  | Operator v0.17          |
|                 | Sync v2.1.0                      | Sync v2.1.0             |
|                 | Helm Chart v3.0                  | Helm all versions       |
|                 | EDP v1.13                        | EDP all versions        |
|                 | Pump v1.12.0                     | Pump all versions       |
|                 | TIB (if using standalone) v1.7.0 | TIB all versions        |

##### 3rd Party Dependencies & Tools

| Third Party Dependency                                        | Tested Versions | Compatible Versions | Comments                                                                         |
| :------------------------------------------------------------ | :-------------- | :------------------ | :------------------------------------------------------------------------------- |
| [Go](https://go.dev/dl/)                                      | 1.23            | 1.23                | [Go plugins](/nightly/api-management/plugins/golang) must be built using Go 1.23 |
| [Redis](https://redis.io/download/)                           | 6.2.x, 7.x      | 6.2.x, 7.x          | Used by Tyk Gateway                                                              |
| [OpenAPI Specification](https://spec.openapis.org/oas/v3.0.3) | v3.0.x          | v3.0.x              | Supported by [Tyk OAS](/nightly/api-management/gateway-config-tyk-oas)           |

Given the potential time difference between your upgrade and the release of this version, we recommend users verify the ongoing support of third-party dependencies they install, as their status may have changed since the release.

#### Deprecations

There are no deprecations in this release.

#### Upgrade instructions

If you are upgrading to 5.3.12, please follow the detailed [upgrade instructions](/nightly/#upgrading-tyk).

#### Downloads

* [Docker image to pull](https://hub.docker.com/r/tykio/tyk-gateway/tags?page=\&page_size=\&ordering=\&name=v5.3.12)
  * ```bash theme={null}
    docker pull tykio/tyk-gateway:v5.3.12
    ```

* Helm charts
  * [tyk-charts v3.0.0](/nightly/developer-support/release-notes/helm-chart#3-0-0-release-notes)

* [Source code tarball for OSS projects](https://github.com/TykTechnologies/tyk/releases)

#### Changelog

<a id="Changelog-v5.3.12" data-scroll-offset />

##### Fixed

<AccordionGroup>
  <Accordion title="Gateways in distributed Data Planes now cache certificates correctly in Redis">
    Resolved an issue introduced in Tyk 5.3.10 where Gateways in distributed Data Planes failed to cache TLS certificates correctly in the local Redis, resulting in potential service disruptions if MDCB became unavailable. Data plane gateways now reliably serve HTTPS and mTLS traffic even if MDCB is unavailable.
  </Accordion>

  <Accordion title="Fixed Stale RPC Connections After DNS Changes">
    We’ve fixed an issue where RPC connections remained stale when DNS records changed (such as ELB IP updates), leading to timeout errors. Based on direct customer reports, we’ve enhanced DNS resolution so all connections in the RPC pool now properly reconnect when endpoint IPs change. This eliminates service disruptions during infrastructure updates and ensures more resilient connectivity.
  </Accordion>

  <Accordion title="Resolved MDCB Policy Sync Issue Caused by RPC Timeouts">
    Fixed a bug where a timeout in an RPC call to MDCB would lead to policies not being synchronised to the data plane.
  </Accordion>

  <Accordion title="Improved Gateway Registration Reliability During Upgrades">
    We’ve resolved an issue that could cause Gateways to fail re-registration when restarting under certain licensing configurations during upgrades. This fix introduces support for new “Unlimited Gateway” licenses, enhances Gateway's Dashboard authentication retry logic, and ensures a smoother upgrade experience for large-scale deployments. Gateways now register reliably without entering failure loops, even under heavy churn or rolling upgrades.
  </Accordion>
</AccordionGroup>

***

### 5.3.11 Release Notes

#### Release Date 7 May 2025

#### Release Highlights

This patch release contains various bug fixes. For a comprehensive list of changes, please refer to the detailed [changelog](/nightly/#Changelog-v5.3.11) below.

#### Breaking Changes

This release has no breaking changes.

#### Dependencies

##### Compatibility Matrix For Tyk Components

| Gateway Version | Recommended Releases             | Backwards Compatibility |
| :-------------- | :------------------------------- | :---------------------- |
| 5.3.11          | MDCB v2.8.0                      | MDCB v2.8.0             |
|                 | Operator v1.2.0                  | Operator v0.17          |
|                 | Sync v2.1.0                      | Sync v2.1.0             |
|                 | Helm Chart v3.0                  | Helm all versions       |
|                 | EDP v1.13                        | EDP all versions        |
|                 | Pump v1.12.0                     | Pump all versions       |
|                 | TIB (if using standalone) v1.7.0 | TIB all versions        |

##### 3rd Party Dependencies & Tools

| Third Party Dependency                                        | Tested Versions | Compatible Versions | Comments                                                                         |
| :------------------------------------------------------------ | :-------------- | :------------------ | :------------------------------------------------------------------------------- |
| [Go](https://go.dev/dl/)                                      | 1.23            | 1.23                | [Go plugins](/nightly/api-management/plugins/golang) must be built using Go 1.23 |
| [Redis](https://redis.io/download/)                           | 6.2.x, 7.x      | 6.2.x, 7.x          | Used by Tyk Gateway                                                              |
| [OpenAPI Specification](https://spec.openapis.org/oas/v3.0.3) | v3.0.x          | v3.0.x              | Supported by [Tyk OAS](/nightly/api-management/gateway-config-tyk-oas)           |

Given the potential time difference between your upgrade and the release of this version, we recommend users verify the ongoing support of third-party dependencies they install, as their status may have changed since the release.

#### Deprecations

There are no deprecations in this release.

#### Upgrade instructions

If you are upgrading to 5.3.11, please follow the detailed [upgrade instructions](/nightly/#upgrading-tyk).

#### Downloads

* [Docker image to pull](https://hub.docker.com/r/tykio/tyk-gateway/tags?page=\&page_size=\&ordering=\&name=v5.3.11)
  * ```bash theme={null}
    docker pull tykio/tyk-gateway:v5.3.11
    ```

* Helm charts
  * [tyk-charts v3.0.0](/nightly/developer-support/release-notes/helm-chart#3-0-0-release-notes)

* [Source code tarball of Tyk Gateway 5.3.11](https://github.com/TykTechnologies/tyk/releases/tag/v5.3.11)

#### Changelog

<a id="Changelog-v5.3.11" data-scroll-offset />

##### Added

<Expandable title="Added GODEBUG Flags for Backward Compatibility with Deprecated Ciphers">
  We have added GODEBUG flags to enable deprecated insecure ciphers by default for backward compatibility. Existing users will not be affected. New users or those who wish to override these settings can do so at runtime using environment variables.
</Expandable>

##### Fixed

<AccordionGroup>
  <Accordion title="Fixed Inconsistent Context Behavior in UDG APIs">
    Addressed an issue for UDG APIs where caching led to stale values being forwarded upstream in headers that contained content variables.
  </Accordion>

  <Accordion title="Improved Route Matching Logic for API Requests">
    Resolved an issue where requests could be routed incorrectly due to inverted prioritisation of dynamically declared paths over those with similar static paths. Now, statically declared paths take priority in the path matching algorithm, so if API1 has listen path `/path/{param}/endpoint` and API2 has listen path `/path/specific/endpoint` a request to `/path/specific/endpoint/resource` will be correctly routed to API2.
  </Accordion>

  <Accordion title="Resolved Issue With Default Enforced Request Timeout">
    Fixed an issue where an [enforced timeout](/nightly/planning-for-production/ensure-high-availability/enforced-timeouts) set for a specific API endpoint could be overruled by the configured [proxy\_default\_timeout](/nightly/tyk-oss-gateway/configuration#proxy_default_timeout). Now if an endpoint-level timeout is set then this will be honoured, regardless of any default timeout that is configured.
  </Accordion>

  <Accordion title="Fixed Issue With Tyk Self-Managed Gateways Claiming Licenses">
    Resolved a race condition in self-managed deployments which occasionally led to fewer Gateways registering with the Dashboard than the number that had been licensed. Now Tyk Self-Managed deployments will allow the licensed number of Gateways to register and serve traffic.
  </Accordion>

  <Accordion title="Fixed Gateway crash loop on restart without MDCB in Kubernetes">
    Resolved a bug where Gateway pods in Kubernetes would enter a crash loop on restart if MDCB was down. The issue occurred due to the HTTP router failing to initialize properly during cold start. This fix ensures stable Gateway recovery even when MDCB is offline.
  </Accordion>

  <Accordion title="Multi-Value Response Headers in Coprocess Middleware">
    Multi-value response headers were previously lost after synchronization with coprocess middleware, as only the first value was retained. This has been resolved, ensuring all response headers are properly synchronized and preserved.
  </Accordion>
</AccordionGroup>
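A sketch of the prioritisation rule described in the "Improved Route Matching Logic for API Requests" entry above, added here as an example and not taken from the Tyk code base. The `API` type, the segment-wise prefix matching and the `preferStatic` switch are assumptions made for illustration; passing `false` reproduces the inverted ordering the entry describes.

```go
package main

import (
	"fmt"
	"strings"
)

// API is a hypothetical, minimal stand-in for an API definition.
type API struct {
	Name       string
	ListenPath string
}

// segments splits a path into its non-root segments.
func segments(p string) []string {
	p = strings.Trim(p, "/")
	if p == "" {
		return nil
	}
	return strings.Split(p, "/")
}

// isParam reports whether a listen path segment is dynamic, e.g. {param}.
func isParam(seg string) bool {
	return len(seg) > 2 && strings.HasPrefix(seg, "{") && strings.HasSuffix(seg, "}")
}

// matches reports whether the listen path is a segment-wise prefix of the
// request path, with dynamic segments matching any non-empty segment.
func matches(listen, request []string) bool {
	if len(listen) > len(request) {
		return false
	}
	for i, seg := range listen {
		if isParam(seg) {
			if request[i] == "" {
				return false
			}
			continue
		}
		if seg != request[i] {
			return false
		}
	}
	return true
}

// outranks decides whether listen path a should be chosen over b. At the first
// position where one is static and the other dynamic, preferStatic selects the
// winner; otherwise the longer listen path wins.
func outranks(a, b []string, preferStatic bool) bool {
	for i := 0; i < len(a) && i < len(b); i++ {
		pa, pb := isParam(a[i]), isParam(b[i])
		if pa != pb {
			return pb == preferStatic
		}
	}
	return len(a) > len(b)
}

// Route returns the name of the API chosen for requestPath, independent of
// the order in which the APIs were loaded.
func Route(apis []API, requestPath string, preferStatic bool) (string, bool) {
	req := segments(requestPath)
	best := -1
	for i, api := range apis {
		lp := segments(api.ListenPath)
		if !matches(lp, req) {
			continue
		}
		if best < 0 || outranks(lp, segments(apis[best].ListenPath), preferStatic) {
			best = i
		}
	}
	if best < 0 {
		return "", false
	}
	return apis[best].Name, true
}

func main() {
	// The two listen paths from the release note.
	apis := []API{
		{"API1", "/path/{param}/endpoint"},
		{"API2", "/path/specific/endpoint"},
	}
	// Constructed request paths.
	for _, req := range []string{
		"/path/specific/endpoint/resource",
		"/path/other/endpoint/resource",
		"/unrelated",
	} {
		inverted, _ := Route(apis, req, false)
		fixed, ok := Route(apis, req, true)
		fmt.Printf("%-34s inverted=%-5q static-first=%-5q matched=%v\n", req, inverted, fixed, ok)
	}
}
```
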

### 5.3.10 Release Notes

#### Release Date 19 February 2025

#### Release Highlights

In this release, we upgraded the Golang version to `v1.23` for security enhancement and fixed an API authentication issue with redirects. For a comprehensive list of changes, please refer to the detailed [changelog](/nightly/#Changelog-v5.3.10) below.

#### Breaking Changes

This release has no breaking changes.

#### Dependencies

##### Compatibility Matrix For Tyk Components

| Gateway Version | Recommended Releases                                               | Backwards Compatibility |
| :-------------- | :----------------------------------------------------------------- | :---------------------- |
| 5.3.10          | MDCB v2.5.1                                                        | MDCB v2.5.1             |
|                 | Operator v0.17                                                     | Operator v0.16          |
|                 | Sync v1.4.3                                                        | Sync v1.4.3             |
|                 | Helm Chart (tyk-stack, tyk-oss, tyk-dashboard, tyk-gateway) v2.0.0 | Helm all versions       |
|                 | EDP v1.8.3                                                         | EDP all versions        |
|                 | Pump v1.9.0                                                        | Pump all versions       |
|                 | TIB (if using standalone) v1.5.1                                   | TIB all versions        |

##### 3rd Party Dependencies & Tools

| Third Party Dependency                                        | Tested Versions | Compatible Versions | Comments                                                                         |
| :------------------------------------------------------------ | :-------------- | :------------------ | :------------------------------------------------------------------------------- |
| [Go](https://go.dev/dl/)                                      | 1.23 (GW)       | 1.23 (GW)           | [Go plugins](/nightly/api-management/plugins/golang) must be built using Go 1.23 |
| [Redis](https://redis.io/download/)                           | 6.2.x, 7.x      | 6.2.x, 7.x          | Used by Tyk Gateway                                                              |
| [OpenAPI Specification](https://spec.openapis.org/oas/v3.0.3) | v3.0.x          | v3.0.x              | Supported by [Tyk OAS](/nightly/api-management/gateway-config-tyk-oas)           |

Given the potential time difference between your upgrade and the release of this version, we recommend users verify the
ongoing support of third-party dependencies they install, as their status may have changed since the release.

#### Deprecations

There are no deprecations in this release.

#### Upgrade Instructions

If you are upgrading to 5.3.10, please follow the detailed [upgrade instructions](/nightly/#upgrading-tyk).

#### Downloads

* [Docker image to pull](https://hub.docker.com/r/tykio/tyk-gateway/tags?page=\&page_size=\&ordering=\&name=v5.3.10)
  * ```bash theme={null}
    docker pull tykio/tyk-gateway:v5.3.10
    ```
* Helm charts
  * [tyk-charts v2.0.0](/nightly/developer-support/release-notes/helm-chart#2-0-0-release-notes)
* [Source code tarball of Tyk Gateway 5.3.10](https://github.com/TykTechnologies/tyk/releases/tag/v5.3.10)

#### Changelog

<a id="Changelog-v5.3.10" data-scroll-offset />

##### Fixed

<AccordionGroup>
  <Accordion title="Resolved gateway not entering &#x22;emergency&#x22; mode">
    Fixed an issue where the gateway stopped processing traffic when restarted while MDCB was unavailable. Instead of entering "emergency" mode and loading APIs and policies from the Redis backup, the gateway remained unresponsive, continuously attempting to reconnect.
    With this fix, the gateway detects connection failure and enters `emergency` mode, ensuring traffic processing resumes even when MDCB is down.
  </Accordion>

  <Accordion title="Upgraded to Golang 1.23">
    Tyk Gateway now runs on Golang 1.23, bringing security and performance improvements. Key changes include unbuffered Timer/Ticker channels, removal of 3DES cipher suites, and updates to X509KeyPair handling. Users may need to adjust their setup for compatibility.
  </Accordion>

  <Accordion title="Resolved API authentication issue while handling redirects using &#x22;tyk://&#x22; Scheme">
    This fix ensures that when API A redirects to API B using the tyk:// scheme, API B will now correctly authenticate using its own credentials, improving access control and preventing access denials. Users can now rely on the expected authentication flow without workarounds, providing a smoother experience when integrating APIs.
  </Accordion>
</AccordionGroup>

### 5.3.9 Release Notes

#### Release Date 31 December 2024

#### Release Highlights

This release contains bug fixes. For a comprehensive list of changes, please refer to the detailed [changelog](/nightly/#Changelog-v5.3.9) below.

#### Breaking Changes

This release has no breaking changes.

#### Dependencies

##### Compatibility Matrix For Tyk Components

| Gateway Version | Recommended Releases                                               | Backwards Compatibility |
| :-------------- | :----------------------------------------------------------------- | :---------------------- |
| 5.3.9           | MDCB v2.5.1                                                        | MDCB v2.5.1             |
|                 | Operator v0.17                                                     | Operator v0.16          |
|                 | Sync v1.4.3                                                        | Sync v1.4.3             |
|                 | Helm Chart (tyk-stack, tyk-oss, tyk-dashboard, tyk-gateway) v2.0.0 | Helm all versions       |
|                 | EDP v1.8.3                                                         | EDP all versions        |
|                 | Pump v1.9.0                                                        | Pump all versions       |
|                 | TIB (if using standalone) v1.5.1                                   | TIB all versions        |

##### 3rd Party Dependencies & Tools

| Third Party Dependency                                        | Tested Versions | Compatible Versions | Comments                                                                          |
| :------------------------------------------------------------ | :-------------- | :------------------ | :-------------------------------------------------------------------------------- |
| [Go](https://go.dev/dl/)                                      | 1.22 (GW)       | 1.22 (GW)           | [Go plugins](/nightly/api-management/plugins/golang#) must be built using Go 1.22 |
| [Redis](https://redis.io/download/)                           | 6.2.x, 7.x      | 6.2.x, 7.x          | Used by Tyk Gateway                                                               |
| [OpenAPI Specification](https://spec.openapis.org/oas/v3.0.3) | v3.0.x          | v3.0.x              | Supported by [Tyk OAS](/nightly/api-management/gateway-config-tyk-oas)            |

Given the potential time difference between your upgrade and the release of this version, we recommend users verify the
ongoing support of third-party dependencies they install, as their status may have changed since the release.

#### Deprecations

There are no deprecations in this release.

#### Upgrade Instructions

If you are upgrading to 5.3.9, please follow the detailed [upgrade instructions](/nightly/#upgrading-tyk).

#### Downloads

* [Docker image to pull](https://hub.docker.com/r/tykio/tyk-gateway/tags?page=\&page_size=\&ordering=\&name=v5.3.9)
  * ```bash theme={null}
    docker pull tykio/tyk-gateway:v5.3.9
    ```
* Helm charts
  * [tyk-charts v2.0.0](/nightly/developer-support/release-notes/helm-chart#2-0-0-release-notes)
* [Source code tarball of Tyk Gateway v5.3.9](https://github.com/TykTechnologies/tyk/releases/tag/v5.3.9)

#### Changelog

<a id="Changelog-v5.3.9" data-scroll-offset />

##### Fixed

<AccordionGroup>
  <Accordion title="Incomplete traffic logs generated if custom response plugin adjusts the payload length">
    Resolved an issue where the response body could be only partially recorded in the traffic log if a custom response plugin modified the payload. This was due to Tyk using the original, rather than the modified, content-length of the response when identifying the data to include in the traffic log.
  </Accordion>

  <Accordion title="Fixed OAuth client creation issue for custom plugin APIs in multi-data plane deployments">
    Fixed a bug that prevented the control plane Gateway from loading APIs that use custom plugin bundles. The control plane Gateway is used to register OAuth clients and generate access tokens so this could result in an API being loaded to the data plane Gateways but clients unable to obtain access tokens. This issue was introduced in v5.3.1 as a side-effect of a change to address a potential security issue where APIs could be loaded without their custom plugins.
  </Accordion>

  <Accordion title="Accurate debug logging restored for middleware">
    Addressed an issue where shared loggers caused debug logs to misidentify the middleware source, complicating debugging. Log entries now correctly indicate which middleware generated the log, ensuring clearer and more reliable diagnostics.
  </Accordion>

  <Accordion title="Fixed Payload Issue with Transfer-Encoding: chunked Header">
    Resolved an issue where APIs using the Transfer-Encoding: chunked header alongside URL Rewrite or Validate Request middleware would lose the response payload body. The payload now processes correctly, ensuring seamless functionality regardless of header configuration.
  </Accordion>

  <Accordion title="API Keys remain active after all linked partitioned policies are deleted">
    Resolved an issue where API access keys remained valid even if all associated policies were deleted. The Gateway now attempts to apply all linked policies to the key when it is presented with a request. Warning logs are generated if any policies cannot be applied (for example, if they are missing). If no linked policy can be applied, the Gateway will reject the key to ensure no unauthorized access.
  </Accordion>

  <Accordion title="Resolved API routing issue with trailing slashes and overlapping listen paths">
    Fixed a routing issue that caused incorrect API matching when dealing with APIs that lacked a trailing slash, used custom domains, or had similar listen path patterns. Previously, the router prioritized APIs with longer subdomains and shorter listen paths, leading to incorrect matches when listen paths shared prefixes. This fix ensures accurate API matching, even when subdomains and listen paths overlap.
  </Accordion>

  <Accordion title="Improved Stability for APIs with Malformed Listen Paths">
    Fixed an issue where a malformed listen path could cause the Gateway to crash. Now, such listen paths are properly validated, and if validation fails, an error is logged, and the API is skipped—preventing Gateway instability.
  </Accordion>

  <Accordion title="Resolved Variable Input Handling for Custom Scalars in GraphQL Queries">
    Fixed an issue where GraphQL queries using variables for custom scalar types, such as UUID, failed due to incorrect input handling. Previously, the query would return an error when a variable was used but worked when the value was directly embedded in the query. This update ensures that variables for custom scalar types are correctly inferred and processed, enabling seamless query execution.
  </Accordion>

  <Accordion title="Fixed Gateway panic and SSE streaming issue with OpenTelemetry">
    Resolved a bug that prevented upstream server-sent events (SSE) from being sent when OpenTelemetry was enabled, and fixed a gateway panic that occurred when detailed recording was active while SSE was in use. This ensures stable SSE streaming in configurations with OpenTelemetry.
  </Accordion>

  <Accordion title="Fixed an issue where OAuth 2.0 access tokens would not be issued if the data plane was disconnected from the control plane">
    OAuth 2.0 access tokens can now be issued even when data plane gateways are disconnected from the control plane. This is achieved by saving OAuth clients locally within the data plane when they are pulled from RPC.
  </Accordion>

  <Accordion title="Tyk Now Supports RSA-PSS Signed JWTs">
    Tyk now supports RSA-PSS signed JWTs (PS256, PS384, PS512), enhancing security while maintaining backward compatibility with RS256. No configuration changes are needed—just use RSA public keys, and Tyk will validate both algorithms seamlessly.
  </Accordion>

  <Accordion title="Request size limit middleware would block any request without a payload (for example GET, DELETE)">
    Resolved a problem in the request size limit middleware that caused GET and DELETE requests to fail validation. The middleware incorrectly expected a request body (payload) for these methods and blocked them when none was present.
  </Accordion>
</AccordionGroup>

***

### 5.3.8 Release Notes

#### Release Date 07 November 2024

#### Release Highlights

This release focuses mainly on bug fixes. For a comprehensive list of changes, please refer to the detailed [changelog](/nightly/#Changelog-v5.3.8) below.

#### Breaking Changes

This release has no breaking changes.

#### Dependencies

##### Compatibility Matrix For Tyk Components

| Gateway Version | Recommended Releases                                               | Backwards Compatibility |
| :-------------- | :----------------------------------------------------------------- | :---------------------- |
| 5.3.8           | MDCB v2.5.1                                                        | MDCB v2.5.1             |
|                 | Operator v0.17                                                     | Operator v0.16          |
|                 | Sync v1.4.3                                                        | Sync v1.4.3             |
|                 | Helm Chart (tyk-stack, tyk-oss, tyk-dashboard, tyk-gateway) v2.0.0 | Helm all versions       |
|                 | EDP v1.8.3                                                         | EDP all versions        |
|                 | Pump v1.9.0                                                        | Pump all versions       |
|                 | TIB (if using standalone) v1.5.1                                   | TIB all versions        |

##### 3rd Party Dependencies & Tools

| Third Party Dependency                                        | Tested Versions | Compatible Versions | Comments                                                                          |
| :------------------------------------------------------------ | :-------------- | :------------------ | :-------------------------------------------------------------------------------- |
| [Go](https://go.dev/dl/)                                      | 1.22 (GW)       | 1.22 (GW)           | [Go plugins](/nightly/api-management/plugins/golang#) must be built using Go 1.22 |
| [Redis](https://redis.io/download/)                           | 6.2.x, 7.x      | 6.2.x, 7.x          | Used by Tyk Gateway                                                               |
| [OpenAPI Specification](https://spec.openapis.org/oas/v3.0.3) | v3.0.x          | v3.0.x              | Supported by [Tyk OAS](/nightly/api-management/gateway-config-tyk-oas)            |

Given the potential time difference between your upgrade and the release of this version, we recommend users verify the
ongoing support of third-party dependencies they install, as their status may have changed since the release.

#### Deprecations

This is an advance notice that the dedicated External OAuth, OpenID Connect (OIDC) authentication options, and SQLite support will be deprecated starting in version 5.7.0. We recommend that users of the [External OAuth](/nightly/api-management/client-authentication#integrate-with-external-authorization-server-deprecated) and [OpenID Connect](/nightly/api-management/client-authentication#integrate-with-openid-connect-deprecated) methods migrate to Tyk's dedicated [JWT Auth](/nightly/basic-config-and-security/security/authentication-authorization/json-web-tokens) method. Please review your API configurations, as the Gateway logs will provide notifications for any APIs utilizing these methods.

#### Upgrade Instructions

If you are upgrading to 5.3.8, please follow the detailed [upgrade instructions](/nightly/#upgrading-tyk).

#### Downloads

* [Docker image to pull](https://hub.docker.com/r/tykio/tyk-gateway/tags?page=\&page_size=\&ordering=\&name=v5.3.8)
  * ```bash theme={null}
    docker pull tykio/tyk-gateway:v5.3.8
    ```
* Helm charts
  * [tyk-charts v2.0.0](/nightly/developer-support/release-notes/helm-chart#2-0-0-release-notes)
* [Source code tarball of Tyk Gateway v5.3.8](https://github.com/TykTechnologies/tyk/releases/tag/v5.3.8)

#### Changelog

<a id="Changelog-v5.3.8" data-scroll-offset />

##### Added

<Expandable title="Deprecation notice of External OAuth and OpenID Connect options">
  A deprecation notice for External OAuth and OpenID Connect (OIDC) authentication mechanisms has been implemented in the Gateway logs starting from version 5.3.8. This provides advance notification to users regarding any APIs configured with these authentication methods in preparation for future upgrades where these middleware options may be removed in version 5.7.0.
</Expandable>

##### Fixed

<AccordionGroup>
  <Accordion title="Memory consumption reduced in Gateway for large payloads">
    This update fixes a bug, introduced in version 5.3.1, that caused increased memory usage when proxying large response payloads, restoring memory requirements to the levels seen in version 5.0.6. Users experiencing out-of-memory errors with 1GB+ file downloads will notice improved performance and reduced latency.
  </Accordion>

  <Accordion title="Path-based permissions in combined policies not preserved">
    We resolved an issue that caused path-based permissions in policies to be lost when policies were combined, potentially omitting URL values and restricting access based on the merge order. The fix ensures that all applicable policies merge their allowed URL access rights, regardless of the order in which they are applied.
  </Accordion>

  <Accordion title="Enhanced flexibility in Tyk OAS schema validation">
    A backwards compatibility issue in the way that the Gateway handles Tyk OAS API definitions has been addressed by reducing the strictness of validation against the expected schema. Since Tyk version 5.3, the Gateway has enforced strict validation, potentially causing problems for users downgrading from newer versions. With this change, Tyk customers can move between versions seamlessly, ensuring their APIs remain functional and avoiding system performance issues.
  </Accordion>

  <Accordion title="Fix for API key loss on worker Gateways due to keyspace sync interruption">
    This update resolves an issue where API keys could be lost if the [keyspace synchronization](/nightly/api-management/mdcb#mdcb-synchroniser) between control and data planes was interrupted. The solution now enforces a resynchronization whenever a connection is re-established between MDCB and the data plane, ensuring key data integrity and seamless API access.
  </Accordion>
</AccordionGroup>

***

### 5.3.7 Release Notes

#### Release Date 22 October 2024

#### Release Highlights

This patch release for Tyk Gateway addresses critical stability issues for users running Tyk Gateway within the data
plane, connecting to the control plane or Tyk Hybrid. Affected users should upgrade immediately to version 5.3.7 to
avoid service interruptions and ensure reliable operations with the control plane or Tyk Hybrid.

For a comprehensive list of changes, please refer to the detailed [changelog](/nightly/#Changelog-v5.3.7) below.

#### Breaking Changes

There are no breaking changes in this release.

#### Deprecations

There are no deprecations in this release.

#### Upgrade Instructions

When upgrading to 5.3.7 please follow the [detailed upgrade instructions](/nightly/#upgrading-tyk).

#### Dependencies

##### Compatibility Matrix For Tyk Components

| Gateway Version | Recommended Releases                                               | Backwards Compatibility |
| :-------------- | :----------------------------------------------------------------- | :---------------------- |
| 5.3.7           | MDCB v2.5.1                                                        | MDCB v2.5.1             |
|                 | Operator v0.17                                                     | Operator v0.16          |
|                 | Sync v1.4.3                                                        | Sync v1.4.3             |
|                 | Helm Chart (tyk-stack, tyk-oss, tyk-dashboard, tyk-gateway) v2.0.0 | Helm all versions       |
|                 | EDP v1.8.3                                                         | EDP all versions        |
|                 | Pump v1.9.0                                                        | Pump all versions       |
|                 | TIB (if using standalone) v1.5.1                                   | TIB all versions        |

##### 3rd Party Dependencies & Tools

| Third Party Dependency                                        | Tested Versions | Compatible Versions | Comments                                                                          |
| :------------------------------------------------------------ | :-------------- | :------------------ | :-------------------------------------------------------------------------------- |
| [Go](https://go.dev/dl/)                                      | 1.22            | 1.22                | [Go plugins](/nightly/api-management/plugins/golang#) must be built using Go 1.22 |
| [Redis](https://redis.io/download/)                           | 6.2.x, 7.x      | 6.2.x, 7.x          | Used by Tyk Gateway                                                               |
| [OpenAPI Specification](https://spec.openapis.org/oas/v3.0.3) | v3.0.x          | v3.0.x              | Supported by [Tyk OAS](/nightly/api-management/gateway-config-tyk-oas)            |

Given the potential time difference between your upgrade and the release of this version, we recommend users verify the
ongoing support of third-party dependencies they install, as their status may have changed since the release.

#### Downloads

* [Docker image to pull](https://hub.docker.com/r/tykio/tyk-gateway/tags?page=\&page_size=\&ordering=\&name=v5.3.7)
  * ```bash theme={null}
    docker pull tykio/tyk-gateway:v5.3.7
    ```
* Helm charts
  * [tyk-charts v2.0.0](/nightly/developer-support/release-notes/helm-chart#2-0-0-release-notes)
* [Source code tarball of Tyk Gateway v5.3.7](https://github.com/TykTechnologies/tyk/releases/tag/v5.3.7)

#### Changelog

<a id="Changelog-v5.3.7" data-scroll-offset />

##### Fixed

<Expandable title="Resolved gateway panic on reconnecting to MDCB control plane or Tyk Cloud">
  In version 5.3.6, Tyk Gateway could encounter a panic when attempting to reconnect to the control plane after it was restarted. This patch version has resolved this issue, ensuring stable connectivity between the gateway and control plane following reconnections and reducing the need for manual intervention.
</Expandable>

***

### 5.3.6 Release Notes

#### Release Date 04 October 2024

<Note>
  **Important Update**<br /> <br /> <b>Date</b>: 12 October 2024<br /> <b>Topic</b>: Gateway panic when
  reconnecting to MDCB control plane or Tyk Cloud<br /> <b>Workaround</b>: Restart Gateway<br /> <b>Affected Product</b>: Tyk
  Gateway as an Edge Gateway<br /> <b>Affected versions</b>: v5.6.0, v5.3.6, and v5.0.14<br /> <b>Issue Description:</b><br />

  <p>We have identified an issue affecting Tyk Gateway deployed as a data plane connecting to the Multi-Data Center Bridge (MDCB) control plane or Tyk Cloud. In the above-mentioned Gateway versions, a panic may occur when the gateway reconnects to the control plane after the control plane is restarted.</p>

  <p>Our engineering team is actively working on a fix, and a patch (versions 5.6.1, 5.3.7, and 5.0.15) will be released soon.<br /></p>

  <b>Recommendations:</b><br />

  <b>For users on versions 5.5.0, 5.3.5, and 5.0.13</b><br />
  We advise you to delay upgrading to the affected versions (5.6.0, 5.3.6, or 5.0.14) until the patch is available.

  <b>For users who have already upgraded to 5.6.0, 5.3.6, or 5.0.14 and are experiencing a panic in the gateway:</b><br />
  Restarting the gateway process will restore it to a healthy state. If you are operating in a *Kubernetes* environment, the Tyk Gateway instance should automatically restart, which ultimately resolves the issue.<br />

  <p>We appreciate your understanding and patience as we work to resolve this. Please stay tuned for the upcoming patch release, which will address this issue.</p>
</Note>

#### Release Highlights

This release primarily focuses on bug fixes. For a comprehensive list of changes, please refer to the detailed
[changelog](/nightly/#Changelog-v5.3.6) below.

#### Breaking Changes

Docker images are now based on [distroless](https://github.com/GoogleContainerTools/distroless). No shell is shipped in
the image.

If moving from a version of Tyk older than 5.3.0, please read the explanation provided with [5.3.0 release](/nightly/#TykOAS-v5.3.0).

#### Deprecations

There are no deprecations in this release.

#### Upgrade Instructions

When upgrading to 5.3.6 please follow the [detailed upgrade instructions](/nightly/#upgrading-tyk).

#### Dependencies

##### Compatibility Matrix For Tyk Components

| Gateway Version | Recommended Releases                                               | Backwards Compatibility |
| :-------------- | :----------------------------------------------------------------- | :---------------------- |
| 5.3.6           | MDCB v2.5.1                                                        | MDCB v2.5.1             |
|                 | Operator v0.17                                                     | Operator v0.16          |
|                 | Sync v1.4.3                                                        | Sync v1.4.3             |
|                 | Helm Chart (tyk-stack, tyk-oss, tyk-dashboard, tyk-gateway) v2.0.0 | Helm all versions       |
|                 | EDP v1.8.3                                                         | EDP all versions        |
|                 | Pump v1.9.0                                                        | Pump all versions       |
|                 | TIB (if using standalone) v1.5.1                                   | TIB all versions        |

##### 3rd Party Dependencies & Tools

| Third Party Dependency                                        | Tested Versions | Compatible Versions | Comments                                                                          |
| :------------------------------------------------------------ | :-------------- | :------------------ | :-------------------------------------------------------------------------------- |
| [Go](https://go.dev/dl/)                                      | 1.22            | 1.22                | [Go plugins](/nightly/api-management/plugins/golang#) must be built using Go 1.22 |
| [Redis](https://redis.io/download/)                           | 6.2.x, 7.x      | 6.2.x, 7.x          | Used by Tyk Gateway                                                               |
| [OpenAPI Specification](https://spec.openapis.org/oas/v3.0.3) | v3.0.x          | v3.0.x              | Supported by [Tyk OAS](/nightly/api-management/gateway-config-tyk-oas)            |

Given the potential time difference between your upgrade and the release of this version, we recommend users verify the
ongoing support of third-party dependencies they install, as their status may have changed since the release.

#### Downloads

* [Docker image to pull](https://hub.docker.com/r/tykio/tyk-gateway/tags?page=\&page_size=\&ordering=\&name=v5.3.6)
  * ```bash theme={null}
    docker pull tykio/tyk-gateway:v5.3.6
    ```
* Helm charts
  * [tyk-charts v2.0.0](/nightly/developer-support/release-notes/helm-chart#2-0-0-release-notes)
* [Source code tarball of Tyk Gateway v5.3.6](https://github.com/TykTechnologies/tyk/releases/tag/v5.3.6)

#### Changelog

<a id="Changelog-v5.3.6" data-scroll-offset />

##### Changed

<Expandable title="Upgrade to Go 1.22 for Tyk Gateway">
  The Tyk Gateway has been upgraded from Golang 1.21 to Golang 1.22, bringing enhanced performance, strengthened security,
  and access to the latest features available in the new Golang release.
</Expandable>

<Expandable title="Introducing Distroless Containers for Tyk Gateway (2024 LTS)">
  In this release, we've enhanced the security of the Tyk Gateway image by changing the build process to support
  [distroless](https://github.com/GoogleContainerTools/distroless) containers. This significant update addresses critical
  CVEs associated with Debian, ensuring a more secure and minimal runtime environment. Distroless containers reduce the
  attack surface by eliminating unnecessary packages, which bolsters the security of your deployments.
</Expandable>

##### Fixed

<AccordionGroup>
  <Accordion title="Custom Response Plugins not working for Tyk OAS APIs">
    We have resolved an issue where custom [response plugins](/nightly/api-management/plugins/plugin-types#response-plugins) were not being
    triggered for Tyk OAS APIs. This fix ensures that all custom plugins are invoked as expected when using Tyk OAS APIs.
  </Accordion>

  <Accordion title="Data plane gateways sometimes didn't synchronise policies and APIs on start-up">
    We have enhanced the initial synchronization of Data Plane gateways with the Control Plane to ensure more reliable
    loading of policies and APIs on start-up. A synchronous initialization process has been implemented to avoid sync
    failures and reduce the risk of service disruptions caused by failed loads. This update ensures smoother and more
    consistent syncing of policies and APIs in distributed deployments.
  </Accordion>

  <Accordion title="Quota wasn't respected under extreme load">
    We have fixed an issue where the quota limit was not being consistently respected during request spikes, especially in
    deployments with multiple gateways. The problem occurred when multiple gateways cached the current and remaining quota
    counters at the end of quota periods. To address this, a distributed lock mechanism has been implemented, ensuring
    coordinated quota resets and preventing discrepancies across gateways.
  </Accordion>

  <Accordion title="Restored Key Creation Speed in Gateway 4.0.13 and Later">
    We have addressed a performance regression identified in Tyk Gateway versions 4.0.13 and later, where key creation for
    policies with a large number of APIs (100+) became significantly slower. The operation, which previously took around 1.5
    seconds in versions 4.0.0 to 4.0.12, was taking over 20 seconds in versions 4.0.13 and beyond. This issue has been
    resolved by optimizing Redis operations during key creation, restoring the process to its expected speed of
    approximately 1.5 seconds, even with a large number of APIs in the policy.
  </Accordion>
</AccordionGroup>

##### Security Fixes

<Expandable title="High priority CVEs fixed">
  Fixed the following high priority CVEs identified in the Tyk Gateway, providing increased protection against security
  vulnerabilities:

  * [CVE-2024-6104](https://nvd.nist.gov/vuln/detail/CVE-2024-6104)
</Expandable>

***

### 5.3.5 Release Notes

#### Release Date 26 September 2024

#### Release Highlights

This release fixes some issues related to the way that Tyk performs URL path matching, introducing two new Gateway
configuration options to control path matching strictness. For a comprehensive list of changes, please refer to the
detailed [changelog](/nightly/#Changelog-v5.3.5) below.

#### Breaking Changes

There are no breaking changes in this release. However, if moving from a version of Tyk older than 5.3.0, please read the
explanation provided with [5.3.0 release](/nightly/#TykOAS-v5.3.0).

#### Deprecations

There are no deprecations in this release.

#### Upgrade Instructions

When upgrading to 5.3.5 please follow the [detailed upgrade instructions](/nightly/#upgrading-tyk).

#### Dependencies

##### Compatibility Matrix For Tyk Components

| Gateway Version | Recommended Releases                                               | Backwards Compatibility |
| :-------------- | :----------------------------------------------------------------- | :---------------------- |
| 5.3.5           | MDCB v2.5.1                                                        | MDCB v2.5.1             |
|                 | Operator v0.17                                                     | Operator v0.16          |
|                 | Sync v1.4.3                                                        | Sync v1.4.3             |
|                 | Helm Chart (tyk-stack, tyk-oss, tyk-dashboard, tyk-gateway) v2.0.0 | Helm all versions       |
|                 | EDP v1.8.3                                                         | EDP all versions        |
|                 | Pump v1.9.0                                                        | Pump all versions       |
|                 | TIB (if using standalone) v1.5.1                                   | TIB all versions        |

##### 3rd Party Dependencies & Tools

| Third Party Dependency                                        | Tested Versions       | Compatible Versions   | Comments                                                                          |
| :------------------------------------------------------------ | :-------------------- | :-------------------- | :-------------------------------------------------------------------------------- |
| [Go](https://go.dev/dl/)                                      | 1.19 (GQL), 1.21 (GW) | 1.19 (GQL), 1.21 (GW) | [Go plugins](/nightly/api-management/plugins/golang#) must be built using Go 1.21 |
| [Redis](https://redis.io/download/)                           | 6.2.x, 7.x            | 6.2.x, 7.x            | Used by Tyk Gateway                                                               |
| [OpenAPI Specification](https://spec.openapis.org/oas/v3.0.3) | v3.0.x                | v3.0.x                | Supported by [Tyk OAS](/nightly/api-management/gateway-config-tyk-oas)            |

Given the potential time difference between your upgrade and the release of this version, we recommend users verify the
ongoing support of third-party dependencies they install, as their status may have changed since the release.

#### Downloads

* [Docker image to pull](https://hub.docker.com/r/tykio/tyk-gateway/tags?page=\&page_size=\&ordering=\&name=v5.3.5)
  * ```bash theme={null}
    docker pull tykio/tyk-gateway:v5.3.5
    ```
* Helm charts
  * [tyk-charts v2.0.0](/nightly/developer-support/release-notes/helm-chart#2-0-0-release-notes)
* [Source code tarball of Tyk Gateway v5.3.5](https://github.com/TykTechnologies/tyk/releases/tag/v5.3.5)

#### Changelog

<a id="Changelog-v5.3.5" data-scroll-offset />

##### Added

<Expandable title="Implemented Gateway configuration options to set URL path matching strictness">
  We have introduced two new options in the `http_server_options` [Gateway
  configuration](/nightly/tyk-oss-gateway/configuration#http_server_options) that will enforce prefix and/or suffix matching
  when Tyk performs checks on whether middleware or other logic should be applied to a request:

  * `enable_path_prefix_matching` ensures that the start of the request path must match the path defined in the API
    definition
  * `enable_path_suffix_matching` ensures that the end of the request path must match the path defined in the API
    definition
  * combining `enable_path_prefix_matching` and `enable_path_suffix_matching` will ensure an exact (explicit) match is
    performed

  These configuration options provide control to avoid unintended matching of paths from Tyk's default *wildcard* match.
  Use of regex special characters when declaring the endpoint path in the API definition will automatically override these
  settings for that endpoint. Tyk recommends that exact matching is employed, but both options default to `false` to avoid
  introducing a breaking change for existing users.

  The example Gateway configuration file `tyk.conf.example` has been updated to set the recommended exact matching with:

  * `http_server_options.enable_path_prefix_matching = true`
  * `http_server_options.enable_path_suffix_matching = true`
  * `http_server_options.enable_strict_routes = true`
</Expandable>
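
The effect of the two options can be seen in a small model, added here as an illustration and not taken from Tyk's code base: an endpoint path is compiled to a regular expression and anchored according to the options. The `{param}` handling, the helper names and the sample request paths are assumptions of this model, and the override for endpoint paths that contain regex special characters is not modelled.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// MatchMode mirrors the two Gateway options named in the release note.
type MatchMode struct {
	Prefix bool // http_server_options.enable_path_prefix_matching
	Suffix bool // http_server_options.enable_path_suffix_matching
}

// Named combinations of the two options.
var (
	Wildcard   = MatchMode{}                           // both false: the default
	PrefixOnly = MatchMode{Prefix: true}               // start of path must match
	SuffixOnly = MatchMode{Suffix: true}               // end of path must match
	Exact      = MatchMode{Prefix: true, Suffix: true} // recommended setting
)

// paramRe finds path parameters such as {id}.
var paramRe = regexp.MustCompile(`\{[^/{}]+\}`)

// endpointPattern turns an endpoint path such as /user/{id} into a regular
// expression. Assumption of this model: literal text is matched literally and
// each {param} matches exactly one non-empty path segment.
func endpointPattern(endpoint string, m MatchMode) *regexp.Regexp {
	var b strings.Builder
	if m.Prefix {
		b.WriteString("^")
	}
	last := 0
	for _, loc := range paramRe.FindAllStringIndex(endpoint, -1) {
		b.WriteString(regexp.QuoteMeta(endpoint[last:loc[0]]))
		b.WriteString(`[^/]+`)
		last = loc[1]
	}
	b.WriteString(regexp.QuoteMeta(endpoint[last:]))
	if m.Suffix {
		b.WriteString("$")
	}
	return regexp.MustCompile(b.String())
}

// Matches reports whether a rule declared for endpoint applies to requestPath.
func Matches(endpoint, requestPath string, m MatchMode) bool {
	return endpointPattern(endpoint, m).MatchString(requestPath)
}

// Unintended lists the request paths that mode m matches although exact
// matching rejects them, i.e. the paths a rule would cover by accident.
func Unintended(endpoint string, paths []string, m MatchMode) []string {
	var out []string
	for _, p := range paths {
		if Matches(endpoint, p, m) && !Matches(endpoint, p, Exact) {
			out = append(out, p)
		}
	}
	return out
}

// samplePaths is constructed input for the demonstration.
var samplePaths = []string{
	"/user",
	"/users",
	"/user/42/delete",
	"/admin/user",
	"/v2/user/export",
}

func main() {
	modes := []struct {
		name string
		mode MatchMode
	}{
		{"wildcard", Wildcard},
		{"prefix", PrefixOnly},
		{"suffix", SuffixOnly},
		{"exact", Exact},
	}
	for _, c := range modes {
		fmt.Printf("%-8s rule for /user also covers: %v\n",
			c.name, Unintended("/user", samplePaths, c.mode))
	}
}
```

Prefix matching alone still covers `/users` and deeper paths under `/user`, which is why the release note recommends enabling both options together.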

##### Fixed

<Expandable title="Incorrectly configured regex in Policy affected Granular Endpoint Access authorization">
  Fixed an issue when using [granular endpoint](/nightly/api-management/access-control/sessions-and-keys/access-rights#granular-endpoint-access) in access Policies and keys that led to authorization incorrectly being granted to endpoints if an invalid regular expression was configured in the key/Policy. Also fixed an issue where path-based parameters were not correctly handled by Path-Based Permissions. Tyk's authorization check now correctly handles both of these scenarios, granting access only to the expected resources.
</Expandable>

<Expandable title="Missing path parameter could direct to the wrong endpoint">
  Fixed an issue where a parameterized endpoint URL (e.g. `/user/{id}`) would be invoked if a request is made that omits
  the parameter. For example, a request to `/user/` will now be interpreted as a request to `/user` and not to
  `/user/{id}`.
</Expandable>

***

### 5.3.4 Release Notes

#### Release Date August 26th 2024

#### Release Highlights

Gateway 5.3.4 was version bumped only, to align with Dashboard 5.3.4, so this release contains no changes. For further
information please see the release notes for Dashboard
[v5.3.4](/nightly/developer-support/release-notes/dashboard#5-3-0-release-notes).

#### Breaking Changes

**Attention**: Please read this section carefully.

There are no breaking changes in this release. However, if moving from a version of Tyk older than 5.3.0, please read the
explanation provided with [5.3.0 release](/nightly/#TykOAS-v5.3.0).

#### Deprecations

There are no deprecations in this release.

#### Upgrade Instructions

When upgrading to 5.3.4 please follow the [detailed upgrade instructions](/nightly/#upgrading-tyk).

#### Dependencies

##### Compatibility Matrix For Tyk Components

| Gateway Version | Recommended Releases                                               | Backwards Compatibility |
| :-------------- | :----------------------------------------------------------------- | :---------------------- |
| 5.3.4           | MDCB v2.5.1                                                        | MDCB v2.5.1             |
|                 | Operator v0.17                                                     | Operator v0.16          |
|                 | Sync v1.4.3                                                        | Sync v1.4.3             |
|                 | Helm Chart (tyk-stack, tyk-oss, tyk-dashboard, tyk-gateway) v1.4.0 | Helm all versions       |
|                 | EDP v1.8.3                                                         | EDP all versions        |
|                 | Pump v1.9.0                                                        | Pump all versions       |
|                 | TIB (if using standalone) v1.5.1                                   | TIB all versions        |

##### 3rd Party Dependencies & Tools

| Third Party Dependency                                        | Tested Versions       | Compatible Versions   | Comments                                                                          |
| :------------------------------------------------------------ | :-------------------- | :-------------------- | :-------------------------------------------------------------------------------- |
| [Go](https://go.dev/dl/)                                      | 1.19 (GQL), 1.21 (GW) | 1.19 (GQL), 1.21 (GW) | [Go plugins](/nightly/api-management/plugins/golang#) must be built using Go 1.21 |
| [Redis](https://redis.io/download/)                           | 6.2.x, 7.x            | 6.2.x, 7.x            | Used by Tyk Gateway                                                               |
| [OpenAPI Specification](https://spec.openapis.org/oas/v3.0.3) | v3.0.x                | v3.0.x                | Supported by [Tyk OAS](/nightly/api-management/gateway-config-tyk-oas)            |

Given the potential time difference between your upgrade and the release of this version, we recommend users verify the
ongoing support of third-party dependencies they install, as their status may have changed since the release.

#### Downloads

* [Docker image to pull](https://hub.docker.com/r/tykio/tyk-gateway/tags?page=\&page_size=\&ordering=\&name=v5.3.4)
  * ```bash theme={null}
    docker pull tykio/tyk-gateway:v5.3.4
    ```
* Helm charts
  * [tyk-charts v1.4](/nightly/developer-support/release-notes/helm-chart#1-4-0-release-notes)
* [Source code tarball of Tyk Gateway v5.3.4](https://github.com/TykTechnologies/tyk/releases/tag/v5.3.4)

#### Changelog

<a id="Changelog-v5.3.4" data-scroll-offset />

Since this release was version bumped only to align with Dashboard v5.3.4, no changes were encountered in this release.

***

### 5.3.3 Release Notes

#### Release Date August 2nd 2024

#### Breaking Changes

**Attention**: Please read this section carefully.

There are no breaking changes in this release, however if moving from a version of Tyk older than 5.3.0 please read the
explanation provided with [5.3.0 release](/nightly/#TykOAS-v5.3.0).

#### Deprecations

There are no deprecations in this release.

#### Upgrade Instructions

When upgrading to 5.3.3 please follow the [detailed upgrade instructions](/nightly/#upgrading-tyk).

#### Release Highlights

##### Bug Fixes

This release primarily focuses on bug fixes. For a comprehensive list of changes, please refer to the detailed
[changelog](/nightly/#Changelog-v5.3.3) below.

##### FIPS Compliance

Tyk Gateway now offers [FIPS 140-2](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf) compliance. For further
details please consult [Tyk API Management
FIPS support](/nightly/developer-support/release-types/fips-release).

#### Dependencies

##### Compatibility Matrix For Tyk Components

| Gateway Version | Recommended Releases                                               | Backwards Compatibility |
| :-------------- | :----------------------------------------------------------------- | :---------------------- |
| 5.3.3           | MDCB v2.5.1                                                        | MDCB v2.5.1             |
|                 | Operator v0.17                                                     | Operator v0.16          |
|                 | Sync v1.4.3                                                        | Sync v1.4.3             |
|                 | Helm Chart (tyk-stack, tyk-oss, tyk-dashboard, tyk-gateway) v1.4.0 | Helm all versions       |
|                 | EDP v1.8.3                                                         | EDP all versions        |
|                 | Pump v1.9.0                                                        | Pump all versions       |
|                 | TIB (if using standalone) v1.5.1                                   | TIB all versions        |

##### 3rd Party Dependencies & Tools

| Third Party Dependency                                        | Tested Versions       | Compatible Versions   | Comments                                                                          |
| :------------------------------------------------------------ | :-------------------- | :-------------------- | :-------------------------------------------------------------------------------- |
| [Go](https://go.dev/dl/)                                      | 1.19 (GQL), 1.21 (GW) | 1.19 (GQL), 1.21 (GW) | [Go plugins](/nightly/api-management/plugins/golang#) must be built using Go 1.21 |
| [Redis](https://redis.io/download/)                           | 6.2.x, 7.x            | 6.2.x, 7.x            | Used by Tyk Gateway                                                               |
| [OpenAPI Specification](https://spec.openapis.org/oas/v3.0.3) | v3.0.x                | v3.0.x                | Supported by [Tyk OAS](/nightly/api-management/gateway-config-tyk-oas)            |

Given the potential time difference between your upgrade and the release of this version, we recommend users verify the
ongoing support of third-party dependencies they install, as their status may have changed since the release.

#### Downloads

* [Docker image to pull](https://hub.docker.com/r/tykio/tyk-gateway/tags?page=\&page_size=\&ordering=\&name=v5.3.3)
  * ```bash theme={null}
    docker pull tykio/tyk-gateway:v5.3.3
    ```
* Helm charts
  * [tyk-charts v1.4](/nightly/developer-support/release-notes/helm-chart#1-4-0-release-notes)
* [Source code tarball of Tyk Gateway v5.3.3](https://github.com/TykTechnologies/tyk/releases/tag/v5.3.3)

#### Changelog

<a id="Changelog-v5.3.3" data-scroll-offset />

##### Added

<Expandable title="Added FIPS compliance">
  Added [FIPS compliance](/nightly/developer-support/release-types/fips-release) for Tyk Gateway.
</Expandable>

<Expandable title="Corrected ordering of Tyk OAS API paths to prevent middleware misapplication">
  Fixed an issue where nested API endpoints, such as '/test' and '/test/abc', might incorrectly apply middleware from the
  parent path to the nested path. The fix ensures that API endpoint definitions are correctly ordered, preventing this
  middleware misapplication and ensuring both the HTTP method and URL match accurately.
</Expandable>

***

##### Fixed

<AccordionGroup>
  <Accordion title="Optimised key creation to reduce redundant Redis commands">
    Addressed an issue where creating or resetting a key caused an exponential number of Redis DeleteRawKey commands.
    Previously, the key creation sequence repeated for every API in the access list, leading to excessive deletion events,
    especially problematic for access lists with over 100 entries. Now, the key creation sequence executes only once, and
    redundant deletion of non-existent keys in Redis has been eliminated, significantly improving performance and stability
    for larger access lists.
  </Accordion>

  <Accordion title="Resolved SSE streaming issue">
    Fixed a bug that caused Server-Sent Events (SSE) streaming responses to be considered for caching, which required
    buffering the response and prevented SSE from being correctly proxied.
  </Accordion>

  <Accordion title="Fixed Analytics Latency Reporting for MDCB Setups">
    Resolved an issue where Host and Latency fields (Total and Upstream) were not correctly reported for edge gateways in
    MDCB setups. The fix ensures accurate Host values and Latency measurements are now captured and displayed in analytics
    data.
  </Accordion>
</AccordionGroup>

***

### 5.3.2 Release Notes

#### Release Date 5th June 2024

#### Breaking Changes

**Attention**: Please read this section carefully.

There are no breaking changes in this release, however if moving from a version of Tyk older than 5.3.0 please read the
explanation provided with [5.3.0 release](/nightly/#TykOAS-v5.3.0).

#### Deprecations

There are no deprecations in this release.

#### Upgrade Instructions

When upgrading to 5.3.2 please follow the [detailed upgrade instructions](/nightly/#upgrading-tyk).

#### Release Highlights

This release primarily focuses on bug fixes. For a comprehensive list of changes, please refer to the detailed
[changelog](/nightly/#Changelog-v5.3.2) below.

#### Dependencies

##### Compatibility Matrix For Tyk Components

| Gateway Version | Recommended Releases                                               | Backwards Compatibility |
| :-------------- | :----------------------------------------------------------------- | :---------------------- |
| 5.3.2           | MDCB v2.5.1                                                        | MDCB v2.5.1             |
|                 | Operator v0.17                                                     | Operator v0.16          |
|                 | Sync v1.4.3                                                        | Sync v1.4.3             |
|                 | Helm Chart (tyk-stack, tyk-oss, tyk-dashboard, tyk-gateway) v1.4.0 | Helm all versions       |
|                 | EDP v1.8.3                                                         | EDP all versions        |
|                 | Pump v1.9.0                                                        | Pump all versions       |
|                 | TIB (if using standalone) v1.5.1                                   | TIB all versions        |

##### 3rd Party Dependencies & Tools

| Third Party Dependency                                        | Tested Versions       | Compatible Versions   | Comments                                                                          |
| :------------------------------------------------------------ | :-------------------- | :-------------------- | :-------------------------------------------------------------------------------- |
| [Go](https://go.dev/dl/)                                      | 1.19 (GQL), 1.21 (GW) | 1.19 (GQL), 1.21 (GW) | [Go plugins](/nightly/api-management/plugins/golang#) must be built using Go 1.21 |
| [Redis](https://redis.io/download/)                           | 6.2.x, 7.x            | 6.2.x, 7.x            | Used by Tyk Gateway                                                               |
| [OpenAPI Specification](https://spec.openapis.org/oas/v3.0.3) | v3.0.x                | v3.0.x                | Supported by [Tyk OAS](/nightly/api-management/gateway-config-tyk-oas)            |

Given the potential time difference between your upgrade and the release of this version, we recommend users verify the
ongoing support of third-party dependencies they install, as their status may have changed since the release.

#### Downloads

* [Docker image to pull](https://hub.docker.com/r/tykio/tyk-gateway/tags?page=\&page_size=\&ordering=\&name=v5.3.2)
  * ```bash theme={null}
    docker pull tykio/tyk-gateway:v5.3.2
    ```
* Helm charts
  * [tyk-charts v1.4](/nightly/developer-support/release-notes/helm-chart#1-4-0-release-notes)
* [Source code tarball of Tyk Gateway v5.3.2](https://github.com/TykTechnologies/tyk/releases/tag/v5.3.2)

#### Changelog

<a id="Changelog-v5.3.2" data-scroll-offset />

##### Fixed

<AccordionGroup>
  <Accordion title="Remove sensitive information leaked from OpenTelemetry traces">
    In Gateway versions 5.2+ and 5.3+, we discovered a bug within the OpenTelemetry tracing feature that inadvertently
    transmitted sensitive information. Specifically, the `tyk.api.apikey` and `tyk.api.oauthid` attributes were exposing API keys.
    We have fixed the issue to ensure that only the hashed version of the API key is transmitted in traces.
  </Accordion>

  <Accordion title="APIs with common listen paths but different custom domains">
    Addressed an issue where an API with a custom domain might not be invoked if another API with the same listen path but
    no custom domain was also deployed on the Gateway. Now APIs with custom domain names are loaded first, so requests will
    be checked against these first before falling back to APIs without custom domains.
  </Accordion>

  <Accordion title="Gateway service discovery issue with consul">
    Addressed an issue in service discovery where an IP:port returned by Consul wasn't parsed correctly on the Gateway side,
    leading to errors when proxying requests to the service. The issue primarily occurred with IP:port responses, while
    valid domain names were unaffected.
  </Accordion>

  <Accordion title="Resolved Universal Data Graph Nested Field Mapping Issue">
    Fixed an issue with nested field mapping in UDG when used with GraphQL (GQL) operations for a field's data source.
    Previously, querying only the mentioned field resulted in an error, but querying alongside another 'normal' field from
    the same level worked without issue.
  </Accordion>

  <Accordion title="Added control over access to context variables from middleware when using Tyk OAS APIs">
    Addressed a potential issue when working with Tyk OAS APIs where request context variables are automatically made
    available to relevant Tyk and custom middleware. We have introduced a control in the Tyk OAS API definition to disable
    this access if required.
  </Accordion>
</AccordionGroup>
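To work out which credentials were exposed by the OpenTelemetry leak described above, stored trace exports from gateways that ran a version before the fix can be inventoried for the two attributes. The following added example (not Tyk's code) assumes the traces are available in OTLP/JSON form; the sample export and function names are constructed, and each value is reported only as a truncated SHA-256 fingerprint so the report does not repeat the secret.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Attributes named in the release note as carrying raw credentials.
var sensitiveAttrs = map[string]bool{"tyk.api.apikey": true, "tyk.api.oauthid": true}

// otlpExport is the subset of the OTLP/JSON trace layout this audit reads.
type otlpExport struct {
	ResourceSpans []struct {
		ScopeSpans []struct {
			Spans []struct {
				TraceID    string `json:"traceId"`
				Attributes []struct {
					Key   string `json:"key"`
					Value struct {
						StringValue string `json:"stringValue"`
					} `json:"value"`
				} `json:"attributes"`
			} `json:"spans"`
		} `json:"scopeSpans"`
	} `json:"resourceSpans"`
}

// Exposure summarises one distinct credential value seen in the export.
type Exposure struct {
	Attribute   string
	Fingerprint string   // first 16 hex chars of SHA-256(value); raw value is not kept
	SpanCount   int      // spans that carried the value
	TraceIDs    []string // distinct traces, in first-seen order
}

// Constructed sample: one API key seen in two traces, one OAuth ID, one clean span.
const sampleExport = `{"resourceSpans":[{"scopeSpans":[{"spans":[
 {"traceId":"0000000000000000000000000000000a","attributes":[
   {"key":"http.method","value":{"stringValue":"GET"}},
   {"key":"tyk.api.apikey","value":{"stringValue":"constructed-key-aaaa"}}]},
 {"traceId":"0000000000000000000000000000000b","attributes":[
   {"key":"tyk.api.apikey","value":{"stringValue":"constructed-key-aaaa"}}]},
 {"traceId":"0000000000000000000000000000000b","attributes":[
   {"key":"tyk.api.oauthid","value":{"stringValue":"constructed-oauth-client-1"}}]},
 {"traceId":"0000000000000000000000000000000c","attributes":[
   {"key":"http.method","value":{"stringValue":"POST"}}]}
]}]}]}`

func fingerprint(v string) string {
	sum := sha256.Sum256([]byte(v))
	return hex.EncodeToString(sum[:])[:16]
}

func contains(list []string, s string) bool {
	for _, v := range list {
		if v == s {
			return true
		}
	}
	return false
}

// AuditExport walks every span and groups sensitive attribute values by
// (attribute, fingerprint), counting spans and collecting affected traces.
func AuditExport(raw []byte) ([]Exposure, error) {
	var exp otlpExport
	if err := json.Unmarshal(raw, &exp); err != nil {
		return nil, fmt.Errorf("not an OTLP/JSON export: %w", err)
	}
	index := map[string]int{} // "attribute|fingerprint" -> position in out
	var out []Exposure
	for _, rs := range exp.ResourceSpans {
		for _, ss := range rs.ScopeSpans {
			for _, sp := range ss.Spans {
				for _, a := range sp.Attributes {
					v := a.Value.StringValue
					if !sensitiveAttrs[a.Key] || v == "" {
						continue
					}
					fp := fingerprint(v)
					i, seen := index[a.Key+"|"+fp]
					if !seen {
						i = len(out)
						index[a.Key+"|"+fp] = i
						out = append(out, Exposure{Attribute: a.Key, Fingerprint: fp})
					}
					out[i].SpanCount++
					if !contains(out[i].TraceIDs, sp.TraceID) {
						out[i].TraceIDs = append(out[i].TraceIDs, sp.TraceID)
					}
				}
			}
		}
	}
	return out, nil
}

func main() {
	found, err := AuditExport([]byte(sampleExport))
	if err != nil {
		fmt.Println(err)
		return
	}
	for _, e := range found {
		fmt.Printf("%s sha256:%s spans=%d traces=%v\n", e.Attribute, e.Fingerprint, e.SpanCount, e.TraceIDs)
	}
}
```

Fingerprints can be matched against the key store by hashing each stored key the same way, which identifies the affected credentials without writing them to the report.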

***

### 5.3.1 Release Notes

#### Release Date 24 April 2024

#### Breaking Changes

**Attention**: Please read this section carefully.

There are no breaking changes in this release, however if moving from a version of Tyk older than 5.3.0 please read the
explanation provided with [5.3.0 release](/nightly/#TykOAS-v5.3.0).

#### Deprecations

There are no deprecations in this release.

#### Upgrade Instructions

When upgrading to 5.3.1 please follow the [detailed upgrade instructions](/nightly/#upgrading-tyk).

#### Release Highlights

This release primarily focuses on bug fixes. For a comprehensive list of changes, please refer to the detailed
[changelog](/nightly/#Changelog-v5.3.1) below.

#### Dependencies

##### Compatibility Matrix For Tyk Components

| Gateway Version | Recommended Releases                                               | Backwards Compatibility |
| :-------------- | :----------------------------------------------------------------- | :---------------------- |
| 5.3.1           | MDCB v2.5.1                                                        | MDCB v2.5.1             |
|                 | Operator v0.17                                                     | Operator v0.16          |
|                 | Sync v1.4.3                                                        | Sync v1.4.3             |
|                 | Helm Chart (tyk-stack, tyk-oss, tyk-dashboard, tyk-gateway) v1.3.0 | Helm all versions       |
|                 | EDP v1.8.3                                                         | EDP all versions        |
|                 | Pump v1.9.0                                                        | Pump all versions       |
|                 | TIB (if using standalone) v1.5.1                                   | TIB all versions        |

##### 3rd Party Dependencies & Tools

| Third Party Dependency                                        | Tested Versions       | Compatible Versions   | Comments                                                                          |
| :------------------------------------------------------------ | :-------------------- | :-------------------- | :-------------------------------------------------------------------------------- |
| [Go](https://go.dev/dl/)                                      | 1.19 (GQL), 1.21 (GW) | 1.19 (GQL), 1.21 (GW) | [Go plugins](/nightly/api-management/plugins/golang#) must be built using Go 1.21 |
| [Redis](https://redis.io/download/)                           | 6.2.x, 7.x            | 6.2.x, 7.x            | Used by Tyk Gateway                                                               |
| [OpenAPI Specification](https://spec.openapis.org/oas/v3.0.3) | v3.0.x                | v3.0.x                | Supported by [Tyk OAS](/nightly/api-management/gateway-config-tyk-oas)            |

Given the potential time difference between your upgrade and the release of this version, we recommend users verify the
ongoing support of third-party dependencies they install, as their status may have changed since the release.

#### Downloads

* [Docker image to pull](https://hub.docker.com/r/tykio/tyk-gateway/tags?page=\&page_size=\&ordering=\&name=v5.3.1)
  * ```bash theme={null}
    docker pull tykio/tyk-gateway:v5.3.1
    ```
* Helm charts
  * [tyk-charts v1.3](/nightly/developer-support/release-notes/helm-chart#1-3-0-release-notes)
* [Source code tarball of Tyk Gateway v5.3.1](https://github.com/TykTechnologies/tyk/releases/tag/v5.3.1)

#### Changelog

<a id="Changelog-v5.3.1" data-scroll-offset />

##### Fixed

<AccordionGroup>
  <Accordion title="Improved security: don't load APIs into Gateway if custom plugin bundle fails to load">
    Issues were addressed where Tyk failed to properly reject custom plugin bundles with signature verification failures,
    allowing APIs to load without necessary plugins, potentially exposing upstream services. With the fix, if the plugin
    bundle fails to load (for example, due to failed signature verification) the API will not be loaded and an error will be
    logged in the Gateway.
  </Accordion>

  <Accordion title="Stability: fixed a Gateway panic that could occur when using custom JavaScript plugins with the Ignore Authentication middleware">
    Fixed a panic scenario that occurred when a custom JavaScript plugin that requests access to the session metadata
    (`require_session:true`) is assigned to the same endpoint as the Ignore Authentication middleware. While the custom
    plugin expects access to a valid session, the configuration flag doesn't guarantee its presence, only that it's passed
    if available. As such, the custom plugin should be coded to verify that the session metadata is present before
    attempting to use it.
  </Accordion>

  <Accordion title="Stability: Gateway could crash when custom Python plugins attempted to access storage">
    Fixed a bug where the Gateway could crash when using custom Python plugins that access the Redis storage. The Tyk Python
    API methods `store_data` and `get_data` could fail due to connection issues with Redis. With this fix, the Redis
    connection will be created if required, avoiding the crash.
  </Accordion>

  <Accordion title="Stability: Gateway panics when arguments are missing in persist GraphQL endpoints">
    In some instances users were noticing gateway panics when using the **Persist GQL** middleware without arguments
    defined. This issue has been fixed and the gateway will not throw panics in these cases anymore.
  </Accordion>

  <Accordion title="Headers for GraphQL headers were not properly forwarded upstream for GQL/UDG subscriptions">
    Fixed an issue with GraphQL APIs, where [headers](/nightly/api-management/graphql#graphql-apis-headers) were not properly forwarded upstream for [GQL/UDG subscriptions](/nightly/api-management/graphql#graphql-subscriptions).
  </Accordion>

  <Accordion title="Missing GraphQL OTel attributes in spans when requests fail validation">
    In cases where `detailed_tracing` was set to `false` and the client was sending a malformed request to a GraphQL API,
    the traces were missing GraphQL attributes (operation name, type and document). This has been corrected and debugging
    GraphQL with OTel will be easier for users.
  </Accordion>

  <Accordion title="Incorrect naming for semantic conventions attributes in GQL spans">
    GQL OpenTelemetry semantic conventions attribute names were missing the `graphql` prefix and therefore were not in line
    with the community standard. This has been fixed and all attributes have the correct prefix.
  </Accordion>

  <Accordion title="URL Rewrite middleware did not always correctly observe quotas for requests using keys created from policies">
    Fixed two bugs in the handling of usage quotas by the URL rewrite middleware when it was configured to rewrite to itself
    (e.g. to `tyk://self`). Quota limits were not observed and the quota related response headers always contained `0`.
  </Accordion>

  <Accordion title="Tyk Dashboard License Statistics page could display incorrect number of data plane gateways">
    Resolved an issue in distributed deployments where the MDCB data plane gateway counter was inaccurately incremented when
    a Gateway was stopped and restarted.
  </Accordion>

  <Accordion title="Unable to clear the API cache in distributed data plane Gateways from the control plane Dashboard">
    Addressed a bug where clearing the API cache from the Tyk Dashboard failed to invalidate the cache in distributed data
    plane gateways. This fix requires MDCB 2.5.1.
  </Accordion>

  <Accordion title="Unable to load custom Go plugins compiled in RHEL 8">
    Fixed a bug where custom Go plugins compiled in RHEL8 environments were unable to load into Tyk Gateway due to a
    discrepancy in base images between the Gateway and Plugin Compiler environments. This fix aligns the plugin compiler
    base image with the gateway build environment, enabling seamless plugin functionality on RHEL8 environments.
  </Accordion>

  <Accordion title="Removed unused packages from plugin compiler image">
    Removed several unused packages from the plugin compiler image. The packages include: docker, buildkit, ruc, sqlite, curl, wget, and other build tooling. The removal was done in order to address invalid CVE reporting; none of the removed dependencies are used to provide plugin compiler functionality.
  </Accordion>
</AccordionGroup>

***

### 5.3.0 Release Notes

#### Release Date 5 April 2024

#### Breaking Changes

**Attention: Please read this section carefully**

##### Tyk OAS APIs Compatibility Caveats - Tyk OSS

<a id="TykOAS-v5.3.0" />

This upgrade transitions Tyk OAS APIs out of [Early Access](/nightly/developer-support/release-types/early-access-feature).

For licensed deployments (Tyk Cloud, Self Managed including MDCB), please refer to the [release notes of Tyk Dashboard 5.3.0](/nightly/developer-support/release-notes/dashboard#5-3-0-release-notes).

* **Out of Early Access**
  * This means that from now on, all Tyk OAS APIs will be backwards compatible and in case of a downgrade from v5.3.X to
    v5.3.0, the Tyk OAS API definitions will always work.
* **Not Backwards Compatible**
  * Tyk OAS APIs in Tyk Gateway v5.3.0 are not [backwards compatible](https://tinyurl.com/3xy966xn). This means that the
    new Tyk OAS API format created by Tyk Gateway v5.3.X does not work with older versions of Tyk Gateway, i.e. you
    cannot export these API definitions from a v5.3.X Tyk Gateway and import them to an earlier version.
  * The upgrade is **not reversible**, i.e. you cannot use version 5.3.X Tyk OAS API definitions with an older version
    of Tyk Dashboard.
  * This means that if you wish to downgrade or revert to your previous version of Tyk, you will need to restore these
    API definitions from a backup. Please go to the [backup](/nightly/#upgrade-instructions) section for detailed
    instructions on backup before upgrading to v5.3.0.
  * If you are not using Tyk OAS APIs, Tyk will maintain backward compatibility standards.
* **Not Forward Compatible**
  * Tyk OAS API Definitions prior to v5.3.0 are not [forward compatible](https://tinyurl.com/t3zz88ep) with Tyk Gateway
    v5.3.X.
  * This means that any Tyk OAS APIs created in any previous release (4.1.0-5.2.x) cannot work with the new Tyk Gateway
    v5.3.X without being migrated to its latest format.
* **After upgrade (the good news)**
  * Tyk OAS API definitions that are part of the file system **are not automatically converted** to the new
    format. Consequently, users will have to manually update their
    OAS API Definitions to the new format.
  * If users upgrade to 5.3.0, create new Tyk OAS APIs and then decide to roll back, the upgrade is non-reversible.
    Reverting to your previous version requires restoring from a backup.

**Important:** Please go to the [backup](/nightly/#upgrade-instructions) section for detailed instructions on
backup before upgrading to v5.3.0.

##### Python plugin support

Starting from Tyk Gateway version v5.3.0, Python is no longer bundled with the official Tyk Gateway Docker image to
reduce exposure to security vulnerabilities in the Python libraries.

Whilst the Gateway still supports Python plugins, you must [extend
the image](/nightly/api-management/plugins/rich-plugins#install-the-python-development-packages)
to add the language support.

{/* ##### Changed error log messages
Important for users who monitor Tyk components using the application logs (i.e. Tyk Gateway log, Tyk Dashboard log etc.).
We try to avoid making changes to our log messages, especially at error and critical levels. However, sometimes it's necessary. Please find the list of changes made to the application log in this release: */}

{/* ##### Planned Breaking Changes */}

#### Dependencies

##### Compatibility Matrix For Tyk Components

| Gateway Version | Recommended Releases                                               | Backwards Compatibility |
| :-------------- | :----------------------------------------------------------------- | :---------------------- |
| 5.3.0           | MDCB v2.5                                                          | MDCB v2.4.2             |
|                 | Operator v0.17                                                     | Operator v0.16          |
|                 | Sync v1.4.3                                                        | Sync v1.4.3             |
|                 | Helm Chart (tyk-stack, tyk-oss, tyk-dashboard, tyk-gateway) v1.3.0 | Helm all versions       |
|                 | EDP v1.8.3                                                         | EDP all versions        |
|                 | Pump v1.9.0                                                        | Pump all versions       |
|                 | TIB (if using standalone) v1.5.1                                   | TIB all versions        |

##### 3rd Party Dependencies & Tools

| Third Party Dependency                                        | Tested Versions       | Compatible Versions   | Comments                                                                          |
| :------------------------------------------------------------ | :-------------------- | :-------------------- | :-------------------------------------------------------------------------------- |
| [Go](https://go.dev/dl/)                                      | 1.19 (GQL), 1.21 (GW) | 1.19 (GQL), 1.21 (GW) | [Go plugins](/nightly/api-management/plugins/golang#) must be built using Go 1.21 |
| [Redis](https://redis.io/download/)                           | 6.2.x, 7.x            | 6.2.x, 7.x            | Used by Tyk Gateway                                                               |
| [OpenAPI Specification](https://spec.openapis.org/oas/v3.0.3) | v3.0.x                | v3.0.x                | Supported by [Tyk OAS](/nightly/api-management/gateway-config-tyk-oas)            |

Given the potential time difference between your upgrade and the release of this version, we recommend users verify the
ongoing support of third-party dependencies they install, as their status may have changed since the release.

#### Deprecations

In 5.3.0, we have simplified the configuration of response transform middleware. We encourage users to embrace the
`global_headers` mechanism as the `response_processors.header_injector` is now an optional setting and will be removed
in a future release.

{/* ###### Future deprecations */}

#### Upgrade instructions

If you are upgrading to 5.3.0, please follow the detailed [upgrade instructions](/nightly/#upgrading-tyk).

**The following steps are essential to follow before upgrading.** Tyk Cloud (including Hybrid Gateways) and Self Managed
users: please refer to the [release notes of Tyk Dashboard 5.3.0](/nightly/developer-support/release-notes/dashboard#5-3-0-release-notes).

For OSS deployments:

1. Back up your environment using the [usual guidance](/nightly/developer-support/upgrading) documented with every release (this includes
   backing up the config file and database).
2. Back up all your API definitions (Tyk OAS API and Classic Definitions) by saving your API and policy files or by
   exporting them using the `GET /tyk/apis` and `GET /tyk/policies` endpoints.
3. Perform the upgrade: follow the instructions in the [upgrade
   guide](/nightly/developer-support/upgrading) when upgrading Tyk.

#### Release Highlights

We’re thrilled to announce the release of 5.3.0, an update packed with exciting features and significant fixes to
elevate your experience with Tyk Gateway. For a comprehensive list of changes, please refer to the detailed
[changelog](/nightly/#Changelog-v5.3.0) below.

##### Tyk OAS Feature Maturity

Tyk OAS is now out of [Early
Access](/nightly/developer-support/release-types/early-access-feature) as we have reached feature maturity.
You are now able to make use of the majority of Tyk Gateway's features from your Tyk OAS APIs, so they are a credible alternative
to the legacy Tyk Classic APIs.

From Tyk 5.3.0 we support the following features when using Tyk OAS APIs with Tyk Gateway:

* Security

  * All Tyk-supported client-gateway authentication methods including custom auth plugins
  * Automatic configuration of authentication from the OpenAPI description
  * Gateway-upstream mTLS
  * CORS

* API-level (global) middleware including:

  * Response caching
  * Custom plugins for PreAuth, Auth, PostAuth, Post and Response hooks
  * API-level rate limits
  * Request transformation - headers
  * Response transformation - headers
  * Service discovery
  * Internal API

* Endpoint-level (per-path) middleware including:

  * Request validation - headers and body (automatically configurable from the OpenAPI description)
  * Request transformation - method, headers and body
  * Response transformation - headers and body
  * URL rewrite and internal endpoints
  * Mock responses (automatically configurable from the OpenAPI description)
  * Response caching
  * Custom Go Post-Plugin
  * Request size limit
  * Virtual endpoint
  * Allow and block listing
  * Do-not-track
  * Circuit breakers
  * Enforced timeouts
  * Ignore authentication

* Observability

  * OpenTelemetry tracing
  * Detailed log recording (include payload in the logs)
  * Do-not-track endpoint

* Governance
  * API Versioning

##### Enhanced KV storage of API Definition Fields

Tyk is able to store configuration data from the API definition in KV systems, such as Vault and Consul, and then
reference these values during configuration of the Tyk Gateway or APIs deployed on the Gateway. Previously this was
limited to the Target URL and Listen Path but from 5.3.0 you are able to store any `string` type field from your API
definition, unlocking the ability to store sensitive information in a centralised location. For full details check out
the [documentation](/nightly/tyk-configuration-reference/kv-store) of this powerful feature.

##### Redis v7.x Compatibility

We have upgraded the Redis driver [go-redis](https://github.com/redis/go-redis) to v9. Consequently, Tyk 5.3 is compatible
with Redis v7.x.

##### Gateway and Component Upgrades

We've raised the bar with significant upgrades to our Gateway and components. Leveraging the power and security of Go 1.21, upgrading [Sarama](https://github.com/Shopify/sarama), a widely used Kafka client in Go, to version 1.41.0 and enhancing the GQL engine with Go version 1.19, we ensure improved
functionality and performance to support your evolving needs seamlessly.

#### Downloads

* [Docker image to pull](https://hub.docker.com/r/tykio/tyk-gateway/tags?page=\&page_size=\&ordering=\&name=v5.3.0)
  * ```bash theme={null}
    docker pull tykio/tyk-gateway:v5.3.0
    ```
* Helm charts
  * [tyk-charts v1.3](/nightly/developer-support/release-notes/helm-chart#1-3-0-release-notes)
* [Source code tarball of Tyk Gateway v5.3.0](https://github.com/TykTechnologies/tyk/releases/tag/v5.3.0)

#### Changelog

<a id="Changelog-v5.3.0" data-scroll-offset />

##### Added

<AccordionGroup>
  <Accordion title="Additional features now supported when working with Tyk OAS APIs">
    The following features have been added in 5.3.0 to bring Tyk OAS to feature maturity:

    * Detailed log recording (include payload in the logs)
    * Enable Open Telemetry tracing
    * Context variables available to middleware chain
    * API-level header transforms (request and response)
    * Endpoint-level cache
    * Circuit breakers
    * Track endpoint logs for inclusion in Dashboard aggregated data
    * Do-not-track endpoint
    * Enforced upstream timeouts
    * Configure endpoint as Internal, not available externally
    * URL rewrite
    * Per-endpoint request size limit
    * Request transformation - method, header
    * Response transformation - header
    * Custom domain certificates
  </Accordion>

  <Accordion title="Enhanced KV storage for API Definition fields">
    We have implemented support for all `string` type fields in the Tyk OAS and Tyk Classic API Definitions to be stored in
    separate KV storage, including Hashicorp Consul and Vault.
  </Accordion>

  <Accordion title="Support for Redis v7.0.x">
    Tyk 5.3 refactors Redis connection logic by using
    [storage v1.2.2](https://github.com/TykTechnologies/storage/releases/tag/v1.2.2), which integrates with
    [go-redis](https://github.com/redis/go-redis) v9. As a result, Tyk 5.3 supports Redis v7.0.x.
  </Accordion>

  <Accordion title="Clearer error messages from GQL engine for invalid variables (JSON Schema)">
    Some of the error messages generated by the GQL engine were unclear for users, especially relating to variable
    validation. The errors have been changed and are now much clearer and more helpful in cases where engine processing
    fails.
  </Accordion>

  <Accordion title="Upgraded GQL Engine's Go version to 1.19">
    Upgraded Go version for GraphQL engine to [1.19](https://go.dev/doc/go1.19).
  </Accordion>

  <Accordion title="Enhanced semantic conventions for GraphQL spans in Gateway">
    We've added OpenTelemetry semantic conventions for GraphQL spans. Spans will now incorporate `<operation.type>`,
    `<operation.name>` and `<document>` tags.
  </Accordion>

  <Accordion title="Added support for detailed_tracing to be configured via GQL API definitions">
    GraphQL APIs can now use the `detailed_tracing` setting in an API definition. With that property set to `true` any call
    to a GraphQL API will create a span for each middleware involved in request processing. While it is set to `false`, only
    two spans encapsulating the entire request lifecycle will be generated. This setting helps to reduce the size of traces,
    which can get large for GraphQL APIs. Furthermore, this gives users an option to customize the level of tracing detail
    to suit their monitoring needs.
  </Accordion>

  <Accordion title="Enhanced OpenTelemetry trace generation for UDG with mixed data sources">
    This release introduces an enhanced trace generation system for Universal Data Graph (UDG). It consolidates all spans
    from both Tyk-managed and external data source executions into a single trace when used together. Furthermore, when UDG
    solely utilizes Tyk-managed data sources, trace management is simplified and operational visibility is improved.
  </Accordion>

  <Accordion title="Disabled normalize and validate in GraphQL Engine">
    Normalization and validation of GraphQL requests have been disabled in the GraphQL engine. Both actions were
    already performed in the Tyk Gateway, so repeating them in the engine was unnecessary. This enhances performance slightly and
    makes detailed OTel traces concise and easier to read.
  </Accordion>

  <Accordion title="Enhanced OAS-to-UDG converter handling of arrays of objects in OpenAPI Documents">
    The Tyk Dashboard API endpoint */api/data-graphs/data-sources/import* now handles OpenAPI schemas with arrays of
    objects. This addition means users can now import more complex OpenAPI documents and transform them into UDG
    configurations.
  </Accordion>

  <Accordion title="OAS-to-UDG converter support for allOf/anyOf/oneOf keywords">
    The OAS-to-UDG converter now seamlessly handles OpenAPI descriptions that utilize the *allOf*, *anyOf* and *oneOf*
    keywords, ensuring accurate and comprehensive conversion to a Tyk API definition. The feature expands the scope of
    OpenAPI documents that the converter can handle and allows our users to import REST API data sources defined in OAS in
    more complex cases.
  </Accordion>

  <Accordion title="Improved UDG's handling of unnamed object definitions in OpenAPI descriptions">
    The OAS-to-UDG converter can now create GraphQL types even if an object's definition doesn’t have an explicit name.
  </Accordion>

  <Accordion title="Refined handling of arrays of objects in endpoint responses by OAS-to-UDG Converter">
    The OAS-to-UDG converter was unable to handle a document properly if an object within the OpenAPI description had no
    properties defined. This limitation resulted in unexpected behavior and errors during the conversion process. The tool
    will now handle such cases seamlessly, ensuring a smoother and more predictable conversion process.
  </Accordion>

  <Accordion title="OAS-to-UDG converter support for enumerated types in OpenAPI descriptions">
    Previously, the OAS-to-UDG converter had limitations in handling enums from OpenAPI descriptions, leading to discrepancies
    and incomplete conversions. With the inclusion of enum support, the OAS converter now seamlessly processes enums defined
    in your OpenAPI descriptions, ensuring accurate and complete conversion to GraphQL schemas.
  </Accordion>

  <Accordion title="Expanded handling of HTTP Status Code ranges by OAS-to-GQL converter">
    The OAS-to-UDG converter can now handle HTTP status code ranges that are defined by the OpenAPI Specification. This means
    that code ranges defined as 1XX, 2XX, etc. will be correctly converted by the tool.
  </Accordion>

  <Accordion title="Added support for custom rate limit keys">
    We have added the capability for users to define a [custom rate limit
    key](/nightly/tyk-stack/tyk-developer-portal/enterprise-developer-portal/api-access/configuring-custom-rate-limit-keys)
    within session metadata. This increases flexibility with rate limiting, as the rate limit can be assigned to different entities
    identifiable from the session metadata (such as a client app or organization) and is particularly useful for users of Tyk's
    Enterprise Developer Portal.
  </Accordion>
</AccordionGroup>

##### Changed

<AccordionGroup>
  <Accordion title="Prefetch session expiry information from MDCB to reduce API call duration in case Gateway is temporarily disconnected from MDCB">
    Previously, when operating in a worker configuration (in the data plane), the Tyk Gateway fetched session expiry
    information from the control plane the first time an API was accessed for a given organization. This approach led to a
    significant issue: if the MDCB connection was lost, the next attempt to consume the API would incur a long response
    time. This delay, typically around 30 seconds, was caused by the Gateway waiting for the session-fetching operation to
    time out, as it tried to communicate with the now-inaccessible control plane.

    <br />Now, the worker gateway fetches the session expiry information up front, while there is an active connection to
    MDCB. This ensures that this data is already available locally in the event of an MDCB disconnection.

    <br />This change significantly improves the API response time under MDCB disconnection scenarios by removing the need for
    the Gateway to wait for a timeout when attempting to fetch session information from the control plane, avoiding the
    previous 30-second delay. This optimization enhances the resilience and efficiency of Tyk Gateway in distributed
    environments.
  </Accordion>

  <Accordion title="Changes to the Tyk OAS API Definition">
    We have made some changes to the Tyk OAS API Definition to provide a stable contract that will now be under
    breaking-change control for future patches and releases as Tyk OAS moves out of Early Access. Changes include the
    removal of the unnecessary `slug` field and simplification of the custom plugin contract.
  </Accordion>

  <Accordion title="Optimized Gateway memory usage and reduced network request payload with Redis Rate Limiter">
    We have optimized the allocation behavior of our sliding window log rate limiter implementation ([Redis
    Rate Limiter](/nightly/api-management/rate-limit#redis-rate-limiter)). Previously the complete
    request log would be retrieved from Redis. With this enhancement only the count of the requests in the window is
    retrieved, optimizing the interaction with Redis and decreasing the Gateway memory usage.
  </Accordion>
</AccordionGroup>

##### Fixed

<AccordionGroup>
  <Accordion title="Improved OAuth token management in Redis">
    In this release, we fixed automated token trimming in Redis, ensuring efficient management of OAuth tokens by
    implementing a new hourly job within the Gateway and providing a manual trigger endpoint.
  </Accordion>

  <Accordion title="Tyk Gateway now validates RFC3339 Date-Time Formats">
    We fixed a bug in the Tyk OAS Validate Request middleware where we were not correctly validating date-time format
    schema, which could lead to invalid date-time values reaching the upstream services.
  </Accordion>

  <Accordion title="Inaccurate Distributed Rate Limiting (DRL) behavior on Gateway startup">
    Fixed an issue when using the Distributed Rate Limiter (DRL) where the Gateway did not apply any rate limit until a DRL
    notification was received. Now the rate of requests will be limited at 100% of the configured rate limit until the DRL
    notification is received, after which the limit will be reduced to an even share of the total (i.e. 100% divided by the
    number of Gateways) per the rate limit algorithm design.
  </Accordion>

  <Accordion title="Duplicate fields added by OAS-to-UDG converter">
    Fixed an issue where the OAS-to-UDG converter was sometimes adding the same field to an object type many times. This
    caused issues with the resulting GQL schema and made it non-compliant with the GQL specification.
  </Accordion>

  <Accordion title="Gateway issue processing queries with GQL Engine">
    Fixed an issue where the Gateway attempted to execute a query with GQL engine version 1 (which lacks OTel support),
    while simultaneously trying to validate the same query with the OpenTelemetry (OTel) supported engine. This caused the API
    to fail with the error message "Error socket hang up". Now, with OTel enabled, the Gateway forces the GQL engine
    to default to version 2, so this problem no longer occurs.
  </Accordion>

  <Accordion title="Handling arrays of objects in endpoint responses by OAS-to-UDG converter">
    The OAS-to-UDG converter now effectively handles arrays of objects within POST paths. Previously, there were instances
    where the converter failed to accurately interpret and represent these structures in the generated UDG configuration.
  </Accordion>

  <Accordion title="GQL Playground issues related to encoding of request response">
    An issue was identified where the encoding from the GQL upstream cache was causing readability problems in the response body. Specifically, the upstream GQL cache was utilizing [brotli compression](https://www.ietf.org/rfc/rfc7932.txt) and not respecting the Accept-Encoding header. Consequently, larger response bodies became increasingly unreadable for the GQL engine due to compression, leading to usability issues for users accessing affected content. The issue has now been fixed by adding the brotli encoder to the GQL engine.
  </Accordion>

  <Accordion title="OAS-to-UDG converter issue with &#x22;JSON&#x22; return type">
    The OAS-to-UDG converter was unable to correctly process Tyk OAS API definitions where "JSON" was used as one of the enum
    values. This issue is now fixed: whenever "JSON" is used as an enum value in the OpenAPI description, it is
    correctly transformed into a custom scalar in the GQL schema.
  </Accordion>

  <Accordion title="Gateway Panic during API Edit with Virtual Endpoint">
    Fixed an issue where the Gateway could panic while updating a Tyk OAS API with the Virtual Endpoint middleware
    configured.
  </Accordion>

  <Accordion title="Gateway panics during API Reload with JavaScript middleware bundle">
    Fixed an issue where reloading a bundle containing JS plugins could cause the Gateway to panic.
  </Accordion>

  <Accordion title="GraphQL introspection issue when Allow/Block List enabled">
    Fixed an issue where the *Disable introspection* setting was not working correctly in cases where field-based
    permissions were set (allow or block list). It was not possible to introspect the GQL schema while introspection was
    technically allowed but field-based permissions were enabled. Now, Allow/Block list settings are ignored only for
    introspection queries and introspection is controlled solely by the *Disable introspection* setting.
  </Accordion>

  <Accordion title="Handling of objects without properties in OAS-to-UDG converter">
    The OAS-to-UDG converter was unable to handle a document properly if an object within the OpenAPI description had no
    properties defined. This limitation resulted in unexpected behavior and errors during the conversion process. The tool
    will now handle such cases seamlessly, ensuring a smoother and more predictable conversion process.
  </Accordion>

  <Accordion title="Fixed memory leak issue in Tyk Gateway v5.2.4">
    Addressed a memory leak issue in Tyk Gateway linked to a logger mutex change introduced in v5.2.4. Reverting these
    changes has improved connection management and enhanced system performance.
  </Accordion>

  <Accordion title="Fixed unintended external access to internal endpoints">
    Resolved an issue where, in certain conditions, external clients could access internal endpoints. This was caused by an incorrect combination of middleware, which could lead to internal endpoints proxying traffic from external sources. This has now been addressed, so that an endpoint with the internal middleware configured will not be reachable from external requests.
  </Accordion>
</AccordionGroup>

##### Security Fixes

<Expandable title="High priority CVEs fixed">
  Fixed the following high priority CVEs identified in the Tyk Gateway, providing increased protection against security
  vulnerabilities:

  * [CVE-2023-39325](https://nvd.nist.gov/vuln/detail/CVE-2023-39325)
  * [CVE-2023-45283](https://nvd.nist.gov/vuln/detail/CVE-2023-45283)
</Expandable>


## 5.2 Release Notes

### 5.2.5 Release Notes

#### Release Date 19 Dec 2023

#### Breaking Changes

**Attention**: Please read this section carefully. We have two topics to report:

#### Early Access Features:

Please note that the `Tyk OAS APIs` feature, currently marked as *Early Access*, is subject to breaking changes in subsequent releases. Please refer to our [Early Access guide](/nightly/developer-support/release-types/early-access-feature) for specific details. Upgrading to a new version may introduce changes that are not backwards-compatible. Downgrading or reverting an upgrade may not be possible resulting in a broken installation.

Users are strongly advised to follow the recommended upgrade instructions provided by Tyk before applying any updates.

#### Deprecations

There are no deprecations in this release.

#### Upgrade Instructions

If you are using a 5.2.x version, we advise you to upgrade ASAP to this latest release. If you are on an older version, you should skip 5.2.0 and upgrade directly to this release. Go to the [Upgrading Tyk](/nightly/#upgrading-tyk) section for detailed upgrade instructions.

#### Release Highlights

This release implements a bug fix.
For a comprehensive list of changes, please refer to the detailed [changelog](/nightly/#Changelog-v5.2.5) below.

#### Downloads

* [Docker image to pull](https://hub.docker.com/layers/tykio/tyk-gateway/v5.2.5/images/sha256-c09cb03dd491e18bb84a0d9d4e71177eb1396cd5debef694f1c86962dbee10c6?context=explore)
* [source code](https://github.com/TykTechnologies/tyk/releases/tag/v5.2.5)

#### Changelog

<a id="Changelog-v5.2.5" data-scroll-offset />

##### Fixed

<Expandable title="Long custom keys not maintained in distributed Data Planes">
  Fixed an issue where custom keys over 24 characters in length were deleted from Redis in the Data Plane when a key update action was signalled in distributed (MDCB) setups.
</Expandable>

***

### 5.2.4 Release Notes

#### Release Date 7 Dec 2023

#### Breaking Changes

**Attention**: Please read this section carefully. We have two topics to report:

#### Early Access Features:

Please note that the `Tyk OAS APIs` feature, currently marked as *Early Access*, is subject to breaking changes in subsequent releases. Please refer to our [Early Access guide](/nightly/developer-support/release-types/early-access-feature) for specific details. Upgrading to a new version may introduce changes that are not backwards-compatible. Downgrading or reverting an upgrade may not be possible resulting in a broken installation.

Users are strongly advised to follow the recommended upgrade instructions provided by Tyk before applying any updates.

#### Deprecations

There are no deprecations in this release.

#### Upgrade Instructions

If you are using a 5.2.x version, we advise you to upgrade ASAP to this latest release. If you are on an older version, you should skip 5.2.0 and upgrade directly to this release. Go to the [Upgrading Tyk](/nightly/#upgrading-tyk) section for detailed upgrade instructions.

#### Release Highlights

This release enhances security, stability, and performance.
For a comprehensive list of changes, please refer to the detailed [changelog](/nightly/#Changelog-v5.2.4) below.

#### Downloads

* [Docker image to pull](https://hub.docker.com/layers/tykio/tyk-gateway/v5.2.4/images/sha256-c0d9e91e4397bd09c85adf4df6bc401b530ed90c8774714bdafc55db395c9aa5?context=explore)
* [source code](https://github.com/TykTechnologies/tyk/releases/tag/v5.2.4)

#### Changelog

<a id="Changelog-v5.2.4" data-scroll-offset />

##### Fixed

<AccordionGroup>
  <Accordion title="Output from Tyk OAS request validation schema failure is too verbose">
    Fixed an issue where the Validate Request middleware provided too much information when reporting a schema validation failure in a request to a Tyk OAS API.
  </Accordion>

  <Accordion title="Gateway incorrectly applying policy Path-Based Permissions in certain circumstances">
    Fixed a bug where the gateway didn't correctly apply Path-Based Permissions from different policies when using the same `sub` claim but different scopes in each policy. Now the session will be correctly configured for the claims provided in the policy used for each API request.
  </Accordion>

  <Accordion title="Plugin compiler not correctly supporting build_id to differentiate between different builds of the same plugin">
    Fixed a bug when using the `build_id` argument with the Tyk Plugin Compiler that prevented users from hot-reloading different versions of the same plugin compiled with different `build_id`s. The bug was introduced with the plugin module build change implemented in the upgrade to Go version 1.19 in Tyk 5.1.0.
  </Accordion>

  <Accordion title="URL Rewrite fails to handle escaped character in query parameter">
    Fixed a bug that was introduced in the fix applied to the URL Rewrite middleware in Tyk 5.0.5/5.1.2. The previous fix did not correctly handle escaped characters in the query parameters. Now you can safely include escaped characters in your query parameters and Tyk will not modify them in the URL Rewrite middleware.
  </Accordion>
</AccordionGroup>

***

### 5.2.3 Release Notes

#### Release Date 21 Nov 2023

#### Breaking Changes

**Attention**: Please read this section carefully. We have two topics to report:

#### Early Access Features:

Please note that the `Tyk OAS APIs` feature, currently marked as *Early Access*, is subject to breaking changes in subsequent releases. Please refer to our [Early Access guide](/nightly/developer-support/release-types/early-access-feature) for specific details. Upgrading to a new version may introduce changes that are not backwards-compatible. Downgrading or reverting an upgrade may not be possible resulting in a broken installation.

Users are strongly advised to follow the recommended upgrade instructions provided by Tyk before applying any updates.

#### Deprecations

There are no deprecations in this release.

#### Upgrade Instructions

If you are using a 5.2.x version, we advise you to upgrade ASAP to this latest release. If you are on an older version, you should skip 5.2.0 and upgrade directly to this release. Go to the [Upgrading Tyk](/nightly/#upgrading-tyk) section for detailed upgrade instructions.

#### Release Highlights

This release enhances security, stability, and performance.
For a comprehensive list of changes, please refer to the detailed [changelog](/nightly/#Changelog-v5.2.3) below.

#### Downloads

* [Docker image to pull](https://hub.docker.com/layers/tykio/tyk-gateway/v5.2.3/images/sha256-8a94658c8c52ddfe30f78c5438dd4308c4d019655d8af7773a33fdffda097992?context=explore)
* [source code](https://github.com/TykTechnologies/tyk/releases/tag/v5.2.3)

#### Changelog

<a id="Changelog-v5.2.3" data-scroll-offset />

##### Fixed

<AccordionGroup>
  <Accordion title="Python version not always correctly autodetected">
    Fixed an issue where Tyk was not auto-detecting the installed Python version if it had multiple digits in the minor version (e.g. Python 3.11). The regular expression was updated to correctly identify Python versions 3.x and 3.xx, improving compatibility and functionality.
  </Accordion>

  <Accordion title="Gateway blocked trying to retrieve keys via MDCB when using JWT auth">
    Improved the behavior when using JWTs and the MDCB (Multi Data Center Bridge) link is down; the Gateway will no longer be blocked attempting to fetch OAuth client info. We’ve also enhanced the error messages to specify which type of resource (API key, certificate, OAuth client) the data plane Gateway failed to retrieve due to a lost connection with the control plane.
  </Accordion>

  <Accordion title="Custom Authentication Plugin not working correctly with policies">
    Fixed an issue where the session object generated when creating a Custom Key in a Go Plugin did not inherit parameters correctly from the Security Policy.
  </Accordion>

  <Accordion title="Attaching a public key to an API definition for mTLS brings down the Gateway">
    Fixed an issue where uploading a public key instead of a certificate into the certificate store, and using that key for mTLS, caused all the Gateways that the APIs are published on to cease negotiating TLS. This fix improves the stability of the gateways and the successful negotiation of TLS.
  </Accordion>
</AccordionGroup>
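
The Python version auto-detection fix above comes down to how many digits the minor-version pattern captures. The following added Go example (not code from the Tyk source) compares a single-digit pattern with a multi-digit one; the two patterns, the function name and the constructed library names are assumptions chosen for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
)

// Illustrative patterns (assumptions, not the expressions in the Tyk source).
var (
	// Captures exactly one digit, so "3.11" is read as minor version 1.
	singleDigitMinor = regexp.MustCompile(`python3\.(\d)`)
	// Captures one or more digits, so both 3.x and 3.xx are read in full.
	multiDigitMinor = regexp.MustCompile(`python3\.(\d+)`)
)

// Constructed sample of shared-library names a detector might scan.
var constructedCandidates = []string{
	"libpython3.8.so",
	"libpython3.9.so",
	"libpython3.11.so",
}

// latestMinor returns the highest Python 3 minor version found in names using
// the given pattern. Versions are compared as integers, not strings, because
// "11" sorts before "9" lexically. ok is false when nothing matches.
func latestMinor(re *regexp.Regexp, names []string) (minor int, ok bool) {
	for _, name := range names {
		m := re.FindStringSubmatch(name)
		if m == nil {
			continue
		}
		v, err := strconv.Atoi(m[1])
		if err != nil {
			continue
		}
		if !ok || v > minor {
			minor, ok = v, true
		}
	}
	return minor, ok
}

func main() {
	before, _ := latestMinor(singleDigitMinor, constructedCandidates)
	after, _ := latestMinor(multiDigitMinor, constructedCandidates)
	fmt.Printf("single-digit pattern selects 3.%d\n", before)
	fmt.Printf("multi-digit pattern selects 3.%d\n", after)
}
```

With the single-digit pattern, `libpython3.11.so` is misread as 3.1 and the installed 3.11 is never selected.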

##### Added

<AccordionGroup>
  <Accordion title="Implemented a `tyk version` command that provides more details about the Tyk Gateway build">
    This prints the release version, git commit, Go version used, architecture and other build details.
  </Accordion>

  <Accordion title="Added option to fallback to default API version">
    Added a new option for Tyk to use the default version of an API if the requested version does not exist. This is referred to as falling back to default and is enabled using a [configuration](/nightly/api-management/gateway-config-tyk-oas#versioning) flag in the API definition; for Tyk OAS APIs the flag is `fallbackToDefault`, for Tyk Classic APIs it is `fallback_to_default`.
  </Accordion>

  <Accordion title="Implemented a backoff limit for GraphQL subscription connection retry">
    Added a backoff limit for GraphQL subscription connection retry to prevent excessive error messages when the upstream stops working. The connection retries and linked error messages now occur in progressively longer intervals, improving error handling and user experience.
  </Accordion>
</AccordionGroup>

##### Community Contributions

Special thanks to the following member of the Tyk community for their contribution to this release:

<Expandable title="Runtime log error incorrectly produced when using Go Plugin Virtual Endpoints">
  Fixed a minor issue with Go Plugin virtual endpoints where a runtime log error was produced from a request, even if the response was successful. Thanks to [uddmorningsun](https://github.com/uddmorningsun) for highlighting the [issue](https://github.com/TykTechnologies/tyk/issues/4197) and proposing a fix.
</Expandable>

***

### 5.2.2 Release Notes

#### Release Date 31 Oct 2023

#### Breaking Changes

**Attention**: Please read this section carefully. We have two topics to report:

#### Early Access Features:

Please note that the `Tyk OAS APIs` feature, currently marked as *Early Access*, is subject to breaking changes in subsequent releases. Please refer to our [Early Access guide](/nightly/developer-support/release-types/early-access-feature) for specific details. Upgrading to a new version may introduce changes that are not backwards-compatible. Downgrading or reverting an upgrade may not be possible resulting in a broken installation.

Users are strongly advised to follow the recommended upgrade instructions provided by Tyk before applying any updates.

#### Deprecations

There are no deprecations in this release.

#### Upgrade Instructions

If you are using a 5.2.x version, we advise you to upgrade ASAP to this latest release. If you are on an older version, you should skip 5.2.0 and upgrade directly to this release. Go to the [Upgrading Tyk](/nightly/#upgrading-tyk) section for detailed upgrade instructions.

#### Release Highlights

This release primarily focuses on bug fixes.
For a comprehensive list of changes, please refer to the detailed [changelog](/nightly/#Changelog-v5.2.2) below.

#### Downloads

* [Docker image to pull](https://hub.docker.com/layers/tykio/tyk-gateway/v5.2.2/images/sha256-84d9e083872c78d854d3b469734ce40b7e77b9963297fe7945e214a0e6ccc614?context=explore)
* [source code](https://github.com/TykTechnologies/tyk/releases/tag/v5.2.2)

#### Changelog

<a id="Changelog-v5.2.2" data-scroll-offset />

##### Security

The following CVEs have been resolved in this release:

* [CVE-2022-40897](https://nvd.nist.gov/vuln/detail/CVE-2022-40897)
* [CVE-2022-1941](https://nvd.nist.gov/vuln/detail/CVE-2022-1941)
* [CVE-2021-23409](https://nvd.nist.gov/vuln/detail/CVE-2021-23409)
* [CVE-2021-23351](https://nvd.nist.gov/vuln/detail/CVE-2021-23351)
* [CVE-2019-19794](https://nvd.nist.gov/vuln/detail/CVE-2019-19794)
* [CVE-2018-5709](https://nvd.nist.gov/vuln/detail/CVE-2018-5709)
* [CVE-2010-0928](https://nvd.nist.gov/vuln/detail/CVE-2010-0928)
* [CVE-2007-6755](https://nvd.nist.gov/vuln/detail/CVE-2007-6755)

##### Fixed

<AccordionGroup>
  <Accordion title="Enforced timeouts were incorrect on a per-request basis">
    Fixed an issue where [enforced timeout](/nightly/planning-for-production/ensure-high-availability/enforced-timeouts) values were incorrect on a per-request basis. Since we enforced timeouts only at the transport level and created the transport only once within the value set by [max\_conn\_time](/nightly/tyk-oss-gateway/configuration#max_conn_time), the timeout in effect was not deterministic. Timeouts larger than 0 seconds are now enforced for each request.
  </Accordion>

  <Accordion title="Incorrect access privileges were granted in security policies">
    Fixed an issue when using MongoDB and [Policies](/nightly/api-management/policies) where Tyk could incorrectly grant access to an API after that API had been deleted from the associated Policy. This was due to the Policy cleaning operation that is triggered when an API is deleted from a Policy in a MongoDB installation. With this fix, the Policy cleaning operation will not remove the final (deleted) API from the Policy; Tyk recognizes that the API record is invalid and denies granting access rights to the key.
  </Accordion>

  <Accordion title="Logstash formatter timestamp was not in RFC3339 Nano format">
    The [Logstash](/nightly/api-management/logs#logstash) formatter timestamp is now in [RFC3339Nano](https://www.rfc-editor.org/rfc/rfc3339) format.
  </Accordion>

  <Accordion title="In high load scenarios the DRL Manager was not protected against concurrent read and write operations">
    Fixed a potential race condition where the *DRL Manager* was not properly protected against concurrent read/write operations in some high-load scenarios.
  </Accordion>

  <Accordion title="Performance issue encountered when Tyk Gateway retrieves a key via MDCB for a JWT API">
    Fixed a performance issue encountered when Tyk Gateway retrieves a key via MDCB for a JWT API. The token is now validated against [JWKS or the public key](/nightly/basic-config-and-security/security/authentication-authorization/json-web-tokens) in the API Definition.
  </Accordion>

  <Accordion title="JWT middleware introduced latency which reduced overall request/response throughput">
    Fixed a performance issue where JWT middleware introduced latency which significantly reduced the overall request/response throughput.
  </Accordion>

  <Accordion title="UDG examples were not displayed when Open Policy Agent (OPA) was enabled">
    Fixed an issue that prevented *UDG* examples from being displayed in the dashboard when the *Open Policy Agent (OPA)* is enabled.
  </Accordion>

  <Accordion title="Sensitive information logged when incorrect signature provided for APIs protected by HMAC authentication">
    Fixed an issue where the Tyk Gateway logs would include sensitive information when the incorrect signature is provided in a request to an API protected by HMAC authentication.
  </Accordion>
</AccordionGroup>

##### Community Contributions

Special thanks to the following members of the Tyk community for their contributions to this release:

<Expandable title="ULID Normalization implemented">
  * Implemented *ULID Normalization*, replacing valid ULID identifiers in the URL with a `{ulid}` placeholder for analytics. This matches the existing UUID normalization. Thanks to [Mohammad Abdolirad](https://github.com/atkrad) for the contribution.
</Expandable>

<Expandable title="Duplicate error message incorrectly reported when a custom Go plugin returned an error">
  Fixed an issue where a duplicate error message was reported when a custom Go plugin returned an error. Thanks to [@PatrickTaibel](https://github.com/PatrickTaibel) for highlighting the issue and suggesting a fix.
</Expandable>

***

### 5.2.1 Release Notes

#### Release Date 10 Oct 2023

#### Breaking Changes

**Attention**: Please read this section carefully. We have two topics to report:

#### Early Access Features:

Please note that the `Tyk OAS APIs` feature, currently marked as *Early Access*, is subject to breaking changes in subsequent releases. Please refer to our [Early Access guide](/nightly/developer-support/release-types/early-access-feature) for specific details. Upgrading to a new version may introduce changes that are not backwards-compatible. Downgrading or reverting an upgrade may not be possible, resulting in a broken installation.

Users are strongly advised to follow the recommended upgrade instructions provided by Tyk before applying any updates.

#### Deprecations

There are no deprecations in this release.

#### Upgrade Instructions

If you are on 5.2.0, we advise you to upgrade ASAP. If you are on an older version, skip 5.2.0 and upgrade directly to this release. Go to the [Upgrading Tyk](/nightly/#upgrading-tyk) section for detailed upgrade instructions.

#### Release Highlights

This release primarily focuses on bug fixes.
For a comprehensive list of changes, please refer to the detailed [changelog](/nightly/#Changelog-v5.2.0) below.

#### Downloads

* [Docker image to pull](https://hub.docker.com/layers/tykio/tyk-gateway/v5.2.1/images/sha256-47cfffda64ba492f79e8cad013a476f198011f5a97cef32464f1f47e1a9be9a2?context=explore)
* [source code](https://github.com/TykTechnologies/tyk/releases/tag/v5.1.2)

#### Changelog

##### Changed

<AccordionGroup>
  <Accordion title="Log messaging quality enhanced">
    Enhanced log message quality by eliminating unnecessary messages.
  </Accordion>

  <Accordion title="Configurable retry for resource loading introduced">
    Fixed a bug that occurs during Gateway reload where the Gateway would continue to load new API definitions even if policies failed to load. This led to a risk that an API could be invoked without the associated policies (for example, describing access control or rate limits) having been loaded. Now Tyk offers a configurable retry for resource loading, ensuring that a specified number of attempts will be made to load resources (APIs and policies). If a resource fails to load, an error will be logged and the Gateway reverts to its last working configuration.

    We have introduced two new variables to configure this behavior:

    * `resource_sync.retry_attempts` - defines the number of [retries](/nightly/tyk-oss-gateway/configuration#resource_sync-retry_attempts) that the Gateway should perform during a resource sync (APIs or policies), defaulting to zero which means no retries are attempted
    * `resource_sync.interval` - setting the [fixed interval](/nightly/tyk-oss-gateway/configuration#resource_sync-interval) between retry attempts (in seconds)
  </Accordion>

  <Accordion title="Added http.response.body.size and http.request.body.size for OpenTelemetry users">
    For OpenTelemetry users, we've included much-needed attributes, `http.response.body.size` and `http.request.body.size`, in both Tyk HTTP spans and upstream HTTP spans. This addition enables users to gain better insight into incoming/outgoing request/response sizes within their traces.
  </Accordion>
</AccordionGroup>
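
The retry-then-revert behavior described for `resource_sync.retry_attempts` and `resource_sync.interval` can be modelled as follows. This is an added illustration, not Tyk Gateway source code: the `Reload`, `Loader` and `flaky` names, the policies-before-APIs order and the sample resource names are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
)

// ResourceSync mirrors the two settings named in the release note.
type ResourceSync struct {
	RetryAttempts   int // resource_sync.retry_attempts; 0 means no retries
	IntervalSeconds int // resource_sync.interval; fixed wait between attempts
}

// Config is the pair of resources that must always be swapped together.
type Config struct {
	Policies []string
	APIs     []string
}

// Loader fetches one resource type (hypothetical stand-in for the real source).
type Loader func() ([]string, error)

// loadWithRetry makes one attempt plus up to RetryAttempts retries,
// waiting the fixed interval before each retry.
func loadWithRetry(name string, load Loader, rs ResourceSync, sleep func(int)) ([]string, error) {
	var lastErr error
	for attempt := 0; attempt <= rs.RetryAttempts; attempt++ {
		if attempt > 0 {
			sleep(rs.IntervalSeconds)
		}
		items, err := load()
		if err == nil {
			return items, nil
		}
		lastErr = err
	}
	return nil, fmt.Errorf("%s failed after %d attempt(s): %w", name, rs.RetryAttempts+1, lastErr)
}

// Reload returns the new configuration only if both policies and APIs loaded.
// On any failure it returns the last working configuration unchanged, so new
// API definitions are never served without the policies that protect them.
func Reload(last Config, loadPolicies, loadAPIs Loader, rs ResourceSync, sleep func(int)) (Config, error) {
	policies, err := loadWithRetry("policies", loadPolicies, rs, sleep)
	if err != nil {
		return last, err // APIs are not even fetched
	}
	apis, err := loadWithRetry("apis", loadAPIs, rs, sleep)
	if err != nil {
		return last, err
	}
	return Config{Policies: policies, APIs: apis}, nil
}

// flaky builds a constructed Loader that fails `failures` times, then
// succeeds. The returned pointer exposes how often it was called.
func flaky(failures int, items ...string) (Loader, *int) {
	calls := 0
	return func() ([]string, error) {
		calls++
		if calls <= failures {
			return nil, errors.New("backend unavailable")
		}
		return items, nil
	}, &calls
}

// noSleep keeps the demo instantaneous; a real caller would wait here.
func noSleep(int) {}

func main() {
	// Constructed sample data: the last working configuration.
	last := Config{Policies: []string{"rate-limit-v1"}, APIs: []string{"orders-v1"}}
	for _, attempts := range []int{0, 2} {
		loadPolicies, _ := flaky(2, "rate-limit-v2") // policy source fails twice
		loadAPIs, apiCalls := flaky(0, "orders-v2")
		rs := ResourceSync{RetryAttempts: attempts, IntervalSeconds: 1}
		cfg, err := Reload(last, loadPolicies, loadAPIs, rs, noSleep)
		fmt.Printf("retry_attempts=%d -> %+v (api loads: %d, err: %v)\n",
			attempts, cfg, *apiCalls, err)
	}
}
```

With the default of zero retries the model keeps the previous policies and APIs; with two retries the transient failure is absorbed and both are replaced together.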

##### Fixed

<AccordionGroup>
  <Accordion title="Memory leak was encountered if OpenTelemetry enabled">
    Fixed a memory leak issue in Gateway 5.2.0 if [OpenTelemetry](https://opentelemetry.io/) (abbreviated "OTel") is [enabled](/nightly/api-management/traces). It was caused by multiple `otelhttp` handlers being created. We have updated the code to use a single instance of `otelhttp` handler in 5.2.1 to improve performance under high traffic load.
  </Accordion>

  <Accordion title="Memory leak encountered when enabling the strict routes option">
    Fixed a memory leak that occurred when enabling the [strict routes option](/nightly/tyk-oss-gateway/configuration#http_server_options-enable_strict_routes) to change the routing to avoid nearest-neighbor requests on overlapping routes (`TYK_GW_HTTPSERVEROPTIONS_ENABLESTRICTROUTES`)
  </Accordion>

  <Accordion title="High rates of Tyk Gateway reloads were encountered">
    Fixed a potential performance issue related to high rates of *Tyk Gateway* reloads (when the Gateway is updated due to a change in APIs and/or policies). The gateway uses a timer that ensures there's at least one second between reloads, however in some scenarios this could lead to poor performance (for example overloading Redis). We have introduced a new [configuration option](/nightly/tyk-oss-gateway/configuration#reload_interval), `reload_interval` (`TYK_GW_RELOADINTERVAL`), that can be used to adjust the duration between reloads and hence optimize the performance of your Tyk deployment.
  </Accordion>

  <Accordion title="Idle upstream connections were incorrectly closed">
    Fixed a bug where the Gateway did not correctly close idle upstream connections (sockets) when configured to generate a new connection after a configurable period of time (using the [max\_conn\_time](/nightly/tyk-oss-gateway/configuration#max_conn_time) configuration option). This could lead to the Gateway eventually running out of sockets under heavy load, impacting performance.
  </Accordion>

  <Accordion title="Extra chunked transfer encoding was unnecessarily added to rawResponse analytics">
    Removed the extra chunked transfer encoding that was added unnecessarily to `rawResponse` analytics
  </Accordion>

  <Accordion title="Response body transformation not executed when Persist GraphQL middleware used">
    Resolved a bug with HTTP GraphQL APIs where, when the [Persist GraphQL middleware](/nightly/api-management/graphql#persisting-graphql-queries) was used in combination with [Response Body Transform](/nightly/api-management/traffic-transformation/response-body), the response's body transformation was not being executed.

    <img src="https://mintcdn.com/tyk/DsQbeJAEGJcPZUbZ/img/bugs/bug-persistent-gql.png?fit=max&auto=format&n=DsQbeJAEGJcPZUbZ&q=85&s=6ba9a25a5b9cb3ca7d3b0a5d28b9c91a" alt="Bug in persistent gql and response body transform" width="400" data-path="img/bugs/bug-persistent-gql.png" />
  </Accordion>

  <Accordion title="Unable to modify a key that provides access to an inactive or draft API">
    Fixed a bug where, if you created a key which provided access to an inactive or draft API, you would be unable to subsequently modify that key (via the Tyk Dashboard UI, Tyk Dashboard API or Tyk Gateway API)
  </Accordion>
</AccordionGroup>

##### Dependencies

* Updated TykTechnologies/gorm to v1.21 in Tyk Gateway

***

### 5.2.0 Release Notes

#### Release Date 29 Sep 2023

#### Breaking Changes

**Attention**: Please read this section carefully. We have two topics to report:

#### Early Access Features:

Please note that the `Tyk OAS APIs` feature, currently marked as *Early Access*, is subject to breaking changes in subsequent releases. Please refer to our [Early Access guide](/nightly/developer-support/release-types/early-access-feature) for specific details. Upgrading to a new version may introduce changes that are not backwards-compatible. Downgrading or reverting an upgrade may not be possible, resulting in a broken installation.

Users are strongly advised to follow the recommended upgrade instructions provided by Tyk before applying any updates.

#### Deprecations

There are no deprecations in this release.

#### Release Highlights

We're thrilled to bring you some exciting enhancements and crucial fixes to improve your experience with Tyk Gateway. For a comprehensive list of changes, please refer to the detailed [changelog](/nightly/#Changelog-v5.2.0) below.

##### Added Body Transform Middleware to Tyk OAS API Definition

With this release, we are adding the much requested *Body Transformations* to *Tyk OAS API Definition*. You can now [configure](/nightly/api-management/gateway-config-tyk-oas#transformbody) middleware for both [request](/nightly/api-management/traffic-transformation/request-body) and [response](/nightly/api-management/traffic-transformation/response-body) body transformations and - as a Tyk Dashboard user - you’ll be able to do so from within our simple and elegant API Designer tool.

##### Reference Tyk OAS API Definition From Within Your Custom Go Plugins

Reference the *Tyk OAS API definition* from within your custom *Go Plugins*, bringing them up to standard alongside those you might use with a *Tyk Classic API*.

##### Configure Caching For Each API Endpoint

We’ve added the ability to [configure](/nightly/api-management/response-caching#configuring-the-middleware-in-the-tyk-oas-api-definition) per-endpoint timeouts for Tyk’s response cache, giving you increased flexibility to tailor your APIs to your upstream services.

##### Added Header Management in Universal Data Graph

With this release we are adding a concept of [header management](/nightly/api-management/data-graph#header-management) in *Universal Data Graph*. With multiple upstream data sources, data graphs need to be sending the right headers upstream, so that our users can effectively track the usage and be able to enforce security rules at each stage. All *Universal Data Graph* headers now have access to *request context* variables like *JWT claims*, *IP address* of the connecting client or *request ID*. This provides extensive configurability of customizable information that can be sent upstream.

##### Added Further Support For GraphQL WebSocket Protocols

Support for [WebSocket](/nightly/api-management/graphql#graphql-websockets) protocols between client and the *Gateway* has also been expanded. Instead of only supporting the *graphql-ws protocol*, which is becoming deprecated, we now also support [graphql-transport-ws](https://github.com/enisdenjo/graphql-ws/blob/master/PROTOCOL.md) by setting the *Sec-WebSocket-Protocol* header to *graphql-transport-ws*.

##### Added OpenTelemetry Tracing

In this version, we're introducing the support for *OpenTelemetry Tracing*, the new [open standard](https://opentelemetry.io/) for exposing observability data. This addition gives you improved visibility into how API requests are processed, with no additional license required. It is designed to help you with monitoring and troubleshooting APIs, identify bottlenecks, latency issues and errors in your API calls. For detailed information and guidance, you can check out our [OpenTelemetry Tracing](/nightly/api-management/traces) resource.

*OpenTelemetry* makes it possible to isolate faults within the request lifetime through inspecting API and Gateway meta-data. Additionally, performance bottlenecks can be identified within the request lifetime. API owners and developers can use this feature to understand how their APIs are being used or processed within the Gateway.

*OpenTelemetry* functionality is also available in [Go Plugins](/nightly/api-management/plugins/advance-config#instrumenting-plugins-with-opentelemetry). Developers can write code to add the ability to preview *OpenTelemetry* trace attributes, error status codes etc., for their Go Plugins.

We offer support for integrating *OpenTelemetry* traces with supported open source tools such as [Jaeger](/nightly/api-management/traces/jaeger), [Dynatrace](/nightly/api-management/traces/dynatrace) or [New Relic](/nightly/api-management/traces#new-relic). This allows API owners and developers to gain troubleshooting and performance insights from error logs, response times etc.
You can also find a direct link to our docs in the official [OpenTelemetry Integration page](https://opentelemetry.io/ecosystem/integrations/).

<Warning>
  *Tyk Gateway 5.2* now includes *OpenTelemetry Tracing*. Over the next year, we'll be deprecating *OpenTracing*. We recommend migrating to *OpenTelemetry* for better trace insights and more comprehensive support. This change will offer you significant advantages in managing your distributed tracing needs.
</Warning>

#### Downloads

* [Docker image to pull](https://hub.docker.com/layers/tykio/tyk-gateway/v5.2.0/images/sha256-cf0c57619e8285b1985bd5e4bf86b8feb42abec56cbc241d315cc7f8c0d43025?context=explore)
* [source code](https://github.com/TykTechnologies/tyk/releases/tag/v5.2.0)

#### Changelog

<a id="Changelog-v5.2.0" data-scroll-offset />

##### Added:

<AccordionGroup>
  <Accordion title="Added support for configuring distributed tracing behavior">
    Added support for [configuring](/nightly/tyk-oss-gateway/configuration#opentelemetry) distributed tracing behavior of *Tyk Gateway*. This includes enabling tracing, configuring exporter types, setting the URL of the tracing backend to which data is to be sent, customizing headers, and specifying enhanced connectivity for *HTTP*, *HTTPS* and *gRPC*. Subsequently, users have precise control over tracing behavior in *Tyk Gateway*.
  </Accordion>

  <Accordion title="Added support for configuring OpenTelemetry">
    Added support to configure *OpenTelemetry* [sampling types and rates](/nightly/tyk-oss-gateway/configuration#opentelemetry-sampling) in the *Tyk Gateway*. This allows users to balance the need for detailed tracing information against performance and resource usage requirements.
  </Accordion>

  <Accordion title="Added span attributes to simplify identifying Tyk API and request meta-data per request">
    Added span attributes to simplify identifying Tyk API and request meta-data per request. Example span attributes include: *tyk.api.id*, *tyk.api.name*, *tyk.api.orgid*, *tyk.api.tags*, *tyk.api.path*, *tyk.api.version*, *tyk.api.apikey*, *tyk.api.apikey.alias* and *tyk.api.oauthid*. This allows users to use *OpenTelemetry* [semantic conventions](https://github.com/open-telemetry/opentelemetry-specification/blob/v1.25.0/specification/trace/semantic_conventions/README.md) to filter and create metrics for increased insight and observability.
  </Accordion>

  <Accordion title="Add custom resource attributes to allow process information to be available in traces">
    Added custom resource attributes: *service.name*, *service.instance.id*, *service.version*, *tyk.gw\.id*, *tyk.gw\.dataplane*, *tyk.gw\.group.id*, *tyk.gw\.tags* to allow process information to be available in traces.
  </Accordion>

  <Accordion title="Allow clients to retrieve the trace ID from response headers when OpenTelemetry enabled">
    Added a new feature that allows clients to retrieve the trace ID from response headers. This feature is available when *OpenTelemetry* is [enabled](/nightly/tyk-oss-gateway/configuration#opentelemetry-enabled) and simplifies debugging API requests, empowering users to seamlessly correlate and analyze data for a specific trace in any *OpenTelemetry* backend like [Jaeger](https://www.jaegertracing.io/).
  </Accordion>

  <Accordion title="Allow detailed tracing to be enabled/disabled at API level">
    Added configuration parameter to enable/disable [detailed\_tracing](/nightly/api-management/tyk-pump#configure-detailed-recording) for *Tyk Classic API*.
  </Accordion>

  <Accordion title="Add OpenTelemetry support for GraphQL">
    Added *OpenTelemetry* support for GraphQL. This is activated by setting [opentelemetry.enabled](/nightly/tyk-oss-gateway/configuration#opentelemetry-enabled) to *true*. This integration enhances observability by enabling GQL traces in any OpenTelemetry backend, like [Jaeger](https://www.jaegertracing.io/), granting users comprehensive insights into the execution process, such as request times.
  </Accordion>

  <Accordion title="Add support for configuring granular control over cache timeouts at the endpoint level">
    Added a new [timeout option](/nightly/api-management/response-caching#configuring-the-middleware-in-the-tyk-oas-api-definition), offering granular control over cache timeout at the endpoint level.
  </Accordion>

  <Accordion title="Enable request context variables in UDG global or data source headers">
    Added support for using [request context variables](/nightly/api-management/traffic-transformation/request-context-variables) in *UDG* global or data source headers. This feature enables much more advanced [header management](/nightly/api-management/data-graph#header-management) for UDG and allows users to extract header information from an incoming request and pass it to upstream data sources.
  </Accordion>

  <Accordion title="Add support for configuration of global headers for any UDG">
    Added support for configuration of [global headers](/nightly/api-management/data-graph#header-management) for any *UDG*. These headers will be forwarded to all data sources by default, enhancing control over data flow.
  </Accordion>

  <Accordion title="Add ability for Custom GoPlugin developers using Tyk OAS APIs to access the API Definition">
    Added the ability for Custom GoPlugin developers using *Tyk OAS APIs* to access the *API Definition* from within their plugin. The newly introduced *ctx.GetOASDefinition* function provides read-only access to the *OAS API Definition* and enhances the flexibility of plugins.
  </Accordion>

  <Accordion title="Add support for graphql-transport-ws websocket protocol">
    Added support for the websocket protocol, *graphql-transport-ws protocol*, enhancing communication between the client and *Gateway*. Users [connecting](/nightly/api-management/graphql#graphql-websockets) with the header *Sec-WebSocket-Protocol* set to *graphql-transport-ws* can now utilize messages from this [protocol](https://github.com/enisdenjo/graphql-ws/blob/master/PROTOCOL.md) for more versatile interaction.
  </Accordion>

  <Accordion title="Developers using Tyk OAS API Definition can configure body transform middleware for API responses">
    Added support for API Developers using *Tyk OAS API Definition* to [configure](/nightly/api-management/gateway-config-tyk-oas#transformbody) a body transform middleware that operates on API responses. This enhancement ensures streamlined and selective loading of the middleware based on configuration, enabling precise response data customization at the per-endpoint level.
  </Accordion>

  <Accordion title="Enhanced Gateway usage reporting, allowing reporting of number of connected gateways and data planes">
    * Added support for enhanced *Gateway* usage reporting. *MDCB v2.4* and *Gateway v5.2* can now report the number of connected gateways and data planes. Features such as data plane gateway visualisation are available in *Tyk Dashboard* for enhanced monitoring of your deployment.
  </Accordion>
</AccordionGroup>

##### Changed:

<Expandable title="Response Body Transform middleware updated to remove unnecessary entries in Tyk Classic API Definition">
  Updated *Response Body Transform* middleware for *Tyk Classic APIs* to remove unnecessary entries in the *API definition*. The dependency on the *response\_processor.response\_body\_transform* configuration has been removed to streamline middleware usage, simplifying API setup.
</Expandable>

##### Fixed:

<AccordionGroup>
  <Accordion title="UDG was dropping array type parameter in certain circumstances from final request URL sent upstream">
    Fixed an issue with querying a *UDG* API containing a query parameter of array type in a REST data source. The *UDG* was dropping the array type parameter from the final request URL sent upstream.
  </Accordion>

  <Accordion title="Introspection of GraphQL schemas raised an error when dealing with some custom root types">
    Fixed an issue with introspecting GraphQL schemas that previously raised an error when dealing with custom root types other than *Query*, *Mutation* or *Subscription*.
  </Accordion>

  <Accordion title="Enforced Timeout configuration parameter of an API endpoint was not validated">
    Fixed an issue where the [Enforced Timeout](/nightly/planning-for-production/ensure-high-availability/enforced-timeouts) configuration parameter of an API endpoint accepted negative values, without displaying validation errors. With this fix, users receive clear feedback, which prevents unintended configurations.
  </Accordion>

  <Accordion title="allowedIPs validation failures were causing the loss of other error types reported">
    Fixed an issue where *allowedIPs* validation failures replaced the reported errors list, causing the loss of other error types. This fix appends IP validation errors to the list, providing users with a comprehensive overview of encountered errors. Subsequently, this enhances the clarity and completeness of validation reporting.
  </Accordion>

  <Accordion title="The Data Plane Gateway for versions < v5.1 crashed with panic error when creating a Tyk OAS API">
    Fixed a critical issue in MDCB v2.3 deployments, relating to *Data Plane* stability. The *Data Plane* Gateway with versions older than v5.1 was found to crash with a panic when creating a Tyk OAS API. The bug has been addressed, ensuring stability and reliability in such deployments.
  </Accordion>
</AccordionGroup>

***

## 5.1 Release Notes

### Release Date 23 June 2023

### Breaking Changes

**Attention**: Please read this section carefully.

#### Golang Version upgrade

Our Gateway uses the [Golang 1.19](https://tip.golang.org/doc/go1.19) programming language starting with the 5.1 release. This brings improvements to the code base and allows us to benefit from the latest features and security enhancements in Go. Don’t forget that, if you’re using GoPlugins, you'll need to [recompile](/nightly/api-management/plugins/golang#upgrading-your-tyk-gateway) these to maintain compatibility with the latest Gateway.

#### Early Access Features:

Please note that the `Tyk OAS APIs` feature, currently marked as *Early Access*, is subject to breaking changes in subsequent releases. Please refer to our [Early Access guide](/nightly/developer-support/release-types/early-access-feature) for specific details. Upgrading to a new version may introduce changes that are not backward-compatible. Downgrading to a previous version after upgrading may result in a broken installation.

Users are strongly advised to follow the recommended upgrade instructions provided by Tyk before applying any updates.

### Deprecations

There are no deprecations in this release.

### Upgrade Instructions

Go to the [Upgrading Tyk](/nightly/#upgrading-tyk) section for detailed upgrade instructions.

### Release Highlights

#### Request Body Size Limits

We have introduced a new Gateway-level option to limit the size of requests made
to your APIs. You can use this as a first line of defense against overly large
requests that might affect your Tyk Gateways or upstream services. Of course,
being Tyk, we also provide the flexibility to configure API-level and
per-endpoint size limits so you can be as granular as you need to protect and
optimize your services. Check out our improved documentation for a full
description of how to use these powerful [features](/nightly/api-management/traffic-transformation/request-size-limits).

#### Changed default RPC pool size for MDCB deployments

We have reduced the default RPC pool size from 20 to 5. This can reduce the CPU and
memory footprint in high throughput scenarios. Please monitor the CPU and memory
allocation of your environment and adjust accordingly. You can change the pool
size using [slave\_options.rpc\_pool\_size](/nightly/tyk-oss-gateway/configuration#slave_options-rpc_pool_size)

### Downloads

* [docker image to pull](https://hub.docker.com/layers/tykio/tyk-gateway/v5.1/images/sha256-3d1e64722be1a983d4bc4be9321ca1cdad10af9bb3662fd6824901d5f22820f1?context=explore)
* [source code](https://github.com/TykTechnologies/tyk/releases/tag/v5.1.0)

### Changelog

#### Added

* Added `HasOperation`, `Operation` and `Variables` to GraphQL data source API definition for easier nesting
* Added abstractions/interfaces for ExecutionEngineV2 and ExecutionEngine2Executor with respect to graphql-go-tools
* Added support for the `:authority` header when making gRPC requests. If the `:authority` header is not present then some gRPC servers return PROTOCOL\_ERROR which prevents custom gRPC plugins from running. Thanks to [vanhtuan0409](https://github.com/vanhtuan0409) from the Tyk Community for his contribution!

#### Changed

* Tyk Gateway updated to use Go 1.19
* Updated [*kin-openapi*](https://github.com/getkin/kin-openapi) dependency to the version [v0.114.0](https://github.com/getkin/kin-openapi/releases/tag/v0.114.0)
* Enhanced the UDG parser to comprehensively extract all necessary information for UDG configuration when users import to Tyk their OpenAPI document as an API definition
* Reduced default CPU and memory footprint by changing the default RPC pool size from 20 to 5 connections.

#### Fixed

* Fixed an issue where invalid IP addresses could be added to the IP allow list
* Fixed an issue where, when using custom authentication with multiple authentication methods, custom authentication could not be selected to provide the base identity
* Fixed an issue where OAuth access keys were physically removed from Redis on expiry. Behavior for OAuth is now the same as for other authorization methods
* Fixed an issue where the `global_size_limit` setting didn't enable request size limit middleware. Thanks to [PatrickTaibel](https://github.com/PatrickTaibel) for the contribution!
* Fixed minor versioning, URL and field mapping issues when importing OpenAPI document as an API definition to UDG
* When the control API is not protected with mTLS we now do not ask for a cert, even if all the APIs registered have mTLS as an authorization mechanism

### Tyk Classic Portal Changelog

#### Changed

* Improved performance when opening the Portal page by optimizing the pre-fetching of required data

## 5.0 Release Notes

### 5.0.15 Release Notes

#### Release Date 24 October 2024

#### Breaking Changes

There are no breaking changes in this release.

#### Upgrade Instructions

Go to the [Upgrading Tyk](/nightly/developer-support/release-notes/gateway#upgrading-tyk)
section for detailed upgrade instructions.

#### Release Highlights

This patch release for Tyk Gateway addresses critical stability issues for users running Tyk Gateway within the data
plane, connecting to the control plane or Tyk Hybrid. Affected users should upgrade immediately to version 5.0.15 to
avoid service interruptions and ensure reliable operations with the control plane or Tyk Hybrid.

For a comprehensive list of changes, please refer to the detailed [changelog](/nightly/#Changelog-v5.0.15) below.

#### Changelog

<a id="Changelog-v5.0.15" data-scroll-offset />

##### Fixed

<Expandable title="Resolved gateway panic on reconnecting to MDCB control plane or Tyk Cloud">
  In version 5.0.14, Tyk Gateway could encounter a panic when attempting to reconnect to the control plane after it was restarted. This patch version has resolved this issue, ensuring stable connectivity between the gateway and control plane following reconnections and reducing the need for manual intervention.
</Expandable>

***

### 5.0.14 Release Notes

#### Release Date 18th September 2024

<Note>
  **Important Update**<br /> <br /> <b>Date</b>: 12 October 2024<br /> <b>Topic</b>: Gateway panic when
  reconnecting to MDCB control plane or Tyk Cloud<br /> <b>Workaround</b>: Restart Gateway<br /> <b>Affected Product</b>: Tyk
  Gateway as an Edge Gateway<br /> <b>Affected versions</b>: v5.6.0, v5.3.6, and v5.0.14<br /> <b>Issue Description:</b><br />

  <p>We have identified an issue affecting Tyk Gateway deployed as a data plane connecting to the Multi-Data Center Bridge (MDCB) control plane or Tyk Cloud. In the above-mentioned Gateway versions, a panic may occur when the Gateway reconnects to the control plane after the control plane is restarted.</p>

  <p>Our engineering team is actively working on a fix, and a patch (versions 5.6.1, 5.3.7, and 5.0.15) will be released soon.<br /></p>

  <b>Recommendations:</b><br />

  <b>For users on versions 5.5.0, 5.3.5, and 5.0.13</b><br />
  We advise you to delay upgrading to the affected versions (5.6.0, 5.3.6, or 5.0.14) until the patch is available.

  <b>For users who have already upgraded to 5.6.0, 5.3.6, or 5.0.14 and are experiencing a panic in the gateway:</b><br />
  Restarting the gateway process will restore it to a healthy state. If you are operating in a *Kubernetes* environment, the Tyk Gateway instance should automatically restart, which ultimately resolves the issue.<br />

  <p>We appreciate your understanding and patience as we work to resolve this. Please stay tuned for the upcoming patch release, which will address this issue.</p>
</Note>

#### Breaking Changes

**Attention:** Please read this section carefully.

There are no breaking changes in this release.

#### Upgrade Instructions

This release is not tightly coupled with Tyk Dashboard v5.0.14, so you do not have to upgrade both together.

Go to the [Upgrading Tyk](/nightly/developer-support/release-notes/gateway#upgrading-tyk)
section for detailed upgrade instructions.

#### Release Highlights

This release fixes some issues related to the way that Tyk performs URL path matching, introducing two new Gateway
configuration options to control path matching strictness.

#### Changelog

##### Added

<Expandable title="Implemented Gateway configuration options to set URL path matching strictness">
  We have introduced two new options in the `http_server_options` [Gateway
  configuration](/nightly/tyk-oss-gateway/configuration#http_server_options) that will enforce prefix and/or suffix matching
  when Tyk performs checks on whether middleware or other logic should be applied to a request:

  * `enable_path_prefix_matching` ensures that the start of the request path must match the path defined in the API
    definition
  * `enable_path_suffix_matching` ensures that the end of the request path must match the path defined in the API
    definition
  * combining `enable_path_prefix_matching` and `enable_path_suffix_matching` will ensure an exact (explicit) match is
    performed

  These configuration options provide control to avoid unintended matching of paths from Tyk's default *wildcard* match.
  Use of regex special characters when declaring the endpoint path in the API definition will automatically override these
  settings for that endpoint.

  **Tyk recommends that exact matching is employed, but both options default to `false` to avoid introducing a breaking
  change for existing users.**
</Expandable>
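
To see which request paths a rule declared for `/admin` would cover under each combination of the two options, the following added example models the matching described above. It is not Tyk's implementation: it ignores listen paths and versioning, and the set of characters it treats as regex special characters, the function names and the sample paths are assumptions.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// MatchOptions mirrors the two http_server_options flags in the release note.
type MatchOptions struct {
	EnablePathPrefixMatching bool // enable_path_prefix_matching
	EnablePathSuffixMatching bool // enable_path_suffix_matching
}

// regexSpecials is this model's assumption about which characters count as
// "regex special characters" in an endpoint path.
const regexSpecials = `^$*+?()[]|\`

// Pattern builds the expression used to test a request path. A plain endpoint
// path is matched anywhere in the request path by default (wildcard match);
// the flags anchor it at the start and/or end. An endpoint path that already
// contains regex characters is used as written and the flags are ignored.
func Pattern(endpoint string, o MatchOptions) (*regexp.Regexp, error) {
	if strings.ContainsAny(endpoint, regexSpecials) {
		return regexp.Compile(endpoint)
	}
	p := regexp.QuoteMeta(endpoint)
	if o.EnablePathPrefixMatching {
		p = "^" + p
	}
	if o.EnablePathSuffixMatching {
		p += "$"
	}
	return regexp.Compile(p)
}

// Matches reports whether a rule declared for endpoint applies to requestPath.
// In this model an endpoint that does not compile matches nothing.
func Matches(endpoint, requestPath string, o MatchOptions) bool {
	re, err := Pattern(endpoint, o)
	if err != nil {
		return false
	}
	return re.MatchString(requestPath)
}

// ChangedByExactMatching lists the request paths that the default wildcard
// match covers but an exact match (both flags enabled) would not. Running it
// over observed paths shows what changes before the flags are switched on.
func ChangedByExactMatching(endpoint string, requestPaths []string) []string {
	exact := MatchOptions{EnablePathPrefixMatching: true, EnablePathSuffixMatching: true}
	var changed []string
	for _, p := range requestPaths {
		if Matches(endpoint, p, MatchOptions{}) && !Matches(endpoint, p, exact) {
			changed = append(changed, p)
		}
	}
	return changed
}

func main() {
	// Constructed sample request paths.
	paths := []string{"/admin", "/admin/keys", "/public/admin", "/public/admin/keys"}
	modes := []struct {
		name string
		opts MatchOptions
	}{
		{"wildcard (default)", MatchOptions{}},
		{"prefix only", MatchOptions{EnablePathPrefixMatching: true}},
		{"suffix only", MatchOptions{EnablePathSuffixMatching: true}},
		{"prefix + suffix", MatchOptions{EnablePathPrefixMatching: true, EnablePathSuffixMatching: true}},
	}
	for _, m := range modes {
		var hits []string
		for _, p := range paths {
			if Matches("/admin", p, m.opts) {
				hits = append(hits, p)
			}
		}
		fmt.Printf("%-20s %v\n", m.name, hits)
	}
	fmt.Println("no longer matched under exact matching:", ChangedByExactMatching("/admin", paths))

	// An endpoint written as a regex keeps only the anchoring its author gave it.
	exact := modes[3].opts
	fmt.Println("unanchored regex, flags on:", Matches(`/admin/[0-9]+`, "/x/admin/42/y", exact))
	fmt.Println("anchored regex, flags off: ", Matches(`^/admin/[0-9]+$`, "/admin/42/y", MatchOptions{}))
}
```

Note the last two cases: once an endpoint path contains regex characters the flags no longer apply, so it needs its own `^` and `$` anchors.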

##### Fixed

<AccordionGroup>
  <Accordion title="Incorrectly configured regex in Policy affected Granular Endpoint Access authorization">
    Fixed an issue when using [granular endpoint](/nightly/api-management/access-control/sessions-and-keys/access-rights#granular-endpoint-access) in access Policies and keys that led to authorization incorrectly being granted to endpoints if an invalid regular expression was configured in the key/Policy. Also fixed an issue where path-based parameters were not correctly handled by Path-Based Permissions. Now Tyk's authorization check correctly handles both of these scenarios granting access only to the expected resources.
  </Accordion>

  <Accordion title="Missing path parameter can direct to the wrong endpoint">
    Fixed an issue where a parameterized endpoint URL (e.g. `/user/{id}`) would be invoked if a request is made that omits
    the parameter. For example, a request to `/user/` will now be interpreted as a request to `/user` and not to
    `/user/{id}`.
  </Accordion>

  <Accordion title="Improved Gateway Synchronization with MDCB for Policies and APIs">
    We have enhanced the Tyk Gateway's synchronization with MDCB to ensure more reliable loading of policies and APIs. A
    synchronous initialization process has been implemented to prevent startup failures and reduce the risk of service
    disruptions caused by asynchronous operations. This update ensures smoother and more consistent syncing of policies and
    APIs from MDCB.
  </Accordion>
</AccordionGroup>

***

### 5.0.13 Release Notes

#### Release Date 4 July 2024

#### Release Highlights

Resolved an issue encountered in MDCB environments where changes to custom keys made via the Dashboard were not properly
replicated to data planes. The issue impacted both key data and associated quotas, in the following versions:

* 5.0.4 to 5.0.12
* 5.1.1 and 5.1.2
* 5.2.0 to 5.2.6
* 5.3.0 to 5.3.2

###### Action Required

Customers should clear their edge Redis instances of any potentially affected keys to maintain data consistency and
ensure proper synchronization across their environments. Please refer to the item in the [fixed](/nightly/#fixed) section of the
changelog for recommended actions.

#### Changelog

##### Fixed

<Expandable title="Resolved an issue where changes to custom keys were not properly replicated to data planes">
  Resolved a critical issue affecting MDCB environments, where changes to custom keys made via the dashboard were not
  properly replicated to data planes. This affected both the key data and associated quotas. This issue was present in
  versions:

  * 5.0.4 to 5.0.12
  * 5.1.1 and 5.1.2
  * 5.2.0 to 5.2.6
  * 5.3.0 to 5.3.2

  **Action Required**

  Customers are advised to clear their edge Redis instances of any keys that might have been affected by this bug to
  ensure data consistency and proper synchronization across their environments. There are several methods available to
  address this issue:

  1. **Specific Key Deletion via API**: To remove individual buggy keys, you can use the following API call:

  ```bash theme={null}
  curl --location --request DELETE 'http://tyk-gateway:{tyk-hybrid-port}/tyk/keys/my-custom-key' \
    --header 'X-Tyk-Authorization: {dashboard-key}'
  ```

  Replace `{tyk-hybrid-port}`, `my-custom-key` and `{dashboard-key}` with your specific configuration details. This method
  is safe and recommended for targeted removals without affecting other keys.

  2. **Bulk Key Deletion Using Redis CLI**: For environments with numerous affected keys, you might consider using the
     Redis CLI to remove keys en masse:

  ```bash theme={null}
  redis-cli --scan --pattern 'apikey-*' | xargs -L 1 redis-cli del
  redis-cli --scan --pattern 'quota-*' | xargs -L 1 redis-cli del
  ```

  This method can temporarily impact the performance of the Redis server, so it should be executed during a maintenance
  window or when the impact on production traffic is minimal.

  3. **Complete Redis Database Flush**: If feasible, flushing the entire Redis database offers a clean slate:

  ```bash theme={null}
  redis-cli FLUSHALL ASYNC
  ```

  **Implications** Regardless of the chosen method, be aware that quotas will be reset and will need to resynchronize
  across the system. This may temporarily affect reporting and rate limiting capabilities.
</Expandable>

***

### 5.0.12 Release Notes

Please refer to our GitHub [release notes](https://github.com/TykTechnologies/tyk/releases/tag/v5.0.12).

***

### 5.0.11 Release Notes

Please refer to our GitHub [release notes](https://github.com/TykTechnologies/tyk/releases/tag/v5.0.11).

***

### 5.0.10 Release Notes

Please refer to our GitHub [release notes](https://github.com/TykTechnologies/tyk/releases/tag/v5.0.10).

***

### 5.0.9 Release Notes

Please refer to our GitHub [release notes](https://github.com/TykTechnologies/tyk/releases/tag/v5.0.9).

***

### 5.0.8 Release Notes

Please refer to our GitHub [release notes](https://github.com/TykTechnologies/tyk/releases/tag/v5.0.8).

***

### 5.0.7 Release Notes

Please refer to our GitHub [release notes](https://github.com/TykTechnologies/tyk/releases/tag/v5.0.7).

***

### 5.0.6 Release Notes

Please refer to our GitHub [release notes](https://github.com/TykTechnologies/tyk/releases/tag/v5.0.6).

***

### 5.0.5 Release Notes

Please refer to our GitHub [release notes](https://github.com/TykTechnologies/tyk/releases/tag/v5.0.5).

***

### 5.0.4 Release Notes

Please refer to our GitHub [release notes](https://github.com/TykTechnologies/tyk/releases/tag/v5.0.4).

***

### 5.0.3 Release Notes

Please refer to our GitHub [release notes](https://github.com/TykTechnologies/tyk/releases/tag/v5.0.3).

***

### 5.0.2 Release Notes

#### Release Date 29 May 2023

#### Release Highlights

This release primarily focuses on bug fixes. For a comprehensive list of changes, please refer to the detailed
[changelog](/nightly/#Changelog-v5.0.2) below.

#### Downloads

* [docker image to pull](https://hub.docker.com/layers/tykio/tyk-gateway/v5.0.2/images/sha256-5e126d64571989f9e4b746544cf7a4a53add036a68fe0df4502f1e62f29627a7?context=explore)
* [source code](https://github.com/TykTechnologies/tyk/releases/tag/v5.0.2)

#### Changelog

<a id="Changelog-v5.0.2" data-scroll-offset />

##### Updated

* Internal refactoring to make storage related parts more stable and less affected by potential race issues

***

### 5.0.1 Release Notes

#### Release Date 25 Apr 2023

#### Release Highlights

This release primarily focuses on bug fixes. For a comprehensive list of changes, please refer to the detailed
[changelog](/nightly/#Changelog-v5.0.1) below.

#### Downloads

* [docker image to pull](https://hub.docker.com/layers/tykio/tyk-gateway/v5.0.1/images/sha256-5fa7aa910d62a7ed2c1cfbc68c69a988b4b0e9420d7a52018f80f9a45cadb083?context=explore)
* [source code](https://github.com/TykTechnologies/tyk/releases/tag/v5.0.1)

#### Changelog

<a id="Changelog-v5.0.1" data-scroll-offset />

##### Added

* Added a new `enable_distributed_tracing` option to the NewRelic config to enable support for Distributed Tracer

##### Fixed

* Fixed panic when JWK method was used for JWT authentication and the token didn't include kid
* Fixed an issue where failure to load GoPlugin middleware didn’t prevent the API from proxying traffic to the upstream:
  now Gateway logs an error when the plugin fails to load (during API creation/update) and responds with HTTP 500 if the
  API is called; at the moment this is fixed only for file based plugins
* Fixed MutualTLS issue causing leak of allowed CAs during TLS handshake when there are multiple mTLS APIs
* Fixed a bug during hot reload of Tyk Gateway where APIs with JSVM plugins stored in filesystem were not reloaded
* Fixed a bug where the gateway would remove the trailing `/` at the end of a URL
* Fixed a bug where nested field-mappings in UDG weren't working as intended
* Fixed a bug when using Tyk OAuth 2.0 flow on Tyk Cloud where a request for an Authorization Code would fail with a 404
  error
* Fixed a bug where mTLS negotiation could fail when there are a large number of certificates and CAs; added an option
  (`http_server_options.skip_client_ca_announcement`) to use the alternative method for certificate transfer
* Fixed CVE issue with go.uuid package
* Fixed a bug where rate limits were not correctly applied when policies are partitioned to separate access rights and
  rate limits into different scopes

***

### 5.0.0 Release Notes

#### Release Date 28 Mar 2023

#### Deprecations

* Tyk Gateway no longer natively supports **LetsEncrypt** integration. You still can use LetsEncrypt CLI tooling to
  generate certificates and use them with Tyk.

#### Release Highlights

##### Improved OpenAPI support

We have added some great features to the Tyk OAS API definition, bringing it closer to parity with our Tyk Classic API
and making it easier to get on board with Tyk using your Open API workflows.

Tyk’s OSS users can now make use of extensive [custom middleware](/nightly/api-management/plugins/overview) options with your OAS
APIs, to transform API requests and responses, exposing your upstream services in the way that suits your users and
internal API governance rules. We’ve enhanced the Request Validation for Tyk OAS APIs to include parameter validation
(path, query, headers, cookie) as well as the body validation that was introduced in Tyk 4.1.

[Versioning your Tyk OAS APIs](/nightly/api-management/api-versioning) is easier than ever, with the
Tyk OSS Gateway now looking after the maintenance of the list of versions associated with the base API for you; we’ve
also added a new endpoint on the Tyk API that will return details of the versions for a given API.

We’ve improved support for [Mock Responses](/nightly/api-management/traffic-transformation/mock-response#mock-response), with the Tyk OAS API
definition now allowing you to register multiple Mock Responses in a single API, providing you with increased testing
flexibility.

Of course, we’ve also addressed some bugs and usability issues as part of our ongoing ambition to make Tyk OAS API the
best way for you to create and manage your APIs.

Thanks to our community contributors [armujahid](https://github.com/armujahid),
[JordyBottelier](https://github.com/JordyBottelier) and [ls-michal-dabrowski](https://github.com/ls-michal-dabrowski)
for your PRs that further improve the quality of Tyk OSS Gateway!

#### Downloads

* [docker image to pull](https://hub.docker.com/layers/tykio/tyk-gateway/v5.0.0/images/sha256-196815adff2805ccc14c267b14032f23913321b24ea86c052b62a7b1568b6725?context=explore)
* [source code](https://github.com/TykTechnologies/tyk/releases/tag/v5.0.0)

#### Changelog

##### Added

* Support for request validation (including query params, headers and the rest of OAS rules) with Tyk OAS APIs
* Transform request/response middleware for Tyk OAS APIs
* Custom middleware for Tyk OAS APIs
* Added a new API endpoint to manage versions for Tyk OAS APIs
* Improved Mock API plugin for Tyk OAS APIs
* Universal Data Graph and GraphQL APIs now support using context variables in request headers, allowing you to pass
  information to your subgraphs
* Now you can control access to introspection on policy and key level

##### Fixed

* Fixed potential race condition when using distributed rate limiter

***

## 4.3 Release Notes

### 4.3.0 Release Notes

#### Release Highlights

##### Mock Responses with Tyk OAS API Definitions

Does your Tyk OAS API Definition define examples or a schema for your path responses? If so, starting with Tyk v4.3, Tyk can use those configurations to mock your API responses, enabling your teams to integrate easily without being immediately dependent on each other. Check it out! [Mock Responses Documentation](/nightly/api-management/traffic-transformation/mock-response#mock-response)

##### External OAuth - 3rd party OAuth IDP integration

If you’re using a 3rd party IDP to generate tokens for your OAuth applications, Tyk can now validate the generated tokens by either performing JWT validation or by communicating with the authorization server and executing token introspection.

This can be achieved by configuring the new External OAuth authentication mechanism. Find out more here [External OAuth Integration](/nightly/api-management/client-authentication#integrate-with-external-authorization-server-deprecated)

##### Updated the Tyk Gateway version of Golang, to 1.16.

**The Gateway uses Golang 1.16 starting with the 4.3 release. This Golang release deprecates the use of x509 commonName certificates. This will be the last release where it's still possible to use commonName; users need to explicitly re-enable it with an environment variable.**

The deprecated, legacy behavior of treating the CommonName field on X.509 certificates as a host name when no Subject Alternative Names are present is now disabled by default. It can be temporarily re-enabled by adding the value `x509ignoreCN=0` to the `GODEBUG` environment variable.

Note that if the CommonName is an invalid host name, it's always ignored, regardless of GODEBUG settings. Invalid names include those with any characters other than letters, digits, hyphens and underscores, and those with empty labels or trailing dots.

##### Improved GQL security

4.3 adds two important features that improve security settings for GraphQL APIs in Tyk.

1. Ability to turn on/off introspection - this feature allows much more control over what consumers are able to do when interacting with a GraphQL API. In cases where introspection is not desirable, API managers can now disallow it. The setting is done on API key level, which means API providers will have very granular control over who can and who cannot introspect the API.
2. Support for allow list in field-based permissions - until now Tyk offered field-based permissions as a “block list” only. That meant that any new field/query added to a graph was by default accessible to all consumers until an API manager explicitly blocked it at key/policy level. Adding support for an “allow list” gives API managers much more control over changing schemas and reduces the risk of unintentionally exposing parts of the graph that are not ready for use. See [Introspection](/nightly/api-management/graphql#introspection) for more details.

#### Changelog

##### Tyk Gateway

###### Added

* Minor modifications to the Gateway needed for enabling support for Graph Mongo Pump.
* Added header `X-Tyk-Sub-Request-Id` to each request dispatched by federated supergraph and Universal Data Graph, so that those requests can be distinguished from requests directly sent by consumers.
* Added functionality to block introspection for any GraphQL API, federated supergraph and Universal Data Graph (currently only supported via Gateway, UI support coming in the next release).
* Added an option to use allow list in field-based permissions. Implemented for full types and individual fields. (currently only supported via Gateway, UI support coming in the next release)
* Added new middleware that can be used with HTTP APIs to set up persisted queries for GraphQL upstreams.
* Added support for two additional subscription protocols for GraphQL subscriptions. The default protocol used between the gateway and upstream remains `graphql-ws`; two additional protocols can be configured and used: `graphql-transport-ws` and `SSE`.

###### Changed

Updated the Tyk Gateway version of Golang, to 1.16.

**SECURITY: The release deprecates the use of x509 commonName certificates. This will be the last release where it's still possible to use commonName; users need to explicitly re-enable it with an environment variable.**

The deprecated, legacy behavior of treating the CommonName field on X.509 certificates as a host name when no Subject Alternative Names are present is now disabled by default. It can be temporarily re-enabled by adding the value `x509ignoreCN=0` to the `GODEBUG` environment variable.

Note that if the CommonName is an invalid host name, it's always ignored, regardless of GODEBUG settings. Invalid names include those with any characters other than letters, digits, hyphens and underscores, and those with empty labels or trailing dots.

###### Fixed

* Fixed an issue where introspection query was returning a wrong response in cases where introspection query had additional objects.
* Fixed an issue where gateway was crashing when a subscription was started while no datasource was connected to it.
* Fixed a problem with missing configuration in the GraphQL config adapter that caused issues with batching requests to subgraphs in GraphQL API federation setting.
* An HTTP OAS API version lifetime now respects the date value of the expiration field from the Tyk OAS API Definition.
* It is now possible to proxy traffic from an HTTP API (using Tyk Classic API Definition) to an HTTP OAS API (using Tyk OAS API Definition) and vice versa.

#### Updated Versions

Tyk Gateway 4.3 ([docker images](https://hub.docker.com/r/tykio/tyk-gateway/tags?page=1&name=4.3.0))

#### Upgrade process

Follow the [standard upgrade guide](/nightly/developer-support/upgrading); there are no breaking changes in this release.

If you want to switch from MongoDB to SQL, you can [use our migration tool](/nightly/planning-for-production/database-settings#migrating-from-an-existing-mongodb-instance), but keep in mind that it does not yet support the migration of your analytics data.

<Note>
  Note: Upgrading the Golang version implies that all the Golang custom plugins that you are using need to be recompiled before migrating to 4.3 version of the Gateway. Check our docs for more details [Golang Plugins](/nightly/api-management/plugins/golang).
</Note>

## 4.2 Release Notes

### 4.2.0 Release Notes

#### Release Highlights

##### GraphQL Federation improvements

###### Changed GUI in Universal Data Graph configuration section.

A new GUI introduces enhancements to the user experience and more consistent user journey for UDG.
This change does not yet cover all possible use cases and is released with a feature flag. To enable the new GUI, analytics.conf needs the following setting:

```
"ui": {
  "dev": true
}
```

What’s possible with this change:

* Importing GraphQL schema created outside of Tyk (accepted formats: .json, .graphql, .graphqls)
* Creating GraphQL schema in Tyk using schema editor
* Hide/Unhide schema editor to focus on graphical representation of the schema
* Resizing schema editor to adjust workspace look & feel to user preferences
* Improved search in schema editor (search and search & replace available)
* Quick link to UDG documentation from schema editor

> Note: Full configuration of new Universal Data Graph is not yet possible in the GUI, however any UDGs created earlier will not be broken and will work as previously.

##### Changes to federation entities

###### Defining the base entity

Entities must be defined with the `@key` directive. The fields argument must reference a field by which the entity can be uniquely identified. Multiple primary keys are possible. For example:

Subgraph 1 (base entity):

```
type MyEntity @key(fields: "id") @key(fields: "name") {
  id: ID!
  name: String!
}
```

Attempting to extend a non-entity with an extension that includes the `@key` directive or attempting to extend a base entity with an extension that does not include the `@key` directive will both result in errors.

###### Entity stubs

Entities cannot be shared types (that is, defined in more than one subgraph).
If one subgraph references a base entity (an entity defined in another subgraph), that reference must be declared as a stub (stubs look like an extension without any new fields in federation v1). This stub would contain the minimal amount of information to identify the entity (referencing exactly one of the primary keys on the base entity regardless of whether there are multiple primary keys on the base entity). For example, a stub for MyEntity from Subgraph 1 (defined above):

Subgraph 2 (stub):

```
extend type MyEntity @key(fields: "id") {
  id: ID! @external
}
```

###### Supergraph extension orphans

It is now possible to define an extension for a type in a subgraph that does not define the base type.
However, if an extension is unresolved (an extension orphan) after an attempted federation, the federation will fail and produce an error.

###### Improved Dashboard UI and error messages

GraphQL-related (for example when federating subgraphs into a supergraph) errors in the Dashboard UI will show a lean error message with no irrelevant prefixes or suffixes.

Changed the look & feel of request logs in the Playground tab for GraphQL APIs. The new component presents all logs more clearly and is easier for the user to read.

###### Shared types

Types of the same name can be defined in more than one subgraph (a shared type). This will no longer produce an error if each definition is identical.
Shared types cannot be extended outside of the current subgraph, and the resolved extension must be identical to the resolved extension of the shared type in all other subgraphs (see subgraph normalization notes). Attempting to extend a shared type will result in an error.
The federated supergraph will include a single definition of a shared type, regardless of how many times it has been identically defined in its subgraphs.

###### Subgraph normalization before federation

Extensions of types whose base type is defined in the same subgraph will be resolved before an attempt at federation. A valid example involving a shared type:

Subgraph 1:

```
enum Example {
  A,
  B
}

extend enum Example {
  C  
}
```

Subgraph 2:

```
enum Example {
  A,
  B,
  C
}
```

The enum named “Example” defined in Subgraph 1 would resolve to be identical to the same-named enum defined in Subgraph 2 before federation takes place. The resulting supergraph would include a single definition of this enum.

###### Validation

Union members must be both unique and defined.
Types must have bodies, e.g., enums must contain at least one value; inputs, interfaces, or objects must contain at least one field.

##### OpenAPI

Added support for the Request Body Transform middleware, for new Tyk OAS API Definitions.

##### Universal Data Graph

Added support for Kafka as a data source in Universal Data Graph. Configuration allows the user to provide multiple topics and broker addresses.

#### Changelog

##### Tyk Gateway

###### Added

* Added support for Kafka as a data source in Universal Data Graph.
* Added a way to define the base GraphQL entity via the `@key` directive
* It is now possible to define an extension for a type in a subgraph that does not define the base type.
* Added support for the Request Body Transform middleware, for the new Tyk OAS API Definition
* Session lifetime now can be controlled by Key expiration, e.g. key removed when it is expired. Enabled by setting `session_lifetime_respects_key_expiration` to `true`

###### Changed

* Generate API ID when API ID is not provided while creating API.
* Updated the Go plugin loader to load the most appropriate plugin bundle, honoring the Tyk version, architecture and OS
* When GraphQL query with a @skip directive is sent to the upstream it will no longer return “null” for the skipped field, but remove the field completely from the response
* Added validation to Union members - must be both unique and defined.

###### Fixed

* Fixed an issue where the Gateway would not create the circuit breaker events (BreakerTripped and BreakerReset) for which the Tyk Dashboard offers webhooks.
* Types of the same name can be defined in more than one subgraph (a shared type). This will no longer produce an error if each definition is exactly identical.
* Apply Federation Subgraph normalization to avoid merge errors. Extensions of types whose base type is defined in the same subgraph will be resolved before an attempt at federation.

#### Updated Versions

Tyk Gateway 4.2

#### Upgrade process

Follow the [standard upgrade guide](/nightly/developer-support/upgrading); there are no breaking changes in this release.

If you want to switch from MongoDB to SQL, you can [use our migration tool](/nightly/planning-for-production/database-settings#migrating-from-an-existing-mongodb-instance), but keep in mind that it does not yet support the migration of your analytics data.

## 4.1 Release Notes

### 4.1.0 Release Notes

#### Release Highlights

##### OpenAPI as a native API definition format

Tyk has always had a proprietary specification for defining APIs. From Tyk v4.1 we now support defining APIs using the Open API Specification (OAS) as well, which can offer significant time and complexity savings. [This is an early access capability](/nightly/developer-support/release-types/early-access-feature).

As we extend our OAS support, we would very much like your feedback on how we can extend and update to best meet your needs: .

This capability is available in both the open source and paid versions of Tyk. See our [Tyk OAS documentation](/nightly/api-management/gateway-config-tyk-oas) for more details.

##### MDCB Synchroniser

Tyk Gateway v4.1 enables an improved synchroniser functionality within Multi Data Center Bridge (MDCB) v2.0. Prior to this release, the API keys, certificates and OAuth clients required by worker Gateways were synchronised from the controller Gateway on-demand. With Gateway v4.1 and MDCB v2.0 we introduce proactive synchronisation of these resources to the worker Gateways when they start up.

This change improves resilience in case the MDCB link or controller Gateway is unavailable, because the worker Gateways can continue to operate independently using the resources stored locally. There is also a performance improvement, with the worker Gateways not having to retrieve resources from the controller Gateway when an API is first called.

Changes to keys, certificates and OAuth clients are still synchronised to the worker Gateways from the controller when there are changes and following any failure in the MDCB link.

##### Go Plugin Loader

When upgrading your Tyk installation you need to re-compile your plugin with the new version. When loading a plugin, the Gateway will try to find a plugin with the name provided in the API definition. If none is found, it will fall back to searching for the plugin file with the name: `{plugin-name}_{Gw-version}_{OS}_{arch}.so`

From v4.1.0 the plugin compiler automatically names plugins with the above naming convention. It enables you to have one directory with different versions of the same plugin. For example:

* `plugin_v4.1.0_linux_amd64.so`
* `plugin_v4.2.0_linux_amd64.so`

So, if you upgrade from Tyk v4.1.0 to v4.2.0 you only need to have the plugins compiled for v4.2.0 before performing the upgrade.
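A pre-upgrade check built on the lookup order and naming convention described above, as an added example that is not Tyk's loader code: for each plugin path configured in an API definition it reports whether a build for the target Gateway version is present. The function names, status strings and sample file names are assumptions for illustration; the `v` version prefix follows the file names shown above.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Status values returned by PreUpgradeCheck (hypothetical names for this example).
const (
	StatusVersioned   = "versioned build present"
	StatusUnversioned = "unversioned file takes precedence"
	StatusMissing     = "no build for target version"
)

// VersionedName applies the convention {plugin-name}_{Gw-version}_{OS}_{arch}.so
// to the plugin path configured in an API definition.
func VersionedName(pluginPath, gwVersion, goos, goarch string) string {
	dir, file := filepath.Split(pluginPath)
	name := strings.TrimSuffix(file, ".so")
	return filepath.Join(dir, fmt.Sprintf("%s_%s_%s_%s.so", name, gwVersion, goos, goarch))
}

// exists reports whether path is a regular file (or symlink to one) on disk.
func exists(path string) bool {
	info, err := os.Stat(path)
	return err == nil && !info.IsDir()
}

// PreUpgradeCheck follows the documented order: the exact configured name is
// looked up first, and only if it is absent is the versioned name tried. An
// exact-name file is therefore reported separately, because its file name does
// not say which Gateway version it was compiled for.
func PreUpgradeCheck(pluginPaths []string, targetVersion, goos, goarch string) map[string]string {
	report := make(map[string]string, len(pluginPaths))
	for _, p := range pluginPaths {
		switch {
		case exists(p):
			report[p] = StatusUnversioned
		case exists(VersionedName(p, targetVersion, goos, goarch)):
			report[p] = StatusVersioned
		default:
			report[p] = StatusMissing
		}
	}
	return report
}

func main() {
	// Constructed plugin directory: empty files stand in for compiled plugins.
	dir, err := os.MkdirTemp("", "plugins")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	for _, f := range []string{
		"auth_v4.1.0_linux_amd64.so", "auth_v4.2.0_linux_amd64.so",
		"audit_v4.1.0_linux_amd64.so",
		"legacy.so", "legacy_v4.2.0_linux_amd64.so",
	} {
		if err := os.WriteFile(filepath.Join(dir, f), nil, 0o644); err != nil {
			panic(err)
		}
	}
	configured := []string{
		filepath.Join(dir, "auth.so"),
		filepath.Join(dir, "audit.so"),
		filepath.Join(dir, "legacy.so"),
	}
	for p, status := range PreUpgradeCheck(configured, "v4.2.0", "linux", "amd64") {
		fmt.Printf("%-12s %s\n", filepath.Base(p), status)
	}
}
```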

#### Changelog

##### Tyk Gateway

###### Added

* Added support for new OAS API definition format
* Added support for headers on subgraph level for federated GraphQL APIs
* Added support for interfaces implementing interfaces in GQL schema editor
* Added support for passing authorization header in GQL API Playgrounds for subscription APIs
* Added `TYK_GW_OMITCONFIGFILE` option for Tyk Gateway to ignore the values in the config file and load its configuration only from environment variables and default values
* Added a way to modify Tyk analytics record via Go plugins [configurable with API definition](/nightly/api-management/plugins/plugin-types#analytics-plugins). Can be used to sanitise analytics data.
* Added new policy API REST endpoints
* Added option to configure certificates for Tyk Gateway using [environment variable](/nightly/tyk-oss-gateway/configuration#http_server_options-certificates)
* Added support for Python 3.9 plugins
* Added support for introspecting schemas with interfaces implementing interfaces for proxy only GQL
* Added support for input coercion in lists for GraphQL
* Added support for repeatable directives for GraphQL

###### Changed

* Generate API ID when API ID is not provided while creating API.
* Updated the Go plugin loader to load the most appropriate plugin bundle, honoring Tyk version, architecture and OS
* When a GraphQL query with a @skip directive is sent to the upstream it will no longer return “null” for the skipped field, but remove the field completely from the response

###### Fixed

* Fixed a bug where the MDCB worker Gateway could become unresponsive when a certificate is added in the Tyk Dashboard
* Fixed an issue with the calculation of TTL for keys in an MDCB deployment such that TTL could be different between worker and controller Gateways
* Fixed a bug when using Open ID where quota was not tracked correctly
* Fixed multiple issues with schema merging in GraphQL federation. Federation subgraphs with the same name shared types like objects, interfaces, inputs, enums, unions and scalars will no longer cause errors when users are merging schemas into a federated supergraph.
* Fixed an issue where schema merging in GraphQL federation could fail depending on the order of resolving subgraph schemas and only the first instance of a type and its extension would be valid. Subgraphs are now individually normalized before a merge is attempted and all extensions that are possible in the federated schema are applied.
* Fixed an issue with accessing child properties of an object query variable for GraphQL where query `{{.arguments.arg.foo}}` would return `{ "foo":"123456" }` instead of "123456"

#### Updated Versions

Tyk Gateway 4.1
Tyk MDCB 2.0.1

#### Upgrade process

Follow the [standard upgrade guide](/nightly/developer-support/upgrading); there are no breaking changes in this release.

If you want to switch from MongoDB to SQL, you can [use our migration tool](/nightly/planning-for-production/database-settings#migrating-from-an-existing-mongodb-instance), but keep in mind that it does not yet support the migration of your analytics data.

## 4.0 Release Notes

### 4.0.0 Release Notes

#### Release Highlights

##### GraphQL federation

As we know, ease-of-use is an important factor when adopting GraphQL. Modern enterprises have dozens of backend services and need a way to provide a unified interface for querying them. Building a single, monolithic GraphQL server is not the best option. It is hard to maintain and leads to a lot of dependencies and over-complication.

To remedy this, Tyk 4.0 offers GraphQL federation that allows the division of GraphQL implementation across multiple backend services, while still exposing them all as a single graph for the consumers. Subgraphs represent backend services and define a distinct GraphQL schema. A subgraph can be queried directly, as a separate service or federated in the Tyk Gateway into a larger schema of a supergraph – a composition of several subgraphs that allows execution of a query across multiple services in the backend.

[Federation docs](/nightly/api-management/graphql#overview-1)

[Subgraphs and Supergraphs docs](/nightly/api-management/graphql#subgraphs-and-supergraphs)

##### GraphQL subscriptions

Subscriptions are a way to push data from the server to the clients that choose to listen to real-time messages from the server, using the WebSocket protocol. There is no need to enable subscriptions separately; Tyk supports them alongside GraphQL as standard.

With release 4.0, users can federate GraphQL APIs that support subscriptions. Federating subscriptions means that events pushed to consumers can be enriched with information from other federated graphs.

[Subscriptions docs](/nightly/api-management/graphql#graphql-subscriptions)

#### Changelog

* Now it is possible to configure GraphQL upstream authentication, in order for Tyk to work with its schema
* JWT scopes now support array and comma delimiters
* Go plugins can be attached on per-endpoint level, similar to virtual endpoints

#### Updated Versions

Tyk Gateway 4.0
Tyk Pump 1.5

#### Upgrade process

Follow the [standard upgrade guide](/nightly/developer-support/upgrading); there are no breaking changes in this release.

If you want to switch from MongoDB to SQL, you can [use our migration tool](/nightly/planning-for-production/database-settings#migrating-from-an-existing-mongodb-instance), but keep in mind that it does not yet support the migration of your analytics data.

## 3.2 Release Notes

### 3.2.0 Release Notes

#### Release Highlights

##### GraphQL and UDG improvements

We've updated the GraphQL functionality of our [Universal Data Graph](/nightly/api-management/data-graph#overview). You’re now able to deeply nest GraphQL & REST APIs and stitch them together in any possible way.

Queries are now possible via WebSockets and Subscriptions are coming in the next Release (3.3.0).

You're also able to configure [upstream Headers dynamically](/nightly/api-management/data-graph#header-forwarding), that is, you’re able to inject Headers from the client request into UDG upstream requests. For example, it can be used to access protected upstreams.

We've added an easy to use URL-Builder to make it easier for you to inject object fields into REST API URLs when stitching REST APIs within UDG.

Query-depth limits can now be configured on a per-field level.

If you’re using GraphQL upstream services with UDG, you’re now able to forward upstream error objects through UDG so that they can be exposed to the client.

##### Go response plugins

With Go response plugins you are now able to modify and create a full request round trip made through the Tyk Gateway.
Find out more about [plugins](/nightly/api-management/plugins/overview#) and how to write [Go response plugins](/nightly/api-management/plugins/golang#creating-a-custom-response-plugin).

#### Changelog

In addition to the above, version 3.2 includes all the fixes that are part of 3.0.5:
[https://github.com/TykTechnologies/tyk/releases/tag/v3.0.5](https://github.com/TykTechnologies/tyk/releases/tag/v3.0.5)

#### Updated Versions

Tyk Gateway 3.2

#### Upgrade process

If you already have GraphQL or UDG APIs, you need to follow this [upgrade guide](/nightly/api-management/graphql#migrating-to-3-2).

## 3.1 Release Notes

### 3.1.0 Release Notes

#### Release Highlights

##### Identity Management UX and SAML support

You will notice that the experience for creating a new profile in the Identity management section of the dashboard has changed to a ‘wizard’ approach, which reduces the time it takes to get started and configure a profile.
In addition, users are now able to use SAML for the dashboard and portal login, whether you use TIB (Tyk Identity Broker) internal or external to the dashboard.

This follows the recent changes that we have made to embed TIB (Tyk Identity Broker) in the dashboard. See the 3.0 [release notes](/nightly/developer-support/release-notes/dashboard#tyk-identity-broker-now-built-in-to-the-dashboard) for more information regarding this.

To learn more, [see the documentation](/nightly/tyk-identity-broker/overview).

##### UDG (Universal Data Graph) & GraphQL

###### Schema Validation

For any GraphQL API that is created via Dashboard or through our API, the GraphQL schema is now validated before saving the definition. Instant feedback is returned in case of error.

###### Sync / Update schema with upstream API (Proxy Only Mode)

If you’ve configured just a proxy GraphQL API, you can now keep the schema in the API definition in sync with the upstream schema by clicking the `Get latest version` button on the `Schema` tab in API Designer.

Docs [here](/nightly/api-management/graphql#syncing-gql-schema)

###### Debug logs

You can now see what responses are being returned by the data sources used while configuring a UDG (universal data graph). These can be seen by calling the `/api/debug` API or using the playground tab within API designer.

The data that will be displayed will show information on the query before and after the request to a data source happens, as follows:

Before the request is sent:

Example log message: "Query.countries: preSendHttpHook executed". Along with this message, the log entry will contain the following set of fields: Typename, Fieldname and Upstream URL.

After the request is sent:

Example log message: "Query.countries: postReceiveHttpHook executed". Along with this message, the log entry will contain the following set of fields: Typename, Fieldname, response body and status code.

Example:

`{"typename": "Query", "fielname": "countries", "response_body": "{\"data\":{}}", "status_code": 200}`

Docs [here](/nightly/api-management/graphql#graphql-playground)

##### Portal

###### GraphQL Documentation

Documentation for the GraphQL APIs that you are exposing to the portal is now available through a GraphQL Playground UI component, the same as on the playground tab of API Designer.

Also, to overcome the CORS issues that you might encounter while testing documentation pages on the portal, we have pre-filled the CORS settings section in API Designer with explicit values from the start. All you need to do is check the “Enable CORS” option.

###### Portal - API key is hidden in email

You now have the option to hide the API key in the email generated after you approve the key request for a developer.

[Docs here](/nightly/tyk-developer-portal/tyk-portal-classic/key-requests)

#### Changelog

The 3.1 version includes the fixes that are part of 3.0.1.
[https://github.com/TykTechnologies/tyk/releases/tag/v3.0.1](https://github.com/TykTechnologies/tyk/releases/tag/v3.0.1)

#### Updated Versions

* Tyk Gateway 3.1

## 3.0 Release Notes

### 3.0.0 Release Notes

#### Release Highlights

##### Version changes and LTS releases

We have bumped our major Tyk Gateway version from 2 to 3, a long overdue change as we’ve been on version 2 for 3 years. We have also changed our Tyk Dashboard major version from 1 to 3, and from now on it will always be aligned with the Tyk Gateway for major and minor releases. The Tyk Pump has also now been updated to 1.0, so we can better indicate major changes in future.

Importantly, such a big change in versions does not mean that we are going to break backward compatibility. Moreover, we are restructuring our internal release strategy to guarantee more stability and to allow us to deliver all Tyk products at a faster pace. We aim to bring more clarity to our users on the stability criteria they can expect, based on the version number.
Additionally, we are introducing Long Term Releases (also known as LTS).

Read more about these changes in our blog post: [https://tyk.io/blog/introducing-long-term-support-some-changes-to-our-release-process-product-versioning/](https://tyk.io/blog/introducing-long-term-support-some-changes-to-our-release-process-product-versioning/)

##### Universal Data Graph and GraphQL

Tyk now supports GraphQL **natively**. This means Tyk doesn’t have to use any external services or process for any GraphQL middleware. You can securely expose existing GraphQL APIs using our GraphQL core functionality.

In addition to this you can also use Tyk’s integrated GraphQL engine to build a Universal Data Graph. The Universal Data Graph (UDG) lets you expose existing services as one single combined GraphQL API.

All this without even having to build your own GraphQL server. If you have existing REST APIs, all you have to do is configure the UDG and Tyk does the work for you.

With the Universal Data Graph (UDG), Tyk becomes the central integration point for all your internal and external APIs.
It also benefits from the full set of capabilities included with your Tyk installation—meaning your data graph is secure from the start and can take advantage of a wide range of out-of-the-box middleware to power your graph.

Read more about [GraphQL](/nightly/api-management/graphql) and the [Universal Data Graph](/nightly/api-management/data-graph#overview).

##### Using external secret management services

Want to reference secrets from a KV store in your API definitions? We now have native Vault & Consul integration. You can even pull from a tyk.conf dictionary or environment variable file.

[Read more](/nightly/tyk-configuration-reference/kv-store)

##### Co-Process Response Plugins

We added a new middleware hook allowing middleware to modify the response from the upstream. Using response middleware you can transform, inspect or obfuscate parts of the response body or response headers, or fire an event or webhook based on information received by the upstream service.

At the moment the Response hook is supported for [Python and gRPC plugins](/nightly/api-management/plugins/rich-plugins#coprocess-dispatcher-hooks).

##### Enhanced Gateway health check API

The standard Health Check API response now includes information about the health of the Dashboard, Redis and MDCB connections.
You can configure notifications or load balancer rules based on the new data. For example, you can be notified if your Tyk Gateway can’t connect to the Dashboard (or even if it was working correctly with the last known configuration).

[Read More](/nightly/planning-for-production/ensure-high-availability/health-check)

##### Enhanced Detailed logging

Detailed logging is used in many cases for debugging issues. As well as enabling detailed logging globally (which can cause a huge overhead with lots of traffic), you can now enable it for a single key or for specific APIs.

The new detailed logging changes are currently available only to our Self-Managed customers.

[Read More](/nightly/api-management/troubleshooting-debugging#capturing-detailed-logs)

##### Ability to shard analytics to different data-sinks

In a multi-org deployment, each organization, team, or environment might have their preferred analytics tooling. At present, when sending analytics to the Tyk Pump, we do not discriminate analytics by org - meaning that we have to send all analytics to the same database - e.g. MongoDB. Now the Tyk Pump can be configured to send analytics for different organizations to different places. E.g. Org A can send their analytics to MongoDB + DataDog. But Org B can send their analytics to DataDog + expose the Prometheus metrics endpoint.

It also becomes possible to put a <Tooltip tip="A list of blocked or denied items or entries">blocklist</Tooltip> in place, meaning that some data sinks can receive information for all orgs, whereas others will not receive OrgA’s analytics if blocked.

This change requires updating to the new Tyk Pump 1.0.

[Read More](/nightly/api-management/tyk-pump#tyk-pump-configuration)
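
The per-organization routing and blocklist behaviour described above, modelled as an added Go example (not Tyk Pump's code or configuration schema). The `Sink` type, its `Allow`/`Block` fields and the sink names are hypothetical, and the sample data is constructed.

```go
package main

import "fmt"

// Sink is a hypothetical model of one analytics destination and its per-org
// filter; it is not Tyk Pump's configuration schema.
type Sink struct {
	Name  string
	Allow map[string]bool // empty: every org is accepted unless blocked
	Block map[string]bool // blocklist entries always win over Allow
}

// Accepts reports whether a record for orgID may be written to this sink.
func (s Sink) Accepts(orgID string) bool {
	if s.Block[orgID] {
		return false
	}
	return len(s.Allow) == 0 || s.Allow[orgID]
}

// Route returns, in configuration order, the sinks that receive orgID's records.
func Route(sinks []Sink, orgID string) []string {
	out := []string{}
	for _, s := range sinks {
		if s.Accepts(orgID) {
			out = append(out, s.Name)
		}
	}
	return out
}

// SampleSinks is constructed data mirroring the Org A / Org B case above.
func SampleSinks() []Sink {
	return []Sink{
		{Name: "mongodb", Allow: map[string]bool{"orgA": true}},
		{Name: "datadog", Allow: map[string]bool{"orgA": true, "orgB": true}},
		{Name: "prometheus", Allow: map[string]bool{"orgB": true}},
		{Name: "archive", Block: map[string]bool{"orgA": true}},
	}
}

func main() {
	for _, org := range []string{"orgA", "orgB", "orgC"} {
		fmt.Println(org, "->", Route(SampleSinks(), org))
	}
}
```

Checking the routing table this way before deployment confirms that no organization's analytics reach a sink that another tenant can read.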

##### 404 Error logging - unmatched paths

Concerned that clients are getting a 404 response? Could it be that the API definition or URL rewrites have been misconfigured? Telling Tyk to track 404 logs will cause the Tyk Gateway to produce error logs showing that a particular resource has not been found.

The feature can be enabled by setting the config `track_404_logs` to `true` in the gateway's config file.

#### Changelog

##### Fixes

* Fixed a bug where tokens created with a non-empty quota and quota expiration set to `Never` were treated as having unlimited quota. Such tokens will now stop working once the initial quota is reached.

#### Updated Versions

* Tyk Gateway 3.0
* Tyk Pump 1.0

#### Upgrading From Version 2.9

No specific actions required.
If you are upgrading from version 2.8, please [read this guide](/nightly/developer-support/release-notes/archived#2-9-0-release-notes)

## Further Information

### Upgrading Tyk

Please refer to the [upgrading Tyk](/nightly/developer-support/upgrading) page for further guidance on the upgrade strategy.

### API Documentation

* [OpenAPI Document](/nightly/tyk-dashboard-api)
* [Postman Collection](https://www.postman.com/tyk-technologies/workspace/tyk-public-workspace/overview)

### FAQ

Please visit our [Developer Support](/nightly/developer-support/community) page for further information relating to reporting bugs, upgrading Tyk, technical support and how to contribute.
