Availability
| Component | Version | Edition |
|---|---|---|
| Gateway | Available since v5.12.0 | All |

To inspect the gateway’s live configuration without SSH access, you can enable configuration inspection endpoints on the Control API port.
Configuration Inspection Endpoints
Gateway offers two endpoints for configuration inspection:
| Endpoint | Query Parameter | Description |
|---|---|---|
| GET /config | field=<path> (optional) | Returns the full gateway configuration, or a single field if field is specified |
| GET /env | env=<VAR> (optional) | Returns all environment variable mappings, or a single mapping if env is specified |

Both endpoints are available on the Control API port and require authentication via the X-Tyk-Authorization header. Requests without this header return HTTP 403.
Enable Configuration Inspection
By default, configuration inspection endpoints are disabled to prevent accidental exposure of sensitive information. When disabled, all configuration inspection endpoints return HTTP 404.
To enable it, set enable_config_inspection to true in your tyk.conf or use the equivalent environment variable.
In production environments, we recommend keeping configuration inspection disabled.
Configuration File
{
"enable_config_inspection": true
}
Environment Variable
TYK_GW_ENABLECONFIGINSPECTION=true
Examples
Inspect Full Gateway Configuration
curl -H "X-Tyk-Authorization: $TYK_GW_SECRET" http://localhost:8080/config
Response:
{
"hostname": "",
"listen_address": "",
"listen_port": 8080,
"control_api_hostname": "",
"control_api_port": 0,
"secret": "*REDACTED*",
"node_secret": "*REDACTED*",
"pid_file_location": "./tyk-gateway.pid",
"allow_insecure_configs": true,
"public_key_path": "",
"allow_remote_config": true,
"enable_config_inspection": true,
"security": {
}
...
}
Inspect a Single Config Field
To retrieve the value of a specific configuration field, use the field query parameter with the field name:
curl -H "X-Tyk-Authorization: $TYK_GW_SECRET" \
"http://localhost:8080/config?field=listen_port"
Response:
{
"config_field": "listen_port",
"env": "TYK_GW_LISTENPORT",
"value": "8080",
"obfuscated": false
}
Sensitive Field Redaction
Fields that contain secrets (for example, secret, passwords, and connection strings) are automatically shown as *REDACTED* in all responses. The obfuscated field in the response indicates whether the value has been redacted.
{
"config_field": "secret",
"env": "TYK_GW_SECRET",
"value": "*REDACTED*",
"obfuscated": true
}
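The status codes and redaction behaviour described above can be turned into a posture check. This is an added example, not code from the gateway project; the function names, the key-name hints and the sample response (including the `example_store` block) are assumptions constructed for illustration.

```python
import urllib.error
import urllib.request

REDACTED = "*REDACTED*"
# Assumption: key-name hints for fields that should never appear in clear text.
SENSITIVE_HINTS = ("secret", "password", "connection_string")

def probe_unauthenticated(base_url, path="/config", timeout=5):
    """Return the HTTP status of a request sent without X-Tyk-Authorization."""
    try:
        with urllib.request.urlopen(base_url + path, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # 403 and 404 arrive here as exceptions

def inspection_state(status):
    """Map the unauthenticated status code to the states the page describes."""
    if status == 404:
        return "disabled"               # enable_config_inspection is off
    if status == 403:
        return "enabled-auth-required"  # endpoint is live, header was missing
    return "unexpected"                 # e.g. 200 with no credential: investigate

def unredacted_fields(node, path=""):
    """Walk a /config response and list sensitive-looking keys shown in clear."""
    findings = []
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}" if path else key
            if isinstance(value, (dict, list)):
                findings += unredacted_fields(value, here)
            elif (isinstance(value, str) and value not in ("", REDACTED)
                  and any(hint in key.lower() for hint in SENSITIVE_HINTS)):
                findings.append(here)
    elif isinstance(node, list):
        for index, item in enumerate(node):
            findings += unredacted_fields(item, f"{path}[{index}]")
    return findings

# Constructed sample, not captured from a gateway; "example_store" is a
# hypothetical block with one clear-text value to exercise the check.
SAMPLE = {
    "listen_port": 8080, "secret": REDACTED, "node_secret": REDACTED,
    "example_store": {"password": "constructed-clear-value",
                      "replicas": [{"db_password": ""}, {"db_password": REDACTED}]},
}

if __name__ == "__main__":
    print(inspection_state(404), unredacted_fields(SAMPLE))
```

In a production check, `inspection_state(probe_unauthenticated(...))` should report `disabled`; run `unredacted_fields` over any saved `/config` output before attaching it to a ticket.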
Inspect Environment Variables
To view all environment variable mappings:
curl -H "X-Tyk-Authorization: $TYK_GW_SECRET" http://localhost:8080/env
Gateway will only return environment variables that are prefixed with TYK_GW_.
Response:
[
"TYK_GW_ENABLECONFIGINSPECTION=true",
"TYK_GW_EXPERIMENTALPROCESSORGOFFTHREAD=false",
"TYK_GW_GRACEFULSHUTDOWNTIMEOUTDURATION=0",
"TYK_GW_CONTROLAPIPORT=0",
"TYK_GW_TEMPLATEPATH=./templates",
"TYK_GW_SSLFORCECOMMONNAMECHECK=false",
"TYK_GW_ENABLEBUNDLEDOWNLOADER=false",
"TYK_GW_JSVMTIMEOUT=0",
"TYK_GW_FORCEGLOBALSESSIONLIFETIME=false",
"TYK_GW_DISABLEDASHBOARDZEROCONF=false",
"TYK_GW_MANAGEMENTNODE=false",
...
]