Plugin Types

Last updated: 2 minutes read.

Custom Plugins enable users to execute custom code to complete tasks specific to their particular use case. This allows users to complete tasks that would not otherwise be possible using Tyk’s standard middleware options. Tyk has a pre-defined execution order for the middleware which also includes seven hooks for the custom plugins. As such, users can execute, or “hook”, their plugin in these phases of the API request/response lifecycle based on their specific use case.

Plugin and Hook Types

This table includes all the plugin types with the relevant hooks, their place in the execution chain, description and examples:

Hook Type (in their execution order) Plugin Type HTTP Request/Response phase Executed before/after reverse proxy to the upstream API Details Common Use Cases
Pre (Request) Request Plugin HTTP request Before The first thing to be executed, before any middleware IP Rate Limit plugins, API Request enrichment
Authentication Authentication Plugin HTTP request Before Replaces Tyk’s authentication & authorization middleware with your own business logic When you need your a custom flow, for example, interfacing with legacy Auth database
Post-Auth (Request) Authentication Plugin HTTP request Before Executed immediately after authentication middleware Additional special custom authentication is needed
Post (Request) Request Plugin HTTP request Before The final middleware to be executed during the HTTP request phase (see Note below) Update the request before it gets to the upstream, for example, adding a header that might override another header, so we add it at the end to ensure it doesn’t get overridden
Response Plugin Response Plugin HTTP Response After Executed after the reverse proxy to the upstream API Executed straight after the reverse proxy returns from the upstream API to Tyk
Analytics Plugin (Request+Response) Analytics Plugin HTTP request After The final middleware to be executed during the HTTP response phase Change analytics records, for example, obfuscating sensitive data such as the Authorization header


There are two different options for the Post Plugin that is executed at the end of the request processing chain. The API-level Post Plugin is applied to all requests, whilst the endpoint-level custom Golang plugin is only applied to requests made to specific endpoints. If both are configured, the endpoint-level plugin will be executed first.