Skip to main content
Open Source (Mozilla Public License) This page contains all release notes for Gateway displayed in a reverse chronological order

Support Lifetime

Our minor releases are supported until our next minor comes out.

5.10 Release Notes

5.10.0 Release Notes

Release Date 13th October 2025

Release Highlights

For a comprehensive list of changes, please refer to the detailed changelog.
OpenAPI Compliant Multi-Authentication for Tyk OAS APIs
Tyk Gateway now supports true OpenAPI specification compliant authentication workflows, giving developers the flexibility to implement industry-standard security patterns while maintaining backward compatibility. OpenAPI compliant authentication brings:
  • Multiple authentication paths: Process all entries in the OpenAPI security section, not just the first one
  • Flexible security combinations: Enable authentication scenarios like “OAuth2 OR Auth Token” where clients can choose their preferred method
  • Proprietary method integration: Seamlessly combine standard OpenAPI authentication with Tyk’s proprietary methods (Custom Authentication plugin, HMAC) using the same flexible logic
  • Standards compliance: Follow OpenAPI security specification patterns that developers expect
Backward compatibility guaranteed:
  • Legacy mode preserved: Existing APIs continue to work unchanged with the current AND-only logic
  • Opt-in enhancement: Switch to compliant mode via the securityProcessingMode configuration when ready
  • No breaking changes: Existing multi-security configurations remain functional
Real-world applications
  • Support diverse client authentication capabilities within the same API
  • Implement progressive authentication strategies (basic → advanced security)
  • Align with OpenAPI tooling and documentation expectations
  • Reduce integration complexity for API consumers
Perfect for organizations wanting to leverage standard OpenAPI security patterns while maintaining the flexibility of Tyk’s advanced authentication features. For more details, please see the dedicated Multi Auth section.
Comprehensive JWT Claim Validation for Tyk OAS APIs
Tyk Gateway now provides enterprise-grade JWT validation capabilities exclusively for Tyk OAS APIs, enabling complete control over token validation beyond basic expiry and signature checks. Complete registered claim validation
  • Multi-Identity Provider support: Validate issuer, audience, and subject claims against multiple allowed values
  • Flexible claim mapping: Configure different claim names for subject, policy, and scope mapping to support various Identity Providers (Keycloak, Okta, Auth0, etc.) within the same API
  • JWT ID enforcement: Require unique token identifiers for enhanced security
Advanced custom claim validation
  • Flexible validation rules: Define validation for any JWT claim using required, exact match, or containment rules
  • Rich data type support: Handle strings, numbers, booleans, and arrays with nested claim access using dot notation
  • Non-blocking validation: Monitor claim compliance without rejecting requests, perfect for gradual policy enforcement
Real-world applications
  • Role-based access control with custom permission claims
  • Department or organization-based API access restrictions
  • Multi-tenant scenarios with flexible claim validation
  • Gradual migration from legacy authentication systems
This enhancement makes Tyk’s JWT middleware the primary validation mechanism for complex enterprise authentication scenarios, providing the flexibility needed for modern Identity Provider integrations while maintaining backward compatibility. Ideal for organizations that require sophisticated JWT validation beyond standard token checks. For more details, please see the dedicated JWT Auth section.
Advanced JWKS Cache Management for Tyk OAS APIs
Tyk Gateway now provides comprehensive JWKS (JSON Web Key Set) cache control for Tyk OAS APIs, delivering significant performance improvements and operational flexibility for JWT validation workflows with:
  • Configurable cache timeouts: Set custom cache durations per Identity Provider to match their key rotation schedules
  • On-demand cache invalidation: Instantly refresh cached keys for any API (Classic or OAS) when Identity Providers rotate their signing keys
  • Intelligent pre-fetching: Eliminate first-request latency by fetching JWKS data during Tyk OAS API initialization
Key benefits
  • Faster JWT validation with reduced Identity Provider round-trips
  • Zero cold-start delays for JWT-protected endpoints
  • Immediate response to Identity Provider key rotations
  • Better performance in high-traffic JWT validation scenarios
This enhancement is particularly valuable for organizations migrating to Tyk OAS APIs or those requiring consistent low-latency JWT validation performance with multiple Identity Providers that have different key rotation policies. For more details, please see the JWT Auth section.
Centralized External Service Configuration
Tyk Gateway now provides unified configuration for all external service connections through the new external_services section. This enhancement brings together previously scattered and incomplete configuration options into a single, coherent system that supports:
  • Proxy configuration: Apply proxy settings globally or per service, with automatic support for standard environment variables (HTTP_PROXY, HTTPS_PROXY, NO_PROXY)
  • mTLS certificate management:Centralized certificate configuration for secure connections to external services
  • Comprehensive service coverage: Covers all external integrations, including databases, OAuth providers, and webhook endpoints
This improvement simplifies deployment in enterprise environments where proxy servers and certificate management are critical, while maintaining full backward compatibility with existing configurations. Key benefits
  • Reduced configuration complexity and duplication
  • Better security through centralized certificate management
  • Simplified proxy configuration for containerized deployments
  • Consistent external service connection handling across all Tyk components
For more details, please see the dedicated section.
Proactive Certificate Expiry Monitoring
Tyk Gateway now automatically monitors certificate health and proactively alerts administrators before certificates expire, helping prevent service outages caused by expired mTLS certificates. The new certificate monitoring system provides:
  • Early warning notifications: Configurable alerts when certificates approach expiry (default: 30 days)
  • Immediate expiry detection: Real-time notifications when expired certificates are detected in use
  • Comprehensive coverage: Monitors certificates used in both client-to-Gateway and Gateway-to-upstream connections
  • Smart throttling: Built-in cooldown mechanisms prevent alert flooding while ensuring visibility
These events integrate seamlessly with existing monitoring and alerting systems through Tyk’s standard event framework, enabling teams to set up automated workflows for certificate renewal and replacement. Key benefits
  • Prevent unexpected API outages due to expired certificates
  • Reduce manual certificate monitoring overhead
  • Enable proactive certificate lifecycle management
  • Improve overall API reliability and uptime
Perfect for organizations managing multiple certificates across complex API infrastructures where manual tracking becomes impractical. For more details, please see the dedicated Gateway events section.

Breaking Changes

There are no breaking changes in this release.

Dependencies

Compatibility Matrix For Tyk Components
Gateway VersionRecommended ReleasesBackwards Compatibility
5.10.0MDCB v2.8.5MDCB v2.8.5
Operator v1.2.0Operator v0.17
Sync v2.1.3Sync v2.1.0
Helm Chart v4.0Helm all versions
Pump v1.12.2Pump all versions
3rd Party Dependencies & Tools
Third Party DependencyTested VersionsCompatible VersionsComments
Go1.241.24Go plugins must be built using Go 1.24
Redis6.2.x, 7.x, 7.4.x6.2.x, 7.x, 7.4.x
Valkey7.2.x, 8.0.x, 8.1.x7.2.x, 8.0.x, 8.1.x
OpenAPI Specificationv3.0.xv3.0.xSupported by Tyk OAS
Given the potential time difference between your upgrade and the release of this version, we recommend users verify the ongoing support of third-party dependencies they install, as their status may have changed since the release.

Deprecations

There are no deprecations in this release.

Upgrade instructions

If you are upgrading to 5.10.0, please follow the detailed upgrade instructions.

Downloads

Please note that the Tyk Helm Charts are configured to install the LTS version of Tyk Gateway. You will need to modify them to install v5.10.0.

Changelog

Added
Added OpenAPI Specification compliant multi-authentication support for Tyk OAS APIs, providing flexible authentication workflows that follow standard OpenAPI security patterns.Compliant mode (new)
  • Processes all entries in the OpenAPI security section sequentially, not just the first entry
  • Supports a local security section in the Tyk vendor extension for proprietary authentication methods (Custom Authentication plugin, HMAC)
  • Uses AND logic within each security entry and OR logic between entries, enabling flexible authentication combinations such as: OAuth2 OR Auth Token
  • Allows clients to authenticate using any of the defined security combinations
Legacy mode (existing behavior)
  • Continues to use only the first entry from the OpenAPI security section
  • Combines all declared methods with proprietary vendor extension methods using AND logic
  • Requires clients to satisfy ALL authentication methods
The authentication processing mode is controlled by the new server.authentication.securityProcessingMode field in the Tyk Vendor Extension, with legacy as the default to ensure backward compatibility. In compliant mode, proprietary authentication methods are configured in the new server.authentication.security section within the vendor extension, following the same array structure as the OpenAPI security section. This prevents breaking changes for existing API definitions that contain multiple entries in the security section but were designed for legacy processing behavior.
Tyk OAS APIs now support comprehensive validation of JWT registered claims, extending beyond basic token validation to provide complete access control capabilities. This enhancement includes:Registered claim validation
  • Subject, issuer, and audience validation: Validate tokens against allowed values with support for multiple entries per claim type
  • JWT ID enforcement: Require presence of unique token identifiers (jti) when needed
  • Flexible claim mapping: Configure different claim names for subject, base policy, and scope-to-policy mapping to support multiple Identity Providers within the same API setup (e.g., Keycloak’s scope vs Okta’s scp)
Custom claim validation framework
  • Flexible validation rules: Define validation for any custom JWT claim using three rule types: required (claim must exist), exact_match (claim equals specific values), or contains (claim contains specific values)
  • Advanced data support: Handle string, number, boolean, and array data types with nested claim access using dot notation (e.g., user.department)
  • Non-blocking validation: Configure rules to log warnings instead of rejecting requests for monitoring and gradual enforcement scenarios
These features enable advanced use cases, such as role-based access control, department validation, and custom permission schemes, while maintaining backward compatibility with existing JWT configurations.Note: Available only for Tyk OAS APIs and configured directly in the API definition via the Tyk Vendor Extension.
Enhanced the JWKS (JSON Web Key Set) caching system with three key improvements to reduce latency and provide better control over JWT validation:Configurable cache timeout - Tyk OAS APIs can now specify custom cache timeout values for JWKS endpoints in their JWT validation configuration, allowing fine-tuned control over cache refresh intervals based on Identity Provider requirements.
  • Cache invalidation API - Administrators can now manually invalidate JWKS cache entries via new Gateway API endpoints (DELETE /tyk/cache/jwks/{apiID} and DELETE /tyk/cache/jwks), either targeting specific APIs or purging all cached JWKS data. This enables immediate cache refresh when Identity Provider keys are rotated.
  • Automatic pre-fetching - For Tyk OAS APIs, JWKS data is now automatically fetched and cached when API definitions are loaded, eliminating cold-start delays for JWT validation. Pre-fetching includes comprehensive logging of fetch attempts and results, and failures do not prevent API initialization.
Note: For Tyk Classic APIs, JWKS caching behavior remains unchanged with on-demand fetching during token validation using the default cache timeout (60 seconds). Cache invalidation via the new API endpoints works for both Classic and OAS APIs.These enhancements improve JWT validation performance for Tyk OAS APIs and provide administrators with better tools for managing JWKS cache lifecycle when Identity Provider keys change.
Added a new external_services section in the Gateway configuration to provide centralized configuration for proxy settings and mTLS certificates when communicating with external services. This includes connections to persistent and temporal storage, OAuth 2.0 Authorization Servers, and webhook targets.Tyk Gateway can now apply proxy settings from standard environment variables (HTTP_PROXY, HTTPS_PROXY, NO_PROXY) or use the new granular configuration options. All existing configuration methods remain supported, including legacy options such as jwt_ssl_insecure_skip_verify and http_proxy.
Introduced a proactive event system to warn administrators when mTLS certificates are approaching expiry. The Gateway now emits two new API events to provide visibility into certificate status:
  • CertificateExpiringSoon - Generated when a certificate is used in an API request (either client-to-Gateway or Gateway-to-upstream) within a configurable time period of its expiry date
  • CertificateExpired - Generated when an attempt is made to use an already expired certificate, in addition to the standard error response sent to the API client
A cooldown mechanism prevents event flooding by throttling the generation of these notifications. The threshold for the CertificateExpiringSoon event and cooldown parameters are configured in the Gateway configuration:
"security": {
  "certificate_expiry_monitor": {}
}
The default threshold is 30 days before expiry.
Changed
Fixed
Fixed an issue where sending certain unexpected query parameters to the GET /tyk/apis/oas/{id} endpoint could cause a panic.
Fixed an issue where importing an OpenAPI description with an apiKey security scheme, while using the authentication query parameter, resulted in the unnecessary generation of a header object within the Tyk Vendor Extension (x-tyk-api-gateway), duplicating information already present in the declared OpenAPI security scheme.
Fixed an issue where Tyk OAS mock response middleware failed to execute when internal API proxying was enabled. Mock responses configured in the target API are now correctly returned when a request is redirected to another API on the same Tyk Gateway instance via internal looping.
Fixed an issue where CORS settings from the base API were incorrectly applied to all versions of a Tyk OAS API, preventing child API versions from using their own CORS configuration. This occurred because the CORS check was performed before the request was routed to the correct API version.The processing order has been corrected so that requests are first routed to the appropriate version (base or child), then the correct CORS settings are applied, allowing each API version to have its own CORS configuration.
Fixed an issue where Response Body Transformation middleware failed to apply to endpoints that used URL rewrite with regex patterns. When the endpoint path contained regex metacharacters (e.g., $, ^, (), []), these characters interfered with the body transformation’s internal pattern-matching process, preventing the middleware from executing.
Resolved an issue where the Gateway automatically converted Readable Duration values (such as uptime test timeouts) in Tyk OAS API definitions from integer-based formats to decimal formats, which triggered schema validation warnings. The effect of this was seen in the Tyk OAS API editor in the Dashboard UI where, for example, a duration of ‘4s500ms’ would be converted to ‘4.5s’ when reopening an API definition.Duration values are now consistently serialized and maintained in their original, integer-based format, preventing these validation errors.
Fixed an issue where Tyk Gateway did not properly apply the configured TLS settings when connecting to Redis for rate limiting operations. This could result in connection failures and incorrect HTTP 429 Too Many Requests responses being returned to clients. The rate limiter now correctly establishes TLS connections to Redis.
Fixed a bug where deleting an API with the Uptime Test feature enabled could cause the Gateway to crash due to a nil pointer dereference during cleanup operations. The Gateway now properly handles memory cleanup when removing APIs with active uptime tests, preventing crashes and ensuring stable API lifecycle management.
Fixed an issue where Gateways could fail to re-register with the Dashboard after a restart, particularly during upgrades or in large-scale deployments. This resulted in Authorization failed (Nonce empty) errors and Gateway crash loops that prevented successful registration.The fix includes an updated license handler with hardened registration logic, enhanced Dashboard authentication retry mechanisms, and support for new “Unlimited Gateway” licenses, ensuring Gateways register reliably without entering failure loops even during heavy churn or rolling upgrades.
Fixed an issue that caused repeated Body decompression error: EOF log messages when analytics were enabled for GraphQL APIs. The problem occurred because the Gateway attempted to decompress the response body after it had already been consumed for analytics processing, resulting in End of File (EOF) errors.The Gateway now properly handles response body consumption for GraphQL APIs with analytics, eliminating the spurious error logs.
Fixed an issue where users could create child Tyk OAS API versions using the /tyk/apis/oas endpoint without specifying a valid version name (new_version_name). The Gateway API now rejects such requests with an HTTP 422 Unprocessable Entity error, ensuring all versions have meaningful identifiers and preventing the creation of unusable or empty version entries.
Fixed an issue where updating a Tyk OAS API via PATCH /tyk/apis/oas/{apiId} did not properly update the Tyk Vendor Extension (x-tyk-api-gateway). When endpoints were removed or modified in the OpenAPI description, their corresponding middleware definitions could persist incorrectly in the vendor extension, leaving the API definition in an inconsistent state.The vendor extension is now correctly rebuilt to reflect all changes made to the OpenAPI description.

5.9 Release Notes

5.9.2 Release Notes

Release Date 5th September 2025

Release Highlights

This is a version bump to align with Dashboard v5.9.2, no changes have been implemented in this release. For further information, please see the release notes for Dashboard v5.9.2.

Breaking Changes

There are no breaking changes in this release.

Dependencies

Compatibility Matrix For Tyk Components
Gateway VersionRecommended ReleasesBackwards Compatibility
5.9.2MDCB v2.8.4MDCB v2.8.4
Operator v1.2.0Operator v0.17
Sync v2.1.3Sync v2.1.0
Helm Chart v4.0Helm all versions
Pump v1.12.1Pump all versions
3rd Party Dependencies & Tools
Third Party DependencyTested VersionsCompatible VersionsComments
Go1.231.23Go plugins must be built using Go 1.23
Redis6.2.x, 7.x, 7.4.x6.2.x, 7.x, 7.4.x
Valkey7.2.x, 8.0.x, 8.1.x7.2.x, 8.0.x, 8.1.x
OpenAPI Specificationv3.0.xv3.0.xSupported by Tyk OAS
Given the potential time difference between your upgrade and the release of this version, we recommend users verify the ongoing support of third-party dependencies they install, as their status may have changed since the release.

Deprecations

There are no deprecations in this release.

Upgrade instructions

If you are upgrading to 5.9.2, please follow the detailed upgrade instructions.

Downloads

Changelog

Since this release was version-bumped only to align with Dashboard v5.9.2, no changes were encountered in this release.

5.9.1 Release Notes

Release Date 14th August 2025

Release Highlights

This release restores the stable /hello health-check behavior for Kubernetes probes. Deployments using /hello for liveness or readiness will now behave consistently again. It also fixes a schema compatibility issue in the URL Rewrite middleware, ensuring that API promotion and validation flows no longer fail due to schema mismatches. For a comprehensive list of changes, please refer to the detailed changelog.

Breaking Changes

There are no breaking changes in this release.

Dependencies

Compatibility Matrix For Tyk Components
Gateway VersionRecommended ReleasesBackwards Compatibility
5.9.1MDCB v2.8.3MDCB v2.8.3
Operator v1.2.0Operator v0.17
Sync v2.1.2Sync v2.1.0
Helm Chart v4.0Helm all versions
Pump v1.12.0Pump all versions
3rd Party Dependencies & Tools
Third Party DependencyTested VersionsCompatible VersionsComments
Go1.231.23Go plugins must be built using Go 1.23
Redis6.2.x, 7.x, 7.4.x6.2.x, 7.x, 7.4.x
Valkey7.2.x, 8.0.x, 8.1.x7.2.x, 8.0.x, 8.1.x
OpenAPI Specificationv3.0.xv3.0.xSupported by Tyk OAS
Given the potential time difference between your upgrade and the release of this version, we recommend users verify the ongoing support of third-party dependencies they install, as their status may have changed since the release.

Deprecations

There are no deprecations in this release.

Upgrade instructions

If you are upgrading to 5.9.1, please follow the detailed upgrade instructions.

Downloads

Changelog

Fixed

5.9.0 Release Notes

Release Date 4th August 2025

Release Highlights

This release builds on the recent release of Tyk 5.8.3, adding a collection of new capabilities. For a comprehensive list of changes, please refer to the detailed changelog.
Accept JSON Web Tokens (JWTs) Issued By Multiple Identity Providers
Tyk can now validate JWTs against multiple JSON Web Key Set (JWKS) endpoints, allowing you to use different IdPs to issue JWTs for the same API. Previously, we supported only a single JWKS endpoint in the source field, but now you can register multiple JWKS endpoints in the Tyk OAS API definition. When a request is received bearing a JWT, Tyk will retrieve JWKS from all registered IdPs to check the token’s validity, for full details of how to use this powerful feature see the improved JWT Authentication section. Please note that this functionality is not available for Tyk Classic APIs.
Compatibility with Valkey
Tyk is now fully compatible with Valkey, the open-source (BSD) high-performance key/value datastore backed by the Linux Foundation, as an alternative to Redis.
Enhancements to Tyk Streams for Enterprise Edition
We’ve added support for additional processors, inputs and outputs for Tyk Streams event driven APIs, extending the flexibility of this powerful feature.

Breaking Changes

1. Modified /hello endpoint behavior affects kubernetes deployments In Tyk Gateway version 5.9.0, we introduced a breaking change to the /hello health check endpoint behavior. Previously, this endpoint would always return HTTP 200 during normal operations, regardless of Redis connectivity. The change made the endpoint return HTTP 503 when Redis was unavailable (which shouldn’t be the case), which caused issues for Kubernetes deployments using this endpoint for liveness probes.
Impact
  • Kubernetes pods may be unnecessarily terminated when Redis becomes temporarily unavailable
  • Deployments using /hello for both liveness and readiness probes experience disruption
  • This contradicts the documented behavior that the Gateway continues functioning when Redis is unavailable
Expected Fix Version
This issue will be fixed in Tyk Gateway version 5.9.1, where we will:
  • Revert the /hello endpoint to its pre-5.8.3 behavior (always return HTTP 200 during normal operations)
  • Ensure backward compatibility for existing Kubernetes deployments
2. URL rewrite rules now require explicit negate field A breaking change has been identified in Tyk 5.9.0 regarding URL rewrite rules. The negate field, which was optional in previous versions, is now mandatory in all URL rewrite rule configurations.
What Changed
In Tyk 5.8.2 and earlier, the negate field in URL rewrite rules included an omitempty tag, making it optional in JSON. If not provided, it would default to false In Tyk 5.9.0, this omitempty tag has been removed, making the negate field mandatory in all URL rewrite rule configurations.
Impact
API definitions that worked in Tyk 5.8.2 will fail validation in Tyk 5.9.0 if they contain URL rewrite rules without an explicit negate field. This may cause API updates, or promotion between environments failures between environments with error messages similar to: 
Error: API Updating Returned error: {
  "Status": "Error",
  "Message": "x-tyk-api-gateway.middleware.operations.(.*)OPTIONS.urlRewrite.triggers.0.rules.0: negate is required"
}
Workarounds
When using Tyk 5.9.0, you must explicitly include the negate field in all URL rewrite rules: 
{
  "rules": [
    {
      "in": "header",
      "name": "x-example",
      "pattern": "test",
      "negate": false  // This field is now required
    }
  ]
}
Set negate: false for standard matching behavior, or negate: true
Expected fix version
This issue will be fixed in Tyk 5.9.1, where we’re going to make negate field optional again.

Dependencies

Compatibility Matrix For Tyk Components
Gateway VersionRecommended ReleasesBackwards Compatibility
5.9.0MDCB v2.8.2MDCB v2.8.2
Operator v1.2.0Operator v0.17
Sync v2.1.2Sync v2.1.0
Helm Chart v4.0Helm all versions
Pump v1.12.0Pump all versions
3rd Party Dependencies & Tools
Third Party DependencyTested VersionsCompatible VersionsComments
Go1.231.23Go plugins must be built using Go 1.23
Redis6.2.x, 7.x, 7.4.x6.2.x, 7.x, 7.4.x
Valkey7.2.x, 8.0.x, 8.1.x7.2.x, 8.0.x, 8.1.x
OpenAPI Specificationv3.0.xv3.0.xSupported by Tyk OAS
Given the potential time difference between your upgrade and the release of this version, we recommend users verify the ongoing support of third-party dependencies they install, as their status may have changed since the release.

Deprecations

There are no deprecations in this release.

Upgrade instructions

If you are upgrading to 5.9.0, please follow the detailed upgrade instructions.

Downloads

Changelog

Added
Added compatibility with Valkey database as an alternative to Redis. This is for fresh environments, with no migration support from Redis.
Added support for configuration of multiple JWKS (JSON Web Key Set) endpoints in the Tyk OAS API definition. This enables the Gateway to authenticate JSON Web Tokens (JWTs) in multi-identity provider environments. The JWKS endpoints are configured in the new jwksURIs array in the JWT Auth securityScheme. This will take precedence over the existing source field, and existing API definitions will be automatically migrated to use the new field, while maintaining backward compatibility in case of rollback.
Enabled configuration for GraphQL SSE subscriptions to use POST requests instead of GET, addressing compatibility issues with upstream servers that require POST. We’ve added a new option proxy.sse_use_post which can be set if proxy.subscription_type=sse to cause Tyk to issue POST requests. This allows for larger subscription payloads and keeps the subscription payload out of the URL.
Added support for AMQP (0.9 and 1.0) and MQTT to be used for input and output methods when constructing Tyk Streams APIs.
Added support for Bloblang to be used as a new processor option for Tyk Streams APIs.
Added the missing KeyID field to the coprocess SessionState proto, allowing gRPC plugins to access it and aligning it with the Go SessionState struct. This enables full feature parity for custom authentication and session management in gRPC plugins.
Changed

5.8 Release Notes

5.8.7 Release Notes

Release Date 29 October 2025

Release Highlights

This patch release contains various bug fixes. For a comprehensive list of changes, please refer to the detailed changelog.

Breaking Changes

There are no breaking changes in this release.

Dependencies

Compatibility Matrix For Tyk Components
Gateway VersionRecommended ReleasesBackwards Compatibility
5.8.7MDCB v2.8.5MDCB v2.8.5
Operator v1.2.0Operator v0.17
Sync v2.1.4Sync v2.1.1
Helm Chart v4.0Helm all versions
EDP v1.14.1EDP all versions
Pump v1.13.0Pump all versions
TIB (if using standalone) v1.7.0TIB all versions
3rd Party Dependencies & Tools
Third Party DependencyTested VersionsCompatible VersionsComments
Go1.241.24Go plugins must be built using Go 1.24
Redis6.2.x, 7.x6.2.x, 7.xUsed by Tyk Gateway
OpenAPI Specificationv3.0.xv3.0.xSupported by Tyk OAS
Given the potential time difference between your upgrade and the release of this version, we recommend users verify the ongoing support of third-party dependencies they install, as their status may have changed since the release.

Deprecations

There are no deprecations in this release.

Upgrade instructions

If you are upgrading to 5.8.7, please follow the detailed upgrade instructions.

Downloads

Changelog

Fixed
Fixed an issue where Custom Authentication could fall back to a previously configured alternative authentication method if the custom plugin bundle was not loaded. Now this is treated as for any other failed plugin load, and requests to the API will be rejected with HTTP 500 Internal Server Error to prevent access to an improperly configured endpoint.
Fixed an issue where sending certain unexpected query parameters to the Gateway’s GET /tyk/apis/oas/{apiID} endpoint could cause a panic instead of returning a proper HTTP 400 Bad Request response. The Gateway now handles unexpected query parameters gracefully without crashing, improving system stability and providing appropriate error responses to clients.
Fixed an issue where the Gateway would load and attempt to use plugin bundles even when the manifest file was invalid or missing. The Gateway now properly validates bundle manifests and fails safely by rejecting API requests when bundles cannot be properly loaded or verified.This prevents risks from corrupted or tampered bundles and ensures that APIs with invalid plugin configurations are not accessible, maintaining the integrity of authentication and authorization checks implemented by plugins.
Fixed an issue where keys could remain deactivated when a policy applied to them was changed from draft to active status. When an access key/token is presented to Tyk in a request, policies linked to the key will be applied, configuring the authorization for that request. If any policy is in draft state, the key will be rejected.Toggling the policy to the active state should activate any keys to which the policy is applied. Previously, if the policy had never been applied when it was in draft state, there was an issue where keys would incorrectly be marked as inactive. This has now been resolved, and the policy state is correctly mapped to keys.
Added a new configuration option, HttpServerOptions.MaxResponseBodySize to limit the maximum size of the response bodies processed during any response body transformations. When the limit is exceeded, the Gateway returns HTTP 500 Response Body Too Large instead of attempting to process the oversized content.
Fixed an issue where plugin loading failure errors were ignored for gRPC, Python, and Lua plugins, allowing API requests to be processed even when plugins failed to load. The Gateway now properly validates plugin drivers during request processing and fails safely by returning HTTP 500 Internal Server Error when any plugin fails to load, ensuring consistent behavior across all plugin types.
Tyk Gateway now validates all file paths in zip bundles before extraction, rejecting bundles that contain invalid paths. Bundle extraction fails immediately upon detecting invalid paths, with detailed error logging, ensuring that only proper bundles with valid relative paths are processed.
Fixed an issue where a Tyk Classic API with inconsistent versioning configuration would process requests using a random version’s configuration.A non-versioned API should:
  • Contain a single entry in version_data.versions with the API configuration.
  • Have the version_data.not_versioned flag set to true.
Previously, if multiple entries existed in the version_data.versions array while not_versioned was set to true, the Gateway would randomly select one of those versions to process incoming requests.New behavior:When version_data.not_versioned is set to true and multiple versions are present, Tyk now deterministically selects the configuration for the default version instead of picking one at random.Tyk determines the default version as follows:
  • First, it looks for an entry named "Default".
  • If not found, it checks for "default".
  • If neither exists, it checks for an entry with an empty string key ("").
  • If none of these are found, Tyk returns an error, indicating a misconfigured non-versioned API.
Fixed an issue where the mock response middleware generated incorrect warning-level messages stating session not found, sending inappropriate rate-limit headers in the Gateway system logs.This warning was introduced incorrectly and caused confusion, as mock responses don’t require session objects by design. The Gateway now returns to the previous behavior where mock response requests execute without generating spurious warning messages, reducing log noise.
Fixed an issue where a Data Plane Gateway could hang for all client requests when the MDCB connection was lost. This was caused by the Gateway incorrectly checking the Organisation quota when TYK_GW_ENFORCEORGQUOTAS was not set. If the Organisation quota cache expired before the Gateway performed a health check, the Gateway could hang.From this release, the Gateway does not check the Organisation quota cache if this is not set. For users relying on Organisation quotas (setting TYK_GW_ENFORCEORGQUOTAS=true), the scenario is different and the lock does not occur.

5.8.6 Release Notes

Release Date 25th September 2025

Release Highlights

This patch release contains various bug fixes. For a comprehensive list of changes, please refer to the detailed changelog.

Breaking Changes

There are no breaking changes in this release.

Dependencies

Compatibility Matrix For Tyk Components
Gateway VersionRecommended ReleasesBackwards Compatibility
5.8.6MDCB v2.8.4MDCB v2.8.4
Operator v1.2.0Operator v0.17
Sync v2.1.3Sync v2.1.1
Helm Chart v4.0Helm all versions
EDP v1.14.1EDP all versions
Pump v1.12.2Pump all versions
TIB (if using standalone) v1.7.0TIB all versions
3rd Party Dependencies & Tools
Third Party DependencyTested VersionsCompatible VersionsComments
Go1.241.24Go plugins must be built using Go 1.24
Redis6.2.x, 7.x6.2.x, 7.xUsed by Tyk Gateway
OpenAPI Specificationv3.0.xv3.0.xSupported by Tyk OAS
Given the potential time difference between your upgrade and the release of this version, we recommend users verify the ongoing support of third-party dependencies they install, as their status may have changed since the release.

Deprecations

There are no deprecations in this release.

Upgrade instructions

If you are upgrading to 5.8.6, please follow the detailed upgrade instructions.

Downloads

Changelog

Changed
Fixed
Fixed an issue that caused repeated Body decompression error: EOF log messages when analytics were enabled for GraphQL APIs. The problem occurred because the Gateway attempted to decompress the response body after it had already been consumed for analytics processing, resulting in EOF (End of File) errors. The Gateway now correctly handles response body consumption for GraphQL APIs with analytics, eliminating the spurious error logs.
Fixed an issue where Gateways could fail to re-register with the Dashboard after a restart, particularly during upgrades or in large-scale deployments. This resulted in Authorization failed (Nonce empty) errors and Gateway crash loops that prevented successful registration. The fix includes an updated license handler with hardened registration logic, enhanced Dashboard authentication retry mechanisms, and support for new “Unlimited Gateway” licenses, ensuring Gateways register reliably without entering failure loops even during heavy churn or rolling upgrades.
Fixed a bug where deleting an API with the Uptime Test feature enabled could cause the Gateway to crash due to a nil pointer dereference during cleanup operations. The Gateway now properly handles memory cleanup when removing APIs with active uptime tests, preventing crashes and ensuring stable API lifecycle management.
Fixed an issue where Tyk Gateway did not properly apply the configured TLS settings when connecting to Redis for rate limiting operations. This could result in connection failures and incorrect HTTP 429 Too Many Requests responses being returned to clients. The rate limiter now correctly establishes TLS connections to Redis.
Fixed an issue where Response Body Transformation middleware failed to apply to endpoints that used URL rewrite with regex patterns. When the endpoint path contained regex metacharacters (e.g., $, ^, (), []), these characters interfered with the body transformation’s internal pattern-matching process, preventing the middleware from executing.
Fixed an issue where CORS settings from the base API were incorrectly applied to all versions of a Tyk OAS API, preventing child API versions from using their own CORS configuration. This occurred because the CORS check was performed before the request was routed to the correct API version. The processing order has been corrected so that requests are first routed to the appropriate version (base or child), then the correct CORS settings are applied, allowing each API version to have its own CORS configuration.
Fixed an issue where Tyk OAS mock response middleware failed to execute when internal API proxying was enabled. Mock responses configured in the target API are now correctly returned when a request is redirected to another API on the same Tyk Gateway instance via internal looping.
Fixed an issue where importing an OpenAPI description with an apiKey security scheme, while using the authentication query parameter, resulted in the unnecessary generation of a header object within the Tyk Vendor Extension (x-tyk-api-gateway), duplicating information already present in the declared OpenAPI security scheme.
Resolved an issue where the Gateway automatically converted Readable Duration values (such as uptime test timeouts) in Tyk OAS API definitions from integer-based formats to decimal formats, which triggered schema validation warnings. The effect of this was seen in the Tyk OAS API editor in the Dashboard UI where, for example, a duration of ‘4s500ms’ would be converted to ‘4.5s’ when reopening an API definition. Duration values are now consistently serialized and maintained in their original integer-based format to prevent these validation errors.
Fixed an issue where users could create child Tyk OAS API versions using the /tyk/apis/oas endpoint without specifying a valid version name (new_version_name). The Gateway API now rejects such requests with an HTTP 422 Unprocessable Entity error, ensuring all versions have meaningful identifiers and preventing the creation of unusable or empty version entries.
Fixed an issue where updating a Tyk OAS API via PATCH /tyk/apis/oas/{apiId} did not properly update the Tyk Vendor Extension (x-tyk-api-gateway). When endpoints were removed or modified in the OpenAPI description, their corresponding middleware definitions could persist incorrectly in the vendor extension, leaving the API definition in an inconsistent state. The vendor extension is now correctly rebuilt to reflect all changes made to the OpenAPI description.

5.8.5 Release Notes

Release Date 18th August 2025

Release Highlights

Gateway 5.8.5 was version bumped only to align with Dashboard 5.8.5. Subsequently, no changes were encountered in release 5.8.5. For further information, please see the release notes for Dashboard v5.8.5.

Breaking Changes

There are no breaking changes in this release.

Dependencies

Compatibility Matrix For Tyk Components
Gateway VersionRecommended ReleasesBackwards Compatibility
5.8.5MDCB v2.8.4MDCB v2.8.4
Operator v1.2.0Operator v0.17
Sync v2.1.1Sync v2.1.1
Helm Chart v3.0Helm all versions
EDP v1.14EDP all versions
Pump v1.12.1Pump all versions
TIB (if using standalone) v1.7.0TIB all versions
3rd Party Dependencies & Tools
Third Party DependencyTested VersionsCompatible VersionsComments
Go1.231.23Go plugins must be built using Go 1.23
Redis6.2.x, 7.x6.2.x, 7.xUsed by Tyk Gateway
OpenAPI Specificationv3.0.xv3.0.xSupported by Tyk OAS
Given the potential time difference between your upgrade and the release of this version, we recommend users verify the ongoing support of third-party dependencies they install, as their status may have changed since the release.

Deprecations

There are no deprecations in this release.

Upgrade instructions

If you are upgrading to 5.8.5, please follow the detailed upgrade instructions.

Downloads

Changelog

Since this release was version-bumped only to align with Dashboard v5.8.5, no changes were encountered in this release.

5.8.4 Release Notes

Release Date 13th August 2025

Release Highlights

This release restores the stable /hello health-check behavior for Kubernetes probes. Deployments using /hello for liveness or readiness will now behave consistently again. It also fixes a schema compatibility issue in the URL Rewrite middleware, ensuring that API promotion and validation flows no longer fail due to schema mismatches. For a comprehensive list of changes, please refer to the detailed changelog.

Breaking Changes

There are no breaking changes in this release.

Dependencies

Compatibility Matrix For Tyk Components
Gateway VersionRecommended ReleasesBackwards Compatibility
5.8.4MDCB v2.8.3MDCB v2.8.3
Operator v1.2.0Operator v0.17
Sync v2.1.1Sync v2.1.1
Helm Chart v3.0Helm all versions
EDP v1.14EDP all versions
Pump v1.12.0Pump all versions
TIB (if using standalone) v1.7.0TIB all versions
3rd Party Dependencies & Tools
Third Party DependencyTested VersionsCompatible VersionsComments
Go1.231.23Go plugins must be built using Go 1.23
Redis6.2.x, 7.x6.2.x, 7.xUsed by Tyk Gateway
OpenAPI Specificationv3.0.xv3.0.xSupported by Tyk OAS
Given the potential time difference between your upgrade and the release of this version, we recommend users verify the ongoing support of third-party dependencies they install, as their status may have changed since the release.

Deprecations

There are no deprecations in this release.

Upgrade instructions

If you are upgrading to 5.8.4, please follow the detailed upgrade instructions.

Downloads

Changelog

Fixed

5.8.3 Release Notes

Release Date 15th July 2025

Release Highlights

This patch release contains various bug fixes. For a comprehensive list of changes, please refer to the detailed changelog below.

Breaking Changes

1. Modified /hello endpoint behavior affects kubernetes deployments In Tyk Gateway version 5.8.3, we introduced a breaking change to the /hello health check endpoint behavior. Previously, this endpoint would always return HTTP 200 during normal operations, regardless of Redis connectivity. The change made the endpoint return HTTP 503 when Redis was unavailable (which shouldn’t be the case), which caused issues for Kubernetes deployments using this endpoint for liveness probes.
Impact
  • Kubernetes pods may be unnecessarily terminated when Redis becomes temporarily unavailable
  • Deployments using /hello for both liveness and readiness probes experience disruption
  • This contradicts the documented behavior that the Gateway continues functioning when Redis is unavailable
Expected Fix Version
This issue will be fixed in Tyk Gateway version 5.8.4, where we will:
  • Revert the /hello endpoint to its pre-5.8.3 behavior (always return HTTP 200 during normal operations)
  • Ensure backward compatibility for existing Kubernetes deployments
2. URL rewrite rules now require explicit negate field A breaking change has been identified in Tyk 5.8.3 regarding URL rewrite rules. The negate field, which was optional in previous versions, is now mandatory in all URL rewrite rule configurations.
What Changed
In Tyk 5.8.2 and earlier, the negate field in URL rewrite rules included an omitempty tag, making it optional in JSON. If not provided, it would default to false In Tyk 5.8.3, this omitempty tag has been removed, making the negate field mandatory in all URL rewrite rule configurations.
Impact
API definitions that worked in Tyk 5.8.2 will fail validation in Tyk 5.8.3 if they contain URL rewrite rules without an explicit negate field. This may cause API updates, or promotion between environments failures between environments with error messages similar to: 
Error: API Updating Returned error: {
  "Status": "Error",
  "Message": "x-tyk-api-gateway.middleware.operations.(.*)OPTIONS.urlRewrite.triggers.0.rules.0: negate is required"
}
Workarounds
When using Tyk 5.8.3, you must explicitly include the negate field in all URL rewrite rules: 
{
  "rules": [
    {
      "in": "header",
      "name": "x-example",
      "pattern": "test",
      "negate": false  // This field is now required
    }
  ]
}
Set negate: false for standard matching behavior, or negate: true
Expected fix version
This issue will be fixed in Tyk 5.8.4, where we’re going to make negate field optional again.

Dependencies

Compatibility Matrix For Tyk Components
Gateway VersionRecommended ReleasesBackwards Compatibility
5.8.3MDCB v2.8.2MDCB v2.8.2
Operator v1.2.0Operator v0.17
Sync v2.1.1Sync v2.1.1
Helm Chart v3.0Helm all versions
EDP v1.14EDP all versions
Pump v1.12.0Pump all versions
TIB (if using standalone) v1.7.0TIB all versions
3rd Party Dependencies & Tools
Third Party DependencyTested VersionsCompatible VersionsComments
Go1.231.23Go plugins must be built using Go 1.23
Redis6.2.x, 7.x6.2.x, 7.xUsed by Tyk Gateway
OpenAPI Specificationv3.0.xv3.0.xSupported by Tyk OAS
Given the potential time difference between your upgrade and the release of this version, we recommend users verify the ongoing support of third-party dependencies they install, as their status may have changed since the release.

Deprecations

There are no deprecations in this release.

Upgrade instructions

If you are upgrading to 5.8.3, please follow the detailed upgrade instructions.

Downloads

Changelog

Added
Fixed
Fixed support for dns:/// protocol for load balancing when using gRPC plugins. Setting the new configuration option TYK_GW_COPROCESSOPTIONS_GRPCROUNDROBINLOADBALANCING to true will cause Tyk to balance the load between multiple gRPC servers; the default behavior (false) is to use a sticky connection to a single server.
Fixed an issue introduced in Tyk 5.8.1 where several previously supported cipher suites were no longer recognized when configured, causing them to be silently skipped for clients relying on those ciphers. The issue was only visible with debug-level logging, making it difficult to diagnose in production environments. Support for these cipher suites has now been restored.
Gateway no longer returns HTTP 500 when calling an invalid path on a streams API and will instead return HTTP 404 as expected.
Fixed an issue where Tyk has trouble proxying a GraphQL edge case; a request that includes an argument on an interface leads to errors proxying.
Gateway no longer produces endless “unsupported protocol scheme” errors for Tyk Streams APIs
Fixed a panic triggered by starting GraphQL subscriptions and resolved an issue where Kafka messages failed to resolve correctly.
Gateway no longer tries to start a garbage collection task after deleting a Tyk Streams API
Fixed an issue where the payload (request body) was not included in detailed traffic logs for the following scenarios:
  • Content-Type "application/x-www-form-urlencoded"
  • Transfer-Encoding: chunked
Browser clients can now reliably consume streams outputs (SSE and WebSocket)
Fixed an issue when using Tyk OAS where the API definition was not accessible from Response Plugins unless a Request Plugin was also loaded. The issue was caused by the ctx.GetOASDefinition(req) function not consistently returning the proper OpenAPI Specification (OAS).

5.8.2 Release Notes

Release Date 1st July 2025

Release Highlights

This patch release contains fixes to some bugs experienced when using MDCB and distributed data planes. For a comprehensive list of changes, please refer to the detailed changelog below.

Breaking Changes

There are no breaking changes in this release.

Dependencies

Compatibility Matrix For Tyk Components
Gateway VersionRecommended ReleasesBackwards Compatibility
5.8.2MDCB v2.8.1MDCB v2.8.1
Operator v1.2.0Operator v0.17
Sync v2.1.0Sync v2.1.0
Helm Chart v3.0Helm all versions
EDP v1.13EDP all versions
Pump v1.12.0Pump all versions
TIB (if using standalone) v1.7.0TIB all versions
3rd Party Dependencies & Tools
Third Party DependencyTested VersionsCompatible VersionsComments
Go1.231.23Go plugins must be built using Go 1.23
Redis6.2.x, 7.x6.2.x, 7.xUsed by Tyk Gateway
OpenAPI Specificationv3.0.xv3.0.xSupported by Tyk OAS
Given the potential time difference between your upgrade and the release of this version, we recommend users verify the ongoing support of third-party dependencies they install, as their status may have changed since the release.

Deprecations

There are no deprecations in this release.

Upgrade instructions

If you are upgrading to 5.8.2, please follow the detailed upgrade instructions.

Downloads

Changelog

Fixed
The Data Plane could lose connectivity to MDCB when DNS records changed (for example due to ELB updates). The RPC address became stale and the Gateways could not reconnect. We have improved the RPC connection handling in the gateway to properly detect and respond to DNS changes, ensuring seamless reconnection when remote IPs become unavailable.
Fixed a bug where a timeout in an RPC call to MDCB could lead to policies not being synchronised to the data plane.

5.8.1 Release Notes

Release Date 9 May 2025

Release Highlights

This patch release contains various bug fixes. For a comprehensive list of changes, please refer to the detailed changelog below.

Breaking Changes

There are no breaking changes in this release.

Dependencies

Compatibility Matrix For Tyk Components
Gateway VersionRecommended ReleasesBackwards Compatibility
5.8.1MDCB v2.8.1MDCB v2.8.1
Operator v1.2.0Operator v0.17
Sync v2.1.0Sync v2.1.0
Helm Chart v3.0Helm all versions
EDP v1.13EDP all versions
Pump v1.12.0Pump all versions
TIB (if using standalone) v1.7.0TIB all versions
3rd Party Dependencies & Tools
Third Party DependencyTested VersionsCompatible VersionsComments
Go1.231.23Go plugins must be built using Go 1.23
Redis6.2.x, 7.x6.2.x, 7.xUsed by Tyk Gateway
OpenAPI Specificationv3.0.xv3.0.xSupported by Tyk OAS
Given the potential time difference between your upgrade and the release of this version, we recommend users verify the ongoing support of third-party dependencies they install, as their status may have changed since the release.

Deprecations

There are no deprecations in this release.

Upgrade instructions

If you are upgrading to 5.8.1, please follow the detailed upgrade instructions.

Downloads

Changelog

Fixed
Addressed an issue for UDG APIs where caching led to the forwarding of stale values for headers that contained content variables towards the upstream of the UDG apis.
Resolved an issue where requests could be routed incorrectly due to inverted prioritisation of dynamically declared paths over those with similar static paths. Now, statically declared paths take priority in the path matching algorithm, so if API1 has listen path /path/{param}/endpoint and API2 has listen path /path/specific/endpoint a request to /path/specific/endpoint/resource will be correctly routed to API2.
Fixed an issue where an enforced timeout set for a specific API endpoint could be overruled by the configured proxy_default_timeout. Now if an endpoint-level timeout is set then this will be honoured, regardless of any default timeout that is configured.
Resolved a race condition in self-managed deployments which occasionally lead to fewer Gateways registering with the Dashboard than the number that had been licensed. Now Tyk Self-Managed deployments will allow the licensed number of Gateways to register and serve traffic.
Resolved a bug where allowed_types from multiple policies were incorrectly merged using intersection logic. Policies now correctly merge fields to allow access to any fields listed across the applied policies.

5.8.0 Release Notes

Release Date 28 March 2025

Release Highlights

With Tyk 5.8.0 we are delighted to unlock the power and flexibility of Tyk OAS for all users, with full feature parity with the legacy Tyk Classic API definition. We are also bringing other updates and improvements, delivering more control, flexibility, and performance. For a comprehensive list of changes, please refer to the detailed changelog below.
Full support for Gateway configuration using Tyk OAS
We have completed the journey with Tyk OAS that started in Tyk 4.1 - and now anything that you can configure using the Tyk Classic API definition is also available in the Tyk OAS API definition. Tyk OAS is now the recommended API style for all REST services, with Tyk Classic recommended for use only for GraphQL and TCP services. With Tyk OAS we combine the industry standard OpenAPI description with the Tyk Vendor Extension, which encapsulates all of the Tyk Gateway settings that cannot be inferred from the OpenAPI Specification (OAS). You can keep your service description (OAS) as source of truth and update the OpenAPI description part of a Tyk OAS API independently from the Tyk Vendor Extension - no need to unpick distributed vendor extensions from your OAS. For more details, please see the documentation.

Breaking Changes

There are no breaking changes in this release.

Dependencies

Compatibility Matrix For Tyk Components
Gateway VersionRecommended ReleasesBackwards Compatibility
5.8.0MDCB v2.8.0MDCB v2.8.0
Operator v1.2.0Operator v0.17
Sync v2.1.0Sync v2.1.0
Helm Chart v3.0Helm all versions
EDP v1.13EDP all versions
Pump v1.12.0Pump all versions
TIB (if using standalone) v1.7.0TIB all versions
3rd Party Dependencies & Tools
Third Party DependencyTested VersionsCompatible VersionsComments
Go1.231.23Go plugins must be built using Go 1.23
Redis6.2.x, 7.x6.2.x, 7.xUsed by Tyk Gateway
OpenAPI Specificationv3.0.xv3.0.xSupported by Tyk OAS
Given the potential time difference between your upgrade and the release of this version, we recommend users verify the ongoing support of third-party dependencies they install, as their status may have changed since the release.

Deprecations

There are no deprecations in this release.

Upgrade instructions

If you are upgrading to 5.8.0, please follow the detailed upgrade instructions.

Downloads

Changelog

Added
In Tyk 5.8.0, we have added configuration of the following features into the Tyk OAS API definition, so that anything you can configure for a REST API via Tyk Classic you can also configure using Tyk OAS:
  • IP access control
  • API-Level request size limit
  • API-level ignore endpoint case
  • Skip rate limit middleware
  • Skip quota middleware
  • Skip quota reset on key creation
  • Custom analytics tags
  • Custom analytics retention period
  • Custom analytics plugins
  • Preserve client Host header
  • Gateway HTTP settings
  • Upstream uptime testing
  • Upstream load balancing
  • Upstream SSL configuration
  • Upstream authentication: HMAC request signing
  • Event handling: custom JS handler
  • Event handling: custom log Handler
  • Batch requests
Tyk Gateway now supports transaction logs, providing structured access logs for API requests. This improves debugging and observability without the overhead of enabling debug mode in production. Logs can be output in JSON format and customized via a template, ensuring flexibility while maintaining performance. Find more details in our Transaction Logs documentation.
We have added GODEBUG flags to enable deprecated insecure ciphers by default for backward compatibility. Existing users will not be affected. New users or those who wish to override these settings can do so at runtime using environment variables.
Changed
Tyk Gateway now runs on Golang 1.23, bringing security and performance improvements. Key changes include:
  • unbuffered Timer/Ticker channels
  • removal of 3DES cipher suites
  • updates to X509KeyPair handling.
You may need to adjust your setup for compatibility. For more detail please see the official Go release notes.
We have updated the library that supports JSON schema validation in the Tyk Classic Validate JSON middleware. This introduces improved error messaging when a request does not match the expected schema, reporting where the error exists in the request payload.
Modified the default values of allow_explicit_policy_id and enable_duplicate_slugs to true in all example configuration files, ensuring consistency and alignment with recommended settings.
Fixed
We have fixed an issue where authentication was incorrectly handled for the Internal API when URL Rewrite middleware was used to redirect a request using the tyk:// protocol. This fix ensures that when API A redirects to API B, authentication with API B will use the method configured for API B, improving access control and preventing access denials. Users can now rely on the expected authentication flow, providing a predictable experience when routing to internal APIs.
Resolved initialization errors that caused unnecessary error logging during gateway startup, improving PID file handling and Redis connection state management.
Fixed an issue where the gateway stopped processing traffic when restarted while MDCB was unavailable. Instead of entering “emergency” mode and loading APIs and policies from the Redis backup, the gateway remained unresponsive, continuously attempting to reconnect. With this fix, the gateway detects connection failure and enters emergency mode, ensuring traffic processing resumes even when MDCB is down.
Improved the performance of ctx.GetOASDefinition() in custom plugins by replacing the deep copy operation with a more efficient cloning method. This optimization reduces memory usage by 95% and CPU consumption by 46%, significantly speeding up API definition retrieval.Thanks to @sebkehr for identifying this issue and providing valuable feedback to enhance Tyk’s performance.
Multi-value response headers were previously lost after synchronization with coprocess middleware, as only the first value was retained. This has been resolved, ensuring all response headers are properly synchronized and preserved
Resolved an issue where the gateway incorrectly selected the OAuth upstream authentication flow when both client credentials and password flows were configured. The gateway now correctly respects the allowedAuthorizeTypes setting, ensuring the intended authentication flow is used.

5.7 Release Notes

5.7.3 Release Notes

Release Date 05 June 2025

Release Highlights

This patch release contains a bug fix. For a comprehensive list of changes, please refer to the detailed changelog below.

Dependencies

Compatibility Matrix For Tyk Components
Gateway VersionRecommended ReleasesBackwards Compatibility
5.7.3MDCB v2.7.2MDCB v2.4.2
Operator v1.1.0Operator v0.17
Sync v2.0.2Sync v1.4.3
Helm Chart v2.2Helm all versions
EDP v1.12EDP all versions
Pump v1.11.1Pump all versions
TIB (if using standalone) v1.6.1TIB all versions
3rd Party Dependencies & Tools
Third Party DependencyTested VersionsCompatible VersionsComments
Go1.221.22Go plugins must be built using Go 1.22
Redis6.2.x, 7.x6.2.x, 7.xUsed by Tyk Gateway
OpenAPI Specificationv3.0.xv3.0.xSupported by Tyk OAS
Given the potential time difference between your upgrade and the release of this version, we recommend users verify the ongoing support of third-party dependencies they install, as their status may have changed since the release.

Deprecations

There are no deprecations in this release.

Upgrade instructions

If you are upgrading to 5.7.3, please follow the detailed upgrade instructions.

Downloads

Changelog

Fixed

5.7.2 Release Notes

Release Date 19 February 2025

Release Highlights

This patch release contains a bug fix. For a comprehensive list of changes, please refer to the detailed changelog below.

Breaking Changes

There are no breaking changes in this release.

Dependencies

Compatibility Matrix For Tyk Components
Gateway VersionRecommended ReleasesBackwards Compatibility
5.7.2MDCB v2.7.2MDCB v2.4.2
Operator v1.1.0Operator v0.17
Sync v2.0.2Sync v1.4.3
Helm Chart v2.2Helm all versions
EDP v1.12EDP all versions
Pump v1.11.1Pump all versions
TIB (if using standalone) v1.6.1TIB all versions
3rd Party Dependencies & Tools
Third Party DependencyTested VersionsCompatible VersionsComments
Go1.221.22Go plugins must be built using Go 1.22
Redis6.2.x, 7.x6.2.x, 7.xUsed by Tyk Gateway
OpenAPI Specificationv3.0.xv3.0.xSupported by Tyk OAS
Given the potential time difference between your upgrade and the release of this version, we recommend users verify the ongoing support of third-party dependencies they install, as their status may have changed since the release.

Deprecations

There are no deprecations in this release.

Upgrade instructions

If you are upgrading to 5.7.2, please follow the detailed upgrade instructions.

Downloads

Changelog

Fixed

5.7.1 Release Notes

Release Date 31 December 2024

Release Highlights

This release focuses mainly on bug fixes. For a comprehensive list of changes, please refer to the detailed changelog below.

Breaking Changes

There are no breaking changes in this release.

Dependencies

Compatibility Matrix For Tyk Components
Gateway VersionRecommended ReleasesBackwards Compatibility
5.7.1MDCB v2.7.2MDCB v2.4.2
Operator v1.1.0Operator v0.17
Sync v2.0.1Sync v1.4.3
Helm Chart v2.2Helm all versions
EDP v1.12EDP all versions
Pump v1.11.1Pump all versions
TIB (if using standalone) v1.6.1TIB all versions
3rd Party Dependencies & Tools
Third Party DependencyTested VersionsCompatible VersionsComments
Go1.221.22Go plugins must be built using Go 1.22
Redis6.2.x, 7.x6.2.x, 7.xUsed by Tyk Gateway
OpenAPI Specificationv3.0.xv3.0.xSupported by Tyk OAS
Given the potential time difference between your upgrade and the release of this version, we recommend users verify the ongoing support of third-party dependencies they install, as their status may have changed since the release.

Deprecations

There are no deprecations in this release.

Upgrade instructions

If you are upgrading to 5.7.1, please follow the detailed upgrade instructions.

Downloads

Changelog

Fixed
Resolved an issue where the response body could be only partially recorded in the traffic log if a custom response plugin modified the payload. This was due to Tyk using the original, rather than the modified, content-length of the response when identifying the data to include in the traffic log.
Fixed a bug that prevented the control plane Gateway from loading APIs that use custom plugin bundles. The control plane Gateway is used to register OAuth clients and generate access tokens so this could result in an API being loaded to the data plane Gateways but clients unable to obtain access tokens. This issue was introduced in v5.3.1 as a side-effect of a change to address a potential security issue where APIs could be loaded without their custom plugins.
Addressed an issue where shared loggers caused debug logs to misidentify the middleware source, complicating debugging. Log entries now correctly indicate which middleware generated the log, ensuring clearer and more reliable diagnostics
Fixed an issue where a malformed listen path could cause the Gateway to crash. Now, such listen paths are properly validated, and if validation fails, an error is logged, and the API is skipped—preventing Gateway instability.
Resolved a bug that prevented upstream server-sent events (SSE) from being sent when OpenTelemetry was enabled, and fixed a gateway panic that occurred when detailed recording was active while SSE was in use. This ensures stable SSE streaming in configurations with OpenTelemetry.
Resolved an issue where API access keys remained valid even if all associated policies were deleted. The Gateway now attempts to apply all linked policies to the key when it is presented with a request. Warning logs are generated if any policies cannot be applied (for example, if they are missing). If no linked policy can be applied, the Gateway will reject the key to ensure no unauthorized access.
Resolved an issue where APIs using the Transfer-Encoding: chunked header alongside URL Rewrite or Validate Request middleware would lose the response payload body. The payload now processes correctly, ensuring seamless functionality regardless of header configuration.
OAuth 2.0 access tokens can now be issued even when data plane gateways are disconnected from the control plane. This is achieved by saving OAuth clients locally within the data plane when they are pulled from RPC.
Tyk now supports RSA-PSS signed JWTs (PS256, PS384, PS512), enhancing security while maintaining backward compatibility with RS256. No configuration changes are needed—just use RSA public keys, and Tyk will validate both algorithms seamlessly.
Resolved a problem in the request size limit middleware that caused GET and DELETE requests to fail validation.The middleware incorrectly expected a request body (payload) for these methods and blocked them when none was present.
Fixed an issue where GraphQL queries using variables for custom scalar types, such as UUID, failed due to incorrect input handling. Previously, the query would return an error when a variable was used but worked when the value was directly embedded in the query. This update ensures that variables for custom scalar types are correctly inferred and processed, enabling seamless query execution.

5.7.0 Release Notes

Release Date 03 December 2024

Release Highlights

We are thrilled to announce new updates and improvements in Tyk 5.7.0, bringing more control, flexibility, and performance. For a comprehensive list of changes, please refer to the detailed changelog below.
Tyk Streams - asynchronous API management with Tyk
Tyk is now entering the asynchronous API management space with a bang by delivering Tyk Streams to our users! Many API management solutions fail to fully support event-driven architectures, causing fragmented management, inconsistent security practices, and increased operational complexity. With event-driven architectures on the rise recently, keeping everything under control and enforcing standards at the organizational level has become a challenge. Tyk Streams is an event streaming solution available within the Tyk API Management Platform, which applies proven API management principles to simplify event and streams handling. This release brings capabilities to stream data and events using Kafka, Websocket, SSE and HTTP protocols. It also becomes possible to mediate the message format between Avro and JSON on the fly.
  • Merge together various sources of events to present to consumers as a unified stream.
  • Apply authentication and authorization to streams of messages, just as you do for your RESTful APIs
  • Expose async APIs via Tyk Portal, so that they are easily discoverable
All of this possible in self-managed and k8s deployments of Tyk!

Breaking Changes

There are no breaking changes in this release.

Dependencies

Compatibility Matrix For Tyk Components
Gateway VersionRecommended ReleasesBackwards Compatibility
5.7.0MDCB v2.7.2MDCB v2.4.2
Operator v1.1.0Operator v0.17
Sync v2.0.1Sync v1.4.3
Helm Chart v2.2Helm all versions
EDP v1.12EDP all versions
Pump v1.11.1Pump all versions
TIB (if using standalone) v1.6.1TIB all versions
3rd Party Dependencies & Tools
Third Party DependencyTested VersionsCompatible VersionsComments
Go1.221.22Go plugins must be built using Go 1.22
Redis6.2.x, 7.x6.2.x, 7.xUsed by Tyk Gateway
OpenAPI Specificationv3.0.xv3.0.xSupported by Tyk OAS
Given the potential time difference between your upgrade and the release of this version, we recommend users verify the ongoing support of third-party dependencies they install, as their status may have changed since the release.

Deprecations

In 5.7.0, we have deprecated the dedicated External OAuth (Tyk Classic: external_oauth, Tyk OAS: server.authentication.securitySchemes.externalOAuth) and OpenID Connect (Tyk Classic: auth_configs.oidc, Tyk OAS: server.authentication.oidc) authentication methods. We advise users to switch to JWT Authentication.

Upgrade instructions

If you are upgrading to 5.7.0, please follow the detailed upgrade instructions.

Downloads

Changelog

Added
Added to Streams analytics capability to capture and report common error scenarios, including broker connectivity issues and standard HTTP errors, ensuring comprehensive request tracking for Streams-processed requests.
Connected the new OAS validator to the /streams endpoint, adding proper error handling and validation responses for invalid stream configurations.
Extended the OAS validator to include Streams configuration validation, enforcing allowlisted components and validating nested broker configurations while implementing schema validation for Streams configurations.
Introduced a new validator derived from the existing OAS schema, adapting it for Streams validation with modified requirements for upstreamURL and x-tyk-streaming fields. This validator is now used by both the Dashboard API streams endpoint and streams configuration validator.
Refined streams logging behavior to match Tyk’s logging patterns, reducing unnecessary log output and improving log clarity.
Implemented allowlist-based validation for components in streams configurations, replacing the previous blocklist approach. Supported components now include Kafka, WebSocket, SSE, and HTTP for both inputs and outputs (including broker combinations), along with JSON-Avro bidirectional conversion processors, while other components like scanners, caches, and buffers are blocked by default. This validation is enforced consistently across Gateway, Dashboard API, and UI.
Fixed
When using Tyk Streams and sending input via http, the requests sometimes timed out causing a problem for the consumers. The issue has been fixed and now inputs via http for Tyk Streams work as intended.
Fixed a backwards compatibility issue with Tyk OAS API schema validation. When downgrading from a Tyk version, schema validation could fail if new fields had been added to the Tyk OAS API definition. This change relaxes the strictness of validation to allow additional properties.
Resolved a bug where path-based permissions in policies were not preserved when policies were combined, potentially omitting URL values and incorrectly restricting access. The updated behavior ensures that URL access rights from all applicable policies are merged, regardless of policy order, allowing seamless enforcement of combined permissions.
Fixed a routing issue that caused incorrect API matching when dealing with APIs that lacked a trailing slash, used custom domains, or had similar listen path patterns. Previously, the router prioritized APIs with longer subdomains and shorter listen paths, leading to incorrect matches when listen paths shared prefixes. This fix ensures accurate API matching, even when subdomains and listen paths overlap.
Fixed an issue that caused increased memory consumption when proxying large response payloads. The Gateway now handles large payloads more efficiently in terms of speed and memory usage.

5.6 Release Notes

5.6.1 Release Notes

Release Date 18 October 2024

Release Highlights

This patch release for Tyk Gateway addresses critical stability issues for users running Tyk Gateway within the data plane, connecting to the control plane or Tyk Hybrid. Affected users should upgrade immediately to version 5.6.1 to avoid service interruptions and ensure reliable operations with the control plane or Tyk Hybrid. For a comprehensive list of changes, please refer to the detailed changelog below.

Breaking Changes

There are no breaking changes in this release.

Dependencies

Compatibility Matrix For Tyk Components
Gateway VersionRecommended ReleasesBackwards Compatibility
5.6.1MDCB v2.7.1MDCB v2.4.2
Operator v1.0.0Operator v0.17
Sync v2.0Sync v1.4.3
Helm Chart v2.1Helm all versions
EDP v1.11EDP all versions
Pump v1.11Pump all versions
TIB (if using standalone) v1.5.1TIB all versions
3rd Party Dependencies & Tools
Third Party DependencyTested VersionsCompatible VersionsComments
Go1.221.22Go plugins must be built using Go 1.22
Redis6.2.x, 7.x6.2.x, 7.xUsed by Tyk Gateway
OpenAPI Specificationv3.0.xv3.0.xSupported by Tyk OAS
Given the potential time difference between your upgrade and the release of this version, we recommend users verify the ongoing support of third-party dependencies they install, as their status may have changed since the release.

Deprecations

There are no deprecations in this release.

Upgrade instructions

If you are upgrading to 5.6.1, please follow the detailed upgrade instructions.

Downloads

Changelog

Fixed

5.6.0 Release Notes

Release Date 10 October 2024

Important Update

Date: 12 October 2024
Topic: Gateway panic when reconnecting to MDCB control plane or Tyk Cloud
Workaround: Restart Gateway
Affected Product: Tyk Gateway as an Edge Gateway
Affected versions: v5.6.0, v5.3.6, and v5.0.14
Issue Description:

We have identified an issue affecting Tyk Gateway deployed as a data plane connecting to the Multi-Data Center Bridge (MDCB) control plane or Tyk Cloud. In the above mentioned Gateway versions a panic may occur when gateway reconnect to the control plane after the control plane is restarted.

Our engineering team is actively working on a fix, and a patch (versions 5.6.1, 5.3.7, and 5.0.15) will be released soon.

Recommendations:
For users on versions 5.5.0, 5.3.5, and 5.0.13
We advise you to delay upgrading to the affected versions (5.6.0, 5.3.6, or 5.0.14) until the patch is available.For users who have already upgraded to 5.6.0, 5.3.6, or 5.0.14 and are experiencing a panic in the gateway:
Restarting the gateway process will restore it to a healthy state. If you are operating in a Kubernetes environment, Tyk Gateway instance should automatically restart, which ultimately resolves the issue.

We appreciate your understanding and patience as we work to resolve this. Please stay tuned for the upcoming patch release, which will address this issue.

Release Highlights

We are thrilled to announce new updates and improvements in Tyk 5.6.0, bringing more control, flexibility, and performance. For a comprehensive list of changes, please refer to the detailed changelog below.
Per endpoint Rate Limiting for clients
Building on the per-endpoint upstream rate limits introduced in Tyk 5.5.0 we have now added per-endpoint client rate limits. This new feature allows for more granular control over client consumption of API resources by associating the rate limit with the access key, enabling you to manage and optimize API usage more effectively.
Gateway logs in JSON format
You can now output Tyk Gateway system logs in JSON format. This allows for easier integration with logging systems and more structured log data.
Go upgrade to 1.22
We’ve upgraded the Tyk Gateway to Golang 1.22, bringing improved performance, better security, and enhanced stability to the core system.

Breaking Changes

There are no breaking changes in this release.

Dependencies

Compatibility Matrix For Tyk Components
Gateway VersionRecommended ReleasesBackwards Compatibility
5.6.0MDCB v2.7.1MDCB v2.4.2
Operator v1.0.0Operator v0.17
Sync v2.0Sync v1.4.3
Helm Chart v2.1Helm all versions
EDP v1.11EDP all versions
Pump v1.11Pump all versions
TIB (if using standalone) v1.5.1TIB all versions
3rd Party Dependencies & Tools
Third Party DependencyTested VersionsCompatible VersionsComments
Go1.221.22Go plugins must be built using Go 1.22
Redis6.2.x, 7.x6.2.x, 7.xUsed by Tyk Gateway
OpenAPI Specificationv3.0.xv3.0.xSupported by Tyk OAS
Given the potential time difference between your upgrade and the release of this version, we recommend users verify the ongoing support of third-party dependencies they install, as their status may have changed since the release.

Deprecations

There are no deprecations in this release.

Upgrade instructions

If you are upgrading to 5.6.0, please follow the detailed upgrade instructions.

Downloads

Changelog

Added
Changed
Fixed
We have enhanced the initial synchronization of Data Plane gateways with the Control Plane to ensure more reliable loading of policies and APIs on start-up. A synchronous initialization process has been implemented to avoid sync failures and reduce the risk of service disruptions caused by failed loads. This update ensures smoother and more consistent syncing of policies and APIs in distributed deployments.
We have fixed an issue where the quota limit was not being consistently respected during request spikes, especially in deployments with multiple gateways. The problem occurred when multiple gateways cached the current and remaining quota counters at the end of quota periods. To address this, a distributed lock mechanism has been implemented, ensuring coordinated quota resets and preventing discrepancies across gateways.
We have fixed an issue where API-level rate limits set in multiple policies were not correctly applied to the same key. With this update, when multiple policies configure rate limits for a key, the key will now receive the highest rate limit from the combined policies, ensuring proper enforcement of limits.
We have addressed a performance regression where key creation for policies with a large number of APIs (100+) became significantly slower in Tyk 4.0.13/5.0.1. The operation, which previously took around 1.5 seconds, has been taking over 20 seconds since versions 4.0.13/5.0.1. This issue has been resolved by optimizing Redis operations during key creation, restoring the process to the previous duration, even with a large number of APIs in the policy.
Security Fixes

5.5 Release Notes

5.5.2 Release Notes

Release Date 03 October 2024

Release Highlights

This release replaces Tyk Gateway 5.5.1 which was accidentally released as a non-distroless image.

Breaking Changes

There are no breaking changes in this release.

Dependencies

Compatibility Matrix For Tyk Components
Gateway VersionRecommended ReleasesBackwards Compatibility
5.5.2MDCB v2.7MDCB v2.4.2
Operator v0.18Operator v0.17
Sync v1.5Sync v1.4.3
Helm Chart v2.0.0Helm all versions
EDP v1.10EDP all versions
Pump v1.11Pump all versions
TIB (if using standalone) v1.5.1TIB all versions
3rd Party Dependencies & Tools
Third Party DependencyTested VersionsCompatible VersionsComments
Go1.211.21Go plugins must be built using Go 1.21
Redis6.2.x, 7.x6.2.x, 7.xUsed by Tyk Gateway
OpenAPI Specificationv3.0.xv3.0.xSupported by Tyk OAS
Given the potential time difference between your upgrade and the release of this version, we recommend users verify the ongoing support of third-party dependencies they install, as their status may have changed since the release.

Deprecations

There are no deprecations in this release.

Upgrade instructions

If you are upgrading to 5.5.2, please follow the detailed upgrade instructions.

Downloads

5.5.1 Release Notes

Release Date 26 September 2024

Release Highlights

This release fixes some issues related to the way that Tyk performs URL path matching, introducing two new Gateway configuration options to control path matching strictness. For a comprehensive list of changes, please refer to the detailed changelog below.

Breaking Changes

There are no breaking changes in this release.

Dependencies

Compatibility Matrix For Tyk Components
Gateway VersionRecommended ReleasesBackwards Compatibility
5.5.1MDCB v2.7MDCB v2.4.2
Operator v0.18Operator v0.17
Sync v1.5Sync v1.4.3
Helm Chart v2.0.0Helm all versions
EDP v1.10EDP all versions
Pump v1.11Pump all versions
TIB (if using standalone) v1.5.1TIB all versions
3rd Party Dependencies & Tools
Third Party DependencyTested VersionsCompatible VersionsComments
Go1.211.21Go plugins must be built using Go 1.21
Redis6.2.x, 7.x6.2.x, 7.xUsed by Tyk Gateway
OpenAPI Specificationv3.0.xv3.0.xSupported by Tyk OAS
Given the potential time difference between your upgrade and the release of this version, we recommend users verify the ongoing support of third-party dependencies they install, as their status may have changed since the release.

Deprecations

There are no deprecations in this release.

Upgrade instructions

If you are upgrading to 5.5.1, please follow the detailed upgrade instructions.

Downloads

Changelog

Added
Fixed

5.5.0 Release Notes

Release Date 12 August 2024

Release Highlights

We are thrilled to introduce Tyk Gateway 5.5, bringing advanced rate-limiting capabilities, enhanced certificate authentication, and performance optimizations. For a comprehensive list of changes, please refer to the changelog below.
Per Endpoint Rate Limiting
Now configure rate limits at the endpoint level for both Tyk OAS and Tyk Classic APIs, providing granular protection for upstream services against overloading and abuse.
Root CA Support for Client Certificates
Simplify certificate management with support for root Certificate Authority (CA) certificates, enabling clients to authenticate using certificates signed by the configured root CA.
Optimised AST Document Handling
Experience improved performance with optimised creation and usage of Abstract Syntax Tree (AST) documents in our GQL library, reducing memory usage and enhancing efficiency.

Breaking Changes

Docker images are now based on distroless. No shell is shipped in the image.

Dependencies

Compatibility Matrix For Tyk Components
Gateway VersionRecommended ReleasesBackwards Compatibility
5.5.0MDCB v2.7MDCB v2.4.2
Operator v0.18Operator v0.17
Sync v1.5Sync v1.4.3
Helm Chart v1.6Helm all versions
EDP v1.10EDP all versions
Pump v1.11Pump all versions
TIB (if using standalone) v1.5.1TIB all versions
3rd Party Dependencies & Tools
Third Party DependencyTested VersionsCompatible VersionsComments
Go1.211.21Go plugins must be built using Go 1.21
Redis6.2.x, 7.x6.2.x, 7.xUsed by Tyk Gateway
OpenAPI Specificationv3.0.xv3.0.xSupported by Tyk OAS
Given the potential time difference between your upgrade and the release of this version, we recommend users verify the ongoing support of third-party dependencies they install, as their status may have changed since the release.

Deprecations

There are no deprecations in this release.

Upgrade instructions

If you are upgrading to 5.5.0, please follow the detailed upgrade instructions.

Downloads

Changelog

Added
We’ve added support for you to register Certificate Authority (CA) certificates in your API definitions when using static mutual TLS (mTLS). Tyk can now authenticate clients presenting certificates signed by the registered root CA, simplifying certificate management for multiple clients sharing a common CA.
Optimised the creation and usage of AST documents in our GQL library to reduce significant memory allocations caused by pre-allocations during initial creation. These optimizations free up resources more efficiently, minimising performance penalties with increased requests to the Gateway.
Introduced new more granular controls for request rate limiting. Rate limits can now be configured at the endpoint level in Tyk OAS and Tyk Classic API definitions.
When using the URL path to indicate the API version (for example /v1/my-api) it is common to strip the version identifier (e.g. /v1) from the path before proxying the request to the upstream. If the client doesn’t provide any version identifier this could lead to an invalid target URL and failed requests, rather than correctly redirecting to the default version. We have introduced an optional configuration url_versioning_pattern where you can specify a regex that Tyk will use to identify if the URL contains a version identifier and avoiding the accidental stripping of valid upstream path.
Fixed
Fixed an issue when using Tyk OAS APIs where nested API endpoints, such as ‘/test’ and ‘/test/abc’, might incorrectly apply middleware from the parent path to the nested path. The fix ensures that API endpoint definitions are correctly ordered so that the standard behaviour of Tyk is followed, whereby path matching is performed starting from the longest path, preventing middleware misapplication and ensuring both the HTTP method and URL match accurately.
Previously, key creation or reset led to an exponential number of Redis DeleteRawKey commands; this was especially problematic for access lists with over 100 entries. The key creation sequence now runs only once, eliminating redundant deletion of non-existent keys in Redis. This optimization significantly reduces deletion events, enhancing performance and stability for larger access lists.
Addressed a bug that caused Server Side Event (SSE) streaming responses to be considered for caching, which required buffering the response and prevented SSE from being correctly proxied.
Resolved an issue where Host and Latency fields (Total and Upstream) were not correctly reported for Tyk Gateways in MDCB data planes. The fix ensures accurate Host values and Latency measurements are now captured and displayed in the generated traffic logs.
Security Fixes

5.4 Release Notes

5.4.0 Release Notes

Release Date 2 July 2024

Breaking Changes

Attention: Please read this section carefully We have fixed a bug in the way that Tyk calculates the key-level rate limit when multiple policies are applied to the same key. This fix alters the logic used to calculate the effective rate limit and so may lead to a different rate limit being applied to keys generated from your existing policies. See the change log for details of the change.

Dependencies

Compatibility Matrix For Tyk Components
Gateway VersionRecommended ReleasesBackwards Compatibility
5.4.0MDCB v2.6MDCB v2.4.2
Operator v0.18Operator v0.17
Sync v1.5Sync v1.4.3
Helm Chart v1.5.0Helm all versions
EDP v1.9EDP all versions
Pump v1.10.0Pump all versions
TIB (if using standalone) v1.5.1TIB all versions
The above table needs reviewing and updating if necessary
3rd Party Dependencies & Tools
Third Party DependencyTested VersionsCompatible VersionsComments
Go1.19 (GQL), 1.21 (GW)1.19 (GQL), 1.21 (GW)Go plugins must be built using Go 1.21
Redis6.2.x, 7.x6.2.x, 7.xUsed by Tyk Gateway
OpenAPI Specificationv3.0.xv3.0.xSupported by Tyk OAS
Given the potential time difference between your upgrade and the release of this version, we recommend users verify the ongoing support of third-party dependencies they install, as their status may have changed since the release. The above table needs reviewing and updating if necessary

Deprecations

There are no deprecations in this release.

Upgrade instructions

If you are upgrading to 5.4.0, please follow the detailed upgrade instructions. Add upgrade steps here if necessary.

Release Highlights

We’re thrilled to introduce exciting enhancements in Tyk Gateway 5.4, aimed at improving your experience with Tyk Gateway. For a comprehensive list of changes, please refer to the change log below.
Enhanced Rate Limiting Strategies
We’ve introducing a Rate Limit Smoothing option for the spike arresting Redis Rate Limiter to give the upstream time to scale in response to increased request rates.
Fixed MDCB Issue Relating To Replication Of Custom Keys To Dataplanes
Resolved an issue encountered in MDCB environments where changes to custom keys made via the Dashboard were not properly replicated to data planes. The issue impacted both key data and associated quotas, in the following versions:
  • 5.0.4 to 5.0.12
  • 5.1.1 and 5.1.2
  • 5.2.0 to 5.2.6
  • 5.3.0 to 5.3.2
Action Required
Customers should clear their edge Redis instances of any potentially affected keys to maintain data consistency and ensure proper synchronization across their environments. Please refer to the item in the fixed section of the changelog for recommended actions.
Fixed Window Rate Limiter
Ideal for persistent connections with load-balanced gateways, the Fixed Window Rate Limiter algorithm mechanism ensures fair handling of requests by allowing only a predefined number to pass per rate limit window. It uses a simple shared counter in Redis so requests do not need to be evenly balanced across the gateways.
Event handling with Tyk OAS
We’ve added support for you to register webhooks with your Tyk OAS APIs so that you can handle events triggered by the Gateway, including circuit breaker and quota expiry. You can also assign webhooks to be fired when using the new smoothing rate limiter to notify your systems of ongoing traffic spikes.
Enhanced Header Handling in GraphQL APIs
Introduced a features object in API definitions for GQL APIs, including the use_immutable_headers attribute. This allows advanced header control, enabling users to add new headers, rewrite existing ones, and selectively remove specific headers. Existing APIs will have this attribute set to false by default, ensuring no change in behavior. For new APIs, this attribute is true by default, facilitating smoother migration and maintaining backward compatibility.

Downloads

Changelog

Added
Introduced a Fixed Window Rate Limiting mechanism to handle rate limiting for load balancers with keep-alives. This algorithm allows the defined number of requests to pass for every rate limit window and blocks any excess requests. It uses a simple shared counter in Redis to count requests. It is suitable for situations where traffic towards Gateways is not balanced fairly. To enable this rate limiter, set enable_fixed_window_rate_limiter in the gateway config or set the environment variable TYK_GW_ENABLEFIXEDWINDOWRATELIMITER=true.
Implemented Rate Limit Smoothing as an extension to the existing Redis Rate Limiter to gradually adjust the rate based on smoothing configuration. Two new Gateway events have been created (RateLimitSmoothingUp and RateLimitSmoothingDown) which will be triggered as smoothing occurs. These can be used to assist with auto-scaling of upstream capacity during traffic spikes.
We’ve added the use_immutable_headers option to the GraphQL API configuration, offering advanced header transformation capabilities. When enabled, users can add new headers, rewrite existing ones, and selectively remove specific headers, allowing granular control without altering the original request. Existing APIs will default to false, maintaining current behavior until ready for upgrade.
Introduced an option for users to manually provide GQL schemas when creating APIs in Tyk, eliminating the dependency on upstream introspection. This feature enables the creation and editing of GQL APIs in Tyk even when upstream introspection is unavailable, providing flexibility for schema management as upstream configurations evolve over time.
The new GraphQL engine, version 3-preview, is now available in Tyk Gateway. It can be used for any GQL API by using the following enum in raw API definition: “version”: “3-preview”. This experimental version offers optimized GQL operation resolution, faster response times, and a more efficient data loader. It is currently not recommended for production use and will be stabilised in future releases, eventually becoming the default for new GQL APIs in Tyk.
Enhanced request headers handling in API definitions for GQL APIs by introducing a features object. Users can now set the use_immutable_headers attribute, which defaults to false for existing APIs, ensuring no change in header behavior. For new APIs, this attribute is true by default, facilitating smoother migration and maintaining backwards compatibility.
We’ve added some more features to the Tyk OAS API, moving closer to full parity with Tyk Classic. In this release we’ve added controls that allow you: to enable or prevent generation of traffic logs at the API-level and to enable or prevent the availability of session context to middleware. We’ve also added the facility to register webhooks that will be fired in response to Gateway events.
Fixed
Resolved a critical issue affecting MDCB environments, where changes to custom keys made via the dashboard were not properly replicated to data planes. This affected both the key data and associated quotas. This issue was present in versions:
  • 5.0.4 to 5.0.12
  • 5.1.1 and 5.1.2
  • 5.2.0 to 5.2.6
  • 5.3.0 to 5.3.2
Action RequiredCustomers are advised to clear their edge Redis instances of any keys that might have been affected by this bug to ensure data consistency and proper synchronization across their environments. There are several methods available to address this issue:
  1. Specific Key Deletion via API: To remove individual buggy keys, you can use the following API call:
curl --location --request DELETE 'http://tyk-gateway:{tyk-hybrid-port}/tyk/keys/my-custom-key' \ --header 'X-Tyk-Authorization: {dashboard-key}'
Replace {tyk-hybrid-port}, my-custom-key and {dashboard-key} with your specific configuration details. This method is safe and recommended for targeted removals without affecting other keys.
  1. Bulk Key Deletion Using Redis CLI: For environments with numerous affected keys, you might consider using the Redis CLI to remove keys en masse:
redis-cli --scan --pattern 'apikey-*' | xargs -L 1 redis-cli del
redis-cli --scan --pattern 'quota-*' | xargs -L 1 redis-cli del
This method can temporarily impact the performance of the Redis server, so it should be executed during a maintenance window or when the impact on production traffic is minimal.
  1. Complete Redis Database Flush: If feasible, flushing the entire Redis database offers a clean slate:
redis-cli FLUSHALL ASYNC
Implications Regardless of the chosen method, be aware that quotas will be reset and will need to resynchronize across the system. This may temporarily affect reporting and rate limiting capabilities.
Addressed an issue with service discovery where an IP returned by Consul wasn’t parsed correctly on the Gateway side, leading to unexpected errors when proxying requests to the service. Typically, service discovery returns valid domain names, which did not trigger the issue.
Fixed an issue where GQL Open Telemetry semantic conventions attribute names that lacked the ‘graphql’ prefix, deviating from the community standard. All attributes now have the correct prefix.
Corrected an issue where GraphQL OTel attributes were missing from spans when request validation failed in cases where detailed_tracing was set to false. Traces now include GraphQL attributes (operation name, type, and document), improving debugging for users.
Fixed a gateway panic issue observed by users when using the Persist GQL middleware without defined arguments. The gateway will no longer throw panics in these cases.
Fixed an issue with GraphQL API’s Cross-Origin Resource Sharing (CORS) configuration, which previously caused the API to fail in respecting CORS settings. This resulted in an inability to proxy requests to upstream servers and handle OPTIONS/CORS requests correctly. With this fix, users can now seamlessly make requests, including OPTIONS method requests, without encountering the previously reported error.
Fixed an issue where the Gateway did not respect API domain settings when there was another API with the same listen path but no domain. This could lead to the custom domain API not functioning correctly, depending on the order in which APIs were loaded. APIs with custom domains are now prioritised before those without custom domains to ensure that the custom domain is not ignored.
Addressed a problem with nested field mapping in UDG for GraphQL (GQL) operations. Previously, querying a single nested field caused an error, while including another normal field from the same level allowed the query to succeed. This issue has been fixed to ensure consistent behavior regardless of the query composition.
Fixed a long-standing bug in the algorithm used to determine the effective rate limit when multiple policies are applied to a key. If more than one policy is applied to a key then Tyk will apply the highest request rate permitted by any of the policies that defines a rate limit.Rate limits in Tyk are defined using two elements: rate, which is the number of requests and per, which is the period over which those requests can be sent. So, if rate is 90 and per is 30 seconds for a key, Tyk will permit a maximum of 90 requests to be made using the key in a 30 second period, giving an effective maximum of 180 requests per minute (or 3 rps).Previously, Tyk would take the highest rate and the highest per from the policies applied to a key when determining the effective rate limit. So, if policy A had rate set to 90 and per set to 30 seconds (3rps) while policy B had rate set to 100 and per set to 10 seconds (10rps) and both were applied to a key, the rate limit configured in the key would be: rate = 100 and per = 30 giving a rate of 3.33rps.With the fix applied in Tyk 5.4.0, the Gateway will now apply the highest effective rate to the key - so in this example, the key would take the rate limit from policy B: rate = 100 and per = 10 (10rps).Note that this corrected logic is applied when access keys are presented in API requests. If you are applying multiple policies to keys, there may be a change in the effective rate limit when using Tyk 5.4.0 compared with pre-5.4.0 versions.
Security Fixes

5.3 Release Notes

5.3.12 Release Notes

Release Date 12th September 2025

Release Highlights

This patch release contains bug fixes. For a comprehensive list of changes, please refer to the detailed changelog below.

Dependencies

Compatibility Matrix For Tyk Components
Gateway VersionRecommended ReleasesBackwards Compatibility
5.3.12MDCB v2.8.4MDCB v2.8.0
Operator v1.2.0Operator v0.17
Sync v2.1.0Sync v2.1.0
Helm Chart v3.0Helm all versions
EDP v1.13EDP all versions
Pump v1.12.0Pump all versions
TIB (if using standalone) v1.7.0TIB all versions
3rd Party Dependencies & Tools
Third Party DependencyTested VersionsCompatible VersionsComments
Go1.231.23Go plugins must be built using Go 1.23
Redis6.2.x, 7.x6.2.x, 7.xUsed by Tyk Gateway
OpenAPI Specificationv3.0.xv3.0.xSupported by Tyk OAS
Given the potential time difference between your upgrade and the release of this version, we recommend users verify the ongoing support of third-party dependencies they install, as their status may have changed since the release.

Deprecations

There are no deprecations in this release.

Upgrade instructions

If you are upgrading to 5.3.12, please follow the detailed upgrade instructions.

Downloads

Changelog

Fixed
Resolved an issue introduced in Tyk 5.3.10 where Gateways in distributed Data Planes failed to cache TLS certificates correctly in the local Redis, resulting in potential service disruptions if MDCB became unavailable. Data plane gateways now reliably serve HTTPS and mTLS traffic even if MDCB is unavailable.
We’ve fixed an issue where RPC connections remained stale when DNS records changed (such as ELB IP updates), leading to timeout errors. Based on direct customer reports, we’ve enhanced DNS resolution so all connections in the RPC pool now properly reconnect when endpoint IPs change. This eliminates service disruptions during infrastructure updates and ensures more resilient connectivity.
Fixed a bug where a timeout in an RPC call to MDCB would lead to policies not being synchronised to the data plane.
We’ve resolved an issue that could cause Gateways to fail re-registration when restarting under certain licensing configurations during upgrades. This fix introduces support for new “Unlimited Gateway” licenses, enhances Gateway’s Dashboard authentication retry logic, and ensures a smoother upgrade experience for large-scale deployments. Gateways now register reliably without entering failure loops, even under heavy churn or rolling upgrades.

5.3.11 Release Notes

Release Date 7 May 2025

Release Highlights

This patch release contains various bug fixes. For a comprehensive list of changes, please refer to the detailed changelog below.

Breaking Changes

This release has no breaking changes.

Dependencies

Compatibility Matrix For Tyk Components
Gateway VersionRecommended ReleasesBackwards Compatibility
5.3.11MDCB v2.8.0MDCB v2.8.0
Operator v1.2.0Operator v0.17
Sync v2.1.0Sync v2.1.0
Helm Chart v3.0Helm all versions
EDP v1.13EDP all versions
Pump v1.12.0Pump all versions
TIB (if using standalone) v1.7.0TIB all versions
3rd Party Dependencies & Tools
Third Party DependencyTested VersionsCompatible VersionsComments
Go1.231.23Go plugins must be built using Go 1.23
Redis6.2.x, 7.x6.2.x, 7.xUsed by Tyk Gateway
OpenAPI Specificationv3.0.xv3.0.xSupported by Tyk OAS
Given the potential time difference between your upgrade and the release of this version, we recommend users verify the ongoing support of third-party dependencies they install, as their status may have changed since the release.

Deprecations

There are no deprecations in this release.

Upgrade instructions

If you are upgrading to 5.3.11, please follow the detailed upgrade instructions.

Downloads

Changelog

Added
Fixed
Addressed an issue for UDG APIs where caching led to the forwarding of stale values for headers that contained content variables towards the upstream of the UDG apis.
Resolved an issue where requests could be routed incorrectly due to inverted prioritisation of dynamically declared paths over those with similar static paths. Now, statically declared paths take priority in the path matching algorithm, so if API1 has listen path /path/{param}/endpoint and API2 has listen path /path/specific/endpoint a request to /path/specific/endpoint/resource will be correctly routed to API2.
Fixed an issue where an enforced timeout set for a specific API endpoint could be overruled by the configured proxy_default_timeout. Now if an endpoint-level timeout is set then this will be honoured, regardless of any default timeout that is configured.
Resolved a race condition in self-managed deployments which occasionally lead to fewer Gateways registering with the Dashboard than the number that had been licensed. Now Tyk Self-Managed deployments will allow the licensed number of Gateways to register and serve traffic.
Resolved a bug where Gateway pods in Kubernetes would enter a crash loop on restart if MDCB was down. The issue occurred due to the HTTP router failing to initialize properly during cold start. This fix ensures stable Gateway recovery even when MDCB is offline.
Multi-value response headers were previously lost after synchronization with coprocess middleware, as only the first value was retained. This has been resolved, ensuring all response headers are properly synchronized and preserved

5.3.10 Release Notes

Release Date 19 February 2025

Release Highlights

In this release, we upgraded the Golang version to v1.23 for security enhancement and fixed an API authentication issue with redirects. For a comprehensive list of changes, please refer to the detailed changelog below.

Breaking Changes

This release has no breaking changes.

Dependencies

Compatibility Matrix For Tyk Components
Gateway VersionRecommended ReleasesBackwards Compatibility
5.3.10MDCB v2.5.1MDCB v2.5.1
Operator v0.17Operator v0.16
Sync v1.4.3Sync v1.4.3
Helm Chart (tyk-stack, tyk-oss, tyk-dashboard, tyk-gateway) v2.0.0Helm all versions
EDP v1.8.3EDP all versions
Pump v1.9.0Pump all versions
TIB (if using standalone) v1.5.1TIB all versions
3rd Party Dependencies & Tools
Third Party DependencyTested VersionsCompatible VersionsComments
Go1.23 (GW)1.23 (GW)Go plugins must be built using Go 1.23
Redis6.2.x, 7.x6.2.x, 7.xUsed by Tyk Gateway
OpenAPI Specificationv3.0.xv3.0.xSupported by Tyk OAS
Given the potential time difference between your upgrade and the release of this version, we recommend users verify the ongoing support of third-party dependencies they install, as their status may have changed since the release.

Deprecations

There are no deprecations in this release

Upgrade Instructions

If you are upgrading to 5.3.10, please follow the detailed upgrade instructions.

Downloads

Changelog

Fixed
Fixed an issue where the gateway stopped processing traffic when restarted while MDCB was unavailable. Instead of entering “emergency” mode and loading APIs and policies from the Redis backup, the gateway remained unresponsive, continuously attempting to reconnect. With this fix, the gateway detects connection failure and enters emergency mode, ensuring traffic processing resumes even when MDCB is down.
Tyk Gateway now runs on Golang 1.23, bringing security and performance improvements. Key changes include unbuffered Timer/Ticker channels, removal of 3DES cipher suites, and updates to X509KeyPair handling. Users may need to adjust their setup for compatibility.
This fix ensures that when API A redirects to API B using the tyk:// scheme, API B will now correctly authenticate using its own credentials, improving access control and preventing access denials. Users can now rely on the expected authentication flow without workarounds, providing a smoother experience when integrating APIs.

5.3.9 Release Notes

Release Date 31 December 2024

Release Highlights

This release contains bug fixes. For a comprehensive list of changes, please refer to the detailed changelog below.

Breaking Changes

This release has no breaking changes.

Dependencies

Compatibility Matrix For Tyk Components
Gateway VersionRecommended ReleasesBackwards Compatibility
5.3.9MDCB v2.5.1MDCB v2.5.1
Operator v0.17Operator v0.16
Sync v1.4.3Sync v1.4.3
Helm Chart (tyk-stack, tyk-oss, tyk-dashboard, tyk-gateway) v2.0.0Helm all versions
EDP v1.8.3EDP all versions
Pump v1.9.0Pump all versions
TIB (if using standalone) v1.5.1TIB all versions
3rd Party Dependencies & Tools
Third Party DependencyTested VersionsCompatible VersionsComments
Go1.22 (GW)1.22 (GW)Go plugins must be built using Go 1.22
Redis6.2.x, 7.x6.2.x, 7.xUsed by Tyk Gateway
OpenAPI Specificationv3.0.xv3.0.xSupported by Tyk OAS
Given the potential time difference between your upgrade and the release of this version, we recommend users verify the ongoing support of third-party dependencies they install, as their status may have changed since the release.

Deprecations

There are no deprecations in this release

Upgrade Instructions

If you are upgrading to 5.3.9, please follow the detailed upgrade instructions.

Downloads

Changelog

Fixed
Resolved an issue where the response body could be only partially recorded in the traffic log if a custom response plugin modified the payload. This was due to Tyk using the original, rather than the modified, content-length of the response when identifying the data to include in the traffic log.
Fixed a bug that prevented the control plane Gateway from loading APIs that use custom plugin bundles. The control plane Gateway is used to register OAuth clients and generate access tokens so this could result in an API being loaded to the data plane Gateways but clients unable to obtain access tokens. This issue was introduced in v5.3.1 as a side-effect of a change to address a potential security issue where APIs could be loaded without their custom plugins.
Addressed an issue where shared loggers caused debug logs to misidentify the middleware source, complicating debugging. Log entries now correctly indicate which middleware generated the log, ensuring clearer and more reliable diagnostics
Resolved an issue where APIs using the Transfer-Encoding: chunked header alongside URL Rewrite or Validate Request middleware would lose the response payload body. The payload now processes correctly, ensuring seamless functionality regardless of header configuration.
Resolved an issue where API access keys remained valid even if all associated policies were deleted. The Gateway now attempts to apply all linked policies to the key when it is presented with a request. Warning logs are generated if any policies cannot be applied (for example, if they are missing). If no linked policy can be applied, the Gateway will reject the key to ensure no unauthorized access.
Fixed a routing issue that caused incorrect API matching when dealing with APIs that lacked a trailing slash, used custom domains, or had similar listen path patterns. Previously, the router prioritized APIs with longer subdomains and shorter listen paths, leading to incorrect matches when listen paths shared prefixes. This fix ensures accurate API matching, even when subdomains and listen paths overlap.
Fixed an issue where a malformed listen path could cause the Gateway to crash. Now, such listen paths are properly validated, and if validation fails, an error is logged, and the API is skipped—preventing Gateway instability.
Fixed an issue where GraphQL queries using variables for custom scalar types, such as UUID, failed due to incorrect input handling. Previously, the query would return an error when a variable was used but worked when the value was directly embedded in the query. This update ensures that variables for custom scalar types are correctly inferred and processed, enabling seamless query execution.
Resolved a bug that prevented upstream server-sent events (SSE) from being sent when OpenTelemetry was enabled, and fixed a gateway panic that occurred when detailed recording was active while SSE was in use. This ensures stable SSE streaming in configurations with OpenTelemetry.
OAuth 2.0 access tokens can now be issued even when data plane gateways are disconnected from the control plane. This is achieved by saving OAuth clients locally within the data plane when they are pulled from RPC.
Tyk now supports RSA-PSS signed JWTs (PS256, PS384, PS512), enhancing security while maintaining backward compatibility with RS256. No configuration changes are needed—just use RSA public keys, and Tyk will validate both algorithms seamlessly.
Resolved a problem in the request size limit middleware that caused GET and DELETE requests to fail validation.The middleware incorrectly expected a request body (payload) for these methods and blocked them when none was present.

5.3.8 Release Notes

Release Date 07 November 2024

Release Highlights

This release focuses mainly on bug fixes. For a comprehensive list of changes, please refer to the detailed changelog below.

Breaking Changes

This release has no breaking changes.

Dependencies

Compatibility Matrix For Tyk Components
Gateway VersionRecommended ReleasesBackwards Compatibility
5.3.8MDCB v2.5.1MDCB v2.5.1
Operator v0.17Operator v0.16
Sync v1.4.3Sync v1.4.3
Helm Chart (tyk-stack, tyk-oss, tyk-dashboard, tyk-gateway) v2.0.0Helm all versions
EDP v1.8.3EDP all versions
Pump v1.9.0Pump all versions
TIB (if using standalone) v1.5.1TIB all versions
3rd Party Dependencies & Tools
Third Party DependencyTested VersionsCompatible VersionsComments
Go1.22 (GW)1.22 (GW)Go plugins must be built using Go 1.22
Redis6.2.x, 7.x6.2.x, 7.xUsed by Tyk Gateway
OpenAPI Specificationv3.0.xv3.0.xSupported by Tyk OAS
Given the potential time difference between your upgrade and the release of this version, we recommend users verify the ongoing support of third-party dependencies they install, as their status may have changed since the release.

Deprecations

This is an advanced notice that the dedicated External OAuth, OpenID Connect (OIDC) authentication options, and SQLite support will be deprecated starting in version 5.7.0. We recommend that users of the External OAuth and OpenID Connect methods migrate to Tyk’s dedicated JWT Auth method. Please review your API configurations, as the Gateway logs will provide notifications for any APIs utilizing these methods.

Upgrade Instructions

If you are upgrading to 5.3.8, please follow the detailed upgrade instructions.

Downloads

Changelog

Added
Fixed
This update fixes a bug that caused increased memory usage when proxying large response payloads that was introduced in version 5.3.1, restoring memory requirements to the levels seen in version 5.0.6. Users experiencing out-of-memory errors with 1GB+ file downloads will notice improved performance and reduced latency.
We resolved an issue that caused path-based permissions in policies to be lost when policies were combined, potentially omitting URL values and restricting access based on the merge order. It ensures that all applicable policies merge their allowed URL access rights, regardless of the order in which they are applied.
A backwards compatibility issue in the way that the Gateway handles Tyk OAS API definitions has been addressed by reducing the strictness of validation against the expected schema. Since Tyk version 5.3, the Gateway has enforced strict validation, potentially causing problems for users downgrading from newer versions. With this change, Tyk customers can move between versions seamlessly, ensuring their APIs remain functional and avoiding system performance issues.
This update resolves an issue where API keys could be lost if the keyspace synchronization between control and data planes was interrupted. The solution now enforces a resynchronization whenever a connection is re-established between MDCB and the data plane, ensuring key data integrity and seamless API access.

5.3.7 Release Notes

Release Date 22 October 2024

Release Highlights

This patch release for Tyk Gateway addresses critical stability issues for users running Tyk Gateway within the data plane, connecting to the control plane or Tyk Hybrid. Affected users should upgrade immediately to version 5.3.7 to avoid service interruptions and ensure reliable operations with the control plane or Tyk Hybrid. For a comprehensive list of changes, please refer to the detailed changelog below.

Breaking Changes

There are no breaking changes in this release.

Deprecations

There are no deprecations in this release.

Upgrade Instructions

When upgrading to 5.3.7 please follow the detailed upgrade instructions.

Dependencies

Compatibility Matrix For Tyk Components
Gateway VersionRecommended ReleasesBackwards Compatibility
5.3.7MDCB v2.5.1MDCB v2.5.1
Operator v0.17Operator v0.16
Sync v1.4.3Sync v1.4.3
Helm Chart (tyk-stack, tyk-oss, tyk-dashboard, tyk-gateway) v2.0.0Helm all versions
EDP v1.8.3EDP all versions
Pump v1.9.0Pump all versions
TIB (if using standalone) v1.5.1TIB all versions
3rd Party Dependencies & Tools
Third Party DependencyTested VersionsCompatible VersionsComments
Go1.221.22Go plugins must be built using Go 1.22
Redis6.2.x, 7.x6.2.x, 7.xUsed by Tyk Gateway
OpenAPI Specificationv3.0.xv3.0.xSupported by Tyk OAS
Given the potential time difference between your upgrade and the release of this version, we recommend users verify the ongoing support of third-party dependencies they install, as their status may have changed since the release.

Downloads

Changelog

Fixed

5.3.6 Release Notes

Release Date 04 October 2024

Important Update

Date: 12 October 2024
Topic: Gateway panic when reconnecting to MDCB control plane or Tyk Cloud
Workaround: Restart Gateway
Affected Product: Tyk Gateway as an Edge Gateway
Affected versions: v5.6.0, v5.3.6, and v5.0.14
Issue Description:

We have identified an issue affecting Tyk Gateway deployed as a data plane connecting to the Multi-Data Center Bridge (MDCB) control plane or Tyk Cloud. In the above mentioned Gateway versions a panic may occur when gateway reconnect to the control plane after the control plane is restarted.

Our engineering team is actively working on a fix, and a patch (versions 5.6.1, 5.3.7, and 5.0.15) will be released soon.

Recommendations:
For users on versions 5.5.0, 5.3.5, and 5.0.13
We advise you to delay upgrading to the affected versions (5.6.0, 5.3.6, or 5.0.14) until the patch is available.For users who have already upgraded to 5.6.0, 5.3.6, or 5.0.14 and are experiencing a panic in the gateway:
Restarting the gateway process will restore it to a healthy state. If you are operating in a Kubernetes environment, Tyk Gateway instance should automatically restart, which ultimately resolves the issue.

We appreciate your understanding and patience as we work to resolve this. Please stay tuned for the upcoming patch release, which will address this issue.

Release Highlights

This release primarily focuses on bug fixes. For a comprehensive list of changes, please refer to the detailed changelog below.

Breaking Changes

Docker images are now based on distroless. No shell is shipped in the image. If moving from an version of Tyk older than 5.3.0 please read the explanation provided with 5.3.0 release.

Deprecations

There are no deprecations in this release.

Upgrade Instructions

When upgrading to 5.3.6 please follow the detailed upgrade instructions.

Dependencies

Compatibility Matrix For Tyk Components
Gateway VersionRecommended ReleasesBackwards Compatibility
5.3.6MDCB v2.5.1MDCB v2.5.1
Operator v0.17Operator v0.16
Sync v1.4.3Sync v1.4.3
Helm Chart (tyk-stack, tyk-oss, tyk-dashboard, tyk-gateway) v2.0.0Helm all versions
EDP v1.8.3EDP all versions
Pump v1.9.0Pump all versions
TIB (if using standalone) v1.5.1TIB all versions
3rd Party Dependencies & Tools
Third Party DependencyTested VersionsCompatible VersionsComments
Go1.221.22Go plugins must be built using Go 1.22
Redis6.2.x, 7.x6.2.x, 7.xUsed by Tyk Gateway
OpenAPI Specificationv3.0.xv3.0.xSupported by Tyk OAS
Given the potential time difference between your upgrade and the release of this version, we recommend users verify the ongoing support of third-party dependencies they install, as their status may have changed since the release.

Downloads

Changelog

Changed
Fixed
We have resolved an issue where custom response plugins were not being triggered for Tyk OAS APIs. This fix ensures that all custom plugins are invoked as expected when using Tyk OAS APIs.
We have enhanced the initial synchronization of Data Plane gateways with the Control Plane to ensure more reliable loading of policies and APIs on start-up. A synchronous initialization process has been implemented to avoid sync failures and reduce the risk of service disruptions caused by failed loads. This update ensures smoother and more consistent syncing of policies and APIs in distributed deployments.
We have fixed an issue where the quota limit was not being consistently respected during request spikes, especially in deployments with multiple gateways. The problem occurred when multiple gateways cached the current and remaining quota counters at the end of quota periods. To address this, a distributed lock mechanism has been implemented, ensuring coordinated quota resets and preventing discrepancies across gateways.
We have addressed a performance regression identified in Tyk Gateway versions 4.0.13 and later, where key creation for policies with a large number of APIs (100+) became significantly slower. The operation, which previously took around 1.5 seconds in versions 4.0.0 to 4.0.12, was taking over 20 seconds in versions 4.0.13 and beyond. This issue has been resolved by optimizing Redis operations during key creation, restoring the process to its expected speed of approximately 1.5 seconds, even with a large number of APIs in the policy.
Security Fixes

5.3.5 Release Notes

Release Date 26 September 2024

Release Highlights

This release fixes some issues related to the way that Tyk performs URL path matching, introducing two new Gateway configuration options to control path matching strictness. For a comprehensive list of changes, please refer to the detailed changelog below.

Breaking Changes

There are no breaking changes in this release, however if moving from an version of Tyk older than 5.3.0 please read the explanation provided with 5.3.0 release.

Deprecations

There are no deprecations in this release.

Upgrade Instructions

When upgrading to 5.3.5 please follow the detailed upgrade instructions.

Dependencies

Compatibility Matrix For Tyk Components
Gateway VersionRecommended ReleasesBackwards Compatibility
5.3.5MDCB v2.5.1MDCB v2.5.1
Operator v0.17Operator v0.16
Sync v1.4.3Sync v1.4.3
Helm Chart (tyk-stack, tyk-oss, tyk-dashboard, tyk-gateway) v2.0.0Helm all versions
EDP v1.8.3EDP all versions
Pump v1.9.0Pump all versions
TIB (if using standalone) v1.5.1TIB all versions
3rd Party Dependencies & Tools
Third Party DependencyTested VersionsCompatible VersionsComments
Go1.19 (GQL), 1.21 (GW)1.19 (GQL), 1.21 (GW)Go plugins must be built using Go 1.21
Redis6.2.x, 7.x6.2.x, 7.xUsed by Tyk Gateway
OpenAPI Specificationv3.0.xv3.0.xSupported by Tyk OAS
Given the potential time difference between your upgrade and the release of this version, we recommend users verify the ongoing support of third-party dependencies they install, as their status may have changed since the release.

Downloads

Changelog

Added
Fixed

5.3.4 Release Notes

Release Date August 26th 2024

Release Highlights

Gateway 5.3.4 was version bumped only, to align with Dashboard 5.3.4. Subsequently, no changes were encountered in release 5.3.4. For further information please see the release notes for Dashboard v5.3.4

Breaking Changes

Attention: Please read this section carefully. There are no breaking changes in this release, however if moving from an version of Tyk older than 5.3.0 please read the explanation provided with 5.3.0 release.

Deprecations

There are no deprecations in this release.

Upgrade Instructions

When upgrading to 5.3.4 please follow the detailed upgrade instructions.

Dependencies

Compatibility Matrix For Tyk Components
Gateway VersionRecommended ReleasesBackwards Compatibility
5.3.4MDCB v2.5.1MDCB v2.5.1
Operator v0.17Operator v0.16
Sync v1.4.3Sync v1.4.3
Helm Chart (tyk-stack, tyk-oss, tyk-dashboard, tyk-gateway) v1.4.0Helm all versions
EDP v1.8.3EDP all versions
Pump v1.9.0Pump all versions
TIB (if using standalone) v1.5.1TIB all versions
3rd Party Dependencies & Tools
Third Party DependencyTested VersionsCompatible VersionsComments
Go1.19 (GQL), 1.21 (GW)1.19 (GQL), 1.21 (GW)Go plugins must be built using Go 1.21
Redis6.2.x, 7.x6.2.x, 7.xUsed by Tyk Gateway
OpenAPI Specificationv3.0.xv3.0.xSupported by Tyk OAS
Given the potential time difference between your upgrade and the release of this version, we recommend users verify the ongoing support of third-party dependencies they install, as their status may have changed since the release.

Downloads

Changelog

Since this release was version bumped only to align with Dashboard v5.3.4, no changes were encountered in this release.

5.3.3 Release Notes

Release Date August 2nd 2024

Breaking Changes

Attention: Please read this section carefully. There are no breaking changes in this release, however if moving from an version of Tyk older than 5.3.0 please read the explanation provided with 5.3.0 release.

Deprecations

There are no deprecations in this release.

Upgrade Instructions

When upgrading to 5.3.3 please follow the detailed upgrade instructions.

Release Highlights

Bug Fixes
This release primarily focuses on bug fixes. For a comprehensive list of changes, please refer to the detailed changelog below.
FIPS Compliance
Tyk Gateway now offers FIPS 140-2 compliance. For further details please consult Tyk API Management FIPS support.

Dependencies

Compatibility Matrix For Tyk Components
Gateway VersionRecommended ReleasesBackwards Compatibility
5.3.3MDCB v2.5.1MDCB v2.5.1
Operator v0.17Operator v0.16
Sync v1.4.3Sync v1.4.3
Helm Chart (tyk-stack, tyk-oss, tyk-dashboard, tyk-gateway) v1.4.0Helm all versions
EDP v1.8.3EDP all versions
Pump v1.9.0Pump all versions
TIB (if using standalone) v1.5.1TIB all versions
3rd Party Dependencies & Tools
Third Party DependencyTested VersionsCompatible VersionsComments
Go1.19 (GQL), 1.21 (GW)1.19 (GQL), 1.21 (GW)Go plugins must be built using Go 1.21
Redis6.2.x, 7.x6.2.x, 7.xUsed by Tyk Gateway
OpenAPI Specificationv3.0.xv3.0.xSupported by Tyk OAS
Given the potential time difference between your upgrade and the release of this version, we recommend users verify the ongoing support of third-party dependencies they install, as their status may have changed since the release.

Downloads

Changelog

Added
Fixed
Addressed an issue where creating or resetting a key caused an exponential number of Redis DeleteRawKey commands. Previously, the key creation sequence repeated for every API in the access list, leading to excessive deletion events, especially problematic for access lists with over 100 entries. Now, the key creation sequence executes only once, and redundant deletion of non-existent keys in Redis has been eliminated, significantly improving performance and stability for larger access lists.
Fixed a bug that caused Server Side Event (SSE) streaming responses to be considered for caching, which required buffering the response and prevented SSE from being correctly proxied.
Resolved an issue where Host and Latency fields (Total and Upstream) were not correctly reported for edge gateways in MDCB setups. The fix ensures accurate Host values and Latency measurements are now captured and displayed in analytics data.

5.3.2 Release Notes

Release Date 5th June 2024

Breaking Changes

Attention: Please read this section carefully. There are no breaking changes in this release, however if moving from an version of Tyk older than 5.3.0 please read the explanation provided with 5.3.0 release.

Deprecations

There are no deprecations in this release.

Upgrade Instructions

When upgrading to 5.3.2 please follow the detailed upgrade instructions.

Release Highlights

This release primarily focuses on bug fixes. For a comprehensive list of changes, please refer to the detailed changelog below.

Dependencies

Compatibility Matrix For Tyk Components
Gateway VersionRecommended ReleasesBackwards Compatibility
5.3.2MDCB v2.5.1MDCB v2.5.1
Operator v0.17Operator v0.16
Sync v1.4.3Sync v1.4.3
Helm Chart (tyk-stack, tyk-oss, tyk-dashboard, tyk-gateway) v1.4.0Helm all versions
EDP v1.8.3EDP all versions
Pump v1.9.0Pump all versions
TIB (if using standalone) v1.5.1TIB all versions
3rd Party Dependencies & Tools
Third Party DependencyTested VersionsCompatible VersionsComments
Go1.19 (GQL), 1.21 (GW)1.19 (GQL), 1.21 (GW)Go plugins must be built using Go 1.21
Redis6.2.x, 7.x6.2.x, 7.xUsed by Tyk Gateway
OpenAPI Specificationv3.0.xv3.0.xSupported by Tyk OAS
Given the potential time difference between your upgrade and the release of this version, we recommend users verify the ongoing support of third-party dependencies they install, as their status may have changed since the release.

Downloads

Changelog

Fixed
In Gateway version 5.2+ and 5.3+, we discovered a bug within the OpenTelemetry tracing feature that inadvertently transmits sensitive information. Specifically, tyk.api.apikey and tyk.api.oauthid attributes were exposing API keys. We have fixed the issue to ensure that only the hashed version of the API key is transmitted in traces.
Addressed an issue where an API with a custom domain might not be invoked if another API with the same listen path but no custom domain was also deployed on the Gateway. Now APIs with custom domain names are loaded first, so requests will be checked against these first before falling back to APIs without custom domains.
Addressed an issue in service discovery where an IP:port returned by Consul wasn’t parsed correctly on the Gateway side, leading to errors when proxying requests to the service. The issue primarily occurred with IP:port responses, while valid domain names were unaffected.
Fixed an issue with nested field mapping in UDG when used with GraphQL (GQL) operations for a field’s data source. Previously, querying only the mentioned field resulted in an error, but querying alongside another ‘normal’ field from the same level worked without issue.
Addressed a potential issue when working with Tyk OAS APIs where request context variables are automatically made available to relevant Tyk and custom middleware. We have introduced a control in the Tyk OAS API definition to disable this access if required.

5.3.1 Release Notes

Release Date 24 April 2024

Breaking Changes

Attention: Please read this section carefully. There are no breaking changes in this release, however if moving from an version of Tyk older than 5.3.0 please read the explanation provided with 5.3.0 release.

Deprecations

There are no deprecations in this release.

Upgrade Instructions

When upgrading to 5.3.1 please follow the detailed upgrade instructions.

Release Highlights

This release primarily focuses on bug fixes. For a comprehensive list of changes, please refer to the detailed changelog below.

Dependencies

Compatibility Matrix For Tyk Components
Gateway VersionRecommended ReleasesBackwards Compatibility
5.3.1MDCB v2.5.1MDCB v2.5.1
Operator v0.17Operator v0.16
Sync v1.4.3Sync v1.4.3
Helm Chart (tyk-stack, tyk-oss, tyk-dashboard, tyk-gateway) v1.3.0Helm all versions
EDP v1.8.3EDP all versions
Pump v1.9.0Pump all versions
TIB (if using standalone) v1.5.1TIB all versions
3rd Party Dependencies & Tools
Third Party DependencyTested VersionsCompatible VersionsComments
Go1.19 (GQL), 1.21 (GW)1.19 (GQL), 1.21 (GW)Go plugins must be built using Go 1.21
Redis6.2.x, 7.x6.2.x, 7.xUsed by Tyk Gateway
OpenAPI Specificationv3.0.xv3.0.xSupported by Tyk OAS
Given the potential time difference between your upgrade and the release of this version, we recommend users verify the ongoing support of third-party dependencies they install, as their status may have changed since the release.

Downloads

Changelog

Fixed
Issues were addressed where Tyk failed to properly reject custom plugin bundles with signature verification failures, allowing APIs to load without necessary plugins, potentially exposing upstream services. With the fix, if the plugin bundle fails to load (for example, due to failed signature verification) the API will not be loaded and an error will be logged in the Gateway.
Fixed a panic scenario that occurred when a custom JavaScript plugin that requests access to the session metadata (require_session:true) is assigned to the same endpoint as the Ignore Authentication middleware. While the custom plugin expects access to a valid session, the configuration flag doesn’t guarantee its presence, only that it’s passed if available. As such, the custom plugin should be coded to verify that the session metadata is present before attempting to use it.
Fixed a bug where the Gateway could crash when using custom Python plugins that access the Redis storage. The Tyk Python API methods store_data and get_data could fail due to connection issues with the Redis. With this fix, the Redis connection will be created if required, avoiding the crash.
In some instances users were noticing gateway panics when using the Persist GQL middleware without arguments defined. This issue has been fixed and the gateway will not throw panics in these cases anymore.
In cases where detailed_tracing was set to false and the client was sending a malformed request to a GraphQL API, the traces were missing GraphQL attributes (operation name, type and document). This has been corrected and debugging GraphQL with OTel will be easier for users.
GQL Open Telemetry semantic conventions attribute names were missing graphql prefix and therefore were not in line with the community standard. This has been fixed and all attributes have the correct prefix.
Fixed two bugs in the handling of usage quotas by the URL rewrite middleware when it was configured to rewrite to itself (e.g. to tyk://self). Quota limits were not observed and the quota related response headers always contained 0.
Resolved an issue in distributed deployments where the MDCB data plane gateway counter was inaccurately incremented when a Gateway was stopped and restarted.
Addressed a bug where clearing the API cache from the Tyk Dashboard failed to invalidate the cache in distributed data plane gateways. This fix requires MDCB 2.5.1.
Fixed a bug where custom Go plugins compiled in RHEL8 environments were unable to load into Tyk Gateway due to a discrepancy in base images between the Gateway and Plugin Compiler environments. This fix aligns the plugin compiler base image with the gateway build environment, enabling seamless plugin functionality on RHEL8 environments.
Removed several unused packages from the plugin compiler image. The packages include: docker, buildkit, ruc, sqlite, curl, wget, and other build tooling. The removal was done in order to address invalid CVE reporting, none of the removed dependencies are used to provide plugin compiler functionality.

5.3.0 Release Notes

Release Date 5 April 2024

Breaking Changes

Attention: Please read this section carefully
Tyk OAS APIs Compatibility Caveats - Tyk OSS
This upgrade transitions Tyk OAS APIs out of Early Access. For licensed deployments (Tyk Cloud, Self Managed including MDCB), please refer to the release notes of Tyk Dashboard 5.3.0.
  • Out of Early Access
    • This means that from now on, all Tyk OAS APIs will be backwards compatible and in case of a downgrade from v5.3.X to v5.3.0, the Tyk OAS API definitions will always work.
  • Not Backwards Compatible
    • Tyk OAS APIs in Tyk Gateway v5.3.0 are not backwards compatible. This means that the new Tyk OAS API format created by Tyk Gateway v5.3.X does not work with older versions of Tyk Gateway, i.e. you cannot export these API definitions from a v5.3.X Tyk Gateway and import them to an earlier version.
    • The upgrade is not reversible, i.e. you cannot use version 5.3.X Tyk OAS API definitions with an older version of Tyk Dashboard.
    • This means that if you wish to downgrade or revert to your previous version of Tyk, you will need to restore these API definitions from a backup. Please go to the backup section for detailed instructions on backup before upgrading to v5.3.0.
    • If you are not using Tyk OAS APIs, Tyk will maintain backward compatibility standards.
  • Not Forward Compatible
    • Tyk OAS API Definitions prior to v5.3.0 are not forward compatible with Tyk Gateway v5.3.X.
    • This means that any Tyk OAS APIs created in any previous release (4.1.0-5.2.x) cannot work with the new Tyk Gateway v5.3.X without being migrated to its latest format.
  • After upgrade (the good news)
    • Tyk OAS API definitions that are part of the file system are not automatically converted to the new format. Subsequently, users will have to manually update their OAS API Definitions to the new format.
    • If users upgrade to 5.3.0, create new Tyk OAS APIs and then decide to rollback then the upgrade is non-reversible. Reverting to your previous version requires restoring from a backup.
Important: Please go to the backup section for detailed instructions on backup before upgrading to v5.3.0
Python plugin support
Starting from Tyk Gateway version v5.3.0, Python is no longer bundled with the official Tyk Gateway Docker image to reduce exposure to security vulnerabilities in the Python libraries. Whilst the Gateway still supports Python plugins, you must extend the image to add the language support.

Dependencies

Compatibility Matrix For Tyk Components
Gateway VersionRecommended ReleasesBackwards Compatibility
5.3.0MDCB v2.5MDCB v2.4.2
Operator v0.17Operator v0.16
Sync v1.4.3Sync v1.4.3
Helm Chart (tyk-stack, tyk-oss, tyk-dashboard, tyk-gateway) v1.3.0Helm all versions
EDP v1.8.3EDP all versions
Pump v1.9.0Pump all versions
TIB (if using standalone) v1.5.1TIB all versions
3rd Party Dependencies & Tools
Third Party DependencyTested VersionsCompatible VersionsComments
Go1.19 (GQL), 1.21 (GW)1.19 (GQL), 1.21 (GW)Go plugins must be built using Go 1.21
Redis6.2.x, 7.x6.2.x, 7.xUsed by Tyk Gateway
OpenAPI Specificationv3.0.xv3.0.xSupported by Tyk OAS
Given the potential time difference between your upgrade and the release of this version, we recommend users verify the ongoing support of third-party dependencies they install, as their status may have changed since the release.

Deprecations

In 5.3.0, we have simplified the configuration of response transform middleware. We encourage users to embrace the global_headers mechanism as the response_processors.header_injector is now an optional setting and will be removed in a future release.

Upgrade instructions

If you are upgrading to 5.3.0, please follow the detailed upgrade instructions. The following steps are essential to follow before upgrading Tyk Cloud (including Hybrid Gateways) and Self Managed users - Please refer to the release notes of Tyk Dashboard 5.3.0. For OSS deployments -
  1. Backup Your environment using the usual guidance documented with every release (this includes backup config file and database).
  2. Backup all your API definitions (Tyk OAS API and Classic Definitions) by saving your API and policy files or by exporting them using the GET /tyk/apis and Get /tyk/policies
  3. Performing the upgrade - follow the instructions in the upgrade guide when upgrading Tyk.

Release Highlights

We’re thrilled to announce the release of 5.3.0, an update packed with exciting features and significant fixes to elevate your experience with Tyk Gateway. For a comprehensive list of changes, please refer to the detailed changelog below.
Tyk OAS Feature Maturity
Tyk OAS is now out of Early Access as we have reached feature maturity. You are now able to make use of the majority of Tyk Gateway’s features from your Tyk OAS APIs, so they are a credible alternative to the legacy Tyk Classic APIs. From Tyk 5.3.0 we support the following features when using Tyk OAS APIs with Tyk Gateway:
  • Security
    • All Tyk-supported client-gateway authentication methods including custom auth plugins
    • Automatic configuration of authentication from the OpenAPI description
    • Gateway-upstream mTLS
    • CORS
  • API-level (global) middleware including:
    • Response caching
    • Custom plugins for PreAuth, Auth, PostAuth, Post and Response hooks
    • API-level rate limits
    • Request transformation - headers
    • Response transformation - headers
    • Service discovery
    • Internal API
  • Endpoint-level (per-path) middleware including:
    • Request validation - headers and body (automatically configurable from the OpenAPI description)
    • Request transformation - method, headers and body
    • Response transformation - headers and body
    • URL rewrite and internal endpoints
    • Mock responses (automatically configurable from the OpenAPI description)
    • Response caching
    • Custom Go Post-Plugin
    • Request size limit
    • Virtual endpoint
    • Allow and block listing
    • Do-not-track
    • Circuit breakers
    • Enforced timeouts
    • Ignore authentication
  • Observability
    • Open Telemetry tracing
    • Detailed log recording (include payload in the logs)
    • Do-not-track endpoint
  • Governance
    • API Versioning
Enhanced KV storage of API Definition Fields
Tyk is able to store configuration data from the API definition in KV systems, such as Vault and Consul, and then reference these values during configuration of the Tyk Gateway or APIs deployed on the Gateway. Previously this was limited to the Target URL and Listen Path but from 5.3.0 you are able to store any string type field from your API definition, unlocking the ability to store sensitive information in a centralised location. For full details check out the documentation of this powerful feature.
Redis v7.x Compatibility
We have upgraded Redis driver go-redis to v9. Subsequently, Tyk 5.3 is compatible with Redis v7.x.
Gateway and Component Upgrades
We’ve raised the bar with significant upgrades to our Gateway and components. Leveraging the power and security of Go 1.21, upgrading Sarama, a widly used Kafka client in Go, to version 1.41.0 and enhancing the GQL engine with Go version 1.19, we ensure improved functionality and performance to support your evolving needs seamlessly.

Downloads

Changelog

Added
The following features have been added in 5.3.0 to bring Tyk OAS to feature maturity:
  • Detailed log recording (include payload in the logs)
  • Enable Open Telemetry tracing
  • Context variables available to middleware chain
  • API-level header transforms (request and response)
  • Endpoint-level cache
  • Circuit breakers
  • Track endpoint logs for inclusion in Dashboard aggregated data
  • Do-not-track endpoint
  • Enforced upstream timeouts
  • Configure endpoint as Internal, not available externally
  • URL rewrite
  • Per-endpoint request size limit
  • Request transformation - method, header
  • Response transformation - header
  • Custom domain certificates
We have implemented support for all string type fields in the Tyk OAS and Tyk Classic API Definitions to be stored in separate KV storage, including Hashicorp Consul and Vault.
Tyk 5.3 refactors Redis connection logic by using storage v1.2.2, which integrates with go-redis v9. Subsequently, Tyk 5.3 supports Redis v7.0.x.
Some of the error messages generated by the GQL engine were unclear for users, especially relating to variable validation. The errors have been changed and are now much more clearer and helpful in cases where engine processing fails.
Upgraded Go version for GraphQL engine to 1.19.
We’ve added OpenTelemetry semantic conventions for GraphQL spans. Spans will now incorporate <operation.type>, <operation.name> and <document> tags.
GraphQL APIs can now use the detailed_tracing setting in an API definition. With that property set to true any call to a GraphQL API will create a span for each middleware involved in request processing. While it is set to false, only two spans encapsulating the entire request lifecycle will be generated. This setting helps to reduce the size of traces, which can get large for GraphQL APIs. Furthermore, this gives users an option to customize the level of tracing detail to suit their monitoring needs.
This release introduces an enhanced trace generation system for Universal Data Graph (UDG). It consolidates all spans from both Tyk-managed and external data source executions into a single trace when used together. Furthermore, when UDG solely utilizes Tyk-managed data sources, trace management is simplified and operational visibility is improved.
For GraphQL requests normalization and validation has been disabled in the GraphQL engine. Both of those actions were performed in the Tyk Gateway and were unnecessary to be done again in the engine. This enhances performance slightly and makes detailed OTel traces concise and easier to read.
The Tyk Dashboard API endpoint /api/data-graphs/data-sources/import now handles OpenAPI schemas with arrays of objects. This addition means users can now import more complex OpenAPI documents and transform them into UDG configurations.
The OAS-to-UDG converter now seamlessly handles OpenAPI descriptions that utilize the allOf, anyOf and oneOf keywords, ensuring accurate and comprehensive conversion to a Tyk API definition. The feature expands the scope of OpenAPI documents that the converter can handle and allows our users to import REST API data sources defined in OAS in more complex cases.
The OAS-to-UDG converter can now create GraphQL types even if an object’s definition doesn’t have an explicit name.
The OAS-to-UDG converter was unable to handle a document properly if an object within the OpenAPI description had no properties defined. This limitation resulted in unexpected behavior and errors during the conversion process. The tool will now handle such cases seamlessly, ensuring a smoother and more predictable conversion process.
Previously OAS-to-UDG converter had limitations in handling enums from OpenAPI descriptions, leading to discrepancies and incomplete conversions. With the inclusion of enum support, the OAS converter now seamlessly processes enums defined in your OpenAPI descriptions, ensuring accurate and complete conversion to GraphQL schemas.
OAS-to-UDG converter can now handle HTTP status code ranges that are defined by the OpenAPI Specification. This means that code ranges defined as 1XX, 2XX, etc will be correctly converted by the tool.
We have added the capability for users to define a custom rate limit key within session metadata. This increases flexibility with rate limiting, as the rate limit can be assigned to different entities identifiable from the session metadata (such as a client app or organization) and is particularly useful for users of Tyk’s Enterprise Developer Portal.
Changed
Previously, when operating in a worker configuration (in the data plane), the Tyk Gateway fetched session expiry information from the control plane the first time an API was accessed for a given organization. This approach led to a significant issue: if the MDCB connection was lost, the next attempt to consume the API would incur a long response time. This delay, typically around 30 seconds, was caused by the Gateway waiting for the session-fetching operation to time out, as it tried to communicate with the now-inaccessible control plane.
Now, the worker gateway fetches the session expiry information up front, while there is an active connection to MDCB. This ensures that this data is already available locally in the event of an MDCB disconnection.
This change significantly improves the API response time under MDCB disconnection scenarios by removing the need for the Gateway to wait for a timeout when attempting to fetch session information from the control plane, avoiding the previous 30-second delay. This optimization enhances the resilience and efficiency of Tyk Gateway in distributed environments.
We have made some changes to the Tyk OAS API Definition to provide a stable contract that will now be under breaking-change control for future patches and releases as Tyk OAS moves out of Early Access. Changes include the removal of the unnecessary slug field and simplification of the custom plugin contract.
We have optimized the allocation behavior of our sliding window log rate limiter implementation (Redis Rate Limiter). Previously the complete request log would be retrieved from Redis. With this enhancement only the count of the requests in the window is retrieved, optimizing the interaction with Redis and decreasing the Gateway memory usage.
Fixed
In this release, we fixed automated token trimming in Redis, ensuring efficient management of OAuth tokens by implementing a new hourly job within the Gateway and providing a manual trigger endpoint.
We fixed a bug in the Tyk OAS Validate Request middleware where we were not correctly validating date-time format schema, which could lead to invalid date-time values reaching the upstream services.
Fixed an issue when using the Distributed Rate Limiter (DRL) where the Gateway did not apply any rate limit until a DRL notification was received. Now the rate of requests will be limited at 100% of the configured rate limit until the DRL notification is received, after which the limit will be reduced to an even share of the total (i.e. 100% divided by the number of Gateways) per the rate limit algorithm design.
Fixed an issue where the OAS-to-UDG converter was sometimes adding the same field to an object type many times. This caused issues with the resulting GQL schema and made it non-compliant with GQL specification.
Fixed an issue where the Gateway attempted to execute a query with GQL engine version 1 (which lacks OTel support), while simultaneously trying to validate the same query with the OpenTelemetry (OTel) supported engine. It caused the API to fail with an error message “Error socket hang up”. Right now with OTel enabled, the gateway will enforce GQL engine to default to version 2, so that this problem doesn’t occur anymore.
The OAS-to-UDG converter now effectively handles array of objects within POST paths. Previously, there were instances where the converter failed to accurately interpret and represent these structures in the generated UDG configuration.
OAS-to-UDG converter was unable to correctly process Tyk OAS API definitions where “JSON” was used as one of enum values. This issue is now fixed and whenever “JSON” is used as one of enums in the OpenAPI description, it will get correctly transformed into a custom scalar in GQL schema.
Fixed an issue where the Gateway could panic while updating a Tyk OAS API with the Virtual Endpoint middleware configured.
Fixed an issue where reloading a bundle containing JS plugins could cause the Gateway to panic.
Fixed an issue where the Disable introspection setting was not working correctly in cases where field-based permissions were set (allow or block list). It was not possible to introspect the GQL schema while introspection was technically allowed but field-based permissions were enabled. Currently, Allow/Block list settings are ignored only for introspection queries and introspection is only controlled by the Disable introspection setting.
The OAS-to-UDG converter was unable to handle a document properly if an object within the OpenAPI description had no properties defined. This limitation resulted in unexpected behavior and errors during the conversion process. The tool will now handle such cases seamlessly, ensuring a smoother and more predictable conversion process
Addressed a memory leak issue in Tyk Gateway linked to a logger mutex change introduced in v5.2.4. Reverting these changes has improved connection management and enhanced system performance.
Resolved an issue where in certain conditions external clients could access internal endpoints. This was caused by incorrect combination of middleware which could lead to internal endpoints proxying traffic from external sources. This has now been addressed, so that an endpoint with the internal middleware configured will not be reachable from external requests.
Security Fixes

5.2 Release Notes

5.2.5 Release Notes

Release Date 19 Dec 2023

Breaking Changes

Attention: Please read carefully this section. We have two topics to report:

Early Access Features:

Please note that the Tyk OAS APIs feature, currently marked as Early Access, is subject to breaking changes in subsequent releases. Please refer to our Early Access guide for specific details. Upgrading to a new version may introduce changes that are not backwards-compatible. Downgrading or reverting an upgrade may not be possible resulting in a broken installation. Users are strongly advised to follow the recommended upgrade instructions provided by Tyk before applying any updates.

Deprecations

There are no deprecations in this release.

Upgrade Instructions

If you are using a 5.2.x version, we advise you to upgrade ASAP to this latest release. If you are on an older version, you should skip 5.2.0 and upgrade directly to this release. Go to the Upgrading Tyk section for detailed upgrade instructions.

Release Highlights

This release implements a bug fix. For a comprehensive list of changes, please refer to the detailed changelog below.

Downloads

Changelog

Fixed

5.2.4 Release Notes

Release Date 7 Dec 2023

Breaking Changes

Attention: Please read carefully this section. We have two topics to report:

Early Access Features:

Please note that the Tyk OAS APIs feature, currently marked as Early Access, is subject to breaking changes in subsequent releases. Please refer to our Early Access guide for specific details. Upgrading to a new version may introduce changes that are not backwards-compatible. Downgrading or reverting an upgrade may not be possible resulting in a broken installation. Users are strongly advised to follow the recommended upgrade instructions provided by Tyk before applying any updates.

Deprecations

There are no deprecations in this release.

Upgrade Instructions

If you are using a 5.2.x version, we advise you to upgrade ASAP to this latest release. If you are on an older version, you should skip 5.2.0 and upgrade directly to this release. Go to the Upgrading Tyk section for detailed upgrade instructions.

Release Highlights

This release enhances security, stability, and performance. For a comprehensive list of changes, please refer to the detailed changelog below.

Downloads

Changelog

Fixed
Fixed an issue where the Validate Request middleware provided too much information when reporting a schema validation failure in a request to a Tyk OAS API.
Fixed a bug where the gateway didn’t correctly apply Path-Based Permissions from different policies when using the same sub claim but different scopes in each policy. Now the session will be correctly configured for the claims provided in the policy used for each API request.
Fixed a bug when using the build_id argument with the Tyk Plugin Compiler that prevents users from hot-reloading different versions of the same plugin compiled with different build_ids. The bug was introduced with the plugin module build change implemented in the upgrade to Go version 1.19 in Tyk 5.1.0.
Fixed a bug that was introduced in the fix applied to the URL Rewrite middleware in Tyk 5.0.5/5.1.2. The previous fix did not correctly handle escaped characters in the query parameters. Now you can safely include escaped characters in your query parameters and Tyk will not modify them in the URL Rewrite middleware.

5.2.3 Release Notes

Release Date 21 Nov 2023

Breaking Changes

Attention: Please read carefully this section. We have two topics to report:

Early Access Features:

Please note that the Tyk OAS APIs feature, currently marked as Early Access, is subject to breaking changes in subsequent releases. Please refer to our Early Access guide for specific details. Upgrading to a new version may introduce changes that are not backwards-compatible. Downgrading or reverting an upgrade may not be possible resulting in a broken installation. Users are strongly advised to follow the recommended upgrade instructions provided by Tyk before applying any updates.

Deprecations

There are no deprecations in this release.

Upgrade Instructions

If you are using a 5.2.x version, we advise you to upgrade ASAP to this latest release. If you are on an older version, you should skip 5.2.0 and upgrade directly to this release. Go to the Upgrading Tyk section for detailed upgrade instructions.

Release Highlights

This release enhances security, stability, and performance. For a comprehensive list of changes, please refer to the detailed changelog below.

Downloads

Changelog

Fixed
Fixed an issue where Tyk was not auto-detecting the installed Python version if it had multiple digits in the minor version (e.g. Python 3.11). The regular expression was updated to correctly identify Python versions 3.x and 3.xx, improving compatibility and functionality.
Improved the behavior when using JWTs and the MDCB (Multi Data Center Bridge) link is down; the Gateway will no longer be blocked attempting to fetch OAuth client info. We’ve also enhanced the error messages to specify which type of resource (API key, certificate, OAuth client) the data plane Gateway failed to retrieve due to a lost connection with the control plane.
Fixed an issue where the session object generated when creating a Custom Key in a Go Plugin did not inherit parameters correctly from the Security Policy.
Fixed an issue where uploading a public key instead of a certificate into the certificate store, and using that key for mTLS, caused all the Gateways that the APIs are published on to cease negotiating TLS. This fix improves the stability of the gateways and the successful negotiation of TLS.
Added
This prints the release version, git commit, Go version used, architecture and other build details.
Added new option for Tyk to use the default version of an API if the requested version does not exist. This is referred to as falling back to default and is enabled using a configuration flag in the API definition; for Tyk OAS APIs the flag is fallbackToDefault, for Tyk Classic APIs it is fallback_to_default.
Added a backoff limit for GraphQL subscription connection retry to prevent excessive error messages when the upstream stops working. The connection retries and linked error messages now occur in progressively longer intervals, improving error handling and user experience.
Community Contributions
Special thanks to the following member of the Tyk community for their contribution to this release:

5.2.2 Release Notes

Release Date 31 Oct 2023

Breaking Changes

Attention: Please read carefully this section. We have two topics to report:

Early Access Features:

Please note that the Tyk OAS APIs feature, currently marked as Early Access, is subject to breaking changes in subsequent releases. Please refer to our Early Access guide for specific details. Upgrading to a new version may introduce changes that are not backwards-compatible. Downgrading or reverting an upgrade may not be possible resulting in a broken installation. Users are strongly advised to follow the recommended upgrade instructions provided by Tyk before applying any updates.

Deprecations

There are no deprecations in this release.

Upgrade Instructions

If you are using a 5.2.x version, we advise you to upgrade ASAP to this latest release. If you are on an older version, you should skip 5.2.0 and upgrade directly to this release. Go to the Upgrading Tyk section for detailed upgrade instructions.

Release Highlights

This release primarily focuses on bug fixes. For a comprehensive list of changes, please refer to the detailed changelog below.

Downloads

Changelog

Security
The following CVEs have been resolved in this release:
Fixed
Fixed an issue where enforced timeouts values were incorrect on a per-request basis. Since we enforced timeouts only at the transport level and created the transport only once within the value set by max_conn_time, the timeout in effect was not deterministic. Timeouts larger than 0 seconds are now enforced for each request.
Fixed an issue when using MongoDB and Tyk Security Policies where Tyk could incorrectly grant access to an API after that API had been deleted from the associated policy. This was due to the policy cleaning operation that is triggered when an API is deleted from a policy in a MongoDB installation. With this fix, the policy cleaning operation will not remove the final (deleted) API from the policy; Tyk recognizes that the API record is invalid and denies granting access rights to the key.
The Logstash formatter timestamp is now in RFC3339Nano format.
Fixed a potential race condition where the DRL Manager was not properly protected against concurrent read/write operations in some high-load scenarios.
Fixed a performance issue encountered when Tyk Gateway retrieves a key via MDCB for a JWT API. The token is now validated against JWKS or the public key in the API Definition.
Fixed a performance issue where JWT middleware introduced latency which significantly reduced the overall request/response throughput.
Fixed an issue that prevented UDG examples from being displayed in the dashboard when the Open Policy Agent(OPA) is enabled.
Fixed an issue where the Tyk Gateway logs would include sensitive information when the incorrect signature is provided in a request to an API protected by HMAC authentication.
Community Contributions
Special thanks to the following members of the Tyk community for their contributions to this release:

5.2.1 Release Notes

Release Date 10 Oct 2023

Breaking Changes

Attention: Please read carefully this section. We have two topics to report:

Early Access Features:

Please note that the Tyk OAS APIs feature, currently marked as Early Access, is subject to breaking changes in subsequent releases. Please refer to our Early Access guide for specific details. Upgrading to a new version may introduce changes that are not backwards-compatible. Downgrading or reverting an upgrade may not be possible resulting in a broken installation. Users are strongly advised to follow the recommended upgrade instructions provided by Tyk before applying any updates.

Deprecations

There are no deprecations in this release.

Upgrade Instructions

If you are on a 5.2.0 we advise you to upgrade ASAP and if you are on an older version skip 5.2.0 and upgrade directly to this release. Go to the Upgrading Tyk section for detailed upgrade instructions.

Release Highlights

This release primarily focuses on bug fixes. For a comprehensive list of changes, please refer to the detailed changelog below.

Downloads

Changelog

Changed
Enhance log message quality by eliminating unnecessary messages
Fixed a bug that occurs during Gateway reload where the Gateway would continue to load new API definitions even if policies failed to load. This led to a risk that an API could be invoked without the associated policies (for example, describing access control or rate limits) having been loaded. Now Tyk offers a configurable retry for resource loading, ensuring that a specified number of attempts will be made to load resources (APIs and policies). If a resource fails to load, an error will be logged and the Gateway reverts to its last working configuration.We have introduced two new variables to configure this behavior:
  • resource_sync.retry_attempts - defines the number of retries that the Gateway should perform during a resource sync (APIs or policies), defaulting to zero which means no retries are attempted
  • resource_sync.interval - setting the fixed interval between retry attempts (in seconds)
For OpenTelemetry users, we’ve included much-needed attributes, http.response.body.size and http.request.body.size, in both Tyk HTTP spans and upstream HTTP spans. This addition enables users to gain better insight into incoming/outgoing request/response sizes within their traces.
Fixed
Fixed a memory leak issue in Gateway 5.2.0 if OpenTelemetry (abbreviated “OTel”) is enabled. It was caused by multiple otelhttp handlers being created. We have updated the code to use a single instance of otelhttp handler in 5.2.1 to improve performance under high traffic load.
Fixed a memory leak that occurred when enabling the strict routes option to change the routing to avoid nearest-neighbor requests on overlapping routes (TYK_GW_HTTPSERVEROPTIONS_ENABLESTRICTROUTES)
Fixed a potential performance issue related to high rates of Tyk Gateway reloads (when the Gateway is updated due to a change in APIs and/or policies). The gateway uses a timer that ensures there’s at least one second between reloads, however in some scenarios this could lead to poor performance (for example overloading Redis). We have introduced a new configuration option, reload_interval (TYK_GW_RELOADINTERVAL), that can be used to adjust the duration between reloads and hence optimize the performance of your Tyk deployment.
Fixed an issue with GraphQL APIs, where headers were not properly forwarded upstream for GQL/UDG subscriptions.
Fixed a bug where the Gateway did not correctly close idle upstream connections (sockets) when configured to generate a new connection after a configurable period of time (using the max_conn_time configuration option). This could lead to the Gateway eventually running out of sockets under heavy load, impacting performance.
Removed the extra chunked transfer encoding that was added unnecessarily to rawResponse analytics
Resolved a bug with HTTP GraphQL APIs where, when the Persist GraphQL middleware was used in combination with Response Body Transform, the response’s body transformation was not being executed.Bug in persistent gql and response body transform
Fixed a bug where, if you created a key which provided access to an inactive or draft API, you would be unable to subsequently modify that key (via the Tyk Dashboard UI, Tyk Dashboard API or Tyk Gateway API)
Dependencies
  • Updated TykTechnologies/gorm to v1.21 in Tyk Gateway

5.2.0 Release Notes

Release Date 29 Sep 2023

Breaking Changes

Attention: Please read carefully this section. We have two topics to report:

Early Access Features:

Please note that the Tyk OAS APIs feature, currently marked as Early Access, is subject to breaking changes in subsequent releases. Please refer to our Early Access guide for specific details. Upgrading to a new version may introduce changes that are not backwards-compatible. Downgrading or reverting an upgrade may not be possible resulting in a broken installation. Users are strongly advised to follow the recommended upgrade instructions provided by Tyk before applying any updates.

Deprecations

There are no deprecations in this release.

Release Highlights

We’re thrilled to bring you some exciting enhancements and crucial fixes to improve your experience with Tyk Gateway. For a comprehensive list of changes, please refer to the detailed changelog below.
Added Body Transform Middleware to Tyk OAS API Definition
With this release, we are adding the much requested Body Transformations to Tyk OAS API Definition. You can now configure middleware for both request and response body transformations and - as a Tyk Dashboard user - you’ll be able to do so from within our simple and elegant API Designer tool.
Reference Tyk OAS API Definition From Within Your Custom Go Plugins
Reference the Tyk OAS API definition from within your custom Go Plugins, bringing them up to standard alongside those you might use with a Tyk Classic API.
Configure Caching For Each API Endpoint
We’ve added the ability to configure per-endpoint timeouts for Tyk’s response cache, giving you increased flexibility to tailor your APIs to your upstream services.
Added Header Management in Universal Data Graph
With this release we are adding a concept of header management in Universal Data Graph. With multiple upstream data sources, data graphs need to be sending the right headers upstream, so that our users can effectively track the usage and be able to enforce security rules at each stage. All Universal Data Graph headers now have access to request context variables like JWT claims, IP address of the connecting client or request ID. This provides extensive configurability of customizable information that can be sent upstream.
Added Further Support For GraphQL WebSocket Protocols
Support for WebSocket protocols between client and the Gateway has also been expanded. Instead of only supporting the graphql-ws protocol, which is becoming deprecated, we now also support graphql-transport-ws by setting the Sec-WebSocket-Protocol header to graphql-transport-ws.
Added OpenTelemetry Tracing
In this version, we’re introducing the support for OpenTelemetry Tracing, the new open standard for exposing observability data. This addition gives you improved visibility into how API requests are processed, with no additional license required. It is designed to help you with monitoring and troubleshooting APIs, identify bottlenecks, latency issues and errors in your API calls. For detailed information and guidance, you can check out our OpenTelemetry Tracing resource. OpenTelemetry makes it possible to isolate faults within the request lifetime through inspecting API and Gateway meta-data. Additionally, performance bottlenecks can be identified within the request lifetime. API owners and developers can use this feature to understand how their APIs are being used or processed within the Gateway. OpenTelemetry functionality is also available in Go Plugins. Developers can write code to add the ability to preview OpenTelemetry trace attributes, error status codes etc., for their Go Plugins. We offer support for integrating OpenTelemetry traces with supported open source tools such Jaeger, Dynatrace or New Relic. This allows API owners and developers to gain troubleshooting and performance insights from error logs, response times etc. You can also find a direct link to our docs in the official OpenTelemetry Integration page
Tyk Gateway 5.2 now includes OpenTelemetry Tracing. Over the next year, we’ll be deprecating OpenTracing. We recommend migrating to OpenTelemetry for better trace insights and more comprehensive support. This change will offer you significant advantages in managing your distributed tracing needs.

Downloads

Changelog

Added:
Added support for configuring distributed tracing behavior of Tyk Gateway. This includes enabling tracing, configuring exporter types, setting the URL of the tracing backend to which data is to be sent, customizing headers, and specifying enhanced connectivity for HTTP, HTTPS and gRPC. Subsequently, users have precise control over tracing behavior in Tyk Gateway.
Added support to configure OpenTelemetry sampling types and rates in the Tyk Gateway. This allows users to manage the need for collected detailed tracing information against performance and resource usage requirements.
Added span attributes to simplify identifying Tyk API and request meta-data per request. Example span attributes include: tyk.api.id, tyk.api.name, tyk.api.orgid, tyk.api.tags, tyk.api.path, tyk.api.version, tyk.api.apikey, tyk.api.apikey.alias and tyk.api.oauthid. This allows users to use OpenTelemetry semantic conventions to filter and create metrics for increased insight and observability.
Added custom resource attributes: service.name, service.instance.id, service.version, tyk.gw.id, tyk.gw.dataplane, tyk.gw.group.id, tyk.gw.tags to allow process information to be available in traces.
Added a new feature that allows clients to retrieve the trace ID from response headers. This feature is available when OpenTelemetry is enabled and simplifies debugging API requests, empowering users to seamlessly correlate and analyze data for a specific trace in any OpenTelemetry backend like Jaeger.
Added configuration parameter to enable/disable detailed_tracing for Tyk Classic API.
Added OpenTelemetry support for GraphQL. This is activated by setting opentelemetry.enabled to true. This integration enhances observability by enabling GQL traces in any OpenTelemetry backend, like Jaeger, granting users comprehensive insights into the execution process, such as request times.
Added a new timeout option, offering granular control over cache timeout at the endpoint level.
Added support for using request context variables in UDG global or data source headers. This feature enables much more advanced header management for UDG and allows users to extract header information from an incoming request and pass it to upstream data sources.
Added support for configuration of global headers for any UDG. These headers will be forwarded to all data sources by default, enhancing control over data flow.
Added the ability for Custom GoPlugin developers using Tyk OAS APIs to access the API Definition from within their plugin. The newly introduced ctx.getOASDefinition function provides read-only access to the OAS API Definition and enhances the flexibility of plugins.
Added support for the websocket protocol, graphql-transport-ws protocol, enhancing communication between the client and Gateway. Users connecting with the header Sec-WebSocket-Protocol set to graphql-transport-ws can now utilize messages from this protocol for more versatile interaction.
Added support for API Developers using Tyk OAS API Definition to configure a body transform middleware that operates on API responses. This enhancement ensures streamlined and selective loading of the middleware based on configuration, enabling precise response data customization at the per-endpoint level.
  • Added support for enhanced Gateway usage reporting. MDCB v2.4 and Gateway v5.2 can now report the number of connected gateways and data planes. Features such as data plane gateway visualisation are available in Tyk Dashboard for enhanced monitoring of your deployment.
Changed:
Fixed:
Fixed an issue with querying a UDG API containing a query parameter of array type in a REST data source. The UDG was dropping the array type parameter from the final request URL sent upstream.
Fixed an issue with introspecting GraphQL schemas that previously raised an error when dealing with custom root types other than Query, Mutation or Subscription.
Fixed an issue where the Enforced Timeout configuration parameter of an API endpoint accepted negative values, without displaying validation errors. With this fix, users receive clear feedback and prevent unintended configurations.
Fixed an issue where allowedIPs validation failures replaced the reported errors list, causing the loss of other error types. This fix appends IP validation errors to the list, providing users with a comprehensive overview of encountered errors. Subsequently, this enhances the clarity and completeness of validation reporting.
Fixed a critical issue in MDCB v2.3 deployments, relating to Data Plane stability. The Data Plane Gateway with versions older than v5.1 was found to crash with a panic when creating a Tyk OAS API. The bug has been addressed, ensuring stability and reliability in such deployments.

5.1 Release Notes

Release Date 23 June 2023

Breaking Changes

*Attention warning: Please read carefully this section.

Golang Version upgrade

Our Gateway is using Golang 1.19 programming language starting with the 5.1 release. This brings improvements to the code base and allows us to benefit from the latest features and security enhancements in Go. Don’t forget that, if you’re using GoPlugins, you’ll need to recompile these to maintain compatibility with the latest Gateway.

Early Access Features:

Please note that the Tyk OAS APIs feature, currently marked as Early Access, is subject to breaking changes in subsequent releases. Please refer to our Early Access guide for specific details. Upgrading to a new version may introduce changes that are not backward-compatible. Downgrading to a previous version after upgrading may result in a broken installation. Users are strongly advised to follow the recommended upgrade instructions provided by Tyk before applying any updates.

Deprecations

There are no deprecations in this release.

Upgrade Instructions

Go to the Upgrading Tyk section for detailed upgrade instructions.

Release Highlights

Request Body Size Limits

We have introduced a new Gateway-level option to limit the size of requests made to your APIs. You can use this as a first line of defense against overly large requests that might affect your Tyk Gateways or upstream services. Of course, being Tyk, we also provide the flexibility to configure API-level and per-endpoint size limits so you can be as granular as you need to protect and optimize your services. Check out our improved documentation for full description of how to use these powerful features.

Changed default RPC pool size for MDCB deployments

We have reduced the default RPC pool size from 20 to 5. This can reduce the CPU and memory footprint in high throughput scenarios. Please monitor the CPU and memory allocation of your environment and adjust accordingly. You can change the pool size using slave_options.rpc_pool_size

Downloads

Changelog

Added

  • Added HasOperation, Operation and Variables to GraphQL data source API definition for easier nesting
  • Added abstractions/interfaces for ExecutionEngineV2 and ExecutionEngine2Executor with respect to graphql-go-tools
  • Added support for the :authority header when making GRPC requests. If the :authority header is not present then some GRPC servers return PROTOCOL_ERROR which prevents custom GRPC plugins from running. Thanks to vanhtuan0409 from the Tyk Community for his contribution!

Changed

  • Tyk Gateway updated to use Go 1.19
  • Updated kin-openapi dependency to the version v0.114.0
  • Enhanced the UDG parser to comprehensively extract all necessary information for UDG configuration when users import to Tyk their OpenAPI document as an API definition
  • Reduced default CPU and memory footprint by changing the default RPC pool size from 20 to 5 connections.

Fixed

  • Fixed an issue where invalid IP addresses could be added to the IP allow list
  • Fixed an issue when using custom authentication with multiple authentication methods, custom authentication could not be selected to provide the base identity
  • Fixed an issue where OAuth access keys were physically removed from Redis on expiry. Behavior for OAuth is now the same as for other authorization methods
  • Fixed an issue where the global_size_limit setting didn’t enable request size limit middleware. Thanks to PatrickTaibel for the contribution!
  • Fixed minor versioning, URL and field mapping issues when importing OpenAPI document as an API definition to UDG
  • When the control API is not protected with mTLS we now do not ask for a cert, even if all the APIs registered have mTLS as an authorization mechanism

Tyk Classic Portal Changelog

Changed

  • Improved performance when opening the Portal page by optimizing the pre-fetching of required data

5.0 Release Notes

5.0.15 Release Notes

Release Date 24 October 2024

Breaking Changes

There are no breaking changes in this release.

Upgrade Instructions

Go to the Upgrading Tyk section for detailed upgrade instructions.

Release Highlights

This patch release for Tyk Gateway addresses critical stability issues for users running Tyk Gateway within the data plane, connecting to the control plane or Tyk Hybrid. Affected users should upgrade immediately to version 5.0.15 to avoid service interruptions and ensure reliable operations with the control plane or Tyk Hybrid. For a comprehensive list of changes, please refer to the detailed changelog below.

Changelog

Fixed

5.0.14 Release Notes

Release Date 18th September 2024

Important Update

Date: 12 October 2024
Topic: Gateway panic when reconnecting to MDCB control plane or Tyk Cloud
Workaround: Restart Gateway
Affected Product: Tyk Gateway as an Edge Gateway
Affected versions: v5.6.0, v5.3.6, and v5.0.14
Issue Description:

We have identified an issue affecting Tyk Gateway deployed as a data plane connecting to the Multi-Data Center Bridge (MDCB) control plane or Tyk Cloud. In the above mentioned Gateway versions a panic may occur when gateway reconnect to the control plane after the control plane is restarted.

Our engineering team is actively working on a fix, and a patch (versions 5.6.1, 5.3.7, and 5.0.15) will be released soon.

Recommendations:
For users on versions 5.5.0, 5.3.5, and 5.0.13
We advise you to delay upgrading to the affected versions (5.6.0, 5.3.6, or 5.0.14) until the patch is available.For users who have already upgraded to 5.6.0, 5.3.6, or 5.0.14 and are experiencing a panic in the gateway:
Restarting the gateway process will restore it to a healthy state. If you are operating in a Kubernetes environment, Tyk Gateway instance should automatically restart, which ultimately resolves the issue.

We appreciate your understanding and patience as we work to resolve this. Please stay tuned for the upcoming patch release, which will address this issue.

Breaking Changes

Attention: Please read this section carefully. There are no breaking changes in this release.

Upgrade Instructions

This release is not tightly coupled with Tyk Dashboard v5.0.14, so you do not have to upgrade both together. Go to the Upgrading Tyk section for detailed upgrade instructions.

Release Highlights

This release fixes some issues related to the way that Tyk performs URL path matching, introducing two new Gateway configuration options to control path matching strictness.

Changelog

Added
Fixed
Fixed an issue when using granular Path-Based Permissions in access policies and keys that led to authorization incorrectly being granted to endpoints if an invalid regular expression was configured in the key/policy. Also fixed an issue where path-based parameters were not correctly handled by Path-Based Permissions. Now Tyk’s authorization check correctly handles both of these scenarios granting access only to the expected resources.
Fixed an issue where a parameterized endpoint URL (e.g. /user/{id}) would be invoked if a request is made that omits the parameter. For example, a request to /user/ will now be interpreted as a request to /user and not to /user/{id}.
We have enhanced the Tyk Gateway’s synchronization with MDCB to ensure more reliable loading of policies and APIs. A synchronous initialization process has been implemented to prevent startup failures and reduce the risk of service disruptions caused by asynchronous operations. This update ensures smoother and more consistent syncing of policies and APIs from MDCB.

5.0.13 Release Notes

Release Date 4 July 2024

Release Highlights

Resolved an issue encountered in MDCB environments where changes to custom keys made via the Dashboard were not properly replicated to data planes. The issue impacted both key data and associated quotas, in the following versions:
  • 5.0.4 to 5.0.12
  • 5.1.1 and 5.1.2
  • 5.2.0 to 5.2.6
  • 5.3.0 to 5.3.2
Action Required
Customers should clear their edge Redis instances of any potentially affected keys to maintain data consistency and ensure proper synchronization across their environments. Please refer to the item in the fixed section of the changelog for recommended actions.

Changelog

Fixed

5.0.12 Release Notes

Please refer to our GitHub release notes.

5.0.11 Release Notes

Please refer to our GitHub release notes.

5.0.10 Release Notes

Please refer to our GitHub release notes.

5.0.9 Release Notes

Please refer to our GitHub release notes.

5.0.8 Release Notes

Please refer to our GitHub release notes.

5.0.7 Release Notes

Please refer to our GitHub release notes.

5.0.6 Release Notes

Please refer to our GitHub release notes.

5.0.5 Release Notes

Please refer to our GitHub release notes.

5.0.4 Release Notes

Please refer to our GitHub release notes.

5.0.3 Release Notes

Please refer to our GitHub release notes.

5.0.2 Release Notes

Release Date 29 May 2023

Release Highlights

This release primarily focuses on bug fixes. For a comprehensive list of changes, please refer to the detailed changelog below.

Downloads

Changelog

Updated
  • Internal refactoring to make storage related parts more stable and less affected by potential race issues

5.0.1 Release Notes

Release Date 25 Apr 2023

Release Highlights

This release primarily focuses on bug fixes. For a comprehensive list of changes, please refer to the detailed changelog below.

Downloads

Changelog

Added
  • Added a new enable_distributed_tracing option to the NewRelic config to enable support for Distributed Tracer
Fixed
  • Fixed panic when JWK method was used for JWT authentication and the token didn’t include kid
  • Fixed an issue where failure to load GoPlugin middleware didn’t prevent the API from proxying traffic to the upstream: now Gateway logs an error when the plugin fails to load (during API creation/update) and responds with HTTP 500 if the API is called; at the moment this is fixed only for file based plugins
  • Fixed MutualTLS issue causing leak of allowed CAs during TLS handshake when there are multiple mTLS APIs
  • Fixed a bug during hot reload of Tyk Gateway where APIs with JSVM plugins stored in filesystem were not reloaded
  • Fixed a bug where the gateway would remove the trailing /at the end of a URL
  • Fixed a bug where nested field-mappings in UDG weren’t working as intended
  • Fixed a bug when using Tyk OAuth 2.0 flow on Tyk Cloud where a request for an Authorization Code would fail with a 404 error
  • Fixed a bug where mTLS negotiation could fail when there are a large number of certificates and CAs; added an option (http_server_options.skip_client_ca_announcement) to use the alternative method for certificate transfer
  • Fixed CVE issue with go.uuid package
  • Fixed a bug where rate limits were not correctly applied when policies are partitioned to separate access rights and rate limits into different scopes

5.0.0 Release Notes

Release Date 28 Mar 2023

Deprecations

  • Tyk Gateway no longer natively supports LetsEncrypt integration. You still can use LetsEncrypt CLI tooling to generate certificates and use them with Tyk.

Release Highlights

Improved OpenAPI support
We have added some great features to the Tyk OAS API definition bringing it closer to parity with our Tyk Classic API and to make it easier to get on board with Tyk using your Open API workflows. Tyk’s OSS users can now make use of extensive custom middleware options with your OAS APIs, to transform API requests and responses, exposing your upstream services in the way that suits your users and internal API governance rules. We’ve enhanced the Request Validation for Tyk OAS APIs to include parameter validation (path, query, headers, cookie) as well as the body validation that was introduced in Tyk 4.1. Versioning your Tyk OAS APIs is easier than ever, with the Tyk OSS Gateway now looking after the maintenance of the list of versions associated with the base API for you; we’ve also added a new endpoint on the Tyk API that will return details of the versions for a given API. We’ve improved support for OAS Mock Responses, with the Tyk OAS API definition now allowing you to register multiple Mock Responses in a single API, providing you with increased testing flexibility. Of course, we’ve also addressed some bugs and usability issues as part of our ongoing ambition to make Tyk OAS API the best way for you to create and manage your APIs. Thanks to our community contributors armujahid, JordyBottelier and ls-michal-dabrowski for your PRs that further improve the quality of Tyk OSS Gateway!

Downloads

Changelog

Added
  • Support for request validation (including query params, headers and the rest of OAS rules) with Tyk OAS APIs
  • Transform request/response middleware for Tyk OAS APIs
  • Custom middleware for Tyk OAS APIs
  • Added a new API endpoint to manage versions for Tyk OAS APIs
  • Improved Mock API plugin for Tyk OAS APIs
  • Universal Data Graph and GraphQL APIs now support using context variables in request headers, allowing passing information it to your subgraphs
  • Now you can control access to introspection on policy and key level

Fixed

  • Fixed potential race condition when using distributed rate limiter

4.3 Release Notes

4.3.0 Release Notes

Release Highlights

Mock Responses with Tyk OAS API Definitions
Does your Tyk OAS API Definition define examples or a schema for your path responses? If so, starting with Tyk v4.3, Tyk can use those configurations to mock your API responses, enabling your teams to integrate easily without being immediately dependent on each other. Check it out! Mock Responses Documentation
External OAuth - 3rd party OAuth IDP integration
If you’re using a 3rd party IDP to generate tokens for your OAuth applications, Tyk can now validate the generated tokens by either performing JWT validation or by communicating with the authorization server and executing token introspection. This can be achieved by configuring the new External OAuth authentication mechanism. Find out more here External OAuth Integration
Updated the Tyk Gateway version of Golang, to 1.16.
Our Gateway is using Golang 1.16 version starting with 4.3 release. This version of the Golang release deprecates x509 commonName certificates usage. This will be the last release where it’s still possible to use commonName, users need to explicitly re-enable it with an environment variable. The deprecated, legacy behavior of treating the CommonName field on X.509 certificates as a host name when no Subject Alternative Names are present is now disabled by default. It can be temporarily re-enabled by adding the value x509ignoreCN=0 to the GODEBUG environment variable. Note that if the CommonName is an invalid host name, it’s always ignored, regardless of GODEBUG settings. Invalid names include those with any characters other than letters, digits, hyphens and underscores, and those with empty labels or trailing dots.
Improved GQL security
4.3 adds two important features that improve security settings for GraphQL APIs in Tyk.
  1. Ability to turn on/off introspection - this feature allows much more control over what consumers are able to do when interacting with a GraphQL API. In cases where introspection is not desirable, API managers can now disallow it. The setting is done on API key level, which means API providers will have very granular control over who can and who cannot introspect the API.
  2. Support for allow list in field-based permissions - so far Tyk was offering field-based permissions as a “block list” only. That meant that any new field/query added to a graph was by default accessible for all consumers until API manager explicitly blocked it on key/policy level. Adding support for “allow list” gives API managers much more control over changing schemas and reduces the risk of unintentionally exposing part of the graph that are not ready for usage. See Introspection for more details.

Changelog

Tyk Gateway
Added
  • Minor modifications to the Gateway needed for enabling support for Graph Mongo Pump.
  • Added header X-Tyk-Sub-Request-Id to each request dispatched by federated supergraph and Universal Data Graph, so that those requests can be distinguished from requests directly sent by consumers.
  • Added a functionality that allows to block introspection for any GraphQL API, federated supergraph and Universal Data Graph (currently only supported via Gateway, UI support coming in the next release).
  • Added an option to use allow list in field-based permissions. Implemented for full types and individual fields. (currently only supported via Gateway, UI support coming in the next release)
  • Added new middleware that can be used with HTTP APIs to set up persisted queries for GraphQL upstreams.
  • Added support for two additional subscription protocols for GraphQL subscriptions. Default protocol used between the gateway and upstream remains to be graphql-ws, two additional protocols are possible to configure and use: graphql-transport-ws and SSE.
Changed
Updated the Tyk Gateway version of Golang, to 1.16. SECURITY: The release deprecates x509 commonName certificates usage. This will be the last release where it’s still possible to use commonName, users need to explicitly re-enable it with an environment variable. The deprecated, legacy behavior of treating the CommonName field on X.509 certificates as a host name when no Subject Alternative Names are present is now disabled by default. It can be temporarily re-enabled by adding the value x509ignoreCN=0 to the GODEBUG environment variable. Note that if the CommonName is an invalid host name, it’s always ignored, regardless of GODEBUG settings. Invalid names include those with any characters other than letters, digits, hyphens and underscores, and those with empty labels or trailing dots.
Fixed
  • Fixed an issue where introspection query was returning a wrong response in cases where introspection query had additional objects.
  • Fixed an issue where gateway was crashing when a subscription was started while no datasource was connected to it.
  • Fixed a problem with missing configuration in the GraphQL config adapter that caused issues with batching requests to subgraphs in GraphQL API federation setting.
  • A HTTP OAS API version lifetime respects now the date value of the expiration field from Tyk OAS API Definition.
  • Now it is possible to proxy traffic from a HTTP API (using Tyk Classic API Definition) to a HTTP OAS API (using Tyk OAS API Definition) and vice versa.

Updated Versions

Tyk Gateway 4.3 (docker images

Upgrade process

Follow the standard upgrade guide, there are no breaking changes in this release. If you want switch from MongoDB to SQL, you can use our migration tool, but keep in mind that it does not yet support the migration of your analytics data.
Note: Upgrading the Golang version implies that all the Golang custom plugins that you are using need to be recompiled before migrating to 4.3 version of the Gateway. Check our docs for more details Golang Plugins.

4.2 Release Notes

4.2.0 Release Notes

Release Highlights

GraphQL Federation improvements
Changed GUI in Universal Data Graph configuration section.
A new GUI introduces enhancements to the user experience and more consistent user journey for UDG. This change does not yet cover all possible use cases and is released with a feature flag. To enable the new GUI, analytics.conf needs the following setting: 
"ui": {
  "dev": true
}
What’s possible with this change:
  • Importing GraphQL schema created outside of Tyk (formats accepted .json, .graphql, .grahqls)
  • Creating GraphQL schema in Tyk using schema editor
  • Hide/Unhide schema editor to focus on graphical representation of the schema
  • Resizing schema editor to adjust workspace look & feel to user preferences
  • Improved search in schema editor (search and search & replace available)
  • Quick link to UDG documentation from schema editor
Note: Full configuration of new Universal Data Graph is not yet possible in the GUI, however any UDGs created earlier will not be broken and will work as previously.
Changes to federation entities
Defining the base entity
Entities must be defined with the @key directive. The fields argument must reference a field by which the entity can be uniquely identified. Multiple primary keys are possible. For example: Subgraph 1 (base entity): 
type MyEntity @key(fields: "id") @key(fields: "name") {
  id: ID!
  name: String!
}
Attempting to extend a non-entity with an extension that includes the @key directive or attempting to extend a base entity with an extension that does not include the @key directive will both result in errors.
Entity stubs
Entities cannot be shared types (be defined in more than one single subgraph). If one subgraph references a base entity (an entity defined in another subgraph), that reference must be declared as a stub (stubs look like an extension without any new fields in federation v1). This stub would contain the minimal amount of information to identify the entity (referencing exactly one of the primary keys on the base entity regardless of whether there are multiple primary keys on the base entity). For example, a stub for MyEntity from Subgraph 1 (defined above): Subgraph 2 (stub) 
extend type MyEntity @key(fields: "id") {
  id: ID! @external
}
Supergraph extension orphans
It is now possible to define an extension for a type in a subgraph that does not define the base type. However, if an extension is unresolved (an extension orphan) after an attempted federation, the federation will fail and produce an error.
Improved Dashboard UI and error messages
GraphQL-related (for example when federating subgraphs into a supergraph) errors in the Dashboard UI will show a lean error message with no irrelevant prefixes or suffixes. Changed the look & feel of request logs in Playground tab for GraphQL APIs. New component presents all logs in a clearer way and is easier to read for the user
Shared types
Types of the same name can be defined in more than one subgraph (a shared type). This will no longer produce an error if each definition is identical. Shared types cannot be extended outside of the current subgraph, and the resolved extension must be identical to the resolved extension of the shared type in all other subgraphs (see subgraph normalization notes). Attempting to extend a shared type will result in an error. The federated supergraph will include a single definition of a shared type, regardless of how many times it has been identically defined in its subgraphs.
Subgraph normalization before federation
Extensions of types whose base type is defined in the same subgraph will be resolved before an attempt at federation. A valid example involving a shared type: Subgraph 1: 
enum Example {
  A,
  B
}

extend enum Example {
  C  
}
Subgraph 2: 
enum Example {
  A,
  B,
  C
}
The enum named “Example” defined in Subgraph 1 would resolve to be identical to the same-named enum defined in Subgraph 2 before federation takes place. The resulting supergraph would include a single definition of this enum.
Validation
Union members must be both unique and defined. Types must have bodies, e.g., enums must contain at least one value; inputs, interfaces, or objects must contain at least one field
OpenAPI
Added support for the Request Body Transform middleware, for new Tyk OAS API Definitions.
Universal Data Graph
Added support for Kafka as a data source in Universal Data Graph. Configuration allows the user to provide multiple topics and broker addresses.

Changelog

Tyk Gateway
Added
  • Added support for Kafka as a data source in Universal Data Graph.
  • Adding a way to defining the base GraphQL entity via @key directive
  • It is now possible to define an extension for a type in a subgraph that does not define the base type.
  • Added support for the Request Body Transform middleware, for the new Tyk OAS API Definition
  • Session lifetime now can be controlled by Key expiration, e.g. key removed when it is expired. Enabled by setting session_lifetime_respects_key_expiration to true
Changed
  • Generate API ID when API ID is not provided while creating API.
  • Updated the Go plugin loader to load the most appropriate plugin bundle, honoring the Tyk version, architecture and OS
  • When GraphQL query with a @skip directive is sent to the upstream it will no longer return “null” for the skipped field, but remove the field completely from the response
  • Added validation to Union members - must be both unique and defined.
Fixed
  • Fixed an issue where the Gateway would not create the circuit breaker events (BreakerTripped and BreakerReset) for which the Tyk Dashboard offers webhooks.
  • Types of the same name can be defined in more than one subgraph (a shared type). This will no longer produce an error if each definition is exactly identical.
  • Apply Federation Subgraph normalization do avoid merge errors. Extensions of types whose base type is defined in the same subgraph will be resolved before an attempt at federation.

Updated Versions

Tyk Gateway 4.2

Upgrade process

Follow the standard upgrade guide, there are no breaking changes in this release. If you want switch from MongoDB to SQL, you can use our migration tool, but keep in mind that it does not yet support the migration of your analytics data.

4.1 Release Notes

4.1.0 Release Notes

Release Highlights

OpenAPI as a native API definition format
Tyk has always had a proprietary specification for defining APIs. From Tyk v4.1 we now support defining APIs using the Open API Specification (OAS) as well, which can offer significant time and complexity savings. This is an early access capability. As we extend our OAS support, we would very much like your feedback on how we can extend and update to best meet your needs: . This capability is available in both the open source and paid versions of Tyk. See our Tyk OAS documentation for more details.
MDCB Synchroniser
Tyk Gateway v4.1 enables an improved synchroniser functionality within Multi Data Center Bridge (MDCB) v2.0. Prior to this release, the API keys, certificates and OAuth clients required by worker Gateways were synchronised from the controller Gateway on-demand. With Gateway v4.1 and MDCB v2.0 we introduce proactive synchronisation of these resources to the worker Gateways when they start up. This change improves resilience in case the MDCB link or controller Gateway is unavailable, because the worker Gateways can continue to operate independently using the resources stored locally. There is also a performance improvement, with the worker Gateways not having to retrieve resources from the controller Gateway when an API is first called. Changes to keys, certificates and OAuth clients are still synchronised to the worker Gateways from the controller when there are changes and following any failure in the MDCB link.
Go Plugin Loader
When upgrading your Tyk Installation you need to re-compile your plugin with the new version. At the moment of loading a plugin, the Gateway will try to find a plugin with the name provided in the API definition. If none is found then it will fallback to search the plugin file with the name: {plugin-name}_{Gw-version}_{OS}_{arch}.so From v4.1.0 the plugin compiler automatically names plugins with the above naming convention. It enables you to have one directory with different versions of the same plugin. For example:
  • plugin_v4.1.0_linux_amd64.so
  • plugin_v4.2.0_linux_amd64.so
So, if you upgrade from Tyk v4.1.0 to v4.2.0 you only need to have the plugins compiled for v4.2.0 before performing the upgrade.

Changelog

Tyk Gateway
Added
  • Added support for new OAS API definition format
  • Added support for headers on subgraph level for federated GraphQL APIs
  • Added support for interfaces implementing interfaces in GQL schema editor
  • Added support for passing authorization header in GQL API Playgrounds for subscription APIs
  • Added TYK_GW_OMITCONFIGFILE option for Tyk Gateway to ignore the values in the config file and load its configuration only from environment variables and default values
  • Added a way to modify Tyk analytics record via Go plugins configurable with API definition. Can be used to sanitise analytics data.
  • Added new policy API REST endpoints
  • Added option to configure certificates for Tyk Gateway using environment variable
  • Added support for Python 3.9 plugins
  • Added support for headers on subgraph level for federated GraphQL APIs
  • Added support for introspecting schemas with interfaces implementing interfaces for proxy only GQL
  • Added support for input coercion in lists for GraphQL
  • Added support for repeatable directives for GraphQL
Changed
  • Generate API ID when API ID is not provided while creating API.
  • Updated the Go plugin loader to load the most appropriate plugin bundle, honoring Tyk version, architecture and OS
  • When a GraphQL query with a @skip directive is sent to the upstream it will no longer return “null” for the skipped field, but remove the field completely from the response
Fixed
  • Fixed a bug where the MDCB worker Gateway could become unresponsive when a certificate is added in the Tyk Dashboard
  • Fixed an issue with the calculation of TTL for keys in an MDCB deployment such that TTL could be different between worker and controller Gateways
  • Fixed a bug when using Open ID where quota was not tracked correctly
  • Fixed multiple issues with schema merging in GraphQL federation. Federation subgraphs with the same name shared types like objects, interfaces, inputs, enums, unions and scalars will no longer cause errors when users are merging schemas into a federated supergraph.
  • Fixed an issue where schema merging in GraphQL federation could fail depending on the order or resolving subgraph schemas and only first instance of a type and its extension would be valid. Subgraphs are now individually normalized before a merge is attempted and all extensions that are possible in the federated schema are applied.
  • Fixed an issue with accessing child properties of an object query variable for GraphQL where query {{.arguments.arg.foo}} would return { "foo":"123456" } instead of “123456”

Updated Versions

Tyk Gateway 4.1 Tyk MDCB 2.0.1

Upgrade process

Follow the standard upgrade guide, there are no breaking changes in this release. If you want switch from MongoDB to SQL, you can use our migration tool, but keep in mind that it does not yet support the migration of your analytics data.

4.0 Release Notes

4.0.0 Release Notes

Release Highlights

GraphQL federation
As we know, ease-of-use is an important factor when adopting GraphQL. Modern enterprises have dozens of backend services and need a way to provide a unified interface for querying them. Building a single, monolithic GraphQL server is not the best option. It is hard to maintain and leads to a lot of dependencies and over-complication. To remedy this, Tyk 4.0 offers GraphQL federation that allows the division of GraphQL implementation across multiple backend services, while still exposing them all as a single graph for the consumers. Subgraphs represent backend services and define a distinct GraphQL schema. A subgraph can be queried directly, as a separate service or federated in the Tyk Gateway into a larger schema of a supergraph – a composition of several subgraphs that allows execution of a query across multiple services in the backend. Federation docs Subgraphs and Supergraphs docs
GraphQL subscriptions
Subscriptions are a way to push data from the server to the clients that choose to listen to real-time messages from the server, using the WebSocket protocol. There is no need to enable subscriptions separately; Tyk supports them alongside GraphQL as standard. With release 4.0, users can federate GraphQL APIs that support subscriptions. Federating subscriptions means that events pushed to consumers can be enriched with information from other federated graphs. Subscriptions docs

Changelog

  • Now it is possible to configure GraphQL upstream authentification, in order for Tyk to work with its schema
  • JWT scopes now support array and comma delimiters
  • Go plugins can be attached on per-endpoint level, similar to virtual endpoints

Updated Versions

Tyk Gateway 4.0 Tyk Pump 1.5

Upgrade process

Follow the standard upgrade guide, there are no breaking changes in this release. If you want switch from MongoDB to SQL, you can use our migration tool, but keep in mind that it does not yet support the migration of your analytics data.

3.2 Release Notes

3.2.0 Release Notes

Release Highlights

GraphQL and UDG improvements
We’ve updated the GraphQL functionality of our Universal Data Graph. You’re now able to deeply nest GraphQL & REST APIs and stitch them together in any possible way. Queries are now possible via WebSockets and Subscriptions are coming in the next Release (3.3.0). You’re also able to configure upstream Headers dynamically, that is, you’re able to inject Headers from the client request into UDG upstream requests. For example, it can be used to access protected upstreams. We’ve added an easy to use URL-Builder to make it easier for you to inject object fields into REST API URLs when stitching REST APIs within UDG. Query-depth limits can now be configured on a per-field level. If you’re using GraphQL upstream services with UDG, you’re now able to forward upstream error objects through UDG so that they can be exposed to the client.
Go response plugins
With Go response plugins you are now able to modify and create a full request round trip made through the Tyk Gateway. Find out more about plugins and how to write Go response plugins.

Changelog

In addition to the above, version 3.2 includes all the fixes that are part of 3.0.5 https://github.com/TykTechnologies/tyk/releases/tag/v3.0.5

Updated Versions

Tyk Gateway 3.2

Upgrade process

If you already have GraphQL or UDG APIs you need to follow this upgrade guide

3.1 Release Notes

3.1.0 Release Notes

Release Highlights

Identity Management UX and SAML support
You will notice that the experience for creating a new profile in the Identity management section of the dashboard was changed to a ‘wizard’ approach which reduces the time it takes to get started and configure a profile. In addition, users are now able to use SAML for the dashboard and portal login, whether you use TIB(Tyk Identity Broker) internally or externally of the dashboard. This follows the recent changes that we have made to embed TIB (Tyk Identity Broker)in the dashboard. See 3.0 release notes for more information regarding this. To learn more see the documentation
UDG (Universal Data Graph) & GraphQL
Schema Validation
For any GraphQL API that is created via Dashboard or through our API, the GraphQL schema is now validated before saving the definition. Instant feedback is returned in case of error.
Sync / Update schema with upstream API (Proxy Only Mode)
If you’ve configured just a proxy GraphQL API, you can now keep in sync the upstream schema with the one from the API definition, just by clicking on the Get latest version button on the Schema tab from API Designer Docs here
Debug logs
You can now see what responses are being returned by the data sources used while configuring a UDG (universal data graph). These can be seen by calling the /api/debug API or using the playground tab within API designer. The data that will be displayed will show information on the query before and after the request to a data source happens, as follows: Before the request is sent: Example log message: “Query.countries: preSendHttpHook executed”. Along with this message, the log entry will contain the following set of fields: Typename, Fieldname and Upstream url; After the request is sent: Example log message: “Query.countries: postReceiveHttpHook executed”. Along with this message, the log entry will contain the following set of fields: Typename, Filename, response body, status code. Example: {"typename": "Query", "fielname": "countries", "response_body": "{\"data\":{}}", "status_code": 200} Docs here
Portal
GraphQL Documentation
Documentation for the GraphQL APIs that you are exposing to the portal is available now through a GraphQL Playground UI component, same as on the playground tab of API Designer. Also to overcome the CORS issues that you might encounter while testing documentation pages on the portal, we have pre-filled the CORS settings section in API Designer with explicit values from the start. All you need to do is to check the “Enable CORS” option.
Portal - API key is hidden in email
You now have the option to hide the API key in the email generated after you approve the key request for a developer. Docs here

Changelog

The 3.1 version includes the fixes that are part of 3.0.1. https://github.com/TykTechnologies/tyk/releases/tag/v3.0.1

Updated Versions

  • Tyk Gateway 3.1

3.0 Release Notes

3.0.0 Release Notes

Release Highlights

Version changes and LTS releases
We have bumped our major Tyk Gateway version from 2 to 3, a long overdue change as we’ve been on version 2 for 3 years. We have also changed our Tyk Dashboard major version from 1 to 3, and from now on it will always be aligned with the Tyk Gateway for major and minor releases. The Tyk Pump has also now updated to 1.0, so we can better indicate major changes in future. Importantly, such a big change in versions does not mean that we going to break backward compatibility. More-over we are restructuring our internal release strategy to guarantee more stability and to allow us to deliver all Tyk products at a faster pace. We aim to bring more clarity to our users on the stability criteria they can expect, based on the version number. Additionally we are introducing Long Term Releases (also known as LTS). Read more about this changes in our blog post: https://tyk.io/blog/introducing-long-term-support-some-changes-to-our-release-process-product-versioning/
Universal Data Graph and GraphQL
Tyk now supports GraphQL natively. This means Tyk doesn’t have to use any external services or process for any GraphQL middleware. You can securely expose existing GraphQL APIs using our GraphQL core functionality. In addition to this you can also use Tyk’s integrated GraphQL engine to build a Universal Data Graph. The Universal Data Graph (UDG) lets you expose existing services as one single combined GraphQL API. All this without even have to build your own GraphQL server. If you have existing REST APIs all you have to do is configure the UDG and Tyk has done the work for you. With the Universal Data Graph (UDG), Tyk becomes the central integration point for all your internal and external APIs. It also benefits from the full set of capabilities included with your Tyk installation—meaning your data graph is secure from the start and can take advantage of a wide range of out-of-the-box middleware to power your graph. Read more about the GraphQL and Universal Data Graph
Using external secret management services
Want to reference secrets from a KV store in your API definitions? We now have native Vault & Consul integration. You can even pull from a tyk.conf dictionary or environment variable file. Read more
Co-Process Response Plugins
We added a new middleware hook allowing middleware to modify the response from the upstream. Using response middleware you can transform, inspect or obfuscate parts of the response body or response headers, or fire an event or webhook based on information received by the upstream service. At the moment the Response hook is supported for Python and gRPC plugins.
Enhanced Gateway health check API
Now the standard Health Check API response include information about health of the dashboard, redis and mdcb connections. You can configure notifications or load balancer rules, based on new data. For example, you can be notified if your Tyk Gateway can’t connect to the Dashboard (or even if it was working correctly with the last known configuration). Read More
Enhanced Detailed logging
Detailed logging is used in a lot of the cases for debugging issues. Now as well as enabling detailed logging globally (which can cause a huge overhead with lots of traffic), you can enable it for a single key, or specific APIs. New detailed logging changes are available only to our Self-Managed customers currently. Read More
Ability to shard analytics to different data-sinks
In a multi-org deployment, each organization, team, or environment might have their preferred analytics tooling. At present, when sending analytics to the Tyk Pump, we do not discriminate analytics by org - meaning that we have to send all analytics to the same database - e.g. MongoDB. Now the Tyk Pump can be configured to send analytics for different organizations to different places. E.g. Org A can send their analytics to MongoDB + DataDog. But Org B can send their analytics to DataDog + expose the Prometheus metrics endpoint. It also becomes possible to put a in-place, meaning that some data sinks can receive information for all orgs, whereas others will not receive OrgA’s analytics if blocked. This change requires updating to new Tyk Pump 1.0 Read More
404 Error logging - unmatched paths
Concerned that client’s are getting a 404 response? Could it be that the API definition or URL rewrites have been misconfigured? Telling Tyk to track 404 logs, will cause the Tyk Gateway to produce error logs showing that a particular resource has not been found. The feature can be enabled by setting the config track_404_logs to true in the gateway’s config file.

Changelog

Fixes
  • Fixed the bug when tokens created with non empty quota, and quota expiration set to Never, were treated as having unlimited quota. Now such tokens will stop working, once initial quota is reached.

Updated Versions

  • Tyk Gateway 3.0
  • Tyk Pump 1.0

Upgrading From Version 2.9

No specific actions required. If you are upgrading from version 2.8, please read this guide

Further Information

Upgrading Tyk

Please refer to the upgrading Tyk page for further guidance on the upgrade strategy.

API Documentation

FAQ

Please visit our Developer Support page for further information relating to reporting bugs, upgrading Tyk, technical support and how to contribute.