
Understanding Tyk Token Session Objects

Every token used to access services via Tyk corresponds to a session object that tells Tyk the context of that particular token: what it may access, how fast and how much it may call, when it expires, and which credential material (if any) is bound to it.

A session object takes the following form:

    {
        "last_check": 0,
        "allowance": 1000,
        "rate": 1000,
        "per": 1,
        "expires": 1458669677,
        "quota_max": 1000,
        "quota_renews": 1458667309,
        "quota_remaining": 1000,
        "quota_renewal_rate": 3600,
        "access_rights": {
            "e1d21f942ec746ed416ab97fe1bf07e8": {
                "api_name": "Closed",
                "api_id": "e1d21f942ec746ed416ab97fe1bf07e8",
                "versions": ["Default"],
                "allowed_urls": null
            }
        },
        "org_id": "53ac07777cbb8c2d53000002",
        "oauth_client_id": "",
        "basic_auth_data": {
            "password": "",
            "hash_type": ""
        },
        "jwt_data": {
            "secret": ""
        },
        "hmac_enabled": false,
        "hmac_string": "",
        "is_inactive": false,
        "apply_policy_id": "",
        "data_expires": 0,
        "monitor": {
            "trigger_limits": null
        },
        "meta_data": {
            "test": "test-data"
        },
        "tags": ["tag1", "tag2"],
        "alias": "[email protected]"
    }

Session object fields and their meanings:

last_check: No longer used; this value is related to rate limiting.

allowance: No longer directly used. On key creation this value should be set to the same value as rate.

rate: The number of requests that are allowed in the specified rate limiting window.

per: The number of seconds that the rate window should encompass. Together, rate and per express the limit as "rate requests per per seconds".

expires: An epoch (Unix timestamp, in seconds) that defines when the key should expire.

quota_max: The maximum number of requests allowed during the quota period.

quota_renews: An epoch that defines when the quota renews.

quota_remaining: The number of requests remaining in this user's quota (unrelated to the rate limit).

quota_renewal_rate: The time, in seconds, during which the quota is valid. For 1000 requests per hour this value would be 3600, while quota_max and quota_remaining would be 1000.

access_rights: Defined in the Access Control section of this documentation; use this section to define which APIs and versions this token has access to.

org_id: The organisation this user belongs to. This can be used in conjunction with the org_id setting in the API Definition object to have tokens "owned" by organisations.

oauth_client_id: Set by Tyk if the token is generated by an OAuth client during an OAuth authorisation flow.

basic_auth_data: Defines the basic auth password and the hashing method used for it.

jwt_data: Contains a JWT shared secret if the ID matches a JWT ID.

hmac_enabled: If this token belongs to an HMAC user, this marks the token as a valid HMAC provider.

hmac_string: The value of the HMAC shared secret. Note that hmac_string, jwt_data.secret and basic_auth_data.password are credential material: anything that can read the session object (the session store or the key-management API) can read those secrets.

is_inactive: Set this value to true to deny all access with this token.

apply_policy_id: The ID of the policy that is bound to this token.

data_expires: A value, in seconds, that defines when data generated by this token expires in the analytics DB (requires the Pro edition and MongoDB).

monitor: Rate monitor trigger settings, defined elsewhere in the documentation.

meta_data: Metadata to be included as part of the session. This is a key/value string map that can be used by other middleware, such as transforms and header injection, to embed user-specific data into a request, or alternatively to query the provenance of a key.

tags: Tags are embedded into analytics data when the request completes. If a policy has tags, those tags supersede the ones carried by the token (the token's tags are overwritten).

alias [As of v2.1]: An alias offers a way to identify a token in a more human-readable manner. Add an alias to a token to have it carried into analytics later on, so that both hashed and un-hashed tokens can be mapped to a meaningful identifier without exposing the underlying token.
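The following Go program is an added example, not Tyk's own code, showing how the fields above combine into an access decision: is_inactive and expires are terminal checks, access_rights gates the API and version, quota_remaining is consumed and refilled from quota_max when quota_renews is reached, and rate/per bounds requests in a trailing window. The sliding-window log (hits), the treatment of quota_max 0 as "no quota", and the sample session (a trimmed copy of the page's example with a tiny rate and quota so the limits trip) are assumptions of this model, not Tyk's implementation; it also shows policy tags overwriting token tags.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// AccessSpec mirrors one entry of the session's access_rights map.
type AccessSpec struct {
	APIName     string   `json:"api_name"`
	APIID       string   `json:"api_id"`
	Versions    []string `json:"versions"`
	AllowedURLs []string `json:"allowed_urls"`
}

// Session mirrors the session-object fields used by this model; other fields are omitted.
type Session struct {
	Rate             float64               `json:"rate"`
	Per              float64               `json:"per"`
	Expires          int64                 `json:"expires"`
	QuotaMax         int64                 `json:"quota_max"`
	QuotaRenews      int64                 `json:"quota_renews"`
	QuotaRemaining   int64                 `json:"quota_remaining"`
	QuotaRenewalRate int64                 `json:"quota_renewal_rate"`
	AccessRights     map[string]AccessSpec `json:"access_rights"`
	IsInactive       bool                  `json:"is_inactive"`
	Tags             []string              `json:"tags"`
	// hits is a local log of allowed request times for the rate window
	// (an assumption of this model, not a session-object field).
	hits []time.Time
}

var (
	ErrInactive  = errors.New("token is inactive")
	ErrExpired   = errors.New("token has expired")
	ErrNoAccess  = errors.New("token has no access to this API/version")
	ErrQuota     = errors.New("quota exhausted")
	ErrRateLimit = errors.New("rate limit exceeded")
)

// Authorize evaluates one request for apiID/version at time now.
// Terminal checks run first; quota and rate state is only mutated afterwards.
func (s *Session) Authorize(apiID, version string, now time.Time) error {
	if s.IsInactive {
		return ErrInactive
	}
	if s.Expires > 0 && now.Unix() >= s.Expires { // expires is an epoch in seconds
		return ErrExpired
	}
	spec, ok := s.AccessRights[apiID]
	if !ok {
		return ErrNoAccess
	}
	versionOK := false
	for _, v := range spec.Versions {
		if v == version {
			versionOK = true
		}
	}
	if !versionOK {
		return ErrNoAccess
	}
	if s.QuotaMax > 0 { // quota_max 0 treated as "no quota" (assumption)
		if now.Unix() >= s.QuotaRenews { // refill once the renewal epoch passes
			s.QuotaRemaining = s.QuotaMax
			s.QuotaRenews = now.Unix() + s.QuotaRenewalRate
		}
		if s.QuotaRemaining <= 0 {
			return ErrQuota
		}
	}
	// Rate: at most `rate` allowed requests in any trailing window of `per` seconds.
	window := time.Duration(s.Per * float64(time.Second))
	kept := s.hits[:0]
	for _, t := range s.hits {
		if now.Sub(t) < window {
			kept = append(kept, t)
		}
	}
	s.hits = kept
	if float64(len(s.hits)) >= s.Rate {
		return ErrRateLimit
	}
	s.hits = append(s.hits, now) // allowed: charge both counters
	if s.QuotaMax > 0 {
		s.QuotaRemaining--
	}
	return nil
}

// EffectiveTags returns the tags that reach analytics: a policy's tags
// overwrite the token's own tags whenever the policy carries any.
func EffectiveTags(tokenTags, policyTags []string) []string {
	if len(policyTags) > 0 {
		return policyTags
	}
	return tokenTags
}

// sampleSession is a constructed session object: the page's access_rights entry
// with rate 2/sec and a quota of 3, so both limits trip within a few requests.
const sampleSession = `{
  "rate": 2, "per": 1, "expires": 0,
  "quota_max": 3, "quota_renews": 0, "quota_remaining": 3, "quota_renewal_rate": 3600,
  "access_rights": {"e1d21f942ec746ed416ab97fe1bf07e8": {
    "api_name": "Closed", "api_id": "e1d21f942ec746ed416ab97fe1bf07e8",
    "versions": ["Default"], "allowed_urls": null}},
  "is_inactive": false, "tags": ["tag1", "tag2"]}`

func ParseSession(raw string) (*Session, error) {
	var s Session
	if err := json.Unmarshal([]byte(raw), &s); err != nil {
		return nil, err
	}
	return &s, nil
}

func main() {
	s, err := ParseSession(sampleSession)
	if err != nil {
		panic(err)
	}
	api := "e1d21f942ec746ed416ab97fe1bf07e8"
	t0 := time.Unix(1458667309, 0)
	for _, ms := range []int{0, 300, 600, 900, 1200, 1500} {
		res := s.Authorize(api, "Default", t0.Add(time.Duration(ms)*time.Millisecond))
		fmt.Printf("+%4dms: %-40v quota_remaining=%d\n", ms, res, s.QuotaRemaining)
	}
	fmt.Println("analytics tags:", EffectiveTags(s.Tags, []string{"policy-tag"}))
}
```

Run it with `go run`: the third and fourth requests are refused by the rate limit without touching quota_remaining, the fifth passes once the window has slid, and the sixth is refused because the quota is spent even though the rate window has room. Because quota_renews in the sample lies in the past, the first request also refills the quota and pushes quota_renews forward by quota_renewal_rate.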
