Securing System Payloads

Last updated: 1 minute read.

Tyk, when first installed, does not insist on signing any cluster messages or middleware bundles. However, if you are moving to production, or thinking of enabling the Dashboard configuration feature, it is strongly recommended to enable payload signatures.

Payload signatures can be enabled in your tyk.conf by setting allow_insecure_configs to false and then setting up a public / private keypair with:

# private key
openssl genrsa -out privkey.pem 2048

# public key
openssl rsa -in privkey.pem -pubout -out pubkey.pem

Then add the path to the public key to your tyk.conf under public_key_path, this same key is also used for middleware bundle signature validation.

Make sure to keep your private key safe, and transfer it to your Dashboard instance. In your tyk_analytics.conf file, you must add the full path to the private_key_path field. This will allow your Dashboard to sign all of its payloads using the private key.