Documentation
OAuth Key Management API
Create new OAuth Client
Any OAuth keys must be generated with the help of a client ID. These need to be pre-registered with Tyk before they can be used (in a similar vein to how you would register your app with Twitter before attempting to ask user permissions using their API).
| Property | Description |
|---|---|
| Resource URL | /tyk/oauth/clients/create |
| Method | POST |
| Type | JSON |
| Body | Client Object |
Sample Request
POST /tyk/oauth/clients/create HTTP/1.1
Host: localhost:8080
x-tyk-authorization: 352d20ee67be67f6340b4c0605b044b7
Cache-Control: no-cache
{
"api_id": "25348e8cf157409b52e39357fd9578f1",
"redirect_uri": "http://client-app.com/oauth-redirect/"
}
Sample Response
{
"client_id": "061ba634e6644b40633fa9456b138f4b",
"secret": "MjA3OGEyNzctZTlmZC00YzYzLTZkMDItNDJlYzJkZTg2Mjcy",
"redirect_uri": "http://client-app.com/oauth-redirect/"
}
Creating OAuth clients with Access to Multiple APIs
New for Tyk Gateway 2.6.0 is the ability to create OAuth clients with access to more than one API. If you provide the api_id it works the same as in previous releases. If you don’t provide the api_id the request uses policy access rights and enumerates APIs from their setting in the newly created OAuth-client.
NOTE: This cannot be performed from the Dashboard in this release.
Delete OAuth Client
You can delete an OAuth client using a simple DELETE method. Please note that tokens issued with the client ID will still be valid until they expire.
| Property | Description |
|---|---|
| Resource URL | /tyk/oauth/clients/{{api-id}}/{{client-id}} |
| Method | DELETE |
| Type | |
| Body | NONE |
Sample Request
DELETE /tyk/oauth/clients/25348e8cf157409b52e39357fd9578f1/061ba634e6644b40633fa9456b138f4b HTTP/1.1
Host: localhost:8080
x-tyk-authorization: 352d20ee67be67f6340b4c0605b044b7
Cache-Control: no-cache
Sample Response
{
"key": "061ba634e6644b40633fa9456b138f4b",
"status": "ok",
"action": "deleted"
}
List OAuth Clients
OAuth Clients are organised by API ID, and therefore are queried as such.
| Property | Description |
|---|---|
| Resource URL | /tyk/oauth/clients/{{api-id}}/ |
| Method | GET |
| Type | |
| Body | NONE |
Sample Request
GET /tyk/oauth/clients/25348e8cf157409b52e39357fd9578f1/ HTTP/1.1
Host: localhost:8080
x-tyk-authorization: 352d20ee67be67f6340b4c0605b044b7
Cache-Control: no-cache
Sample Response
[
{
"client_id": "03ae189a18f941024e6a870d4dfa7ae0",
"secret": "ZDY4NWY5NzctMDU0MS00MWQ1LTQwODYtNGUxZjdhMDg1ODY4",
"redirect_uri": "http://client-app.com/oauth-redirect/"
},
{
"client_id": "061ba634e6644b40633fa9456b138f4b",
"secret": "MjA3OGEyNzctZTlmZC00YzYzLTZkMDItNDJlYzJkZTg2Mjcy",
"redirect_uri": "http://client-app2.com/oauth-redirect/"
}
]
OAuth Authorisation Flow
With the OAuth flow you will need to create authorisation or access tokens for your clients, in order to do this, Tyk provides a private API endpoint for your application to generate these codes and redirect the end-user back to the API Client.
| Property | Description |
|---|---|
| Resource URL | /tyk/oauth/authorize-client/ |
| Method | POST |
| Type | Form-Encoded |
| Body | Fields (see below) |
response_type: Should be provided by requesting client as part of authorisation request, this should be eithercodeortokendepending on the methods you have specified for the API.client_id: Should be provided by requesting client as part of authorisation request. The Client ID that is making the request.redirect_uri: Should be provided by requesting client as part of authorisation request. Must match with the record stored with Tyk.key_rules: A string representation of a Session Object (form-encoded). This should be provided by your application in order to apply any quotas or rules to the key.
Sample Request
POST /528a67c1ac9940964f9a41ae79235fcc/tyk/oauth/authorize-client/ HTTP/1.1
Host: localhost:8080
X-Tyk-Authorization: 352d20ee67be67f6340b4c0605b044b7
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
response_type=code&client_id=21e2baf424674f6461faca6d45285bbb&redirect_uri=http%3A%2F%2Foauth.com%2Fredirect&key_rules=%7B+++++%22allowance%22%3A+999%2C+++++%22rate%22%3A+1000%2C+++++%22per%22%3A+60%2C+++++%22expires%22%3A+0%2C+++++%22quota_max%22%3A+-1%2C+++++%22quota_renews%22%3A+1406121006%2C+++++%22quota_remaining%22%3A+0%2C+++++%22quota_renewal_rate%22%3A+60%2C+++++%22access_rights%22%3A+%7B+++++++++%22528a67c1ac9940964f9a41ae79235fcc%22%3A+%7B+++++++++++++%22api_name%22%3A+%22OAuth+Test+API%22%2C+++++++++++++%22api_id%22%3A+%22528a67c1ac9940964f9a41ae79235fcc%22%2C+++++++++++++%22versions%22%3A+%5B+++++++++++++++++%22Default%22+++++++++++++%5D+++++++++%7D+++++%7D%2C+++++%22org_id%22%3A+%2253ac07777cbb8c2d53000002%22+%7D
Sample Response (code request)
{
"code": "MWY0ZDRkMzktOTYwNi00NDRiLTk2YmQtOWQxOGQ3Mjc5Yzdk",
"redirect_to": "http://client-app.com/oauth-redirect/?code=MWY0ZDRkMzktOTYwNi00NDRiLTk2YmQtOWQxOGQ3Mjc5Yzdk"
}
Sample Response (token request)
{
"access_token": "53ac07777cbb8c2d530000022b778ed6ef204a44794ed2bc9d120237",
"expires_in": 3600,
"redirect_to": "http://client-app.com/oauth-redirect/#access_token=53ac07777cbb8c2d530000022b778ed6ef204a44794ed2bc9d120237&expires_in=3600&token_type=bearer",
"token_type": "bearer"
}
Invalidate Refresh Token
It is possible to invalidate refresh tokens in order to manage OAuth client access more robustly:
| Property | Description |
|---|---|
| Resource URL | /tyk/oauth/refresh/{key}?api_id={api_id} |
| Method | DELETE |
| Type | |
| Body | NONE |
Sample Request
DELETE /tyk/oauth/refresh/25348e8cf157409b52e39357fd9578f1/061ba634e6644b40633fa9456b138f4b HTTP/1.1
Host: localhost:8080
x-tyk-authorization: 352d20ee67be67f6340b4c0605b044b7
Cache-Control: no-cache
Sample Response
{
"key": "061ba634e6644b40633fa9456b138f4b",
"status": "ok",
"action": "deleted"
}
Retrieve All Current Tokens for Specified OAuth Client
This endpoint allows you to retrieve a list of all current tokens and their expiry date for a provided API ID and OAuth-client ID in the following format. This endpoint will work only for newly created tokens.
NOTE: This option is available from v2.6.0 onwards.
| Property | Description |
|---|---|
| Resource URL | /tyk/oauth/clients/{apiID}/{oauthClientId}/tokens |
| Method | GET |
| Type | |
| Body | NONE |
Sample Request
GET /tyk/oauth/clients/528a67c1ac9940964f9a41ae79235fcc/25348e8cf157409b52e39357fd9578f1/tokens HTTP/1.1
Host: localhost:8080
x-tyk-authorization: 352d20ee67be67f6340b4c0605b044b7
Cache-Control: no-cache
Sample Response
[
{
"code": "5a7d110be6355b0c071cc339327563cb45174ae387f52f87a80d2496",
"expires": 1518158407
},
{
"code": "5a7d110be6355b0c071cc33988884222b0cf436eba7979c6c51d6dbd",
"expires": 1518158594
},
{
"code": "5a7d110be6355b0c071cc33990bac8b5261041c5a7d585bff291fec4",
"expires": 1518158638
},
{
"code": "5a7d110be6355b0c071cc339a66afe75521f49388065a106ef45af54",
"expires": 1518159792
}
]
You can control how long you want to store expired tokens in this list using oauth_token_expired_retain_period which specifies retain period for expired tokens stored in Redis. By default expired token not get removed. See here for more details.