1.Concept: API Session Object
In Tyk, all identities are mapped to a session object, identities can be in the form of Bearer Tokens, HMAC Keys, JSON Web Tokens, OpenID Connect identities and Basic Auth users.
Think about a session object as the metadata associated with a user, or the identity trying to gain access to your services.
In Tyk, a session object encapsulates the following details for any given identity:
- What rate limit to apply
- What quota to apply
- What Access Control List to apply
- What policy ID to use to override the above (if set)
- When the session holder’s access expires
Tyk also allows some additional meta-data for a session object which is valuable for transformation or upstream identification purposes:
- Meta Data (a string key/value map that can hold any data)
- Alias (a human-readable name for the identity)
Note: Expiry is not the same as invalidation, in Tyk, a session object will be “expired” but still be in the database in order to inform the session owner that their token has expired and they should renew, if the token was invalidate (deleted after the expiry period), then the user would simply be denied access and their token would be invalid. This is important for developers that have (but shouldn’t) hard-coded their token into their app so it is hard to change.
Where are session objects stored?
Session objects are stored in Redis, not in MongoDB or in the gateway itself. Session objects are stored as a token string / JSON object key/value pair in the Redis DB.
By default, the token itself is hashed and therefore obfuscated, this means using the Alias is important to identify token data in analytics and logs.
Where can I get more information?
A session object is just a JSON object, and full details of each parameter in the object can be found in the REST API documentation.