Tyk Cheat Sheet
Overview
Tyk is an open-source API gateway and management platform that provides high-performance request proxying, authentication, rate limiting, analytics, and developer portal capabilities. It is written in Go and supports REST, GraphQL, gRPC, and TCP proxying with minimal latency overhead.
Tyk offers three deployment models: Tyk Open Source (gateway only), Tyk Self-Managed (full platform with dashboard), and Tyk Cloud (SaaS). The gateway supports custom middleware in JavaScript, Python, Go, and gRPC, along with comprehensive API analytics, versioning, and developer key management.
Installation
Docker
```bash
# Tyk Gateway (Open Source)
docker run -d --name tyk-gateway \
  -p 8080:8080 \
  -v "$(pwd)/tyk.conf:/opt/tyk-gateway/tyk.conf" \
  -v "$(pwd)/apps:/opt/tyk-gateway/apps" \
  tykio/tyk-gateway:latest

# Tyk with Dashboard (Docker Compose)
git clone https://github.com/TykTechnologies/tyk-pro-docker-demo.git
cd tyk-pro-docker-demo
docker compose up -d
```
Helm Chart (Kubernetes)
```bash
helm repo add tyk-helm https://helm.tyk.io/public/helm/charts/
helm repo update

# Open Source gateway
helm install tyk-oss tyk-helm/tyk-oss \
  --namespace tyk --create-namespace \
  --set global.redis.addrs="{redis.tyk.svc:6379}"

# Full stack with dashboard
helm install tyk-pro tyk-helm/tyk-pro \
  --namespace tyk --create-namespace \
  -f values.yaml
```
Linux Package
```bash
# Add Tyk repository
curl -s https://packagecloud.io/install/repositories/tyk/tyk-gateway/script.deb.sh | sudo bash

# Install
sudo apt-get install tyk-gateway

# Bootstrap
sudo /opt/tyk-gateway/install/setup.sh \
  --dashboard=0 --listenport=8080 --redishost=localhost --redisport=6379

# Start
sudo systemctl start tyk-gateway
sudo systemctl enable tyk-gateway
```
Gateway Configuration (tyk.conf)
```json
{
  "listen_port": 8080,
  "secret": "your-gateway-secret",
  "node_secret": "your-node-secret",
  "template_path": "/opt/tyk-gateway/templates",
  "use_db_app_configs": false,
  "app_path": "/opt/tyk-gateway/apps",
  "storage": {
    "type": "redis",
    "host": "localhost",
    "port": 6379,
    "optimisation_max_idle": 2000,
    "optimisation_max_active": 4000
  },
  "enable_analytics": true,
  "analytics_config": {
    "type": "csv",
    "csv_dir": "/tmp",
    "enable_detailed_recording": true
  },
  "health_check": {
    "enable_health_checks": true,
    "health_check_value_timeouts": 60
  },
  "enable_bundle_downloader": true
}
```
API Definitions
Create an API (File-Based)
```json
{
  "name": "My API",
  "slug": "my-api",
  "api_id": "my-api-1",
  "org_id": "default",
  "active": true,
  "use_keyless": false,
  "definition": {
    "location": "header",
    "key": "x-api-version"
  },
  "auth": {
    "auth_header_name": "Authorization"
  },
  "version_data": {
    "not_versioned": true,
    "versions": {
      "Default": {
        "name": "Default",
        "use_extended_paths": true
      }
    }
  },
  "proxy": {
    "listen_path": "/api/",
    "target_url": "http://backend:3000/",
    "strip_listen_path": true,
    "preserve_host_header": false
  }
}
```
Gateway API
```bash
# Create an API via Gateway API
curl -X POST http://localhost:8080/tyk/apis \
  -H "x-tyk-authorization: your-gateway-secret" \
  -H "Content-Type: application/json" \
  -d @api-definition.json

# List APIs
curl http://localhost:8080/tyk/apis \
  -H "x-tyk-authorization: your-gateway-secret"

# Get specific API
curl http://localhost:8080/tyk/apis/my-api-1 \
  -H "x-tyk-authorization: your-gateway-secret"

# Update an API
curl -X PUT http://localhost:8080/tyk/apis/my-api-1 \
  -H "x-tyk-authorization: your-gateway-secret" \
  -H "Content-Type: application/json" \
  -d @api-definition.json

# Delete an API
curl -X DELETE http://localhost:8080/tyk/apis/my-api-1 \
  -H "x-tyk-authorization: your-gateway-secret"

# Hot reload (apply changes)
curl http://localhost:8080/tyk/reload/group \
  -H "x-tyk-authorization: your-gateway-secret"
```
Authentication
API Key Authentication
```json
{
  "use_keyless": false,
  "auth": {
    "auth_header_name": "Authorization",
    "use_param": false,
    "use_cookie": false
  }
}
```

```bash
# Create an API key
curl -X POST http://localhost:8080/tyk/keys \
  -H "x-tyk-authorization: your-gateway-secret" \
  -d '{
    "allowance": 1000,
    "rate": 100,
    "per": 60,
    "expires": -1,
    "quota_max": -1,
    "access_rights": {
      "my-api-1": {
        "api_name": "My API",
        "api_id": "my-api-1",
        "versions": ["Default"]
      }
    }
  }'
```
JWT Authentication
```json
{
  "use_keyless": false,
  "enable_jwt": true,
  "jwt_signing_method": "rsa",
  "jwt_source": "https://auth.example.com/.well-known/jwks.json",
  "jwt_identity_base_field": "sub",
  "jwt_policy_field_name": "pol"
}
```
OAuth2
```json
{
  "use_oauth2": true,
  "oauth_meta": {
    "allowed_access_types": ["authorization_code", "refresh_token"],
    "allowed_authorize_types": ["code"],
    "auth_login_redirect": "https://app.example.com/login"
  }
}
```
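The following Python script checks a parsed tyk.conf and a parsed API definition for the settings shown above that are risky if copied as-is: placeholder secrets, detailed analytics recording written under /tmp, keyless access, keys accepted as query parameters, and a JWKS URL fetched over plain HTTP. It is an added example, not part of Tyk or the original cheat sheet; the function names and sample inputs are constructed for illustration, and only configuration keys that appear on this page are inspected.

```python
import json

# Placeholder strings used in this cheat sheet; they must not reach a real gateway.
PLACEHOLDERS = {"", "your-gateway-secret", "your-node-secret"}

def audit_gateway_conf(conf):
    """Return findings for a parsed tyk.conf (dict). Hypothetical helper."""
    findings = []
    for key in ("secret", "node_secret"):
        if conf.get(key, "") in PLACEHOLDERS:
            findings.append(f"{key}: placeholder or empty")
    if conf.get("secret") and conf.get("secret") == conf.get("node_secret"):
        findings.append("secret and node_secret are identical")
    analytics = conf.get("analytics_config", {})
    if (conf.get("enable_analytics") and analytics.get("enable_detailed_recording")
            and analytics.get("csv_dir", "").startswith("/tmp")):
        findings.append("analytics_config: detailed recording written under /tmp")
    return findings

def audit_api_definition(api):
    """Return findings for a parsed API definition (dict). Hypothetical helper."""
    findings = []
    if api.get("use_keyless"):
        findings.append("use_keyless: API accepts unauthenticated requests")
    if api.get("auth", {}).get("use_param"):
        findings.append("auth.use_param: key accepted in the query string")
    if api.get("enable_jwt") and api.get("jwt_source", "").startswith("http://"):
        findings.append("jwt_source: JWKS fetched over plain HTTP")
    return findings

# Constructed samples: the cheat sheet's own values, then a weakened API definition.
SAMPLE_CONF = json.loads("""{
  "secret": "your-gateway-secret", "node_secret": "your-node-secret",
  "enable_analytics": true,
  "analytics_config": {"type": "csv", "csv_dir": "/tmp", "enable_detailed_recording": true}
}""")
SAMPLE_API = json.loads("""{
  "use_keyless": false, "enable_jwt": true,
  "auth": {"auth_header_name": "Authorization", "use_param": true},
  "jwt_source": "http://auth.example.com/.well-known/jwks.json"
}""")

if __name__ == "__main__":
    for finding in audit_gateway_conf(SAMPLE_CONF) + audit_api_definition(SAMPLE_API):
        print("FINDING:", finding)
```

Run it against the real files with `json.load(open(path))` in a CI step so that a deployment fails while any finding remains.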
Rate Limiting and Quotas
```json
{
  "global_rate_limit": {
    "rate": 1000,
    "per": 60
  },
  "disable_rate_limit": false,
  "disable_quota": false
}
```

```bash
# Set rate limit on a key
curl -X POST http://localhost:8080/tyk/keys \
  -H "x-tyk-authorization: your-gateway-secret" \
  -d '{
    "rate": 10,
    "per": 1,
    "quota_max": 10000,
    "quota_renewal_rate": 3600,
    "access_rights": {
      "my-api-1": {
        "api_name": "My API",
        "api_id": "my-api-1",
        "versions": ["Default"],
        "limit": {
          "rate": 50,
          "per": 60,
          "quota_max": 5000,
          "quota_renewal_rate": 3600
        }
      }
    }
  }'
```
Middleware and Plugins
URL Rewriting
```json
{
  "version_data": {
    "versions": {
      "Default": {
        "use_extended_paths": true,
        "extended_paths": {
          "url_rewrites": [
            {
              "path": "/old-endpoint",
              "method": "GET",
              "match_pattern": "/old-endpoint(.*)",
              "rewrite_to": "/new-endpoint$1"
            }
          ],
          "transform_headers": [
            {
              "path": "/api/*",
              "method": "GET",
              "add_headers": {"X-Custom": "value"},
              "delete_headers": ["X-Remove-Me"]
            }
          ]
        }
      }
    }
  }
}
```
Custom JavaScript Middleware
```javascript
// middleware/pre-auth.js
var myMiddleware = new TykJS.TykMiddleware.NewMiddleware({});

myMiddleware.NewProcessRequest(function(request, session) {
  // Add custom header
  request.SetHeaders["X-Request-Time"] = new Date().toISOString();

  // Log
  log("Processing request: " + request.URL);

  return myMiddleware.ReturnData(request, {});
});
```
Advanced Usage
API Versioning
```json
{
  "definition": {
    "location": "header",
    "key": "x-api-version"
  },
  "version_data": {
    "not_versioned": false,
    "default_version": "v2",
    "versions": {
      "v1": {
        "name": "v1",
        "expires": "2027-01-01 00:00"
      },
      "v2": {
        "name": "v2"
      }
    }
  }
}
```
Load Balancing
```json
{
  "proxy": {
    "enable_load_balancing": true,
    "target_list": [
      "http://backend1:3000",
      "http://backend2:3000",
      "http://backend3:3000"
    ]
  }
}
```
Circuit Breaker
```json
{
  "version_data": {
    "versions": {
      "Default": {
        "use_extended_paths": true,
        "extended_paths": {
          "circuit_breakers": [
            {
              "path": "/api/*",
              "method": "GET",
              "threshold_percent": 0.5,
              "samples": 5,
              "return_to_service_after": 60
            }
          ]
        }
      }
    }
  }
}
```
Troubleshooting
| Issue | Solution |
|---|---|
| 403 Forbidden | Check API key validity; verify access rights include the API |
| 404 after API create | Run hot reload (/tyk/reload/group); check listen_path |
| Gateway won’t start | Verify Redis connectivity; check tyk.conf JSON syntax |
| Rate limit not working | Verify key has rate limits set; check disable_rate_limit is false |
| Analytics missing | Enable enable_analytics and enable_detailed_recording |
| Upstream timeout | Increase proxy timeout settings; check backend health |
| JWT validation fails | Verify JWKS URL is reachable; check signing method configuration |
| Hot reload fails | Check gateway secret is correct; review gateway logs |