Tyk API Definitions
Tyk OAS
Introduction to Tyk OAS
The upstream service receives requests from Tyk to the upstream API after processing based on the configuration applied in the Tyk API definition. Crucially the upstream service remains unaware of Tyk Gateway’s processing, responding to incoming requests as it would for direct client-to-service communication. The API proxy deployed on Tyk is typically designed to have the same API endpoints, resources and methods that are defined for the upstream service’s API. The upstream API will often be described according to the industry standard OpenAPI Specification - and this is where Tyk OAS comes in.What is the OpenAPI Specification?
The OpenAPI Specification (OAS) is a standardized framework for describing RESTful APIs in a machine-readable format (typically JSON or YAML). It defines how APIs should be documented, including details about endpoints, request/response formats, authentication, and error codes. In short, OAS is a blueprint for your API—detailing how the API behaves and how users or services can interact with it. The OpenAPI Description (OAD) is the actual content that adheres to this specification, essentially an object that describes the specific functionality of an API. The OpenAPI Document refers to a file that contains an OpenAPI description, following the OAS format. OpenAPI has become the de facto standard for API documentation because of its consistency, ease of use, and broad tooling support. It allows both developers and machines to interact with APIs more effectively, offering benefits like auto-generated client SDKs, server stubs, and up-to-date documentation. Tools such as Tyk also support validation, testing, and mock servers, which speeds up development and ensures consistency across API implementations. Tyk supports OpenAPI Specification v3.0.x.What is a Tyk OAS API definition?
Not every feature of an advanced API management platform such as Tyk is covered by the OpenAPI Specification. The API definition must provide Tyk with everything it needs to receive and process requests on behalf of the upstream service - so the OpenAPI description of the upstream API is not enough on its own to configure the Gateway. This is where the Tyk Vendor Extension comes in, allowing you to configure all the powerful features of Tyk Gateway that are not covered by OAS. The Tyk Vendor Extension follows the same architectural style as the OpenAPI Specification and is encapsulated in a single object that is appended to the OpenAPI description, creating a Tyk OAS API definition.OpenAPI description
There are many great explanations of the features and capabilities of the OpenAPI Specification so we won’t repeat it all here. A good place to start learning is from the maintainers of the specification: the OpenAPI Initiative. The minimal set of elements that must be defined Tyk treats the OpenAPI description as the source of truth for the data stored within it. This means that Tyk does not duplicate those data in the Tyk Vendor Extension but rather builds upon the basic configuration defined in the OAD.Tyk Vendor Extension
The Tyk Vendor Extension is a JSON object (x-tyk-api-gateway) within the Tyk OAS API definition that encapsulates all of the Gateway configuration that is not contained within the OpenAPI description.
It is structured in four sections:
infocontaining metadata used by Tyk to manage the API proxy, including name, identifiers, status, and versionservercontains configuration for the client-gateway integration, including listen path and authentication methodmiddlewarecontains configuration for the gateway’s middleware chain, split into API-level and endpoint-level settingsupstreamcontains configuration for the gateway-upstream integration, including targets, load balancing and rate limits
enabled flag which must be set for Tyk to apply that configuration. This can be used to include settings in the API definition and enable them only when required (useful during API development, testing and debug).
In the OpenAPI Specification paths define the API endpoints, while operations specify the HTTP methods (GET, POST, PUT, DELETE) and actions for each endpoint. They describe how the API handles requests, including parameters, request bodies, responses, and status codes, providing a clear structure for API interactions. Tyk interprets this information directly from the OpenAPI description and uses the operationID field to link the endpoint level middleware configuration within the Tyk Vendor Extension to the appropriate endpoint.
Modifying the OpenAPI description
Tyk will only make additions or modifications to the OAD when the user makes certain changes in the Tyk API Designer and as follows:- The URL on Tyk Gateway to which client requests should be sent will be added at the first location in the
serverslist - The OpenAPI Specification declares
pathswhich describe the available endpoints (paths) and the operations that can be performed on them (such asGET,POST,PUT,DELETE). Tyk will modify this list if changes are made using the Tyk API Designer, for example if an endpoint is added.
Tyk vendor extension reference
XTykAPIGateway contains custom Tyk API extensions for the OpenAPI definition. The values for the extensions are stored inside the OpenAPI document, under the keyx-tyk-api-gateway.
Field: info (Info)
Info contains the main metadata for the API definition.
Field: upstream (Upstream)
Upstream contains the configurations related to the upstream.
Field: server (Server)
Server contains the configurations related to the server.
Field: middleware (Middleware)
Middleware contains the configurations related to the Tyk middleware.
Info
Info contains the main metadata for the API definition. Field:id (string)
ID is the unique identifier of the API within Tyk.
Tyk classic API definition: api_id.
Field: dbId (string)
DBID is the unique identifier of the API within the Tyk database.
Tyk classic API definition: id.
Field: orgId (string)
OrgID is the ID of the organisation which the API belongs to.
Tyk classic API definition: org_id.
Field: name (string)
Name is the name of the API.
Tyk classic API definition: name.
Field: expiration (string)
Expiration date.
Tyk classic API definition: expiration.
Field: state (State)
State holds configuration for API definition states (active, internal).
Field: versioning (Versioning)
Versioning holds configuration for API versioning.
Upstream
Upstream holds configuration for the upstream server to which Tyk should proxy requests. Field:url (string)
URL defines the upstream address (or target URL) to which requests should be proxied.
Tyk classic API definition: proxy.target_url.
Field: serviceDiscovery (ServiceDiscovery)
ServiceDiscovery contains the configuration related to Service Discovery.
Tyk classic API definition: proxy.service_discovery.
Field: uptimeTests (UptimeTests)
UptimeTests contains the configuration related to uptime tests.
Tyk classic API definition: uptime_tests and check_host_against_uptime_tests.
Field: mutualTLS (MutualTLS)
MutualTLS contains the configuration for establishing a mutual TLS connection between Tyk and the upstream server.
Tyk classic API definition: upstream_certificates_disabled and upstream_certificates.
Field: certificatePinning (CertificatePinning)
CertificatePinning contains the configuration related to certificate pinning.
Tyk classic API definition: certificate_pinning_disabled and pinned_public_keys.
Field: rateLimit (RateLimit)
RateLimit contains the configuration related to API level rate limit.
Tyk classic API definition: global_rate_limit.
Field: authentication (UpstreamAuth)
Authentication contains the configuration related to upstream authentication.
Tyk classic API definition: upstream_auth.
Field: loadBalancing (LoadBalancing)
LoadBalancing contains configuration for load balancing between multiple upstream targets.
Tyk classic API definition: proxy.enable_load_balancing and proxy.targets.
Field: preserveHostHeader (PreserveHostHeader)
PreserveHostHeader contains the configuration for preserving the host header.
Tyk classic API definition: proxy.preserve_host_header.
Field: preserveTrailingSlash (PreserveTrailingSlash)
PreserveTrailingSlash controls whether Tyk preserves trailing slashes in URLs when proxying
requests to upstream services. When enabled, URLs like “/users/” will retain the trailing slash.
Tyk classic API definition: proxy.disable_strip_slash.
Field: tlsTransport (TLSTransport)
TLSTransport contains the configuration for TLS transport settings.
Tyk classic API definition: proxy.transport.
Field: proxy (Proxy)
Proxy contains the configuration for an internal proxy.
Tyk classic API definition: proxy.proxy_url.
Server
Server contains the configuration that sets Tyk up to receive requests from the client applications. Field:listenPath (ListenPath)
ListenPath is the base path on Tyk to which requests for this API should
be sent. Tyk listens for any requests coming into the host at this
path, on the port that Tyk is configured to run on and processes these
accordingly.
Field: authentication (Authentication)
Authentication contains the configurations that manage how clients can authenticate with Tyk to access the API.
Field: clientCertificates (ClientCertificates)
ClientCertificates contains the configurations related to establishing static mutual TLS between the client and Tyk.
Field: gatewayTags (GatewayTags)
GatewayTags contain segment tags to indicate which Gateways your upstream service is connected to (and hence where to deploy the API).
Field: customDomain (Domain)
CustomDomain is the domain to bind this API to. This enforces domain matching for client requests.
Tyk classic API definition: domain.
Field: detailedActivityLogs (DetailedActivityLogs)
DetailedActivityLogs configures detailed analytics recording.
Field: detailedTracing (DetailedTracing)
DetailedTracing enables OpenTelemetry’s detailed tracing for this API.
Tyk classic API definition: detailed_tracing.
Field: eventHandlers (EventHandlers)
EventHandlers contains the configuration related to Tyk Events.
Tyk classic API definition: event_handlers.
Field: ipAccessControl (IPAccessControl)
IPAccessControl configures IP access control for this API.
Tyk classic API definition: allowed_ips and blacklisted_ips.
Field: batchProcessing (BatchProcessing)
BatchProcessing contains configuration settings to enable or disable batch request support for the API.
Tyk classic API definition: enable_batch_request_support.
Field: protocol (string)
Protocol configures the HTTP protocol used by the API.
Possible values are:
- “http”: Standard HTTP/1.1 protocol
- “http2”: HTTP/2 protocol with TLS
- “h2c”: HTTP/2 protocol without TLS (cleartext).
protocol.
Field: port (int)
Port Setting this value will change the port that Tyk listens on. Default: 8080.
Tyk classic API definition: listen_port.
Middleware
Middleware holds configuration for Tyk’s native middleware. Field:global (Global)
Global contains configuration for middleware that affects the whole API (all endpoints).
Field: operations (Operations)
Operations contains configuration for middleware that can be applied to individual endpoints within the API (per-endpoint).
State
State holds configuration for the status of the API within Tyk - if it is currently active and if it is exposed externally. Field:active (boolean)
Active enables the API so that Tyk will listen for and process requests made to the listenPath.
Tyk classic API definition: active.
Field: internal (boolean)
Internal makes the API accessible only internally.
Tyk classic API definition: internal.
Versioning
Versioning holds configuration for API versioning. Tyk classic API definition:version_data.
Field: enabled (boolean)
Enabled is a boolean flag, if set to true it will enable versioning of the API.
Field: name (string)
Name contains the name of the version as entered by the user (“v1” or similar).
Field: default (string)
Default contains the default version name if a request is issued without a version.
Field: location (string)
Location contains versioning location information. It can be one of the following:
header,url-param,url.
key (string)
Key contains the name of the key to check for versioning information.
Field: versions ([]VersionToID)
Versions contains a list of versions that map to individual API IDs.
Field: stripVersioningData (boolean)
StripVersioningData is a boolean flag, if set to true, the API responses will be stripped of versioning data.
Field: urlVersioningPattern (string)
UrlVersioningPattern is a string that contains the pattern that if matched will remove the version from the URL.
Field: fallbackToDefault (boolean)
FallbackToDefault controls the behaviour of Tyk when a versioned API is called with a nonexistent version name.
If set to true then the default API version will be invoked; if set to false Tyk will return an HTTP 404
This API version does not seem to exist error in this scenario.
ServiceDiscovery
ServiceDiscovery holds configuration required for service discovery. Field:enabled (boolean)
Enabled activates Service Discovery.
Tyk classic API definition: service_discovery.use_discovery_service.
Field: queryEndpoint (string)
QueryEndpoint is the endpoint to call, this would usually be Consul, etcd or Eureka K/V store.
Tyk classic API definition: service_discovery.query_endpoint.
Field: dataPath (string)
DataPath is the namespace of the data path - where exactly in your service response the namespace can be found.
For example, if your service responds with:
node.value.
Tyk classic API definition: service_discovery.data_path.
Field: useNestedQuery (boolean)
UseNestedQuery enables the use of a combination of dataPath and parentDataPath.
It is necessary when the data lives within this string-encoded JSON object.
service_discovery.use_nested_query.
Field: parentDataPath (string)
ParentDataPath is the namespace of the where to find the nested
value if useNestedQuery is true. In the above example, it
would be node.value. You would change the dataPath setting
to be hostname, since this is where the host name data
resides in the JSON string. Tyk automatically assumes that
dataPath in this case is in a string-encoded JSON object and
will try to deserialize it.
Tyk classic API definition: service_discovery.parent_data_path.
Field: portDataPath (string)
PortDataPath is the port of the data path. In the above nested example, we can see that there is a separate port value
for the service in the nested JSON. In this case, you can set the portDataPath value and Tyk will treat dataPath as
the hostname and zip them together (this assumes that the hostname element does not end in a slash or resource identifier
such as /widgets/). In the above example, the portDataPath would be port.
Tyk classic API definition: service_discovery.port_data_path.
Field: useTargetList (boolean)
UseTargetList should be set to true if you are using load balancing. Tyk will treat the data path as a list and
inject it into the target list of your API definition.
Tyk classic API definition: service_discovery.use_target_list.
Field: cacheTimeout (int64)
CacheTimeout is the timeout of a cache value when a new data is loaded from a discovery service.
Setting it too low will cause Tyk to call the SD service too often, setting it too high could mean that
failures are not recovered from quickly enough.
Deprecated: The field is deprecated. Use service_discovery to configure service discovery cache options.
Tyk classic API definition: service_discovery.cache_timeout.
Field: cache (ServiceDiscoveryCache)
Cache holds cache related flags.
Tyk classic API definition:.
service_discovery.cache_disabledservice_discovery.cache_timeout
targetPath (string)
TargetPath is used to set a target path that will be appended to the
discovered endpoint, since many service discovery services only provide
host and port data. It is important to be able to target a specific
resource on that host. Setting this value will enable that.
Tyk classic API definition: service_discovery.target_path.
Field: endpointReturnsList (boolean)
EndpointReturnsList is set true when the response type is a list instead of an object.
Tyk classic API definition: service_discovery.endpoint_returns_list.
UptimeTests
UptimeTests configures uptime tests. Field:enabled (boolean)
Enabled specifies whether the uptime tests are active or not.
Tyk classic API definition: uptime_tests.disabled.
Field: serviceDiscovery (ServiceDiscovery)
ServiceDiscovery contains the configuration related to test Service Discovery.
Tyk classic API definition: proxy.service_discovery.
Field: tests ([]UptimeTest)
Tests contains individual connectivity tests defined for checking if a service is online.
Field: hostDownRetestPeriod (time.ReadableDuration)
HostDownRetestPeriod is the time to wait until rechecking a failed test.
If undefined, the default testing interval (10s) is in use.
Setting this to a lower value would result in quicker recovery on failed checks.
Field: logRetentionPeriod (time.ReadableDuration)
LogRetentionPeriod holds a time to live for the uptime test results.
If unset, a value of 100 years is the default.
MutualTLS
MutualTLS contains the configuration for establishing a mutual TLS connection between Tyk and the upstream server. Field:enabled (boolean)
Enabled activates upstream mutual TLS for the API.
Tyk classic API definition: upstream_certificates_disabled.
Field: domainToCertificateMapping ([]DomainToCertificate)
DomainToCertificates maintains the mapping of domain to certificate.
Tyk classic API definition: upstream_certificates.
CertificatePinning
CertificatePinning holds the configuration about mapping of domains to pinned public keys. Field:enabled (boolean)
Enabled is a boolean flag, if set to true, it enables certificate pinning for the API.
Tyk classic API definition: certificate_pinning_disabled.
Field: domainToPublicKeysMapping (PinnedPublicKeys)
DomainToPublicKeysMapping maintains the mapping of domain to pinned public keys.
Tyk classic API definition: pinned_public_keys.
RateLimit
RateLimit holds the configurations related to rate limit. The API-level rate limit applies a base-line limit on the frequency of requests to the upstream service for all endpoints. The frequency of requests is configured in two parts: the time interval and the number of requests that can be made during each interval. Tyk classic API definition:global_rate_limit.
Field: enabled (boolean)
Enabled activates API level rate limiting for this API.
Tyk classic API definition: !disable_rate_limit.
Field: rate (int)
Rate specifies the number of requests that can be passed to the upstream in each time interval (per).
This field sets the limit on the frequency of requests to ensure controlled
resource access or to prevent abuse. The rate is defined as an integer value.
A higher value indicates a higher number of allowed requests in the given
time frame. For instance, if Per is set to 1m (one minute), a Rate of 100
means up to 100 requests can be made per minute.
Tyk classic API definition: global_rate_limit.rate.
Field: per (ReadableDuration)
Per defines the time interval for rate limiting using shorthand notation.
The value of Per is a string that specifies the interval in a compact form,
where hours, minutes and seconds are denoted by ‘h’, ‘m’ and ‘s’ respectively.
Multiple units can be combined to represent the duration.
Examples of valid shorthand notations:
- “1h” : one hour
- “20m” : twenty minutes
- ”30s” : thirty seconds
- “1m29s”: one minute and twenty-nine seconds
- “1h30m” : one hour and thirty minutes
global_rate_limit.per.
UpstreamAuth
UpstreamAuth holds the configurations related to upstream API authentication. Field:enabled (boolean)
Enabled enables upstream API authentication.
Field: basicAuth (UpstreamBasicAuth)
BasicAuth holds the basic authentication configuration for upstream API authentication.
Field: oauth (UpstreamOAuth)
OAuth contains the configuration for OAuth2 Client Credentials flow.
Field: requestSigning (UpstreamRequestSigning)
RequestSigning holds the configuration for generating signed requests to an upstream API.
LoadBalancing
LoadBalancing represents the configuration for load balancing between multiple upstream targets. Field:enabled (boolean)
Enabled determines if load balancing is active.
Field: skipUnavailableHosts (boolean)
SkipUnavailableHosts determines whether to skip unavailable hosts during load balancing based on uptime tests.
Tyk classic field: proxy.check_host_against_uptime_tests
Field: targets ([]LoadBalancingTarget)
Targets defines the list of targets with their respective weights for load balancing.
PreserveHostHeader
PreserveHostHeader holds the configuration for preserving the host header. Field:enabled (boolean)
Enabled activates preserving the host header.
PreserveTrailingSlash
PreserveTrailingSlash holds the configuration for preserving the trailing slash when routed to upstream services. The default behaviour of Tyk is to strip any trailing slash (/) from the target URL when proxying the request upstream. In some use cases the upstream might expect the trailing slash - or might consider /users/ to be a different endpoint from /users (for example). Field:enabled (boolean)
Enabled activates preserving the trailing slash when routing requests.