tyk-gateway folder and by default is called tyk.conf, though it can be renamed and specified using the --conf flag. Environment variables are created from the dot notation versions of the JSON objects contained within the config files.
To understand how the environment variables notation works, see Environment Variables.
All the Gateway environment variables have the prefix TYK_GW_. The environment variables will take precedence over the values in the configuration file.
tyk lint
In v2.4 we added a new tyk lint command which validates your tyk.conf file for syntax correctness, misspelled attribute names and the format of values. The syntax is:
tyk lint or tyk --conf=path lint
If --conf is not used, the first of the following paths to exist is used:
./tyk.conf
/etc/tyk/tyk.conf
hostname
ENV: TYK_GW_HOSTNAME
Type: string
Force your Gateway to work only on a specific domain name. Can be overridden by API custom domain.
listen_address
ENV: TYK_GW_LISTENADDRESS
Type: string
If your machine has multiple network devices or IPs you can force the Gateway to use the IP address you want.
listen_port
ENV: TYK_GW_LISTENPORT
Type: int
Setting this value will change the port that Tyk listens on. Default: 8080.
control_api_hostname
ENV: TYK_GW_CONTROLAPIHOSTNAME
Type: string
Custom hostname for the Control API.
control_api_port
ENV: TYK_GW_CONTROLAPIPORT
Type: int
Set this to expose the Tyk Gateway API on a separate port. You can protect it behind a firewall if needed. Please make sure you follow this guide when setting the control port: https://tyk.io/docs/tyk-self-managed/#change-your-control-port.
secret
ENV: TYK_GW_SECRET
Type: string
This should be changed as soon as Tyk is installed on your system. This value is used in every interaction with the Tyk Gateway API. It should be passed along as the X-Tyk-Authorization header in any requests made. Tyk assumes that you are sensible enough not to expose the management endpoints publicly and to keep this configuration value to yourself.
node_secret
ENV: TYK_GW_NODESECRET
Type: string
The shared secret between the Gateway and the Dashboard to ensure that API Definition downloads, heartbeat and Policy loads are from a valid source.
pid_file_location
ENV: TYK_GW_PIDFILELOCATION
Type: string
Linux PID file location. Do not change unless you know what you are doing. Default: /var/run/tyk/tyk-gateway.pid
allow_insecure_configs
ENV: TYK_GW_ALLOWINSECURECONFIGS
Type: bool
Can be set to disable Dashboard message signature verification. When set to true, public_key_path can be ignored.
public_key_path
ENV: TYK_GW_PUBLICKEYPATH
Type: string
Path to the public key used to verify messages from the Dashboard. By default, all messages exchanged with the Dashboard are signed by a private/public key pair.
allow_remote_config
ENV: TYK_GW_ALLOWREMOTECONFIG
Type: bool
Allow your Dashboard to remotely set Gateway configuration via the Nodes screen.
security
Global certificate configuration.
security.private_certificate_encoding_secret
ENV: TYK_GW_SECURITY_PRIVATECERTIFICATEENCODINGSECRET
Type: string
Set the AES256 secret which is used to encode certificate private keys when they are uploaded via certificate storage.
security.control_api_use_mutual_tls
ENV: TYK_GW_SECURITY_CONTROLAPIUSEMUTUALTLS
Type: bool
Enable the Gateway Control API to use Mutual TLS. Certificates can be set via the security.certificates.control_api section.
security.pinned_public_keys
ENV: TYK_GW_SECURITY_PINNEDPUBLICKEYS
Type: map[string]string
Specify public keys used for Certificate Pinning on global level.
security.certificates.upstream
ENV: TYK_GW_SECURITY_CERTIFICATES_UPSTREAM
Type: map[string]string
Upstream is used to specify the certificates to be used in mutual TLS connections to upstream services. These are set at gateway level as a map of domain -> certificate id or path. For example, if you want Tyk to use the certificate ab23ef123 for requests to the example.com upstream and /certs/default.pem for all other upstreams:
In tyk.conf you would configure "security": {"certificates": {"upstream": {"*": "/certs/default.pem", "example.com": "ab23ef123"}}}
If using environment variables you would set this to *:/certs/default.pem,example.com:ab23ef123.
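The following is an added example, not Tyk's own code, showing how the two notations above can be parsed into the same domain -> certificate map and how a certificate is then chosen for an upstream host. The env-var format (comma-separated domain:certificate pairs) and the JSON shape are taken from the text above; splitting each entry on its first colon and the lookup order (exact domain first, then the "*" default) are my assumptions about the documented behaviour, as are the function names.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// parseUpstreamCertEnv parses the TYK_GW_SECURITY_CERTIFICATES_UPSTREAM form:
// comma-separated domain:certificate pairs, e.g. "*:/certs/default.pem,example.com:ab23ef123".
// Splitting on the first colon only is an assumption; it keeps a value containing ':' intact.
func parseUpstreamCertEnv(raw string) (map[string]string, error) {
	out := make(map[string]string)
	for _, entry := range strings.Split(raw, ",") {
		entry = strings.TrimSpace(entry)
		if entry == "" {
			continue
		}
		idx := strings.Index(entry, ":")
		if idx <= 0 || idx == len(entry)-1 {
			return nil, fmt.Errorf("malformed entry %q: want domain:certificate", entry)
		}
		out[strings.TrimSpace(entry[:idx])] = strings.TrimSpace(entry[idx+1:])
	}
	return out, nil
}

// parseUpstreamCertJSON extracts the same map from a tyk.conf JSON fragment.
func parseUpstreamCertJSON(raw string) (map[string]string, error) {
	var cfg struct {
		Security struct {
			Certificates struct {
				Upstream map[string]string `json:"upstream"`
			} `json:"certificates"`
		} `json:"security"`
	}
	if err := json.Unmarshal([]byte(raw), &cfg); err != nil {
		return nil, err
	}
	return cfg.Security.Certificates.Upstream, nil
}

// certForUpstream returns the certificate id or path for host: an exact domain entry
// wins, otherwise the "*" default applies (assumed resolution order). ok is false when
// neither exists, which a caller should treat as a misconfiguration rather than
// silently connecting without a client certificate.
func certForUpstream(m map[string]string, host string) (cert string, ok bool) {
	if v, found := m[host]; found {
		return v, true
	}
	v, found := m["*"]
	return v, found
}

func main() {
	// Constructed inputs mirroring the example in the text.
	envForm := "*:/certs/default.pem,example.com:ab23ef123"
	jsonForm := `{"security": {"certificates": {"upstream": {"*": "/certs/default.pem", "example.com": "ab23ef123"}}}}`

	fromEnv, err := parseUpstreamCertEnv(envForm)
	if err != nil {
		panic(err)
	}
	fromJSON, err := parseUpstreamCertJSON(jsonForm)
	if err != nil {
		panic(err)
	}
	for _, host := range []string{"example.com", "api.internal"} {
		c1, _ := certForUpstream(fromEnv, host)
		c2, _ := certForUpstream(fromJSON, host)
		fmt.Printf("%-14s env=%s json=%s\n", host, c1, c2)
	}
}
```

Both forms yield the same map, so a deployment can switch between tyk.conf and environment variables without changing which certificate is presented to each upstream; the ok flag from certForUpstream is the check to add when a map has no "*" entry.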
security.certificates.control_api
ENV: TYK_GW_SECURITY_CERTIFICATES_CONTROLAPI
Type: []string
Certificates used for Control API Mutual TLS.
security.certificates.dashboard_api
ENV: TYK_GW_SECURITY_CERTIFICATES_DASHBOARD
Type: []string
Used for communicating with the Dashboard if it is configured to use Mutual TLS.
security.certificates.mdcb_api
ENV: TYK_GW_SECURITY_CERTIFICATES_MDCB
Type: []string
Certificates used for MDCB Mutual TLS.
http_server_options
Gateway HTTP server configuration.
http_server_options.read_timeout
ENV: TYK_GW_HTTPSERVEROPTIONS_READTIMEOUT
Type: int
API Consumer -> Gateway network read timeout. Not setting this config, or setting this to 0, defaults to 120 seconds.
http_server_options.write_timeout
ENV: TYK_GW_HTTPSERVEROPTIONS_WRITETIMEOUT
Type: int
API Consumer -> Gateway network write timeout. Not setting this config, or setting this to 0, defaults to 120 seconds.
http_server_options.use_ssl
ENV: TYK_GW_HTTPSERVEROPTIONS_USESSL
Type: bool
Set to true to enable SSL connections.
http_server_options.enable_http2
ENV: TYK_GW_HTTPSERVEROPTIONS_ENABLEHTTP2
Type: bool
Enable HTTP2 protocol handling.
http_server_options.enable_strict_routes
ENV: TYK_GW_HTTPSERVEROPTIONS_ENABLESTRICTROUTES
Type: bool
EnableStrictRoutes changes the routing to avoid nearest-neighbour requests on overlapping routes:
- if disabled, /apple will route to /app (the current default behaviour)
- if enabled, /app only responds to /app, /app/ and /app/*, but not /apple
http_server_options.enable_path_prefix_matching
ENV: TYK_GW_HTTPSERVEROPTIONS_ENABLEPATHPREFIXMATCHING
Type: bool
EnablePathPrefixMatching changes how the gateway matches incoming URL paths against routes (patterns) defined in the API definition. By default, the gateway uses wildcard matching. When EnablePathPrefixMatching is enabled, it switches to prefix matching. For example, a defined path such as /json will only match request URLs that begin with /json, rather than matching any URL containing /json.
The gateway checks the request URL against several variations depending on whether path versioning is enabled:
- Full path (listen path + version + endpoint): /listen-path/v4/json
- Non-versioned full path (listen path + endpoint): /listen-path/json
- Path without version (endpoint only): /json
For patterns that start with /, the gateway prepends ^ before performing the check, ensuring a true prefix match.
For patterns that start with ^, the gateway will already perform prefix matching so EnablePathPrefixMatching will have no impact.
This option allows for more specific and controlled routing of API requests, potentially reducing unintended matches. Note that you may need to adjust existing route definitions when enabling this option.
Example:
With wildcard matching, /json might match /api/v1/data/json.
With prefix matching, /json would not match /api/v1/data/json, but would match /json/data.
Combining EnablePathPrefixMatching with EnablePathSuffixMatching will result in exact URL matching, with /json being evaluated as ^/json$.
http_server_options.enable_path_suffix_matching
ENV: TYK_GW_HTTPSERVEROPTIONS_ENABLEPATHSUFFIXMATCHING
Type: bool
EnablePathSuffixMatching changes how the gateway matches incoming URL paths against routes (patterns) defined in the API definition. By default, the gateway uses wildcard matching. When EnablePathSuffixMatching is enabled, it switches to suffix matching. For example, a defined path such as /json will only match request URLs that end with /json, rather than matching any URL containing /json.
The gateway checks the request URL against several variations depending on whether path versioning is enabled:
- Full path (listen path + version + endpoint): /listen-path/v4/json
- Non-versioned full path (listen path + endpoint): /listen-path/json
- Path without version (endpoint only): /json
For patterns that end with $, the gateway will already perform suffix matching so EnablePathSuffixMatching will have no impact. For all other patterns, the gateway appends $ before performing the check, ensuring a true suffix match.
This option allows for more specific and controlled routing of API requests, potentially reducing unintended matches. Note that you may need to adjust existing route definitions when enabling this option.
Example:
With wildcard matching, /json might match /api/v1/json/data.
With suffix matching, /json would not match /api/v1/json/data, but would match /api/v1/json.
Combining EnablePathSuffixMatching with EnablePathPrefixMatching will result in exact URL matching, with /json being evaluated as ^/json$.
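The following is an added example, not Tyk's own code, that models the three route-matching options described above (enable_strict_routes, enable_path_prefix_matching and enable_path_suffix_matching) so their effect can be checked against sample paths. The ^/$ anchoring rules and the /app versus /apple behaviour are taken from the text; the function names and the use of Go's regexp package to stand in for the gateway's matcher are my assumptions.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// buildPattern applies the prefix/suffix rules to a route pattern from an API definition:
// with prefix matching a ^ is prepended unless the pattern already starts with one, and
// with suffix matching a $ is appended unless one is already present. Both flags together
// turn "/json" into "^/json$", i.e. exact matching.
func buildPattern(pattern string, prefix, suffix bool) string {
	if prefix && !strings.HasPrefix(pattern, "^") {
		pattern = "^" + pattern
	}
	if suffix && !strings.HasSuffix(pattern, "$") {
		pattern += "$"
	}
	return pattern
}

// matchRoute reports whether urlPath matches pattern under the given flags. With both
// flags off this is the default wildcard behaviour: the pattern may appear anywhere.
func matchRoute(pattern, urlPath string, prefix, suffix bool) (bool, error) {
	re, err := regexp.Compile(buildPattern(pattern, prefix, suffix))
	if err != nil {
		return false, fmt.Errorf("invalid route pattern %q: %w", pattern, err)
	}
	return re.MatchString(urlPath), nil
}

// strictRouteMatch models enable_strict_routes: the route /app serves /app, /app/ and
// /app/*, but no longer the nearest neighbour /apple.
func strictRouteMatch(route, urlPath string) bool {
	route = strings.TrimSuffix(route, "/")
	return urlPath == route || strings.HasPrefix(urlPath, route+"/")
}

func main() {
	// Constructed sample URLs taken from the examples in the text.
	cases := []struct {
		urlPath        string
		prefix, suffix bool
	}{
		{"/api/v1/data/json", false, false}, // wildcard: matches
		{"/api/v1/data/json", true, false},  // prefix: rejected
		{"/json/data", true, false},         // prefix: matches
		{"/api/v1/json/data", false, true},  // suffix: rejected
		{"/api/v1/json", false, true},       // suffix: matches
		{"/json/data", true, true},          // exact: rejected
		{"/json", true, true},               // exact: matches
	}
	for _, c := range cases {
		ok, _ := matchRoute("/json", c.urlPath, c.prefix, c.suffix)
		fmt.Printf("%-20s prefix=%-5t suffix=%-5t -> %q matches: %t\n",
			c.urlPath, c.prefix, c.suffix, buildPattern("/json", c.prefix, c.suffix), ok)
	}
	for _, p := range []string{"/app", "/app/", "/app/users", "/apple"} {
		fmt.Printf("strict /app vs %-12s -> %t\n", p, strictRouteMatch("/app", p))
	}
}
```

Running the table shows why the text warns about adjusting existing route definitions: a path that used to be reached by wildcard matching (/api/v1/data/json via /json) is rejected once either anchor is applied, which is the intended reduction of unintended matches.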
http_server_options.ssl_insecure_skip_verify
ENV: TYK_GW_HTTPSERVEROPTIONS_SSLINSECURESKIPVERIFY
Type: bool
Disable TLS verification. Required if you are using self-signed certificates.
http_server_options.enable_websockets
ENV: TYK_GW_HTTPSERVEROPTIONS_ENABLEWEBSOCKETS
Type: bool
Enable WebSockets and server side events support.
http_server_options.certificates
ENV: TYK_GW_HTTPSERVEROPTIONS_CERTIFICATES
Type: CertsData
Deprecated: use ssl_certificates instead.
http_server_options.ssl_certificates
ENV: TYK_GW_HTTPSERVEROPTIONS_SSLCERTIFICATES
Type: []string
Index of certificates available to the Gateway for use in client and upstream communication. The string value in the array can be one of the following two options:
- The ID assigned to and used to identify a certificate in the Tyk Certificate Store
- The path to a file accessible to the Gateway. This PEM file must contain the private key and public certificate pair concatenated together.
http_server_options.server_name
ENV: TYK_GW_HTTPSERVEROPTIONS_SERVERNAME
Type: string
Start your Gateway HTTP server on a specific server name.
http_server_options.min_version
ENV: TYK_GW_HTTPSERVEROPTIONS_MINVERSION
Type: uint16
Minimum TLS version. Possible values: https://tyk.io/docs/api-management/certificates#supported-tls-versions
http_server_options.max_version
ENV: TYK_GW_HTTPSERVEROPTIONS_MAXVERSION
Type: uint16
Maximum TLS version.
http_server_options.skip_client_ca_announcement
ENV: TYK_GW_HTTPSERVEROPTIONS_SKIPCLIENTCAANNOUNCEMENT
Type: bool
When mTLS is enabled, this option allows you to skip the client CA announcement in the TLS handshake. This is useful when you have a lot of client CAs and want to reduce the handshake overhead, as some clients can hit TLS handshake limits. With this option the client receives no hint about which certificate to pick (a situation in which that hint is required is very rare).
http_server_options.flush_interval
ENV: TYK_GW_HTTPSERVEROPTIONS_FLUSHINTERVAL
Type: int
Set this to the number of seconds that Tyk uses to flush content from the proxied upstream connection to the open downstream connection. This option needs to be set for streaming protocols like Server Side Events or gRPC streaming.
http_server_options.skip_url_cleaning
ENV: TYK_GW_HTTPSERVEROPTIONS_SKIPURLCLEANING
Type: bool
Allow the use of a double slash in a URL path. This can be useful if you need to pass raw URLs to your API endpoints. For example: http://myapi.com/get/http://example.com.
http_server_options.skip_target_path_escaping
ENV: TYK_GW_HTTPSERVEROPTIONS_SKIPTARGETPATHESCAPING
Type: bool
Disable automatic character escaping, allowing the original URL path data to be passed to the upstream.
http_server_options.ssl_ciphers
ENV: TYK_GW_HTTPSERVEROPTIONS_CIPHERS
Type: []string
Custom SSL ciphers applicable when using TLS version 1.2. See the list of ciphers here: https://tyk.io/docs/api-management/certificates#supported-tls-cipher-suites
http_server_options.max_request_body_size
ENV: TYK_GW_HTTPSERVEROPTIONS_MAXREQUESTBODYSIZE
Type: int64
MaxRequestBodySize configures a maximum size limit for request body size (in bytes) for all APIs on the Gateway. Tyk Gateway will evaluate all API requests against this size limit and will respond with HTTP 413 status code if the body of the request is larger. Two methods are used to perform the comparison:
- If the API Request contains the Content-Length header, this is directly compared against MaxRequestBodySize.
- If the Content-Length header is not provided, the Request body is read in chunks to compare total size against MaxRequestBodySize.
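The following is an added example, not Tyk's own code, of a body-size limit enforced the way the two methods above describe: a declared Content-Length is compared directly, and a request without one is read in bounded chunks until the limit is proven exceeded, with HTTP 413 returned in either case. The limit value, handler names and the use of net/http/httptest to drive requests offline are my assumptions.

```go
package main

import (
	"bytes"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// limitRequestBody wraps next and rejects bodies larger than maxBytes with 413.
func limitRequestBody(maxBytes int64, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Method 1: a declared Content-Length is compared directly against the limit.
		if r.ContentLength > maxBytes {
			http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
			return
		}
		if r.Body == nil {
			next.ServeHTTP(w, r)
			return
		}
		// Method 2: no declared length (ContentLength == -1), so read in chunks but never
		// more than maxBytes+1; one extra byte is enough to prove the limit was exceeded.
		// The same bounded read also catches a Content-Length that understates the real body.
		buf, err := io.ReadAll(io.LimitReader(r.Body, maxBytes+1))
		r.Body.Close()
		if err != nil {
			http.Error(w, "failed to read body", http.StatusBadRequest)
			return
		}
		if int64(len(buf)) > maxBytes {
			http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
			return
		}
		// Hand the already-read body to the next handler unchanged.
		r.Body = io.NopCloser(bytes.NewReader(buf))
		r.ContentLength = int64(len(buf))
		next.ServeHTTP(w, r)
	})
}

// echoSize is a stand-in upstream handler that reports how many bytes it received.
func echoSize(w http.ResponseWriter, r *http.Request) {
	b, _ := io.ReadAll(r.Body)
	fmt.Fprintf(w, "received %d bytes", len(b))
}

// unknownLength hides the reader's concrete type so httptest does not set Content-Length.
type unknownLength struct{ io.Reader }

// sendBody sends body through the limiter and returns the HTTP status code.
// declareLength controls whether the request carries a known Content-Length.
func sendBody(maxBytes int64, body string, declareLength bool) int {
	var src io.Reader = strings.NewReader(body)
	if !declareLength {
		src = unknownLength{strings.NewReader(body)}
	}
	req := httptest.NewRequest(http.MethodPost, "/api/upload", src)
	if !declareLength {
		req.ContentLength = -1 // unknown length, as with chunked transfer encoding
	}
	rec := httptest.NewRecorder()
	limitRequestBody(maxBytes, http.HandlerFunc(echoSize)).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	const limit = 16 // constructed limit for the demo
	small := strings.Repeat("a", 16)
	large := strings.Repeat("a", 17)
	fmt.Println("16 bytes, Content-Length set:", sendBody(limit, small, true))
	fmt.Println("17 bytes, Content-Length set:", sendBody(limit, large, true))
	fmt.Println("16 bytes, no Content-Length :", sendBody(limit, small, false))
	fmt.Println("17 bytes, no Content-Length :", sendBody(limit, large, false))
}
```

The bounded read is what makes the second method safe: the handler never buffers more than maxBytes+1 bytes regardless of how much the client streams, so a missing or dishonest Content-Length cannot be used to push an oversized body past the limit.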
version_header
ENV: TYK_GW_VERSIONHEADER
Type: string
Expose version header with a given name. Works only for versioned APIs.
suppress_redis_signal_reload
ENV: TYK_GW_SUPPRESSREDISSIGNALRELOAD
Type: bool
Disable dynamic API and Policy reloads, i.e. new changes are loaded only on process start.
reload_interval
ENV: TYK_GW_RELOADINTERVAL
Type: int64
ReloadInterval defines a duration in seconds within which the gateway responds to a reload event. The value defaults to 1; values lower than 1 are ignored.
hash_keys
ENV: TYK_GW_HASHKEYS
Type: bool
Enable Key hashing.
disable_key_actions_by_username
ENV: TYK_GW_DISABLEKEYACTIONSBYUSERNAME
Type: bool
DisableKeyActionsByUsername disables key search by username. When this is set to true you are able to search for keys only by keyID or key hash (if hash_keys is also set to true).
Note that if hash_keys is also set to true then the keyID will not be provided for APIs secured using basic auth. In this scenario the only search option would be to use key hash.
If you are using the Tyk Dashboard, you must configure this setting with the same value in both Gateway and Dashboard.
hash_key_function
ENV: TYK_GW_HASHKEYFUNCTION
Type: string
Specify the Key hashing algorithm. Possible values: murmur64, murmur128, sha256.
basic_auth_hash_key_function
ENV: TYK_GW_BASICAUTHHASHKEYFUNCTION
Type: string
Specify the Key hashing algorithm for "basic auth". Possible values: murmur64, murmur128, sha256, bcrypt. Will default to "bcrypt" if not set.
hash_key_function_fallback
ENV: TYK_GW_HASHKEYFUNCTIONFALLBACK
Type: []string
Specify your previous key hashing algorithm if you migrated from one algorithm to another.
enable_hashed_keys_listing
ENV: TYK_GW_ENABLEHASHEDKEYSLISTING
Type: bool
Allows the listing of hashed API keys.
min_token_length
ENV: TYK_GW_MINTOKENLENGTH
Type: int
Minimum API token length.
template_path
ENV: TYK_GW_TEMPLATEPATH
Type: string
Path to error and webhook templates. Defaults to the current binary path.
policies
The policies section allows you to define where Tyk can find its policy templates. Policy templates are similar to key definitions in that they allow you to set quotas, access rights and rate limits for keys. Policies are loaded when Tyk starts and if changed require a hot-reload so they are loaded into memory. A policy can be defined in a file (Open Source installations) or from the same database as the Dashboard.
policies.policy_source
ENV: TYK_GW_POLICIES_POLICYSOURCE
Type: string
Set this value to file to look in the file system for a definition file. Set to service to use the Dashboard service.
policies.policy_connection_string
ENV: TYK_GW_POLICIES_POLICYCONNECTIONSTRING
Type: string
This option is required if policies.policy_source is set to service.
Set this to the URL of your Tyk Dashboard installation. The URL needs to be formatted as: http://dashboard_host:port.
policies.policy_record_name
ENV: TYK_GW_POLICIES_POLICYRECORDNAME
Type: string
This option only applies in OSS deployment when policies.policy_source is either set to file or an empty string. If policies.policy_path is not set, then Tyk will load policies from the JSON file specified by policies.policy_record_name.
policies.allow_explicit_policy_id
ENV: TYK_GW_POLICIES_ALLOWEXPLICITPOLICYID
Type: bool
In a Pro installation, Tyk will load Policy IDs and use the internal object-ID as the ID of the policy. This is not portable in cases where the data needs to be moved from installation to installation. If you set this value to true, then the id parameter in a stored policy (or imported policy using the Dashboard API) will be used instead of the internal ID.
This option should only be used when moving an installation to a new database.
policies.policy_path
ENV: TYK_GW_POLICIES_POLICYPATH
Type: string
This option only applies in OSS deployment when policies.policy_source is either set to file or an empty string. If policies.policy_path is set, then Tyk will load policies from all the JSON files under the directory specified by the policies.policy_path option.
In this configuration, Tyk Gateway will allow policy management through the Gateway API.
ports_whitelist
ENV: TYK_GW_PORTWHITELIST
Type: PortsWhiteList
Defines the ports that will be available for the API services to bind to in the format documented here: https://tyk.io/docs/api-management/non-http-protocols/#allowing-specific-ports. Ports can be configured per protocol, e.g. https, tls etc. If configuring via the environment variable TYK_GW_PORTWHITELIST then remember to escape JSON strings.
disable_ports_whitelist
ENV: TYK_GW_DISABLEPORTWHITELIST
Type: bool
Disable port whitelisting, essentially allowing you to use any port for your API.
app_path
ENV: TYK_GW_APPPATH
Type: string
If Tyk is being used in its standard configuration (Open Source installations), then API definitions are stored in the apps folder (by default in /opt/tyk-gateway/apps). This location is scanned for .json files and re-scanned at startup or reload. See the API section of the Tyk Gateway API for more details.
use_db_app_configs
ENV: TYK_GW_USEDBAPPCONFIGS
Type: bool
If you are a Tyk Pro user, this option will enable polling the Dashboard service for API definitions. On startup Tyk will attempt to connect and download any relevant application configurations from your Dashboard instance. The files are exactly the same as the JSON files on disk with the exception of a BSON ID supplied by the Dashboard service.
db_app_conf_options
This section defines API loading and shard options. Enable these settings to selectively load API definitions on a node from your Dashboard service.
db_app_conf_options.connection_string
ENV: TYK_GW_DBAPPCONFOPTIONS_CONNECTIONSTRING
Type: string
Set the URL to your Dashboard instance (or a load balanced instance). The URL needs to be formatted as: http://dashboard_host:port
db_app_conf_options.connection_timeout
ENV: TYK_GW_DBAPPCONFOPTIONS_CONNECTIONTIMEOUT
Type: int
Set a timeout value, in seconds, for your Dashboard connection. Default value is 30.
db_app_conf_options.node_is_segmented
ENV: TYK_GW_DBAPPCONFOPTIONS_NODEISSEGMENTED
Type: bool
Set to true to enable filtering (sharding) of APIs.
db_app_conf_options.tags
ENV: TYK_GW_DBAPPCONFOPTIONS_TAGS
Type: []string
The tags to use when filtering (sharding) Tyk Gateway nodes. Tags are processed as OR operations.
If you include a non-filter tag (e.g. an identifier such as node-id-1), this will become available to your Dashboard analytics.
storage
This section defines your Redis configuration.
storage.type
ENV: TYK_GW_STORAGE_TYPE
Type: string
This should be set to redis (lowercase).
storage.host
ENV: TYK_GW_STORAGE_HOST
Type: string
The Redis host. By default this is set to localhost, but for production this should be set to a cluster.
storage.port
ENV: TYK_GW_STORAGE_PORT
Type: int
The Redis instance port.
storage.addrs
ENV: TYK_GW_STORAGE_ADDRS
Type: []string
If you have a multi-node setup, you should use this field instead. For example: ["host1:port1", "host2:port2"].
storage.master_name
ENV: TYK_GW_STORAGE_MASTERNAME
Type: string
Redis sentinel master name.
storage.sentinel_password
ENV: TYK_GW_STORAGE_SENTINELPASSWORD
Type: string
Redis sentinel password.
storage.username
ENV: TYK_GW_STORAGE_USERNAME
Type: string
Redis user name.
storage.password
ENV: TYK_GW_STORAGE_PASSWORD
Type: string
If your Redis instance has a password set for access, you can set it here.
storage.database
ENV: TYK_GW_STORAGE_DATABASE
Type: int
Redis database.
storage.optimisation_max_idle
ENV: TYK_GW_STORAGE_MAXIDLE
Type: int
Set the number of maximum idle connections in the Redis connection pool, which defaults to 100. Set to a higher value if you are expecting more traffic.
storage.optimisation_max_active
ENV: TYK_GW_STORAGE_MAXACTIVE
Type: int
Set the number of maximum connections in the Redis connection pool, which defaults to 500. Set to a higher value if you are expecting more traffic.
storage.timeout
ENV: TYK_GW_STORAGE_TIMEOUT
Type: int
Set a custom timeout for Redis network operations. Default value: 5 seconds.
storage.enable_cluster
ENV: TYK_GW_STORAGE_ENABLECLUSTER
Type: bool
Enable Redis Cluster support.
storage.use_ssl
ENV: TYK_GW_STORAGE_USESSL
Type: bool
Enable SSL/TLS connection between your Tyk Gateway and Redis.
storage.ssl_insecure_skip_verify
ENV: TYK_GW_STORAGE_SSLINSECURESKIPVERIFY
Type: bool
Disable TLS verification.
storage.ca_file
ENV: TYK_GW_STORAGE_CAFILE
Type: string
Path to the CA file.
storage.cert_file
ENV: TYK_GW_STORAGE_CERTFILE
Type: string
Path to the cert file.
storage.key_file
ENV: TYK_GW_STORAGE_KEYFILE
Type: string
Path to the key file.
storage.tls_max_version
ENV: TYK_GW_STORAGE_TLSMAXVERSION
Type: string
Maximum TLS version that is supported. Options: ["1.0", "1.1", "1.2", "1.3"]. Defaults to "1.3".
storage.tls_min_version
ENV: TYK_GW_STORAGE_TLSMINVERSION
Type: string
Minimum TLS version that is supported. Options: ["1.0", "1.1", "1.2", "1.3"]. Defaults to "1.2".
disable_dashboard_zeroconf
ENV: TYK_GW_DISABLEDASHBOARDZEROCONF
Type: bool
Disable the capability of the Gateway to autodiscover the Dashboard through heartbeat messages via Redis.
The goal of zeroconf is auto-discovery, so you do not have to specify the Tyk Dashboard address in your Gateway tyk.conf file.
In some specific cases, for example when the Dashboard is bound to a public domain that is not accessible inside an internal network, or similar, disable_dashboard_zeroconf can be set to true in favor of directly specifying a Tyk Dashboard address.
slave_options
The slave_options allow you to configure the RPC slave connection required for MDCB installations.
These settings must be configured for every RPC slave/worker node.
slave_options.use_rpc
ENV: TYK_GW_SLAVEOPTIONS_USERPC
Type: bool
Set to true to connect a worker Gateway using RPC.
slave_options.use_ssl
ENV: TYK_GW_SLAVEOPTIONS_USESSL
Type: bool
Set this option to true to use an SSL RPC connection.
slave_options.ssl_insecure_skip_verify
ENV: TYK_GW_SLAVEOPTIONS_SSLINSECURESKIPVERIFY
Type: bool
Set this option to true to allow the certificate validation (certificate chain and hostname) to be skipped.
This can be useful if you use a self-signed certificate.
slave_options.connection_string
ENV: TYK_GW_SLAVEOPTIONS_CONNECTIONSTRING
Type: string
Use this setting to add the URL for your MDCB or load balancer host.
slave_options.rpc_key
ENV: TYK_GW_SLAVEOPTIONS_RPCKEY
Type: string
Your organization ID to connect to the MDCB installation.
slave_options.api_key
ENV: TYK_GW_SLAVEOPTIONS_APIKEY
Type: string
This is the API key of a user used to authenticate and authorize the Gateway's access through MDCB. The user should be a standard Dashboard user with minimal privileges so as to reduce any risk if the user is compromised. The suggested security settings are read for Real-time notifications and the remaining options set to deny.
slave_options.enable_rpc_cache
ENV: TYK_GW_SLAVEOPTIONS_ENABLERPCCACHE
Type: bool
Set this option to true to enable RPC caching for keys.
slave_options.bind_to_slugs
ENV: TYK_GW_SLAVEOPTIONS_BINDTOSLUGSINSTEADOFLISTENPATHS
Type: bool
For a Self-Managed installation this can be left at false (the default setting). For Legacy Cloud Gateways it must be set to true.
slave_options.disable_keyspace_sync
ENV: TYK_GW_SLAVEOPTIONS_DISABLEKEYSPACESYNC
Type: bool
Set this option to true if you don't want to monitor changes in the keys from a primary Gateway.
slave_options.group_id
ENV: TYK_GW_SLAVEOPTIONS_GROUPID
Type: string
This is the zone that this instance inhabits, e.g. the cluster/data-center the Gateway lives in.
The group ID must be the same across all the Gateways of a data-center/cluster which are also sharing the same Redis instance.
This ID should also be unique per cluster (otherwise another Gateway cluster can pick up your keyspace events and your cluster will get zero updates).
slave_options.call_timeout
ENV: TYK_GW_SLAVEOPTIONS_CALLTIMEOUT
Type: int
Call Timeout allows you to specify a time in seconds for the maximum allowed duration of an RPC call.
slave_options.ping_timeout
ENV: TYK_GW_SLAVEOPTIONS_PINGTIMEOUT
Type: int
The maximum time in seconds that an RPC ping can last.
slave_options.rpc_pool_size
ENV: TYK_GW_SLAVEOPTIONS_RPCPOOLSIZE
Type: int
The number of RPC connections in the pool. Basically it creates a set of connections that you can re-use as needed. Defaults to 5.
slave_options.key_space_sync_interval
ENV: TYK_GW_SLAVEOPTIONS_KEYSPACESYNCINTERVAL
Type: float32
You can use this to set a period for which the Gateway will check if there are changes in keys that must be synchronized. If this value is not set then it will default to 10 seconds.
slave_options.rpc_cert_cache_expiration
ENV: TYK_GW_SLAVEOPTIONS_RPCCERTCACHEEXPIRATION
Type: float32
RPCCertCacheExpiration defines the expiration time of the RPC cache that stores the certificates, in seconds.
slave_options.rpc_global_cache_expiration
ENV: TYK_GW_SLAVEOPTIONS_RPCGLOBALCACHEEXPIRATION
Type: float32
RPCKeysCacheExpiration defines the expiration time of the RPC cache that stores the keys, in seconds.
slave_options.synchroniser_enabled
ENV: TYK_GW_SLAVEOPTIONS_SYNCHRONISERENABLED
Type: bool
SynchroniserEnabled: enable this config if MDCB has the synchroniser enabled. If disabled, the Gateway will ignore signals to synchronise resources.
management_node
ENV: TYK_GW_MANAGEMENTNODE
Type: bool
If set to true, the distributed rate limiter will be disabled for this node, and it will be excluded from any rate limit calculation.
If you set db_app_conf_options.node_is_segmented to true for multiple Gateway nodes, you should ensure that management_node is set to false. This is to ensure visibility for the management node across all APIs.
management_node is not a valid configuration option.
Always set management_node to false in pro environments.
auth_override
This is used as part of the RPC / Hybrid back-end configuration in a Tyk Enterprise installation and isn't used anywhere else.
enable_fixed_window_rate_limiter
ENV: TYK_GW_ENABLEFIXEDWINDOWRATELIMITER
Type: bool
EnableFixedWindow enables fixed window rate limiting.
enable_redis_rolling_limiter
ENV: TYK_GW_ENABLEREDISROLLINGLIMITER
Type: bool
Redis based rate limiter with sliding log. Provides 100% rate limiting accuracy, but requires two additional Redis roundtrips for each request.
enable_sentinel_rate_limiter
ENV: TYK_GW_ENABLESENTINELRATELIMITER
Type: bool
To enable, set to true. The sentinel-based rate limiter delivers a smoother performance curve as rate-limit calculations happen off-thread, but a stricter time-out based cool-down for clients. For example, when a throttling action is triggered, they are required to cool-down for the period of the rate limit.
Disabling the sentinel based rate limiter will make rate-limit calculations happen on-thread and therefore offers a staggered cool-down and a smoother rate-limit experience for the client.
For example, you can slow your connection throughput to regain entry into your rate limit. This is more of a "throttle" than a "block".
The standard rate limiter offers similar performance as the sentinel-based limiter. This is disabled by default.
enable_rate_limit_smoothing
ENV: TYK_GW_ENABLERATELIMITSMOOTHING
Type: bool
EnableRateLimitSmoothing enables or disables rate limit smoothing. The rate smoothing is only supported on the Redis Rate Limiter, or the Sentinel Rate Limiter, as both algorithms implement a sliding log.
enable_non_transactional_rate_limiter
ENV: TYK_GW_ENABLENONTRANSACTIONALRATELIMITER
Type: bool
An enhancement for the Redis and Sentinel rate limiters that offers a significant improvement in performance by not using transactions on Redis rate-limit buckets.
drl_notification_frequency
ENV: TYK_GW_DRLNOTIFICATIONFREQUENCY
Type: int
How frequently a distributed rate limiter synchronises information between the Gateway nodes. Default: 2 seconds.
drl_threshold
ENV: TYK_GW_DRLTHRESHOLD
Type: float64
A distributed rate limiter is inaccurate on small rate limits, and it will fall back to a Redis or Sentinel rate limiter on an individual user basis if the user's rate limit is lower than the threshold. The rate limiter threshold is calculated using the following formula:
rate_threshold = drl_threshold * number_of_gateways
So if you have 2 Gateways and your threshold is set to 5, a user rate limit larger than 10 will use the distributed rate limiter algorithm.
Default: 5
drl_enable_sentinel_rate_limiter
ENV: TYK_GW_DRLENABLESENTINELRATELIMITER
Type: bool
Controls which algorithm to use as a fallback when your distributed rate limiter can't be used.
enforce_org_data_age
ENV: TYK_GW_ENFORCEORGDATAAGE
Type: bool
Allows you to dynamically configure analytics expiration on a per organization level.
enforce_org_data_detail_logging
ENV: TYK_GW_ENFORCEORGDATADETAILLOGGING
Type: bool
Allows you to dynamically configure detailed logging on a per organization level.
enforce_org_quotas
ENV: TYK_GW_ENFORCEORGQUOTAS
Type: bool
Allows you to dynamically configure organization quotas on a per organization level.
monitor
The monitor section is useful if you wish to enforce a global trigger limit on organization and user quotas. This feature will trigger a webhook event to fire when specific triggers are reached. Triggers can be global (set in the node), by organization (set in the organization session object) or by key (set in the key session object). While Organization-level and Key-level triggers can be tiered (e.g. trigger at 10%, trigger at 20%, trigger at 80%), in the node-level configuration only a global value can be set. If a global value and specific trigger level are the same the trigger will only fire once.
monitor.enable_trigger_monitors
ENV: TYK_GW_MONITOR_ENABLETRIGGERMONITORS
Type: bool
Set this to true to have monitors enabled in your configuration for the node.
monitor.configuration.method
ENV: TYK_GW_MONITOR_CONFIG_METHOD
Type: string
The method to use for the webhook.
monitor.configuration.target_path
ENV: TYK_GW_MONITOR_CONFIG_TARGETPATH
Type: string
The target path on which to send the request.
monitor.configuration.template_path
ENV: TYK_GW_MONITOR_CONFIG_TEMPLATEPATH
Type: string
The template to load in order to format the request.
monitor.configuration.header_map
ENV: TYK_GW_MONITOR_CONFIG_HEADERLIST
Type: map[string]string
Headers to set when firing the webhook.
monitor.configuration.event_timeout
ENV: TYK_GW_MONITOR_CONFIG_EVENTTIMEOUT
Type: int64
The cool-down for the event so it does not trigger again (in seconds).
monitor.global_trigger_limit
ENV: TYK_GW_MONITOR_GLOBALTRIGGERLIMIT
Type: float64
The trigger limit, as a percentage of the quota that must be reached in order to trigger the event. Any time the quota percentage is increased the event will trigger.
monitor.monitor_user_keys
ENV: TYK_GW_MONITOR_MONITORUSERKEYS
Type: bool
Apply the monitoring subsystem to user keys.
monitor.monitor_org_keys
ENV: TYK_GW_MONITOR_MONITORORGKEYS
Type: bool
Apply the monitoring subsystem to organization keys.
max_idle_connections
ENV: TYK_GW_MAXIDLECONNS
Type: int
Maximum idle connections, per API, between Tyk and Upstream. By default not limited.
max_idle_connections_per_host
ENV: TYK_GW_MAXIDLECONNSPERHOST
Type: int
Maximum idle connections, per API, per upstream, between Tyk and Upstream. Default: 100
max_conn_time
ENV: TYK_GW_MAXCONNTIME
Type: int64
Maximum connection time. If set it will force the gateway to reconnect to the upstream.
close_connections
ENV: TYK_GW_CLOSECONNECTIONS
Type: bool
If set, disable keepalive between User and Tyk.
enable_custom_domains
ENV: TYK_GW_ENABLECUSTOMDOMAINS
Type: bool
Allows you to use custom domains.
allow_master_keys
ENV: TYK_GW_ALLOWMASTERKEYS
Type: bool
If AllowMasterKeys is set to true, session objects (key definitions) that do not have explicit access rights set will be allowed by Tyk. This means that keys that are created have access to ALL APIs, which in many cases is unwanted behavior unless you are sure about what you are doing.
service_discovery.default_cache_timeout
ENV: TYK_GW_SERVICEDISCOVERY_DEFAULTCACHETIMEOUTType:
intService discovery cache timeout
proxy_ssl_insecure_skip_verify
ENV: TYK_GW_PROXYSSLINSECURESKIPVERIFYType:
boolGlobally ignore TLS verification between Tyk and your Upstream services
proxy_enable_http2
ENV: TYK_GW_PROXYENABLEHTTP2Type:
boolEnable HTTP2 support between Tyk and your upstream service. Required for gRPC.
proxy_ssl_min_version
ENV: TYK_GW_PROXYSSLMINVERSIONType:
uint16Minimum TLS version for connection between Tyk and your upstream service.
proxy_ssl_max_version
ENV: TYK_GW_PROXYSSLMAXVERSIONType:
uint16Maximum TLS version for connection between Tyk and your upstream service.
proxy_ssl_ciphers
ENV: TYK_GW_PROXYSSLCIPHERSUITESType:
[]stringAllow list of ciphers for connection between Tyk and your upstream service.
proxy_default_timeout
ENV: TYK_GW_PROXYDEFAULTTIMEOUTType:
float64This can specify a default timeout in seconds for upstream API requests. Default: 30 seconds
proxy_ssl_disable_renegotiation
ENV: TYK_GW_PROXYSSLDISABLERENEGOTIATIONType:
boolDisable TLS renegotiation.
proxy_close_connections
ENV: TYK_GW_PROXYCLOSECONNECTIONSType:
boolDisable keepalives between Tyk and your upstream service. Set this value to
true to force Tyk to close the connection with the server, otherwise the connections will remain open for as long as your OS keeps TCP connections open.
This can cause a file-handler limit to be exceeded. Setting to false can have performance benefits as the connection can be reused.
uptime_tests
Tyk nodes can provide uptime awareness, uptime testing and analytics for the uptime and availability of your underlying APIs. Tyk can also notify you when a service goes down.
uptime_tests.disable
ENV: TYK_GW_UPTIMETESTS_DISABLE | Type: bool
To disable uptime tests on this node, set this value to true.
uptime_tests.poller_group
ENV: TYK_GW_UPTIMETESTS_POLLERGROUP | Type: string
If you have multiple Gateway clusters connected to the same Redis instance, you need to set a unique poller group for each cluster.
uptime_tests.config.failure_trigger_sample_size
ENV: TYK_GW_UPTIMETESTS_CONFIG_FAILURETRIGGERSAMPLESIZE | Type: int
The sample size required to trigger a HostUp or HostDown event. For example, a setting of 3 will require at least three failures to occur before the uptime test is triggered.
uptime_tests.config.time_wait
ENV: TYK_GW_UPTIMETESTS_CONFIG_TIMEWAIT | Type: int
The value in seconds between test runs. All tests run simultaneously; this value sets the time between those runs, so a value of 60 will run all uptime tests every 60 seconds.
uptime_tests.config.checker_pool_size
ENV: TYK_GW_UPTIMETESTS_CONFIG_CHECKERPOOLSIZE | Type: int
The goroutine pool size to keep idle for uptime tests. If you have many uptime tests running at a high frequency, increase this value.
uptime_tests.config.enable_uptime_analytics
ENV: TYK_GW_UPTIMETESTS_CONFIG_ENABLEUPTIMEANALYTICS | Type: bool
Set this value to true to have the node capture and record analytics data regarding the uptime tests.
health_check
This section enables the configuration of the health-check API endpoint and the size of the sample data cache (in seconds).
health_check.enable_health_checks
ENV: TYK_GW_HEALTHCHECK_ENABLEHEALTHCHECKS | Type: bool
Setting this value to true will enable the health-check endpoint on /Tyk/health.
health_check.health_check_value_timeouts
ENV: TYK_GW_HEALTHCHECK_HEALTHCHECKVALUETIMEOUT | Type: int64
This setting defaults to 60 seconds. This is the time window that Tyk uses to sample health-check data. You can set a higher value for more accurate data (a larger sample period), or a lower value for less accurate data. This value is configurable because the sample data used to calculate samples takes up space in your Redis DB. On high-availability systems this may not be desirable and smaller values may be preferred.
health_check_endpoint_name
ENV: TYK_GW_HEALTHCHECKENDPOINTNAME | Type: string
Enables you to rename the /hello endpoint.
oauth_refresh_token_expire
ENV: TYK_GW_OAUTHREFRESHEXPIRE | Type: int64
Change the expiry time of a refresh token (in seconds). Default: 14 days.
oauth_token_expire
ENV: TYK_GW_OAUTHTOKENEXPIRE | Type: int32
Change the expiry time of OAuth tokens (in seconds).
oauth_token_expired_retain_period
ENV: TYK_GW_OAUTHTOKENEXPIREDRETAINPERIOD | Type: int32
Specifies how long expired tokens are stored in Redis. The value is in seconds and the default is 0. Using the default means expired tokens are never removed from Redis.
oauth_redirect_uri_separator
ENV: TYK_GW_OAUTHREDIRECTURISEPARATOR | Type: string
Character which should be used as a separator for OAuth redirect URI URLs. Default: ;.
oauth_error_status_code
ENV: TYK_GW_OAUTHERRORSTATUSCODE | Type: int
Configures the OAuth error status code returned. If not set, it defaults to a 403 error.
enable_key_logging
ENV: TYK_GW_ENABLEKEYLOGGING | Type: bool
By default all key IDs in logs are hidden. Set to true if you want to see them for debugging reasons.
ssl_force_common_name_check
ENV: TYK_GW_SSLFORCECOMMONNAMECHECK | Type: bool
Force the validation of the hostname against the common name, even if TLS verification is disabled.
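How the upstream TLS settings above (proxy_ssl_insecure_skip_verify, proxy_ssl_min_version, proxy_ssl_ciphers) combine with ssl_force_common_name_check, as an added Go example that is not Tyk's own code: it builds a tls.Config from those options and shows that, with chain verification switched off but the common name check forced, a certificate issued for another host is still rejected. The struct and function names are assumptions; the uint16 version values are Go's tls.Version* constants (771 = TLS 1.2), and the self-signed certificate is constructed in memory purely to exercise the check.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// UpstreamTLSOptions mirrors the upstream TLS settings on this page
// (proxy_ssl_* and ssl_force_common_name_check); illustrative, not Tyk's own type.
type UpstreamTLSOptions struct {
	InsecureSkipVerify   bool     // proxy_ssl_insecure_skip_verify
	ForceCommonNameCheck bool     // ssl_force_common_name_check
	MinVersion           uint16   // proxy_ssl_min_version: Go tls.Version* value, 771 = TLS 1.2
	MaxVersion           uint16   // proxy_ssl_max_version (0 = library default)
	Ciphers              []string // proxy_ssl_ciphers: IANA names, e.g. TLS_AES_128_GCM_SHA256
}

// cipherIDs maps IANA names to Go's numeric IDs. Names Go does not list as
// secure are rejected, so a typo cannot silently widen the allow list.
func cipherIDs(names []string) ([]uint16, error) {
	byName := map[string]uint16{}
	for _, cs := range tls.CipherSuites() {
		byName[cs.Name] = cs.ID
	}
	var ids []uint16
	for _, n := range names {
		id, ok := byName[n]
		if !ok {
			return nil, fmt.Errorf("cipher %q is unknown or marked insecure", n)
		}
		ids = append(ids, id)
	}
	return ids, nil
}

// BuildUpstreamTLSConfig turns the options into the tls.Config for the
// Tyk-to-upstream hop. With chain verification disabled but the common name
// check forced, VerifyConnection still rejects a certificate not issued for
// serverName; Go runs that hook even when InsecureSkipVerify is set.
func BuildUpstreamTLSConfig(o UpstreamTLSOptions, serverName string) (*tls.Config, error) {
	ids, err := cipherIDs(o.Ciphers)
	if err != nil {
		return nil, err
	}
	cfg := &tls.Config{
		ServerName:         serverName,
		MinVersion:         o.MinVersion,
		MaxVersion:         o.MaxVersion,
		CipherSuites:       ids,
		InsecureSkipVerify: o.InsecureSkipVerify,
	}
	if o.InsecureSkipVerify && o.ForceCommonNameCheck {
		cfg.VerifyConnection = func(cs tls.ConnectionState) error {
			if len(cs.PeerCertificates) == 0 {
				return fmt.Errorf("upstream %s presented no certificate", serverName)
			}
			return cs.PeerCertificates[0].VerifyHostname(serverName)
		}
	}
	return cfg, nil
}

// SelfSignedCert builds a throw-away certificate for host so the hook can be
// exercised offline (constructed test input, not a real upstream certificate).
func SelfSignedCert(host string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	opts := UpstreamTLSOptions{InsecureSkipVerify: true, ForceCommonNameCheck: true, MinVersion: 771}
	cfg, _ := BuildUpstreamTLSConfig(opts, "api.internal")
	for _, host := range []string{"api.internal", "evil.example"} {
		cert, _ := SelfSignedCert(host)
		err := cfg.VerifyConnection(tls.ConnectionState{PeerCertificates: []*x509.Certificate{cert}})
		fmt.Printf("cert for %s when dialing api.internal: %v\n", host, err)
	}
}
```

Note that the hostname check does not restore chain validation: a certificate for the right name signed by anyone still passes, which is exactly the residual risk of running with proxy_ssl_insecure_skip_verify set.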
enable_analytics
ENV: TYK_GW_ENABLEANALYTICS | Type: bool
Tyk is capable of recording every hit to your API to a database with various filtering parameters. Set this value to true and fill in the sub-section below to enable logging.
For performance reasons, Tyk will store traffic data in Redis initially and then purge the data from Redis to MongoDB or other data stores on a regular basis, as determined by the purge_delay setting in your Tyk Pump configuration.
analytics_config
This section defines options on what analytics data to store.
analytics_config.type
ENV: TYK_GW_ANALYTICSCONFIG_TYPE | Type: string
Set empty for a Self-Managed installation or rpc for multi-cloud.
analytics_config.ignored_ips
ENV: TYK_GW_ANALYTICSCONFIG_IGNOREDIPS | Type: []string
Adding IP addresses to this list will cause Tyk to ignore these IPs in the analytics data. These IP addresses will not produce an analytics log record. This is useful for health checks and other samplers that might skew usage data. The IP addresses must be provided as a JSON array, with the values being single IPs. CIDR values are not supported.
analytics_config.enable_detailed_recording
ENV: TYK_GW_ANALYTICSCONFIG_ENABLEDETAILEDRECORDING | Type: bool
Set this value to true to have Tyk store the inbound request and outbound response data in HTTP wire format as part of the analytics data.
Please note, this will greatly increase your analytics DB size and can cause performance degradation on analytics processing by the Dashboard.
This setting can be overridden with an organization flag, enabled at an API level, or on an individual key level.
analytics_config.enable_geo_ip
ENV: TYK_GW_ANALYTICSCONFIG_ENABLEGEOIP | Type: bool
Tyk can store GeoIP information based on MaxMind DBs to enable GeoIP tracking on inbound request analytics. Set this value to true and assign a DB using the geo_ip_db_path setting.
analytics_config.geo_ip_db_path
ENV: TYK_GW_ANALYTICSCONFIG_GEOIPDBLOCATION | Type: string
Path to a MaxMind GeoIP database. The analytics GeoIP DB can be replaced on disk; it will cleanly auto-reload every hour.
analytics_config.normalise_urls
This section describes methods that enable you to normalise inbound URLs in your analytics to have more meaningful per-path data.
analytics_config.normalise_urls.enabled
ENV: TYK_GW_ANALYTICSCONFIG_NORMALISEURLS_ENABLED | Type: bool
Set this to true to enable normalisation.
analytics_config.normalise_urls.normalise_uuids
ENV: TYK_GW_ANALYTICSCONFIG_NORMALISEURLS_NORMALISEUUIDS | Type: bool
Each UUID will be replaced with a placeholder.
analytics_config.normalise_urls.normalise_ulids
ENV: TYK_GW_ANALYTICSCONFIG_NORMALISEURLS_NORMALISEULIDS | Type: bool
Each ULID will be replaced with a placeholder.
analytics_config.normalise_urls.normalise_numbers
ENV: TYK_GW_ANALYTICSCONFIG_NORMALISEURLS_NORMALISENUMBERS | Type: bool
Set this to true to have Tyk automatically match numeric IDs. It will match with a preceding slash so as not to capture actual numbers.
analytics_config.normalise_urls.custom_patterns
ENV: TYK_GW_ANALYTICSCONFIG_NORMALISEURLS_CUSTOM | Type: []string
This is a list of custom patterns you can add. These must be valid regex strings. Tyk will replace these values with a {var} placeholder.
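What the normalise_urls options above do to a request path, as an added Go example that is not Tyk's own implementation: UUIDs, ULIDs and slash-prefixed numeric IDs are collapsed into placeholders, custom regexes become {var} as the page states, and an invalid custom pattern is reported as a configuration error rather than skipped. The struct and function names and the {uuid}, {ulid} and {id} placeholder spellings are assumptions; the sample paths are constructed.

```go
package main

import (
	"fmt"
	"regexp"
)

// NormaliseOptions mirrors analytics_config.normalise_urls (illustrative type,
// not Tyk's own config struct).
type NormaliseOptions struct {
	Enabled          bool     // normalise_urls.enabled
	NormaliseUUIDs   bool     // normalise_urls.normalise_uuids
	NormaliseULIDs   bool     // normalise_urls.normalise_ulids
	NormaliseNumbers bool     // normalise_urls.normalise_numbers
	CustomPatterns   []string // normalise_urls.custom_patterns, each a Go regexp
}

var (
	// RFC 4122 textual UUID, case-insensitive.
	uuidRe = regexp.MustCompile(`[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}`)
	// ULID: 26 Crockford base32 characters (no I, L, O, U), first one 0-7, as a whole token.
	ulidRe = regexp.MustCompile(`\b[0-7][0-9A-HJKMNP-TV-Z]{25}\b`)
	// Numeric IDs only when they form a whole path segment after a slash,
	// so "/v2" or "/page10" are left alone, matching the page's description.
	numRe = regexp.MustCompile(`/[0-9]+\b`)
)

// Normaliser applies the rules in order: UUIDs, ULIDs, numbers, then custom patterns.
type Normaliser struct {
	opts   NormaliseOptions
	custom []*regexp.Regexp
}

// NewNormaliser compiles the custom patterns up front; an invalid regex is a
// configuration error and is reported instead of being silently ignored.
func NewNormaliser(o NormaliseOptions) (*Normaliser, error) {
	n := &Normaliser{opts: o}
	for _, p := range o.CustomPatterns {
		re, err := regexp.Compile(p)
		if err != nil {
			return nil, fmt.Errorf("custom_patterns entry %q: %w", p, err)
		}
		n.custom = append(n.custom, re)
	}
	return n, nil
}

// Normalise rewrites a request path for analytics. The placeholder names
// {uuid}, {ulid} and {id} are assumptions; {var} is the one the page states.
func (n *Normaliser) Normalise(path string) string {
	if !n.opts.Enabled {
		return path
	}
	if n.opts.NormaliseUUIDs {
		path = uuidRe.ReplaceAllString(path, "{uuid}")
	}
	if n.opts.NormaliseULIDs {
		path = ulidRe.ReplaceAllString(path, "{ulid}")
	}
	if n.opts.NormaliseNumbers {
		path = numRe.ReplaceAllString(path, "/{id}")
	}
	for _, re := range n.custom {
		path = re.ReplaceAllString(path, "{var}")
	}
	return path
}

func main() {
	n, err := NewNormaliser(NormaliseOptions{
		Enabled: true, NormaliseUUIDs: true, NormaliseULIDs: true, NormaliseNumbers: true,
		CustomPatterns: []string{`ord_[0-9a-z]+`},
	})
	if err != nil {
		panic(err)
	}
	for _, p := range []string{ // constructed sample paths
		"/users/3fa85f64-5717-4562-b3fc-2c963f66afa6/orders/42",
		"/items/01ARZ3NDEKTSV4RRFFQ69G5FAV/v2",
		"/orders/ord_a1b2/page10",
	} {
		fmt.Printf("%s -> %s\n", p, n.Normalise(p))
	}
}
```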
analytics_config.pool_size
ENV: TYK_GW_ANALYTICSCONFIG_POOLSIZE | Type: int
Number of workers used to process analytics. Defaults to the number of CPU cores.
analytics_config.records_buffer_size
ENV: TYK_GW_ANALYTICSCONFIG_RECORDSBUFFERSIZE | Type: uint64
Number of records in the analytics queue, per worker. Default: 1000.
analytics_config.storage_expiration_time
ENV: TYK_GW_ANALYTICSCONFIG_STORAGEEXPIRATIONTIME | Type: int
You can set a time (in seconds) to configure how long analytics are kept if they are not processed. The default is 60 seconds. This is used to prevent the potential infinite growth of Redis analytics storage.
analytics_config.enable_multiple_analytics_keys
ENV: TYK_GW_ANALYTICSCONFIG_ENABLEMULTIPLEANALYTICSKEYS | Type: bool
Set this to true to have Tyk automatically divide the analytics records into multiple analytics keys. This is especially useful when storage.enable_cluster is set to true, since it will distribute the analytics keys across all the cluster nodes.
analytics_config.purge_interval
ENV: TYK_GW_ANALYTICSCONFIG_PURGEINTERVAL | Type: float32
You can set the interval length on how often the Tyk Gateway will purge analytics data. This value is in seconds and defaults to 10 seconds.
analytics_config.serializer_type
ENV: TYK_GW_ANALYTICSCONFIG_SERIALIZERTYPE | Type: string
Determines the serialization engine for analytics. Available options: msgpack and protobuf. Default: msgpack.
enable_separate_analytics_store
ENV: TYK_GW_ENABLESEPERATEANALYTICSSTORE | Type: bool
Enable separate analytics storage. Used together with analytics_storage.
analytics_storage.type
ENV: TYK_GW_ANALYTICSSTORAGE_TYPE | Type: string
This should be set to redis (lowercase).
analytics_storage.host
ENV: TYK_GW_ANALYTICSSTORAGE_HOST | Type: string
The Redis host. By default this is set to localhost, but for production this should be set to a cluster.
analytics_storage.port
ENV: TYK_GW_ANALYTICSSTORAGE_PORT | Type: int
The Redis instance port.
analytics_storage.addrs
ENV: TYK_GW_ANALYTICSSTORAGE_ADDRS | Type: []string
If you have a multi-node setup, you should use this field instead. For example: ["host1:port1", "host2:port2"].
analytics_storage.master_name
ENV: TYK_GW_ANALYTICSSTORAGE_MASTERNAME | Type: string
Redis Sentinel master name.
analytics_storage.sentinel_password
ENV: TYK_GW_ANALYTICSSTORAGE_SENTINELPASSWORD | Type: string
Redis Sentinel password.
analytics_storage.username
ENV: TYK_GW_ANALYTICSSTORAGE_USERNAME | Type: string
Redis user name.
analytics_storage.password
ENV: TYK_GW_ANALYTICSSTORAGE_PASSWORD | Type: string
If your Redis instance has a password set for access, you can set it here.
analytics_storage.database
ENV: TYK_GW_ANALYTICSSTORAGE_DATABASE | Type: int
Redis database.
analytics_storage.optimisation_max_idle
ENV: TYK_GW_ANALYTICSSTORAGE_MAXIDLE | Type: int
Set the maximum number of idle connections in the Redis connection pool, which defaults to 100. Set to a higher value if you are expecting more traffic.
analytics_storage.optimisation_max_active
ENV: TYK_GW_ANALYTICSSTORAGE_MAXACTIVE | Type: int
Set the maximum number of connections in the Redis connection pool, which defaults to 500. Set to a higher value if you are expecting more traffic.
analytics_storage.timeout
ENV: TYK_GW_ANALYTICSSTORAGE_TIMEOUT | Type: int
Set a custom timeout for Redis network operations. Default value: 5 seconds.
analytics_storage.enable_cluster
ENV: TYK_GW_ANALYTICSSTORAGE_ENABLECLUSTER | Type: bool
Enable Redis Cluster support.
analytics_storage.use_ssl
ENV: TYK_GW_ANALYTICSSTORAGE_USESSL | Type: bool
Enable SSL/TLS connection between your Tyk Gateway and Redis.
analytics_storage.ssl_insecure_skip_verify
ENV: TYK_GW_ANALYTICSSTORAGE_SSLINSECURESKIPVERIFY | Type: bool
Disable TLS verification.
analytics_storage.ca_file
ENV: TYK_GW_ANALYTICSSTORAGE_CAFILE | Type: string
Path to the CA file.
analytics_storage.cert_file
ENV: TYK_GW_ANALYTICSSTORAGE_CERTFILE | Type: string
Path to the cert file.
analytics_storage.key_file
ENV: TYK_GW_ANALYTICSSTORAGE_KEYFILE | Type: string
Path to the key file.
analytics_storage.tls_max_version
ENV: TYK_GW_ANALYTICSSTORAGE_TLSMAXVERSION | Type: string
Maximum TLS version that is supported. Options: ["1.0", "1.1", "1.2", "1.3"]. Defaults to "1.3".
analytics_storage.tls_min_version
ENV: TYK_GW_ANALYTICSSTORAGE_TLSMINVERSION | Type: string
Minimum TLS version that is supported. Options: ["1.0", "1.1", "1.2", "1.3"]. Defaults to "1.2".
liveness_check.check_duration
ENV: TYK_GW_LIVENESSCHECK_CHECKDURATION | Type: time.Duration
Frequency of the interval health checks for Redis, the Dashboard and the RPC layer. Expressed in nanoseconds. For example: 1000000000 -> 1s. Default: 10 seconds.
dns_cache
This section enables the global configuration of expirable DNS record caching for your Gateway API endpoints. By design, caching affects only http(s) and ws(s) protocol APIs and doesn't affect any plugin/middleware DNS queries.
dns_cache.enabled
ENV: TYK_GW_DNSCACHE_ENABLED | Type: bool
Setting this value to true will enable caching of DNS query responses used for API endpoint host names. By default caching is disabled.
dns_cache.ttl
ENV: TYK_GW_DNSCACHE_TTL | Type: int64
This setting allows you to specify a duration in seconds before the record will be removed from the cache after being added to it on the first DNS query resolution of API endpoints. Setting ttl to -1 prevents the record from being expired and removed from the cache on the next check interval.
dns_cache.multiple_ips_handle_strategy
ENV: TYK_GW_DNSCACHE_MULTIPLEIPSHANDLESTRATEGY | Type: string
The strategy used when a DNS query replies with more than one IP address for a single host. As the IP addresses in a DNS response can come in a changing order depending on the DNS server's balancing strategy (e.g. round robin, geographically dependent origin-IP ordering, etc.), this option allows you not to limit the connection to the first host in a cached response list, or to prevent response caching.
- pick_first: instructs your Tyk Gateway to connect to the first IP in the returned IP list and cache the response.
- random: instructs your Tyk Gateway to connect to a random IP in the returned IP list and cache the response.
- no_cache: instructs your Tyk Gateway to connect to the first IP in the returned IP list and fetch the address list on each API endpoint DNS query, without caching.
disable_regexp_cache
ENV: TYK_GW_DISABLEREGEXPCACHE | Type: bool
If set to true this allows you to disable the regular expression cache. The default setting is false.
regexp_cache_expire
ENV: TYK_GW_REGEXPCACHEEXPIRE | Type: int32
If you set disable_regexp_cache to false, you can use this setting to limit how long the regular expression cache is kept for, in seconds. The default is 60 seconds. This must be a positive value. If you set it to 0 this uses the default value.
local_session_cache
Tyk can cache some data locally. This can speed up lookup times on a single node and lower the number of connections and operations being done on Redis. It will however introduce a slight delay when updating or modifying keys as the cache must expire. This does not affect rate limiting.
local_session_cache.disable_cached_session_state
ENV: TYK_GW_LOCALSESSIONCACHE_DISABLECACHESESSIONSTATE | Type: bool
By default sessions are cached. Set this to true to stop Tyk from caching keys locally on the node.
enable_separate_cache_store
ENV: TYK_GW_ENABLESEPERATECACHESTORE | Type: bool
Enable to use a separate Redis for cache storage.
cache_storage.type
ENV: TYK_GW_CACHESTORAGE_TYPE | Type: string
This should be set to redis (lowercase).
cache_storage.host
ENV: TYK_GW_CACHESTORAGE_HOST | Type: string
The Redis host. By default this is set to localhost, but for production this should be set to a cluster.
cache_storage.port
ENV: TYK_GW_CACHESTORAGE_PORT | Type: int
The Redis instance port.
cache_storage.addrs
ENV: TYK_GW_CACHESTORAGE_ADDRS | Type: []string
If you have a multi-node setup, you should use this field instead. For example: ["host1:port1", "host2:port2"].
cache_storage.master_name
ENV: TYK_GW_CACHESTORAGE_MASTERNAME | Type: string
Redis Sentinel master name.
cache_storage.sentinel_password
ENV: TYK_GW_CACHESTORAGE_SENTINELPASSWORD | Type: string
Redis Sentinel password.
cache_storage.username
ENV: TYK_GW_CACHESTORAGE_USERNAME | Type: string
Redis user name.
cache_storage.password
ENV: TYK_GW_CACHESTORAGE_PASSWORD | Type: string
If your Redis instance has a password set for access, you can set it here.
cache_storage.database
ENV: TYK_GW_CACHESTORAGE_DATABASE | Type: int
Redis database.
cache_storage.optimisation_max_idle
ENV: TYK_GW_CACHESTORAGE_MAXIDLE | Type: int
Set the maximum number of idle connections in the Redis connection pool, which defaults to 100. Set to a higher value if you are expecting more traffic.
cache_storage.optimisation_max_active
ENV: TYK_GW_CACHESTORAGE_MAXACTIVE | Type: int
Set the maximum number of connections in the Redis connection pool, which defaults to 500. Set to a higher value if you are expecting more traffic.
cache_storage.timeout
ENV: TYK_GW_CACHESTORAGE_TIMEOUT | Type: int
Set a custom timeout for Redis network operations. Default value: 5 seconds.
cache_storage.enable_cluster
ENV: TYK_GW_CACHESTORAGE_ENABLECLUSTER | Type: bool
Enable Redis Cluster support.
cache_storage.use_ssl
ENV: TYK_GW_CACHESTORAGE_USESSL | Type: bool
Enable SSL/TLS connection between your Tyk Gateway and Redis.
cache_storage.ssl_insecure_skip_verify
ENV: TYK_GW_CACHESTORAGE_SSLINSECURESKIPVERIFY | Type: bool
Disable TLS verification.
cache_storage.ca_file
ENV: TYK_GW_CACHESTORAGE_CAFILE | Type: string
Path to the CA file.
cache_storage.cert_file
ENV: TYK_GW_CACHESTORAGE_CERTFILE | Type: string
Path to the cert file.
cache_storage.key_file
ENV: TYK_GW_CACHESTORAGE_KEYFILE | Type: string
Path to the key file.
cache_storage.tls_max_version
ENV: TYK_GW_CACHESTORAGE_TLSMAXVERSION | Type: string
Maximum TLS version that is supported. Options: ["1.0", "1.1", "1.2", "1.3"]. Defaults to "1.3".
cache_storage.tls_min_version
ENV: TYK_GW_CACHESTORAGE_TLSMINVERSION | Type: string
Minimum TLS version that is supported. Options: ["1.0", "1.1", "1.2", "1.3"]. Defaults to "1.2".
enable_bundle_downloader
ENV: TYK_GW_ENABLEBUNDLEDOWNLOADER | Type: bool
Enable downloading plugin bundles.
bundle_base_url
ENV: TYK_GW_BUNDLEBASEURL | Type: string
A base URL that will be used to download the bundle. In this example we have bundle-latest.zip specified in the API settings; Tyk will fetch the following URL: http://my-bundle-server.com/bundles/bundle-latest.zip (see the next section for details).
bundle_insecure_skip_verify
ENV: TYK_GW_BUNDLEINSECURESKIPVERIFY | Type: bool
Disable TLS validation for bundle URLs.
enable_jsvm
ENV: TYK_GW_ENABLEJSVM | Type: bool
Set to true if you are using JSVM custom middleware or virtual endpoints.
jsvm_timeout
ENV: TYK_GW_JSVMTIMEOUT | Type: int
Set the execution timeout for JSVM plugins and virtual endpoints.
disable_virtual_path_blobs
ENV: TYK_GW_DISABLEVIRTUALPATHBLOBS | Type: bool
Disable virtual endpoints; the code will not be loaded into the VM when the API definition initialises. This is useful for systems where you want to avoid having third-party code run.
tyk_js_path
ENV: TYK_GW_TYKJSPATH | Type: string
Path to the JavaScript file which will be pre-loaded for any JSVM middleware or virtual endpoint. Useful for defining global shared functions.
middleware_path
ENV: TYK_GW_MIDDLEWAREPATH | Type: string
Path to the plugins directory. Default: "./middleware".
coprocess_options
Configuration options for Python and gRPC plugins.
coprocess_options.enable_coprocess
ENV: TYK_GW_COPROCESSOPTIONS_ENABLECOPROCESS | Type: bool
Enable gRPC and Python plugins.
coprocess_options.coprocess_grpc_server
ENV: TYK_GW_COPROCESSOPTIONS_COPROCESSGRPCSERVER | Type: string
Address of the gRPC server.
coprocess_options.grpc_recv_max_size
ENV: TYK_GW_COPROCESSOPTIONS_GRPCRECVMAXSIZE | Type: int
Maximum message size which can be received from a gRPC server.
coprocess_options.grpc_send_max_size
ENV: TYK_GW_COPROCESSOPTIONS_GRPCSENDMAXSIZE | Type: int
Maximum message size which can be sent to a gRPC server.
coprocess_options.grpc_authority
ENV: TYK_GW_COPROCESSOPTIONS_GRPCAUTHORITY | Type: string
Authority used in the gRPC connection.
coprocess_options.python_path_prefix
ENV: TYK_GW_COPROCESSOPTIONS_PYTHONPATHPREFIX | Type: string
Sets the path to built-in Tyk modules. This will be part of the Python module lookup path. The value used here is the default one for most installations.
coprocess_options.python_version
ENV: TYK_GW_COPROCESSOPTIONS_PYTHONVERSION | Type: string
If you have multiple Python versions installed you can specify your version.
ignore_endpoint_case
ENV: TYK_GW_IGNOREENDPOINTCASE | Type: bool
Ignore the case of any endpoints for APIs managed by Tyk. Setting this to true will override any individual API and Ignore, Blacklist and Whitelist plugin endpoint settings.
ignore_canonical_mime_header_key
ENV: TYK_GW_IGNORECANONICALMIMEHEADERKEY | Type: bool
When enabled, Tyk ignores the canonical format of the MIME header keys. For example, when a request header with a "my-header" key is injected using "global_headers", the upstream would typically get it as "My-Header". When this flag is enabled it will be sent as "my-header" instead. Current support is limited to JavaScript plugins, global header injection, virtual endpoint and JQ transform header rewrites. This functionality doesn't affect headers that are sent by the HTTP client, and the default formatting will apply in this case. For technical details refer to the CanonicalMIMEHeaderKey functionality in the Go documentation.
log_level
ENV: TYK_GW_LOGLEVEL | Type: string
You can set a logging level (log_level). The following levels can be set: debug, info, warn, error. If not set or left empty, it will default to info.
log_format
ENV: TYK_GW_LOGFORMAT | Type: string
You can configure the log format to be either the standard or json format. If not set or left empty, it will default to standard.
access_logs
AccessLogs configures the output for access logs. If not configured, the access log is disabled.
access_logs.enabled
ENV: TYK_GW_ACCESSLOGS_ENABLED | Type: bool
Enabled controls the generation of access logs by the Gateway. Default: false.
access_logs.template
ENV: TYK_GW_ACCESSLOGS_TEMPLATE | Type: []string
Template configures which fields to include in the access log. If no template is configured, all available fields will be logged. Example: ["client_ip", "path"]. Template options:
- api_key: will include the obfuscated or hashed key.
- client_ip: will include the IP of the request.
- host: will include the host of the request.
- method: will include the request method.
- path: will include the path of the request.
- protocol: will include the protocol of the request.
- remote_addr: will include the remote address of the request.
- upstream_addr: will include the upstream address (scheme, host and path).
- upstream_latency: will include the upstream latency of the request.
- latency_total: will include the total latency of the request.
- user_agent: will include the user agent of the request.
- status: will include the response status code.
tracing
Section for configuring OpenTracing support. Deprecated: use OpenTelemetry instead.
tracing.name
ENV: TYK_GW_TRACER_NAME | Type: string
The name of the tracer to initialize. For instance, appdash to use the appdash tracer.
tracing.enabled
ENV: TYK_GW_TRACER_ENABLED | Type: bool
Enable tracing.
tracing.options
ENV: TYK_GW_TRACER_OPTIONS | Type: map[string]interface{}
Tracing configuration. Refer to the Tracing Docs for the full list of options.
opentelemetry
Section for configuring OpenTelemetry.
opentelemetry.enabled
ENV: TYK_GW_OPENTELEMETRY_ENABLED | Type: bool
A flag that can be used to enable or disable the trace exporter.
opentelemetry.exporter
ENV: TYK_GW_OPENTELEMETRY_EXPORTER | Type: string
The type of exporter used to send data over the OTLP protocol. This should be set to the same type as the OpenTelemetry collector. Valid values are "grpc" or "http". Defaults to "grpc".
opentelemetry.endpoint
ENV: TYK_GW_OPENTELEMETRY_ENDPOINT | Type: string
OpenTelemetry collector endpoint to connect to. Defaults to "localhost:4317".
opentelemetry.headers
ENV: TYK_GW_OPENTELEMETRY_HEADERS | Type: map[string]string
A map of headers that will be sent with HTTP requests to the collector.
opentelemetry.connection_timeout
ENV: TYK_GW_OPENTELEMETRY_CONNECTIONTIMEOUT | Type: int
Timeout for establishing a connection to the collector. Defaults to 1 second.
opentelemetry.resource_name
ENV: TYK_GW_OPENTELEMETRY_RESOURCENAME | Type: string
Name of the resource that will be used to identify the resource. Defaults to "tyk".
opentelemetry.span_processor_type
ENV: TYK_GW_OPENTELEMETRY_SPANPROCESSORTYPE | Type: string
Type of the span processor to use. Valid values are "simple" or "batch". Defaults to "batch".
opentelemetry.context_propagation
ENV: TYK_GW_OPENTELEMETRY_CONTEXTPROPAGATION | Type: string
Type of the context propagator to use. Valid values are:
- "tracecontext": a propagator that supports the W3C Trace Context format (https://www.w3.org/TR/trace-context/).
- "b3": a propagator that serializes SpanContext to/from the B3 multi-header format.
Defaults to "tracecontext".
opentelemetry.tls
TLS configuration for the exporter.
opentelemetry.tls.enable
ENV: TYK_GW_OPENTELEMETRY_TLS_ENABLE | Type: bool
Flag that can be used to enable TLS. Defaults to false (disabled).
opentelemetry.tls.insecure_skip_verify
ENV: TYK_GW_OPENTELEMETRY_TLS_INSECURESKIPVERIFY | Type: bool
Flag that can be used to skip TLS verification if TLS is enabled. Defaults to false.
opentelemetry.tls.ca_file
ENV: TYK_GW_OPENTELEMETRY_TLS_CAFILE | Type: string
Path to the CA file.
opentelemetry.tls.cert_file
ENV: TYK_GW_OPENTELEMETRY_TLS_CERTFILE | Type: string
Path to the cert file.
opentelemetry.tls.key_file
ENV: TYK_GW_OPENTELEMETRY_TLS_KEYFILE | Type: string
Path to the key file.
opentelemetry.tls.max_version
ENV: TYK_GW_OPENTELEMETRY_TLS_MAXVERSION | Type: string
Maximum TLS version that is supported. Options: ["1.0", "1.1", "1.2", "1.3"]. Defaults to "1.3".
opentelemetry.tls.min_version
ENV: TYK_GW_OPENTELEMETRY_TLS_MINVERSION | Type: string
Minimum TLS version that is supported. Options: ["1.0", "1.1", "1.2", "1.3"]. Defaults to "1.2".
opentelemetry.sampling
Defines the configuration to use in the sampler.
opentelemetry.sampling.type
ENV: TYK_GW_OPENTELEMETRY_SAMPLING_TYPE | Type: string
Refers to the policy used by OpenTelemetry to determine whether a particular trace should be sampled or not. It is determined at the start of a trace and the decision is propagated down the trace. Valid values are: AlwaysOn, AlwaysOff and TraceIDRatioBased. It defaults to AlwaysOn.
opentelemetry.sampling.rate
ENV: TYK_GW_OPENTELEMETRY_SAMPLING_RATE | Type: float64
Parameter for the TraceIDRatioBased sampler type; represents the percentage of traces to be sampled. The value should fall between 0.0 (0%) and 1.0 (100%). For instance, if the sampling rate is set to 0.5, the sampler will aim to sample approximately 50% of the traces. By default, it is set to 0.5.
opentelemetry.sampling.parent_based
ENV: TYK_GW_OPENTELEMETRY_SAMPLING_PARENTBASED | Type: bool
Rule that ensures that if we decide to record data for a particular operation, we will also record data for all the subsequent work that operation causes (its "child spans"). This approach helps in keeping the entire story of a transaction together. Typically, ParentBased is used in conjunction with TraceIDRatioBased. Using it with AlwaysOn or AlwaysOff might not be as effective since, in those cases, you are either recording everything or nothing, and there are no intermediary decisions to consider. The default value for this option is false.
newrelic.app_name
ENV: TYK_GW_NEWRELIC_APPNAME | Type: string
New Relic application name.
newrelic.license_key
ENV: TYK_GW_NEWRELIC_LICENSEKEY | Type: string
New Relic license key.
newrelic.enable_distributed_tracing
ENV: TYK_GW_NEWRELIC_ENABLEDISTRIBUTEDTRACING | Type: bool
Enable distributed tracing.
enable_http_profiler
ENV: TYK_GW_HTTPPROFILE | Type: bool
Enable debugging of your Tyk Gateway by exposing profiling information (see https://tyk.io/docs/api-management/troubleshooting-debugging).
use_redis_log
ENV: TYK_GW_USEREDISLOG | Type: bool
Enables the real-time Gateway log view in the Dashboard.
use_sentry
ENV: TYK_GW_USESENTRY | Type: bool
Enable Sentry logging.
sentry_code
ENV: TYK_GW_SENTRYCODE | Type: string
Sentry API code.
sentry_log_level
ENV: TYK_GW_SENTRYLOGLEVEL | Type: string
Log verbosity for Sentry logging.
use_syslog
ENV: TYK_GW_USESYSLOG | Type: bool
Enable Syslog log output.
syslog_transport
ENV: TYK_GW_SYSLOGTRANSPORT | Type: string
Syslog transport to use. Values: tcp or udp.
syslog_network_addr
ENV: TYK_GW_SYSLOGNETWORKADDR | Type: string
Syslog server address.
use_graylog
ENV: TYK_GW_USEGRAYLOG | Type: bool
Use Graylog log output.
graylog_network_addr
ENV: TYK_GW_GRAYLOGNETWORKADDR | Type: string
Graylog server address.
use_logstash
ENV: TYK_GW_USELOGSTASH | Type: bool
Use Logstash log output.
logstash_transport
ENV: TYK_GW_LOGSTASHTRANSPORT | Type: string
Logstash network transport. Values: tcp or udp.
logstash_network_addr
ENV: TYK_GW_LOGSTASHNETWORKADDR | Type: string
Logstash server address.
track_404_logs
ENV: TYK_GW_TRACK404LOGS | Type: bool
Show 404 HTTP errors in your Gateway application logs.
statsd_connection_string
ENV: TYK_GW_STATSDCONNECTIONSTRING | Type: string
Address of the StatsD server. If set, enables StatsD monitoring.
statsd_prefix
ENV: TYK_GW_STATSDPREFIX | Type: string
StatsD prefix.
event_handlers
ENV: TYK_GW_EVENTHANDLERS | Type: apidef.EventHandlerMetaConfig
Event system.
hide_generator_header
ENV: TYK_GW_HIDEGENERATORHEADER | Type: bool
HideGeneratorHeader will mask the 'X-Generator' and 'X-Mascot-…' headers, if set to true.
force_global_session_lifetime
ENV: TYK_GW_FORCEGLOBALSESSIONLIFETIME | Type: bool
Enable global API token expiration. Can be needed if all your APIs use JWT or OAuth 2.0 auth methods with dynamically generated keys.
session_lifetime_respects_key_expiration
ENV: TYK_GW_SESSIONLIFETIMERESPECTSKEYEXPIRATION | Type: bool
SessionLifetimeRespectsKeyExpiration respects the key expiration time when the session lifetime is less than the key expiration. That is, Redis waits for the key expiration before physical removal.
global_session_lifetime
ENV: TYK_GW_GLOBALSESSIONLIFETIME | Type: int64
Global session lifetime, in seconds.
kv.KV
ENV: TYK_GW_KV_KV | Type: struct
See more details: https://tyk.io/docs/tyk-self-managed/#store-configuration-with-key-value-store
kv.consul.address
ENV: TYK_GW_KV_CONSUL_ADDRESSType:
stringAddress is the address of the Consul server
kv.consul.scheme
ENV: TYK_GW_KV_CONSUL_SCHEMEType:
stringScheme is the URI scheme for the Consul server
kv.consul.datacenter
ENV: TYK_GW_KV_CONSUL_DATACENTERType:
stringThe datacenter to use. If not provided, the default agent datacenter is used.
kv.consul.http_auth.username
ENV: TYK_GW_KV_CONSUL_HTTPAUTH_USERNAMEType:
stringUsername to use for HTTP Basic Authentication
kv.consul.http_auth.password
ENV: TYK_GW_KV_CONSUL_HTTPAUTH_PASSWORDType:
stringPassword to use for HTTP Basic Authentication
kv.consul.tls_config.address
ENV: TYK_GW_KV_CONSUL_TLSCONFIG_ADDRESSType:
stringAddress
kv.consul.tls_config.ca_file
ENV: TYK_GW_KV_CONSUL_TLSCONFIG_CAFILEType:
stringCA file
kv.consul.tls_config.ca_path
ENV: TYK_GW_KV_CONSUL_TLSCONFIG_CAPATHType:
stringCA Path
kv.consul.tls_config.cert_file
ENV: TYK_GW_KV_CONSUL_TLSCONFIG_CERTFILEType:
stringCert file
kv.consul.tls_config.key_file
ENV: TYK_GW_KV_CONSUL_TLSCONFIG_KEYFILEType:
stringKey file
kv.consul.tls_config.insecure_skip_verify
ENV: TYK_GW_KV_CONSUL_TLSCONFIG_INSECURESKIPVERIFYType:
boolDisable TLS validation
kv.vault.token
ENV: TYK_GW_KV_VAULT_TOKENType:
stringToken is the vault root token
kv.vault.kv_version
ENV: TYK_GW_KV_VAULT_KVVERSIONType:
intKVVersion is the version number of Vault. Usually defaults to 2
secrets
ENV: TYK_GW_SECRETSType:
map[string]stringSecrets configures a list of key/value pairs for the gateway. When configuring it via environment variable, the expected value is a comma separated list of key-value pairs delimited with a colon. Example:
TYK_GW_SECRETS=key1:value1,key2:/value2
Produces: {"key1": "value1", "key2": "/value2"}
The secret value may be used as secrets://key1 from the API definition.
In versions before gateway 5.3, only listen_path and target_url fields
have had the secrets replaced.
See more details https://tyk.io/docs/tyk-self-managed/#how-to-access-the-externally-stored-data
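The TYK_GW_SECRETS format and the secrets:// reference described above, as an added example that is not Tyk's own code: a parser for the comma separated key:value list and a resolver for secrets:// references in an API definition field. It assumes (the page does not say) that a value is everything after the first colon, so a URL value with a port survives the split.

```go
package main

import (
	"fmt"
	"strings"
)

// ParseSecretsEnv parses a TYK_GW_SECRETS value (comma separated key:value pairs). Assumption, not
// confirmed by the page: the value is everything after the FIRST colon, so URL values keep theirs.
func ParseSecretsEnv(raw string) (map[string]string, error) {
	out := make(map[string]string)
	for _, pair := range strings.Split(raw, ",") {
		pair = strings.TrimSpace(pair)
		if pair == "" {
			continue // tolerate an empty element such as a trailing comma
		}
		k, v, found := strings.Cut(pair, ":")
		if !found || k == "" {
			return nil, fmt.Errorf("malformed secrets pair %q: expected key:value", pair)
		}
		out[k] = v
	}
	return out, nil
}

// ResolveSecretRef substitutes a "secrets://<key>" reference in an API definition field. Plain
// values pass through; an unknown key is an error so the literal reference never reaches an upstream.
func ResolveSecretRef(secrets map[string]string, field string) (string, error) {
	const prefix = "secrets://"
	if !strings.HasPrefix(field, prefix) {
		return field, nil
	}
	key := strings.TrimPrefix(field, prefix)
	v, ok := secrets[key]
	if !ok {
		return "", fmt.Errorf("secret %q referenced but not configured", key)
	}
	return v, nil
}

func main() {
	// Constructed sample: the page's own example plus a URL value containing a port.
	secrets, err := ParseSecretsEnv("key1:value1,key2:/value2,upstream:https://api.internal:8443")
	if err != nil {
		panic(err)
	}
	target, _ := ResolveSecretRef(secrets, "secrets://upstream")
	fmt.Println(secrets, target)
}
```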
override_messages
Override the default error code and/or message returned by middleware. The following message IDs can be used to override the message and error codes:
AuthToken message IDs: auth.auth_field_missing, auth.key_not_found
oauth.auth_field_missing, oauth.auth_field_malformed, oauth.key_not_found, oauth.client_deleted
cloud
ENV: TYK_GW_CLOUD
Type: bool
Cloud flag indicates that the Gateway runs in Tyk Cloud.
jwt_ssl_insecure_skip_verify
ENV: TYK_GW_JWTSSLINSECURESKIPVERIFY
Type: bool
Skip TLS verification when fetching the JWKS URL used for JWT validation.
resource_sync
ResourceSync configures the mitigation strategy in case a resource sync fails.
resource_sync.retry_attempts
ENV: TYK_GW_RESOURCESYNC_RETRYATTEMPTS
Type: int
RetryAttempts defines the number of retries that the Gateway should perform during a resource sync (APIs or policies). Defaults to zero, which means no retries are attempted.
resource_sync.interval
ENV: TYK_GW_RESOURCESYNC_INTERVAL
Type: int
Interval configures the interval in seconds between each retry on a resource sync error.
oas_config
OAS holds the configuration for various OpenAPI-specific functionalities.
oas_config.validate_examples
ENV: TYK_GW_OAS_VALIDATEEXAMPLES
Type: bool
ValidateExamples enables validation of values provided in example and examples fields against the declared schemas in the OpenAPI Document. Defaults to false.
oas_config.validate_schema_defaults
ENV: TYK_GW_OAS_VALIDATESCHEMADEFAULTS
Type: bool
ValidateSchemaDefaults enables validation of values provided in default fields against the declared schemas in the OpenAPI Document. Defaults to false.
streaming
Streaming holds the configuration for Tyk Streaming functionalities.
streaming.enabled
ENV: TYK_GW_STREAMING_ENABLED
Type: bool
This flag enables the Tyk Streaming feature.
streaming.allow_unsafe
ENV: TYK_GW_STREAMING_ALLOWUNSAFE
Type: []string
AllowUnsafe specifies a list of potentially unsafe streaming components that should be allowed in the configuration. By default, components that could pose security risks (such as file access, subprocess execution and socket operations) are filtered out. This field lets administrators explicitly permit specific unsafe components when needed. Use with caution: enabling unsafe components may introduce security vulnerabilities.