Get Started With Tyk API Gateway

Katharina Sick
Geek Culture
Published in
6 min readJan 28, 2021
Photo by winui on shutterstock.com

Tyk offers various products to manage APIs and services. The heart of its product palette is its open-source API Gateway. It is completely developed in Go and can serve as a proxy for REST, GraphQL, and other services. This guide describes how to run the API Gateway with Docker.

What You’ll Need

  • Docker
  • A REST client — I’ll use HTTPie in my examples, but any client works

Run Tyk Gateway With Docker

To get Tyk Gateway up and running you need to run Redis and, of course, Tyk Gateway itself. Follow the below instructions to get everything working.

1. Configure a Network

$ docker network create tyk

2. Pull and Run Redis
I’m using Redis 5.0.10 instead of the latest version because this is the latest supported version according to the Tyk docs. Please note, that running Redis like this is not the preferred way for production environments. There Redis should be highly available and deployed as a cluster.

$ docker pull redis:5.0.10
$ docker run -itd --rm --name redis --network tyk -p 6379:6379 redis:5.0.10

3. Create Tyk Configuration

Create a new directory, which will hold your configuration and API definitions. Additionally, create a new file that contains the following JSON. I’d suggest tyk.conf as the name for this file. As we are using the Tyk API Gateway without any other (enterprise) products, this config is based on the tyk.standalone.conf in this repository. I removed some attributes, that isn’t important for now. The most important change I made is removing the secret as we will set this via an environment variable to not expose it in the configuration.

Most values are quite self-explanatory. Head over to Tyk’s documentation to learn more about them.

4. Pull and Run Tyk Gateway

Now it‘s time to run the API Gateway. Execute the below-printed commands to pull the Docker image for the API Gateway and to run it.

$ docker pull tykio/tyk-gateway:latest
$ docker run -d \
--name tyk_gateway \
--network tyk \
-p 8080:8080 \
-e TYK_GW_SECRET=[YOUR-SECRET] \
-v $(pwd)/tyk.conf:/opt/tyk-gateway/tyk.conf \
-v $(pwd)/apps:/opt/tyk-gateway/apps \
tykio/tyk-gateway:latest

Below the arguments of the run command is explained:

  • --name tyk_gateway: Sets the name of the container.
  • --network tyk: Connects the container to the network tyk.
  • -p 8080:8080: Exposes port 8080 of the container to port 8080 of your system.
  • -e TYK_GW_SECRET=[YOUR-SECRET]: Sets the environment variable that holds your secret.
  • -v $(pwd)/tyk.conf:/opt/tyk-gateway/tyk.conf: Bind mounts the configuration we created in the previous step to the configuration file inside the container.
  • -v $(pwd)/apps:/opt/tyk-gateway/apps: Bind mounts the app directory in our current folder to the directory opt/tyk-gateway/apps inside the container.

5. Verify Everything Is Set Up Correctly

To verify that the API Gateway is up and running, you can simply send a GET request to /hello. The answer should look similar to the below printed JSON.

Edit Tyk’s Configuration

Editing your configuration is quite easy. As we created a bind mount for the configuration, you can simply edit the configuration file we created earlier to make config changes.

NOTE: Vim doesn’t save a file directly, but creates a new file and copies it into place. Therefore the inode of the file is being changed and saving the file breaks the bind mount. To avoid this, you need to set set backupcopy=yes in vim. If you want to make this setting permanent, you need to add it to the file ~/.vimrc. If this file doesn’t exist, you can simply create it and vim will take notice of it.

Now all that’s left to do is reloading the API Gateway. This can be achieved with a GET call to /tyk/reload.

Add an API

Now, that the API Gateway is up and running, it’s time to add an API to it. You can either add an API by making a request to the REST API of the API Gateway or by adding the API definition to the folder /opt/tyk-gateway/apps, which we mounted to the ./apps directory earlier. I’ll use the second option in this guide, as I prefer to have configurable files. If you opt for the first possibility you can simply send a POST request to /tyk/apis that contains the API definition in its body. Please don’t forget to set the x-tyk-authorization header in this request.

We’ll add an API that is available at /httpbin and proxies requests to https://httpbin.org. The minimal configuration for this API can be found in the below Gist. Again, a description of all attributes can be found in Tyk’s documentation.

Navigate to the ./apps directory Docker created for you and create a new file httpbin.json that contains the above-shown JSON.

The last step, to add a new endpoint, is to reload the API Gateway with the following request.

$ http :8080/tyk/reload 'x-tyk-authorization:[YOUR-SECRET]'

That’s it. As you can see in the Gist below, requests to localhost:8080/httpbin are proxied to httpbin.org now.

Authentication With Tyk

There are several ways to implement authentication for APIs. Tyk supports the following methods to authenticate. Since Tyk version 2.3, it’s also possible to chain authentication middleware.

  • Basic Authentication
  • Bearer Token
  • HMAC Request Signing
  • JSON Web Token
  • OpenID Connect

Tyk also provides support for OAuth 2.0 and can even serve as a provider for authorization and access tokens.

As this guide aims to get you started with Tyk, this section doesn’t cover all authentication and authorization methods. To provide a rough understanding of how authentication works, Bearer Token and Basic Authentication are explained in the next subsections.

Bearer Token

Bearer Token authentication is the default way of securing APIs with Tyk. In the definition of the API we added earlier, we set the use_keyless attribute to true to expose the API without authentication. Below you can see an API definition, with Bearer Token authentication. It is very similar to the definition we used above. The values for name, listen_path, and id changed and use_keyless has been removed.

If you reload your API Gateway, requests to /httpbin are still working as before, because they belong to the previously created API. If you make a request to /httpbin/bearer the API Gateway will return 401 Unauthorized, with the error Authorization field missing. After setting the Authorization header to any value (we’ll issue a token in a second), the gateway will return 403 ForbiddenAccess to this API has been disallowed.

The API is ready now, therefore we need to issue a token to access it. To do so, we need to define a session object. Below a minimal definition is shown. It grants access to the API with ID 2 (the one we just created) in organization 1. With a session object like the one below, you can configure lots of things. Check out the official documentation to learn more about that.

Now send the session object with a POST request to /tyk/keys to issue an authentication token.

Your token is contained in the key field of the response. It needs to be sent in the Authorization header of all requests to /httpbin/bearer.

Basic Authentication

To configure Basic Authentication we will create a new API. The definition looks similar to the ones you already know, but name, id, and listen_path changed. The most important change is that the field use_basic_auth is added and set to true. This tells Tyk to secure this endpoint with Basic Auth instead of Bearer Tokens. You don’t need to configure anything else, as Tyk knows how to handle the Basic Auth standard.

After reloading the API Gateway, requests to httpbin/basic will fail if no or an invalid user is passed. To create a new user, we need to create a session token. You can see the configuration for this token in the snippet below. Again, the definition is very similar to the one we used to issue a Bearer Token. Of course name and id of the API changed, as we want to create a user for API 3 now. Further, the password of the user was added within basic_auth_data.

Now everything is ready to publish the user to the API Gateway with a POST request to /tyk/keys/[USERNAME]. The following snippet shows how to create a new user with the name a-user.

Now you can make requests with the newly created credentials.

Conclusion

Within this introduction, we covered how to get the Tyk API Gateway up and running with Docker and how to define basic APIs and simple authentication mechanisms.

That’s it. Thanks a lot for reading this article! I hope it helps you to get into the Tyk API Gateway.

--

--

Katharina Sick
Katharina Sick

Written by Katharina Sick

Creative and detail-oriented software developer. Advanced from mobile to backend development and now getting into full stack solutions.

No responses yet