2.3 Chained Auth Mech Questions


I have a question about the Chained Auth allowed in the API for 2.3.

Is this an “AND” or an “OR” setup?

The way I read it right now it’s an AND, meaning you would need JWT and AuthToken. I’m actually looking for an “OR” solution, to accept APIToken keys or a JWT for the same API.

It looks like with 2.3 I can do it on my own with a CustomKeyCheck plugin if necessary, but I’m just looking to see what’s supported out of the box.


It’s AND; they run consecutively (and can interfere with one another).

We may in future add a setting to have it so that any one of the auth MW can authenticate the user.

I had the same question when reading https://tyk.io/docs/security/your-apis/multiple-auth/

Especially the term “chained” indicates that all auth middlewares have to pass. However, it’s still not 100% clear, especially when what you need is the exact opposite.

I wonder how to publish an API in a way that users can either use a token or a JWT (from OpenID Connect) for authentication.

They are all required to pass.
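A small model of the chain described in this thread, added here as an example and not Tyk's own code: an API-key middleware and an HS256 JWT middleware run consecutively, `mode="and"` reproduces the 2.3 behaviour (one failure rejects the request, and `base_identity` picks which session downstream rate limits and policies see), while `mode="or"` models the first-success behaviour the asker wanted. The key store, secret, header names and claim layout are constructed for the example.

```python
import base64, hashlib, hmac, json, time

API_KEYS = {"key-abc123": {"owner": "team-orders"}}  # constructed key store
JWT_SECRET = b"constructed-demo-secret"  # constructed HS256 secret, not a real key

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_jwt(claims: dict) -> str:
    """Mint an HS256 token with the demo secret, to construct sample requests."""
    enc = lambda raw: base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    head = enc(b'{"alg":"HS256","typ":"JWT"}')
    body = enc(json.dumps(claims).encode())
    sig = hmac.new(JWT_SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{enc(sig)}"

def check_api_key(headers: dict):
    """Auth-token middleware: the presented key must exist in the key store."""
    key = headers.get("X-Api-Key")
    if key not in API_KEYS:
        return None
    return {"identity": key, "source": "auth_token", **API_KEYS[key]}

def check_jwt(headers: dict):
    """JWT middleware: HS256 signature must verify and exp must be in the future."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    try:
        head, body, sig = token.split(".")
        want = hmac.new(JWT_SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
        ok = scheme == "Bearer" and hmac.compare_digest(want, _unb64url(sig))
        claims = json.loads(_unb64url(body)) if ok else {}
    except (ValueError, UnicodeDecodeError):
        return None  # malformed token, bad base64 or bad JSON
    if not ok or not isinstance(claims, dict) or claims.get("exp", 0) <= time.time():
        return None
    return {"identity": claims.get("sub"), "source": "jwt_claim", **claims}

def authenticate(headers: dict, chain, mode="and", base_identity="auth_token"):
    """Run the chain in order. 'and' (2.3 behaviour): every middleware must pass and
    the session whose source is base_identity is used downstream. 'or': first success wins."""
    chosen = None
    for middleware in chain:
        session = middleware(headers)
        if mode == "or" and session is not None:
            return session  # first middleware to accept the request wins
        if mode == "and" and session is None:
            return None  # one failing middleware fails the whole chain
        if session is not None and (chosen is None or session["source"] == base_identity):
            chosen = session
    return chosen
```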