API endpoint whitelisting

We have setup an API with whitelisting enabled, by adding a few endpoints to the whitelist such as /api/v1.0/ibase-manager/ and /api/v1.0/user-manager/token. However, they both return request forbidden when we try it with a REST client. However, I see that both the above endpoints work when I add /api/v1.0/user-manager and /api/v1.0/ibase-manager/ to the endpoint designer and whitelist them as well. Can you please explain why this is and how I can only allow the first two endpoints?

Hi Akhilesh,

It sounds like there might be an issue with the regex you used to set up the whitelist. Are you able to provide that regex, so that we can take a look?

Kind regards,
Jess @ Tyk

We have multiple endpoints, relative to the base target URL, which we have added to the whitelist as seperate endpoints, whitelisting each one. They are the of the form -


… and so on. We have added each of these as a separate endpoint and whitelisted them individually. Is this not a correc t way to do it?

This is the correct way to do it, but you need to remember that a white list is exclusive, only things that are in the list are allowed. It’s odd that only a few work, since the match is very strict, you might want to make use of wildcards:


This would also catch 301’s etc where a request is redirected because of a slash.

Might be worth a try…

In the interest of time, can you please tell me how I can add the following endpoints to the whitelist to allow strict access to only these endpoints. We have urgent production obligations to fulfill, I will explore more on this in the next few days to understand how it works.

I had initially added them individually, but found that few of them didn’t work.
Endpoints -

Thanks in advance.

Hi Akhilesh,

Have you tried something like the following?:


Kind regards,
Jess @ Tyk

This might not work, the regexes wouldn;t be picked up, you need to use tyk wildcards in the endpoint designer, I’d also (just in case) put them in length order, though the editor should do tht for you on save:


Note that the wildcards {a} will allow anything that is at the end of these endpoints through too, so for example /api/v1.0/user-manager/token/foo. If you don;t want this and just want an exact match, remove the widcard ({a}).

To provide some closure on this. We had set the contractItems, ibaseProducts endpoints as is, with the uppercase letters in them and I assume Tyk didn’t allow them because it is strict matching and the browser sends the request with the lowercase path.

I changed them to full lowercase, now the 6 endpoints in the endpoint designer are allowing strict access to the endpoints.

Thanks Martin and Jess for your inputs on this.

1 Like

That’s great news! We’ll need to make that a lot clearer in the docs.