I noticed recently that there was some inconsistency with adding JWT keys to an API.
Here are the steps to reproduce (I have not been able to reproduce this consistently):
Create the key in Tyk and assign to desired API.
Used a valid JWT based off the Tyk key to hit an established route on the API.
Received a 403 “Key not authorized” error
Tried to proxy through a different API that was not assigned to the key, and it worked.
Also, the UI (key editing tab) does not accurately reflect the data - it says the key is associated to an API that it is not actually associated to; however, this is the API that I wanted it to be associated to when I created the key. To ensure that this was not a caching issue, I restarted both the gateway and the dashboard, but the UI still displayed the wrong API for the key.
I’m using the 0.9.7.2 version of the dashboard and a build of the gateway based off 8994e8578c20672d75fa785beadae3f9842acc6d.
Let me know if there’s anymore information I need to provide. In practice, I don’t think this bug will affect us, as we’ll be adding all of our APIs to a key, but FYI.
One more thing: I checked the Redis database, and the API key is indeed associated to the right API; however, I cannot use it to access established routes on this API - only on another API that I did not associate to this key.
The API ID param sets the back end to use, it is not a filter. That is expected behaviour (it’s odd I know, but Tyk has the capability to have a different storage back end for auth and session on a per API basis, which means we need to kneel which backend to query)