Authentication Token less than 4 characters


We have an API Key associated with a API Definition by the Keys Access Control list, and Authentication by token turned on.

We can access this API with the Key as expected. HOWEVER, we can also access this API using any Authorization value that has 3 characters or less.

Obviously this is a concern. Including API Def
See the Authorization Header?

The same request with 4 charactors

Here is the Auth section of API dev

"use_keyless": false,
"use_oauth2": false,
"oauth_meta": {
  "allowed_access_types": [],
  "allowed_authorize_types": [],
  "auth_login_redirect": ""
"auth": {
  "auth_header_name": "Authorization",
  "param_name": "",
  "cookie_name": "",
  "use_param": false,
  "use_cookie": false

Any help or guidance here?

Hi, thanks for reporting this, which gateway version are you using?

We are using 2.3.5 and have 2.6.0 in some environments. We are seeing this in both.

If it helps, we are in configured in Hashed Key mode

Hi matt,

Thank you for raising the issue - we believe this is down to our hashing algorithm and we actively working to fix it.

There are a few mitigating factors worth considering:

  1. This does not affect our cloud our hybrid environment
  2. This does not affect environments that are not using key hashing
  3. We believe it only affects environments that are sparsely populated - I.e have few keys issued

For new installations: the workaround is to disable key hashing in the Tyk.conf

Alternatively - generating several dummy keys (doing so with a separate organisation would be better) should also suffice.

We’ll post more information here as we investigate.

Kind regards,

Hi Matt

Quick update for you that a fix for the 3 character key bug was pushed today with further enhancements and refinements to our key auth system coming in upcoming releases. Please see our release notes here: Gateway 2.6.2, Dashboard 1.6.2, Pump 0.5.3, MDCB 1.5.4 for more details.