Check Header in API request without validating it

I am trying to create an API where I expect that the headers should include X-API-Key, but I do not care about the value of X-API-Key because my backend service checks it, and if it is wrong the request will be rejected.
What I found out in TYK is that I can register an API which requires X-API-Key, but then I should also create a key in order to access my API.

curl -v -H "x-tyk-authorization: foo" \
  -s \
  -H "Content-Type: application/json" \
  -X POST \
  -d '{
    "name": "delivery-apikey",
    "api_id": "delivery-apikey",
    "org_id": "caruso-org-id-api-key",
    "definition": {
        "location": "header",
        "key": "version"
    },
    "auth": {
        "auth_header_name": "X-API-Key"
    },
    "use_keyless": false,
    "enable_context_vars": true,
    "version_data": {
        "not_versioned": true,
        "versions": {
            "Default": {
                "name": "Default",
                "global_headers": {
                    "X-API-Key": "$tyk_context.headers_X_Api_Key"
                }
            }
        }
    },
    "proxy": {
        "listen_path": "/delivery",
        "target_url": "http://localhost:32656/delivery",
        "strip_listen_path": true
    }
}' http://localhost:8080/tyk/apis | python3 -mjson.tool

curl localhost:8080/tyk/keys -X POST --header "x-tyk-authorization: foo" -d '
{
  "quota_max": 0,
  "rate": 3,
  "per": 10,
  "org_id": "org-id-api-key",
  "access_rights": {
      "delivery-apikey": {
          "api_name": "delivery-apikey",
          "api_id": "delivery-apikey",
          "versions": [
              "Default"
          ],
          "allowed_urls": [],
          "limit": null,
          "allowance_scope": ""
      }
  }
}'

curl -X POST http://localhost:8080/delivery/v1/get -H "X-Api-Key:org-id-api-key76ac7bcbb1c94e328bd42bfa051359ad" 

Is there a way to avoid key creation and just call my API with some random string just to bypass tyk-gateway?

curl -X POST http://localhost:8080/delivery/v1/get -H "X-Api-Key:some-not-registered-key-in-tyk"


Hi @Andrey22l and welcome to the community.

You could utilize our Advanced URL Rewrite feature to check for header values.

As for bypassing authentication, we have an ignore middleware that can do that. However, it also bypasses quota, rate limiting, and even endpoint transformations or configurations.

So the best option I can think of now would be to use a custom plugin.
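A presence-only header check of the kind the question asks for, as an added example that is not part of the original thread or Tyk's own code. It uses the `func(http.ResponseWriter, *http.Request)` shape of a Tyk Go plugin hook. The function name, the 128-character bound and the error body are assumptions, and wiring the hook into the API definition is not shown.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// maxKeyLen is a constructed bound (assumption); size it to the backend's key format.
const maxKeyLen = 128

// RequireAPIKeyHeader (hypothetical name) only checks that exactly one
// non-empty, bounded X-API-Key header is present. It does not authenticate
// the caller: the backend still has to validate the value.
func RequireAPIKeyHeader(rw http.ResponseWriter, r *http.Request) {
	vals := r.Header.Values("X-API-Key")
	if len(vals) != 1 || strings.TrimSpace(vals[0]) == "" || len(vals[0]) > maxKeyLen {
		rw.Header().Set("Content-Type", "application/json")
		rw.WriteHeader(http.StatusUnauthorized)
		fmt.Fprint(rw, `{"error":"a single, non-empty X-API-Key header is required"}`)
		return
	}
	// Nothing is written here, so the request carries on to the upstream.
}

// statusFor runs the hook on a constructed request and returns the status the
// hook wrote, or 0 when it wrote nothing and let the request through.
func statusFor(keys ...string) int {
	req := httptest.NewRequest(http.MethodPost, "/delivery/v1/get", nil)
	for _, k := range keys {
		req.Header.Add("X-API-Key", k)
	}
	rec := httptest.NewRecorder()
	RequireAPIKeyHeader(rec, req)
	if rec.Body.Len() == 0 {
		return 0
	}
	return rec.Code
}

func main() {
	// Constructed requests: unregistered key, no header, duplicated header.
	fmt.Println(statusFor("some-not-registered-key-in-tyk"), statusFor(), statusFor("a", "b"))
}
```

Rejecting duplicated and oversized headers at the gateway keeps ambiguous input away from the backend, which remains the only place the key's value is verified.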