[CORS] Tyk gateway return double Access-Control-Allow-Access header


I am integrating our webapp and APIs with Tyk. So far API part is good, I can request api through gateway and get response using curl or postman. But I encountered CORS issue when integrating with webapp because webapp sends ajax calls to Tyk api gateway. I enabled “Enable CORS” and set allowed origins to “*” then there are two cases:

  1. If I opt out “Options pass through”, the response from gateway does not include “Access-Control-Allow-Access” header → the ajax call is failed as no origin allowed

  2. If I opt in “Options pass through”, the response from gateway contains two “Access-Control-Allow-Access” headers → the ajax call is failed too. This is browser console log
    “The ‘Access-Control-Allow-Origin’ header contains multiple values ‘http://localhost:8080, http://localhost:8080’, but only one is allowed. Origin ‘http://localhost:8080’ is therefore not allowed access.”
    And two headers in response

Whether my api set ‘Access-Control-Allow-Origin’ header or not (I tested different versions), I get the same result as described.

Can anyone help to tell me how to solve this issue?



It looks like problem could be that you have enabled CORS within Tyk, but your upstream is also returning its own CORS headers.

If you enable CORS within Tyk, then you need to tell Tyk what origins are allowed. Your upstream should not return its own CORS headers because Tyk is responsible for this.

If you want your upstream to handle CORS, you need to enable options_passthrough, and disable enable_cors

Hi ahmet,

As said, I got the same cors error whether my upstream return its own CORS header or not (when both options are enabled)
But you’re right, it works when I enable options_passthrough, and disable enable_cors. That’s enough for me now.

Thanks for your help


Now I am facing another struggle with policy for jwt authentication. I have an API which requires jwt token in authorization header and this API have different levels of access. For some path patterns, user role can access while other path patterns require admin role. So I think of create 2 policies for different access level but only one policy name is allowed in API definition for “Policy Field Name”.
(If I list policies in this field, I cannot access API because policy does not match)

I dont know if there is any way to tell API to accept any policy in a policy list so I can use different jwt token with different access (defined by policy) to access my API or is Tyk supporting this?


So you would:

  1. Create two policies “user” and “admin”
  2. When JWT is created, inject the policy ID into the policy feld / claim of the JWT
  3. The gateway should pick that up and

Hi Martin,
Thanks for reply but it does not work

  1. I created two policies “user” and “admin”
    and API’s “Policy Field Name” is “admin”
  2. I injected policy Id to jwt token payload
    -> token with policy “admin” can access but token with policy “user” because it does not match API Policy Field Name (admin)

I was think it would be more flexible if API’s Policy Field Name can accept list of policies. For my case it would be “admin”, “user”. Can you consider to add that in next release?