Create Organisations, Users, Api Definitions, Key

Hello,
I would like to know when using your api for creating the following objects:

  • Organisations
  • Api definitions
  • Keys
  • Users

If we can pass some kind of validation on request for preventing duplicates? Instead of going first to the server validating if some object already exists and reporting back. I would like to prevent the double roundtrip.

Thanks

Hi Carlos,

Iā€™m afraid not, youā€™ll need to manage that yourself. There is some limited validation in place for users, and API definitions have programatically generated API IDs (unless you are fixing them). Keys, unless being added are generated as well so they should always be unique.

If you are using the gateway API and are adding a key, then adding a duplicate will just overwrite the existing one.

Ah ok ,

Another question about creation API definitions, keys, and users.

For forming the http request to the rest api for this objects I need an Authorization header.

Can you please tell me where can i get this id? I see in google chrome that you are passing a guid for this but i canā€™t understand where does it come from.

Thanks

For the advanced API youā€™ll find that with your username in the dashboard, just visit your user (or create a new one for the client) and there will be an API key area under the user details.

For th admin API (org creation) you will need to use the secret that is stored in your Tyk analytics conf file.

Hope that helps!

M.

Iā€™m sorry but i donā€™t understand.

My workflow is as follows:
Create organization (use admin-auth header)
Create API Definition(using authorization header and having error because donā€™t know where can i read it from because i donā€™t have yet a user)
Create Key(using authorization header and having error because donā€™t know where can i read it from because i donā€™t have yet a user)
Create User(using authorization header and having error because donā€™t know where can i read it from because i donā€™t have yet a user)

Hi Carlos,

You should:

  • Create organisation (admin auth)
  • Store org id
  • Create dashboard user (with admin auth) that is bound to org id, this returns your API key
  • Compete rest of flow

A ā€œUserā€ here is a dashboard user - in this case think of it like a slack bot.

If you mean you want to create a portal developer thatā€™s different. Youā€™ll still need a dashboard user to perform actions as.

Take a look at the setup script we use to bootstrap the docker QuickStart - it does it all with the API, the only things missing are key and API creation :slight_smile:

https://github.com/lonelycode/tyk_quickstart/blob/master/setup.sh

Hope thatā€™s clearer.

M.

Hello Martin,

I still having issues with my workflow. I can successfully create Organisations and User using Admin API but then when triyng to create API Definition it says to me that authorization is missing. Iā€™m passing , like you said, the API Dashboard Access Key calculate from response.acess_key. What Iā€™m doing wrong? By the way it will be the same problem for Key Creation. Can you please send a successful requests that so i can proceed?

Thanks.

For API creation what header name are you using for auth? They are different for admin and advanced API

Iā€™m using like so:

var headers = options.token ?
{ā€˜admin-authā€™: options.token} :
{ā€˜authorizationā€™: options.authorization};

Admin API;
admin-auth:12345

Advanced API:
authorization:97596c2cb8664200656c19813de3d28d

Hereā€™s an API creation request (lifted from docs) - just ran this with Postman against my local box:


Request URL:http://domain.com:3000/api/apis
Request Method:POST

Accept:*/*
Accept-Encoding:gzip, deflate
Accept-Language:en-GB,en;q=0.8,en-US;q=0.6,de;q=0.4,es;q=0.2
Authorization:822f2b1c75dc4a4a522944caa757976a
Cache-Control:no-cache
Connection:keep-alive
Content-Length:3355
Content-Type:text/plain;charset=UTF-8
Host:domain.com:3000
Origin:chrome-extension://fdmmgilgnpjigdojojpjoooidkmcomcm
Pragma:no-cache


{
    "api_definition": {
        "name": "Test API 2",
        "auth": {
            "auth_header_name": "authorization"
        },
        "definition": {
            "location": "header",
            "key": ""
        },
        "proxy": {
            "target_url": "http://httpbin.org/"
        },
        "version_data": {
            "use_extended_paths": true,
            "not_versioned": true,
            "versions": {
                "Default": {
                    "expires": "",
                    "name": "Default",
                    "paths": {
                        "ignored": [],
                        "white_list": [],
                        "black_list": []
                    },
                    "extended_paths": {
                        "ignored": [
                            {
                                "path": "/test-path/",
                                "method_actions": {
                                    "GET": {
                                        "action": "no_action",
                                        "code": 200,
                                        "data": "",
                                        "headers": {}
                                    }
                                }
                            },
                            {
                                "path": "/test-path/reply",
                                "method_actions": {
                                    "GET": {
                                        "action": "reply",
                                        "code": 200,
                                        "data": "{\"foo\": \"bar\"}",
                                        "headers": {
                                            "x-test": "test"
                                        }
                                    }
                                }
                            }
                        ],
                        "white_list": [],
                        "black_list": []
                    },
                    "use_extended_paths": true
                }
            }
        },
        "use_oauth2": false,
        "oauth_meta": {
            "auth_login_redirect": "",
            "allowed_access_types": [],
            "allowed_authorize_types": [
                "token"
            ]
        },
        "notifications": {
            "shared_secret": "",
            "oauth_on_keychange_url": ""
        },
        "enable_ip_whitelisting": true,
        "allowed_ips": [
            "127.0.0.1"
        ],
        "use_keyless": false,
        "enable_signature_checking": false,
        "use_basic_auth": false,
        "active": true,
        "enable_batch_request_support": true
    },
    "hook_references": [
        {
            "event_name": "QuotaExceeded",
            "hook": {
                "api_model": {},
                "id": "54be6c0beba6db07a6000002",
                "org_id": "54b53d3aeba6db5c35000002",
                "name": "Test Post",
                "method": "POST",
                "target_path": "http://httpbin.org/post",
                "template_path": "",
                "header_map": {
                    "x-tyk-test": "123456"
                },
                "event_timeout": 0
            },
            "event_timeout": 60
        }
    ]
}

Response was:

{
    "Status": "OK",
    "Message": "API created",
    "Meta": "56a1076130c55e6c66000006"
}

Itā€™s working :slightly_smiling:

But for the creating an API Key it gives a different errorā€¦

User does not have permission to add API to key Access Rights ā€¦

Does the user belong to the same org as the API?

Hello Martin,

Yes I have the correspondent org and user and api on the same group. So to that I log in to dashboard and I see the correspondent objects. What it strange is that if analyse your request and responses on google chrome all works but when I simulate the same behavior on my code it doesnā€™t work. At the moment is giving me Failed to save new session object to Tyk: Could not create key for this API ID, API doesnā€™t exist. Another error happened to me already when i use a test script on packgage.json when starting my docker container complaining that the tyk object is not defined. And to resolve this issue i have to update the API and try to generate the new key. Furthermore I have also developed the same update to the api definition but with no success.

What can I be missing?

Ah! Ok, so when you create a key with the Advanced API, what happens is:

CREATE key request -> [Advanced API] Gateway Wrapper -> [Tyk Gateway API] CREATE Key

Basically the dashboard validates the request and then instructs the gateway to generate the token, the dashboard (advanced API) doesnā€™t generate the token directly.

So, if you create an API in the dashboard, it will save it, and signal to Tyk Gateway to load the API (hot reload).

Tyk gateway has a timed load for these signals so they batch if lots of updates happen at the same time (to prevent constant, or back-to-back reloads). If your CREATE command is happening too quickly, the API will not exist on the gateway yet, and therefore the key cannot be created since it is attached to an API that the gateway wonā€™t recognise, and so the request fails up the chain.

The trick is to wait for the API to be loaded in Tyk (say 5 secs or so) before creating keys. You can see the reload live if you tail the logs on save an API definition to get the timing.

Hello Martin,

I tried to await before calling the api (/api/keys) creating method. I tried with a 50 seconds timeout and I could not make it work. It gives the sames error. :frowning:

Ok, weā€™ll need to debug your setup then:

  1. Is your API Gateway hot reloading when you create an API (there will be a status message, a pause, then the reload output with all the APIs that are loading)
  • Can you create a key manually in the dashboard? Or do you get the same error message?

Thanks,
Martin

Yes itā€™s reloading.
And yes i can on dashboard create keys successfully. In the browser manually creating the time i have between api creation and dashboard is significant that the tyk reloads the api. The problem is when i use my api. Currently i can make a first request and create api but next ones are failing. :frowning:

We need to go deeper, can you share your request bodies?

Hello Martin,

Sorry the late response, :frowning:

My requests I can only share small details . Concretely what you need to know?

To debug this we canā€™t help if its blind, and I donā€™t know what Iā€™m looking for, but your client is doing something fundamentally wrong:

  • The API that you are using is the same API that is used by the dashboard (literally, the GUI is an Advanced API web client, it does nothing special or privileged)
  • If the command is possible with the dashboard then the problem isnā€™t your configuration, isnā€™t your architecture and isnā€™t not something wrong with your API configuration.

Can you at least share your log output when the requests run (with error) for the dashboard and for the gateway?

Beyond that, I canā€™t help debug if I donā€™t know what is being sent.

Also, I have no idea what this is:

We donā€™t use a package.json, so Iā€™m not sure how your docker container is set up, are you using our containers or something proprietary (are you talking about packagecloud.io)?

Thanks,
Martin