Debugging "Access to this API has been disallowed" and "Attempted access to unauthorised API."

After attempting to set up Tyk CE for on-prem use, I’ve been struggling trying to register an API definition and generate API keys that will work for an incoming request. I have been bouncing around the Getting Started section for CE, as well as various pages and this community forum to try and determine what is not properly configured.

All I receive from the response of a failed request is a 403 with the following payload:

{
    "error": "Access to this API has been disallowed"
}

Within the logs, I see:

time="Feb 23 01:30:19" level=info msg="Attempted access to unauthorised API." api_found=false key="" origin=x.x.x.x path="/myservice/"

I don’t see any docs that help me to understand these log messages, specifically api_found=false.

I also turned on debug mode and found nothing additional other than the log line above to help me troubleshoot the configuration issue.

Would it be possible to allow debug messages to provide details on why a request wasn’t authorized, to help in the initial setup of a CE gateway?

For now, I’m likely going to try and stand up a single node gateway with the dashboard to see if I can have better success in seeing my first successful request routed to my service.

Thanks,
James

On the surface, it looks like you are using a key which does not have access to that API.

Below is an example api definition:

{
    "name": "Tyk Test API",
    "api_id": "my_api_id_1",
    "org_id": "default",
    "definition": {
        "location": "header",
        "key": "version"
    },
    "auth": {
        "auth_header_name": "authorization"
    },
    "version_data": {
        "not_versioned": true,
        "versions": {
            "Default": {
                "name": "Default",
                "expires": "3000-01-02 15:04",
                "use_extended_paths": true,
                "extended_paths": {
                    "ignored": [],
                    "white_list": [],
                    "black_list": []
                }
            }
        }
    },
    "proxy": {
        "listen_path": "/httpbin/",
        "target_url": "http://httpbin.org",
        "strip_listen_path": true
    },
    "enable_batch_request_support": true
}

When creating the key, it should contain an access_rights object, keyed by the api_id. In the api definition above, the value for the api_id is my_api_id_1.

The example below creates a key which grants access to 2 APIs: my_api_id_1 and my_api_id_2.

{
    "allowance": 1000,
    "rate": 1000,
    "per": 60,
    "expires": -1,
    "quota_max": -1,
    "quota_renews": 1406121006,
    "quota_remaining": 0,
    "quota_renewal_rate": 60,
    "access_rights": {
        "my_api_id_1": {
            "api_name": "My API",
            "api_id": "my_api_id_1",
            "versions": [
                "Default"
            ]
        },
        "my_api_id_2": {
            "api_name": "My 2nd API",
            "api_id": "my_api_id_2",
            "versions": [
                "Default"
            ]
        }
    },
    "org_id": "default"
}

https://tyk.io/docs/security/token-level-security/

https://tyk.io/docs/tyk-rest-api/token-management/#create-keys

Hope this helps. And if you get stuck, try it by using the dashboard / GUI for free using tyk-cloud, or an on-prem version. You can simply export your api definition and load it into Tyk CE.

Thanks. This helped me catch a typo due to the redundant need to use API IDs as JSON keys for a struct as well as within the struct as name/value pairs (when crafting API requests manually).

I only wish that the getting started walked through this process like your reply did. It helped me identify the problem quickly.

Thanks again!
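
An offline consistency check for the mismatch discussed in this thread, as an added example (not from the original posts and not Tyk's own code): it compares each access_rights map key with the api_id inside that entry, and both with the api_ids and versions of the API definitions you have loaded. The function name and the sample data, including the typo, are constructed for illustration.

```python
import json

# Constructed sample data, reduced from the JSON shown in this thread.
API_DEFINITIONS = [
    {"api_id": "my_api_id_1", "version_data": {"versions": {"Default": {}}}},
    {"api_id": "my_api_id_2", "version_data": {"versions": {"Default": {}}}},
]

# Constructed key definition: the second map key is missing an underscore.
KEY_WITH_TYPO = json.loads("""
{
  "org_id": "default",
  "access_rights": {
    "my_api_id_1": {"api_name": "My API", "api_id": "my_api_id_1", "versions": ["Default"]},
    "my_api_id2":  {"api_name": "My 2nd API", "api_id": "my_api_id_2", "versions": ["Default"]}
  }
}
""")


def check_access_rights(key_def, api_defs):
    """Return a list of problems found; an empty list means the key is consistent."""
    known = {a["api_id"]: a for a in api_defs}
    problems = []
    for map_key, entry in (key_def.get("access_rights") or {}).items():
        inner = entry.get("api_id")
        # The api_id appears twice: as the map key and inside the entry.
        if inner != map_key:
            problems.append(f"map key {map_key!r} != inner api_id {inner!r}")
        # Both spellings must refer to an API definition that exists.
        for api_id in sorted({map_key, inner} - {None}):
            if api_id not in known:
                problems.append(f"api_id {api_id!r} matches no loaded API definition")
        # Every version granted must be defined on the referenced API.
        api = known.get(inner) or known.get(map_key)
        if api:
            defined = api["version_data"]["versions"]
            for version in entry.get("versions", []):
                if version not in defined:
                    problems.append(f"{map_key!r}: version {version!r} is not defined")
    return problems


if __name__ == "__main__":
    for problem in check_access_rights(KEY_WITH_TYPO, API_DEFINITIONS):
        print("PROBLEM:", problem)
```

Run it against the key payload before sending it to the gateway's key-creation endpoint; the API definitions can be the same JSON files the gateway loads.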