"error": "Access to this API has been disallowed" in tyk gateway opensource

Hi,

{
  "name": "My Test API",
  "slug": "my-test-api",
  "api_id": "3",
  "org_id": "test-org",
  "use_keyless": false,
  "auth_configs": {
    "jwt": {
      "auth_header_name": "Authorization",
      "strip_bearer_token": true,
      "secret": "my-super-secret-key",
      "secret_is_base64": false,
      "signature_algorithm": "HS256",
      "allowed_algs": ["HS256"],
      "identity_source": "sub",
      "identity_claim_name": "sub"
    }
  },
  "proxy": {
    "listen_path": "/api/data",
    "target_url": "http://localhost:8080/api/data",
    "strip_listen_path": true
  },
  "version_data": {
    "not_versioned": true,
    "versions": {
      "Default": {
        "name": "Default",
        "use_extended_paths": true
      }
    }
  },
  "active": true
}

{
  "error": "Access to this API has been disallowed"
}

I was able to retrieve the result in Postman for this API.

After that, I generated a JWT token https://jwt.io/ to verify whether the Tyk gateway accepts JWT authentication, but it is not working. I have also reviewed the basic JWT settings in the sample-api-definition.json file.

Could you please check if anything needs to be corrected?

How is the Tyk gateway validating the JWT token is valid? Is there some code that you have written for that?

Please can you check your logs, to see why the request is being disallowed. You might see something like:

time="Feb 23 01:30:19" level=info msg="Attempted access to unauthorised API." api_found=false key="" origin=x.x.x.x path="/myservice/"

When setting this up, which of our guides did you follow?

Also note this section of the docs. It’s important that your policy is correctly created to provide access to the API you intend to secure, and that the policy is mapped to the key.

My Tyk open source version:

{
  "status": "pass",
  "version": "v4.0.0",
  "description": "Tyk GW",
  "details": {
    "redis": {
      "status": "pass",
      "componentType": "datastore",
      "time": "2025-03-04T14:41:47Z"
    }
  }
}

I'm getting an error in the logs:

2025-03-04 20:09:26 [Mar 04 14:39:26] DEBUG auth-mgr: Could not get session detail, key not found err=key not found inbound-key=****yn6Y
2025-03-04 20:09:26 [Mar 04 14:39:26] INFO Attempted access with non-existent key. api_id=41433797848f41a558c1573d3e55a410 api_name=My Test API key=****yn6Y mw=AuthKey org_id=54de205930c55e15bd000001 origin=172.18.0.1 path=/api/anon/data
2025-03-04 20:09:26 [Mar 04 14:39:26] DEBUG EVENT FIRED: AuthFailure
2025-03-04 20:09:26 [Mar 04 14:39:26] DEBUG Finished api_id=41433797848f41a558c1573d3e55a410 api_name=My Test API code=403 error=Access to this API has been disallowed mw=AuthKey ns=1783168 org_id=54de205930c55e15bd000001 origin=172.18.0.1 path=/api/anon/data

OK, have you checked that the API you are attempting to hit, is mapped to a policy where the key you are using is also mapped onto the same policy? Security Policy and Access Keys

Yes, it is mapped:

{
  "default": {
    "rate": 1000,
    "per": 1,
    "quota_max": 100,
    "quota_renewal_rate": 60,
    "access_rights": {
      "41433797848f41a558c1573d3e55a": {
        "api_name": "My Test API",
        "api_id": "41433797848f41a558c1573d3e55a",
        "versions": ["Default"]
      }
    },
    "org_id": "54de205930c55e15bd000",
    "allowed_urls": [
    ]
  }
}

@James My question is whether the open-source version of Tyk Gateway supports standalone JWT validation without additional OAuth, OAS, or API key configurations.

"Could not find a valid policy to apply to this token!"

API definition file:

{
  "id": "5",
  "name": "My Test API",
  "slug": "my-test-api",
  "listen_port": 0,
  "protocol": "",
  "api_id": "0fba2962-98d0-468fe5384255b",
  "org_id": "2mSTfVorijgRU5tnLlHuI",
  "auth_configs": {
    "jwt": {
      "name": "",
      "use_param": false,
      "param_name": "",
      "use_cookie": false,
      "cookie_name": "",
      "disable_header": false,
      "auth_header_name": "Authorization",
      "secret_is_base64": true,
      "use_certificate": false,
      "validate_signature": false,
      "signature": {
        "algorithm": "",
        "header": "",
        "use_param": false,
        "param_name": "",
        "secret": "",
        "allowed_clock_skew": 0,
        "error_code": 0,
        "error_message": ""
      }
    }
  },
  "enable_jwt": true,
  "jwt_signing_method": "HS256",
  "jwt_source": "bXktc3VwZXItc2VjcmV0LWQ==",
  "jwt_identity_base_field": "sub",
  "jwt_client_base_field": "",
  "jwt_policy_field_name": "pol",
  "jwt_default_policies": ["default"],
  "jwt_issued_at_validation_skew": 0,
  "jwt_expires_at_validation_skew": 0,
  "jwt_not_before_validation_skew": 0,
  "jwt_skip_kid": false,
  "scopes": {
    "jwt": {
      "scope_claim_name": "",
      "scope_to_policy": {}
    },
    "oidc": {
      "scope_claim_name": "",
      "scope_to_policy": {}
    }
  },
  "jwt_scope_to_policy_mapping": {},
  "jwt_scope_claim_name": "",
  "enable_signature_checking": false,
  "hmac_allowed_clock_skew": -1,
  "hmac_allowed_algorithms": [],
  "request_signing": {
    "is_enabled": false,
    "secret": "",
    "key_id": "",
    "algorithm": "",
    "header_list": [],
    "certificate_id": "",
    "signature_header": ""
  },
  "base_identity_provided_by": "",
  "version_data": {
    "not_versioned": true,
    "default_version": "",
    "versions": {
      "Default": {
        "name": "Default",
        "expires": "",
        "paths": {
          "ignored": [],
          "white_list": [],
          "black_list": []
        },
        "use_extended_paths": true,
        "extended_paths": {}
      }
    }
  },
  "proxy": {
    "preserve_host_header": false,
    "listen_path": "/api1/",
    "target_url": "http://httpbin.org/",
    "disable_strip_slash": true,
    "strip_listen_path": true
  },
  "session_lifetime_respects_key_expiration": false,
  "session_lifetime": 0,
  "active": true,
  "internal": false,
  "allowed_ips": [],
  "blacklisted_ips": [],
  "expire_analytics_after": 0,
  "response_processors": [],
  "config_data": {},
  "tag_headers": []
}

tyk.conf file:

{
  "log_level": "info",
  "listen_port": 8090,
  "secret": "58de1402fbb76743f5527600e590bbf8d8f44463ae278f3034",
  "template_path": "/opt/tyk-gateway/templates",
  "tyk_js_path": "/opt/tyk-gateway/js/tyk.js",
  "middleware_path": "/opt/tyk-gateway/middleware",
  "use_db_app_configs": false,
  "app_path": "/opt/tyk-gateway/apps/",
  "storage": {
    "type": "redis",
    "host": "tyk-redis",
    "port": 6379,
    "username": "",
    "password": "",
    "database": 0,
    "optimisation_max_idle": 2000,
    "optimisation_max_active": 4000
  },
  "enable_analytics": false,
  "analytics_config": {
    "type": "",
    "ignored_ips": [],
    "enable_detailed_recording": true
  },
  "health_check": {
    "enable_health_checks": false,
    "health_check_value_timeouts": 60
  },
  "enable_non_transactional_rate_limiter": true,
  "enable_sentinel_rate_limiter": false,
  "enable_redis_rolling_limiter": false,
  "allow_master_keys": false,
  "policies": {
    "policy_source": "file",
    "policy_path": "/opt/tyk-gateway/policies/policies.json"
  },
  "hash_keys": false,
  "close_connections": false,
  "http_server_options": {
    "enable_websockets": true
  },
  "allow_insecure_configs": true,
  "coprocess_options": {
    "enable_coprocess": true,
    "coprocess_grpc_server": ""
  },
  "enable_bundle_downloader": true,
  "bundle_base_url": "",
  "global_session_lifetime": 100,
  "force_global_session_lifetime": false,
  "max_idle_connections_per_host": 500,
  "enable_jsvm": true
}

policies.json file:

{
  "default": {
    "rate": 1000,
    "per": 1,
    "quota_max": -1,
    "quota_renewal_rate": -1,
    "access_rights": {
      "0fba2962-98d0-468f-a3d5-7dbe53255b": {
        "api_name": "My API",
        "api_id": "0fba2962-98d0-468f-abe5384255b",
        "versions": ["Default"]
      }
    },
    "org_id": "2mSTfVorijgRU5tnLCHuI",
    "hmac_enabled": false,
    "allowed_urls": [
      {
        "url": "/api1/",
        "methods": ["POST"]
      }
    ]
  }
}
docker compose file:

version: '3'
services:
  tyk-gateway:
    image: docker.tyk.io/tyk-gateway/tyk-gateway:latest
    ports:
      - "8091:8090"
    environment:
      - TYK_GW_SECRET=58de1402fbb76743f552760053ba3d8d1625f8d8f44463ae278f3034
    volumes:
      - C:\TykFreshSetup\tyk.conf:/opt/tyk-gateway/tyk.conf
      - C:\TykFreshSetup\apps:/opt/tyk-gateway/apps
      - C:\TykFreshSetup\policies:/opt/tyk-gateway/policies
    networks:
      - tyk
    depends_on:
      - tyk-redis
  tyk-redis:
    image: redis:4.0-alpine
    ports:
      - "6390:6379"
    volumes:
      - redis-data:/data
    networks:
      - tyk
networks:
  tyk:
    external: true
volumes:
  redis-data:

{
  "error": "key not authorized: no matching policy"
}

time="Mar 06 06:36:30" level=error msg="Could not find a valid policy to apply to this token!" api_id=0fba2962-98d0-468f384255b api_name="My Test API" mw=JWTMiddleware org_id=2mSTfVorijgRU5tHuI origin=172.18.0.1 path="/api1/"
@James @Olu @Ubong

Hi Ranjitha - you didn’t receive a community reply, as you created a ‘private’ topic, which wasn’t findable on the forums, only to people you shared the link with. I’ve just switched it to public, you should now receive a reply in time.

Hi Ranjitha,

From the logs you previously provided I saw this:

2025-03-04 20:09:26 [Mar 04 14:39:26] DEBUG Finished api_id=41433797848f41a558c1573d3e55a410 api_name=My Test API code=403 error=Access to this API has been disallowed mw=AuthKey ns=1783168 org_id=54de205930c55e15bd000001 origin=172.18.0.1 path=/api/anon/data

But the policy you used in the key seems to have a different api_id but same api name:

Yes, it is mapped:

{
  "default": {
    "rate": 1000,
    "per": 1,
    "quota_max": 100,
    "quota_renewal_rate": 60,
    "access_rights": {
      "41433797848f41a558c1573d3e55a": {
        "api_name": "My Test API",
        "api_id": "41433797848f41a558c1573d3e55a",
        "versions": ["Default"]
      }
    },
    "org_id": "54de205930c55e15bd000",
    "allowed_urls": [
    ]
  }
}

You must ensure that the api_id mapped in the policy is the same as the api_id of the API you are making the request to with the key that uses this policy.

A helpful tool will also be the Gateway API: check the created API, policy and keys by making GET /tyk/apis/ or GET /tyk/apis/{apiid}, GET /tyk/policies/{policyID} and GET /tyk/keys/{keyID}.
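A small offline checker for the mismatch described in the reply above, added here as an example; it is not part of this thread and not Tyk's own tooling. It takes API definitions and a policies.json parsed from the file formats shown in the thread, and the sample input is constructed from the ids in the logs above. Beyond the api_id match the reply asks for, it also compares the policy's org_id with the API's and verifies that every policy named in jwt_default_policies exists, which are extra checks of my own.

```python
import json

# Constructed sample input modelled on the ids in this thread, not the poster's files:
# the policy's access_rights use a truncated copy of the API's api_id, and its org_id
# differs from the org_id in the API definition.
SAMPLE_API_DEFS = json.loads("""[
  {"name": "My Test API", "api_id": "41433797848f41a558c1573d3e55a410",
   "org_id": "54de205930c55e15bd000001", "jwt_default_policies": ["default"]}
]""")
SAMPLE_POLICIES = json.loads("""{
  "default": {
    "org_id": "54de205930c55e15bd000",
    "access_rights": {
      "41433797848f41a558c1573d3e55a": {
        "api_name": "My Test API", "api_id": "41433797848f41a558c1573d3e55a",
        "versions": ["Default"]}}}
}""")

def check_policy_mapping(api_defs, policies):
    """Return a list of findings; an empty list means every policy grant resolves cleanly."""
    findings = []
    by_id = {a["api_id"]: a for a in api_defs}
    by_name = {a["name"]: a for a in api_defs}
    for pol_id, pol in policies.items():
        for key, right in pol.get("access_rights", {}).items():
            rid = right.get("api_id", "")
            if key != rid:  # access_rights is keyed by api_id; a mismatch is a copy error
                findings.append(f"policy {pol_id!r}: access_rights key {key!r} differs from api_id {rid!r}")
            api = by_id.get(rid)
            if api is None:
                # Same api_name but unknown api_id is the mismatch seen in this thread
                api = by_name.get(right.get("api_name"))
                if api is None:
                    findings.append(f"policy {pol_id!r}: api_id {rid!r} matches no loaded API")
                    continue
                hint = " (looks truncated)" if api["api_id"].startswith(rid) else ""
                findings.append(f"policy {pol_id!r}: api_id {rid!r} does not match API "
                                f"{api['name']!r} whose api_id is {api['api_id']!r}{hint}")
            if pol.get("org_id") != api["org_id"]:
                findings.append(f"policy {pol_id!r}: org_id {pol.get('org_id')!r} differs from "
                                f"org_id {api['org_id']!r} of API {api['name']!r}")
    for a in api_defs:  # a JWT API must name default policies that exist in policies.json
        for pid in a.get("jwt_default_policies", []):
            if pid not in policies:
                findings.append(f"API {a['api_id']!r}: jwt_default_policies names unknown policy {pid!r}")
    return findings

if __name__ == "__main__":
    print("\n".join(check_policy_mapping(SAMPLE_API_DEFS, SAMPLE_POLICIES)) or "OK: mapping is consistent")
```

Point it at the output of GET /tyk/apis/ and your policies.json and an empty result means the policy grants, org ids and default policies all line up.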