Exclude path from authentication


Imported Google Group message. Original thread at: https://groups.google.com/forum/#!topic/tyk-community-support/WqlAbq-KYGQ Import Date: 2016-01-19 21:38:08 +0000.
Sender:Ladislav Gazo.
Date:Tuesday, 22 December 2015 09:30:50 UTC.


I have a use case where within my API I want some of the given paths to be open so they don’t require authentication but all others should. Is there a way to do it within one API definition or I have to split it to two?


API = /myapi

Path (Method) = Authentication
/address (GET) = keyless
/address (POST) = OAuth2
/contact (POST) = OAuth2


Best regards,


Imported Google Group message.
Sender:Martin Buhr.
Date:Tuesday, 22 December 2015 09:35:22 UTC.

Hi Ladislav,

You can use the ignored setting in the API designer, it will bypass auth for certain endpoints.

Mixing access methods within an API is not possible though.


  • show quoted text -

  • show quoted text -

You received this message because you are subscribed to the Google Groups “Tyk Community Support” group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web, visit https://groups.google.com/d/msgid/tyk-community-support/7fe2d06b-c927-4f84-bdad-8114c523440d%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Imported Google Group message.
Sender:Ladislav Gazo.
Date:Tuesday, 22 December 2015 13:47:52 UTC.

Hi Martin,

thanks for the answer. I’ve played with the parameter a bit and found one issue with it, see description here:

API = /myapi
auth = OAuth2

I have manually created a key.

/address (GET) = Whitelist, Ignore
/address (POST) = Whitelist

In this scenario when I send POST request I receive:

HTTP 403
“error”: “Requested endpoint is forbidden”

I have also changed /address (POST) to /addresses (POST) in case there is the same path with GET and POST but it seems Ignore plugin applies for all paths. Btw. I am using cloud UI. Is it a UI bug or do you think it is global problem? Or I have not understood all.


Dňa utorok, 22. decembra 2015 10:35:22 UTC+1 Martin Buhr napísal(-a):

  • show quoted text -


Imported Google Group message.
Sender:Martin Buhr.
Date:Tuesday, 22 December 2015 14:22:16 UTC.

Hi Ladislav,

There is no reason it should work, if you have a closed API and have an ignored whitelist entry separated out by method.

I think the problem here is the matching - remove the preceeding slashes.

Many thanks,