Extended_paths -> ignore list & white list issue

I am trying to use the ignore/whitelist functionality to specify certain endpoints that do not require authentication.

I’ve read this post alongside the documentation to try and figure out if I am using ignore list & white list correctly.

(Note → We are using Bearer tokens with a header entitled “authorization” for authentication)

“extended_paths”: {
“ignored”: [],
“white_list”: [
“path”: “/api//v2/courses/”,
“method_actions”: {
“GET”: {
“action”: “no_action”,
“code”: 200,
“data”: “”,
“headers”: {}
“black_list”: [],
“url_rewrites”: [
“path”: “/api/v2/courses/”,
“method”: “GET”,
“match_pattern”: “/api/v2/courses/(.*)”,
“rewrite_to”: “/v2/courses/$1”


Case Above - action: “no_action”: it’ll forward requests to my service for data (in this case grabbing a course by it’s ID and any other query params as well). But if I don’t have authentication in the header, it is not whitelisted and will return an error specifying that the auth header is missing.

Other Case - action: “reply” : This basically will turn my endpoint into a dummy endpoint, returning whatever value I have in the “data” field. It will allow requests regardless of having an authentication token in the header or not.

As for the ignored field, that just returns a 404 every time, even if I have an auth token in the header.

version_data.{version-name}.extended_paths.ignored: This section will define methods and paths that will be ignored and will bypass the quota and rate limiting machinery of Tyk.

In the post linked above, Martin provided a description of the purpose of the ignored/black/white lists that you can specify under extended_paths:

Ignored: Bypasses all auth, great for logins or heartbeat calls
Blacklist - Access is blocked to these paths, e.g. you v1 and v2 of an API and in v2, the resource /widget/ is deprecated, so you in the v2 blacklist settings you explicitly set this path as a blacklist so that v2 users get an error to not use that path
Whitelist: An exclusive list of paths and patterns that are allowed, adding one element to a white list automatically (obviously) blacklists everything else.

Ignored doesn’t appear to be true when I take the exact same JSON block in my example above under whitelist, and apply it to ignored. I’ve also tried having the same endpoint specified in both lists, and still get 404’s.