Hybrid Setup Incomplete?


Hello Martin,
I apologize in advance if the below are very basic questions, but we have just started trying the hybrid setup.

I followed the hybrid installation but can not find the component related to the actual setup.
What about the actual proxy config (i.e. proxying traffic back to the source API endpoint)?
The hybrid documentation also makes a reference to the SECRET key and hardcodes one:

sudo ./start.sh 8080 54636453636 [RPC-CREDENTIALS] [API CREDENTIALS]
TYK-SECRET - The secret key to use so you can interact with your tyk node via the REST API
The TYK-SECRET should be a secret key you define so you can interact with your Tyk node programatically.
How do we change that secret key?



You can find the [RPC-CREDENTIALS] and the [API CREDENTIALS] in the Users -> Username section of the dashboard, each user you create will have their own credentials.

The TYK-SECRET parameter in the startup command sets the API secret in your Tyk setup so that you can use the gateway REST API, so you don’t need to change it, it gets set every time you run the command (see the entrypoint.sh file in the docker container, it re-writes the tyk.conf with your variables).

The reason we add it to the startup command is to ensure that it gets set and no default is used (to secure your installation).


Hello Martin
Thank you very much for the quick response.
This is clear now.

In terms of the overall setup, I am a bit unclear perhaps on the architecture of hybrid.
Doesn’t the tyk docker instance listen to requests, authenticate against Tyk cloud and if authorized proxies to the API?
IF so, where do I setup the proxying to my internal API?
How can the contain communicate on my network with the default non-routed subnet

Am I missing part of the config? I did everything in the doc, but not sure if there is a subsequent set of instructions that I may be missing…


The way hybrid works is that you have a local (scalable) Tyk gateway, it synchronises API definitions with Tyk Cloud, and uses Tyk Cloud as a master resource for generated access tokens, once they are cached locally they are valid until deleted. Tyk Hybrid nodes will synchronise access analytics back up Tyk Cloud.

Yes, the Tyk Docker instance listens for requests. Yes, it authenticates against Tyk Cloud, and yes, it then proxies if authorised.

You log into your Tyk Cloud dashboard and set up your API definition as you would with a cloud based setup, just that targets you define can be inside your network as you are doing your traffic handling locally.

The Tyk Hybrid container must be on your network and be able to see your API, it can live behind your firewall, so long as it can communicate with Tyk Cloud, so you can use a private subnet with Tyk Hybrid since Tyk will prxy inside your network once traffic hits the container.

No, you just need to configure your API in Tyk Cloud admin dashboard with your API on, if Hybrid is set up and running, then you should be able to send traffic to your hybrid container (if it is installed on your network) and see it proxied to your target node.


Thanks Martin. I appreciate your guidance on this.
Will follow your comments/instructions.