But this will hash the key, which obfuscates the original key name that I want to support
Not necessarily. You may observe that the value of the key field is simply a base64 encoding of the org_id, the specified key_id and the hashing algorithm:
{"org":"1","id":"test_key","h":"murmur64"}
You can use the exact id specified as the value for your Auth header and it should still work.
I want to be able to easily create and query for test_key without hashing and without the preceding org_id.
Querying the key from Tyk is the stumbling block. I don’t see how you can retrieve the key definition without specifying a matching org_id in an encoded or decoded format. The API definitions and keys are scoped or tied to the organisation IDs specified.
The only other alternative is to use an empty org_id value or completely strip it from the API definition and the key definition.
I was wondering if there was any security concern for creating all keys and APIs without an org id.
So to answer your concern, there isn’t any security issue when you create all keys and APIs without an org_id as long as you disable master keys and manage the access control to the APIs appropriately.
Hope this helps
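
An added example, not part of the original post and not Tyk's own code: it builds and decodes the key value format described in the reply above (base64 of a JSON object with org, id and h) and sorts a constructed list of values into org-scoped keys, empty-org keys and plain custom ids. The function names and the use of standard padded base64 are assumptions.

```python
import base64
import json


def encode_key(org_id, key_id, hash_algo="murmur64"):
    """Build the key value from the three fields shown in the thread."""
    payload = json.dumps({"org": org_id, "id": key_id, "h": hash_algo},
                         separators=(",", ":"))
    return base64.b64encode(payload.encode("utf-8")).decode("ascii")


def decode_key(value):
    """Return the embedded fields, or None when value is a plain custom id."""
    try:
        padded = value + "=" * (-len(value) % 4)  # tolerate stripped padding
        raw = base64.b64decode(padded, validate=True)
        fields = json.loads(raw.decode("utf-8"))
    except ValueError:  # covers invalid base64, invalid UTF-8 and invalid JSON
        return None
    if not isinstance(fields, dict) or not {"org", "id", "h"} <= fields.keys():
        return None
    return fields


def classify(value):
    """Label a key value by how it is scoped to an organisation."""
    fields = decode_key(value)
    if fields is None:
        return "plain-id"
    return "org-scoped" if fields["org"] else "empty-org"


# Constructed sample values, using the org and key id from the thread.
SAMPLES = [
    encode_key("1", "test_key"),   # key tied to org "1"
    encode_key("", "test_key"),    # key created with an empty org_id
    "test_key",                    # the bare custom id
]

if __name__ == "__main__":
    for value in SAMPLES:
        print(classify(value), decode_key(value), value)
```

Running a check like this over an exported key list shows which keys carry no organisation scope, which are the ones that rely entirely on disabled master keys and per-API access rights.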