Hi @Luan, thanks for the reply.
I need to create my own keys, that's why I was asking about each individual key.
However, I've noticed something strange.
I’ve created an api key with an individual secret using this body:
POST: http://www.tyk-test.com:8181/tyk/keys/aaa-bbb-999
{
"allowance": 1000,
"rate": 1000,
"per": 60,
"expires": -1,
"quota_max": -1,
"quota_renews": 1449051461,
"quota_remaining": -1,
"quota_renewal_rate": 60,
"access_rights": {
"a8de59c9cd404abc46f07a841a7aeb6a": {
"api_name": "Test with api key",
"api_id": "a8de59c9cd404abc46f07a841a7aeb6a",
"versions": [
"Default"
],
"allowed_urls": []
}
},
"org_id": "5aaa35ad7d0d6e000187d6ea",
"oauth_client_id": "",
"basic_auth_data": {
"password": "",
"hash_type": ""
},
"jwt_data": {
"secret": "xxx"
},
"hmac_enabled": false,
"hmac_string": "",
"is_inactive": false,
"apply_policy_id": "",
"apply_policies": [],
"data_expires": 0,
"monitor": {
"trigger_limits": null
},
"meta_data": {
"aaa": 1
},
"tags": ["aaa"]
}
And generated a token with this header:
{
"alg": "HS256",
"typ": "JWT",
"kid": "aaa-bbb-999"
}
Then used this JWT to get access to the API. This is all good.
However, changing the kid in the header to “aaa-bbb-99” and regenerating the JWT, I still get access. How is this possible?
I’ve noticed that behaviour with a regular access token as well. Is this a vulnerability in Tyk gateway?
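To make concrete what the post expects from the gateway, here is an added example (written for this thread, not code from Tyk or from the poster) of a minimal HS256 JWT verifier that resolves the signing secret by an exact `kid` lookup. The key store, the secret value and the sample claims are constructed for the example; it uses only the Python standard library. A token whose header names a `kid` that is not an exact entry in the store (such as "aaa-bbb-99" when only "aaa-bbb-999" exists) is rejected before any signature check, which is the behaviour a defender would want to confirm against a gateway under test.

```python
import base64
import hashlib
import hmac
import json

# Constructed key store for this example: kid -> shared HS256 secret.
# The secret "xxx" mirrors the jwt_data.secret in the post; it is not a real key.
KEY_STORE = {
    "aaa-bbb-999": b"xxx",
}


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as used by JWS."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; restores the stripped padding first."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_hs256_jwt(header: dict, payload: dict, secret: bytes) -> str:
    """Build an HS256-signed JWT (used here only to produce test tokens)."""
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def resolve_key(kid: str):
    """Exact-match lookup only: no prefix, glob or case-insensitive matching."""
    return KEY_STORE.get(kid)


def verify_hs256_jwt(token: str, now: int = 0):
    """Return (True, claims) on success, or (False, reason) on rejection."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    h64, p64, s64 = parts

    # The header is parsed unverified; it is trusted only far enough to pick
    # the algorithm and the key identifier, never for any access decision.
    try:
        header = json.loads(b64url_decode(h64))
    except (ValueError, UnicodeDecodeError):
        return False, "bad header"

    if header.get("alg") != "HS256":
        return False, "alg not allowed"
    kid = header.get("kid")
    if not isinstance(kid, str):
        return False, "missing kid"

    secret = resolve_key(kid)
    if secret is None:
        return False, "unknown kid"

    expected = hmac.new(secret, f"{h64}.{p64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s64)):
        return False, "bad signature"

    claims = json.loads(b64url_decode(p64))
    exp = claims.get("exp")
    if isinstance(exp, int) and now and now >= exp:
        return False, "expired"
    return True, claims


if __name__ == "__main__":
    good = make_hs256_jwt({"alg": "HS256", "typ": "JWT", "kid": "aaa-bbb-999"},
                          {"sub": "demo"}, b"xxx")
    near_miss = make_hs256_jwt({"alg": "HS256", "typ": "JWT", "kid": "aaa-bbb-99"},
                               {"sub": "demo"}, b"xxx")
    print(verify_hs256_jwt(good))       # (True, {'sub': 'demo'})
    print(verify_hs256_jwt(near_miss))  # (False, 'unknown kid')
```

The point of the example is the order of checks: algorithm pinned, `kid` resolved by exact match, then a constant-time signature comparison, then claim checks such as `exp`. If a gateway accepts the near-miss token, the `kid` resolution step is where to look first when reproducing the report.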