JWT (JSON Web Token) authentication mode for APIs, and JWT API keys

@Martin @Luan thank you for your help so far. I’ve experimented further with the Tyk gateway and there is still something unclear to me.

I’ve created an API key holding a secret via the gateway API:

POST tyk/keys/key-id-random-999

...
"jwt_data": {
    "secret": "secret-99"
},
...

and I’ve included its ID in the kid of the JWT I send to the API for authorization. The JWT was successfully parsed by the gateway, which validated it and let the request go through. I also tested that the rate limit is enforced on this API key.

One thing I’ve noticed is that in the dashboard key usage section (/#/activity-key) a new key is generated and the key used in the JWT is not present. I can delete it but I cannot see it in the dashboard. This new automagically created key cannot be deleted (even if the delete request says it is deleted) and cannot be retrieved - it errors with “Attempting to access a non owned key”.

I’m a bit confused about what the correct flow and use case are here, and what the difference is between the 2 keys (the one I created holding the JWT secret and the one generated by Tyk).