Limit api key to a domain

Is there a way to limit an API key to access the same API just through a specific domain?
Let's say API key "aaaa" can access API "xy" through a domain
and API key "bbbb" can access API "xy" through a domain.

Does this make sense? It is more for auditing purposes than anything else.

I don't think the Key definition has a feature like that off the top of my head. I could look into it a bit more and confirm.

But for something like this the easiest way is to use 2 API definitions with the different domain names as a proxy and funnel it upstream or to another master API definition.

Another method would be to use a custom plugin. I think you could check for the key and the base URL, then take an action depending on the condition. For example, you could set the expected domain name on the API key metadata. Then use a custom post-auth plugin to check that the domain name matches.

Plugins can be written in Python, Lua, JavaScript or any language which supports gRPC. Here are some plugin examples in different languages.

1 Like

Just as a follow up, can you share the main feature or job Tyk is doing for you?

It is a micro-service API gateway for internal and/or external use.

Great! Can you share the approximate amount or range of APIs Tyk is handling?

Approximately 100 micro-services, each has its own base API, plus a few mashup APIs (combining multiple micro-services in one use-case/mobile app ...).
So maybe duplicating APIs for internal and/or external use might not be a good idea.

Perhaps going the custom plugin way ...

The plugins route sounds less cumbersome considering the number of APIs you have that may need auditing.

This is the final solution - for reference:

var apiKeyDomainCheck = new TykJS.TykMiddleware.NewMiddleware({});

apiKeyDomainCheck.NewProcessRequest(function (request, session, spec) {
    // Only keys that carry an allowed_domain value in their metadata are restricted.
    if (session.meta_data.allowed_domain != undefined) {
        var allowed_domain = session.meta_data.allowed_domain;

        // Note: indexOf on a string is a substring test, so the Host header must
        // appear somewhere inside allowed_domain for the request to pass.
        if (allowed_domain.indexOf(request.Headers.Host) < 0) {
            log('Domain ' + request.Headers.Host + ' not allowed for key (' + session.key_id + '). Allowed domain is ' + allowed_domain + '.');
            request.ReturnOverrides.ResponseCode = 406;
            request.ReturnOverrides.ResponseError = "This API-key is not issued for this domain.";
        }
    }

    // Hand the (possibly overridden) request back to the gateway.
    return apiKeyDomainCheck.ReturnData(request, session.meta_data);
});

log("JavaScript middleware 'apiKeyDomainCheck.js' is initialised");

1 Like
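The post-auth plugin idea described earlier and the final middleware above both come down to one decision: does the Host the request arrived on match what the key's metadata allows? Here is that decision factored out into a plain function so it can be run and tested without a gateway. This is an added example, not code from the thread or from Tyk; it assumes a metadata field named allowed_domains (a constructed name holding a comma-separated list), compares hosts exactly after lower-casing and stripping any port or trailing dot instead of using a substring test, and picks 403 rather than the thread's 406 for the rejection. The comment showing how it would plug into the TykJS middleware reuses the object names from the thread; the shape of request.Headers there is an assumption and is not exercised here.

```javascript
// Normalise a Host header value for exact comparison: lower-case, drop a
// trailing dot and any port. Bracketed IPv6 literals keep their brackets.
function normaliseHost(hostHeader) {
  if (typeof hostHeader !== 'string') return '';
  var host = hostHeader.trim().toLowerCase();
  if (host.charAt(0) === '[') {
    var end = host.indexOf(']');
    return end < 0 ? '' : host.slice(0, end + 1);
  }
  var colon = host.indexOf(':');
  if (colon >= 0) host = host.slice(0, colon);
  if (host.length > 0 && host.charAt(host.length - 1) === '.') host = host.slice(0, -1);
  return host;
}

// allowed_domains (assumed metadata key) is a comma-separated list of hosts.
function parseAllowedDomains(metaValue) {
  if (typeof metaValue !== 'string' || metaValue.trim() === '') return [];
  return metaValue.split(',').map(normaliseHost).filter(function (h) { return h !== ''; });
}

// Returns { allowed: boolean, reason: string }. The reason is what you would
// write to the gateway log for auditing. A key without allowed_domains stays
// unrestricted, matching the behaviour of the thread's middleware.
function checkKeyDomain(hostHeader, metaData, keyId) {
  var allowed = parseAllowedDomains(metaData && metaData.allowed_domains);
  if (allowed.length === 0) {
    return { allowed: true, reason: 'no domain restriction on key (' + keyId + ')' };
  }
  var host = normaliseHost(hostHeader);
  if (host === '') {
    return { allowed: false, reason: 'missing or malformed Host header for key (' + keyId + ')' };
  }
  if (allowed.indexOf(host) < 0) {
    return { allowed: false, reason: 'Domain ' + host + ' not allowed for key (' + keyId + '). Allowed: ' + allowed.join(', ') };
  }
  return { allowed: true, reason: 'Domain ' + host + ' allowed for key (' + keyId + ')' };
}

// Wiring into the TykJS middleware from the thread (assumption: Host is
// reachable as request.Headers.Host; not executed in this stand-alone file):
// apiKeyDomainCheck.NewProcessRequest(function (request, session, spec) {
//   var verdict = checkKeyDomain(request.Headers.Host, session.meta_data, session.key_id);
//   if (!verdict.allowed) {
//     log(verdict.reason);
//     request.ReturnOverrides.ResponseCode = 403;
//     request.ReturnOverrides.ResponseError = "This API key is not issued for this domain.";
//   }
//   return apiKeyDomainCheck.ReturnData(request, session.meta_data);
// });

// Constructed sample key sessions (not real keys or domains).
var sampleSessions = {
  aaaa: { meta_data: { allowed_domains: 'partner-a.example.com' } },
  bbbb: { meta_data: { allowed_domains: 'partner-b.example.com, api.partner-b.example.com' } },
  cccc: { meta_data: {} }
};

// Run a set of constructed Host values through the check and return one
// audit-style line per case.
function runSamples() {
  var cases = [
    ['aaaa', 'partner-a.example.com'],
    ['aaaa', 'partner-a.example.com:443'],
    ['aaaa', 'PARTNER-A.example.com.'],
    ['aaaa', 'partner-b.example.com'],
    ['aaaa', 'example.com'],
    ['bbbb', 'api.partner-b.example.com'],
    ['cccc', 'anything.example.net']
  ];
  return cases.map(function (c) {
    var v = checkKeyDomain(c[1], sampleSessions[c[0]].meta_data, c[0]);
    return c[0] + ' ' + c[1] + ' -> ' + (v.allowed ? 'allow' : 'deny') + ' (' + v.reason + ')';
  });
}

runSamples().forEach(function (line) { console.log(line); });
```

The 'example.com' case is the one the substring test in the thread's middleware gets wrong: "partner-a.example.com".indexOf("example.com") is not negative, so that key would be accepted from a Host it was never issued for, whereas the exact comparison here denies it.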