Orchestration API call in Tyk gateway

We have an upstream API which is protected by OAuth2. How can we proxy this backend API in Tyk open source operator gateway. Below is the flow -

When the API request comes to Tyk Gateway then it needs to make a side call to backend OAuth API which returns a Token with expiry time. This token needs to be added in header before calling the actual upstream API.

Also this token needs be cached in gateway till the expiry time and needs to be reused in next subsequent calls and token side call should be skipped if it is present in cache.

How can we implement this flow. We saw this post about service orchestration, can this approach be used for this scenario also?

Anup Rai

Hey @Anup_Rai,

Those are very good questions. I’m currently looking at finding the answers for you. I’ll keep you updated as soon as I find out.


Hi @Anup_Rai In order to achieve this, you will need to write a plugin.

The plugin could be written in Python, Javascript, Go or any language which supports gRPC.

The plugin would run on the post hook, which means it gets invoked just before proxying to the upstream service.

The plugin would contain some logic to exchange a client_id + client_secret for an access token, and then inject that into the request header for the upstream. (Client Credentials Grant). You might want to think about caching that access token for the duration of it’s validity.

An example gRPC plugin which shows what’s possible can be seen here:

alongside the BDD tests to show expected output:

If you take a look at the GitHub actions, you will see the gRPC plugin being run against the open source Gateway in the bdd section. Actions · TykTechnologies/tyk-operator · GitHub

For comprehensive plugin documentation:

Request middleware execution order: Request Middleware Chain

Plugin docs: Custom Plugins