You could do this, it’s computationally expensive though
The cheapest and easiest thing to do is to end-to-end SSL the connection for one, and then also have tyk inject a shared secret into all upstream requests using the global request header injector, then have the service check for the shared secret to ensure the request originated from Tyk.