Swagger Documentation API url

Hi Martin,

I am using tyk cloud. I have uploaded my swagger documentation for the API to the catalog.

In swagger file, I have set the url of my API. When I view the documentation in portal, and click the Try it out button, it tries to call http://[Organization].cloud.tyk.io/Api instead of the url I set inside swagger file.

Is it possible to override this behavior, and make it use the url in swagger file?


Not yet, but we will be changing those templates to not override the URL if the host is set in the swagger file.

Excellent news.
I am setting the host and baseUrl in the swagger file.

I hope this change will be very soon.

Thanks again for the help.

This feature has now been pushed to live. You should see the host + basepath override the URLs (both will be required to properly work) - you may need to refresh your browser too.

Great news. It is using the host + basePath from swagger now.

However, an error is occurring upon clicking the “Try it out” button as follows:

XMLHttpRequest cannot load http://api.rerouteme.com/EventsRealtimeNoGeo/. No ‘Access-Control-Allow-Origin’ header is present on the requested resource. Origin ‘http://rhexia-incorporated.cloud.tyk.io’ is therefore not allowed access. The response had HTTP status code 400.

As you know this is a CORS issue. So what is your recommendation to solve this issue?

If your underlying target API already handles CORS, then all you will need to change is under “Advanced Settings” select “Options Pass through”, but do not enable CORS.

If your underlying target API does not handle CORS, then you can enable CORS in the gateway and add the relevant headers / allowed hosts in the settings screen.

Hi Martin,
It is overriding the host + basePath again in the documentation page.

Not that I can see?

The override happens in a JavaScript callback, so it’s not instant.

Yes you are totally correct.

Regarding CORS issue, do you think that there is something required to be done on the hybrid gateway or firewall?

I am still getting error: XMLHttpRequest cannot load http://api.rerouteme.com/EventsRealtimeNoGeo/. No ‘Access-Control-Allow-Origin’ header is present on the requested resource. Origin ‘http://rhexia-incorporated.cloud.tyk.io’ is therefore not allowed access. The response had HTTP status code 403.

I have tried the “Options Pass through” and also enabling CORS and allowing the referrer domain but none has worked.

See my post above. If your API handles CORS, then you need to put all the settings into your service and just allow options pass through (do not enable anything).

If you are not handling CORS upstream, then you can put the required settings into Tyk:

  1. Enable CORS
  2. Set allowed hosts to *
  3. Set Allowed methods to GET, PUT, POST, DELETE
  4. Deselect Options passthrough

This will cause Tyk gateway to start blocking requests and handling CORS. Be warned: if the upstream API also injects CORS headers, then you will get more errors because of the duplicate response headers.

Hi Martin,

I followed your instructions above. I have removed everything related to CORS from my local API. I have enabled CORS and added allowed domains = * and Allowed methods = GET in tyk cloud.

Unfortunately, it is still not working.

I have also checked on my side i.e. Firewall, web server and nothing has reached my endpoint. It seems that the request is not going out from the portal site.

Please find attached the request and response details from Chrome upon clicking on the “Try it out” button.

Hi Ahmad,

I’ve looked into your account, and think I know what is wrong:

Your APIs are configured with very specific listen paths that are case sensitive, e.g. /eventsrealtime/ in Tyk Cloud, which means your managed URLs would be:

  • http://your-company.cloud.tyk.io/eventsrealtime
  • http://your.custom.hybrid.domain:{hybrid-port}/{api-id}
  • Or, if you have the NGinX settings enabled to handle URL rewrites in your hybrid agent (I wouldn’t tackle this yet), then: http://your.custom.hybrid.domain/eventsrealtime

Now your swagger definitions are pointing directly at your API on your custom domain, under paths such as /EventsFullNoGeo/, which I think is a real endpoint name: If I visit this URL directly (as specified by your Swagger), I get a Windows server response that is not being in any way protected by Tyk, but I still get a 403 status code because the response is not allowed (probably because it’s not actually a public endpoint).

Your API Definitions all have *.local targets, so the only way to reach them is with a hybrid agent, assuming you have hybrid running, then you should be able to target this API via:


(for testing, this is a good place to start).

This means that CORS is the least of your problems, since your routing is totally off at the moment, and those requests from the swagger interface will never work since the 403 response that the CORS pre-flight is complaining about is coming from IIS, and not Tyk (we do not run Windows servers), and since Tyk isn’t managing that request, it can’t inject the required CORS headers to allow the pre-flight to pass.

I hope that helps a bit, I think the overall routing configuration is the problem here, I’d suggest:

  1. Remove the Authentication from Tyk for now (for testing), less things to go wrong like wrong keys
  2. Ensure you have Hybrid running (see our quickstart for Hybrid, it shows you how to handle a demo request)
  3. Once you have requests working with postman or Curl, then come back here and we’ll talk about setting up the built-in NginX host to allow for friendly URLs


Hi Martin,

I have managed to make it work from documentation page following your instructions.

However, I still have one issue. There is a specific path in the api that accepts a custom header named “open511-version”. When I call this path from documentation page and pass a value for this header, I get the CORS error. If I don’t pass value for this header, it works correctly.

I have added this header to Allowed Headers in tyk api config. Unfortunately, it is still not working.

I need your advice please.

Hmmm, have you also made sure the matching method is in the CORS config too as it might not be the header alone.

Can you send me the link to the affected documentation (or the name of the catalogue entry / path if you don’t want to share a link to your portal).

Hi Martin,

I appreciate your help.

The link is: http://rhexia-incorporated.cloud.tyk.io/portal/apis/56dd5ca5666a060001000027/documentation/#!/Events/Events_Get

It is a get method and I have added GET to allowed methods in CORS config. This path works if I don’t pass a value for my custom header.

You can try to remove the value for the header “open511-version” and you’ll find that no error occurs.

This might be a stupid thing, and something we need to look at, but have you tried making the header lowercase in your swagger doc?

Hi Martin,

The issue is solved now and I haven’t changed anything.

Thank you for solving it.
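
Added example (not from the thread, Tyk or Swagger UI): a simplified JavaScript model of the browser's preflight rules, showing why the GET only fails once `open511-version` is sent and why the duplicate CORS headers warned about above break the check. The origin `http://portal.example`, the header value and all function names are constructed; only non-credentialed requests are modelled.

```javascript
// Added example: simplified model of the browser's CORS preflight rules
// (non-credentialed requests only). Not code from Tyk or Swagger UI.
const SAFE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFE_HEADERS = new Set(["accept", "accept-language", "content-language", "content-type"]);
const SAFE_TYPES = new Set(["application/x-www-form-urlencoded", "multipart/form-data", "text/plain"]);

// Request headers the browser must ask permission for, lowercased.
function unsafeHeaders(headers) {
  return Object.entries(headers)
    .map(([name, value]) => [name.toLowerCase(), value])
    .filter(([name, value]) => !SAFE_HEADERS.has(name) ||
      (name === "content-type" && !SAFE_TYPES.has(value.split(";")[0].trim().toLowerCase())))
    .map(([name]) => name);
}

// True when the browser sends an OPTIONS preflight before the real request.
function needsPreflight(req) {
  return !SAFE_METHODS.has(req.method) || unsafeHeaders(req.headers).length > 0;
}

// res.headers is an array of [name, value] pairs so duplicates stay visible.
// Returns the list of reasons the browser would reject the preflight.
function checkPreflight(req, res) {
  const values = (name) => res.headers.filter(([n]) => n.toLowerCase() === name).map(([, v]) => v);
  const tokens = (name) => values(name).join(",").split(",").map((t) => t.trim()).filter(Boolean);
  const problems = [];

  const origins = values("access-control-allow-origin");
  if (origins.length === 0) problems.push("missing Access-Control-Allow-Origin");
  else if (origins.length > 1) problems.push("duplicate Access-Control-Allow-Origin");
  else if (origins[0] !== "*" && origins[0] !== req.origin) problems.push("origin not allowed");
  if (res.status < 200 || res.status > 299) problems.push(`preflight status ${res.status}`);

  const methods = tokens("access-control-allow-methods");
  if (!SAFE_METHODS.has(req.method) && !methods.includes(req.method) && !methods.includes("*"))
    problems.push(`method ${req.method} not allowed`);

  // Header names are compared case-insensitively.
  const allowed = tokens("access-control-allow-headers").map((t) => t.toLowerCase());
  for (const name of unsafeHeaders(req.headers))
    if (!allowed.includes(name) && !allowed.includes("*")) problems.push(`header ${name} not allowed`);
  return problems;
}

// Constructed sample: the GET with the custom header from the thread.
const sampleRequest = { origin: "http://portal.example", method: "GET", headers: { "open511-version": "v1" } };
```

A plain GET without the custom header never reaches `checkPreflight` in a browser, which is why the same path worked when the header value was left empty.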