if this feature is enabled, will Tyk do validation on each request? if yes, to which extent validation happens? Will Tyk validate the request method, path, required parameters, headers, field types with restrictions of a json request body, etc?
Where you’ve provided a different endpoint that Tyk is unaware of, the gateway doesn’t automatically assume it knows everything about your upstream service and so will allow that to pass through (see Endpoint Designer).
If you want to restrict the caller to the specific endpoints that you’ve defined in your API, then you need to enable allowList middleware for each of those endpoints (see Endpoint Designer).
If you’ve imported your API to Tyk using the OAS Import function, then the allowList middleware should have been automatically configured - however if you’ve created it within the Tyk OAS API Designer then adding the allowList is left as a deliberate choice for you to make.
Please would you check and apply the allowList middleware to your valid endpoints and see if this then works as you expect?