/tyk/policies endpoint of gateway API returning 404

I set up tyk gateway OSS with docker compose as described in the docs. However, if I try to talk to the /tyk/ploicies endpoint of the gateway API I’m getting 404 page not found as a reply. All other endpoints work as expected and the tyk.conf includes the configuration for policies described in the docs, as to be seen in my config posted below.

Also adding - ./policies/policies.json:/opt/tyk-gateway/policies/policies.json to volumes in docker-compose.yml, in order to use my own policies instead of the standard one generated in case of basic configuration, the same issue occurs.

Thanks in advance for your help!


  "listen_port": 8080,
  "secret": "352d20ee67be67f6340b4c0605b044b7",
  "template_path": "/opt/tyk-gateway/templates",
  "tyk_js_path": "/opt/tyk-gateway/js/tyk.js",
  "middleware_path": "/opt/tyk-gateway/middleware",
  "use_db_app_configs": false,
  "app_path": "/opt/tyk-gateway/apps/",
  "storage": {
    "type": "redis",
    "host": "tyk-redis",
    "port": 6379,
    "username": "",
    "password": "",
    "database": 0,
    "optimisation_max_idle": 2000,
    "optimisation_max_active": 4000
  "enable_analytics": false,
  "analytics_config": {
    "type": "csv",
    "csv_dir": "/tmp",
    "mongo_url": "",
    "mongo_db_name": "",
    "mongo_collection": "",
    "purge_delay": -1,
    "ignored_ips": []
  "health_check": {
    "enable_health_checks": true,
    "health_check_value_timeouts": 60
  "optimisations_use_async_session_write": false,
  "enable_non_transactional_rate_limiter": true,
  "enable_sentinel_rate_limiter": false,
  "enable_redis_rolling_limiter": false,
  "allow_master_keys": false,
  "policies": {
    "policy_source": "file",
    "policy_record_name": "/opt/tyk-gateway/policies/policies.json"
  "hash_keys": true,
  "enable_hashed_keys_listing": true,
  "close_connections": false,
  "http_server_options": {
    "enable_websockets": true
  "allow_insecure_configs": true,
  "coprocess_options": {
    "enable_coprocess": true,
    "coprocess_grpc_server": ""
  "enable_bundle_downloader": true,
  "bundle_base_url": "",
  "global_session_lifetime": 100,
  "force_global_session_lifetime": false,
  "max_idle_connections_per_host": 500,
  "enable_jsvm": true


version: '3.3'
    image: tykio/tyk-gateway:v4.0rc2
      - 8080:8080
      - tyk
      - ./tyk.standalone.conf:/opt/tyk-gateway/tyk.conf
      - ./apps:/opt/tyk-gateway/apps
      - ./middleware:/opt/tyk-gateway/middleware
      - ./certs:/opt/tyk-gateway/certs
      - TYK_GW_SECRET=foo
      - tyk-redis
    image: redis:5.0-alpine
      - tyk
      - 6379:6379

I think the policies gateway endpoint is being introduced in version 4.1.x and above. I am not sure which release candidate version it starts with but I have tested with tykio/tyk-gateway:v4.1.0-rc10 and can confirm that is works.

1 Like

Endpoint works now, thanks a lot!

But now I have issues attaching policies to custom keys. The session object for posting the key (to /tyk/keys/<KEY>) looks like this:

  "access_rights": {
    "1": {
      "api_name": "Tyk Test API",
      "api_id": "1"
  "hmac_enabled": false,
  "hmac_string": "",
  "is_inactive": false,
  "monitor": {
    "trigger_limits": []
  "apply_policy_id": "",
  "apply_policies": [

and policy (obtained by GET /tyk/policies) looks like this:

        "_id": "",
        "id": "TEST_POLICY",
        "name": "TEST_POLICY",
        "org_id": "",
        "rate": 100,
        "per": 1,
        "quota_max": -1,
        "quota_renewal_rate": 0,
        "throttle_interval": 0,
        "throttle_retry_limit": 0,
        "max_query_depth": 0,
        "access_rights": {
            "1": {
                "api_name": "Tyk Test API",
                "api_id": "1",
                "versions": [
                "allowed_urls": null,
                "restricted_types": null,
                "limit": {
                    "rate": 0,
                    "per": 0,
                    "throttle_interval": 0,
                    "throttle_retry_limit": 0,
                    "max_query_depth": 0,
                    "quota_max": -1,
                    "quota_renews": 0,
                    "quota_remaining": 0,
                    "quota_renewal_rate": 0
                "field_access_rights": null,
                "allowance_scope": ""
        "hmac_enabled": false,
        "enable_http_signature_validation": false,
        "active": true,
        "is_inactive": false,
        "tags": null,
        "key_expires_in": 0,
        "partitions": {
            "quota": false,
            "rate_limit": true,
            "complexity": false,
            "acl": false,
            "per_api": false
        "last_updated": "",
        "meta_data": null,
        "graphql_access_rights": null

As indicated by partitions I only want to enforce rate limits. But what I get back is:

    "status": "error",
    "message": "Failed to create key, ensure security settings are correct."

As removing

"apply_policy_id": "",
"apply_policies": [

from the session object, the key is propperly added. Any idea what I’m doing wrong?


I am not sure but could you check if your API definition has an org_id. If it does then the policy would also have to be set with the same thing.

That’s it, thank you very much!!

Any idea when it will be pushed to the stable release? Thx.

I checked internally but could not find an actual release date. I know development is nearly complete and I suspect a release to be any time from July. But I can’t say for certain, so I update the thread around July with an update

@Olu might it make sense to take the policies endpoint in the API docs out of version 4.0 if that’s not included in it?

Hi @jonlink_mf

I’ve created an internal ticket to this end.


Thank you! Would definitely cut down on confusion :slight_smile: