Imported Google Group message.
Date:Friday, 10 April 2015 06:12:24 UTC+1.
NGinX is your friend here, if you are exposing your API via Tyk you'll most likely want the gateway to run on a subdomain or something similar per API (so you don't need to expose the API ID).
As part of the location record that handles the upstream proxy yu could put directives to block access to the REST API by IP.
Hope that helps,