And the ACL entries is API? May be the Tyk isn't API-level quotas and rate limiting?
I think each API has its own rate limiting, but multiple APIs can share a Key rate limiting, Tyk routing, then the first route to their own API rate limiting, if not more than their own API settings, and then route to the Key level rate limiting; That is, API rate limiting and Key rate limiting have a priority.