Tyk + Vault Integration


I want to integrate Tyk with Vault because I need to get secrets that will be injected as a header in the request, I managed to do it with middleware but I saw that there is a way to do it without it (tyk.io/docs/tyk-configuration-reference/kv-store/). But that part “For body transforms and URL rewrites, the prefixes are $ secret_vault., $ Secret_consul. And $ secret_conf.” it wasn’t very clear to me.

The configuration for the vault in the .config file looks like this:

"kv": {
  "vault": {
    "address": "http://host.docker.internal:8200",
    "max_retries": 3,
    "timeout": 30,
    "token": "root",
    "kv_version": 2

If I want to get the secrets via request I use the following address:

engine name: myengine
path: user1

I’m trying to log the secret into the middleware like this:
log ($secret_vault.myengine.user1)
but I’m having the error:
time = “Apr 05 12:18:53” level = error msg = “Failed to run JS middleware” api_id = keyless api_name = “Tyk Test Keyless API” error = “ReferenceError: ‘$ secret_vault’ is not defined” mw = DynamicMiddleware org_id = default origin = path = “/ keyless / get”

Can someone tell me how i can do this?

Marcos Oleiro

Hi @Marcos-Oleiro, thank you for the question. Our team is currently looking at this as well and will get back to you as soon as we can!


I wanna add that im having same error whent i try to log a secret from .conf file, like this:

 //.conf file
 "secrets": {
     "gateway": "secret"

On middleware i’m tryong to access this secret with var a = $secret_conf.gateway.

time=“Apr 05 18:35:20” level=error msg=“Failed to run JS middleware” api_id=keyless api_name=“Tyk Test Keyless API” error=“ReferenceError: ‘$secret_conf’ is not defined” mw=DynamicMiddleware org_id=default origin= path="/keyless/"

So, nothing new about it?

Hi! There is no direct access to secrets from inside the plugin.
The closest thing you can do is to inject secret into HTTP header (using global headers middleware), and then read and remove it via middleware.


Hello @leon, you say like this?

If you want it globally, more like this:

"version_data": {
  "versions": {
    "Default": {
      "name": "Default"
      "global_headers": {
        "Foo": "$secret_conf.gateway"

Does it works with vault too? like “$secret_vault…”

1 Like

Yes! But only nuance here is that header transformation middleware runs between PRE and POST stage tyk/api_loader.go at master · TykTechnologies/tyk · GitHub
E.g. your plugin should be “post” type.

PS. Virtual endpoint will work too.

Got it! If i can do this with transformation/global header i dont even gonna need middleware. Actually i’ve tried to get the values from Vault but didn’t worked out for me. I should use $secret_vault.myengine.user1.senha, where ‘myengine’ is engine’s name, ‘user1’ is the path and ‘senha’ is the key?