Hi @chbaumgaertnerhb @CousinLarry
Thank you for your questions and welcome to the community 
You can use Global Headers to add upstream auth to the original request. The upstream auth keys can be hardcoded in the API definition,
"version_data": {
"versions": {
"Default": {
...
"global_headers": {
"X-Upstream-Auth-Header": "dXBzdHJlYW0tYXV0aGVudGljYXRpb24ta2V5",
},
...
}
}
},
Or stored and retrieved from Secrets Storage.
"version_data": {
"versions": {
"Default": {
...
"global_headers": {
"X-Upstream-Auth-Header": "$secret_conf.upstream_auth_token",
},
...
}
}
},
Either way, the clients wonβt need or see this data when making their requests to Tyk.
Even closer to what you were thinking with keys⦠you can include the upstream auth data as metadata in the keys you issue to your clients. Then when the Tyk API is called using a key, the upstream auth data will be retrieved from the key and added to the request (using $tyk_meta.METADATA_KEY) before sending it upstream.
For situations, like OAuth, where the upstream auth data needs to be generated, a custom plugin would be needed. Please see a similar discussion in this Post.
Hope this helps. Please write back if you have further questions.