URL Rewrite - append URL parameter

I have a simple API set-up, actually pointing towards httpbin. In our actual production API, I need to send an API key which needs to be provided privately (rather than the end-user including it in their GET request).

I thought this could be done via the rewrite tool in endpoint designer and although I can add content to the URL, the original query string keeps getting appended but preceded with a question mark, which means that I end up with 1x question mark and then the ASCII equivalent.

My request URL is:

http://codelocks-ltd.cloud.tyk.io/httpbin/martinget/?apikey=5715edaa35a557000100000d3e26042887534eae4761d5e40eafe7d6

My match pattern is:

get/

and my rewrite is:

get?hello=world&&

The actual URL sent to httpbin ends up as:

http://httpbin.org/get?hello=world&&%3Fapikey=myapikey

How can I get my private parameter (hello=world) simply appended to the query string sent to the server?

You can probably do this with the rewrite, but you will need to write a capture regex that gets all of the params (including key) and then completely rewrite it with the newly captured groups.

Capturing the URL parameters is straightforward; for example, to capture everything after the “?” you can use ?(.*). The problem is that Tyk is appending the original query string by default.

http://httpbin.org/get?myappendedparam=paramvalue&&apikey=myapikey&hello=martin%3Fapikey=myapikey&hello=world

The appended query string is from %3F onwards.

How can I either not have the original query string appended, or, how can I just append a single parameter?

What you need to do is reconstruct the URL with extracted data without appending, so your match pattern could be:

(martinget)\/(\?)(apikey=)([a-zA-Z0-9]+)

Which will give you the following grouping:

We only need group 4 (you may want to refer back to Tyk for this key, or just log it), and your rewrite can then be:

martinget/?tyk-key=$4&hidden-key=YOURKEYHERE

The idea here is you just replace things completely with parameterised groups.

Let me know if that helps.
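
The match pattern and rewrite from the reply above, applied in Go as an added example (not part of the original thread and not Tyk's own code). The `rewrite` helper and the sample requests are assumptions made for illustration; the helper builds the upstream URL only from the captured groups, so a `hidden-key` sent by the client is not carried through.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
)

// Match pattern and rewrite template exactly as given in the reply above.
const matchPattern = `(martinget)\/(\?)(apikey=)([a-zA-Z0-9]+)`
const rewriteTemplate = `martinget/?tyk-key=$4&hidden-key=YOURKEYHERE`

var (
	matchRe = regexp.MustCompile(matchPattern)
	groupRe = regexp.MustCompile(`\$(\d+)`)
)

// rewrite is a hypothetical helper (not Tyk's implementation). It builds the
// upstream path and query only from the template and the captured groups, so
// nothing else the client sent is carried over.
func rewrite(requestURI string) (string, bool) {
	m := matchRe.FindStringSubmatch(requestURI)
	if m == nil {
		return "", false // no match: caller should not forward a rewritten URL
	}
	out := groupRe.ReplaceAllStringFunc(rewriteTemplate, func(ref string) string {
		n, err := strconv.Atoi(ref[1:])
		if err != nil || n >= len(m) {
			return "" // unknown group reference expands to nothing
		}
		return m[n]
	})
	return out, true
}

func main() {
	// Constructed sample requests; the key value is made up.
	for _, uri := range []string{
		"/httpbin/martinget/?apikey=abc123",
		"/httpbin/martinget/?apikey=abc123&hidden-key=fromclient",
		"/httpbin/martinget/",
	} {
		out, ok := rewrite(uri)
		fmt.Printf("%-58q matched=%-5v -> %q\n", uri, ok, out)
	}
}
```

Because group 4 is limited to `[a-zA-Z0-9]+`, the capture stops at the first `&`, which is why the second sample request produces the same upstream URL as the first.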

Martin, you said “probably” in your first reply here. Is there a better/recommended way?

No, not really :-/ Currently parameter injection is only possible with a rewrite.