Hi Robin,
You could store the keys as metadata, but they won’t be encrypted in the token’s session object. For reference, see the meta_data section here https://tyk.io/docs/tyk-rest-api/token-session-object-details/.
For the authentication part, Tyk would be authenticating using the token provided in the request, as per standard auth token authentication, but it would not be using the metadata. It is feasible for the upstream server to authenticate the transformed request.
Regards,
Dave