What's the maximim number of APIs for Tyk-gateway OSS version

I would like to know what’s the maximim number of APIs for Tyk-gateway OSS version. Let’s say I would like to create one API per customer, is that possible?

My scenario is the following: A shared API domain, lets say api.example.com across all the APIs and we use the listening path as a customer ID, multiple APIs can share the same domain, so long as their listen paths are unique:

API-01: api.example.com/customerid01
API-02: api.example.com/customerid02
API-03: api.example.com/customerid03

API-N: api.example.com/customeridN

In this way we can use API-level global rate limit and Quota so every customer can create as many API Keys as they want but all of them will be controlled by the API-level global rate limit and quota stablished per customer.

I don’t know if this is a crazy idea because I’m not sure about how many APIs can be defined or if it’s a bad practice to create many APIs and use the listen path to identify the customer.

Hi @javiertc, welcome to the community.

To answer your question, No. There is no set limit for the amount of APIs you can have. There are only environment limits since the API gets loaded into memory.

Regarding your scenario about using API-level global rate limit to create keys, could you explain a bit further.

Hi @Olu thanks for getting back to me.

I want to provide an API service with different plans. Lets say I’ll have free, dev and pro plan.

  • Free plan will allow 25k request/month with a limit of 5 requests/second
  • Developer 50K request/month with a limit of 20 requests/second
  • Professional 75K request/month with a limit of 40 request/second

My plan is to use Quotas for controlling the amount of request per month. Let’s say a new user comes to my platform creates an account and buys a pro plan, it means he will have 75k req/month in his account. Inside his account he can create different projects, each one represented by a KEY. So it doesn’t matter how may keys he creates, the sum of all the request in his account are capped by the Quota at 75K req/month.

That’s why I need to use API-level global rate limit and Quotes, because Key-level per-API rate limit doesn’t solve my problem of having a user account with several projects inside (each one identified by a key). And that’s why I’m asking if it’s a crazy idea to create an API per customer where all the APIs will have the same domain but the listen_path will be different, it’ll be an ID for a customer, something like api.example.com/e07aa4427d6a47906dc36f168b6a468c/ and for another customer something like
api.example.com/u623aa234ya47906dc36f1682i4o2/ and so on.

I get it now. The way you’ve explained it should work fine.

1 Like

Hi @Olu

I’m having an error creating a key and I’m not sure why, if you can help me with this that would be awesome, don’t know what I’m missing.

This is the error I get when I’m trying to create a Key for the API:

    "status": "error",
    "message": "Failed to create key - attempting to apply policy from different organisation to key, skipping"

API configuration

    "name": "customer001",
    "api_id": "988167b8b88b42056033b3c3a69fd614",
    "org_id": "customer001",
    "id": "6136a5407fb58700010858fe",
    "active": true,
    "auth": {
        "auth_header_name": "authorization",
        "use_param": false,
        "param_name": "",
        "use_cookie": false,
        "cookie_name": ""
    "disable_quota": false,
    "cache_options": {
      "cache_timeout": 60,
      "enable_cache": true,
      "cache_all_safe_requests": false,
      "cache_response_codes": [],
      "enable_upstream_cache_control": false,
      "cache_control_ttl_header": "",
      "cache_by_headers": []
    "enable_batch_request_support": true,
    "definition": {
        "location": "url",
        "key": "v1",
        "strip_path": false
    "version_data": {
        "not_versioned": false,
        "default_version": "v1",
        "versions": {
            "v1": {
                "name": "v1",
                "expires": "",
                "paths": {
                    "ignored": [],
                    "white_list": [],
                    "black_list": []
                "use_extended_paths": true,
                "extended_paths": {},
                "global_headers": {},
                "global_headers_remove": [],
                "global_response_headers": {},
                "global_response_headers_remove": [],
                "ignore_endpoint_case": false,
                "global_size_limit": 0,
                "override_target": ""
    "proxy": {
        "preserve_host_header": true,
        "listen_path": "/988167b8b88b42056033b3c3a69fd614/",
        "target_url": "",
        "disable_strip_slash": true,
        "strip_listen_path": false,
        "enable_load_balancing": true,
        "target_list": [
        "check_host_against_uptime_tests": false,
        "service_discovery": {
            "use_discovery_service": false,
            "query_endpoint": "",
            "use_nested_query": false,
            "parent_data_path": "",
            "data_path": "",
            "port_data_path": "",
            "target_path": "",
            "use_target_list": false,
            "cache_timeout": 0,
            "endpoint_returns_list": false
        "transport": {
            "ssl_insecure_skip_verify": false,
            "ssl_ciphers": [],
            "ssl_min_version": 0,
            "ssl_max_version": 0,
            "ssl_force_common_name_check": false,
            "proxy_url": ""
    "domain": "api.example.com",
    "global_rate_limit": {
        "rate": 10,
        "per": 60
    "protocol": "https",
    "listen_port": 0,
    "strip_auth_data": false

Policy configuration in /policies/policies.json

   "free": {
     "rate": 10,
     "per": 60,
     "quota_max": 15,
     "quota_remaining": 15,
     "quota_renewal_rate": 120,
     "access_rights": {
       "988167b8b88b42056033b3c3a69fd614": {
         "apiname": "customer001",
         "apiid": "988167b8b88b42056033b3c3a69fd614",
         "versions": [
         "allowed_urls": []
     "name": "Free plan",
     "active": true,
     "is_inactive": false,
     "tags": [],
     "key_expires_in": 0

Generate key JSON body

    "is_inactive": false,
    "access_rights": {
        "988167b8b88b42056033b3c3a69fd614": {
            "api_name": "customer001",
            "api_id": "988167b8b88b42056033b3c3a69fd614",
            "versions": [
            "allowed_urls": [],
            "limit": null,
            "allowance_scope": ""
    "apply_policies": [

You might need to add an org_id to the record, and that org_id needs to match the one in your API Definitions.

Not sure if there are some required fields but you could use Policies Guide (tyk.io) as reference

Hi @Olu, thanks for getting back to me. I’ve disabled org_id everywhere and now it works fine. I don’t think I’ll need to define orgs. Thanks

That’s good to know. Glad I could help.