Tyk-Gateway:
On the above line, which eventually goes to tyk.conf, we have a shared secret which is defined statically. The question is: why?
Appreciate your take/response to the above Q.
Thank you.
Hi Deep-Patel,
The static secret you see in the Tyk source code is there as a default to make local development and testing easy, basically to simplify initial setup. However, this value is only a placeholder and it may not be secure for production use.
This secret is critical for securing API access and internal communications. Leaving the default value unchanged could put your system at risk. It’s essentially a placeholder that must be replaced before deploying to any public or production environment.
For any real-world deployment, you may:
- Generate a strong secret
- Set it in either your tyk.conf file or the TYK_GW_SECRET environment variable. You could check this (Key Value Secrets Storage for Configuration in Tyk) for supported Key Value Secrets Storage for Configurations in Tyk
Thanks Isaac. It all makes sense.
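A pre-deployment check for the two steps in the answer above, as an added example that is not part of the original thread or Tyk's own code: it generates a secret and audits the value the gateway would actually use. Assumptions: the `secret` key in tyk.conf, TYK_GW_SECRET taking precedence over the file when set, the 32-character minimum, and the `REPLACE_ME_DEFAULT` placeholder standing in for whatever default your Tyk version ships.

```python
import json
import secrets

MIN_LEN = 32  # assumed policy threshold, not a Tyk requirement


def generate_secret(nbytes=32):
    """Return a random hex secret from the OS CSPRNG (64 hex chars by default)."""
    return secrets.token_hex(nbytes)


def effective_secret(conf_text, env):
    """Resolve the secret in use: TYK_GW_SECRET, when set, wins over tyk.conf."""
    return env.get("TYK_GW_SECRET") or json.loads(conf_text).get("secret", "")


def audit_secret(conf_text, env, known_defaults):
    """Return a list of findings; an empty list means the secret passes."""
    value = effective_secret(conf_text, env)
    findings = []
    if not value:
        findings.append("no secret configured")
        return findings
    if value in known_defaults:
        findings.append("secret is a shipped default/placeholder")
    if len(value) < MIN_LEN:
        findings.append(f"secret shorter than {MIN_LEN} characters")
    if len(set(value)) < 8:
        findings.append("secret has very few distinct characters")
    return findings


# Constructed sample input: a tyk.conf fragment still carrying a placeholder.
SAMPLE_CONF = '{"listen_port": 8080, "secret": "REPLACE_ME_DEFAULT"}'
# Hypothetical placeholder; fill this set from the defaults your version ships.
KNOWN_DEFAULTS = {"REPLACE_ME_DEFAULT"}

if __name__ == "__main__":
    # The file alone: flagged as a default and as too short.
    print(audit_secret(SAMPLE_CONF, {}, KNOWN_DEFAULTS))
    # The same file with a generated secret supplied through the environment.
    env = {"TYK_GW_SECRET": generate_secret()}
    print(audit_secret(SAMPLE_CONF, env, KNOWN_DEFAULTS))
```

Run it in CI against the rendered tyk.conf and the deployment's environment so that a build still carrying a placeholder fails before release.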