X-tyk-authorization in TYK Key Management API

According to the OAuth 2.0 flow in //tyk.io/docs/basic-config-and-security/security/authentication-authorization/oauth-2-0/

For example, the Access token flow (e.g. mobile apps, single-page web apps)

Step 5 requires the TYK REST API /tyk/oauth/authorize-client/ to generate the access code/token for access purposes.

According to the Key Management API in https://tyk.io/docs/tyk-rest-api/oauth-key-management/

it requires x-tyk-authorization, which is the node secret of the TYK gateway. I wonder why it does not use the client ID/secret. It means the client app is required to keep the TYK node secret, and if someone gets this node secret, they can call the TYK REST API to authorize the client.
Is there any security issue in this step? Please correct me if I am wrong. Thanks

Step 5 is a call made from the authorization server to Tyk to confirm that the client is authorized, so the client should not have visibility of the call. The client id is included in the request body.

The code returned can then be used to generate an API token, which can be done client side (step 8).
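An added example of the server side of step 5, not code from the thread or from Tyk: a hypothetical authorization-server helper that makes the back-channel call to /tyk/oauth/authorize-client/ with the node secret in the x-tyk-authorization header and the client id in the form body, so the secret never reaches the client. It assumes the gateway URL, the `TYK_NODE_SECRET` environment variable name, the sample `key_rules` session object, and that the gateway's JSON reply carries a `redirect_to` field.

```python
import json
import os
from urllib.parse import urlencode, urljoin
from urllib.request import Request, urlopen

# Constructed sample session rules applied to the key Tyk will mint for the
# client; the field values are placeholders, not from the thread.
SAMPLE_KEY_RULES = {
    "allowance": 1000, "rate": 1000, "per": 60, "expires": -1,
    "quota_max": -1, "quota_renews": 0, "quota_remaining": -1,
    "quota_renewal_rate": 60, "access_rights": {},
}


def build_authorize_client_request(gateway_url, node_secret, client_id,
                                   redirect_uri, key_rules,
                                   response_type="code"):
    """Return (url, headers, body) for POST /tyk/oauth/authorize-client/.

    The node secret travels only in the x-tyk-authorization header of this
    server-to-gateway call; the OAuth client id goes in the form body.
    """
    body = urlencode({
        "response_type": response_type,
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "key_rules": json.dumps(key_rules),
    }).encode()
    headers = {
        "x-tyk-authorization": node_secret,
        "Content-Type": "application/x-www-form-urlencoded",
    }
    url = urljoin(gateway_url, "/tyk/oauth/authorize-client/")
    return url, headers, body


def authorize_client(gateway_url, client_id, redirect_uri,
                     key_rules=SAMPLE_KEY_RULES):
    """Perform the back-channel call and return the redirect target Tyk
    hands back (assumed to be the ``redirect_to`` field of its JSON reply).

    The secret is read from the environment of the authorization server, so
    client-side code never holds it; the client only receives the redirect.
    """
    node_secret = os.environ["TYK_NODE_SECRET"]  # hypothetical variable name
    url, headers, body = build_authorize_client_request(
        gateway_url, node_secret, client_id, redirect_uri, key_rules)
    req = Request(url, data=body, headers=headers, method="POST")
    with urlopen(req) as resp:
        return json.load(resp)["redirect_to"]
```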

Thanks @david. I misunderstood the concept of Step 5 before. Got it now.

@david I have been trying to implement the GitHub - coliquio/tyk-gateway-prometheus-exporter: Tyk-API-Gateway Prometheus Exporter with Tyk, but I can't seem to find the TYK management APIs. Are they deprecated? If yes, then what are my alternatives?

No, the management APIs are not deprecated.

You can find the API reference documentation here: