Introduction
Theoauth2 security scheme lets Tyk Gateway validate bearer tokens issued by an external OAuth 2.0 or OIDC provider. The scheme integrates scope enforcement, Protected Resource Metadata (PRM) publishing, and RFC 8693 token exchange into a single API-level declaration driven by your OpenAPI description.
How it fits with other OAuth options
Tyk offers three distinct OAuth-related client authentication mechanisms:- Tyk OAuth 2.0: Tyk Gateway acts as the authorization server, issuing and managing tokens itself. See Tyk OAuth 2.0.
oauth2security scheme (this page): Tyk enforces scopes and can publish a PRM document for tokens issued by an external IdP.- External OAuth (deprecated): A previous mechanism for external IdP integration, deprecated in Tyk 5.7.0. If you are using the
externalOAuthServerblock, theoauth2scheme is its replacement. Migration requires manual reconfiguration; there is no automatic migration forexternalOAuthServerconfigs.
Configure the oauth2 scheme
Theoauth2 scheme is declared in two places: the standard OAS components.securitySchemes section, and the Tyk Vendor Extension (x-tyk-api-gateway).
OAS security scheme declaration
Incomponents.securitySchemes, declare the scheme with type: oauth2 and define the OAuth 2.0 flows your IdP supports. The scopes declared in flows serve as the documented catalog for your API and are used to populate the PRM document’s scopes_supported field.
idpAuth in this example) is used throughout the document to reference this scheme in security: arrays and in the Tyk Vendor Extension.
Tyk Vendor Extension
Enable the scheme in thex-tyk-api-gateway extension using the matching scheme name:
enabled: true and the header block configured, Tyk reads the bearer token from the specified header. To add scope enforcement, PRM, or token exchange, extend the block as described in the sections below.
To read the token from a different header, cookie, or query parameter, add the matching header, cookie, or query block. For example, to read from a custom header:
Apply the scheme to operations
Reference the scheme in the OASsecurity: array to require it for all operations on the API, or on individual operations:
[api:read]), they become the required scopes for that operation when scope enforcement is enabled.
Apply the scheme to MCP primitives
MCP primitives (tools, resources, and prompts) have no OAS path entries of their own, so their security requirements are declared in the Tyk Vendor Extension rather than underpaths. The structure mirrors the OAS security: array exactly:
security: declarations, subject to the same scopeSource rules. The root-level security: array still applies as a fallback when a primitive carries no security entry of its own.
Scope enforcement
Scope enforcement checks that the inbound token carries the scopes required by the matched operation’ssecurity: declaration. Configure it under scopeCheck in the scheme block:
Scope enforcement reads claims from the inbound bearer token at request time. The
oauth2 scheme does not validate the token’s JWT signature itself in Tyk 5.14.0. JWT authentication must be configured on the API so that the inbound token is verified before scope check runs. Without a JWT auth method configured, Tyk’s auth chain will reject the request before scope enforcement is reached.403 Forbidden with a WWW-Authenticate challenge containing error="insufficient_scope".
Scope check fields
Scope source modes
scopeSource controls which security: declarations Tyk enforces against:
union(default): Merges per-operation and rootsecurity:alternatives. A request passes if it satisfies any one alternative from the combined set.operation: Only the matched operation’ssecurity:array applies. The rootsecurity:array is ignored.global: Only the rootsecurity:array applies, uniformly across every operation on this API.
Per-operation and per-MCP-primitive overrides
You can exempt individual operations or MCP primitives from scope enforcement by settingenabled: false on the operation or primitive:
Protected Resource Metadata
Protected Resource Metadata (PRM) is a discovery document defined in RFC 9728 that tells OAuth 2.0 clients where to obtain a token and which scopes the resource accepts. Tyk publishes this document from theoauth2 scheme configuration, serving it at a well-known path on the API.
Configure PRM under protectedResourceMetadata in the scheme block:
{listenPath}/{wellKnownPath}. The default well-known path is .well-known/oauth-protected-resource.
PRM fields
Migration
Prior to Tyk 5.14.0, Protected Resource Metadata was configured at the root-levelauthentication.protectedResourceMetadata block. It is now configured under the oauth2 security scheme at authentication.securitySchemes[name].protectedResourceMetadata.
When Tyk Dashboard starts, it automatically migrates existing configurations across all OAS API definitions. No manual action is required. The migration is non-destructive: it skips any API where the new block already exists. If both locations are present, the scheme-level block takes precedence.
Token exchange
Token exchange (RFC 8693) is a client authentication feature that replaces the inbound token with a backend-scoped token before forwarding the request upstream. It is configured within theoauth2 scheme but operates in the upstream authentication phase, after scope enforcement and before the reverse proxy.
Token exchange is Enterprise Edition only. For full configuration details, see Token exchange.