Installation and Setup

​

Prerequisites

​

License Requirements

• Valid Tyk license with Governance feature enabled

​

System Requirements

• No local system requirements as Tyk Governance is fully hosted and managed by Tyk in the cloud

• Minimum 1 CPU core
• 512MB RAM
• 1GB available disk space
• Linux-based operating system (Ubuntu 18.04+, CentOS 7+, or equivalent)
• Docker (if using containerized deployment)
• Kubernetes (optional, for orchestrated deployments)

​

Permission Requirements

• Read access to your API providers (Tyk, AWS API Gateway, etc.)
• Ability to create and manage containers or services in your environment
• Network configuration permissions to establish outbound connections
• Permission to create and manage secrets for storing API credentials

​

Network Requirements

• Inbound access from the Tyk Governance Hub (default 50051 for gRPC)
• Outbound access to your API providers
• Outbound HTTPS (port 443) access to the Tyk Governance Hub
• If API Provider gateways run on different networks, network routes must allow the agent to communicate with those networks

​

System Architecture

​

High-Level Architecture

​

Deployment Models

​

Tyk Cloud with Automatic Agent

• You exclusively use Tyk Cloud for API management
• You want the simplest possible setup with minimal configuration
• You don’t have any APIs on other platforms that need governance

​

Tyk Cloud with Customer-Deployed Agents

• You use self-managed Tyk deployments (not Tyk Cloud)
• You use AWS API Gateway or other supported providers
• You need to govern APIs across providers that aren’t in Tyk Cloud

​

Hybrid Deployment

• You use a combination of Tyk Cloud and other API platforms
• You have a mix of cloud and on-premises API deployments
• You need comprehensive governance across your entire API ecosystem

​

Installation

​

Requesting Access to Tyk Governance

1. Contact Tyk for Access
   • Reach out to your Tyk Account Manager or visit tyk.io/contact-book-a-demo
   • Specify that you’re interested in access to Tyk Governance
   • Provide information about your current API management environment
2. Receive Access Credentials
   • After your request is processed, you’ll receive an email with:
     • URL to access the Tyk Governance Hub
     • Admin credentials for initial login
     • Instructions for next steps
3. Initial Login
   • Navigate to the provided Governance Hub URL
   • Enter the admin credentials from the email
   • You’ll be prompted to change your password on first login

​

Enabling Governance Feature for Cloud Control Planes

1. Log in to Tyk Cloud Dashboard
   • Navigate to your Tyk Cloud dashboard
   • Ensure you have administrative privileges
2. Access Control Plane Settings
   • Select the Control Plane you want to enable governance for
   • Click on “Edit Details” button
3. Enable Governance Feature
   • Locate the “Governance Agent” toggle
   • Enable the feature
   • Save your changes
4. Verification
   • An agent will be automatically deployed for your Tyk Control Plane
   • You can now access the Governance dashboard via “Governance” in the Cloud UI sidebar

​

Installing a Local Agent

• Access to the Governance Hub to generate agent tokens
• Network connectivity between the agent and both the Governance Hub and your API provider
• Docker or Kubernetes for container-based deployment (recommended)

​

Generate Agent Token from Governance Hub UI

1. From the Agents page, click the New agent button in the top-right corner.

2. In the New agent form, enter:
   • Name: A descriptive name for the agent (required)
   • Description: Details about the agent’s purpose or location (required)
   Click Create agent to save the new agent.
3. Click “Generate new access token”
4. Use the copy icon to copy the token to your clipboard

​

Generate Agent Token using API

1. Obtain an API Key:
   • Log in to the Governance Hub using the credentials provided in your welcome email
   • Check your Access key under the “Settings > User Profile” section
   
2. Create an Agent using the API:
   Copy

   Ask AI

   # Replace these values with your actual information
   GOVERNANCE_URL="https://your-governance-instance.tyk.io"
   API_KEY="your-access-key"
   AGENT_NAME="My AWS Agent (US)"
   
   # Create agent first
   curl -s -X POST --location "${GOVERNANCE_URL}/api/agents/" \
     -H "X-API-Key: ${API_KEY}" \
     -H "Content-Type: application/json" \
     -d '{
       "name": "'"${AGENT_NAME}"'"
     }'
   

   Example response that shows an agent is created in INACTIVE state:
   Copy

   Ask AI

   {
     "id": "a51d9bd0-bafe-4749-8285-e18641b151f2",
     "name": "My AWS agent (US)",
     "description": "",
     "last_heartbeat": "0001-01-01T00:00:00Z",
     "status": "inactive",
     "providers": null,
     "token": "",
     "version": ""
   }
   

   Copy

   Ask AI

   # Extract agent ID from response
   AGENT_ID="a51d9bd0-bafe-4749-8285-e18641b151f2"
   

3. Generate an Agent Token using the API: Now you can generate an access token for the agent.
   Copy

   Ask AI

   # API call to create an agent token
   curl -X POST "${GOVERNANCE_URL}/api/auth/token/" \
     -H "X-API-Key: ${API_KEY}" \
     -H "Content-Type: application/json" \
     -d '{
       "agent_id": "'"${AGENT_ID}"'"
     }'
   

   Example response:
   Copy

   Ask AI

   {
     "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
   }
   

4. Save the token securely:
   • Copy the token value from the response
   • Store it securely, as you’ll need it for agent configuration
   • Note: This token cannot be retrieved later, so make sure to save it

​

Prepare Configuration

#==============================================================================
# Tyk Governance Agent Configuration
#==============================================================================

# Your Tyk Governance license key - required for agent authentication
# This is provided by Tyk when you subscribe to the Governance service
licenseKey: "your-tyk-governance-license-key"

# Configuration for connecting to the Tyk Governance dashboard/service
governanceDashboard:
  server:
    # The gRPC endpoint URL of the Tyk Governance service
    # Format: hostname:port (without protocol)
    # This is in the format of prefixing "grpc-" to your Governance Hub URL.
    url: "grpc-your-governance-instance.tyk.io:443"
  
  auth:
    # Authentication token for this agent
    # Generated via API call to /auth/token endpoint
    # This token identifies and authorizes this specific agent
    token: "my-agent-token"

#==============================================================================
# API Provider Configurations
#==============================================================================
# List of API providers this agent will connect to
# Each agent can connect to multiple providers of different types
instances:
  #--------------------------------------------------------------------------
  # Tyk Provider Configuration
  #--------------------------------------------------------------------------
  - name: "tyk-provider"  # Descriptive name for this provider instance
    type: "tyk"           # Provider type: must be "tyk" for Tyk Dashboard
    config:
      # The URL of your Tyk Dashboard
      # For Kubernetes deployments, this might be an internal service URL
      host: "http://dashboard-svc-tyk-stack-tyk-dashboard.tyk.svc.cluster.local:3000"
      
      # API key with read access to the Tyk Dashboard
      # Can be obtained in Tyk Dashboard under "User" > "User Details": "Tyk Dashboard API Access Credentials"
      # Requires read permissions for APIs and policies
      auth: "your-auth-key"
  
  #--------------------------------------------------------------------------
  # AWS API Gateway Provider Configuration
  #--------------------------------------------------------------------------
  - name: "aws-provider"  # Descriptive name for this AWS API Gateway instance
    type: "aws"           # Provider type: must be "aws" for AWS API Gateway
    config:
      # AWS IAM credentials with permissions to list and get API Gateway resources
      # Recommended: Use an IAM role with minimal required permissions
      accessKeyId: "your-aws-access-key-id"
      accessKeySecret: "your-aws-access-key-secret"
      
      # AWS region where your API Gateway APIs are deployed
      # Example: us-east-1, eu-west-1, ap-southeast-2, etc.
      region: "us-east-1"
      
      # Optional: Temporary session token if using temporary credentials
      # Required only when using AWS STS temporary credentials
      sessionToken: "your-aws-session-token"

#==============================================================================
# Agent Settings
#==============================================================================

# Log level controls verbosity of agent logs
# Options: debug, info, warn, error
# Recommended: info for production, debug for troubleshooting
logLevel: debug

# Health probe configuration for monitoring agent health
# Used by container orchestration systems like Kubernetes
healthProbe:
  server:
    # Port on which the health probe server will listen
    # Ensure this port is not used by other services
    port: 5959

​

Deploy the Agent

# Replace it with your Tyk Governance license key
LICENSE_KEY="tyk-governance-license-key"

# Replace with an available version tag
VERSION="latest"

docker run -d --name tyk-governance-agent \
  -v $(pwd)/agent-config.yaml:/app/config.yaml \
  -e TYK_AGENT_LICENSEKEY="$LICENSE_KEY" \
  tykio/governance-agent:$VERSION

1. Create a Kubernetes secret for the configuration:

kubectl create secret generic agent-config \
  --from-file=config.yaml=./agent-config.yaml \
  -n your-namespace

2. Apply the following manifest:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: governance-agent
  namespace: your-namespace # Replace with your namespace
spec:
  replicas: 1
  selector:
    matchLabels:
      app: tyk-governance-agent
  template:
    metadata:
      labels:
        app: tyk-governance-agent
    spec:
      containers:
      - name: agent
        image: tykio/governance-agent:latest # Replace with an available version tag
        env:
        - name: TYK_AGENT_LICENSEKEY
          value: your-governance-license #Replace with your license key
        ports:
        - name: health
          containerPort: 5959
          protocol: TCP
        livenessProbe:
          httpGet:
            path: /health
            port: health
        readinessProbe:
          httpGet:
            path: /live
            port: health
        volumeMounts:
        - mountPath: /app/config.yaml
          name: agent-config
          subPath: config.yaml
      volumes:
      - name: agent-config
        secret:
          secretName: agent-config
          items:
          - key: config.yaml
            path: config.yaml

kubectl apply -f agent-deployment.yaml

​

Verify Agent Connection

1. Check if the agent is running properly:
   Copy

   Ask AI

   # For Docker
   docker logs tyk-governance-agent
   
   # For Kubernetes
   kubectl logs -l app=tyk-governance-agent -n your-namespace
   

2. Look for log messages indicating a successful connection:
   Copy

   Ask AI

   Starting license validation... 
   License validated successfully. Valid till: ...
   starting agent
   agent started successfully
   waiting agent to establish health check
   starting health probes HTTP server","addr":":5959
   authenticated and established health stream
   health check established, waiting for sync stream
   agent registered successfully and established sync stream with governance dashboard
   waiting for sync requests from the dashboard
   

​

Trigger Initial Sync

1. In the Governance Hub, navigate to “API Repository”
2. Click the “ReSync” button to initiate synchronisation

3. Monitor the sync progress in the UI or refresh the page manually.

​

Examples

​

Example 1: Tyk Cloud with Automatic Agent

1. Requesting Access to Tyk Governance
2. Enable the Governance feature in Tyk Cloud Control Plane as described in Enabling Governance Feature for Cloud Control Planes
3. Wait for automatic agent deployment
4. Access the Governance Hub from the Cloud UI sidebar
5. Navigate to “API Repository” to view your automatically discovered APIs
6. Trigger “ReSync” to pull updates from the control planes

• All APIs from your Tyk Control Plane will be automatically discovered and displayed in the API Repository

​

Example 2: Multi-Platform Governance with Custom Agents

1. Requesting Access to Tyk Governance
2. Generate agent tokens for each provider as described in Installing a Local Agent
3. Create configuration files for each agent
4. Deploy each agent using Docker or Kubernetes as described in Installing a Local Agent
5. Verify agent connections
6. Access the Governance Hub with the provided URL
7. Navigate to “API Repository” to view your automatically discovered APIs
8. Trigger “ReSync” to pull updates from all agents

• APIs from all providers will be discovered and displayed in a unified repository