You can use environment variables to override the config file for the Tyk Gateway. The Gateway configuration file can be found in the tyk-gateway folder and by default is called tyk.conf, though it can be renamed and specified using the --conf flag. Environment variables are created from the dot notation versions of the JSON objects contained with the config files. To understand how the environment variables notation works, see Environment Variables. All the Gateway environment variables have the prefix TYK_GW_. The environment variables will take precedence over the values in the configuration file.

tyk lint

In v2.4 we have added a new tyk lint command which will validate your tyk.conf file and validate it for syntax correctness, misspelled attribute names or format of values. The Syntax can be: tyk lint or tyk --conf=path lint If --conf is not used, the first of the following paths to exist is used: ./tyk.conf /etc/tyk/tyk.conf

hostname

ENV: TYK_GW_HOSTNAME
Type: string
 Force your Gateway to work only on a specific domain name. Can be overridden by API custom domain.

listen_address

ENV: TYK_GW_LISTENADDRESS
Type: string
 If your machine has multiple network devices or IPs you can force the Gateway to use the IP address you want.

listen_port

ENV: TYK_GW_LISTENPORT
Type: int
 Setting this value will change the port that Tyk listens on. Default: 8080.

control_api_hostname

ENV: TYK_GW_CONTROLAPIHOSTNAME
Type: string
 Custom hostname for the Control API

control_api_port

ENV: TYK_GW_CONTROLAPIPORT
Type: int
 Set this to expose the Tyk Gateway API on a separate port. You can protect it behind a firewall if needed. Please make sure you follow this guide when setting the control port https://tyk.io/docs/tyk-self-managed/#change-your-control-port.

secret

ENV: TYK_GW_SECRET
Type: string
 This should be changed as soon as Tyk is installed on your system. This value is used in every interaction with the Tyk Gateway API. It should be passed along as the X-Tyk-Authorization header in any requests made. Tyk assumes that you are sensible enough not to expose the management endpoints publicly and to keep this configuration value to yourself.

node_secret

ENV: TYK_GW_NODESECRET
Type: string
 The shared secret between the Gateway and the Dashboard to ensure that API Definition downloads, heartbeat and Policy loads are from a valid source.

pid_file_location

ENV: TYK_GW_PIDFILELOCATION
Type: string
 Linux PID file location. Do not change unless you know what you are doing. Default: /var/run/tyk/tyk-gateway.pid

allow_insecure_configs

ENV: TYK_GW_ALLOWINSECURECONFIGS
Type: bool
 Can be set to disable Dashboard message signature verification. When set to true, public_key_path can be ignored.

public_key_path

ENV: TYK_GW_PUBLICKEYPATH
Type: string
 While communicating with the Dashboard. By default, all messages are signed by a private/public key pair. Set path to public key.

allow_remote_config

ENV: TYK_GW_ALLOWREMOTECONFIG
Type: bool
 Allow your Dashboard to remotely set Gateway configuration via the Nodes screen.

security

Global Certificate configuration

security.private_certificate_encoding_secret

ENV: TYK_GW_SECURITY_PRIVATECERTIFICATEENCODINGSECRET
Type: string
 Set the AES256 secret which is used to encode certificate private keys when they uploaded via certificate storage

security.control_api_use_mutual_tls

ENV: TYK_GW_SECURITY_CONTROLAPIUSEMUTUALTLS
Type: bool
 Enable Gateway Control API to use Mutual TLS. Certificates can be set via security.certificates.control_api section

security.pinned_public_keys

ENV: TYK_GW_SECURITY_PINNEDPUBLICKEYS
Type: map[string]string
 Specify public keys used for Certificate Pinning on global level.

security.certificates.upstream

ENV: TYK_GW_SECURITY_CERTIFICATES_UPSTREAM
Type: map[string]string
 Upstream is used to specify the certificates to be used in mutual TLS connections to upstream services. These are set at gateway level as a map of domain -> certificate id or path. For example if you want Tyk to use the certificate ab23ef123 for requests to the example.com upstream and /certs/default.pem for all other upstreams then: In tyk.conf you would configure "security": {"certificates": {"upstream": {"*": "/certs/default.pem", "example.com": "ab23ef123"}}} And if using environment variables you would set this to *:/certs/default.pem,example.com:ab23ef123.

security.certificates.control_api

ENV: TYK_GW_SECURITY_CERTIFICATES_CONTROLAPI
Type: []string
 Certificates used for Control API Mutual TLS

security.certificates.dashboard_api

ENV: TYK_GW_SECURITY_CERTIFICATES_DASHBOARD
Type: []string
 Used for communicating with the Dashboard if it is configured to use Mutual TLS

security.certificates.mdcb_api

ENV: TYK_GW_SECURITY_CERTIFICATES_MDCB
Type: []string
 Certificates used for MDCB Mutual TLS

http_server_options

Gateway HTTP server configuration

http_server_options.read_timeout

ENV: TYK_GW_HTTPSERVEROPTIONS_READTIMEOUT
Type: int
 API Consumer -> Gateway network read timeout. Not setting this config, or setting this to 0, defaults to 120 seconds

http_server_options.write_timeout

ENV: TYK_GW_HTTPSERVEROPTIONS_WRITETIMEOUT
Type: int
 API Consumer -> Gateway network write timeout. Not setting this config, or setting this to 0, defaults to 120 seconds

http_server_options.use_ssl

ENV: TYK_GW_HTTPSERVEROPTIONS_USESSL
Type: bool
 Set to true to enable SSL connections

http_server_options.enable_http2

ENV: TYK_GW_HTTPSERVEROPTIONS_ENABLEHTTP2
Type: bool
 Enable HTTP2 protocol handling

http_server_options.enable_strict_routes

ENV: TYK_GW_HTTPSERVEROPTIONS_ENABLESTRICTROUTES
Type: bool
 EnableStrictRoutes changes the routing to avoid nearest-neighbour requests on overlapping routes
  • if disabled, /apple will route to /app, the current default behavior,
  • if enabled, /app only responds to /app, /app/ and /app/* but not /apple
Regular expressions and parameterized routes will be left alone regardless of this setting.

http_server_options.enable_path_prefix_matching

ENV: TYK_GW_HTTPSERVEROPTIONS_ENABLEPATHPREFIXMATCHING
Type: bool
 EnablePathPrefixMatching changes how the gateway matches incoming URL paths against routes (patterns) defined in the API definition. By default, the gateway uses wildcard matching. When EnablePathPrefixMatching is enabled, it switches to prefix matching. For example, a defined path such as /json will only match request URLs that begin with /json, rather than matching any URL containing /json. The gateway checks the request URL against several variations depending on whether path versioning is enabled:
  • Full path (listen path + version + endpoint): /listen-path/v4/json
  • Non-versioned full path (listen path + endpoint): /listen-path/json
  • Path without version (endpoint only): /json
For patterns that start with /, the gateway prepends ^ before performing the check, ensuring a true prefix match. For patterns that start with ^, the gateway will already perform prefix matching so EnablePathPrefixMatching will have no impact. This option allows for more specific and controlled routing of API requests, potentially reducing unintended matches. Note that you may need to adjust existing route definitions when enabling this option. Example: With wildcard matching, /json might match /api/v1/data/json. With prefix matching, /json would not match /api/v1/data/json, but would match /json/data. Combining EnablePathPrefixMatching with EnablePathSuffixMatching will result in exact URL matching, with /json being evaluated as ^/json$.

http_server_options.enable_path_suffix_matching

ENV: TYK_GW_HTTPSERVEROPTIONS_ENABLEPATHSUFFIXMATCHING
Type: bool
 EnablePathSuffixMatching changes how the gateway matches incoming URL paths against routes (patterns) defined in the API definition. By default, the gateway uses wildcard matching. When EnablePathSuffixMatching is enabled, it switches to suffix matching. For example, a defined path such as /json will only match request URLs that end with /json, rather than matching any URL containing /json. The gateway checks the request URL against several variations depending on whether path versioning is enabled:
  • Full path (listen path + version + endpoint): /listen-path/v4/json
  • Non-versioned full path (listen path + endpoint): /listen-path/json
  • Path without version (endpoint only): /json
For patterns that already end with $, the gateway will already perform suffix matching so EnablePathSuffixMatching will have no impact. For all other patterns, the gateway appends $ before performing the check, ensuring a true suffix match. This option allows for more specific and controlled routing of API requests, potentially reducing unintended matches. Note that you may need to adjust existing route definitions when enabling this option. Example: With wildcard matching, /json might match /api/v1/json/data. With suffix matching, /json would not match /api/v1/json/data, but would match /api/v1/json. Combining EnablePathSuffixMatching with EnablePathPrefixMatching will result in exact URL matching, with /json being evaluated as ^/json$.

http_server_options.ssl_insecure_skip_verify

ENV: TYK_GW_HTTPSERVEROPTIONS_SSLINSECURESKIPVERIFY
Type: bool
 Disable TLS verification. Required if you are using self-signed certificates.

http_server_options.enable_websockets

ENV: TYK_GW_HTTPSERVEROPTIONS_ENABLEWEBSOCKETS
Type: bool
 Enabled WebSockets and server side events support

http_server_options.certificates

ENV: TYK_GW_HTTPSERVEROPTIONS_CERTIFICATES
Type: CertsData
 Deprecated: Use ssl_certificatesinstead.

http_server_options.ssl_certificates

ENV: TYK_GW_HTTPSERVEROPTIONS_SSLCERTIFICATES
Type: []string
 Index of certificates available to the Gateway for use in client and upstream communication. The string value in the array can be two of the following options:
  1. The ID assigned to and used to identify a certificate in the Tyk Certificate Store
  2. The path to a file accessible to the Gateway. This PEM file must contain the private key and public certificate pair concatenated together.

http_server_options.server_name

ENV: TYK_GW_HTTPSERVEROPTIONS_SERVERNAME
Type: string
 Start your Gateway HTTP server on specific server name

http_server_options.min_version

ENV: TYK_GW_HTTPSERVEROPTIONS_MINVERSION
Type: uint16
 Minimum TLS version. Possible values: https://tyk.io/docs/api-management/certificates#supported-tls-versions

http_server_options.max_version

ENV: TYK_GW_HTTPSERVEROPTIONS_MAXVERSION
Type: uint16
 Maximum TLS version.

http_server_options.skip_client_ca_announcement

ENV: TYK_GW_HTTPSERVEROPTIONS_SKIPCLIENTCAANNOUNCEMENT
Type: bool
 When mTLS enabled, this option allows to skip client CA announcement in the TLS handshake. This option is useful when you have a lot of ClientCAs and you want to reduce the handshake overhead, as some clients can hit TLS handshake limits. This option does not give any hints to the client, on which certificate to pick (but this is very rare situation when it is required)

http_server_options.flush_interval

ENV: TYK_GW_HTTPSERVEROPTIONS_FLUSHINTERVAL
Type: int
 Set this to the number of seconds that Tyk uses to flush content from the proxied upstream connection to the open downstream connection. This option needed be set for streaming protocols like Server Side Events, or gRPC streaming.

http_server_options.skip_url_cleaning

ENV: TYK_GW_HTTPSERVEROPTIONS_SKIPURLCLEANING
Type: bool
 Allow the use of a double slash in a URL path. This can be useful if you need to pass raw URLs to your API endpoints. For example: http://myapi.com/get/http://example.com.

http_server_options.skip_target_path_escaping

ENV: TYK_GW_HTTPSERVEROPTIONS_SKIPTARGETPATHESCAPING
Type: bool
 Disable automatic character escaping, allowing to path original URL data to the upstream.

http_server_options.ssl_ciphers

ENV: TYK_GW_HTTPSERVEROPTIONS_CIPHERS
Type: []string
 Custom SSL ciphers applicable when using TLS version 1.2. See the list of ciphers here https://tyk.io/docs/api-management/certificates#supported-tls-cipher-suites

http_server_options.max_request_body_size

ENV: TYK_GW_HTTPSERVEROPTIONS_MAXREQUESTBODYSIZE
Type: int64
 MaxRequestBodySize configures a maximum size limit for request body size (in bytes) for all APIs on the Gateway. Tyk Gateway will evaluate all API requests against this size limit and will respond with HTTP 413 status code if the body of the request is larger. Two methods are used to perform the comparison:
  • If the API Request contains the Content-Length header, this is directly compared against MaxRequestBodySize.
  • If the Content-Length header is not provided, the Request body is read in chunks to compare total size against MaxRequestBodySize.
A value of zero (default) means that no maximum is set and API requests will not be tested. See more information about setting request size limits here: https://tyk.io/docs/api-management/traffic-transformation/#request-size-limits

version_header

ENV: TYK_GW_VERSIONHEADER
Type: string
 Expose version header with a given name. Works only for versioned APIs.

suppress_redis_signal_reload

ENV: TYK_GW_SUPPRESSREDISSIGNALRELOAD
Type: bool
 Disable dynamic API and Policy reloads, e.g. it will load new changes only on procecss start.

reload_interval

ENV: TYK_GW_RELOADINTERVAL
Type: int64
 ReloadInterval defines a duration in seconds within which the gateway responds to a reload event. The value defaults to 1, values lower than 1 are ignored.

hash_keys

ENV: TYK_GW_HASHKEYS
Type: bool
 Enable Key hashing

disable_key_actions_by_username

ENV: TYK_GW_DISABLEKEYACTIONSBYUSERNAME
Type: bool
 DisableKeyActionsByUsername disables key search by username. When this is set to true you are able to search for keys only by keyID or key hash (if hash_keys is also set to true) Note that if hash_keys is also set to true then the keyID will not be provided for APIs secured using basic auth. In this scenario the only search option would be to use key hash If you are using the Tyk Dashboard, you must configure this setting with the same value in both Gateway and Dashboard

hash_key_function

ENV: TYK_GW_HASHKEYFUNCTION
Type: string
 Specify the Key hashing algorithm. Possible values: murmur64, murmur128, sha256.

basic_auth_hash_key_function

ENV: TYK_GW_BASICAUTHHASHKEYFUNCTION
Type: string
 Specify the Key hashing algorithm for “basic auth”. Possible values: murmur64, murmur128, sha256, bcrypt. Will default to “bcrypt” if not set.

hash_key_function_fallback

ENV: TYK_GW_HASHKEYFUNCTIONFALLBACK
Type: []string
 Specify your previous key hashing algorithm if you migrated from one algorithm to another.

enable_hashed_keys_listing

ENV: TYK_GW_ENABLEHASHEDKEYSLISTING
Type: bool
 Allows the listing of hashed API keys

min_token_length

ENV: TYK_GW_MINTOKENLENGTH
Type: int
 Minimum API token length

template_path

ENV: TYK_GW_TEMPLATEPATH
Type: string
 Path to error and webhook templates. Defaults to the current binary path.

policies

The policies section allows you to define where Tyk can find its policy templates. Policy templates are similar to key definitions in that they allow you to set quotas, access rights and rate limits for keys. Policies are loaded when Tyk starts and if changed require a hot-reload so they are loaded into memory. A policy can be defined in a file (Open Source installations) or from the same database as the Dashboard.

policies.policy_source

ENV: TYK_GW_POLICIES_POLICYSOURCE
Type: string
 Set this value to file to look in the file system for a definition file. Set to service to use the Dashboard service.

policies.policy_connection_string

ENV: TYK_GW_POLICIES_POLICYCONNECTIONSTRING
Type: string
 This option is required if policies.policy_source is set to service. Set this to the URL of your Tyk Dashboard installation. The URL needs to be formatted as: http://dashboard_host:port.

policies.policy_record_name

ENV: TYK_GW_POLICIES_POLICYRECORDNAME
Type: string
 This option only applies in OSS deployment when the policies.policy_source is either set to file or an empty string. If policies.policy_path is not set, then Tyk will load policies from the JSON file specified by policies.policy_record_name.

policies.allow_explicit_policy_id

ENV: TYK_GW_POLICIES_ALLOWEXPLICITPOLICYID
Type: bool
 In a Pro installation, Tyk will load Policy IDs and use the internal object-ID as the ID of the policy. This is not portable in cases where the data needs to be moved from installation to installation. If you set this value to true, then the id parameter in a stored policy (or imported policy using the Dashboard API), will be used instead of the internal ID. This option should only be used when moving an installation to a new database.

policies.policy_path

ENV: TYK_GW_POLICIES_POLICYPATH
Type: string
 This option only applies in OSS deployment when the policies.policy_source is either set to file or an empty string. If policies.policy_path is set, then Tyk will load policies from all the JSON files under the directory specified by the policies.policy_path option. In this configuration, Tyk Gateway will allow policy management through the Gateway API.

ports_whitelist

ENV: TYK_GW_PORTWHITELIST
Type: PortsWhiteList
 Defines the ports that will be available for the API services to bind to in the format documented here https://tyk.io/docs/api-management/non-http-protocols/#allowing-specific-ports. Ports can be configured per protocol, e.g. https, tls etc. If configuring via environment variable TYK_GW_PORTWHITELIST then remember to escape JSON strings.

disable_ports_whitelist

ENV: TYK_GW_DISABLEPORTWHITELIST
Type: bool
 Disable port whilisting, essentially allowing you to use any port for your API.

app_path

ENV: TYK_GW_APPPATH
Type: string
 If Tyk is being used in its standard configuration (Open Source installations), then API definitions are stored in the apps folder (by default in /opt/tyk-gateway/apps). This location is scanned for .json files and re-scanned at startup or reload. See the API section of the Tyk Gateway API for more details.

use_db_app_configs

ENV: TYK_GW_USEDBAPPCONFIGS
Type: bool
 If you are a Tyk Pro user, this option will enable polling the Dashboard service for API definitions. On startup Tyk will attempt to connect and download any relevant application configurations from from your Dashboard instance. The files are exactly the same as the JSON files on disk with the exception of a BSON ID supplied by the Dashboard service.

db_app_conf_options

This section defines API loading and shard options. Enable these settings to selectively load API definitions on a node from your Dashboard service.

db_app_conf_options.connection_string

ENV: TYK_GW_DBAPPCONFOPTIONS_CONNECTIONSTRING
Type: string
 Set the URL to your Dashboard instance (or a load balanced instance). The URL needs to be formatted as: http://dashboard_host:port

db_app_conf_options.connection_timeout

ENV: TYK_GW_DBAPPCONFOPTIONS_CONNECTIONTIMEOUT
Type: int
 Set a timeout value, in seconds, for your Dashboard connection. Default value is 30.

db_app_conf_options.node_is_segmented

ENV: TYK_GW_DBAPPCONFOPTIONS_NODEISSEGMENTED
Type: bool
 Set to true to enable filtering (sharding) of APIs.

db_app_conf_options.tags

ENV: TYK_GW_DBAPPCONFOPTIONS_TAGS
Type: []string
 The tags to use when filtering (sharding) Tyk Gateway nodes. Tags are processed as OR operations. If you include a non-filter tag (e.g. an identifier such as node-id-1, this will become available to your Dashboard analytics).

storage

This section defines your Redis configuration.

storage.type

ENV: TYK_GW_STORAGE_TYPE
Type: string
 This should be set to redis (lowercase)

storage.host

ENV: TYK_GW_STORAGE_HOST
Type: string
 The Redis host, by default this is set to localhost, but for production this should be set to a cluster.

storage.port

ENV: TYK_GW_STORAGE_PORT
Type: int
 The Redis instance port.

storage.addrs

ENV: TYK_GW_STORAGE_ADDRS
Type: []string
 If you have multi-node setup, you should use this field instead. For example: [“host1:port1”, “host2:port2”].

storage.master_name

ENV: TYK_GW_STORAGE_MASTERNAME
Type: string
 Redis sentinel master name

storage.sentinel_password

ENV: TYK_GW_STORAGE_SENTINELPASSWORD
Type: string
 Redis sentinel password

storage.username

ENV: TYK_GW_STORAGE_USERNAME
Type: string
 Redis user name

storage.password

ENV: TYK_GW_STORAGE_PASSWORD
Type: string
 If your Redis instance has a password set for access, you can set it here.

storage.database

ENV: TYK_GW_STORAGE_DATABASE
Type: int
 Redis database

storage.optimisation_max_idle

ENV: TYK_GW_STORAGE_MAXIDLE
Type: int
 Set the number of maximum idle connections in the Redis connection pool, which defaults to 100. Set to a higher value if you are expecting more traffic.

storage.optimisation_max_active

ENV: TYK_GW_STORAGE_MAXACTIVE
Type: int
 Set the number of maximum connections in the Redis connection pool, which defaults to 500. Set to a higher value if you are expecting more traffic.

storage.timeout

ENV: TYK_GW_STORAGE_TIMEOUT
Type: int
 Set a custom timeout for Redis network operations. Default value 5 seconds.

storage.enable_cluster

ENV: TYK_GW_STORAGE_ENABLECLUSTER
Type: bool
 Enable Redis Cluster support

storage.use_ssl

ENV: TYK_GW_STORAGE_USESSL
Type: bool
 Enable SSL/TLS connection between your Tyk Gateway & Redis.

storage.ssl_insecure_skip_verify

ENV: TYK_GW_STORAGE_SSLINSECURESKIPVERIFY
Type: bool
 Disable TLS verification

storage.ca_file

ENV: TYK_GW_STORAGE_CAFILE
Type: string
 Path to the CA file.

storage.cert_file

ENV: TYK_GW_STORAGE_CERTFILE
Type: string
 Path to the cert file.

storage.key_file

ENV: TYK_GW_STORAGE_KEYFILE
Type: string
 Path to the key file.

storage.tls_max_version

ENV: TYK_GW_STORAGE_TLSMAXVERSION
Type: string
 Maximum TLS version that is supported. Options: [“1.0”, “1.1”, “1.2”, “1.3”]. Defaults to “1.3”.

storage.tls_min_version

ENV: TYK_GW_STORAGE_TLSMINVERSION
Type: string
 Minimum TLS version that is supported. Options: [“1.0”, “1.1”, “1.2”, “1.3”]. Defaults to “1.2”.

disable_dashboard_zeroconf

ENV: TYK_GW_DISABLEDASHBOARDZEROCONF
Type: bool
 Disable the capability of the Gateway to autodiscover the Dashboard through heartbeat messages via Redis. The goal of zeroconf is auto-discovery, so you do not have to specify the Tyk Dashboard address in your Gatewaytyk.conf file. In some specific cases, for example, when the Dashboard is bound to a public domain, not accessible inside an internal network, or similar, disable_dashboard_zeroconf can be set to true, in favor of directly specifying a Tyk Dashboard address.

slave_options

The slave_options allow you to configure the RPC slave connection required for MDCB installations. These settings must be configured for every RPC slave/worker node.

slave_options.use_rpc

ENV: TYK_GW_SLAVEOPTIONS_USERPC
Type: bool
 Set to true to connect a worker Gateway using RPC.

slave_options.use_ssl

ENV: TYK_GW_SLAVEOPTIONS_USESSL
Type: bool
 Set this option to true to use an SSL RPC connection.

slave_options.ssl_insecure_skip_verify

ENV: TYK_GW_SLAVEOPTIONS_SSLINSECURESKIPVERIFY
Type: bool
 Set this option to true to allow the certificate validation (certificate chain and hostname) to be skipped. This can be useful if you use a self-signed certificate.

slave_options.connection_string

ENV: TYK_GW_SLAVEOPTIONS_CONNECTIONSTRING
Type: string
 Use this setting to add the URL for your MDCB or load balancer host.

slave_options.rpc_key

ENV: TYK_GW_SLAVEOPTIONS_RPCKEY
Type: string
 Your organization ID to connect to the MDCB installation.

slave_options.api_key

ENV: TYK_GW_SLAVEOPTIONS_APIKEY
Type: string
 This the API key of a user used to authenticate and authorize the Gateway’s access through MDCB. The user should be a standard Dashboard user with minimal privileges so as to reduce any risk if the user is compromised. The suggested security settings are read for Real-time notifications and the remaining options set to deny.

slave_options.enable_rpc_cache

ENV: TYK_GW_SLAVEOPTIONS_ENABLERPCCACHE
Type: bool
 Set this option to true to enable RPC caching for keys.

slave_options.bind_to_slugs

ENV: TYK_GW_SLAVEOPTIONS_BINDTOSLUGSINSTEADOFLISTENPATHS
Type: bool
 For an Self-Managed installation this can be left at false (the default setting). For Legacy Cloud Gateways it must be set to ‘true’.

slave_options.disable_keyspace_sync

ENV: TYK_GW_SLAVEOPTIONS_DISABLEKEYSPACESYNC
Type: bool
 Set this option to true if you don’t want to monitor changes in the keys from a primary Gateway.

slave_options.group_id

ENV: TYK_GW_SLAVEOPTIONS_GROUPID
Type: string
 This is the zone that this instance inhabits, e.g. the cluster/data-center the Gateway lives in. The group ID must be the same across all the Gateways of a data-center/cluster which are also sharing the same Redis instance. This ID should also be unique per cluster (otherwise another Gateway cluster can pick up your keyspace events and your cluster will get zero updates).

slave_options.call_timeout

ENV: TYK_GW_SLAVEOPTIONS_CALLTIMEOUT
Type: int
 Call Timeout allows to specify a time in seconds for the maximum allowed duration of a RPC call.

slave_options.ping_timeout

ENV: TYK_GW_SLAVEOPTIONS_PINGTIMEOUT
Type: int
 The maximum time in seconds that a RPC ping can last.

slave_options.rpc_pool_size

ENV: TYK_GW_SLAVEOPTIONS_RPCPOOLSIZE
Type: int
 The number of RPC connections in the pool. Basically it creates a set of connections that you can re-use as needed. Defaults to 5.

slave_options.key_space_sync_interval

ENV: TYK_GW_SLAVEOPTIONS_KEYSPACESYNCINTERVAL
Type: float32
 You can use this to set a period for which the Gateway will check if there are changes in keys that must be synchronized. If this value is not set then it will default to 10 seconds.

slave_options.rpc_cert_cache_expiration

ENV: TYK_GW_SLAVEOPTIONS_RPCCERTCACHEEXPIRATION
Type: float32
 RPCCertCacheExpiration defines the expiration time of the rpc cache that stores the certificates, defined in seconds

slave_options.rpc_global_cache_expiration

ENV: TYK_GW_SLAVEOPTIONS_RPCGLOBALCACHEEXPIRATION
Type: float32
 RPCKeysCacheExpiration defines the expiration time of the rpc cache that stores the keys, defined in seconds

slave_options.synchroniser_enabled

ENV: TYK_GW_SLAVEOPTIONS_SYNCHRONISERENABLED
Type: bool
 SynchroniserEnabled enable this config if MDCB has enabled the synchoniser. If disabled then it will ignore signals to synchonise recources

management_node

ENV: TYK_GW_MANAGEMENTNODE
Type: bool
 If set to true, distributed rate limiter will be disabled for this node, and it will be excluded from any rate limit calculation.
If you set db_app_conf_options.node_is_segmented to true for multiple Gateway nodes, you should ensure that management_node is set to false. This is to ensure visibility for the management node across all APIs.
For pro installations, management_node is not a valid configuration option. Always set management_node to false in pro environments.

auth_override

This is used as part of the RPC / Hybrid back-end configuration in a Tyk Enterprise installation and isn’t used anywhere else.

enable_fixed_window_rate_limiter

ENV: TYK_GW_ENABLEFIXEDWINDOWRATELIMITER
Type: bool
 EnableFixedWindow enables fixed window rate limiting.

enable_redis_rolling_limiter

ENV: TYK_GW_ENABLEREDISROLLINGLIMITER
Type: bool
 Redis based rate limiter with sliding log. Provides 100% rate limiting accuracy, but require two additional Redis roundtrips for each request.

enable_sentinel_rate_limiter

ENV: TYK_GW_ENABLESENTINELRATELIMITER
Type: bool
 To enable, set to true. The sentinel-based rate limiter delivers a smoother performance curve as rate-limit calculations happen off-thread, but a stricter time-out based cool-down for clients. For example, when a throttling action is triggered, they are required to cool-down for the period of the rate limit. Disabling the sentinel based rate limiter will make rate-limit calculations happen on-thread and therefore offers a staggered cool-down and a smoother rate-limit experience for the client. For example, you can slow your connection throughput to regain entry into your rate limit. This is more of a “throttle” than a “block”. The standard rate limiter offers similar performance as the sentinel-based limiter. This is disabled by default.

enable_rate_limit_smoothing

ENV: TYK_GW_ENABLERATELIMITSMOOTHING
Type: bool
 EnableRateLimitSmoothing enables or disables rate limit smoothing. The rate smoothing is only supported on the Redis Rate Limiter, or the Sentinel Rate Limiter, as both algorithms implement a sliding log.

enable_non_transactional_rate_limiter

ENV: TYK_GW_ENABLENONTRANSACTIONALRATELIMITER
Type: bool
 An enhancement for the Redis and Sentinel rate limiters, that offers a significant improvement in performance by not using transactions on Redis rate-limit buckets.

drl_notification_frequency

ENV: TYK_GW_DRLNOTIFICATIONFREQUENCY
Type: int
 How frequently a distributed rate limiter synchronises information between the Gateway nodes. Default: 2 seconds.

drl_threshold

ENV: TYK_GW_DRLTHRESHOLD
Type: float64
 A distributed rate limiter is inaccurate on small rate limits, and it will fallback to a Redis or Sentinel rate limiter on an individual user basis, if its rate limiter lower then threshold. A Rate limiter threshold calculated using the following formula: rate_threshold = drl_threshold * number_of_gateways. So you have 2 Gateways, and your threshold is set to 5, if a user rate limit is larger than 10, it will use the distributed rate limiter algorithm. Default: 5

drl_enable_sentinel_rate_limiter

ENV: TYK_GW_DRLENABLESENTINELRATELIMITER
Type: bool
 Controls which algorthm to use as a fallback when your distributed rate limiter can’t be used.

enforce_org_data_age

ENV: TYK_GW_ENFORCEORGDATAAGE
Type: bool
 Allows you to dynamically configure analytics expiration on a per organization level

enforce_org_data_detail_logging

ENV: TYK_GW_ENFORCEORGDATADETAILLOGGING
Type: bool
 Allows you to dynamically configure detailed logging on a per organization level

enforce_org_quotas

ENV: TYK_GW_ENFORCEORGQUOTAS
Type: bool
 Allows you to dynamically configure organization quotas on a per organization level

monitor

The monitor section is useful if you wish to enforce a global trigger limit on organization and user quotas. This feature will trigger a webhook event to fire when specific triggers are reached. Triggers can be global (set in the node), by organization (set in the organization session object) or by key (set in the key session object) While Organization-level and Key-level triggers can be tiered (e.g. trigger at 10%, trigger at 20%, trigger at 80%), in the node-level configuration only a global value can be set. If a global value and specific trigger level are the same the trigger will only fire once: 
"monitor": {
  "enable_trigger_monitors": true,
  "configuration": {
   "method": "POST",
   "target_path": "http://domain.com/notify/quota-trigger",
   "template_path": "templates/monitor_template.json",
   "header_map": {
     "some-secret": "89787855"
   },
   "event_timeout": 10
 },
 "global_trigger_limit": 80.0,
 "monitor_user_keys": false,
 "monitor_org_keys": true
},

monitor.enable_trigger_monitors

ENV: TYK_GW_MONITOR_ENABLETRIGGERMONITORS
Type: bool
 Set this to true to have monitors enabled in your configuration for the node.

monitor.configuration.method

ENV: TYK_GW_MONITOR_CONFIG_METHOD
Type: string
 The method to use for the webhook.

monitor.configuration.target_path

ENV: TYK_GW_MONITOR_CONFIG_TARGETPATH
Type: string
 The target path on which to send the request.

monitor.configuration.template_path

ENV: TYK_GW_MONITOR_CONFIG_TEMPLATEPATH
Type: string
 The template to load in order to format the request.

monitor.configuration.header_map

ENV: TYK_GW_MONITOR_CONFIG_HEADERLIST
Type: map[string]string
 Headers to set when firing the webhook.

monitor.configuration.event_timeout

ENV: TYK_GW_MONITOR_CONFIG_EVENTTIMEOUT
Type: int64
 The cool-down for the event so it does not trigger again (in seconds).

monitor.global_trigger_limit

ENV: TYK_GW_MONITOR_GLOBALTRIGGERLIMIT
Type: float64
 The trigger limit, as a percentage of the quota that must be reached in order to trigger the event, any time the quota percentage is increased the event will trigger.

monitor.monitor_user_keys

ENV: TYK_GW_MONITOR_MONITORUSERKEYS
Type: bool
 Apply the monitoring subsystem to user keys.

monitor.monitor_org_keys

ENV: TYK_GW_MONITOR_MONITORORGKEYS
Type: bool
 Apply the monitoring subsystem to organization keys.

max_idle_connections

ENV: TYK_GW_MAXIDLECONNS
Type: int
 Maximum idle connections, per API, between Tyk and Upstream. By default not limited.

max_idle_connections_per_host

ENV: TYK_GW_MAXIDLECONNSPERHOST
Type: int
 Maximum idle connections, per API, per upstream, between Tyk and Upstream. Default:100

max_conn_time

ENV: TYK_GW_MAXCONNTIME
Type: int64
 Maximum connection time. If set it will force gateway reconnect to the upstream.

close_connections

ENV: TYK_GW_CLOSECONNECTIONS
Type: bool
 If set, disable keepalive between User and Tyk

enable_custom_domains

ENV: TYK_GW_ENABLECUSTOMDOMAINS
Type: bool
 Allows you to use custom domains

allow_master_keys

ENV: TYK_GW_ALLOWMASTERKEYS
Type: bool
 If AllowMasterKeys is set to true, session objects (key definitions) that do not have explicit access rights set will be allowed by Tyk. This means that keys that are created have access to ALL APIs, which in many cases is unwanted behavior unless you are sure about what you are doing.

service_discovery.default_cache_timeout

ENV: TYK_GW_SERVICEDISCOVERY_DEFAULTCACHETIMEOUT
Type: int
 Service discovery cache timeout

proxy_ssl_insecure_skip_verify

ENV: TYK_GW_PROXYSSLINSECURESKIPVERIFY
Type: bool
 Globally ignore TLS verification between Tyk and your Upstream services

proxy_enable_http2

ENV: TYK_GW_PROXYENABLEHTTP2
Type: bool
 Enable HTTP2 support between Tyk and your upstream service. Required for gRPC.

proxy_ssl_min_version

ENV: TYK_GW_PROXYSSLMINVERSION
Type: uint16
 Minimum TLS version for connection between Tyk and your upstream service.

proxy_ssl_max_version

ENV: TYK_GW_PROXYSSLMAXVERSION
Type: uint16
 Maximum TLS version for connection between Tyk and your upstream service.

proxy_ssl_ciphers

ENV: TYK_GW_PROXYSSLCIPHERSUITES
Type: []string
 Allow list of ciphers for connection between Tyk and your upstream service.

proxy_default_timeout

ENV: TYK_GW_PROXYDEFAULTTIMEOUT
Type: float64
 This can specify a default timeout in seconds for upstream API requests. Default: 30 seconds

proxy_ssl_disable_renegotiation

ENV: TYK_GW_PROXYSSLDISABLERENEGOTIATION
Type: bool
 Disable TLS renegotiation.

proxy_close_connections

ENV: TYK_GW_PROXYCLOSECONNECTIONS
Type: bool
 Disable keepalives between Tyk and your upstream service. Set this value to true to force Tyk to close the connection with the server, otherwise the connections will remain open for as long as your OS keeps TCP connections open. This can cause a file-handler limit to be exceeded. Setting to false can have performance benefits as the connection can be reused.

uptime_tests

Tyk nodes can provide uptime awareness, uptime testing and analytics for your underlying APIs uptime and availability. Tyk can also notify you when a service goes down.

uptime_tests.disable

ENV: TYK_GW_UPTIMETESTS_DISABLE
Type: bool
 To disable uptime tests on this node, set this value to true.

uptime_tests.poller_group

ENV: TYK_GW_UPTIMETESTS_POLLERGROUP
Type: string
 If you have multiple Gateway clusters connected to the same Redis instance, you need to set a unique poller group for each cluster.

uptime_tests.config.failure_trigger_sample_size

ENV: TYK_GW_UPTIMETESTS_CONFIG_FAILURETRIGGERSAMPLESIZE
Type: int
 The sample size to trigger a HostUp or HostDown event. For example, a setting of 3 will require at least three failures to occur before the uptime test is triggered.

uptime_tests.config.time_wait

ENV: TYK_GW_UPTIMETESTS_CONFIG_TIMEWAIT
Type: int
 The value in seconds between tests runs. All tests will run simultaneously. This value will set the time between those tests. So a value of 60 will run all uptime tests every 60 seconds.

uptime_tests.config.checker_pool_size

ENV: TYK_GW_UPTIMETESTS_CONFIG_CHECKERPOOLSIZE
Type: int
 The goroutine pool size to keep idle for uptime tests. If you have many uptime tests running at a high time period, then increase this value.

uptime_tests.config.enable_uptime_analytics

ENV: TYK_GW_UPTIMETESTS_CONFIG_ENABLEUPTIMEANALYTICS
Type: bool
 Set this value to true to have the node capture and record analytics data regarding the uptime tests.

health_check

This section enables the configuration of the health-check API endpoint and the size of the sample data cache (in seconds).

health_check.enable_health_checks

ENV: TYK_GW_HEALTHCHECK_ENABLEHEALTHCHECKS
Type: bool
 Setting this value to true will enable the health-check endpoint on /Tyk/health.

health_check.health_check_value_timeouts

ENV: TYK_GW_HEALTHCHECK_HEALTHCHECKVALUETIMEOUT
Type: int64
 This setting defaults to 60 seconds. This is the time window that Tyk uses to sample health-check data. You can set a higher value for more accurate data (a larger sample period), or a lower value for less accurate data. The reason this value is configurable is because sample data takes up space in your Redis DB to store the data to calculate samples. On high-availability systems this may not be desirable and smaller values may be preferred.

health_check_endpoint_name

ENV: TYK_GW_HEALTHCHECKENDPOINTNAME
Type: string
 HealthCheckEndpointName Enables you to change the liveness endpoint. Default is “/hello”

readiness_check_endpoint_name

ENV: TYK_GW_READINESSCHECKENDPOINTNAME
Type: string
 ReadinessCheckEndpointName Enables you to change the readiness endpoint Default is “/ready”

graceful_shutdown_timeout_duration

ENV: TYK_GW_GRACEFULSHUTDOWNTIMEOUTDURATION
Type: int
 GracefulShutdownTimeoutDuration sets how many seconds the gateway should wait for an existing connection to finish before shutting down the server. Defaults to 30 seconds.

oauth_refresh_token_expire

ENV: TYK_GW_OAUTHREFRESHEXPIRE
Type: int64
 Change the expiry time of a refresh token. By default 14 days (in seconds).

oauth_token_expire

ENV: TYK_GW_OAUTHTOKENEXPIRE
Type: int32
 Change the expiry time of OAuth tokens (in seconds).

oauth_token_expired_retain_period

ENV: TYK_GW_OAUTHTOKENEXPIREDRETAINPERIOD
Type: int32
 Specifies how long expired tokens are stored in Redis. The value is in seconds and the default is 0. Using the default means expired tokens are never removed from Redis.

oauth_redirect_uri_separator

ENV: TYK_GW_OAUTHREDIRECTURISEPARATOR
Type: string
 Character which should be used as a separator for OAuth redirect URI URLs. Default: ;.

oauth_error_status_code

ENV: TYK_GW_OAUTHERRORSTATUSCODE
Type: int
 Configures the OAuth error status code returned. If not set, it defaults to a 403 error.

enable_key_logging

ENV: TYK_GW_ENABLEKEYLOGGING
Type: bool
 By default all key IDs in logs are hidden. Set to true if you want to see them for debugging reasons.

ssl_force_common_name_check

ENV: TYK_GW_SSLFORCECOMMONNAMECHECK
Type: bool
 Force the validation of the hostname against the common name, even if TLS verification is disabled.

enable_analytics

ENV: TYK_GW_ENABLEANALYTICS
Type: bool
 Tyk is capable of recording every hit to your API to a database with various filtering parameters. Set this value to true and fill in the sub-section below to enable logging.
For performance reasons, Tyk will store traffic data to Redis initially and then purge the data from Redis to MongoDB or other data stores on a regular basis as determined by the purge_delay setting in your Tyk Pump configuration.

analytics_config

This section defines options on what analytics data to store.

analytics_config.type

ENV: TYK_GW_ANALYTICSCONFIG_TYPE
Type: string
 Set empty for a Self-Managed installation or rpc for multi-cloud.

analytics_config.ignored_ips

ENV: TYK_GW_ANALYTICSCONFIG_IGNOREDIPS
Type: []string
 Adding IP addresses to this list will cause Tyk to ignore these IPs in the analytics data. These IP addresses will not produce an analytics log record. This is useful for health checks and other samplers that might skew usage data. The IP addresses must be provided as a JSON array, with the values being single IPs. CIDR values are not supported.

analytics_config.enable_detailed_recording

ENV: TYK_GW_ANALYTICSCONFIG_ENABLEDETAILEDRECORDING
Type: bool
 Set this value to true to have Tyk store the inbound request and outbound response data in HTTP Wire format as part of the Analytics data. Please note, this will greatly increase your analytics DB size and can cause performance degradation on analytics processing by the Dashboard. This setting can be overridden with an organization flag, enabed at an API level, or on individual Key level.

analytics_config.enable_geo_ip

ENV: TYK_GW_ANALYTICSCONFIG_ENABLEGEOIP
Type: bool
 Tyk can store GeoIP information based on MaxMind DB’s to enable GeoIP tracking on inbound request analytics. Set this value to true and assign a DB using the geo_ip_db_path setting.

analytics_config.geo_ip_db_path

ENV: TYK_GW_ANALYTICSCONFIG_GEOIPDBLOCATION
Type: string
 Path to a MaxMind GeoIP database The analytics GeoIP DB can be replaced on disk. It will cleanly auto-reload every hour.

analytics_config.normalise_urls

This section describes methods that enable you to normalise inbound URLs in your analytics to have more meaningful per-path data.

analytics_config.normalise_urls.enabled

ENV: TYK_GW_ANALYTICSCONFIG_NORMALISEURLS_ENABLED
Type: bool
 Set this to true to enable normalisation.

analytics_config.normalise_urls.normalise_uuids

ENV: TYK_GW_ANALYTICSCONFIG_NORMALISEURLS_NORMALISEUUIDS
Type: bool
 Each UUID will be replaced with a placeholder

analytics_config.normalise_urls.normalise_ulids

ENV: TYK_GW_ANALYTICSCONFIG_NORMALISEURLS_NORMALISEULIDS
Type: bool
 Each ULID will be replaced with a placeholder

analytics_config.normalise_urls.normalise_numbers

ENV: TYK_GW_ANALYTICSCONFIG_NORMALISEURLS_NORMALISENUMBERS
Type: bool
 Set this to true to have Tyk automatically match for numeric IDs, it will match with a preceding slash so as not to capture actual numbers:

analytics_config.normalise_urls.custom_patterns

ENV: TYK_GW_ANALYTICSCONFIG_NORMALISEURLS_CUSTOM
Type: []string
 This is a list of custom patterns you can add. These must be valid regex strings. Tyk will replace these values with a {var} placeholder.

analytics_config.pool_size

ENV: TYK_GW_ANALYTICSCONFIG_POOLSIZE
Type: int
 Number of workers used to process analytics. Defaults to number of CPU cores.

analytics_config.records_buffer_size

ENV: TYK_GW_ANALYTICSCONFIG_RECORDSBUFFERSIZE
Type: uint64
 Number of records in analytics queue, per worker. Default: 1000.

analytics_config.storage_expiration_time

ENV: TYK_GW_ANALYTICSCONFIG_STORAGEEXPIRATIONTIME
Type: int
 You can set a time (in seconds) to configure how long analytics are kept if they are not processed. The default is 60 seconds. This is used to prevent the potential infinite growth of Redis analytics storage.

analytics_config.enable_multiple_analytics_keys

ENV: TYK_GW_ANALYTICSCONFIG_ENABLEMULTIPLEANALYTICSKEYS
Type: bool
 Set this to true to have Tyk automatically divide the analytics records in multiple analytics keys. This is especially useful when storage.enable_cluster is set to true since it will distribute the analytic keys across all the cluster nodes.

analytics_config.purge_interval

ENV: TYK_GW_ANALYTICSCONFIG_PURGEINTERVAL
Type: float32
 You can set the interval length on how often the tyk Gateway will purge analytics data. This value is in seconds and defaults to 10 seconds.

analytics_config.serializer_type

ENV: TYK_GW_ANALYTICSCONFIG_SERIALIZERTYPE
Type: string
 Determines the serialization engine for analytics. Available options: msgpack, and protobuf. By default, msgpack.

enable_separate_analytics_store

ENV: TYK_GW_ENABLESEPERATEANALYTICSSTORE
Type: bool
 Enable separate analytics storage. Used together with analytics_storage.

analytics_storage.type

ENV: TYK_GW_ANALYTICSSTORAGE_TYPE
Type: string
 This should be set to redis (lowercase)

analytics_storage.host

ENV: TYK_GW_ANALYTICSSTORAGE_HOST
Type: string
 The Redis host, by default this is set to localhost, but for production this should be set to a cluster.

analytics_storage.port

ENV: TYK_GW_ANALYTICSSTORAGE_PORT
Type: int
 The Redis instance port.

analytics_storage.addrs

ENV: TYK_GW_ANALYTICSSTORAGE_ADDRS
Type: []string
 If you have multi-node setup, you should use this field instead. For example: [“host1:port1”, “host2:port2”].

analytics_storage.master_name

ENV: TYK_GW_ANALYTICSSTORAGE_MASTERNAME
Type: string
 Redis sentinel master name

analytics_storage.sentinel_password

ENV: TYK_GW_ANALYTICSSTORAGE_SENTINELPASSWORD
Type: string
 Redis sentinel password

analytics_storage.username

ENV: TYK_GW_ANALYTICSSTORAGE_USERNAME
Type: string
 Redis user name

analytics_storage.password

ENV: TYK_GW_ANALYTICSSTORAGE_PASSWORD
Type: string
 If your Redis instance has a password set for access, you can set it here.

analytics_storage.database

ENV: TYK_GW_ANALYTICSSTORAGE_DATABASE
Type: int
 Redis database

analytics_storage.optimisation_max_idle

ENV: TYK_GW_ANALYTICSSTORAGE_MAXIDLE
Type: int
 Set the number of maximum idle connections in the Redis connection pool, which defaults to 100. Set to a higher value if you are expecting more traffic.

analytics_storage.optimisation_max_active

ENV: TYK_GW_ANALYTICSSTORAGE_MAXACTIVE
Type: int
 Set the number of maximum connections in the Redis connection pool, which defaults to 500. Set to a higher value if you are expecting more traffic.

analytics_storage.timeout

ENV: TYK_GW_ANALYTICSSTORAGE_TIMEOUT
Type: int
 Set a custom timeout for Redis network operations. Default value 5 seconds.

analytics_storage.enable_cluster

ENV: TYK_GW_ANALYTICSSTORAGE_ENABLECLUSTER
Type: bool
 Enable Redis Cluster support

analytics_storage.use_ssl

ENV: TYK_GW_ANALYTICSSTORAGE_USESSL
Type: bool
 Enable SSL/TLS connection between your Tyk Gateway & Redis.

analytics_storage.ssl_insecure_skip_verify

ENV: TYK_GW_ANALYTICSSTORAGE_SSLINSECURESKIPVERIFY
Type: bool
 Disable TLS verification

analytics_storage.ca_file

ENV: TYK_GW_ANALYTICSSTORAGE_CAFILE
Type: string
 Path to the CA file.

analytics_storage.cert_file

ENV: TYK_GW_ANALYTICSSTORAGE_CERTFILE
Type: string
 Path to the cert file.

analytics_storage.key_file

ENV: TYK_GW_ANALYTICSSTORAGE_KEYFILE
Type: string
 Path to the key file.

analytics_storage.tls_max_version

ENV: TYK_GW_ANALYTICSSTORAGE_TLSMAXVERSION
Type: string
 Maximum TLS version that is supported. Options: [“1.0”, “1.1”, “1.2”, “1.3”]. Defaults to “1.3”.

analytics_storage.tls_min_version

ENV: TYK_GW_ANALYTICSSTORAGE_TLSMINVERSION
Type: string
 Minimum TLS version that is supported. Options: [“1.0”, “1.1”, “1.2”, “1.3”]. Defaults to “1.2”.

liveness_check.check_duration

ENV: TYK_GW_LIVENESSCHECK_CHECKDURATION
Type: time.Duration
 Frequencies of performing interval healthchecks for Redis, Dashboard, and RPC layer. Expressed in Nanoseconds. For example: 1000000000 -> 1s. Default: 10 seconds.

dns_cache

This section enables the global configuration of the expireable DNS records caching for your Gateway API endpoints. By design caching affects only http(s), ws(s) protocols APIs and doesn’t affect any plugin/middleware DNS queries. 
"dns_cache": {
  "enabled": true, //Turned off by default
  "ttl": 60, //Time in seconds before the record will be removed from cache
  "multiple_ips_handle_strategy": "random" //A strategy, which will be used when dns query will reply with more than 1 ip address per single host.
}

dns_cache.enabled

ENV: TYK_GW_DNSCACHE_ENABLED
Type: bool
 Setting this value to true will enable caching of DNS queries responses used for API endpoint’s host names. By default caching is disabled.

dns_cache.ttl

ENV: TYK_GW_DNSCACHE_TTL
Type: int64
 This setting allows you to specify a duration in seconds before the record will be removed from cache after being added to it on the first DNS query resolution of API endpoints. Setting ttl to -1 prevents record from being expired and removed from cache on next check interval.

dns_cache.multiple_ips_handle_strategy

ENV: TYK_GW_DNSCACHE_MULTIPLEIPSHANDLESTRATEGY
Type: string
 A strategy which will be used when a DNS query will reply with more than 1 IP Address per single host. As a DNS query response IP Addresses can have a changing order depending on DNS server balancing strategy (eg: round robin, geographically dependent origin-ip ordering, etc) this option allows you to not to limit the connection to the first host in a cached response list or prevent response caching.
  • pick_first will instruct your Tyk Gateway to connect to the first IP in a returned IP list and cache the response.
  • random will instruct your Tyk Gateway to connect to a random IP in a returned IP list and cache the response.
  • no_cache will instruct your Tyk Gateway to connect to the first IP in a returned IP list and fetch each addresses list without caching on each API endpoint DNS query.

disable_regexp_cache

ENV: TYK_GW_DISABLEREGEXPCACHE
Type: bool
 If set to true this allows you to disable the regular expression cache. The default setting is false.

regexp_cache_expire

ENV: TYK_GW_REGEXPCACHEEXPIRE
Type: int32
 If you set disable_regexp_cache to false, you can use this setting to limit how long the regular expression cache is kept for in seconds. The default is 60 seconds. This must be a positive value. If you set to 0 this uses the default value.

local_session_cache

Tyk can cache some data locally, this can speed up lookup times on a single node and lower the number of connections and operations being done on Redis. It will however introduce a slight delay when updating or modifying keys as the cache must expire. This does not affect rate limiting.

local_session_cache.disable_cached_session_state

ENV: TYK_GW_LOCALSESSIONCACHE_DISABLECACHESESSIONSTATE
Type: bool
 By default sessions are set to cache. Set this to true to stop Tyk from caching keys locally on the node.

enable_separate_cache_store

ENV: TYK_GW_ENABLESEPERATECACHESTORE
Type: bool
 Enable to use a separate Redis for cache storage

cache_storage.type

ENV: TYK_GW_CACHESTORAGE_TYPE
Type: string
 This should be set to redis (lowercase)

cache_storage.host

ENV: TYK_GW_CACHESTORAGE_HOST
Type: string
 The Redis host, by default this is set to localhost, but for production this should be set to a cluster.

cache_storage.port

ENV: TYK_GW_CACHESTORAGE_PORT
Type: int
 The Redis instance port.

cache_storage.addrs

ENV: TYK_GW_CACHESTORAGE_ADDRS
Type: []string
 If you have multi-node setup, you should use this field instead. For example: [“host1:port1”, “host2:port2”].

cache_storage.master_name

ENV: TYK_GW_CACHESTORAGE_MASTERNAME
Type: string
 Redis sentinel master name

cache_storage.sentinel_password

ENV: TYK_GW_CACHESTORAGE_SENTINELPASSWORD
Type: string
 Redis sentinel password

cache_storage.username

ENV: TYK_GW_CACHESTORAGE_USERNAME
Type: string
 Redis user name

cache_storage.password

ENV: TYK_GW_CACHESTORAGE_PASSWORD
Type: string
 If your Redis instance has a password set for access, you can set it here.

cache_storage.database

ENV: TYK_GW_CACHESTORAGE_DATABASE
Type: int
 Redis database

cache_storage.optimisation_max_idle

ENV: TYK_GW_CACHESTORAGE_MAXIDLE
Type: int
 Set the number of maximum idle connections in the Redis connection pool, which defaults to 100. Set to a higher value if you are expecting more traffic.

cache_storage.optimisation_max_active

ENV: TYK_GW_CACHESTORAGE_MAXACTIVE
Type: int
 Set the number of maximum connections in the Redis connection pool, which defaults to 500. Set to a higher value if you are expecting more traffic.

cache_storage.timeout

ENV: TYK_GW_CACHESTORAGE_TIMEOUT
Type: int
 Set a custom timeout for Redis network operations. Default value 5 seconds.

cache_storage.enable_cluster

ENV: TYK_GW_CACHESTORAGE_ENABLECLUSTER
Type: bool
 Enable Redis Cluster support

cache_storage.use_ssl

ENV: TYK_GW_CACHESTORAGE_USESSL
Type: bool
 Enable SSL/TLS connection between your Tyk Gateway & Redis.

cache_storage.ssl_insecure_skip_verify

ENV: TYK_GW_CACHESTORAGE_SSLINSECURESKIPVERIFY
Type: bool
 Disable TLS verification

cache_storage.ca_file

ENV: TYK_GW_CACHESTORAGE_CAFILE
Type: string
 Path to the CA file.

cache_storage.cert_file

ENV: TYK_GW_CACHESTORAGE_CERTFILE
Type: string
 Path to the cert file.

cache_storage.key_file

ENV: TYK_GW_CACHESTORAGE_KEYFILE
Type: string
 Path to the key file.

cache_storage.tls_max_version

ENV: TYK_GW_CACHESTORAGE_TLSMAXVERSION
Type: string
 Maximum TLS version that is supported. Options: [“1.0”, “1.1”, “1.2”, “1.3”]. Defaults to “1.3”.

cache_storage.tls_min_version

ENV: TYK_GW_CACHESTORAGE_TLSMINVERSION
Type: string
 Minimum TLS version that is supported. Options: [“1.0”, “1.1”, “1.2”, “1.3”]. Defaults to “1.2”.

enable_bundle_downloader

ENV: TYK_GW_ENABLEBUNDLEDOWNLOADER
Type: bool
 Enable downloading Plugin bundles Example: 
"enable_bundle_downloader": true,
"bundle_base_url": "http://my-bundle-server.com/bundles/",
"public_key_path": "/path/to/my/pubkey",

bundle_base_url

ENV: TYK_GW_BUNDLEBASEURL
Type: string
 Is a base URL that will be used to download the bundle. In this example we have bundle-latest.zip specified in the API settings, Tyk will fetch the following URL: http://my-bundle-server.com/bundles/bundle-latest.zip (see the next section for details).

bundle_insecure_skip_verify

ENV: TYK_GW_BUNDLEINSECURESKIPVERIFY
Type: bool
 Disable TLS validation for bundle URLs

enable_jsvm

ENV: TYK_GW_ENABLEJSVM
Type: bool
 Set to true if you are using JSVM custom middleware or virtual endpoints.

jsvm_timeout

ENV: TYK_GW_JSVMTIMEOUT
Type: int
 Set the execution timeout for JSVM plugins and virtal endpoints

disable_virtual_path_blobs

ENV: TYK_GW_DISABLEVIRTUALPATHBLOBS
Type: bool
 Disable virtual endpoints and the code will not be loaded into the VM when the API definition initialises. This is useful for systems where you want to avoid having third-party code run.

tyk_js_path

ENV: TYK_GW_TYKJSPATH
Type: string
 Path to the JavaScript file which will be pre-loaded for any JSVM middleware or virtual endpoint. Useful for defining global shared functions.

middleware_path

ENV: TYK_GW_MIDDLEWAREPATH
Type: string
 Path to the plugins dirrectory. By default is “./middleware`.

coprocess_options

Configuration options for Python and gRPC plugins.

coprocess_options.enable_coprocess

ENV: TYK_GW_COPROCESSOPTIONS_ENABLECOPROCESS
Type: bool
 Enable gRPC and Python plugins

coprocess_options.coprocess_grpc_server

ENV: TYK_GW_COPROCESSOPTIONS_COPROCESSGRPCSERVER
Type: string
 Address of gRPC user

coprocess_options.grpc_recv_max_size

ENV: TYK_GW_COPROCESSOPTIONS_GRPCRECVMAXSIZE
Type: int
 Maximum message which can be received from a gRPC server

coprocess_options.grpc_send_max_size

ENV: TYK_GW_COPROCESSOPTIONS_GRPCSENDMAXSIZE
Type: int
 Maximum message which can be sent to gRPC server

coprocess_options.grpc_authority

ENV: TYK_GW_COPROCESSOPTIONS_GRPCAUTHORITY
Type: string
 Authority used in GRPC connection

coprocess_options.grpc_round_robin_load_balancing

ENV: TYK_GW_COPROCESSOPTIONS_GRPCROUNDROBINLOADBALANCING
Type: bool
 GRPCRoundRobinLoadBalancing enables round robin load balancing for gRPC services; you must provide the address of the load balanced service using dns:/// protocol in coprocess_grpc_server.

coprocess_options.python_path_prefix

ENV: TYK_GW_COPROCESSOPTIONS_PYTHONPATHPREFIX
Type: string
 Sets the path to built-in Tyk modules. This will be part of the Python module lookup path. The value used here is the default one for most installations.

coprocess_options.python_version

ENV: TYK_GW_COPROCESSOPTIONS_PYTHONVERSION
Type: string
 If you have multiple Python versions installed you can specify your version.

ignore_endpoint_case

ENV: TYK_GW_IGNOREENDPOINTCASE
Type: bool
 Ignore the case of any endpoints for APIs managed by Tyk. Setting this to true will override any individual API and Ignore, Blacklist and Whitelist plugin endpoint settings.

ignore_canonical_mime_header_key

ENV: TYK_GW_IGNORECANONICALMIMEHEADERKEY
Type: bool
 When enabled Tyk ignores the canonical format of the MIME header keys. For example when a request header with a “my-header” key is injected using “global_headers”, the upstream would typically get it as “My-Header”. When this flag is enabled it will be sent as “my-header” instead. Current support is limited to JavaScript plugins, global header injection, virtual endpoint and JQ transform header rewrites. This functionality doesn’t affect headers that are sent by the HTTP client and the default formatting will apply in this case. For technical details refer to the CanonicalMIMEHeaderKey functionality in the Go documentation.

log_level

ENV: TYK_GW_LOGLEVEL
Type: string
 You can now set a logging level (log_level). The following levels can be set: debug, info, warn, error. If not set or left empty, it will default to info.

log_format

ENV: TYK_GW_LOGFORMAT
Type: string
 You can now configure the log format to be either the standard or json format If not set or left empty, it will default to standard.

access_logs

AccessLogs configures the output for access logs. If not configured, the access log is disabled.

access_logs.enabled

ENV: TYK_GW_ACCESSLOGS_ENABLED
Type: bool
 Enabled controls the generation of access logs by the Gateway. Default: false.

access_logs.template

ENV: TYK_GW_ACCESSLOGS_TEMPLATE
Type: []string
 Template configures which fields to include in the access log. If no template is configured, all available fields will be logged. Example: [“client_ip”, “path”]. Template Options:
  • api_key will include they obfuscated or hashed key.
  • client_ip will include the ip of the request.
  • host will include the host of the request.
  • method will include the request method.
  • path will include the path of the request.
  • protocol will include the protocol of the request.
  • remote_addr will include the remote address of the request.
  • upstream_addr will include the upstream address (scheme, host and path)
  • upstream_latency will include the upstream latency of the request.
  • latency_total will include the total latency of the request.
  • user_agent will include the user agent of the request.
  • status will include the response status code.

tracing

Section for configuring OpenTracing support Deprecated: use OpenTelemetry instead.

tracing.name

ENV: TYK_GW_TRACER_NAME
Type: string
 The name of the tracer to initialize. For instance appdash, to use appdash tracer

tracing.enabled

ENV: TYK_GW_TRACER_ENABLED
Type: bool
 Enable tracing

tracing.options

ENV: TYK_GW_TRACER_OPTIONS
Type: map[string]interface{}
 Tracing configuration. Refer to the Tracing Docs for the full list of options.

opentelemetry

Section for configuring OpenTelemetry.

opentelemetry.enabled

ENV: TYK_GW_OPENTELEMETRY_ENABLED
Type: bool
 A flag that can be used to enable or disable the trace exporter.

opentelemetry.exporter

ENV: TYK_GW_OPENTELEMETRY_EXPORTER
Type: string
 The type of the exporter to sending data in OTLP protocol. This should be set to the same type of the OpenTelemetry collector. Valid values are “grpc”, or “http”. Defaults to “grpc”.

opentelemetry.endpoint

ENV: TYK_GW_OPENTELEMETRY_ENDPOINT
Type: string
 OpenTelemetry collector endpoint to connect to. Defaults to “localhost:4317”.

opentelemetry.headers

ENV: TYK_GW_OPENTELEMETRY_HEADERS
Type: map[string]string
 A map of headers that will be sent with HTTP requests to the collector.

opentelemetry.connection_timeout

ENV: TYK_GW_OPENTELEMETRY_CONNECTIONTIMEOUT
Type: int
 Timeout for establishing a connection to the collector. Defaults to 1 second.

opentelemetry.resource_name

ENV: TYK_GW_OPENTELEMETRY_RESOURCENAME
Type: string
 Name of the resource that will be used to identify the resource. Defaults to “tyk”.

opentelemetry.span_processor_type

ENV: TYK_GW_OPENTELEMETRY_SPANPROCESSORTYPE
Type: string
 Type of the span processor to use. Valid values are “simple” or “batch”. Defaults to “batch”.

opentelemetry.context_propagation

ENV: TYK_GW_OPENTELEMETRY_CONTEXTPROPAGATION
Type: string
 Type of the context propagator to use. Valid values are:
  • “tracecontext”: tracecontext is a propagator that supports the W3C Trace Context format (https://www.w3.org/TR/trace-context/).
  • “b3”: b3 is a propagator serializes SpanContext to/from B3 multi Headers format. Defaults to “tracecontext”.

opentelemetry.tls

TLS configuration for the exporter.

opentelemetry.tls.enable

ENV: TYK_GW_OPENTELEMETRY_TLS_ENABLE
Type: bool
 Flag that can be used to enable TLS. Defaults to false (disabled).

opentelemetry.tls.insecure_skip_verify

ENV: TYK_GW_OPENTELEMETRY_TLS_INSECURESKIPVERIFY
Type: bool
 Flag that can be used to skip TLS verification if TLS is enabled. Defaults to false.

opentelemetry.tls.ca_file

ENV: TYK_GW_OPENTELEMETRY_TLS_CAFILE
Type: string
 Path to the CA file.

opentelemetry.tls.cert_file

ENV: TYK_GW_OPENTELEMETRY_TLS_CERTFILE
Type: string
 Path to the cert file.

opentelemetry.tls.key_file

ENV: TYK_GW_OPENTELEMETRY_TLS_KEYFILE
Type: string
 Path to the key file.

opentelemetry.tls.max_version

ENV: TYK_GW_OPENTELEMETRY_TLS_MAXVERSION
Type: string
 Maximum TLS version that is supported. Options: [“1.0”, “1.1”, “1.2”, “1.3”]. Defaults to “1.3”.

opentelemetry.tls.min_version

ENV: TYK_GW_OPENTELEMETRY_TLS_MINVERSION
Type: string
 Minimum TLS version that is supported. Options: [“1.0”, “1.1”, “1.2”, “1.3”]. Defaults to “1.2”.

opentelemetry.sampling

Defines the configurations to use in the sampler.

opentelemetry.sampling.type

ENV: TYK_GW_OPENTELEMETRY_SAMPLING_TYPE
Type: string
 Refers to the policy used by OpenTelemetry to determine whether a particular trace should be sampled or not. It’s determined at the start of a trace and the decision is propagated down the trace. Valid Values are: AlwaysOn, AlwaysOff and TraceIDRatioBased. It defaults to AlwaysOn.

opentelemetry.sampling.rate

ENV: TYK_GW_OPENTELEMETRY_SAMPLING_RATE
Type: float64
 Parameter for the TraceIDRatioBased sampler type and represents the percentage of traces to be sampled. The value should fall between 0.0 (0%) and 1.0 (100%). For instance, if the sampling rate is set to 0.5, the sampler will aim to sample approximately 50% of the traces. By default, it’s set to 0.5.

opentelemetry.sampling.parent_based

ENV: TYK_GW_OPENTELEMETRY_SAMPLING_PARENTBASED
Type: bool
 Rule that ensures that if we decide to record data for a particular operation, we’ll also record data for all the subsequent work that operation causes (its “child spans”). This approach helps in keeping the entire story of a transaction together. Typically, ParentBased is used in conjunction with TraceIDRatioBased. Using it with AlwaysOn or AlwaysOff might not be as effective since, in those cases, you’re either recording everything or nothing, and there are no intermediary decisions to consider. The default value for this option is false.

newrelic.app_name

ENV: TYK_GW_NEWRELIC_APPNAME
Type: string
 New Relic Application name

newrelic.license_key

ENV: TYK_GW_NEWRELIC_LICENSEKEY
Type: string
 New Relic License key

newrelic.enable_distributed_tracing

ENV: TYK_GW_NEWRELIC_ENABLEDISTRIBUTEDTRACING
Type: bool
 Enable distributed tracing

enable_http_profiler

ENV: TYK_GW_HTTPPROFILE
Type: bool
 Enable debugging of your Tyk Gateway by exposing profiling information through https://tyk.io/docs/api-management/troubleshooting-debugging

use_redis_log

ENV: TYK_GW_USEREDISLOG
Type: bool
 Enables the real-time Gateway log view in the Dashboard.

use_sentry

ENV: TYK_GW_USESENTRY
Type: bool
 Enable Sentry logging

sentry_code

ENV: TYK_GW_SENTRYCODE
Type: string
 Sentry API code

sentry_log_level

ENV: TYK_GW_SENTRYLOGLEVEL
Type: string
 Log verbosity for Sentry logging

use_syslog

ENV: TYK_GW_USESYSLOG
Type: bool
 Enable Syslog log output

syslog_transport

ENV: TYK_GW_SYSLOGTRANSPORT
Type: string
 Syslong transport to use. Values: tcp or udp.

syslog_network_addr

ENV: TYK_GW_SYSLOGNETWORKADDR
Type: string
 Graylog server address

use_graylog

ENV: TYK_GW_USEGRAYLOG
Type: bool
 Use Graylog log output

graylog_network_addr

ENV: TYK_GW_GRAYLOGNETWORKADDR
Type: string
 Graylog server address

use_logstash

ENV: TYK_GW_USELOGSTASH
Type: bool
 Use logstash log output

logstash_transport

ENV: TYK_GW_LOGSTASHTRANSPORT
Type: string
 Logstash network transport. Values: tcp or udp.

logstash_network_addr

ENV: TYK_GW_LOGSTASHNETWORKADDR
Type: string
 Logstash server address

track_404_logs

ENV: TYK_GW_TRACK404LOGS
Type: bool
 Show 404 HTTP errors in your Gateway application logs

statsd_connection_string

ENV: TYK_GW_STATSDCONNECTIONSTRING
Type: string
 Address of StatsD server. If set enable statsd monitoring.

statsd_prefix

ENV: TYK_GW_STATSDPREFIX
Type: string
 StatsD prefix

event_handlers

ENV: TYK_GW_EVENTHANDLERS
Type: apidef.EventHandlerMetaConfig
 Event System

hide_generator_header

ENV: TYK_GW_HIDEGENERATORHEADER
Type: bool
 HideGeneratorHeader will mask the ‘X-Generator’ and ‘X-Mascot-…’ headers, if set to true.

force_global_session_lifetime

ENV: TYK_GW_FORCEGLOBALSESSIONLIFETIME
Type: bool
 Enable global API token expiration. Can be needed if all your APIs using JWT or oAuth 2.0 auth methods with dynamically generated keys.

session_lifetime_respects_key_expiration

ENV: TYK_GW_SESSIONLIFETIMERESPECTSKEYEXPIRATION
Type: bool
 SessionLifetimeRespectsKeyExpiration respects the key expiration time when the session lifetime is less than the key expiration. That is, Redis waits the key expiration for physical removal.

global_session_lifetime

ENV: TYK_GW_GLOBALSESSIONLIFETIME
Type: int64
 global session lifetime, in seconds.

kv.KV

ENV: TYK_GW_KV_KV
Type: struct
 See more details https://tyk.io/docs/tyk-self-managed/#store-configuration-with-key-value-store

kv.consul.address

ENV: TYK_GW_KV_CONSUL_ADDRESS
Type: string
 Address is the address of the Consul server

kv.consul.scheme

ENV: TYK_GW_KV_CONSUL_SCHEME
Type: string
 Scheme is the URI scheme for the Consul server

kv.consul.datacenter

ENV: TYK_GW_KV_CONSUL_DATACENTER
Type: string
 The datacenter to use. If not provided, the default agent datacenter is used.

kv.consul.http_auth.username

ENV: TYK_GW_KV_CONSUL_HTTPAUTH_USERNAME
Type: string
 Username to use for HTTP Basic Authentication

kv.consul.http_auth.password

ENV: TYK_GW_KV_CONSUL_HTTPAUTH_PASSWORD
Type: string
 Password to use for HTTP Basic Authentication

kv.consul.tls_config.address

ENV: TYK_GW_KV_CONSUL_TLSCONFIG_ADDRESS
Type: string
 Address

kv.consul.tls_config.ca_file

ENV: TYK_GW_KV_CONSUL_TLSCONFIG_CAFILE
Type: string
 CA file

kv.consul.tls_config.ca_path

ENV: TYK_GW_KV_CONSUL_TLSCONFIG_CAPATH
Type: string
 CA Path

kv.consul.tls_config.cert_file

ENV: TYK_GW_KV_CONSUL_TLSCONFIG_CERTFILE
Type: string
 Cert file

kv.consul.tls_config.key_file

ENV: TYK_GW_KV_CONSUL_TLSCONFIG_KEYFILE
Type: string
 Key file

kv.consul.tls_config.insecure_skip_verify

ENV: TYK_GW_KV_CONSUL_TLSCONFIG_INSECURESKIPVERIFY
Type: bool
 Disable TLS validation

kv.vault.token

ENV: TYK_GW_KV_VAULT_TOKEN
Type: string
 Token is the vault root token

kv.vault.kv_version

ENV: TYK_GW_KV_VAULT_KVVERSION
Type: int
 KVVersion is the version number of Vault. Usually defaults to 2

secrets

ENV: TYK_GW_SECRETS
Type: map[string]string
 Secrets configures a list of key/value pairs for the gateway. When configuring it via environment variable, the expected value is a comma separated list of key-value pairs delimited with a colon. Example: TYK_GW_SECRETS=key1:value1,key2:/value2 Produces: {"key1": "value1", "key2": "/value2"} The secret value may be used as secrets://key1 from the API definition. In versions before gateway 5.3, only listen_path and target_url fields have had the secrets replaced. See more details https://tyk.io/docs/tyk-self-managed/#how-to-access-the-externally-stored-data

override_messages

Override the default error code and or message returned by middleware. The following message IDs can be used to override the message and error codes: AuthToken message IDs
  • auth.auth_field_missing
  • auth.key_not_found
OIDC message IDs
  • oauth.auth_field_missing
  • oauth.auth_field_malformed
  • oauth.key_not_found
  • oauth.client_deleted
Sample Override Message Setting 
"override_messages": {
  "oauth.auth_field_missing" : {
   "code": 401,
   "message": "Token is not authorized"
 }
}

cloud

ENV: TYK_GW_CLOUD
Type: bool
 Cloud flag shows the Gateway runs in Tyk Cloud.

jwt_ssl_insecure_skip_verify

ENV: TYK_GW_JWTSSLINSECURESKIPVERIFY
Type: bool
 Skip TLS verification for JWT JWKs url validation

resource_sync

ResourceSync configures mitigation strategy in case sync fails.

resource_sync.retry_attempts

ENV: TYK_GW_RESOURCESYNC_RETRYATTEMPTS
Type: int
 RetryAttempts defines the number of retries that the Gateway should perform during a resource sync (APIs or policies), defaulting to zero which means no retries are attempted.

resource_sync.interval

ENV: TYK_GW_RESOURCESYNC_INTERVAL
Type: int
 Interval configures the interval in seconds between each retry on a resource sync error.

oas_config

OAS holds the configuration for various OpenAPI-specific functionalities

oas_config.validate_examples

ENV: TYK_GW_OAS_VALIDATEEXAMPLES
Type: bool
 ValidateExamples enables validation of values provided in example and examples fields against the declared schemas in the OpenAPI Document. Defaults to false.

oas_config.validate_schema_defaults

ENV: TYK_GW_OAS_VALIDATESCHEMADEFAULTS
Type: bool
 ValidateSchemaDefaults enables validation of values provided in default fields against the declared schemas in the OpenAPI Document. Defaults to false.

streaming

Streaming holds the configuration for Tyk Streaming functionalities

streaming.enabled

ENV: TYK_GW_STREAMING_ENABLED
Type: bool
 This flag enables the Tyk Streaming feature.

streaming.allow_unsafe

ENV: TYK_GW_STREAMING_ALLOWUNSAFE
Type: []string
 AllowUnsafe specifies a list of potentially unsafe streaming components that should be allowed in the configuration. By default, components that could pose security risks (like file access, subprocess execution, socket operations, etc.) are filtered out. This field allows administrators to explicitly permit specific unsafe components when needed. Use with caution as enabling unsafe components may introduce security vulnerabilities.