Configs · Apr 15, 2026 · 3 min read

Tyk — Open Source API Gateway with Developer Portal

Tyk is a Go-based API gateway with plugins, rate limiting, OAuth2/OIDC, GraphQL federation, and a built-in developer portal — packaged as a single binary or full Kubernetes operator.

Introduction

Tyk is a high-performance open source API gateway written in Go. It offers quota enforcement, rate limiting, auth (OAuth2, OIDC, JWT, HMAC, mTLS), transformations, analytics, and a developer portal, and it can run as a standalone gateway, a Docker deployment, or a Kubernetes-native operator. It has over 10,000 GitHub stars and a decade of production use across banks, telcos, and public sector APIs.

What Tyk Does

  • Terminates and routes API traffic to upstream services with per-route policies.
  • Enforces rate limits, quotas, and circuit breakers using Redis for distributed counters.
  • Authenticates clients via OAuth2, OIDC, JWT, HMAC, mTLS, custom auth plugins, or keyless modes.
  • Federates GraphQL schemas from multiple upstreams (Universal Data Graph) alongside REST.
  • Serves a developer portal for API discovery, signup, docs, and key issuance.

Architecture Overview

Tyk is a Go binary that sits between clients and upstream services, reading API definitions from either a local file, a Redis-backed store, or the Tyk Dashboard. Each request flows through a middleware chain: auth → rate limit → transform → cache → dispatch → response transform. Plugins can be written in Go, Python, JavaScript, Lua, or gRPC for cross-language middleware. The dashboard (commercial, but free for <= 5 users) is optional; the gateway is fully functional with just Redis. Kubernetes deployments use the Tyk Operator to reconcile API and Policy CRDs.
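In a chain ordered as described above, a request that fails auth stops before it touches a rate-limit counter or the upstream. The Go sketch below is an added example that models only that ordering; it is not Tyk's code. The `Gateway` type, its fields, and the in-memory map standing in for the Redis counters are assumptions, and the transform and cache stages are omitted.

```go
package main

import (
	"errors"
	"fmt"
)

var ErrAuth, ErrRate = errors.New("401 unauthorized"), errors.New("429 rate limited")

// Gateway is a hypothetical model for this sketch, not a Tyk type.
type Gateway struct {
	Keys     map[string]bool // constructed set of valid API keys
	Limit    int             // requests allowed per key
	Counts   map[string]int  // in-memory stand-in for the Redis counters
	Upstream int             // requests that reached the upstream
}

func (g *Gateway) auth(key string) error {
	if !g.Keys[key] {
		return ErrAuth
	}
	return nil
}

func (g *Gateway) rateLimit(key string) error {
	g.Counts[key]++
	if g.Counts[key] > g.Limit {
		return ErrRate
	}
	return nil
}

func (g *Gateway) dispatch(string) error { g.Upstream++; return nil }
// Handle runs auth, rate limit, dispatch in order and stops at the first error.
func (g *Gateway) Handle(key string) error {
	for _, stage := range []func(string) error{g.auth, g.rateLimit, g.dispatch} {
		if err := stage(key); err != nil {
			return err
		}
	}
	return nil
}

func main() {
	g := &Gateway{Keys: map[string]bool{"k1": true}, Limit: 2, Counts: map[string]int{}}
	for _, key := range []string{"bogus", "k1", "k1", "k1"} { // constructed sample keys
		err := g.Handle(key)
		fmt.Printf("%-5s -> %v (upstream calls so far: %d)\n", key, err, g.Upstream)
	}
}
```

In this model an unknown key creates no counter entry, so unauthenticated traffic cannot grow the counter store or consume another client's quota.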

Self-Hosting & Configuration

  • Run tyk-gateway as a Docker container or systemd service; pair with Redis (required) and optionally MongoDB/Postgres for analytics.
  • Configure APIs via JSON definitions in /opt/tyk-gateway/apps/ or through the dashboard UI/REST API.
  • Deploy on Kubernetes with the official Helm chart and Tyk Operator; APIs become ApiDefinition CRDs.
  • Extend via native Go plugins (compile into the gateway), JS middleware (hot-reloaded), or gRPC plugins (any language).
  • Enable OpenTelemetry tracing in tyk.conf to get full request traces across upstream hops.

Key Features

  • Multi-protocol: REST, GraphQL (incl. federation), gRPC, WebSocket, TCP, and SOAP.
  • Plugin system in five languages covers 95% of customization needs without forking.
  • Built-in developer portal with self-service signup, key management, and OAS-rendered docs.
  • Native Kubernetes operator syncs Git-managed API configs with cluster state.
  • Open source gateway is full-featured; the dashboard is the only paid tier.

Comparison with Similar Tools

  • Kong Gateway — Lua/OpenResty-based; similar feature surface and a larger plugin ecosystem, while Tyk has better multi-protocol support.
  • Apache APISIX — OpenResty-based, newer, strong dynamic routing; Tyk wins on multi-language plugins.
  • KrakenD — stateless aggregation gateway; lighter but no developer portal.
  • Envoy + Istio — powerful L7 proxy; best for service mesh, needs more ops investment.
  • AWS API Gateway — managed, vendor-locked; Tyk gives parity on your own infra.

FAQ

Q: Do I need the dashboard? A: No — every feature can be driven via the gateway REST API and config files. The dashboard is UX sugar.

Q: How are plugins deployed? A: Go plugins compile into the gateway; JS/Lua/Python/gRPC plugins load at runtime from a configured path or gRPC endpoint.

Q: Does Tyk scale horizontally? A: Yes — Redis synchronizes counters and tokens across gateway replicas. Put the replicas behind any L4 load balancer.

Q: What is the license? A: Mozilla Public License 2.0 for the gateway; the dashboard and portal ship under a commercial license with a generous free tier.
