Tyk v2.2 Documentation Components
Developer Portal Concepts: Policies
In the context of the developer portal, a security policy is the main “element” that is exposed to public access. A portal policy is the same object as a standard security policy; it forms the baseline template that the portal uses when it generates a token for a developer.
Security policies are used instead of a one-to-one mapping between developers and tokens because a policy encapsulates all the information needed for a public API programme:
- Rate limits
- Quota
- Access Lists (What APIs and which versions are permitted)
- Granular access (Which methods and paths are allowed, e.g. you may want to only expose read-only access to the portal, so only GET requests are allowed)
- Multi-key management (with a policy you manage thousands of tokens at once, instead of one by one)
Within the developer portal admin area, under a developer record, you will see their subscriptions. Those subscriptions represent the tokens they hold and the policy-level access those tokens carry. You can then “upgrade” or “downgrade” a developer's access without touching the token itself: you simply assign a new policy to that token.
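The following policy definition is an added, constructed example and is not taken from this page or from the Tyk project; it shows how the items listed above (rate limit, quota, access list, granular method/path access) are expressed together in one policy object that every portal-issued token inherits. The API ID, API name and organisation ID are placeholders; the field names follow the standard Tyk policy schema, and the allowed_urls entries implement the read-only case mentioned above by permitting GET only.

```json
{
  "org_id": "PLACEHOLDER_ORG_ID",
  "active": true,

  "rate": 100,
  "per": 60,

  "quota_max": 10000,
  "quota_renewal_rate": 3600,

  "access_rights": {
    "PLACEHOLDER_API_ID": {
      "api_id": "PLACEHOLDER_API_ID",
      "api_name": "Catalogue API (placeholder)",
      "versions": ["Default"],
      "allowed_urls": [
        { "url": "/products", "methods": ["GET"] },
        { "url": "/products/{id}", "methods": ["GET"] }
      ]
    }
  }
}
```

Read the block as the developer-facing contract: 100 requests per 60 seconds, a quota of 10,000 requests renewing hourly, access to one API version, and only GET on the two listed paths. Because every token the portal generates from this policy enforces exactly these settings, reviewing and tightening the policy changes the access of all subscribed developers at once, which is the "upgrade/downgrade by reassigning a policy" behaviour described above.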