You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Tag names for the new JWKS endpoints use "JWK cache invalidation" while summary/descriptions say "JWK". Consider aligning tag capitalization and pluralization with existing conventions to keep Swagger grouping consistent.
tags:
- JWK cache invalidation/tyk/cache/jwks:
delete:
description: Invalidate JWK cache for all APIs.operationId: invalidateJWKCacheForAllAPIsresponses:
"200":
content:
application/json:
example:
message: cache invalidatedstatus: okschema:
$ref: '#/components/schemas/ApiStatusMessage'description: Cache invalidated."403":
content:
application/json:
example:
message: Attempted administrative access with invalid or missing key!status: errorschema:
$ref: '#/components/schemas/ApiStatusMessage'description: Forbiddensummary: Invalidate JWK cache for all APIstags:
- JWK cache invalidation
The type for allowedValues in CustomClaimValidationConfig appears to include an internal Go AST type signature instead of a user-facing type hint; this likely needs to be documented as a generic list/array (e.g., any/[]interface{}) with supported primitives.
**Field: `allowedValues` (`[]&ast.InterfaceType{Interface:195124, Methods:(*ast.FieldList)(0xc0003b1170), Incomplete:false}`)**
AllowedValues contains the values that Tyk will use to validate the claim for "exact_match" and "contains" validation types.
Not used for "required" validation type.
Supports string, number, boolean, and array values.
For arrays, validation succeeds if any array element matches any allowed value.
SecurityProcessingMode description mentions OR logic across requirements; consider clarifying how multiple schemes within a single requirement (AND semantics) are handled to avoid ambiguity for readers implementing complex security.
**Field: `securityProcessingMode` (`string`)**
SecurityProcessingMode controls how multiple security requirements are processed.
- "legacy" (default): Only first security requirement processed, uses BaseIdentityProvider
- "compliant": All security requirements processed with OR logic, dynamic identity provider
Tyk classic API definition: `security_processing_mode`.
**Field: `security` (`[][]string`)**
Security contains Tyk vendor extension security requirements for proprietary auth methods.
This is concatenated with OpenAPI security requirements when SecurityProcessingMode is "compliant".
Fix the rendered type for allowedValues; it currently shows a Go AST debug type, which is confusing and incorrect for users. Replace it with a clear, user-facing type description, e.g., "[]any" or "[]interface{}".
-**Field: `allowedValues` (`[]&ast.InterfaceType{Interface:195124, Methods:(*ast.FieldList)(0xc0003b1170), Incomplete:false}`)**+**Field: `allowedValues` (`[]any`)**
AllowedValues contains the values that Tyk will use to validate the claim for "exact_match" and "contains" validation types.
Not used for "required" validation type.
Supports string, number, boolean, and array values.
For arrays, validation succeeds if any array element matches any allowed value.
Suggestion importance[1-10]: 8
__
Why: The rendered type shows an internal Go AST debug string, which is clearly incorrect for docs; replacing with a user-facing type like []any significantly improves accuracy and clarity.
Medium
General
Add 404 not-found response
Add a "404" response to document behavior when the provided apiID does not exist. This prevents clients from misinterpreting missing APIs as successful invalidations and aligns with typical REST error patterns.
/tyk/cache/jwks/{apiID}:
delete:
description: Invalidate JWK cache for the given API.
operationId: invalidateJWKCache
parameters:
- description: The API ID.
example: ae67bb862a3241a49117508e0f9ee839
in: path
name: apiID
required: true
schema:
type: string
responses:
"200":
content:
application/json:
example:
message: cache invalidated
status: ok
schema:
$ref: '#/components/schemas/ApiStatusMessage'
description: Cache invalidated.
"403":
content:
application/json:
example:
message: Attempted administrative access with invalid or missing key!
status: error
schema:
$ref: '#/components/schemas/ApiStatusMessage'
description: Forbidden
+ "404":+ content:+ application/json:+ example:+ message: API not found+ status: error+ schema:+ $ref: '#/components/schemas/ApiStatusMessage'+ description: API ID not found.
summary: Invalidate cache for given API ID.
tags:
- JWK cache invalidation
Suggestion importance[1-10]: 6
__
Why: The existing path lacks a 404 response for unknown apiID, and documenting it would improve client expectations; however, it's speculative without confirmation of backend behavior.
Low
Ensure unique operationId
Add an "operationId" uniqueness check by renaming to avoid potential collisions with similarly named operations. Ensure operationId strings are unique across the spec to prevent client generation conflicts.
/tyk/cache/jwks:
delete:
description: Invalidate JWK cache for all APIs.
- operationId: invalidateJWKCacheForAllAPIs+ operationId: invalidateJWKCacheAll
responses:
"200":
content:
application/json:
example:
message: cache invalidated
status: ok
schema:
$ref: '#/components/schemas/ApiStatusMessage'
description: Cache invalidated.
"403":
content:
application/json:
example:
message: Attempted administrative access with invalid or missing key!
status: error
schema:
$ref: '#/components/schemas/ApiStatusMessage'
description: Forbidden
summary: Invalidate JWK cache for all APIs
tags:
- JWK cache invalidation
Suggestion importance[1-10]: 4
__
Why: Uniqueness of operationId is important, but the suggestion arbitrarily renames it without evidence of a collision in this spec; impact is minor unless a conflict is proven.
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
lghiur
changed the title
User description
Triggered by: lghiur
Included:
Tyk Gateway: true
Tyk Dashboard: false
Tyk MDCB false
Tyk Pump false
Intended for: master
Changes sourced from: release-5.10.0
Config info generator branch: main
Note: Gateway - Docs updates for 5.10.0 (branch suffix: docs)
JIRA: https://tyktech.atlassian.net/browse/TT-15719
PR Type
Documentation
Description
Add JWK cache invalidation endpoints
Document certificate expiry monitoring config
Expand OAS security and JWT fields
Clarify external service proxy/mTLS config
Diagram Walkthrough
File Walkthrough
gateway-swagger.yml
Introduce JWK cache invalidation API endpointstyk-docs/assets/others/gateway-swagger.yml
gateway-config.md
Document certificate expiry monitor and external servicestyk-docs/content/shared/gateway-config.md
x-tyk-gateway.md
Expand OAS security and JWT/JWKS configuration docstyk-docs/content/shared/x-tyk-gateway.md
securityrequirements.claims.
validation.