Over a million developers have joined DZone.

Tyk Management API: OAuth2 Application Flow (client_credntials grant type)

DZone's Guide to

Tyk Management API: OAuth2 Application Flow (client_credntials grant type)

Tyk is a lightweight, open source API Gateway and Management Platform enables you to control who accesses your API, when they access it and how they access it.

· Integration Zone ·
Free Resource

SnapLogic is the leading self-service enterprise-grade integration platform. Download the 2018 GartnerMagic Quadrant for Enterprise iPaaS or play around on the platform, risk free, for 30 days.

What Is Tyk?

Tyk is a lightweight, open source API Gateway and Management Platform enables you to control who accesses your API, when they access it and how they access it. Tyk will also record detailed analytics on how your users are interacting with your API and when things go wrong.

Tyk enables you also to use different authentictions and authorization types to access your APIs :

  • Basic

  • Hmac

  • OAuth1 and OAuth2

OAuth2 Flows

Tyk can act as a full blown OAuth 2.0 provider for Authorization an access tokens, and all your applications would need to integrate with is Tyk’s API and notification endpoints.

Tyk supports the following grants:

  • Authorization Code

  • Refresh token

  • Password

  • Client Credentials

In this post I will focus only on The Tyk OAuth2 Client Crendials flow which will be described in the following sections.


  • Tyk 2.2

  • Tyk Gateway declaration

Client Credentials Flow

The Client Credentials flow is probably the most simple flow of OAuth 2 flows. The main difference from the others is that this flow is not associated with a resource owner.

One usage of this flow would be retrieving client statistics for example. Since the access token would be connected to the client only, the access token won't have access to private user data for example.

Set up Client Credentials Flow Via Tyk


First we have to attach policies file to tyk.conf

Adding a policy to a file-based (Community Edition) Tyk Gateway is very easy. Polices are loaded into memory on load and so need to be specified in advanced in a file called policies.json. To add a policy, simply create or edit the /policies/policies.json file and add the policy object to the object array:


Adjust the policy to your needs.

Oauth API

To enable the client credentials grant type we need to add it to our app file in apps/ folder.


Now we need to restart Tyk service in order to load apps and policies in memory.

Be careful; I'm not sure that a simple Tyk reload can load everything in memory. I'm using Tyk 2.2.0 and this works only with service restart.

Create Oauth Client

To create a new OAuth client we have to mention the policy to use when generating tokens as follow in thos curl:

curl -X POST \
http://localhost:8082/tyk/oauth/clients/create \
-H 'Content-Type: application/json' \
-H 'x-tyk-authorization: 352d20ee67be67f6341b4c0605b044b8' \
-d '{
"api_id": "openApi",
"redirect_uri": "http://www.test.fr",

The response of this curl must be like:

"client_id": "81fa2838c4ba4e88712adcb821e118c8",
"redirect_uri": "http://www.chezmama.fr",
"api_id": "openApi",
"policy_id": "openApi",
"secret": "NTA3YmY0YjItODUyNC00YjU1LTc4YmEtZjNhYTBkODg0N2Yw"

Retrieving Token

Now we use the client_id and secret generated while creating new OAuth client to retrieve a new access token.

curl -X POST \
http://localhost:8082/hub/v2/oauth/token/ \
-H 'Content-Type: application/x-www-form-urlencoded' \
-d 'client_id=c8daec0b0baf4d01508d283428612049&client_secret=ODA2MmRhN2YtOWU3Yy00ODkyLTUyZGMtNmY4ZmQ0MDIyYjM3&grant_type=client_credentials'

You can use the Authorization header in the base64 encoding of client_id:secret potman to generate this using basic auth option:

Basic Auth via potman

Download A Buyer's Guide to Application and Data Integration, your one-stop-shop for research, checklists, and explanations for an application and data integration solution.

oauth2 ,tyk ,integration ,security ,api ,oauth 2

Opinions expressed by DZone contributors are their own.

{{ parent.title || parent.header.title}}

{{ parent.tldr }}

{{ parent.urlSource.name }}