This guide focuses on the Enterprise Edition of Tyk AI Studio. For the Community Edition, please refer to the Tyk AI Studio GitHub repository. The Community Edition uses different Docker images (tykio/tyk-ai-studio and tykio/tyk-microgateway) and does not require a license key.
This guide explains how to deploy Tyk AI Studio (control plane), an Edge Gateway (data plane), and PostgreSQL on Kubernetes using Helm. AI Studio manages configuration centrally and the Edge Gateway processes AI requests, receiving configuration via gRPC.
Replace the placeholder secrets with your generated values. The grpcAuthToken / edgeAuthToken and microgatewayEncryptionKey / encryptionKey pairs must match.
Expandable
Copy
Ask AI
midsommar: image: repository: tykio/tyk-ai-studio-ent tag: v2.0.0 service: type: NodePort ports: - name: http port: 8080 targetPort: 8080 nodePort: 32580 - name: gateway port: 9090 targetPort: 9090 nodePort: 32590 - name: grpc port: 50051 targetPort: 50051config: allowRegistrations: "true" siteUrl: "http://localhost:32580" # Update post-install if not localhost fromEmail: "noreply@localhost" devMode: "true" # Required for login over plain HTTP databaseType: "postgres" tykAiSecretKey: "CHANGE-ME-first-secret" tykAiLicense: "your-license-key" ociCacheDir: "./data/cache/plugins" ociRequireSignature: "false" gatewayMode: "control" grpcPort: "50051" grpcHost: "0.0.0.0" grpcTlsInsecure: "true" grpcAuthToken: "CHANGE-ME-third-secret" microgatewayEncryptionKey: "CHANGE-ME-second-secret" # proxyUrl auto-resolves to the Edge Gateway k8s service — no need to set itdatabase: internal: true user: "tyk" password: "your-db-password" name: "tyk_ai_studio"postgres: persistence: enabled: true size: 1Gimicrogateway: enabled: true image: repository: tykio/tyk-microgateway-ent tag: v2.0.0 service: type: NodePort port: 8080 nodePort: 32591 config: edgeId: "edge-1" edgeNamespace: "default" secrets: edgeAuthToken: "CHANGE-ME-third-secret" # Must match config.grpcAuthToken encryptionKey: "CHANGE-ME-second-secret" # Must match config.microgatewayEncryptionKey tykAiLicense: "your-license-key"
The Edge Gateway’s internal service URL is used for routing by default, but the portal needs to display the correct external URL for tools and datasources. After install, patch the config with your cluster’s node IP:
Copy
Ask AI
# Get the node IP and set the gateway URLNODE_IP=$(kubectl get nodes -o jsonpath='{.items[0].status.addresses[?(@.type=="InternalIP")].address}')GATEWAY_URL="http://${NODE_IP}:32591"# Patch the configmap with correct URLs and restart AI StudioSTUDIO_URL="http://${NODE_IP}:32580"kubectl patch configmap midsommar-config -p \ "{\"data\":{\"SITE_URL\":\"${STUDIO_URL}\",\"TOOL_DISPLAY_URL\":\"${GATEWAY_URL}\",\"DATASOURCE_DISPLAY_URL\":\"${GATEWAY_URL}\"}}"kubectl rollout restart deployment midsommar
Tip: If you know your cluster’s external IP or hostname upfront, you can skip this step by setting config.toolDisplayUrl and config.datasourceDisplayUrl in your values file instead.
# Check all pods are runningkubectl get pods# Check AI Studio health (via NodePort)curl -s http://${NODE_IP}:32580/health# Check Edge Gateway health (via NodePort)curl -s http://${NODE_IP}:32591/health
After deployment, you need to create your first admin user:
Access the application: Navigate to your configured SITE_URL (e.g., https://studio.yourdomain.com)
Register with admin email: Use the EXACT email address you set in the ADMIN_EMAIL environment variable in your configuration.
Complete registration: The first user who registers with the admin email will automatically become the administrator.
Important: The first user registration must use the same email address specified in the ADMIN_EMAIL environment variable. This user will have full administrative privileges.
AI Studio pre-populates OpenAI and Anthropic LLM configurations on first startup with placeholder secrets (OPENAI_KEY and ANTHROPIC_KEY). To start using them:
Open AI Studio at the siteUrl you configured and log in with your admin account
Navigate to Governance → Secrets in the sidebar
Click on OPENAI_KEY and edit it to add your OpenAI API key
Click on ANTHROPIC_KEY and edit it to add your Anthropic API key
Navigate to AI Portal → Edge Gateways in the sidebar
Verify your edge gateway (edge-1) shows as Connected
Click Push Configuration to sync the latest settings to the Edge Gateway
Once the sync status shows Synced, the Edge Gateway is ready to proxy LLM requests.For further setup (additional LLMs, users, applications), see the Initial Configuration guide.
To deploy multiple edge gateways for different regions, override edgeId and edgeNamespace per instance. You can either deploy separate Helm releases or create additional Kubernetes Deployments with unique values:
