Skip to main content

Documentation Index

Fetch the complete documentation index at: https://tyk.io/docs/llms.txt

Use this file to discover all available pages before exploring further.

Availability

ComponentVersionEdition
GatewayAvailable since v5.12.0All
To inspect the gateway’s live configuration without SSH access, you can enable configuration inspection endpoints on the Control API port.

Configuration Inspection Endpoints

Gateway offers two endpoints for configuration inspection:
EndpointQuery ParameterDescription
GET /configfield=<path> (optional)Returns the full gateway configuration, or a single field if field is specified
GET /envenv=<VAR> (optional)Returns all environment variable mappings, or a single mapping if env is specified
Both endpoints are available on the Control API port and require authentication via the X-Tyk-Authorization header. Requests without this header return HTTP 403.

Enable Configuration Inspection

By default, configuration inspection endpoints are disabled to prevent accidental exposure of sensitive information. When disabled, all configuration inspection endpoints return HTTP 404. To enable it, set enable_config_inspection to true in your tyk.conf or use the equivalent environment variable.
In production environments, we recommend keeping configuration inspection disabled.
{
  "enable_config_inspection": true
}

Examples

Inspect Full Gateway Configuration

curl -H "X-Tyk-Authorization: $TYK_GW_SECRET" http://localhost:8080/config
Response: 
{
  "hostname": "",
  "listen_address": "",
  "listen_port": 8080,
  "control_api_hostname": "",
  "control_api_port": 0,
  "secret": "*REDACTED*",
  "node_secret": "*REDACTED*",
  "pid_file_location": "./tyk-gateway.pid",
  "allow_insecure_configs": true,
  "public_key_path": "",
  "allow_remote_config": true,
  "enable_config_inspection": true,
  "security": {
  }
...
}

Inspect a Single Config Field

To retrieve the value of a specific configuration field, use the field query parameter with the field name: 
curl -H "X-Tyk-Authorization: $TYK_GW_SECRET" \
  "http://localhost:8080/config?field=listen_port"
Response: 
{
  "config_field": "listen_port",
  "env": "TYK_GW_LISTENPORT",
  "value": "8080",
  "obfuscated": false
}

Sensitive Field Redaction

Fields that contain secrets (for example, secret, passwords, and connection strings) are automatically shown as *REDACTED* in all responses. The obfuscated field in the response indicates whether the value has been redacted. 
{
  "config_field": "secret",
  "env": "TYK_GW_SECRET",
  "value": "*REDACTED*",
  "obfuscated": true
}

Inspect Environment Variables

To view all environment variable mappings: 
curl -H "X-Tyk-Authorization: $TYK_GW_SECRET" http://localhost:8080/env
Gateway will only return environment variables that are prefixed with TYK_GW_.
Response: 
[
  "TYK_GW_ENABLECONFIGINSPECTION=true",
  "TYK_GW_EXPERIMENTALPROCESSORGOFFTHREAD=false",
  "TYK_GW_GRACEFULSHUTDOWNTIMEOUTDURATION=0",
  "TYK_GW_CONTROLAPIPORT=0",
  "TYK_GW_TEMPLATEPATH=./templates",
  "TYK_GW_SSLFORCECOMMONNAMECHECK=false",
  "TYK_GW_ENABLEBUNDLEDOWNLOADER=false",
  "TYK_GW_JSVMTIMEOUT=0",
  "TYK_GW_FORCEGLOBALSESSIONLIFETIME=false",
  "TYK_GW_DISABLEDASHBOARDZEROCONF=false",
  "TYK_GW_MANAGEMENTNODE=false",
...
]