|
| 1 | +--- |
| 2 | +title: "Access Control Overview" |
| 3 | +description: "Understand how Tyk manages API access, limits consumption, and scales using Sessions, Keys, and Policies." |
| 4 | +keywords: "Access Control, Sessions, Keys, Policies, Rate Limits, Quotas, Plans, Products" |
| 5 | +sidebarTitle: "Overview" |
| 6 | +--- |
| 7 | + |
| 8 | +## Introduction |
| 9 | + |
| 10 | +When managing APIs, one of the most critical tasks is controlling what access your API clients have to your services. You need to ensure that clients can only access the APIs, paths, and HTTP methods they are authorized for, while also enforcing consumption limits like rate limits and quotas to protect your upstream services. |
| 11 | + |
| 12 | +In Tyk, access control is built on three core concepts: **Sessions**, **Keys**, and **Policies**. Understanding how these three elements interact is the key to managing API access securely and at scale. |
| 13 | + |
| 14 | +## The Foundation: Session |
| 15 | + |
| 16 | +At the heart of Tyk's access control is the **Session**. |
| 17 | + |
| 18 | +Every active client connection in Tyk is represented by a Session, which is typically stored in the data plane's Redis database. This object is the ultimate source of truth for a client's current state. It contains: |
| 19 | +- **Access Rights:** Which APIs, versions, paths, and methods the client is allowed to access. |
| 20 | +- **Consumption Limits:** The client's rate limit (requests per second) and quota (requests per month/week/etc.). |
| 21 | +- **Current Usage:** Real-time tracking of how much of their quota they have consumed. |
| 22 | +- **Metadata:** Custom data associated with the client that can be used for routing, transformations, or analytics. |
| 23 | + |
| 24 | +When a request arrives, Tyk evaluates the Session to determine if the request should be allowed through to your upstream service. |
| 25 | + |
| 26 | +## Identifying the Client: Keys and Authentication |
| 27 | + |
| 28 | +If the Session dictates *what* a client can do, how does Tyk know *who* the client is? This is where **Keys** and Authentication come in. |
| 29 | + |
| 30 | +A "Key" is simply the mechanism used to resolve the Session. While Tyk supports many different authentication methods, they all fall into one of two categories based on how the Session is created: |
| 31 | + |
| 32 | +### 1. Pre-Registered Sessions |
| 33 | + |
| 34 | +For most authentication methods, the client must be pre-registered with Tyk. A Session is created and stored in Redis at the time of registration. When a request arrives, Tyk uses the provided credentials as a lookup key to retrieve this existing session. |
| 35 | + |
| 36 | +This category includes: |
| 37 | +- [**Auth Tokens**](/api-management/authentication/bearer-token): The token itself is the lookup key. |
| 38 | +- [**Basic Authentication**](/api-management/authentication/basic-authentication): The username acts as the lookup key. |
| 39 | +- [**HMAC Signatures**](/basic-config-and-security/security/authentication-authorization/hmac-signatures) The Key ID provided in the request is the lookup key. |
| 40 | +- [**Certificate Auth**](/api-management/authentication/certificate-auth) A hash of the client's TLS certificate acts as the lookup key. |
| 41 | + |
| 42 | +### 2. Dynamically Generated Sessions |
| 43 | + |
| 44 | +For [**JWT Auth**](/api-management/authentication/jwt-authorization), Tyk does not require a pre-existing Session in its database prior to the first request. Instead, Tyk validates the token and dynamically generates the Session on the fly based on the token's claims. This Session is then persisted to Redis, with the [identity](/api-management/authentication/jwt-authorization#identifying-the-session-owner) as the lookup key. |
| 45 | + |
| 46 | +Regardless of the authentication method you choose, the end result is always a Session that Tyk uses to enforce access control. |
| 47 | + |
| 48 | +## Managing at Scale: Policies |
| 49 | + |
| 50 | +While you could configure access rights and limits directly on individual Sessions, this becomes unmanageable at scale. If you have 10,000 clients and you want to grant them access to a newly published API, updating 10,000 individual Sessions in Redis is not practical. |
| 51 | + |
| 52 | +This is where **Policies** come in. A Policy is a templated set of rules that defines access rights and consumption limits. |
| 53 | + |
| 54 | +Instead of writing these rules directly into the Session, the Session simply references a **Policy ID**. When a client makes a request, Tyk loads the Session, sees the Policy ID, and applies the rules defined in that Policy. If you need to update access for all 10,000 clients, you simply update the Policy once, and the changes take effect immediately for all associated sessions. |
| 55 | + |
| 56 | +### Partitioned Policies vs. Monolithic Policies |
| 57 | + |
| 58 | +Tyk supports two approaches to policies: |
| 59 | +- **Monolithic Policies:** A single policy that defines both access rights and consumption limits. |
| 60 | +- **Partitioned Policies:** Multiple policies applied to a single session, where one policy might define access rights (e.g., "Product A") and another might define consumption limits (e.g., "Gold Plan"). |
| 61 | + |
| 62 | +**We strongly encourage the use of Partitioned Policies.** They offer much greater flexibility and reusability. |
| 63 | + |
| 64 | +If you are using the **Tyk Developer Portal**, you will see this concept in action. The Portal uses the terminology [**Products**](/portal/api-products) (policies that define API access rights) and [**Plans**](/portal/api-plans) (policies that define rate limits and quotas). Under the hood, these are simply partitioned policies working together to control the client's session. |
| 65 | + |
| 66 | +## Turning Access On and Off |
| 67 | + |
| 68 | +Managing the lifecycle of client access is straightforward with Tyk: |
| 69 | + |
| 70 | +- **Key Revocation:** You can instantly revoke a client's access by deleting their Session from Redis. |
| 71 | +- **Key Expiry:** Sessions can be configured with a Time-To-Live (TTL), after which they automatically expire and are removed. |
| 72 | +- **Policy Disabling:** You can disable a Policy, which will immediately block access for all clients whose sessions rely on that Policy. |
| 73 | + |
| 74 | +## Next Steps |
| 75 | + |
| 76 | +Now that you understand the core concepts, you can dive deeper into how to implement them: |
| 77 | + |
| 78 | +- [Understanding Sessions](/api-management/access-control/sessions-and-keys/understanding-sessions) |
| 79 | +- [Managing Session Lifecycle](/api-management/access-control/sessions-and-keys/session-lifecycle) |
| 80 | +- [Creating and Managing Policies](/api-management/access-control/policies/managing-policies) |
0 commit comments