Open-source API gateway and management platform
Tyk is a UK-based open-source API gateway and management platform providing API gateway routing, rate limiting, authentication, analytics, and a developer portal. Self-hostable or available as a cloud service, Tyk is built in Go for high performance.
Headquarters: London, United Kingdom
Founded: 2014
Employees: 51-200
Open Source: Yes
Pricing: Free, Pay-as-you-go, Free, Contact Sales
Billing: monthly, annual
Most API gateways handle REST. Some handle GraphQL. A handful handle gRPC. Tyk handles all of them — plus SOAP, TCP, and AsyncAPI — from a single gateway written in Go, deployed wherever your infrastructure lives.
Founded in London in 2014, Tyk Technologies built one of the earliest open-source API management platforms to compete seriously with commercial offerings from AWS, Apigee, and MuleSoft. A decade later, with $43M raised, ISO 27001 and SOC 2 certifications, and recognition in the Sunday Times 100 Fastest-Growing Tech Companies, Tyk has become the reference implementation for what a European-built API gateway can achieve.
The platform centres on three deployment modes: a fully self-hosted on-premises installation, a Tyk Cloud managed service, and a hybrid model where the control plane runs in Tyk's cloud while the data plane (which handles actual API traffic) runs in your own environment. This flexibility is not a marketing concession — it is the architectural response to the reality that enterprise API management involves diverse infrastructure contexts, compliance requirements, and operational maturity levels.
Tyk Gateway, the core routing and policy enforcement engine, is free and open-source under the Mozilla Public Licence. This is not a stripped-down community edition. It is the same gateway that runs in production at financial services firms, government agencies, and fast-growing fintechs.
The defining technical feature of Tyk is protocol breadth. Where most API gateways are REST-native with GraphQL support added later, Tyk treats all API types as first-class citizens.
REST APIs get the full routing, rate limiting, authentication, and transformation stack. GraphQL APIs get native proxying with schema stitching — multiple GraphQL services can be composed into a single unified graph at the gateway layer, without a separate schema federation service. gRPC services are proxied directly, with HTTP/2 support. SOAP APIs can be exposed as REST endpoints through Tyk's mediation layer, allowing legacy services to participate in modern API ecosystems without rewriting.
AsyncAPI support means event-driven APIs (WebSocket, SSE, Kafka-backed) can be managed alongside synchronous APIs in the same platform. For organisations modernising legacy architectures while building new microservices, this protocol breadth is operationally significant.
Tyk supports the full range of modern API authentication schemes: API keys, JWT, OAuth 2.0 (including client credentials and authorisation code flows), OIDC, Basic Auth, mutual TLS (mTLS), and HMAC signing. Multiple authentication methods can be combined on a single API.
Rate limiting is granular: per-API, per-key, per user, per IP address, per organisation. Quotas limit total request volumes over defined windows. Circuit breakers protect upstream services from cascading failures. All of these are configurable through the Tyk Dashboard or as code via the Tyk API.
Content transformation allows request and response modification at the gateway: add or remove headers, rewrite URLs, transform JSON bodies, convert between SOAP and REST. This transformation capability handles a large class of API mediation problems without requiring a separate service.
Tyk includes a developer portal — a self-service interface where API consumers can discover APIs, read documentation, and request access keys. The portal handles the provisioning workflow: a developer requests access, an API owner approves or auto-approves, and the system issues and tracks API keys automatically.
For organisations publishing APIs externally (to partners, customers, or the public), this portal is the difference between a functional gateway and a complete API product. Building equivalent functionality with an open-source gateway alone typically requires custom development.
The self-hosted deployment runs entirely on your infrastructure. Both the Tyk Gateway (data plane) and the Tyk Dashboard (control plane) operate on your servers, with no data flowing through Tyk's infrastructure. For organisations in regulated industries — banking, insurance, government — this full air-gap capability is the primary purchasing criterion.
The hybrid deployment splits the control plane and data plane. Tyk manages the dashboard, portal, and analytics aggregation in its cloud. Your infrastructure runs the gateway workers that handle actual API traffic. Secrets, request bodies, and customer data never leave your environment; management state lives in Tyk's cloud. This hybrid model is the practical balance between managed convenience and data sovereignty.
Tyk Cloud is the fully managed option. Tyk provisions, operates, and scales the entire stack. Cloud deployments support multiple hosting regions, including European locations for data residency compliance.
Tyk ships a Kubernetes Operator that enables declarative API management configuration. You define APIs, security policies, and rate limits as Kubernetes custom resources; the operator reconciles these with the Tyk control plane. This GitOps-compatible workflow integrates naturally into organisations already managing infrastructure declaratively.
Helm charts cover standard deployment patterns. Tyk can run as a standalone deployment or as a sidecar gateway in service mesh architectures.
Tyk's pricing structure reflects its open-source heritage: the gateway itself is free, and the management layer is where commercial tiers begin.
The OSS edition is the Tyk Gateway only (the routing, rate limiting, authentication, and policy engine), deployed and managed without a dashboard. This is entirely free, production-grade, and capable of handling millions of API calls. Configuration is via JSON files or the Tyk API directly.
The Core tier adds the Tyk Dashboard, developer portal, and analytics on a usage-based pricing model — you pay for what you use, with the rate scaling as API call volume grows. This makes it accessible for teams starting out without committing to a flat-rate contract.
The Professional tier shifts to flat-rate pricing, removing usage-based billing variability. This is better suited to organisations with predictable, high-volume API traffic where usage-based costs would exceed the flat rate.
Enterprise pricing is custom and covers multi-region and multi-cloud deployments, dedicated account teams, custom SLAs, and compliance documentation (ISO 27001, SOC 2 Type II). Neither Core nor Professional lists specific prices on the public pricing page; prospective customers contact sales for current rates.
One practical note: many organisations use the OSS gateway in production and only move to paid tiers when the developer portal or enterprise analytics become requirements.
Tyk is headquartered in London. Post-Brexit, the UK holds an EU adequacy decision for data transfers from the EEA, meaning UK-based data controllers are treated equivalently to EU controllers for GDPR purposes. The adequacy decision is subject to periodic review, which introduces a long-term regulatory consideration for EU organisations.
On technical compliance, Tyk's self-hosted and hybrid deployments provide strong data sovereignty. In a full self-hosted deployment, no API traffic, request/response data, or customer information passes through Tyk's infrastructure. The gateway runs entirely within your environment. Tyk holds ISO 27001 and SOC 2 Type II certifications, covering its own operations rather than your deployment.
For EU-specific deployments, the hybrid model with a European cloud hosting location for the control plane addresses data residency requirements while preserving managed operational convenience. Tyk explicitly supports GDPR, HIPAA, and CCPA compliance patterns through its gateway configuration — rate limiting, data masking, audit logging, and key revocation all contribute to compliance posture.
The OSS gateway is fully auditable. Financial services and government customers routinely conduct security assessments on the open-source code before deploying to production.
Enterprise API teams managing multiple API types (REST, GraphQL, gRPC, SOAP) that need a single gateway rather than protocol-specific routing layers.
Financial services and regulated industries that require full self-hosted deployment with no external data flows. Tyk's hybrid and on-premises options are purpose-built for this constraint.
Organisations modernising legacy services who need SOAP-to-REST mediation at the gateway layer, avoiding expensive middleware rewrite projects.
Teams evaluating Kong who want stronger native GraphQL support, a broader protocol range, or a Go-based architecture with a lighter resource footprint.
API-first companies that need a developer portal for external API consumers alongside the core gateway, without building custom portal software.
Tyk is less suitable for individual developers or small teams that only manage a handful of REST APIs — the operational complexity of a full API management platform is overkill at small scale. The community edition also requires hands-on configuration management without a GUI.
A decade in, Tyk has done what most open-source API platforms fail to do: build genuine enterprise traction without abandoning the open-source foundation that made it worth trusting in the first place. The universal protocol support is not a feature list — it is an architectural commitment to the reality that modern organisations do not manage a single API type. The deployment flexibility (OSS, Cloud, Hybrid, self-hosted) is not indecision — it is the recognition that compliance constraints vary. With ISO 27001, SOC 2, and a 150-person team behind it, Tyk is the European-built API gateway that competes in the same tier as Kong and AWS API Gateway — with a compliance story neither can fully match.
Yes. The Tyk Gateway component is fully open-source (MPL-2.0) and free to use forever. There are no usage limits, no per-API pricing, and no feature lockout. The management dashboard and developer portal are separate closed-source components that require a paid plan.
Tyk supports REST, GraphQL, gRPC, SOAP, TCP, and AsyncAPI protocols in a single gateway. This multi-protocol support is one of its key advantages over narrower alternatives.
Yes. Tyk's self-hosted deployment keeps all API traffic, analytics data, and secrets within your own infrastructure. No data flows through Tyk's servers, making it straightforward to meet GDPR data residency requirements.
Both are open-source API gateways with commercial management layers. Tyk is written in Go (lighter footprint), while Kong uses Nginx/OpenResty (Lua-based). Kong has a larger plugin ecosystem; Tyk offers stronger native GraphQL support and a broader protocol range. Kong has a larger community; Tyk has a stronger UK/European enterprise customer base.
Yes. Tyk provides a Kubernetes Operator for declarative API management configuration, Helm charts for deployment, and can be deployed as a sidecar or standalone gateway in Kubernetes environments.
Alternative to Kong, Apigee, AWS API Gateway