This guide provides an overview of the Tyk Gateway’s middleware architecture and how to extend its functionality with custom plugins. It is intended for developers who are new to Tyk plugin development. For more in-depth information on writing plugins in a specific language, see our detailed language-specific guides.

Data Available to Plugins

Custom plugins have access to a rich set of data, including the request and response objects, the session object, and metadata, depending on which part of the API lifecycle the plugin is invoked.

Request and Response Objects

The request and response objects provide access to the HTTP request and response, including headers, body, and other information.

Session Object

The session object contains information about the authenticated user, including their API key, rate limits, and access rights. The session object is only available in the PostKeyAuth, Post, and Response stages.

Metadata

The metadata object is a key-value store that can be used to pass data between middleware and plugins. The metadata object is available in all stages of the middleware execution chain.

Built-in Middleware Reference

For a detailed reference of all built-in middleware, see the Built-in Middleware Reference.

| RateCheckMW | Pre | Yes | Yes | No | Yes |
| IPWhiteListMiddleware | Pre | No | No | No | Yes |
| IPBlackListMiddleware | Pre | No | No | No | Yes |
| CertificateCheckMW | Pre | No | No | No | Yes |
| OrganizationMonitor | Pre | No | No | No | Yes |
| Oauth2KeyExists | AuthCheck | Yes | Yes | Yes | Yes |
| ExternalOAuthMiddleware | AuthCheck | Yes | Yes | Yes | Yes |
| BasicAuthKeyIsValid | AuthCheck | Yes | Yes | Yes | Yes |
| HTTPSignatureValidationMiddleware | AuthCheck | Yes | Yes | Yes | Yes |
| JWTMiddleware | AuthCheck | Yes | Yes | Yes | Yes |
| OpenIDMW | AuthCheck | Yes | Yes | Yes | Yes |
| StripAuth | AuthCheck | No | No | No | Yes |
| KeyExpired | PostKeyAuth | Yes | No | No | Yes |
| AccessRightsCheck | PostKeyAuth | Yes | No | No | Yes |
| GranularAccessMiddleware | PostKeyAuth | Yes | No | No | Yes |
| RateLimitAndQuotaCheck | PostKeyAuth | Yes | No | No | Yes |
| RateLimitForAPI | Post | No | No | No | Yes |
| GraphQLMiddleware | Post | No | Yes | Yes | Yes |
| ValidateJSON | Post | No | Yes | No | Yes |
| RequestSigning | Post | No | Yes | No | Yes |
| ValidateRequest | Post | No | Yes | No | Yes |
| TransformMiddleware | Post | No | Yes | Yes | Yes |
| URLRewriteMiddleware | Post | No | Yes | No | Yes |
| mockResponseMiddleware | Post | No | Yes | No | Yes |
| ResponseMiddleware | Response | Yes | Yes | Yes | Yes |

Custom Plugin Injection Points (Hooks)

Custom plugins can be injected into the middleware chain at specific points, known as hooks. These hooks allow you to execute custom logic at different stages of the request and response lifecycle. The following hooks are available for custom plugins:
  • Pre-request Hook: Executes at the beginning of the Pre stage.
  • Authentication Hook: Executes during the AuthCheck stage.
  • Post-authentication Hook: Executes at the beginning of the PostKeyAuth stage.
  • Post-request Hook: Executes at the beginning of the Post stage.
  • Response Hook: Executes at the beginning of the Response stage.
Each hook provides access to the request and response objects, as well as the session and metadata. The data available at each hook is detailed in the middleware reference table above.
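
The session-availability rule from the Session Object section, as an added example: a simplified Go model written for this page, not Tyk's plugin API or code from the Tyk project. The `Session`, `HookContext`, `NewContext` and `RequireAccess` names, the `authorized_api` metadata key, and the sample key and API ID are hypothetical; the point is that an authorization helper should deny when the session is absent, so logic placed in a Pre or AuthCheck hook cannot pass by default.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical model, not Tyk's plugin API; stage names and rules are the page's.
type Session struct {
	KeyID        string
	AccessRights map[string]bool // API ID -> allowed (constructed field)
}

type HookContext struct { // what a hook receives in this model
	Stage    string
	Session  *Session          // nil where the session is not available
	Metadata map[string]string // key-value store shared across hooks
}

var ErrNoSession = errors.New("session not available at this stage")

func NewContext(stage string, s *Session, md map[string]string) HookContext {
	if stage != "PostKeyAuth" && stage != "Post" && stage != "Response" {
		s = nil // session exists only in the three stages named above
	}
	return HookContext{Stage: stage, Session: s, Metadata: md}
}

// RequireAccess fails closed: a missing session is a denial, never a pass.
func RequireAccess(c HookContext, apiID string) error {
	if c.Session == nil {
		return fmt.Errorf("%s hook: %w", c.Stage, ErrNoSession)
	}
	if !c.Session.AccessRights[apiID] {
		return fmt.Errorf("key %q: no access to %q", c.Session.KeyID, apiID)
	}
	if c.Metadata != nil {
		c.Metadata["authorized_api"] = apiID // visible to later hooks
	}
	return nil
}

func main() {
	s := &Session{KeyID: "key-1", AccessRights: map[string]bool{"orders": true}} // constructed
	md := map[string]string{} // one store for the whole request
	for _, st := range []string{"Pre", "AuthCheck", "PostKeyAuth", "Post", "Response"} {
		fmt.Println(st, RequireAccess(NewContext(st, s, md), "orders"))
	}
}
```

A misspelled or unknown stage name also yields a nil session in this model, so it is denied rather than silently allowed.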