Tyk Enterprise Developer Portal Release Notes
Last updated:
Licensed Protected Product
This page contains all release notes for Enterprise Developer Portal displayed in a reverse chronological order
Support Lifetime
Our minor releases are supported until our next minor comes out.
1.14 Release Notes
1.14.1 Release Notes
Release Date 4th September 2025
Release Highlights
This release delivers key bug fixes to improve stability in the Developer Portal. Updates include better handling of SSO user assignments and Organisation persistence, safeguards against cross-Organisation visibility in auto-approved registrations, and improved resilience when Teams are deleted. We’ve also fixed issues with API Product transitions and policy persistence, ensuring existing tokens remain valid.
For a comprehensive list of changes, please refer to the detailed changelog below.
Breaking Changes
There are no breaking changes in this release.
Deprecations
There are no deprecations in this release.
Upgrade instructions
If you are on version 1.14.0 or an older version, we recommend upgrading to this release ASAP.
To upgrade the Portal’s theme, please follow the upgrade instructions.
Download
- 
- 
docker pull tykio/portal:v1.14.1
 
- 
Changelog
Fixed
- 
Improved SSO User Assignment and Login BehaviorWe have resolved issues where SSO users could lose their Team assignments or the system could incorrectly reassign them to the default Organisation and Team after logging in. SSO now correctly links returning users to their existing profiles, preserving Team and Organisation memberships and preventing duplicate accounts. We have also improved the SSO configuration UI to make default and group-based Team assignments clearer. 
- 
Saving and Updating Documentation-Only ProductsWe fixed an issue where the Portal could report an error when users added API access to a documentation-only API Product. This fix ensures seamless transitions between documentation-only and regular products, and correctly manages associated policies in Tyk Dashboard. 
- 
Corrected User Assignment in Auto-Approved Organisation RegistrationsFixed an issue where auto-approved Organisation (Org) registrations could incorrectly assign a user to multiple Orgs, causing cross-Organisation visibility. Users are now always placed only in their new Org’s default Team, ensuring proper isolation across both auto-approved and manual approval flows. 
- 
Improved Handling of SSO Profiles When Teams Are DeletedFixed an issue where deleting a Team referenced in an SSO profile’s UserGroupMappingcaused validation errors and prevented the profile form from loading or being updated. SSO profiles now gracefully handle deleted Team references, allowing administrators to view, edit, and save changes.
- 
Improved Persistence of Access Token ValidityResolved an issue where removing all API access from a Product would delete the associated access policy, causing previously issued tokens to stop working when access was later re-added. Now, access policies are preserved in draft status, temporarily invalidating tokens. When users add API access back to the API Product, the existing tokens will become valid again. Note that if the authentication method of the APIs within the Product is changed, all previously issued access tokens will remain invalid. 
1.14.0 Release Notes
Release Date 23 July 2025
Release Highlights
Tyk Streams APIs Come To Developer Portal
We’ve added support for Tyk Streams APIs in the Developer Portal, allowing API Providers to expose access to event-driven APIs alongside traditional REST APIs. Developers can now subscribe to Products that enable webhook delivery for specific events, receiving real-time messages routed through Tyk Streams. This opens up new integration patterns for async APIs, such as push notifications, system alerts, or data change events.
New Developer App Visibility Controls
We have added more flexible Developer App visibility controls, giving team members the ability to limit the visibility of their apps to themselves (Personal), their Team, or their Organisation (Org). This means that when logged into the Developer Portal, team members will only see their apps, apps shared within their teams, and apps marked as visible to the entire organization. Org Admin users will continue to have visibility of all developer apps created in their Organisation. The exceptions to this rule are for the Default Team, where team-level visibility is not implemented, and the Default Org, where all apps are treated as personal (private).
Enhanced Team Management
We have also enhanced the user and team management experience. Now, users can be removed from the default team (which should only be used for inactive users). This allows platform teams to ensure that users can only see the other members of their team, rather than all users in their Organisation. We’ve also fixed a bug where Org Admins could add users to other Organisations deployed on the Portal.
Prevent Web Crawlers From Indexing Your Portal
We have added a /robots.txt endpoint, allowing administrators to define crawler directives in a plain text entry form in the Portal Admin UI.
For a comprehensive list of changes, please refer to the detailed changelog below.
Breaking Changes
There are no breaking changes in this release.
For the complete API specification, see Tyk EDP API documentation.
Deprecations
SQLite has reached its End of Life in this release, aligning with the Tyk Dashboard. SQLite was previously recommended for use only in basic proofs of concept. Now, for such scenarios and in production, we recommend using PostgreSQL or MySQL for improved scalability and support.
Upgrade instructions
If you are on version 1.13.0 or an older version, we recommend upgrading to this release ASAP.
To upgrade the portal’s theme, please follow the upgrade instructions for the portal’s themes.
Download
- 
- 
docker pull tykio/portal:v1.14.0
 
- 
Changelog
Added
- 
New Application Visibility ControlsAdded the facility to limit the visibility of developer apps to the user, team, or Organisation (org). Org Admin users will continue to have visibility of all developer apps created in their Organisation. To minimize the risk of unintentional visibility when users are members of the default teams and/or organization, team-level visibility is not implemented in the Default Team for each organization, and all apps are treated as personal (private) in the default organization. To avoid breaking existing setups, all current apps will default to organisation visibility. 
- 
Added Support for Asynchronous APIsThe Developer Portal now supports Tyk Streams, enabling developers to request access to event-driven APIs. Developers can authenticate with portal tokens and receive real-time webhook notifications. 
- 
API Product Tag Access in Theme TemplatesPortal theme templates now have access to API product tags, allowing for the dynamic display or categorization of API products based on these tags. 
- 
Configurable Robots.txt SupportAdded native support for serving a configurable robots.txtfile via a new/robots.txtendpoint. Portal admins can now define and manage crawler directives directly from the Portal Admin UI.
- 
Improved Team and User ManagementWe have enhanced team and user access controls by restricting team members from viewing other users’ details, limiting Admin Users to adding users only to teams to which they belong, automatically assigning users to the default organization team if no team is selected during invitation, and allowing Admin Users to assign users to multiple teams. 
Changed
- 
Upgrade to Go 1.23The Developer Portal has been upgraded from Golang 1.22 to Golang 1.23, bringing enhanced performance, strengthened security, and access to the latest features available in the new Golang release. 
Fixed
- 
API Product Metadata Loss when Updating the Developer Portal CatalogFixed an issue where API Product metadata could be lost when modifying the product in the Developer Portal. This was due to incorrect manipulation of the underlying Tyk policy object. 
- 
API Product Synchronization FixesFixed an issue where associations with APIs or even entire Products could be lost during synchronization with the Tyk Dashboard. The synchronization logic has been improved to ensure that all associated APIs and product details are consistently preserved. 
- 
Scope-to-Policy Mapping Lost when Configuring DCRFixed an issue where existing scope-to-policy mapping for an API could be lost when DCR is enabled via the Developer Portal. The logic has been improved to ensure that scope-to-policy mapping is preserved. 
1.13 Release Notes
1.13.2 Release Notes
Release Date 20 June 2025
Release Highlights
This patch release contains a bug fix. For a comprehensive list of changes, please refer to the detailed changelog below.
Breaking Changes
This release has no breaking changes.
Deprecations
There are no deprecations in this release.
Upgrade instructions
If you are on 1.13.1 or an older version, we advise you to upgrade ASAP to this release.
To upgrade the portal’s theme please follow the upgrade instructions for the portal’s themes.
Download
- Docker image v1.13.2
- 
docker pull tykio/portal:v1.13.2
 
- 
- The default theme package
Changelog
Fixed
- 
Preserved JWT scope mappings when enabling DCRFixed an issue where enabling DCR for an API would delete scope-to-policy mappings from the API definition, invalidating access tokens containing the expected scopes. Scope-to-policy mappings are now correctly managed when modified on Tyk Portal or Tyk Dashboard, with the source of truth being the API definition registered with the Dashboard. 
- 
Fixed API middleware error from dashboard–portal mismatchFixed an issue where middleware configuration for an API could be corrupted (for example, Request header transform middleware settings were changed in Developer Portal. This was due to a misalignment between Dashboard and Developer Portal in their interpretation of the API definition and has now been corrected. 
1.13.1 Release Notes
Release Date 19 April 2025
Release Highlights
This release is focused mainly on bug fixes. For a comprehensive list of changes, please refer to the detailed changelog below.
Breaking Changes
This release has no breaking changes.
Deprecations
There are no deprecations in this release.
Upgrade instructions
If you are on 1.13.0 or an older version, we advise you to upgrade ASAP to this release.
To upgrade the portal’s theme please follow the upgrade instructions for the portal’s themes.
Download
- Docker image v1.13.1
- 
docker pull tykio/portal:v1.13.1
 
- 
- The default theme package
Changelog
Fixed
- 
Revoking one client credential no longer deletes all from KeycloakFixed an issue where all client credentials associated with an app would be incorrectly removed from Keycloak when credentials are revoked in the Tyk Portal. This would lead to credentials existing in the Tyk Developer Portal but not in Keycloak. Now, when an app with multiple client credentials has one set of credentials revoked in the Tyk Developer Portal, only those credentials will be removed from Keycloak, with the others remaining valid. 
- 
SSO now works properly with multiple portal replicasFixed an issue where users couldn’t log in via SSO when multiple instances (replicas) of Portal were deployed 
- 
Password no longer overwritten on user profile updatesAddressed an issue where editing and saving a user’s profile in the admin portal would unintentionally change their password due to double encryption. Admins can now safely update user details without affecting login credentials. Passwords will only change when explicitly updated. 
- 
API description field restoredResolved a regression introduced in v1.13.0 that removed the ability to view or edit API descriptions on the API Product page. The API description field is now visible and editable again, restoring parity with earlier versions and ensuring API documentation remains complete and user-friendly. 
1.13.0 Release Notes
Release Date 31 Jan 2025
Release Highlights
The v1.13.0 release includes the following new features and improvements:
- Improved UX for Products and Plan listing.
- Added the ability to create, edit, and remove Productsfrom the portal.
- Added the ability to create, edit, and remove Planfrom the portal.
- EDP Resources now support custom IDs that allow the migration of elements between environments.
- Security: 4 CVEs fixed.
- Bugfixes: 5 bugs fixed.
For a comprehensive list of changes, please refer to the detailed changelog below.
Breaking Changes
The Plans API object includes two changes:
- The data type of the RateLimit field has been changed from string to integer.
- The data type of the Quota field has been changed from string to integer.
For the complete API specification, see Tyk EDP API documentation.
Deprecations
There are no deprecations in this release.
Upgrade instructions
If you are on 1.12.0 or an older version, we advise you to upgrade ASAP to this release.
While upgrading to 1.13.0,
- Portal will automatically migrate the new Custom IDs to most of the existing resources. For more information, please refer to the changelog.
- Users are advised to take appropriate actions in their system regarding the PlansAPI object changes as described in the breaking changes section.
To upgrade the portal’s theme, please follow the upgrade instructions for the portal’s themes.
Download
- Docker image v1.13.0
- 
docker pull tykio/portal:v1.13.0
 
- 
- The default theme package
Changelog
Added
- 
Improved UX for products and plan listingThe portal now provides an enhanced UI for browsing and managing products and plans, making it easier for administrators to organize and maintain their API offerings. 
- 
Product and plan managementAdministrators can now create, edit, and remove ProductsandPlansdirectly from the portal admin UI, eliminating the need to manage these through the Tyk Dashboard. The new features include the following:- Product creation with full configuration options.
- Plan management with pricing and quota settings.
- Direct editing of existing ProductsandPlans.
- Removal of deprecated offerings.
 With the added features, Portal provides greater control over the API lifecycle management process. 
- 
Documentation-only productsAdded support for creating documentation-only products in the Enterprise Developer Portal. This feature allows API Providers to: - Create products that serve purely as documentation repositories.
- Share API documentation without exposing actual API endpoints.
- Preview API documentation before making APIs available.
 This is particularly useful for scenarios where APIs are in development or when you want to share documentation with a limited audience before making the APIs publicly available. 
- 
Custom ID support for resourcesEDP Resources now supports custom IDs (in addition to auto-increment integer IDs) to facilitate migration and reference between environments. This feature covers: - API Resources: Products, plans, tutorials, OAS documents, OAuth providers, and client types
- Organizational Entities: Organizations, Users, Groups, and Catalogs
- Content/Resources: Pages, content blocks, tags, menus, and menu items
 This enhancement makes it easier to maintain consistency across different environments and simplifies the migration process between environments. 
- 
Enhanced login controlsAdmins can now configure more enhanced login controls, such as limits, expiration and intervals. These settings can be adjusted in the General Settings section of the portal admin UI to help maintain secure access to the portal. 
- 
SSO profile management APIsAdded new APIs for managing SSO profiles, enabling programmatic control over SSO configurations. These APIs allow administrators to: - Create SSO profiles
- List all SSO profiles
- Get details of a specific profile
- Update existing profiles
- Delete profiles
 These endpoints enable the automation of SSO setup and management through CI/CD pipelines. Use cases include: - Automated deployment of SSO configurations across environments
- Integration with identity management systems
- Automated testing of SSO configurations
 This addition complements the embedded Tyk Identity Broker functionality introduced in v1.12.0, providing a complete programmatic interface for SSO management. 
- 
Product and plan management APIsAdded new APIs for managing Products and Plans programmatically, enabling automation of the product lifecycle. These APIs include: Products: - Create products
- List all products
- Get product details
- Update products
- Delete products
 Plans: - Create plans
- Update plans
- Delete plans
 Note The Plans API object has schema changes; please refer to the breaking changes section for details. These APIs complement the UI-based product management capabilities, enabling automated workflows and CI/CD integration for product lifecycle management. 
Fixed
- 
App edit CSRF token validationFixed an issue where CSRF token validation was failing during application edits, which prevented users from saving changes to their applications. This has been resolved by implementing proper token lifecycle management and validation. 
- 
Fixed MySQL SSO profile handlingFixed an issue where EDP embedded Tyk Identity Broker profiles weren’t being properly handled in MySQL environments, which caused storing SSO profiles failures. This has been resolved by correcting the database query handling for SSO profile data. 
- 
Custom attribute deletionFixed an issue where deleting a single custom attribute would inadvertently remove all user custom attributes, which caused loss of user profile data. This has been resolved by implementing proper scoping for attribute deletion operations. 
- 
Catalog deletion impactFixed an issue where removing an active catalog would cause UI rendering problems for developers, which resulted in a poor user experience. This has been resolved by implementing proper cascading deletion of catalog resources. 
- 
Theme upload validationFixed an issue where uploading themes containing nested theme directories would corrupt the original theme, which caused theme installation failures. This has been resolved by implementing validation to detect and prevent nested theme uploads. 
Security Fixes
- 
High priority CVEs fixedFixed the following high priority CVEs identified in the Tyk Enterprise Developer Portal: 
1.12 Release Notes
1.12.0 Release Notes
Release Date 13 Nov 2024
Release Highlights
The v1.12.0 release includes the following new features and improvements:
- Embedded Tyk Identity Broker. From this release, you don’t need to deploy a separate Tyk Identity Broker to SSO into the portal.
- Now admins can create Apps and Credentials for developers directly from the portal admin UI.
- Credentials notifications. Now admins can configure email notifications for credential expiration and credential expiration warnings.
- Stronger passwords. Now admins can configure the password policy from the portal admin UI.
- Security: 3 new high CVEs fixed.
- Bugfixes: 4 bugs fixed.
For a comprehensive list of changes, please refer to the detailed changelog below.
Breaking Changes
This release has no breaking changes.
Deprecations
There are no deprecations in this release.
Upgrade instructions
If you are on 1.11.0 or an older version we advise you to upgrade ASAP directly to this release.
To upgrade the portal’s theme please follow the upgrade instructions for the portal’s themes.
Download
- Docker image v1.12.0
- 
docker pull tykio/portal:v1.12.0
 
- 
- The default theme package
Changelog
Added
- 
Embedded Tyk Identity Broker (TIB)From this release, you can configure the portal to serve an internal Tyk Identity Broker. This means that you don’t need to deploy a separate Tyk Identity Broker service to SSO into the portal. This enables a new section under the portal admin UI where admins can manage SSO profiles for admins and developers.  We support out of the box integration with the following SSO providers type: - Open ID Connect: Support for OpenID Connect (OIDC) Identity Tokens provided by any standards compliant OIDC provider such as Auth0.
- LDAP: Bind users to an LDAP server such as Azure Active Directory, using their username and password.
- Social: The social provider should provide seamless integration with Google+ Github, Facebook, Salesforce, Digital Ocean and more.
 You can read more about the supported SSO providers here. 
- 
Creation of apps and credentialsAdmins now have enhanced control over application and credential creation in the portal, streamlining the onboarding process and reducing the need for API-based setups. With this update, admins can create applications and assign them to specific users, making it easier to onboard developers who aren’t using self-service options. For custom authorization scenarios —like when using an external OAuth2.0 provider— admins can now issue credentials directly in the portal. These credentials are stored as key-value pairs that developers can view, providing a more seamless alternative to manual credential sharing.  Admins can also generate auth token credentials, with added flexibility to define custom token values if needed for compatibility with other systems. Additionally, OAuth2.0 credentials can now be created within the portal, ensuring stable, secure access for developers with the added benefit of immutability after creation.  Overall, these improvements simplify the process for managing applications and credentials, offering a more streamlined experience for admins and developers alike. 
- 
Password policyAdmins can now configure the password policy from the portal admin UI. This includes setting the minimum password length, reused passwords, multi case, and more.  
- 
Credentials notificationsAdmins can now configure two types of notifications: - Credential expiration: This notification is sent to developers when their credentials expire. You can modify the email template in the keyexpired.tmplfile included in the theme package.
- Credential expiration warnings: This notification is sent to developers when their credentials are about to expire. Admins can set the number of days before the expiration in the portal admin UI. You can modify the email template in the keytoexpire.tmplfile included in the theme package.
  
- Credential expiration: This notification is sent to developers when their credentials expire. You can modify the email template in the 
Changed
- 
Upgrade to Go 1.22The Enterprise Developer Portal has been upgraded from Golang 1.21 to Golang 1.22, bringing enhanced performance, strengthened security, and access to the latest features available in the new Golang release. 
Fixed
- 
Fixed a bug where values of dropdown custom attributes weren't removed correctlyFixed a bug where values of dropdown custom attributes weren’t removed correctly preventing admins from updating User custom attributes. 
- 
Fixed a certificate upload issue in Kubernetes environmentsFixed an issue that was causing certificate uploads to fail when the file size exceeded 2KB in Kubernetes environments. 
- 
Fixed a bug that prevented to load OAS files from S3 storageWe have addressed a bug that was causing the portal to fail loading OAS files from S3 storage. 
- 
Fixed typos in email subjectsWe have fixed typos in email subjects that were causing notifications to be sent with incorrect information. 
Security Fixes
- 
High priority CVEs fixedFixed the following high priority CVEs identified in the Tyk Enterprise Developer Portal, providing increased protection against security vulnerabilities: 
1.11 Release Notes
1.11.0 Release Notes
Release Date 25 Sept 2024
Breaking Changes
This release has no breaking changes.
Future breaking changes
This release doesn’t introduce future breaking changes.
Deprecations
There are no deprecations in this release.
Release Highlights
The v1.11.0 release includes the following new features and improvements:
- New Portal admin UI.
- Closer to API Parity: APIs for Tags, blog posts, Product images, Webhooks, and rotate credentials. A total of 23 new endpoints.
- 22 bugs fixed
- 19 CVEs fixed
- CSRF protection, new TLS configuration and better recovery link security.
Performance Optimizations
To improve stability under high loads, we conducted performance testing and identified that improper database configurations can cause unexpected portal restarts. To prevent this and ensure optimal performance, we recommend the following database settings:
Recommended Configuration:
- PORTAL_DATABASE_MAX_OPEN_CONNECTIONS: Set this value based on your database’s maximum connection limit divided by the number of portal instances. For example, if your database allows 200 connections and you are running 4 portal instances, set PORTAL_DATABASE_MAX_OPEN_CONNECTIONS to 50 per instance. This ensures that all instances can share the available connections without exceeding the database’s limit, which could otherwise lead to performance degradation or errors.
- PORTAL_DATABASE_MAX_IDLE_CONNECTIONS: Set to 15 or a lower value based on your expected load. This setting keeps a reasonable number of connections readily available without tying up resources unnecessarily.
For reference, with 2 portal instances, PORTAL_DATABASE_MAX_OPEN_CONNECTIONS set to 30 and PORTAL_DATABASE_MAX_IDLE_CONNECTIONS set to 15, we could handle 90 active users.
Upgrade instructions
If you are on 1.10.0 or an older version we advise you to upgrade ASAP directly to this release.
To upgrade the portal’s theme please follow the upgrade instructions for the portal’s themes.
Download
- Docker image v1.11.0
- 
docker pull tykio/portal:v1.11.0
 
- 
- The default theme package
Changelog
Added
- New Portal admin UI.
- Added CRUD APIs for Tags.
- Added CRUD APIs for Webhooks.
- Added CRUD APIs for Product images.
- Added APIs to manage blog posts along with their tags and categories.
- Added a new API endpoint that allows the rotation of API credentials.
- UI and API for themes soft delete. Soft deleted themes are not shown in the UI and API, but are kept in the database for future reference.
- Added new TLS variables to set MinVersion (portal_tls_min_version, MaxVersion (PORTAL_TLSCONFIG_MAXVERSION, and CipherSuites (PORTAL_TLS_CIPHER_SUITES.
- Added a new configuration to manage the idle timeout of the portal’s session (PORTAL_SESSION_IDLE_TIMEOUT.
- Added CSRF protection injection to portal’s form. Now you don’t need to add it manually to your templates.
Changed
- Changed passwordrecovery links to be valid for 24 hours.
- Changed password recovery links to be unique and valid for one use only.
- Changed the default value of PORTAL_DATABASE_CONNECTION_MAX_LIFETIME to 1800000 milliseconds.
- Changed session token queries for better performance.
- Introduced new indexes for better performance.
Fixed
- Fixed sensitive information leak on password recovery links.
- Fixed the wrong permission list for super admin in the external portal dashboard.
- Fixed deletion of related APIDetail records when a Product is deleted.
- Fixed a bug that caused the portal to panic when users sent a PUT request to the/API/pages/ endpoint without a template.
- Fixed a bug where markdown content wasn’t adding IDs attribute automatically to sections.
- Fixed an issue where the OAS file was not attached to the API resource associated with an API product when multiple API resources were linked.
- Fixed SSO issues when SameSite Header is set to Strict.
- Fixed issues where certain files might not have been unpacked correctly due to conflicts or incorrect path resolution, particularly when themes with similar names were involved.
- Fixed an issue with how PostgreSQL connection strings, specifically the sslmode configuration, were being handled. Portal now fully conforms to PostgreSQL documentation and standards, ensuring that SSL certificates are correctly utilized without causing connection errors.
- Fixed a bug where sessions were expiring independently if users were active or not.
- Fixed distroless image bootstrapping issue.
- Fixed an issue where fetching a theme by its ID returned empty field values due to whitespace characters being stripped from the ID.
- Fixed deleting and rotating shared credentials within an organization.
- Fixed a rendering error while deleting credentials. Now, it shows an error page instead of a blank page.
- Fixed a bug where product content was truncated after 255 characters in MySQL and MariaDB. This update ensures that full-length product content is now stored and displayed without truncation.
- Fixed the portal API behavior to handle cases where the “Accept” header is absent. Previously, such requests resulted in a 500 Internal Server Error with no response body, causing the portal to panic.
- Fixed a duplicated 404 error page when there is a not found error.
- Fixed credential revocation error when OAuth2.0 provider is deleted.
- Fixed an issue where credentials weren’t deleted with OAuth2.0 provider removal.
- Fixed an issue where the graph only displayed the peak value of 100, even when the average error rate was below 100.
- Fixed several errors in the portal API specification.
- Fixed the 19 CVEs, among which are:
- CVE-2024-28834
- CVE-2024-28835
- CVE-2023-5678
- CVE-2023-6129
- CVE-2023-6237
- CVE-2024-0727
- CVE-2023-50387
- CVE-2023-50868
- CVE-2023-5678
- CVE-2023-6129
- CVE-2023-6237
- CVE-2024-0727
- CVE-2024-24792
- CVE-2023-45288
- CVE-2023-5678
- CVE-2023-6129
- CVE-2023-6237
- CVE-2024-0727
- CVE-2024-24792
- CVE-2023-45288
 
1.10 Release Notes
1.10.0 Release Notes
Release Date 27 Jun 2024
Breaking Changes
This release has no breaking changes.
Future breaking changes
This release doesn’t introduce future breaking changes.
Deprecations
There are no deprecations in this release.
Release Highlights
The 1.10.0 addresses twenty high-priority bugs and vulnerabilities and introduces three new features:
- OAS APIs support.
- Theme cache.
- Configuration options for database connections.
Upgrade instructions
If you are on 1.9.0 or an older version we advise you to upgrade ASAP directly to this release.
To upgrade the portal’s theme please follow the upgrade instructions for the portal’s themes.
Download
- Docker image v1.10.0
- 
docker pull tykio/portal:v1.10.0
 
- 
- The default theme package
Changelog
Added
- Added OAS APIs support.
- Added an assets cache for improved performance on database-backed themes. This speeds up the portal’s pages loading time by 30%. It’s enabled by default and you can disable using PORTAL_ASSETS_CACHE_DISABLE.
- Added three new configuration options to manage database connections lifecycle: PORTAL_DATABASE_MAX_OPEN_CONNECTIONS, PORTAL_DATABASE_MAX_IDLE_CONNECTIONS, and PORTAL_DATABASE_CONNECTION_MAX_LIFETIME.
Fixed
- Fixed the bug where PORTAL_SESSION_LIFETIMEwas calculated in minutes instead of seconds.
- Fixed the bug where access requests were not removed when an application is deleted.
- Fixed the bug where stoplight library was blocking the portal’s startup if it’s not available.
- Fixed the bug where browsing into API Product throws an error when Baseline URL is provided in provider section.
- Fixed the bug where it was possible to create new access requests from the admin dashboard.
- Fixed the bug where the portal was not displaying the quota renewal rate when a custom renewal rate was set in a policy.
- Fixed the bug where the first user is always created under Organization 0 when the /portal-api/usersendpoint is invoked for the first time.
- Fixed the bug where the portal /readyprobe was not taking into consideration the bootstrap and tables automigration process.
- Fixed the bug where sometimes, the plan added to the cart was not updated after a product change.
- Fixed the bug where it was not possible to delete an application that was provisioned with an access request created through the API.
- Fixed the bug where users where not able to submit the cart from parallel submission (two different tabs or browsers).
- Fixed the bug where creating an app was not possible when there was no DCR scope specified for the Product but there was a scope specified for the Plan.
- Fixed the bug where the portal logout was not clearing browser user data and logging the user out completely.
- Fixed the bug where it was not possible to delete non authToken apps from the developer portal when approved products and plans are removed.
- Fixed the bug where it was not possible to download the theme without adding an extra /to the URL.
- Fixed the bug where carts submissions where emptying other users carts if they have the same content in it.
- Fixed the bug where it was not possible to delete an application after making an API call to update it and associate it to a different user.
- Fixed the bug where the portal was exposing technical details on error messages on the Forgot passwordpage.
- Fixed the bug where sometimes, content blocks where not being displayed correctly on the portal admin page.
- Fixed the bug where stoplight was not rendered correctly in mobile devices.
- Fixed the bug where editing current developer password was causing a panic.
1.9 Release Notes
1.9.0 Release Notes
Release Date 27 Apr 2024
Breaking Changes
This release has no breaking changes.
Future breaking changes
In 2.0.0 release (the next after the next release) we will introduce the capability to create products and plans in the portal instead of creating policies for products and plans in the dashboard.
To achieve that, we will need to change the plans and products architecture. The main change is that plans will include access rights to APIs and endpoint.
As a result of this, 2.0.0 won’t be backwards compatible with the previous versions. We will provide migration scripts and instructions before that release.
Deprecations
There are no deprecations in this release.
Release Highlights
The 1.9.0 release addresses several security vulnerability and bugs and introduces two new capabilities:
- Webhooks for events that happen in the portal.
- Admin APIs for OAuth2.0 configuration.
Upgrade instructions
If you are on 1.8.5 or an older version we advise you to upgrade ASAP directly to this release.
This release doesn’t introduce any changes to the theme, so a theme upgrade is not required.
Download
- Docker image v1.9.0
- 
docker pull tykio/portal:v1.9.0
 
- 
- The default theme package
Changelog
Added
- Added the webhooks capability that enable real-time, automated data updates between the portal and 3rd party applications.
- Added admin APIs for managing OAuth2.0 configuration.
Fixed
- Fixed the error where the admin APIs returned 500 instead of 422 when an incorrectly formatted json is passed in the request body.
- Fixed the error where missing DCR registration access token caused crash during DCR client revocation.
- Fixed the error where API-created Access Requests were always auto-approved.
- Fixed the following vulnerabilities related to Go 1.19 by upgrading Go version to 1.21:
1.8 Release Notes
1.8.5 Release Notes
Release Date 5 Apr 2024
Breaking Changes
This release has no breaking changes.
Future breaking changes
Currently, there are no planned breaking changes.
Deprecations
There are no deprecations in this release.
Release Highlights
The 1.8.5 release addresses CVE-2024-3094 vulnerability that was introduced in the 1.8.4 release. If you are not on v1.8.4 then there’s no urgency in updating.
Upgrade instructions
If you are on 1.8.4 you should upgrade ASAP directly to this release. This release doesn’t introduce any changes to the theme, so a theme upgrade is not required.
If you are on 1.8.3 or older version please follow the upgrade instructions to upgrade the portal’s themes.
Download
- Docker image v1.8.5
- 
docker pull tykio/portal:v1.8.5
 
- 
- The default theme package
Changelog
Fixed
- Fixed CVE-2024-3094 by replacing Debian base image.
1.8.4 Release Notes
Release Date 5 Mar 2024
Breaking Changes
This release has no breaking changes.
Future breaking changes
This release doesn’t introduce future breaking changes.
Deprecations
There are no deprecations in this release.
Upgrade instructions
If you are on 1.8.1 or an older version we advise you to upgrade ASAP directly to this release.
To upgrade the portal’s theme please follow the upgrade instructions for the portal’s themes.
Release Highlights
The 1.8.4 release addresses ten high-priority bugs and vulnerabilities, and introduces multiple improvements to experience of admins in the portal’s admin app.
Download
Changelog
Added
- Added new configuration option for setting the SameSiteattribute on the portal’s cookie.
- Added new welcome email for admin users that is sent when new admin account is created.
- Added new welcome email for developers that is sent when new developer account is created.
- Added a fallback mechanism for referencing assets. This searches for assets, such as images, referenced in the rich text editor or markdown editor. It searches the container’s filesystem whenever the portal can’t find the referenced asset in the PORTAL_STORAGE.
Changed
- Changed the title for the subject of the new developer registration request from “Registering email - subject” in the settings UI to “Developer Registration Approval Request - Subject” to better reflect the context in which this email is used.
- Adjusted the portal’s behavior for saving pages through the admin API or the Pages UI. Now, if a content block referenced in a template is absent in the page using that template, the portal will ignore this issue instead of preventing the page from being saved. When rendering the respective page, any missing content blocks will be filled with empty strings.
- Changed title for the portal’s private pages for better SEO performance:
| URL | Page title | 
|---|---|
| /portal/private/analytics | Analytics | 
| /portal/private/dashboard | Dashboard | 
| /portal/private/apps/ | Create an application | 
| /portal/private/apps/:id | Applications | 
| /portal/private/users | Users | 
| /portal/private/organisation | Create an organization | 
| /portal/private/users/invite | Invite a user | 
| /portal/private/users | Users | 
| /portal/private/users/:id | Users | 
| /portal/private/profile | Profile | 
| /auth/password/login | Developer portal login | 
| /auth/password/new | Password reset | 
- Changed the credential provisioning flow to automatically include DeveloperID, OrganizationID, ApplicationID, and TeamIDs in the credential metadata.
- Added warning regarding potential PII exposure to the custom attributes menu.
- Changed the behavior of the portal for 404 errors. Now whenever a user requests non-existing page both private (e.i. requiring sign-in to access) or public, the portal now always renders the not_found.tmpltemplate.
- Changed the behavior of the Securecookie attribute that is set by PORTAL_SESSION_SECURE so that theSecureattribute is always add to theSet-Cookieheader wheneverPORTAL_SESSION_SECUREis set totrueor when TLS is enabled.
- Changed the behavior of removing a developer profile within the developers UI in the admin app. Now, when an admin tries to remove a developer profile and some of their credentials have been removed from the credentials provider, or if the provider itself is down or unreachable, the portal asks the admin if they still want to remove the developer profile by displaying a modal window.
- Extended the DELETE /users/:idAPI endpoint by adding the ?force query parameter to force removal of a user even if some of their credentials have been removed from the credentials provider, or if the provider itself is down or unreachable.
- Extended the GET /pages/:id/content-blocks/:id:API endpoint by adding additional fields in the response body:Content,MarkdownContent,MarkdownEnabled,Name, andPageID.
- Extended filesize limit for individual files in themes to 5 MB.
- Made the organization invite email’s subject configurable via the emails settings section.
Fixed
- Fixed the bug where it was impossible to create an ordered list in the rich text editor in the admin app due to CSS issues.
- Fixed the bug where it was possible to copy the ‘portal-session’ cookie and use it with different IP address or browser.
- Fixed the bug where the audit log didn’t reflect some actions initiated by admin users and developers.
- Fixed the bug where sensitive data such as hashed API tokens and passwords were exposed in the audit log.
- Fixed the bug where menu items were still persistent after deletion.
- Fixed the bug where admin users couldn’t edit custom attributes created after a user profile is created.
- Fixed the bug where the UI errors when uploading theme were not consistent with the API error messages.
- Fixed the bug where scroll appeared in the API description box in the API Product page when the API description was longer than 50 symbols.
1.8.3 Release Notes
Release Date 22 Jan 2024
Breaking Changes
This release has no breaking changes.
Future breaking changes
This release doesn’t introduce future breaking changes.
Deprecations
There are no deprecations in this release.
Upgrade instructions
If you are on 1.8.1 or an older version we advise you to upgrade ASAP directly to this release.
To upgrade the portal’s theme please follow the upgrade instructions for the portal’s themes.
Release Highlights
The 1.8.3 release addresses ten high-priority bugs and introduces new admin APIs for managing tags and OAuth2.0 client types attached to API Products.
Download
Changelog
Added
- Added new admin API for managing tags attached to API Products.
- Added new admin API for managing OAuth2.0 client types attached to API Products.
Fixed
- Fixed the bug where the search bar in the My Apps section of the Developer dashboard didn’t search for an application.
- Fixed the bug where it was possible to update read-only details of an API Product via an API call.
- Fixed the bug where deleting an access request credentials also deleted the access request.
- Fixed the bug where the button to save a link when editing a hyperlink in the admin UI in the text editor wasn’t displayed.
- Fixed the bug where the Exports function didn’t export analytics to a CSV file under the Error rate(average) tab in the developer Dashboard.
- Fixed the bug where the portal did not accept themes with names containing dots and displayed a not found error when uploading a theme with a dot in its name.
- Fixed the bug in a multi-pod deployment where, when a theme is uploaded, only the pod that uploaded it updates its theme list, while the other pods remain unaware of the new theme.
- Fixed the bug where the Portal allowed pages to be created with duplicate content block names. Subsequently, only the last content block with the duplicate name was displayed.
- Fixed the bug where the portal’s page renderer ignored content-blocks under the ifstatement with references to multiple content-blocks (e.g.{{ if and .blocks.Block1.Content .blocks.Block2.Content .blocks.Block3.Content }}). Subsequently, content that depended on these conditional blocks would not be rendered.
- Fixed the bug where the product auth type is removed after a product is updated.
1.8.2 Release Notes
Release Date 22 Dec 2023
Breaking Changes
This release has no breaking changes.
Future breaking changes
This release doesn’t introduce future breaking changes.
Deprecations
There are no deprecations in this release.
Upgrade instructions
If you are on 1.8.1 or an older version we advise you to upgrade ASAP directly to this release.
To upgrade the portal’s theme please follow the upgrade instructions for the portal’s themes.
Release Highlights
The 1.8.2 release addresses multiple high-priority bugs:
- Fixed the bug where an API Consumer could add incompatible products to a cart making its state inconsistent.
- Fixed the bug where it was possible to use the same session cookie from different IP addresses making the portal vulnerable to the Cross-Site Request Forgery (CSRF) attack.
- Fixed the bug where an admin user couldn’t create a new team in Kubernetes environment.
- Fixed the bug where the navigation in the API documentation was broken when Redoc is selected as a documentation rendering engine.
- Fixed the bug where an API Consumer could bypass the access request rate limit by creating additional applications.
- Fixed the bug where the page rendering fails if the page refers to a template that has no template/layout pair definition in the theme manifest.
- Fixed the bug where creating new content blocks in non-default themes led to duplication of those content blocks in the admin UI.
- Fixed the bug where .Markdowncontent blocks where not shown.
Download
Changelog
Fixed
- Fixed the bug where an API Consumer could add incompatible products to a cart making its state inconsistent.
- Fixed the bug where it was possible to use the same session cookie from different IP addresses making the portal vulnerable to the Cross-Site Request Forgery (CSRF) attack.
- Fixed the bug where an admin user couldn’t create a new team in Kubernetes environment.
- Fixed the bug where the navigation in the API documentation was broken when Redoc is selected as a documentation rendering engine.
- Fixed the bug where an API Consumer could bypass the access request rate limit by creating additional applications.
- Fixed the bug where the page rendering fails if the page refers to a template that has no template/layout pair definition in the theme manifest.
- Fixed the bug where creating new content blocks in non-default themes led to duplication of those content blocks in the admin UI.
- Fixed the bug where .Markdowncontent blocks where not shown.
1.8.1 Release Notes
Release Date 5 Dec 2023
Breaking Changes
This release has no breaking changes.
Future breaking changes
This release doesn’t introduce future breaking changes.
Deprecations
There are no deprecations in this release.
Upgrade instructions
If you are on 1.8.0 or an older version we advise you to upgrade ASAP directly to this release. Unlike 1.8.0, 1.8.1 fixes the broken backward compatability for the default visual theme. Therefore, the upgrade path from earlier versions are straightforward. It is enough to just pull the latest version of the portal’s container.
To upgrade the portal’s theme please follow the upgrade instructions for the portal’s themes.
Release Highlights
The 1.8.1 release addresses multiple high-priority bugs:
- Restored backward compatibility for the default visual theme which was broken in the previous release.
- Fixed the bug where the live portal UI was broken when there is more than one OpenAPI specification attached to an API Product.
- Fixed the bug where the collapsible components in the admin application of the portal didn’t open.
- Fixed the bug where the client type wasn’t a required field when creating OAuth2.0 clients via the DCR flow.
- Fixed the bug where CPU usage unexpectedly increased in Kubernetes without external traffic.
- Fixed the bug where admin users were not able to approve access requests in Kubernetes environment.
- Fixed the bug where the usage analytics didn’t show in the Developer Dashboard.
- Upgraded the version of Stoplight to the latest available version in the default theme.
Download
Changelog
Added
- Add a config option to expose the Golang profiling information which allows for debugging issues related to resource consumption.
Changed
- Upgraded the version of Stoplight to the latest available version in the default theme.
Fixed
- Restored backward compatibility for the default visual theme which was broken in the previous release.
- Fixed the bug where CPU usage unexpectedly increased in Kubernetes without external traffic.
- Fixed the bug where admin users were not able to approve access requests in Kubernetes environment.
- Fixed the bug where the usage analytics didn’t show in the Developer Dashboard.
- Fixed the bug where the live portal UI was broken when there is more than one OpenAPI specification attached to an API Product.
- Fixed the bug where the collapsible components in the admin application of the portal didn’t open.
- Fixed the bug where the client type wasn’t a required field when creating OAuth2.0 clients via the DCR flow.
1.8.0 Release Notes
Release Date 24 Nov 2023
Breaking Changes
This release has no breaking changes.
Future breaking changes
This release doesn’t introduce future breaking changes.
Deprecations
There are no deprecations in this release.
Upgrade instructions
If you are on 1.7.0 or an older version we advise you to upgrade ASAP directly to this release. When upgrading from 1.6.0 or earlier versions, customers may experience problems when starting the portal. One of the possible issues is the following:
- When the portal theme manifest has a reference to a template that is not present in the theme then the theme won’t be loaded. This check that prevents admin users from uploading themes with potential errors was introduced in version 1.7.0.
- At the same time, the default theme in version 1.6.0 of the portal had a reference in the theme manifest to the portal_hometemplate that didn’t exist in the theme.
- The portal doesn’t update the theme automatically because in that case any customer-made changes will be lost. Subsequently, upgrading from 1.6.0 to 1.8.0 may result in the following error when loading the theme:
{"level":"info","time":"2023-11-23T12:25:35.646Z","caller":"application/themes.go:121","message":"Failed to initialize theme '/themes/default': loading theme templates code references: getting template portal_home: portal_home.tmpl not found"}
{"level":"info","time":"2023-11-23T12:25:35.646Z","caller":"application/themes.go:135","message":"0 themes loaded."}
panic: theme 'default' not found
- Moreover, when there was a single theme in the portal, it wouldn’t start because it didn’t recognize the theme as valid.
To overcome the issue, please follow our upgrade instructions for your storage type as outlined in the sections below.
The following instructions explain the easiest way to upgrade the default theme when upgrading from 1.6.0 to 1.8.0.
In order to upgrade the theme, you will need to remove the existing default theme and let the portal unpack the current default theme that is compatible with v1.8.0 release. Therefore, the update is performed in four steps:
- (Optionally) Save a copy of the current default theme if there are any changes to it that you want to save.
- Remove the existing default theme that prevents the portal from starting.
- Start the portal so that it will unpack the compatible theme.
- (Optionally) Apply changes from the saved theme.
In later releases, we will publish the theme within a public git repository. This way you can apply git-flow when upgrading the theme.
Note
If your current active theme is not the default theme, downgrade to v1.6.0 and activate the default theme first before implementing the below steps.
Upgrade default theme within filesystem storage type
To upgrade the default theme that is stored in a filesystem (fileSystem mounted by localhost or PVC or csi-driver) you will need a shell to access that specific file system. Execute the following steps to upgrade the theme:
- Navigate to the theme directory. Locate the theming directory used for the portal application defined by Theming.Pathin the portal config file orPORTAL_THEMING_PATHenvironment variable. By default, the theming path is./themes. So, it will be placed in thethemesdirectory relative to wherever the portal app is run from.
- (Optional) Save a copy of the current default theme if there are changes that you want to keep.
- Remove the default theme. To remove the existing version of the default theme from a filesystem, navigate to the theme directory and remove the default theme:
rm -rf ./default
- Start the portal. Once the default theme is deleted, start the portal v1.8.0 again, and it will start with the upgraded default theme.
- (Optional) Once the portal is operational again, you can download the correct default theme and apply any changes from the existing theme that was saved in step 2.
Upgrade default theme within S3 storage type
To upgrade the default theme that is stored in an S3 bucket you will access to the S3 console with read-write rights. Execute the following steps to upgrade the theme:
- Navigate to the S3 bucket that is used to store themes. This bucket is defined by S3.Bucketin the portal config file orPORTAL_S3_BUCKETenvironment variable. The default theme should be present in the theming directory that is defined byTheming.Pathin the portal config orPORTAL_THEMING_PATHenvironment variable. By default, the theming path is set to/themes.
- (Optional) Save a copy of the current default theme if there are changes that you want to keep.
- Remove the default theme by deleting the default directory from the theming directory.
- Start the portal. Once the default theme is deleted, start the portal v1.8.0 again and it will start with the upgraded default theme.
- (Optional) Once the portal is operational again, you can download the correct default theme and apply any changes from the existing theme that was saved in step 2.
Upgrade default theme within DB storage type
To upgrade the default theme that is stored in a database bucket (the db storage type) you should be able to run SQL commands on the database that the portal is using. Execute the following steps to upgrade the theme:
- (Optional) If you need to save changes to the existing default theme, downgrade to 1.6.0, start the portal and download the theme either via the UI or the admin APIs.
- Remove the default theme. The portal stores its themes in the Assetstable. Run the following SQL command to remove the default theme from the database:
delete from assets where path like "%<theming-path>/default%";
Before executing the command be sure to replace the <theming-path> with the path defined by Theming.Path in the portal config or PORTAL_THEMING_PATH environment variable. By default, it is /themes, so if you have not explicitly changed this, your command should be as follows:
delete from assets where path like "%/themes/default%";
- Start the portal. Once the default theme is deleted, start the portal v1.8.0 again and it will start with the upgraded default theme.
- (Optional) Once the portal is operational again, you can download the correct default theme and apply any changes from the existing theme that was saved in step 1.
Note
For PVC, if you are stuck with a crashing issue on a newer portal release (version > v1.7.0) running in k8s with PVC storage that contains an older theme (from version < v1.7.0), roll back to v1.6.0 or start a temporary pod with the same PVC mounted to it. Then delete all the existing themes as stated above and deploy the new release.
Release Highlights
Custom attributes for the User model and the sign-up form customization
We added the capability to add additional data fields to the User model and set their behavior. This way API Providers can: Extend the User model with additional fields of one of four types:
- String
- Number
- List of strings
- Boolean
- Configure the behavior of these fields:
- Add the new data fields to the user sign-up form
- Force the portal to add the fields to the key metadata to make them available to custom plugins during API calls
- Make the fields required or optional and lock them once a user profile is created
 
- Set visibility and access rights for the custom data fields:
- Determine if developers can view the fields or are they restricted to only admin users?
- Can developers edit the fields?
 
All settings are available via the admin API and the UI.
To create a custom attribute, define it in the custom attributes menu:

This is how it looks like in the user sign-up form:

CORS settings
In this release, we introduced the config options to set up CORS settings such as:
- Allowed origins
- Allowed headers
- Allowed methods
- Are credentials (cookie or client-side certificates) allowed?
- max-age of the preflight request cache
These settings are useful when the portal sits behind a proxy or a CDN and the portal admin needs to configure the CORS settings on the portal side so that the incoming call from a third-party origin (e.g. a CDN or a proxy) are not rejected by the browser. To set the CORS configuration please refer to the Portal’s configuration documentation.
Connection testing to OAuth2.0 Identity providers
We enhanced our OAuth2.0 support by adding the capability to test connections to OAuth2.0 Identity providers (IdPs) when setting up OAuth2.0 with the Tyk Enterprise Developer Portal. This way, you can make sure the Portal has connectivity with the IdP before saving the OAuth2.0 settings and creating the first OAuth2.0 client.

Verbose logs for the DCR flow
In addition to the new connection testing functionality, we added one more tool to help customers resolve complex integration issues when integrating with OAuth2.0 providers.
Now when the PORTAL_DCR_LOG_ENABLED environment variable is set to true, the portal will output not only the status and status code of the request to the IdP, but also actual payload returned by the IdP:
{"level":"error","time":"2023-10-10T17:02:27.484+0200","caller":"client/dcr-helpers.go:152","message":"IdPResponse: {\"error\":\"insufficient_scope\",\"error_description\":\"Policy 'Allowed Client Scopes' rejected request to client-registration service. Details: Not permitted to use specified clientScope\"}
Download
Changelog
Added
- Added the custom attributes to the User model so that the portal admins can extend the data stored in the user profile and customize the user sign-up form.
- Added the capability to test the connection to OAuth2.0 Identity providers menu to help the portal admin troubleshoot connectivity issues when configuring OAuth2.0 with the portal.
- Added the config options for configuring the CORS settings.
Changed
- Display an actual item title instead of a generic iterative name in the Pages and the Providers UI (e.g. “HeaderButtonLabel” instead of “ContentBlock 1” in the Pages menu).
- When PORTAL_DCR_LOG_ENABLED is enabled the portal now returns not only the status and status code of the request to the IdP but also actual payload returned by the IdP
Fixed
- Fixed the bug where the database credentials were printed in the logs when bootstrapping the portal.
- Fixed the bug where the session cookie was disclosing the username and role.
- Fixed the bug where the Forgot Password page did not reflect the current theme.
- Fixed the bug where the DCR flow failed to create a client with policies managed by Tyk Operator.
- Fixed the bug where an admin user couldn’t upload a new theme file in Kubernetes environment.
- Fixed the bug where the portal application went down after running for several hours in Kubernetes environment.
- Fixed the bug where it was possible to remove the default organization which resulted in the portal being non-operational.
- Fixed the bug where the portal panicked when an IdP was not available while creating a new OAuth2.0 client.
- Fixed the bug where a developer could access API Products regardless of the access rights set by catalogs.
- Fixed the bug where it wasn’t possible to change a team for a user.
- Fixed the bug where the error wasn’t displayed to an admin user when the theme validation failed while uploading a theme package.
- Fixed the bug where the rich text editor added extra <p>tags to the text.
- Fixed the bug where the live portal UI was broken when there is more than one OpenAPI specification attached to an API Product.
- Fixed the bug where it wasn’t possible to remove an API from an API Product.
1.7 Release Notes
1.7.0 Release Notes
Release Date 6 Oct 2023
Breaking Changes
This release has no breaking changes.
Future breaking changes
This release doesn’t introduce future breaking changes.
Deprecations
There are no deprecations in this release.
Upgrade instructions
If you are on a 1.6.0 or an older version we advise you to upgrade ASAP directly to this release.
Release Highlights
Content blocks validation
We added validation to the content pages. Now when an admin user tries to delete a content block that is necessary to render the page, the portal won’t let them to save the page.

Audit log capability
We added capability to enable audit log for any action that changes state of the portal or queries data from the portal. When the audit log is enabled, every action of admin users or developers performed via the UI or an API (only for admin users) will be noted in the audit log. To enable the audit log, just specify path to the audit log file and enable it.
To configure the audit log with environment variables, use PORTAL_AUDIT_LOG_ENABLE to enable the audit log and PORTAL_AUDIT_LOG_PATH to specify path to the audit log file:
PORTAL_AUDIT_LOG_ENABLE=true
PORTAL_AUDIT_LOG_PATH=./audit.log
To configure the audit log with the config file, use AuditLog.Enable to enable the audit log and AuditLog.Path to specify path to the audit log file:
  "AuditLog": {
    "Enable": true,
    "Path": "./audit"
  }
When specifying path ot the audit file make sure it’s mapped to a file on the host machine.
Capability to limit frequency of access requests
Now admin users can specify how often developers can request access to a specific plan. This way the admins can prevent developers from creating too many keys and abusing their free plan.

Download
Changelog
Added
- Added content blocks validation for content pages to avoid changes to content pages that result in page render errors.
- Added the audit log capability to track any action that changes state of the portal or queries data from the portal.
- Added the capability to limit frequency of access requests to block any abuse of free plans.
Changed
- Disable autocomplete for passwords in the default theme to prevent the access credentials from being stored on the local computer. The stored credentials can be captured by an attacker who gains control over the user’s computer.
Fixed
- Fixed the bug where developers could get access to applications of other developers if they know the app ID.
- Fixed the bug where developers and apps of an organization were not deleted when the organization was deleted.
- Fixed the bug where it was possible to remove the default organization with resulted in the portal being non-operational.
1.6 Release Notes
1.6.0 Release Notes
Release Date 5 Sep 2023
Breaking Changes
This release has no breaking changes.
Future breaking changes
This release doesn’t introduce future breaking changes.
Deprecations
There are no deprecations in this release.
Upgrade instructions
If you are on a 1.5.0 or an older version we advise you to upgrade ASAP directly to this release.
Release Highlights
OAuth2.0 flow now supports multiple identity providers
Now the Tyk Enterprise Developer portal can use multiple identity providers (IdPs) for OAuth2.0 via the Dynamic Client Registration flow. If your company has multiple OAuth2.0 providers now you can utilize them all for OAuth2.0 authentication. For instance, if your company uses different IdPs for different products (e.g. one for the U.S. and another for the EU) you can now achieve that with Tyk.
Just create multiple IdPs in the App registration menu:

And then use them to enable OAuth2.0 authentication for API Products:

New Admin API for all content-blocks
You can download all CMS content with just one API call with the brand new API endpoint GET /pages/all/content-blocks that returns all content blocks for all pages. Now migration between environments and deployment is much easier.
Support for Mutual TLS
For customers who need extra security for their APIs such financial institutions and payment providers we introduced an ability for the portal to surface Mutual TLS APIs. Now you can configure API Key and OAuth2.0 API to support Mutual TLS. Just create an API that supports multiple authentication mechanisms in the Dashboard and publish it to the portal:

Now your developers can discover and request access to them in the portal:


Display-only support for API Products with custom authentication
This new capability allows you to display on the portal the APIs that use your own custom authentication mechanisms. We appreciate that many customer use their own auth mechanisms and even though at the moment we cannot create credentials for custom authentication schemas, we still want to support customers using these.
To display API Products that support custom authentication, you need simply to create an API Product that include APIs with custom authentication and synchronize it to the portal:

Download
Changelog
Added
- Added support for multiple IdPs of the OAuth2.0 flow. If a customer has multiple OAuth2.0 providers now they can utilize them all for OAuth2.0 authentication with Tyk.
- Added new admins APIs for querying all content-blocks to improve data migration capabilities of the portal.
- Added support for API Products that use Mutual TLS. Now API Providers can surface their API Products that use Mutual TLS authentication on the portal and developer can request access to them.
- Added display-only support for API Products with custom authentication. This allows API Providers to expose on the portal their APIs that use custom authentication for documentation purposes.
Changed
- Simplified the connection settings to the portal assets storage (where all images, themes, and other CMS files are stored) to help our customers get up to speed quicker. We are well aware that installing and configuring on-premise software can be tricky, especially when it comes to infrastructure, storage and databases. Hence, we have decided to ease this burden for you:
- By default, the portal uses the dbstorage type for storing its themes and other CMS assets and it doesn’t require any additional configuration. This means, you can start the portal right away without specifying any additional setting for the assets storage.
- We also simplified setting up S3 storage: now you need only to configure connection settings to the bucket and the portal will handle the rest.
 
- By default, the portal uses the 
Fixed
- In 1.6.0 multiple important security bugs are fixed:
- Added the ability to disable the theme upload capability. Since we don’t validate the theme content it might have viruses and other malicious software. So, to provide super secure environments, we added a setting to disable the theme upload via the UI and API:
    
    
    
      
        
        
          
          
            
              
            
          
        
      
    
    
     
- Fixed the bug where the session is not invalidated after a user logs out.
- Fixed the role permission issue where a provider-admin can deactivate and delete a super-admin.
- Fixed the Users API resource which allowed any value to be entered into the Provider and Role fields.
 
- Added the ability to disable the theme upload capability. Since we don’t validate the theme content it might have viruses and other malicious software. So, to provide super secure environments, we added a setting to disable the theme upload via the UI and API:
    
    
    
      
        
        
          
          
            
              
            
          
        
      
    
    
    
- In addition to the security fixes, several bugs related to the theme management are fixed:
- The list of available templates is now automatically updated when a new theme is loaded.
 
- Fixed the bug where theme unpacking required unnecessary write permission to the /tmp folder.
- Fixed icon alignment in the UI on the main page of the default theme.
1.5 Release Notes
1.5.0 Release Notes
Release Date 17 Jul 2023
Breaking Changes
This release has no breaking changes.
Future breaking changes
This release doesn’t introduce future breaking changes.
Deprecations
There are no deprecations in this release.
Upgrade instructions
If you are on a 1.4.0 or an older version we advise you to upgrade ASAP directly to this release.
Release Highlights
Improved API Providers page
Now the API Provider page has the Status and Last synced columns that help to digest the current status of an API Provider (Up, Down, or Unknown) and the last time it was synchronized. Now it’s much easier to digest the current status of API Providers connected to the portal.

Add the SSL insecure skip verify flag for API Providers
With this new option, Tyk Enterprise Developer portal can be configured to use untrusted certificates when connecting the Tyk Dashboard which helps run local PoCs, quickly and easily.

New admin APIs
In 1.5.0 we introduced the following APIs:
- CRUD API for Get started guides.
- CRUD API for OpenAPI Spec for APIs included in API products.
- CRUD API for API Providers.
Better OAuth2.0 flow without the scope to policy mapping
It also allows adding access to API Products to existing credentials. This way, if an API Consumer wants to add a new API Product to an existing credential, they can simply do it without the need to recreate them from scratch.
Download
Changelog
Added
- Added the Status and Last synced columns to the API Provider page to make easier to digest status of each API Provider.
- Added the Skip SSL Verify flag for the API Providers. It’s now possible to use self-signed certificates for PoCs.
- Added new admin APIs for the Get started guides, Open API Specifications and API Providers to enable migration of configurations between different environments of the portal.
- Added improved OAuth2.0 flow without the scope to policy mapping which makes it much easier to configure OAuth2.0 with Tyk.
- Enable API Providers to set security response headers in the portal config to make API Providers flexible in configuring their UI security settings.
Fixed
- In 1.5.0 multiple important security bugs are fixed:
- Add secure and httpOnly flags to enhance the security of session cookies.
- Fixed the bug with the role permission issue when a provider-admin can deactivate and delete a super-admin.
- Fixed the bug with the Users API resource where it was possible to enter any value in the Provider and Role fields.
 
- In addition to the security fixes, several bugs related to the theme management are fixed:
- The list of available templates is now automatically updated when a new theme is loaded.
- The issue encountered with theme unpacking requiring write permission to the /tmp folder is now resolved. Write permission is no longer required.
- Fixed the icon issue alignment on the main page of the default theme.
 
1.4 Release Notes
1.4.0 Release Notes
Release Date 2 June 2023
Breaking Changes
This release has no breaking changes.
Future breaking changes
This release doesn’t introduce future breaking changes.
Deprecations
There are no deprecations in this release.
Upgrade instructions
If you are on a 1.3.0 or an older version we advise you to upgrade ASAP directly to this release.
Release Highlights
SQL support for the portal’s assets
Until recently, SQL storage was not supported for the portal’s assets: OAS files, themes, images, etc. Therefore, customers had to use at least two types of storage:
- SQL for the portal’s metadata (users, products, access requests, etc).
- Filesystem or S3 for assets (pictures, themes, etc).
This is especially inconvenient in Kubernetes environment when customers had to use persistent volumes.
With this new feature, customers can simply use the same SQL database (MySQL, MariaDB and PostgreSQL) for both assets and metadata. To use the db storage type just set the PORTAL_STORAGE=db for environment variables or "Storage": "db" in a config file and you are good to go!
Response status code added to API analytics filters
API Consumers now can filter API analytics by response status codes. This allows them to analyze traffic and error rate for specific response code for their API Products.

Displaying Basic Auth APIs
We introduced display-only support for basic APIs. That means API Providers can publish documentation for the basic auth APIs. However, developers cannot use the portal to get access to the basic auth APIs.
Download
Changelog
Added
- Added SQL support for the portal’s assets to simplify the storage configuration. Now our customers can store all data in one database.
- Added response status code filters in the API analytics for developers to enhance self-service capabilities for developers.
- Added displaying Basic Auth APIs so that API Providers can expose on the portal their APIs that use basic auth for documentation purposes.
- Added input validation for organization name to prevent organization with empty names from being created.
Fixed
- Fixed typo in the name of the demo user.
- Rewritten labels for Auth token credentials to remove customers’ confusion with opaque names of fields.
Security Fixes
- ZipSlip vulnerability in the theme upload flow is now resolved.
- Added input validation for preventing XSS attacks for catalogs and organizations in the admin app.
1.3 Release Notes
1.3.0 Release Notes
Release Date 17 Apr 2023
Breaking Changes
This release has no breaking changes.
Future breaking changes
This release doesn’t introduce future breaking changes.
Deprecations
There are no deprecations in this release.
Upgrade instructions
If you are on a 1.2.0 or an older version we advise you to upgrade ASAP directly to this release.
Release Highlights
API Analytics UI for developers
We added the new API Analytics UI which extends self-service capabilities for developers. This provides developers with an ability to analyze performance of the APIs which they consume, in addition to traffic composition for their apps. The API Analytics UI has four tabs that help developers to navigate different analytical views:
- The overview tab provides an overarching view on the API Products consumed by a developer. This tab has all information needed to quickly digest the current state of API Products, including: total traffic, number of errors, error breakdown by response code and top APIs by error code.
  
    
    
      
      
    
  
 
- The Total API Calls tab enables developers to analyze traffic from their application to the APIs they consume and how it’s changing over time.
  
    
    
      
      
    
  
 
- The Errors tab provides developers with information relating to total errors and error rates. Here developers can identify any issues with the APIs which they consume without filling any support tickets. Developers can switch between the total number of error and error rates.
  
    
    
      
      
    
  
 
- The Latency tab helps developers to analyze response time of the APIs they consume so that they can factor for it in their applications.
  
    
    
      
      
    
  
 
Theme management API
The theme management API enables SDLC for the theme management in the portal. Admin users can leverage this API to programmatically:
- Create new themes.
- Update existing themes.
- Select the currently active theme.
Enhanced error logging for DCR and SSO flows
We introduced more verbose error logging for the DCR flow and for Single Sign-On to help customers set up the SSO and DCR faster. This is especially important for complex environments with highly customized or non-standard IdPs.
Download
Changelog
Added
- Added API Consumer Analytics to digest summary analytics for developers’ applications so that developers can analyze performance of the APIs which they consume.
- Added enhanced error logging in all places where the DCR flow is used. A log structure is now provided, including the status code from an IdP to help API Providers to debug DCR integrations.
- Added enhanced error logging to the SSO flow to facilitate setting up SSO.
- Added the Theme management API to enable API Providers to update themes using CI/CD pipelines.
Fixed
- Fixed grammar in the Provider menu UI.
- Fixed broken link to the Access requests menu item in the portal admin dashboard.
- Fixes to the shopping cart flow were made as follows:
- Fixed the bug where the ‘Add to cart’ button in the API Product page were not clickable;
- Added form validation in the checkout flow.
 
- Fixed the API Product page to show only catalogs available to a developer.
1.2 Release Notes
1.2.0 Release Notes
Release Date 21 Mar 2023
Breaking Changes
This release has no breaking changes.
Future breaking changes
This release doesn’t introduce future breaking changes.
Deprecations
There are no deprecations in this release.
Upgrade instructions
If you are on a 1.1.0 or an older version we advise you to upgrade ASAP directly to this release.
Release Highlights
This release is primarily focused on improved deployment support for Kubernetes and a variety of features to achieve better developer experience.
Full Kubernetes support
The Tyk Enterprise Developer Portal is now available in Kubernetes and customer can launch it using our helm charts. This feature makes the portal Kubernetes friendly by adding liveness, readiness probes, graceful shutdown and changing the portal lifecycle so that it’s possible to set an initial user and bootstrap the portal via APIs.
SSO for API Consumers and admins
API Providers can configure Single Sign-on for the Enterprise developer portal so that it’s possible to login developers and admins to the portal user 3rd party IdP.
API Analytics for API Consumers
This capability enables API Providers to get aggregated statistics about consumption of their APIs using Tyk Pump. In 1.2.0, we enabled the portal to attach the following tags to API Keys and oAuth clients:
- Application (app-XXX, where XXX is the app ID);
- Organization (org-XXX, where XXX is the org ID).
Admin API for API Products
This feature provides an API to make it easier for admin users to manage their API Products:
- List available API Products.
- Change the content and description.
- Add link to Open API specification for APIs.
Add TLS support
This feature enables API Provides to secure the portal with HTTPs.
Add enhanced logging configuration
This new setting allows API Providers to set the logging level and format. This offers API Providers more control over the logging behavior of their APIs.
Download
Changelog
Added
- Added Kubernetes support and helm charts.
- Added Single Sign-on for API Consumers and admin users so that they can use their IdPs for managing admin users and developers.
- Added organization and application metadata to auth tokens and OAuth2.0 clients so that API Providers can use Tyk Pump to create aggregated reports based on the metadata from tokens and OAuth2.0 clients.
- Added Admin APIs for API Products to enable API Providers to update API Products using CI/CD pipelines.
- Added TLS support for the portal’s UI.
- Added config options to set the logging level and format. This offers API Providers more control over the logging behavior of their APIs.
Fixed
- Fixed grammar in the copy section of the admin application on the Application page.
- Fixes an issue with DCR that was encountered when a developer deletes an app with two DCR products from different catalogs. In that case, the client was deleted from IdP but the app was not deleted from the Portal.
1.1 Release Notes
1.1.0 Release Notes
Release Date 20 Jan 2023
Breaking Changes
This release has no breaking changes.
Future breaking changes
This release doesn’t introduce future breaking changes.
Deprecations
There are no deprecations in this release.
Upgrade instructions
We advise you to upgrade ASAP directly to this release.
Release Highlights
This release introduce a variety of features to improve developer experience. Additionally, we’ve included support for the S3 storage type as well as some bug fixes.
Organization management for API Consumers
Now API Consumers can create organizations and securely share credentials between their teammates. In greater detail:
- API Consumers can request to upgrade their account to an organizational account.
- API Consumers can invite teammates to their organization and manage their roles.
- API Consumers in the same organization share access credentials so that the API Consumer team will still have access to API credentials even if an admin user is on vacation or left the organization.
- API Providers can configure whether they allow API consumers to request an upgrade to their accounts for an organizational account.
- API Providers can manually accept, reject or configure to accept all such request to accepted by default.
Get started guides
API Providers can add Get started guides to API Products for better developer experiences:
- API Providers can add the Get started guides to API Products to speed-up onboarding of API Consumers.
- API Providers can use HTML or Markdown editors for authoring content for API Consumers such as the Get started guides and blog posts.
Tags for API Products and blog posts
API Providers can select which blogs posts to display on an API Product page using the tags feature. To achieve that, an API Provider can specify tags for both API Products and blog posts. Blog posts that match tags with an API Product are displayed in the ‘Related blog content’ section in the API Product page. This offers API Providers greater control over what blog posts to display on their API Product page.
S3 support
We added S3 support for the portal assets storage (themes, images, OAS files). This update enhances the extensibility of our platform, allowing you to choose different storage solutions to better align with your specific needs.
Download
Changelog
Added
- Added the organization management capability for API Consumers to safely share API access credentials between team members.
- Added the Get started guides for API Products so that admins can explain to their consumers how use their API Products.
- Added support for S3 storage for the portal’s assets storage. Now our customers can use s3storage in addition to the filesystem which is especially important in Kubernetes environments.
- Added tags for API Products and blog posts so that API Providers have greater control over which blog posts to display on their API Product page.
Fixed
- Fixed a bug in the DCR flow where scopes from an API Product were not assigned to the OAuth2.0 client when creating a new OAuth2.0 client.
- Fixed a bug with the bootstrap process to print JWT instead of the portal’s internal auth token when bootstrapping the portal.
- Fixed a bug where plans and products were not removed for Tyk Dashboard instances that were disconnected from the portal instance. Subsequently, after this fix plans and products are only displayed for available Tyk Dashboard instances.
Further Information
Upgrading Tyk
Please refer to the upgrading Tyk page for further guidance with respect to the upgrade strategy.
FAQ
Please visit our Developer Support page for further information relating to reporting bugs, upgrading Tyk, technical support and how to contribute.