Tyk FIPS Policy

Last updated:

What is FIPS

The Federal Information Processing Standards (FIPS) are U.S. government standards for cryptographic modules, defined by the National Institute of Standards and Technology (NIST).

The most relevant standard for API management is FIPS 140-2, which specifies how cryptographic modules must be designed and validated.

FIPS compliance is often required for organizations in:

  • Government and defense
  • Healthcare and life sciences
  • Financial services
  • Critical infrastructure

For API management, FIPS matters because it ensures:

  • Secure data in transit: only strong, approved algorithms are used.

  • Robust authentication & key management: cryptographic operations like token signing and API key hashing are performed using validated methods.

  • Regulatory alignment: supports compliance where FIPS 140-2 is mandated.

Tyk’s FIPS Offering

Tyk provides a FIPS-compliant package of the Tyk Gateway (Enterprise Edition) and Tyk Pump (together, the FIPS Tyk Product). Please note that the FIPS Tyk Product has not been submitted to a NIST testing lab for validation and Tyk is not FIPS certified..

FIPS-compliant means that the FIPS Tyk Product only uses FIPS 140-2 approved cryptographic algorithms (see below) when running in FIPS mode. This is only available to specific Tyk-built packages or Docker images of the FIPS Tyk Product. These packages and images are not publicly accessible.

  • The FIPS Tyk Product uses the BoringCrypto module, enabling only FIPS 140-2 approved algorithms when run in FIPS mode.

  • These packages are distributed separately, identifiable by the -fips suffix (e.g., tyk-gateway-fips, tyk-pump-fips).

  • The FIPS Tyk Product is available for selected enterprise-supported Linux distributions. Please contact your account manager for details.

  • The FIPS Tyk Product has not been submitted to a NIST testing lab. It is therefore FIPS-compliant, as per the above definition, and is not FIPS-certified.

  • Compliance applies only to the binaries we ship as part of the FIPS Tyk Product only, not to the entire system or deployment environment or otherwise. Customers remain responsible for ensuring compliance with their overall deployment.

Configuring Tyk for FIPS Mode

When running the FIPS Tyk Product in the Tyk Gateway, you must set the key hashing algorithm to SHA-256:

In tyk.conf:

"hash_key_function": "sha256"
Or via environment variable:

TYK_GW_HASHKEYFUNCTION=sha256

When using FIPS mode for Tyk Pump, you do not need to set this algorithm.

Important Note

Use of the FIPS Tyk Product is conditional upon:

  • A paid enterprise license agreement.
  • Acceptance of any additional terms specific to FIPS releases.

Please speak with your Tyk account manager for more information.

FAQ

What level of FIPS 140-2 compliance does Tyk support?

Tyk provides compliance by ensuring that in FIPS mode, only FIPS 140-2 approved algorithms are used. The Tyk FIPS Product is not FIPS-certified.

 
Can I use Tyk in FIPS mode in the Tyk Cloud environment?

Yes, on the data plane with hybrid gateways using the Tyk FIPS product deployed on your premises that connect to the Tyk Cloud control plane.

 
Does FIPS mode affect performance?

There is no expected impact on performance.

 
Are all Tyk components FIPS-compliant?

Compliance applies only to the specific FIPS Tyk Product binaries. Other components, plugins, and integrations must be reviewed separately by customers for compliance. The Tyk FIPS Product is provided in certain Linux distributions. Docker images are also available containing these binaries, however Tyk does not claim FIPS compliance at the image level, only the binaries.

 

See also

Return to Top