Branch/Environment/Version
- Branch/Version:
5.8.5 (also confirmed present in release-5.9 and master)
- Environment: On-prem (OSS)
Describe the bug
When issuing an OAuth 2.0 access token via the Tyk Admin API (POST /tyk/oauth/authorize-client), the resulting key/session object has date_created set to Go's zero time value (0001-01-01T00:00:00Z) instead of the actual token creation time.
Additionally, date_created cannot be corrected via PUT /tyk/keys/{keyId} because the update handler explicitly preserves the original value (newSession.DateCreated = originalKey.DateCreated), making the field permanently stuck at the zero value.
Reproduction steps
- Set up an API with OAuth 2.0 authentication enabled
- Create an OAuth client via POST /tyk/oauth/clients/{apiId}
- Issue an OAuth token via POST /tyk/oauth/authorize-client with a valid client_id, client_secret, grant_type=client_credentials
- Retrieve the created key via GET /tyk/keys/{token}
- Observe the date_created field in the response
Actual behavior
The date_created field is set to Go's zero time value:
"date_created": "0001-01-01T00:00:00Z"
Expected behavior
The date_created field should be set to the timestamp when the OAuth token was issued, e.g.:
"date_created": "2026-03-23T13:10:00Z"
Screenshots/Video
N/A
Logs (debug mode or log file):
N/A — no error is logged; the zero value is silently stored.
Configuration (tyk config file):
Standard Tyk OSS configuration with OAuth 2.0 enabled on an API. No special configuration required to reproduce.
Additional context
Root cause identified in gateway/oauth_manager.go. The SaveAccess function creates a new session but never sets DateCreated:
newSession := user.NewSessionState() // DateCreated = zero value (time.Time{})
// ...
newSession.OauthClientID = accessData.Client.GetId()
newSession.Expires = time.Now().Unix() + int64(accessData.ExpiresIn)
// DateCreated is never assigned!
r.sessionManager.UpdateSession(accessData.AccessToken, newSession, sessionLifetime, false)
Proposed one-line fix in gateway/oauth_manager.go:
newSession.Expires = time.Now().Unix() + int64(accessData.ExpiresIn)
newSession.DateCreated = time.Now() // ← add this line
By contrast, date_created is correctly set in the regular key creation flow (POST /tyk/keys). This is an OAuth-specific omission.
Note: the workaround of patching via PUT /tyk/keys does not work because api.go explicitly preserves the original date_created on every update.
Branch/Environment/Version
5.8.5 (also confirmed present in release-5.9 and master)
Describe the bug
When issuing an OAuth 2.0 access token via the Tyk Admin API (POST /tyk/oauth/authorize-client), the resulting key/session object has date_created set to Go's zero time value (0001-01-01T00:00:00Z) instead of the actual token creation time.
Additionally, date_created cannot be corrected via PUT /tyk/keys/{keyId} because the update handler explicitly preserves the original value (newSession.DateCreated = originalKey.DateCreated), making the field permanently stuck at the zero value.
Reproduction steps
Actual behavior
The date_created field is set to Go's zero time value:
"date_created": "0001-01-01T00:00:00Z"
Expected behavior
The date_created field should be set to the timestamp when the OAuth token was issued, e.g.:
"date_created": "2026-03-23T13:10:00Z"
Screenshots/Video
N/A
Logs (debug mode or log file):
N/A — no error is logged; the zero value is silently stored.
Configuration (tyk config file):
Standard Tyk OSS configuration with OAuth 2.0 enabled on an API. No special configuration required to reproduce.
Additional context
Root cause identified in gateway/oauth_manager.go. The SaveAccess function creates a new session but never sets DateCreated:
newSession := user.NewSessionState() // DateCreated = zero value (time.Time{})
// ...
newSession.OauthClientID = accessData.Client.GetId()
newSession.Expires = time.Now().Unix() + int64(accessData.ExpiresIn)
// DateCreated is never assigned!
r.sessionManager.UpdateSession(accessData.AccessToken, newSession, sessionLifetime, false)
Proposed one-line fix in gateway/oauth_manager.go:
newSession.Expires = time.Now().Unix() + int64(accessData.ExpiresIn)
newSession.DateCreated = time.Now() // ← add this line
By contrast, date_created is correctly set in the regular key creation flow (POST /tyk/keys). This is an OAuth-specific omission.
Note: the workaround of patching via PUT /tyk/keys does not work because api.go explicitly preserves the original date_created on every update.