diff --git a/tyk-docs/content/developer-support/release-notes/dashboard.md b/tyk-docs/content/developer-support/release-notes/dashboard.md
index 9245297155..9ed7c3ceae 100644
--- a/tyk-docs/content/developer-support/release-notes/dashboard.md
+++ b/tyk-docs/content/developer-support/release-notes/dashboard.md
@@ -35,6 +35,414 @@ Our minor releases are supported until our next minor comes out.
---
+## 5.10 Release Notes
+
+### 5.10.0 Release Notes
+
+#### Release Date 13th October 2025
+
+#### Release Highlights
+
+For a comprehensive list of changes, please refer to the detailed [changelog]({{< ref "#Changelog-v5.10.0" >}}).
+
+##### Streamlined API Versioning Experience
+
+The Tyk Dashboard now provides a completely redesigned versioning experience for Tyk OAS APIs, making API version management intuitive and efficient through guided workflows and centralized controls.
+
+**Intuitive version creation**
+
+- **Step-by-step wizard**: Guided process for creating new API versions with clear configuration options at each step
+- **Smart configuration cloning**: Choose to inherit settings from existing versions or start fresh
+- **Flexible publishing**: Control version activation and Gateway deployment during creation
+- **Pre-configuration support**: Set up versioning parameters before creating any versions, preparing APIs for future versioning needs
+
+**Centralized version management**
+
+- **Unified "Versions" tab**: Single location to view and manage all aspects of API versioning
+- **Clear configuration visibility**: Version identifier settings, proxy options, and version lists displayed in one organized interface
+- **Inline editing**: Modify version names and configuration directly without navigating between screens
+- **Consistent experience**: Same interface and capabilities whether working with base or child APIs
+
+**Key benefits**
+
+- Eliminate confusion around version setup and management
+- Reduce time spent navigating between different configuration screens
+- Enable proactive versioning preparation for future API evolution
+- Provide clear visibility into version configuration and relationships
+
+Perfect for teams managing multiple API versions or planning version rollout strategies, this enhancement makes API versioning accessible to users of all experience levels while maintaining the power and flexibility that advanced users require.
+
+
+##### Certificate Expiry Monitoring and Notifications
+
+The Tyk Dashboard now provides proactive certificate lifecycle management to help prevent service outages caused by expired mTLS certificates.
+
+Proactive monitoring capabilities:
+- **Event-driven alerts**: Certificate expiry events are now available in the Tyk OAS API Designer for webhook and event handler configuration
+- **Dashboard API notifications**: New endpoint provides programmatic access to certificate status information
+ - **Smart monitoring**: Automatic detection of certificates approaching expiry or already expired with configurable warning thresholds
+ - **Duplicate prevention**: Intelligent notification system prevents alert flooding while ensuring visibility
+
+**Key benefits**
+
+- Prevent unexpected API outages due to expired certificates
+- Enable automated certificate renewal workflows through event handlers
+- Provide clear visibility into certificate health across your API infrastructure
+- Support integration with existing monitoring and alerting systems
+
+Perfect for organizations managing multiple certificates across complex API infrastructures where manual certificate tracking becomes impractical.
+
+For more details, please see the dedicated [Gateway events]({{< ref "api-management/gateway-events" >}}) section.
+
+#### Breaking Changes
+
+There are no breaking changes in this release.
+
+#### Dependencies {#dependencies-5.10.0}
+
+| Dashboard Version | Recommended Releases | Backwards Compatibility |
+|--------|-------------------|-------------|
+| 5.10.0 | MDCB v2.8.5 | MDCB v2.8.5 |
+| | Operator v1.2.0 | Operator v0.17 |
+| | Sync v2.1.3 | Sync v2.1.0 |
+| | Helm Chart v4.0 | Helm all versions |
+| | EDP v1.14.1 | EDP all versions |
+| | Pump v1.12.2 | Pump all versions |
+| | TIB (if using standalone) v1.7.0 | TIB all versions |
+
+##### 3rd Party Dependencies & Tools {#3rdPartyTools-v5.10.0}
+
+| Third Party Dependency | Tested Versions | Compatible Versions | Comments |
+| ---------------------- | --------------- | ------------------- | -------- |
+| [GoLang](https://go.dev/dl/) | 1.24 | 1.24 | [Go plugins]({{< ref "api-management/plugins/golang" >}}) must be built using Go 1.24 |
+| [Redis](https://redis.io/download/) | 5.x, 6.x, 7.x | 5.x, 6.x, 7.x | |
+| [Valkey](https://valkey.io/download/) | 8.0.x, 8.1.x | 7.2.x, 8.0.x, 8.1.x | |
+| [MongoDB](https://www.mongodb.com/try/download/community) | 6, 7, 8 | 5, 6, 7, 8 | |
+| [DocumentDB](https://aws.amazon.com/documentdb/) | 4, 5 | 4, 5 | |
+| [PostgreSQL](https://www.postgresql.org/download/) | 13.x - 17.x | 13.x - 17.x | |
+| [OpenAPI Specification](https://spec.openapis.org/oas/v3.0.3) | v3.0.x | v3.0.x | Supported by [Tyk OAS]({{< ref "api-management/gateway-config-tyk-oas#tyk-vendor-extension-reference" >}})|
+
+#### Deprecations
+
+There are no deprecations in this release.
+
+#### Upgrade instructions {#upgrade-5.10.0}
+
+If you are upgrading to 5.10.0, please follow the detailed [upgrade instructions](#upgrading-tyk).
+
+#### Downloads
+
+- [Docker Image to pull](https://hub.docker.com/r/tykio/tyk-dashboard/tags?page=&page_size=&ordering=&name=v5.10.0)
+ - ```bash
+ docker pull tykio/tyk-dashboard:v5.10.0
+ ```
+- Helm charts
+ - [tyk-charts v4.0.0]({{< ref "developer-support/release-notes/helm-chart#400-release-notes" >}})
+
+Please note that the Tyk Helm Charts are configured to install the LTS version of Tyk Dashboard. You will need to modify them to install v5.10.0.
+
+#### Changelog {#Changelog-v5.10.0}
+
+##### Added
+
+
+-
+
+Enhanced versioning experience for Tyk OAS APIs
+
+Completely redesigned the versioning experience for Tyk OAS APIs with an intuitive wizard-driven workflow and centralized version management interface.
+
+**New version creation wizard**
+
+- **Guided configuration process**: Step-by-step wizard for creating new API versions with clear decision points
+- **Configuration cloning options**: Choose whether to clone settings from an existing version, with selection from available versions when multiple exist
+- **Version identifier setup**: Configure version location (header, URL path, query parameter) and key name if not already set
+- **Publishing controls**: Decide whether to immediately activate the new version and select target Gateways using segment tags
+
+**Centralized version management**
+
+- **New "Versions" tab**: Unified interface displaying version identifier configuration and complete version list for both base and child APIs
+- **Pre-configuration support**: Set up version identifier location, key name, and proxy options before creating any child versions, preparing non-versioned APIs to become base APIs
+- **Clear configuration visibility**: Version identifier and proxy settings prominently displayed above the version list
+- **Inline editing capabilities**: Edit version names directly for any API version, and modify versioning configuration from the base API
+- **Streamlined access**: Create new versions from any API (base or child) with direct access to the creation wizard
+
+**Improved user experience**
+
+- Removed legacy version management screens that were difficult to locate
+- Consistent versioning interface across all Tyk OAS APIs
+- Reduced complexity in version setup and management workflows
+
+This enhancement significantly simplifies API versioning workflows and provides better visibility into version configuration and management.
+
+
+
+-
+
+Certificate expiry notifications and event handling
+
+Added certificate expiry monitoring capabilities to help administrators proactively manage certificate lifecycles and prevent service outages.
+
+**Event handling integration**
+
+- Certificate expiry events (`CertificateExpiringSoon` and `CertificateExpired`) are now available as selectable options in the event handling section, enabling users to assign webhooks or other event handlers directly through the UI
+
+**Dashboard notifications system**
+
+- **Proactive notification endpoint**: New `GET /api/org/notifications` Dashboard API endpoint provides organization-specific notifications for expiring and expired certificates
+- **Smart monitoring**: In-memory notification repository automatically checks certificate metadata storage and creates notifications for certificates approaching expiry or already expired
+- **Configurable thresholds**: Dashboard configuration options for refresh intervals and warning thresholds:
+
+**Notification details**
+
+- **Severity classification**: Notifications marked as "warning" for soon-to-expire certificates or "critical" for expired certificates
+- **Rich metadata**: Each notification includes certificate ID, expiry date, days remaining, and other relevant details
+- **Duplicate prevention**: Hash-based system prevents duplicate notifications for the same certificate status
+
+**Note:** This release provides the foundational API and event integration for certificate monitoring. Enhanced UI functionality for certificate management will be available in a future release.
+
+This enhancement provides multiple layers of certificate expiry visibility through Gateway events and API-based notifications, ensuring administrators can maintain certificate health across their API infrastructure.
+
+
+
+-
+
+Enhanced JWT claims configuration for Tyk OAS APIs
+
+Updated the Tyk OAS API Designer to support multiple claim sources for JWT authentication, enabling multi-Identity Provider scenarios where different providers use different claim names.
+
+**UI enhancements**
+
+- **Multiple subject claims**: Replace the single "Subject identity claim" field with support for multiple claim sources
+- **Multiple policy claims**: Replace the single "Policy claim" field with support for multiple claim mapping sources
+- **Multiple scope claims**: Replace the single "Scope claim" field with support for multiple scope claim sources
+
+**Current implementation**
+
+- Updated API editor schema to accept the new multi-value claim fields
+- Multi-value claim configuration available through the API Designer interface
+- Advanced JWT validation features (custom claims framework, issuer/audience/subject validation, JWT ID enforcement) must be configured directly in the API definition via the API editor or external API calls
+- Existing single-value configurations remain functional for backward compatibility
+
+This enhancement supports scenarios where different Identity Providers use different claim names (e.g., Keycloak's `scope` vs Okta's `scp`) within the same API configuration, laying the foundation for comprehensive JWT claim validation workflows.
+
+**Note:** Full API Designer integration for these fields will be available in a future release.
+
+
+
+-
+
+OpenAPI compliant multi-authentication configuration for Tyk OAS APIs
+
+Added initial support for OpenAPI Specification compliant multi-authentication configuration in Tyk OAS APIs, enabling flexible authentication workflows that follow standard OpenAPI security patterns.
+
+**UI enhancements**
+
+- We have added a new toggle in the Tyk OAS API Designer's *Server > Authentication* section to choose between "legacy" and "compliant" authentication processing modes when Multiple Authentication Methods is selected:
+ - **Legacy mode**: Existing configuration interface remains available for legacy mode behavior (AND logic for all authentication methods)
+ - **Compliant mode**: Users selecting compliant mode are directed to configure authentication directly in the API editor for full OpenAPI security specification support
+
+**Current implementation**
+
+- Manual configuration of compliant mode security settings available through the API definition editor
+- OpenAPI import with automatic authentication configuration continues to configure legacy mode by default (no change to existing behavior)
+- Advanced authentication combinations (OR logic between security entries) must be configured directly in the API definition
+
+This enhancement provides the foundation for OpenAPI compliant authentication workflows while maintaining complete backward compatibility with existing authentication configurations.
+
+**Note:** Full integration for compliant mode authentication configuration will be available in a future release.
+
+
+
+
+
+##### Changed
+
+
+-
+
+Upgrade Tyk Dashboard to Golang 1.24
+
+The Tyk Dashboard has been updated to [Golang 1.24](https://tip.golang.org/doc/go1.24), improving security by staying current with the latest Go versions.
+
+
+
+
+
+
+##### Fixed
+
+
+
+-
+
+Fixed Policy and Key Management UI for versioned APIs
+
+Fixed UI issues in policy and key management that caused confusion and unnecessary validation errors. The API Versions field in the Dashboard UI now appears only when relevant - specifically for versioned Tyk Classic APIs.
+
+The field is no longer displayed for Tyk OAS APIs or non-versioned Tyk Classic APIs, eliminating confusion about when version selection is required and preventing policies and keys from failing to save due to irrelevant validation requirements.
+
+
+
+-
+
+Fixed issues with Tyk OAS API Debugger
+
+Fixed some issues in the Tyk OAS API Debugger (Test Your API panel) when inspecting API tests:
+
+- The debugger only displayed request middleware execution, omitting response middleware from the debug output
+- The debugger did not show the details of the transformations applied by Request Body Transform and Request Header Transform middleware
+- The debugger incorrectly reported errors for endpoints using Response Body Transform middleware, even when API calls completed successfully
+
+The test debugger now correctly shows both request and response middleware execution, accurately displays the execution status, and eliminates false error messages that could mislead developers during API testing and troubleshooting.
+
+
+
+-
+
+Fixed Dashboard default page_size behavior
+
+Fixed an issue where the Tyk Dashboard did not correctly apply a default `page_size` value when none was specified in the Dashboard configuration, potentially causing unexpected pagination behavior.
+
+The Dashboard now properly defaults to a page size of 10 items as documented, ensuring consistent and predictable pagination across all Dashboard views.
+
+
+
+-
+
+Fixed multiple issues with the creation of child versions of Tyk OAS APIs
+
+Fixed several issues that affected the creation of new child versions of Tyk OAS APIs to ensure reliable version creation and proper validation:
+
+UI and API Creation:
+- Resolved an issue that prevented users from creating new versions via the API Designer's Manage Versions screen
+- Added validation for the `base_api_id` parameter - providing a non-existent ID would previously create the API successfully, but leave it invisible in the Dashboard UI
+- Added stricter validation for version names - users can no longer create API versions without specifying a valid `new_version_name`, preventing unusable or empty version entries
+- Improved error messaging when the `base_api_version_name` parameter is missing or incorrectly specified
+
+Version Management:
+- Fixed an issue where creating new child versions would incorrectly reset the default version back to the base API, overriding previously configured settings
+
+The system now provides comprehensive validation with clear error responses (`HTTP 400 Bad Request` and `HTTP 422 Unprocessable Entity`), ensures that all API versions have meaningful identifiers, and maintains proper default version settings during the creation of child versions.
+
+
+
+-
+
+Fixed `/versions` endpoint to only accept valid Tyk OAS base APIs
+
+Fixed an issue where the `/api/apis/oas/{apiId}/versions` endpoint incorrectly returned version data for Tyk Classic APIs and non-versioned Tyk OAS APIs. The endpoint now properly validates requests and returns `HTTP 422 Unprocessable Entity` when the target API is not a valid Tyk OAS base API, ensuring the endpoint only returns meaningful version information.
+
+
+
+-
+
+Fixed OpenAPI `servers` section handling for regex-based custom domains
+
+Fixed an issue where custom domains containing regular expressions were not correctly parsed and stored in the `servers` section of OpenAPI descriptions for Tyk OAS APIs. The Dashboard now properly converts regex-based domains into valid OpenAPI `servers` entries with appropriate variables, ensuring accurate API documentation and preventing validation errors during API editing.
+
+This fix includes enhanced syntax validation for regular expression (regex) patterns and improved capture group handling, which previously could cause Gateway crashes.
+
+
+
+-
+
+Fixed delayed application of global webhook changes for Tyk OAS APIs
+
+Fixed an issue where updates to [global webhooks]({{< ref "api-management/gateway-events#local-and-global-webhooks" >}}) were not immediately applied to Tyk OAS APIs using those webhooks. When global webhook configurations were modified, the Gateway would continue using the previous settings for affected Tyk OAS APIs until a manual reload occurred.
+
+The system now automatically triggers a Gateway reload for all impacted Tyk OAS APIs when global webhook configurations are updated, ensuring that the new webhook settings take effect immediately.
+
+
+
+-
+
+Fixed cross-interface compatibility for keys and policies with Tyk OAS and non-versioned Tyk Classic APIs
+
+Fixed an issue where keys and policies created or updated via the Dashboard API were sometimes rejected by the Dashboard UI, and vice versa, due to inconsistent handling of the `versions` field for non-versioned Tyk Classic APIs. The issue occurred because the API and UI used different formats when populating the versions list in access rights.
+
+Both interfaces now consistently accept either `null` or `[]` (empty array) values in the `versions` field of the access control list, ensuring seamless interoperability between API and UI workflows for policy and key management. Tyk OAS APIs use a [different approach]({{< ref "api-management/api-versioning#how-api-versioning-works-with-tyk" >}}) to versioning, with each (base or child) version having a unique API ID that is added to the access list.
+
+
+
+-
+
+Fixed visibility of orphaned Tyk OAS API versions when using PostgreSQL
+
+Fixed an issue where orphaned child versions of a Tyk OAS API would disappear from the Dashboard UI after their base API was deleted, specifically when using PostgreSQL as the datastore.
+
+Orphaned Tyk OAS API versions now remain visible in the Dashboard, ensuring consistent behavior across all supported datastores and preventing loss of access to existing API versions.
+
+
+
+-
+
+Fixed inconsistent ordering of Tyk OAS API versions in Dashboard UI
+
+Fixed an issue where the child versions of a Tyk OAS API were sorted by creation date in the **Created APIs** and alphabetically by version name (e.g., v1, v2) in the **Versions** list.
+
+Now versions are always sorted alphabetically by version name, providing predictable and controllable ordering.
+
+
+
+-
+
+Fixed Dashboard API panic when accessing logs without timestamp parameters in PostgreSQL
+
+Fixed an issue where the Tyk Dashboard API would panic and return `HTTP 500 Internal Server Error` when accessing the `/api/logs` endpoint without the required `start` and `end` timestamp parameters in PostgreSQL environments using table sharding.
+
+The API now properly handles missing parameters by returning `HTTP 400 Bad Request` with a descriptive error message, improving error handling and API reliability.
+
+
+
+-
+
+Fixed PATCH endpoint validation to reject Tyk OAS API definitions when expecting OpenAPI description
+
+Fixed an inconsistency where the Dashboard API's `PATCH /api/apis/oas/{apiId}` endpoint incorrectly accepted full Tyk OAS API definitions containing Tyk Vendor Extensions, when it should only accept standard OpenAPI descriptions.
+
+The endpoint now properly validates incoming requests and returns `HTTP 400 Bad Request` if the Tyk Vendor Extension is present, ensuring consistent behavior with the Dashboard UI and maintaining the intended separation between OpenAPI description updates and full API configuration changes.
+
+
+
+-
+
+Fixed incorrect creation of duplicate or blank API categories
+
+Fixed an issue where duplicate or blank API categories could be created for Tyk OAS APIs when using the Dashboard API's `PUT /api/apis/oas/{API_ID}/categories` endpoint. Now, if blank or duplicate category labels are provided in the body of the `PUT` request, these will be ignored.
+
+This matches the validation in the API Designer which does not allow blank or duplicated categories to be assigned to APIs.
+
+
+
+-
+
+Fixed GraphQL API creation via upstream introspection when OPA rules modify requests
+
+Fixed an issue where creating GraphQL APIs using upstream introspection in the Dashboard could fail with `HTTP 502 Bad Gateway` errors when OPA rules (typically using `patch_request`) modified the introspection request body.
+
+The problem occurred because the Dashboard did not recalculate the `Content-Length` header after OPA modifications, causing length mismatches that resulted in proxy errors. The Dashboard now properly recalculates the content length for modified introspection requests, ensuring reliable GraphQL API creation regardless of OPA rule configurations.
+
+
+
+
+
+
+##### Security Fixes
+
+-
+
+High priority CVEs fixed
+
+Fixed the following high-priority CVEs identified in the Tyk Dashboard, providing increased protection against security
+vulnerabilities:
+- CVE-2024-47875
+- CVE-2024-45801
+
+
+
+
+
## 5.9 Release Notes
### 5.9.2 Release Notes
diff --git a/tyk-docs/content/developer-support/release-notes/gateway.md b/tyk-docs/content/developer-support/release-notes/gateway.md
index 16aa58deb1..d756639e43 100644
--- a/tyk-docs/content/developer-support/release-notes/gateway.md
+++ b/tyk-docs/content/developer-support/release-notes/gateway.md
@@ -41,6 +41,417 @@ aliases:
Our minor releases are supported until our next minor comes out.
---
+## 5.10 Release Notes
+
+### 5.10.0 Release Notes
+
+#### Release Date 13th October 2025
+
+#### Release Highlights
+
+For a comprehensive list of changes, please refer to the detailed [changelog]({{< ref "#Changelog-v5.10.0" >}}).
+
+##### OpenAPI Compliant Multi-Authentication for Tyk OAS APIs
+
+Tyk Gateway now supports true OpenAPI specification compliant authentication workflows, giving developers the flexibility to implement industry-standard security patterns while maintaining backward compatibility.
+
+OpenAPI compliant authentication brings:
+
+- **Multiple authentication paths**: Process all entries in the OpenAPI `security` section, not just the first one
+- **Flexible security combinations**: Enable authentication scenarios like "OAuth2 OR Auth Token" where clients can choose their preferred method
+- **Proprietary method integration**: Seamlessly combine standard OpenAPI authentication with Tyk's proprietary methods (Custom Authentication plugin, HMAC) using the same flexible logic
+- **Standards compliance**: Follow OpenAPI security specification patterns that developers expect
+
+Backward compatibility guaranteed:
+
+- **Legacy mode preserved**: Existing APIs continue to work unchanged with the current AND-only logic
+- **Opt-in enhancement**: Switch to compliant mode via the `securityProcessingMode` configuration when ready
+- **No breaking changes**: Existing multi-security configurations remain functional
+
+**Real-world applications**
+
+- Support diverse client authentication capabilities within the same API
+- Implement progressive authentication strategies (basic → advanced security)
+- Align with OpenAPI tooling and documentation expectations
+- Reduce integration complexity for API consumers
+
+Perfect for organizations wanting to leverage standard OpenAPI security patterns while maintaining the flexibility of Tyk's advanced authentication features.
+
+For more details, please see the dedicated [Multi Auth]({{< ref "basic-config-and-security/security/authentication-authorization/multiple-auth/" >}}) section.
+
+##### Comprehensive JWT Claim Validation for Tyk OAS APIs
+
+Tyk Gateway now provides enterprise-grade JWT validation capabilities exclusively for Tyk OAS APIs, enabling complete control over token validation beyond basic expiry and signature checks.
+
+**Complete registered claim validation**
+
+- **Multi-Identity Provider support**: Validate issuer, audience, and subject claims against multiple allowed values
+- **Flexible claim mapping**: Configure different claim names for subject, policy, and scope mapping to support various Identity Providers (Keycloak, Okta, Auth0, etc.) within the same API
+- **JWT ID enforcement**: Require unique token identifiers for enhanced security
+
+**Advanced custom claim validation**
+
+- **Flexible validation rules**: Define validation for any JWT claim using required, exact match, or containment rules
+- **Rich data type support**: Handle strings, numbers, booleans, and arrays with nested claim access using dot notation
+- **Non-blocking validation**: Monitor claim compliance without rejecting requests, perfect for gradual policy enforcement
+
+**Real-world applications**
+
+- Role-based access control with custom permission claims
+- Department or organization-based API access restrictions
+- Multi-tenant scenarios with flexible claim validation
+- Gradual migration from legacy authentication systems
+
+This enhancement makes Tyk's JWT middleware the primary validation mechanism for complex enterprise authentication scenarios, providing the flexibility needed for modern Identity Provider integrations while maintaining backward compatibility.
+
+Ideal for organizations that require sophisticated JWT validation beyond standard token checks.
+
+For more details, please see the dedicated [JWT Auth]({{< ref "basic-config-and-security/security/authentication-authorization/json-web-tokens#managing-authorization-with-jwt" >}}) section.
+
+##### Advanced JWKS Cache Management for Tyk OAS APIs
+
+Tyk Gateway now provides comprehensive JWKS (JSON Web Key Set) cache control for Tyk OAS APIs, delivering significant performance improvements and operational flexibility for JWT validation workflows with:
+
+- **Configurable cache timeouts**: Set custom cache durations per Identity Provider to match their key rotation schedules
+- **On-demand cache invalidation**: Instantly refresh cached keys for any API (Classic or OAS) when Identity Providers rotate their signing keys
+- **Intelligent pre-fetching**: Eliminate first-request latency by fetching JWKS data during Tyk OAS API initialization
+
+**Key benefits**
+
+- Faster JWT validation with reduced Identity Provider round-trips
+- Zero cold-start delays for JWT-protected endpoints
+- Immediate response to Identity Provider key rotations
+- Better performance in high-traffic JWT validation scenarios
+
+This enhancement is particularly valuable for organizations migrating to Tyk OAS APIs or those requiring consistent low-latency JWT validation performance with multiple Identity Providers that have different key rotation policies.
+
+For more details, please see the [JWT Auth]({{< ref "basic-config-and-security/security/authentication-authorization/json-web-tokens#jwt-signatures" >}}) section.
+
+##### Centralized External Service Configuration
+
+Tyk Gateway now provides unified configuration for all external service connections through the new
+`external_services` section. This enhancement brings together previously scattered and incomplete configuration options into a single, coherent system that supports:
+
+- **Proxy configuration**: Apply proxy settings globally or per service, with automatic support for standard environment variables (`HTTP_PROXY`, `HTTPS_PROXY`, `NO_PROXY`)
+- **mTLS certificate management**:Centralized certificate configuration for secure connections to external services
+- **Comprehensive service coverage**: Covers all external integrations, including databases, OAuth providers, and webhook endpoints
+
+This improvement simplifies deployment in enterprise environments where proxy servers and certificate management are critical, while maintaining full backward compatibility with existing configurations.
+
+**Key benefits**
+- Reduced configuration complexity and duplication
+- Better security through centralized certificate management
+- Simplified proxy configuration for containerized deployments
+- Consistent external service connection handling across all Tyk components
+
+For more details, please see the dedicated [section]({{< ref "configure/external-service" >}}).
+
+##### Proactive Certificate Expiry Monitoring
+
+Tyk Gateway now automatically monitors certificate health and proactively alerts administrators before certificates expire, helping prevent service outages caused by expired mTLS certificates.
+
+The new certificate monitoring system provides:
+
+- **Early warning notifications**: Configurable alerts when certificates approach expiry (default: 30 days)
+- **Immediate expiry detection**: Real-time notifications when expired certificates are detected in use
+- **Comprehensive coverage**: Monitors certificates used in both client-to-Gateway and Gateway-to-upstream connections
+- **Smart throttling**: Built-in cooldown mechanisms prevent alert flooding while ensuring visibility
+
+These events integrate seamlessly with existing monitoring and alerting systems through Tyk's standard event framework, enabling teams to set up automated workflows for certificate renewal and replacement.
+
+**Key benefits**
+
+- Prevent unexpected API outages due to expired certificates
+- Reduce manual certificate monitoring overhead
+- Enable proactive certificate lifecycle management
+- Improve overall API reliability and uptime
+
+Perfect for organizations managing multiple certificates across complex API infrastructures where manual tracking becomes impractical.
+
+For more details, please see the dedicated [Gateway events]({{< ref "api-management/gateway-events" >}}) section.
+
+#### Breaking Changes
+
+There are no breaking changes in this release.
+
+#### Dependencies {#dependencies-5.10.0}
+
+##### Compatibility Matrix For Tyk Components
+
+| Gateway Version | Recommended Releases | Backwards Compatibility |
+|--------|-------------------|---- |
+| 5.10.0 | MDCB v2.8.5 | MDCB v2.8.5 |
+| | Operator v1.2.0 | Operator v0.17 |
+| | Sync v2.1.3 | Sync v2.1.0 |
+| | Helm Chart v4.0 | Helm all versions |
+| | Pump v1.12.2 | Pump all versions |
+
+##### 3rd Party Dependencies & Tools
+
+| Third Party Dependency | Tested Versions | Compatible Versions | Comments |
+| ---------------------- | --------------- | ------------------- | -------- |
+| [Go](https://go.dev/dl/) | 1.24 | 1.24 | [Go plugins]({{< ref "api-management/plugins/golang" >}}) must be built using Go 1.24 |
+| [Redis](https://redis.io/download/) | 6.2.x, 7.x, 7.4.x | 6.2.x, 7.x, 7.4.x | |
+| [Valkey](https://valkey.io/download/) | 7.2.x, 8.0.x, 8.1.x | 7.2.x, 8.0.x, 8.1.x | |
+| [OpenAPI Specification](https://spec.openapis.org/oas/v3.0.3)| v3.0.x | v3.0.x | Supported by [Tyk OAS]({{< ref "api-management/gateway-config-tyk-oas" >}}) |
+
+Given the potential time difference between your upgrade and the release of this version, we recommend users verify the ongoing support of third-party dependencies they install, as their status may have changed since the release.
+
+#### Deprecations
+
+There are no deprecations in this release.
+
+#### Upgrade instructions {#upgrade-5.10.0}
+
+If you are upgrading to 5.10.0, please follow the detailed [upgrade instructions](#upgrading-tyk).
+
+#### Downloads
+
+- [Docker image to pull](https://hub.docker.com/r/tykio/tyk-gateway/tags?page=&page_size=&ordering=&name=v5.10.0)
+ - ```bash
+ docker pull tykio/tyk-gateway:v5.10.0
+ ```
+- Helm charts
+ - [tyk-charts v4.0.0]({{[}})
+
+Please note that the Tyk Helm Charts are configured to install the LTS version of Tyk Gateway. You will need to modify them to install v5.10.0.
+
+- [Source code tarball of Tyk Gateway v5.10.0](https://github.com/TykTechnologies/tyk/releases/tag/v5.10.0)
+
+#### Changelog {#Changelog-v5.10.0}
+
+##### Added
+
+]
+
+-
+
+OpenAPI compliant multi-authentication mode for Tyk OAS APIs
+
+Added OpenAPI Specification compliant multi-authentication support for Tyk OAS APIs, providing flexible authentication workflows that follow standard OpenAPI security patterns.
+
+**Compliant mode (new)**
+- Processes all entries in the OpenAPI `security` section sequentially, not just the first entry
+- Supports a local `security` section in the Tyk vendor extension for proprietary authentication methods (Custom Authentication plugin, HMAC)
+- Uses AND logic within each security entry and OR logic between entries, enabling flexible authentication combinations such as: OAuth2 OR Auth Token
+- Allows clients to authenticate using any of the defined security combinations
+
+**Legacy mode (existing behavior)**
+- Continues to use only the first entry from the OpenAPI `security` section
+- Combines all declared methods with proprietary vendor extension methods using AND logic
+- Requires clients to satisfy ALL authentication methods
+
+The authentication processing mode is controlled by the new `server.authentication.securityProcessingMode`
+field in the Tyk Vendor Extension, with `legacy` as the default to ensure backward compatibility. In compliant mode, proprietary authentication methods are configured in the new `server.authentication.security` section within the vendor extension, following the same array structure as the OpenAPI `security` section. This prevents breaking changes for existing API definitions that contain multiple entries in the
+`security` section but were designed for legacy processing behavior.
+
+
+
+-
+
+Enhanced JWT claim validation for Tyk OAS APIs
+
+Tyk OAS APIs now support comprehensive validation of JWT registered claims, extending beyond basic token validation to provide complete access control capabilities. This enhancement includes:
+
+**Registered claim validation**
+
+- **Subject, issuer, and audience validation**: Validate tokens against allowed values with support for multiple entries per claim type
+- **JWT ID enforcement**: Require presence of unique token identifiers (`jti`) when needed
+- **Flexible claim mapping**: Configure different claim names for subject, base policy, and scope-to-policy mapping to support multiple Identity Providers within the same API setup (e.g., Keycloak's `scope` vs Okta's `scp`)
+
+**Custom claim validation framework**
+
+- **Flexible validation rules**: Define validation for any custom JWT claim using three rule types: `required` (claim must exist), `exact_match` (claim equals specific values), or `contains` (claim contains specific values)
+- **Advanced data support**: Handle string, number, boolean, and array data types with nested claim access using dot notation (e.g., `user.department`)
+- **Non-blocking validation**: Configure rules to log warnings instead of rejecting requests for monitoring and gradual enforcement scenarios
+
+These features enable advanced use cases, such as role-based access control, department validation, and custom permission schemes, while maintaining backward compatibility with existing JWT configurations.
+
+**Note:** Available only for Tyk OAS APIs and configured directly in the API definition via the Tyk Vendor Extension.
+
+
+
+-
+
+Enhanced JWKS caching with configurable timeout, invalidation, and pre-fetching
+
+Enhanced the JWKS (JSON Web Key Set) caching system with three key improvements to reduce latency and provide better control over JWT validation:
+
+Configurable cache timeout - Tyk OAS APIs can now specify custom cache timeout values for JWKS endpoints in their JWT validation configuration, allowing fine-tuned control over cache refresh intervals based on Identity Provider requirements.
+
+- Cache invalidation API - Administrators can now manually invalidate JWKS cache entries via new Gateway API endpoints (`DELETE /tyk/cache/jwks/{apiID}` and `DELETE /tyk/cache/jwks`), either targeting specific APIs or purging all cached JWKS data. This enables immediate cache refresh when Identity Provider keys are rotated.
+- Automatic pre-fetching - For Tyk OAS APIs, JWKS data is now automatically fetched and cached when API definitions are loaded, eliminating cold-start delays for JWT validation. Pre-fetching includes comprehensive logging of fetch attempts and results, and failures do not prevent API initialization.
+
+**Note:** For Tyk Classic APIs, JWKS caching behavior remains unchanged with on-demand fetching during token validation using the default cache timeout (60 seconds). Cache invalidation via the new API endpoints works for both Classic and OAS APIs.
+
+These enhancements improve JWT validation performance for Tyk OAS APIs and provide administrators with better tools for managing JWKS cache lifecycle when Identity Provider keys change.
+
+
+
+-
+
+Enhanced external service integration with proxy and mTLS support
+
+Added a new `external_services` section in the [Gateway configuration]({{< ref "configure/external-service" >}}) to provide centralized configuration for proxy settings and mTLS certificates when communicating with external services. This includes connections to persistent and temporal storage, OAuth 2.0 Authorization Servers, and webhook targets.
+
+Tyk Gateway can now apply proxy settings from standard environment variables (`HTTP_PROXY`, `HTTPS_PROXY`, `NO_PROXY`) or use the new granular configuration options. All existing configuration methods remain supported, including legacy options such as `jwt_ssl_insecure_skip_verify` and `http_proxy`.
+
+
+
+
+-
+
+Gateway Certificate Expiry Notification Events
+
+Introduced a proactive event system to warn administrators when mTLS certificates are approaching expiry. The Gateway now emits two new [API events]({{< ref "api-management/gateway-events#api-events" >}}) to provide visibility into certificate status:
+
+- `CertificateExpiringSoon` - Generated when a certificate is used in an API request (either client-to-Gateway or Gateway-to-upstream) within a configurable time period of its expiry date
+- `CertificateExpired` - Generated when an attempt is made to use an already expired certificate, in addition to the standard error response sent to the API client
+
+A cooldown mechanism prevents event flooding by throttling the generation of these notifications. The threshold for the `CertificateExpiringSoon` event and cooldown parameters are configured in the Gateway configuration:
+
+```
+"security": {
+ "certificate_expiry_monitor": {}
+}
+```
+
+The default threshold is 30 days before expiry.
+
+
+
+
+
+##### Changed
+
+
+-
+
+Go 1.24 Upgrade for Tyk Gateway
+
+The Tyk Gateway has been updated to [Golang 1.24](https://tip.golang.org/doc/go1.24), improving security by staying up-to-date with Go versions.
+
+
+
+-
+
+Support for pre-configurable versioning setup for Tyk OAS APIs
+
+Implemented changes to the validation of Tyk OAS API definitions to support the enhanced versioning workflow implemented in Tyk Dashboard v5.10.0. This allows the pre-configuration of versioning settings before creating any child versions. You can now define the version identifier location (header, URL path, or query parameter) and key/name/pattern, and the request proxying behavior on a non-versioned API, preparing it to become a base API.
+
+
+
+
+##### Fixed
+
+
+-
+
+Fixed panic when an unexpected query parameter is provided to the Gateway API
+
+Fixed an issue where sending certain unexpected query parameters to the `GET /tyk/apis/oas/{id}` endpoint could cause a panic.
+
+
+
+-
+
+Fixed duplication of version identifier configuration when importing OpenAPI description
+
+Fixed an issue where importing an OpenAPI description with an `apiKey` security scheme, while using the `authentication` query parameter, resulted in the unnecessary generation of a `header` object within the Tyk Vendor Extension (`x-tyk-api-gateway`), duplicating information already present in the declared OpenAPI security scheme.
+
+
+
+-
+
+Fixed mock responses not working with internal API proxying
+
+Fixed an issue where Tyk OAS mock response middleware failed to execute when internal API proxying was enabled. Mock responses configured in the target API are now correctly returned when a request is redirected to another API on the same Tyk Gateway instance via [internal looping]({{< ref "advanced-configuration/transform-traffic/looping" >}}).
+
+
+
+-
+
+Base API CORS settings incorrectly applied to child API versions
+
+Fixed an issue where CORS settings from the base API were incorrectly applied to all versions of a Tyk OAS API, preventing child API versions from using their own CORS configuration. This occurred because the CORS check was performed before the request was routed to the correct API version.
+
+The processing order has been corrected so that requests are first routed to the appropriate version (base or child), then the correct CORS settings are applied, allowing each API version to have its own CORS configuration.
+
+
+
+-
+
+Fixed Request Body Transform middleware not being applied with regex in URL rewrite
+
+Fixed an issue where Response Body Transformation middleware failed to apply to endpoints that used URL rewrite with regex patterns. When the endpoint path contained regex metacharacters (e.g., $, ^, (), []), these characters interfered with the body transformation's internal pattern-matching process, preventing the middleware from executing.
+
+
+
+-
+
+Fixed duration format validation errors in Tyk OAS API definitions
+
+Resolved an issue where the Gateway automatically converted Readable Duration values (such as uptime test timeouts) in Tyk OAS API definitions from integer-based formats to decimal formats, which triggered schema validation warnings. The effect of this was seen in the Tyk OAS API editor in the Dashboard UI where, for example, a duration of '4s500ms' would be converted to '4.5s' when reopening an API definition.
+
+Duration values are now consistently serialized and maintained in their original, integer-based format, preventing these validation errors.
+
+
+
+-
+
+Fixed TLS configuration not being applied for Redis rate limiting
+
+Fixed an issue where Tyk Gateway did not properly apply the configured TLS settings when connecting to Redis for rate limiting operations. This could result in connection failures and incorrect `HTTP 429 Too Many Requests` responses being returned to clients. The rate limiter now correctly establishes TLS connections to Redis.
+
+
+
+-
+
+Fixed Gateway crash when deleting APIs with Uptime Test enabled
+
+Fixed a bug where deleting an API with the Uptime Test feature enabled could cause the Gateway to crash due to a nil pointer dereference during cleanup operations. The Gateway now properly handles memory cleanup when removing APIs with active uptime tests, preventing crashes and ensuring stable API lifecycle management.
+
+
+
+-
+
+Fixed Gateway re-registration failures after restart
+
+Fixed an issue where Gateways could fail to re-register with the Dashboard after a restart, particularly during upgrades or in large-scale deployments. This resulted in `Authorization failed (Nonce empty)` errors and Gateway crash loops that prevented successful registration.
+
+The fix includes an updated license handler with hardened registration logic, enhanced Dashboard authentication retry mechanisms, and support for new "Unlimited Gateway" licenses, ensuring Gateways register reliably without entering failure loops even during heavy churn or rolling upgrades.
+
+
+
+-
+
+Fixed body decompression errors with GraphQL APIs when analytics is enabled
+
+Fixed an issue that caused repeated `Body decompression error: EOF` log messages when analytics were enabled for GraphQL APIs. The problem occurred because the Gateway attempted to decompress the response body after it had already been consumed for analytics processing, resulting in End of File (EOF) errors.
+
+The Gateway now properly handles response body consumption for GraphQL APIs with analytics, eliminating the spurious error logs.
+
+
+
+-
+
+Stricter validation for version name parameter when creating a new child API version
+
+Fixed an issue where users could create child Tyk OAS API versions using the `/tyk/apis/oas` endpoint without specifying a valid version name (`new_version_name`). The Gateway API now rejects such requests with an `HTTP 422 Unprocessable Entity` error, ensuring all versions have meaningful identifiers and preventing the creation of unusable or empty version entries.
+
+
+
+-
+
+Fixed inconsistent middleware updates for Tyk OAS API `PATCH` requests
+
+Fixed an issue where updating a Tyk OAS API via `PATCH /tyk/apis/oas/{apiId}` did not properly update the Tyk Vendor Extension (`x-tyk-api-gateway`). When endpoints were removed or modified in the OpenAPI description, their corresponding middleware definitions could persist incorrectly in the vendor extension, leaving the API definition in an inconsistent state.
+
+The vendor extension is now correctly rebuilt to reflect all changes made to the OpenAPI description.
+
+
+
+
## 5.9 Release Notes
diff --git a/tyk-docs/data/releases/dashboard.json b/tyk-docs/data/releases/dashboard.json
index 9c480d197b..938cebc6d3 100644
--- a/tyk-docs/data/releases/dashboard.json
+++ b/tyk-docs/data/releases/dashboard.json
@@ -1,9 +1,13 @@
{
"home": "tyk-dashboard",
"licensed": true,
- "latest": "5.9.2",
+ "latest": "5.10.0",
"lts": "5.8.6",
"releaseNotesPath": "developer-support/release-notes/dashboard",
+ "5.10.0": {
+ "date": "04/09/2025",
+ "docker": "https://hub.docker.com/r/tykio/tyk-dashboard/tags?page=1&name=v5.10.0"
+ },
"5.9.2": {
"date": "04/09/2025",
"docker": "https://hub.docker.com/r/tykio/tyk-dashboard/tags?page=1&name=v5.9.2"
diff --git a/tyk-docs/data/releases/gateway.json b/tyk-docs/data/releases/gateway.json
index 25db9c0abb..228318e632 100644
--- a/tyk-docs/data/releases/gateway.json
+++ b/tyk-docs/data/releases/gateway.json
@@ -1,9 +1,14 @@
{
"home": "tyk-oss-gateway",
"licensed": false,
- "latest": "5.9.2",
+ "latest": "5.10.0",
"lts": "5.8.6",
"releaseNotesPath": "developer-support/release-notes/gateway",
+ "5.10.0": {
+ "date": "04/09/2025",
+ "tag": "https://github.com/TykTechnologies/tyk/releases/tag/v5.10.0",
+ "docker": "https://hub.docker.com/r/tykio/tyk-gateway/tags?page=1&name=v5.10.0"
+ },
"5.9.2": {
"date": "04/09/2025",
"tag": "https://github.com/TykTechnologies/tyk/releases/tag/v5.9.2",