This chapter covers API Gateway Lambda Authorizers and JWT Authorizers, two mechanisms for controlling access to your REST or HTTP APIs in AWS. For the SAA-C03 exam, this topic appears in roughly 5-8% of questions, typically as part of a larger scenario involving serverless architectures or API security. You will need to understand the differences, use cases, configuration details, and how they integrate with other services like Cognito, IAM, and Lambda. We will dive deep into the internals, default values, and common exam traps.
Jump to a section
Imagine a nightclub (your API) with two types of entry control: a generic bouncer who checks IDs against a printed VIP list (JWT Authorizer) and a custom bouncer who calls a separate verification service to run background checks (Lambda Authorizer). The generic bouncer (JWT Authorizer) has a simple job: he receives an ID card (JWT token) from a guest, checks the name on the card against a pre-printed list of VIPs (the issuer and audience validation), and if the name is on the list, he lets the guest in. He doesn't need to call anyone; he just looks at the list and the card's expiration date. The custom bouncer (Lambda Authorizer) works differently: he takes the ID card, scans it into a tablet that runs a custom app (your Lambda function). That app can check the guest's name against multiple databases (identity sources), verify their criminal record (OAuth scopes), and even look up their drink preferences (custom context). The app returns a decision (Allow/Deny) plus a special wristband (IAM policy) dictating which areas of the club the guest can access. The custom bouncer is slower but far more flexible. Inside the club, the guest's wristband is checked at each door (resource-level authorization). If the guest tries to enter the VIP lounge but their wristband says 'General Admission Only', they are denied. This is exactly how API Gateway authorizers work: JWT Authorizers are fast and simple for standard OIDC/OAuth flows, while Lambda Authorizers allow custom logic and fine-grained access control based on any criteria you can code.
What Are API Gateway Authorizers and Why Do They Exist?
API Gateway is a fully managed service that makes it easy for developers to create, publish, maintain, monitor, and secure APIs at scale. When you expose an API, you need to control who can invoke your endpoints. API Gateway offers several mechanisms for authentication and authorization: IAM roles and policies, Cognito User Pools, Lambda Authorizers (formerly known as Custom Authorizers), and JWT Authorizers. The SAA-C03 exam focuses on the latter two: Lambda Authorizers and JWT Authorizers, especially in the context of HTTP APIs (which are newer and simpler than REST APIs).
JWT Authorizers are a lightweight, low-latency option for APIs that use JSON Web Tokens (JWTs) issued by a trusted identity provider (IdP) such as Auth0, Okta, or Amazon Cognito. The authorizer simply validates the JWT signature, expiry, issuer, and audience. It does not execute any custom code. It is ideal for scenarios where you need simple token-based authentication and your authorization logic is limited to claims within the token.
Lambda Authorizers are more flexible. You write a Lambda function that receives the token or request context and returns an IAM policy that determines whether the request is allowed or denied, and optionally what resources are accessible. This allows you to implement custom logic, such as checking against a database, calling external services, or using complex rules. Lambda Authorizers can be used with both REST APIs and HTTP APIs.
How They Work Internally
#### JWT Authorizer Mechanism
When a client sends a request to an API Gateway endpoint protected by a JWT Authorizer, the following steps occur:
The client includes a JWT in the Authorization header (or another specified header) as a Bearer token.
API Gateway intercepts the request before it reaches the backend integration (e.g., Lambda, HTTP, or AWS service).
The JWT Authorizer validates the token by:
- Verifying the token signature using the public key from the issuer's JWKS (JSON Web Key Set) endpoint. The issuer is specified in the authorizer configuration (e.g., https://cognito-idp.us-east-1.amazonaws.com/us-east-1_xxxxxxxxx).
- Checking the exp (expiration) claim to ensure the token has not expired.
- Validating the iss (issuer) claim matches the configured issuer.
- Validating the aud (audience) claim matches the configured audience (for REST APIs, this is optional; for HTTP APIs, it is required).
4. If validation succeeds, the request is forwarded to the backend integration, and the claims from the JWT are available to the backend in the $context.authorizer.claims variable.
5. If validation fails, API Gateway returns a 401 Unauthorized response immediately, without invoking the backend.
Important defaults and limits: - The JWT Authorizer caches the JWKS keys for up to 300 seconds (5 minutes) by default. You cannot change this cache TTL. - The maximum JWT size is 10 KB. - The issuer URL must be HTTPS. - For HTTP APIs, the JWT Authorizer supports only the RS256, RS384, RS512, ES256, ES384, ES512 signature algorithms (asymmetric). It does not support HS256 (symmetric) because that would require API Gateway to know the client secret, which is not secure.
#### Lambda Authorizer Mechanism
A Lambda Authorizer works differently:
The client sends a request with a token (e.g., Bearer token) or request parameters (headers, query strings, etc.).
API Gateway invokes the Lambda authorizer function synchronously before the backend integration.
The Lambda function receives an event with the token or request context. It then executes custom logic to validate the token. This could involve:
- Calling an external OAuth server to introspect the token.
- Querying a DynamoDB table to check user permissions.
- Decoding a JWT and verifying claims manually.
4. The Lambda function returns a response that includes:
- Principal Identifier: A string that identifies the user (optional but recommended).
- Policy Document: An IAM policy (similar to an IAM role policy) that specifies Effect (Allow/Deny) and Resource (ARNs of API Gateway methods or stages). The policy can be scoped to specific HTTP methods and paths using the arn:aws:execute-api:{region}:{account-id}:{api-id}/{stage}/{method}/{path} format.
- Context: A map of key-value pairs that are passed to the backend integration via $context.authorizer.{key}. This is useful for passing user attributes, roles, or other data.
- Usage Identifier Key (for REST APIs only): Used for API keys and usage plans.
5. API Gateway caches the returned policy for a configurable TTL (default 300 seconds, min 0, max 3600). If caching is enabled, subsequent requests with the same token will use the cached policy instead of invoking the Lambda again.
6. If the Lambda function returns an error or times out (default timeout is 30 seconds, but the maximum is 30 seconds for REST APIs and 29 seconds for HTTP APIs), API Gateway returns a 500 Internal Server Error.
Key differences from JWT Authorizers: - Lambda Authorizers can be used with both REST APIs and HTTP APIs, but the event format differs slightly. - Lambda Authorizers allow you to return a policy that grants access to specific resources (e.g., only GET /users, not POST /users). JWT Authorizers only validate the token; the backend must enforce fine-grained authorization. - Lambda Authorizers incur additional cost and latency due to the Lambda invocation.
Configuration and Verification
#### Configuring a JWT Authorizer (HTTP API)
Using the AWS CLI, you can create an HTTP API and attach a JWT Authorizer:
# Create HTTP API
aws apigatewayv2 create-api --name MyHttpApi --protocol-type HTTP
# Create a JWT Authorizer
aws apigatewayv2 create-authorizer \
--api-id <api-id> \
--authorizer-type JWT \
--identity-source '$request.header.Authorization' \
--name MyJwtAuthorizer \
--jwt-configuration 'Issuer=https://cognito-idp.us-east-1.amazonaws.com/us-east-1_xxxxx,Audience=["myapp"]'Note: The identity-source specifies where the token is found. The default is $request.header.Authorization. You can also use $request.queryStringParameter.token, etc.
#### Configuring a Lambda Authorizer (REST API)
For REST API:
# Create REST API
aws apigateway create-rest-api --name MyRestApi
# Create Lambda Authorizer
aws apigateway create-authorizer \
--rest-api-id <api-id> \
--name MyLambdaAuthorizer \
--type TOKEN \
--auth-type CUSTOM \
--authorizer-uri arn:aws:apigateway:us-east-1:lambda:path/2015-03-31/functions/arn:aws:lambda:us-east-1:123456789012:function:MyAuthFunction/invocations \
--identity-source 'method.request.header.Authorization' \
--authorizer-result-ttl-in-seconds 300For HTTP API, the command uses apigatewayv2 and the authorizer type is REQUEST (not TOKEN), and the identity source is specified differently.
Interaction with Related Technologies
Cognito User Pools: Often used as the JWT issuer for JWT Authorizers. Cognito issues JWTs that can be validated by API Gateway. You can also use a Lambda Authorizer to integrate with Cognito for more complex scenarios like custom claims or group-based authorization.
IAM: API Gateway also supports IAM authorization (AWS_IAM), which uses SigV4 signing. This is separate from authorizers but can be used together. For example, you might have a Lambda Authorizer for user authentication and IAM for service-to-service calls.
AWS WAF: You can associate a Web ACL with your API Gateway to provide additional protection against common web exploits. Authorizers handle authentication/authorization, while WAF handles threat detection.
CloudFront: If you use CloudFront in front of API Gateway, you can use CloudFront's Lambda@Edge for authorization, but the SAA-C03 exam focuses on API Gateway authorizers.
Client Sends Request with Token
The client application includes a JWT in the Authorization header as a Bearer token (e.g., `Authorization: Bearer <token>`). Alternatively, for Lambda Authorizers using REQUEST type, the token can be in a query string parameter or custom header. The API Gateway endpoint must be configured to accept the request. The request is sent to the API Gateway's public endpoint URL. At this stage, no backend integration has been invoked yet.
API Gateway Intercepts and Identifies Authorizer
API Gateway receives the request and checks the route configuration. It determines which authorizer (if any) is attached to the route or method. If no authorizer is configured, the request proceeds directly to the backend. If an authorizer is configured, API Gateway extracts the token from the specified identity source (e.g., header). For JWT Authorizers, it then validates the token's signature and claims. For Lambda Authorizers, it prepares an event payload to send to the Lambda function.
Validation or Lambda Invocation
For JWT Authorizers: API Gateway fetches the JWKS from the issuer's endpoint (if not cached), verifies the signature using the public key, checks the `exp`, `iss`, and `aud` claims. If any check fails, a 401 response is returned. For Lambda Authorizers: API Gateway invokes the Lambda function synchronously with an event containing the token or request context. The Lambda function executes custom logic and returns a policy document. If the Lambda returns an error or times out, a 500 response is returned.
Policy Evaluation and Caching
For Lambda Authorizers: API Gateway evaluates the returned IAM policy. If the policy contains a Deny statement that matches the request's resource, the request is rejected with a 403 Forbidden. If an Allow statement matches, the request is forwarded to the backend. API Gateway caches the policy for the configured TTL (default 300 seconds). For JWT Authorizers: there is no policy; the token is simply validated. The backend receives the claims and must enforce fine-grained authorization itself.
Backend Integration Execution
Once authorization is successful, API Gateway forwards the request to the configured backend integration (e.g., Lambda function, HTTP endpoint, or AWS service). The backend can access the authorizer context via `$context.authorizer.claims` (for JWT) or `$context.authorizer.{key}` (for Lambda). The backend processes the request and returns a response, which API Gateway then sends back to the client.
Enterprise Scenario 1: Mobile App Authentication with Cognito and JWT Authorizer
A company builds a mobile app that uses Amazon Cognito User Pools for user registration and login. The app calls an HTTP API backed by AWS Lambda. They configure a JWT Authorizer on the API Gateway, pointing to the Cognito User Pool as the issuer. The JWT Authorizer validates the access token (or ID token) on every request. This setup is simple, low-latency, and requires no custom code for token validation. In production, they serve millions of requests per day. The main performance consideration is the JWKS cache: API Gateway caches the public keys for 5 minutes, so even if the Cognito User Pool rotates keys, there is a small window where old keys are used. This is acceptable for most use cases. Misconfiguration often occurs when the audience claim is not set correctly: if the app sends an ID token (which has aud set to the app client ID) but the authorizer expects an access token (which has aud set to the resource server), validation fails. The team must ensure they configure the correct token type and audience.
Enterprise Scenario 2: Multi-Tenant SaaS API with Lambda Authorizer
A SaaS provider offers a multi-tenant API where each tenant has custom permissions. They use a Lambda Authorizer to look up the tenant's subscription plan in a DynamoDB table. The authorizer receives the JWT, decodes it to extract the tenant ID, queries DynamoDB, and returns a policy that allows access only to the tenant's specific resources (e.g., /tenant/{tenantId}/*). They set the cache TTL to 60 seconds to quickly reflect changes in subscription status. A common issue is that the Lambda authorizer timeout is too short (default 30 seconds) for complex lookups; they increased it to 29 seconds (max for HTTP API). Another issue is that the policy document size limit is 8 KB; they must keep policies compact. They also use the authorizer context to pass tenant-specific data to the backend Lambda, avoiding extra database calls.
Scenario 3: Internal Microservices with Fine-Grained Access
A financial institution uses a REST API with a Lambda Authorizer that integrates with an internal OAuth 2.0 server. The authorizer introspects the token by calling the OAuth server's introspection endpoint. It then returns a policy that restricts access based on the token's scopes. For example, a token with scope read:accounts can only call GET /accounts, while write:accounts allows POST /accounts. The authorizer caches policies for 300 seconds, but for sensitive operations, they set TTL to 0 to force re-evaluation on every request. They also use the authorizer to log all access attempts for auditing. The main challenge is ensuring the Lambda authorizer is highly available and has enough concurrency to handle peak load; they set reserved concurrency on the Lambda function.
What SAA-C03 Tests
The exam tests your ability to choose between JWT Authorizers and Lambda Authorizers based on requirements. Key objective codes: Domain 3 (High Performance), Objective 3.7: 'Choose the appropriate authorization mechanism for an API.' You must understand:
When to use JWT Authorizer (simple token validation with a trusted IdP, no custom logic)
When to use Lambda Authorizer (custom logic, need for fine-grained resource-level policies, integration with legacy systems)
The differences between REST API and HTTP API authorizer configurations
The caching behavior and TTL values
Common Wrong Answers and Why Candidates Choose Them
'Use a Lambda Authorizer for all cases because it is more flexible.' This is wrong because JWT Authorizers are simpler, faster, and cheaper. The exam wants you to choose the simplest solution that meets requirements. If the requirement is just token validation, JWT Authorizer is correct.
'Lambda Authorizers can only validate tokens from Cognito.' False. Lambda Authorizers can validate any token using custom code. JWT Authorizers are limited to issuers that support JWKS.
'JWT Authorizers support both symmetric and asymmetric keys.' Wrong. API Gateway JWT Authorizers only support asymmetric algorithms (RS256, ES256, etc.) because symmetric keys would require API Gateway to store a secret, which is a security risk.
'You can use a Lambda Authorizer with HTTP APIs only.' False. Lambda Authorizers work with both REST and HTTP APIs, but the configuration differs (TOKEN vs REQUEST type).
Specific Numbers and Terms
Default cache TTL: 300 seconds (5 minutes). Can be set between 0 and 3600 seconds.
Lambda authorizer timeout: 30 seconds for REST API, 29 seconds for HTTP API.
Maximum policy document size: 8 KB.
JWT Authorizer identity source default: $request.header.Authorization.
JWKS cache time: 300 seconds (not configurable).
JWT maximum size: 10 KB.
Signature algorithms supported: RS256, RS384, RS512, ES256, ES384, ES512.
Edge Cases and Exceptions
If the JWT authorizer's issuer URL is unreachable (e.g., network issue), API Gateway will fail to validate and return 500. This is a potential single point of failure.
Lambda Authorizer caching: If you set TTL to 0, every request invokes the Lambda, increasing cost and latency. However, this ensures real-time policy changes.
For REST APIs, you can use TOKEN or REQUEST type Lambda Authorizers. TOKEN type only passes the token; REQUEST type passes the entire request context (headers, query params, etc.). The exam may ask which to use when you need to evaluate multiple headers.
If the Lambda authorizer returns a policy with an empty Resource array (or missing), API Gateway denies all requests.
How to Eliminate Wrong Answers
If the scenario mentions 'custom logic', 'database lookup', or 'fine-grained resource permissions', eliminate JWT Authorizer.
If the scenario mentions 'simple token validation', 'OIDC-compliant IdP', or 'low latency', eliminate Lambda Authorizer.
If the scenario mentions 'Cognito User Pool', both could work, but JWT Authorizer is simpler unless custom claims processing is needed.
Watch for trick answers that say 'IAM authorization' when the question asks about token-based auth.
JWT Authorizers are for simple token validation with a trusted OIDC issuer; Lambda Authorizers are for custom authorization logic.
Default cache TTL for Lambda Authorizer policies is 300 seconds; range 0-3600 seconds.
JWKS keys are cached for 300 seconds (not configurable) for JWT Authorizers.
Lambda Authorizer timeout: 30s (REST API) or 29s (HTTP API).
JWT Authorizers only support asymmetric algorithms (RS256, RS384, RS512, ES256, ES384, ES512).
Lambda Authorizer policy maximum size is 8 KB; must use execute-api ARN format.
For HTTP APIs, Lambda Authorizer type is REQUEST; for REST APIs, type can be TOKEN or REQUEST.
JWT Authorizer identity source default is $request.header.Authorization; can be changed to query string or other headers.
Cognito User Pools are a common JWT issuer for JWT Authorizers.
Lambda Authorizer can pass context to backend via $context.authorizer.{key}.
If Lambda Authorizer returns an error or invalid policy, API Gateway returns 500 Internal Server Error.
JWT maximum size is 10 KB; larger tokens will be rejected.
These come up on the exam all the time. Here's how to tell them apart.
JWT Authorizer
Validates JWT tokens using issuer's JWKS endpoint; no custom code.
Lower latency (no Lambda invocation overhead); typically < 10ms.
Limited to token validation; no fine-grained resource policies.
Only works with OIDC-compliant issuers (e.g., Cognito, Auth0, Okta).
Supports only asymmetric signing algorithms (RS256, ES256, etc.).
Lambda Authorizer
Executes a custom Lambda function for any authorization logic.
Higher latency due to Lambda cold starts and execution time.
Can return IAM policies for fine-grained access control (method/path level).
Works with any identity provider or custom token format (e.g., SAML, custom JWT).
Supports any logic; can call external APIs, databases, etc.
Mistake
JWT Authorizers can validate any JWT token regardless of issuer.
Correct
JWT Authorizers require the issuer to be specified and the JWKS endpoint to be accessible. They only support issuers that publish a JWKS URI in their OpenID Connect configuration. Custom or self-signed JWTs without a public JWKS endpoint cannot be validated.
Mistake
Lambda Authorizers can only be used with REST APIs, not HTTP APIs.
Correct
Lambda Authorizers work with both REST APIs and HTTP APIs. For HTTP APIs, the authorizer type is REQUEST and the event format is different, but the functionality is similar.
Mistake
The policy returned by a Lambda Authorizer can grant access to any AWS resource.
Correct
The policy is scoped to API Gateway resources only. It uses the `execute-api` service ARN format. You cannot grant access to S3 buckets or DynamoDB tables via this policy; those are handled separately via IAM roles for the backend.
Mistake
JWT Authorizers support both symmetric and asymmetric signing algorithms.
Correct
API Gateway JWT Authorizers only support asymmetric algorithms (RS256, RS384, RS512, ES256, ES384, ES512). Symmetric algorithms like HS256 are not supported because they require a shared secret that API Gateway would need to store securely.
Mistake
You can disable caching for JWT Authorizers to force re-validation on every request.
Correct
JWT Authorizers do not have a configurable cache. The JWKS keys are cached internally for 300 seconds, and you cannot change this. However, the token validation itself is always performed on every request (the signature and claims are checked each time). The caching only applies to the public keys.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
A JWT Authorizer validates a JSON Web Token (JWT) using the issuer's public keys (JWKS) without invoking any custom code. It is fast and simple but only validates the token's signature, expiry, issuer, and audience. A Lambda Authorizer invokes a Lambda function that you write, which can execute any custom logic, such as looking up user permissions in a database, calling external services, or validating non-JWT tokens. The Lambda function returns an IAM policy that grants or denies access to specific API resources. Use JWT Authorizer when you have a trusted OIDC provider and simple token validation is sufficient. Use Lambda Authorizer when you need custom authorization logic or fine-grained resource-level access control.
Yes. Lambda Authorizers are supported for both REST APIs and HTTP APIs. For HTTP APIs, the authorizer type must be REQUEST (not TOKEN). The event format passed to the Lambda function differs slightly: for HTTP APIs, it includes the entire request context (headers, query strings, etc.) in a structured format. The Lambda function still returns an IAM policy. You configure the authorizer using the AWS Management Console, CLI, or SDK with the `apigatewayv2` commands.
API Gateway evaluates the returned IAM policy against the incoming request. If the policy contains a Deny statement that matches the request's resource (method and path), API Gateway returns a 403 Forbidden response to the client. The backend integration is not invoked. If the policy contains both Allow and Deny statements that match, Deny takes precedence (as in standard IAM policy evaluation). If no Allow statement matches, the request is also denied by default (implicit deny).
When a Lambda Authorizer returns a policy, API Gateway caches that policy for a configurable TTL (time-to-live) in seconds. The default is 300 seconds (5 minutes), and you can set it between 0 and 3600 seconds. The cache key is the token itself (for TOKEN type) or a combination of identity sources (for REQUEST type). If the same token is used again within the TTL, API Gateway uses the cached policy without invoking the Lambda function again. Setting TTL to 0 disables caching, forcing a Lambda invocation on every request.
The JWT Authorizer supports only asymmetric (public-key) algorithms: RS256, RS384, RS512, ES256, ES384, and ES512. It does not support symmetric algorithms like HS256 because that would require API Gateway to know the client secret, which is a security risk. The issuer must expose a JWKS endpoint containing the public keys used to verify the token's signature. The token must be signed with one of these algorithms to be validated.
No. A JWT Authorizer specifically expects a JSON Web Token (JWT) that conforms to the JWT standard (RFC 7519). It validates the JWT structure, signature, and claims. If you have a custom token format (e.g., a simple opaque token or a SAML assertion), you must use a Lambda Authorizer to implement custom validation logic.
The maximum JWT size is 10 KB. If the token exceeds this size, API Gateway will reject the request with a 400 Bad Request error. This limit applies to both JWT Authorizers and Lambda Authorizers when the token is passed as a header or query parameter.
You've just covered API Gateway Lambda Authorizers and JWT Authorizers — now see how well it sticks with free SAA-C03 practice questions. Full explanations included, no account needed.
Done with this chapter?