A public API for a B2B file exchange site is deployed on API Gateway. Clients must authenticate with standards-based tokens issued by an external OpenID Connect provider. Which authorization mechanism should be used?
A JWT authorizer validates tokens from a trusted OIDC issuer with low operational overhead.
Why this answer
Option C is correct because API Gateway's JWT authorizer natively validates JSON Web Tokens issued by an external OpenID Connect (OIDC) provider. It verifies the token's signature using the keys published at the OIDC provider's JWKS endpoint and checks the token's expiry and issuer, all without requiring custom Lambda code. That makes it the simplest and most secure choice for standards-based token authentication.
Exam trap
The trap here is twofold: candidates often confuse API keys (which are for rate limiting and client identification) with authentication, or they assume IAM authorization can be used for external users. IAM authorization requires AWS credentials and is not designed for third-party OIDC tokens.
How to eliminate wrong answers
Option A is wrong because API keys only provide client identification, not authentication; they do not validate the identity of the caller or support OIDC tokens. Option B is wrong because IAM authorization is designed for AWS principals (e.g., IAM users/roles) and requires AWS Signature V4 signing, which is not suitable for internet clients using external OIDC tokens. Option D is wrong because a VPC endpoint policy controls access to API Gateway via VPC endpoints, not authentication or token validation for public internet clients.