Type of Custom Authorizers Supported by API Gateway

    Amazon API Gateway supports two types of custom authorizers: Lambda authorizers and HTTP authorizers. Both of these types enable developers to control access to their APIs by using custom logic to authenticate and authorize requests.

    1. Lambda Authorizers

    Lambda authorizers (previously known as “custom authorizers”) are AWS Lambda functions that provide a flexible way to manage access to your APIs. They allow you to use custom logic to authenticate and authorize API requests. You can use Lambda authorizers with both REST and WebSocket APIs.

    How Lambda authorizers work

    When a request is made to your API, the Lambda authorizer function is invoked. This function processes the request’s authorization token (usually an OAuth or JWT token) and returns an IAM policy that either allows or denies access to the API. The IAM policy is then used by API Gateway to authorize the request.


    Suppose you have an API that requires users to be authenticated using JWT tokens. You can create a Lambda authorizer that validates the JWT token and checks if the user has the necessary permissions to access the API.

    def lambda_handler(event, context):
        # validate_jwt, has_permission and generate_policy are helpers you supply
        token = event['authorizationToken']
        # Validate the JWT token and extract claims
        claims = validate_jwt(token)
        # Check if the user has necessary permissions
        if has_permission(claims):
            return generate_policy(claims['sub'], 'Allow', event['methodArn'])
        # Valid token but insufficient permissions: deny explicitly
        return generate_policy(claims['sub'], 'Deny', event['methodArn'])
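
    The handler above leaves validate_jwt, has_permission and generate_policy undefined. The following is an added example, not code from the original article, that fills them in and fails closed on a bad token. It assumes HS256 tokens signed with a shared secret, a space-separated scope claim, and a hypothetical permission name api:read; make_token only builds constructed sample tokens.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-secret"  # assumption: HS256 shared secret (sample value)
REQUIRED_SCOPE = "api:read"          # assumption: hypothetical permission name

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_token(claims, alg="HS256", secret=SECRET):
    """Build a constructed sample token for exercising the handler."""
    head = _b64url(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(sig)}"

def validate_jwt(token, now=None):
    """Return the claims of a valid, unexpired HS256 token, else None."""
    try:
        head, body, sig = token.rpartition(" ")[2].split(".")  # tolerate "Bearer "
        if json.loads(_unb64url(head)).get("alg") != "HS256":  # rejects alg "none"
            return None
        expected = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64url(sig)):  # constant-time compare
            return None
        claims = json.loads(_unb64url(body))
        if claims["exp"] <= (time.time() if now is None else now):
            return None
        return claims if claims.get("sub") else None
    except (ValueError, KeyError, TypeError, AttributeError):
        return None  # malformed input is treated like a bad signature

def has_permission(claims):
    return REQUIRED_SCOPE in str(claims.get("scope", "")).split()

def generate_policy(principal_id, effect, resource):
    statement = {"Action": "execute-api:Invoke", "Effect": effect, "Resource": resource}
    return {"principalId": principal_id,
            "policyDocument": {"Version": "2012-10-17", "Statement": [statement]}}

def lambda_handler(event, context):
    claims = validate_jwt(event.get("authorizationToken", ""))
    if claims is None:
        raise Exception("Unauthorized")  # API Gateway returns 401 for this message
    effect = "Allow" if has_permission(claims) else "Deny"
    return generate_policy(claims["sub"], effect, event["methodArn"])
```

    An unauthenticated caller gets a 401 through the raised exception, while an authenticated caller without the scope gets an explicit Deny policy.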

    2. HTTP Authorizers

    HTTP authorizers are a newer addition to API Gateway and offer a way to authorize requests by making an HTTP call to an external service. They work with REST and HTTP APIs, but not with WebSocket APIs.

    How HTTP authorizers work

    When a request is made to your API, API Gateway sends an authorization request to the specified HTTP endpoint. The external service processes the request and returns a JSON object that contains an IAM policy and additional context information. API Gateway uses the IAM policy to authorize the request.


    Suppose you have an API that requires users to be authenticated using an external OAuth 2.0 provider. You can create an HTTP authorizer that sends an HTTP request to your OAuth 2.0 provider to validate the access token and check the user’s permissions.

    {
      "version": "2.0",
      "type": "HTTP",
      "authorizerUri": "",
      "identitySource": ["$request.header.Authorization"]
    }

    Important Details

    • Lambda authorizers offer more flexibility and can be used with REST, HTTP, and WebSocket APIs. HTTP authorizers, on the other hand, only work with REST and HTTP APIs.
    • Both Lambda and HTTP authorizers enable you to use custom logic to authorize requests, but Lambda authorizers use an AWS Lambda function, whereas HTTP authorizers rely on an external HTTP service.
    • Lambda authorizers may introduce higher latency, as the Lambda function needs to be invoked on each request. HTTP authorizers have the advantage of being able to cache the IAM policies, reducing the number of calls to the external service.
    • When using Lambda authorizers, you should be aware of the AWS Lambda service limits, such as concurrent executions and function duration. These limits may impact the performance and availability of your authorizer.