AWS API Gateway Tutorial, Part 4: Secure the API Using Custom Authorizers


In part 1, you configured Auth0 for use with API Gateway; in part 2, you configured an API using API Gateway; and in part 3, you created the custom authorizer that retrieves the appropriate policies when your API receives an access request. In this part of the tutorial, we will show you how to use the custom authorizer to secure your API's endpoints.

Configure API Gateway Resources to use the Custom Authorizer

Log in to AWS and navigate to the API Gateway Console.

For details, see the Amazon API Gateway developer guide: Use API Gateway Lambda Authorizers.

Custom authorizers are set on a method by method basis; if you want to secure multiple methods using a single authorizer, you'll need to repeat the following instructions for each method.

Open the PetStore API we created in part 2 of this tutorial. Under the Resource tree in the center pane, select the GET method under the /pets resource.

Select Method Request.

Under Settings, click the pencil icon to the right of Authorization and choose the jwt-rsa-custom-authorizer custom authorizer you created in part 3.

Click the check mark icon to save your choice of custom authorizer. Make sure the API Key Required field is set to false.

Deploy the API

To make your changes public, you'll need to deploy your API.

Once the deployment succeeds, you'll be redirected to the Test Stage Editor. Copy down the Invoke URL shown in the blue ribbon at the top, since you'll need it to test your deployment.

Test Your Deployment

You can test your deployment by making a GET call to the Invoke URL you copied in the previous step.

cURL

curl --request GET \
  --url https://your_invoke_url/pets

C# (RestSharp)

var client = new RestClient("https://your_invoke_url/pets");
var request = new RestRequest(Method.GET);
IRestResponse response = client.Execute(request);
Console.WriteLine(response.Content);

Go

package main

import (
	"fmt"
	"io/ioutil"
	"net/http"
)

func main() {
	url := "https://your_invoke_url/pets"

	req, _ := http.NewRequest("GET", url, nil)

	res, err := http.DefaultClient.Do(req)
	if err != nil {
		panic(err)
	}
	defer res.Body.Close()
	body, _ := ioutil.ReadAll(res.Body)

	fmt.Println(res.Status)
	fmt.Println(string(body))
}

Java (Unirest)

HttpResponse<String> response = Unirest.get("https://your_invoke_url/pets")
  .asString();

Node.js

var request = require("request");

var options = {method: 'GET', url: 'https://your_invoke_url/pets'};

request(options, function (error, response, body) {
  if (error) throw new Error(error);

  console.log(body);
});

Objective-C

#import <Foundation/Foundation.h>

NSMutableURLRequest *request = [NSMutableURLRequest requestWithURL:[NSURL URLWithString:@"https://your_invoke_url/pets"]];
[request setHTTPMethod:@"GET"];

NSURLSession *session = [NSURLSession sharedSession];
NSURLSessionDataTask *dataTask = [session dataTaskWithRequest:request
                                            completionHandler:^(NSData *data, NSURLResponse *response, NSError *error) {
                                                if (error) {
                                                    NSLog(@"%@", error);
                                                } else {
                                                    NSHTTPURLResponse *httpResponse = (NSHTTPURLResponse *) response;
                                                    NSLog(@"%@", httpResponse);
                                                }
                                            }];
[dataTask resume];

PHP

$curl = curl_init();

curl_setopt_array($curl, array(
  CURLOPT_URL => "https://your_invoke_url/pets",
  CURLOPT_RETURNTRANSFER => true,
  CURLOPT_CUSTOMREQUEST => "GET",
));

$response = curl_exec($curl);
$err = curl_error($curl);

curl_close($curl);

if ($err) {
  echo "cURL Error #:" . $err;
} else {
  echo $response;
}

Python

import http.client

conn = http.client.HTTPSConnection("your_invoke_url")

conn.request("GET", "/pets")

res = conn.getresponse()
data = res.read()

print(data.decode("utf-8"))

Ruby

require 'uri'
require 'net/http'

url = URI("https://your_invoke_url/pets")

# Certificate verification is left at its default (enabled); do not set
# verify_mode to VERIFY_NONE when talking to a production endpoint.
http = Net::HTTP.new(url.host, url.port)
http.use_ssl = true

request = Net::HTTP::Get.new(url)

response = http.request(request)
puts response.read_body

Swift

import Foundation

let request = NSMutableURLRequest(url: NSURL(string: "https://your_invoke_url/pets")! as URL,
                                        cachePolicy: .useProtocolCachePolicy,
                                    timeoutInterval: 10.0)
request.httpMethod = "GET"

let session = URLSession.shared
let dataTask = session.dataTask(with: request as URLRequest, completionHandler: { (data, response, error) -> Void in
  if (error != nil) {
    print(error!)
  } else {
    let httpResponse = response as? HTTPURLResponse
    print(httpResponse!)
  }
})

dataTask.resume()
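The check a practitioner wants after deploying is not just that the endpoint answers, but that the authorizer is actually enforced: an anonymous GET must be rejected and a call carrying a bearer token must succeed. The following script is an added example, not code from the original tutorial; the Invoke URL, the token, and the local stand-in server (which mimics API Gateway's 401 response for a missing token) are assumptions and constructed test fixtures, so point invoke_url at your real Invoke URL and pass a real Auth0 access token to test the live deployment.

```python
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Ignore proxy settings so the local stand-in server below is reached directly.
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))

def fetch_status(url, token=None):
    """GET url and return the HTTP status; 401/403 arrive as HTTPError."""
    req = urllib.request.Request(url, method="GET")
    if token:
        req.add_header("Authorization", "Bearer " + token)
    try:
        with OPENER.open(req, timeout=10) as res:
            return res.status
    except urllib.error.HTTPError as err:
        return err.code

def authorizer_enforced(invoke_url, token):
    """True only if an anonymous call is rejected and the token is accepted."""
    anonymous = fetch_status(invoke_url + "/pets")
    with_token = fetch_status(invoke_url + "/pets", token)
    return anonymous in (401, 403) and with_token == 200

class FakeGateway(BaseHTTPRequestHandler):
    """Constructed stand-in for the deployed stage so the check runs offline.
    Like a TOKEN authorizer, a missing Authorization header yields API Gateway's
    401 {"message":"Unauthorized"}; any bearer token is accepted by this fake."""
    def do_GET(self):
        if self.headers.get("Authorization", "").startswith("Bearer "):
            code, body = 200, b'[{"id":1,"type":"dog"}]'
        else:
            code, body = 401, b'{"message":"Unauthorized"}'
        self.send_response(code)
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the sample output quiet
        pass

def start_fake_gateway():
    """Bind the stand-in on a free local port and return its base URL."""
    server = HTTPServer(("127.0.0.1", 0), FakeGateway)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return "http://127.0.0.1:%d" % server.server_address[1]

if __name__ == "__main__":
    print(authorizer_enforced(start_fake_gateway(), "placeholder-access-token"))
```

Against the real stage, a 401 for the anonymous call means API Gateway rejected the request before invoking the Lambda (no token present), while a 403 means the authorizer ran and returned a Deny policy; either is the expected outcome for an unauthenticated caller.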



In this tutorial, you have:

  1. Configured Auth0 for use with API Gateway
  2. Imported an API for use with API Gateway
  3. Created a custom authorizer to secure your API's endpoints, which required working with AWS IAM and Lambda
  4. Secured your API with your custom authorizer