Why am I getting API Gateway 401 Unauthorized errors after creating a Lambda authorizer?

Last updated: 2021-11-04

My Amazon API Gateway API is returning 401 Unauthorized errors after I created a Lambda authorizer for it. Why is this happening, and how do I troubleshoot the issue?

Short description

Note: API Gateway can return 401 Unauthorized errors for many reasons. This article addresses 401 errors related to Lambda authorizers only.

When an API Gateway API with a Lambda authorizer receives an unauthorized request, API Gateway returns a 401 Unauthorized response.

For token-based Lambda authorizers

401 Unauthorized errors usually occur when a required token is missing or not validated by the authorizer's token validation expression.

For request parameter-based Lambda authorizers

401 Unauthorized errors usually occur when configured identity sources are missing, null, empty, or not valid.

To troubleshoot this type of error, verify what information must be included in requests to your API by reviewing your Lambda authorizer's configuration. Then, test the authorizer by calling your API with the required header and token value, or identity sources.

Note: For example Lambda authorizer setups, see Create a token-based Lambda authorizer function and Create a request-based Lambda authorizer function.

Resolution

Review the Lambda authorizer's configuration

1.    Open the API Gateway console.

2.    On the APIs pane, choose the name of your API.

3.    In the left navigation pane, under the name of your API, choose Authorizers. The Authorizers page opens.

4.    Review the authorizer's configuration for one of the following based on your use case:

For token-based Lambda authorizers

If Lambda Event Payload is set as Token, then check the Token Source value. The Token Source value must be used as the request header in calls to your API.

Important: If you entered a regular expression for Token Validation, then API Gateway validates the token against this expression. For example, if you entered the regular expression \w{5}, then only token values with 5-character alphanumeric strings are validated.

-or-

For request parameter-based Lambda authorizers

If Lambda Event Payload is set as Request, then check the configured Identity Sources. The identity sources can be headers, query strings, stage variables, or $context variables.

Important: If Authorization Caching is activated, then requests to your API are validated against all the configured identity sources.

5.    If you have Authorization Caching activated ("Authorization cached for {0} minutes"), turn off caching for testing in the next step.

For more information, see Configure a Lambda authorizer using the API Gateway console.

Deploy your API

If you changed your Lambda authorizer's configuration or any other API settings, redeploy your API to commit the changes.

Test your Lambda authorizer

To test your Lambda authorizer, make a test call to your API by doing one of the following:

Important: Make sure that you format the request according to your Lambda authorizer's configuration.

To test a Lambda authorizer using the API Gateway console

1.    Open the API Gateway console.

2.    On the APIs pane, choose the name of your API.

3.    In the left navigation pane, under the name of your API, choose Authorizers.

4.    On the Authorizers page, choose Test for your authorizer.

5.    In the Test Authorizer dialog box, do one of the following based on your use case:

For token-based Lambda authorizers

For the {headerName} (header) value, enter a valid authorization token.

-or-

For request parameter-based Lambda authorizers

Under Request Parameters, enter values for all identity sources that are configured for your authorizer.

6.    Choose Test.

If the request is formatted correctly, API Gateway returns a Response Code: 200 message.

To test a Lambda authorizer using Postman or curl

For instructions on how to test a Lambda authorizer using the Postman app, see Call an API with API Gateway Lambda authorizers.

For more information about curl, see the cURL project website.

Note: If you turned off Authorization Caching for your Lambda authorizer before testing, then you can reactivate it after testing. If you reactivate Authorization Caching, then make sure that you redeploy your API to commit the changes.