Why am I getting API Gateway 401 Unauthorized errors after creating a Lambda authorizer?

Last updated: 2020-05-08

Calls to my Amazon API Gateway API are getting 401 Unauthorized errors after I created a Lambda authorizer. Why am I getting these errors?

Short Description

Note: API Gateway can return 401 Unauthorized errors in a variety of scenarios. This article addresses only 401 errors related to Lambda authorizers.

When an API Gateway API with a Lambda authorizer receives an unauthorized request, API Gateway returns a 401 Unauthorized response. For token-based authorizers, the error generally occurs when the request is missing the required token header or the token value fails the authorizer's token validation expression. For request parameter-based authorizers, the error generally occurs when one or more of the configured identity sources is missing, null, empty, or invalid.

For more information about Lambda authorizer types, see Use API Gateway Lambda authorizers.

Resolution

Review your Lambda authorizer's configuration in the API Gateway console to determine what must be included in requests to your API. Then, test the authorizer by calling your API with the required header and token value or identity sources.

Tip: For help with correctly configuring a Lambda authorizer, you can use the example setups in the API Gateway Developer Guide. For instructions, see EXAMPLE: Create a token-based Lambda authorizer function or EXAMPLE: Create a request-based Lambda authorizer function.

Check the Lambda authorizer's configuration

  1. In the API Gateway console, on the APIs pane, choose the name of your API.
  2. In the left navigation pane, choose Authorizers under your API.
  3. Review the authorizer for the following:
    If Lambda Event Payload is set as Token, check the value of Token Source. Requests must carry the token in a header with this exact name. If you entered a regular expression for Token Validation, API Gateway validates the token against this expression before it invokes the authorizer function and returns 401 if the token doesn't match. For example, if you entered the regular expression \w{5}, only token values that are exactly five word characters (letters, digits, or underscores) are successfully validated.
    If Lambda Event Payload is set as Request, check the configured Identity Sources. These can be headers, query strings, stage variables, or $context variables. If Authorization Caching is enabled, API Gateway checks that every configured identity source is present in the request; if any of them is missing, null, or empty, it returns 401 Unauthorized without invoking the authorizer function.
  4. If Authorization Caching is enabled (the authorizer shows "Authorization cached for {0} minutes"), disable caching before you test in the next step so that a cached policy from an earlier request doesn't mask the result.

For more information, see Configure a Lambda authorizer using the API Gateway console.
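The following Python code is an added example, not code from this article or from AWS: it shows a minimal token-based authorizer function next to a simplified model of the checks API Gateway performs around it, so you can see which requests end in 401 before the function is ever invoked, which end in 401 because the function raised "Unauthorized", and which end in 403 because it returned a Deny policy. The Token Source name, the Token Validation expression, the identity sources, the token table and the method ARN are all assumed values standing in for what you read off the Authorizers page; the simulated gateway logic is a model of the documented behavior, not AWS code.

```python
import re

# Constructed stand-ins for the values you read off the Authorizers page.
# All of these are assumptions for this example, not settings from the article.
TOKEN_SOURCE = "Authorization"                    # Token Source (header name)
TOKEN_VALIDATION = r"^Bearer [A-Za-z0-9._-]+$"    # Token Validation expression
IDENTITY_SOURCES = ["method.request.header.X-Api-Key",   # REQUEST authorizer
                    "method.request.querystring.tenant"]  # identity sources

# Constructed table standing in for real token verification (for example,
# checking a JWT signature against your identity provider).
# token -> (principalId, policy effect)
KNOWN_TOKENS = {
    "Bearer abc.def.ghi": ("user-42", "Allow"),
    "Bearer read.only.x": ("user-7", "Deny"),
}


def generate_policy(principal_id, effect, method_arn):
    """Build the IAM policy document a Lambda authorizer must return."""
    return {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{
                "Action": "execute-api:Invoke",
                "Effect": effect,
                "Resource": method_arn,
            }],
        },
    }


def lambda_handler(event, context):
    """TOKEN authorizer: the event carries authorizationToken and methodArn."""
    token = event["authorizationToken"]
    entry = KNOWN_TOKENS.get(token)
    if entry is None:
        # Raising an error whose message is exactly "Unauthorized" makes API
        # Gateway answer 401; returning a Deny policy makes it answer 403.
        raise Exception("Unauthorized")
    principal_id, effect = entry
    return generate_policy(principal_id, effect, event["methodArn"])


def _lookup(headers, name):
    """Case-insensitive header lookup (HTTP header names are not case-sensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def simulate_token_authorizer(headers, method_arn):
    """Simplified model (not AWS code) of what API Gateway does around a TOKEN
    authorizer. Returns the HTTP status the caller would see."""
    token = _lookup(headers, TOKEN_SOURCE)
    if not token:
        return 401  # Token Source header missing or empty: function never invoked
    # Modelled as a full match, as the article's \w{5} example implies.
    if not re.fullmatch(TOKEN_VALIDATION, token):
        return 401  # fails Token Validation: function never invoked
    event = {"type": "TOKEN", "authorizationToken": token, "methodArn": method_arn}
    try:
        policy = lambda_handler(event, None)
    except Exception as exc:
        return 401 if str(exc) == "Unauthorized" else 500
    effect = policy["policyDocument"]["Statement"][0]["Effect"]
    return 200 if effect == "Allow" else 403


def request_authorizer_precheck(headers, query, caching_enabled):
    """With Authorization Caching on, every identity source must be present and
    non-empty or API Gateway returns 401 before invoking the function. The
    article ties this pre-check to caching; with caching off the function is
    invoked and has to cope with missing values itself."""
    if not caching_enabled:
        return "invoke"
    for source in IDENTITY_SOURCES:
        kind, name = source.split(".", 3)[2:]   # method.request.<kind>.<name>
        value = _lookup(headers, name) if kind == "header" else query.get(name)
        if not value:
            return 401
    return "invoke"


if __name__ == "__main__":
    arn = "arn:aws:execute-api:us-east-1:123456789012:abcdef123/prod/GET/items"  # made up
    for hdrs in ({}, {"Authorization": "abc.def.ghi"}, {"Authorization": "Bearer nope"},
                 {"Authorization": "Bearer read.only.x"}, {"authorization": "Bearer abc.def.ghi"}):
        print(hdrs, "->", simulate_token_authorizer(hdrs, arn))
```

Running the block walks through the cases in order: no header and a token without the Bearer prefix are rejected by the gateway model itself, an unknown token is rejected by the function raising "Unauthorized" (still 401), a known token with a Deny policy yields 403, and only a known token with an Allow policy yields 200. When you troubleshoot a real API, that split tells you whether to look at the authorizer configuration (the first two cases) or at the function's own logic (the rest).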

Deploy your API

If you changed your Lambda authorizer's configuration or any other API settings, deploy your API to commit the changes.

Test the Lambda authorizer

Call your API as a test, being sure to form the request according to your Lambda authorizer's configuration.

API Gateway console

  1. In the API Gateway console, on the Authorizers page, choose Test for your authorizer.
  2. In the Test Authorizer dialog box, do one of the following:
    For a token-based authorizer, enter a valid authorization token value next to {headerName} (header).
    For a request parameter-based authorizer, under Request Parameters, enter values for all identity sources that are configured for the authorizer.
  3. Choose Test.

If authorization is successful, you see Response Code: 200.

Postman or curl

You can also call your API as a test using the Postman app or using curl from the command line. For example instructions using Postman, see Call an API with API Gateway Lambda authorizers. For more information about curl, see the cURL project website.
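As an added example (not code from this article or from AWS), the following Python script forms a test request the way this section asks you to: for a token-based authorizer it puts the token in the header named by Token Source, and for a request parameter-based authorizer it supplies every header and query string identity source, refusing to proceed when one is missing or when an identity source (a stage variable or $context value) can't be supplied by the caller at all. It then maps the status code from the deployed stage back to the authorizer behavior. The authorizer descriptions, header names and the invoke URL format are assumptions for the example.

```python
import sys
import urllib.error
import urllib.parse
import urllib.request

# Constructed descriptions of the two authorizer types as the Authorizers page
# presents them. Names and values are assumptions for this example.
TOKEN_AUTHORIZER = {"type": "TOKEN", "tokenSource": "Authorization"}
REQUEST_AUTHORIZER = {
    "type": "REQUEST",
    "identitySources": ["method.request.header.X-Api-Key",
                        "method.request.querystring.tenant"],
}


def build_request(url, authorizer, values):
    """Form a GET request that satisfies the authorizer's configuration.
    values maps each required header or query string name to the value to send;
    a KeyError here means the test request would be missing an identity source."""
    headers, query = {}, {}
    if authorizer["type"] == "TOKEN":
        name = authorizer["tokenSource"]
        headers[name] = values[name]        # the token rides in the Token Source header
    else:
        for source in authorizer["identitySources"]:
            if not source.startswith("method.request."):
                # Stage variables and $context values are filled in by API Gateway,
                # not sent by the caller, so a client cannot satisfy them directly.
                raise ValueError(f"{source} is not a client-supplied identity source")
            kind, name = source.split(".", 3)[2:]   # method.request.<kind>.<name>
            if kind == "header":
                headers[name] = values[name]
            elif kind == "querystring":
                query[name] = values[name]
            else:
                raise ValueError(f"unsupported identity source kind: {kind}")
    if query:
        url = f"{url}?{urllib.parse.urlencode(query)}"
    return urllib.request.Request(url, headers=headers, method="GET")


def interpret(status):
    """Say what an HTTP status from the deployed stage means for the authorizer."""
    if status == 200:
        return "authorized"
    if status == 401:
        return ("unauthorized: token or identity sources missing, token failed "
                "validation, or the authorizer raised Unauthorized")
    if status == 403:
        return "forbidden: the authorizer typically returned a Deny policy"
    return f"unexpected status {status}"


def call(request):
    """Send the request and return the HTTP status code (needs network access)."""
    try:
        with urllib.request.urlopen(request, timeout=10) as response:
            return response.status
    except urllib.error.HTTPError as err:
        return err.code


if __name__ == "__main__":
    # python test_authorizer.py https://<api-id>.execute-api.<region>.amazonaws.com/<stage>/<resource> "<token>"
    invoke_url, token = sys.argv[1], sys.argv[2]
    status = call(build_request(invoke_url, TOKEN_AUTHORIZER, {"Authorization": token}))
    print(status, interpret(status))
```

Point the script at the invoke URL of the stage you deployed in the previous step; a 401 from a request that build_request accepted means the problem is on the API Gateway side (token validation expression, Token Source name, or the function raising "Unauthorized"), not a malformed test call.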

Note: If you disabled Authorization Caching for your Lambda authorizer before testing, you can re-enable it after testing. If you re-enable the setting, be sure to redeploy your API afterward.