Why am I getting API Gateway 401 Unauthorized errors after creating a Lambda authorizer?

5 minute read
0

My Amazon API Gateway API is returning 401 Unauthorized errors after I created an AWS Lambda authorizer for it. Why is this happening, and how do I troubleshoot the issue?

Short description

Note: API Gateway can return 401 Unauthorized errors for many reasons. This article addresses only 401 Unauthorized response errors returned by API Gateway without calling the authorizer Lambda function.

When an API Gateway API with a Lambda authorizer receives an unauthorized request, API Gateway returns a 401 Unauthorized response.

For token-based Lambda authorizers

401 Unauthorized errors usually occur when a required token is missing or isn't validated by the authorizer's token validation expression.

For request parameter-based Lambda authorizers

401 Unauthorized errors usually occur when configured identity sources are missing, null, empty, or not valid.

To troubleshoot this type of error, verify the information that must be included in requests to your API by reviewing your Lambda authorizer's configuration. Then, test the authorizer by calling your API with the required header and token value or the identity sources.

Note: For example Lambda authorizer setups, see Create a token-based Lambda authorizer function and Create a request-based Lambda authorizer function.

Resolution

Review the Lambda authorizer's configuration

1.    Open the API Gateway console.

2.    On the APIs pane, choose the name of your API.

3.    In the navigation pane, under the name of your API, choose Authorizers. The Authorizers page opens.

4.    Review the authorizer's configuration for one of the following based on your use case:

For token-based Lambda authorizers

If Lambda Event Payload is set as Token, then check the Token Source value. The Token Source value must be used as the request header in calls to your API.

Important: If you entered a regular expression for Token Validation, then API Gateway validates the token against this expression. For example, if you entered the regular expression \ w{5}, then only token values with 5-character alphanumeric strings are successfully validated.

-or-

For request parameter-based Lambda authorizers

If Lambda Event Payload is set as Request, then check the configured Identity Sources. The identity sources can be headers, query strings, multi-value query strings, stage variables, or $context variables.

Important: If Authorization Caching is turned on, then requests to your API are validated against all the configured identity sources.

5.    If you have Authorization Caching turned on (for example, "Authorization cached for 1 minute"), turn off caching for testing in the next step.

For more information, see Configure a Lambda authorizer using the API Gateway console.

Deploy your API

If you changed your Lambda authorizer's configuration or any other API settings, redeploy your API to commit the changes.

Test your Lambda authorizer

To test your Lambda authorizer, make a test call to your API by doing one of the following:

Important: Make sure that you format the request according to your Lambda authorizer's configuration.

To test a Lambda authorizer using the API Gateway console

1.    Open the API Gateway console.

2.    On the APIs pane, choose the name of your API.

3.    In the navigation pane, under the name of your API, choose Authorizers.

4.    On the Authorizers page, choose Test for your authorizer.

5.    In the Test Authorizer dialog box, do one of the following based on your use case:

For token-based Lambda authorizers

1.    Choose Test without giving any value for Authorization Token. API Gateway returns a Response Code: 401 because Authorization Token is empty.

2.    If Token Validation with regular expression \ w{5} is configured, enter a value that isn't valid, such as "abc123", as Authorization Token. Then, choose Test. API Gateway returns a Response Code: 401 because Authorization Token doesn’t satisfy the Token Validation expression.

3.    For the Authorization Token value, enter allow and then choose Test. API Gateway returns a Response Code: 200 message.

-or-

For request parameter-based Lambda authorizers

1.    Delete the Request Parameters and choose Test. API Gateway returns a Response Code: 401 because Request Parameters are missing.

2.    For Request Parameters, enter headerValue1, queryValue1, and stageValue1 and choose Test. API Gateway returns a Response Code: 200 message.

To test a Lambda authorizer using Postman or curl

For instructions on how to test a Lambda authorizer using the Postman app, see Call an API with API Gateway Lambda authorizers.

For more information about curl, see the cURL project website.

Note:

  • If you turned off Authorization Caching for your Lambda authorizer before testing, you can reactivate it after testing. If you reactivate Authorization Caching, make sure that you redeploy your API to commit the changes.
  • If you receive Cross-Origin Resource Sharing (CORS) errors from the Lambda authorizer, you can add the CORS headers for the DEFAULT 4XX API Gateway responses. For more information, see How do I troubleshoot CORS errors from my API Gateway API?

Related information

Controlling and managing access to a REST API in API Gateway

How do I turn on Amazon CloudWatch Logs for troubleshooting my API Gateway REST API or WebSocket API?

2 Comments

API Gateway -> Develop -> Authorization -> Manage authorizer

There are no any button "Test authorizer" neither when I click "Edit" button for an authorizer.

Also there aren't token-based Lambda authorizers at all.

profile picture
replied a month ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

profile pictureAWS
MODERATOR
replied a month ago