How do I troubleshoot API Gateway REST API endpoint 403 "Missing Authentication Token" errors?

3 minute read
1

When I try to invoke my Amazon API Gateway REST API, I get 403 "Missing Authentication Token" error messages.

Short description

API Gateway REST API endpoints return Missing Authentication Token errors for the following reasons:

To troubleshoot other 403 errors for API Gateway, see How do I troubleshoot HTTP 403 errors from API Gateway?

Resolution

Confirm that there's a configured operation and resource in the API Gateway resource path

Follow the instructions in Set up an operation using the API Gateway console. For more information, see Set up API resources.

Important: For the changes to take effect, you must deploy the API.

For APIs with proxy resource integration where the request operation is sent to the root resource, verify that there's an operation that's configured under the root resource.

Confirm that the API Gateway responses aren't modified, or the backend integration isn't sending the response

Make sure that the gateway responses aren't modified in the API. Also, make sure that the error doesn't come from the integration backend. Check the API Gateway execution logs and backend logs.

Confirm that the API request is signed when IAM authentication is turned on

For more information, see Signing AWS API requests and Elements of an AWS API request signature.

Confirm that you're sending the correct HTTP operation request to the REST API endpoint

Test a REST API endpoint from a web browser to automatically send a GET HTTP operation request.

To test a POST HTTP operation request, use a different HTTP client. For example, use Postman on the Postman website or curl on the curl website.

Example curl command that uses the POST HTTP method request

$ curl -X POST  <API URL> -d <request body>

Example sending request with JSON header

$ curl --location -X POST 'https://1234WXYZ.execute-api.us-east-1.amazonaws.com/stage/lambda_proxy' --header 'Content-Type: application/json' --data-raw '{"x":"y"}'

Examples sending curl POST request with AWS V4 signature authentication

$ curl -X POST "<ENDPOINT>" -d <data> --user <AWS_ACCESS_KEY>:<AWS_SECRET_KEY> --aws-sigv4 "aws:amz:<REGION>:<SERVICE>"
$ curl -X POST "https://1234WXYZ.execute-api.us-east-1.amazonaws.com/stage/lambda_proxy" -d '{"x":"y"}' --user ABCD:1234 --aws-sigv4 "aws:amz:us-east-1:execute-api"

Related information

How do I activate IAM authentication for API Gateway REST APIs?

2 Comments

You need to change the permissions in Function overview to AllowPublicAccess on URL without IAM Access, and generate an new URL.

Daniel
replied 6 months ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

profile pictureAWS
MODERATOR
replied 6 months ago