Amazon API Gateway REST API Reference


Represents an authorization layer for methods. If enabled on a method, API Gateway will activate the authorizer when a client calls the method.

Relation Description Method Templated

A relation that refers to the current resource.


Changes information about an authorizer.


Deletes an authorizer.



  "id" : "String",
  "name" : "String",
  "type" : "String",
  "providerARNs" : [ "String" ],
  "authType" : "String",
  "authorizerUri" : "String",
  "authorizerCredentials" : "String",
  "identitySource" : "String",
  "identityValidationExpression" : "String",
  "authorizerResultTtlInSeconds" : "Integer"

  • id
  • The identifier for the authorizer resource.

  • name
  • [Required] The name of the authorizer.

  • type
  • [Required] The type of the authorizer. Currently, the valid type is TOKEN for a Lambda function or COGNITO_USER_POOLS for an Amazon Cognito user pool.

  • providerARNs
  • A list of the provider ARNs of the authorizer. For an TOKEN authorizer, this is not defined. For authorizers of the COGNITO_USER_POOLS type, each element corresponds to a user pool ARN of this format: arn:aws:cognito-idp:{region}:{account_id}:userpool/{user_pool_id}.

  • authType
  • Optional customer-defined field, used in Swagger imports/exports. Has no functional impact.

  • authorizerUri
  • [Required] Specifies the authorizer's Uniform Resource Identifier (URI). For TOKEN authorizers, this must be a well-formed Lambda function URI, for example, arn:aws:apigateway:us-west-2:lambda:path/2015-03-31/functions/arn:aws:lambda:us-west-2:{account_id}:function:{lambda_function_name}/invocations. In general, the URI has this form arn:aws:apigateway:{region}:lambda:path/{service_api}, where {region} is the same as the region hosting the Lambda function, path indicates that the remaining substring in the URI should be treated as the path to the resource, including the initial /. For Lambda functions, this is usually of the form /2015-03-31/functions/[FunctionARN]/invocations.

  • authorizerCredentials
  • Specifies the credentials required for the authorizer, if any. Two options are available. To specify an IAM role for Amazon API Gateway to assume, use the role's Amazon Resource Name (ARN). To use resource-based permissions on the Lambda function, specify null.

  • identitySource
  • [Required] The source of the identity in an incoming request. For a TOKEN authorizer, this value is a mapping expression with the same syntax as integration parameter mappings. The only valid source for tokens is 'header', so the expression should match 'method.request.header.[headerName]'. The value of the header '[headerName]' will be interpreted as the incoming token. For COGNITO_USER_POOLS authorizers, this property is used.

  • identityValidationExpression
  • A validation expression for the incoming identity. For TOKEN authorizers, this value should be a regular expression. The incoming token from the client is matched against this expression, and will proceed if the token matches. If the token doesn't match, the client receives a 401 Unauthorized response.

  • authorizerResultTtlInSeconds
  • The TTL in seconds of cached authorizer results. If greater than 0, API Gateway will cache authorizer responses. If this field is not set, the default value is 300. The maximum value is 3600, or 1 hour.


See Also

Enable custom authorization