Amazon API Gateway
Developer Guide

Use an API Key in API Gateway

You can use an API key in API Gateway to identify apps calling the API and control API access based on the API key. You can use an API key to control how an API is used. For example, you can generate an API key and give it to specific app developers to make the API available for their app users. When an API key is enabled, API calls must contain the specified key, as the value of the x-api-key header of the requests. Requests without the matching API key will then be rejected. API keys are useful to control that an API is used as expected and curtail abusive uses by changing the API keys. They should not be treated as a security mechanism for controlling access to an API.


  1. You must have an API available in API Gateway. Follow the instructions in Creating an API.

  2. You must have deployed the API in API Gateway at least once. Follow the instructions in Deploying an API.

Use an API Key with the API Gateway Console

To enable an API key with the API Gateway console, follow these instructions:

  1. Sign in to the API Gateway console at

  2. Choose the GET method under a resource of your choosing.

  3. Choose the Method Request box

  4. If API Key Required is set to false, choose the pencil icon next to it. From the drop-down menu list, choose true. Finally, choose the check-mark icon to save the setting.


    The steps above configures the API Gateway to enforce using API key. Otherwise, the API key created following the instructions below will not be used.
  5. In the secondary navigation bar, in the first list next to the console home button, choose API Keys.

  6. Choose Create API Key.

  7. For Name, type a name for the API key entry.

  8. (Optional) For Description, type a description for the API key entry.

  9. To enable the API key, select Enabled.

  10. Choose Save. Make a note of the key displayed in API key.

  11. For API Stage Association, for Select API, choose the name of the API.

  12. For Select stage, choose the name of the stage.

  13. Choose Add, and then choose Save.

  14. Deploy or redeploy the API for the effect to take place.

  15. Callers must now add to each call a custom header named x-api-key, along with the value of the API key. For example, if the API key value is bkayZOMvuy8aZOhIgxq94K9Oe7Y70Hw55, the custom header would be as follows:

    x-api-key: bkayZOMvuy8aZOhIgxq94K9Oe7Y70Hw55


In addition to, or instead of, enabling an API key, you can restrict access to certain IAM users only. For instructions, see Configure How a User Calls an API Method.