Enable API Gateway Authentication

Amazon API Gateway can use the JSON Web tokens (JWT) returned by Cognito User Pools to authenticate API calls. In this step, you’ll configure an authorizer for your API to use the user pool you created in module 1.

Since Cognito User Pools implements OpenID Connect JSON web tokens, API Gateway is able to compare the signature of an access or identity token against the known public keys of the Cognito User Pool which allows verification and authentication to happen without having to write additional code in your application.

High-Level Instructions

In the Amazon API Gateway console, create a new Cognito user pool authorizer for your API. Configure it to use the user pool that you created in the previous module. You can test the configuration in the console by copying and pasting the identity token printed to the console after you log in via the /signin path of your current website. Once setup, you will change your application’s code to send the proper JSON web token with its API requests to authenticate.

Step-by-step instructions (expand for details)

If the API now invokes correctly and application funcions as expected summoning unicorns, you may proceed to complete either:

Optional module 2 extension with Fine-grained IAM-based authorization with API Gateway


To proceed to the module 3 without completing the optional module extension, choose 3. AWS integration with IAM-based AuthZ on the left side menu.