Why do I get API Gateway "401 Unauthorized" errors after I create a Lambda authorizer?

After I created an AWS Lambda authorizer for my Amazon API Gateway API, I receive "401 Unauthorized" errors. I want to know why this happens and how I can troubleshoot the issue.

Short description

When an API Gateway API that has a Lambda authorizer receives an unauthorized request, API Gateway returns a 401 Unauthorized response.

Note: API Gateway returns 401 Unauthorized response errors for many reasons. The following resolution applies only to 401 Unauthorized response errors that you receive when API Gateway doesn't call the authorizer Lambda function.

For token-based Lambda authorizers

401 Unauthorized errors usually occur when a required token is missing, or when the token doesn't match the authorizer's token validation expression.

For request parameter-based Lambda authorizers

401 Unauthorized errors usually occur when the configured identity sources are missing, null, empty, or not valid.

To troubleshoot this type of error, verify the required information that you include in requests to your API. Then, call your API with the required header and token value or identity sources to test the authorizer.

For example Lambda authorizer setups, see Example TOKEN authorizer Lambda function and Example REQUEST authorizer Lambda function.

Resolution

Review the Lambda authorizer's configuration

Complete the following steps:

  1. Open the API Gateway console.
  2. In the APIs navigation pane, choose the name of your API.
  3. Under the name of your API, choose Authorizers.
  4. Review the authorizer's configuration for your use case:
    Token-based Lambda authorizers
    If Lambda Event Payload is set as Token, then check the Token Source value. You must use the Token Source value as the request header in calls to your API.
    Important: If you enter a regular expression for Token Validation, then API Gateway validates the token against this expression. For example, if you enter the regular expression \w{5}, then only token values with 5-character alphanumeric strings are successfully validated.
    Request parameter-based Lambda authorizers
    If Lambda Event Payload is set as Request, then check the configured Identity Sources. The identity sources might be headers, query strings, multi-value query strings, stage variables, or $context variables.
    Important: If Authorization Caching is turned on, then requests to your API are validated against all the configured identity sources. Turn off caching to test your Lambda authorizer.

Deploy your API

If you changed your Lambda authorizer's configuration or any other API settings, then redeploy your API to commit the changes.

Test your Lambda authorizer

To test your Lambda authorizer, use the API Gateway console, cURL, or Postman to make a test call to your API.

Important: Make sure that you format the request according to your Lambda authorizer's configuration.

Use the API Gateway console to test the Lambda authorizer

Complete the following steps:

  1. Open the API Gateway console.
  2. In the APIs navigation pane, choose the name of your API.
  3. Under the name of your API, choose Authorizers.
  4. On the Authorizers page, choose the name of the authorizer that you want to test.
  5. In the Test Authorizer section, complete the following steps for your use case:

Token-based Lambda authorizers

Choose Test authorizer, and don't give a value for Authorization Token. API Gateway returns a Response Code: 401 because the Authorization Token is empty.

If you configured Token Validation with the regular expression \w{5}, then enter a value for Authorization Token that isn't valid, such as "abc123". Then, choose Test authorizer. API Gateway returns a Response Code: 401 because the Authorization Token doesn't satisfy the Token Validation expression.

For the Authorization Token value, enter allow, and then choose Test authorizer. API Gateway returns a Response Code: 200 message.

Request parameter-based Lambda authorizers

Delete the request parameters, and then choose Test authorizer. API Gateway returns a Response Code: 401 because the request parameters are missing.

For Request Parameters, enter headerValue1, queryValue1, and stageValue1, and then choose Test authorizer. API Gateway returns a Response Code: 200 message.
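
The console tests above can be reproduced offline before you send a request. The following Python sketch is an added example, not AWS code: it models the pre-checks this article describes (empty token, token validation expression, missing or empty identity sources) and reports whether a request would get a 401 before the authorizer Lambda function runs. The identity source names and the request layout are constructed for illustration, and whole-value regex matching is an assumption chosen to agree with the article's \w{5} example.

```python
import re

# Identity source prefixes mapped to the part of the (constructed) request they read.
PREFIXES = {
    "method.request.header.": "headers",
    "method.request.querystring.": "query",
    "stageVariables.": "stage_variables",
    "context.": "context",
}
FORWARDED = (None, "passed pre-checks; authorizer Lambda decides")

def precheck_token(token, validation_regex=None):
    """TOKEN authorizer: return (401, reason) or FORWARDED."""
    if not token:
        return 401, "token missing or empty"
    # Assumption: the whole token must match, so "abc123" fails \w{5}.
    if validation_regex and not re.fullmatch(validation_regex, token):
        return 401, "token fails validation expression"
    return FORWARDED

def missing_identity_sources(identity_sources, request):
    """Return the configured identity sources that are absent, null, or empty."""
    missing = []
    for source in identity_sources:
        for prefix, bucket in PREFIXES.items():
            if source.startswith(prefix):
                name = source[len(prefix):]
                values = request.get(bucket) or {}
                if bucket == "headers":  # header names are case-insensitive
                    values = {k.lower(): v for k, v in values.items()}
                    name = name.lower()
                if not values.get(name):
                    missing.append(source)
                break
        else:
            raise ValueError(f"unsupported identity source: {source}")
    return missing

def precheck_request(identity_sources, request):
    """REQUEST authorizer: return (401, reason) or FORWARDED."""
    missing = missing_identity_sources(identity_sources, request)
    if missing:
        return 401, "missing or empty: " + ", ".join(missing)
    return FORWARDED

if __name__ == "__main__":
    print(precheck_token("abc123", r"\w{5}"))
    print(precheck_token("allow", r"\w{5}"))
```

A result of `None` means only that API Gateway would invoke the authorizer; the final status code still depends on the policy that the Lambda function returns.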

Use Postman or cURL to test a Lambda authorizer

For instructions on how to use Postman to test a Lambda authorizer, see Call an API with API Gateway Lambda authorizers. For more information about Postman, see the Postman website.

For information about cURL, see curl on the cURL project website.

Note:

  • If you turned off Authorization Caching for your Lambda authorizer before you tested, then you must reactivate it after you test. When you reactivate Authorization Caching, make sure that you redeploy your API to commit the changes.
  • If you receive Cross-Origin Resource Sharing (CORS) errors from the Lambda authorizer, then add the CORS headers for the DEFAULT 4XX API Gateway responses. For more information, see How do I troubleshoot CORS errors from my API Gateway API?

Related information

What is Amazon API Gateway?

Controlling and managing access to a REST API in API Gateway

How do I turn on CloudWatch Logs for troubleshooting my API Gateway REST API or WebSocket API?

2 Comments

API Gateway -> Develop -> Authorization -> Manage authorizer

There is no "Test authorizer" button, not even when I click the "Edit" button for an authorizer.

Also there aren't token-based Lambda authorizers at all.

replied 3 months ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS
MODERATOR
replied 3 months ago