How do I troubleshoot API Gateway REST API endpoint 403 "Missing Authentication Token" errors?

I tried to invoke my Amazon API Gateway REST API and received 403 "Missing Authentication Token" error messages.

Short description

API Gateway REST API endpoints return Missing Authentication Token errors for the following reasons:

To troubleshoot other 403 errors for API Gateway, see How do I troubleshoot HTTP 403 errors from API Gateway?

Resolution

Confirm that there's a configured operation and resource in the API Gateway resource path

Follow the instructions in Set up a method using the API Gateway console. For more information, see Set up API resources.

Important: For the changes to take effect, you must deploy the API.

For APIs with proxy resource integration where the request is sent to the root resource, verify that there's an operation configured under the root resource.

Confirm that the API Gateway responses weren't modified and that the backend integration didn't send the response

Make sure that the gateway responses weren't modified in the API. Also, make sure that the error doesn't come from the integration backend. Check the API Gateway execution logs and backend logs.

Confirm that the API request is signed when IAM authentication is turned on

For more information, see AWS Signature Version 4 for API requests and Elements of an AWS API request signature.
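
The following added example (not part of the original article and not AWS's own code) builds the Signature Version 4 headers for a POST request to an execute-api endpoint with only the Python standard library, so you can compare them with what your client actually sends. The function names, sample URL, and credentials are constructed for illustration, and the code assumes a JSON body and an already URL-encoded query string.

```python
import hashlib
import hmac
from datetime import datetime, timezone
from urllib.parse import quote, urlsplit

def _hmac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def signing_key(secret, date, region, service):
    # Derivation chain: date -> region -> service -> "aws4_request"
    key = _hmac(("AWS4" + secret).encode(), date)
    for part in (region, service, "aws4_request"):
        key = _hmac(key, part)
    return key

def sign_request(method, url, body, access_key, secret_key, region,
                 service="execute-api", now=None):
    """Return the headers that make this request SigV4-signed."""
    now = now or datetime.now(timezone.utc)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date = amz_date[:8]
    parts = urlsplit(url)
    # Headers covered by the signature: lowercase names, sorted.
    headers = {"content-type": "application/json",
               "host": parts.netloc, "x-amz-date": amz_date}
    signed = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k]}\n" for k in sorted(headers))
    # Assumption: query parameters, if any, are already URL-encoded.
    query = "&".join(sorted(parts.query.split("&"))) if parts.query else ""
    canonical_request = "\n".join([
        method, quote(parts.path or "/", safe="/~"), query,
        canonical_headers, signed, hashlib.sha256(body).hexdigest()])
    # The region and service in the scope must match the endpoint being called.
    scope = f"{date}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode()).hexdigest()])
    signature = hmac.new(signing_key(secret_key, date, region, service),
                         string_to_sign.encode(), hashlib.sha256).hexdigest()
    headers["authorization"] = (
        f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
        f"SignedHeaders={signed}, Signature={signature}")
    return headers

# Constructed sample values; none of these is a real endpoint or credential.
SAMPLE_URL = "https://abcd1234.execute-api.us-east-1.amazonaws.com/stage/lambda_proxy"
if __name__ == "__main__":
    for name, value in sign_request("POST", SAMPLE_URL, b'{"x":"y"}',
                                    "AKIDEXAMPLE", "constructed-secret",
                                    "us-east-1").items():
        print(f"{name}: {value}")
```

Send the returned headers unchanged together with the exact body bytes that were signed; any difference in the body, host, or timestamp invalidates the signature.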

Confirm that you sent the correct HTTP operation request to the REST API endpoint

When you test a REST API endpoint from a web browser, the browser automatically sends a GET HTTP operation request.

To test a POST HTTP operation request, use a different HTTP client. For example, use Postman on the Postman website or curl on the curl website.

Example curl command that sends a POST HTTP operation request

curl -X POST "API_URL" -d 'REQUEST_BODY'

Example curl command that sends a POST request with a JSON Content-Type header

curl --location -X POST 'https://1234WXYZ.execute-api.your-aws-region.amazonaws.com/stage/lambda_proxy' --header 'Content-Type: application/json' --data-raw '{"x":"y"}'

Example curl commands that send a POST request with AWS Signature Version 4 authentication

curl -X POST "ENDPOINT" -d 'DATA' --user "AWS_ACCESS_KEY:AWS_SECRET_KEY" --aws-sigv4 "aws:amz:AWS_REGION:AWS_SERVICE"
curl -X POST "https://1234WXYZ.execute-api.us-east-1.amazonaws.com/stage/lambda_proxy" -d '{"x":"y"}' --user "ABCD:1234" --aws-sigv4 "aws:amz:us-east-1:execute-api"

Related information

How do I activate IAM authentication for API Gateway REST APIs?

4 Comments

You need to change the permissions in Function overview to AllowPublicAccess on URL without IAM Access, and generate a new URL.

replied 2 years ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS
MODERATOR
replied 2 years ago

We encountered this error message and the problem ended up being that the TLS certificate attached to the Custom Domain for the API had been deleted. This probably falls under the category "The API request is made to an operation or resource that doesn't exist." but it's certainly not the first place we thought of to look.

replied 4 months ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS
replied 4 months ago