How do I troubleshoot API Gateway REST API endpoint 403 "Missing Authentication Token" errors?

3 minute read

When I try to invoke my Amazon API Gateway REST API, I get 403 "Missing Authentication Token" error messages. How do I troubleshoot these errors?

Short description

API Gateway REST API endpoints return Missing Authentication Token errors for the following reasons:

The API request is made to a method or resource that doesn't exist.
The API request isn't signed when the API method has AWS Identity and Access Management (IAM) authentication turned on.
The API might be configured with a modified Gateway response or the response comes from a backend integration.

To troubleshoot other 403 errors for API Gateway, see How do I troubleshoot HTTP 403 errors from API Gateway?

Resolution

Confirm that there's a method and resource configured in the API Gateway resource path

Follow the instructions in Set up a method using the API Gateway console. For more information, see Set up API resources.

Important: You must deploy the API for the changes to take effect.

For APIs with proxy resource integration where the request method is sent to the root resource, verify that there's a method configured under the root resource.

Confirm that the API Gateway responses haven't been modified or the backend integration isn't sending the response

Make sure that the gateway responses aren't modified in the API. Also, make sure that the error isn't coming from the integration backend. Check the API Gateway execution logs and backend logs.

Confirm that the API request is signed if the API method has IAM authentication turned on

For more information, see Signing AWS API requests and Elements of an AWS API request signature.

Confirm that you're sending the correct HTTP method request to the REST API endpoint

Testing a REST API endpoint from a web browser automatically sends a GET HTTP method request.

To test a POST HTTP method request, use a different HTTP client. For example: Postman or curl.

Example curl command that uses the POST HTTP method request

$ curl -X POST  <API URL> -d <request body>

Example sending request with JSON header

$ curl --location -X POST 'https://1234WXYZ.execute-api.us-east-1.amazonaws.com/stage/lambda_proxy' --header 'Content-Type: application/json' --data-raw '{"x":"y"}'

Examples sending curl POST request with AWS V4 signature authentication

$ curl -X POST "<ENDPOINT>" -d <data> --user <AWS_ACCESS_KEY>:<AWS_SECRET_KEY> --aws-sigv4 "aws:amz:<REGION>:<SERVICE>"

$ curl -X POST "https://1234WXYZ.execute-api.us-east-1.amazonaws.com/stage/lambda_proxy" -d '{"x":"y"}' --user ABCD:1234 --aws-sigv4 "aws:amz:us-east-1:execute-api"

Related information

How do I activate IAM authentication for API Gateway REST APIs?

Topics

Serverless Front-End Web & Mobile Networking & Content Delivery

Relevant content

API Gateway User Authentication Best Practices
Herbie
asked 2 years ago
How to generate an authentication token to connect to Websocket API using HTTP @connections endpoints.
rePost-User-7798264
asked 3 months ago
Getting {"message":"Missing Authentication Token"}"for Simple API Gateway Response
rePost-User-4140128
asked 9 months ago
Lambda + API Gateway + Custom Domain Name = Missing Authentication Token
Accepted Answer
mauro0x52
asked 5 years ago
Missing Auth Token using API Gateway
ForixIT Devs
asked 3 months ago
How do I troubleshoot HTTP 403 errors from API Gateway?
AWS OFFICIALUpdated 10 months ago
How can I troubleshoot missing CloudWatch logs for API Gateway REST APIs?
AWS OFFICIALUpdated a year ago
How can I troubleshoot 403 "missing authentication token" errors when invoking API Gateway REST or HTTP APIs with a custom domain name?
AWS OFFICIALUpdated 10 months ago
How do I troubleshoot HTTP 403 Forbidden errors when using a Lambda authorizer with an API Gateway REST API?
AWS OFFICIALUpdated a year ago
Invoking VMware Cloud on AWS REST API calls from Terraform
EXPERT
Patrick Kremer
published 7 months ago