Authentication for API Gateway using CloudFront cookies


I am working on a setup where website access to and and so on is secured using CloudFront signed cookies set by Lambda@Edge. There also is a central APIGateway-based web API under the domain that is being called from all websites.

I am now trying to add authentication to the API so that only users having the cloudfront signed cookies can make a call on behalf of the website where call originates from.

Is there a way to do so?

1 Answer
Accepted Answer

You could put the traffic to your API gateway via CloudFront, and protect API gateway with API key.

So you would have "" -> CloudFront (where you verify the cookie and add X-API-KEY to the request) -> API Gateway. To add the x-api-key you can specify it in the CloudFront settings without the need to use Lambda@Edge.

Here is the information on how to set up API Gateway with its own CloudFront distribution.

answered 2 years ago
  • I did check it out but got the impression it is not a fit. The challenge is that I need to use a cookie that belongs to domain to authenticate against. But I cannot set that cookie when at, as it is another domain. I would have to use a higher domain like. However, then users from could access what I don't want them to be able to. I now ended up with a scenario where I have Lambda@Edge create a JWT that has the originating domain, e.g., as payload, and I set that cookie under so it will be sent along with every API call to.

  • Still, it looks like that approach is the only feasible solution.
