- Newest
- Most votes
- Most comments
When you configure a Lambda authorizer, you usually also configure TTL. This value is used to cache the response from the Lambda authorizer. This means that API Gateway will not invoke the function for each request. If the response is cached, it uses it, otherwise, it calls the authorizer again. This is usually the mechanism that is used to prevent deleted users from getting in. They will have access for a few more minutes and then the GW will invoke the authorizer again, which will not find the user in the DB, and the will reject it.
Same works for API Key. The authorizer returns a key, that is cached as well, and is used to throttle the users. The API Key should not change. It remains the same for the lifetime of the user.
Each user needs a single API Key. You should create those upfront, or create them on the fly when the user logs in for the first time. Save them in a DB and get it from there the next time they login. Assign those API keys to a usage plan, depending on their quota.
You use the same API key for all operations by that user. API Keys should not be used for auth, only for throttling.
Relevant content
- asked a month ago
- asked 10 months ago
- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated 3 years ago
- AWS OFFICIALUpdated 2 years ago
Thank you, Uri!
I get what you're saying completely. My main concern was how to handle situations where my API consumers' credentials are stored in an external database. To implement usage plans, it seems I have to manage a unique API Key for each user. Even though they could potentially be identified by the principal_id in Usage Plans.
Right now, every user account action (like create, update, or delete) needs manual adjustments in the API Key set, which feels very repetitive.
What's the purpose of the API Key then? If it's not advised to use it for authentication and I'm already using an external user database, why can't I just use that for the Usage plans?