Comment on page
AWS API Gateway
Configure an authorizer that uses Passage to protect API routes.
The AWS API Gateway provides developers with a scalable and secure entry point to their developed API services. Using a JWT Authorizer integrated with Passage allows developers to control access to their API in a native, no-code way while getting all of the passwordless benefits of Passage.
AWS authorizers are designed to protect specific API routes from unauthorized requests. On routes that need protection, attach a JWT authorizer and configure it to integrate with your Passage Application. There are a few settings that need to be configured:
- The Name is a unique name to identify your JWT authorizer (once this has been configured it can be added to any other route you wish to protect)
- The Identity Source is where the JWT authorizer expects to find the JWT to be in the request. By default it expects the token to be in the Authorization header (
Authorization: Bearer <JWT>).
- The Issuer URL is the Passage domain from where the JWT originates. Set your issuer URL to
- The Audience is used to validate that the AWS API Gateway is a valid recipient of the JWT. The Authorizer validates that the
audclaim inside of the JWT matches the value entered in the Audience field. In Passage's case, this will be the app's Authentication Origin, which can be found in the Console Settings.
The completed form should look something like this:
Create and attach the JWT authorizer and now this route will be protected from unauthorized requests. To make an authenticated request:
curl -H "Authorization: Bearer [PASSAGE_JWT]" \
-X [METHOD] \
Any request with an invalid PASSAGE_JWT or a missing Authorization Header will respond with an Unauthorized 401 Response.
After validating the JWT, API Gateway passes the claims in the token to the API route’s integration. Backend resources, such as Lambda functions, can access the JWT claims. For example, to get the Passage User ID for a request you will use: