Say you have an API deployed on Amazon API gateway:

$ curl https://*******.execute-api.ap-south-1.amazonaws.com/dev
{
    "message": "Hello!"
}

Anybody can hit that URL & get a response. If you don’t want that, there are several ways to secure an API endpoint such that API Gateway won’t invoke the API unless the caller authenticates itself. One way to secure APIs is by using Amazon Cognito. Let’s see how to set this up for an app that intends to call a secure API.

We’ll begin by creating a Cognito user pool:

We’ll step through settings so we can customize them:

We don’t require any attributes since this pool will only be used by apps programmatically:

No need to allow users to sign themselves up:

No need to verify any attributes. We don’t intend to send any SMSes either:

Add an app client & create the pool:

Provide a domain name so we can fetch the tokens:

Add a resource server:

Enable the Cognito identity provider & the “client credentials” OAuth flow for the app:

Now let’s use this pool to secure the API. Back in the API Gateway console, create a new authorizer of type Cognito:

Now go into the Method Request of the method you wish to secure & change its Authorization from NONE to our authorizer:

Add OAuth Scopes:

Deploy the API & retry invoking it:

$ curl https://*******.execute-api.ap-south-1.amazonaws.com/dev
{
    "message": "Unauthorized"
}

There you go! It’s now secure!

Now let’s see how a legitimate app would invoke this API. The first step is to get the access token. Note down the client ID & secret from Cognito:

Get access token:

$ curl -X POST --user : https://secure-api.auth.us-east-1.amazoncognito.com/oauth2/token?grant_type=client_credentials -H 'Content-Type: application/x-www-form-urlencoded'
{
    "access_token": "*******",
    "expires_in": 3600,
    "token_type": "Bearer"
}

Invoke API:

$ curl https://*******.execute-api.ap-south-1.amazonaws.com/dev -H 'Authorization: Bearer '
{
    "message": "Hello!"
}