Authorizers

Defining a Function Authorizer within a Service

Authorizers are defined in the api.authorizers table within the service manifest.

service.toml

[api.authorizers.iam]
auth_type = "iam"
# IAM authorizers take no parameters

To be of any use, an authorizer must be attached to a function (see authorizer_id in Functions). The type of authorizer must also be supported by the API provider. At this time the default provider (AWS Lambda/APIGW) supports two types of authorization; IAM or JWT.

Authorizers protect only the publicly defined API of a function (such as an HTTP route); a Lambda function can still be invoked by other means (such as the AWS SDK).

Without an attached authorizer, your functions will be publicly accessible via HTTP if a route is defined. We recommend always using at least an IAM authorizer during development. Tools such as Postman will help you test protected routes.

service.toml

[api.authorizers.cognito]
auth_type = "JWT"
audience = ["client_id"]
issuer = "issuer_url"
scopes = ["claim1", "claim2", ...] # optional

The JWT type is used for authorizers such as Cognito or Auth0, which support JWT/OAuth authorization.

PreviousFunctions NextIOmod Dependencies

Last updated 3 years ago