Authorizers
Defining a Function Authorizer within a Service
Authorizers are defined in the
api.authorizers table within the service manifest.service.toml
[api.authorizers.iam]
auth_type = "iam"
# IAM authorizers take no parameters
To be of any use, an authorizer must be attached to a function (see
authorizer_id in Functions). The type of authorizer must also be supported by the API provider. At this time the default provider (AWS Lambda/APIGW) supports two types of authorization; IAM or JWT.Authorizers protect only the publicly defined API of a function (such as an HTTP route); a Lambda function can still be invoked by other means (such as the AWS SDK).
Without an attached authorizer, your functions will be publicly accessible via HTTP if a route is defined. We recommend always using at least an IAM authorizer during development. Tools such as Postman will help you test protected routes.
service.toml
[api.authorizers.cognito]
auth_type = "JWT"
audience = ["client_id"]
issuer = "issuer_url"
scopes = ["claim1", "claim2", ...] # optional
The JWT type is used for authorizers such as Cognito or Auth0, which support JWT/OAuth authorization.
Last modified 1yr ago