Using an API key in Amazon API Gateway

Tags: amazon-web-services, aws-lambda, amazon-cognito, aws-api-gateway

Amazon Web-Services Problem Overview


I have created an API Key and added it to my functions. I have then deployed the api and tested it but still get:

"message": "Forbidden"

How do I pass the api key with my JSON request as I have been using "x-api-key": "theKey"?

Amazon Web-Services Solutions


Solution 1 - Amazon Web-Services

The x-api-key parameter is passed as an HTTP header parameter (i.e. it is not added to the JSON body). How you pass HTTP headers depends on the HTTP client you use.

For example, if you use curl and assuming that you POST the JSON payload, a request would look something like (where you replace [api-id] with the actual id and [region] with the AWS region of your API):

$ curl -X POST -H "x-api-key: theKey" -H "Content-Type: application/json" -d '{"key":"val"}' https://[api-id].execute-api.[region].amazonaws.com

Solution 2 - Amazon Web-Services

I had to add an API Usage plan, and then link the plan to the API stage.

Seems like this is the only way to link the key to the API, not sure if this is a recent change on AWS.

Solution 3 - Amazon Web-Services

If you set the 'API Key Required' option to true, please check the points below.

  1. You have to pass the 'x-api-key' HTTP header parameter to API Gateway.

  2. The API Key has to be created.

  3. In addition, you need to check a Usage Plan for the API Key on the API Gateway console.

Solution 4 - Amazon Web-Services

If you set 'API key required' to true, you need to pass the API key as a header.

The API Key is passed as the header field 'x-api-key'. Even after adding this field in the header, this issue may occur. In that case, please validate the points below:

  1. Do you have a Usage Plan? If not, you need to create one.
  2. Link your API with the Usage Plan. For that, add a stage; it will link your API.
  3. Do you have an API Key? If not, you need to create an API Key and enable it.
  4. Add the Usage Plan which is linked with your API to this API Key. For that, add the Usage Plan.

Solution 5 - Amazon Web-Services

I hope you are not missing the step of linking the API key with the API in the API Gateway configuration.

Solution 6 - Amazon Web-Services

I was able to get a successful response from Lambda using the configuration below in the Postman native app:

Under the Authorization tab (for some reason this didn't work when I passed the same parameters under Headers):

Key : x-api-key

Value : your-api-key-value

Add to : Header

Solution 7 - Amazon Web-Services

For Private API Gateways accessed through public DNS, we need to pass an additional header, 'x-apigw-api-id', with the API id, along with 'x-api-key' if configured.

curl -v https://{vpce-id}.execute-api.{region}.vpce.amazonaws.com/test -H 'x-apigw-api-id:{api-id}'

It's documented below:

https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-private-api-test-invoke-url.html#w20aac13c16c28c11

Solution 8 - Amazon Web-Services

I don't have enough reputation to set this as a comment, but I was finally able to find the document specifying that 'x-api-key' belongs in the header for API Gateway calls that come from outside clients (like Postman, Swagger, etc.) in the AWS Documentation.

The relevant part:

> To use header-sourced API keys:
>
> 1. Create an API with desired API methods. And deploy the API to a stage.
> 2. Create a new usage plan or choose an existing one. Add the deployed API stage to the usage plan. Attach an API key to the usage plan or choose an existing API key in the plan. Note the chosen API key value.
> 3. Set up API methods to require an API key.
> 4. Redeploy the API to the same stage. If you deploy the API to a new stage, make sure to update the usage plan to attach the new API stage.
>
> The client can now call the API methods while supplying the x-api-key header with the chosen API key as the header value.

Source: "Choose an API key source" (AWS API Gateway developer guide)
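The four documented steps above (and the checklists in Solutions 2, 3 and 4) can be scripted so that the key, the usage plan, the stage and the key-required flag are always wired together in one go. The following is an added example, not code from the question or from AWS; it uses the boto3 `apigateway` client calls `create_api_key`, `create_usage_plan`, `create_usage_plan_key`, `get_resources`, `update_method` and `create_deployment`. The client is passed in as a parameter so the logic can be exercised against a fake; the API id, stage, plan and key names in `main` are constructed placeholders, and the REST API is assumed to be already deployed to the stage (a usage plan cannot reference a stage that does not exist yet).

```python
"""Attach an API key to an API Gateway stage via a usage plan, require the
key on every method, and redeploy so the requirement takes effect.

Added example (not from the original post).  `client` is any object that
exposes the boto3 'apigateway' calls used here; a real boto3 client is only
created under __main__.  All ids and names are constructed placeholders.
"""


def require_api_key_on_methods(client, rest_api_id):
    """Set apiKeyRequired=true on every method of the REST API.

    Returns the (path, method) pairs that were updated.  get_resources is
    paginated in the real API; for a small API one page is enough.
    """
    updated = []
    for res in client.get_resources(restApiId=rest_api_id)["items"]:
        for http_method in res.get("resourceMethods", {}):
            client.update_method(
                restApiId=rest_api_id,
                resourceId=res["id"],
                httpMethod=http_method,
                patchOperations=[{"op": "replace",
                                  "path": "/apiKeyRequired",
                                  "value": "true"}],
            )
            updated.append((res["path"], http_method))
    return updated


def link_api_key(client, rest_api_id, stage, plan_name, key_name):
    """Steps 2-4 of the AWS procedure: key -> usage plan -> stage -> redeploy.

    Returns the created ids so the caller can record them; the key's secret
    value is deliberately not returned (fetch it with get_api_key when needed).
    """
    # Step 2a: create an enabled API key (a disabled key also yields 403).
    key = client.create_api_key(name=key_name, enabled=True)
    # Step 2b: create the usage plan and attach the deployed stage to it.
    plan = client.create_usage_plan(
        name=plan_name,
        apiStages=[{"apiId": rest_api_id, "stage": stage}],
    )
    # Step 2c: put the key into the plan.  Without this link the key exists
    # but is not valid for this API, which is the classic "Forbidden" cause.
    client.create_usage_plan_key(
        usagePlanId=plan["id"], keyId=key["id"], keyType="API_KEY"
    )
    # Step 3: require the key on the methods.
    methods = require_api_key_on_methods(client, rest_api_id)
    # Step 4: apiKeyRequired only takes effect after the stage is redeployed.
    client.create_deployment(restApiId=rest_api_id, stageName=stage)
    return {"key_id": key["id"], "usage_plan_id": plan["id"],
            "methods": methods}


if __name__ == "__main__":
    import boto3  # only needed for a real run against AWS

    result = link_api_key(
        boto3.client("apigateway", region_name="us-east-1"),
        rest_api_id="REPLACE-WITH-API-ID",   # placeholder
        stage="prod",
        plan_name="basic-plan",
        key_name="client-a",
    )
    print(result)
```

Running this once per API/stage pair avoids the situation in the question: a key that exists and is sent correctly, but that no usage plan ties to the deployed stage.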

Solution 9 - Amazon Web-Services

Here is a good resource explaining different reasons why we could be getting a Forbidden. The two most important are the request URL and the x-api-key header:

https://{api_id}.execute-api.{region}.amazonaws.com/{stage_name}/{resource_name}

A missing stage name will give you a 403, for example. Maybe for security reasons the response does not reveal an issue with the stage name, and thus you get a generic Forbidden.
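Solution 1 (send the key as a header, never in the body) and Solution 9 (include the stage in the invoke URL) describe the two client-side causes of the 403. The block below is an added example, not code from any of the answers: it builds the request with Python's standard `urllib`, refuses to build a URL without a stage, and maps the JSON error body of a 403 to a likely cause. It also covers the private-API variant from Solution 7 (VPC endpoint host plus the `x-apigw-api-id` header). The API id, region, stage, resource and key value are constructed placeholders; the "Missing Authentication Token" message is API Gateway's standard body when no route matches the path or method.

```python
"""Build an API Gateway request carrying the key in the x-api-key header and
the stage in the URL, then interpret a 403 body.

Added example (not from the original post).  All ids, names and key values
are constructed placeholders.
"""
import json
import urllib.error
import urllib.request


def invoke_url(api_id, region, stage, resource="", vpce_id=None):
    """Return https://<host>/<stage>[/<resource>].

    A missing stage segment is a common 403 cause, so it is mandatory here.
    """
    if not stage:
        raise ValueError("stage name is required in the invoke URL")
    if vpce_id:
        # Private API reached through the VPC endpoint's public DNS name.
        host = f"{vpce_id}.execute-api.{region}.vpce.amazonaws.com"
    else:
        host = f"{api_id}.execute-api.{region}.amazonaws.com"
    path = f"/{stage}"
    resource = resource.strip("/")
    if resource:
        path += f"/{resource}"
    return f"https://{host}{path}"


def build_request(api_id, region, stage, resource, api_key, payload,
                  vpce_id=None):
    """Create a POST request; the key travels as a header, not in the JSON."""
    body = json.dumps(payload).encode("utf-8")
    headers = {
        "x-api-key": api_key,  # header only; never inside the body
        "Content-Type": "application/json",
    }
    if vpce_id:
        # Private APIs additionally need the API id as a header.
        headers["x-apigw-api-id"] = api_id
    url = invoke_url(api_id, region, stage, resource, vpce_id)
    return urllib.request.Request(url, data=body, headers=headers,
                                  method="POST")


def classify_403(body_text):
    """Map the JSON error body of a 403 to the most likely cause."""
    try:
        message = json.loads(body_text).get("message", "")
    except (ValueError, AttributeError):
        message = body_text
    if message == "Forbidden":
        return ("api key missing, invalid, disabled, or not attached to a "
                "usage plan that covers this stage")
    if message == "Missing Authentication Token":
        return "no route matched: check stage name, resource path and method"
    return f"unexpected 403 body: {message!r}"


def send(req, timeout=10):
    """Send the request and return (status, body_text); 4xx/5xx are returned,
    not raised, so the caller can inspect the body."""
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8")


if __name__ == "__main__":
    # Placeholders: replace with a real API id, region, stage and key value.
    req = build_request("abc123", "us-east-1", "prod", "items",
                        api_key="REPLACE-WITH-KEY", payload={"key": "val"})
    status, text = send(req)
    print(status, classify_403(text) if status == 403 else text)
```

Note that `urllib` stores header names in capitalised form (`X-api-key`); HTTP header names are case-insensitive, so API Gateway accepts either spelling.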

Attributions

All content for this solution is sourced from the original question on Stackoverflow.

The content on this page is licensed under the Attribution-ShareAlike 4.0 International (CC BY-SA 4.0) license.

Content Type - Original Author (all items link to the original post on Stack Overflow)
Question - cdub
Solution 1 - matsev
Solution 2 - TimoSolo
Solution 3 - Daniel Jihoon Oh
Solution 4 - bisw
Solution 5 - Partha
Solution 6 - Abhishek Poojary
Solution 7 - msounthar
Solution 8 - Lib101
Solution 9 - Mike Bendorf