It’s been a while since I used a custom authorizer so I’m a little rusty here.
The way I’ve always understood custom authorizers is they need to return a policy document with all of the resources the user is allowed to access. By default that policy document is cached against the authorization token for 5 minutes.
In your case the first time the custom authorizer is called it grants access to invoke the Lambda handling the POST but not the GET. When you then call the GET it fails because the cached policy says they don’t have access. After 5 minutes when the cache has expired and you attempt to GET it generates a new policy saying you have access to GET but not POST.
Solution 1: Return a policy that allows access to the Lambdas handling both the POST and GET.
Solution 2: Set resultTtlInSeconds: 0 so that the policy document isn’t cached.
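
Added example, not part of the original post: a sketch of Solution 1 as a Python TOKEN authorizer that returns the same policy whichever method triggered it, so the cached copy is valid for both GET and POST. The helper names, the allowed-method list, the principal id and the token check are assumptions made for illustration; the sample ARN is constructed.

```python
# Assumption: the two methods from the question, both on the same resource path.
ALLOWED_METHODS = ("GET", "POST")


def resources_for_all_methods(method_arn, methods=ALLOWED_METHODS):
    """Expand the ARN of the method being invoked into one ARN per allowed method.

    methodArn layout: arn:aws:execute-api:{region}:{account}:{apiId}/{stage}/{METHOD}/{path}
    """
    arn_prefix, stage, _method, *path = method_arn.split("/")
    resource_path = "/".join(path)
    return [f"{arn_prefix}/{stage}/{m}/{resource_path}" for m in methods]


def is_valid_token(token):
    # Placeholder (assumption): swap in real verification, e.g. signature and expiry checks.
    return token == "constructed-demo-token"


def build_policy(principal_id, effect, resources):
    """Build the authorizer response that API Gateway caches per token."""
    return {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {"Action": "execute-api:Invoke", "Effect": effect, "Resource": resources}
            ],
        },
    }


def handler(event, context):
    if not is_valid_token(event.get("authorizationToken", "")):
        # API Gateway maps this exact message to a 401 response.
        raise Exception("Unauthorized")
    # List every method explicitly instead of using a wildcard, so the cached
    # policy grants only what this caller is meant to reach.
    return build_policy("demo-user", "Allow", resources_for_all_methods(event["methodArn"]))
```

Because the policy no longer depends on which method was called first, the default cache can stay enabled and the authorizer is not invoked on every request.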