[Fixed] Authorizer with specified header

I understand that I can:

  1. enable private: true to set API keys
  2. enable authorizer: aws_iam with aws iam
  3. enable authorizer: auth for custom authorizer

But I need to use a custom header in autohrizer. What should I do?

I test with authorizer: auth but I found the event has only three parts: authorizationToken, type and methodArn, no other headers are transfered to the event.

    type: 'TOKEN',
    methodArn: 'arn:aws:execute-api:::tnav0j/dev/GET/profile',
    authorizationToken: 'allow' 

So what should I do to authorise a custom header?

For example,

curl --header "X-token: abcd" ${API_Gateway}

This way is similar as x-api-key, but how to use for other headers?

1 Like

Hey @bill,

If I understand your question correctly, the syntax would be something like:

            name: authorizerFunc # <-- Function name or ARN
            resultTtlInSeconds: 0
            identitySource: method.request.header.X-token # <-- custom header
            identityValidationExpression: someRegex
            type: token

Does that help?

For reference, here are docs on Serverless custom authorizer settings.

1 Like

Thanks a lot, @alexdebrie1 That’s what I am looking for.

Finally I realised, whatever I transfer the header with other name in identitySource, in aws event, it is still called authorizationToken, and I still need to use event.authorizationToke to catch its value.

That explains why my code event.headers["X-token"] doesn’t work before.

And it is really good that the key of specified authorization header is case insensitive

1 Like


Do you have any ideas that how to let the authorizer to accepts multiple headers?

curl  --header “X-token: allow” --header “X-department: wireless” https://<api_url> 

I need to authorise both headers.

@bill I think you’d need to use the REQUEST type for your custom authorizer. This passes in the entire request rather than just a single header.

1 Like

thanks, I am not sure if I fully understand this part, but will take a try.

Hi, you can either use TOKEN or REQUEST type of custom authorizer with API Gateway. With TOKEN you’ll get only the one header that you have defined as event payload (along with method arn) and with REQUEST you’ll get the whole request event with all headers (http://docs.aws.amazon.com/apigateway/latest/developerguide/use-custom-authorizer.html#api-gateway-custom-authorizer-input).
This feature will be supported in the next release of Serverless Framework (https://github.com/serverless/serverless/pull/4372).


Thanks, I already built with latest serverless codes and using this feature.