How to enable CORS for custom authorizers? (AWS API Gateways)

I’m trying to implement a basic custom authorizer but I have an issue with CORS when the authorizer doesn’t authorize the API call:
I get the expected 401 status code but there is no Access-Control-Allow-Origin header in the response, then I can’t handle it in my front-end code…

I didn’t find any mention of a CORS attribute in the serverless doc for the authorizer itself, so how can I tell it to add the correct header for “non authorized” responses?

Thanks in advance


Hi @stephanechauvin,
Unfortunately you can’t, that’s a limitation in API Gateway and a pain-point for a lot of users.


Ok thx bbilger.

Incredible that AWS isn’t able to quickly address this kind of issue! :worried:

Things have changed, AWS finally fixed this thing, but I am not sure how to implement it with serverless.
Does anybody have an idea?
Thank you

@RastoStric I have the same question

Did you figure out how to return CORS headers from the authorizer?

After hours of searching… The answer is here:


Thanks for sharing, I didn’t know it! :+1:
