Longer TTL for lambda authorizer?

Hello there!

My implementation for lambdas is almost ready. Now the challenge is to protect them using a token.

My identity provider is Apple, and I am using the Sign in with Apple functionality to generate an ID token. This is done not through Cognito, but through my own implementation using Apple APIs.

The way I see this works is:

  • API Gateway calls the Lambda authorizer
  • The Lambda authorizer verifies the Authorization header value (which is the token I supply from the client)
  • API Gateway caches the authorizer response with cache key = token, cache value = the Policy object I generated in the authorizer

Please correct me if my understanding isn’t correct.

Here is the Policy document I generate based on the token, just in case there is any optimization needed in it:

 {
     "principalId": "<user ID extracted from token>",
     "policyDocument": {
         "Version": "2012-10-17",
         "Statement": [
             {
                 "Action": "execute-api:Invoke",
                 "Effect": "Allow",
                 "Resource": [
                     "arn:aws:execute-api:<aws-region-code>:<my_aws_account_id>:<my_rest_api_endpoint_id>/dev/GET/<resource>"
                 ]
             }
         ]
     }
 }

Now, the problem I see is that such verification involves latency. It involves calling Apple’s servers and verifying the JWT. This response, as far as I know, is cached for a maximum of 3600 seconds by API Gateway.

The Apple token I get has a validity of 1 day. This means that once it is verified, I don’t have to verify it again for 24 hours for that user. If I could get caching for that duration, it would be good and efficient usage of the Lambda authorizer.

If the cache keeps expiring every hour, it means every Lambda call will have the overhead of the authorizer.

Is there another obvious solution to this problem that I don’t see?
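As an added example, not code from the original post, here is a stdlib-only Python sketch of the flow the question describes: a REST API TOKEN authorizer that parses the Authorization header, verifies the JWT's signature and the claims that matter for an Apple ID token (iss, aud, exp, sub), and returns the IAM-style policy. Assumptions: Apple signs its ID tokens with RS256 using keys published at https://appleid.apple.com/auth/keys; to run offline without third-party packages this example signs and verifies with HS256 against a constructed key, so in production the `verify_token` signature check would be replaced by an RS256 check (for instance PyJWT over the JWKS). The audience value `com.example.app`, the `KEYS` entry and the method ARN are all constructed for the example; `mint_test_token` exists only so the block can produce a token to verify.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

APPLE_ISSUER = "https://appleid.apple.com"
EXPECTED_AUDIENCE = "com.example.app"  # assumption: the app's Apple client_id

# Key material indexed by the JWT "kid" header. Constructed for this offline
# example; in production this dict is filled from Apple's JWKS endpoint and kept
# at module scope so warm Lambda invocations reuse it without a network call.
KEYS = {"demo-kid": b"constructed-demo-secret-not-for-production"}


def _b64url_decode(data: str) -> bytes:
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def verify_token(token: str, keys: dict, now: Optional[float] = None) -> dict:
    """Verify the signature and the claims that matter; return the claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))
    signature = _b64url_decode(parts[2])

    # Pin the algorithm instead of trusting the one the token announces.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    key = keys.get(header.get("kid"))
    if key is None:
        raise ValueError("unknown kid")
    signing_input = f"{parts[0]}.{parts[1]}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise ValueError("bad signature")

    now = time.time() if now is None else now
    if claims.get("iss") != APPLE_ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != EXPECTED_AUDIENCE:
        raise ValueError("wrong audience")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("expired")
    if not claims.get("sub"):
        raise ValueError("missing sub")
    return claims


def build_policy(principal_id: str, method_arn: str, effect: str) -> dict:
    """Policy API Gateway expects back from a REST authorizer.

    The cached entry is keyed by the token and reused for every method the
    client calls with it, so the Resource covers the whole stage rather than
    only the method that triggered this invocation.
    """
    api_prefix, stage = method_arn.split("/")[:2]
    return {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{
                "Action": "execute-api:Invoke",
                "Effect": effect,
                "Resource": [f"{api_prefix}/{stage}/*"],
            }],
        },
    }


def lambda_handler(event: dict, context=None, now: Optional[float] = None) -> dict:
    """Entry point for a REST API TOKEN authorizer event."""
    token = event.get("authorizationToken", "")
    if token.lower().startswith("bearer "):
        token = token[7:]
    try:
        claims = verify_token(token, KEYS, now)
    except ValueError:
        # API Gateway turns exactly this exception message into an HTTP 401.
        raise Exception("Unauthorized")
    return build_policy(claims["sub"], event["methodArn"], "Allow")


def mint_test_token(claims: dict, kid: str, key: bytes) -> str:
    """Sign a token the way the constructed KEYS entry expects (test helper)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "kid": kid}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


if __name__ == "__main__":
    now = 1_700_000_000
    tok = mint_test_token({"iss": APPLE_ISSUER, "aud": EXPECTED_AUDIENCE,
                           "sub": "001234.abcd", "exp": now + 86400},
                          "demo-kid", KEYS["demo-kid"])
    event = {"type": "TOKEN", "authorizationToken": f"Bearer {tok}",
             "methodArn": "arn:aws:execute-api:us-east-1:123456789012:abc123/dev/GET/items"}
    print(json.dumps(lambda_handler(event, now=now), indent=2))
```

Two points this layout makes concrete. First, the only step that has to touch Apple is fetching the public keys; the signature check itself is local, so keeping the keys in a module-level cache (refreshed when an unknown `kid` shows up) removes the per-request network round trip even when the API Gateway cache has expired. Second, because API Gateway caches by token value, a cached Allow policy can survive up to the configured TTL past the token's `exp`, so the TTL is effectively added to the token lifetime; that is a reason to keep the TTL bounded rather than stretch it to a day.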