I’m having trouble with my AWS API Gateway setup that connects to a Lambda function. When I set the authentication to NONE, everything works perfectly, but this makes my API public so anyone can call it with just the URL.
To secure my API, I changed the authentication type to AWS_IAM and added the AmazonAPIGatewayInvokeFullAccess policy to my IAM user. However, now I keep getting this error response:
{ message: "Missing Authentication Token" }
I’m not sure what step I’m missing in the authentication setup. Has anyone faced this issue before?
I ran into this exact same issue a few months ago and the problem was that I wasn’t actually signing my requests properly. When you switch to AWS_IAM authentication, you need to use AWS Signature Version 4 to sign your HTTP requests. Just having the IAM policy isn’t enough - the API Gateway expects properly signed requests with the correct authorization headers. If you’re testing with Postman or curl, you’ll need to configure AWS authentication there too. The “Missing Authentication Token” error is misleading because it’s not really about a missing token, it’s about the request not being signed according to AWS standards. Make sure your client code is using the AWS SDK or manually implementing SigV4 signing.
ah yeah this happened to me too… the issue might be you're using the wrong invoke url format. when you switch to iam auth you can't just use the regular https://api-id.execute-api.region.amazonaws.com/stage/resource url in a browser anymore. you need to make signed requests. try checking if you're actually calling the api correctly with proper aws credentials configured in your client
This error usually occurs when there’s a mismatch between your API Gateway configuration and how you’re making the request. Double-check that you’re hitting the correct endpoint URL - when you change authentication methods, sometimes the deployment stage doesn’t update properly. You might need to redeploy your API after changing the auth settings. Also verify that your IAM user has the correct permissions and that you’re making requests from the right AWS region. I’ve seen cases where the API Gateway resource policy was blocking requests even with proper IAM permissions. Try testing with the AWS CLI first using aws apigateway test-invoke-method to isolate whether it’s a configuration issue or a client-side signing problem.