Notes - AWS API Gateway

API Gateway

Scope of an API and a stage

If an API in AWS API Gateway uses cookies, for example to authenticate requests, the API must be specific to one client, one stage and one origin URL. A stage is a stage of development, for example production, staging or development. An origin is a URL including the protocol (HTTP or HTTP over SSL), the domain and, optionally, the port number, for example "http://example.com:3000" or "https://example.com". Wildcards are not allowed in the origin when cookies are used.

As a result, you will want to maintain a separate API for every client, and a separate stage for every team and stage. For example:

  • API: client-one
    • STAGE: development
    • STAGE: production
  • API: client-two
    • STAGE: development
    • STAGE: staging
    • STAGE: production

Dynamic CORS values

As of 22 Feb 2020 there is no way to make CORS values dynamic. It's not possible to set "Access-Control-Allow-Origin" from a whitelist or a regular expression, since an OPTIONS method on a resource cannot be integrated with a Lambda function. OPTIONS response header values cannot be set using API Gateway's stage variables either.

It's possible to set OPTIONS headers dynamically via an ANY method. An ANY method can invoke a Lambda function.
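
A sketch of the ANY-method approach, added here as an example and not taken from the original notes. It assumes Lambda proxy integration (the function receives "httpMethod" and "headers" in the event and returns "statusCode", "headers" and "body"); the allowlisted origins, methods and headers are constructed sample values.

```python
import json

# Assumption: exact origins permitted for this API and stage (constructed values).
ALLOWED_ORIGINS = {
    "https://example.com",
    "http://example.com:3000",
}
ALLOWED_METHODS = "GET,POST,OPTIONS"
ALLOWED_HEADERS = "Content-Type,Authorization"


def cors_headers(origin):
    """Return CORS headers for an allowlisted origin, or only Vary otherwise."""
    headers = {"Vary": "Origin"}  # caches must not reuse a response across origins
    if origin in ALLOWED_ORIGINS:  # exact match on scheme, host and port
        headers.update({
            "Access-Control-Allow-Origin": origin,  # echo the origin, never "*"
            "Access-Control-Allow-Credentials": "true",  # needed for cookies
            "Access-Control-Allow-Methods": ALLOWED_METHODS,
            "Access-Control-Allow-Headers": ALLOWED_HEADERS,
        })
    return headers


def handler(event, context):
    """Entry point for an ANY method using Lambda proxy integration."""
    # Header names may arrive in any case, and "headers" may be null.
    request_headers = {k.lower(): v for k, v in (event.get("headers") or {}).items()}
    headers = cors_headers(request_headers.get("origin"))

    if event.get("httpMethod") == "OPTIONS":
        # Preflight: reply with headers only. An origin outside the allowlist
        # gets no Access-Control-* headers, so the browser blocks the request.
        return {"statusCode": 204, "headers": headers, "body": ""}

    # Actual request: the same CORS headers must accompany the response.
    return {
        "statusCode": 200,
        "headers": {**headers, "Content-Type": "application/json"},
        "body": json.dumps({"ok": True}),
    }
```

Matching the Origin header by exact string against a set avoids the prefix and suffix mistakes that regular-expression checks tend to introduce, such as accepting "https://example.com.attacker.test".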