Serverless auth

Code for the accompanying blog post.

Use case

How can we secure an HTTP API with a token-based authentication strategy, so that only authenticated and authorized clients can access it?


Auth flow

  1. curl sends an HTTP request to the GET /profile endpoint, passing a token via the Authorization request header.

  2. When the HTTP request reaches APIG, it checks whether a Lambda Authorizer is configured for the called endpoint. If so, APIG invokes the Lambda Authorizer.

  3. The Lambda Authorizer then:

    • Extracts the token from the Authorization request header.
    • Fetches the JWKS (which contains the public key) from Auth0, selecting the key whose kid matches the token header.
    • Verifies the token signature with the fetched public key.
    • Verifies the token has the expected issuer and audience claims (and has not expired).
  4. If the token is verified, the Lambda Authorizer returns an IAM Policy document with Effect set to Allow for the requested method ARN; otherwise the request is rejected.

  5. APIG evaluates the IAM Policy and, if the Effect is set to Allow, invokes the specified Lambda handler. Note that APIG can cache the returned policy per token for the configured TTL, so the handler, not only the authorizer, must enforce authorization.

  6. The Lambda handler executes and, if the token's scope claim contains get:profile, returns the profile data to the client; without that scope it returns a 403.


Lint source code with:

npm run lint

Lint and format (prettier) source code with:

npm run lint:format

Run tests with:

npm test


Please read the Contributing Guidelines first.


MIT License

Copyright (c) Daniël Illouz
