Custom domain for API Gateway returning 403


Solution 1

Here is the developer guide if you haven't seen it.

All you need to do is set up a CNAME with your DNS provider pointing at the CF distribution that API Gateway gives you. You won't be able to make API calls directly to the CF distribution. API Gateway maps the API/stage from the Base Path mapping you set up in API Gateway so only API calls directed at the domain name will work correctly.

Solution 2

You need to use the Host header in your request. Host should be your custom domain.

curl https://<cf-id> -H "Host:"

Solution 3

In my case I had to add base path mapping.
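The routing behaviour that Solutions 1 to 3 describe can be sketched as a small model. This is an added example, not code from the answers or from AWS: the domain, distribution hostname, API id and stage are constructed, and the matching is a simplification (single-segment base paths only).

```python
# Simplified model (an assumption, not AWS code) of how a request to an
# API Gateway custom domain is either routed to an API stage or refused with 403.
from dataclasses import dataclass, field


@dataclass
class CustomDomain:
    name: str      # custom domain registered in API Gateway
    target: str    # distribution hostname that API Gateway hands out
    # base path -> (api_id, stage); "" stands for the empty "(none)" base path
    mappings: dict = field(default_factory=dict)


def route(domain: CustomDomain, host: str, path: str):
    """Return ("forward", "<api>/<stage>/<path>") or ("403", reason).

    Only the Host header matters here, not the address the client connected
    to, which is why sending Host: <custom domain> to the distribution
    hostname (Solution 2) is routed.
    """
    host = host.split(":")[0].lower().rstrip(".")
    if host != domain.name.lower():
        # Calling the distribution hostname directly (Solution 1), or any
        # client or proxy that sends a different Host value.
        return "403", "Host header does not match the custom domain"
    segments = [s for s in path.split("?")[0].split("/") if s]
    first = segments[0] if segments else ""
    if first and first in domain.mappings:
        api_id, stage = domain.mappings[first]
        return "forward", f"{api_id}/{stage}/" + "/".join(segments[1:])
    if "" in domain.mappings:
        api_id, stage = domain.mappings[""]
        return "forward", f"{api_id}/{stage}/" + "/".join(segments)
    # Domain exists but nothing is mapped for this path (Solution 3).
    return "403", "no base path mapping matches the request path"


# Constructed sample values, not taken from the page.
API = ("a1b2c3d4e5", "prod")
CF_HOST = "d111111abcdef8.cloudfront.net"

if __name__ == "__main__":
    unmapped = CustomDomain("api.example.com", CF_HOST)
    mapped = CustomDomain("api.example.com", CF_HOST, {"": API})
    for dom, host in [(unmapped, "api.example.com"), (mapped, CF_HOST),
                      (mapped, "api.example.com")]:
        print(host, sorted(dom.mappings), "->", route(dom, host, "/users"))
```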

Solution 4

In my case, the Legacy cache settings headers were the issue.

If you have selected Legacy cache settings in the CloudFront behaviour: in the CloudFront distribution, under Behaviour -> Legacy cache settings -> Header drop-down.

Selecting the value None solved my problem.


Updated on December 28, 2021


  • BBS 9 months

    I am creating an api using API Gateway and Lambda. Using the url designated in the API Gateway Stage editor everything works fine; however, when I try and move to a custom domain I am running into some issues.

    The first thing I tried was using a CNAME record in Route 53 straight from my domain onto the domain that I got from the API Gateway. That was returning some errors and I think it is the incorrect solution; is that correct?

    Next I tried the Custom Domain Names feature in API Gateway. My understanding is this will roll up a CloudFront distribution that I can then map onto from Route 53. When I created the custom domain and added a Domain Mapping it provides me with a url to what I assume is a CloudFront distribution. The link is returning a 403 response and no distribution has been made in CloudFront. What is a good way of debugging this problem?

  • Thiago Silva almost 5 years
    Adding the Host header was the missing piece for me. I have an API key required for the APIG, and was already providing the x-api-key custom header, but without the Host header, the request was always forbidden when using CloudFront.
  • Nate Barbettini almost 5 years
    This is the real answer!
  • JamesQMurphy over 4 years
    No, it's not. The whole point of using a custom domain is so that you can use it instead of using
  • shrumm almost 4 years
    It's useful to verify everything is working before connecting it to the 'real' domain.
  • bormansquirrel over 3 years
    Yes, even if you don't want to have an extra bit in your url layout (e.g., you will need to add a / base path mapping in order to make it work
  • Steven about 2 years
    I tried with postman and this solved half of the problem. But you can't set Host header in AJAX requests, the browser does not let you. Is there a solution to this?
  • Fernando Piancastelli over 1 year
    In my case, adding this Host header with my desired is what allowed my Route 53 record to go through - I didn't touch my cloudfront console tab.
  • w33b 9 months
    This does not provide an answer to the question. Once you have sufficient reputation you will be able to comment on any post; instead, provide answers that don't require clarification from the asker. - From Review
  • Jesse Barnum 9 months
    This answer solved my problem.
  • Marcello Romani 9 months
    I wonder if it's possible to use an APIGW custom domain without a cloudfront distribution...
  • Marcello Romani 9 months
    Ah, it depends on the endpoint type, Edge or Regional...
  • Ashish Karpe 8 months
    Btw, I am getting {"message":"Forbidden"} on my hosted domain name URL, but when I open the API endpoint my service is accessed. Note my API is open, but my Route 53 entry is in a different AWS account, and my custom domain created for the API and CloudFront are in a different AWS account.