Making calls to AWS api gateway endpoint with api key using rest client POSTMAN


Solution 1

From working with AWS API Gateway I have fell into the same trap as it seems you have. There are two things that can cause the infamous 403 ("message": "Missing authentication token.") message to be displayed:

  1. CloudFront's aggressive caching

I notice that you are using CloudFront to cache your API request/responses. CloudFront is a great tool — one of the best caching mechanisms if you ask me — but when caching things during development, it's really easy to get caught up with cached error messages. This may be the case here, so my advice is to remove the API from CloudFront until you have got it fully working.

  1. Forgetting to re-deploy

One of the major features of API Gateway is the way AWS handles multiple versions of APIs. Once deployed, you can be safe in the knowledge that your API endpoints will not change — exactly what you want from an API endpoint.

This is due to the way that endpoints are deployed. Each change that is made in the AWS console has to be deployed to a specific deployment in order to be interacted with live.

For instance, if I deploy my API to the "live" deployment and everything works well, that's great. I can now continue to tweak settings in the AWS console to improve the API over time, and when I'm happy with what I've changed I can deploy again to another API deployment, meaning that current API users will not have to change their interaction methods until a deployment is made back onto the deployment they are working on.

The problem you may be experiencing is that even though you have made lots of changes in the AWS console, you may not have re-deployed to the deployment that you are testing in Postman.


In the Resource editor panel, you can provide information about this method's response types, their headers and content types. Here it is possible to provide more meaningful error messages to your endpoints.

Solution 2

It looks like you did not add the resource in your URL. The URL should be something like:

but yours is more like

Solution 3

Requesting API Gateway paths that aren't there returns "message: Missing Authentication Token" payload.

Unfortunately that is pretty confusing.

Solution 4

In my case it was that the method I supported is POST and I tried to GET it in the browser. I retried by doing a POST in Postman and it worked!

Solution 5

I had to add an API Usage plan, and then link the plan to the API stage.

Seems like this is the only way to link the key to the API in AWS..

Subham Tripathi
Author by

Subham Tripathi

Frontend dev at Expedia #SOreadytohelp

Updated on November 19, 2020


  • Subham Tripathi
    Subham Tripathi almost 2 years

    We are developing a mobile/web app for which we are using aws lambda and dynamo db as our backend.The standalone lambda functions are working perfectly. The calls are being routed via api gateway. We are using api keys to leverage the security features that it provides. For some testing purposes, we are trying to call the api end point through a third party rest client POSTMAN.

    The requests are of POST type but no matter what we try, we get

    403 ("message": "Missing authentication token.")

    A snapshot is attached for reference. ( few portions are shaded for security reasons )

    enter image description here

    1. We are unable to fathom the root cause for the behaviour.
    2. if the same can be achieved with some other tool then please suggest.
  • Nabin
    Nabin over 6 years
    Yes, usually we are in hurry of testing things out. But if we are patient to read one more line, we are there.
  • mbatchkarov
    mbatchkarov over 5 years
    Same if you use the wrong HTTP method, eg. POST instead of GET. Super confusing