Skip to main content

Lambda Authorizer

A Lambda Authorizer configured like in the Authorizer guide can help integrate Supertokens with an AppSync service.

1. Set up the AppSync service

Set up the AppSync service with an API key authorization. For more details, please see the AWS documentation.

2. Configure the API Gateway with the authorizer

Follow the Authorizer guide to set up the API Gateway with the /auth, and /graphql resources set up. /auth should be pointed to a lambda that handles the auth APIs.

When setting up the POST method on /graphql, you should use the following settings:

  • Integration type: AWS service
  • AWS Region: the region of the AppSync service
  • AWS Service: AppSync Data Plane
  • AWS Subdomain: the part of the domain of the GraphQL service before .appsync-api.
  • HTTP method: POST
  • Action type: Use path override
  • Path override: /graphql
  • Execution role: the ARN of an execution role that is authorized to call the AppSync service (e.g.: AWSAppSyncInvokeFullAccess)

3. Set up the integration headers

Configure the "Integration Request" of the /graphql POST method.

  • Add HTTP Header mappings:
    • "x-api-key": The API key of the App Sync service, wrapped in single quotes.
    • "x-user-id": context.authorizer.principalId, without quotes.

4. Consume the context in resolvers

You can access the headers you mapped above in resolvers through the context. (e.g., $context.request.headers.custom) For more information, please see the resolver context docs.