In web-scale architectures, some API endpoints perform computationally expensive operations (like triggering web crawlers or running legacy database queries). If these endpoints are left unsecured or exposed to the public internet, bad actors can easily run up massive AWS bills or scrape your price books.
To protect these services, we route all calls through AWS API Gateway secured by Custom Lambda Authorizers that validate incoming JSON Web Tokens (JWTs) before routing the request to downstream handlers.
1. Custom Lambda Authorizers
When an API call hits API Gateway with an Authorization: Bearer header, the gateway forwards the token to an authorizer Lambda. This function verifies the JWT's signature against the issuer's public keys, checks the expiry, and verifies the user's scopes. If the token is valid, it returns an IAM policy allowing the request (and a Deny policy otherwise). API Gateway caches the returned policy per token for the authorizer's configured TTL, so the Resource should cover only the methods that token is actually allowed to invoke:
# Minimal IAM Policy generator in Python Lambda
def generate_iam_policy(principal_id, effect, resource_arn):
    """Build the authorizer response API Gateway expects: a principal plus an
    IAM policy that allows or denies execute-api:Invoke on the method ARN."""
    return {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Action": "execute-api:Invoke",
                    "Effect": effect,
                    "Resource": resource_arn
                }
            ]
        }
    }
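The following is an added, self-contained example of the full authorizer flow described above; it is not code from the original article. It models a TOKEN-type authorizer: the bearer token is pulled from event["authorizationToken"], its signature, expiry, issuer and audience are verified, the required scope is checked, and the IAM policy from the snippet above is returned (Allow with a context block, or Deny). To run offline without a JWKS endpoint, signatures use HMAC-SHA256 with a constructed demo secret as a stand-in for the RS256/public-key verification the article describes; the issuer, audience, scope name and secret are all assumed values. The algorithm is pinned server-side rather than read from the token, which is the check that defeats "alg: none" and key-confusion tokens.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values (assumptions, not from the article). A production
# authorizer would verify RS256 signatures against the issuer's JWKS instead.
DEMO_SECRET = b"constructed-demo-secret-do-not-use"
EXPECTED_ISSUER = "https://issuer.example"
EXPECTED_AUDIENCE = "crawler-api"
REQUIRED_SCOPE = "crawler:run"
PINNED_ALG = "HS256"


def _b64url_decode(data: str) -> bytes:
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def mint_demo_token(claims: dict, key: bytes = DEMO_SECRET, alg: str = PINNED_ALG) -> str:
    """Issue a signed token for the demo; stands in for the real identity provider."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_jwt(token: str, key: bytes = DEMO_SECRET, now=None) -> dict:
    """Return the claims if the token is authentic and current; raise ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: the token must never choose how it gets verified.
    if header.get("alg") != PINNED_ALG:
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("token expired")
    if claims.get("iss") != EXPECTED_ISSUER or claims.get("aud") != EXPECTED_AUDIENCE:
        raise ValueError("wrong issuer or audience")
    return claims


def generate_iam_policy(principal_id, effect, resource_arn, context=None):
    """Authorizer response: principal, IAM policy, and optional context for the backend."""
    policy = {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {"Action": "execute-api:Invoke", "Effect": effect, "Resource": resource_arn}
            ],
        },
    }
    if context:
        policy["context"] = context  # surfaces as $context.authorizer.* in the integration
    return policy


def lambda_handler(event, context=None):
    """TOKEN authorizer entry point: event carries authorizationToken and methodArn."""
    scheme, _, token = event.get("authorizationToken", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        # Raising "Unauthorized" makes API Gateway answer 401 without calling the backend.
        raise Exception("Unauthorized")
    resource = event["methodArn"]
    try:
        claims = verify_jwt(token)
    except ValueError:
        # Invalid token: explicit Deny (403). Cached by API Gateway for the authorizer TTL.
        return generate_iam_policy("anonymous", "Deny", resource)
    scopes = claims.get("scope", "").split()
    if REQUIRED_SCOPE not in scopes:
        return generate_iam_policy(claims.get("sub", "unknown"), "Deny", resource)
    return generate_iam_policy(
        claims["sub"], "Allow", resource,
        {"sub": claims["sub"], "scope": claims.get("scope", "")},
    )
```

Failures are split deliberately: a missing or malformed header raises so the client gets a 401, while a token that parses but fails verification or lacks the scope gets an explicit Deny, which API Gateway caches for that token just like an Allow.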
2. Rate Limiting and Quota Allocations
By defining API Usage Plans in API Gateway, we assign specific request rates and monthly quotas to different client IDs (e.g., separating internal webhooks from university partners), protecting downstream systems from spikes. Usage plans are keyed on API keys sent in the x-api-key header, which identify a calling client for metering and throttling but are not a substitute for the JWT verification above.
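To make the three numbers on a usage plan concrete (steady-state rate, burst, and monthly quota), here is an added Python model of how API Gateway applies them per API key; it is not the article's code and not API Gateway's implementation, but it follows the documented token-bucket behaviour (RateLimit refills the bucket, BurstLimit caps it, Quota is a hard monthly ceiling) and the status codes a throttled or over-quota client sees. The plan sizes, key names and the order in which quota and throttle are checked are assumptions chosen for illustration.

```python
import time
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class UsagePlan:
    """The settings configured on an API Gateway usage plan (assumed sample values below)."""
    name: str
    rate_limit: float   # steady-state requests/second (Throttle.RateLimit)
    burst_limit: int    # requests accepted at once from an idle client (Throttle.BurstLimit)
    monthly_quota: int  # requests per calendar month (Quota.Limit with Period=MONTH)


@dataclass
class _KeyState:
    tokens: float                # current bucket level
    last_refill: float           # epoch seconds of the last refill
    month: Tuple[int, int]       # (year, month) the quota counter belongs to
    used: int = 0                # requests counted against this month's quota


class UsagePlanEnforcer:
    """Per-API-key token bucket plus monthly counter; one instance models the gateway."""

    def __init__(self, plans_by_key: Dict[str, UsagePlan]):
        self._plans = plans_by_key
        self._state: Dict[str, _KeyState] = {}

    def check(self, api_key: str, now=None) -> Tuple[int, str]:
        """Admit or reject one request; returns (HTTP status, message)."""
        now = time.time() if now is None else now
        plan = self._plans.get(api_key)
        if plan is None:
            return 403, "Forbidden"  # key not attached to any usage plan
        tm = time.gmtime(now)
        month = (tm.tm_year, tm.tm_mon)
        st = self._state.get(api_key)
        if st is None or st.month != month:
            # New client or new calendar month: full bucket, quota counter reset
            st = _KeyState(tokens=plan.burst_limit, last_refill=now, month=month)
            self._state[api_key] = st
        if st.used >= plan.monthly_quota:
            return 429, "Limit Exceeded"  # quota exhausted until the month rolls over
        # Refill at rate_limit tokens/second, never above burst_limit
        st.tokens = min(plan.burst_limit, st.tokens + (now - st.last_refill) * plan.rate_limit)
        st.last_refill = now
        if st.tokens < 1:
            return 429, "Too Many Requests"  # throttled: wait for the bucket to refill
        st.tokens -= 1
        st.used += 1
        return 200, "OK"


def run_burst(enforcer: UsagePlanEnforcer, api_key: str, n: int, now: float) -> Tuple[int, int]:
    """Fire n requests at the same instant; return (accepted, rejected) counts."""
    statuses = [enforcer.check(api_key, now)[0] for _ in range(n)]
    return statuses.count(200), statuses.count(429)


# Constructed sample plans: generous for internal webhooks, tight for an external partner
SAMPLE_PLANS = {
    "internal-webhook-key": UsagePlan("internal-webhooks", rate_limit=100, burst_limit=200, monthly_quota=1_000_000),
    "partner-key": UsagePlan("university-partner", rate_limit=5, burst_limit=10, monthly_quota=1000),
}

if __name__ == "__main__":
    gw = UsagePlanEnforcer(SAMPLE_PLANS)
    t0 = 1_700_000_000.0
    print("partner spike of 12:", run_burst(gw, "partner-key", 12, t0))
    print("internal spike of 12:", run_burst(gw, "internal-webhook-key", 12, t0))
    print("partner 1s later, 10 more:", run_burst(gw, "partner-key", 10, t0 + 1.0))
```

The same spike of twelve simultaneous calls is fully admitted for the internal key but capped at the partner's burst of ten, and a second later the partner gets back only the five requests its rate allows; the quota check sits in front of all of that, so a client that has spent its month gets "Limit Exceeded" regardless of how idle it has been.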