We’re implementing a webhook from a 3rd party syst...
# random
r
We’re implementing a webhook from a 3rd party system and I’d like to be able to inspect the header of the request to check for the existence of certain headers and their values. I had planned to do this in a lambda authorizer, but what I’ve found is that, if the Authorization header is not present, API Gateway rejects the request as unauthorised and the authorisation lambda is never called. Is there a way to do this using lambda authorizers? If not, does anyone have any recommendations?
t
This is how we handle this for our stripe webhooks and it works really well!
r
Thank you, so does that mean you’re validating with a ‘regular’ lambda rather than a lambda authorizer?
a
I’m doing the same; a regular lambda with the jsonwebtoken package works perfectly for me, though I push the events to SQS and then process them separately.
Though I think using APIGV1 with request template validation would fare better in such cases. Correct me if I am thinking wrong.
o
Same for us, regular lambda into SQS, then another lambda that verifies, then into eventbridge. We need to access our DB to verify our webhooks, so we put an SQS queue in between for batching and throttling
r
Ok, thanks guys
s
You can definitely use a lambda authorizer for this. I've done it in the past. I like that it rejects the requests that don't have the headers you expect. Its default is to check the Authorization header, but you can change it to check for a list of headers you expect to verify in the HttpLambdaAuthorizer construct's identitySource prop like this:
a
@Sione How will you deal with requests that don’t need auth with a lambda authoriser?
r
That is interesting, exactly what I need
s
Ya, a lambda authorizer won't work if you have requests that don't need auth. My comment was mainly to point out that you can customize the headers that the authorizer expects if it's other than the default Authorization header, so it's not rejected as Ross mentioned. Otherwise, like everyone mentioned, a regular lambda will give the most flexibility.