Set up API Gateway
We create a REST API with two routes and attach a Cognito JWT Authorizer to protect GET /songs.
1. Create the API
- Go to API Gateway Console → Create API
- Select REST API → Build
- Configure:
  - API name: workshop-api
  - Endpoint type: Regional
- Click Create API. You will see the root resource /.

2. Create resources and methods
/login resource
- Select the root / → Actions → Create Resource
- Resource name: login → Create Resource
- Select /login → Actions → Create Method → POST → ✓
- Configure:
  - Integration type: Lambda Function
  - Lambda proxy integration: ✓ (checked)
  - Lambda function: loginFunction
- Click Save → OK to grant API Gateway permission to invoke the function

/songs resource
- Select the root / → Actions → Create Resource
- Resource name: songs → Create Resource
- Select /songs → Actions → Create Method → GET → ✓
- Configure:
  - Integration type: Lambda Function
  - Lambda proxy integration: ✓ (checked)
  - Lambda function: getSongsFunction
- Click Save → OK

3. Create Cognito Authorizer
This authorizer validates the JWT on every request to GET /songs before the request reaches the Lambda function.
- In the left sidebar → Authorizers → Create New Authorizer
- Configure:
  - Name: CognitoAuthorizer
  - Type: Cognito
  - Cognito User Pool: select workshop-pool
  - Token source: Authorization (the request header that carries the token)
- Click Create
- Click Test → enter the idToken from a login call → verify it returns 200

4. Attach the Authorizer to GET /songs
- Click on /songs → GET method
- Click Method Request
- Under Authorization, select CognitoAuthorizer from the dropdown
- Click the ✓ checkmark to save

Now GET /songs requires a valid JWT: a request with a missing, expired or otherwise invalid token is rejected by API Gateway with 401 and getSongsFunction is never invoked. POST /login remains public.
5. Enable CORS
For each resource (/login and /songs). Note that with Lambda proxy integration this step only creates the OPTIONS preflight method; the Lambda functions themselves must still return the Access-Control-Allow-Origin header on their real responses.
- Select the resource → Actions → Enable CORS
- Keep defaults → Enable CORS and replace existing CORS headers → Yes
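The handler below is an added example, not the workshop's own getSongsFunction, showing the two things the authorizer (step 4) and CORS (step 5) settings above imply for the function code: with the Cognito authorizer attached, the validated claims arrive at event["requestContext"]["authorizer"]["claims"] and the function never sees the token's signature; with Lambda proxy integration, the function itself must emit the CORS headers on the real response. The song list, the claim values and the sample event are constructed for this example.

```python
import json

# Constructed sample catalogue standing in for whatever the real function
# reads (for example a DynamoDB table); not data from the workshop.
SONGS = [
    {"id": "1", "title": "First Song", "artist": "Sample Artist"},
    {"id": "2", "title": "Second Song", "artist": "Sample Artist"},
]

# With Lambda proxy integration the function, not API Gateway, must put the
# CORS headers on the actual GET response; the console's "Enable CORS" action
# only wires up the OPTIONS preflight method.
CORS_HEADERS = {
    "Access-Control-Allow-Origin": "*",
    "Access-Control-Allow-Headers": "Content-Type,Authorization",
    "Access-Control-Allow-Methods": "GET,OPTIONS",
}


def proxy_response(status_code, body):
    """Build the response shape API Gateway expects from a proxy integration."""
    return {
        "statusCode": status_code,
        "headers": {"Content-Type": "application/json", **CORS_HEADERS},
        "body": json.dumps(body),
    }


def caller_claims(event):
    """Return the JWT claims the Cognito authorizer attached, or None.

    For a REST API with a Cognito user pool authorizer the validated claims
    are placed at event["requestContext"]["authorizer"]["claims"]. Trusting
    them is only safe because the authorizer is attached to this method.
    """
    request_context = event.get("requestContext") or {}
    authorizer = request_context.get("authorizer") or {}
    claims = authorizer.get("claims")
    return claims if isinstance(claims, dict) and claims.get("sub") else None


def lambda_handler(event, context):
    """Hypothetical entry point for getSongsFunction."""
    claims = caller_claims(event)
    if claims is None:
        # API Gateway rejects unauthenticated calls with 401 before invoking
        # the function, so this branch only fires if the authorizer is ever
        # detached from the method (e.g. by a bad redeploy). Fail closed.
        return proxy_response(401, {"message": "Unauthorized"})

    return proxy_response(200, {
        "user": claims.get("cognito:username") or claims["sub"],
        "songs": SONGS,
    })


# Constructed proxy event resembling what API Gateway delivers after the
# authorizer has validated an idToken; every value here is sample data.
SAMPLE_EVENT = {
    "httpMethod": "GET",
    "path": "/songs",
    "headers": {"Authorization": "<idToken-from-login>"},
    "requestContext": {
        "authorizer": {
            "claims": {
                "sub": "11111111-2222-3333-4444-555555555555",
                "cognito:username": "alice",
                "token_use": "id",
            }
        }
    },
}

if __name__ == "__main__":
    print(json.dumps(lambda_handler(SAMPLE_EVENT, None), indent=2))
```

Running the file locally prints the 200 proxy response for the sample event; passing an event with no requestContext.authorizer returns the 401 response, which is what you should see only if the authorizer is ever removed from GET /songs.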

6. Deploy the API
- Actions → Deploy API
- Configure:
  - Deployment stage: [New Stage]
  - Stage name: dev
- Click Deploy
- Copy the Invoke URL. It looks like:
  https://xxxxxxxxxx.execute-api.us-east-1.amazonaws.com/dev

Save this URL. You will use it in the Testing section.