Chris Mendez in For Developers, APIs, SaaS, IaaS, PaaS, AWS

AWS: Providing CORS access to your API Gateway

Not all gateways are meant to be public. Therefore, if you want to share limited API access with the world, you will need to use Cross-Origin Resource Sharing (CORS) and API Keys.

These are the tools you will need for API development: Tools for API Development


CORS cares about three things: The HEADER type, the HTTP verb (GET, POST, DELETE, UPDATE) and the origin of these requests (aka


We define our HEADER-types within the Method Response and their values within the Integration Response section.

Step 1 - Add Header Access

Within Method Response we identify the header-type, the HTTP verb and allowed origin.

The Method Response section allows you to pick which Headers, Methods and Origins you want to accept.

Step 2 - Insert Header Values

Within the Integration Response, we describe which values are permissible.

In this example we are allowing GET requests from anyone '*' in the world.

Header Mappings

  • Access-Control-Allow-Headers => 'Content-Type,X-Amz-Date,Authorization'
  • Access-Control-Allow-Methods => 'GET,POST'
  • Access-Control-Allow-Origin => '*'

API Keys

API Keys are used to track usage by Group or Organization. They're great for accounting purposes, as a way of keeping a record of who is using your service. They're not very hard to use, but there is a 4 step process to get started.


The steps for creating an API access key include:

  1. Create a key from the API Dashboard
  2. Create a usage plan using the API Dashboard
  3. Link your API stage to a usage plan.
  4. Link your API key to a usage plan.
  5. Enter the IAM role that has access to write data to CloudWatch

Step 1 - Create an API Key

Using the process above, step one consists of creating an API key.
Create API key

Step 2 - Create a usage plan

Usage plans are designed to help you, the API administrator, understand which of your clients is using your API and how much of it. This is especially helpful if you are planning to sell your API service within the AWS Marketplace.
Create usage plan

Step 3 - Link your API key to the usage plan

This step is about associating an API stage to a usage plan.
Link API key to usage plan

Step 4 - Subscribe API key to usage plan

This step focuses on associating an API key to a usage plan for monitoring and account reconciliation.
Subscribe API key to usage plan

Step 5 - Associate an API key to an HTTP Method

There are a few good reasons for this. For example, suppose you are an API administrator with 9 available methods. 3 methods are available to the open web, 3 are available to "bronze plan" subscribers and 3 more methods are available to "gold plan" subscribers. As an API administrator, one way to keep things organized is by associating specific API keys to specific methods.

Note: This probably isn't a scalable solution but you get the point.

You associate API keys with methods through the Method Request.

Click Method Request

Once you've clicked the Method Request of an HTTP verb, you can set Api Key Required to true.
Assign API Key to Method
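
An added example, not part of the original post: a simplified JavaScript model of the browser's CORS preflight decision, run against the Header Mappings from Step 2. It shows that a browser client sending its key in the `x-api-key` header (where API Gateway reads it by default) is blocked by that mapping until `X-Api-Key` is listed, and that a wildcard origin fails for credentialed requests. `tightenedPolicy`, `checkPreflight` and the `https://app.example.com` origin are assumptions made for illustration.

```javascript
// Added example: simplified model of a browser's CORS preflight decision.
// pagePolicy holds the three Header Mappings shown in Step 2 of this page.
const pagePolicy = {
  "Access-Control-Allow-Headers": "Content-Type,X-Amz-Date,Authorization",
  "Access-Control-Allow-Methods": "GET,POST",
  "Access-Control-Allow-Origin": "*",
};

// Constructed alternative: one named origin (hypothetical) plus X-Api-Key.
const tightenedPolicy = {
  "Access-Control-Allow-Headers": "Content-Type,X-Amz-Date,Authorization,X-Api-Key",
  "Access-Control-Allow-Methods": "GET,POST",
  "Access-Control-Allow-Origin": "https://app.example.com",
};

// Methods and request headers a browser never needs permission for.
// Content-Type is left out on purpose: values such as application/json
// are not safelisted, so it is treated as needing permission here.
const SAFE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFE_HEADERS = new Set(["accept", "accept-language", "content-language"]);

// Split a comma-separated header value into trimmed lowercase tokens.
function tokens(value) {
  return (value || "").split(",").map((t) => t.trim().toLowerCase()).filter(Boolean);
}

// req: { origin, method, headers: [header names], withCredentials }
function checkPreflight(policy, req) {
  const allowOrigin = policy["Access-Control-Allow-Origin"];
  if (allowOrigin === "*" && req.withCredentials) {
    return { ok: false, reason: "wildcard origin is rejected for credentialed requests" };
  }
  if (allowOrigin !== "*" && allowOrigin !== req.origin) {
    return { ok: false, reason: "origin not allowed: " + req.origin };
  }
  const method = req.method.toUpperCase();
  const methods = tokens(policy["Access-Control-Allow-Methods"]);
  if (!SAFE_METHODS.has(method) && !methods.includes(method.toLowerCase())) {
    return { ok: false, reason: "method not allowed: " + method };
  }
  const allowed = tokens(policy["Access-Control-Allow-Headers"]);
  for (const name of req.headers.map((h) => h.toLowerCase())) {
    if (!SAFE_HEADERS.has(name) && !allowed.includes(name)) {
      return { ok: false, reason: "header not allowed: " + name };
    }
  }
  return { ok: true, reason: "allowed" };
}
```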