
SYSTEM Cited by 1 source

Amazon API Gateway

What it is

Amazon API Gateway is AWS's managed API ingress: it fronts a REST, HTTP, or WebSocket API; handles routing, throttling, authorization, request transformation, and caching; and forwards requests to a backend (Lambda, ECS, EC2, VPC endpoint, etc.).

Why it appears in Verified Permissions architectures

In the patterns/lambda-authorizer pattern, API Gateway invokes a Lambda authorizer before each request; the authorizer returns an IAM policy (Allow / Deny), and API Gateway enforces that policy, forwarding or rejecting the request.

API Gateway adds two things beyond the authorizer itself:

  • Authorization-decision cache. When a Lambda authorizer returns an IAM policy, API Gateway can cache that decision keyed by token (or token + route), so subsequent requests from the same principal hit the cached IAM policy without re-invoking the authorizer. The cache TTL is configured per authorizer. This is the outer half of the two-level cache that delivers submillisecond authorization in Convera's architecture.
  • Built-in 403 / deny response handling — API Gateway returns the HTTP 4xx directly without touching the backend on deny.

The inner half of the two-level cache is application-level caching of Cognito tokens; together they mean that for repeat calls neither Cognito nor AVP is on the hot path. (Source: sources/2026-02-05-aws-convera-verified-permissions-fine-grained-authorization)
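
For the authorization-decision cache described above, an added example (not code from the Convera source or from AWS) of a Lambda authorizer whose returned policy stays correct when the cache is keyed by token alone and API Gateway reuses the cached policy on a different route. The grant table, token values, and the `cached_policy_allows` model of the gateway's check are constructed assumptions.

```python
from fnmatch import fnmatchcase

# Constructed stand-in for the real decision source (Verified Permissions in the
# architecture described above): token -> (principal, allowed (verb, path) pairs).
GRANTS = {
    "tok-alice": ("alice", [("GET", "/payments"), ("POST", "/payments")]),
    "tok-bob": ("bob", [("GET", "/payments")]),
}


def stage_prefix(method_arn):
    """arn:aws:execute-api:region:acct:apiId/stage/VERB/path -> '.../apiId/stage'."""
    return "/".join(method_arn.split("/")[:2])


def build_policy(principal, effect, resources):
    return {
        "principalId": principal,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Action": "execute-api:Invoke",
                           "Effect": effect, "Resource": resources}],
        },
    }


def handler(event, context=None):
    """TOKEN authorizer: return every route the principal may call, not only
    event['methodArn'], because the cached policy is reused on other routes."""
    prefix = stage_prefix(event["methodArn"])
    grant = GRANTS.get(event["authorizationToken"])
    if grant is None:
        return build_policy("unknown", "Deny", [f"{prefix}/*/*"])
    principal, routes = grant
    return build_policy(principal, "Allow",
                        [f"{prefix}/{verb}{path}" for verb, path in routes])


def cached_policy_allows(policy, method_arn):
    """Simplified model of the gateway checking a cached policy: explicit Deny
    wins, otherwise an Allow statement must match the requested method ARN."""
    verdict = False
    for stmt in policy["policyDocument"]["Statement"]:
        if any(fnmatchcase(method_arn, r) for r in stmt["Resource"]):
            if stmt["Effect"] == "Deny":
                return False
            verdict = True
    return verdict
```

A policy scoped only to the `methodArn` of the first request would, once cached, reject the same principal's legitimate calls to other routes until the TTL expires.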

Caveats

  • Cache invalidation on policy change isn't discussed in the Convera source; in general the authorizer-cache TTL becomes the policy-change propagation floor.
  • API Gateway has its own request-rate and account-level service quotas that are not discussed in the Convera source.
