Missing Authentication Token while accessing API Gateway?

I am trying to call a Lambda Function through AWS API Gateway. When I mention Authentication type NONE it works fine but API become public and anyone with url can access my API. To make API call secure, I am using Authentication type AWS_IAM and also attached AmazonAPIGatewayInvokeFullAccess policy to my user but getting this error:

{ message: "Missing Authentication Token"}

I don't know what I am missing here.


I've lost some time for a silly reason:

When you create a stage, the link displayed does not contain the resource part of the URL:

API URL: https://1111.execute-api.us-east-1.amazonaws.com/dev

API + RESOURCE URL https://1111.execute-api.us-east-1.amazonaws.com/dev/get-list

The /get-list was missing

And of course, you need to check that the method configuration looks like this:

enter image description here


I think you are directly trying to access API link, this won't work because API is secured using IAM role and you must provide AWS authentication i.e Access key and Secret key.

Use the Postman Chrome extension to test your API: http://docs.aws.amazon.com/apigateway/latest/developerguide/how-to-use-postman-to-call-api.html


I just had the same issue and it seems it also shows this message if the resource cannot be found.

In my case I had updated the API, but forgotten to redeploy. The issue was resolved after deploying the updated API to my stage.


Make sure you are clicking on the specific Resource first in the Stages tree, as that will populate a URL with the full path to the resource (rather than just the root path): enter image description here

For other causes, see http://www.awslessons.com/2017/aws-api-gateway-missing-authentication-token/


Looks like (as of April 2019) AWS API Gateway throws this exception for a variety of reasons - mostly when you are hitting an endpoint that API Gateway is not able to reach, either because it is not deployed, or also in cases where that particular HTTP method is not supported.

I wish the gateway sends more appropriate error codes like HTTP 405 Method not supported or HTTP 404 not found, instead of a generic HTTP 403 Forbidden.