AWS Certified Developer - Associate (DVA-C02) #3 Domain 1-2 Development with AWS Services — API Gateway
Now that we’ve covered the backend logic in #2 Lambda Deep Dive, this post covers API Gateway — the gateway in front of it that receives HTTP requests. A serverless API almost always looks like client → API Gateway → Lambda → DynamoDB, so the exam asks how you handle authentication, throttling, and caching at this gateway.
REST API vs HTTP API #
API Gateway comes in two kinds. The exam asks “which should you choose?” as a cost/feature trade-off.
| Aspect | REST API | HTTP API |
|---|---|---|
| Cost | More expensive | About 70% cheaper |
| Latency | Moderate | Lower |
| Auth | IAM, Cognito, Lambda authorizer | IAM, JWT (Cognito/OIDC), Lambda authorizer |
| Features | API keys/usage plans, caching, request validation, WAF | Core features only (no caching, no API keys) |
| Recommended for | When you need rich features | Simple Lambda/HTTP proxy, cost/latency first |
The one-liner: if you need more features, REST; if cheap and fast comes first, HTTP API. If you need API keys, usage plans, caching, or request validation, it has to be a REST API.
Lambda integration — proxy vs non-proxy #
There are two ways for API Gateway to invoke Lambda.
- Lambda proxy integration — passes the entire request (headers, query, body, path) to Lambda as a fixed-format event, and Lambda responds in a fixed format carrying
statusCode,headers, andbody. There’s almost no mapping to configure, so it’s simple and the most common. - Non-proxy (custom) integration — transforms requests and responses with mapping templates (VTL). It allows fine-grained control but is complex.
In proxy integration, if Lambda doesn’t honor the fixed response format (
statusCode/body), you get a 502 Bad Gateway. It’s a regular exam error.
Authentication — three methods #
There are three ways to control who can call API Gateway. This distinction is also a core topic that connects to the security domain.
| Method | When it fits |
|---|---|
| IAM authentication (SigV4) | When the caller has AWS credentials (other AWS services, internal systems). The request is SigV4-signed |
| Cognito User Pool authorizer | Apps where users log in. Validates the JWT issued by Cognito |
| Lambda authorizer (custom) | Custom auth logic such as your own tokens or third-party OIDC. Token-based or request-parameter-based |
A Lambda authorizer decides allow/deny by having the auth function return an IAM policy document, and it can cache the result to cut per-request invocations. A custom requirement like “I need to validate an external OAuth token” calls for a Lambda authorizer. For “users logged in with Cognito,” it’s the Cognito authorizer.
Throttling and usage plans #
API Gateway limits request rates to protect the backend.
- Account/stage-level throttling — the default request rate and burst (token bucket) limits.
- Usage plan + API key — applies different call limits and quotas per customer/tier. This is a REST API-only feature.
When the limit is exceeded, the client receives 429 Too Many Requests. The answer to “how do I limit the monthly call count for a specific customer tier?” is usage plan + API key. The trap is that an API key itself is not an authentication mechanism but an identification/metering mechanism.
Caching #
A REST API can enable a response cache at the stage level. It reduces backend calls for the same request, lowering latency and cost. You set a TTL, and you can also allow clients to bypass the cache with a Cache-Control header. HTTP APIs have no caching.
Stages and stage variables #
- Stage — a deployment environment like
devorprod. Deployment is always to a specific stage. - Stage variable — a key-value that injects a different value per stage. For example, you can have the
devstage point to Lambda’sdevalias andprodpoint to theprodalias, so one API definition branches to per-environment backends.
When you tie stage variables to Lambda aliases, you can invoke different function versions per environment without changing the API definition.
CORS #
When you call an API on a different origin from the browser, CORS applies. The browser sends an OPTIONS preflight before the actual request, and API Gateway must respond with headers like Access-Control-Allow-Origin.
Exam trap: if the frontend throws a “CORS error,” the fix is not the code but enabling CORS in API Gateway (or, with proxy integration, in the Lambda response headers). With proxy integration, you often have to put the CORS headers directly into the Lambda response.
Other exam points #
- Request validation — a REST API can validate the request body and parameters with a model (JSON Schema), filtering out bad requests before Lambda.
- WAF attachment — attach WAF to a REST API to block L7 attacks.
- Timeout — the API Gateway integration timeout is at most 29 seconds. Longer work must be reshaped into an asynchronous pattern (202 response + polling/events).
- Endpoint types — Edge-optimized (via CloudFront), Regional, Private (inside a VPC).
Exam question patterns #
- “Cost and latency matter most and I only need a simple Lambda proxy.” → HTTP API.
- “I want a per-customer monthly quota via API keys.” → REST API + usage plan + API key.
- “Allow only users logged in with Cognito.” → Cognito User Pool authorizer.
- “Validate a third-party OAuth token with my own logic.” → Lambda authorizer.
- “A proxy-integration Lambda returns 502.” → Response format mismatch (statusCode/body).
- “The same request repeatedly hits the backend and is slow.” → API Gateway caching.
- “CORS error in the browser.” → Enable CORS in API Gateway/Lambda.
Wrap-up #
What this post locked in:
- REST API (feature-rich, API keys, caching, request validation) vs HTTP API (cheap, low latency)
- Lambda proxy integration is the default. Break the response format and you get 502
- Auth — three branches: IAM (SigV4), Cognito authorizer, Lambda authorizer
- Usage plan + API key for per-customer limits. 429 on exceeding. An API key is metering, not authentication
- Caching, request validation, and WAF are REST API features
- Stage variables + Lambda aliases branch backends per environment
- CORS and the 29-second timeout are regular traps
Next — Domain 1-3 DynamoDB Development #
Behind the API is the data. The most-used database in serverless is DynamoDB. In #4 DynamoDB Development, I’ll cover partition key design, the difference between LSI and GSI, read consistency, conditional writes and optimistic locking, DynamoDB Streams, and DAX caching.