Securing AWS HTTP APIs with JWT Authorizers (Forge)

JimmyLoughran · May 10, 2022, 10:52am

I am creating a simple HTTP API in AWS API Gateway.

I am looking to limit POST requests to the API so they can only be sent from my Atlassian Forge app.

I can see that AWS API Gateway has an option to add JWT authorizers for API routes, with the fields:

Identity source
Issuer URL
Audience

I’m fairly new to the world of API creation and JWT. I came across this helpful tutorial for Auth0, (as well as some documentation from Atlassian) — I am wondering if anyone with some experience in this could explain some of the steps for creating / mapping for these fields to work with a Forge app.

Thanks in advance!

denizoguz · May 12, 2022, 9:31am

Hi,
Instead of JWT, you can use API Keys. You can generate API Keys on AWS Console and store them using secret forge variables. You can access these keys using process.env and pass them to HTTP API in the headers of fetch request.

headers: { "x-api-key": process.env.API_KEY },

HTTP API will simply discard all requests without this API_KEY. Note that, you should only use this method if you are using fetch method from your forge backend, not from the Javascript running on the browser.

JimmyLoughran · May 31, 2022, 9:31am

Thanks for the solution @denizoguz — I’ll use an API key in this case.