Securing AWS HTTP APIs with JWT Authorizers (Forge)


I am creating a simple HTTP API in AWS API Gateway.

I am looking to limit POST requests to the API so they can only be sent from my Atlassian Forge app.

I can see that AWS API Gateway has an option to add JWT authorizers for API routes, with the fields:

  • Identity source
  • Issuer URL
  • Audience

I’m fairly new to the world of API creation and JWT. I came across this helpful tutorial for Auth0 (as well as some documentation from Atlassian) — I am wondering if anyone with some experience in this could explain some of the steps for creating / mapping these fields to work with a Forge app.

Thanks in advance!

Instead of JWT, you can use API keys. You can generate API keys in the AWS Console and store them using secret Forge variables. You can access these keys using process.env and pass them to the HTTP API in the headers of the fetch request.

headers: { "x-api-key": process.env.API_KEY },

HTTP API will simply discard all requests without this API_KEY. Note that you should only use this method if you are using the fetch method from your Forge backend, not from the JavaScript running in the browser.
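A worked version of the approach above, added here as an example and not code from the thread: a Forge backend helper that reads the key from the secret variable and sends it in the x-api-key header. It assumes the key was stored with `forge variables set --encrypt API_KEY <value>`, uses a placeholder endpoint URL, and takes the fetch implementation as a parameter (in a real Forge function you would pass `fetch` from `@forge/api`) so the logic can be exercised offline.

```javascript
// Added example, not from the original thread. Assumed: API_KEY is a secret
// Forge variable, API_ENDPOINT is a placeholder, fetchImpl is @forge/api's
// fetch in production (injected here so the helper can be tested stand-alone).

const API_ENDPOINT = 'https://EXAMPLE-ID.execute-api.REGION.amazonaws.com/items'; // placeholder

// Build the request the Forge backend sends. Fails closed when the key is
// absent, so a misconfigured deployment never issues an unauthenticated POST.
function buildRequest(payload, apiKey) {
  if (typeof apiKey !== 'string' || apiKey.length === 0) {
    throw new Error('API_KEY is not set; refusing to call the API without it');
  }
  return {
    method: 'POST',
    headers: {
      'content-type': 'application/json',
      'x-api-key': apiKey, // the header API Gateway checks before forwarding
    },
    body: JSON.stringify(payload),
  };
}

// Perform the call and classify the outcome. The key is never written into
// log lines or error messages, since Forge logs are visible to app admins.
async function postToApi(payload, { fetchImpl, apiKey = process.env.API_KEY, endpoint = API_ENDPOINT } = {}) {
  if (typeof fetchImpl !== 'function') {
    throw new Error('fetchImpl is required (pass fetch from @forge/api)');
  }
  const request = buildRequest(payload, apiKey);
  const response = await fetchImpl(endpoint, request);
  if (response.status === 403) {
    // Gateway rejected the request: key missing, wrong, or revoked.
    return { ok: false, reason: 'rejected by API Gateway (missing or invalid x-api-key)' };
  }
  if (!response.ok) {
    return { ok: false, reason: `upstream returned HTTP ${response.status}` };
  }
  return { ok: true, data: await response.json() };
}
```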


Thanks for the solution @denizoguz — I’ll use an API key in this case.