
How to Setup AWS API Gateway with JWT Authentication for Internal Services

Setup API Gateway

1. Create an HTTP API Gateway in AWS with a custom domain (e.g., api2.yourdomain.com).
2. Configure JWT Authorization:
   - Set up a JWT Authorizer with your authentication provider (e.g., Descope).
   - Configure the Issuer URL and Audience (Project ID). API Gateway fetches the issuer's signing keys (JWKS) through the OpenID configuration published under the Issuer URL and rejects any token whose signature, `iss`, `aud`, or expiry does not check out.
3. Create a VPC Link to connect API Gateway to internal services:
   - Set up a VPC Link in API Gateway.
   - Configure security groups to allow traffic between API Gateway and the internal ALB. Let the ALB accept traffic only from the VPC Link's security group: the JWT authorizer is the only gate in front of the internal services, and any other path into the ALB bypasses it.
4. Configure routes and integrations:
   - Create routes for your API endpoints and attach the JWT Authorizer to each of them.
   - Set up integrations with your internal Application Load Balancer.
   - Use the HTTP_PROXY integration type with a VPC_LINK connection.
5. Configure CORS for browser access:
   - Add allowed origins in the API Gateway CORS settings.
   - Enable CORS headers in your backend services.
   - Set Access-Control-Allow-Origin to your frontend domains explicitly rather than `*`.

Usage

To access the API Gateway endpoints, include a valid JWT as a Bearer token in the Authorization header:

```bash
curl -X GET "https://api2.yourdomain.com/your/path" -H "Authorization: Bearer "
```

The API Gateway will:

- Validate the JWT token (signature against the issuer's keys, issuer, audience, expiry).
- Check authorization for the requested route (the authorizer's checks plus any scopes configured on the route). Tenant-level authorization that depends on token claims has to be enforced by the backend, which receives the validated token in the forwarded Authorization header.
- Forward authorized requests to internal services.

For browser-based applications, ensure your frontend domain is included in both the API Gateway CORS configuration and the backend service CORS settings. When CORS is configured on an HTTP API, API Gateway's CORS headers take precedence over those the backend returns, so the two allowlists must agree.
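The setup above, expressed as Terraform so the security-relevant pieces are visible in one place. This is an added example, not the page's or any project's own configuration. It assumes an existing internal listener `aws_lb_listener.internal` (HTTP on port 80) and the ALB's security group `aws_security_group.alb`, and takes the issuer URL, audience (Descope Project ID), VPC, subnets, certificate and frontend origins as input variables; all of those names are assumptions.

```hcl
# Added example (not the page's own config): an HTTP API in front of an
# internal ALB through a VPC Link, with a JWT authorizer and explicit CORS.
# Assumed to exist elsewhere: aws_lb_listener.internal, aws_security_group.alb.

variable "jwt_issuer" { type = string }      # Issuer URL from your Descope project
variable "jwt_audience" { type = string }    # Descope Project ID
variable "vpc_id" { type = string }
variable "private_subnet_ids" { type = list(string) }
variable "certificate_arn" { type = string }
variable "frontend_origins" { type = list(string) } # explicit origins, never "*"

# Security group attached to the VPC Link's network interfaces.
resource "aws_security_group" "vpc_link" {
  name   = "api2-vpc-link"
  vpc_id = var.vpc_id
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# The internal ALB admits only the VPC Link. Anything else in the VPC that
# could reach the ALB directly would bypass the JWT authorizer entirely.
resource "aws_vpc_security_group_ingress_rule" "alb_from_vpc_link" {
  security_group_id            = aws_security_group.alb.id
  referenced_security_group_id = aws_security_group.vpc_link.id
  ip_protocol                  = "tcp"
  from_port                    = 80 # assumed internal HTTP listener port
  to_port                      = 80
}

resource "aws_apigatewayv2_vpc_link" "internal" {
  name               = "api2-internal"
  subnet_ids         = var.private_subnet_ids
  security_group_ids = [aws_security_group.vpc_link.id]
}

resource "aws_apigatewayv2_api" "api2" {
  name          = "api2"
  protocol_type = "HTTP"

  # API Gateway answers preflight and sets these headers on responses;
  # keep the list in sync with the backend's own CORS allowlist.
  cors_configuration {
    allow_origins = var.frontend_origins
    allow_methods = ["GET", "POST", "OPTIONS"]
    allow_headers = ["authorization", "content-type"]
    max_age       = 300
  }
}

# Tokens are validated against the issuer's published keys; iss and aud
# must match exactly, and expired tokens are rejected before any forwarding.
resource "aws_apigatewayv2_authorizer" "jwt" {
  api_id           = aws_apigatewayv2_api.api2.id
  name             = "descope-jwt"
  authorizer_type  = "JWT"
  identity_sources = ["$request.header.Authorization"]

  jwt_configuration {
    issuer   = var.jwt_issuer
    audience = [var.jwt_audience]
  }
}

# HTTP_PROXY over the VPC Link; the integration URI is the ALB listener ARN.
resource "aws_apigatewayv2_integration" "alb" {
  api_id                 = aws_apigatewayv2_api.api2.id
  integration_type       = "HTTP_PROXY"
  integration_method     = "ANY"
  integration_uri        = aws_lb_listener.internal.arn
  connection_type        = "VPC_LINK"
  connection_id          = aws_apigatewayv2_vpc_link.internal.id
  payload_format_version = "1.0"
}

# A single catch-all route, and it requires the authorizer: there is no
# unauthenticated route into the internal services.
resource "aws_apigatewayv2_route" "proxy" {
  api_id             = aws_apigatewayv2_api.api2.id
  route_key          = "ANY /{proxy+}"
  target             = "integrations/${aws_apigatewayv2_integration.alb.id}"
  authorization_type = "JWT"
  authorizer_id      = aws_apigatewayv2_authorizer.jwt.id
}

resource "aws_apigatewayv2_stage" "default" {
  api_id      = aws_apigatewayv2_api.api2.id
  name        = "$default"
  auto_deploy = true
}

resource "aws_apigatewayv2_domain_name" "api2" {
  domain_name = "api2.yourdomain.com"
  domain_name_configuration {
    certificate_arn = var.certificate_arn
    endpoint_type   = "REGIONAL"
    security_policy = "TLS_1_2"
  }
}

resource "aws_apigatewayv2_api_mapping" "api2" {
  api_id      = aws_apigatewayv2_api.api2.id
  domain_name = aws_apigatewayv2_domain_name.api2.id
  stage       = aws_apigatewayv2_stage.default.id
}
```

Two points worth checking after `terraform apply`: a request without an Authorization header to any path should return 401 from API Gateway without touching the ALB, and a request sent straight to the ALB's DNS name from a host in the VPC that is not in the `api2-vpc-link` security group should time out, which confirms that the authorizer cannot be bypassed from inside the network.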
