Need help?

Our experts have had an average response time of 11.7 minutes in August 2021 to fix urgent issues.

We will keep your servers stable, secure, and fast at all times for one fixed price.

Resolve Amazon API Gateway HTTP 403 Forbidden error

by | Sep 7, 2021

Wondering how to resolve an Amazon API Gateway HTTP 403 Forbidden Error? Relax, the Support Techs at Bobcares are here to assist you.

One of our customers recently ran into trouble when they could not access a valid URL and would up with a 403 Forbidden error. Our Support Techs were able to resolve the issue in a flash. Let’s take a look at how they went about solving this particular problem.

How To Resolve Amazon API Gateway HTTP 403 Forbidden Error?

The HTTP 403 Forbidden error indicates the client is forbidden from accessing a valid URL. Although the server seems to have understood the request, it refuses to comply due to client-side issues. This particular error code arises due to a number of reasons like “The caller isn’t authorized to access an API that’s using AWS Identity and Access Management (IAM) authorization” or “The caller isn’t authorized to access an API that’s using a Lambda authorizer” and so on.

Troubleshooting Tips For Amazon API Gateway HTTP 403 Forbidden Error

These troubleshooting tips via our Support Techs will help you get to the root of the issue.

Identify The Source of the Amazon API Gateway HTTP 403 Forbidden Error

These troubleshooting steps will come in handy to identify the cause of the error:

  1. In case the error was reported by a web browser, it may be due to an incorrect proxy setting. The proxy server returns this error code if HTTP access is denied.
  2. If another AWS service gets in from of the API it can result in a 403 error code.

Check if the Requested Resource Already Exists in the API definition

Check if the requested resource already exists in the API definition, You can use either the AWS Command Line Interface or the API Gateway console. Our Support Techs would like to remind you that the API needs to be deployed with the latest definition.

Get Request & Response Details Using Curl

Use the curl -v to obtain more details if the error can be reproduced. For instance:

curl -X GET -v

Check the Header

In case the error is due to an API key, check whether the “x-api-key” header was included in the request.

Verify the DNS Setting on VPC Endpoint

In case the API was invoked from an Amazon VPC with an interface VPC endpoint, check whether the DNS setting is accurate based on the API type.

Key Points To Remember:

  • The private DNS has to be enabled on the interface endpoint in order to invoke a Regional API from inside a VPC. This will allow the endpoint’s hostname to be resolved by a public DNS.
  • Activate the private DNS on the interface endpoint to invoke a private API from inside the VPC via the API’s private DNS name. This resolves the endpoint’s hostname to the VPC’s local subnet resources.

Verify The Resource Policy

Check for the following issues:

  • In case the API is invoked via a VPC with an interface VPC endpoint, the resource policy has to grant the interface endpoint or the Amazon VPC access to the API.
  • Ensure the resource policy’s formatting and specifications are correct.

Check the API Access Logs

Remember to set up and check the API access logs to ensure that the requests reach the API.

Check HTTP Request & Response Messages

If possible, reproduce the error and use the network tools to capture the HTTP responses and request messages for analysis. You can also save these messages in the HTTP Archive file for offline analysis. After that, analyze the requests and responses between the API and the client to identify where the error occurred.

[Looking for help with the process? We are glad to be of assistance.]

Conclusion: Resolved Amazon API Gateway HTTP 403 Forbidden Error

At the end of the day, our Support Techs helped a client resolve Amazon API Gateway HTTP 403 forbidden error in a jiffy.


Never again lose customers to poor server speed! Let us help you.

Our server experts will monitor & maintain your server 24/7 so that it remains lightning fast and secure.



Submit a Comment

Your email address will not be published. Required fields are marked *

Privacy Preference Center


Necessary cookies help make a website usable by enabling basic functions like page navigation and access to secure areas of the website. The website cannot function properly without these cookies.

PHPSESSID - Preserves user session state across page requests.

gdpr[consent_types] - Used to store user consents.

gdpr[allowed_cookies] - Used to store user allowed cookies.

PHPSESSID, gdpr[consent_types], gdpr[allowed_cookies]


Statistic cookies help website owners to understand how visitors interact with websites by collecting and reporting information anonymously.

_ga - Preserves user session state across page requests.

_gat - Used by Google Analytics to throttle request rate

_gid - Registers a unique ID that is used to generate statistical data on how you use the website.

smartlookCookie - Used to collect user device and location information of the site visitors to improve the websites User Experience.

_ga, _gat, _gid
_ga, _gat, _gid


Marketing cookies are used to track visitors across websites. The intention is to display ads that are relevant and engaging for the individual user and thereby more valuable for publishers and third party advertisers.

IDE - Used by Google DoubleClick to register and report the website user's actions after viewing or clicking one of the advertiser's ads with the purpose of measuring the efficacy of an ad and to present targeted ads to the user.

test_cookie - Used to check if the user's browser supports cookies.

1P_JAR - Google cookie. These cookies are used to collect website statistics and track conversion rates.

NID - Registers a unique ID that identifies a returning user's device. The ID is used for serving ads that are most relevant to the user.

DV - Google ad personalisation

IDE, test_cookie, 1P_JAR, NID, DV, NID
IDE, test_cookie


These are essential site cookies, used by the google reCAPTCHA. These cookies use an unique identifier to verify if a visitor is human or a bot.