Authorization Token

The steps for deriving the JWT authorization token are given below,

The client must generate an RSA4096 key pair and share the public key with the Galaxy.
Create a JSON object with the following parameters,
uri:- request URI
nonce:- unique request ID
iat:- request generated timestamp in UTC
exp:- expiration timestamp of request in UTC (must be less than iat+ 30sec)
sub:- API key shared by Galaxy
bodyHash:- SHA256 hash of the request body if applicable.
Sign the above JSON object with the RSA256 algorithm using the RSA4096 private key generated in the first step to create the JWT token.
JWT tokens can be created by directly encoding and assembling the token's components (header, payload, and signature) or by using third-party libraries that automate the process, including encoding. Both approaches produce a Base64 encoded token.
The generated JWT token should be sent as the bearer token via the Authorization HTTP header.

When clients invoke the endpoints, the Lambda Authorizer attached to the API Gateway verifies the authorization token and responds with an HTTP 403 if the verification fails. The following checks will be performed, and the respective error message will be returned if the check fails.

Missing Token: An authorization token was not provided.

{
    "message": "The authorization token was not provided"
}

Malformed Token: An authorization token with an invalid format was provided.
```
{
    "message": "The authorization token was malformed"
}
```
Expired Token: The expired authorization token is presented in the header.
```
{
    "message": "The authorization token has expired"
}
```
Invalid Signature Presented: The signature in the authorization token was invalid.
```
{
    "message": "The signature in the authorization token was invalid"
}
```

Exceeded Maximum Duration: Expiry timestamp in the authorization token is greater than 30 seconds from issued at timestamp.

{
    "message": "The expiration timestamp of the authorization token in UTC must be less than 30 seconds from the issued-at time"
}

Client’s Public Key Not Found: The public key of the client was not found.
```
{
    "message": "The public key of the client was not found"
}
```
Token Issued for Future Timestamp: The authorization token was issued for a future timestamp.
```
{
    "message": "The authorization token was issued for future timestamp"
}
```

Invalid API Key: Invalid API key was provided.

{
    "message": "Invalid API key was provided"
}

Internal Verification Error: An error occurred when verifying the authorization token.

{
    "message": "Unable to verify the authorization token due to an internal processing error"
}

Missing Parameters: The authorization token must contain uri, nonce, iat, exp, and sub.

{
    "message": "Missing parameters in the authorization token, must contain uri, nonce, iat, exp and sub"
}

Invalid Request URI: The API path did not match the request URI specified in the authorization token.

{
    "message": "API path has not matched with the request URI specified in the Authorization token"
}

Payload Hash Mismatch: The payload hash encoded in the authorization token did not match the API payload. This issue applies to POST/PUT APIs only.
```
{
    "message": "Payload hash in the authorization token has not matched with the API payload"
}
```

PreviousAPI Key NextClient Request Identifier

Last updated 4 months ago