I'm currently developing an API using AWS API Gateway. I'm issuing a JSON Web Token (JWT) to my client. That JWT is signed using a secret. I'm currently storing the secret in stage variables.
I want to use a custom authorizer to validate the JWT's signature. However I can't seem to find a way of passing the stage variable containing my secret to my custom authorizer.
For the authorisation endpoint issuing the JWT, I've used Lambda Proxy Integration to pass the secret from the stage variable to my Lambda function. However there doesn't seem to be an equivalent feature for custom authorizers.
It's not currently possible to access stage variables from your custom authorizer function. However, we are considering this for future development.
I would urge against storing secrets in stage variables and opt for a secret management solution (such as KMS) instead. KMS can be easily called from within your custom authorizer function.