# LambdaRequestAuthorizer
<a name="sam-property-api-lambdarequestauthorizer"></a>

Configure a Lambda Authorizer to control access to your API with a Lambda function.

For more information and examples, see [Control API access with your AWS SAM template](serverless-controlling-access-to-apis.md).

## Syntax
<a name="sam-property-api-lambdarequestauthorizer-syntax"></a>

To declare this entity in your AWS Serverless Application Model (AWS SAM) template, use the following syntax.

### YAML
<a name="sam-property-api-lambdarequestauthorizer-syntax.yaml"></a>

```
DisableFunctionDefaultPermissions: Boolean
[FunctionArn](#sam-api-lambdarequestauthorizer-functionarn): String
[FunctionInvokeRole](#sam-api-lambdarequestauthorizer-functioninvokerole): String
[FunctionPayloadType](#sam-api-lambdarequestauthorizer-functionpayloadtype): String
[Identity](#sam-api-lambdarequestauthorizer-identity): LambdaRequestAuthorizationIdentity
```

## Properties
<a name="sam-property-api-lambdarequestauthorizer-properties"></a>

 `DisableFunctionDefaultPermissions`   <a name="sam-api-lambdarequestauthorizer-disablefunctiondefaultpermissions"></a>
Specify `true` to prevent AWS SAM from automatically creating an `AWS::Lambda::Permissions` resource to provision permissions between your `AWS::Serverless::Api` resource and authorizer Lambda function.  
*Default value*: `false`  
*Type*: Boolean  
*Required*: No  
*CloudFormation compatibility*: This property is unique to AWS SAM and doesn't have an CloudFormation equivalent.

 `FunctionArn`   <a name="sam-api-lambdarequestauthorizer-functionarn"></a>
Specify the function ARN of the Lambda function which provides authorization for the API.  
AWS SAM will automatically create an `AWS::Lambda::Permissions` resource when `FunctionArn` is specified for `AWS::Serverless::Api`. The `AWS::Lambda::Permissions` resource provisions permissions between your API and authorizer Lambda function.
*Type*: String  
*Required*: Yes  
*CloudFormation compatibility*: This property is unique to AWS SAM and doesn't have an CloudFormation equivalent.

 `FunctionInvokeRole`   <a name="sam-api-lambdarequestauthorizer-functioninvokerole"></a>
Adds authorizer credentials to the OpenApi definition of the Lambda authorizer.  
*Type*: String  
*Required*: No  
*CloudFormation compatibility*: This property is unique to AWS SAM and doesn't have an CloudFormation equivalent.

 `FunctionPayloadType`   <a name="sam-api-lambdarequestauthorizer-functionpayloadtype"></a>
This property can be used to define the type of Lambda Authorizer for an API.  
*Valid values*: `TOKEN` or `REQUEST`  
*Type*: String  
*Required*: No  
*Default*: `TOKEN`  
*CloudFormation compatibility*: This property is unique to AWS SAM and doesn't have an CloudFormation equivalent.

 `Identity`   <a name="sam-api-lambdarequestauthorizer-identity"></a>
This property can be used to specify an `IdentitySource` in an incoming request for an authorizer. This property is only required if the `FunctionPayloadType` property is set to `REQUEST`.  
*Type*: [LambdaRequestAuthorizationIdentity](sam-property-api-lambdarequestauthorizationidentity.md)  
*Required*: Conditional  
*CloudFormation compatibility*: This property is unique to AWS SAM and doesn't have an CloudFormation equivalent.

## Examples
<a name="sam-property-api-lambdarequestauthorizer--examples"></a>

### LambdaRequestAuth
<a name="sam-property-api-lambdarequestauthorizer--examples--lambdarequestauth"></a>

#### YAML
<a name="sam-property-api-lambdarequestauthorizer--examples--lambdarequestauth--yaml"></a>

```
Authorizers:
  MyLambdaRequestAuth:
    FunctionPayloadType: REQUEST
    FunctionArn:
      Fn::GetAtt:
        - MyAuthFunction
        - Arn
    FunctionInvokeRole:
      Fn::GetAtt:
        - LambdaAuthInvokeRole
        - Arn
    Identity:
      Headers:
        - Authorization1
```

# LambdaRequestAuthorizationIdentity
<a name="sam-property-api-lambdarequestauthorizationidentity"></a>

This property can be used to specify an IdentitySource in an incoming request for an authorizer. For more information about IdentitySource see the [ApiGateway Authorizer OpenApi extension](https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-swagger-extensions-authorizer.html).

## Syntax
<a name="sam-property-api-lambdarequestauthorizationidentity-syntax"></a>

To declare this entity in your AWS Serverless Application Model (AWS SAM) template, use the following syntax.

### YAML
<a name="sam-property-api-lambdarequestauthorizationidentity-syntax.yaml"></a>

```
  [Context](#sam-api-lambdarequestauthorizationidentity-context): List
  [Headers](#sam-api-lambdarequestauthorizationidentity-headers): List
  [QueryStrings](#sam-api-lambdarequestauthorizationidentity-querystrings): List
  [ReauthorizeEvery](#sam-api-lambdarequestauthorizationidentity-reauthorizeevery): Integer
  [StageVariables](#sam-api-lambdarequestauthorizationidentity-stagevariables): List
```

## Properties
<a name="sam-property-api-lambdarequestauthorizationidentity-properties"></a>

 `Context`   <a name="sam-api-lambdarequestauthorizationidentity-context"></a>
Converts the given context strings to the mapping expressions of format `context.contextString`.  
*Type*: List  
*Required*: No  
*CloudFormation compatibility*: This property is unique to AWS SAM and doesn't have an CloudFormation equivalent.

 `Headers`   <a name="sam-api-lambdarequestauthorizationidentity-headers"></a>
Converts the headers to comma-separated string of mapping expressions of format `method.request.header.name`.  
*Type*: List  
*Required*: No  
*CloudFormation compatibility*: This property is unique to AWS SAM and doesn't have an CloudFormation equivalent.

 `QueryStrings`   <a name="sam-api-lambdarequestauthorizationidentity-querystrings"></a>
Converts the given query strings to comma-separated string of mapping expressions of format `method.request.querystring.queryString`.  
*Type*: List  
*Required*: No  
*CloudFormation compatibility*: This property is unique to AWS SAM and doesn't have an CloudFormation equivalent.

 `ReauthorizeEvery`   <a name="sam-api-lambdarequestauthorizationidentity-reauthorizeevery"></a>
The time-to-live (TTL) period, in seconds, that specifies how long API Gateway caches authorizer results. If you specify a value greater than 0, API Gateway caches the authorizer responses. By default, API Gateway sets this property to 300. The maximum value is 3600, or 1 hour.  
*Type*: Integer  
*Required*: No  
*Default*: 300  
*CloudFormation compatibility*: This property is unique to AWS SAM and doesn't have an CloudFormation equivalent.

 `StageVariables`   <a name="sam-api-lambdarequestauthorizationidentity-stagevariables"></a>
Converts the given stage variables to comma-separated string of mapping expressions of format `stageVariables.stageVariable`.  
*Type*: List  
*Required*: No  
*CloudFormation compatibility*: This property is unique to AWS SAM and doesn't have an CloudFormation equivalent.

## Examples
<a name="sam-property-api-lambdarequestauthorizationidentity--examples"></a>

### LambdaRequestIdentity
<a name="sam-property-api-lambdarequestauthorizationidentity--examples--lambdarequestidentity"></a>

#### YAML
<a name="sam-property-api-lambdarequestauthorizationidentity--examples--lambdarequestidentity--yaml"></a>

```
Identity:
  QueryStrings:
    - auth
  Headers:
    - Authorization
  StageVariables:
    - VARIABLE
  Context:
    - authcontext
  ReauthorizeEvery: 100
```