Open
Labels
status: triage needed (Requires evaluation by maintainers), type: bug (Bug report)
Description
Is there an existing issue for this?
- I have searched the existing issues
Current Behavior
When I authorize an API endpoint with HttpUserPoolAuthorizer from aws-cdk-lib/aws-apigatewayv2-authorizers, it always returns Unauthorized with a 401 status code, even with a valid Access Token.
Expected Behavior
Should return 200 status.
How are you starting LocalStack?
With a docker-compose file
Steps To Reproduce
Reproduction repository.
https://github.com/yuki0418/localstack-unauthorize-repro
Requirements
- pnpm
- Docker
- LocalStack Pro
Setup
- Run LocalStack Pro
$ export LOCALSTACK_AUTH_TOKEN="<your_localstack_pro_auth_token>"
$ docker compose up
Reproduction Steps
- Install packages
$ pnpm install
- Bootstrap and deploy the CDK environment
$ cdklocal bootstrap
$ cdklocal deploy --all --require-approval never
- Sign up a user
curl -X POST 'https://test.execute-api.localhost.localstack.cloud:4566/user/signup' \
-H "Content-Type: application/json" \
-d '{"email": "test@example.com", "password": "P@ss1234", "firstName": "Yuki", "lastName": "Ishii"}'
- Confirm the user
You can get the confirmation code from the docker logs
curl -X POST 'https://test.execute-api.localhost.localstack.cloud:4566/user/confirm' \
-H "Content-Type: application/json" \
-d '{"email": "test@example.com", "confirmationCode": "<confirmation_code>"}'
- Sign in the user to get the access token
curl -X POST 'https://test.execute-api.localhost.localstack.cloud:4566/user/signin' \
-H "Content-Type: application/json" \
-d '{"email": "test@example.com", "password": "P@ss1234"}'
You will get the access token and IdToken in the response.
- Change the email address
curl -X POST 'https://test.execute-api.localhost.localstack.cloud:4566/user/email' \
-H "Content-Type: application/json" \
-H "Authorization: Bearer <Access Token>" \
-d '{"email": "test+1@example.com"}'
You will get:
HTTP/2 401
server: TwistedWeb/24.3.0
date: Sat, 26 Jul 2025 02:44:36 GMT
content-type: application/json
apigw-requestid: 18e4f871
content-length: 26
{"message":"Unauthorized"}%
Environment
- OS: macOS Sonoma v14.6.1
- LocalStack: localstack/localstack-pro
LocalStack version: latest, 4.6
LocalStack Docker image sha: sha256:5564ec44adbb363e77c4587a99e7fb0259e077f3afdb4dd5427b11b2ca3e4898
Anything else?
No response
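A diagnostic for triaging the 401 above, added here and not part of the original report, the reproduction repository or LocalStack: it decodes a token's claims without verifying the signature and lists which of the `iss`, `aud`/`client_id`, `exp` and `nbf` checks made by an HTTP API JWT authorizer would fail. The function names, issuer and client ID are constructed placeholders; substitute the values configured on the authorizer.

```javascript
// Added diagnostic example; not code from the issue, the repro repository or LocalStack.
// Decodes a JWT payload WITHOUT verifying its signature, then lists which of the
// claim checks made by an API Gateway HTTP API JWT authorizer would fail.

function b64url(obj) { // helper used only to build the constructed sample tokens
  return Buffer.from(JSON.stringify(obj)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

function decodeJwtPayload(token) {
  const parts = String(token).trim().split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  return JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
}

function explainRejection(token, expected, now = Math.floor(Date.now() / 1000)) {
  const c = decodeJwtPayload(token);
  const problems = [];
  if (c.iss !== expected.issuer) {
    problems.push(`iss "${c.iss}" != authorizer issuer "${expected.issuer}"`);
  }
  // Cognito ID tokens carry `aud`; access tokens carry `client_id` instead.
  // The authorizer compares client_id only when aud is absent.
  const aud = [].concat(c.aud !== undefined ? c.aud : c.client_id);
  if (!aud.some((a) => expected.audiences.includes(a))) {
    problems.push(`aud/client_id ${JSON.stringify(aud)} not in authorizer audience list`);
  }
  if (typeof c.exp !== "number" || c.exp <= now) problems.push("exp missing or in the past");
  if (typeof c.nbf === "number" && c.nbf > now) problems.push("nbf is in the future");
  return problems;
}

// Constructed sample values (not taken from the issue).
const NOW = 1753497876;
const EXPECTED = {
  issuer: "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE",
  audiences: ["example-client-id"],
};
const sample = (claims) => `${b64url({ alg: "RS256", kid: "k1" })}.${b64url(claims)}.sig`;
const GOOD = sample({ iss: EXPECTED.issuer, client_id: "example-client-id", token_use: "access", exp: NOW + 3600 });
const BAD = sample({ iss: "https://idp.example.test/other-pool", client_id: "example-client-id", token_use: "access", exp: NOW - 60 });

console.log(explainRejection(GOOD, EXPECTED, NOW));
console.log(explainRejection(BAD, EXPECTED, NOW));
```

An empty list means the claims would pass these checks, which points the investigation at signature or key (JWKS) validation instead.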