Configuration for AWS

Enable JWT Authentication in Cloud API Configuration for AWS.

When deploying the Cloud API on AWS using CloudFormation, ensure that JWT authentication is properly configured by setting the following parameters:

CloudFormation Parameters:

  1. Set authorization to jwt:
    • This specifies that JWT authentication will be used to secure the API.
  2. Set jwt_verify to 1:
    • Enables verification of the JWT token during API requests.
  3. Set jwt_secret_base64 to the Public Key (PEM Base64 Encoded):
  4. Set jwt_user_claim to upn or email:
    • Choose the claim used to identify the user. Typically, User Principal Name (upn) or email is selected based on your organization’s Entra ID configuration.

Obtain the API Gateway Endpoint

After deploying the Cloud API using CloudFormation, retrieve the API Gateway endpoint URL for the service:

  1. Navigate to the CloudFormation stack in your AWS Management Console.
  2. Locate the Outputs section of the deployed stack.
  3. Find the output parameter labeled ApiGatewayId.
  4. Use the ApiGatewayId and your AWS region to construct the endpoint URL for the Protegrity Cloud API:
    • Format: https://{ApiGatewayId}.execute-api.{Region}.amazonaws.com/pty
    • Example: If ApiGatewayId is abc123xyz and the region is us-east-1, the service endpoint URL will be:
    https://abc123xyz.execute-api.us-east-1.amazonaws.com/pty
    
  5. Record this endpoint URL for use in the Browser Protector configuration.
    • protector_endpoint_url: <>

Disable IAM Authentication for the /v1/unprotect Endpoint

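By default, AWS API Gateway might enforce IAM authentication for API methods. Because the Cloud API protect Lambda function already handles authentication, IAM authentication must be disabled for the /v1/unprotect endpoint. After this change, API Gateway no longer authenticates requests to this endpoint itself, so access to it depends on the JWT settings above (authorization set to jwt and jwt_verify set to 1).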

  1. Navigate to the API Gateway:
    Open the AWS Management Console and go to the API Gateway service.

  2. Locate the API Gateway:
    Find the API Gateway deployed for the Cloud API (use the ApiGatewayId obtained in Step 4 of Obtain the API Gateway Endpoint).

  3. Select the /v1/unprotect Resource:
    Locate the /v1/unprotect resource in the API Gateway.

  4. Choose the POST Method:
    Under Method Execution, select the POST method.

  5. Set Authorization to None:
    In the Method Request settings, set Authorization to None.

  6. Save the Changes:
    Confirm and save the changes.
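
A check to run after saving, added here as an example and not part of the product documentation: it reads the JSON printed by `aws apigateway get-resources --rest-api-id <ApiGatewayId> --embed methods` and reports whether POST /v1/unprotect is the only method with Authorization set to None. It assumes the deployment is an API Gateway REST API; the sample data, the /v1/example path and the function name are constructed for illustration.

```python
import json

# Constructed sample of the JSON printed by
#   aws apigateway get-resources --rest-api-id <ApiGatewayId> --embed methods
# Resource ids and the /v1/example path are made up for illustration.
SAMPLE = json.loads("""
{"items": [
  {"id": "r0", "path": "/"},
  {"id": "r1", "path": "/v1/example",
   "resourceMethods": {"POST": {"httpMethod": "POST", "authorizationType": "NONE"}}},
  {"id": "r2", "path": "/v1/unprotect",
   "resourceMethods": {"POST": {"httpMethod": "POST", "authorizationType": "NONE"}}}
]}
""")

# The only method this page sets to Authorization: None.
EXPECTED_OPEN = {("/v1/unprotect", "POST")}


def audit_authorization(resources, expected_open=EXPECTED_OPEN):
    """Return (missing, unexpected).

    missing:    methods that should have authorization None but do not
                (still require authorization, or the resource/method is absent).
    unexpected: methods with authorization None that were not meant to be open.
    """
    open_methods = set()
    for item in resources.get("items", []):
        # Resources without methods (such as "/") have no resourceMethods key.
        for verb, method in (item.get("resourceMethods") or {}).items():
            if method.get("authorizationType") == "NONE":
                open_methods.add((item["path"], verb))
    return sorted(expected_open - open_methods), sorted(open_methods - expected_open)


if __name__ == "__main__":
    missing, unexpected = audit_authorization(SAMPLE)
    for path, verb in missing:
        print(f"NOT OPEN   {verb} {path}: IAM authentication was not disabled")
    for path, verb in unexpected:
        print(f"REVIEW     {verb} {path}: no API Gateway authorization")
```

`get-resources` reports the saved method configuration; a REST API stage serves it only after the API has been deployed to that stage.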


Last modified : January 13, 2026