API Gateway Security
IAM Permissions
Amazon API Gateway requires that you authenticate every request you send by signing the request.
To sign a request, you calculate a digital signature using a cryptographic hash function, which returns a hash value based on the input.
Amazon API Gateway supports authentication using AWS Signature Version 4 (Sig v4).
Great when you have pre-existing IAM identities.
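The signing flow described above, worked through end to end as an added example (this is illustrative code, not AWS's or API Gateway's own implementation): the client builds a canonical request, hashes it into a string to sign, derives a signing key from the secret through an HMAC chain, and emits the `Authorization` header; the service side recomputes the same value from the shared secret and compares it in constant time. The credentials, host, date and query values are constructed placeholders, and the request path is assumed to be already URI-encoded.

```python
import hashlib
import hmac
from urllib.parse import quote

ALGORITHM = "AWS4-HMAC-SHA256"

# Constructed credentials for this example; they are not real AWS keys.
ACCESS_KEY = "AKIAEXAMPLEACCESSKEY"
SECRET_KEY = "exampleSecretKey/NotARealAwsSecret"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def derive_signing_key(secret_key: str, date_stamp: str, region: str, service: str) -> bytes:
    """SigV4 key derivation: HMAC chain over date, region, service and the literal 'aws4_request'.
    The raw secret never touches the wire; only this derived key is used to sign."""
    k_date = hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = hmac_sha256(k_date, region)
    k_service = hmac_sha256(k_region, service)
    return hmac_sha256(k_service, "aws4_request")


def canonical_request(method: str, path: str, query: dict, headers: dict, payload: bytes):
    """Build the canonical request text; returns (text, signed_headers).
    Header names are lowercased and sorted, query parameters are sorted and RFC 3986 encoded."""
    lowered = {k.lower(): v.strip() for k, v in headers.items()}
    signed_headers = ";".join(sorted(lowered))
    canonical_headers = "".join(f"{k}:{lowered[k]}\n" for k in sorted(lowered))
    canonical_query = "&".join(
        f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}" for k, v in sorted(query.items())
    )
    text = "\n".join([method.upper(), path, canonical_query, canonical_headers,
                      signed_headers, sha256_hex(payload)])
    return text, signed_headers


def compute_signature(method, path, query, headers, payload, amz_date, region, service, secret_key):
    """Hash the canonical request into the string to sign and HMAC it with the derived key."""
    date_stamp = amz_date[:8]
    creq, signed_headers = canonical_request(method, path, query, headers, payload)
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join([ALGORITHM, amz_date, scope, sha256_hex(creq.encode("utf-8"))])
    key = derive_signing_key(secret_key, date_stamp, region, service)
    signature = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    return signature, scope, signed_headers


def sign_request(method, host, path, query, payload, amz_date, region="us-east-1",
                 service="execute-api", access_key=ACCESS_KEY, secret_key=SECRET_KEY):
    """Client side: produce the headers to send, including the Authorization header."""
    headers = {"host": host, "x-amz-date": amz_date}
    signature, scope, signed_headers = compute_signature(
        method, path, query, headers, payload, amz_date, region, service, secret_key)
    headers["authorization"] = (f"{ALGORITHM} Credential={access_key}/{scope}, "
                                f"SignedHeaders={signed_headers}, Signature={signature}")
    return headers


def verify_request(method, path, query, payload, headers, region="us-east-1",
                   service="execute-api", secret_key=SECRET_KEY) -> bool:
    """Service side: recompute the signature from the shared secret and compare in constant time.
    Any change to the method, path, query, signed headers or payload changes the result."""
    presented = headers["authorization"].rsplit("Signature=", 1)[1]
    signed = {"host": headers["host"], "x-amz-date": headers["x-amz-date"]}
    expected, _, _ = compute_signature(method, path, query, signed, payload,
                                       headers["x-amz-date"], region, service, secret_key)
    return hmac.compare_digest(presented, expected)


if __name__ == "__main__":
    hdrs = sign_request("GET", "abc123.execute-api.us-east-1.amazonaws.com", "/prod/items",
                        {"limit": "10"}, b"", "20240101T000000Z")
    print(hdrs["authorization"])
    print("verified:", verify_request("GET", "/prod/items", {"limit": "10"}, b"", hdrs))
```

The point for API Gateway is that the signature covers the method, path, query string, the signed headers and the payload hash, so a request cannot be replayed against a different resource or with an altered body; the `x-amz-date` header, which is itself signed, is what lets the service reject stale requests.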
Lambda Authorizer
A Lambda authorizer (formerly known as a custom authorizer) is an API Gateway feature that uses a Lambda function to control access to your API.
A Lambda authorizer is useful if you want to implement a custom authorization scheme that uses a bearer token authentication strategy such as OAuth or SAML, or that uses request parameters to determine the caller's identity.
When a client makes a request to one of your API's methods, API Gateway calls your Lambda authorizer, which takes the caller's identity as input and returns an IAM policy as output.
You can enable authorizer caching to limit the number of calls API Gateway makes to the Lambda function.
Great for third-party tokens.
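A minimal TOKEN-type Lambda authorizer handler, added here as an example rather than taken from the page or from AWS: it reads the bearer token from `authorizationToken`, resolves the caller's identity, and returns the IAM policy document API Gateway expects. The token store is a constructed in-memory table standing in for a real token validation against an OAuth or SAML issuer; the API id, stage and account in the sample `methodArn` are placeholders. It also shows the caching caveat from the notes above: because API Gateway caches the returned policy per token, the policy must list every method the caller is allowed to invoke, not just the one in the current request.

```python
import hmac

# Constructed token store for this example: opaque bearer token -> identity and allowed methods.
# A real authorizer validates an OAuth/JWT or SAML token against its issuer instead of a static table.
TOKEN_STORE = {
    "tok-reader-123": {"principal": "user-reader", "methods": ["GET/items", "GET/items/*"]},
    "tok-admin-456": {"principal": "user-admin", "methods": ["*"]},
}


def parse_method_arn(method_arn: str):
    """Split 'arn:aws:execute-api:region:account:api-id/stage/METHOD/path' into
    (arn prefix up to the account, api id, stage)."""
    arn_prefix, _, rest = method_arn.rpartition(":")  # rest = "api-id/stage/METHOD/path"
    api_id, stage, _ = rest.split("/", 2)
    return arn_prefix, api_id, stage


def build_policy(principal_id: str, effect: str, resources: list, context: dict = None) -> dict:
    """Shape of the authorizer response: principal, an IAM policy for execute-api:Invoke,
    and an optional context map that is forwarded to the integration."""
    return {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Action": "execute-api:Invoke", "Effect": effect, "Resource": resources}],
        },
        "context": context or {},
    }


def lookup_token(token: str):
    # Compare against each stored token in constant time so lookup timing does not leak
    # how much of a guessed token matched.
    for stored, identity in TOKEN_STORE.items():
        if hmac.compare_digest(stored.encode("utf-8"), token.encode("utf-8")):
            return identity
    return None


def lambda_handler(event: dict, context) -> dict:
    scheme, _, token = event.get("authorizationToken", "").partition(" ")
    if scheme != "Bearer" or not token:
        # For TOKEN authorizers API Gateway maps this exact message to a 401 response.
        raise Exception("Unauthorized")
    identity = lookup_token(token)
    if identity is None:
        raise Exception("Unauthorized")

    arn_prefix, api_id, stage = parse_method_arn(event["methodArn"])
    # Cover every method this caller may invoke. With authorizer caching on, this policy is
    # reused for later requests carrying the same token, so a policy scoped only to the
    # current methodArn would make those cached calls to other methods fail.
    resources = [f"{arn_prefix}:{api_id}/{stage}/{m}" for m in identity["methods"]]
    return build_policy(identity["principal"], "Allow", resources,
                        {"principal": identity["principal"]})


if __name__ == "__main__":
    sample_event = {
        "type": "TOKEN",
        "authorizationToken": "Bearer tok-reader-123",
        "methodArn": "arn:aws:execute-api:us-east-1:123456789012:abc123/prod/GET/items",
    }
    print(lambda_handler(sample_event, None))
```

Raising `Unauthorized` yields a 401 without any policy being cached, which is the right outcome for a missing or unknown token; a token that is valid but lacks rights to the requested method is best answered with an explicit Deny statement so the client receives a 403 and the negative decision is cached as well.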
Cognito User Pools
Only for authentication, not authorization.
A user pool is a user directory in Amazon Cognito.
With a user pool, your users can sign in to your web or mobile app through Amazon Cognito.
Your users can also sign in through social identity providers like Google, Facebook, Amazon, or Apple, and through SAML identity providers.
No need to write any code.