jmrah

Reputation: 6241

AWS API Gateway Authorizer: What security is gained by requiring both an OAuth token and an API key?

I'm playing around with securing an AWS API Gateway with AWS Cognito User Pool tokens. The API Gateway authorizer settings allow me to require that an HTTP request contain both an x-api-key header and an authorization header (containing a JWT token). I've attached a picture of this.

It seems to me that requiring an API key along with an OAuth token is redundant. What practical security advantage might there be in requiring clients of this endpoint to provide both?

API Gateway authorizer settings

Upvotes: 2

Views: 837

Answers (1)

Balu Vyamajala

Reputation: 10393

An API key is mostly used along with a usage plan to control:

  • which stages a given client can access.
  • the throttling limit, e.g. 100 calls per minute.
  • the quota limit, e.g. 100K calls per day.

An API key doesn't actually contain any user-specific details; it's a static value typically created per application/client.

Personally, I don't even consider this AWS API key as equivalent to the old-school Basic Auth header, and I never use it for securing the API at all.

On the other hand, the Authentication header is usually an access_token and/or id_token, generated when a particular user is successfully authorized/authenticated against the auth server and gains access to the APIs.

From the Docs:

Don't rely on API keys as your only means of authentication and authorization for your APIs. For one thing, if you have multiple APIs in a usage plan, a user with a valid API key for one API in that usage plan can access all APIs in that usage plan. Instead, use an IAM role, a Lambda authorizer, or an Amazon Cognito user pool.

Upvotes: 1
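As an added illustration (not part of the answer above, and not AWS code), here is a small Python model of the two checks the answer describes: a static API key resolved against a usage plan (stage access, throttle, quota) and a JWT that carries the user's identity. It signs with HS256 under a shared secret purely for simplicity; real Cognito tokens are RS256-signed and verified against the pool's public keys, and the secret, usage-plan values, issuer and header names used here are constructed assumptions.

```python
import base64, hashlib, hmac, json

# Constructed sample usage plan (not real AWS values): one static key per client app,
# granting access to a stage under a per-minute throttle and a daily quota.
USAGE_PLANS = {"key-app-A": {"stages": {"prod"}, "rate_per_min": 2, "quota_per_day": 3}}
COUNTERS = {}  # api_key -> {("min", window): count, ("day", window): count}

def check_api_key(api_key, stage, now):
    """Usage-plan checks only: nothing here identifies a user, just the client app."""
    plan = USAGE_PLANS.get(api_key)
    if plan is None or stage not in plan["stages"]:
        return "403 forbidden"
    c = COUNTERS.setdefault(api_key, {})
    for kind, window, limit in (("min", int(now // 60), plan["rate_per_min"]),
                                ("day", int(now // 86400), plan["quota_per_day"])):
        c[(kind, window)] = c.get((kind, window), 0) + 1
        if c[(kind, window)] > limit:
            return "429 throttled" if kind == "min" else "429 quota exceeded"
    return "ok"

def _b64u(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def _unb64u(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_token(claims, secret):
    """Mint a demo HS256 JWT (simplification: Cognito signs with RS256)."""
    head, body = _b64u(b'{"alg":"HS256","typ":"JWT"}'), _b64u(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64u(sig)}"

def check_token(token, secret, issuer, now):
    """Verify signature, issuer and expiry; return the claims (the user's identity) or None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    head, body, sig = parts
    expected = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64u(sig)):
        return None
    claims = json.loads(_unb64u(body))
    if claims.get("iss") != issuer or claims.get("exp", 0) <= now:
        return None
    return claims

def authorize(headers, stage, secret, issuer, now):
    """Gateway-style decision: the JWT says who the user is, the key says what the app may do."""
    claims = check_token(headers.get("authorization", ""), secret, issuer, now)
    if claims is None:
        return "401 unauthorized"
    status = check_api_key(headers.get("x-api-key", ""), stage, now)
    return status if status != "ok" else f"200 ok for user {claims['sub']}"
```

The point the answer makes is visible in the code: a stolen or shared API key only tells you which client app's plan applies, while user identity and expiry come solely from the token.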
