Authorization

Overview

Authorization determines what authenticated users can access and modify.

Authorization Layers

1. API Gateway Authorizer

Purpose: Validate API keys before Lambda execution

Implementation:

Lambda authorizer function
Validates Bearer token
Returns IAM policy
Includes user context

Flow:

Request → API Gateway → Authorizer → Lambda Function

2. Service-Level Authorization

Purpose: Validate resource ownership

Implementation:

Services check user ownership
Environment validation
Permission checks

Resource Ownership

Forms

Forms belong to users (userId)
Users can only access their own forms
Environment validation ensures isolation

Submissions

Submissions belong to form owners
Access controlled via form ownership
Environment-scoped queries

API Keys

Keys belong to users
Users can only manage their own keys
Environment-scoped keys

Authorization Checks

Form Access

// Service checks ownership
if (form.userId !== userId) {
  throw new Error('Forbidden: You do not have permission');
}

// Environment validation
if (environment && form.environment !== environment) {
  throw new Error('Forbidden: Form not found in environment');
}

API Key Validation

// Authorizer validates key
const key = await lookupKey(apiKey);
if (!key || key.userId !== userId) {
  return generatePolicy('Deny', resource);
}

Environment Isolation

Data Isolation

All data scoped by user and environment
Partition keys include environment
Queries filtered by environment

API Key Scoping

Keys are environment-specific
Cannot access other environments
Environment in key record

Permission Model

Current Model

Owner: Full access to own resources
No Sharing: Resources not shared between users
Environment Isolation: Complete isolation per environment

Future Enhancements

Organization-level sharing
Role-based access control
Team permissions

Error Responses

401 Unauthorized

Missing or invalid authentication
Token expired
Invalid API key

403 Forbidden

Authenticated but no permission
Wrong environment
Not resource owner

Next Steps

Security - Security overview
Data Protection - Encryption and PII
Best Practices - Security recommendations

PreviousAuthentication NextSecurity Best Practices

Last updated 2 months ago

Good morning

hashtagOverview

hashtagAuthorization Layers

hashtag1. API Gateway Authorizer

hashtag2. Service-Level Authorization

hashtagResource Ownership

hashtagForms

hashtagSubmissions

hashtagAPI Keys

hashtagAuthorization Checks

hashtagForm Access

hashtagAPI Key Validation

hashtagEnvironment Isolation

hashtagData Isolation

hashtagAPI Key Scoping

hashtagPermission Model

hashtagCurrent Model

hashtagFuture Enhancements

hashtagError Responses

hashtag401 Unauthorized

hashtag403 Forbidden

hashtagNext Steps