Skip to main content

Internal Auth

[API Docs] [SDK]

To facilitate backend microservices calling each other, we provide an internal identity provider called Internal Auth API

The API works by converting the caller's IAM role to a valid JWT token accepted by the API Gateway Authorizer.

API calls must be called using a signed AWS SigV4 request.


npm install --save @epilot/internal-auth

To be able to get internal tokens, your runtime role must have invoke permissions to this API.

# SAM example
Type: AWS::Serverless::Function
- Statement:
- Effect: Allow
Action: execute-api:Invoke
- arn:aws:execute-api:eu-central-1:*:*/*/GET/v1/internal-auth/auth # internal auth api
- arn:aws:execute-api:eu-central-1:*:*/*/GET/v?/mock-api/* # api you want to call

Call the API to obtain your token

import { getToken } from "@epilot/internal-auth";

const token = await getToken();

Example Token

"callerIdentity": "arn:aws:sts::912468240823:assumed-role/ep_prod_access_admin/awsmfa_20210225T193753",
"policies": [
"Version": "2012-10-17",
"Statement": [
"Effect": "Allow",
"Action": "*",
"Resource": "*"
"iss": "",
"iat": 1614278397,
"exp": 1614281997