Expose HTTP endpoints and webhooks on the gateway: path parameters, authentication modes, rate limits, and optional custom domains all terminate on your serverless functions.
The serverless API gateway exposes your functions as HTTP endpoints. Requests to /gw/{tenant}/your-path are routed to your functions.
How API gateway routing works
Open Gateway in the sidebar to define routes, methods, authentication, and templates. The default workspace API is served at /gw/<tenant-slug>/…, where <tenant-slug> is your workspace slug. Named HTTP APIs (each has a subdomain host label) are served at /gw/<label>/…, so several APIs can coexist in one workspace.
Installations that enable custom domains can bind a hostname to a named HTTP API, so public traffic does not have to use the default /gw/… prefix.
API gateway route configuration
- Path parameters —
/users/:idmatches/users/42. - Wildcards —
/site/**matches any sub-path. - Methods — GET, POST, PUT, PATCH, DELETE, HEAD, OPTIONS, or ANY (a single route can match every method). OPTIONS requests are answered automatically as CORS preflights rather than routed to your function.
- Auth — Public, API Key, or Bearer Token, configured per route.
Event Format
Choose between the Simple format (flat top-level fields) and the AWS API Gateway v2–compatible format:
// Your Lambda receives an event like (simple gateway format; body is always a string or null): { "httpMethod": "POST", "path": "/api/users", "headers": { "content-type": "application/json" }, "queryStringParameters": { "page": "1" }, "pathParameters": { "id": "123" }, "body": "{\"name\":\"Alice\"}" }
Response Transformation
In the Advanced Options for a route you can configure:
- Response Headers — static headers added to every response.
- Request Template — transforms the event before it reaches your function.
- Response Template — transforms the function's response before it is sent to the client.
- Rate Limit — the maximum number of requests per minute, counted per client IP per route (each source IP gets its own bucket in a fixed 60-second window); requests over the limit are rejected with
429.
Request validation
Attach an optional input schema to a route to validate request bodies. The schema is a JSON Schema subset (type, required, properties, items, enum, additionalProperties, plus length, item-count, and numeric bounds). When a schema is set, a body that does not match it is rejected with 400 before your function runs; leave the schema empty to skip validation.
Webhook signature verification
Verify incoming webhook signatures on a route without writing any code. Select a webhook mode and set a shared secret; the gateway HMAC-verifies the raw request body before your function is invoked and rejects an invalid signature with 403. The following modes are supported:
- GitHub —
X-Hub-Signature-256header (sha256=…HMAC). - Stripe —
Stripe-Signatureheader (t=…,v1=…). - Custom — a header you choose carrying a hex HMAC-SHA256 of the body.