Browse sections

Serverless API Gateway

Expose HTTP endpoints and webhooks on the gateway: path parameters, authentication modes, rate limits, and optional custom domains all terminate on your serverless functions.

The serverless API gateway exposes your functions as HTTP endpoints. Requests to /gw/{tenant}/your-path are routed to your functions.

How API gateway routing works

Open Gateway in the sidebar to define routes, methods, authentication, and templates. The default workspace API is served at /gw/<tenant-slug>/…, where <tenant-slug> is your workspace slug. Named HTTP APIs (each has a subdomain host label) are served at /gw/<label>/…, so several APIs can coexist in one workspace.

Installations that enable custom domains can bind a hostname to a named HTTP API, so public traffic does not have to use the default /gw/… prefix.

API gateway route configuration

  • Path parameters/users/:id matches /users/42.
  • Wildcards/site/** matches any sub-path.
  • Methods — GET, POST, PUT, PATCH, DELETE, HEAD, OPTIONS, or ANY (a single route can match every method). OPTIONS requests are answered automatically as CORS preflights rather than routed to your function.
  • Auth — Public, API Key, or Bearer Token, configured per route.

Event Format

Choose between the Simple format (flat top-level fields) and the AWS API Gateway v2–compatible format:

event
// Your Lambda receives an event like (simple gateway format; body is always a string or null):
{
  "httpMethod": "POST",
  "path": "/api/users",
  "headers": {
    "content-type": "application/json"
  },
  "queryStringParameters": {
    "page": "1"
  },
  "pathParameters": {
    "id": "123"
  },
  "body": "{\"name\":\"Alice\"}"
}

Response Transformation

In the Advanced Options for a route you can configure:

  • Response Headers — static headers added to every response.
  • Request Template — transforms the event before it reaches your function.
  • Response Template — transforms the function's response before it is sent to the client.
  • Rate Limit — the maximum number of requests per minute, counted per client IP per route (each source IP gets its own bucket in a fixed 60-second window); requests over the limit are rejected with 429.

Request validation

Attach an optional input schema to a route to validate request bodies. The schema is a JSON Schema subset (type, required, properties, items, enum, additionalProperties, plus length, item-count, and numeric bounds). When a schema is set, a body that does not match it is rejected with 400 before your function runs; leave the schema empty to skip validation.

Webhook signature verification

Verify incoming webhook signatures on a route without writing any code. Select a webhook mode and set a shared secret; the gateway HMAC-verifies the raw request body before your function is invoked and rejects an invalid signature with 403. The following modes are supported:

  • GitHubX-Hub-Signature-256 header (sha256=… HMAC).
  • StripeStripe-Signature header (t=…,v1=…).
  • Custom — a header you choose carrying a hex HMAC-SHA256 of the body.