{"@context":"https://schema.org","@graph":[{"@type":"WebPage","@id":"https://inquir.org/api-key-auth-serverless-functions#webpage","url":"https://inquir.org/api-key-auth-serverless-functions","name":"API key auth for serverless functions at the gateway","headline":"API key auth for serverless functions at the gateway","description":"API key authentication for serverless functions enforced at the gateway before handler code runs—no auth boilerplate per function, rotate keys without deploys, and scope permissions per route.","inLanguage":"en-US","isPartOf":{"@id":"https://inquir.org/#website"},"author":{"@type":"Organization","name":"Inquir"},"datePublished":"2025-01-01T00:00:00.000Z","dateModified":"2026-04-20T00:00:00.000Z","citation":"https://inquir.org/docs"},{"@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https://inquir.org"},{"@type":"ListItem","position":2,"name":"API key auth serverless functions","item":"https://inquir.org/api-key-auth-serverless-functions"}]},{"@type":"TechArticle","@id":"https://inquir.org/api-key-auth-serverless-functions#article","headline":"API key auth for serverless functions at the gateway","description":"API key authentication for serverless functions enforced at the gateway before handler code runs—no auth boilerplate per function, rotate keys without deploys, and scope permissions per route.","inLanguage":"en-US","author":{"@type":"Organization","name":"Inquir"},"datePublished":"2025-01-01T00:00:00.000Z","dateModified":"2026-04-20T00:00:00.000Z","isPartOf":{"@id":"https://inquir.org/api-key-auth-serverless-functions#webpage"}},{"@type":"FAQPage","@id":"https://inquir.org/api-key-auth-serverless-functions#faq","url":"https://inquir.org/api-key-auth-serverless-functions","isPartOf":{"@id":"https://inquir.org/api-key-auth-serverless-functions#webpage"},"mainEntity":[{"@type":"Question","name":"Can I use both API key auth and JWT auth?","acceptedAnswer":{"@type":"Answer","text":"Yes—enable API key auth at the gateway for service-to-service routes. For user-facing routes, validate JWTs inside the handler. Routes can use different auth models."}},{"@type":"Question","name":"What happens to requests with an invalid API key?","acceptedAnswer":{"@type":"Answer","text":"The gateway returns 403 before the function handler runs. The function is not invoked and does not incur invocation billing."}},{"@type":"Question","name":"How do I rotate a key if it is compromised?","acceptedAnswer":{"@type":"Answer","text":"Remove the compromised key from the gateway configuration and add a new one. Existing sessions with the old key fail immediately. Distribute the new key to legitimate callers via your secrets management process."}}]}]}