AWS HTTP APIs are the newer, faster, and cheaper way to build RESTful APIs on Amazon API Gateway. They offer up to 71% cost savings and 60% lower latency compared to REST APIs, with native JWT auth and simplified configuration.
HTTP APIs strip away complexity and cost while keeping the features most serverless applications actually need.
HTTP APIs cost $1.00 per million requests compared to $3.50 for REST APIs. At scale, this translates to hundreds or thousands of dollars in monthly savings.
HTTP APIs add roughly 10ms of overhead at p99, compared to tens of milliseconds for REST APIs. This makes serverless viable for latency-sensitive workloads.
Built-in JWT validation with any OpenID Connect provider. No custom Lambda authorizers needed for Cognito, Auth0, or Okta token verification.
Configure CORS headers at the API level instead of in every Lambda handler. Set allowed origins, methods, and headers once and they apply to all routes.
Define routes with HTTP method and path. No separate deployment resources or complex stage configurations. Catch-all routes supported for single-function APIs.
A cleaner, leaner event payload with optional simplified responses. Lambda functions can return a plain body string instead of the full status code wrapper.
HTTP APIs sit between clients and your backend services. They handle routing, authorization, and CORS so your Lambda functions focus purely on business logic.
A client sends an HTTP request. HTTP API validates any JWT token against your configured issuer and audience, rejecting unauthorized requests before they reach your backend.
The request is matched to a route by HTTP method and path. HTTP API forwards it to the integration target: a Lambda function, another HTTP endpoint, or a private VPC resource.
Your backend returns a response. HTTP API applies CORS headers automatically and sends the result to the client. The entire round-trip adds roughly 10ms of overhead.
HTTP APIs connect to several backend types, each suited to different use cases:
The most common integration. Run functions to generate API responses with automatic scaling and pay-per-invocation pricing.
Proxy requests to any public URL or internal service. Useful for migrating existing APIs behind a managed gateway.
Connect to ECS, EKS, EC2, or NLB targets inside your VPC via VPC Link for internal microservices.
Route directly to services like SQS, Step Functions, or EventBridge without a Lambda function in between.
AWS offers two API Gateway types. HTTP APIs are the newer, leaner option. REST APIs have more features but cost more and add more latency.
| Feature | REST API | HTTP API |
|---|---|---|
| Cost (per 1M requests) | $3.50 | $1.00 |
| Latency overhead | Higher (tens of ms) | ~10ms at p99 |
| JWT authorization | Via Lambda authorizer | Native support |
| CORS configuration | Manual per-method setup | API-level config |
| Request validation | Yes (JSON Schema) | No |
| WAF integration | Yes | No |
| Usage plans / API keys | Yes | No |
| Response caching | Yes | No |
| Private APIs (VPC endpoint) | Yes | No |
| Edge-optimized deployment | Yes | No |
| Catch-all routes | No | Yes |
| Payload v2.0 format | No | Yes (optional) |
For a deeper look at API Gateway as a whole, see our Ultimate Guide to Amazon API Gateway.
The Serverless Framework makes HTTP APIs the default for new projects. Define your routes in serverless.yml and the framework handles all the CloudFormation resources, permissions, and deployment stages:
service: my-http-api
provider:
name: aws
runtime: nodejs22.x
httpApi:
cors: true
authorizers:
myJwtAuth:
type: jwt
identitySource: $request.header.Authorization
issuerUrl: https://cognito-idp.us-east-1.amazonaws.com/us-east-1_abc123
audience:
- my-app-client-id
functions:
listUsers:
handler: handler.listUsers
events:
- httpApi:
path: /users
method: get
getUser:
handler: handler.getUser
events:
- httpApi:
path: /users/{id}
method: get
authorizer:
name: myJwtAuth
createUser:
handler: handler.createUser
events:
- httpApi:
path: /users
method: post
authorizer:
name: myJwtAuthThe httpApi event type creates HTTP API routes automatically. CORS is configured once at the provider level. JWT authorizers are defined once and referenced by name on any route that needs protection.
At $1.00 per million requests (vs. $3.50 for REST APIs), HTTP APIs deliver a 71% cost reduction. For a service handling 100 million requests per month, that is $250 saved every month. At higher volumes the savings compound further, with tiered pricing dropping to $0.90 per million above 300 million requests.
HTTP APIs add roughly 10ms of overhead at p99, a 60% improvement over REST APIs. This makes API Gateway viable for latency-sensitive applications in ad-tech, financial services, and gaming that previously avoided serverless because of gateway overhead.
HTTP APIs require fewer CloudFormation resources per route, reducing stack complexity and deployment times. Auto-deploy stages, API-level CORS, and catch-all routing mean less boilerplate configuration. The Serverless Framework makes the experience even simpler by abstracting the remaining setup.
Native JWT authorization replaces the need for custom Lambda authorizers that extract tokens, verify signatures, and generate IAM policies. HTTP APIs handle all of that automatically, reducing auth code, latency, and Lambda invocation costs.
HTTP APIs trade advanced features for simplicity and cost savings. These gaps matter for specific use cases.
If you need to meter, throttle, or monetize API access per consumer, you must use REST APIs. HTTP APIs have no built-in mechanism for issuing or validating API keys.
REST APIs can validate incoming JSON payloads against a schema before invoking your Lambda function. With HTTP APIs, all validation must happen inside your function code.
REST APIs offer built-in response caching at the gateway layer. HTTP APIs have no caching. Use CloudFront, DynamoDB DAX, or application-level caching as alternatives.
AWS WAF (Web Application Firewall) can be attached to REST APIs but not HTTP APIs. For WAF protection, place CloudFront in front of your HTTP API and attach WAF to the distribution.
HTTP APIs are regional only. They do not support edge-optimized deployments or VPC endpoint policies for private API access. REST APIs are required for those patterns.
Backend integrations must respond within 30 seconds. For long-running operations, accept the request immediately, return a job ID, and process asynchronously.
HTTP APIs do not support wildcard custom domain names. Each subdomain must be configured individually, which limits multi-tenant architectures that rely on tenant-specific subdomains.
REST APIs offer Velocity Template Language (VTL) mappings to transform requests and responses at the gateway layer. HTTP APIs pass payloads through as-is, so all transformation logic must live in your function code.
HTTP APIs do not integrate with AWS X-Ray for distributed tracing. Observability is limited to CloudWatch access logs and metrics. For end-to-end tracing, instrument your Lambda functions directly.
HTTP APIs use simple, tiered request pricing with no minimum fees. They are significantly cheaper than REST APIs at every volume level.
1M
HTTP API calls / month
750K
connection minutes / month
| Volume | Price per Million |
|---|---|
| First 300M requests / month | $1.00 |
| Above 300M requests / month | $0.90 |
100M requests x $1.00/1M (HTTP API) = $100/month
100M requests x $3.50/1M (REST API) = $350/month
Savings: $250/month (71%). At 600M requests, HTTP API costs $570 vs. $2,100 for REST API.
See the official API Gateway pricing page for current regional rates.
Use HTTP APIs when you are building new serverless REST APIs, want the lowest possible cost and latency, need JWT-based authentication, or are migrating from REST APIs and do not rely on usage plans, caching, or WAF. HTTP APIs are the right default for most new projects.
Consider REST APIs instead when you need request validation, API key management, usage plans, response caching, WAF integration, edge-optimized endpoints, or private APIs. These features are only available on REST APIs.
Consider alternatives when you are building a GraphQL API (use AWS AppSync), need a simple single-function endpoint without a full gateway (use Lambda Function URLs), or need sub-millisecond routing (run your own reverse proxy).
Key quotas to plan around. Most soft limits can be raised through AWS Support.
| Limit | Value |
|---|---|
| Integration timeout | 30 seconds |
| Payload size | 10 MB |
| Routes per API | 300 |
| Stages per API | 10 |
| Authorizers per API | 10 |
| Auth endpoint JWKS timeout | 1,500 ms |
| Custom domains per account | 120 |
| Throttle rate | 10,000 requests/second (adjustable) |
| Burst limit | 5,000 requests |
Common questions about AWS HTTP APIs.
Deploy a fast, cheap HTTP API with Lambda in minutes
using the Serverless Framework.