TL;DR: API Gateway comes in two flavors: REST ($3.50 per million requests) and HTTP ($1.00 per million, ~50% lower latency, native JWT validation). The premium buys API keys, usage plans, VTL transformations, WAF integration, private endpoints — features most APIs never touch. If your API is "route HTTPS → validate token → invoke Lambda," you're paying 3.5× for nothing; migration is often an afternoon.
The numbers
- REST: ~$3.50/M requests · HTTP: ~$1.00/M — a 71% cut, plus ~30–50% lower gateway latency
- At 10M req/month the saving is ~$25 — nice; at 500M it's $1,250/month; a 2B-events/month webhook processor saved $5,600/month by flipping type
- The stacked win: REST + Lambda authorizer for JWT validation pays the higher request fee and an extra Lambda invocation per call; HTTP APIs validate OIDC JWTs natively — both line items drop at once
- Field example: a fintech migrated
80% of its REST estate (keeping WAF-fronted endpoints on REST) for **$180k/year**
Do this
-
Audit each REST API against the blocker list: API keys/usage plans, AWS WAF, private (VPC-only) endpoints, edge-optimized deployments, VTL request/response transformations, resource policies. Using none of them = eligible.
-
Check the auth path: Cognito/Auth0/Okta JWTs plug directly into HTTP APIs' native authorizer — no custom Lambda needed. "API keys" that are really bearer tokens count as JWT-compatible.
-
Migrate highest-volume eligible APIs first — the savings are linear in traffic. Move any gateway-level validation into the Lambda (usually a small refactor), create the HTTP API in IaC, repoint DNS, monitor a week, delete the REST API.
-
Segment, don't purify: the mature end-state is HTTP APIs for the 80%, REST for the 20% with named feature needs. Don't force either.
-
Make "HTTP API first" the default for new projects — only reach for REST when you can name the feature that requires it. That habit prevents this entire cost category.
Gotchas
- No API keys or usage plans on HTTP APIs — genuine partner-key requirements pin those endpoints to REST.
- No WAF attachment — security-mandated WAF means REST (or CloudFront-with-WAF in front of HTTP API, a different architecture).
- Regional only — no edge-optimized flavor; latency-sensitive global consumers may want CloudFront anyway.
- VTL logic must move into code — usually cleaner long-term, but it's a real refactor; budget it honestly.
- Throttling is coarser (no per-key limits) — rate-limit in the app or upstream if you need per-consumer control.
Skip this if
- The API genuinely uses REST-only features (keys, WAF, private endpoints, transformations) — that's what the premium is for.
- Traffic is tiny — the migration effort beats $2/month of savings; just default new APIs to HTTP.
- The endpoint doesn't need a gateway at all — a single-purpose webhook receiver is cheaper still on a free Lambda Function URL.