All cheat sheets
Serverless & AIcheat sheet

API Gateway HTTP APIs

HTTP APIs cost ~$1.00 per million requests versus REST's ~$3.50 — a 71% cut with lower latency and native JWT auth. Most REST APIs use none of the features that premium pays for; audit and migrate the eligible 80%.

Last reviewed: July 11, 2026

TL;DR: API Gateway comes in two flavors: REST ($3.50 per million requests) and HTTP ($1.00 per million, ~50% lower latency, native JWT validation). The premium buys API keys, usage plans, VTL transformations, WAF integration, private endpoints — features most APIs never touch. If your API is "route HTTPS → validate token → invoke Lambda," you're paying 3.5× for nothing; migration is often an afternoon.

The numbers

  • REST: ~$3.50/M requests · HTTP: ~$1.00/M — a 71% cut, plus ~30–50% lower gateway latency
  • At 10M req/month the saving is ~$25 — nice; at 500M it's $1,250/month; a 2B-events/month webhook processor saved $5,600/month by flipping type
  • The stacked win: REST + Lambda authorizer for JWT validation pays the higher request fee and an extra Lambda invocation per call; HTTP APIs validate OIDC JWTs natively — both line items drop at once
  • Field example: a fintech migrated 80% of its REST estate (keeping WAF-fronted endpoints on REST) for **$180k/year**

Do this

  1. Audit each REST API against the blocker list: API keys/usage plans, AWS WAF, private (VPC-only) endpoints, edge-optimized deployments, VTL request/response transformations, resource policies. Using none of them = eligible.

  2. Check the auth path: Cognito/Auth0/Okta JWTs plug directly into HTTP APIs' native authorizer — no custom Lambda needed. "API keys" that are really bearer tokens count as JWT-compatible.

  3. Migrate highest-volume eligible APIs first — the savings are linear in traffic. Move any gateway-level validation into the Lambda (usually a small refactor), create the HTTP API in IaC, repoint DNS, monitor a week, delete the REST API.

  4. Segment, don't purify: the mature end-state is HTTP APIs for the 80%, REST for the 20% with named feature needs. Don't force either.

  5. Make "HTTP API first" the default for new projects — only reach for REST when you can name the feature that requires it. That habit prevents this entire cost category.

Gotchas

  • No API keys or usage plans on HTTP APIs — genuine partner-key requirements pin those endpoints to REST.
  • No WAF attachment — security-mandated WAF means REST (or CloudFront-with-WAF in front of HTTP API, a different architecture).
  • Regional only — no edge-optimized flavor; latency-sensitive global consumers may want CloudFront anyway.
  • VTL logic must move into code — usually cleaner long-term, but it's a real refactor; budget it honestly.
  • Throttling is coarser (no per-key limits) — rate-limit in the app or upstream if you need per-consumer control.

Skip this if

  • The API genuinely uses REST-only features (keys, WAF, private endpoints, transformations) — that's what the premium is for.
  • Traffic is tiny — the migration effort beats $2/month of savings; just default new APIs to HTTP.
  • The endpoint doesn't need a gateway at all — a single-purpose webhook receiver is cheaper still on a free Lambda Function URL.

Run this audit with your AI assistant

Paste this into Claude, ChatGPT, or any agent that can run the AWS CLI with read-only credentials. It audits your account for exactly the waste this sheet describes — and changes nothing.

You are auditing an AWS account's API Gateway estate for REST → HTTP
API migration savings. Use the AWS CLI with READ-ONLY credentials. Do
not create, modify, or delete anything.

1. Inventory both flavors per region:
   - REST: aws apigateway get-rest-apis; per API: get-stages,
     get-usage-plans, get-api-keys (any keys/plans in use?),
     endpoint configuration (EDGE/REGIONAL/PRIVATE), and whether any
     stage has WAF (aws wafv2 list-web-acls --scope REGIONAL +
     associations) or resource policies.
   - HTTP: aws apigatewayv2 get-apis (already migrated share).
2. Volume per API: CloudWatch Count metric (30 days) → requests/mo.
   Cost now (≈$3.50/M REST) vs after (≈$1.00/M HTTP).
3. Eligibility per REST API — blockers that force staying on REST:
   API keys/usage plans in use, PRIVATE endpoint type, EDGE-optimized
   requirement, WAF association, resource policies, request/response
   VTL transformations (get-models / integration templates), canary
   stages relying on REST features.
4. Bonus finding: REST APIs using Lambda authorizers purely for JWT
   validation — HTTP APIs validate JWT natively, killing those
   authorizer invocations (extra Lambda savings + latency).

Report: per-API table (name | type | req/mo | $/mo now | eligible? |
blockers | $/mo after), total migration savings, and a migration
order starting with highest-volume eligible APIs. Change nothing.
Works with any assistant that can run shell commands.

Want the guided version?

The API Gateway HTTP APIs walkthrough covers this topic interactively — it asks about your setup, branches to what’s relevant, and quizzes you on the tricky parts. Free and anonymous.

Start the walkthrough