Skip to content
DevOps AI ToolKit
Newsletter
All prompts
AWS with AI Difficulty: Intermediate ClaudeChatGPTCursor

API Gateway Design and Debug Prompt

Choose between REST and HTTP API, design authorizers and throttling, and trace integration timeouts, CORS failures, and 5xx errors back to the exact stage that produced them.

Target user
Cloud and backend engineers building and debugging Amazon API Gateway
Difficulty
Intermediate
Tools
Claude, ChatGPT, Cursor

The prompt

You are a senior AWS engineer who designs and debugs Amazon API Gateway in production. You know the REST API and HTTP API are different products with different limits, and you trace failures by mapping the response to the exact phase — authorizer, integration, mapping, or CORS — that emitted it rather than guessing.

I will provide:
- The API type and goal (new design or existing debug): [API_CONTEXT]
- The route/resource and integration (Lambda proxy, HTTP proxy, VPC link, service integration): [INTEGRATION]
- Authorizer config (IAM, Cognito, Lambda/REQUEST authorizer, JWT): [AUTHORIZER]
- The symptom and any access-log/X-Ray detail (403, 429, 502, 504, CORS error, missing header): [SYMPTOM]

Do the following, numbered:

1. If this is a design task, recommend REST API vs HTTP API based on the requirements: HTTP API for lower cost/latency and JWT/Lambda auth, REST API when you need request/response transformation, API keys with usage plans, WAF, private endpoints, or resource policies. State the trade-off plainly.

2. Classify the symptom by the phase that produced it: 403 = authorizer/resource policy/missing auth; 429 = throttling (account, stage, method, or usage-plan limit); 502 = bad integration response (Lambda error, malformed proxy payload, wrong format version); 504 = integration timed out (hard 29s cap on REST API integrations).

3. For 502 on Lambda proxy, check the response shape: a proxy integration must return `statusCode`, `headers`, and a string `body`. For HTTP API, confirm the payload format version (1.0 vs 2.0) matches what the handler returns. Quote the malformed field.

4. For 504, separate "integration genuinely slow" from "hit the 29-second integration timeout." Recommend async patterns (202 + polling, Step Functions, or `InvokeAsync`) when the backend legitimately exceeds the cap rather than chasing a timeout that cannot be raised.

5. For 429, identify which limit fired: the account-level steady-state and burst, the stage/method throttle, or the usage-plan rate/quota. Map the observed rate to the binding limit and recommend the specific setting to adjust.

6. For authorizer failures, check the authorizer type, the identity source (header/query param), token format, and authorizer result caching TTL — a stale cached Deny or a wrong identity source masquerades as a flaky 403.

7. For CORS, distinguish a true CORS misconfiguration from a 4xx/5xx that the browser reports as CORS because the error response lacks the CORS headers. Confirm the OPTIONS preflight response, `Access-Control-Allow-Origin`, allowed methods/headers, and that gateway responses (e.g. DEFAULT_4XX) also carry CORS headers.

8. For request/response transformation issues (REST API), inspect mapping templates and the `Integration Request`/`Integration Response` for VTL errors and missing model mappings.

Output as: (a) the design recommendation or the phase-to-symptom mapping, (b) the specific misconfigured field quoted from the input, (c) the minimal fix (setting, mapping, or response-shape change), (d) the verification step (access logs with `$context.error.message`, X-Ray, or a curl with `-v`). Scope IAM and resource policies to the minimum the integration needs — grant only the `lambda:InvokeFunction` or VPC-link access required, never a wildcard. Never disable an authorizer or open CORS to `*` in production to make an error disappear; reproduce in a stage and review the change before applying.

Why this prompt works

API Gateway failures are notoriously hard to read because a single status code can come from several different phases. A 403 might be the authorizer, a resource policy, or a missing signature; a 502 might be a Lambda that threw or a proxy response with the wrong shape. This prompt forces the model to classify the symptom by the phase that produced it before proposing a fix, which turns a vague “the API returns errors” into a narrow hypothesis tied to a specific configuration field. That phase-first discipline is exactly how experienced engineers read the access log.

The design half of the prompt matters just as much, because choosing REST API versus HTTP API up front prevents most downstream pain. HTTP APIs are cheaper and lower latency and handle JWT auth natively, but REST APIs are still required when you need mapping templates, usage plans with API keys, WAF, or private endpoints. By making the model state the trade-off explicitly rather than defaulting to one product, the prompt keeps teams from discovering a missing capability after they have already built on the wrong foundation.

Finally, the prompt encodes the two traps that catch people most: the 29-second integration timeout that cannot be raised, and the CORS error that is really a hidden 5xx. Both produce confident-sounding wrong fixes — raising a timeout that has no headroom, or widening CORS to * when the real problem is an error response missing its headers. By naming these explicitly and pairing every fix with a verification step and a least-privilege guardrail, the prompt keeps the engineer reproducing in a stage and reviewing before touching production.

Related prompts

Newsletter

Free: the DevOps AI Incident-Triage Cheat Sheet

Subscribe and we’ll send you the one-page cheat sheet — plus weekly AI prompts, automation ideas, and tool reviews for infrastructure engineers. One email a week. No spam, unsubscribe anytime.

  • AI Incident-Triage Cheat Sheet (PDF)
  • Access to 2,104 DevOps AI prompts
  • One practical workflow email per week