I have a (public) API Gateway that uses a custom Lambda authorizer that we need to both (a) authorize custom access token and (b) JWTs.

We now want to trigger another Lambda (via EventBridge Scheduler) to send a request to our backend via the API Gateway, but we’re having problems on deciding how to authorize or bypass those calls.

From our discussions we came up with following solutions:

• Set up a mirror API Gateway inside our VPC with no authorization and call that from the Lambda

• Roll our own “auth” via a rotating token that we store in the Secret Manager

Before going forward with one of those solutions, I want to make sure that we’re not missing something very easy and obvious to either bypass the custom authorization Lambda calls or authorize them (e.g. signing via aws-sig4?)