How to Build Custom APIs & Usage Plans with AWS API Gateway
By Braincuber Team
Published on March 21, 2026
We recently analyzed a hardware brand paying $2,400 monthly for Lambda executions because their 3PL partner was pinging their inventory endpoint 80 times a minute. If you expose a custom API to wholesale clients, fulfillment centers, or retail partners without throttling them, they will abuse it. Your infrastructure will scale beautifully to handle their terrible polling scripts, and you will foot the bill. You need a gatekeeper. AWS API Gateway allows you to build custom REST APIs, bind them directly to your Lambda functions, and strictly enforce "Usage Plans" with API keys. Here is how you lock down your data access so you don't fund your partner's bad code.
What You'll Learn:
- How to wire a Python Lambda function to a REST API route
- Enforcing strict throttling and hard quotas on specific B2B partners
- Generating dynamic API keys directly within AWS Console
- The fatal deployment mistake made when updating Method Requests
- How to test your secure endpoints using raw cURL commands
Why Raw Compute Needs a Gateway
Never expose a Lambda Function directly to the internet unless you want a massive AWS bill. A Gateway acts as the bouncer, checking IDs (Authentication) and counting drinks (Rate Limiting) before anyone gets in the club.
Usage Plan Extortion
If you build a genuinely valuable API, charge for it. API Gateway usage plans allow you to build tiered SaaS models (e.g., 10k requests for $50/mo, 100k requests for $400/mo), with each tier enforced by the key you hand the customer.
Throttling Protection
Traffic spikes will exhaust your database connections. Setting a rate limit at the gateway level means AWS returns a 429 Too Many Requests error before your actual databases even notice the traffic.
Step-by-Step Security Implementation
Create The AWS Lambda Target
Navigate to AWS Lambda and hit "Create Function". Choose the Python runtime. Paste the strict JSON response format that API Gateway's Lambda proxy integration requires. If you do not return an integer "statusCode" and a stringified "body", the Gateway will throw an agonizing 502 Bad Gateway response.

```python
import json


def lambda_handler(event, context):
    body = {"status": "success", "data": "Secure inventory snapshot"}
    # Proxy integration contract: statusCode must be an int and body a string,
    # so the payload is json.dumps'd rather than returned as a dict.
    return {
        "statusCode": 200,
        "body": json.dumps(body),
        "headers": {
            "Content-Type": "application/json"
        }
    }
```
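As an added example (not the article's code), a proxy-integration handler that keeps the statusCode/body contract, validates a query parameter instead of trusting it, and logs which usage-plan key made the call using the standard `requestContext.identity.apiKeyId` field of the REST API proxy event; the inventory data and key ids are constructed.

```python
import json
import logging

logger = logging.getLogger(__name__)

# Constructed stand-in for the real inventory store so the example runs offline.
INVENTORY = {"SKU-100": 42, "SKU-200": 0}


def respond(status_code, payload):
    """Build a response API Gateway accepts: int statusCode, string body."""
    return {
        "statusCode": int(status_code),
        "headers": {"Content-Type": "application/json"},
        "body": json.dumps(payload),
    }


def lambda_handler(event, context):
    # The proxy event carries the caller's key id; logging it lets you attribute
    # abusive polling to a specific partner's key rather than a bare IP.
    identity = (event.get("requestContext") or {}).get("identity") or {}
    key_id = identity.get("apiKeyId", "none")
    # API Gateway sends null, not {}, when there is no query string.
    params = event.get("queryStringParameters") or {}
    sku = params.get("sku")
    if not sku:
        logger.warning("key=%s rejected: missing sku", key_id)
        return respond(400, {"status": "error", "message": "sku query parameter required"})
    if sku not in INVENTORY:
        logger.info("key=%s asked for unknown sku %s", key_id, sku)
        return respond(404, {"status": "error", "message": "unknown sku"})
    logger.info("key=%s served sku %s", key_id, sku)
    return respond(200, {"status": "success", "sku": sku, "on_hand": INVENTORY[sku]})


def is_valid_proxy_response(resp):
    """Check the contract whose violation surfaces as 502 Bad Gateway."""
    return (
        isinstance(resp, dict)
        and isinstance(resp.get("statusCode"), int)
        and isinstance(resp.get("body"), str)
    )
```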
Build the REST API Route
Navigate to API Gateway. Select Build under REST API. Choose New API, give it a name, and leave endpoint type as Edge-optimized. Once inside, click Actions -> Create Method. Select GET. Select Lambda Function as the integration type (with Lambda proxy integration, which is what expects the response format above) and type in the name of your Python function. Deploy the API to a new stage (e.g., 'prod'). Test the Invoke URL in your browser.
| Usage Plan Configuration | Business Implication |
|---|---|
| Rate (Requests per second) | Steady-state traffic allowance. Keeps your database CPU utilization low. |
| Burst limit | Allows concurrent request spikes before rejecting traffic. Great for BFCM surges. |
| Quota (Requests per month) | Protects your wallet. Once the partner hits the hard quota, the key goes dead until the 1st of the month. |
Attach the API Key
Go to Usage Plans. Create a plan with a strict throttling limit. Add your API stage to it. Next, click the API Keys tab and select 'Auto Generate'. Link this new API key to the usage plan. Now the critical part: Go back to your REST API Method Execution page. Change API Key Required to true.
The Silent Deployment Failure
Changing 'API Key Required' to true in the console does absolutely nothing to the live endpoint. You must manually go to Actions and Deploy API again. If you skip this, anyone can still access your API without a key, bypassing your entire usage plan.
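The same steps done with boto3, as an added example that is not from the article: it builds the usage plan from a tier table, creates and links the key, flips API Key Required on the GET method, and then creates the deployment the article says people forget. The API Gateway client is passed in so the call sequence can be checked offline; the REST API, resource and stage ids are placeholders.

```python
# Tier table is constructed for illustration; adjust to your own pricing.
TIERS = {
    "basic": {"rate": 5.0, "burst": 10, "monthly_quota": 10_000},
    "premium": {"rate": 50.0, "burst": 100, "monthly_quota": 100_000},
}


def usage_plan_args(name, tier, rest_api_id, stage):
    """Arguments for apigateway.create_usage_plan; the stage must already be deployed."""
    t = TIERS[tier]
    return {
        "name": name,
        "apiStages": [{"apiId": rest_api_id, "stage": stage}],
        "throttle": {"rateLimit": t["rate"], "burstLimit": t["burst"]},
        "quota": {"limit": t["monthly_quota"], "period": "MONTH"},
    }


def provision_partner(client, rest_api_id, resource_id, stage, partner, tier):
    """Create plan and key, link them, require the key on GET, then deploy."""
    plan = client.create_usage_plan(
        **usage_plan_args(f"{partner}-{tier}", tier, rest_api_id, stage))
    key = client.create_api_key(
        name=f"{partner}-key", enabled=True, generateDistinctId=True)
    client.create_usage_plan_key(
        usagePlanId=plan["id"], keyId=key["id"], keyType="API_KEY")
    # Equivalent of flipping "API Key Required" to true in the console.
    client.update_method(
        restApiId=rest_api_id, resourceId=resource_id, httpMethod="GET",
        patchOperations=[{"op": "replace", "path": "/apiKeyRequired", "value": "true"}])
    # Without this call the live stage still serves keyless traffic.
    client.create_deployment(
        restApiId=rest_api_id, stageName=stage,
        description=f"require API key for {partner}")
    return {"usage_plan_id": plan["id"], "api_key_id": key["id"],
            "api_key_value": key["value"]}


if __name__ == "__main__":
    import boto3  # only needed against a real account
    # Placeholder ids; take the real ones from the console or get_resources().
    print(provision_partner(boto3.client("apigateway"), "abcdef123",
                            "RESOURCE_ID_PLACEHOLDER", "prod", "acme-3pl", "basic"))
```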
Verify the Lock
To confirm the endpoint is actually locked, open your terminal. Send a raw cURL command to the Invoke URL without a key. You should immediately get slapped with a 403 Forbidden message. Only when you explicitly pass the key inside the x-api-key header will the Lambda execute:

```bash
curl --location --request GET \
  'https://abcdef123.execute-api.us-east-1.amazonaws.com/prod/inventory' \
  --header 'x-api-key: aB1cD2eF3gH4iJ5kL6mN7oP' \
  --header 'Content-Type: application/json'
```
Frequently Asked Questions
Why did I get a 502 Bad Gateway response when testing the API?
Your Lambda function is likely returning raw strings or improperly formatted JSON. With Lambda proxy integration, API Gateway mandates that you return a strict JSON payload containing a "statusCode" integer and a stringified "body" field.
Can I assign different limits to different B2B partners?
Yes. Create multiple Usage Plans (e.g., Basic, Premium, Enterprise) with different throttling rates and quotas. You then assign each wholesale partner's API key to their respective tier.
What header name must I use for the API key?
API Gateway strictly looks for the literal string "x-api-key" within the request headers. Passing it as an Authorization bearer token or query parameter will instantly result in a 403 Forbidden failure.
What happens when a usage plan quota is exceeded?
All subsequent requests from that specific API key will automatically be rejected by AWS with a 429 Too Many Requests status. Your Lambda functions will not be invoked, completely shielding your compute costs.
Why isn't my API Key requirement securing the endpoint?
Because you forgot to deploy it. In AWS API Gateway, flipping a toggle on the Method settings edits only the working configuration, not the live stage. You must always manually click Deploy API to push configuration changes.
Is Your Backend Getting Hammered By Rogue Integrations?
I see D2C brands blowing $5,000 a month on cloud bills because they gave a 3PL partner an open REST endpoint. Instead of optimizing their code, the partner just writes a script to hit your database 100 times a second. We lock down bloated cloud architectures, implement strict usage plans, and cut server costs immediately. If you have open API endpoints, you are a target.
