HTTP APIs vs REST APIs
In 2019, AWS added a second flavor of API Gateway — HTTP APIs. Same product, different defaults. Cheaper, faster, fewer features. Most new serverless projects should pick HTTP APIs by default; most exam questions expect you to know when not to.
This chapter is the comparison and the decision rule.
The Two Flavors
Both live under "API Gateway" in the Console, but they are separate services internally:
- REST APIs — the original, feature-complete API Gateway. The one we covered in the last two chapters;
- HTTP APIs — a stripped-down successor. Roughly 70% cheaper per million requests and noticeably lower latency. Pricing as of 2026: REST APIs at $3.50 per million requests, HTTP APIs at $1.00 per million. Over a high-volume API, the difference becomes real money.
What HTTP APIs Drop
HTTP APIs are lighter because they do not support:
- API keys and usage plans (no per-client throttling without external work);
- Request and response transformation via mapping templates;
- Mock integrations;
- AWS WAF integration directly (you wrap with CloudFront for that);
- Edge-optimized endpoints (only Regional);
- Lambda authorizer responses with full IAM policies (HTTP APIs use a simpler boolean response format);
- Caching at the API Gateway layer.
If a project needs any of these, REST APIs are still the answer.
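The two Lambda authorizer response shapes from the list above, side by side, as an added example that is not part of the original chapter. The token scheme (`<client_id>.<HMAC>`), `DEMO_SECRET`, and the function names are hypothetical and constructed for illustration; both handlers fail closed on any token that does not verify.

```python
import hashlib
import hmac

# Constructed demo secret (assumption); a real function loads it from a secrets store.
DEMO_SECRET = b"constructed-demo-secret"


def sign(client_id: str) -> str:
    """Build a '<client_id>.<hex HMAC-SHA256>' token (hypothetical demo scheme)."""
    mac = hmac.new(DEMO_SECRET, client_id.encode(), hashlib.sha256).hexdigest()
    return f"{client_id}.{mac}"


def verify(token: str):
    """Return the client id if the token's MAC is valid, else None."""
    token = token[7:] if token.startswith("Bearer ") else token
    client_id, sep, mac = token.rpartition(".")
    if not sep or not client_id:
        return None  # malformed or missing token
    expected = sign(client_id).rpartition(".")[2]
    ok = hmac.compare_digest(mac.encode(), expected.encode())  # constant-time
    return client_id if ok else None


def http_api_authorizer(event, context=None):
    """HTTP API authorizer: simple boolean response (header names arrive lowercased)."""
    headers = event.get("headers") or {}
    client_id = verify(headers.get("authorization", ""))
    if client_id is None:
        return {"isAuthorized": False}  # fail closed
    return {"isAuthorized": True, "context": {"clientId": client_id}}


def rest_api_authorizer(event, context=None):
    """REST API TOKEN authorizer: returns a principal plus a full IAM policy."""
    client_id = verify(event.get("authorizationToken", ""))
    return {
        "principalId": client_id or "anonymous",
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{
                "Action": "execute-api:Invoke",
                "Effect": "Allow" if client_id else "Deny",
                "Resource": event["methodArn"],
            }],
        },
        "context": {"clientId": client_id or ""},
    }
```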
What HTTP APIs Add
In return, HTTP APIs offer:
- JWT authorizers as a built-in feature — no Lambda needed for OIDC providers like Auth0, Okta, or Cognito;
- Automatic CORS configuration — one toggle, no per-method setup;
- Simpler route syntax: ANY /users/{userId+} catches all methods and sub-paths;
- Better Lambda proxy integration with cleaner request and response formats;
- Lower latency in benchmarks, often by 50–100 ms.
When to Pick Which
A simple decision rule:
- New simple Lambda-backed API, no exotic requirements? → HTTP API;
- Already using Cognito or another OIDC provider? → HTTP API (built-in JWT support);
- Need per-client throttling via API keys? → REST API;
- Need mapping templates for request and response transformation? → REST API;
- Need a private API only accessible inside a VPC? → REST API (HTTP APIs only support Regional plus VPC Link, not full private endpoints);
- Migrating from an old API Gateway REST API? → keep REST, no reason to rewrite.
WebSocket APIs
API Gateway also supports a third flavor — WebSocket APIs — for real-time bidirectional connections (chat apps, live dashboards, multiplayer games). The mental model is different:
- The API has three default routes: $connect, $disconnect, $default;
- You can add custom routes triggered by message content;
- You send messages back to clients via the @connections API using a connection ID;
- State (which user has which connection ID) is your responsibility, usually in DynamoDB.
WebSocket APIs are uncommon on the exam: know they exist, know the three default routes.
Common Confusions on the Exam
Three traps to watch for:
- "Need to throttle a third-party developer to 100 requests per second" → REST API + usage plan, not HTTP API;
- "Need to integrate with Cognito for authentication" → both work, but HTTP API has built-in JWT support;
- "Need to call API Gateway from inside a VPC" → REST API supports VPC Link (private integration) and Private API endpoints; HTTP API supports VPC Link only.
The default answer for new projects is HTTP API. The exam often picks REST API when there is a specific feature in the question that HTTP APIs do not support, so read carefully.