For this exercise, take a closer look at the CreatePet method:

1. The request is validated in Method Request, and in this case, we can restrict this to accept only well-formed entities according to the JSON schema definition. This works for URL query parameters, headers, and the request body. Here, it is also possible to request authorization via IAM and to use an API key to sign requests:

2. The integration request can be made with one of the following:
   • Lambda function: This is one of the most used integrations in AWS because it allows you to design microservices architectures by using small services provided by AWS Lambda.
   • HTTP: Any kind of HTTP endpoint that can be reached by API Gateway can be invoked as part of the integration; this promotes hybrid environments or third-party service providers, for example, a payment external API.
   • Mock: Fast integration cycles can be achieved by mocking resources, and you can hardcode the responses associated with different HTTP status codes, for example, a 200 successful request and a 500 error.
   • AWS service: Fully fledged backends by mapping the HTTP verb to an action of another service, for example, receiving a PUT operation to a resource such as /payments and producing a PutMessage action in an SQS queue or a POST /user for a PutItem action in a DynamoDB table. This allows to abstract the code required to take a managed service action.
   • VPC Link: This is a private integration that will only work inside the VPC. The requests will be encapsulated and routed to a network load balancer.
     1. You can choose an integration response that responds with custom predefined objects or custom responses based on Apache Velocity templates; in this case, the response is returning a custom header to enable Cross-Origin Resource Sharing (CORS):

2. • 2. The method response is the last step on the request lifecycle, where we can provide an HTTP status independent from the integration type; in this case, the response uses a mocked NewPetResponse model for the HTTP 200 status:

We can add behavior for 400 and 500 HTTP codes with different models or JSON structures.

API Gateway is an excellent choice to expose functionality in a managed way, releasing from the controller logic, middleware, and authentication proxies. If custom authentication to the API is needed, such as JWT or a simple data source, you can use Authorizers:

This authorizer will intercept every call to perform custom validation for each request, and you can also use Cognito identity pools and Cognito federated identities.