I'm using Amazon API Gateway as a proxy for an underlying web service that is running in an Amazon VPC. This web service runs code for 400 tenants. The main point is to securely pass the tenantId to this web service from the caller. The caller is some external system that will use this web service to import data for a specific tenant.
To reach this aim I'm using Amazon Cognito app clients (one per tenant). Each app client will have its own scope (tenant1, tenant2, tenant3, ...): 400 app clients and 400 scopes in the end.
At the same time, in API Gateway I configured routes per tenant (like api/tenant1/import, api/tenant2/import, api/tenant3/import) and set an authorizer with the appropriate rule (just check the scope: tenant1 or tenant2 or tenant3, etc.). Now the web service has only 5 endpoints, which means that I have 2000 routes in API Gateway (that is hitting the AWS limits).
When a request comes to API Gateway, the authorizer will check this scope (on the concrete route) and pass the request to the underlying web service or just return an unauthorized error.
Is there any way to not use so many routes, but somehow authorize the request (check the scope) and then pass the tenantId to the web service?
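The scope check the question describes (one Cognito custom scope per tenant, checked by the authorizer, tenantId handed to the backend) can be done once for all routes if the authorizer derives the tenant from the scope claim instead of from the route. The following is an added example, not code from the question or from AWS: it models the claims-handling half of an HTTP API Lambda authorizer that uses the "simple" response format. Everything named here is an assumption: the resource server identifier `import-api`, the scope naming pattern `import-api/tenantN`, and the `SAMPLE_CLAIMS` dict, which is constructed for the example. It operates on claims whose RS256 signature has already been verified against the user pool's JWKS; it does not perform that verification itself.

```python
"""
Tenant-scope -> tenantId resolution for an API Gateway Lambda authorizer.

Added example (not from the original question). Hypothetical assumptions:
  - Cognito custom scopes are named "<resource server>/tenant<N>", e.g. "import-api/tenant42"
  - HTTP API (v2) Lambda authorizer using the simple response format ({"isAuthorized": ..., "context": ...})
  - `claims` is the payload of an access token whose signature was already verified
    against the user pool JWKS (RS256); this code does NOT verify signatures.
"""
import re
from typing import Optional, Set

RESOURCE_SERVER = "import-api"                       # hypothetical Cognito resource server identifier
TENANT_SCOPE_RE = re.compile(r"^tenant(\d{1,4})$")   # accepts tenant1 .. tenant9999, nothing else


class Unauthorized(Exception):
    """Raised when the token must not be mapped to any tenant."""


def tenant_from_claims(claims: dict, allowed_client_ids: Optional[Set[str]] = None) -> str:
    """Return the single tenant id encoded in the token's scopes, or raise Unauthorized."""
    # Only Cognito *access* tokens carry "scope"; an ID token presented here is rejected.
    if claims.get("token_use") != "access":
        raise Unauthorized("not an access token")

    # Cognito emits "scope" as a single space-separated string.
    tenants = set()
    for scope in claims.get("scope", "").split():
        # rpartition keeps resource server identifiers that themselves contain "/" intact.
        resource_server, _, name = scope.rpartition("/")
        if resource_server != RESOURCE_SERVER:
            continue                                  # scopes of other resource servers are ignored
        match = TENANT_SCOPE_RE.match(name)
        if match:
            tenants.add(match.group(1))

    # Zero tenant scopes: this API is not granted. More than one: ambiguous, refuse to guess.
    if len(tenants) != 1:
        raise Unauthorized(f"expected exactly one tenant scope, got {sorted(tenants)}")

    # Optional defence in depth: one app client per tenant, so the client_id can be allow-listed too.
    if allowed_client_ids is not None and claims.get("client_id") not in allowed_client_ids:
        raise Unauthorized("client_id not allowed for this API")

    return tenants.pop()


def authorize(claims: dict, allowed_client_ids: Optional[Set[str]] = None) -> dict:
    """Build the simple-format authorizer response; tenantId travels in `context`, never from the caller."""
    try:
        tenant_id = tenant_from_claims(claims, allowed_client_ids)
    except Unauthorized as exc:
        return {"isAuthorized": False, "context": {"reason": str(exc)}}
    return {
        "isAuthorized": True,
        "context": {"tenantId": tenant_id, "clientId": claims.get("client_id", "")},
    }


# Constructed sample claims (not a real token payload).
SAMPLE_CLAIMS = {
    "token_use": "access",
    "client_id": "1example23456789",
    "scope": "openid import-api/tenant42",
}

if __name__ == "__main__":
    print(authorize(SAMPLE_CLAIMS))
```

With one authorizer like this in front of the five real routes, the backend reads tenantId from the value API Gateway injects from the authorizer context (for example via a parameter mapping on `$context.authorizer.tenantId`) and must ignore any tenant identifier supplied by the caller in path, query or headers, since only the authorizer-derived value is bound to the verified token.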