Missing Authentication Token
TL;DR — "Missing Authentication Token" means the request either carried no credentials or hit an endpoint/method AWS doesn't recognize — a request to a non-existent path or an unsupported HTTP method returns this rather than a 404. For DynamoDB it's almost always a wrong endpoint URL or a request that never got signed.
What it means
{"message":"Missing Authentication Token"}AWS's SigV4 troubleshooting guide is blunt about the first cause: if the API request isn't signed, you might receive Missing Authentication Token. Counter-intuitively, the same message also comes back from API-Gateway-style endpoints (HTTP 403) when the path or HTTP method doesn't match any route — AWS looks for auth on a request it can't route and reports the missing token instead of a "not found". When DynamoDB itself rejects a request whose authorization header is missing or malformed, the exception is MissingAuthenticationTokenException — HTTP 400, not retryable, with the message "Request must contain a valid (registered) AWS Access Key ID."
Why it happens
- Wrong endpoint URL — hitting
https://dynamodb.<region>.amazonaws.com/some/pathin a browser or with a plain GET, instead of a properly signed SDK call to the service root. - Unsigned request — a raw
curl/fetchwith no SigV4Authorizationheader (the SDK normally adds it). - Wrong HTTP method — DynamoDB's API expects
POSTto/with anX-Amz-Targetheader naming the operation; other shapes aren't recognized as signed operations. - A typo'd custom endpoint — pointing at a URL that doesn't correspond to the DynamoDB service.
- DynamoDB Local without an access key configured — the SDKs require an access key and region value to be set even locally (any values work; Local only uses them to name its database file).
How to fix it
- Use the AWS SDK, not a raw HTTP call. Let the SDK build the signed
POSTwith the correctX-Amz-Target— don't hand-craft URLs. - Point at the service root (
https://dynamodb.<region>.amazonaws.com), not a path, and set the client's region to match. - Confirm credentials are configured so the SDK actually signs the request (env vars, profile, or role).
- For DynamoDB Local, set the endpoint to
http://localhost:8000and configure a dummy access key/secret (letters and numbers only) so the SDK signs normally — Local doesn't validate them.
Related errors
- Unable to locate credentials — no credentials found by the SDK at all.
- The security token included in the request is invalid — credentials present but rejected.
- Could not connect to the endpoint URL — a malformed or unreachable endpoint.
- Learn: Connect to DynamoDB Local & LocalStack
References
- Troubleshoot Signature Version 4 signing for AWS API requests — IAM User Guide
- Error handling with DynamoDB — Amazon DynamoDB Developer Guide
- Create a signed AWS API request — IAM User Guide
- DynamoDB local usage notes — Amazon DynamoDB Developer Guide
Last verified 2026-07-13 against the official AWS documentation linked above.