Missing Authentication Token

TL;DR — "Missing Authentication Token" means the request either carried no credentials or hit an endpoint/method AWS doesn't recognize — a request to a non-existent path or an unsupported HTTP method returns this rather than a 404. For DynamoDB it's almost always a wrong endpoint URL or a request that never got signed.

What it means

{"message":"Missing Authentication Token"}

AWS's SigV4 troubleshooting guide is blunt about the first cause: if the API request isn't signed, you might receive Missing Authentication Token. Counter-intuitively, the same message also comes back from API-Gateway-style endpoints (HTTP 403) when the path or HTTP method doesn't match any route — AWS looks for auth on a request it can't route and reports the missing token instead of a "not found". When DynamoDB itself rejects a request whose authorization header is missing or malformed, the exception is MissingAuthenticationTokenException — HTTP 400, not retryable, with the message "Request must contain a valid (registered) AWS Access Key ID."

Why it happens

  • Wrong endpoint URL — hitting https://dynamodb.<region>.amazonaws.com/some/path in a browser or with a plain GET, instead of a properly signed SDK call to the service root.
  • Unsigned request — a raw curl/fetch with no SigV4 Authorization header (the SDK normally adds it).
  • Wrong HTTP method — DynamoDB's API expects POST to / with an X-Amz-Target header naming the operation; other shapes aren't recognized as signed operations.
  • A typo'd custom endpoint — pointing at a URL that doesn't correspond to the DynamoDB service.
  • DynamoDB Local without an access key configured — the SDKs require an access key and region value to be set even locally (any values work; Local only uses them to name its database file).

How to fix it

  1. Use the AWS SDK, not a raw HTTP call. Let the SDK build the signed POST with the correct X-Amz-Target — don't hand-craft URLs.
  2. Point at the service root (https://dynamodb.<region>.amazonaws.com), not a path, and set the client's region to match.
  3. Confirm credentials are configured so the SDK actually signs the request (env vars, profile, or role).
  4. For DynamoDB Local, set the endpoint to http://localhost:8000 and configure a dummy access key/secret (letters and numbers only) so the SDK signs normally — Local doesn't validate them.

References

Last verified 2026-07-13 against the official AWS documentation linked above.

Work with DynamoDB without the Console

DynoTable is a fast desktop client for DynamoDB — browse tables, run SQL-style queries, and edit items locally.