Query Parameters Unexpectedly Modified by API Gateway

  • Published on Nov 17, 2025
  • 1 minute(s) read
Prev Next

The Bug

When your Spring Boot Application is behind AWS API Gateway, you might notice that some query parameters don’t arrive as expected.

Request URL

Observed Parameters in Spring Boot

/hello?name=john=

[name=john]

/hello?name=stan=ley

[name=]

In other words, parts of your parameter values are truncated. This happens even though the request seems correct when you type it in the browser, test it with a tool like Postman, or even run the application locally without API Gateway. The issue occurs before the request reaches your application, as API Gateway parses and modifies query parameters containing certain characters like =.

The Solution

The most reliable way to avoid this behavior is URL-encoding the parameter values before they are sent to API Gateway.

For example:

Encoded Request URL

Observed Parameters in Spring Boot

/hello?name=john%3D

[name=john=]

Key points to remember:

  • Always URL-encode query parameters before sending them.

  • When values are correctly encoded, API Gateway preserves them without modification, and the backend receives the exact value sent by the client.

Important

  • OAuth2 flows caution: The state parameter can be properly URL-encoded when redirecting to the OAuth provider, but some providers return it not URL-encoded. In these cases, API Gateway may truncate = padding in Base64 values, causing Spring Boot to fail to find the corresponding authorization request authorization_request_not_found) even though it works locally.

  • Possible fixes:

    • Generate the state value in a URL-safe Base64 format to avoid =.        

    • Or, detect and correct the corrupted state parameter in your application before processing it.        

  • Note that some OAuth providers are stricter than others and require exact Base64 decoding, so this issue may appear only with certain providers.