Hi Robert Slotwinski,
Can you please clarify what your requirement is?
From my understanding, you want your clients to be always authenticated against “API Key” and you want the clients to be additionally authenticated against “OAuth” only if an Authorization header is sent by the client. Correct me if my understanding is wrong.
I suppose such an authentication scenario is not supported by the API Gateway IAM (“Identify & Authorize Application”) policy. If you configure more than one policy in the IAM policy (e.g. API Key and OAuth as you did), you can either configure them with an “AND” condition (evaluate both) or with an “OR” condition (evaluate if at least one matches).
I suppose there is no way to mention “authenticate only if the relevant header is present” via IAM policy.
You can explore whether a Mashup of 2 different APIs (catering to your 2 different authentication requirements) can be used to achieve your use case. API Mashup is supported in 10.3.
Another option is the “Custom Extensions” policy, which is more powerful, and I believe this can be achieved using “Custom Extensions”, but this is supported only from version 10.5.