Overview
A Lens table is private. Boards, reports, and tiles query it through the authenticated UI. A Lookup gives you the opposite: a public HTTPS endpoint that takes a few query parameters and returns a single matching row. You control which columns callers can filter on, which domains can call it, and how long edge caching keeps each row warm.
Typical uses are product-detail lookups for marketing tags, unit-conversion lookups in cart pages, store-finder data for landing pages, or any case where a tag needs a small slice of structured data at runtime without bundling the whole dataset or hitting a backend you'd otherwise have to build. The endpoint is fronted by CloudFront, so repeat calls within the cache window never reach a server at all.
Navigate to Lookups
Open Lens > Lookups in the left sidebar. The list shows every lookup in the current property with its source table, public key, last sync time, and recent request volume. Click Add Lookup to create a new one.
Pick a source table
The lookup mirrors rows from one Lens table into a fast key-value store optimized for single-row reads. Pick the table whose rows you want exposed. Tables larger than the lookup row cap are blocked because the mirror would be expensive to keep current; if your table is too big, build a Pivot or aggregated table that summarizes it first and point the lookup at that.
Choose lookup keys
Lookup keys are the columns callers must pass to find a row. For a product lookup that might be sku. For a unit-conversion table it might be item_cde plus from_uom_cde plus to_uom_cde. The order you pick determines the URL parameter order in the example shown below the picker.
Pick the smallest set that uniquely identifies a row. Each additional key narrows the lookup but also makes the URL longer and the caller's life harder. Columns not in the lookup-keys list become part of the returned row payload but cannot be used to filter.
Set the referrer allowlist
Add the domains allowed to call the endpoint, one per line. The Lambda checks the browser's Origin or Referer header on every request and returns 403 if it isn't on the list. Empty list means no enforcement, which is fine while you're testing but should always be tightened before a real client starts using the endpoint.
Allowlist entries are matched as hostnames, not URLs. Add www.veritiv.com, not https://www.veritiv.com/. Add each subdomain that needs to call you separately; there is no wildcard support, by design.
Pick a cache duration
Cache TTL controls how long CloudFront caches each unique row at the edge. The default is one hour. Longer values reduce origin load (and your costs) and make the average response faster for repeat callers; shorter values mean callers see data changes sooner after a source-table sync.
Cache TTL never affects the underlying table. It only changes how long a cached response stays valid for repeat callers within the TTL window. A sync to the source table doesn't invalidate already-cached rows; they age out on their own schedule.
Save and sync
Click Create Lookup. A public Key is generated and shown on the lookup's view page. Copy it from there. The first time you create the lookup, click Sync Now to mirror the source table into the lookup store so the endpoint can answer queries. From then on, the source table's scheduled sync keeps the lookup current automatically.
You can create as many lookups on the same table as you need, each with different keys, allowlists, and cache durations. Useful when one client needs name and price while another needs the full row, or when you want a public version for marketing tags and a tighter internal version for ops.
Rotate or disable a lookup
On the lookup view page, the public Key has a rotate button. Clicking it generates a new key and invalidates the old one immediately. Any tags still using the old key get 404s. Use this when you suspect a key has leaked or when ending a relationship with a partner who had access.
To disable a lookup without rotating, toggle Enabled off on the edit page. The endpoint returns 404 for the disabled lookup until you re-enable it. Config and stats are preserved.
Troubleshooting
Lookup returns 403 even with the right key
The referrer allowlist is the most likely cause. Open the lookup in edit mode and confirm the calling site's hostname is on the list. The Origin or Referer header the browser sends must match exactly (no scheme, no path). For local testing from a browser file:// origin, temporarily empty the allowlist.
Lookup returns 404 with found: false
The key resolved fine and the request was authorized, but no row matched the keys you sent. Either the row doesn't exist, the values you passed don't match the values in the table exactly (case-sensitive), or the lookup hasn't been synced since the row was added. Trigger a Sync Now and try again.
Activity dashboard shows all zeros
Metrics write asynchronously from the Lambda to DynamoDB. The dashboard reads back into the property's timezone. If everything reads zero and you know calls are happening, the most likely cause is the Lambda was deployed before its writer code was updated; ask support to verify.