diff --git a/packages/@aws-cdk/aws-appsync/README.md b/packages/@aws-cdk/aws-appsync/README.md
index 38cd003435f73..310212f41af81 100644
--- a/packages/@aws-cdk/aws-appsync/README.md
+++ b/packages/@aws-cdk/aws-appsync/README.md
@@ -64,6 +64,11 @@ export class ApiStack extends Stack {
           userPool,
           defaultAction: UserPoolDefaultAction.ALLOW,
         },
+        additionalAuthorizationModes: [
+          {
+            apiKeyDesc: 'My API Key',
+          },
+        ],
       },
       schemaDefinitionFile: './schema.graphql',
     });
diff --git a/packages/@aws-cdk/aws-appsync/lib/graphqlapi.ts b/packages/@aws-cdk/aws-appsync/lib/graphqlapi.ts
index 04dbb8a59065a..9f1492ceced48 100644
--- a/packages/@aws-cdk/aws-appsync/lib/graphqlapi.ts
+++ b/packages/@aws-cdk/aws-appsync/lib/graphqlapi.ts
@@ -80,6 +80,13 @@ export interface AuthorizationConfig {
      * @default - API Key authorization
      */
     readonly defaultAuthorization?: AuthModes;
+
+    /**
+     * Additional authorization modes
+     *
+     * @default - No other modes
+     */
+    readonly additionalAuthorizationModes?: [AuthModes]
 }
 
 /**
@@ -267,6 +274,15 @@ export class GraphQLApi extends Construct {
         } else if (isApiKeyConfig(auth.defaultAuthorization)) {
             this.api.authenticationType = this.apiKeyDesc(auth.defaultAuthorization).authenticationType;
         }
+
+        this.api.additionalAuthenticationProviders = [];
+        for (const mode of (auth.additionalAuthorizationModes || [])) {
+            if (isUserPoolConfig(mode)) {
+                this.api.additionalAuthenticationProviders.push(this.userPoolDescFrom(mode));
+            } else if (isApiKeyConfig(mode)) {
+                this.api.additionalAuthenticationProviders.push(this.apiKeyDesc(mode));
+            }
+        }
     }
 
     private userPoolDescFrom(upConfig: UserPoolConfig): { authenticationType: string; userPoolConfig: CfnGraphQLApi.UserPoolConfigProperty } {