
Authenticating end users with Amazon Cognito

1. Authenticating end users with Amazon Cognito

Welcome back. We have the compute tuned; now we control who can use it. In this video, you'll learn how Amazon Cognito authenticates end users. We'll separate user pools from identity pools, decode the three JSON Web Tokens, or JWTs, that Cognito issues, federate with social and enterprise identity providers, and wire Cognito to API Gateway as an authorizer. Let's get started.

2. Build your own login?

A new app needs sign-up, password resets, social logins, and corporate accounts. The team starts sketching a custom auth system, hashed-password tables, token logic, all of it. Stop. This is exactly what Amazon Cognito does, securely and at scale. This video shows how to use it instead of building it.

3. User pools vs identity pools

Cognito has two halves that people constantly confuse. A user pool is a managed user directory: it stores accounts, handles sign-up and sign-in, and issues tokens that prove who the user is. An identity pool does something different: it exchanges a successful login for temporary AWS credentials so the user can call AWS services directly. A user pool answers "who are you"; an identity pool answers "what AWS access do you get." Think of the user pool as the passport office that proves who you are, and the identity pool as the rental-car desk that takes that proven ID and hands you the keys. Many apps use both: the user pool authenticates, then the identity pool grants scoped AWS access.

4. The three Cognito tokens

A user pool issues three JSON Web Tokens. The ID token carries identity claims, like email and groups, describing who the user is. The access token represents authorization, what the user may call, and is the one you send to an API. The refresh token only obtains new tokens when they expire, so the user isn't prompted again. All three are JWTs your backend can validate.

5. Federated identity

Most users don't want yet another password, so Cognito supports federation: the user signs in with an external provider that Cognito trusts. For consumer apps that means social logins like Google or Apple; for business apps, enterprise providers over SAML or OIDC, the standard protocols for passing a verified login between systems, so employees sign in with their corporate accounts through a provider like Okta. Cognito acts as the broker, validating the external login and issuing its own standard tokens, so your code stays the same whichever provider the user chose.

6. Cognito as an API Gateway authorizer

You rarely validate tokens by hand. API Gateway integrates with a Cognito user pool as an authorizer. The client puts its token in the Authorization header, and the gateway checks its signature and expiry against the user pool before your backend runs. A missing, invalid, or expired token is rejected at the edge with a 401, so bad requests never reach your backend and never cost you a Lambda invocation (Lambda runs your code without you managing servers, and you pay per invocation). Authentication lives at the gateway, and your code stays focused on business logic.

7. A typical sign-in to API-call flow

Here is the end-to-end flow. The user signs in to the Cognito user pool, directly or through a federated provider, and Cognito returns the three tokens. The client then calls your API with the access token in the Authorization header, because that token represents permission to call the API. API Gateway's Cognito authorizer validates it, and only then does your backend run. When the access token expires, the client quietly uses the refresh token to get a new one, so the user keeps working without logging in again. That is Cognito authentication in practice.

8. Common Cognito mistakes

A few mistakes show up again and again. The most common is sending the ID token to an API when the access token is what represents permission. Another is confusing the two pools, reaching for a user pool when the goal is temporary AWS credentials, which is an identity pool's job. Tokens are also bearer credentials, meaning whoever holds one can use it, so storing them carelessly on the client is a real risk. Knowing which token and which pool to use prevents most Cognito bugs.

9. Let's practice!

Time to put Cognito to work. Let's practice!
