Integrating Amazon Cognito authentication and authorization with web and mobile apps - Amazon Cognito

Integrating Amazon Cognito authentication and authorization with web and mobile apps

When you integrate your app with an Amazon Cognito app client, you can invoke API operations for authentication and authorization of your users. We recommend you use AWS Amplify to integrate Amazon Cognito with your web and mobile apps. AWS Amplify is a complete solution that lets frontend web and mobile developers easily build, connect, and host fullstack applications on AWS, with the flexibility to leverage the breadth of AWS services as your use cases evolve. Amplify Auth primarily makes use of Amazon Cognito to build authentication features.

A typical implementation of Amazon Cognito uses a mix of visual tools and APIs. The Amazon Cognito console is the visual interface for setup and management of your Amazon Cognito user pools and identity pools. The hosted UI is a ready-to-use web-based sign-in application for quick testing and deployment of Amazon Cognito user pools. Additionally, in most Amazon Cognito deployments you must add code in your apps to interact with your user pools and identity pools. For example, your app might invoke the hosted UI for user sign-in, then call the token endpoint from your app code to exchange your user's authorization code for tokens. Then your app must interpret and store your user's tokens, and present them in the appropriate context for authentication and authorization. Amplify adds guided integration tools with built-in functions for these processes.

You can also build your Amazon Cognito resources entirely in code. To get started with your own custom app code, visit the Amazon Cognito code examples for AWS SDKs. For integration with the Amazon Cognito as an OpenID Connect identity provider, use OpenID Connect developer tools.

Before you use Amazon Cognito authentication and authorization, choose an app platform and prepare your code to integrate with the service. For available platforms, see Authentication with AWS SDKs. The AWS CLI is a command-line SDK for Amazon Cognito and other AWS services, and is a valuable place to begin to familiarize yourself with the Amazon Cognito API.


Some components of Amazon Cognito can be configured only with the API. For example, you can only set a user pool custom SMS or email sender Lambda trigger with a request that updates the LambdaConfig property of the UserPool class in a CreateUserPool or UpdateUserPool API request.

The Amazon Cognito user pools API shares its namespace with several classes of API operations. One class configures user pools and their processes, identity providers and users. Another includes unauthenticated operations for your users in a public client to sign in, sign out, and manage their profiles. The final class of API operations performs user operations that you authorize with your own AWS credentials in a confidential server-side client. You must know your intended app architecture before you begin to implement app code. For more information, see Using the Amazon Cognito user pools API and user pool endpoints.

Authentication with AWS Amplify

AWS Amplify is a complete solution for building web and mobile applications. With Amplify, you can connect to existing resources with the Amplify libraries, or you can create and configure new resources with the Amplify command line interface (CLI). Amplify also has connected UI components like Authenticator for setup and customization of the sign-in and sign-up experience in your app.

To use Amplify authentication features in your front-end app, see the following documentation by platform.

The Amplify libraries are open source and are available on GitHub. To learn more about how Amplify Auth implements Amazon Cognito authentication, visit the following libraries.

Creating a user interface (UI) with Amplify

The Amazon Cognito user pools hosted UI can fulfill the essential needs of an authentication front-end for a web or mobile app. To customize your user interface (UI) beyond the parameters that the hosted UI accommodates, create a custom app. Amplify UI is a customizable collection of front-end components in a variety of languages.

A screenshot of an example Amplify Authenticator application.

To get started with your custom authentication component, visit the following documentation for the Authenticator component.

Authentication with AWS SDKs

To use a secure backend to build your own identity microservice that interacts with Amazon Cognito, connect to the Amazon Cognito user pools and Amazon Cognito identity pools API with an AWS SDK in the language of your choice.

For details on each API operation, see the Amazon Cognito user pools API Reference and the Amazon Cognito API Reference. These documents contain See also sections with resources for using a variety of SDKs in supported platforms.