Access token customization - Amazon Cognito

Access token customization

Note

This page covers the additional capabilities that Amazon Cognito user pools advanced security features add to pre token generation Lambda triggers. For a full overview of pre token generation triggers, see Pre token generation Lambda trigger.

User pool access tokens grant permissions to applications: to call an API, to retrieve user attributes from the userInfo endpoint, or to establish group membership for an external system. In advanced scenarios, you might want to supplement the default access-token data from the user pool directory with temporary parameters that your application determines at runtime. For example, you might check a user's API permissions with Amazon Verified Permissions and adjust the scopes in the access token accordingly.

Advanced security features extend the existing functions of a pre token generation trigger. Without advanced security features, you can customize ID tokens with additional claims, roles, and group membership. With advanced security features, you can also customize access tokens with claims, roles, group membership, and OAuth 2.0 scopes. Access token customization isn't available for machine-to-machine (M2M) client credentials grants.

To customize access tokens
  1. Activate advanced security features.

  2. Create a Lambda function for your trigger. To use our example function, configure it for Node.js.

  3. Populate your Lambda function with our example code or compose your own. Your function must process the request object that Amazon Cognito sends and return the changes that you want to include in the token.

  4. Assign your new function as a version 2 pre token generation trigger.
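
The following Node.js function is an added example of a version 2 pre token generation trigger that customizes the access token; it is illustrative code written for this page, not the example function that Amazon Cognito documents. It assumes a constructed in-memory authorization table (ALLOWED_API_SCOPES) as a stand-in for a real Amazon Verified Permissions decision, a hypothetical custom user attribute named custom:tenant, and hypothetical API scope names such as orders.api/read. The function reads the user's groups and requested scopes from the event, adds the scopes the user is entitled to, suppresses a privileged scope that was requested but not granted, and rejects any event that isn't version 2 rather than silently returning it unchanged.

```javascript
// Added example: a version 2 pre token generation trigger (Node.js) that
// customizes access-token claims and scopes. Illustrative code, not the
// Amazon Cognito sample.

// Constructed stand-in for an authorization decision source. A production
// trigger would query Amazon Verified Permissions instead of this table.
const ALLOWED_API_SCOPES = {
  admins: ["orders.api/read", "orders.api/write"],
  analysts: ["orders.api/read"],
};

// Scopes that must never reach a token unless the decision source granted them.
const PRIVILEGED_SCOPES = new Set(["orders.api/write"]);

// Compute the scope changes for a user in the given groups who requested the
// given scopes. Returns the two arrays that the V2 response expects.
function decideScopes(groups, requestedScopes) {
  const allowed = new Set();
  for (const group of groups) {
    for (const scope of ALLOWED_API_SCOPES[group] || []) allowed.add(scope);
  }
  const scopesToAdd = [...allowed].filter((s) => !requestedScopes.includes(s));
  const scopesToSuppress = requestedScopes.filter(
    (s) => PRIVILEGED_SCOPES.has(s) && !allowed.has(s)
  );
  return { scopesToAdd, scopesToSuppress };
}

// Lambda handler. Cognito passes the event and expects the same event back
// with event.response populated.
function handler(event) {
  // Only trigger version 2 carries accessTokenGeneration; fail loudly on
  // anything else so a misconfigured trigger doesn't quietly issue tokens.
  if (event.version !== "2") {
    throw new Error(`unexpected pre token generation trigger version: ${event.version}`);
  }

  const groupConfig = event.request.groupConfiguration || {};
  const groups = groupConfig.groupsToOverride || [];
  const requested = event.request.scopes || [];
  const { scopesToAdd, scopesToSuppress } = decideScopes(groups, requested);

  // Only application-defined claims belong here; reserved claims such as
  // sub, iss, exp and token_use are not yours to override.
  const claimsToAddOrOverride = {};
  const tenant = (event.request.userAttributes || {})["custom:tenant"]; // assumed attribute
  if (tenant) claimsToAddOrOverride.tenant = tenant;

  event.response = {
    claimsAndScopeOverrideDetails: {
      accessTokenGeneration: {
        claimsToAddOrOverride,
        claimsToSuppress: [],
        scopesToAdd,
        scopesToSuppress,
      },
    },
  };
  return event;
}

// Constructed sample event in the V2 shape, for local runs and tests.
function sampleEvent(groups, scopes, version = "2") {
  return {
    version,
    triggerSource: "TokenGeneration_HostedAuth",
    request: {
      userAttributes: { sub: "0000-1111", "custom:tenant": "acme" },
      groupConfiguration: { groupsToOverride: groups, iamRolesToOverride: [], preferredRole: null },
      scopes,
      clientMetadata: {},
    },
    response: {},
  };
}

if (typeof require !== "undefined" && require.main === module) {
  const out = handler(sampleEvent(["analysts"], ["openid", "orders.api/write"]));
  console.log(JSON.stringify(out.response, null, 2));
}
if (typeof module !== "undefined") module.exports = { handler, decideScopes, sampleEvent };
```

Run it locally with node to see the response object an analyst would produce: orders.api/read is added and the requested but ungranted orders.api/write is suppressed. The version check is deliberate: a version 1 event has no accessTokenGeneration section, so returning it unchanged would leave the access token uncustomized without any signal in your logs.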

For more information, see Customizing the access token.