Authorizing access to client or server resources with Amazon Verified Permissions

Your app can pass the tokens from a signed-in user to Amazon Verified Permissions. Verified Permissions is a scalable, fine-grained permissions management and authorization service for custom applications that you've built. An Amazon Cognito user pool can be an identity source to a Verified Permissions policy store. Verified Permissions makes authorization decisions for requested actions and resources, like GetPhoto for premium_badge.png, from the principal and their attributes in user pool tokens.

The following diagram shows how you application can pass a user's token to Verified Permissions in an authorization request.

A flow diagram of an application that authenticates with an Amazon Cognito user pool and
authorizes access to local resources with Amazon Verified Permissions.

Get started with Amazon Verified Permissions

After you integrate your user pool with Verified Permissions, you gain a central source of granular authorization for all of your Amazon Cognito apps. This removes the need for fine-grained security logic that you would otherwise have to code and replicate between all of your apps. For more information about authorization with Verified Permissions, see Authorization with Amazon Verified Permissions.

Verified Permissions authorization requests require AWS credentials. You can implement some of the following techniques to safely apply credentials to authorization requests.

Operate a web application that can store secrets in the server backend.
Acquire authenticated identity pool credentials.
Proxy user requests through an access-token-authorized API, and append AWS credentials to the request.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Accessing resources after sign-in

Accessing resources with API Gateway and AWS AppSync