Amazon Cognito
Developer Guide

What Is Amazon Cognito?

Amazon Cognito lets you easily add user sign-up and sign-in and manage permissions for your mobile and web apps. You can create your own user directory within Amazon Cognito. You can also choose to authenticate users through social identity providers such as Facebook or Amazon; with SAML identity solutions; or by using your own identity system. In addition, Amazon Cognito enables you to save data locally on users' devices, allowing your applications to work even when the devices are offline. You can then synchronize data across users' devices so that their app experience remains consistent regardless of the device they use.

With Amazon Cognito, you can focus on creating great app experiences instead of worrying about building, securing, and scaling a solution to handle user management, authentication, and synchronization across devices.

What's New

Amazon Cognito User Pools now has a built-in, customizable UI to sign in users and provides built-in federation with Facebook, Google, Login with Amazon, and SAML identity providers. With these new features, you can easily integrate user sign-in into your app and offer your users multiple options for signing in. For more information, see Getting Started with User Pools App Integration and Federation.

Features of Amazon Cognito

Amazon Cognito User Pools: You can create and maintain a user directory and add sign-up and sign-in to your mobile app or web application using Amazon Cognito User Pools. You can also sign in users to a user pool through social identity providers such as Google, Facebook, and Amazon, and through SAML-based identity providers. User pools scale to hundreds of millions of users and provide simple, secure, and low-cost options for you as a developer. You can implement enhanced security features, such as email and phone number verification, and multi-factor authentication. In addition, Amazon Cognito User Pools lets you customize workflows through AWS Lambda; for example, by adding app-specific logic to user registration for fraud detection and user validation.

Amazon Cognito is compliant with SOC 1-3, PCI DSS, ISO 27001, and is HIPAA-BAA eligible.

For more information, see Amazon Cognito User Pools.

Amazon Cognito Federated Identities: Amazon Cognito Federated Identities enable you to create unique identities for your users and authenticate them with federated identity providers. With a federated identity, you can obtain temporary, limited-privilege AWS credentials to synchronize data with Amazon Cognito Sync. You can also use these credentials to securely access other AWS services such as Amazon DynamoDB, Amazon S3, and Amazon API Gateway. Amazon Cognito Federated Identities support federated identity providers—including Amazon, Facebook, Google, OpenID Connect providers, and SAML identity providers—as well as unauthenticated identities. This feature also supports developer authenticated identities, which let you register and authenticate users via your own backend authentication systems.

For more information, see Amazon Cognito Federated Identities.

Amazon Cognito Sync: Amazon Cognito Sync is an AWS service that supports offline access and cross-device syncing of application-related user data. You can use Amazon Cognito Sync to synchronize user profile data across mobile devices and the web without requiring your own backend. The client libraries cache data locally so your app can read and write data regardless of device connectivity status. When the device is online, you can synchronize data, and, if you set up push synchronization, notify other devices immediately that an update is available.

For more information, see Amazon Cognito Sync.

Accessing Amazon Cognito

Amazon Cognito can be accessed using the Amazon Cognito console, the AWS Command Line Interface, and the Amazon Cognito APIs.

Are You a First-Time Amazon Cognito User?

If you are a first-time user of Amazon Cognito, we recommend that you begin by reading the Getting Started with User Pools App Integration and Federation guide.

You can also find information and links to videos, articles, documentation, and sample apps on our Developer Resources Page.

Pricing for Amazon Cognito

For information on Amazon Cognito pricing, see the Amazon Cognito Pricing Page.

SDKs for Amazon Cognito

There are three types of SDKs for Amazon Cognito:

  • Dedicated SDKs and sample apps for integrating the Amazon Cognito User Pools hosted UI with your app. For information, see SDKs for Amazon Cognito User Pool App Integration and Federation.

  • Higher-level client SDKs for iOS, Android, and JavaScript.

  • Standard AWS SDKs, which cover a wider array of languages, including Java, C#, and Ruby.

The standard SDKs cover all of the APIs of the service, while the higher-level SDKs provide additional features that make it easier to perform some functions. One of the key differences between the two types of SDKs is in signing in users. Amazon Cognito uses a Secure Remote Password (SRP) protocol, which requires some calculations and a couple of requests between the client and the service APIs. In the higher-level SDKs, that process is handled for you. The standard SDKs expose the underlying APIs, but they currently do not include built-in support for SRP. For more information about authentication options, see User Pool Authentication Flow.
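The calculations and the two requests mentioned above, shown as a generic SRP-6a exchange. This is an added example, not code from the AWS SDKs or from Amazon Cognito; the group parameters, hash layout, and function names are assumptions chosen for the demonstration and are not the values Cognito uses.

```python
import hashlib, hmac, secrets

# Demonstration group (assumption): 2**521 - 1 is prime but is NOT a standardized
# SRP group; real deployments use large safe-prime groups such as RFC 5054's.
N, g = 2**521 - 1, 3

def H(*parts):
    """SHA-256 over length-prefixed parts (int, str or bytes), as an integer."""
    h = hashlib.sha256()
    for p in parts:
        if isinstance(p, int):
            p = p.to_bytes((p.bit_length() + 7) // 8 or 1, "big")
        elif isinstance(p, str):
            p = p.encode()
        h.update(len(p).to_bytes(4, "big") + p)
    return int.from_bytes(h.digest(), "big")

k = H(N, g)  # SRP-6a multiplier

def private_key(user, password, salt):
    return H(salt, H(user, ":", password))

def register(user, password):
    """Sign-up: the server stores only (salt, verifier), never the password."""
    salt = secrets.token_bytes(16)
    return salt, pow(g, private_key(user, password, salt), N)

def login(user, password, salt, v):
    """Both sides of one sign-in; returns True if the server accepts the proof."""
    # Request 1, client -> server: user name and ephemeral public value A.
    a = secrets.randbelow(N - 2) + 1
    A = pow(g, a, N)
    # Response 1, server -> client: salt and ephemeral public value B.
    b = secrets.randbelow(N - 2) + 1
    B = (k * v + pow(g, b, N)) % N
    if A % N == 0 or B % N == 0:
        raise ValueError("degenerate public value; abort the exchange")
    u = H(A, B)  # scrambling parameter, computable by both sides
    # Client: derive the session key from the password and prove knowledge of it.
    x = private_key(user, password, salt)
    K_client = H(pow((B - k * pow(g, x, N)) % N, a + u * x, N))
    M1 = H(A, B, K_client)  # Request 2, client -> server: proof only
    # Server: derive the same key from the verifier and check the proof.
    K_server = H(pow(A * pow(v, u, N) % N, b, N))
    return hmac.compare_digest(f"{M1:064x}", f"{H(A, B, K_server):064x}")
```

The password itself appears in neither request; the server checks the proof using only the stored salt and verifier.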

Use the following links for the SDKs for Amazon Cognito.

Standard AWS SDKs

You can download and find links for documentation for all of the SDKs at Tools for Amazon Web Services.

SDKs for Amazon Cognito User Pool App Integration and Federation

In addition to the Amazon Cognito SDKs, the Auth SDKs leverage Amazon Cognito's built-in hosted UI. You can find them in the following locations: