Amazon Cognito is a managed authentication and authorisation service for web and mobile applications. It supports both native identities, where users have registered for the service directly, and federated identities from a range of providers and your own trusted IdPs.


  • User Pools are directories of users which need access to applications and a means of authenticating them. Tokens provided by this service are used to access application resources. This is the level at which most applications will interact with Cognito.
  • Hosted UI refers to the built-in registration, login, and password reset flows.
  • Standard Tokens refer to OpenID Connect and OAuth 2.0 tokens issued by the user pools.
  • Identity Pools provide AWS STS tokens for users authenticated via user pools, allowing end users to access AWS services with their exchanged tokens.


  • Hosted UI for registration, login pages, and password recovery pages.
  • Storing user profile data, including custom attributes.
  • Authentication via JWT.
  • Email and phone number verification.
  • MFA over SMS and TOTP.
  • Customisable user flows using Lambda hooks.
  • Risk scoring of authentication events, actively scanning for compromised credentials and security auditing and reporting.
  • Migration of existing user data, one-time and just-in-time.

Use cases

  • Mobile applications.
  • Web applications, both client-side and server-side.

Note that in many cases Amplify Auth is a better fit for new mobile and web applications that don't require as much control over the authentication flow as it's much easier to integrate.

Authentication process

In the normal user authentication case a client must authenticate with a user pool, yielding an authentication token along with a refresh token. If authenticating with AWS services using this identity, these tokens must be exchanged with an identity pool for an STS token.

User pool

Four OAuth 2.0 flows are supported:

  • Authorisation Code
  • Implicit
  • Client Credentials
  • Resource Owner Password Credentials

User pool authentication flow

Challenges might be password-based or include MFA token requests.

Identity pool

Identity pool authentication flow

Identity providers

  • Google Account
  • Facebook
  • Amazon
  • Apple ID
  • OpenID Connect IdP
  • SAML 2.0 IdP

Cognito Sync

Cognito Sync allows you to synchronise application state across applications without the need to host your own backend service. It's implemented as a client library. New users are advised to use AppSync instead.

[SAML] Security Assertion Markup Language [SMS]: Short Message Service