Amazon Cognito

Amazon Cognito is an AWS service that provides authentication, authorization, and user management for web and mobile applications. It supports OAuth2, OIDC, SAML federation, and social identity providers. Cognito has two main components: User Pools for user authentication and app integration, and Federated Identities for granting temporary AWS credentials to authenticated users. It includes multi-factor authentication, advanced security features, and customizable authentication flows.

2 APIs · 10 Features
Authentication, Authorization, Identity, Identity Provider, OAuth2, OIDC

APIs

Amazon Cognito Identity Provider

Control plane API for managing Cognito user pools, app clients, users, groups, identity providers, and resource servers. Supports user authentication flows including SRP, custom...

Amazon Cognito Identity (Federated Identities)

Federated identity service that issues temporary AWS credentials to authenticated and unauthenticated users from Cognito user pools, social identity providers (Facebook, Google,...

Features

User Pools

Fully managed user directories with sign-up, sign-in, and user profile management.

OAuth2 and OIDC

Standards-based OAuth2 authorization server and OpenID Connect identity provider for apps.

SAML Federation

Integrate enterprise identity providers via SAML 2.0 for single sign-on.

Social Identity Providers

Sign in with Google, Facebook, Apple, and Amazon without custom backend code.

Multi-Factor Authentication

Built-in MFA with SMS, TOTP, and email verification options.

Customizable Auth Flows

Lambda triggers for custom authentication challenges, pre-signup validation, and post-confirmation.

Advanced Security Features

Risk-based adaptive authentication with compromised credential detection and device tracking.

Federated Identities

Grant temporary AWS credentials to users authenticated via user pools or social providers.

Hosted UI

Pre-built customizable sign-in/sign-up pages with OAuth2 endpoint support.

Fine-Grained Authorization

Attribute-based access control with group-based IAM role assignment.

Use Cases

Web and Mobile App Authentication

Add user registration, login, and session management to web and mobile applications.

Enterprise SSO Integration

Connect enterprise SAML identity providers for single sign-on to AWS-hosted applications.

API Authorization

Use Cognito JWT tokens to authorize access to API Gateway, AppSync, and custom APIs.

B2C Identity Management

Manage consumer user accounts with self-service registration and profile management.

Temporary AWS Credentials

Issue scoped AWS credentials to authenticated users for direct service access.

Semantic Vocabularies

Aws Cognito Cognito Identity Context

50 classes · 55 properties

JSON-LD

Aws Cognito Cognito Idp Context

263 classes · 304 properties

JSON-LD

API Governance Rules

Amazon Cognito API Rules

16 rules · 11 errors · 5 warnings

SPECTRAL

Resources

Website
Documentation
GettingStarted
Pricing
FAQ
GitHubOrganization
Console
TermsOfService
PrivacyPolicy
StatusPage
Support
Blog
SpectralRules
Vocabulary

Sources

aid: aws-cognito
name: Amazon Cognito
description: 'Amazon Cognito is an AWS service that provides authentication, authorization, and user management for web and mobile applications. It supports OAuth2, OIDC, SAML federation, and social identity providers. Cognito has two main components: User Pools for user authentication and app integration, and Federated Identities for granting temporary AWS credentials to authenticated users. It includes multi-factor authentication, advanced security features, and customizable authentication flows.'
type: Index
image: https://kinlane-productions.s3.amazonaws.com/apis-json/apis-json-logo.jpg
tags:
- Authentication
- Authorization
- AWS
- Identity
- Identity Provider
- OAuth2
- OIDC
url: https://raw.githubusercontent.com/api-evangelist/aws-cognito/refs/heads/main/apis.yml
created: '2026-03-25'
modified: '2026-05-19'
specificationVersion: '0.19'
apis:
- aid: aws-cognito:aws-cognito-identity-provider
  name: Amazon Cognito Identity Provider
  description: Control plane API for managing Cognito user pools, app clients, users, groups, identity providers, and resource servers. Supports user authentication flows including SRP, custom, and hosted UI authentication.
  humanURL: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools.html
  baseURL: https://cognito-idp.{region}.amazonaws.com
  tags:
  - Authentication
  - AWS
  - Identity Provider
  - OAuth2
  - User Pools
  properties:
  - type: Documentation
    url: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools.html
  - type: APIReference
    url: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/Welcome.html
  - type: Authentication
    url: https://docs.aws.amazon.com/cognito/latest/developerguide/security-iam.html
  - type: OpenAPI
    url: openapi/aws-cognito-identity-provider-openapi.yaml
  - type: NaftikoCapability
    url: capabilities/identity-provider.yaml
  - url: graphql/aws-cognito-graphql.md
    type: GraphQL
- aid: aws-cognito:aws-cognito-identity
  name: Amazon Cognito Identity (Federated Identities)
  description: Federated identity service that issues temporary AWS credentials to authenticated and unauthenticated users from Cognito user pools, social identity providers (Facebook, Google, Apple), and SAML-based enterprise IdPs.
  humanURL: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-identity.html
  baseURL: https://cognito-identity.{region}.amazonaws.com
  tags:
  - AWS
  - Credentials
  - Federation
  - Identity
  properties:
  - type: Documentation
    url: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-identity.html
  - type: APIReference
    url: https://docs.aws.amazon.com/cognitoidentity/latest/APIReference/Welcome.html
  - type: OpenAPI
    url: openapi/aws-cognito-identity-openapi.yaml
  - type: NaftikoCapability
    url: capabilities/identity.yaml
common:
- type: Website
  url: https://aws.amazon.com/cognito/
- type: Documentation
  url: https://docs.aws.amazon.com/cognito/
- type: GettingStarted
  url: https://docs.aws.amazon.com/cognito/latest/developerguide/getting-started-with-cognito-user-pools.html
- type: Pricing
  url: https://aws.amazon.com/cognito/pricing/
- type: FAQ
  url: https://aws.amazon.com/cognito/faqs/
- type: GitHubOrganization
  url: https://github.com/aws-amplify
- type: Console
  url: https://console.aws.amazon.com/cognito/
- type: TermsOfService
  url: https://aws.amazon.com/service-terms/
- type: PrivacyPolicy
  url: https://aws.amazon.com/privacy/
- type: StatusPage
  url: https://health.aws.amazon.com/health/status
- type: Support
  url: https://aws.amazon.com/premiumsupport/
- type: Blog
  url: https://aws.amazon.com/blogs/security/tag/amazon-cognito/
- type: SpectralRules
  url: rules/aws-cognito-spectral-rules.yml
- type: Vocabulary
  url: vocabulary/aws-cognito-vocabulary.yaml
- type: Features
  data:
  - name: User Pools
    description: Fully managed user directories with sign-up, sign-in, and user profile management.
  - name: OAuth2 and OIDC
    description: Standards-based OAuth2 authorization server and OpenID Connect identity provider for apps.
  - name: SAML Federation
    description: Integrate enterprise identity providers via SAML 2.0 for single sign-on.
  - name: Social Identity Providers
    description: Sign in with Google, Facebook, Apple, and Amazon without custom backend code.
  - name: Multi-Factor Authentication
    description: Built-in MFA with SMS, TOTP, and email verification options.
  - name: Customizable Auth Flows
    description: Lambda triggers for custom authentication challenges, pre-signup validation, and post-confirmation.
  - name: Advanced Security Features
    description: Risk-based adaptive authentication with compromised credential detection and device tracking.
  - name: Federated Identities
    description: Grant temporary AWS credentials to users authenticated via user pools or social providers.
  - name: Hosted UI
    description: Pre-built customizable sign-in/sign-up pages with OAuth2 endpoint support.
  - name: Fine-Grained Authorization
    description: Attribute-based access control with group-based IAM role assignment.
- type: UseCases
  data:
  - name: Web and Mobile App Authentication
    description: Add user registration, login, and session management to web and mobile applications.
  - name: Enterprise SSO Integration
    description: Connect enterprise SAML identity providers for single sign-on to AWS-hosted applications.
  - name: API Authorization
    description: Use Cognito JWT tokens to authorize access to API Gateway, AppSync, and custom APIs.
  - name: B2C Identity Management
    description: Manage consumer user accounts with self-service registration and profile management.
  - name: Temporary AWS Credentials
    description: Issue scoped AWS credentials to authenticated users for direct service access.
- type: Integrations
  data:
  - name: Amazon API Gateway
    description: Validate Cognito JWTs for API Gateway authorizer integration.
  - name: AWS Amplify
    description: Pre-built Amplify Auth library for easy Cognito integration in React, Vue, and mobile apps.
  - name: AWS Lambda
    description: Trigger Lambda functions for custom authentication logic and user data enrichment.
  - name: Amazon DynamoDB
    description: Use Cognito identity IDs as DynamoDB partition keys for per-user data isolation.
  - name: AWS IAM
    description: Map Cognito groups to IAM roles for role-based access control to AWS services.
  - name: AWS AppSync
    description: Use Cognito user pools as authorization mode for GraphQL API access control.
- type: Integrations
  url: https://aws.amazon.com/marketplace
integrations:
- name: Sign in
- name: Agent Mode
- name: Why AWS Marketplace?
- name: Get started in AWS Marketplace
- name: Industry
- name: Resources
- name: Become a Channel Partner
- name: Sell in AWS Marketplace
- name: Manage Your Account
maintainers:
- FN: Kin Lane
  email: [email protected]