Amazon Cognito
Has Demo
User authentication and authorization for your applications
💵 Cost: Cognito has a Free Tier of 10,000 MAUs/month (Essentials/Lite tiers). SAML/OIDC federation: only 50 MAUs free. Empty user pools cost nothing. See our Costs & Cleanup Guide for deletion steps.
What is Cognito?
Amazon Cognito handles user authentication so you do not have to build it yourself. It provides sign-up, sign-in, password reset, email verification, MFA, and social login (Google, Facebook, Apple).
Why Use Cognito?
Building secure authentication is hard. Cognito handles password hashing, token management, brute-force protection, and compliance requirements. You focus on your app, not auth infrastructure.
Cognito Components
| Component | Purpose |
|---|---|
| User Pool | User directory - stores usernames, passwords, attributes |
| App Client | Configuration for your application to interact with the pool |
| Identity Pool | Provides temporary AWS credentials to users (for S3 access, etc.) |
| Hosted UI | Pre-built login/signup pages (optional) |
Authentication Flow
Plain Text
1. User submits email + password
│
▼
2. Your app calls Cognito API
│
▼
3. Cognito validates credentials
│
▼
4. Cognito returns tokens:
├── ID Token (user info, for your backend)
├── Access Token (for API authorization)
└── Refresh Token (get new tokens without login)
│
▼
5. Your app stores tokens (secure cookie/localStorage)
│
▼
6. Include Access Token in API requests
│
▼
7. Your backend validates the token with Cognito
Set Up a User Pool
- Go to Cognito in the AWS Console
- Click Create user pool
- Choose email as sign-in option
- Configure password policy
- Enable email verification
- Create an app client (no client secret for public apps)
Sign Up
TypeScript
import { CognitoIdentityProviderClient, SignUpCommand } from "@aws-sdk/client-cognito-identity-provider"

// One client per process; region and app client ID come from the environment.
const client = new CognitoIdentityProviderClient({
  region: process.env.AWS_REGION
})

export async function signUp(email: string, password: string) {
  const command = new SignUpCommand({
    ClientId: process.env.COGNITO_CLIENT_ID,
    Username: email,
    Password: password,
    UserAttributes: [
      { Name: "email", Value: email }
    ]
  })
  const response = await client.send(command)
  // Cognito rejects passwords that violate the pool's policy; the new user stays
  // UNCONFIRMED until they submit the verification code emailed to them.
  return response.UserSub // User ID (the "sub" claim in the user's tokens)
}
Sign In
TypeScript
import { CognitoIdentityProviderClient, InitiateAuthCommand } from "@aws-sdk/client-cognito-identity-provider"

const client = new CognitoIdentityProviderClient({ region: process.env.AWS_REGION })

export async function signIn(email: string, password: string) {
  // USER_PASSWORD_AUTH sends the password to Cognito over TLS. The app client must have
  // ALLOW_USER_PASSWORD_AUTH enabled, otherwise Cognito rejects this flow.
  const command = new InitiateAuthCommand({
    AuthFlow: "USER_PASSWORD_AUTH",
    ClientId: process.env.COGNITO_CLIENT_ID,
    AuthParameters: {
      USERNAME: email,
      PASSWORD: password
    }
  })
  const response = await client.send(command)
  // AuthenticationResult is undefined when Cognito answers with a challenge instead
  // (for example MFA or NEW_PASSWORD_REQUIRED), so callers must handle undefined tokens.
  return {
    accessToken: response.AuthenticationResult?.AccessToken,
    idToken: response.AuthenticationResult?.IdToken,
    refreshToken: response.AuthenticationResult?.RefreshToken,
    expiresIn: response.AuthenticationResult?.ExpiresIn
  }
}
Verify Token (Backend)
TypeScript
import { CognitoIdentityProviderClient, GetUserCommand } from "@aws-sdk/client-cognito-identity-provider"

const client = new CognitoIdentityProviderClient({ region: process.env.AWS_REGION })

// GetUser accepts access tokens only (not ID tokens) and makes a round trip to Cognito
// on every call, so Cognito itself checks the signature, expiry and revocation status.
export async function verifyToken(accessToken: string) {
  try {
    const command = new GetUserCommand({
      AccessToken: accessToken
    })
    const response = await client.send(command)
    return {
      valid: true,
      userId: response.Username,
      email: response.UserAttributes?.find(a => a.Name === "email")?.Value
    }
  } catch (error) {
    // NotAuthorizedException covers expired, revoked and malformed tokens.
    return { valid: false }
  }
}
Try the Demo
Check out the live Cognito demo to see sign up, sign in, and token verification in action.
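Step 7 of the flow and the verifyToken helper above validate the access token by asking Cognito on every request. The other standard approach is to verify the JWT locally against the user pool's published key set (JWKS), which needs no API call per request but then has to perform the checks Cognito would otherwise do: RS256 signature against a key with a matching kid, issuer, token_use, app client and expiry. The following TypeScript is an added example written for this page, not code from the page, the demo or AWS. It uses only Node's crypto module; the key pair, JWKS, region, pool ID, app client ID and kid are constructed placeholders standing in for a real pool, and signSampleJwt is a local stand-in for Cognito's signer that exists only so the example runs offline.

```typescript
import * as crypto from "node:crypto"

// One entry of a user pool's JWKS document, served by Cognito at
// https://cognito-idp.<region>.amazonaws.com/<userPoolId>/.well-known/jwks.json
export interface Jwk { kid: string; kty: string; n: string; e: string; alg?: string; use?: string }

export interface VerifyOptions {
  region: string
  userPoolId: string
  clientId: string          // the app client the token must have been issued to
  tokenUse: "access" | "id" // which token type this endpoint accepts
  now?: number              // seconds since epoch, defaults to the wall clock
}

export interface CognitoClaims {
  sub: string
  iss: string
  token_use: "access" | "id"
  exp: number
  client_id?: string // audience claim on access tokens
  aud?: string       // audience claim on ID tokens
  [claim: string]: unknown
}

export const b64url = {
  decode: (s: string): Buffer => Buffer.from(s.replace(/-/g, "+").replace(/_/g, "/"), "base64"),
  encode: (b: Buffer): string =>
    b.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, ""),
}

// Verifies signature and claims; throws on any failure so a caller cannot forget to check a flag.
export function verifyCognitoJwt(token: string, jwks: Jwk[], opts: VerifyOptions): CognitoClaims {
  const parts = token.split(".")
  if (parts.length !== 3) throw new Error("malformed token")
  const [headerB64, payloadB64, sigB64] = parts

  // 1. Header: accept only RS256 (what Cognito uses) and a kid that is present in the JWKS.
  const header = JSON.parse(b64url.decode(headerB64).toString("utf8"))
  if (header.alg !== "RS256") throw new Error(`unexpected alg ${header.alg}`)
  const jwk = jwks.find(k => k.kid === header.kid)
  if (!jwk) throw new Error("unknown kid")

  // 2. Signature over "<header>.<payload>" with the pool's public key.
  const publicKey = crypto.createPublicKey({ key: { kty: jwk.kty, n: jwk.n, e: jwk.e }, format: "jwk" })
  const signedData = Buffer.from(`${headerB64}.${payloadB64}`)
  if (!crypto.verify("sha256", signedData, publicKey, b64url.decode(sigB64))) throw new Error("bad signature")

  // 3. Claims: issuer, token type, app client and expiry. The payload is only trusted after step 2.
  const claims = JSON.parse(b64url.decode(payloadB64).toString("utf8")) as CognitoClaims
  const expectedIss = `https://cognito-idp.${opts.region}.amazonaws.com/${opts.userPoolId}`
  if (claims.iss !== expectedIss) throw new Error("wrong issuer")
  if (claims.token_use !== opts.tokenUse) throw new Error(`expected ${opts.tokenUse} token`)
  const audience = opts.tokenUse === "access" ? claims.client_id : claims.aud
  if (audience !== opts.clientId) throw new Error("token not issued for this app client")
  const now = opts.now ?? Math.floor(Date.now() / 1000)
  if (typeof claims.exp !== "number" || claims.exp <= now) throw new Error("token expired")
  return claims
}

// Local stand-in for Cognito's signer: used only to mint sample tokens for the demo below.
export function signSampleJwt(privateKey: crypto.KeyObject, kid: string, claims: Record<string, unknown>): string {
  const head = b64url.encode(Buffer.from(JSON.stringify({ alg: "RS256", kid })))
  const body = b64url.encode(Buffer.from(JSON.stringify(claims)))
  const sig = crypto.sign("sha256", Buffer.from(`${head}.${body}`), privateKey)
  return `${head}.${body}.${b64url.encode(sig)}`
}

// Constructed key pair and JWKS standing in for a real pool's published keys (placeholder identifiers).
export const SAMPLE = (() => {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 })
  const pub = publicKey.export({ format: "jwk" }) as { kty: string; n: string; e: string }
  const kid = "sample-key-1"
  return { privateKey, kid, jwks: [{ kid, kty: pub.kty, n: pub.n, e: pub.e, alg: "RS256", use: "sig" }] as Jwk[] }
})()

// Demo: mint an access token for the placeholder pool and app client, verify it,
// then show that the same token is rejected when presented to a different app client.
export function demo(): { subject: string; wrongClientRejected: boolean } {
  const opts: VerifyOptions = { region: "us-east-1", userPoolId: "us-east-1_EXAMPLE", clientId: "app-client-1", tokenUse: "access", now: 1_900_000_000 }
  const token = signSampleJwt(SAMPLE.privateKey, SAMPLE.kid, {
    sub: "user-1", iss: `https://cognito-idp.${opts.region}.amazonaws.com/${opts.userPoolId}`,
    token_use: "access", client_id: opts.clientId, exp: 2_000_000_000, iat: 1_800_000_000,
  })
  const subject = verifyCognitoJwt(token, SAMPLE.jwks, opts).sub
  let wrongClientRejected = false
  try { verifyCognitoJwt(token, SAMPLE.jwks, { ...opts, clientId: "some-other-client" }) } catch { wrongClientRejected = true }
  return { subject, wrongClientRejected }
}
```

In a real backend the jwks array is fetched once from the well-known URL in the comment and cached (keys rotate rarely, so refetch only on an unknown kid). The trade-off against GetUser is revocation: a locally verified token is accepted until its exp even if the user signed out everywhere or was disabled, so keep access tokens short-lived or fall back to GetUser for sensitive operations. AWS's aws-jwt-verify library packages these same checks if you would rather not maintain them yourself.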
Cognito Pricing
Pricing Updated (2024)
AWS introduced new pricing tiers: Lite, Essentials, and Plus. Verify current pricing at aws.amazon.com/cognito/pricing. Last verified: January 2026.
Feature Tiers
| Tier | Features | Best For |
|---|---|---|
| Lite | Basic password auth, social login, hosted UI | Simple apps, MVPs |
| Essentials (default) | Passwordless, passkeys, MFA with email, managed login | Most production apps |
| Plus | Threat protection, compromised credential detection, audit logs | High-security apps |
Free Tier (Essentials/Lite)
| Sign-in Method | Free MAUs/month | Beyond Free Tier |
|---|---|---|
| Direct or Social IdP | 10,000 MAUs | Tiered pricing from $0.0055/MAU |
| SAML/OIDC Federation | 50 MAUs | Higher per-MAU pricing |
Cost Tip
10,000 free MAUs covers most early-stage apps. Use Lite tier if you only need basic auth. Empty user pools cost nothing.