
Amazon Cognito Identity Provider
Amazon Cognito User Pools deliver managed user signup, login, password reset, and MFA for applications.
About this API
Cognito takes the perennial "user authentication" problem and turns it into a managed service: signup, login, email verification, forgotten password, MFA, token issuance and refresh — all maintained by AWS. For indie developers it is especially attractive — 50K MAU free is enough to run most projects for a long time without paying.
It has two parts: User Pool is the identity provider (manages users and passwords); Identity Pool exchanges user identities for temporary AWS credentials (so frontends can talk directly to S3, etc.). The two can be used independently or together. Social login (Google, Facebook, Apple, SAML, enterprise IdPs) plugs in via federation — "Sign in with Google" becomes a few lines of config. Lambda triggers are the advanced customization surface — pre-signup, post-confirm, custom challenge, and other hooks let you inject custom logic at key moments (allowlist email domains, sync users to your own DB, fire webhooks).
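The pre-signup hook described above, as an added example (not code from this page or from AWS): a Python Lambda handler that rejects sign-ups whose email domain is outside an allowlist. ALLOWED_DOMAINS, make_event and the sample values are assumptions made for illustration; the event fields read here follow the Cognito pre sign-up trigger event.

```python
# Added example: Cognito pre sign-up Lambda trigger with an email-domain allowlist.
# ALLOWED_DOMAINS and the sample event are constructed for illustration.

ALLOWED_DOMAINS = {"example.com", "corp.example.org"}  # assumption: your own list


def email_domain(email):
    """Return the lowercased domain of a plausible address, or None."""
    if not isinstance(email, str):
        return None
    local, sep, domain = email.strip().rpartition("@")
    # Reject missing parts and a second "@" rather than guessing the intent.
    if not sep or not local or not domain or "@" in local:
        return None
    if any(c.isspace() for c in local + domain):
        return None
    return domain.lower().rstrip(".")


def is_allowed(event):
    """True when the sign-up's email domain is exactly on the allowlist."""
    attrs = event.get("request", {}).get("userAttributes", {})
    # Exact match only: a suffix check would also admit "notexample.com".
    return email_domain(attrs.get("email")) in ALLOWED_DOMAINS


def lambda_handler(event, context):
    """Raising an exception rejects the sign-up; returning the event allows it."""
    if not is_allowed(event):
        raise Exception("Sign-up is restricted to approved email domains")
    # The response flags (autoConfirmUser, autoVerifyEmail) are left untouched,
    # so the pool's normal email verification still applies.
    return event


def make_event(email, source="PreSignUp_SignUp"):
    """Constructed sample event carrying only the fields the handler reads."""
    return {
        "triggerSource": source,
        "userPoolId": "us-east-1_EXAMPLE",
        "userName": "sample-user",
        "request": {"userAttributes": {"email": email}},
        "response": {},
    }
```

Federated sign-ups reach the same trigger with a different triggerSource, so the check applies to them only if the identity provider maps an email attribute.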
What you can build
1. Add user signup/login without building auth from scratch
2. Integrate social login (Google, Facebook, Apple)
3. Extend user profiles with custom attributes
4. Protect REST APIs via API Gateway integration
Strengths & limitations
Strengths
- 50,000 free MAU per month — generous for small projects
- Native OAuth 2.0 / OIDC / SAML support
- Lambda triggers allow deep customization of auth flows
Limitations
- Hosted UI offers limited customization
- Migrating existing users requires password hash import or migration Lambdas
- Error messages can be opaque — debugging is mediocre
Example request
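curl -X POST "https://cognito-idp.<region>.amazonaws.com/" \
  -H "Content-Type: application/x-amz-json-1.1" \
  -H "X-Amz-Target: AWSCognitoIdentityProviderService.InitiateAuth" \
  -d '{"AuthFlow":"USER_PASSWORD_AUTH","ClientId":"<app-client-id>","AuthParameters":{"USERNAME":"<username>","PASSWORD":"<password>"}}'
# USER_PASSWORD_AUTH must be enabled on the app client. Admin* operations need SigV4-signed requests with IAM credentials.
Getting started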
Create a User Pool and App Client in the AWS Console; choose sign-in methods (username / email / phone) and password policy. Front-ends typically use Amplify Auth or the cognito-identity-js SDK for signup/login.
FAQ
How does the free tier work?
First 50,000 MAU free (excluding federated identities); pricing tiers begin at ~$0.0055/MAU beyond.
Can I customize the hosted UI look?
Only logo and basic colors. For full customization, build your own UI and call InitiateAuth / RespondToAuthChallenge directly.
Auth0 vs Cognito?
Auth0 offers a better developer experience at higher cost; Cognito integrates well with AWS at lower cost. AWS-centric stacks typically pick Cognito.
Technical details
- Auth type: api_key
- Pricing: freemium
- Protocols: REST
- SDKs: python, javascript, java, go, ruby, csharp
- Response time: 20 ms
- Last health check: 5/12/2026, 7:36:33 AM
Endpoints
Parsed from the OpenAPI spec. Showing 12 of 101 non-deprecated endpoints.
- /#X-Amz-Target=AWSCognitoIdentityProviderService.AddCustomAttributes
- /#X-Amz-Target=AWSCognitoIdentityProviderService.AdminAddUserToGroup
- /#X-Amz-Target=AWSCognitoIdentityProviderService.AdminConfirmSignUp
- /#X-Amz-Target=AWSCognitoIdentityProviderService.AdminCreateUser
- /#X-Amz-Target=AWSCognitoIdentityProviderService.AdminDeleteUser
- /#X-Amz-Target=AWSCognitoIdentityProviderService.AdminDeleteUserAttributes
- /#X-Amz-Target=AWSCognitoIdentityProviderService.AdminDisableProviderForUser
- /#X-Amz-Target=AWSCognitoIdentityProviderService.AdminDisableUser
- /#X-Amz-Target=AWSCognitoIdentityProviderService.AdminEnableUser
- /#X-Amz-Target=AWSCognitoIdentityProviderService.AdminForgetDevice
- /#X-Amz-Target=AWSCognitoIdentityProviderService.AdminGetDevice
- /#X-Amz-Target=AWSCognitoIdentityProviderService.AdminGetUser

89 more endpoints not shown. See the OpenAPI spec for the full list.