What is the difference between a Cognito User Pool and an Identity Pool?

A User Pool provides user directories for sign-up and sign-in, managing user accounts, authentication, and attributes. An Identity Pool (Federated Identities) grants authenticated users temporary AWS credentials to access other AWS services.

Do I need both a User Pool and an Identity Pool?

You only need an Identity Pool if your authenticated users require access to other AWS services (e.g., S3, DynamoDB). If you only need user authentication and directory services, a User Pool is sufficient.

How do I get my App Client ID and User Pool ID?

After creating your User Pool in the AWS Cognito console, navigate to its settings. Under the 'App integration' tab, you'll find the App Client ID and User Pool ID listed under 'App clients and analytics'.

What is the AWS Cognito free tier?

The AWS Cognito free tier includes 50,000 monthly active users (MAUs) for User Pools and 50,000 MAUs for Identity Pools. After exceeding these limits, you pay based on usage.

How do I handle user confirmation after sign-up?

After a user signs up, Cognito typically sends a verification code via email or SMS. Your application needs to prompt the user for this code and then call the `ConfirmSignUpCommand` (via an SDK) to finalize the account creation.

Can I use social logins with AWS Cognito?

Yes, AWS Cognito User Pools support integration with social identity providers like Google, Facebook, and Apple, allowing users to sign in using their existing social accounts. This is configured within the User Pool's 'Federation' settings.

What SDKs are available for AWS Cognito?

AWS provides SDKs for various languages, including JavaScript, Python (Boto3), Java, .NET, Go, Ruby, PHP, and C++, enabling programmatic interaction with Cognito services.

AWS Cognito Getting Started: User Pools & Identity Pools (2026)

AWS Cognito getting started: To begin with AWS Cognito, create an AWS account, set up a User Pool for user directories, and optionally an Identity Pool for federated identities. Configure an App Client, retrieve its ID, and use the AWS SDK to perform your first user registration or sign-in operation.

Getting started overview

Getting started with AWS Cognito involves configuring user directories and managing access for your applications. Cognito is divided into two primary components: User Pools for user registration and sign-in, and Identity Pools (Federated Identities) for granting temporary AWS credentials to users who have authenticated through a User Pool or other identity providers. This guide focuses on the initial setup steps required to get a basic authentication flow working, enabling your application to interact with Cognito.

The process generally follows these steps:

Create an AWS Account: If you don't already have one, an AWS account is the prerequisite for accessing any AWS service.
Set up a User Pool: This acts as your user directory, managing user accounts, authentication, and directory functions.
Configure an App Client: An App Client within your User Pool allows your application to interact with the User Pool.
(Optional) Set up an Identity Pool: If your application needs to access other AWS services using temporary credentials, an Identity Pool is required.
Integrate with an SDK: Use an AWS SDK to connect your application to Cognito and perform authentication operations.

Understanding the distinction between User Pools and Identity Pools is central to effective Cognito implementation. User Pools handle the user lifecycle, while Identity Pools provide authorization to AWS resources post-authentication. For a deeper understanding of these components, refer to the AWS Cognito documentation.

Create an account and get keys

To begin using AWS Cognito, you must first have an AWS account. If you do not have one, navigate to the AWS Free Tier page and follow the steps to create an account. New accounts typically qualify for the AWS Cognito free tier, which includes 50,000 monthly active users (MAUs) for both User Pools and Identity Pools.

Setting up a User Pool

Sign in to the AWS Management Console: Go to console.aws.amazon.com and sign in with your AWS account credentials.
Navigate to Cognito: In the search bar, type Cognito and select the service.
Create a User Pool: On the Cognito dashboard, select User Pools from the left navigation pane, then click Create user pool.
Configure Sign-in Experience: Choose your desired authentication methods (e.g., email, username, phone number) and security requirements. For a basic setup, select Email as the sign-in option.
Configure Security Requirements: Define password policies and multi-factor authentication (MFA) settings. For initial testing, you might choose a simpler password policy.
Configure Sign-up Experience: Determine which attributes your users will provide during sign-up (e.g., email, name).
Configure Message Delivery: Set up email or SMS for verification codes. AWS SES (Simple Email Service) is commonly used for email.
Integrate Your App: This is where you create an App Client. Select Create an App Client. Provide an App client name (e.g., my-web-app). Ensure Enable secret generation is unchecked for client-side applications (like web or mobile) as the secret cannot be securely stored. For server-side applications, you might enable it. Configure callback URLs and sign-out URLs if you plan to use the Cognito Hosted UI.
Review and Create: Review your settings and click Create user pool.

After creating the User Pool, navigate to the App integration tab within your User Pool settings. Under App clients and analytics, you will find your App client ID. This ID is crucial for your application to interact with the User Pool.

(Optional) Setting up an Identity Pool

If your application needs to access AWS services (e.g., S3, DynamoDB) on behalf of authenticated users, an Identity Pool is necessary. This grants temporary AWS credentials.

Navigate to Cognito: From the AWS Management Console, go to Cognito.
Create a new Identity Pool: Select Identity Pools from the left navigation pane, then click Create identity pool.
Configure Identity Pool: Provide an Identity pool name. Expand the Authentication providers section. Select Cognito and enter your User Pool ID and App Client ID.
Configure Access to AWS Resources: Cognito will create two IAM roles: one for authenticated users and one for unauthenticated users. You can customize the permissions for these roles to grant access to specific AWS services. For example, to grant access to S3, you would edit the authenticated role's policy to include S3 read/write permissions.
Review and Create: Review your settings and click Create identity pool.

After creation, note the Identity Pool ID. This ID, along with your User Pool ID and App Client ID, will be used in your application's SDK configuration.

Your first request

To make your first request, you'll use an AWS SDK. For this example, we'll demonstrate a simple user registration and sign-in using the AWS SDK for JavaScript (v3) in a Node.js environment. Ensure you have Node.js and npm installed.

Prerequisites:

Node.js installed.
Your User Pool ID and App Client ID.
AWS Region (e.g., us-east-1).

Setup:

Create a new project directory:

mkdir cognito-quickstart
cd cognito-quickstart

Initialize npm and install SDK:

npm init -y
npm install @aws-sdk/client-cognito-identity-provider

Create a JavaScript file (e.g., index.js):

Code Example (User Registration and Sign-in):

import { CognitoIdentityProviderClient, SignUpCommand, InitiateAuthCommand } from "@aws-sdk/client-cognito-identity-provider";

const REGION = "YOUR_AWS_REGION"; // e.g., "us-east-1"
const USER_POOL_ID = "YOUR_USER_POOL_ID";
const CLIENT_ID = "YOUR_APP_CLIENT_ID";

const cognitoClient = new CognitoIdentityProviderClient({ region: REGION });

async function signUpAndSignIn(username, password, email) {
  try {
    // 1. Sign Up User
    const signUpCommand = new SignUpCommand({
      ClientId: CLIENT_ID,
      Username: username,
      Password: password,
      UserAttributes: [
        { Name: "email", Value: email },
      ],
    });
    const signUpResponse = await cognitoClient.send(signUpCommand);
    console.log("User signed up successfully:", signUpResponse);
    // Note: User typically needs to confirm their email/phone after sign-up.
    // For this example, we assume confirmation happens out-of-band or is not required for testing.

    // 2. Initiate Authentication (Sign In)
    const initiateAuthCommand = new InitiateAuthCommand({
      AuthFlow: "USER_PASSWORD_AUTH", // Or "USER_SRP_AUTH" for secure remote password protocol
      ClientId: CLIENT_ID,
      AuthParameters: {
        USERNAME: username,
        PASSWORD: password,
      },
    });
    const authResponse = await cognitoClient.send(initiateAuthCommand);
    console.log("User signed in successfully:", authResponse);
    console.log("Authentication Result:", authResponse.AuthenticationResult);
    return authResponse.AuthenticationResult;

  } catch (error) {
    console.error("Error during sign up or sign in:", error);
    throw error;
  }
}

// Replace with your desired user details
signUpAndSignIn("testuser123", "StrongPassword123!", "[email protected]");

Running the code:

node index.js

Upon successful execution, the console will log messages indicating user sign-up and sign-in success, including the AuthenticationResult which contains ID, access, and refresh tokens. These tokens are then used by your application to prove the user's identity and authorize access to resources.

Common next steps

After successfully performing a basic authentication flow, consider these common next steps:

User Confirmation: Implement the user confirmation flow (e.g., email or SMS verification codes) that follows a user's sign-up. This typically involves calling the ConfirmSignUpCommand from the SDK.
Hosted UI: For a quick and customizable authentication experience without building your own UI, integrate the Cognito Hosted UI. This provides sign-up, sign-in, and password recovery pages.
Social Identity Providers: Integrate with external identity providers like Google, Facebook, or Apple. This simplifies the sign-up process for users by allowing them to use existing social accounts. Google Sign-In is a common integration for web applications.
MFA and Adaptive Authentication: Enhance security by enabling Multi-Factor Authentication (MFA) and exploring Cognito's adaptive authentication features.
Attribute Customization: Customize user attributes and add custom attributes to store additional user-specific data in your User Pool.
Lambda Triggers: Use AWS Lambda functions as triggers for various User Pool events (e.g., pre-sign-up, post-confirmation) to customize authentication workflows and integrate with other services.
Token Management: Understand how to securely store and refresh ID, access, and refresh tokens in your application.
Authorization with Identity Pools: If not already done, set up an Identity Pool to grant authenticated users temporary AWS credentials for accessing other AWS services.

Troubleshooting the first call

Encountering issues during your first API call is common. Here's a quick reference table for common problems and their solutions:

Step	What to do	Where
Error: `UserNotFoundException` or `NotAuthorizedException`	Verify the username and password are correct. Check if the user is confirmed in the User Pool.	AWS Cognito Console > User Pools > Users tab
Error: `InvalidParameterException` (e.g., invalid email format, password policy violation)	Ensure user attributes (like email) meet format requirements and the password adheres to the User Pool's password policy.	Your application code / AWS Cognito Console > User Pool > Sign-up experience > Password policy
Error: `AccessDeniedException` or similar permissions error	If using Identity Pools, check the IAM roles associated with the Identity Pool for sufficient permissions to access the target AWS service.	AWS IAM Console > Roles > (Authenticated/Unauthenticated Role for your Identity Pool)
Error: `ClientId` or `UserPoolId` mismatch	Confirm that the User Pool ID and App Client ID in your code exactly match those from your Cognito User Pool configuration.	Your application code / AWS Cognito Console > User Pool > App integration > App clients and analytics
Region mismatch	Ensure the AWS region configured in your SDK client matches the region where your Cognito User Pool is deployed.	Your application code / AWS Cognito Console (top right region selector)
User not confirmed error	After sign-up, users often need to confirm their account via email or phone. If confirmation is required, the sign-in attempt will fail until confirmed. Implement the `ConfirmSignUpCommand`.	Your application code / AWS Cognito Console > User Pool > Users tab (check user status)
CORS errors in browser applications	Ensure your App Client settings in Cognito include the correct callback URLs and allowed OAuth flows for your web application's domain.	AWS Cognito Console > User Pool > App integration > App clients and analytics

For more detailed troubleshooting, consult the AWS Cognito Developer Guide, which provides comprehensive information on common errors and best practices.