Amazon Cognito

Simple and Secure User Sign-Up, Sign-In, and Access Control

Amazon Cognito lets you add user sign-up, sign-in, and access control to your web and mobile apps quickly and easily. Amazon Cognito scales to millions of users and supports sign-in with social identity providers, such as Facebook, Google, and Amazon, and enterprise identity providers via SAML 2.0.

Spend your time creating great apps.

Let Amazon Cognito handle authentication.


Secure and scalable user directory

Amazon Cognito User Pools provide a secure user directory that scales to hundreds of millions of users. As a fully managed service, User Pools are easy to set up without any worries about standing up server infrastructure.

Read more about Cognito User Pools



Social and enterprise identity federation

With Amazon Cognito, your users can sign in through social identity providers such as Google, Facebook, and Amazon, and through enterprise identity providers such as Microsoft Active Directory via SAML.

Read more about federation



Standards-based authentication

Amazon Cognito User Pools is a standards-based Identity Provider and supports identity and access management standards, such as Oauth 2.0, SAML 2.0, and OpenID Connect.

Read more about standards-based authentication



Security for your apps and users

Amazon Cognito supports multi-factor authentication and encryption of data-at-rest and in-transit. Amazon Cognito is HIPAA eligible and PCI DSS, SOCISO/EIC 27001, ISO/EIC 27017, ISO/EIC 27018, and ISO 9001 compliant.

Read more about security and compliance



Access control for AWS resources

Amazon Cognito provides solutions to control access to backend resources from your app. You can define roles and map users to different roles so your app can access only the resources that are authorized for each user.

Read more about controlling access to AWS resources


Easy integration with your app

With a built-in UI and easy configuration for federating identity providers, you can integrate Amazon Cognito to add user sign-in, sign-up, and access control to your app in minutes. You can customize the UI to put your company branding front and center for all user interactions.

See how to quickly integrate Amazon Cognito with your app


It really is this easy

  • iOS Objective C
  • Android
  • iOS Swift
  • Web Apps
  • iOS Objective C
  • Sign in users and get back tokens using the SDKs and a few lines of code.
    // iOS Objective-C
    // AppDelegate.m
    - (BOOL)application:(UIApplication *)app openURL:(NSURL *)url options:(NSDictionary<UIApplicationOpenURLOptionsKey, id> *)options {
      return [[AWSCognitoAuth defaultCognitoAuth] application:app openURL:url options:options];
    // ViewController.m
    AWSCognitoAuth * cognitoAuth = [AWSCognitoAuth defaultCognitoAuth];
    [cognitoAuth getSession:self completion:^(AWSCognitoAuthUserSession * _Nullable session, NSError * _Nullable error) {
      if(error) {
        NSLog(@"Error: %@", error.userInfo[@"error"]);
      } else {
        //Do something with session
        NSLog(@"Claims: %@",;       
  • Android
  • Sign in users and get back tokens using the SDKs and a few lines of code.
    // 1) -- Create an instance of Auth --
    Auth.Builder builder = new Auth.Builder()
      .setAuthHandler(new callback());
      auth =;
    // 2) – Set up url redirect in your app manifest --
      <data android:host="YOUR_REDIRECT_URI_AUTHORITY"android:scheme="YOUR_REDIRECT_SCHEME"/>
    // 3) -- Get tokens for your user --
  • iOS Swift
  • Sign in users and get back tokens using the SDKs and a few lines of code.
    // iOS Swift
    // AppDelegate.swift
    func application(_ app: UIApplication, open url: URL, options: [UIApplicationOpenURLOptionsKey : Any] = [:]) -> Bool {
      return AWSCognitoAuth.default().application(app, open: url, options: options)
    // ViewController.swift
    let cognitoAuth = AWSCognitoAuth.default()
    cognitoAuth.getSession(self)  { (session:AWSCognitoAuthUserSession?, error:Error?) in
      if(error != nil) {
        print((error! as NSError).userInfo["error"] as? String)
       }else {
       //Do something with session
  • Web Apps
  • Sign in users and get back tokens using the SDKs and a few lines of code.
    // Add amazon-cognito-auth-js SDK in your application.
    //1) -- Create an instance of Auth --
      var authData = {
      ClientId                       : '<add ClientId>',
      AppWebDomain       : '<add App Web Domain>',
      TokenScopesArray   : '<add scope array>',
      RedirectUriSignIn    : '<add redirect url when signed in>',
      RedirectUriSignOut : '<add redirect url when signed out>'
    var auth = new AWSCognito.CognitoIdentityServiceProvider.CognitoAuth(authData);
    // 2) -- Get tokens for your user --

Trusted by developers


Pay only for what you use. No minimums.

If you are using Amazon Cognito Identity to create a User Pool, you pay based on your monthly active users (MAUs) only. A user is counted as a MAU if, within a calendar month, there is an identity operation related to that user, such as sign-up, sign-in, token refresh, or password change. You are not charged for subsequent sessions or for inactive users within that calendar month.

Pricing Tier (MAUs) Price per MAU
First 50,000 Free
Next 50,000 $0.00550
Next 900,000 $0.00460
Next 9,000,000 $0.00325
Greater than 10,000,000 $0.00250

For users who sign in through SAML or OIDC federation, the price for MAUs above the 50 MAU free tier is $0.015 per MAU. Using the Federated Identities feature to get AWS credentials for authenticated or guest users is always free with Amazon Cognito. Read more about our pricing here.

Get started with AWS


Sign up for an AWS account

Instantly get access to the AWS Free Tier.

Learn with 10-minute Tutorials

Explore and learn with simple tutorials.

Start building with AWS

Begin building with step-by-step guides to help you launch your AWS project.
Secure, Scalable, Sign-Up in Minutes.