Amazon Cognito terms - Amazon Cognito
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Amazon Cognito terms

Amazon Cognito provides credentials for web and mobile apps. It draws from and builds on terms that are common in identity and access management. Many guides to universal identity and access terms are available. Some examples are:

The following lists describe terms that are unique to Amazon Cognito or have a specific context in Amazon Cognito.


The terms in this list aren't specific to Amazon Cognito and are widely recognized among identity and access management practitioners. The following isn't an exhaustive list of terms, but a guide to their specific Amazon Cognito context in this guide.


Typically, a mobile application. In this guide, app is often a shorthand for a web application or mobile app that connects to Amazon Cognito.

Attribute-based access control (ABAC)

A model where an app determines access to resources based on the properties of a user, like their job title or department. Amazon Cognito tools to enforce ABAC include ID tokens in user pools and principal tags in identity pools.

Authorization server

A web-based system that generates JSON web tokens. The Amazon Cognito user pools federation endpoints are the authorization-server component of the two authentication and authorization methods in user pools. The other method is the user pools API.

Confidential app, server-side app

An application that users connect to remotely, with code on an application server and access to secrets. This is typically a web application.

Identity provider (IdP)

A service that stores and verifies user identities. Amazon Cognito can request authentication from external providers and be an IdP to apps.

JSON web token (JWT)

A JSON-formatted document that contains claims about an authenticated user. ID tokens authenticate users, access tokens authorize users, and refresh tokens update credentials. Amazon Cognito receives tokens from external providers and issues tokens to apps or Amazon STS.

Multi-factor authentication (MFA)

The requirement that users provide additional authentication after providing their username and password. Amazon Cognito user pools have MFA features for local users.

OAuth 2.0 (social) provider

An IdP to a user pool or identity pool that provides JWT access and refresh tokens. Amazon Cognito user pools automate interactions with social providers after users authenticate.

OpenID Connect (OIDC) provider

An IdP to a user pool or identity pool that extends the OAuth specification to provide ID tokens. Amazon Cognito user pools automate interactions with OIDC providers after users authenticate.

Public app

An application that is self-contained on a device, with code stored locally and no access to secrets. This is typically a mobile app.

Resource server

An API with access control. Amazon Cognito user pools also use resource server to describe the component that defines the configuration for interacting with an API.

Role-based access control (RBAC)

A model that grants access based on a user's functional designation. Amazon Cognito identity pools implement RBAC with differentiation between IAM roles.

Service provider (SP), relying party (RP)

An application that relies on an IdP to assert that users are trustworthy. Amazon Cognito acts as an SP to external IdPs, and as an IdP to app-based SPs.


An IdP to a user pool or identity pool that generates digitally signed assertion documents that your user passes to Amazon Cognito.

Universally Unique Identifier (UUID)

A 128-bit label that is applied to an object. Amazon Cognito UUIDs are unique per user pool or identity pool, but don't conform to a specific UUID format.

User directory

A collection of users and their attributes that serves that information to other systems. Amazon Cognito user pools are user directories, and also tools for consolidation of users from external user directories.

User pools

When you see the terms in the following list in this guide, they refer to a specific feature or configuration of user pools.

Amazon Cognito user pools API

A set of authentication and authorization API operations that you can add to your app with an Amazon SDK. The API can sign in local users and linked users.

Adaptive authentication

A feature of advanced security that detects potential malicious activity and applies additional security to user profiles.

Advanced security features

An optional component that adds tools for user security.

App client

A component that defines the settings for a user pool as an IdP to one app.

Callback URL, redirect URI

A setting in an app client and a parameter in requests to user pools federation endpoints. The callback URL is the initial destination for authenticated users in your app.

Compromised credentials

A feature of advanced security that detects user passwords that attackers might know, and applies additional security to user profiles.


The process that determines that the prerequisites have been met to permit a new user to sign in. Confirmation is typically done through email address or phone number verification.

Custom authentication

An extension of authentication processes with Lambda triggers that define additional user challenges and responses.

Device authentication

An authentication process that replaces MFA with sign-in that uses the ID of a trusted device.

External provider, third-party provider

An IdP that has a trust relationship with a user pool.

Federated user

A user in a user pool who was authenticated by an external provider.

Federation endpoints

A set of webpages on your user pool domain that host services for interaction with IdPs and apps.

Hosted UI

A set of interactive webpages on your user pool domain that host services for user authentication.

Lambda trigger

A function in Amazon Lambda that a user pool can automatically invoke at key points in user authentication processes. You can use Lambda triggers to customize authentication outcomes.

Local user

A user profile in the user pool user directory that wasn't created by authentication with an external provider.

Linked user

A user from an external provider whose identity is merged with a local user.

Token customization

The outcome of a pre token generation Lambda trigger that modifies a user's ID or access token at runtime.

User pool, Amazon Cognito identity provider, cognito-idp, Amazon Cognito user pools

An Amazon resource with authentication and authorization services for applications that work with OIDC IdPs.

User pool domain

A website name that you add to a user pool. The domain is the base URL for the hosted UI and federation endpoints.


The process of confirming that a user owns an email address or phone number. A user pool sends a code to a user who has entered a new email address or phone number. When they submit the code to Amazon Cognito, they verify their ownership of the message destination and can receive additional messages from the user pool. Also, see confirmation.

User profile, user account

An entry for a user in the user directory. All users have a profile in their user pool.

Identity pools

When you see the terms in the following list in this guide, they refer to a specific feature or configuration of identity pools.

Attributes for access control

An implementation of attribute-based access control in identity pools. Identity pools apply user attributes as tags to user credentials.

Basic (classic) authentication

An authentication process where you can customize the request for user credentials.

Developer authenticated identities

An authentication process that authorizes identity pool user credentials with developer credentials.

Developer credentials

The IAM API keys of an identity pool administrator.

Enhanced authentication

An authentication flow that selects an IAM role and applies principal tags according to the logic that you define in your identity pool.


A UUID that links an app user and their user credentials to their profile in an external user directory that has a trust relationship with an identity pool.

Identity pool, Amazon Cognito federated identities, Amazon Cognito identity, cognito-identity

An Amazon resource with authentication and authorization services for applications that use temporary Amazon credentials.

Unauthenticated identity

A user who has not signed in with an identity pool IdP. You can permit users to generate limited user credentials for a single IAM role before they authentication.

User credentials

Temporary Amazon API keys that users receive after identity pool authentication.