Step 2. Add an app client and set up the hosted UI - Amazon Cognito

After you create a user pool, you can create an app to use the built-in webpages for signing up and signing in your users.

To create an app in your user pool
  1. Go to the Amazon Cognito console. If prompted, enter your Amazon credentials.

  2. Choose User Pools.

  3. Choose an existing user pool from the list, or create a user pool. If you create a new user pool, you will be prompted to set up an app client and configure the hosted UI during the wizard.

  4. Choose the App integration tab for your user pool.

  5. Next to Domain, choose Actions, and then select either Create custom domain or Create Cognito domain. If you have already configured a user pool domain, choose Delete Cognito domain or Delete custom domain before creating your new custom domain.

  6. Enter an available domain prefix to use with a Cognito domain. For information on setting up a Custom domain, see Using Your Own Domain for the Hosted UI.

  7. Choose Create.

  8. Navigate back to the App integration tab for the same user pool and locate App clients. Choose Create an app client.

  9. Choose an Application type. Some recommended settings will be provided based on your selection. An app that uses the hosted UI is a Public client.

  10. Enter an App client name.

  11. For this exercise, choose Don't generate client secret. A client secret is for confidential clients: apps that run on a server you control and can keep the secret private. In this exercise you will present the hosted UI sign-in page directly to your users, so no client secret is required.

  12. Choose the Authentication flows you will allow with your app. Ensure that USER_SRP_AUTH has been selected.

  13. Customize token expiration, Advanced security configuration, and Attribute read and write permissions as needed. For more information, see Configuring App Client Settings.

  14. Add a callback URL for your app client. This is the URL that Amazon Cognito redirects users to after hosted UI authentication. You do not need to add an Allowed sign-out URL until you are able to implement sign-out in your app.

    For an iOS or Android app, you can use a callback URL such as myapp://.

  15. Select the Identity providers for the app client. At minimum, enable Cognito user pool as a provider.

    To sign in with external identity providers (IdPs) such as Facebook, Amazon, Google, and Apple, as well as through OpenID Connect (OIDC) or SAML IdPs, first configure them as shown in Adding user pool sign-in through a third party, and then return to the App client settings page to enable them.

  16. Choose OAuth 2.0 Grant Types. Select Authorization code grant to return an authorization code that is then exchanged for user pool tokens. Because the tokens are never exposed directly to an end user, they are less likely to become compromised. However, a custom application is required on the backend to exchange the authorization code for user pool tokens. For security reasons, we recommend that you use the authorization code grant flow, together with Proof Key for Code Exchange (PKCE), for mobile apps.

    Select Implicit grant to have user pool JSON web tokens (JWT) returned to you from Amazon Cognito. You can use this flow when there's no backend available to exchange an authorization code for tokens. It's also helpful for debugging tokens.

    You can enable both the Authorization code grant and the Implicit grant, and then use each grant as needed.

    Select Client credentials only if your app needs to request access tokens on its own behalf, not on behalf of a user.

  17. Unless you specifically want to exclude one, select all OpenID Connect scopes.

  18. Select any Custom scopes you have configured. Custom scopes are typically used with confidential clients.

  19. Choose Create.
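As an added example (not code from the Amazon Cognito documentation), the authorization code grant with PKCE recommended in step 16 for mobile apps, in Python with only the standard library: it generates the RFC 7636 code verifier and S256 challenge, builds the hosted UI request with response_type=code, and matches the state parameter on the callback before accepting the code. The pool domain, app client ID and callback URL are placeholders, and the /oauth2/authorize path is the user pool's OAuth 2.0 authorization endpoint, assumed here rather than taken from this page.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Placeholders: substitute your own pool domain, app client ID and callback URL.
COGNITO_DOMAIN = "https://example-prefix.auth.us-east-1.amazoncognito.com"
CLIENT_ID = "YOUR_APP_CLIENT_ID"
REDIRECT_URI = "myapp://"  # the mobile callback URL from step 14


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """32 random bytes give a 43-character verifier, the RFC 7636 minimum length."""
    return b64url(secrets.token_bytes(32))


def code_challenge_s256(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(verifier: str, state: str, scopes=("openid", "email", "profile")) -> str:
    """Hosted UI request for the authorization code grant. The challenge ties the
    later code-for-token exchange to the client holding the verifier, so an
    intercepted code alone is useless; state lets the callback be matched to it."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(scopes),
        "state": state,
        "code_challenge_method": "S256",
        "code_challenge": code_challenge_s256(verifier),
    }
    return f"{COGNITO_DOMAIN}/oauth2/authorize?{urlencode(params)}"


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Take the code from the redirect back to the app, rejecting an error
    response or a state value that does not match the request we sent."""
    qs = parse_qs(urlparse(callback_url).query)
    if "error" in qs:
        raise ValueError(f"authorization failed: {qs['error'][0]}")
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: discard this response")
    return qs["code"][0]
```

Keep the verifier and state in the app's memory between the request and the callback; the verifier is sent only in the later token exchange, never in the browser request.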

To view your sign-in page

From your App client page, select View hosted UI to open a new browser tab to a sign-in page pre-populated with app client ID, scope, grant, and callback URL parameters.

You can view the hosted UI sign-in webpage manually with the following URL. Note the response_type. In this case, response_type=code for the authorization code grant.


You can view the hosted UI sign-in webpage with the following URL for the implicit code grant where response_type=token. After a successful sign-in, Amazon Cognito returns user pool tokens to your web browser's address bar.


You can find the JSON web token (JWT) identity token after the #idtoken= parameter in the response.

The following URL is a sample response from an implicit grant request. Your identity token string will be much longer.

Amazon Cognito user pool tokens are signed with the RS256 algorithm. You can decode and verify user pool tokens with Amazon Lambda; see Decode and verify Amazon Cognito JWT tokens on the Amazon GitHub website.
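As an added example (not code from the Amazon Cognito documentation or the linked GitHub project), the handling of an implicit grant response described above, in Python with the standard library: it reads the tokens out of the URL fragment and then runs the claim checks that must accompany RS256 signature verification, namely issuer, audience, token_use and expiry. Signature verification against the pool's JWKS is done with a JWT library and is not part of this block; the issuer and client ID are placeholders, the fragment key id_token is the OIDC parameter name assumed here, and the sample token is constructed for the example.

```python
import base64
import json
import time
from urllib.parse import urlparse, parse_qs

# Placeholders: the pool's issuer URL and the app client ID the token was issued to.
ISSUER = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE"
CLIENT_ID = "YOUR_APP_CLIENT_ID"


def b64url_decode(segment: str) -> bytes:
    """JWT segments are unpadded base64url; restore padding before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def tokens_from_fragment(redirect_url: str) -> dict:
    """Implicit grant: tokens arrive in the fragment after '#', not the query string,
    so they are not sent to a server but do land in the browser's history."""
    frag = parse_qs(urlparse(redirect_url).fragment)
    return {k: v[0] for k, v in frag.items()}


def split_jwt(token: str):
    header, payload, signature = token.split(".")
    return json.loads(b64url_decode(header)), json.loads(b64url_decode(payload)), signature


def check_id_token_claims(token: str, now=None) -> dict:
    """Claim checks to run alongside RS256 verification against the pool's JWKS
    (done with a JWT library, not here). Decoding alone proves nothing: every
    value below is untrusted until the signature has been verified."""
    header, claims, _ = split_jwt(token)
    now = int(time.time()) if now is None else now
    if header.get("alg") != "RS256" or "kid" not in header:
        raise ValueError("unexpected header: user pool tokens are RS256 with a kid")
    if claims.get("iss") != ISSUER:
        raise ValueError("issuer is not this user pool")
    if claims.get("aud") != CLIENT_ID:
        raise ValueError("audience is not this app client")
    if claims.get("token_use") != "id":
        raise ValueError("token_use is not 'id'")
    if claims.get("exp", 0) <= now:
        raise ValueError("token has expired")
    return claims


def sample_id_token(exp: int) -> str:
    """Constructed test token: real header and claim layout, stand-in signature."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    header = {"alg": "RS256", "kid": "example-kid"}
    claims = {"iss": ISSUER, "aud": CLIENT_ID, "token_use": "id", "exp": exp, "sub": "user-1"}
    return f"{enc(header)}.{enc(claims)}.stand-in-signature"
```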

Your domain is shown on the Domain name page. Your app client ID and callback URL are shown on the General settings page. If the changes you made in the console do not appear immediately, wait a few minutes and then refresh your browser.

Next step

Step 3. Add social sign-in to a user pool (optional)