User pool endpoints and hosted UI reference - Amazon Cognito
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

User pool endpoints and hosted UI reference

Amazon Cognito has two models of user pool authentication: with the user pools API and with the OAuth 2.0 authorization server. Use the API when you want to retrieve OpenID Connect (OIDC) tokens with an Amazon SDK in your application back end. Use the authorization server when you want to implement your user pool as an OIDC provider. The authorization server adds features like federated sign-in, API and M2M authorization with access token scopes, and the hosted UI. You can use the API and OIDC models each on their own or together, configured at the user pool level or at the app client level. This section is a reference for the implementation of the OIDC model. For more information about the two authentication models, see Using the user pools API and authorization server.

Amazon Cognito activates the public webpages listed here when you assign a domain to your user pool. Your domain serves as a central access point for all of your app clients. These pages include the hosted UI, where your users can sign up and sign in (the Login endpoint) and sign out (the Logout endpoint). For more information about these resources, see Managing the hosted UI and authorization server.

These pages also include the public web resources that allow your user pool to communicate with third-party SAML, OpenID Connect (OIDC), and OAuth 2.0 identity providers (IdPs). To sign in a user with a federated identity provider, your users must initiate a request to the interactive hosted UI Login endpoint or to the OIDC Authorize endpoint. The Authorize endpoint redirects your users either to your hosted UI or to your IdP sign-in page.
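The following Python example, added here and not taken from the Amazon Cognito documentation or any Amazon SDK, shows how a relying-party application builds the request to the Authorize endpoint that starts the flow described above, and how it validates the redirect back to the app. It assumes a constructed user pool prefix domain, app client ID, and callback URL (none of them real); the `/oauth2/authorize` and `/logout` paths are the user pool's Authorize and Logout endpoints, and `identity_provider` is the request parameter that routes the user directly to a federated IdP instead of the hosted UI chooser. The example uses the authorization code grant with PKCE (RFC 7636, `S256`) and an opaque `state` value so that the callback handler can reject a code it did not ask for (the usual defence against login CSRF and code injection on the redirect URI).

```python
import base64
import hashlib
import secrets
from typing import Iterable, Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed, hypothetical values for the example; substitute your own.
DOMAIN = "https://example-pool.auth.us-east-1.amazoncognito.com"
CLIENT_ID = "example-client-id"
REDIRECT_URI = "https://app.example.com/callback"
LOGOUT_URI = "https://app.example.com/signed-out"


def make_code_verifier() -> str:
    # 32 random bytes -> 43 unpadded base64url characters, inside the
    # 43..128 length range RFC 7636 requires for a code_verifier.
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")


def code_challenge(verifier: str) -> str:
    # S256 method: BASE64URL-ENCODE(SHA256(ASCII(code_verifier))), no padding.
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def make_state() -> str:
    # Opaque, unguessable value bound to the user's session before redirecting.
    return secrets.token_urlsafe(32)


def build_authorize_url(
    verifier: str,
    state: str,
    idp: Optional[str] = None,
    scopes: Iterable[str] = ("openid", "email"),
) -> str:
    # Request an authorization code; the code is later exchanged at the
    # Token endpoint together with the original code_verifier.
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(scopes),
        "state": state,
        "code_challenge_method": "S256",
        "code_challenge": code_challenge(verifier),
    }
    if idp:
        # Skip the hosted UI provider chooser and go straight to this IdP.
        params["identity_provider"] = idp
    return f"{DOMAIN}/oauth2/authorize?{urlencode(params)}"


def build_logout_url() -> str:
    # Logout endpoint: clears the hosted UI session and redirects back to the app.
    return f"{DOMAIN}/logout?{urlencode({'client_id': CLIENT_ID, 'logout_uri': LOGOUT_URI})}"


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Validate the redirect back from the Authorize endpoint and return the code.

    Raises ValueError when the IdP reported an error, when state does not match
    the value stored in the session, or when no code is present.
    """
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    state = query.get("state", [""])[0]
    if not secrets.compare_digest(state, expected_state):
        raise ValueError("state mismatch: response was not initiated by this session")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("no authorization code in callback")
    return code


if __name__ == "__main__":
    verifier = make_code_verifier()
    state = make_state()
    print("redirect the browser to:", build_authorize_url(verifier, state, idp="ExampleSAML"))
    print("sign-out URL:", build_logout_url())
    # Constructed callback, as the browser would present it after a successful sign-in.
    callback = f"{REDIRECT_URI}?code=constructed-code&state={state}"
    print("authorization code:", parse_callback(callback, state))
```

The verifier and state must be stored server-side (or in an HttpOnly session cookie) between the redirect and the callback; the callback handler then exchanges the code at the Token endpoint with the stored verifier, and a state mismatch is treated as a failed sign-in rather than retried.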

Your app can also sign in local users with the Amazon Cognito user pools API. A local user exists exclusively in your user pool directory without federation through an external IdP.

In addition to the hosted UI and federation endpoints, Amazon Cognito integrates with SDKs for Android, iOS, JavaScript, and more. The SDKs provide tools to perform user pool API operations with Amazon Cognito API service endpoints. For more information about service endpoints, see Amazon Cognito Identity endpoints and quotas.

Warning

Don't pin the end-entity or intermediate Transport Layer Security (TLS) certificates for Amazon Cognito domains. Amazon manages all certificates for all of your user pool endpoints and prefix domains. The certificate authorities (CAs) in the chain of trust that supports Amazon Cognito certificates dynamically rotate and renew. When you pin your app to an intermediate or leaf certificate, your app can fail without notice when Amazon rotates certificates.

Instead, pin your application to all available Amazon root certificates. For more information, see best practices and recommendations at Certificate pinning in the Amazon Certificate Manager User Guide.