Skip to main content

How to get the access token with Amazon Cognito


AWS Cognito is a serverless identity and access management server. We don't have to manage any server or database to handle user data and authentication, and authorization flows. In this article, we focus on how to create a Cognito user pool and retrieve an access token that can be used to access back-end data (we will not create a backend service though).

Cognito User Pools

Amazon Cognito User Pools makes it easy to create and maintain a user directory and add sign-up (user onboarding) and sign-in to your mobile or web application for authentication, authorization, and resource access and control.

Let's get started.

What we do

  • Create a Cognito user pool
  • Register a user and retrieve the authorization token
  • Retrieve access token

Create a Cognito user pool

Go to AWS Console > Amazon Cognito to navigate to the Cognito page.

Click on the "Create user pool".

Click Next to go to Step 2 to configure security requirements. For the purpose of the article, I choose a custom password policy so that I can enter a simpler password. I chose to disable MFA as well. However, that is a bad practice in a production environment.

Click Next to go to Step 3.

Click Next to go to Step 4.
I have selected the "Send email with Cognito" option to reduce the SES configuration effort. However, you better configure it for a production environment.

Click Next to go to Step 5.
  • Provide your desired name for the user pool
  • Tick the "Use the Cognito Hosted UI" to enable the Cognito-provided login page
  • Under the Domain, type anything you want

Under the Initial app client,
  • Provide a name for the client
  • Select "Generate a client secret"
  • Provide a callback URL. You can provide anything you want, which means, running the application is not necessary

Then review and create. You will see your user pool is created below.

Now, click on the user pool (webapp-user-pool) to get the information needed for our URLs. What we need is;
  • Domain
  • Client ID
  • Client secret

In "Client secret", click on "show client secret" to get your client's secret.

Register a user and get the code

Now, our user pool is created. Let's register a user and get the auth code.
Let's create the URL using postman. This is a redirection hence we copy this URL in the browser.
"webapp12" is the name given in the domain section.

Click on "sign up" to register a user. Once the registration is completed our callback URL will be called by Cognito. Copy the code part from it so that we can invoke the token endpoint.

Exchange the code for the access token

Let's use the postman to retrieve the access token using the code received from the login step.
curl -X POST \
	-d 'Content-Type=application/x-www-form-urlencoded

With that, we have successfully obtained the access token which can use to access secured back-end services.
However, this manual creation of the Cognito user pool is difficult to maintain. That is why we better use a CloudFormation template for this.


In this article, we learned how to create a Cognito user pool from the AWS console. After that, we use the token endpoint to retrieve an access token. In an upcoming article, let's see how we can create a Cognito user pool in infrastructure as code style.

Happy learning ☺