Amazon Cognito
Developer Guide (Version Last Updated: 07/28/2016)

Specifying User Pool App Settings

An app is an entity within a user pool that has permission to call unauthenticated APIs (APIs that do not have an authenticated user), such as APIs to register, sign in, and handle forgotten passwords. To call these APIs, you need an app client ID and an optional client secret. It is the developer's responsibility to secure any app client IDs or secrets so that only authorized client apps can call these unauthenticated APIs.

You can create multiple apps for a user pool, and generally each app corresponds to one platform. For example, you may create one app for a server-side application and a different one for an Android app. Each app will have its own app client ID.

When you create an app, you can optionally choose to create a secret for that app. If a secret is created for the app, the secret must be provided to use the app. Browser-based applications written in JavaScript may not need an app with a secret.

Secrets cannot be changed after an app is created. You can create a new app with a new secret if you want to rotate the secret that you are using. You can also delete an app to block access from apps that use that app client ID.

To create an app

  1. On the Apps tab in Create a user pool, choose Add an app.

  2. Specify an App name.

  3. Specify the app's Refresh token expiration (days). The default value is 30. You can change it to any value between 1 and 3650.

  4. By default, Amazon Cognito User Pools will generate a client secret for your app. If you don't want that to happen, clear Generate client secret.

  5. If your app is a server app that requires developer credentials (using Signature Version 4) and doesn't use Secure Remote Password (SRP) authentication, check Enable sign-in API for server-based authentication (ADMIN_NO_SRP_AUTH) to enable server-side authentication. For more information, see Admin Authentication Flow.

  6. By default, Amazon Cognito User Pools will allow your app to read all attributes and write only the email attribute. If you want to set different permissions for your app, perform the following steps.

    1. Choose Set attribute read and write permissions.

    2. You can set read and write permissions in both of the following ways:

      • By choosing one or more scopes. Each scope is a set of standard attributes. For more information, see the list of standard OIDC scopes.

      • By choosing individual standard or custom attributes.

  7. Choose Create app.

  8. If you want to create another app, choose Add an app.

  9. Once you've created all the apps you want, choose Save changes.

You can change attribute permissions and scopes after you have created your user pool.

You can also use the CLI commands create-user-pool-client and update-user-pool-client to set and change permissions on a user pool.
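The settings from the procedure above expressed as a create-user-pool-client request, together with the SECRET_HASH that an app created with a client secret must send on sign-up and sign-in calls. This is an added example, not code from the guide or the AWS SDK: the client ID and secret are constructed placeholders, the parameter names follow the create-user-pool-client API, and the HMAC is computed with Python's standard library rather than an AWS SDK.

```python
import base64
import hashlib
import hmac

# Constructed placeholder values; real ones come from the user pool's Apps tab.
APP_CLIENT_ID = "1example23456789abcdefghij"
APP_CLIENT_SECRET = "examplesecret-keep-this-on-the-server-only"


def app_client_settings(name, generate_secret=True, refresh_days=30,
                        server_side_auth=False, write_attrs=("email",)):
    """Request body for create-user-pool-client, following the console defaults:
    a secret is generated, refresh tokens last 30 days, writes limited to email."""
    if not 1 <= refresh_days <= 3650:
        raise ValueError("Refresh token expiration must be between 1 and 3650 days")
    request = {
        "ClientName": name,
        "GenerateSecret": generate_secret,
        "RefreshTokenValidity": refresh_days,
        "WriteAttributes": list(write_attrs),
    }
    if server_side_auth:
        # Step 5: a server app using SigV4 developer credentials skips SRP.
        request["ExplicitAuthFlows"] = ["ADMIN_NO_SRP_AUTH"]
    return request


def secret_hash(username, client_id, client_secret):
    """SECRET_HASH = Base64(HMAC-SHA256(key=client_secret, msg=username + client_id)).

    Cognito requires this value on sign-up and sign-in calls made with an app
    client that has a secret; it proves possession of the secret without sending it.
    """
    mac = hmac.new(client_secret.encode(), (username + client_id).encode(), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode("ascii")


def auth_parameters(username, password, client_id, client_secret=None):
    """AuthParameters for an ADMIN_NO_SRP_AUTH AdminInitiateAuth call.

    A browser app created without a secret (step 4) simply omits SECRET_HASH;
    a confidential server app adds it, keeping the secret itself server-side.
    """
    params = {"USERNAME": username, "PASSWORD": password}
    if client_secret:
        params["SECRET_HASH"] = secret_hash(username, client_id, client_secret)
    return params
```

Because the secret is an HMAC key, an app that embeds it in JavaScript shipped to browsers exposes it to every user, which is why browser apps are normally created without one.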