{"name":"Amazon Cognito","slug":"cognito","category":"auth","type":"cloud","website":"https://aws.amazon.com/cognito/","pricing":"freemium","pricing_tiers":["Free up to 50k MAU","$0.0055/MAU after","SAML federation extra"],"open_source":false,"self_hosted":false,"sdk_languages":["javascript","typescript","python","java","swift","kotlin","go","ruby"],"frameworks":["langchain"],"agent_features":{"agent_sdk":false,"token_delegation":true,"human_in_the_loop":false,"fga":false,"mcp_support":null,"async_authorization":false},"compliance":["soc2","hipaa","gdpr","pci-dss","fedramp"],"best_for":"AWS-native agent stacks; teams already using API Gateway, Lambda, and IAM; compliance-heavy environments on AWS","limitations":"Poor developer experience; documentation is dense; no agent SDK, no FGA, no human-in-the-loop; locked to AWS","verified_by":"editorial","last_verified":"2026-04-17","source_urls":{"changelog":"https://aws.amazon.com/releasenotes/?tag=Cognito","pricing":"https://aws.amazon.com/cognito/pricing/","docs":"https://docs.aws.amazon.com/cognito/"},"feature_labels":{"agent_sdk":"Dedicated SDK for agentic workflows — agent sessions, token lifecycle, and authorization requests","token_delegation":"Issue scoped tokens an agent can use downstream without exposing user credentials","human_in_the_loop":"Pause agent execution and require explicit user approval before proceeding","fga":"Fine-Grained Authorization — relationship-based or attribute-based access control, not just role-based","mcp_support":"Native OAuth/OIDC authorization layer for Model Context Protocol servers","async_authorization":"Non-blocking approval workflows — agent continues and gets notified when approval is granted"},"comparisons":[{"slug":"auth0-vs-cognito","title":"Auth0 vs Amazon Cognito","vs":"auth0"},{"slug":"clerk-vs-cognito","title":"Clerk vs Amazon Cognito","vs":"clerk"},{"slug":"cognito-vs-descope","title":"Amazon Cognito vs Descope","vs":"descope"},{"slug":"cognito-vs-firebase-auth","title":"Amazon Cognito vs Firebase","vs":"firebase-auth"},{"slug":"cognito-vs-keycloak","title":"Amazon Cognito vs Keycloak","vs":"keycloak"},{"slug":"cognito-vs-ory","title":"Amazon Cognito vs Ory","vs":"ory"},{"slug":"cognito-vs-stytch","title":"Amazon Cognito vs Stytch","vs":"stytch"},{"slug":"cognito-vs-supabase-auth","title":"Amazon Cognito vs Supabase","vs":"supabase-auth"},{"slug":"cognito-vs-workos","title":"Amazon Cognito vs WorkOS","vs":"workos"}],"body":"# Amazon Cognito\n\nCognito is on this list because it's unavoidable for teams building on AWS. If your agent infrastructure runs on Lambda, API Gateway, and Bedrock, Cognito is the path of least resistance for auth — not because it's the best option, but because it integrates directly with IAM and AWS's security model.\n\nThe developer experience is a known pain point. Configuration is complex, documentation is dense, and the mental model (User Pools vs. Identity Pools vs. Federated Identities) is confusing compared to modern alternatives. But for teams where AWS is the non-negotiable platform, the integration benefits often outweigh the DX cost.\n\nFor agentic workloads, Cognito supports M2M via the client credentials grant and token delegation through standard OAuth flows. There's no dedicated agent SDK, no FGA, and no human-in-the-loop support — but agents can authenticate using standard OIDC tokens that API Gateway and Lambda can verify natively.\n\n**Agent-specific features:**\n- Client credentials grant for M2M / agent-to-service auth\n- JWT tokens verifiable by API Gateway and Lambda authorizers\n- OAuth 2.0 token delegation via Resource Server scopes\n- IAM integration for AWS resource access\n- Supports Bedrock agent authentication patterns"}