For Agents
Issue scoped temporary AWS credentials to federated users and unauthenticated guests, and manage identity pools, identity-to-role mappings, and developer-authenticated identities.
Get started with Amazon Cognito Identity in minutes using your preferred integration method.
# Add to your MCP client config (Claude Desktop, Cursor, Windsurf)
{
"jentic": {
"url": "https://api.jentic.com/mcp",
"auth": "oauth"
}
}
# Then ask your agent:
"issue temporary AWS credentials for a federated user"
# → Jentic returns the GET /events tool with parameter schema, agent executes.
What an agent can do with Amazon Cognito Identity API.
Create identity pools that federate users from Cognito User Pools, SAML, OpenID Connect, Facebook, Google, and Apple
Issue temporary, scoped AWS credentials to identities via GetCredentialsForIdentity
Map federated identities to IAM roles using rule-based or token-based role resolution
Link multiple external logins to a single Cognito identity for cross-provider account linking
Manage developer-authenticated identities through GetOpenIdTokenForDeveloperIdentity
List, describe, and delete identities and pools for housekeeping and compliance
Use for: I need to issue temporary AWS credentials to a mobile app user, I want to federate Google sign-in into AWS access, Set up an identity pool that supports unauthenticated guest access, Get the IAM role mapping for a Cognito identity pool
Not supported: Does not handle user sign-up, password reset, MFA, or user directory storage - use for federated identity and AWS credential vending only; for full user pools use Amazon Cognito User Pools.
Jentic publishes the only available OpenAPI specification for Amazon Cognito Identity, keeping it validated and agent-ready. Amazon Cognito Identity (Federated Identities) issues scoped, temporary AWS credentials to mobile and web clients so applications can call AWS services without embedding long-lived secrets. Identity pools federate users from public providers like Apple, Google, Facebook, SAML, and OpenID Connect, or from unauthenticated guests, and map them to IAM roles for fine-grained access. The service uniquely identifies devices and maintains stable identity IDs across sign-ins for the lifetime of the application.
Patterns agents use Amazon Cognito Identity API for, with concrete tasks.
★ Federated Mobile App Access to AWS
Mobile and single-page apps need to call AWS services such as S3, DynamoDB, or API Gateway without embedding long-lived AWS keys. Amazon Cognito Identity issues short-lived, scoped credentials after a user signs in with Google, Apple, Facebook, or a SAML provider, and maps them to an IAM role that limits what the app can do. Integration typically takes a day for a basic federated flow plus role policy tuning.
Create an identity pool that allows Google logins, then call GetId followed by GetCredentialsForIdentity to obtain temporary AWS credentials for a sample Google ID token.
Guest Access for Public-Facing Apps
Public sites and games need read-only access to AWS resources for unauthenticated visitors. Amazon Cognito Identity supports unauthenticated guest identities that map to a separate IAM role with restricted permissions, so guests can fetch assets or anonymous metrics without registering. The pool can be upgraded to authenticated when the user signs in.
Configure an identity pool with AllowUnauthenticatedIdentities=true and call GetId with no logins to obtain a guest IdentityId.
Developer-Authenticated Identities
Apps with their own user database can integrate it with AWS by using developer-authenticated identities. The backend authenticates the user, calls GetOpenIdTokenForDeveloperIdentity, and the client exchanges that token for AWS credentials. This keeps the existing login system while gaining IAM-based authorization for AWS calls.
Call GetOpenIdTokenForDeveloperIdentity with a custom user identifier and the developer provider name to mint an OpenID token mapped to an IAM role.
Agent-Driven Identity Pool Provisioning
An AI agent operating an AWS landing zone can create and configure identity pools on demand. Through Jentic, the agent searches for identity pool operations, loads the input schema, and creates pools wired to the correct IAM roles for new applications. Operations that previously required navigating the AWS console can be issued as structured calls.
Create an identity pool named 'agent-provisioned-pool', set its role mappings via SetIdentityPoolRoles, and verify the configuration via DescribeIdentityPool.
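A configuration review that fits the guest-access and provisioning patterns above, as an added example (not Jentic or AWS code): it takes DescribeIdentityPool- and GetIdentityPoolRoles-shaped output plus each role's IAM trust policy and reports roles that are not pinned to the pool or to the identity type. The function names, pool id, account id and role ARNs are constructed for illustration.

```python
AUD, AMR = "cognito-identity.amazonaws.com:aud", "cognito-identity.amazonaws.com:amr"
FED = {"Federated": "cognito-identity.amazonaws.com"}

def cond_values(stmt, key):
    """Values given for one condition key, across every operator in a statement."""
    out = []
    for operands in stmt.get("Condition", {}).values():
        v = operands.get(key, [])
        out += [v] if isinstance(v, str) else list(v)
    return out

def review_trust(kind, policy, pool_id):
    """A role assumed through Cognito should pin the pool id (aud) and identity type (amr)."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or stmt.get("Principal") != FED:
            continue
        if cond_values(stmt, AUD) != [pool_id]:
            findings.append(f"{kind}: trust policy not pinned to this pool ({AUD})")
        if cond_values(stmt, AMR) != [kind]:
            findings.append(f"{kind}: trust policy not pinned to amr={kind}")
    return findings

def review_pool(pool, pool_roles, trust_policies):
    """pool is DescribeIdentityPool-shaped, pool_roles is GetIdentityPoolRoles-shaped."""
    roles, findings = pool_roles.get("Roles", {}), []
    guest_role = roles.get("unauthenticated")
    if pool.get("AllowUnauthenticatedIdentities") and guest_role in (None, roles.get("authenticated")):
        findings.append("guests have no dedicated IAM role")
    for provider, mapping in pool_roles.get("RoleMappings", {}).items():
        if mapping.get("AmbiguousRoleResolution") == "AuthenticatedRole":
            findings.append(f"{provider}: unmatched logins fall back to the authenticated role")
    for kind, arn in roles.items():
        findings += review_trust(kind, trust_policies.get(arn, {}), pool["IdentityPoolId"])
    return findings

# Constructed sample input: placeholder pool id, account id, role names; mapping rules omitted.
POOL_ID = "us-east-1:00000000-0000-0000-0000-000000000000"
AUTH_ARN, GUEST_ARN = "arn:aws:iam::111122223333:role/app-auth", "arn:aws:iam::111122223333:role/app-guest"
SAMPLE_POOL = {"IdentityPoolId": POOL_ID, "AllowUnauthenticatedIdentities": True}
SAMPLE_ROLES = {"Roles": {"authenticated": AUTH_ARN, "unauthenticated": GUEST_ARN}, "RoleMappings": {
    "accounts.google.com": {"Type": "Rules", "AmbiguousRoleResolution": "AuthenticatedRole"}}}
SAMPLE_TRUST = {
    AUTH_ARN: {"Statement": [{"Effect": "Allow", "Principal": FED, "Condition": {
        "StringEquals": {AUD: POOL_ID}, "ForAnyValue:StringLike": {AMR: "authenticated"}}}]},
    GUEST_ARN: {"Statement": [{"Effect": "Allow", "Principal": FED}]},  # no aud/amr conditions
}
if __name__ == "__main__":
    print("\n".join(review_pool(SAMPLE_POOL, SAMPLE_ROLES, SAMPLE_TRUST)))
```

On the sample input the guest role is reported twice, because its trust policy names the Cognito principal without restricting which pool or which identity type may assume it.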
23 endpoints
| METHOD | PATH | DESCRIPTION |
| --- | --- | --- |
| | /#X-Amz-Target=AWSCognitoIdentityService.CreateIdentityPool | Create a new identity pool |
| | /#X-Amz-Target=AWSCognitoIdentityService.GetId | Generate or fetch an identity ID for a user |
| | /#X-Amz-Target=AWSCognitoIdentityService.GetCredentialsForIdentity | Issue temporary AWS credentials for an identity |
| | /#X-Amz-Target=AWSCognitoIdentityService.GetOpenIdTokenForDeveloperIdentity | Mint an OpenID token for a developer-authenticated user |
| | /#X-Amz-Target=AWSCognitoIdentityService.SetIdentityPoolRoles | Map identities to IAM roles for a pool |
| | /#X-Amz-Target=AWSCognitoIdentityService.DescribeIdentityPool | Retrieve identity pool configuration |
Three things that make agents converge on Jentic-routed access.
Credential isolation
AWS SigV4 (HMAC) credentials for Amazon Cognito Identity are stored encrypted in the Jentic vault. Agents receive scoped, short-lived access via Jentic's MAXsystem rather than holding the raw AWS access key ID and secret access key in their context.
Intent-based discovery
Agents search Jentic with intents like 'issue temporary AWS credentials for a federated user' and Jentic returns the matching Amazon Cognito Identity operation with its input schema, so the agent can call the correct endpoint without browsing the AWS service reference.
Time to first call
Direct integration: 2-4 days for SigV4 request signing, IAM policy setup, and error handling across Amazon Cognito Identity operations. Through Jentic: under 1 hour - search by intent, load the schema, execute.
Alternatives and complements available in the Jentic catalogue.
Amazon Cognito Sync
Cross-device data syncing that uses Cognito Identity IDs as the identity layer.
Choose Cognito Sync when an app already uses Cognito Identity and needs to persist small amounts of user data across the user's devices.
Auth0 Authentication API
Hosted identity-as-a-service that issues JWTs rather than AWS credentials.
Choose Auth0 when the app needs identity that is not tied to AWS IAM and works equally well across multi-cloud backends.
Okta API
Enterprise identity provider for SSO and lifecycle management.
Choose Okta for workforce identity and SSO; choose Cognito Identity for end-user federation into AWS.
Specific to using Amazon Cognito Identity API through Jentic.
Why is there no official OpenAPI spec for Amazon Cognito Identity?
AWS does not publish an OpenAPI specification. Jentic generates and maintains this spec so that AI agents and developers can call Amazon Cognito Identity via structured tooling. It is validated against the live API and kept up to date. Get started at https://app.jentic.com/sign-up.
What authentication does the Amazon Cognito Identity API use?
It uses AWS Signature v4 (HMAC) signing with an AWS access key ID and secret access key. Through Jentic, those credentials are isolated in the Jentic vault and the agent never sees them; calls to operations like GetCredentialsForIdentity are signed on the agent's behalf.
Can I federate Google or Apple sign-in with the Amazon Cognito Identity API?
Yes. Configure the identity pool with the relevant provider in SupportedLoginProviders (for example accounts.google.com or appleid.apple.com), then call GetId with the provider's ID token in the Logins map to map the external user to a Cognito identity.
What are the rate limits for the Amazon Cognito Identity API?
AWS publishes per-account, per-region rate limits for Cognito Identity that vary by operation; GetCredentialsForIdentity and GetId are higher-throughput than administrative operations like CreateIdentityPool. Implement exponential backoff on ProvisionedThroughputExceededException and TooManyRequestsException.
How do I issue temporary AWS credentials with Amazon Cognito Identity through Jentic?
Search Jentic for 'issue temporary AWS credentials for a federated user', load the GetCredentialsForIdentity schema, and execute it with the IdentityId and Logins map. Jentic signs the SigV4 request and returns the temporary access key, secret, and session token.
Is the Amazon Cognito Identity API free?
Cognito Identity (Federated Identities) is free to use; you only pay for the AWS resources accessed using the issued credentials. Cognito User Pools, which is a separate service, has its own pricing.