Amazon Cognito authentication

Amazon Cognito authentication lets your users sign in through a Cognito user pool you manage in AWS. Once connected, you can offer “Continue with Cognito” in your WeWeb app.

What this integration supports

• Social sign in through a Cognito user pool (Hosted UI)
• Redirect to different pages for success, error, and first-time users

Setup in the AWS console

You will create (or use) a Cognito user pool, then register WeWeb’s callback URL in your app client settings.

1. Create a user pool and an app client

1. Open the Amazon Cognito console.
2. Create a User pool (or select an existing one).
3. Create an App client for your WeWeb project.
4. Copy the:
   • Client ID
   • Client secret (If your app client uses one)

2. Configure a hosted UI domain

In your user pool, configure a domain for the hosted UI. This is the domain Cognito uses for sign in, for example:

• https://<your-domain>.auth.<region>.amazoncognito.com

You will use this value as Cognito Domain URL in WeWeb.

3. Add your callback URL

In your app client settings:

1. Enable the OAuth flow for web sign in:
   • Allowed OAuth flows: Authorization code grant
   • Allowed OAuth scopes: openid, profile, email
2. Add the callback URL:
   • https://<your-domain>/api/auth/callback/cognito

If you use multiple environments, add a callback URL for each environment (preview, staging, production).

Connect Amazon Cognito in WeWeb

1. In the WeWeb editor, go to Data & API → Auth → Integrating providers.
2. Find Amazon Cognito and expand it.
3. Turn on the Enable toggle.
4. Fill in:
   • Client ID
   • Client Secret
   • Cognito Domain URL — For example https://<your-domain>.auth.<region>.amazoncognito.com
5. Click Save.

WeWeb stores these values as environment variables (for example PROVIDER_COGNITO_CLIENT_ID, PROVIDER_COGNITO_CLIENT_SECRET, PROVIDER_COGNITO_ISSUER).

Test sign in

1. In Interface, add a “Continue with Cognito” button.
2. Create a workflow on click and add Sign in with social provider.
3. Set:
   • Provider: cognito
   • Success page, Error page, And (optional) New user page
4. Preview your project and complete the Cognito sign-in flow.

For what to do after sign in (roles, private pages, and access checks), see Users and roles overview →.

Common pitfalls

Callback URL mismatch

If Cognito shows a callback or redirect error, the callback URL in your app client settings is usually wrong.

• In Cognito, confirm the callback URL exactly matches https:///api/auth/callback/cognito for the environment you are testing.
• Make sure you are not mixing preview and production domains.

Wrong Cognito domain URL

If the sign in page can’t load or you see “issuer” / “domain” errors, double-check the domain value you pasted into WeWeb.

• Use the hosted UI domain from your user pool (it usually ends with .amazoncognito.com).
• Include https:// in Cognito Domain URL.

OAuth flow or scopes not enabled

If Cognito blocks the sign in flow, your app client may not be configured for the authorization code flow.

• Enable Authorization code grant in your app client.
• Enable openid, profile, and email scopes.

Reference

WeWeb settings

Setting in WeWeb	Description	Where to find it in AWS
Client ID	Identifies your Cognito app client.	User pool → App client.
Client Secret	Secret used to securely complete sign in.	User pool → App client (if enabled).
Cognito Domain URL	Hosted UI domain used for sign in (issuer).	User pool → Domain (hosted UI domain).

FAQs

What provider value should I use in the workflow action?

Use cognito as the Provider value in the Sign in with social provider action.

Do I need a user pool or an identity pool?

Use a user pool. This provider is for signing in users through the user pool hosted UI.

Can I use different user pools per environment?

Yes. Configure different Client ID, Client Secret, and Cognito Domain URL values per WeWeb environment.

Continue learning

Now that users can sign in, learn how to control access with roles and protected pages.

Users and roles overview →