Amazon Cognito

Amazon Cognito is a user authentication and identity management service from AWS. Scripts load the Cognito SDK to handle user registration, login, multi-factor authentication, and OAuth federation with social identity providers. It stores JWT tokens and session cookies in the browser to maintain authenticated state across page navigation and app sessions.

Overview

Amazon Cognito is a user identity and authentication service from AWS that handles registration, login, session management, and federated authentication for web and mobile applications. When detected on a website, it indicates the site uses Cognito to manage user accounts, authenticate sessions, and potentially federate login through social identity providers like Google, Facebook, or Apple.

What This Script Does

Amazon Cognito loads the AWS Amplify authentication libraries or the standalone Cognito Identity SDK, typically from cognito-idp.{region}.amazonaws.com and cognito-identity.{region}.amazonaws.com endpoints. The SDK manages the complete authentication lifecycle:

  1. User registration — Collects username, password, and required attributes; sends them to Cognito User Pools for account creation with server-side password hashing
  2. Authentication — Handles Secure Remote Password (SRP) protocol exchange for login, returning JWT tokens (ID token, access token, refresh token)
  3. Session management — Stores JWT tokens in the browser, typically using localStorage under keys prefixed with CognitoIdentityServiceProvider.{clientId} containing the ID token, access token, refresh token, and user metadata
  4. Token refresh — Automatically refreshes expired access tokens using the stored refresh token, maintaining seamless authenticated sessions
  5. MFA — Supports TOTP and SMS-based multi-factor authentication flows
  6. Federation — Redirects to external identity providers (Google, Facebook, Apple, SAML) and processes OAuth callback tokens

Storage used includes:

  • localStorage entries under CognitoIdentityServiceProvider.* — storing JWT tokens (ID, access, refresh) and last authenticated user metadata; tokens typically expire in 1 hour (access/ID) with refresh tokens valid for 30 days
  • localStorage entries under aws.cognito.identity-* — storing Cognito Identity Pool credentials for AWS service access
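The following is an added example, not ConsentStack's or AWS's own code. It inventories the storage entries described above and classifies each value by its JWT `exp` claim, so an audit can tell a live session from stale residue. It assumes the key suffixes used by the amazon-cognito-identity-js SDK (`.idToken`, `.accessToken`, `.refreshToken`, `LastAuthUser`) and the `aws.cognito.identity-id.<identityPoolId>` form for identity-pool entries; the client id, pool id and tokens are constructed placeholders, and no signature is verified (the check only reads the expiry, which is all a storage audit needs).

```javascript
// Added example (not ConsentStack's or AWS's code): inventory the localStorage entries
// the Cognito SDK leaves behind and report whether each JWT is still within its expiry.
// Assumed key layout (from the description above plus the amazon-cognito-identity-js
// convention): CognitoIdentityServiceProvider.<clientId>.<username>.<idToken|accessToken|refreshToken>,
// CognitoIdentityServiceProvider.<clientId>.LastAuthUser, and aws.cognito.identity-* entries.
// Signatures are NOT verified here; only the exp claim is read to classify session state.

const USER_POOL_PREFIX = 'CognitoIdentityServiceProvider.';
const IDENTITY_POOL_PREFIX = 'aws.cognito.identity-';

// JWT segments are base64url without padding; restore padding before decoding.
function base64UrlDecode(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  const pad = '='.repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(b64 + pad, 'base64').toString('utf8');
}

// Returns the numeric exp claim of a JWT, or null when the value is not a parseable JWT.
// Cognito refresh tokens are opaque to the client, so they fall into the null case.
function jwtExpiry(value) {
  const parts = value.split('.');
  if (parts.length !== 3) return null;
  try {
    const claims = JSON.parse(base64UrlDecode(parts[1]));
    return Number.isInteger(claims.exp) ? claims.exp : null;
  } catch {
    return null;
  }
}

// `storage` is anything with the Web Storage shape (length, key(i), getItem(k)):
// window.localStorage in a browser, or the constructed look-alike below in Node.
// `now` is Unix seconds; it is a parameter so the classification is reproducible.
function inventoryCognitoStorage(storage, now = Math.floor(Date.now() / 1000)) {
  const entries = [];
  for (let i = 0; i < storage.length; i++) {
    const key = storage.key(i);
    let kind;
    if (key.startsWith(USER_POOL_PREFIX)) kind = 'user-pool';
    else if (key.startsWith(IDENTITY_POOL_PREFIX)) kind = 'identity-pool';
    else continue; // not a Cognito entry; ignore
    const exp = jwtExpiry(storage.getItem(key));
    let status = 'opaque'; // metadata or a non-JWT value such as the refresh token
    if (exp !== null) status = exp > now ? 'valid' : 'expired';
    entries.push({ key, kind, status, secondsLeft: exp === null ? null : exp - now });
  }
  return entries;
}

// --- Constructed sample data (placeholders, not captured from any real site) ---
function makeUnsignedToken(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${enc({ alg: 'RS256', kid: 'constructed' })}.${enc(claims)}.constructed-signature`;
}

const CLIENT_ID = 'exampleclientid'; // placeholder app client id
const USER = 'alice';
const base = `${USER_POOL_PREFIX}${CLIENT_ID}.`;
const SAMPLE_ENTRIES = {
  [`${base}LastAuthUser`]: USER,
  [`${base}${USER}.idToken`]: makeUnsignedToken({ sub: 'constructed-sub', exp: 1700000000 }),
  [`${base}${USER}.accessToken`]: makeUnsignedToken({ sub: 'constructed-sub', exp: 1699990000 }),
  [`${base}${USER}.refreshToken`]: 'opaque-refresh-token-constructed',
  [`${IDENTITY_POOL_PREFIX}id.examplepool`]: 'eu-west-1:00000000-0000-0000-0000-000000000000',
  theme: 'dark', // unrelated entry that the inventory must skip
};

// Minimal Web Storage look-alike so the example runs outside a browser.
const SAMPLE_STORAGE = {
  get length() { return Object.keys(SAMPLE_ENTRIES).length; },
  key: (i) => Object.keys(SAMPLE_ENTRIES)[i],
  getItem: (k) => (k in SAMPLE_ENTRIES ? SAMPLE_ENTRIES[k] : null),
};

// Evaluate the constructed storage 60 seconds before the ID token's exp.
console.log(JSON.stringify(inventoryCognitoStorage(SAMPLE_STORAGE, 1699999940), null, 2));
```

In a browser console, `inventoryCognitoStorage(window.localStorage)` gives the same report for the current origin. The `status` column is what a consent or storage audit actually needs: an `expired` entry is residue the SDK will replace on the next refresh, a `valid` one is a live session, and refresh tokens always show as `opaque` because they are not JWTs the client can read.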

Cognito does not set advertising cookies, track browsing behavior, or share data with third parties. All data processing is scoped to the website's own user authentication and session management. Network requests go only to AWS Cognito service endpoints within the configured AWS region.

Consent & Compliance

Amazon Cognito is classified as essential. It is an authentication and identity management service — core infrastructure required for users to log in, maintain sessions, and access protected content.

Under the GDPR, processing authentication data has a clear legal basis in contract performance (Article 6(1)(b)). Users who create accounts and log in are explicitly engaging with the service, and processing their credentials and session data is necessary to deliver that service. User pool data (email, phone, custom attributes) must be covered in the website's privacy notice.

Under the ePrivacy Directive, the JWT tokens and session data stored in localStorage are strictly necessary for a service explicitly requested by the user (logging in and maintaining their session). Article 5(3) exempts such storage from consent requirements.

Under CCPA/CPRA, Cognito processes personal information (user credentials, identity tokens) solely for authentication purposes. AWS acts as a service provider under the website operator's DPA. No personal information is sold or shared for advertising.

Should You Block This Without Consent?

No. Amazon Cognito is authentication infrastructure. Blocking it would prevent users from logging in, registering accounts, and maintaining sessions — fundamentally breaking the website's user access system. It stores only authentication tokens, performs no tracking, and has no advertising function.

Consent Categories

Essential

Also Known As

AWS Cognito, Cognito user pools, Cognito identity pools, AWS authentication, Amazon user auth

Industries

E-commerce and Shopping

Tracked Domains (2)

  • amazonaws.com: Essential
  • cognito-identity.amazonaws.com: Essential

Frequently Asked Questions

Does Amazon Cognito require cookie consent?

No. Amazon Cognito is essential authentication infrastructure. It stores JWT tokens in localStorage for session management — processing that users explicitly trigger by logging in. GDPR Article 6(1)(b) covers it under contract performance; ePrivacy exempts its session storage as strictly necessary.

What does Amazon Cognito store in the browser?

Cognito stores JWT tokens in localStorage under keys prefixed with CognitoIdentityServiceProvider.[clientId], including ID token, access token (1-hour expiry), and refresh token (30-day expiry). Identity pool credentials are stored under aws.cognito.identity-* keys. No advertising cookies are set.

How does ConsentStack treat Amazon Cognito?

ConsentStack classifies Amazon Cognito as essential and never blocks it. Authentication tokens stored by Cognito are exempt from consent requirements because they are strictly necessary for users to access the service they requested. ConsentStack does not interfere with Cognito login flows.

Related Vendors

Firebase
Firebase is Google's mobile and web application development platform offering authentication, real-time database, cloud functions, and analytics. Web SDK scripts initialize Firebase services and may track app events via Firebase Analytics, which is powered by Google Analytics 4. Widely used in single-page apps and PWAs for backend infrastructure and usage tracking.
Google
Google is the dominant provider of web analytics, advertising, and infrastructure tools. Scripts like Google Analytics, Tag Manager, Ads, and reCAPTCHA collect behavioral data, manage tag firing, serve targeted ads, and detect bots. Sets persistent cookies to track users and correlate activity across sites.
Google Tag Manager
Google Tag Manager is a tag management system that lets marketers deploy and update analytics and marketing scripts without code changes. The GTM container script loads synchronously in the page head and injects configured tags, triggers, and variables on behalf of other vendors. No data collection of its own — acts as a loader for other scripts.
Google Fonts
Google Fonts is a free font hosting service that serves hundreds of typeface families via a global CDN. Stylesheets and font files load from fonts.googleapis.com and fonts.gstatic.com to deliver web fonts to visitors. No advertising or tracking functionality is included.
reCAPTCHA
Google reCAPTCHA is a bot detection and spam prevention service protecting web forms, login pages, and checkout flows. Scripts analyze user behavior, mouse movements, and browser fingerprints to distinguish humans from bots. The invisible reCAPTCHA v3 scores interactions without requiring user challenges.
Sign in with Google
Sign in with Google is an OAuth-based authentication service that enables users to log into websites using their Google account credentials. Scripts load the Google Identity Services library, display sign-in buttons, and handle token exchange for secure authentication. Stores session tokens and authentication cookies to maintain login state across page visits.

Manage consent for Amazon Cognito

ConsentStack automatically detects and manages Amazon Cognito trackers so your site stays compliant with global privacy regulations.