{"templateId":"markdown","sharedDataIds":{"sidebar":"sidebar-sidebars.yaml"},"props":{"metadata":{"markdoc":{"tagList":["admonition"]},"redocly_category":"Journeys","product":"Identity Management","type":"markdown"},"seo":{"title":"Cognito Password Authentication","description":"Everything about Mosaic Journeys, SDKs, and APIs","siteUrl":"https://developer.transmitsecurity.com/","llmstxt":{"hide":false,"sections":[{"title":"Table of contents","includeFiles":["**/*"],"excludeFiles":[]}],"excludeFiles":[]}},"dynamicMarkdocComponents":[],"compilationErrors":[],"ast":{"$$mdtype":"Tag","name":"article","attributes":{},"children":[{"$$mdtype":"Tag","name":"Heading","attributes":{"level":1,"id":"cognito-password-authentication","__idx":0},"children":["Cognito Password Authentication"]},{"$$mdtype":"Tag","name":"div","attributes":{"className":"badge-wrapper"},"children":[{"$$mdtype":"Tag","name":"div","attributes":{"className":"badge"},"children":["Client SDK"]},{"$$mdtype":"Tag","name":"div","attributes":{"className":"badge"},"children":["Backend API"]},{"$$mdtype":"Tag","name":"div","attributes":{"className":"badge"},"children":["Mobile approve"]},{"$$mdtype":"Tag","name":"div","attributes":{"className":"badge"},"children":["SSO"]},{"$$mdtype":"Tag","name":"div","attributes":{"className":"badge"},"children":["Sub-journey"]}]},{"$$mdtype":"Tag","name":"blockquote","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Authenticates the user with AWS Cognito using username and password"]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"description","__idx":1},"children":["Description"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["This step authenticates the user by validating their credentials against AWS Cognito–an external identity provider. It is used for Just-In-Time (JIT) migration scenarios where users are gradually migrated from Cognito to Mosaic as they log in."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Before using this step, configure a ",{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"/guides/orchestration/external-connections/external_idp"},"children":["Cognito connection"]}," in Integration Hub."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["The user's credentials must be obtained before initiating this step, such as using a ",{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"/guides/orchestration/journeys/get_info_from_client"},"children":["Collect information"]}," form. If the authentication succeeds, the journey continues to the next step. The authentication result, including user information from Cognito, is stored in the output variable and can be used in subsequent steps (e.g., to create a user in Mosaic)."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["If the authentication fails (e.g., incorrect password), the journey proceeds to the failure branch (if specified); otherwise, the journey is aborted and an error is sent to the client."]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"configuration","__idx":2},"children":["Configuration"]},{"$$mdtype":"Tag","name":"div","attributes":{"className":"table"},"children":[{"$$mdtype":"Tag","name":"div","attributes":{"className":"md-table-wrapper"},"children":[{"$$mdtype":"Tag","name":"table","attributes":{"className":"md"},"children":[{"$$mdtype":"Tag","name":"thead","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Field"},"children":["Field"]},{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Description"},"children":["Description"]}]}]},{"$$mdtype":"Tag","name":"tbody","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Cognito integration"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["The Cognito connector to use for authentication, as configured in Integration Hub."]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Username"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Expression that yields the user's username."]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Password"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Expression that yields the user's password."]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Scope"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["OAuth scopes to request from Cognito. Default: ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["openid profile email"]},"."]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Output variable"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Name of the variable that stores the authentication result returned by Cognito."]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Error output variable"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Name of the variable that stores any errors returned by the step."]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Failure behavior"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Determines the behavior in case of failure, which either aborts the journey or proceeds to a failure branch of the control flow (default)."]}]}]}]}]}]},{"$$mdtype":"Tag","name":"Admonition","attributes":{"type":"info","name":"Journey event data"},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["This step can be configured to record step input and output data, or a custom payload, which is then surfaced in journey events in Journey Analytics for diagnostic purposes. For details, see ",{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"/guides/orchestration/getting-started/event_reporting"},"children":["Additional data reporting"]},"."]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"example","__idx":3},"children":["Example"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Consider a migration journey that collects username and password using a ",{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"/guides/orchestration/journeys/get_info_from_client"},"children":["Collect information"]}," step. In this example, the form collects ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["username"]}," and ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["password"]},", and the input is stored in ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["loginData"]},"."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["The Cognito Password Authentication step validates these credentials against Cognito. If successful, the output variable (",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["cognito_output"]},") contains user information, including ID token and ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["user_info"]},", that can be used to create or update a user in Mosaic using the ",{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"/guides/orchestration/journeys/create_user"},"children":["Create user"]}," step."]}]},"headings":[{"value":"Cognito Password Authentication","id":"cognito-password-authentication","depth":1},{"value":"Description","id":"description","depth":2},{"value":"Configuration","id":"configuration","depth":2},{"value":"Example","id":"example","depth":2}],"frontmatter":{"markdown":{"toc":{"depth":2}},"seo":{"title":"Cognito Password Authentication"}},"lastModified":"2026-05-26T08:58:26.000Z","pagePropGetterError":{"message":"","name":""}},"slug":"/guides/orchestration/journeys/authenticate_cognito_password","userData":{"isAuthenticated":false,"teams":["anonymous"]},"isPublic":true}