Open source · v2.0 · Terraform-ready

    Authentication,
    without the boilerplate.

    A serverless auth & user-management API on AWS Cognito - mandatory MFA, self-service recovery and the full user lifecycle, deployed with Terraform in minutes.

    50K MAU free tierMFA enforced by default100% infrastructure as code
    bash ~ deploy-cognito-api
    $ export AWS_PROFILE=MyAwsDevProfile
    $ git clone https://github.com/TocConsulting/cognito-api.git
    Cloning into 'cognito-api'...
    remote: Enumerating objects: 247, done.
    remote: Counting objects: 100% (247/247), done.
    remote: Compressing objects: 100% (180/180), done.
    remote: Total 247 (delta 119), reused 187 (delta 59)
    Receiving objects: 100% (247/247), 58.25 KiB | 1.21 MiB/s, done.
    Resolving deltas: 100% (119/119), done.
    $ cd terraform
    $ ENVIRONMENT=dev make test
    Running tests for dev environment...
    All tests passed!
    $ ENVIRONMENT=dev make plan
    Planning Terraform deployment for dev environment...
    Plan: 365 to add, 0 to change, 0 to destroy.
    $ ENVIRONMENT=dev make apply
    Applying Terraform deployment for dev environment...
    Apply complete! Resources: 365 added, 0 changed, 0 destroyed.

    Key Features

    CognitoAPI is an authentication and user management solution that lets you build applications without thinking about the authentication part

    Mandatory MFA

    TOTP multi-factor authentication is enforced at enrollment - no app ships without a second factor.

    Self-service recovery

    Forgot-password and lost-authenticator (MFA reset) flows built in - users recover without ever disabling MFA.

    Complete user lifecycle

    Create, confirm, sign in, manage, recover and delete - every user-management operation, end to end.

    AWS Cognito backend

    Built on AWS Cognito and a thin Lambda + API Gateway layer - secure, managed, and store-nothing by design.

    Cost effective

    AWS Cognito is free for the first 50K monthly active users - perfect for bootstrapping your product.

    Fully automated

    Nothing to click. Deploy with Terraform - simple, reproducible, and CORS pre-configured for any frontend.

    Architecture Overview

    Secure Serverless Architecture

    API Gateway – Provides a secure and robust REST API interface with proper CORS support

    Lambda Functions – Python functions that handle authentication logic and Cognito interactions

    Cognito User Pool – Manage user identities and JWT-based authentication

    Terraform – Infrastructure as Code for consistent, repeatable deployments

    Request flow

    Store-nothing
    Client
    Your web/mobile app or the React example - sends JSON over HTTPS.
    HTTPS
    Route 53 + ACM
    Custom domain with a TLS certificate, validated and renewed automatically.
    API Gateway (REST)
    23 endpoints. CORS, with WAF + throttling recommended in front for production.
    invokes
    AWS Lambda - Python
    One focused handler per endpoint, 2 shared layers (jsonschema, PyJWT). No servers to manage.
    boto3
    Cognito User Pool
    Identities, mandatory TOTP MFA, and JWT issuance (ID / access / refresh).
    Lambda triggers
    Custom-auth (MFA reset) + custom-message (branded emails).
    Amazon SES
    Temporary passwords & one-time recovery codes.
    Identity Pool
    Optional exchange of JWTs for scoped AWS credentials.

    Observability via CloudWatch logs + lambda warmers · least-privilege IAM role per function · 100% provisioned with Terraform (remote state in S3, locked with DynamoDB).

    Ready to simplify your AWS Cognito integration?

    Deploy the CognitoAPI with Terraform and integrate with any front-end application easily.