B2B Authentication Solution for APIs using AWS Cognito UserPools

Ashan Fernando
Nov 16, 2017 · 2 min read

Have you ever came across the need to implement a B2B authentication solution in AWS for your API?

I have seen most of the people goes with API Keys for Authentication. This is a bad practice since API Keys are there for difference purposes such as Usage Planning, Throttling, Monitoring & etc.

I came across the same situation some time ago and evaluated AWS Cognito UserPools for B2B authentication. Since AWS Cognito UserPools designed for B2C authentication, it wasn’t straight forward at all.

Step 1: Build a simple Developer Portal

Using AWS Serverless Stack, implement a simple Developer Portal allowing a Developer to Register an API Clients and Admin User where a the user will be created in the AWS Cognito User Pool using the Cognito Identity Admin Auth SDK. After creating the User, generate a Refresh token and save it, linked to the User in DynamoDB. This Refresh Token will act as the long term credentials used by the API Client to generate temporal credentials (ID Tokens) that can be used to consume the required API.

Since Refresh Tokens are revokable, Admin User created in Cognito can login to the Developer Portal and revoke its access and generate a new one.

Note: For additional security you can use AWS Key Management Service (KMS) to encrypt and store the Refresh Token in DynamoDB.

Step 2. Store and use Refresh Token in Consumer Application Backend

After generating a Refresh Token, store it in your API Consumer Backend and use it to generate temporal ID Tokens to consume the required API.

Note: Since ID Tokens have a finite time period before they expire, it is required to implement a token refresh endpoint, that is also needs to be implemented by the Developer Portal API (In Step 1)

Step 3. Consuming the API

Using the ID Token, your API Consumer can now invoke the required API Backend where, the ID Token JWT can be validated using standard JWT verification libraries.

If you are implementing the API using AWS Serverless Stack, you can use a Custom Authorizer Lambda function to verify the ID Token.


We have built 150+ leading products. Tell us your idea, together we can shape up a great product out of it!

Ashan Fernando

Written by

AWS Certified Solutions Architect (Professional). For more details find me in Linkedin https://www.linkedin.com/in/ashan256/


We have built 150+ leading products. Tell us your idea, together we can shape up a great product out of it!

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade