Authenticating with AWS Cognito for Vapor

What's New



Major release changes

  • Uses soto-cognito-authentication-kit v4.0.0
  • Uses soto v6.0.0

Soto Cognito Authentication

Swift 5.1

This is the Vapor wrapper for Soto Cognito Authentication Kit. It provides application storage for configurations and authentication calls on request. Documentation on Soto Cognito Authentication Kit can be found here

Using with Vapor


Store your CognitoConfiguration on the Application object. In configure.swift add the following with your configuration details

let awsClient = AWSClient(httpClientProvider: .shared(app.http.client.shared))
let awsCognitoConfiguration = CognitoConfiguration(
    userPoolId: String = "eu-west-1_userpoolid",
    clientId: String = "23432clientId234234",
    clientSecret: String = "1q9ln4m892j2cnsdapa0dalh9a3aakmpeugiaag8k3cacijlbkrp",
    cognitoIDP: CognitoIdentityProvider = CognitoIdentityProvider(client: awsClient, region: .euwest1),
    adminClient: true
app.cognito.authenticatable = CognitoAuthenticatable(configuration: awsCognitoConfiguration)

The CognitoIdentity configuration can be setup in a similar way.

let awsCognitoIdentityConfiguration = CognitoIdentityConfiguration(
    identityPoolId: String = "eu-west-1_identitypoolid",
    userPoolId: String = "eu-west-1_userpoolid",
    region: .euwest1,
    cognitoIdentity: CognitoIdentity = CognitoIdentity(client: awsClient, region: .euwest1)
let app.cognito.identifiable = CognitoIdentifiable(configuration: awsCognitoIdentityConfiguration)

Accessing functionality

Functions like createUser, signUp, authenticate with username and password and responseToChallenge are all accessed through request.application.cognito.authenticatable. The following login route will return the full response from CognitoAuthenticable.authenticate.

    func login(_ req: Request) throws -> EventLoopFuture<CognitoAuthenticateResponse> {
        let user = try req.content.decode(User.self)
        return req.application.cognito.authenticatable.authenticate(
            username: user.username,
            password: user.password,
            context: req,

If id, access or refresh tokens are provided in the 'Authorization' header as Bearer tokens the following functions in Request can be used to verify them authenticate(idToken:), authenticate(accessToken:), refresh. as in the following

func authenticateAccess(_ req: Request) throws -> Future<> {
    req.cognito.authenticateAccess().flatMap { _ in


Three authenticators are available. See the Vapor docs for more details on authentication in Vapor.CognitoBasicAuthenticator will do username, password authentication and returns a CognitoAuthenticateResponse. CognitoAccessAuthenticator will do access token authentication and returns an CognitoAccessToken which holds all the information that could be extracted from the access token. CognitoIdAuthenticator<Payload> does id token authentication and extracts information from the id token into your own Payload type. The standard list of claims that can be found in an id token are detailed in the [OpenID spec] ( Your Payload type needs to decode using these tags, the username tag "cognito:username" and any custom tags you may have setup for the user pool. Below is an example of using the id token authenticator.

First create a User type to store your id token payload in.

struct User: Content & Authenticatable {
    let username: String
    let email: String

    private enum CodingKeys: String, CodingKey {
        case username = "cognito:username"
        case email = "email"

Add a route using the authenticator. The CognitoIdAuthenticator authenticates the request, the guardMiddleware ensures the user is authenticated. The actual function accesses the User type via req.auth.require.

    .get("user") { (req) throws -> EventLoopFuture<User> in
    let user = try req.auth.require(User.self)


  • Swift Tools 5.2.0
View More Packages from this Author


Last updated: Fri Mar 24 2023 18:21:15 GMT-0500 (GMT-05:00)