Securing API Gateway endpoints using Cognito


I’m using cognito as a authentication layer for a mobile app and I’m wondering if someone can recommend me a good example for implementing an authorizer function for API Gateway endpoints using the serverless framework.
By the way, the app uses facebook login and a regular email-password login (so cognito federated identities and cognito user pool is needed).

Thank you in advance!


Not sure if this is going to help you or not, but i have a full-on auth workflow (signin/login/reset password/) running in serverless. I originally used as a base for my methods. The version i used was outdated (not sure if its been updated since i got it), so i updated the lambda handlers to how i wanted them but kept the main logic. On my lambdas that require aws authentication i call sts to get temporary credentials and pass these credentials into the call to API Gateway. That library doesnt use facebook auth, it uses its own system. I still plan on adding facebook as an option, just havnt gotten there yet. The concepts remain the same though

If you have specific questions I would be happy to help. Its quite a process to get everything to work and to understand everything but i find that if you just start youll eventually get there :slight_smile:


We use Cognito as auth layer for our web app. You can see it here:

This is authorizer function: (I found it in some aws article, it is simply copied from it.)

And configuration in serverless.yml looks like:

    handler: authorizer.authorizer

    handler: auth.profile
          authorizer: authorizer
          method: get
          path: auth/profile

I know that APIG supports “Cognito User Pool Authorizer” without need of special lambda function and Serverless should support authorizer definition by ARN (see but I haven’t tried it yet. So if you try, I will be happy to hear if it works. ;o)


(Here’s the article I refered to:

1 Like

Due to cognito documentation is terrible bad we spent to many time researching (our clients are mobile apps and website) and currently we are not planning to use cognito data sync
I finally ended implementing JWT for my endpoints by using a lambda custom authorizer.
In less than 2 days the authorization system was working.
The login endpoint had 900 milliseconds as a response time when used cognito, now it is 70 milliseconds by using JWT.
However we are using cognito for uploading data to S3. This has been solved by creating a endpoint that returns a token a the cognito identityId to clients.

Yup, it seems Cognito has out grown what it was initially designed for as a mobile solution. I see you already figured it out, but for anyone else looking to use Cognito as authenticators, here’s a quick step by step tutorial with the example serverless.yml config -

1 Like

Can you please tell me how did you do your authorization system using serverless?
I tried implementing my own solution but I didn’t know what to do with bcrypt lib that I use to hash password.

@SamiSammour my post is more than 1 year old but at the time I used the node.js aws template called “custom authorizer” (it was available in create a lambda function web section).
In this case authorizers didn’t work as passwords. You should use tokens (google for JWT) so you don’t need that bcrypt lib in this case (you will use it only one time in login api endpoint).
If you read about api gateway authorizers you will understand the whole thing. Authorizers are “attached” to the endpoints that require the user to be authenticated. I’m pretty sure nowadays should exist npm libraries that implements custom authorizer for aws serverless.