Pro Cognito

LocalStack Pro contains basic support for authentication via AWS Cognito. You can create Cognito user pools, sign up and confirm users, and use the COGNITO_USER_POOLS authorizer integration with API Gateway.

For example, if you happen to use Serverless to deploy your application, take this snippet of a serverless.yml configuration:

service: test

plugins:
  - serverless-deployment-bucket
  - serverless-pseudo-parameters
  - serverless-localstack

custom:
  localstack:
    stages: [local]

functions:
  http_request:
    handler: http.request
    events:
      - http:
          path: v1/request
          authorizer:
            arn: arn:aws:cognito-idp:us-east-1:#{AWS::AccountId}:userpool/UserPool

resources:
  Resources:
    UserPool:
      Type: AWS::Cognito::UserPool

This configuration can be deployed directly using serverless deploy --stage local. The example contains a Lambda function http_request which is connected to an API Gateway endpoint. Once deployed, the v1/request API Gateway endpoint will be secured against the Cognito user pool "UserPool". You can then register users against that local pool, using the same API calls as for AWS. To make requests against the secured API Gateway endpoint, use the local Cognito API to retrieve identity credentials, which can be sent along as Authentication HTTP headers (where test-1234567 is the name of the access key ID generated by Cognito):

Authentication: AWS4-HMAC-SHA256 Credential=test-1234567/20190821/us-east-1/cognito-idp/aws4_request ...

OAuth Flows via Cognito Login Form

To access the local Cognito login form, open the following URL in your browser. Please replace <client_id> with an existing user pool ID, and <redirect_uri> with the redirect URL of your application (e.g.,


The login form should look similar to the screenshot below:

[Screenshot: Cognito Login]

After successful login, the page will redirect to the specified redirect URI, with a query parameter ?code=<code> appended, e.g., This authentication code can then be used to obtain a token via the Cognito OAuth2 TOKEN endpoint documented here.
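
The redirect handling and code exchange described above, as an added example that is not LocalStack's own code. It validates the callback before trusting ?code= and then builds (without sending) a standard OAuth 2.0 authorization_code request. The endpoint URL, client ID, redirect URI and the optional state value are constructed placeholders and assumptions.

```python
import hmac
import urllib.parse
import urllib.request

# Constructed placeholders (assumptions, not values from the LocalStack docs).
REDIRECT_URI = "http://localhost:3000/callback"
CLIENT_ID = "example-client-id"
TOKEN_ENDPOINT = "http://cognito.local.example/oauth2/token"  # use your pool's TOKEN endpoint

def extract_auth_code(callback_url, redirect_uri, expected_state=None):
    """Return the ?code= value from the login redirect, or raise ValueError."""
    got = urllib.parse.urlsplit(callback_url)
    want = urllib.parse.urlsplit(redirect_uri)
    # The callback must land on the registered redirect URI, not a lookalike.
    if (got.scheme, got.netloc, got.path) != (want.scheme, want.netloc, want.path):
        raise ValueError("callback does not match redirect_uri")
    params = urllib.parse.parse_qs(got.query)
    if "error" in params:
        raise ValueError("authorization failed: " + params["error"][0])
    # If the client sent a state value at login, it must come back unchanged;
    # this ties the response to the request this session started.
    if expected_state is not None:
        state = params.get("state", [""])[0]
        if not hmac.compare_digest(state.encode(), expected_state.encode()):
            raise ValueError("state mismatch")
    codes = params.get("code", [])
    if len(codes) != 1 or not codes[0]:
        raise ValueError("expected exactly one code parameter")
    return codes[0]

def build_token_request(token_endpoint, client_id, code, redirect_uri):
    """Build, without sending, the authorization_code grant POST."""
    body = urllib.parse.urlencode({
        "grant_type": "authorization_code",
        "client_id": client_id,
        "code": code,
        "redirect_uri": redirect_uri,  # must equal the value used at login
    }).encode("ascii")
    return urllib.request.Request(
        token_endpoint, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )

if __name__ == "__main__":
    cb = REDIRECT_URI + "?code=constructed-code-123&state=s3ss10n"  # constructed callback
    code = extract_auth_code(cb, REDIRECT_URI, "s3ss10n")
    req = build_token_request(TOKEN_ENDPOINT, CLIENT_ID, code, REDIRECT_URI)
    print(req.get_method(), req.full_url, req.data.decode())
```

Pass the returned request to urllib.request.urlopen once TOKEN_ENDPOINT points at the real TOKEN endpoint of your local pool.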