How to Simulate AWS Cognito Login in Postman

Michelle Austria — Wed, 11 Mar 2026 11:33:16 +0000

When you're testing a backend system protected by AWS Cognito, one of the first practical challenges is getting a valid auth token without going through the frontend app. You need to call the Cognito identity provider directly — and that means setting up your Postman request correctly from the start.

This post walks through the exact setup, from IAM credentials to a working 200 OK with an AccessToken in hand.

Prerequisites

Before you start, make sure you have the following:

Access to the AWS Console with permissions to view Cognito and IAM
The AWS region where your Cognito User Pool is deployed (e.g., us-east-2)
An IAM user with programmatic access — you will need the Access Key ID and Secret Access Key
Your Cognito App Client ID, found under User Pool > App clients
A test user account in the User Pool with known credentials
USER_PASSWORD_AUTH enabled on the App Client (covered below)

A Note on USER_PASSWORD_AUTH

Cognito supports multiple authentication flows. The USER_PASSWORD_AUTH flow accepts a username and password directly in the request body, which is exactly what you need for direct API testing via Postman.

The default flow, USER_SRP_AUTH, uses a challenge-response mechanism that is harder to replicate manually. USER_PASSWORD_AUTH skips that and authenticates in a single call.

Only enable this on your development and staging environments. Do not enable it in production.

To verify or enable it in the AWS Console:

Navigate to Cognito > User Pools > [Your Pool] > App clients
Select your client and open the Authentication flows section
Enable ALLOW_USER_PASSWORD_AUTH if it is not already checked
Save the changes

Step 1: Get Your IAM Credentials

The Cognito IDP endpoint requires your requests to be signed with valid AWS credentials. Postman handles the signing automatically once you provide your keys — you just need to supply them.

Go to IAM > Users > [Your User] > Security credentials
Under Access keys, create or retrieve your Access Key ID and Secret Access Key
Store these in Postman Vault rather than pasting them directly into environment variables that sync to the Postman cloud (covered in the next step)

Step 2: Store Credentials in Postman Vault

Postman Vault stores sensitive values locally on your machine and does not sync them to Postman's servers. It is the right place for credentials you do not want shared across a team or exposed in collection exports.

Open Vault from the bottom toolbar in Postman
Add two entries:
- access_key → your Access Key ID
- secret_key → your Secret Access Key
Reference them in your requests as {{vault:access_key}} and {{vault:secret_key}}

Step 3: Configure the Authorization Tab

Create a new POST request targeting the Cognito IDP endpoint for your region:

POST https://cognito-idp.us-east-2.amazonaws.com/

Go to the Authorization tab and fill in the following. Postman will use these details to sign the request before it is sent — you do not need to construct the signature manually.

Field	Value
Auth Type	AWS Signature
Add auth to	Request Headers
AccessKey	`{{vault:access_key}}`
SecretKey	`{{vault:secret_key}}`
AWS Region	`us-east-2` (match your region)
Service Name	`cognito-idp`
Session Token	leave blank

Step 4: Add the Required Headers

Navigate to the Headers tab and add the following:

Key	Value
Content-Type	`application/x-amz-json-1.1`
X-Amz-Target	`AWSCognitoIdentityProviderService.InitiateAuth`
X-Amz-User-Agent	`aws-amplify/5.0.4 auth framework/5`

X-Amz-Target tells the Cognito endpoint which operation you are calling. Without it, the request will fail with a 400 error.

Step 5: Build the Request Body

Switch to the Body tab, select raw, and set the format to JSON:

{
  "AuthFlow": "USER_PASSWORD_AUTH",
  "ClientId": "your_app_client_id_here",
  "AuthParameters": {
    "USERNAME": "testuser@yourdomain.com",
    "PASSWORD": "YourTestPassword"
  }
}

Replace ClientId with the App Client ID from your Cognito User Pool and supply valid credentials for a test user in that pool.

Step 6: Send the Request

Click Send. A successful response will return 200 OK with an AuthenticationResult object:

{
  "AuthenticationResult": {
    "AccessToken": "eyJraW...",
    "ExpiresIn": 3600,
    "IdToken": "eyJraW...",
    "RefreshToken": "eyJjb...",
    "TokenType": "Bearer"
  },
  "ChallengeParameters": {}
}

The token you need for downstream API calls is either the AccessToken or IdToken, depending on how your backend validates tokens. Use it as a Bearer token in the Authorization header of your next requests.

If you want to inspect the token claims — for example, checking user groups or custom attributes — paste it into jwt.io to decode the payload locally.

Common Mistakes and Troubleshooting

UnrecognizedClientException or InvalidSignatureException
IAM credentials are wrong or expired, or the AWS Region / Service Name in the Authorization tab does not match the endpoint. Confirm that Service Name is exactly cognito-idp.

InvalidParameterException: USER_PASSWORD_AUTH flow not enabled
The App Client does not have that flow enabled. Go back to Cognito App Client settings and add it.

NotAuthorizedException: Incorrect username or password
Wrong credentials, or the user does not exist in the pool. Check under Cognito > Users.

400 Bad Request with no body
The X-Amz-Target header is missing or incorrect.

MissingAuthenticationTokenException
The Authorization tab is not configured or the Vault values are not resolving. Red-highlighted vault references in Postman indicate an unresolved secret.

UserNotConfirmedException
The test user has not been confirmed. Confirm the account via the AWS Console under Cognito > Users > [User] > Confirm.

What This Validates as a QA Engineer

Testing the Cognito auth endpoint directly gives you more than just a token. It confirms:

The App Client ID is correct and the auth flow is properly configured
The test user account is confirmed and active
Token expiry (ExpiresIn: 3600) aligns with your session management expectations
The response structure matches what your frontend or API consumer expects

Once this works manually in Postman, the same InitiateAuth call can be automated in JMeter using an HTTP Sampler, with the AccessToken extracted via JSON Extractor and passed into subsequent requests as a variable.

Summary

Step	Action
1	Enable `USER_PASSWORD_AUTH` on the Cognito App Client (dev/staging only)
2	Retrieve IAM Access Key and Secret Key
3	Store credentials in Postman Vault
4	Set Auth Type to AWS Signature in the Authorization tab
5	Add `Content-Type`, `X-Amz-Target`, and `X-Amz-User-Agent` headers
6	Build the JSON body with `AuthFlow`, `ClientId`, and `AuthParameters`
7	Send and extract the token from `AuthenticationResult`

Forem: Michelle Austria