When you're testing a backend system protected by AWS Cognito, one of the first practical challenges is getting a valid auth token without going through the frontend app. You need to call the Cognito identity provider directly — and that means setting up your Postman request correctly from the start.
This post walks through the exact setup, from IAM credentials to a working 200 OK with an AccessToken in hand.
Prerequisites
Before you start, make sure you have the following:
- Access to the AWS Console with permissions to view Cognito and IAM
- The AWS region where your Cognito User Pool is deployed (e.g.,
us-east-2) - An IAM user with programmatic access — you will need the Access Key ID and Secret Access Key
- Your Cognito App Client ID, found under User Pool > App clients
- A test user account in the User Pool with known credentials
-
USER_PASSWORD_AUTHenabled on the App Client (covered below)
A Note on USER_PASSWORD_AUTH
Cognito supports multiple authentication flows. The USER_PASSWORD_AUTH flow accepts a username and password directly in the request body, which is exactly what you need for direct API testing via Postman.
The default flow, USER_SRP_AUTH, uses a challenge-response mechanism that is harder to replicate manually. USER_PASSWORD_AUTH skips that and authenticates in a single call.
Only enable this on your development and staging environments. Do not enable it in production.
To verify or enable it in the AWS Console:
- Navigate to Cognito > User Pools > [Your Pool] > App clients
- Select your client and open the Authentication flows section
- Enable
ALLOW_USER_PASSWORD_AUTHif it is not already checked - Save the changes
Step 1: Get Your IAM Credentials
The Cognito IDP endpoint requires your requests to be signed with valid AWS credentials. Postman handles the signing automatically once you provide your keys — you just need to supply them.
- Go to IAM > Users > [Your User] > Security credentials
- Under Access keys, create or retrieve your Access Key ID and Secret Access Key
- Store these in Postman Vault rather than pasting them directly into environment variables that sync to the Postman cloud (covered in the next step)
Step 2: Store Credentials in Postman Vault
Postman Vault stores sensitive values locally on your machine and does not sync them to Postman's servers. It is the right place for credentials you do not want shared across a team or exposed in collection exports.
- Open Vault from the bottom toolbar in Postman
- Add two entries:
-
access_key→ your Access Key ID -
secret_key→ your Secret Access Key
-
- Reference them in your requests as
{{vault:access_key}}and{{vault:secret_key}}
Step 3: Configure the Authorization Tab
Create a new POST request targeting the Cognito IDP endpoint for your region:
POST https://cognito-idp.us-east-2.amazonaws.com/
Go to the Authorization tab and fill in the following. Postman will use these details to sign the request before it is sent — you do not need to construct the signature manually.
| Field | Value |
|---|---|
| Auth Type | AWS Signature |
| Add auth to | Request Headers |
| AccessKey | {{vault:access_key}} |
| SecretKey | {{vault:secret_key}} |
| AWS Region |
us-east-2 (match your region) |
| Service Name | cognito-idp |
| Session Token | leave blank |
Step 4: Add the Required Headers
Navigate to the Headers tab and add the following:
| Key | Value |
|---|---|
| Content-Type | application/x-amz-json-1.1 |
| X-Amz-Target | AWSCognitoIdentityProviderService.InitiateAuth |
| X-Amz-User-Agent | aws-amplify/5.0.4 auth framework/5 |
X-Amz-Target tells the Cognito endpoint which operation you are calling. Without it, the request will fail with a 400 error.
Step 5: Build the Request Body
Switch to the Body tab, select raw, and set the format to JSON:
{
"AuthFlow": "USER_PASSWORD_AUTH",
"ClientId": "your_app_client_id_here",
"AuthParameters": {
"USERNAME": "testuser@yourdomain.com",
"PASSWORD": "YourTestPassword"
}
}
Replace ClientId with the App Client ID from your Cognito User Pool and supply valid credentials for a test user in that pool.
Step 6: Send the Request
Click Send. A successful response will return 200 OK with an AuthenticationResult object:
{
"AuthenticationResult": {
"AccessToken": "eyJraW...",
"ExpiresIn": 3600,
"IdToken": "eyJraW...",
"RefreshToken": "eyJjb...",
"TokenType": "Bearer"
},
"ChallengeParameters": {}
}
The token you need for downstream API calls is either the AccessToken or IdToken, depending on how your backend validates tokens. Use it as a Bearer token in the Authorization header of your next requests.
If you want to inspect the token claims — for example, checking user groups or custom attributes — paste it into jwt.io to decode the payload locally.
Common Mistakes and Troubleshooting
UnrecognizedClientException or InvalidSignatureException
IAM credentials are wrong or expired, or the AWS Region / Service Name in the Authorization tab does not match the endpoint. Confirm that Service Name is exactly cognito-idp.
InvalidParameterException: USER_PASSWORD_AUTH flow not enabled
The App Client does not have that flow enabled. Go back to Cognito App Client settings and add it.
NotAuthorizedException: Incorrect username or password
Wrong credentials, or the user does not exist in the pool. Check under Cognito > Users.
400 Bad Request with no body
The X-Amz-Target header is missing or incorrect.
MissingAuthenticationTokenException
The Authorization tab is not configured or the Vault values are not resolving. Red-highlighted vault references in Postman indicate an unresolved secret.
UserNotConfirmedException
The test user has not been confirmed. Confirm the account via the AWS Console under Cognito > Users > [User] > Confirm.
What This Validates as a QA Engineer
Testing the Cognito auth endpoint directly gives you more than just a token. It confirms:
- The App Client ID is correct and the auth flow is properly configured
- The test user account is confirmed and active
- Token expiry (
ExpiresIn: 3600) aligns with your session management expectations - The response structure matches what your frontend or API consumer expects
Once this works manually in Postman, the same InitiateAuth call can be automated in JMeter using an HTTP Sampler, with the AccessToken extracted via JSON Extractor and passed into subsequent requests as a variable.
Summary
| Step | Action |
|---|---|
| 1 | Enable USER_PASSWORD_AUTH on the Cognito App Client (dev/staging only) |
| 2 | Retrieve IAM Access Key and Secret Key |
| 3 | Store credentials in Postman Vault |
| 4 | Set Auth Type to AWS Signature in the Authorization tab |
| 5 | Add Content-Type, X-Amz-Target, and X-Amz-User-Agent headers |
| 6 | Build the JSON body with AuthFlow, ClientId, and AuthParameters
|
| 7 | Send and extract the token from AuthenticationResult
|
Top comments (0)