Tags: amazon-web-services, amazon-cognito

Are the Cognito User pool id and Client Id sensitive?


Does anyone know if the User Pool Id and Client Id are sensitive? Currently I have them sitting on the frontend and was just wondering if this is dangerous. If it is, how can they be exploited?


Solution

  • No, they are not. They are supposed to be public. The only way they can be exploited is that someone can use them to make a large amount of SignUp calls to your user pool. But as long as these registrations are not verified, they won't be converted into active users (unless you have enabled auto-verification of users). This is not an AWS-specific issue. Fake registrations are a big headache, and one will face this issue even if no SignUp API is being used and a PHP backend is used for registration. The only way to face this is email/phone verification.

    Of course, if you have disabled SignUp in your user pool, i.e. only admins can create users, then this is not an issue at all.
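Added example (not code from the answer, the asker, or AWS): a small Python audit that reads the user pool description that boto3's cognito-idp `describe_user_pool` returns and reports the settings the answer's reasoning depends on, namely whether self-service SignUp is open (`AdminCreateUserConfig.AllowAdminCreateUserOnly`), whether sign-up verification is configured (`AutoVerifiedAttributes`), and whether a `PreSignUp` Lambda trigger exists that could confirm users automatically and so should be reviewed. The three pool dicts are constructed samples with placeholder IDs and ARNs; `audit_user_pool`, `worst_severity` and `audit_live` are hypothetical helper names.

```python
"""Audit a Cognito user pool configuration for the public-ID / open-SignUp
exposure discussed in the answer. Hypothetical helper, not AWS or Cognito code.

audit_user_pool() takes the "UserPool" dict that boto3's cognito-idp
describe_user_pool returns; the pools below are constructed samples.
"""
from typing import Dict, List, Tuple

Finding = Tuple[str, str]  # (severity, code), severity in OK < INFO < REVIEW < WARN
_ORDER = {"OK": 0, "INFO": 1, "REVIEW": 2, "WARN": 3}


def audit_user_pool(pool: Dict) -> List[Finding]:
    """Report who can create accounts given the (public) pool and client IDs."""
    findings: List[Finding] = []

    # Assumption: a missing AdminCreateUserConfig is treated as self-service
    # sign-up allowed, which is the API default for AllowAdminCreateUserOnly.
    admin_only = pool.get("AdminCreateUserConfig", {}).get("AllowAdminCreateUserOnly", False)
    if admin_only:
        # Self-service SignUp is off: knowing the IDs lets nobody create users.
        findings.append(("OK", "SELF_SIGNUP_DISABLED"))
        return findings

    # Anyone holding the client ID can call SignUp against this pool.
    findings.append(("INFO", "SELF_SIGNUP_ENABLED"))

    # Verification is what keeps unverified sign-ups from becoming usable accounts.
    verified = pool.get("AutoVerifiedAttributes", [])
    if not verified:
        findings.append(("WARN", "NO_AUTO_VERIFIED_ATTRIBUTES"))
    else:
        findings.append(("OK", "VERIFY_VIA_" + "_".join(verified).upper()))

    # A PreSignUp trigger can set autoConfirmUser and skip verification entirely,
    # so its code needs a manual look; we only flag that it exists.
    trigger = pool.get("LambdaConfig", {}).get("PreSignUp")
    if trigger:
        findings.append(("REVIEW", f"PRESIGNUP_TRIGGER:{trigger}"))
    return findings


def worst_severity(findings: List[Finding]) -> str:
    """Highest severity present, for a one-line verdict per pool."""
    return max(findings, key=lambda f: _ORDER[f[0]])[0]


def audit_live(user_pool_id: str, region: str) -> List[Finding]:
    """Fetch a real pool with boto3 and audit it (needs AWS credentials)."""
    import boto3  # imported here so the offline samples run without boto3 installed

    client = boto3.client("cognito-idp", region_name=region)
    return audit_user_pool(client.describe_user_pool(UserPoolId=user_pool_id)["UserPool"])


# Constructed samples; IDs and ARNs are placeholders, not real resources.
OPEN_POOL = {
    "Id": "us-east-1_EXAMPLEPOOL1",
    "AdminCreateUserConfig": {"AllowAdminCreateUserOnly": False},
    "AutoVerifiedAttributes": [],
    "LambdaConfig": {"PreSignUp": "arn:aws:lambda:us-east-1:123456789012:function:preSignUp-EXAMPLE"},
}
VERIFIED_POOL = {
    "Id": "us-east-1_EXAMPLEPOOL2",
    "AdminCreateUserConfig": {"AllowAdminCreateUserOnly": False},
    "AutoVerifiedAttributes": ["email"],
}
LOCKED_POOL = {
    "Id": "us-east-1_EXAMPLEPOOL3",
    "AdminCreateUserConfig": {"AllowAdminCreateUserOnly": True},
}

if __name__ == "__main__":
    for pool in (OPEN_POOL, VERIFIED_POOL, LOCKED_POOL):
        result = audit_user_pool(pool)
        print(pool["Id"], worst_severity(result), result)
```

Run it as-is to see the three verdicts; swap in `audit_live("<your-pool-id>", "<region>")` to check a real pool, which needs credentials allowing `cognito-idp:DescribeUserPool`.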