---
title: Amazon Cognito
description: >-
  Configure Amazon Cognito as a third-party identity provider for Shopify customer accounts and set up custom claims for customer data enrichment.
api_name: customer-authentication
source_url:
  html: >-
    https://shopify.dev/docs/api/customer-authentication/provider-guides/amazon-cognito
  md: >-
    https://shopify.dev/docs/api/customer-authentication/provider-guides/amazon-cognito.md
---

# Amazon Cognito

This guide covers how to configure [Amazon Cognito](https://aws.amazon.com/cognito/) as a third-party identity provider for Shopify customer accounts, including how to add custom claims to your ID tokens for [customer data enrichment](https://shopify.dev/docs/api/customer-authentication/claim-import).

***

## Prerequisites

* A [Shopify Plus](https://www.shopify.com/plus) plan with [new customer accounts](https://help.shopify.com/en/manual/customers/customer-accounts/new-customer-accounts) enabled.
* An AWS account with a [Cognito User Pool](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools.html) created.
* An [App Client](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-client-apps.html) configured in the User Pool with a client secret generated.

***

## Connect Amazon Cognito to Shopify

To connect Amazon Cognito as your store's identity provider, you'll add your Cognito credentials to the Shopify admin and configure your Cognito App Client to accept Shopify's callback URL.

### Step 1: Add your Cognito credentials in the Shopify admin

To connect Cognito to Shopify, add your Discovery URL, Client ID, and Client Secret in the Shopify admin under **Settings** > **Customer accounts** > **Third-party identity provider**. You can find these values in the Amazon Cognito console:

* **Discovery URL:** `https://cognito-idp.{region}.amazonaws.com/{user-pool-id}/.well-known/openid-configuration`.
* **Client ID:** Found in your App Client settings.
* **Client Secret:** Found in your App Client settings.

For full setup instructions, refer to [Connect a third-party identity provider](https://help.shopify.com/en/manual/customers/customer-accounts/new-customer-accounts/identity-provider/connect).

### Step 2: Add your Shopify callback URL

To complete the connection, add your Shopify callback URL to the **Allowed callback URLs** field in your App Client settings under **Hosted UI**. This lets Cognito redirect customers back to your store after they authenticate.

You can find your Shopify callback URL in the Shopify admin on the same Third-party identity provider settings page from Step 1.

For full setup instructions, refer to [Connect a third-party identity provider](https://help.shopify.com/en/manual/customers/customer-accounts/new-customer-accounts/identity-provider/connect).

***

## Standard claims

Cognito includes standard OIDC claims like `email` and `email_verified` by default. To include name and phone claims, make sure the corresponding attributes are configured in your User Pool:

1. In the Cognito console, go to your **User Pool > Sign-up experience > Required attributes**.
2. Ensure `given_name`, `family_name`, and `phone_number` are included as user attributes.
3. In your App Client settings under **Hosted UI**, add `profile` and `phone` to the **OpenID Connect scopes**.

If users were created before these attributes were added, their existing profiles need to be updated with the missing values.

***

## Add custom Shopify claims

To import tags and addresses, you need to add custom claims to the ID token using a [Pre Token Generation Lambda trigger](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-token-generation.html).

### Create a Pre Token Generation trigger

A Pre Token Generation trigger is a Lambda function that Cognito runs every time it creates an ID token. You can use it to add custom Shopify claims to the token:

1. In the Cognito console, go to your **User Pool > User pool properties > Lambda triggers**.
2. Under **Pre token generation**, select or create a Lambda function.
3. Set the **Trigger event version** to **Basic features + claim and scope customization (v2\_0)**.

**Important:** You must use the **v2\_0** trigger event version. The v1 trigger event only supports overriding existing claims and suppressing claims — it cannot add new custom claims to the ID token.

You can call DynamoDB, an external API, or any other data source from within the Lambda function. The following example reads from [custom attributes](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html#user-pool-settings-custom-attributes) on the Cognito user profile:

```javascript
export const handler = async (event) => {
  const customClaims = {};
  const userAttributes = event.request.userAttributes;

  // Tags: comma-separated string
  if (userAttributes["custom:shopify_tags"]) {
    customClaims["urn:shopify:customer:tags"] = userAttributes["custom:shopify_tags"];
  }

  // Addresses: parse the JSON string into an array
  if (userAttributes["custom:shopify_addresses"]) {
    try {
      customClaims["urn:shopify:customer:addresses"] = JSON.parse(userAttributes["custom:shopify_addresses"]);
    } catch (e) {
      // Log the error but don't block sign-in
      console.error("Failed to parse shopify_addresses:", e.message);
    }
  }

  event.response = {
    claimsAndScopeOverrideDetails: {
      idTokenGeneration: {
        claimsToAddOrOverride: customClaims,
      },
    },
  };

  return event;
};
```

For the full list of supported claims and address field formats, refer to the [claim import reference](https://shopify.dev/docs/api/customer-authentication/claim-import).

### Set up custom user attributes

If you're storing Shopify data in Cognito custom attributes:

1. In the Cognito console, go to your **User Pool > Sign-up experience > Custom attributes**.
2. Add custom attributes such as `custom:shopify_tags` (String) and `custom:shopify_addresses` (String).
3. In your App Client settings, ensure the custom attributes are marked as readable.

**Note:** Cognito custom attributes have a 2048-character limit. If your address data exceeds this limit, fetch it from an external data source (such as DynamoDB) within the Lambda function instead of storing it as a user attribute.

***

## Enable enrichment in Shopify

After configuring your identity provider to include custom claims, you need to tell Shopify to read and import them. In the Shopify admin under your identity provider settings, enable **Sync customer data** and configure the update trigger and overwrite rules.

For details on these options, refer to [claim import configuration](https://shopify.dev/docs/api/customer-authentication/claim-import#configuration).

***

## Verify

After configuring your claims, verify that they're included in the ID token and that Shopify imports them correctly:

1. Use the [Cognito Hosted UI](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-app-integration.html) to sign in as a test user and decode the returned ID token at [jwt.io](https://jwt.io) to confirm your custom claims are present.
2. Authenticate on your store through Cognito.
3. In the Shopify admin, go to **Customers** and open the customer record to confirm the imported data.
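The following is an added example, not code from the Shopify guide or from AWS, that ties together the "Create a Pre Token Generation trigger" section and step 1 of "Verify". It keeps the guide's claim names and `custom:shopify_tags` / `custom:shopify_addresses` attributes, but validates the stored data before it becomes a claim (a malformed JSON string or a non-object entry no longer reaches the token), and it separates the address lookup into a hypothetical `loadAddresses` hook so the same handler can read from DynamoDB or an API when the data would exceed the 2048-character attribute limit. `createHandler`, `buildClaims`, `encodeSampleIdToken` and the sample event are names and values constructed for this example; the address field names Shopify accepts are not checked here and remain the subject of the claim import reference.

```javascript
// Added example (not the guide's or AWS's code). Shows a validating v2_0
// Pre Token Generation handler plus a payload decoder for the Verify step.
// Assumed: the attribute names from the guide and a hypothetical
// `loadAddresses` hook that you would point at DynamoDB or an API.

const TAGS_CLAIM = "urn:shopify:customer:tags";
const ADDRESSES_CLAIM = "urn:shopify:customer:addresses";

// Normalise the comma-separated tag string: trim, drop empties, dedupe.
function normalizeTags(raw) {
  const seen = new Set();
  for (const tag of String(raw).split(",")) {
    const t = tag.trim();
    if (t) seen.add(t);
  }
  return [...seen].join(",");
}

// Keep only entries that are plain objects whose values are all strings.
// Which field names Shopify accepts is left to the claim import reference.
function sanitizeAddresses(value) {
  if (!Array.isArray(value)) return [];
  return value.filter(
    (a) =>
      a !== null &&
      typeof a === "object" &&
      !Array.isArray(a) &&
      Object.values(a).every((v) => typeof v === "string")
  );
}

// Default loader: parse the JSON stored on the user profile. A parse
// failure yields no addresses rather than blocking sign-in.
function loadAddressesFromAttribute(userAttributes) {
  const raw = userAttributes["custom:shopify_addresses"];
  if (!raw) return [];
  try {
    return JSON.parse(raw);
  } catch (e) {
    console.error("Failed to parse shopify_addresses:", e.message);
    return [];
  }
}

// Build the claims object from attributes plus already-loaded addresses.
function buildClaims(userAttributes, addresses) {
  const claims = {};
  if (userAttributes["custom:shopify_tags"]) {
    const tags = normalizeTags(userAttributes["custom:shopify_tags"]);
    if (tags) claims[TAGS_CLAIM] = tags;
  }
  const clean = sanitizeAddresses(addresses);
  if (clean.length > 0) claims[ADDRESSES_CLAIM] = clean;
  return claims;
}

// Factory so the address source can be swapped (e.g. an async DynamoDB
// lookup); the default reads the custom attribute.
function createHandler({ loadAddresses = loadAddressesFromAttribute } = {}) {
  return async (event) => {
    const userAttributes = event.request.userAttributes || {};
    const addresses = await loadAddresses(userAttributes);
    // v2_0 response shape: claims are added to the ID token only.
    event.response = {
      claimsAndScopeOverrideDetails: {
        idTokenGeneration: {
          claimsToAddOrOverride: buildClaims(userAttributes, addresses),
        },
      },
    };
    return event;
  };
}

// Decode a JWT payload without verifying the signature: the same inspection
// jwt.io performs in the Verify step, not a trust decision.
function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS");
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

// Report which Shopify claims an ID-token payload carries.
function shopifyClaimsPresent(payload) {
  return { tags: TAGS_CLAIM in payload, addresses: ADDRESSES_CLAIM in payload };
}

// Constructed stand-in for an ID token (unsigned; for local inspection only).
function encodeSampleIdToken(extraClaims) {
  const b64 = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
  const payload = { sub: "example-sub", email: "test@example.com", ...extraClaims };
  return `${b64({ alg: "RS256", typ: "JWT" })}.${b64(payload)}.placeholder-signature`;
}

// Constructed sample event in the v2_0 shape, with two malformed address
// entries that the sanitizer should drop.
const sampleEvent = {
  version: "2",
  triggerSource: "TokenGeneration_HostedAuth",
  request: {
    userAttributes: {
      email: "test@example.com",
      "custom:shopify_tags": "vip, wholesale,,vip ",
      "custom:shopify_addresses": JSON.stringify([
        { address1: "1 Example St", city: "Ottawa", country: "Canada" },
        "not-an-object",
        { city: 42 },
      ]),
    },
  },
  response: {},
};
```

When deploying, export the handler the way the guide's snippet does (`export const handler = createHandler()`), or pass `createHandler({ loadAddresses })` an async function that queries your external store. Running the sample event through `buildClaims` yields the tag string `vip,wholesale` and a single sanitized address; decoding the constructed token afterwards reports both claims present, which is the check step 1 of Verify performs on a real token.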
***

## Troubleshooting

| Symptom | Cause | Fix |
| - | - | - |
| Custom claims not appearing in ID token | Lambda trigger event version set to v1 | Change the trigger event version to **v2\_0** in the User Pool Lambda trigger configuration |
| Lambda function not invoked | Trigger not assigned to the correct User Pool | Verify the Pre Token Generation trigger is configured under your User Pool's Lambda triggers |
| `custom:` attribute value is null | Attribute not readable by the App Client | In your App Client settings, ensure the custom attribute has read access |
| Address data truncated | Cognito custom attribute 2048-character limit | Fetch address data from an external source (DynamoDB, API) in the Lambda instead of storing it as a user attribute |
| Standard claims (name, phone) not imported | Scopes not configured on App Client | Add `profile` and `phone` to the OpenID Connect scopes in your App Client's Hosted UI settings |

***

## Resources

* [AWS: Pre token generation Lambda trigger](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-token-generation.html)
* [AWS: Use Amazon Cognito to add claims to an identity token](https://aws.amazon.com/blogs/security/use-amazon-cognito-to-add-claims-to-an-identity-token-for-fine-grained-authorization/)
* [AWS: User pool custom attributes](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html#user-pool-settings-custom-attributes)
* [AWS: App client settings](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-client-apps.html)
* [Shopify: Claim import reference](https://shopify.dev/docs/api/customer-authentication/claim-import)

***