Retrieving AWS Cognito Tokens Using TypeScript

Vinod Kumar
Jun 1, 2023


AWS Cognito is a powerful authentication and user management service provided by Amazon Web Services (AWS). It offers a range of features for managing user sign-up, sign-in, and token-based authentication. In this article, we will explore how to retrieve tokens from AWS Cognito using TypeScript. We will cover the necessary prerequisites and provide a TypeScript code snippet that demonstrates the token retrieval process.


Before we dive into the code, make sure you have the following prerequisites in place:

1. Create an App Client with a secret in your AWS Cognito User Pool.

2. Create a user with a password in the User Pool. After creation, the user's confirmation status will be “FORCE_CHANGE_PASSWORD”.

3. Set the user’s status to “CONFIRMED” using the following AWS CLI command:

aws cognito-idp admin-set-user-password \
  --user-pool-id xxx \
  --username xxx \
  --password xxx \
  --permanent

Retrieving Tokens using TypeScript

Now, let’s take a look at the TypeScript code snippet that retrieves tokens from AWS Cognito:

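import crypto from 'crypto';
import {
  CognitoIdentityProviderClient,
  InitiateAuthCommand,
  InitiateAuthCommandOutput,
} from '@aws-sdk/client-cognito-identity-provider';

// Placeholder values; replace them with the values from your Cognito setup.
const clientSecret = 'xxx';
const clientId = 'xxx';
const region = 'xxx';
const username = 'xxx';
const password = 'xxx';

// SECRET_HASH = Base64(HMAC-SHA256(key = client secret, message = username + client ID))
function calculateSecretHash(
  clientSecret: string,
  username: string,
  clientId: string
): string {
  const message = username + clientId;
  const hmac = crypto.createHmac('sha256', clientSecret);
  hmac.update(message);
  return hmac.digest('base64');
}

async function getToken(): Promise<string | undefined> {
  const client = new CognitoIdentityProviderClient({ region });

  try {
    const secretHash = calculateSecretHash(clientSecret, username, clientId);
    const initiateAuthCommand = new InitiateAuthCommand({
      // Flow that takes USERNAME and PASSWORD in AuthParameters; the app
      // client must have ALLOW_USER_PASSWORD_AUTH enabled.
      AuthFlow: 'USER_PASSWORD_AUTH',
      AuthParameters: {
        USERNAME: username,
        PASSWORD: password,
        SECRET_HASH: secretHash,
      },
      ClientId: clientId,
    });

    const authResult: InitiateAuthCommandOutput = await client.send(initiateAuthCommand);
    if (authResult.AuthenticationResult?.AccessToken) {
      return authResult.AuthenticationResult.AccessToken;
    } else {
      throw new Error('Failed to retrieve bearer token.');
    }
  } catch (error) {
    throw error;
  }
}

// Call getToken to retrieve the access token.
getToken()
  .then(() => console.log('Access token retrieved.'))
  .catch((error) => console.error(error));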


Let’s walk through the code step by step:

1. Import necessary modules and libraries: We import the required modules and libraries, including `crypto` for generating a secret hash and the AWS SDK’s `CognitoIdentityProviderClient` and `InitiateAuthCommand` for interacting with AWS Cognito.

2. Define the necessary variables: Set the values for `clientSecret`, `clientId`, `region`, `username`, and `password`. These values should correspond to your AWS Cognito setup.

3. Implement the `calculateSecretHash` function: This function calculates the secret hash required for the authentication process. It uses the client secret, username, and client ID to generate the hash using the `crypto` module.

4. Implement the `getToken` function: This function handles the token retrieval process. It creates a new instance of the `CognitoIdentityProviderClient` and initiates the authentication using the `InitiateAuthCommand`. The function checks if the authentication was successful and returns the access token if available.

5. Call the `getToken` function: Finally, we call the `getToken` function to retrieve the access token.
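
Added example, not part of the original article: a check to run on the InitiateAuth response before the token is used. It reports the challenge Cognito returns when the user is still in FORCE_CHANGE_PASSWORD (prerequisite 3 skipped) and confirms the token is an unexpired access token for this app client and user pool. The function names, the `AuthOutput` and `AccessClaims` types and the sample values are assumptions made for illustration.

```typescript
// Added example, not from the original article. Field names follow the InitiateAuth
// response and Cognito access-token claims; sample values are constructed.
interface AuthOutput {
  AuthenticationResult?: { AccessToken?: string };
  ChallengeName?: string;
}

interface AccessClaims {
  token_use: string;
  client_id: string;
  iss: string;
  exp: number;
}

// Decodes the JWT payload without verifying the signature. That is enough for a
// client-side sanity check; an API that accepts the token must verify the
// signature against the user pool's JWKS.
function decodeClaims(jwt: string): AccessClaims {
  const parts = jwt.split('.');
  const payload = parts[1];
  if (parts.length !== 3 || !payload) throw new Error('Not a compact JWT');
  return JSON.parse(Buffer.from(payload, 'base64url').toString('utf8'));
}

function extractAccessToken(
  out: AuthOutput,
  clientId: string,
  issuer: string, // https://cognito-idp.<region>.amazonaws.com/<userPoolId>
  nowSec: number = Math.floor(Date.now() / 1000)
): string {
  // A user still in FORCE_CHANGE_PASSWORD gets a challenge instead of tokens.
  if (out.ChallengeName) {
    throw new Error(`Challenge ${out.ChallengeName} returned; no tokens issued`);
  }
  const token = out.AuthenticationResult?.AccessToken;
  if (!token) throw new Error('No access token in response');

  const claims = decodeClaims(token);
  if (claims.token_use !== 'access') throw new Error('Not an access token');
  if (claims.client_id !== clientId) throw new Error('Token issued to another client');
  if (claims.iss !== issuer) throw new Error('Unexpected issuer');
  if (claims.exp <= nowSec) throw new Error('Token already expired');
  return token;
}

// Constructed sample token (placeholder header and signature segments).
function sampleToken(claims: object): string {
  return ['e30', Buffer.from(JSON.stringify(claims)).toString('base64url'), 'sig'].join('.');
}
```

In `getToken`, `authResult` can be passed to `extractAccessToken` together with your client ID and the user pool's issuer URL.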


