Ryan Warner

AWS Amplify Auth

June 16, 2022

When you call Auth.signIn() and Auth.signOut(), what is Amplify abstracting away from us? How is Amplify managing our authentication state?

Amplify does this by writing and removing values in local storage or cookies. When you successfully authenticate, 6 values get set in local storage. Then, when you sign out, those same values get removed.

Storage values

Upon successful authentication, the library adds 6 values to local storage (or cookies if you customize the config).

There are 6 token types:

  • accessToken — "The purpose of the access token is to authorize API operations in the context of the user in the user pool." (Source)
  • clockDrift — "The saved computer's clock drift or undefined to force calculation." I don't understand how this is applied. Something to do with expiry?
  • idToken — "contains claims about the identity of the authenticated user, such as name, email, and phone_number" (Source)
  • refreshToken — Credentials used to obtain access tokens. When an access token expires, the refresh token is used to get a new one without asking the user to sign in again. From the AWS docs, "You can use the refresh token to retrieve new ID and access tokens."
  • userData — Contains information about the user such as name, email, and username.
  • LastAuthUser — "needed for computing other key names"

Naming convention

Each of these token types is used as part of the naming convention.

The docs define the shape of the storage keys as:

${ProviderPrefix}.${userPoolClientId}.${username}.${tokenType}

Here's an example:

CognitoIdentityServiceProvider.2agop4ldjtnjhng1of7752uh73.554a1dff-ab1e-4cf8-d95f-1c10b4d7700.accessToken

In this example,

  • CognitoIdentityServiceProvider is the ProviderPrefix.
  • 2agop4ldjtnjhng1of7752uh73 is the user pool client ID.
  • 554a1dff-ab1e-4cf8-d95f-1c10b4d7700 is the username.
  • accessToken is the token type.
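To make the storage layout concrete, here is an added example (my own code, not the post's and not the Amplify or amazon-cognito-identity-js source) that models what sign-in leaves behind and what sign-out has to clean up. The key pattern is the one the post quotes. One assumption beyond the post: the LastAuthUser value is keyed as ${ProviderPrefix}.${userPoolClientId}.LastAuthUser with no username segment, since it is the value that tells the library which username to plug into the other five keys. The in-memory storage object, the client ID, the username and every token value are constructed for the demo; in a browser you could pass window.localStorage instead and swap Buffer for atob.

```javascript
// Added example: models how Amplify/Cognito lays out the six per-user session
// values in Web Storage, and what Auth.signOut() has to remove. The key pattern
// follows the post; the LastAuthUser key shape is an assumption; all sample
// values below are constructed.

const PROVIDER_PREFIX = 'CognitoIdentityServiceProvider';
// The five per-user values; LastAuthUser is the sixth and is keyed differently.
const TOKEN_TYPES = ['accessToken', 'clockDrift', 'idToken', 'refreshToken', 'userData'];

// Minimal Web Storage look-alike (length/key/getItem/setItem/removeItem) so the
// example runs outside a browser. In a browser, pass window.localStorage.
function createMemoryStorage() {
  const items = new Map();
  return {
    get length() { return items.size; },
    key: (i) => Array.from(items.keys())[i] ?? null,
    getItem: (k) => (items.has(k) ? items.get(k) : null),
    setItem: (k, v) => { items.set(k, String(v)); },
    removeItem: (k) => { items.delete(k); },
  };
}

// Enumerate keys through the Web Storage API so this works on real localStorage too.
function storageKeys(storage) {
  const keys = [];
  for (let i = 0; i < storage.length; i++) keys.push(storage.key(i));
  return keys;
}

// ${ProviderPrefix}.${userPoolClientId}.${username}.${tokenType}
function sessionKey(clientId, username, tokenType) {
  return `${PROVIDER_PREFIX}.${clientId}.${username}.${tokenType}`;
}

// Assumption: LastAuthUser carries no username segment, because it is what
// supplies the username for computing the other five keys.
function lastAuthUserKey(clientId) {
  return `${PROVIDER_PREFIX}.${clientId}.LastAuthUser`;
}

// Reverse the naming convention. Usernames may themselves contain dots (an
// email address, for example), so tokenType is taken from the end and the
// username is everything between clientId and tokenType.
function parseSessionKey(key) {
  const parts = key.split('.');
  if (parts.length < 4 || parts[0] !== PROVIDER_PREFIX) return null;
  return {
    providerPrefix: parts[0],
    userPoolClientId: parts[1],
    username: parts.slice(2, -1).join('.'),
    tokenType: parts[parts.length - 1],
  };
}

// What a successful sign-in leaves behind: five per-user values plus LastAuthUser.
function storeSession(storage, clientId, username, session) {
  for (const type of TOKEN_TYPES) {
    storage.setItem(sessionKey(clientId, username, type), session[type]);
  }
  storage.setItem(lastAuthUserKey(clientId), username);
}

// "Current user" resolution: LastAuthUser selects the username, and the username
// selects the other keys. Returns null when nobody is signed in.
function currentSession(storage, clientId) {
  const username = storage.getItem(lastAuthUserKey(clientId));
  if (username === null) return null;
  const session = { username };
  for (const type of TOKEN_TYPES) {
    session[type] = storage.getItem(sessionKey(clientId, username, type));
  }
  return session;
}

// What sign-out has to do: remove all six values. Returns how many were removed.
function clearSession(storage, clientId) {
  const session = currentSession(storage, clientId);
  if (session === null) return 0;
  for (const type of TOKEN_TYPES) {
    storage.removeItem(sessionKey(clientId, session.username, type));
  }
  storage.removeItem(lastAuthUserKey(clientId));
  return TOKEN_TYPES.length + 1;
}

// Read the claims out of a JWT payload WITHOUT verifying the signature. Fine for
// inspecting what sits in storage; never use it to decide whether to trust a token.
function decodeJwtPayload(token) {
  const [, payload] = token.split('.');
  const b64 = payload.replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// --- constructed sample data (not real IDs, not real credentials) ---
function base64url(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}
const SAMPLE_CLIENT_ID = 'example-client-id';
const SAMPLE_USERNAME = 'example-user';
const SAMPLE_ID_TOKEN = `${base64url({ alg: 'none', typ: 'JWT' })}.` +
  `${base64url({ sub: SAMPLE_USERNAME, email: 'user@example.com', exp: 1700000000 })}.` +
  'constructed-signature';

// Walk through sign-in, current-user lookup, claim inspection and sign-out.
function demo() {
  const storage = createMemoryStorage();
  storeSession(storage, SAMPLE_CLIENT_ID, SAMPLE_USERNAME, {
    accessToken: 'constructed-access-token',
    clockDrift: 0,
    idToken: SAMPLE_ID_TOKEN,
    refreshToken: 'constructed-refresh-token',
    userData: JSON.stringify({ Username: SAMPLE_USERNAME }),
  });
  const keysAfterSignIn = storageKeys(storage);
  const session = currentSession(storage, SAMPLE_CLIENT_ID);
  const claims = decodeJwtPayload(session.idToken);
  const removed = clearSession(storage, SAMPLE_CLIENT_ID);
  return { keysAfterSignIn, session, claims, removed, keysAfterSignOut: storageKeys(storage) };
}

console.log(JSON.stringify(demo(), null, 2));
```

Running it prints the six keys that exist after sign-in, the session reassembled from LastAuthUser, the claims inside the constructed idToken, and an empty key list after sign-out. The parser deliberately treats everything between the client ID and the last segment as the username, which matters once usernames contain dots.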
© Ryan Warner 2022