Hello,

I hope you're doing well.

Thank you for reaching out to us with your concern.

I understand that you have two app clients in your Cognito with no secrets.

Basically, when you create an app client in Amazon Cognito, you can pre-populate options based on the standard OAuth client types public client and confidential client. For detailed information, please refer to [1] in the reference section below.

When you create a new Amplify application with Cognito auth using the Amplify CLI's amplify add auth command, it sets up two app clients by default to support different authentication flows. One is for the client-side (mobile app), and the other is for server-side (backend).

The client-side app client is the one you'll use in your front-end code, and it typically does not have a client secret. The client secret is used for server-to-server authentication, which is a native app client. In your case, you need to have two app clients:

“Web app client” – an app client without a client secret “Native app client” – an app client with a client secret

For more information on how to Use existing Cognito resources for your Amplify API, please refer to [2] in the reference section below.

To conclude, please make sure your Cognito User Pool has at least two app clients with the following configuration:

one app client without a client secret one app client with a client secret

Reference

[1] https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-client-apps.html [2] https://aws.amazon.com/blogs/mobile/use-existing-cognito-resources-for-your-amplify-api-storage-and-more/