Cognito add Custom Claims to Tokens


I'm working with Cognito and I have a role-based authorization flow in my backend application. I would like to add the role of a customer to the token, so that I can easily manage the guards of the API endpoints. I found out Cognito doesn't provide such a customization out of the box, and the suggestion is to use a Lambda function that will do the trick. I spinned up a Lambda and I'm sending the role I want to include in the token (by updating userAttributes, which is weird because I can only do it after user is authenticated) but it doesn't seem to do the trick. Is there a way to achieve such a thing? If so, how can I do it? Thanks in advance!

asked 10 months ago605 views
1 Answer

I believe what you are trying to do is trigger the lambda function before the user is authenticated, which requires a pre-authentication trigger. In your Lambda function, you can update the user attributes before the token is generated. Use the event.request.userAttributes parameter to access the user attributes. Update the cognito:groups attribute with the desired role value. I’ve included a link that describes the pre-authentication triggers, as well as the documentation for user-identity-pool integration with lambda triggers.

Pre Authenitcation Lambda Triggers & Identity Pools (

Hope this helps!

answered 10 months ago
  • Thanks for your answer, Aafant!

    A couple of things: I'm using amazon-cognito-identity-js lib to handle the cognito stuff in my NestJS app. There is a method called updateAttributes that can only be invoked by an authenticated user, so I first authenticate the user, then I call the updateAttributes and authenticate the user again (this is very confusing, but was the only way I found to update the userAttributes). Also, the Lambda is triggered automatically by the authenticateUser. I'm logging the event.request.userAttributes and I'm able to see the attribute I want to set. Everything seems to be okay, but the token is not getting the custom claims. By the way, I followed this tutorial from AWS:

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions