01 The promise
"I'll just quickly build the login."
That’s the sentence that opens every other SaaS disaster. Authentication looks simple: the user has an email and a password, add a bit of session management, done. Three days of work, you think.
In reality, you’ve just entered one of the hardest areas of software. And it’s not the cryptography that sinks you. It’s the ten things you haven’t thought of yet.
02 What you actually need
The list that turns three days of work into three months.
For “login” to run safely in production, you need:
- Password hashing with bcrypt or Argon2, not SHA-256
- Session management with secure, HttpOnly, SameSite cookies
- JWT issuance, key rotation, and a refresh token flow
- Brute-force protection, rate limiting, and account lockout
- Password reset with a secure email flow and expiry
- Email verification at sign-up
- MFA with TOTP, SMS, and backup codes
- Passkey support, expected since 2024
- Social login via Google, Apple, and other IdPs
- “Sign out of all devices” as a self-service
- Audit log for compliance and forensics
- FADP and GDPR-compliant data handling
Every single item comes with its own class of vulnerabilities, and you will not see them until someone exploits them. Every one costs weeks. That’s not the product you wanted to build.
03 The AWS stack, three layers
Three services, each for a clear job.
- Layer 1 · Amazon Cognito: identity provider for sign-up, login, MFA, passkeys. OAuth2 and OIDC out of the box. User Pools hold the user database and issue the tokens, Identity Pools exchange those tokens for AWS credentials. Hosted UI optional, custom UI possible.
- Layer 2 · Lambda@Edge: token validation before the request reaches the backend. Cognito JWTs are checked at the CloudFront edge against the user pool's published signing keys (the `kid` in the token selects the key, which is also what makes key rotation work); a request with a missing, expired, or badly signed token is rejected there. The origin never sees an unauthenticated request.
- Layer 3 · API Gateway: authorization at the API layer. The Cognito authorizer is natively integrated, so the token is validated again and the claims are available to the route. Throttling, usage plans, and WAF integration are built in.
Defense in depth, not as a buzzword, but as clean separation of concerns: identity at Cognito, request screening at the edge, API-level authorization in the gateway.
04 In production at SCMC
Swiss cybersecurity platform. FADP-compliant. Live since November 2025.
I built this stack for SCMC.ch. FADP compliance was a must-have, not a nice-to-have. After more than five months in production:
- No auth session bugs in production
- Passkeys from day one
- Audit log comes from CloudTrail and Cognito events, not from my own code
- Feature development instead of security firefighting
05 The rule
Never build what you can buy. Especially not for security.
The only legitimate exception: you are an identity provider vendor yourself. Keycloak, Auth0, Okta, Clerk, Supabase Auth, and Firebase Auth are all massive multi-year investments. You don’t build that on the side.
On AWS and not an identity company? The answer is Cognito. Need self-hosting or on-prem? Then Keycloak: OAuth2, OIDC, SAML, passkeys, LDAP, all standards-compliant. Either way, do not build it yourself.
Your weeks belong in the product only you can build.