AWS has quietly changed prices for its Cognito authentication service, effective December 1 – although you’d be forgiven for missing it.
The new prices were introduced alongside a new three-tiered pricing structure. (Existing users keep their pricing until Nov. 30, 2025.)
For basic "login" deployments with over 10,000 users, prices have increased. For those using "advanced security features", they have fallen.
What is Cognito?
Cognito is a “customer identity and access management” service; in short, it lets developers easily create a way to authenticate application users.
Amazon says that it processes 100 billion+ authentications per month.
The price changes were introduced at the bottom of a blog post in late November that focused more on new Cognito features, but which also pointed (some 800 words in…) to “More options on pricing tiers.”
These are now served as “lite” (the default), “essentials”, and “plus”.
Cognito also has a bunch of new features (if not the cross-region replication that many users have been begging for) but if you are above 10,000 monthly active users (MAUs) pricing has increased significantly.
Essentials and Lite have a free tier. The free tier does not automatically expire at the end of your 12-month AWS Free Tier term, and it is available to both existing and new AWS customers indefinitely” said AWS.
“For users who sign in directly via Amazon Cognito or through a social identity provider, Amazon Cognito user pools has a free tier of 10,000 monthly active user (MAU) per month per customer…
See also: Okta breach looks worse as BeyondTrust, Cloudflare, 1Password report impact, flag concerns
"For users federated through SAML 2.0 or an OpenID Connect (OIDC) identity provider, Amazon Cognito user pools has a free tier of 50 MAUs per month per customer regardless of your user pool pricing tier configuration” with the cloud provider adding that there is no free tier for app clients or token requests when Cognito is used for a machine-to-machine use case" - AWS
The move has triggered much end-user talk on Reddit and Hackernews (where opinions are mixed both on Cognito performance and the price increase; it has always been cheap, if flawed, was a common view).
A snapshot of one:
“Exporting user activity logs etc [only available via Cognito's new "Plus" tier] should not be a premium feature - what the actual fuck AWS? Please don’t let this be a trend on AWS where we artificially gimp services just to create pricing tiers.. that’s the kind of shit azure does on everything and is frustrating af”
Many commenters and developers have also pointed to the burgeoning number of open source alternatives in the authentication space.
As Dan Moore, head of developer relations for one alternative, FusionAuth, noted, there have been "tons and tons of startups entering the auth and adjacent spaces since the Auth0 acquisition by Okta in 2021” and shares some interesting views on why that has been the case on Substack here.
See also: UK spooks promise progress on £2.6 billion cryptographic key overhaul
(Moore names the likes of WorkOS; PropelAuth; Frontegg; Clerk; Permit.io; Aserto; Cerbos etc. The likes of Ping Identity also have some overlap here; ditto Supabase and Pocketbase, although most of these providers have very different capabilities; users looking to roll their own solutions can also explore his FusionAuth, as well as Ory and Zitadel.)
Moore noted: "Hyperscaler solutions are usually the default for folks building in the cloud. It's just so easy. But when limits are reached, customers look elsewhere. These limits are typically functionality rather than cost...Surprisingly, no hyperscaler has adopted and then offered any of the more modern open source auth solutions..."
Customers wanting higher Cognito request-per-second (RPS) rates will get slapped with increased costs on top of the new base prices for monthly active users and any other features including Advanced Security Features. Prices are per 1 RPS of incremental capacity over default quotas per month.
Each API category is charged separately and looks like this.
Yes, that can rack up, fast for big users.
