Pro · Native social auth

Sign in with Apple & Google — native sheets, Cognito JWTs, zero Hosted UI

The pain point every iOS + AWS developer hits: Cognito docs push web OAuth, but your users expect the system Apple button. Pro ships the full native path — custom auth, token refresh, and the traps already solved.

Developers have asked for a native Sign in with Apple experience with Cognito User Pools for years — without Hosted UI and without guessing whether user creation still works. The official paths still push federated IdP setup, redirect URLs, and Amplify flows that fight a SwiftUI app.

The problem

Why native Apple + Cognito breaks teams for weeks

Hosted UI is not native

Cognito’s default social path opens a web view or Safari redirect. Users expect ASAuthorizationController — the system Apple sheet.

Apple IdP + Services ID maze

Console wiring for team keys, Services IDs, return URLs, and Cognito’s Apple identity provider — easy to misconfigure and hard to debug.

Apple JWT ≠ Cognito JWT

Your API Gateway authorizer expects Cognito id tokens. Apple’s identity token carries a different issuer and audience, so passing it straight through gives you 401s after a “successful” login.

Email-alias pools vs Apple sub

Many pools use email as username. Apple’s stable id is sub — not a valid email-shaped Cognito username without a deliberate mapping strategy.

Amplify doesn’t own the social session

Native sign-in bypasses Amplify sign-in. Without a token store and refresh flow, sessions die when the id token expires (1 hour by default).

Pro approach

Native UX on the phone. Cognito JWTs on the wire.

  1. Native provider sheet

     Apple: ASAuthorizationController. Google: GIDSignIn. Users never leave your app for a Cognito web page.

  2. ./mvp deploy

     CDK deploys Cognito custom auth Lambda triggers + POST /auth/apple and /auth/google. Apple works when your Xcode bundle ID matches the deployed AppleBundleId, because Apple sets the identity token’s aud claim to the bundle ID; no Apple IdP in the Cognito console.

  3. Server verifies, Cognito issues tokens

     Go Lambda runs AdminInitiateAuth with a custom challenge. The triggers validate the Apple/Google JWT: signature against the provider’s JWKS, issuer, audience equal to your bundle ID or Google client ID, expiry, and sub bound to the Cognito user being signed in. Response: standard Cognito id, access, and refresh tokens.

  4. Same authorizer as email users

     iOS stores tokens in Keychain, refreshes silently, revokes on sign-out. GET /me and /todos use the same Bearer JWT flow as password sign-in.
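Step 3 is where the security lives, so here is the verification spelled out. This is an added example, not code from MVP Stack Pro: it shows the checks a VerifyAuthChallengeResponse trigger has to make on an Apple identity token, using only the Go standard library. Apple’s issuer and JWKS location are real; the function names (VerifyAppleToken, MakeTestToken), the bundle ID com.example.app and the sample sub are assumptions. The signing key, JWKS and token are generated in-process so the example runs offline; in production Apple signs the token and you fetch https://appleid.apple.com/auth/keys over HTTPS and cache it by kid. The same shape applies to Google tokens with Google’s issuer, Google’s JWKS and your iOS OAuth client ID as aud.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Apple's iss claim is fixed; the suffix is the page's synthetic-username convention.
const (
	appleIssuer    = "https://appleid.apple.com"
	usernameSuffix = "@users.signin.apple"
)

var enc = base64.RawURLEncoding

// JWK is the RSA subset of one entry in the "keys" array of Apple's JWKS document;
// encoding/json maps "kty", "kid", "n", "e" onto these fields case-insensitively.
type JWK struct{ Kty, Kid, N, E string }

// AppleClaims is the subset of identity-token claims the verifier checks.
type AppleClaims struct {
	Iss string `json:"iss"`
	Aud string `json:"aud"`
	Sub string `json:"sub"`
	Exp int64  `json:"exp"`
}

// VerifyAppleToken is the check a VerifyAuthChallengeResponse trigger performs on the identity
// token the app submits as its challenge answer: pin alg to RS256, verify the signature with the
// JWKS key named by kid, check iss, aud (your bundle ID) and exp, and bind the token's sub to the
// Cognito username being authenticated so a valid token for user A cannot answer a challenge for
// user B. now is unix seconds.
func VerifyAppleToken(token string, keys []JWK, bundleID, username string, now int64) (*AppleClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token")
	}
	hb, err1 := enc.DecodeString(parts[0])
	pb, err2 := enc.DecodeString(parts[1])
	sig, err3 := enc.DecodeString(parts[2])
	if err1 != nil || err2 != nil || err3 != nil {
		return nil, fmt.Errorf("bad base64url segment")
	}
	var hdr struct{ Alg, Kid string }
	if err := json.Unmarshal(hb, &hdr); err != nil || hdr.Alg != "RS256" {
		return nil, fmt.Errorf("unexpected header or alg") // never honour alg=none or HS256
	}
	var pub *rsa.PublicKey
	for _, k := range keys {
		if k.Kid == hdr.Kid && k.Kty == "RSA" {
			n, errN := enc.DecodeString(k.N)
			e, errE := enc.DecodeString(k.E)
			if errN != nil || errE != nil {
				return nil, fmt.Errorf("bad jwk %q", k.Kid)
			}
			pub = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
		}
	}
	if pub == nil {
		return nil, fmt.Errorf("unknown kid %q", hdr.Kid) // production: refetch the JWKS once, then fail
	}
	sum := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, sum[:], sig); err != nil {
		return nil, fmt.Errorf("bad signature")
	}
	var c AppleClaims
	if err := json.Unmarshal(pb, &c); err != nil {
		return nil, err
	}
	switch {
	case c.Iss != appleIssuer:
		return nil, fmt.Errorf("wrong issuer %q", c.Iss)
	case c.Aud != bundleID:
		return nil, fmt.Errorf("token issued to app %q, not %q", c.Aud, bundleID)
	case now >= c.Exp:
		return nil, fmt.Errorf("token expired")
	case username != c.Sub+usernameSuffix:
		return nil, fmt.Errorf("token subject does not match user %q", username)
	}
	return &c, nil
}

// MakeTestToken is a constructed fixture so the example runs offline: it generates a throwaway
// RSA key, publishes it as a one-entry JWKS under kid, and signs c the way Apple would.
func MakeTestToken(kid string, c AppleClaims) (string, []JWK, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return "", nil, err
	}
	h, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": kid})
	p, _ := json.Marshal(c)
	signing := enc.EncodeToString(h) + "." + enc.EncodeToString(p)
	sum := sha256.Sum256([]byte(signing))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, sum[:])
	if err != nil {
		return "", nil, err
	}
	e := enc.EncodeToString(big.NewInt(int64(priv.E)).Bytes())
	keys := []JWK{{Kty: "RSA", Kid: kid, N: enc.EncodeToString(priv.N.Bytes()), E: e}}
	return signing + "." + enc.EncodeToString(sig), keys, nil
}

func main() {
	now := time.Now().Unix()
	claims := AppleClaims{Iss: appleIssuer, Aud: "com.example.app", Sub: "001234.abcd", Exp: now + 600}
	tok, keys, _ := MakeTestToken("kid-1", claims)
	_, err := VerifyAppleToken(tok, keys, "com.example.app", claims.Sub+usernameSuffix, now)
	fmt.Println("same user:", err)
	_, err = VerifyAppleToken(tok, keys, "com.example.app", "other"+usernameSuffix, now)
	fmt.Println("other user:", err)
}
```

The sub-to-username binding is the part that is easy to forget: without it, any valid Apple token for your app answers the challenge for any user in the pool. Pinning alg before looking up the key closes the alg=none and key-confusion classes, and checking aud rejects tokens Apple issued for other apps, which share the same iss and JWKS.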

Compare

What Pro skips vs the usual Cognito social setup

Usual Cognito path | MVP Stack Pro
Cognito Hosted UI + redirect URLs | Native Apple / Google sheets in SwiftUI
Configure Apple IdP in Cognito console | Custom auth triggers — deploy and match bundle ID
Amplify federated sign-in assumptions | CognitoTokenStore + REFRESH_TOKEN_AUTH refresh
Forum threads on “does native Apple bypass user creation?” | SignUp + custom auth documented — one path for sign-up and sign-in
Profile shows @users.signin.apple usernames | Real name/email display pattern included

Sign in with Apple

  • Works after ./mvp deploy — match AppleBundleId to Xcode
  • Stable username: {appleSub}@users.signin.apple
  • Identity JWT verified in Lambda against Apple JWKS
  • Hide My Email handled — profile shows real display data where available

Sign in with Google

  • Backend ready on deploy; button appears after ./mvp configure-google
  • iOS OAuth client ID only — no CDK parameter for Google
  • Same custom auth + Cognito token model as Apple

FAQ

Native Apple & Google auth with Cognito

Common questions from iOS developers integrating social login with User Pools.

Is native Sign in with Apple supported with Cognito User Pools?
Yes — via custom authentication. Pro implements the pattern AWS docs rarely show end-to-end: native Apple sheet → backend → Cognito AdminInitiateAuth → Cognito JWTs. You do not need Hosted UI or Cognito’s Apple identity provider for this starter.
Does native Apple sign-in create Cognito users?
Yes. First visit: SignUp with a stable synthetic email-shaped username derived from Apple’s sub, auto-confirmed by the pre-sign-up trigger. Return visits: custom auth only. Sign-in and sign-up share one code path. Since SignUp itself is an unauthenticated call, auto-confirmation has to be gated on the same Apple token validation as the custom challenge, not on the username format alone.
Can I use the same API Gateway JWT authorizer for Apple and email users?
Yes. Every path returns Cognito-issued id tokens. API Gateway validates the same issuer (your user pool) and audience (your app client id) whether the user signed in with email, Apple, or Google.
How is Google configured?
Create an iOS OAuth client in Google Cloud Console, then run ./mvp configure-google YOUR_CLIENT_ID. No Hosted UI domain or Cognito Google IdP required for this template.
Is token refresh included?
Pro refreshes Cognito id and access tokens with the REFRESH_TOKEN_AUTH flow (the standard mobile pattern), stores tokens in Keychain, retries transient failures, and revokes the refresh token on sign-out. Revocation relies on the RevokeToken API, which only takes effect when token revocation is enabled on the app client.
Is this in the free Core zip?
No. Core is email/password only (MIT on GitHub). Native Apple + Google auth, Cursor workflows for social login, and the full guides ship in MVP Stack Pro ($199 one-time). Pro Continuity ($149/year) is optional for updates, support, and private repo access.

Full implementation guides ship inside the Pro zip — docs/SIGN_IN_WITH_APPLE_COGNITO.md, docs/GOOGLE_SIGN_IN_WITH_COGNITO.md

Start shipping iOS MVPs faster.

Clone the core tonight. Pro is $199 one-time; add Continuity if you want updates and repo access.

MIT core on GitHub → START_HERE.md → deploy in ~45 min