---
title: "Signed-in user data access"
section: "build-a-backend/data/customize-authz"
platforms: ["android", "angular", "flutter", "javascript", "nextjs", "react", "react-native", "swift", "vue"]
gen: 2
last-updated: "2024-06-19T16:13:00.000Z"
url: "https://docs.amplify.aws/react/build-a-backend/data/customize-authz/signed-in-user-data-access/"
---

The `authenticated` authorization strategy restricts record access to only signed-in users authenticated through IAM, Cognito, or OpenID Connect, applying the authorization rule to all users. It provides a simple way to make data private to all authenticated users.

## Add signed-in user authorization rule

You can use the `authenticated` authorization strategy to restrict a record's access to every signed-in user.

<Callout>
**Note:** If you want to restrict a record's access to a specific user, see [Per-user/per-owner data access](/[platform]/build-a-backend/data/customize-authz/per-user-per-owner-data-access/). The `authenticated` authorization strategy detailed on this page applies the authorization rule for data access to **every** signed-in user.
</Callout>

In the example below, anyone with a valid JWT token from the Cognito user pool is allowed access to all Todos.

```ts title="amplify/data/resource.ts"
const schema = a.schema({
  Todo: a
    .model({
      content: a.string(),
    })
    .authorization(allow => [allow.authenticated()]),
});
```

<!-- Platform: javascript, angular, react-native, react, nextjs, vue, android -->
In your application, you can perform CRUD operations against the model using `client.models.<model-name>` with the `userPool` auth mode.

```ts
import { generateClient } from 'aws-amplify/data';
import type { Schema } from '../amplify/data/resource'; // Path to your backend resource definition

const client = generateClient<Schema>();

const { errors, data: newTodo } = await client.models.Todo.create(
  {
    content: 'My new todo',
  },
  // highlight-start
  {
    authMode: 'userPool',
  }
  // highlight-end
);
```
<!-- /Platform -->

<!-- Platform: flutter -->
In your application, you can perform CRUD operations against the model with the `userPools` auth mode.
  
```dart
try {
  final todo = Todo(content: 'My new todo');
  final request = ModelMutations.create(
    todo,  
    authorizationMode: APIAuthorizationType.userPools,
  );
  final createdTodo = await Amplify.API.mutations(request: request).response;

  if (createdTodo == null) {
    safePrint('errors: ${response.errors}');
    return;
  }
  safePrint('Mutation result: ${createdTodo.name}');

} on APIException catch (e) {
  safePrint('Failed to create todo', e);
}
```
<!-- /Platform -->

<!-- Platform: swift -->
In your application, you can perform CRUD operations against the model with the `amazonCognitoUserPools` auth mode.

```swift
do {
    let todo = Todo(content: "My new todo")
    let createdTodo = try await Amplify.API.mutate(request: .create(
        todo,
        authMode: .amazonCognitoUserPools)).get()
} catch {
    print("Failed to create todo", error) 
}
```
<!-- /Platform -->

## Use identity pool for signed-in user authentication

You can also override the authorization provider. In the example below, `identityPool` is specified as the provider which allows you to use an "Unauthenticated Role" from the Cognito identity pool for public access instead of an API key. Your Auth resources defined in `amplify/auth/resource.ts` generates scoped down IAM policies for the "Unauthenticated role" in the Cognito identity pool automatically.

```ts title="amplify/data/resource.ts"
const schema = a.schema({
  Todo: a
    .model({
      content: a.string(),
    })
    .authorization(allow => [allow.authenticated('identityPool')]),
});
```

<!-- Platform: javascript, angular, react-native, react, nextjs, vue, android -->
In your application, you can perform CRUD operations against the model using `client.models.<model-name>` with the `iam` auth mode.

> **Info:** The user must be logged in for the Amplify Library to use the authenticated role from your Cognito identity pool.

```ts
import { generateClient } from 'aws-amplify/data';
import type { Schema } from '../amplify/data/resource'; // Path to your backend resource definition

const client = generateClient<Schema>();

const { errors, data: newTodo } = await client.models.Todo.create(
  {
    content: 'My new todo',
  },
  // highlight-start
  {
    authMode: 'identityPool',
  }
  // highlight-end
);
```
<!-- /Platform -->

<!-- Platform: flutter -->
In your application, you can perform CRUD operations against the model with the `iam` auth mode.

```dart
try {
  final todo = Todo(content: 'My new todo');
  final request = ModelMutations.create(
    todo,  
    authorizationMode: APIAuthorizationType.iam,
  );
  final createdTodo = await Amplify.API.mutations(request: request).response;

  if (createdTodo == null) {
    safePrint('errors: ${response.errors}');
    return;
  }
  safePrint('Mutation result: ${createdTodo.name}');

} on APIException catch (e) {
  safePrint('Failed to create todo', e);
}
```
<!-- /Platform -->

<!-- Platform: swift -->
In your application, you can perform CRUD operations against the model with the `awsIAM` auth mode.

> **Info:** The user must be logged in for the Amplify Library to use the authenticated role from your Cognito identity pool.

```swift
do {
    let todo = Todo(content: "My new todo")
    let createdTodo = try await Amplify.API.mutate(request: .create(
        todo,
        authMode: .awsIAM)).get()
} catch {
    print("Failed to create todo", error)
}
```
<!-- /Platform -->

In addition, you can also use OpenID Connect with `authenticated` authorization. See [OpenID Connect as an authorization provider](/[platform]/build-a-backend/data/customize-authz/using-oidc-authorization-provider/).
