Page updated Nov 20, 2023

Configure custom identity and group claims

Amplify Data supports using custom identity and group claims if you do not wish to use the default Amazon Cognito-provided cognito:groups or the double-colon-delimited claims, sub::username, from your JWT token. This can be helpful if you are using tokens from a 3rd party OIDC system or if you wish to populate a claim with a list of groups from an external system, such as when using a Pre Token Generation Lambda Trigger which reads from a database.

To use custom claims specify identityClaim or groupClaim as appropriate. In the example below, the identityClaim is specified and the record owner will check against this user_id claim. Similarly, if the user_groups claim contains a "Moderator" string then access will be granted.

import { a, defineData, type ClientSchema } from "@aws-amplify/backend"; const schema = a.schema({ Post: a .model({ id:, owner: a.string(), postname: a.string(), content: a.string(), }) .authorization([ a.allow.owner().identityClaim("user_id"), a.allow.specificGroups(["Moderator"]).withClaimIn("user_groups"), ]), }); export type Schema = ClientSchema<typeof schema>; export const data = defineData({ schema });
1import { a, defineData, type ClientSchema } from "@aws-amplify/backend";
3const schema = a.schema({
4 Post: a
5 .model({
6 id:,
7 owner: a.string(),
8 postname: a.string(),
9 content: a.string(),
10 })
11 .authorization([
12 a.allow.owner().identityClaim("user_id"),
13 a.allow.specificGroups(["Moderator"]).withClaimIn("user_groups"),
14 ]),
17export type Schema = ClientSchema<typeof schema>;
19export const data = defineData({ schema });