Amplify has re-imagined the way frontend developers build fullstack applications. Develop and deploy without the hassle.

Fullstack TypeScript

Write your app's data model, auth, storage, and functions in TypeScript; Amplify will do the rest.

Built with the AWS CDK

Use any cloud resource your app needs. Never worry about scale.

Back to Gen 1 DocsLearn more

Choose your framework/language

Edit on GitHub

Page updated May 2, 2024

Signed-in user data access

The authenticated authorization strategy restricts record access to only signed-in users authenticated through IAM, Cognito, or OpenID Connect, applying the authorization rule to all users. It provides a simple way to make data private to all authenticated users.

Add signed-in user authorization rule

You can use the authenticated authorization strategy to restrict a record's access to every signed-in user.

Note: If you want to restrict a record's access to a specific user, see Per-user/per-owner data access. The authenticated authorization strategy detailed on this page applies the authorization rule for data access to every signed-in user.

In the example below, anyone with a valid JWT token from the Cognito user pool is allowed access to all Todos.

amplify/data/resource.ts
1const schema = a.schema({
2  Todo: a
3    .model({
4      content: a.string(),
5    })
6    .authorization(allow => [allow.authenticated()]),
7});

In your application, you can perform CRUD operations against the model using client.models.<model-name> with the userPool auth mode.

1import { generateClient } from 'aws-amplify/data';
2import type { Schema } from '../amplify/data/resource'; // Path to your backend resource definition
3

4const client = generateClient<Schema>();
5

6const { errors, data: newTodo } = await client.models.Todo.create(
7  {
8    content: 'My new todo',
9  },
13);

Use identity pool for signed-in user authentication

You can also override the authorization provider. In the example below, identityPool is specified as the provider which allows you to use an "Unauthenticated Role" from the Cognito identity pool for public access instead of an API key. Your Auth resources defined in amplify/auth/resource.ts generates scoped down IAM policies for the "Unauthenticated role" in the Cognito identity pool automatically.

amplify/data/resource.ts
1const schema = a.schema({
2  Todo: a
3    .model({
4      content: a.string(),
5    })
6    .authorization(allow => [allow.authenticated('identityPool')]),
7});

In your application, you can perform CRUD operations against the model using client.models.<model-name> with the iam auth mode.

The user must be logged in for the Amplify Library to use the authenticated role from your Cognito identity pool.

1import { generateClient } from 'aws-amplify/data';
2import type { Schema } from '../amplify/data/resource'; // Path to your backend resource definition
3

4const client = generateClient<Schema>();
5

6const { errors, data: newTodo } = await client.models.Todo.create(
7  {
8    content: 'My new todo',
9  },
13);

In addition, you can also use OpenID Connect with authenticated authorization. See OpenID Connect as an authorization provider.

PREVIOUS
Multi-user data access
NEXT
User group-based data access
Site color mode

Amplify open source software, documentation and community are supported by Amazon Web Services.

© 2024, Amazon Web Services, Inc. and its affiliates.

All rights reserved. View the site terms and privacy policy.

Flutter and the related logo are trademarks of Google LLC. We are not endorsed by or affiliated with Google LLC.