Cognito and authentication

Related: secrets-and-configuration · test-account-and-integration-tests · troubleshooting-decisions

Dev app client

| Setting | Value |
| --- | --- |
| AWS account | villaws (394922924679) |
| User pool | villaMembers2 (ap-southeast-1_bul3MgmNE) |
| App client | villa-backend-sdk-dev |
| Client ID | 6k932iah7v1hgnd33a53c3v1mj |
| Region | ap-southeast-1 |

Required app client settings

  • **ALLOW_USER_PASSWORD_AUTH** (Username and password) — required for SDK login()
  • Client secret from **Show client secret** — not the Client Secret ID (...--1779672734505)
  • Auth flows in the SDK

    Login (existing user)

    tokens = client.login(username, password)
    jwt = tokens.id_token  # use as Bearer for Villa APIs

    Auth flow: USER_PASSWORD_AUTH + SECRET_HASH when client has a secret.

    Register (new user — no IAM admin)

    client.register(username, password, email=username)
    client.auth.confirm_sign_up(username, code)  # after email code
    tokens = client.login(username, password)

    This is the same path end users take in a chat app. See test-account-and-integration-tests for the one-time admin confirm of the shared test user.

    Verify ID token

    verified = client.verify_id_token(tokens.id_token)
    assert client.is_id_token_valid()

    Checks JWKS signature, exp, iss, aud, token_use=id.

    CLI: villa auth verify-token --token "$ID_TOKEN"
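Added example (not code from villa-backend-sdk): the SECRET_HASH the USER_PASSWORD_AUTH flow sends when the app client has a secret, and the claim checks listed above (exp, iss, aud, token_use=id) applied to an already signature-verified payload. Pool ID and client ID come from the table on this page; the secret and the sample claims are constructed, and the JWKS signature check is assumed to have run first.

```python
import base64
import hashlib
import hmac
import time
from typing import List, Optional

# Dev app client values from the table above; issuer is derived the way Cognito forms it.
REGION = "ap-southeast-1"
USER_POOL_ID = "ap-southeast-1_bul3MgmNE"
CLIENT_ID = "6k932iah7v1hgnd33a53c3v1mj"
ISSUER = f"https://cognito-idp.{REGION}.amazonaws.com/{USER_POOL_ID}"


def secret_hash(username: str, client_id: str, client_secret: str) -> str:
    """SECRET_HASH for USER_PASSWORD_AUTH: Base64(HMAC-SHA256(client_secret, username + client_id))."""
    msg = (username + client_id).encode("utf-8")
    digest = hmac.new(client_secret.encode("utf-8"), msg, hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def check_id_token_claims(claims: dict, now: Optional[float] = None) -> List[str]:
    """Return the failing checks (empty list = claims acceptable).

    Assumes the JWS signature was already verified against the pool's JWKS;
    this only covers the claim checks: exp, iss, aud, token_use == "id".
    """
    now = time.time() if now is None else now
    problems = []
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        problems.append("exp: missing or expired")
    if claims.get("iss") != ISSUER:
        problems.append("iss: not this user pool")
    if claims.get("aud") != CLIENT_ID:           # ID tokens carry aud = app client id
        problems.append("aud: not this app client")
    if claims.get("token_use") != "id":          # rejects access tokens sent as ID tokens
        problems.append("token_use: expected 'id'")
    return problems


# Constructed sample payloads (not real tokens). The second mimics an access token,
# which carries client_id instead of aud and token_use = "access".
SAMPLE_ID_CLAIMS = {"exp": 2_000_000_000, "iss": ISSUER, "aud": CLIENT_ID, "token_use": "id"}
SAMPLE_ACCESS_CLAIMS = {"exp": 2_000_000_000, "iss": ISSUER, "client_id": CLIENT_ID,
                        "token_use": "access"}
```

The access-token payload fails two checks, which is why the backend should not accept an AccessToken in place of the IdToken even though both are signed by the same pool.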

    JWT on API calls

    Villa backend expects:

    Authorization: Bearer <Cognito IdToken>

    After client.login(), the SDK attaches this automatically on VillaClient HTTP calls (orders, validation, payments).

Implementation files

  • villa_backend_sdk/auth/service.py — login, sign_up, confirm
  • villa_backend_sdk/auth/token_verifier.py — JWT verification
  • villa_backend_sdk/client.py — facade: login(), verify_id_token()