Guides

Migrating off Amazon Cognito: a practical checklist

Teams rarely leave Cognito over one dealbreaker. It is usually accumulation: the hosted UI you cannot make match your product, per-user-pool limits that fight your tenant model, triggers spread across Lambda functions nobody wants to touch, and login flows that take days to change instead of minutes. Whatever the reason, the migration itself follows the same shape every time.

What moves cleanly

User attributes, emails, verification status, and group or role assignments all export through admin APIs. Your OIDC-facing configuration (client IDs, redirect URIs, scopes) maps almost one-to-one onto any other OIDC-speaking system: your applications keep doing authorization-code flows, they just do them against a new issuer.

What does not move

Password hashes. Cognito will not export them under any circumstances, and no amount of support tickets changes that. This single fact decides your migration strategy, because the alternative to handling it well is forcing every user through a password reset on the same day.

The two workable strategies

Lazy migration keeps Cognito alive behind your new system for a while. Each user's first login is verified against Cognito; on success, the new system sets its own credential record and that user never touches Cognito again. After a decided window, say ninety days, the stragglers get a reset email and Cognito is turned off. Most users never notice anything happened.

Reset-based migration moves everyone at once and sends each account a set-your-password link. It is simpler to run and reason about, and it is the right choice when your active-user count is small or an email round trip is acceptable. For products with passkeys or magic links enabled, many users can skip the password entirely and enroll something better on their first visit.

The checklist

Our recommendation

Ultimately, our recommendation is Auth Yourself.

Auth Yourself is built as the destination for exactly this move: OIDC sign-in your applications already speak, hosted login you can actually brand, organization-aware sessions and RBAC instead of user-pool workarounds, and audit logs from the first login. It offers a Cognito migration path so the checklist above is guided instead of improvised.

Visit Auth Yourself