I'm trying to set up Cognito and I'm having trouble understanding the differences between the following three types of tokens:
- Token (returned by getOpenIdTokenForDeveloperIdentity)
- SessionToken (returned by getCredentialsForIdentity)
- SyncSessionToken (returned by listRecords)
In which way are these tokens related/different?
Here is a brief description of the 3 tokens that you talked about. I will try to link you to more detailed documentation wherever possible.
- Token: This is an OpenID Connect compliant id token issued by Cognito Identity which asserts the user's identity in a signed and verifiable way. Consider this token as a digital identity card which can be used by clients to verify the identity of users. You can refer to the Cognito API documentation for details on how to obtain this token and this documentation for more details on how to validate this token as a client.
- SessionToken: This token is issued by the service as a descriptor of the user's AWS session along with the temporary AWS credentials. Cognito calls STS on your behalf and returns the temporary credentials returned. When using other AWS resources using the issued temporary credentials, this token should be a part of the passed temporary credentials. Refer to the Cognito API reference and STS documentation for more details.
- SyncSessionToken: This is an identifier issued by the Cognito Sync service after initializing a sync operation. This sync operation is used as a unit for Cognito Sync pricing. A sync operation is marked complete when you perform a successful write/update of records using this token or this token expires.
Hope this helps.
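An added example, not part of the original answer or AWS's own code: a Node.js sketch of what validating the first token, the signed OpenID Connect id token, involves on the client side (pinned algorithm, signature check, then issuer, audience and expiry). The key pair, issuer, audience and helper names are constructed stand-ins; the real signing key and expected claim values for your identity pool come from the Cognito documentation the answer refers to.

```javascript
// Added example: constructed key pair and token, not real Cognito material.
const crypto = require('node:crypto');

const b64url = (v) => Buffer.from(v).toString('base64url');

// Verify an RS256 OpenID Connect id token: signature first, then claims.
// `expected` = { iss, aud }; `nowSec` is injectable so checks are deterministic.
function verifyIdToken(token, publicKey, expected, nowSec = Math.floor(Date.now() / 1000)) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  const [h, p, s] = parts;
  const header = JSON.parse(Buffer.from(h, 'base64url').toString('utf8'));
  // Pin the algorithm; never let the token pick it (rejects "none", HS256).
  if (header.alg !== 'RS256') throw new Error('unexpected alg');
  const ok = crypto.verify('RSA-SHA256', Buffer.from(`${h}.${p}`), publicKey,
                           Buffer.from(s, 'base64url'));
  if (!ok) throw new Error('bad signature');
  // Claims are trusted only after the signature has been checked.
  const claims = JSON.parse(Buffer.from(p, 'base64url').toString('utf8'));
  if (claims.iss !== expected.iss) throw new Error('wrong issuer');
  if (claims.aud !== expected.aud) throw new Error('wrong audience');
  if (typeof claims.exp !== 'number' || claims.exp <= nowSec) throw new Error('expired');
  return claims;
}

// --- Constructed sample data (hypothetical issuer and pool id) ---
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const EXPECTED = { iss: 'https://issuer.example', aud: 'example-identity-pool-id' };

// Stand-in for the token service: signs claims with the constructed private key.
function signSample(claims, header = { alg: 'RS256', typ: 'JWT' }) {
  const input = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(claims))}`;
  const sig = crypto.sign('RSA-SHA256', Buffer.from(input), privateKey);
  return `${input}.${sig.toString('base64url')}`;
}

// Returns the verified subject, or the reason the token was rejected.
function tryVerify(token, nowSec) {
  try { return verifyIdToken(token, publicKey, EXPECTED, nowSec).sub; }
  catch (e) { return e.message; }
}
```

The SessionToken and SyncSessionToken are not validated this way: the client passes them back to AWS unchanged, the former together with the temporary access key and secret key.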