AWS Cognito handles user authentication and authorization with two components: User Pools (user directory and sign-in) and Identity Pools (federated access to AWS services). Pricing is based on Monthly Active Users (MAUs), and the generous free tier covers many startups entirely. But as you scale past 50,000 MAUs or use advanced features, costs require careful planning.
TL;DR: Cognito's free tier covers 50,000 MAUs for User Pools (direct sign-in) and 50 MAUs for SAML/OIDC federation. Beyond that, Essentials tier costs $0.015/MAU (first 10K beyond free) scaling down to $0.0025/MAU at high volume. Social login (Google, Facebook, Apple) MAUs cost the same as direct MAUs. Identity Pools are free. For most apps under 50K users, Cognito costs $0/month.
Cognito User Pool Pricing
Essentials Tier (Default)
| MAU Bracket | Cost per MAU |
|---|---|
| First 50,000 | Free |
| 50,001 - 100,000 | $0.015 |
| 100,001 - 1,000,000 | $0.010 |
| 1,000,001 - 10,000,000 | $0.005 |
| Over 10,000,000 | $0.0025 |
Plus Tier (Advanced Security)
| MAU Bracket | Cost per MAU |
|---|---|
| First 50,000 | Free |
| 50,001 - 100,000 | $0.050 |
| 100,001 - 1,000,000 | $0.035 |
| 1,000,001 - 10,000,000 | $0.020 |
| Over 10,000,000 | $0.015 |
Plus tier includes: advanced threat protection, compromised credential detection, and adaptive authentication. See the Cognito developer guide for full feature details.
SAML/OIDC Federation
| MAU Bracket | Cost per MAU |
|---|---|
| First 50 | Free |
| Beyond 50 | $0.015 per MAU |
SAML federation has a much smaller free tier (50 vs 50,000). Enterprise SSO gets expensive quickly.
Identity Pool Pricing
| Component | Cost |
|---|---|
| Identity Pool MAUs | Free |
| Token vending | Free |
| AWS STS calls | Standard STS pricing |
Identity Pools themselves are free. You only pay for the downstream AWS services accessed via temporary credentials.
Real-World Cost Examples
| Scenario | Monthly Cost |
|---|---|
| Startup: 10,000 MAUs, direct sign-in | Free |
| Growing app: 75,000 MAUs, Essentials | $375 (25K x $0.015) |
| SaaS: 500,000 MAUs, Essentials | $4,750 |
| Enterprise: 200 SAML users | $2.25 (150 x $0.015) |
| Large consumer app: 5M MAUs, Essentials | $29,250 |
What Counts as a MAU?
A Monthly Active User is any user who has an identity operation within the month:
- Sign-in (including token refresh)
- Sign-up
- Password change
- Account attribute update
- Admin operations on the user
Inactive users stored in the pool cost nothing. Only users who actually perform an action count.
Cost Optimization Tips
1. Extend Token Lifetimes
Each token refresh counts toward MAU. Extend ID token lifetime to 1 hour (default) and refresh token to 30 days. Fewer refreshes mean fewer MAU activations for bots and crawlers.
2. Use Essentials Unless You Need Plus
Plus tier costs 3x more than Essentials. Only upgrade if you need compromised credential detection, risk-based authentication, or advanced threat protection.
3. Stay Under 50,000 MAUs
The free tier is generous. For internal tools, limit to necessary users. For public apps, consider whether anonymous access (Identity Pools, free) can replace authenticated access for some features.
4. Combine Social and Direct Sign-In
Social login (Google, Facebook, Apple Sign-In) MAUs count the same as direct MAUs and share the 50,000 free tier. No extra charge for social providers.
Related Guides
- AWS API Gateway Pricing Guide
- AWS Lambda Pricing Guide
- AWS Credits for Startups
- AWS CloudWatch Pricing: Metrics, Logs, and Costs
FAQ
How does Cognito compare to Auth0 pricing?
Cognito is significantly cheaper at scale. Auth0 charges $23/month for 1,000 MAUs on their Professional plan. Cognito's first 50,000 MAUs are free. At 100,000 MAUs, Cognito costs approximately $750/month vs Auth0 at $2,300+/month.
Do inactive users cost anything?
No. Users stored in Cognito User Pools who don't sign in or perform any action during the month incur zero charges. You can have millions of inactive users at no cost.
Is Cognito Identity Pools really free?
Yes. Identity Pools (federated identities for AWS access) have no per-MAU charge. You only pay for the AWS services accessed via the temporary credentials that Identity Pools vend.
Lower Your Cognito Costs with Wring
Wring helps you access AWS credits and volume discounts to lower your Cognito costs. Through group buying power, Wring negotiates better rates so you pay less per monthly active user.
