Skip to content

Authentication

Production /query/* requires a valid Amazon Cognito ID token when the Graph Query Lambda has COGNITO_USER_POOL_ID set.

Use X-Helix-Authorization, not Authorization:

http
X-Helix-Authorization: Bearer <cognito-id-token>

CloudFront uses Authorization for SigV4 signing to the Lambda Function URL origin.

Obtain a token (CLI)

bash
aws cognito-idp initiate-auth \
  --client-id "<CognitoUserPoolClientId>" \
  --auth-flow USER_PASSWORD_AUTH \
  --auth-parameters USERNAME=<email>,PASSWORD='<password>' \
  --region us-east-1 \
  --query 'AuthenticationResult.IdToken' \
  --output text

Pool and client ids are published to SSM after deploy — see Other AWS Apps Integration. Stack outputs: CognitoUserPoolClientId, CognitoUserPoolId on HelixPlatform.

UI

The React app uses Amplify/Cognito via AuthProvider — same pool as the API.

Local API

When COGNITO_USER_POOL_ID is unset (npm run dev:api), auth middleware is skipped.

Errors

StatusMeaning
401Missing or invalid token
502Lambda error (check CloudWatch)

Helix Flowgraph — Igentify