Authentication
Production /query/* requires a valid Amazon Cognito ID token when the Graph Query Lambda has COGNITO_USER_POOL_ID set.
Header
Use X-Helix-Authorization, not Authorization:
http
X-Helix-Authorization: Bearer <cognito-id-token>CloudFront uses Authorization for SigV4 signing to the Lambda Function URL origin.
Obtain a token (CLI)
bash
aws cognito-idp initiate-auth \
--client-id "<CognitoUserPoolClientId>" \
--auth-flow USER_PASSWORD_AUTH \
--auth-parameters USERNAME=<email>,PASSWORD='<password>' \
--region us-east-1 \
--query 'AuthenticationResult.IdToken' \
--output textPool and client ids are published to SSM after deploy — see Other AWS Apps Integration. Stack outputs: CognitoUserPoolClientId, CognitoUserPoolId on HelixPlatform.
UI
The React app uses Amplify/Cognito via AuthProvider — same pool as the API.
Local API
When COGNITO_USER_POOL_ID is unset (npm run dev:api), auth middleware is skipped.
Errors
| Status | Meaning |
|---|---|
401 | Missing or invalid token |
502 | Lambda error (check CloudWatch) |