In this tutorial, we will cover how to create Lambda functions for custom authentication flows. This is useful if you want to:
- Automatically log in a user once they sign up.
- Create passwordless flows.
The approach we will follow with these Lambda functions assume that this is a first-time login in a signup flow or that you have a custom flow that authenticates the user. If you don’t have any scenarios yet, have a look at our templates.
1. Create Lambda functions
Go to your Lambda console, where we will create 3 Lambda functions:

1.1 Define auth challenge function
Create the first function, name it “defineCustomAuthChallenge” and add the following code:
1.2 Create auth challenge function
Create the second function, name it “createCustomAuthChallenge” and add the following code:
1.3 Verify auth challenge response function
Create the third function, name it “verifyCustomAuthChallenge” and add the following code:
As we are using JSON Web Tokens (JWT) to communicate with Amazon Cognito, we need to create a secret key to sign the JWT. Go to Configuration -> Environment variables -> Edit and add a variable with Key “JWT_SECRET_KEY” and a long random string as Value.

2. Add Lambda triggers to your Cognito user pool
Add a Lambda trigger under your User pool properties

Click on Add Lambda trigger
- Select “Custom authentication”
- Select “Define auth challenge”
- Select “defineCustomAuthChallenge” lambda function

Create 2 additional Lambda triggers with the 2 remaining Lambdas functions:
- Create auth challenge -> createCustomAuthChallenge
- Verify auth challenge response -> verifyCustomAuthChallenge
3. Create custom JWTs to log in users
Once your Lambda triggers are created, you login users by generating custom JWTs in your backend with the following information:
- Secret or private key: the same secret from the "Verify auth challenge response" Lambda function.
- Subject: the sub of the user (eg. 05975eb2-136b-44af-9834-b3d2b7e22ae5)
And using the Amplify SDK with the following methods:
In Arengu, and if you've started from a template, you will only need to add the secret to the "Sign JSON web token" action:

And configure the Ending screen settings, that will automatically use the Amplify SDK if it's configured in your site:
