What is the identity in the AppSync resolver context

The $ctx.identity contains information about the caller user and it varies depending on the authorization type

Author's image
Tamás Sallai
2 mins

Caller identity

AppSync supports different authorization methods and it makes the user information available for the resolvers. This is the $ctx.identity object and it is the basis for resolver-based access control and personalized responses.

Its structure depends on the authorization method used by the caller and it can be one of:

  • Cognito User Pool
  • IAM
  • OpenID Connect
  • Api key
  • Custom Lambda function

To make it easier to identify the authorization type used, AppSync also provides the $util.authType() function:

Returns a String describing the multi-auth type being used by a request, returning back either “IAM Authorization”, “User Pool Authorization”, “Open ID Connect Authorization”, or “API Key Authorization”.

In this article, we’ll see example for each of the possible cases and look into what are the useful attributes.

Cognito User pool

	"claims": {
		"sub": "af08acd8-f118-4016-a35d-2e47d43015a3",
		"cognito:groups": [
		"email_verified": true,
		"iss": "https://cognito-idp.eu-central-1.amazonaws.com/...",
		"cognito:username": "user1",
		"origin_jti": "c98cc3d8-0e89-490e-91b2-e0c209452d4e",
		"aud": "10f1mu8jtpi9asm1drp3a0cclo",
		"event_id": "d29a170c-4474-41e9-ae56-867eaa584604",
		"token_use": "id",
		"auth_time": 1664354661,
		"exp": 1664358261,
		"iat": 1664354661,
		"jti": "bf352d13-d551-4655-adeb-7fbb9506533f",
		"email": "user1@example.com"
	"defaultAuthStrategy": "DENY",
	"groups": [
	"issuer": "https://cognito-idp.eu-central-1.amazonaws.com/...",
	"sourceIp": [
	"sub": "af08acd8-f118-4016-a35d-2e47d43015a3",
	"username": "user1"

The most important value is the sub which is the ID of the cognito user. Usually, this is the value that uniquely identifies the user and should be used for all references.

Then the username is what is set for the user but it is rarely used.

The more interesting part it the groups that helps with determining access.

Finally, the claims has all the user attributes, such as the email if set for the user.


	"accountId": "278868411450",
	"cognitoIdentityAuthProvider": null,
	"cognitoIdentityAuthType": null,
	"cognitoIdentityId": null,
	"cognitoIdentityPoolId": null,
	"sourceIp": [
	"userArn": "arn:aws:iam::278868411450:user/sandbox_admin",
	"username": "AIDAUB3O2IQ5MG6P2QH3Z"

The userArn is the unique identifier of the user, along with the username. In my experience, they are hardly used as access is determined by IAM policies and not resolvers.

OpenID Connect

	"claims": {
		"sub": "auth0|6335d8ca3f650861f5576bd0",
		"aud": "5Ed5N95aZN7WWvWv968mVHEvloJ7uepj",
		"iss": "https://dev-at4in79i.us.auth0.com/",
		"exp": 1664509575,
		"iat": 1664473575,
		"sid": "sBczu6aN3Q_TD73W7mjOZj_4cLl68gWp"
	"issuer": "https://dev-at4in79i.us.auth0.com/",
	"sub": "auth0|6335d8ca3f650861f5576bd0"

The sub is the identifier of the user. Then the claims has whatever the provider returned.

API key


Plain and simple, there is no information.

Custom Lambda function


The function returns a resolverContext field and that is directly available in the identity.

18 October 2022
In this article