Overview
The Alchemer AWS integration uses Cognito OAuth 2.0 with the login method to authenticate. To connect, you configure an app client in Amazon Cognito, then enter that app client's details in Alchemer. When you authenticate, you are redirected to the Cognito login page to sign in and grant the required scopes.
AWS API Credentials
What You Need
- An AWS account with access to Amazon Cognito
- A Cognito user pool with a configured domain
- A resource server that defines the alchemer/read and alchemer/write scopes
- An app client (with a client secret) that produces your Client ID and Client Secret
How to Set Up Cognito OAuth 2.0 in AWS
Complete these steps in the Amazon Cognito console to produce the four values you will enter in Alchemer: Client ID, Client Secret, Authorize URL, and Token URL.
1. Create or open a user pool
- In the Amazon Cognito console, open an existing user pool or create a new one.
- Note the AWS Region of the user pool (for example, us-east-2). The Region is part of your Authorize and Token URLs.
2. Add a Cognito domain
- Go to App integration → Domain and create a Cognito hosted domain (or use an existing one).
- Your domain has the form <domain-prefix>.auth.<region>.amazoncognito.com. This domain is the base of your Authorize and Token URLs.
3. Create a resource server with custom scopes
- Go to App integration → Resource servers and select Create resource server.
- Set the resource server identifier to alchemer.
- Add two custom scopes:
- Scope name read (creates the full scope alchemer/read)
- Scope name write (creates the full scope alchemer/write)
4. Create an app client
- Go to App integration → App clients and create an app client.
- Enable Generate a client secret so the client produces both a Client ID and a Client Secret.
- Under the hosted UI / OAuth 2.0 settings:
- Enable the Authorization code grant OAuth grant type.
- Under allowed custom scopes, select alchemer/read and alchemer/write.
- Add the callback URL used by the Alchemer integration to Allowed callback URLs.
https://auth.tray.io/oauth2/token(US) orhttps://auth.eu1.tray.io/oauth2/token(EU)
5. Copy your credentials and URLs
- From the app client, copy the Client ID and Client Secret.
- Build your two URLs from your Cognito domain by appending the OAuth endpoints:
- Authorize URL: <domain-prefix>.auth.<region>.amazoncognito.com/oauth2/authorize
- Token URL: <domain-prefix>.auth.<region>.amazoncognito.com/oauth2/token
Need more help? Refer to Amazon Cognito's app integration documentation.
Authenticate AWS in Alchemer
After configuring your Cognito app client, add its details to the Alchemer AWS integration. Credentials are securely stored in Alchemer and can be reused across all AWS integration actions.
How to Authenticate
1. Start a New Authentication
-
Inside any AWS integration action, select New Authentication.
2. Enter Your AWS Cognito Credentials
Provide the following four values from your Cognito app client:
- Client ID – the app client ID from Cognito.
- Client Secret – the app client secret from Cognito.
- Authorize URL – your Cognito authorize endpoint.
- Alchemer already includes the https:// prefix, so enter only the portion that comes after it, using this format:
- <domain-prefix>.auth.<region>.amazoncognito.com/oauth2/authorize
- Example: us-east-123abc456.auth.us-east-2.amazoncognito.com/oauth2/authorize
- Token URL – your Cognito token endpoint.
- Alchemer already includes the https:// prefix, so enter only the portion that comes after it, using this format:
- <domain-prefix>.auth.<region>.amazoncognito.com/oauth2/token
- Example: us-east-123abc456.auth.us-east-2.amazoncognito.com/oauth2/token
3. Log In and Grant the Required Scopes
-
A pop-out window will appear and redirect you to the Cognito login page. Sign in with your credentials.
- When prompted, approve the requested scopes: alchemer/read and alchemer/write.
- Note: If the pop-out appears, then disappears, and the authentication is made, that means you were already logged in. There is no need to do anything else.
4. Save Your Authentication
-
Select Create.
-
Once created:
- The authentication is saved and reused for all AWS actions.
- You only need to update it if your Cognito app client credentials change.