AWS Security ChangesHomeSearch

AWS cognito documentation change

Service: cognito · 2025-05-01 · Documentation medium

File: cognito/latest/developerguide/cognito-user-pools-define-resource-servers.md

Summary

Added documentation for passing client metadata in M2M requests

Security assessment

Documents security-related feature allowing client metadata in machine-to-machine authentication flows for Lambda triggers, enabling enhanced security controls.

Diff

diff --git a/cognito/latest/developerguide/cognito-user-pools-define-resource-servers.md b/cognito/latest/developerguide/cognito-user-pools-define-resource-servers.md
index 6b1c600b1..8f79d99d0 100644
--- a//cognito/latest/developerguide/cognito-user-pools-define-resource-servers.md
+++ b//cognito/latest/developerguide/cognito-user-pools-define-resource-servers.md
@@ -63,0 +64,2 @@ The access token from a client credentials grant is a verifiable statement of th
+You can pass [client metadata](./cognito-user-pools-working-with-lambda-triggers.html#working-with-lambda-trigger-client-metadata) in M2M requests. Client metadata is additional information from a user or application environment that can contribute to the outcomes of a [Pre token generation Lambda trigger](./user-pool-lambda-pre-token-generation.html). Instead of in the body of an API request like with other Lambda triggers, you pass client metadata in `x-www-form-urlencoded` in the POST body of a request to the [Token endpoint](./token-endpoint.html). For an example request, see [Client credentials with basic authorization](./token-endpoint.html#exchanging-client-credentials-for-an-access-token-in-request-body).
+