aws-amplify Authentication...how to access tokens on successful Auth.signIn?
Master System Design with Codemia
Enhance your system design skills with over 120 practice problems, detailed solutions, and hands-on exercises.
Introduction
In Amplify, signing in and fetching tokens are related but not identical steps. The sign-in call tells you whether authentication succeeded and whether more steps are required. The actual tokens are typically read from the current auth session after sign-in completes.
The Modern Pattern
In current Amplify JavaScript usage, the usual flow is:
- call
signIn - inspect the returned next-step state
- if the user is fully signed in, call
fetchAuthSession - read the tokens from the session
The key idea is that the sign-in result describes auth flow state, while the session object exposes the actual token set.
Why Tokens Are Not Always Returned Directly From Sign-In
Amplify auth flows can include more than one step:
- normal username and password sign-in
- password change challenge
- MFA confirmation
- new-password-required flow
- custom challenge flow
Because of that, the sign-in call cannot always just hand you final tokens immediately. Sometimes the user is not fully authenticated yet.
That is why the sign-in result includes state such as isSignedIn and nextStep. Tokens are meaningful only once the sign-in flow has actually finished.
Legacy Auth.signIn Code
Older Amplify examples often used the Auth namespace directly and then called Auth.currentSession() after a successful sign-in.
That pattern belongs to older Amplify APIs. If you are maintaining legacy code, it can still explain the examples you see online. For newer code, signIn plus fetchAuthSession is the clearer mental model.
Which Token Do You Actually Need
Amplify sessions can expose several token-related values. The most common ones are:
- access token for authorizing API calls
- ID token for identity claims
- refresh token handling managed by the auth session lifecycle
Do not treat them as interchangeable. If your backend expects a bearer token for an API request, that is usually the access token, not the ID token.
A Practical Usage Example
After sign-in, you might attach the access token to a request.
This is a good example of why session access is a separate step. You often need the auth state in one place and the token later in another place.
Common Pitfalls
The most common mistake is assuming a successful signIn call always means tokens are ready immediately, even when the auth flow still has a next step.
Another mistake is mixing modern Amplify modular APIs with older Auth.currentSession() examples without realizing they are from different API styles.
A third pitfall is using the ID token when the backend really expects the access token.
Summary
- In Amplify, sign-in success and token retrieval are usually separate steps.
- For modern modular APIs, call
signIn, thenfetchAuthSessiononceisSignedInis true. - Legacy code often used
Auth.signInfollowed byAuth.currentSession(). - Tokens are available from the auth session, not always from the sign-in return value itself.
- Make sure you use the correct token type for the backend you are calling.

