Fix OAuth Errors on AWS Cognito

Last updated: April 2026

Common Cognito OAuth errors and the console settings to address them.

redirect_uri_mismatch

AWS Console → Cognito → User Pools → Your Pool → App clients → Your client → Edit → Callback URLs. Add the exact URI.

https://yourapp.com/callback
http://localhost:3000/callback

Enable PKCE

AWS Console → Cognito → App clients → Auth flows → Enable ALLOW_USER_SRP_AUTH. PKCE is supported in the Authorization Code grant.

# Amplify config
Auth.configure({
  oauth: {
    domain: 'your-domain.auth.region.amazoncognito.com',
    scope: ['openid', 'email'],
    redirectSignIn: 'https://yourapp.com/callback',
    redirectSignOut: 'https://yourapp.com/logout',
    responseType: 'code',
  }
});

invalid_grant

Cognito authorization codes expire after 5 minutes. Exchange immediately. For refresh tokens, check: App clients → Refresh token expiration.

Token endpoint 400 error

# Verify the token endpoint URL format:
https://your-domain.auth.{region}.amazoncognito.com/oauth2/token
# Not the user pool endpoint