Comparison

Bastionary vs AWS Cognito.
Auth that doesn't require an AWS certification.

Cognito is tempting — it's already in your AWS account, it has a free tier for lower-volume use, and it's "managed." But Cognito has two separate concepts (User Pools vs Identity Pools) that confuse everyone the first time, its hosted UI is barely customizable, it includes provider-specific JWT claims that can require custom mapping code alongside standard OIDC libraries, and the moment you need multi-tenancy or enterprise SSO you're writing Lambda triggers. Bastionary is standard OIDC that works with every library, every framework, and every team.

Try Bastionary free → See the API

Free tier. Painful ceiling.

  • User Pools vs Identity Pools: Cognito has two separate systems — User Pools for authentication, Identity Pools for AWS resource authorization. Developers regularly confuse them. You often need both wired together via a Lambda trigger to do something basic like "assign a role on signup."
  • Provider-specific JWT claims: Cognito tokens are standard JWTs signed with RS256, and AWS recommends using sub as the primary user identifier. However, Cognito also includes provider-specific claims like cognito:groups and username that don't map directly to standard OIDC claims. Any library or middleware that assumes generic OIDC claim names will need explicit claim mapping.
  • Hosted UI limitations: Customizing the Cognito hosted UI means editing HTML/CSS in the AWS console with a live preview that takes 5 minutes to refresh. Custom domains require ACM certificates in us-east-1 specifically (even for non-US deployments). Full custom UI means implementing the auth flow yourself.
  • Lambda trigger hell: Enterprise features — custom auth flows, SAML attribute mapping, pre-token generation — all require Lambda triggers. That's IAM permissions, function deployment, CloudWatch logs, cold start latency, and function versioning for every auth customization.
  • Multi-tenancy is DIY: Cognito has no built-in tenant concept. Every company deploying B2B SaaS on Cognito either creates one User Pool per tenant (operational nightmare at scale) or rolls their own tenant partitioning inside a shared pool using custom attributes and Lambda triggers.
  • Pricing at scale: Cognito's pricing model has changed over time and now uses tiered plans (Lite, Essentials, Plus) with current free-tier thresholds and per-MAU rates documented by AWS. Verify current pricing at aws.amazon.com/cognito/pricing — the gap between the free tier and paid tiers for enterprise features is material for most scaling teams.
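The claim-mapping point above is the one most teams hit in code. The following is an added example, not code from Bastionary or AWS, showing the kind of normalization layer a generic OIDC middleware needs in front of Cognito tokens: it re-maps `cognito:username` / `username` and `cognito:groups` to the generic names most libraries expect, keeps `sub` as the only identity key (as AWS recommends), and refuses a token whose `token_use` does not match what the endpoint expects. It assumes the token's RS256 signature, expiry and audience have already been verified against the User Pool's JWKS; the sample payloads are constructed, not real tokens.

```python
"""Map Amazon Cognito JWT claims onto standard OIDC claim names.

Added example for this page; it is not code from Bastionary or AWS.
It assumes the token's RS256 signature, expiry and audience were already
verified against the User Pool's JWKS. Only the claim re-mapping and the
token_use check are shown here.
"""
from typing import Any, Dict

# Cognito-specific claim names and the generic names most OIDC middleware
# expects. AWS documents `cognito:username` in ID tokens, plain `username`
# in access tokens, and `cognito:groups` in both. `groups` is not an OIDC
# Core claim but is the name most authorization libraries look for.
COGNITO_TO_OIDC: Dict[str, str] = {
    "cognito:username": "preferred_username",
    "username": "preferred_username",
    "cognito:groups": "groups",
}


def normalize_cognito_claims(claims: Dict[str, Any], expected_use: str) -> Dict[str, Any]:
    """Return a copy of `claims` with Cognito-specific names re-mapped.

    `expected_use` is "id" or "access". Cognito sets `token_use` on every
    token, so an access token cannot be accepted where an ID token is
    required (or vice versa). `sub` is kept as the stable user identifier;
    `username` and `email` can change and must not be used as the key.
    """
    actual_use = claims.get("token_use")
    if actual_use != expected_use:
        raise ValueError(f"expected token_use={expected_use!r}, got {actual_use!r}")
    if not claims.get("sub"):
        raise ValueError("token has no sub claim")

    normalized: Dict[str, Any] = {}
    for name, value in claims.items():
        normalized[COGNITO_TO_OIDC.get(name, name)] = value

    # A missing cognito:groups claim means "no groups", not "unknown":
    # downstream checks must see an empty list, never a KeyError.
    normalized.setdefault("groups", [])
    if not isinstance(normalized["groups"], list):
        raise ValueError("groups claim must be a list")
    return normalized


def user_in_group(normalized: Dict[str, Any], group: str) -> bool:
    """Authorization check against the normalized (generic) claim name."""
    return group in normalized.get("groups", [])


# Constructed sample payloads in the shape Cognito issues (not real tokens).
SAMPLE_ID_CLAIMS: Dict[str, Any] = {
    "sub": "11111111-2222-3333-4444-555555555555",  # constructed placeholder
    "aud": "example-app-client-id",
    "token_use": "id",
    "cognito:username": "jdoe",
    "cognito:groups": ["admins"],
    "email": "jdoe@example.com",
    "exp": 1700000000,
}
SAMPLE_ACCESS_CLAIMS: Dict[str, Any] = {
    "sub": "11111111-2222-3333-4444-555555555555",  # constructed placeholder
    "client_id": "example-app-client-id",
    "token_use": "access",
    "username": "jdoe",
    "scope": "openid profile",
    "exp": 1700000000,
}

if __name__ == "__main__":
    print(normalize_cognito_claims(SAMPLE_ID_CLAIMS, "id"))
    print(normalize_cognito_claims(SAMPLE_ACCESS_CLAIMS, "access"))
```

The shape matters more than the mapping table: the normalization runs once, right after signature verification, so every route handler and library further down sees only `sub`, `preferred_username` and `groups`, and a later move to a standards-compliant provider changes this one function rather than every authorization check.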

What each does out of the box.

| Feature | AWS Cognito | Bastionary |
| --- | --- | --- |
| Standard OIDC | Partial — non-standard claims | Fully RFC-compliant |
| SAML 2.0 | User Pool only, Lambda triggers needed | Full, API-configured |
| SCIM 2.0 | | Built-in |
| Multi-tenancy | DIY (one pool per tenant or custom attributes) | First-class org model |
| Custom login UI | ~ Full rebuild required | CSS variables, no rebuild |
| Enterprise SSO | ~ Lambda triggers required | Self-service portal |
| Billing integration | | Stripe, Paddle, LemonSqueezy |
| Software licensing | | Offline RSA keys |
| Feature flags | | Built-in, plan-gated |
| HIBP breach detection | | Every password |
| DPoP tokens | | RFC 9449 |
| Pricing at 200K MAU | ~$825/mo (MAU fees) | $99/mo flat |
| AWS lock-in | Hard — Cognito-specific flows | Standard OIDC, run anywhere |
| Self-hosted option | | Deploy on your own infra |

Who should use each.

Cognito is the right choice if you're deep in the AWS ecosystem, your team knows IAM well, your user base is under 50K MAU with no near-term scaling plans, and you don't need multi-tenancy, custom auth flows, or non-AWS deployments. The free tier is genuinely useful for simple consumer apps with standard flows.

Bastionary is the right choice if you need standard OIDC that works with any library without surprises, are building B2B SaaS with multiple tenants, need billing/licensing/auth in one system, want to avoid AWS lock-in, or have already hit the Cognito Lambda trigger wall.

14-day free trial. No AWS required.

Standard OIDC. Deploy anywhere — your server, any cloud, or use ours. No Lambda triggers, no User Pool vs Identity Pool confusion.

Start free trial → Read the docs