I think the author is confused. The previous "basic tier" is actually the "lite" tier. The prices are the same, but the number of "free" MAUs is reduced. The "advanced" and "essentials" tier include what seems to be new or expanded features like fully customizable logins and passwordless login options, so you have to pay more to access these features, but it looks like everything Cognito previously provided is in the "lite" tier.
Disclosure: I work for a competitor of Cognito, FusionAuth.
I agree, the author is totally confused.
Lite is equivalent to what was available before, and there's been a lot of improvements to Essentials and Plus (passkeys, more customization options). It is a bit weird that you have to be in the Plus plan to export user activity logs, but pricing is difficult. Depending on the number of users you had, Lite can cost quite a bit more (5x for 60k users).
The simple pricing, which was one of the key benefits of Cognito, has become more complex. I put together a spreadsheet to show the price changes here: https://docs.google.com/spreadsheets/d/1Nm5BUOjFlqqvaeDTERJm...
It's pretty clear that while there are increased features, if all you need is login, the pricing has increased significantly if you are above 10k MAU. If you are under 10k users, it's a wash, of course.
This spreadsheet ignores quota increase, SAML users, and M2M tokens, which are all charged separately.
However, you can see the Plus tier, which includes what was previously "Advanced security features", has gotten significantly cheaper (pricing for that feature sourced from https://medium.com/@demandapi/aws-cognito-advantages-pricing... ). So bravo to them for lowering that.
There's also complexity in switching tiers, since if you switch from Plus to Lite in the middle of the month, you'll be charged Plus for all users who logged in before the switch and Lite for all after. That's incidental, but still added complexity.
And, as a sibling comment notes, there's legacy pricing for anyone who has a user pool with at least 1 MAU in the last 12 months. This legacy pricing lasts until Nov 30, 2025, which gives folks a chance to migrate or adjust business models.
The post also doesn't mention this, from the pricing, which means existing customers in the free tier aren't suddenly being charged:
Note:
1. Customers with existing user pools created on or before 10:00am Pacific Time, November 22, 2024 will continue having a free tier of first 50,000 MAUs. Advanced Security Features (ASF) will continue to be priced separately and will not have a free tier, just like it has been priced previously.
2. Additionally, customers are eligible to create new user pools with Lite tier in their existing accounts and count those MAUs against the free tier of first 50,000 MAUs. To be eligible, customers' accounts must have had at least 1 MAU in the last 12 months on or before 10:00am Pacific Time, November 22, 2024.
My apologies, you are correct. I have edited the post and corrected the values.
Not at all. I appreciate the reporting because I do use Cognito and did miss this update. Amazon took something that used to be pretty flat and simple and has now made it "tiered" in a way that most of their other services aren't.
I'm not wild about it. Particularly because the web console now has a bunch of "upgrade your user pool tier" buttons littered all over the interface. You end up with a very hazy sense of what is covered and included and what isn't.
Anyways... thanks for the update!
Here's the simple thing to know about AWS. They sell two great products (EC2 and S3) below market value so that you get locked in and their sales teams can upsell you on everything else. If you are a customer and are tempted to try out their alphabet soup of managed services because it all seems so convenient – don't.
> below market value
Unless you would like your data to egress from an AWS datacenter, in which case they are a very, very long way above market value.
> two great products
RDS is also pretty great, and KMS is a pretty good way to store a private key per environment.
EC2 sold below market rate? S3 I could argue somehow (unconvincingly). But what's the argument for EC2?
Lots of competitors have S3 equivalents with complete coverage of the S3 API interface; it's a pure commodity at this point.
Who’s actually paying list price?
Anyone with more cash than sense, which is a lot of people. Every business I've worked for hooked up a credit card to AWS and never asked questions, until millions of wasted dollars later. Gotta love daddy corps with billions in reserve, and VC money that pours in like rain. I've been rebuffed multiple times trying to get them to buy SPs and RIs.
The majority of the customers.
(That majority of the customers might stand for less than the turnover of the minority that enjoys discounts. But that does not help you if you belong to the majority.)
Everybody who isn’t big enough to have an EDP in place.
Even then, you give some of the discount back as AWS Enterprise Support charges :)
Lots of comments about EC2's price. My personal experience is that we do not just pay for the computing power of EC2 but the productivity it offers: it's just magical that one can launch an availability group across multiple zones, set up its autoscaling rules, and let it run wild. Netflix used to build its platform on top of EC2s, and the result was that a single engineer could carry a pager for multiple services 24x7, stateful included, and still enjoy great work-life balance. It's also amazing how hard it is for companies to replicate their own EC2 in their own data centers.
EC2? It has not been under market value for a decade now. It used to take 12-24 months of on demand pricing to buy the hardware outright in the 00s. Today it's under 6 months for every instance type. With GPU instances being measured in weeks.
S3? Laughs in egress costs.
AWS considered harmful.
Speaking of great products, DynamoDB is pretty good too, to the point that there's no open-source equivalent to it yet. Cassandra probably comes the closest, but it has no true GSIs, no cross-table transactions, no easy and robust CDC like DynamoDB Streams, and its CAS is dog slow.
SQS is great too. To many people it's reliable and durable, and implements a pretty robust competitive consumer pattern.
SQS, SNS and Lambda are great as well
Those all do what they say on the tin (and do it well enough), but the vendor lockin is very real.
Okay! Apart from sanitation, medicine, education, wine, public order, irrigation, roads, the fresh-water system and public health, what have the Romans ever done for us!?
What else is left?
DynamoDB
We LOVE Lambda and SQS.
Gotta love Step Functions, Lambda, and also Kinesis Firehose!
SES is imo their top tier service!
... ?
Compared to Hetzner? Come on.
Amazon just prices S3 and EC2 at not-insane rates because they shadow charge you for I/O and network traffic at 10x a competitive rate, things that people don't actually look at when evaluating cloud providers.
I have no idea why anyone would use Cognito unless they don’t care about availability.
Almost every other SaaS vendor supports multi-region active-active and Cognito does not.
> Almost every other SaaS vendor supports multi-region active-active and Cognito does not.
Who are we talking about here? Google and Azure?
Auth0, Okta, Ping Identity, Azure, Google
Had some pretty negative experiences with pricing/"enterprise" sales tactics by Okta (which now owns Auth0, and they used the same tactics on both products). I will take AWS pricing shenanigans over that any day.
I'll take the scummy sales tactics over the cognito API any day of the week
Given the choice between a crummy API and being driven bankrupt by a SaaS vendor, I prefer a crummy API. I suppose your calculus might look different if you have a lot of money or an employer with great negotiating leverage.
Okta is not "active-active" in a multi-region sense; they run in a single active AWS Region per tenant. You can pay extra to have a faster failover in a region-level failure scenario:
https://support.okta.com/help/s/article/overview-of-enhanced...
Okta has been plagued by security issues [1], never heard of Ping Identity, Azure only makes sense if you get a sweetheart deal and are willing to deal with Azure's crap, and I'd never recommend anyone to use anything Google any more.
[1] https://www.flyingpenguin.com/?p=54722
Ping Identity runs the largest enterprise identity platforms on the planet after merging with ForgeRock last year. Think HSBC, JP Morgan Chase scale.
Ping is one of the oldest players in the business, they were founded in 2002 and had one of the earliest identity PaaS in the market (at least as far back as 2012). Haven't used their products much though.
What is active-active?
Being live in more than one region at the same time
I don't understand why AWS doesn't put more effort into Cognito without messing with pricing. It is such an effective loss-leader. If you're someone who will go past the free tiers for Cognito, the rest of your AWS spend will almost certainly be a lot more. Take advantage of that and stop measuring the Cognito team's success by their revenue and profitability. Usage alone should be the goal. You're still billed for all the lambda processing that happens on various Cognito hooks. You're still billed for all the API requests these Cognito users make.
The auth service space is so strange. Almost every vendor is ridiculously expensive for any B2C use-case. Cognito, with its free tier of 50k MAU, was one of the few relatively cheap options. Even the "open source core" offerings in the space are crazy if you use their hosted version. And their self-hosted versions inevitably end up requiring you to run Postgres, Redis cluster, a background job running task, etc. If you're not getting Cognito for cheap, you're better off just using libraries to roll your own auth service/module instead of going for any off the shelf auth SaaS or self-hosted solution.
> I don't understand why AWS doesn't put more effort into Cognito without messing with pricing. It is such an effective loss-leader
AWS team/org business priorities, like P&L computation, changed pretty drastically in 2022-23.
Historically there were a lot of services built, run, and measured on the idea of solving customers' diverse needs and making AWS a better place to run your business. This isn't a "loss leader" per se, but 1) profitability may not be your highest business priority, 2) customers & shareholders valued growth & diversity of offerings above almost everything else, 3) business units would set forward-looking pricing based on marginal rates 2-3 years out under better utilization models, 4) services would not uncommonly use "attribution" or "flow through" revenue models for P&L. E.g. autoscaling doesn't have a meaningful price, but it drives (hypothetically) 3% of EC2 instance hours. Autoscaling then books a portion of the 3% of instance hour revenue to their profit center. Cognito (or Route 53 or SSM, where I worked) would use this sort of P&L model.
Circa 2022 AMZN shareholders, Amazon execs, and the market more broadly turned to revenue and profit as the goal, no longer growth per se. This drastically changed a lot of internal business models. No more "free rides": book revenue, define and execute a plan to be a many-million-dollar direct revenue business; the old "growth and better together" story wasn't selling.
And I don't think that's a bad thing per se, as a shareholder. I appreciate the focus on proving your value via pricing and usage. But there will be some sad "abandonware" and service shutdowns over the next few years.
There are so many better auth providers out there now - and some of them are free for the first 10k or so users (WorkOS has the first 1M users free!)
which do you recommend?
I'm biased but Stack Auth [0] is fully open-source, self-hostable, and we offer reasonably priced managed hosting, if that floats your boat.
[0] https://github.com/stack-auth/stack
Wow, I just got done integrating NextAuth. I will totally switch to this if you can support my mobile API. My Next.js app has some API routes used by my native iOS app. It was a bit of a hassle with NextAuth and I was surprised at the lack of support and demand for it (am I crazy for using Next for a mobile API? I don't think so). If you support that use case (I didn't see anything in the docs), that would be great. I'm already done with the iOS portion, which basically stores the
Looks really nice! Really need Remix and TanStack support though - these are taking a lot of market share from Next.js because they have less confused models.
I think it shouldn't be too hard. I could even add Remix support for you if you wanted to do a contract (I am not able to do major open source work for free right now.)
I've used a few:
- Cognito: bad
- Clerk: OK for small-scale applications, but they're a small company 'moving fast and breaking things'. It's not stable enough for an enterprise-grade product that needs robustness.
- Auth0: Good but can get expensive
- WorkOS: Good for B2B, especially if 'directory syncing' is important for your use case
https://better-auth.com :)
PocketBase, Lucia Auth, there are so many options that won't meter you for MAU for a user table in your database.
Authentication is critical; you shouldn't be outsourcing this stuff anyhow. Learn how to harden your box, use Cloudflare Tunnel and don't store passwords in plaintext.
It's really not hard to do, and constantly being gaslighted into paying someone to do it for you because everybody else is doing it is just irresponsible.
Very much agree with your attitude here. What happens is that nice-to-have features like email reset/email magic login/social logins/etc. accumulate and you don't want to be on the hook for implementing them all yourself, especially with other priorities. Of course there are open solutions for most of these in most popular languages, but I've found even those take non-trivial amounts of time to set up right and test, and often aren't exactly what you want, or have unnecessary complexity.
I respect your view. I'm not involved with Lucia btw, but I do feel v2 covers a lot of those edge cases you described, and for almost all sub-100k concurrent sessions I find PocketBase delivers here (if anybody is interested).
I guess one clear difference is the lack of a marketing department from something well funded. I recall another HN comment here that said the best business model is to take something people can do already and mark it up by selling the pain points; that could be what's also helping all these auth-as-a-service vendors.
Please don’t roll your own Auth - there are too many examples where this went wrong.
Go with a proven, vetted, and trusted open source solution.
They increased prices, but looks like they finally are revamping the service. This is probably the biggest update in years.
Here's some reddit discussion on the same topic, which started with a link to the announcement blog: https://www.reddit.com/r/aws/comments/1gxgowz/improve_your_a...
Makes sense to me. These customers have margins and Amazon has an opportunity.
Can't find the pricing change announcement, mind sharing a link to it?
It’s mentioned in the blog the article links to.
https://aws.amazon.com/blogs/aws/improve-your-app-authentica...
Ah thanks, found at the bottom of the article.
Step 1: lock 'em in
Step 2: jack up the prices
"The greatest trick AWS ever played was convincing engineers that rolling your own infra is bad and scary."
Drug dealer pricing? You start free and once you are on the hook exorbitant increases will come.
Drug dealers are sensitive to the price their market can bear; they don't let you use unlimited drugs then charge you at the end of the month.
They would if supply was unlimited and cheap but they had monopoly power over the market.
Oh, hello Purdue Pharma!
And nobody saw this coming with the surge to “cloud”. /s
I don’t like AWS but god damn they are good marketers and had some good leadership that actually was ahead of the curve. Instead of min/maxing the quarterly earning calls.
Convince a nepo C-level executive of your offerings, wave your massive AWS dick while presenting your deck, throw in a few credits, keep it "cheap" for a number of years. Once the competition fizzles out, or you buy them up, nix those teaser rates and jack it up 100X over a decade.
Now AWS is pumping for the next millennia.
Let me ask you, non-combatively: do you think they can keep this up?
Their stock is bumping along at $200. If they can keep people coming in and staying, then the stock can go brrrr for decades. But if they can't, e.g. the trickle of CTOs repatriating workloads to on-prem becomes a roar, it won't, and AWS will turn into IBM.
You clearly have strong opinions on how AWS operates, but their stock holders are happy bunnies. What's your prediction?
AWS is the new IBM.
The question is if we're living in the new 1970s or 2000s.