# Kanject.Identity.Server

A Cognito-backed authorization server — fine-grained permissions and roles on top of your Cognito user pool, with token issue/validate helpers and a permission-sync pipeline, deployed natively on AWS.

> **Private beta:** Kanject.Identity.Server isn't generally available yet — there's no public package or `kanject baas deploy` for it. [Request beta access](https://www.kanject.com/baas/identity-server/) to get early access. Need auth *today*? [Kanject.Identity](https://www.kanject.com/docs/baas-identity/) (the Cognito user surface) is GA.

## What it does

- **Permission & role model** — system modules and group permissions your services enforce.
- **Cognito token helpers** — issue and validate tokens against your Cognito user pool.
- **Authorization pipeline** — `UseServerlessAuthorization()` wires permission checks into requests.
- **Permission sync** — the authorization state is synced to DynamoDB for fast lookups.
- **Pairs with Identity** — builds on the same Cognito surface as `Kanject.Identity`.

## Preview API

*Preview — the module is in private beta; the API may change before GA.*

```csharp
using Kanject.Identity.Server.Extensions;

// A Cognito-backed authorization server: fine-grained permissions and roles
// on top of your Cognito user pool, plus token issue/validate helpers.
builder.Services.AddCognitoAuthenticationTokenHelper(options =>
{
    // Cognito token configuration — region, user pool, client.
});
builder.Services.AddAuthorizationServer();

// Wires permission sync + authorization into the request pipeline.
app.UseServerlessAuthorization();
```

## Related modules

- **[Identity](https://www.kanject.com/docs/baas-identity/)** — The GA Cognito surface — your user store.
- **[NotificationHub](https://www.kanject.com/docs/baas-notifications/)** — Verification and consent flows.
- **[Insights](https://www.kanject.com/docs/baas-insights/)** — Auth usage tracking.

---
_Source: https://www.kanject.com/docs/baas-identity-server/ · Kanject Docs_
