Migrate to Kinde from AWS Cognito

Migrate your users from AWS Cognito to Kinde. The main constraint is that Cognito does not allow password export, so a direct password migration is not possible — drip-feed migration is the recommended path.

What you need

Link to this section

• A Kinde account with Admin access
• Kinde account configured to match your current auth provider — see before you migrate
• AWS CLI installed and configured with access to your Cognito User Pool

Key considerations

Link to this section

• No native export UI — Cognito doesn’t have a one-click export. You’ll need to use the AWS CLI or write a script to paginate through the user pool.
• Passwords cannot be exported — Cognito does not provide access to hashed passwords. Users imported from Cognito will need to reset their password or sign in via a new method — unless you use drip-feed migration.
• Drip-feed migration is the recommended approach — using Kinde’s user:existing_password_provided workflow, you can validate each user’s password against Cognito on first login and migrate them seamlessly with no password reset required.

Export users from Cognito

Link to this section

1. Export user data

Link to this section

Cognito has no UI export. Use the AWS CLI to list users from your User Pool:

aws cognito-idp list-users \
  --user-pool-id YOUR_USER_POOL_ID \
  --region YOUR_AWS_REGION \
  --query 'Users[*].{email:Attributes[?Name==`email`].Value|[0], sub:Username, name:Attributes[?Name==`name`].Value|[0]}' \
  --output json > cognito-users.json

For large user pools, use --pagination-token to page through results, or use a script to loop until all users are retrieved.

2. Prepare your CSV

Link to this section

Convert the JSON output to a Kinde-compatible CSV. The id field should be the Cognito sub (the user’s UUID in Cognito).

id,email,first_name,last_name,email_verified
{sub},{email},{given_name},{family_name},TRUE

For the full list of supported CSV fields — including organizations, roles, and permissions — see Prepare your CSV in the bulk import guide.

Choose your migration method

Link to this section

Drip-feed via Kinde Workflow (recommended)

Link to this section

Migrate users with no downtime and no password resets. On first login, a Kinde workflow validates the user’s password against Cognito using the ADMIN_USER_PASSWORD_AUTH flow. If valid, the user is created in Kinde and their password is set.

Before you start:

1. Bulk import user email addresses (without passwords) to seed Kinde with your user list.
2. Ensure ADMIN_USER_PASSWORD_AUTH is enabled on your Cognito App Client.
3. Enable Enumeration protection in Kinde: Settings > Attack protection > Enumeration protection.

The drip-feed migration tutorial includes the Cognito-specific workflow code.

Bulk import (with password reset)

Link to this section

If drip-feed is not an option, import users by email only. Users will be prompted to set a new password or sign in via a passwordless method on first sign-in.

1. Export emails and user details using the CLI command above.
2. Prepare your CSV (no password columns) - see the bulk import guide
3. Enable passwordless sign-in or password authentication in Kinde.
4. Go to Kinde > Users, select Import users, then select Custom CSV.
5. Follow the on-screen prompts to upload your file.
6. Review any errors reported after import. Fix the CSV and re-import to resolve them.

Next steps

Link to this section

• If using drip-feed, monitor the workflow logs to confirm users are migrating successfully.
• Once migration traffic from Cognito drops to zero, disable the workflow and decommission your Cognito User Pool.
• For users who never log in during the migration period, decide whether to keep them (force a password reset via the API) or remove inactive accounts.

Get support

Link to this section

If you need help with your migration, contact Kinde support.