Authentication / Authorization

Out-of-the-box FormKiQ supports using JSON Web Tokens (JWT) through Amazon Cognito and AWS Identity and Access Management (IAM) to handle authentication to the platform. This provides the utmost in flexibilty when building customer facing and backend processing systems.

Authorization is handled through role-based access control assigned to each user.

FormKiQ Enterprise users have additional authentication options like Security Assertion Markup Language (SAML).


FormKiQ uses Amazon API Gateway to handle and secure all API traffic.

FormKiQ deploys two APIs; one is secured using Amazon Cognito JWT authorizer and the other one is secured using AWS Identity and Access Management (IAM). Both URLs can be found in the CloudFormation outputs of your FormKiQ stack.

CloudFormation Outputs API Urls

The HttpApiUrl is secured using the JWT authorizers and access is typically granted through a username and password.

The IamApiUrl is secured using AWS Identity and Access Management (IAM) and is used for backend processing. When IAM authorization is used, clients must use Signature Version 4 to sign their requests with AWS credentials.

Examples of how to use the APIs can be found in FormKiQ Tutorials

Web Console

FormKiQ comes with a fully-functional console for interacting with documents, built using React. This console can be referenced when creating custom applications that will interact with the FormKiQ Document API. The console URL can be found in the CloudFormation outputs.

CloudFormation Outputs Console Url

Console access is controlled through the Amazon Cognito JWT authorizer. By default the AdminEmail configured during the CloudFormation creation is created as an administrator user.

Additional users can be added manually through the Cognito Console.

Add User(s)

To add a new user, start by visiting the Cognito Console. You should find the Cognito User pool with the configured AppEnvironment in the name.

Cognito Home
If you do not see a Cognito User pool, check that the region you are in matches the region where you have installed FormKiQ.
Cognito Users Tab

Clicking the Cognito Users tab, you should see the administrator user that was created during the installation process.

To add a new user, click the Create user button.

Cognito Create User

On the Create User page,

  • enter the Email Address of the user to create

  • select Send an email invitation

  • click Mark email address as verified

  • select Generate a password

Click the Create user button to finish creating the new user. The user receive an email at the specified email address, with a link to finalize setting up their account.

Cognito User List

The user is now created with read / write access to the default site id.

Group Permissions

FormKiQ starts with three default groups.

  • Admins - Group for administrators of FormKiQ

  • default - Read / Write permission for the default site id

  • default_read - Read permission for the default site id

Cognito Group List

By default if a user belongs to no groups, it will be given the "default" group permissions. By clicking on any of the groups users can be easily added or removed.