You can use Cognito federated identities for corporate or social credentials to exchange them for temporary tokens that are used to access AWS service APIs. Developers can build custom user interfaces and work with authenticated and unauthenticated roles, so users can use your app once they have authenticated parts of your app anonymously:

Cognito user pools have support for OAuth 2.0, which is an open standard protocol for authentication, and the user pool can interact with multiple Identity Providers (IdP) to exchange credentials and gain temporary access tokens to invoke services such as S3:

In this example, the mobile client logs in with federated credentials, and this assertion is used to invoke the Cognito authentication flow, and the mobile app SDK will assume the web identity with STS and will return temporary user credentials to invoke S3 APIs.

Cognito can also synchronize data between devices providing the same experience when the user switches from a web experience to mobile, and with AppSync, you can have offline capabilities and events listening in the background. Let's assume that the customer has upgraded the subscription plan via web and they must immediately gain access to premium features in the mobile app. With the Cognito and AppSync SDKs, this is possible in a smooth way.