fetchAuthSession always made a call even with localStorage

[djanito]

Before opening, please confirm:

• I have searched for duplicate or closed issues and discussions.
• I have read the guide for submitting bug reports.
• I have done my best to include a minimal, self-contained set of instructions for consistently reproducing the issue.

JavaScript Framework

Vue

Amplify APIs

REST API

Amplify Version

v6

Amplify Categories

auth

Backend

Other

Environment information

  System:
    OS: Windows 10 10.0.19045
    CPU: (12) x64 13th Gen Intel(R) Core(TM) i5-1345U
    Memory: 7.23 GB / 31.69 GB
  Binaries:
    Node: 22.9.0 - C:\Program Files\nodejs\node.EXE
    npm: 11.4.0 - C:\Program Files\nodejs\npm.CMD
  Browsers:
    Edge: Chromium (128.0.2739.67)
    Internet Explorer: 11.0.19041.4355
  npmPackages:
    @aws-sdk/client-cognito-identity-provider: ^3.810.0 => 3.817.0
    @datadog/browser-rum: ^6.6.4 => 6.7.0
    @eslint/compat: ^1.2.9 => 1.2.9
    @eslint/js: ^9.26.0 => 9.27.0
    @iconify/json: ^2.2.338 => 2.2.341
    @iconify/vue: ^4.3.0 => 4.3.0
    @iconify/vue/offline:  undefined ()
    @intlify/unplugin-vue-i18n: ^6.0.8 => 6.0.8
    @pinia/testing: ^1.0.1 => 1.0.1
    @primeuix/themes: ^1.1.1 => 1.1.1
    @primevue/auto-import-resolver: ^4.3.4 => 4.3.4
    @primevue/core: ^4.3.4 => 4.3.4
    @primevue/forms: ^4.3.4 => 4.3.4
    @rushstack/eslint-patch: ^1.11.0 => 1.11.0
    @tailwindcss/vite: ^4.1.6 => 4.1.7
    @types/lodash: ^4.17.16 => 4.17.17
    @types/node: ^22.15.18 => 22.15.21
    @types/uuid: ^10.0.0 => 10.0.0 (9.0.8)
    @typescript-eslint/eslint-plugin: ^8.32.1 => 8.32.1
    @typescript-eslint/parser: ^8.32.1 => 8.32.1
    @typescript-eslint/types: ^8.32.1 => 8.32.1
    @vitejs/plugin-vue: ^5.2.4 => 5.2.4
    @vitejs/plugin-vue-jsx: ^4.1.2 => 4.2.0
    @vitest/coverage-v8: ^3.1.3 => 3.1.4
    @vue/eslint-config-prettier: ^10.2.0 => 10.2.0
    @vue/eslint-config-typescript: ^14.5.0 => 14.5.0
    @vue/test-utils: ^2.4.6 => 2.4.6
    @vue/tsconfig: ^0.7.0 => 0.7.0
    amazon-quicksight-embedding-sdk: ^2.10.1 => 2.10.1
    autoprefixer: ^10.4.21 => 10.4.21
    aws-amplify: ^6.14.4 => 6.14.4
    aws-amplify/adapter-core:  undefined ()
    aws-amplify/adapter-core/internals:  undefined ()
    aws-amplify/analytics:  undefined ()
    aws-amplify/analytics/kinesis:  undefined ()
    aws-amplify/analytics/kinesis-firehose:  undefined ()
    aws-amplify/analytics/personalize:  undefined ()
    aws-amplify/analytics/pinpoint:  undefined ()
    aws-amplify/api:  undefined ()
    aws-amplify/api/internals:  undefined ()
    aws-amplify/api/server:  undefined ()
    aws-amplify/auth:  undefined ()
    aws-amplify/auth/cognito:  undefined ()
    aws-amplify/auth/cognito/server:  undefined ()
    aws-amplify/auth/enable-oauth-listener:  undefined ()
    aws-amplify/auth/server:  undefined ()
    aws-amplify/data:  undefined ()
    aws-amplify/data/server:  undefined ()
    aws-amplify/datastore:  undefined ()
    aws-amplify/in-app-messaging:  undefined ()
    aws-amplify/in-app-messaging/pinpoint:  undefined ()
    aws-amplify/push-notifications:  undefined ()
    aws-amplify/push-notifications/pinpoint:  undefined ()
    aws-amplify/storage:  undefined ()
    aws-amplify/storage/s3:  undefined ()
    aws-amplify/storage/s3/server:  undefined ()
    aws-amplify/storage/server:  undefined ()
    aws-amplify/utils:  undefined ()
    eslint: ^9.26.0 => 9.27.0
    eslint-config-prettier: ^10.1.5 => 10.1.5
    eslint-plugin-prettier: ^5.4.0 => 5.4.0
    eslint-plugin-vue: ^10.1.0 => 10.1.0
    happy-dom: ^17.4.7 => 17.4.7
    husky: ^9.1.7 => 9.1.7
    lint-staged: ^15.5.2 => 15.5.2
    lodash: ^4.17.21 => 4.17.21
    moment: ^2.30.1 => 2.30.1
    moment-timezone: ^0.5.48 => 0.5.48
    npm-run-all: ^4.1.5 => 4.1.5
    pinia: ^3.0.2 => 3.0.2
    pinia-plugin-persistedstate: ^4.3.0 => 4.3.0
    prettier: ^3.5.3 => 3.5.3
    primeicons: ^7.0.0 => 7.0.0
    primevue: ^4.3.4 => 4.3.4
    rollup-plugin-visualizer: ^5.14.0 => 5.14.0
    sass: ^1.88.0 => 1.89.0
    swiper: ^11.2.6 => 11.2.8
    tailwindcss: ^4.1.6 => 4.1.7
    typescript: ~5.8.3 => 5.8.3
    typescript-eslint: ^8.32.1 => 8.32.1
    unplugin-auto-import: ^19.2.0 => 19.3.0
    unplugin-icons: ^22.1.0 => 22.1.0
    unplugin-vue-components: ^28.5.0 => 28.7.0
    uuid: ^11.1.0 => 11.1.0 (9.0.1)
    vite: ^6.3.5 => 6.3.5
    vitest: ^3.1.3 => 3.1.4
    vue: ^3.5.14 => 3.5.15
    vue-content-loader: ^2.0.1 => 2.0.1
    vue-eslint-parser: ^10.1.3 => 10.1.3
    vue-i18n: ^11.1.3 => 11.1.4 (10.0.7)
    vue-router: ^4.5.1 => 4.5.1
    vue-tsc: ^2.2.10 => 2.2.10
    vuedraggable: ^4.1.0 => 4.1.0
    worker-loader: ^3.0.8 => 3.0.8
    yorkie: ^2.0.0 => 2.0.0
    yup: ^1.6.1 => 1.6.1
  npmGlobalPackages:
    @vue/cli: 5.0.8
    npm-check-updates: 18.0.1
    npm: 11.4.0
    uv: 1.4.0

Describe the bug

Hello,

I have an api gateway that is secured with a custom authorizer that requires an accessToken. That's why I tried to setup a bearer token auth using Amplify.

I just saw that cognito auth information (idToken, accessToken etc..) are stored by default in the localStorage. However, for each call made to my API, it triggers a call to the cognito endpoint to get accessToken.

I don't understand the purpose of the localStorage in that case if it triggers a new call each time.

What should I do to optimize my calls and avoid that while still getting new token when the previous one is expired. I'm also using Pinia but I don't know if it can help.

Expected behavior

I want fetchAuthSession to look first in the storage to get the information, check if expired and if yes, then trigger a new call.

Reproduction steps

1. Just do npm run dev
2. Check local storage to see if cognito date are stored on localStorage
3. Navigate through my website and see a request to https://cognito-identity.eu-west-1.amazonaws.com/ for each call to my API

Code Snippet

// Put your code below this line.

Log output

No response

aws-exports.js

No response

Manual configuration

{
    Auth: {
      Cognito: {
        userPoolId: import.meta.env.VITE_APP_COGNITO_USER_POOL_ID,
        userPoolClientId: import.meta.env.VITE_APP_COGNITO_USER_POOL_CLIENT_ID,
        identityPoolId: import.meta.env.VITE_APP_COGNITO_IDENTITY_POOL_ID,
        signUpVerificationMethod: 'code',
        loginWith: {
          oauth: {
            domain: import.meta.env.VITE_APP_COGNITO_OAUTH_DOMAIN,
            scopes: ['aws.cognito.signin.user.admin', 'email', 'profile', 'openid'],
            redirectSignIn: [import.meta.env.VITE_APP_REDIRECT_SIGN_IN],
            redirectSignOut: [import.meta.env.VITE_APP_REDIRECT_SIGN_OUT],
            responseType: 'code'
          }
        }
      }
    },
    API: {
      REST: {
        api: {
          endpoint: API_ENDPOINT,
          region: import.meta.env.VITE_APP_CONTROL_TOWER_API_REGION
        }
      }
    }
  },
  {
    API: {
      REST: {
        headers: async () => {
          return {
            Authorization: `Bearer ${(await fetchAuthSession()).tokens?.accessToken?.toString()}`
          };
        }
      }
    }
  }
}

Additional configuration

No response

Mobile Device

No response

Mobile Operating System

No response

Mobile Browser

No response

Mobile Browser Version

No response

Additional information and screenshots

No response

[nadetastic]

Hi @djanito thank you for opening this issue. Just to confirm, you have setup a Rest API and as part of the config you are calling fetchAuthSession to include the accessToken, however this appears to be making a network request each time.

fetchAuthSession should make an network call only if the token is expired, otherwise it will retrieve it from the token store. Can you confirm if the token is expired whenever you see the network call happening?

[Xarno]

Yes i can confirm the same behavior. I wanted to reduce an api call to fetch user information, because they are already in the idToken, from the signIn() request. fetchAuthSession() is still doing a network request.
FetchAuthSession wants to do this, and that will always execute a network request:

amplify-js/packages/core/src/singleton/Auth/index.ts

Lines 71 to 80 in 2b4282a

	// getCredentialsAndIdentityId will throw if cannot get credentials (network or service error)
	credentialsAndIdentityId =
	await this.authOptions?.credentialsProvider?.getCredentialsAndIdentityId(
	{
	authConfig: this.authConfig,
	tokens,
	authenticated: true,
	forceRefresh: options.forceRefresh,
	},
	);

The getTokens() function in the same class is not exported, neither is any other function to get hold of the tokens. Why?

I don't need AWS API permissions on my cognito users, so i have not setup any identity providers. Resulting in this error, as noticed by the comment in code above. But I would be fine to just get the tokens.

__type	"NotAuthorizedException"
message	"Identity pool - eu-central-1:5666bba2-035b-4d80-9155-26f5ad05b7dd does not have identity providers configured."

I added a permission less identity provider now to my userpool, as it looks like there is no way to keep the tokens fresh without calling fetchAuthSession().

[pranavosu]

Hey @Xarno, you can try to get the tokens from from the cognitoUserPoolsTokenProvider. I think fetchAuthSession always tries to get the latest AWS creds in addition to your JWTs, since an identity pool is set up.

    import { cognitoUserPoolsTokenProvider } from 'aws-amplify/auth/cognito';

    const { accessToken } = await cognitoUserPoolsTokenProvider.authTokenStore.loadTokens();

    const jwtToken = accessToken.toString();