In the Cognito User Pool console under User pool properties > Lambda triggers, attach your Lambda function to the Pre token generation trigger.
Your Lambda handler receives an event object; read event.request.userAttributes and event.request.groupConfiguration to access the user data available at token time, and event.triggerSource to learn which flow invoked the trigger. Treat groups as the authoritative input for authorization claims: group membership is managed by administrators, whereas some user attributes may be writable by the user themselves.
Modify event.response.claimsOverrideDetails to add, suppress, or override claims: use claimsToAddOrOverride for additions and overrides, claimsToSuppress for removals, and groupOverrideDetails if you need to change the groups or IAM roles reflected in the token.
Return the modified event object from your handler; Cognito uses the response to shape the final token claims.
Test end-to-end by authenticating a user and decoding the resulting ID token to confirm the custom claims appear as expected. With the version 1 trigger event described here only the ID token is customized; customizing the access token requires the version 2 event.
Keep the handler fast, including any downstream calls it makes; see the timeout gotcha below.
Known gotchas
Cognito waits at most 5 seconds for any Lambda trigger, regardless of the timeout configured on the function itself; if the function does not respond in time Cognito retries, and after three unsuccessful attempts the request fails. Any downstream call (DynamoDB, an external API) must complete well within that window, so put a deadline on it and decide up front what to do when it is missed.
Reserved claims such as sub cannot be suppressed; attempting to suppress one causes token issuance to fail. Only suppress claims your application does not depend on.
The pre-token-generation trigger fires for token refreshes (triggerSource TokenGeneration_RefreshTokens) as well as for new sign-ins, so the handler must produce correct claims from the user's current state on every invocation rather than assuming a fresh login. Recompute rather than cache: a group removal takes effect at the next refresh only if the refresh path recomputes the claims.
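The steps above and the gotchas, as one worked handler. This is an added example, not code from the original page or from AWS: a Node.js handler for the version 1 Pre Token Generation event that derives claims from admin-managed groups, runs a downstream lookup under a deadline well below the 5-second cap, refuses to touch reserved claims, and returns the event. The lookupEntitlements function, the "custom:tenant" attribute, the claim names, the sample event and the list of reserved claims are all assumptions made for the example (the list is deliberately conservative; check the AWS documentation for the full set), and claim values are kept as strings.

```javascript
// Added example: Pre Token Generation (version 1 event) handler for Cognito.
// Everything below the reserved-claim list is constructed for illustration.

// Reserved claims that must never be added, overridden or suppressed.
// Conservative list (assumption); consult the AWS docs for the full set.
const RESERVED_CLAIMS = new Set([
  "sub", "iss", "aud", "exp", "iat", "auth_time", "token_use",
]);

// Fail closed: a handler bug that touches a reserved claim should break
// the build, not silently ship a token with unexpected contents.
function assertNotReserved(claimNames) {
  const bad = claimNames.filter((name) => RESERVED_CLAIMS.has(name));
  if (bad.length > 0) {
    throw new Error(`refusing to modify reserved claim(s): ${bad.join(", ")}`);
  }
}

// Race a promise against a timer; resolve with `fallback` if the deadline
// passes. The timer is cleared so it cannot keep the Lambda alive.
function withDeadline(promise, ms, fallback) {
  let timer;
  const timeout = new Promise((resolve) => {
    timer = setTimeout(() => resolve(fallback), ms);
  });
  return Promise.race([promise, timeout]).finally(() => clearTimeout(timer));
}

// Stand-in for a DynamoDB or HTTP lookup (constructed data, small delay).
const ENTITLEMENTS_BY_TENANT = { acme: ["reports", "export"] };
async function lookupEntitlements(tenant) {
  await new Promise((resolve) => setTimeout(resolve, 5));
  return ENTITLEMENTS_BY_TENANT[tenant] || [];
}

// Pure function: derive the override block from the event and lookup result.
// Authorization claims come from groups (admin-managed), not from attributes
// the user may be allowed to edit. There is no branch on triggerSource:
// refreshes recompute from current state, so a group removal shows up at the
// next refresh.
function buildOverride(event, entitlements) {
  const attrs = event.request.userAttributes || {};
  const groupConfig = event.request.groupConfiguration || {};
  const groups = groupConfig.groupsToOverride || [];

  const claimsToAddOrOverride = {
    app_role: groups.includes("admins") ? "admin" : "member",
    tenant_id: attrs["custom:tenant"] || "",
    entitlements: entitlements.join(","),
  };
  // Drop a claim the application does not need in the ID token.
  const claimsToSuppress = ["phone_number"];

  assertNotReserved([...Object.keys(claimsToAddOrOverride), ...claimsToSuppress]);
  return { claimsToAddOrOverride, claimsToSuppress };
}

// Lambda entry point. The lookup gets a 1500 ms budget so the whole
// invocation stays well under Cognito's 5-second cap; on a slow backend the
// user still signs in, just without entitlement claims.
async function handler(event) {
  const attrs = event.request.userAttributes || {};
  const tenant = attrs["custom:tenant"];
  const entitlements = tenant
    ? await withDeadline(lookupEntitlements(tenant), 1500, [])
    : [];
  event.response = { claimsOverrideDetails: buildOverride(event, entitlements) };
  return event; // Cognito reads claimsOverrideDetails from the returned event
}

// Constructed sample event in the version 1 shape (values are made up).
const SAMPLE_EVENT = {
  version: "1",
  triggerSource: "TokenGeneration_Authentication",
  region: "us-east-1",
  userPoolId: "us-east-1_example",
  userName: "alice",
  request: {
    userAttributes: {
      sub: "00000000-0000-4000-8000-000000000001",
      email: "alice@example.com",
      phone_number: "+15555550100",
      "custom:tenant": "acme",
    },
    groupConfiguration: { groupsToOverride: ["admins"], iamRolesToOverride: [] },
  },
  response: {},
};

if (typeof module !== "undefined") module.exports = { handler };
```

Deploy `handler` as the function's entry point. To see the deadline path, point the lookup at a backend that stalls: the user still gets a token, with an empty entitlements claim, instead of a retried and ultimately failed login.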