Dual-Token Authentication for Nakama Game Servers with Cognito
A dual-token architecture pairs AWS Cognito with Nakama game servers, using CloudFront, ALB, and NLB layers to validate player identity independently of game sessions.
A proposed architecture for AWS-hosted Nakama game servers links Amazon Cognito's managed identity service with Nakama's own session-token system without interrupting gameplay. Cognito issues a JWT via an SRP-based flow that never exposes the password to the network, while a server-side Go hook validates that token and maps its sub claim to a Nakama user ID. Both tokens are verified independently on every request, keeping the two systems decoupled at runtime.
On the infrastructure side, Nakama sits behind a default-closed routing layer: CloudFront acts as the single HTTPS entry point, AWS WAF filters traffic at the edge, an Application Load Balancer enforces an explicit route allow-list for HTTP, and a Network Load Balancer passes WebSocket traffic straight through via TCP passthrough. Nakama itself runs on Amazon ECS with Fargate. Because the ALB operates at Layer 7 with path-based rules while the NLB operates at Layer 4 and forwards raw TCP streams untouched, the two load balancers can't be merged into one.
The Go hook validates each Cognito JWT in five steps — format, RS256-only algorithm, JWKS signature check, expiry, and issuer/audience matching — ensuring client-supplied identity claims are never trusted outright, which closes off player impersonation. Combined with Terraform-defined infrastructure, this separation lets identity and game-session management scale and operate independently of one another.