# API Key Management

All FinOps Center APIs are managed by Cognito

#### **FinOps Center AppSync API Credential Management** 

* **Amazon Cognito Federated Identities** issue short-lived **AWS credentials** using STS under an IAM role.
* **Amazon Cognito User Pools** issue **JWT tokens** that are used to authenticate AppSync requests.
* Because Cognito-issued credentials are **automatically rotated and expire frequently (typically after 1 hour)**, long-term key rotation is not required for day-to-day operations.