What is a Cognito App Client Secret
Yes, you are right. It is something like a password. As for why it is used, this is not a Cognito specific property but a part of the OAuth2 standard. Indeed, using app secret in public apps running on browsers makes no sense. In general, when developing a public app, client secret is not used. If you do, you are responsible for securely storing it.
Coming to Cognito, like you said, its JS SDK does not use client secret (as it should be). However, if you use AWS CLI or boto3, you can use client secret. In this case, if your app client has a secret, you are supposed to calculate a hash using this secret and some other parameters (username + clientid I think) and pass it as a parameter.
But in terms of security, it does not really make a difference.
App Client ID
and App Client Secret
are necessary when you're using machine to machine communication, in this kind of communication you don't have a user and password. There's a grant type for that: Client Credentials
. To understand this a little bit better you can check https://auth0.com/docs/api-auth/which-oauth-flow-to-use