Authenticating AppSync mutation using AWS Cognito User pool on Graphql playground

Question

A very basic scenario where I want to test an AppSync mutation on Graphql playground which was working fine with API key authentication.

I have attached an additional authorization provider besides the API key authentication.

Mutation:

type Mutation {
  createPitch(gameID: ID!, pitchID: Int!, pitchEvent: PitchInput!): Pitch
    @aws_api_key
  predictPitch(userID: String!, gamePitchID: String!, prediction: PredictionInput): Prediction
    @aws_cognito_user_pools
}

Invoking predictPitch mutation on graphql playground:

mutation PredictPitch($prediction:PredictionInput) {
  predictPitch(userID: "12345", gamePitchID: "29fb2xx-xxxxx-xxxxx-1", 
  prediction: $prediction ) {
    gameID
    gamePitchID
  }
}

query variables:

{
  "prediction": {
    "gameID": "29",
    "hitterGuess": "Miss",
    "pitcherGuess": "Fastball"
  }
}

Headers:

{
  "X-API-KEY": "da2-o6fs2lq47vbehexxxxxxxx",
  "Authorization": "Bearer xxxx-the-pretty-long-jwt-token-from-cognito login"
}

I have tried Authorization header alone and in conjunction with x-api-key. Nothing worked so far. I am pretty sure I am missing a very tiny bit.

{
  "error": {
    "errors": [
      {
        "errorType": "UnauthorizedException",
        "message": "Valid authorization header not provided."
      }
    ]
  }
}

NOTE: The JWT token AccessToken is generated via aws-cli aws cognito-idp admin-initiate-auth.

Answer 1

I had to add @aws_cognito_user_pools on type Prediction along with my mutation.

type Prediction @aws_cognito_user_pools {
   gameID
   gamePitchID
}

Also, from Cognito I had to use idToken like so:

{
   "Authorization": "xxxxxxxxxx"
}

Do notice the Bearer is missing.