What kind of permissions do I need to give/set to ...
# help
a
What kind of permissions do I need to give/set to allow a cognito identity pool unauthenticated access to a protected api endpoint? How would I do that using the Auth construct? Would it be something like below? I know there is a way to do this to allow for rate limiting and support user sessions.
const apiAuth = new sst.Auth(this, 'auth', {
  cognito: {
    userPool: myUserPool,
    userPoolClient: myUserPoolClient,
  },
  identityPool: {
    allowUnauthenticatedIdentities: false,
    identityPoolName: `api-identity-pool-${scope.stage}`,
  },
});

const api = new sst.Api(this, 'api', { /* ...with JWT or Cognito Authorizer... */ });

apiAuth.attachUnauthPermissions([api]);
f
apiAuth.attachUnauthPermissions() is used to grant unauthenticated users access to an IAM authorized Api endpoint
a
oh okay so we need an IAM authenticator not a cognito authenticator?
f
Yup, b/c for JWT, the client side is responsible for building the token. And the JWT authorizer is just going to validate the token, it treats the auth and unauth users the same.
Are you using IAM or JWT for ur API currently?
a
JWT
so I'd either have to make a custom authorizer
or make two api endpoints using the same lambda code but with different authorizers
one IAM and the other JWT
f
I see. The sst.Auth construct is meant to be used for APIs with IAM auth.
a
oh okay, so we shouldn't use Auth for cognito JWT access?
f
So Auth creates a User Pool and an Identity Pool. The Identity Pool is for IAM auth, so you probably don't need it.
You can still use the Auth construct for now, and just ignore the identity pool.
a
okay so I have 2 clients, 1 that is auth only, and the other is unauth only access, the auth only would just use my userpool, and the unauth-only client would need the identity pool. But would it need the userpool as part of the construct? i.e. do I have to pass cognito: true
f
Yeah you do.
Give it a try first… I haven’t done something similar, and I don’t want to give wrong information 😁