User Pool = authentication (who is this person?). Handles sign up, sign in, password reset, MFA, and issues JWTs. Think of it as a user directory with OAuth 2.0 / OIDC built in. Identity Pool = authorization (what can they access?). Exchanges tokens for temporary AWS credentials with specific IAM permissions. Most apps only need User Pools.