Looks like everybody can retrieve user_pool_id and client_id from the app and then use it. Like generate a lot of users or use my cognito pool to signin users in other app. Is i
