Class: AWS.CognitoIdentityServiceProvider
- Inherits: AWS.Service (Object > AWS.Service > AWS.CognitoIdentityServiceProvider)
- Identifier: cognitoidentityserviceprovider
- API Version: 2016-04-18
- Defined in: (unknown)
Overview
Constructs a service interface object. Each API operation is exposed as a function on service.
Service Description
With the Amazon Cognito user pools API, you can configure user pools and authenticate users. To authenticate users from third-party identity providers (IdPs) in this API, you can link IdP users to native user profiles. Learn more about the authentication and authorization of federated users at Adding user pool sign-in through a third party and in the User pool federation endpoints and hosted UI reference.
This API reference provides detailed information about API operations and object types in Amazon Cognito.
Along with resource management operations, the Amazon Cognito user pools API includes classes of operations and authorization models for client-side and server-side authentication of users. You can interact with operations in the Amazon Cognito user pools API as any of the following subjects.
- An administrator who wants to configure user pools, app clients, users, groups, or other user pool functions.
- A server-side app, like a web application, that wants to use its Amazon Web Services privileges to manage, authenticate, or authorize a user.
- A client-side app, like a mobile app, that wants to make unauthenticated requests to manage, authenticate, or authorize a user.
For more information, see Using the Amazon Cognito user pools API and user pool endpoints in the Amazon Cognito Developer Guide.
With your Amazon Web Services SDK, you can build the logic to support operational flows in every use case for this API. You can also make direct REST API requests to Amazon Cognito user pools service endpoints. The following links can get you started with the CognitoIdentityProvider client in other supported Amazon Web Services SDKs.
To get started with an Amazon Web Services SDK, see Tools to Build on Amazon Web Services. For example actions and scenarios, see Code examples for Amazon Cognito Identity Provider using Amazon Web Services SDKs.
Sending a Request Using CognitoIdentityServiceProvider
var cognitoidentityserviceprovider = new AWS.CognitoIdentityServiceProvider();
cognitoidentityserviceprovider.adminForgetDevice(params, function (err, data) {
  if (err) console.log(err, err.stack); // an error occurred
  else console.log(data); // successful response
});
Locking the API Version
In order to ensure that the CognitoIdentityServiceProvider object uses this specific API, you can construct the object by passing the apiVersion option to the constructor:
var cognitoidentityserviceprovider = new AWS.CognitoIdentityServiceProvider({apiVersion: '2016-04-18'});
You can also set the API version globally in AWS.config.apiVersions using the cognitoidentityserviceprovider service identifier:
AWS.config.apiVersions = {
  cognitoidentityserviceprovider: '2016-04-18',
  // other service API versions
};
var cognitoidentityserviceprovider = new AWS.CognitoIdentityServiceProvider();
Constructor Summary
- new AWS.CognitoIdentityServiceProvider(options = {}) ⇒ Object (constructor)
Constructs a service object.
Property Summary
- endpoint ⇒ AWS.Endpoint (readwrite)
An Endpoint object representing the endpoint URL for service requests.
Properties inherited from AWS.Service
Method Summary
- addCustomAttributes(params = {}, callback) ⇒ AWS.Request
Adds additional user attributes to the user pool schema.
Note: Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation.
- adminAddUserToGroup(params = {}, callback) ⇒ AWS.Request
Adds a user to a group.
- adminConfirmSignUp(params = {}, callback) ⇒ AWS.Request
This IAM-authenticated API operation confirms user sign-up as an administrator.
- adminCreateUser(params = {}, callback) ⇒ AWS.Request
Creates a new user in the specified user pool.
If MessageAction isn't set, the default is to send a welcome message via email or phone (SMS).
Note: This action might generate an SMS text message.
- adminDeleteUser(params = {}, callback) ⇒ AWS.Request
Deletes a user as an administrator.
- adminDeleteUserAttributes(params = {}, callback) ⇒ AWS.Request
Deletes the user attributes in a user pool as an administrator.
- adminDisableProviderForUser(params = {}, callback) ⇒ AWS.Request
Prevents the user from signing in with the specified external (SAML or social) identity provider (IdP).
- adminDisableUser(params = {}, callback) ⇒ AWS.Request
Deactivates a user and revokes all access tokens for the user.
- adminEnableUser(params = {}, callback) ⇒ AWS.Request
Enables the specified user as an administrator.
- adminForgetDevice(params = {}, callback) ⇒ AWS.Request
Forgets the device, as an administrator.
Note: Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation.
- adminGetDevice(params = {}, callback) ⇒ AWS.Request
Gets the device, as an administrator.
Note: Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation.
- adminGetUser(params = {}, callback) ⇒ AWS.Request
Gets the specified user by user name in a user pool as an administrator.
- adminInitiateAuth(params = {}, callback) ⇒ AWS.Request
Initiates the authentication flow, as an administrator.
Note: This action might generate an SMS text message.
- adminLinkProviderForUser(params = {}, callback) ⇒ AWS.Request
Links an existing user account in a user pool (DestinationUser) to an identity from an external IdP (SourceUser) based on a specified attribute name and value from the external IdP.
- adminListDevices(params = {}, callback) ⇒ AWS.Request
Lists devices, as an administrator.
Note: Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation.
- adminListGroupsForUser(params = {}, callback) ⇒ AWS.Request
Lists the groups that a user belongs to.
Note: Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation.
- adminListUserAuthEvents(params = {}, callback) ⇒ AWS.Request
A history of user activity and any risks detected as part of Amazon Cognito advanced security.
Note: Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation.
- adminRemoveUserFromGroup(params = {}, callback) ⇒ AWS.Request
Removes the specified user from the specified group.
Note: Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation.
- adminResetUserPassword(params = {}, callback) ⇒ AWS.Request
Resets the specified user's password in a user pool as an administrator.
- adminRespondToAuthChallenge(params = {}, callback) ⇒ AWS.Request
Some API operations in a user pool generate a challenge, like a prompt for an MFA code, for device authentication that bypasses MFA, or for a custom authentication challenge.
- adminSetUserMFAPreference(params = {}, callback) ⇒ AWS.Request
The user's multi-factor authentication (MFA) preference, including which MFA options are activated, and if any are preferred.
- adminSetUserPassword(params = {}, callback) ⇒ AWS.Request
Sets the specified user's password in a user pool as an administrator.
- adminSetUserSettings(params = {}, callback) ⇒ AWS.Request
This action is no longer supported. You can use it to configure only SMS MFA.
- adminUpdateAuthEventFeedback(params = {}, callback) ⇒ AWS.Request
Provides feedback for an authentication event indicating if it was from a valid user.
- adminUpdateDeviceStatus(params = {}, callback) ⇒ AWS.Request
Updates the device status as an administrator.
Note: Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation.
- adminUpdateUserAttributes(params = {}, callback) ⇒ AWS.Request
Note: This action might generate an SMS text message.
- adminUserGlobalSignOut(params = {}, callback) ⇒ AWS.Request
Invalidates the identity, access, and refresh tokens that Amazon Cognito issued to a user.
- associateSoftwareToken(params = {}, callback) ⇒ AWS.Request
Begins setup of time-based one-time password (TOTP) multi-factor authentication (MFA) for a user, with a unique private key that Amazon Cognito generates and returns in the API response.
- changePassword(params = {}, callback) ⇒ AWS.Request
Changes the password for a specified user in a user pool.
Authorize this action with a signed-in user's access token.
- confirmDevice(params = {}, callback) ⇒ AWS.Request
Confirms tracking of the device.
- confirmForgotPassword(params = {}, callback) ⇒ AWS.Request
Allows a user to enter a confirmation code to reset a forgotten password.
Note: Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation.
- confirmSignUp(params = {}, callback) ⇒ AWS.Request
This public API operation provides a code that Amazon Cognito sent to your user when they signed up in your user pool via the SignUp API operation.
- createGroup(params = {}, callback) ⇒ AWS.Request
Creates a new group in the specified user pool.
Note: Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation.
- createIdentityProvider(params = {}, callback) ⇒ AWS.Request
Adds a configuration and trust relationship between a third-party identity provider (IdP) and a user pool.
Note: Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation.
- createResourceServer(params = {}, callback) ⇒ AWS.Request
Creates a new OAuth2.0 resource server and defines custom scopes within it.
Note: Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation.
- createUserImportJob(params = {}, callback) ⇒ AWS.Request
Creates a user import job.
Note: Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation.
- createUserPool(params = {}, callback) ⇒ AWS.Request
Note: This action might generate an SMS text message.
- createUserPoolClient(params = {}, callback) ⇒ AWS.Request
Creates the user pool client.
When you create a new user pool client, token revocation is automatically activated.
- createUserPoolDomain(params = {}, callback) ⇒ AWS.Request
Creates a new domain for a user pool.
Note: Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation.
- deleteGroup(params = {}, callback) ⇒ AWS.Request
Deletes a group.
Calling this action requires developer credentials.
- deleteIdentityProvider(params = {}, callback) ⇒ AWS.Request
Deletes an IdP for a user pool.
- deleteResourceServer(params = {}, callback) ⇒ AWS.Request
Deletes a resource server.
- deleteUser(params = {}, callback) ⇒ AWS.Request
Allows a user to delete their own user profile.
Authorize this action with a signed-in user's access token.
- deleteUserAttributes(params = {}, callback) ⇒ AWS.Request
Deletes the attributes for a user.
Authorize this action with a signed-in user's access token.
- deleteUserPool(params = {}, callback) ⇒ AWS.Request
Deletes the specified Amazon Cognito user pool.
- deleteUserPoolClient(params = {}, callback) ⇒ AWS.Request
Allows the developer to delete the user pool client.
- deleteUserPoolDomain(params = {}, callback) ⇒ AWS.Request
Deletes a domain for a user pool.
- describeIdentityProvider(params = {}, callback) ⇒ AWS.Request
Gets information about a specific IdP.
- describeResourceServer(params = {}, callback) ⇒ AWS.Request
Describes a resource server.
- describeRiskConfiguration(params = {}, callback) ⇒ AWS.Request
Describes the risk configuration.
- describeUserImportJob(params = {}, callback) ⇒ AWS.Request
Describes the user import job.
- describeUserPool(params = {}, callback) ⇒ AWS.Request
Returns the configuration information and metadata of the specified user pool.
Note: Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation.
- describeUserPoolClient(params = {}, callback) ⇒ AWS.Request
Client method for returning the configuration information and metadata of the specified user pool app client.
Note: Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation.
- describeUserPoolDomain(params = {}, callback) ⇒ AWS.Request
Gets information about a domain.
- forgetDevice(params = {}, callback) ⇒ AWS.Request
Forgets the specified device.
- forgotPassword(params = {}, callback) ⇒ AWS.Request
Calling this API causes a message to be sent to the end user with a confirmation code that is required to change the user's password.
- getCSVHeader(params = {}, callback) ⇒ AWS.Request
Gets the header information for the comma-separated value (CSV) file to be used as input for the user import job.
- getDevice(params = {}, callback) ⇒ AWS.Request
Gets the device.
- getGroup(params = {}, callback) ⇒ AWS.Request
Gets a group.
Calling this action requires developer credentials.
- getIdentityProviderByIdentifier(params = {}, callback) ⇒ AWS.Request
Gets the specified IdP.
- getLogDeliveryConfiguration(params = {}, callback) ⇒ AWS.Request
Gets the logging configuration of a user pool.
- getSigningCertificate(params = {}, callback) ⇒ AWS.Request
This method takes a user pool ID, and returns the signing certificate.
- getUICustomization(params = {}, callback) ⇒ AWS.Request
Gets the user interface (UI) Customization information for a particular app client's app UI, if any such information exists for the client.
- getUser(params = {}, callback) ⇒ AWS.Request
Gets the user attributes and metadata for a user.
Authorize this action with a signed-in user's access token.
- getUserAttributeVerificationCode(params = {}, callback) ⇒ AWS.Request
Generates a user attribute verification code for the specified attribute name.
- getUserPoolMfaConfig(params = {}, callback) ⇒ AWS.Request
Gets the user pool multi-factor authentication (MFA) configuration.
- globalSignOut(params = {}, callback) ⇒ AWS.Request
Invalidates the identity, access, and refresh tokens that Amazon Cognito issued to a user.
- initiateAuth(params = {}, callback) ⇒ AWS.Request
Initiates sign-in for a user in the Amazon Cognito user directory.
- listDevices(params = {}, callback) ⇒ AWS.Request
Lists the sign-in devices that Amazon Cognito has registered to the current user.
- listGroups(params = {}, callback) ⇒ AWS.Request
Lists the groups associated with a user pool.
Note: Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation.
- listIdentityProviders(params = {}, callback) ⇒ AWS.Request
Lists information about all IdPs for a user pool.
Note: Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation.
- listResourceServers(params = {}, callback) ⇒ AWS.Request
Lists the resource servers for a user pool.
Note: Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation.
- listTagsForResource(params = {}, callback) ⇒ AWS.Request
Lists the tags that are assigned to an Amazon Cognito user pool.
A tag is a label that you can apply to user pools to categorize and manage them in different ways, such as by purpose, owner, environment, or other criteria.
You can use this action up to 10 times per second, per account.
- listUserImportJobs(params = {}, callback) ⇒ AWS.Request
Lists user import jobs for a user pool.
Note: Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation.
- listUserPoolClients(params = {}, callback) ⇒ AWS.Request
Lists the clients that have been created for the specified user pool.
Note: Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation.
- listUserPools(params = {}, callback) ⇒ AWS.Request
Lists the user pools associated with an Amazon Web Services account.
Note: Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation.
- listUsers(params = {}, callback) ⇒ AWS.Request
Lists users and their basic details in a user pool.
Note: Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation.
- listUsersInGroup(params = {}, callback) ⇒ AWS.Request
Lists the users in the specified group.
Note: Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation.
- resendConfirmationCode(params = {}, callback) ⇒ AWS.Request
Resends the confirmation (for confirmation of registration) to a specific user in the user pool.
Note: Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation.
- respondToAuthChallenge(params = {}, callback) ⇒ AWS.Request
Some API operations in a user pool generate a challenge, like a prompt for an MFA code, for device authentication that bypasses MFA, or for a custom authentication challenge.
- revokeToken(params = {}, callback) ⇒ AWS.Request
Revokes all of the access tokens generated by, and at the same time as, the specified refresh token.
- setLogDeliveryConfiguration(params = {}, callback) ⇒ AWS.Request
Sets up or modifies the logging configuration of a user pool.
- setRiskConfiguration(params = {}, callback) ⇒ AWS.Request
Configures actions on detected risks.
- setUICustomization(params = {}, callback) ⇒ AWS.Request
Sets the user interface (UI) customization information for a user pool's built-in app UI.
You can specify app UI customization settings for a single client (with a specific clientId) or for all clients (by setting the clientId to ALL).
- setUserMFAPreference(params = {}, callback) ⇒ AWS.Request
Set the user's multi-factor authentication (MFA) method preference, including which MFA factors are activated and if any are preferred.
- setUserPoolMfaConfig(params = {}, callback) ⇒ AWS.Request
Sets the user pool multi-factor authentication (MFA) configuration.
Note: This action might generate an SMS text message.
- setUserSettings(params = {}, callback) ⇒ AWS.Request
This action is no longer supported. You can use it to configure only SMS MFA.
- signUp(params = {}, callback) ⇒ AWS.Request
Registers the user in the specified user pool and creates a user name, password, and user attributes.
Note: Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation.
- startUserImportJob(params = {}, callback) ⇒ AWS.Request
Starts the user import.
- stopUserImportJob(params = {}, callback) ⇒ AWS.Request
Stops the user import job.
- tagResource(params = {}, callback) ⇒ AWS.Request
Assigns a set of tags to an Amazon Cognito user pool.
- untagResource(params = {}, callback) ⇒ AWS.Request
Removes the specified tags from an Amazon Cognito user pool.
- updateAuthEventFeedback(params = {}, callback) ⇒ AWS.Request
Provides the feedback for an authentication event, whether it was from a valid user or not.
- updateDeviceStatus(params = {}, callback) ⇒ AWS.Request
Updates the device status.
- updateGroup(params = {}, callback) ⇒ AWS.Request
Updates the specified group with the specified attributes.
Note: Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation.
- updateIdentityProvider(params = {}, callback) ⇒ AWS.Request
Updates IdP information for a user pool.
Note: Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation.
- updateResourceServer(params = {}, callback) ⇒ AWS.Request
Updates the name and scopes of resource server.
- updateUserAttributes(params = {}, callback) ⇒ AWS.Request
With this operation, your users can update one or more of their attributes with their own credentials.
- updateUserPool(params = {}, callback) ⇒ AWS.Request
Note: This action might generate an SMS text message.
- updateUserPoolClient(params = {}, callback) ⇒ AWS.Request
Updates the specified user pool app client with the specified attributes.
- updateUserPoolDomain(params = {}, callback) ⇒ AWS.Request
Updates the Secure Sockets Layer (SSL) certificate for the custom domain for your user pool.
You can use this operation to provide the Amazon Resource Name (ARN) of a new certificate to Amazon Cognito.
- verifySoftwareToken(params = {}, callback) ⇒ AWS.Request
Use this API to register a user's entered time-based one-time password (TOTP) code and mark the user's software token MFA status as "verified" if successful.
- verifyUserAttribute(params = {}, callback) ⇒ AWS.Request
Verifies the specified user attributes in the user pool.
If your user pool requires verification before Amazon Cognito updates the attribute value, VerifyUserAttribute updates the affected attribute to its pending value.
Methods inherited from AWS.Service
makeRequest, makeUnauthenticatedRequest, waitFor, setupRequestListeners, defineService
Constructor Details
new AWS.CognitoIdentityServiceProvider(options = {}) ⇒ Object
Constructs a service object. This object has one method for each API operation.
Property Details
Method Details
addCustomAttributes(params = {}, callback) ⇒ AWS.Request
Adds additional user attributes to the user pool schema.
Note: Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.
adminAddUserToGroup(params = {}, callback) ⇒ AWS.Request
Adds a user to a group. A user who is in a group can present a preferred-role claim to an identity pool, and populates a cognito:groups claim to their access and identity tokens.
Note: Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.
adminConfirmSignUp(params = {}, callback) ⇒ AWS.Request
This IAM-authenticated API operation confirms user sign-up as an administrator. Unlike ConfirmSignUp, your IAM credentials authorize user account confirmation. No confirmation code is required.
This request sets a user account active in a user pool that requires confirmation of new user accounts before they can sign in. You can configure your user pool to not send confirmation codes to new users and instead confirm them with this API operation on the back end.
Note: Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.
adminCreateUser(params = {}, callback) ⇒ AWS.Request
Creates a new user in the specified user pool.
If MessageAction isn't set, the default is to send a welcome message via email or phone (SMS).
Note: This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers require you to register an origination phone number before you can send SMS messages to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a phone number with Amazon Pinpoint. Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must receive SMS messages might not be able to sign up, activate their accounts, or sign in. If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Services service, Amazon Simple Notification Service might place your account in the SMS sandbox. In sandbox mode, you can send messages only to verified phone numbers. After you test your app while in the sandbox environment, you can move out of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools in the Amazon Cognito Developer Guide.
This message is based on a template that you configured in your call to create or update a user pool. This template includes your custom sign-up instructions and placeholders for user name and temporary password.
Alternatively, you can call AdminCreateUser with SUPPRESS for the MessageAction parameter, and Amazon Cognito won't send any email.
In either case, the user will be in the FORCE_CHANGE_PASSWORD state until they sign in and change their password.
Note: Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.
adminDeleteUser(params = {}, callback) ⇒ AWS.Request
Deletes a user as an administrator. Works on any user.
Note: Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.
adminDeleteUserAttributes(params = {}, callback) ⇒ AWS.Request
Deletes the user attributes in a user pool as an administrator. Works on any user.
Note: Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.
adminDisableProviderForUser(params = {}, callback) ⇒ AWS.Request
Prevents the user from signing in with the specified external (SAML or social) identity provider (IdP). If the user that you want to deactivate is an Amazon Cognito user pools native username + password user, they can't use their password to sign in. If the user to deactivate is a linked external IdP user, any link between that user and an existing user is removed. When the external user signs in again, and the user is no longer attached to the previously linked DestinationUser, the user must create a new user account. See AdminLinkProviderForUser.
The ProviderName must match the value specified when creating an IdP for the pool.
To deactivate a native username + password user, the ProviderName value must be Cognito and the ProviderAttributeName must be Cognito_Subject. The ProviderAttributeValue must be the name that is used in the user pool for the user.
The ProviderAttributeName must always be Cognito_Subject for social IdPs. The ProviderAttributeValue must always be the exact subject that was used when the user was originally linked as a source user.
For de-linking a SAML identity, there are two scenarios. If the linked identity has not yet been used to sign in, the ProviderAttributeName and ProviderAttributeValue must be the same values that were used for the SourceUser when the identities were originally linked using the AdminLinkProviderForUser call. (If the linking was done with ProviderAttributeName set to Cognito_Subject, the same applies here). However, if the user has already signed in, the ProviderAttributeName must be Cognito_Subject and ProviderAttributeValue must be the subject of the SAML assertion.
Note: Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.
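The ProviderName / ProviderAttributeName / ProviderAttributeValue rules above differ per user type, and a wrong combination de-links the wrong identity or nothing at all. The following is an added example, not code from the AWS SDK or its documentation: it builds the adminDisableProviderForUser request for each scenario. The function names and the fields of the `target` object are hypothetical; the request field names are the ones described above.

```javascript
// Added example. buildDisableProviderParams, requireField, externalProvider
// and the `target` fields (kind, username, providerName, subject, hasSignedIn,
// linkedAttributeName, linkedAttributeValue) are hypothetical names.

function requireField(obj, name) {
  const value = obj[name];
  if (typeof value !== 'string' || value.length === 0) {
    throw new Error('missing required field: ' + name);
  }
  return value;
}

// An external IdP name must never be the reserved native provider name.
function externalProvider(target) {
  const name = requireField(target, 'providerName');
  if (name === 'Cognito') {
    throw new Error('providerName "Cognito" is reserved for native users');
  }
  return name;
}

function buildDisableProviderParams(userPoolId, target) {
  if (typeof userPoolId !== 'string' || userPoolId.length === 0) {
    throw new Error('userPoolId is required');
  }
  let user;
  switch (target.kind) {
    case 'native':
      // Native username + password user: provider and attribute name are
      // fixed, the value is the user's name in the user pool.
      user = {
        ProviderName: 'Cognito',
        ProviderAttributeName: 'Cognito_Subject',
        ProviderAttributeValue: requireField(target, 'username'),
      };
      break;
    case 'social':
      // Social IdP: always Cognito_Subject plus the exact subject that was
      // used when the user was linked as a source user.
      user = {
        ProviderName: externalProvider(target),
        ProviderAttributeName: 'Cognito_Subject',
        ProviderAttributeValue: requireField(target, 'subject'),
      };
      break;
    case 'saml':
      if (typeof target.hasSignedIn !== 'boolean') {
        throw new Error('hasSignedIn must be true or false for SAML users');
      }
      user = target.hasSignedIn
        ? { // Already signed in: subject of the SAML assertion.
            ProviderName: externalProvider(target),
            ProviderAttributeName: 'Cognito_Subject',
            ProviderAttributeValue: requireField(target, 'subject'),
          }
        : { // Never signed in: same values as the original SourceUser.
            ProviderName: externalProvider(target),
            ProviderAttributeName: requireField(target, 'linkedAttributeName'),
            ProviderAttributeValue: requireField(target, 'linkedAttributeValue'),
          };
      break;
    default:
      throw new Error('unknown target kind: ' + target.kind);
  }
  return { UserPoolId: userPoolId, User: user };
}

// Constructed sample input; the pool ID and IdP name are placeholders.
const sampleParams = buildDisableProviderParams('us-east-1_EXAMPLE', {
  kind: 'saml',
  providerName: 'ExampleCorpSAML',
  hasSignedIn: false,
  linkedAttributeName: 'email',
  linkedAttributeValue: 'alice@example.com',
});
console.log(JSON.stringify(sampleParams, null, 2));
// The result is passed as `params` to
// cognitoidentityserviceprovider.adminDisableProviderForUser(params, callback).
```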
adminDisableUser(params = {}, callback) ⇒ AWS.Request
Deactivates a user and revokes all access tokens for the user. A deactivated user can't sign in, but still appears in the responses to GetUser and ListUsers API requests.
Note: Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.
adminEnableUser(params = {}, callback) ⇒ AWS.Request
Enables the specified user as an administrator. Works on any user.
Note: Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.
adminForgetDevice(params = {}, callback) ⇒ AWS.Request
Forgets the device, as an administrator.
Note: Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.
adminGetDevice(params = {}, callback) ⇒ AWS.Request
Gets the device, as an administrator.
Note: Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.
adminGetUser(params = {}, callback) ⇒ AWS.Request
Gets the specified user by user name in a user pool as an administrator. Works on any user.
Note: Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.
adminInitiateAuth(params = {}, callback) ⇒ AWS.Request
Initiates the authentication flow, as an administrator.
Note: This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers require you to register an origination phone number before you can send SMS messages to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a phone number with Amazon Pinpoint. Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must receive SMS messages might not be able to sign up, activate their accounts, or sign in. If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Services service, Amazon Simple Notification Service might place your account in the SMS sandbox. In sandbox mode, you can send messages only to verified phone numbers. After you test your app while in the sandbox environment, you can move out of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools in the Amazon Cognito Developer Guide.
Note: Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.
adminLinkProviderForUser(params = {}, callback) ⇒ AWS.Request
Links an existing user account in a user pool (DestinationUser) to an identity from an external IdP (SourceUser) based on a specified attribute name and value from the external IdP. This allows you to create a link from the existing user account to an external federated user identity that has not yet been used to sign in. You can then use the federated user identity to sign in as the existing user account.
For example, if there is an existing user with a username and password, this API links that user to a federated user identity. When the user signs in with a federated user identity, they sign in as the existing user account.
Note: The maximum number of federated identities linked to a user is five.
Because this API allows a user with an external federated identity to sign in as an existing user in the user pool, it is critical that it only be used with external IdPs and provider attributes that have been trusted by the application owner.
Note: Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.
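Because a link lets the external identity sign in as the existing account, the back end should refuse to build an adminLinkProviderForUser request unless both the IdP and the linking attribute are on an owner-maintained allow-list. The following is an added example, not code from the AWS SDK or its documentation; the function name, the allow-list contents, the `source` fields, and the caller-supplied count of existing links are assumptions, and `ProviderName: 'Cognito'` for the destination assumes a native user.

```javascript
// Added example. All names below except the request fields are hypothetical.

const MAX_LINKED_IDENTITIES = 5; // limit stated in the note above

// Constructed allow-list: external IdP name -> attribute names the
// application owner trusts as a linking key for that IdP.
const TRUSTED_LINK_SOURCES = {
  ExampleCorpSAML: ['Cognito_Subject', 'email'],
  Google: ['Cognito_Subject'],
};

function buildLinkProviderParams(userPoolId, destinationUsername, source,
                                 existingLinkCount, trustedSources) {
  const trusted = trustedSources || TRUSTED_LINK_SOURCES;
  if (typeof userPoolId !== 'string' || userPoolId.length === 0) {
    throw new Error('userPoolId is required');
  }
  if (typeof destinationUsername !== 'string' || destinationUsername.length === 0) {
    throw new Error('destinationUsername is required');
  }
  // The caller supplies how many federated identities are already linked.
  if (!Number.isInteger(existingLinkCount) || existingLinkCount < 0) {
    throw new Error('existingLinkCount must be a non-negative integer');
  }
  if (existingLinkCount >= MAX_LINKED_IDENTITIES) {
    throw new Error('user already has the maximum number of linked identities');
  }
  if (source.providerName === 'Cognito') {
    throw new Error('SourceUser must come from an external IdP');
  }
  // Own-property lookup only, so names such as "constructor" or "__proto__"
  // can never resolve to something inherited from Object.prototype.
  const allowed = Object.prototype.hasOwnProperty.call(trusted, source.providerName)
    ? trusted[source.providerName]
    : null;
  if (!Array.isArray(allowed)) {
    throw new Error('IdP is not trusted for linking: ' + source.providerName);
  }
  if (!allowed.includes(source.attributeName)) {
    throw new Error('attribute is not trusted for linking: ' + source.attributeName);
  }
  if (typeof source.attributeValue !== 'string' || source.attributeValue.length === 0) {
    throw new Error('attributeValue is required');
  }
  return {
    UserPoolId: userPoolId,
    DestinationUser: {
      ProviderName: 'Cognito', // assumption: destination is a native user
      ProviderAttributeValue: destinationUsername,
    },
    SourceUser: {
      ProviderName: source.providerName,
      ProviderAttributeName: source.attributeName,
      ProviderAttributeValue: source.attributeValue,
    },
  };
}

// Constructed sample input; pool ID, user name and subject are placeholders.
const sampleLink = buildLinkProviderParams(
  'us-east-1_EXAMPLE', 'alice',
  { providerName: 'Google', attributeName: 'Cognito_Subject', attributeValue: '1234567890' },
  0);
console.log(JSON.stringify(sampleLink, null, 2));
```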
adminListDevices(params = {}, callback) ⇒ AWS.Request
Lists devices, as an administrator.
Note: Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.
adminListGroupsForUser(params = {}, callback) ⇒ AWS.Request
Lists the groups that a user belongs to.
Note: Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.
adminListUserAuthEvents(params = {}, callback) ⇒ AWS.Request
A history of user activity and any risks detected as part of Amazon Cognito advanced security.
Note: Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.
adminRemoveUserFromGroup(params = {}, callback) ⇒ AWS.Request
Removes the specified user from the specified group.
Note: Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.
adminResetUserPassword(params = {}, callback) ⇒ AWS.Request
Resets the specified user's password in a user pool as an administrator. Works on any user.
To use this API operation, your user pool must have self-service account recovery configured. Use AdminSetUserPassword if you manage passwords as an administrator.
Note: This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers require you to register an origination phone number before you can send SMS messages to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a phone number with Amazon Pinpoint. Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must receive SMS messages might not be able to sign up, activate their accounts, or sign in. If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Services service, Amazon Simple Notification Service might place your account in the SMS sandbox. In sandbox mode, you can send messages only to verified phone numbers. After you test your app while in the sandbox environment, you can move out of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools in the Amazon Cognito Developer Guide.
Deactivates a user's password, requiring them to change it. If a user tries to sign in after the API is called, Amazon Cognito responds with a PasswordResetRequiredException error. Your app must then perform the actions that reset your user's password: the forgot-password flow. In addition, if the user pool has phone verification selected and a verified phone number exists for the user, or if email verification is selected and a verified email exists for the user, calling this API will also result in sending a message to the end user with the code to change their password.
Note: Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.
adminRespondToAuthChallenge(params = {}, callback) ⇒ AWS.Request
Some API operations in a user pool generate a challenge, like a prompt for an MFA code, for device authentication that bypasses MFA, or for a custom authentication challenge. An AdminRespondToAuthChallenge API request provides the answer to that challenge, like a code or a secure remote password (SRP). The parameters of a response to an authentication challenge vary with the type of challenge.
For more information about custom authentication challenges, see Custom authentication challenge Lambda triggers.
Note: This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers require you to register an origination phone number before you can send SMS messages to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a phone number with Amazon Pinpoint. Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must receive SMS messages might not be able to sign up, activate their accounts, or sign in. If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Services service, Amazon Simple Notification Service might place your account in the SMS sandbox. In sandbox mode, you can send messages only to verified phone numbers. After you test your app while in the sandbox environment, you can move out of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools in the Amazon Cognito Developer Guide.
Note: Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.
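When the challenge is software token MFA, the answer is a TOTP derived from the secret issued during token setup. The following added example (not SDK code) computes that code for an integration test of your own MFA flow and builds the adminRespondToAuthChallenge parameters; it assumes the RFC 6238 defaults used by common authenticator apps (HMAC-SHA1, 30-second step, 6 digits), and the secret, pool ID, client ID and session string are constructed.

```javascript
const crypto = require('crypto');

// RFC 4648 base32 decoding, the encoding authenticator secrets are distributed in.
function base32Decode(text) {
  const alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
  const clean = text.replace(/\s+/g, '').replace(/=+$/, '').toUpperCase();
  const out = [];
  let bits = 0;
  let value = 0;
  for (const ch of clean) {
    const idx = alphabet.indexOf(ch);
    if (idx === -1) throw new Error('invalid base32 character: ' + ch);
    value = (value << 5) | idx;
    bits += 5;
    if (bits >= 8) {
      bits -= 8;
      out.push((value >>> bits) & 0xff);
      value &= (1 << bits) - 1; // keep only the bits not yet emitted
    }
  }
  return Buffer.from(out);
}

// RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation.
function hotp(key, counter, digits = 6) {
  const msg = Buffer.alloc(8);
  msg.writeBigUInt64BE(BigInt(counter));
  const mac = crypto.createHmac('sha1', key).update(msg).digest();
  const offset = mac[mac.length - 1] & 0x0f;
  const code = (mac.readUInt32BE(offset) & 0x7fffffff) % 10 ** digits;
  return String(code).padStart(digits, '0'); // leading zeros are part of the code
}

// RFC 6238 TOTP: HOTP with the counter set to the number of elapsed time steps.
function totp(secretBase32, unixSeconds, { step = 30, digits = 6 } = {}) {
  return hotp(base32Decode(secretBase32), Math.floor(unixSeconds / step), digits);
}

// Builds the request that answers a SOFTWARE_TOKEN_MFA challenge.
// `session` is the Session string from the response that issued the challenge.
function buildSoftwareTokenResponse({ userPoolId, clientId, username, session, secretBase32, now }) {
  return {
    UserPoolId: userPoolId,
    ClientId: clientId,
    ChallengeName: 'SOFTWARE_TOKEN_MFA',
    Session: session,
    ChallengeResponses: {
      USERNAME: username,
      SOFTWARE_TOKEN_MFA_CODE: totp(secretBase32, now),
    },
  };
}

// Constructed sample: the RFC 6238 test key "12345678901234567890" in base32.
const SAMPLE_SECRET = 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ';
const SAMPLE_PARAMS = buildSoftwareTokenResponse({
  userPoolId: 'us-east-1_EXAMPLE',
  clientId: 'exampleclientid',
  username: 'test.user',
  session: 'constructed-session-string',
  secretBase32: SAMPLE_SECRET,
  now: 59,
});

// Usage with the SDK client (not executed here):
//   cognito.adminRespondToAuthChallenge(SAMPLE_PARAMS, callback);
```

Keep test secrets like this one out of production user pools; a TOTP secret stored beside the password it protects no longer acts as a second factor.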
adminSetUserMFAPreference(params = {}, callback) ⇒ AWS.Request
The user's multi-factor authentication (MFA) preference, including which MFA options are activated, and if any are preferred. Only one factor can be set as preferred. The preferred MFA factor will be used to authenticate a user if multiple factors are activated. If multiple options are activated and no preference is set, a challenge to choose an MFA option will be returned during sign-in.
Note: Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.
adminSetUserPassword(params = {}, callback) ⇒ AWS.Request
Sets the specified user's password in a user pool as an administrator. Works on any user.
The password can be temporary or permanent. If it is temporary, the user status enters the FORCE_CHANGE_PASSWORD state. When the user next tries to sign in, the InitiateAuth/AdminInitiateAuth response will contain the NEW_PASSWORD_REQUIRED challenge. If the user doesn't sign in before it expires, the user won't be able to sign in, and an administrator must reset their password.
Once the user has set a new password, or the password is permanent, the user status is set to Confirmed.
AdminSetUserPassword can set a password for the user profile that Amazon Cognito creates for third-party federated users. When you set a password, the federated user's status changes from EXTERNAL_PROVIDER to CONFIRMED. A user in this state can sign in as a federated user, and initiate authentication flows in the API like a linked native user. They can also modify their password and attributes in token-authenticated API requests like ChangePassword and UpdateUserAttributes. As a best security practice and to keep users in sync with your external IdP, don't set passwords on federated user profiles. To set up a federated user for native sign-in with a linked native user, refer to Linking federated users to an existing user profile.
Note: Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.
adminSetUserSettings(params = {}, callback) ⇒ AWS.Request
This action is no longer supported. You can use it to configure only SMS MFA. You can't use it to configure time-based one-time password (TOTP) software token MFA. To configure either type of MFA, use AdminSetUserMFAPreference instead.
Note: Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.
adminUpdateAuthEventFeedback(params = {}, callback) ⇒ AWS.Request
Provides feedback for an authentication event indicating if it was from a valid user. This feedback is used for improving the risk evaluation decision for the user pool as part of Amazon Cognito advanced security.
Note: Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.
adminUpdateDeviceStatus(params = {}, callback) ⇒ AWS.Request
Updates the device status as an administrator.
Note: Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.
adminUpdateUserAttributes(params = {}, callback) ⇒ AWS.Request
Note: This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers require you to register an origination phone number before you can send SMS messages to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a phone number with Amazon Pinpoint. Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must receive SMS messages might not be able to sign up, activate their accounts, or sign in. If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Services service, Amazon Simple Notification Service might place your account in the SMS sandbox. In sandbox mode, you can send messages only to verified phone numbers. After you test your app while in the sandbox environment, you can move out of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools in the Amazon Cognito Developer Guide.
Updates the specified user's attributes, including developer attributes, as an administrator. Works on any user. To delete an attribute from your user, submit the attribute in your API request with a blank value.
For custom attributes, you must prepend the custom: prefix to the attribute name.
In addition to updating user attributes, this API can also be used to mark phone and email as verified.
Note: Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.
adminUserGlobalSignOut(params = {}, callback) ⇒ AWS.Request
Invalidates the identity, access, and refresh tokens that Amazon Cognito issued to a user. Call this operation with your administrative credentials when your user signs out of your app. This results in the following behavior.
- Amazon Cognito no longer accepts token-authorized user operations that you authorize with a signed-out user's access tokens. For more information, see Using the Amazon Cognito user pools API and user pool endpoints.
  Amazon Cognito returns an Access Token has been revoked error when your app attempts to authorize a user pools API request with a revoked access token that contains the scope aws.cognito.signin.user.admin.
- Amazon Cognito no longer accepts a signed-out user's ID token in a GetId request to an identity pool with ServerSideTokenCheck enabled for its user pool IdP configuration in CognitoIdentityProvider.
- Amazon Cognito no longer accepts a signed-out user's refresh tokens in refresh requests.
Other requests might be valid until your user's token expires.
Note: Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.
associateSoftwareToken(params = {}, callback) ⇒ AWS.Request
Begins setup of time-based one-time password (TOTP) multi-factor authentication (MFA) for a user, with a unique private key that Amazon Cognito generates and returns in the API response. You can authorize an AssociateSoftwareToken request with either the user's access token, or a session string from a challenge response that you received from Amazon Cognito.
Note: Amazon Cognito disassociates an existing software token when you verify the new token in a VerifySoftwareToken API request. If you don't verify the software token and your user pool doesn't require MFA, the user can then authenticate with user name and password credentials alone. If your user pool requires TOTP MFA, Amazon Cognito generates an MFA_SETUP or SOFTWARE_TOKEN_SETUP challenge each time your user signs in. Complete setup with AssociateSoftwareToken and VerifySoftwareToken.
After you set up software token MFA for your user, Amazon Cognito generates a SOFTWARE_TOKEN_MFA challenge when they authenticate. Respond to this challenge with your user's TOTP.
Note: Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you can't use IAM credentials to authorize requests, and you can't grant IAM permissions in policies. For more information about authorization models in Amazon Cognito, see Using the Amazon Cognito user pools API and user pool endpoints.
changePassword(params = {}, callback) ⇒ AWS.Request
Changes the password for a specified user in a user pool.
Authorize this action with a signed-in user's access token. It must include the scope aws.cognito.signin.user.admin.
Note: Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you can't use IAM credentials to authorize requests, and you can't grant IAM permissions in policies. For more information about authorization models in Amazon Cognito, see Using the Amazon Cognito user pools API and user pool endpoints.
confirmDevice(params = {}, callback) ⇒ AWS.Request
Confirms tracking of the device. This API call is the call that begins device tracking. For more information about device authentication, see Working with user devices in your user pool.
Authorize this action with a signed-in user's access token. It must include the scope aws.cognito.signin.user.admin.
Note: Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you can't use IAM credentials to authorize requests, and you can't grant IAM permissions in policies. For more information about authorization models in Amazon Cognito, see Using the Amazon Cognito user pools API and user pool endpoints.
confirmForgotPassword(params = {}, callback) ⇒ AWS.Request
Allows a user to enter a confirmation code to reset a forgotten password.
Note: Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you can't use IAM credentials to authorize requests, and you can't grant IAM permissions in policies. For more information about authorization models in Amazon Cognito, see Using the Amazon Cognito user pools API and user pool endpoints.
confirmSignUp(params = {}, callback) ⇒ AWS.Request
This public API operation provides a code that Amazon Cognito sent to your user when they signed up in your user pool via the SignUp API operation. After your user enters their code, they confirm ownership of the email address or phone number that they provided, and their user account becomes active. Depending on your user pool configuration, your users will receive their confirmation code in an email or SMS message.
Local users who signed up in your user pool are the only type of user who can confirm sign-up with a code. Users who federate through an external identity provider (IdP) have already been confirmed by their IdP. Administrator-created users, users created with the AdminCreateUser API operation, confirm their accounts when they respond to their invitation email message and choose a password. They do not receive a confirmation code. Instead, they receive a temporary password.
Note: Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you can't use IAM credentials to authorize requests, and you can't grant IAM permissions in policies. For more information about authorization models in Amazon Cognito, see Using the Amazon Cognito user pools API and user pool endpoints.
createGroup(params = {}, callback) ⇒ AWS.Request
Creates a new group in the specified user pool.
Note: Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.
createIdentityProvider(params = {}, callback) ⇒ AWS.Request
Adds a configuration and trust relationship between a third-party identity provider (IdP) and a user pool.
Note: Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.
createResourceServer(params = {}, callback) ⇒ AWS.Request
Creates a new OAuth2.0 resource server and defines custom scopes within it.
Note: Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.
createUserImportJob(params = {}, callback) ⇒ AWS.Request
Creates a user import job.
Note: Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.
createUserPool(params = {}, callback) ⇒ AWS.Request
Note: This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers require you to register an origination phone number before you can send SMS messages to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a phone number with Amazon Pinpoint. Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must receive SMS messages might not be able to sign up, activate their accounts, or sign in. If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Services service, Amazon Simple Notification Service might place your account in the SMS sandbox. In sandbox mode, you can send messages only to verified phone numbers. After you test your app while in the sandbox environment, you can move out of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools in the Amazon Cognito Developer Guide.
Creates a new Amazon Cognito user pool and sets the password policy for the pool.
If you don't provide a value for an attribute, Amazon Cognito sets it to its default value.
Note: Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.
createUserPoolClient(params = {}, callback) ⇒ AWS.Request
Creates the user pool client.
When you create a new user pool client, token revocation is automatically activated. For more information about revoking tokens, see RevokeToken.
If you don't provide a value for an attribute, Amazon Cognito sets it to its default value.
Note: Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.
createUserPoolDomain(params = {}, callback) ⇒ AWS.Request
Creates a new domain for a user pool.
Note: Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.
deleteGroup(params = {}, callback) ⇒ AWS.Request
Deletes a group.
Calling this action requires developer credentials.
deleteUser(params = {}, callback) ⇒ AWS.Request
Allows a user to delete their own user profile.
Authorize this action with a signed-in user's access token. It must include the scope aws.cognito.signin.user.admin.
Note: Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you can't use IAM credentials to authorize requests, and you can't grant IAM permissions in policies. For more information about authorization models in Amazon Cognito, see Using the Amazon Cognito user pools API and user pool endpoints.
deleteUserAttributes(params = {}, callback) ⇒ AWS.Request
Deletes the attributes for a user.
Authorize this action with a signed-in user's access token. It must include the scope aws.cognito.signin.user.admin.
Note: Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you can't use IAM credentials to authorize requests, and you can't grant IAM permissions in policies. For more information about authorization models in Amazon Cognito, see Using the Amazon Cognito user pools API and user pool endpoints.
deleteUserPoolClient(params = {}, callback) ⇒ AWS.Request
Allows the developer to delete the user pool client.
describeIdentityProvider(params = {}, callback) ⇒ AWS.Request
Gets information about a specific IdP.
describeUserPool(params = {}, callback) ⇒ AWS.Request
Returns the configuration information and metadata of the specified user pool.
Note: Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.
describeUserPoolClient(params = {}, callback) ⇒ AWS.Request
Client method for returning the configuration information and metadata of the specified user pool app client.
Note: Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.
forgetDevice(params = {}, callback) ⇒ AWS.Request
Forgets the specified device. For more information about device authentication, see Working with user devices in your user pool.
Authorize this action with a signed-in user's access token. It must include the scope aws.cognito.signin.user.admin.
Note: Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you can't use IAM credentials to authorize requests, and you can't grant IAM permissions in policies. For more information about authorization models in Amazon Cognito, see Using the Amazon Cognito user pools API and user pool endpoints.
forgotPassword(params = {}, callback) ⇒ AWS.Request
Calling this API causes a message to be sent to the end user with a confirmation code that is required to change the user's password. For the Username parameter, you can use the username or user alias. The confirmation code is sent according to the specified AccountRecoverySetting. For more information, see Recovering User Accounts in the Amazon Cognito Developer Guide. To use the confirmation code for resetting the password, call ConfirmForgotPassword.
If neither a verified phone number nor a verified email exists, this API returns InvalidParameterException. If your app client has a client secret and you don't provide a SECRET_HASH parameter, this API returns NotAuthorizedException.
To use this API operation, your user pool must have self-service account recovery configured. Use AdminSetUserPassword if you manage passwords as an administrator.
Note: Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you can't use IAM credentials to authorize requests, and you can't grant IAM permissions in policies. For more information about authorization models in Amazon Cognito, see Using the Amazon Cognito user pools API and user pool endpoints.
Note: This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers require you to register an origination phone number before you can send SMS messages to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a phone number with Amazon Pinpoint. Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must receive SMS messages might not be able to sign up, activate their accounts, or sign in. If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Services service, Amazon Simple Notification Service might place your account in the SMS sandbox. In sandbox mode, you can send messages only to verified phone numbers. After you test your app while in the sandbox environment, you can move out of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools in the Amazon Cognito Developer Guide.
getCSVHeader(params = {}, callback) ⇒ AWS.Request
Gets the header information for the comma-separated value (CSV) file to be used as input for the user import job.
getDevice(params = {}, callback) ⇒ AWS.Request
Gets the device. For more information about device authentication, see Working with user devices in your user pool.
Authorize this action with a signed-in user's access token. It must include the scope aws.cognito.signin.user.admin.
Note: Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you can't use IAM credentials to authorize requests, and you can't grant IAM permissions in policies. For more information about authorization models in Amazon Cognito, see Using the Amazon Cognito user pools API and user pool endpoints.
getGroup(params = {}, callback) ⇒ AWS.Request
Gets a group.
Calling this action requires developer credentials.
getLogDeliveryConfiguration(params = {}, callback) ⇒ AWS.Request
Gets the logging configuration of a user pool.
getSigningCertificate(params = {}, callback) ⇒ AWS.Request
This method takes a user pool ID, and returns the signing certificate. The issued certificate is valid for 10 years from the date of issue.
Amazon Cognito issues and assigns a new signing certificate annually. This process returns a new value in the response to GetSigningCertificate, but doesn't invalidate the original certificate.
getUICustomization(params = {}, callback) ⇒ AWS.Request
Gets the user interface (UI) Customization information for a particular app client's app UI, if any such information exists for the client. If nothing is set for the particular client, but there is an existing pool level customization (the app clientId is ALL), then that information is returned. If nothing is present, then an empty shape is returned.
getUser(params = {}, callback) ⇒ AWS.Request
Gets the user attributes and metadata for a user.
Authorize this action with a signed-in user's access token. It must include the scope aws.cognito.signin.user.admin.
Note: Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you can't use IAM credentials to authorize requests, and you can't grant IAM permissions in policies. For more information about authorization models in Amazon Cognito, see Using the Amazon Cognito user pools API and user pool endpoints.
getUserAttributeVerificationCode(params = {}, callback) ⇒ AWS.Request
Generates a user attribute verification code for the specified attribute name. Sends a message to a user with a code that they must return in a VerifyUserAttribute request.
Authorize this action with a signed-in user's access token. It must include the scope aws.cognito.signin.user.admin.
Note: Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you can't use IAM credentials to authorize requests, and you can't grant IAM permissions in policies. For more information about authorization models in Amazon Cognito, see Using the Amazon Cognito user pools API and user pool endpoints.
Note: This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers require you to register an origination phone number before you can send SMS messages to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a phone number with Amazon Pinpoint. Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must receive SMS messages might not be able to sign up, activate their accounts, or sign in. If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Services service, Amazon Simple Notification Service might place your account in the SMS sandbox. In sandbox mode, you can send messages only to verified phone numbers. After you test your app while in the sandbox environment, you can move out of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools in the Amazon Cognito Developer Guide.
getUserPoolMfaConfig(params = {}, callback) ⇒ AWS.Request
Gets the user pool multi-factor authentication (MFA) configuration.
globalSignOut(params = {}, callback) ⇒ AWS.Request
Invalidates the identity, access, and refresh tokens that Amazon Cognito issued to a user. Call this operation when your user signs out of your app. This results in the following behavior.
- Amazon Cognito no longer accepts token-authorized user operations that you authorize with a signed-out user's access tokens. For more information, see Using the Amazon Cognito user pools API and user pool endpoints.
  Amazon Cognito returns an Access Token has been revoked error when your app attempts to authorize a user pools API request with a revoked access token that contains the scope aws.cognito.signin.user.admin.
- Amazon Cognito no longer accepts a signed-out user's ID token in a GetId request to an identity pool with ServerSideTokenCheck enabled for its user pool IdP configuration in CognitoIdentityProvider.
- Amazon Cognito no longer accepts a signed-out user's refresh tokens in refresh requests.
Other requests might be valid until your user's token expires.
Authorize this action with a signed-in user's access token. It must include the scope aws.cognito.signin.user.admin.
Note: Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you can't use IAM credentials to authorize requests, and you can't grant IAM permissions in policies. For more information about authorization models in Amazon Cognito, see Using the Amazon Cognito user pools API and user pool endpoints.
initiateAuth(params = {}, callback) ⇒ AWS.Request
Initiates sign-in for a user in the Amazon Cognito user directory. You can't sign in a user with a federated IdP with InitiateAuth. For more information, see Adding user pool sign-in through a third party.
Note: Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you can't use IAM credentials to authorize requests, and you can't grant IAM permissions in policies. For more information about authorization models in Amazon Cognito, see Using the Amazon Cognito user pools API and user pool endpoints.
Note: This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers require you to register an origination phone number before you can send SMS messages to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a phone number with Amazon Pinpoint. Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must receive SMS messages might not be able to sign up, activate their accounts, or sign in. If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Services service, Amazon Simple Notification Service might place your account in the SMS sandbox. In sandbox mode, you can send messages only to verified phone numbers. After you test your app while in the sandbox environment, you can move out of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools in the Amazon Cognito Developer Guide.
listDevices(params = {}, callback) ⇒ AWS.Request
Lists the sign-in devices that Amazon Cognito has registered to the current user. For more information about device authentication, see Working with user devices in your user pool.
Authorize this action with a signed-in user's access token. It must include the scope aws.cognito.signin.user.admin.
Note: Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you can't use IAM credentials to authorize requests, and you can't grant IAM permissions in policies. For more information about authorization models in Amazon Cognito, see Using the Amazon Cognito user pools API and user pool endpoints.
listGroups(params = {}, callback) ⇒ AWS.Request
Lists the groups associated with a user pool.
Note: Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.
listIdentityProviders(params = {}, callback) ⇒ AWS.Request
Lists information about all IdPs for a user pool.
Note: Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.
listResourceServers(params = {}, callback) ⇒ AWS.Request
Lists the resource servers for a user pool.
Note: Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.
listTagsForResource(params = {}, callback) ⇒ AWS.Request
Lists the tags that are assigned to an Amazon Cognito user pool.
A tag is a label that you can apply to user pools to categorize and manage them in different ways, such as by purpose, owner, environment, or other criteria.
You can use this action up to 10 times per second, per account.
listUserImportJobs(params = {}, callback) ⇒ AWS.Request
Lists user import jobs for a user pool.
Note: Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.
listUserPoolClients(params = {}, callback) ⇒ AWS.Request
Lists the clients that have been created for the specified user pool.
Note: Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.
listUserPools(params = {}, callback) ⇒ AWS.Request
Lists the user pools associated with an Amazon Web Services account.
Note: Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.
listUsers(params = {}, callback) ⇒ AWS.Request
Lists users and their basic details in a user pool.
Note: Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.
listUsersInGroup(params = {}, callback) ⇒ AWS.Request
Lists the users in the specified group.
Note: Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.
resendConfirmationCode(params = {}, callback) ⇒ AWS.Request
Resends the confirmation (for confirmation of registration) to a specific user in the user pool.
Note: Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you can't use IAM credentials to authorize requests, and you can't grant IAM permissions in policies. For more information about authorization models in Amazon Cognito, see Using the Amazon Cognito user pools API and user pool endpoints.
Note: This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers require you to register an origination phone number before you can send SMS messages to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a phone number with Amazon Pinpoint. Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must receive SMS messages might not be able to sign up, activate their accounts, or sign in. If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Services service, Amazon Simple Notification Service might place your account in the SMS sandbox. In sandbox mode, you can send messages only to verified phone numbers. After you test your app while in the sandbox environment, you can move out of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools in the Amazon Cognito Developer Guide.
respondToAuthChallenge(params = {}, callback) ⇒ AWS.Request
Some API operations in a user pool generate a challenge, like a prompt for an MFA code, for device authentication that bypasses MFA, or for a custom authentication challenge. A RespondToAuthChallenge API request provides the answer to that challenge, like a code or a secure remote password (SRP). The parameters of a response to an authentication challenge vary with the type of challenge.
For more information about custom authentication challenges, see Custom authentication challenge Lambda triggers.
Note: Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you can't use IAM credentials to authorize requests, and you can't grant IAM permissions in policies. For more information about authorization models in Amazon Cognito, see Using the Amazon Cognito user pools API and user pool endpoints.
Note: This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers require you to register an origination phone number before you can send SMS messages to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a phone number with Amazon Pinpoint. Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must receive SMS messages might not be able to sign up, activate their accounts, or sign in. If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Services service, Amazon Simple Notification Service might place your account in the SMS sandbox. In sandbox mode, you can send messages only to verified phone numbers. After you test your app while in the sandbox environment, you can move out of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools in the Amazon Cognito Developer Guide.
revokeToken(params = {}, callback) ⇒ AWS.Request
Revokes all of the access tokens generated by, and at the same time as, the specified refresh token. After a token is revoked, you can't use the revoked token to access Amazon Cognito user APIs, or to authorize access to your resource server.
Note: Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you can't use IAM credentials to authorize requests, and you can't grant IAM permissions in policies. For more information about authorization models in Amazon Cognito, see Using the Amazon Cognito user pools API and user pool endpoints.
setLogDeliveryConfiguration(params = {}, callback) ⇒ AWS.Request
Sets up or modifies the logging configuration of a user pool. User pools can export user notification logs and advanced security features user activity logs.
setRiskConfiguration(params = {}, callback) ⇒ AWS.Request
Configures actions on detected risks. To delete the risk configuration for UserPoolId or ClientId, pass null values for all four configuration types.
To activate Amazon Cognito advanced security features, update the user pool to include the UserPoolAddOns key AdvancedSecurityMode.
setUICustomization(params = {}, callback) ⇒ AWS.Request
Sets the user interface (UI) customization information for a user pool's built-in app UI.
You can specify app UI customization settings for a single client (with a specific clientId) or for all clients (by setting the clientId to ALL). If you specify ALL, the default configuration is used for every client that has no previously set UI customization. If you specify UI customization settings for a particular client, it will no longer return to the ALL configuration.
Note: To use this API, your user pool must have a domain associated with it. Otherwise, there is no place to host the app's pages, and the service will throw an error.
setUserMFAPreference(params = {}, callback) ⇒ AWS.Request
Set the user's multi-factor authentication (MFA) method preference, including which MFA factors are activated and if any are preferred. Only one factor can be set as preferred. The preferred MFA factor will be used to authenticate a user if multiple factors are activated. If multiple options are activated and no preference is set, a challenge to choose an MFA option will be returned during sign-in. If an MFA type is activated for a user, the user will be prompted for MFA during all sign-in attempts unless device tracking is turned on and the device has been trusted. If you want MFA to be applied selectively based on the assessed risk level of sign-in attempts, deactivate MFA for users and turn on Adaptive Authentication for the user pool.
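The rules in the paragraph above, as an added example that is not part of the AWS SDK or its documentation: the first function builds SetUserMFAPreference parameters so that at most one factor is preferred, and the second models which challenge the paragraph says sign-in will return. The factor labels SMS and TOTP, the deviceTrusted flag (device tracking on and the device trusted) and the token value are assumptions made for illustration.

```javascript
// Added example, not AWS SDK code. Maps a short factor label (hypothetical)
// to its SetUserMFAPreference setting and its sign-in ChallengeName.
const FACTORS = {
  SMS: { setting: 'SMSMfaSettings', challenge: 'SMS_MFA' },
  TOTP: { setting: 'SoftwareTokenMfaSettings', challenge: 'SOFTWARE_TOKEN_MFA' },
};

// enabled: array of 'SMS' | 'TOTP'; preferred: one of the enabled labels, or null.
function buildMfaPreferenceParams(accessToken, enabled, preferred = null) {
  for (const name of enabled) {
    if (!FACTORS[name]) throw new Error(`Unknown factor: ${name}`);
  }
  if (preferred !== null && !enabled.includes(preferred)) {
    throw new Error(`Preferred factor ${preferred} is not activated`);
  }
  const params = { AccessToken: accessToken };
  for (const [name, { setting }] of Object.entries(FACTORS)) {
    params[setting] = {
      Enabled: enabled.includes(name),
      // preferred is a single value, so at most one factor can be preferred.
      PreferredMfa: name === preferred,
    };
  }
  return params;
}

// Model of the paragraph's rules (a sketch, not Amazon Cognito's implementation).
// Returns the expected ChallengeName, or null when no MFA prompt is expected.
function expectedMfaChallenge(params, { deviceTrusted = false } = {}) {
  const active = Object.values(FACTORS).filter((f) => params[f.setting].Enabled);
  if (active.length === 0 || deviceTrusted) return null;
  const preferred = active.find((f) => params[f.setting].PreferredMfa);
  if (preferred) return preferred.challenge;
  // One active factor is used directly; several without a preference
  // lead to the challenge that asks the user to choose.
  return active.length === 1 ? active[0].challenge : 'SELECT_MFA_TYPE';
}

// Constructed placeholder token; a real call needs a signed-in user's access token.
const exampleParams = buildMfaPreferenceParams('EXAMPLE_ACCESS_TOKEN', ['SMS', 'TOTP']);
console.log(expectedMfaChallenge(exampleParams));
```

The object returned by buildMfaPreferenceParams has the shape that setUserMFAPreference(params, callback) accepts.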
Authorize this action with a signed-in user's access token. It must include the scope aws.cognito.signin.user.admin.
Note: Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you can't use IAM credentials to authorize requests, and you can't grant IAM permissions in policies. For more information about authorization models in Amazon Cognito, see Using the Amazon Cognito user pools API and user pool endpoints.
setUserPoolMfaConfig(params = {}, callback) ⇒ AWS.Request
Sets the user pool multi-factor authentication (MFA) configuration.
Note: This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers require you to register an origination phone number before you can send SMS messages to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a phone number with Amazon Pinpoint. Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must receive SMS messages might not be able to sign up, activate their accounts, or sign in. If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Services service, Amazon Simple Notification Service might place your account in the SMS sandbox. In sandbox mode, you can send messages only to verified phone numbers. After you test your app while in the sandbox environment, you can move out of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools in the Amazon Cognito Developer Guide.
setUserSettings(params = {}, callback) ⇒ AWS.Request
This action is no longer supported. You can use it to configure only SMS MFA. You can't use it to configure time-based one-time password (TOTP) software token MFA. To configure either type of MFA, use SetUserMFAPreference instead.
Authorize this action with a signed-in user's access token. It must include the scope aws.cognito.signin.user.admin.
Note: Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you can't use IAM credentials to authorize requests, and you can't grant IAM permissions in policies. For more information about authorization models in Amazon Cognito, see Using the Amazon Cognito user pools API and user pool endpoints.
signUp(params = {}, callback) ⇒ AWS.Request
Registers the user in the specified user pool and creates a user name, password, and user attributes.
Note: Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you can't use IAM credentials to authorize requests, and you can't grant IAM permissions in policies. For more information about authorization models in Amazon Cognito, see Using the Amazon Cognito user pools API and user pool endpoints.
Note: This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers require you to register an origination phone number before you can send SMS messages to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a phone number with Amazon Pinpoint. Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must receive SMS messages might not be able to sign up, activate their accounts, or sign in. If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Services service, Amazon Simple Notification Service might place your account in the SMS sandbox. In sandbox mode, you can send messages only to verified phone numbers. After you test your app while in the sandbox environment, you can move out of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools in the Amazon Cognito Developer Guide.
tagResource(params = {}, callback) ⇒ AWS.Request
Assigns a set of tags to an Amazon Cognito user pool. A tag is a label that you can use to categorize and manage user pools in different ways, such as by purpose, owner, environment, or other criteria.
Each tag consists of a key and value, both of which you define. A key is a general category for more specific values. For example, if you have two versions of a user pool, one for testing and another for production, you might assign an Environment tag key to both user pools. The value of this key might be Test for one user pool, and Production for the other.
Tags are useful for cost tracking and access control. You can activate your tags so that they appear on the Billing and Cost Management console, where you can track the costs associated with your user pools. In an Identity and Access Management policy, you can constrain permissions for user pools based on specific tags or tag values.
You can use this action up to 5 times per second, per account. A user pool can have as many as 50 tags.
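The notes in this section split operations into those for which Amazon Cognito evaluates IAM policies and those for which it does not. The following check is an added example, not part of the AWS SDK or its documentation: it reviews an IAM policy document and reports statements that name operations from the second group, where neither an Allow nor a Deny is evaluated. The cognito-idp: action prefix is the service's IAM prefix; the sample policy and the severity labels are constructed for illustration, and the operation list covers only the operations named in this section.

```javascript
// Added example, not AWS SDK code. Operations whose note in this section says
// Amazon Cognito does NOT evaluate IAM policies for the request.
const NOT_IAM_EVALUATED = [
  'GlobalSignOut', 'InitiateAuth', 'ListDevices', 'ResendConfirmationCode',
  'RespondToAuthChallenge', 'RevokeToken', 'SetUserMFAPreference',
  'SetUserSettings', 'SignUp',
];

const asArray = (v) => (v === undefined ? [] : Array.isArray(v) ? v : [v]);

// IAM action patterns are case-insensitive; * matches any run, ? one character.
function actionPatternToRegExp(pattern) {
  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, '\\$&');
  return new RegExp(`^${escaped.replace(/\*/g, '.*').replace(/\?/g, '.')}$`, 'i');
}

// One finding per statement whose Action covers an operation listed above.
// NotAction statements are out of scope for this check.
function lintCognitoPolicy(policy) {
  const findings = [];
  asArray(policy.Statement).forEach((stmt, index) => {
    const patterns = asArray(stmt.Action).map(actionPatternToRegExp);
    const operations = NOT_IAM_EVALUATED.filter((op) =>
      patterns.some((re) => re.test(`cognito-idp:${op}`)));
    if (operations.length === 0) return;
    findings.push({
      statement: stmt.Sid || `#${index}`,
      effect: stmt.Effect,
      operations,
      // An unevaluated Deny gives false assurance; an unevaluated Allow is dead weight.
      severity: stmt.Effect === 'Deny' ? 'high' : 'low',
    });
  });
  return findings;
}

// Constructed sample policy for illustration.
const SAMPLE_POLICY = {
  Version: '2012-10-17',
  Statement: [
    { Sid: 'ReadDirectory', Effect: 'Allow',
      Action: ['cognito-idp:ListUsers', 'cognito-idp:ListGroups'], Resource: '*' },
    { Sid: 'BlockSelfSignUp', Effect: 'Deny',
      Action: 'cognito-idp:SignUp', Resource: '*' },
    { Sid: 'AppBackend', Effect: 'Allow',
      Action: ['cognito-idp:InitiateAuth', 'cognito-idp:Respond*'], Resource: '*' },
  ],
};

for (const f of lintCognitoPolicy(SAMPLE_POLICY)) {
  console.log(`${f.severity}: ${f.effect} in ${f.statement} is not evaluated for ${f.operations.join(', ')}`);
}
```

A wildcard such as cognito-idp:List* is reported as well, because it also covers ListDevices, which is authorized with the user's access token.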
- adminAddUserToGroup(params = {}, callback) ⇒ AWS.Request