Amazon Cognito
Developer Guide

AWS Lambda Trigger Common Parameters

The event information passed to the invoked Lambda function contains the parameters that were passed from the Amazon Cognito service. The general format of the event is shown next. The request and the response parameters depend on the Lambda trigger.

{ "version": number, "triggerSource": "string", "region": AWSRegion, "userPoolId": "string", "callerContext": { "awsSdkVersion": "string", "clientId": "string" }, "request": { "userAttributes": { "string": "string", .... } }, "response": {} }

The version number of your Lambda function.


The name of the event that triggered the Lambda function. The following table shows the triggerSource values and the triggering event for each value.

triggerSource value Triggering event
CustomMessage_SignUp Custom message – To send the confirmation code post sign-up.
CustomMessage_AdminCreateUser Custom message – To send the temporary password to a new user.
CustomMessage_ResendCode Custom message – To resend the confirmation code to an existing user.
CustomMessage_ForgotPassword Custom message – To send the confirmation code for Forgot Password request.
CustomMessage_UpdateUserAttribute Custom message – When a user's email or phone number is changed, this trigger sends a verification code automatically to the user. Cannot be used for other attributes.
CustomMessage_VerifyUserAttribute Custom message – This trigger sends a verification code to the user when they manually request it for a new email or phone number.
CustomMessage_Authentication Custom message – To send MFA code during authentication.
PreSignUp_AdminCreateUser Pre sign-up when an admin creates a new user.
PreSignUp_SignUp Pre sign-up.
PreAuthentication_Authentication Pre authentication.
PostAuthentication_Authentication Post authentication.
PostConfirmation_ConfirmSignUp Post sign-up confirmation.
PostConfirmation_ConfirmForgotPassword Post Forgot Password confirmation.
DefineAuthChallenge_Authentication Define Auth Challenge.
CreateAuthChallenge_Authentication Create Auth Challenge.
VerifyAuthChallengeResponse_Authentication Verify Auth Challenge Response.
TokenGeneration_HostedAuth Called during authentication from the Amazon Cognito hosted UI.
TokenGeneration_Authentication Called after user authentication flows have completed.
TokenGeneration_NewPasswordChallenge Called after the user is created by an admin. This flow is invoked when the user has to change a temporary password.
TokenGeneration_AuthenticateDevice Called at the end of the authentication of a user device.
TokenGeneration_RefreshTokens Called when a user tries to refresh the identity and access tokens.
UserMigration_Authentication User migration at the time of sign in.
UserMigration_ForgotPassword User migration during forgot-password flow.

The AWS Region, as an AWSRegion instance.


The user pool ID for the user pool.


The caller context, which consists of the following:


The AWS SDK version number.


The ID of the client associated with the user pool.


The request from the Amazon Cognito service. This request must include:


One or more pairs of user attribute names and values. Each pair is in the form "name": "value".


The response from your Lambda trigger. The return parameters depend on the triggering event.