Amazon Cognito
Developer Guide

Post Authentication Lambda Trigger

Amazon Cognito invokes this trigger after signing in a user, allowing you to add custom logic after authentication.

Post Authentication Lambda Flows

Client Authentication Flow


[Figure: Post authentication Lambda trigger - client flow]

Server Authentication Flow


[Figure: Post authentication Lambda trigger - server flow]

For more information, see User Pool Authentication Flow.

Post Authentication Lambda Trigger Parameters

These are the parameters required by this Lambda function in addition to the common parameters.

JSON

    {
        "request": {
            "userAttributes": {
                "string": "string",
                ....
            },
            "newDeviceUsed": boolean
        },
        "response": {}
    }

Post Authentication Request Parameters

newDeviceUsed

This flag indicates if the user has signed in on a new device. It is set only if the remembered devices value of the user pool is set to Always or User Opt-In.

userAttributes

One or more name-value pairs representing user attributes.

Post Authentication Response Parameters

No additional return information is expected in the response.

Authentication Tutorials

The post authentication Lambda function is triggered just after Amazon Cognito signs in a new user. See these sign-in tutorials for JavaScript, Android, and iOS.

Platform                 Tutorial
JavaScript Identity SDK  Sign in users with JavaScript
Android Identity SDK     Sign in users with Android
iOS Identity SDK         Sign in users with iOS

Post Authentication Example

This post authentication sample Lambda function sends data from a successful sign-in to CloudWatch Logs.

Node.js

    exports.handler = (event, context, callback) => {
        // Send post authentication data to Cloudwatch logs
        console.log("Authentication successful");
        console.log("Trigger function =", event.triggerSource);
        console.log("User pool = ", event.userPoolId);
        console.log("App client ID = ", event.callerContext.clientId);
        console.log("User ID = ", event.userName);

        // Return to Amazon Cognito
        callback(null, event);
    };

Python

    from __future__ import print_function

    def lambda_handler(event, context):
        # Send post authentication data to Cloudwatch logs
        print("Authentication successful")
        print("Trigger function =", event['triggerSource'])
        print("User pool = ", event['userPoolId'])
        print("App client ID = ", event['callerContext']['clientId'])
        print("User ID = ", event['userName'])

        # Return to Amazon Cognito
        return event

Amazon Cognito passes event information to your Lambda function. The function then returns the same event object back to Amazon Cognito, with any changes in the response. In the Lambda console, you can set up a test event with data that’s relevant to your Lambda trigger. The following is a test event for this code sample:

JSON

    {
        "triggerSource": "testTrigger",
        "userPoolId": "testPool",
        "userName": "testName",
        "callerContext": {
            "clientId": "12345"
        },
        "response": {}
    }
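
The following is an added example, not part of the AWS guide: a Python handler that writes one structured audit record per sign-in and reports a missing newDeviceUsed as "unknown", because the flag is set only when the user pool remembers devices. The LOGGED_ATTRIBUTES allowlist, the record field names, and the sample attribute values are assumptions made for illustration.

```python
import json

# Assumption: only these attributes are needed for auditing; others
# (email, phone number, ...) are kept out of the logs.
LOGGED_ATTRIBUTES = ("sub",)


def build_audit_record(event):
    """Return a structured audit record for one successful sign-in."""
    request = event.get("request") or {}
    attributes = request.get("userAttributes") or {}
    # newDeviceUsed is set only if remembered devices is Always or
    # User Opt-In. Absent means "unknown", not "known device".
    flag = request.get("newDeviceUsed")
    if flag is True:
        device = "new"
    elif flag is False:
        device = "known"
    else:
        device = "unknown"
    return {
        "event": "sign_in_success",
        "triggerSource": event.get("triggerSource"),
        "userPoolId": event.get("userPoolId"),
        "clientId": (event.get("callerContext") or {}).get("clientId"),
        "userName": event.get("userName"),
        "device": device,
        "attributes": {k: attributes[k] for k in LOGGED_ATTRIBUTES if k in attributes},
    }


def lambda_handler(event, context):
    # One JSON object per line keeps the record machine-readable in CloudWatch Logs.
    print(json.dumps(build_audit_record(event), sort_keys=True))
    # No additional response data is expected; return the event unchanged.
    return event


# Constructed sample event in the shape shown on this page.
SAMPLE_EVENT = {
    "triggerSource": "testTrigger",
    "userPoolId": "testPool",
    "userName": "testName",
    "callerContext": {"clientId": "12345"},
    "request": {
        "userAttributes": {"sub": "constructed-sub", "email": "user@example.com"},
        "newDeviceUsed": True,
    },
    "response": {},
}
```
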