Post Authentication Lambda Trigger
Amazon Cognito invokes this trigger after signing in a user, allowing you to add custom logic after authentication.
Topics
Post Authentication Lambda Flows
Client Authentication Flow

Server Authentication Flow

For more information, see User Pool Authentication Flow.
Post Authentication Lambda Trigger Parameters
These are the parameters required by this Lambda function in addition to the common parameters.
Post Authentication Request Parameters
- newDeviceUsed
-
This flag indicates if the user has signed in on a new device. It is set only if the remembered devices value of the user pool is set to
Always
orUser Opt-In
. - userAttributes
-
One or more name-value pairs representing user attributes.
- clientMetadata
-
One or more key-value pairs that you can provide as custom input to the Lambda function that you specify for the post authentication trigger. You can pass this data to your Lambda function by using the ClientMetadata parameter in the AdminRespondToAuthChallenge and RespondToAuthChallenge API actions.
Post Authentication Response Parameters
No additional return information is expected in the response.
Authentication Tutorials
The post authentication Lambda function is triggered just after Amazon Cognito signs in a new user. See these sign-in tutorials for JavaScript, Android, and iOS.
Platform | Tutorial |
---|---|
JavaScript Identity SDK | Sign in users with JavaScript |
Android Identity SDK | Sign in users with Android |
iOS Identity SDK | Sign in users with iOS |
Post Authentication Example
This post authentication sample Lambda function sends data from a successful sign-in to CloudWatch Logs.
Amazon Cognito passes event information to your Lambda function. The function then returns the same event object back to Amazon Cognito, with any changes in the response. In the Lambda console, you can set up a test event with data that’s relevant to your Lambda trigger. The following is a test event for this code sample: