Pre authentication Lambda trigger
Amazon Cognito invokes this trigger when a user attempts to sign in so that you can create custom validation that accepts or denies the authentication request.
Triggers depend on the user existing in the user pool before Amazon Cognito activates the trigger.
Pre authentication Lambda flows
Client authentication flow

Server authentication flow

The request includes client validation data from the ClientMetadata values that your app passes to the user pool InitiateAuth and AdminInitiateAuth API operations.
For more information, see User pool authentication flow.
Pre authentication Lambda trigger parameters
These are the parameters that Amazon Cognito passes to this Lambda function along with the event information in the common parameters.
Pre authentication request parameters
- userAttributes
  One or more name-value pairs that represent user attributes.
- userNotFound
  When you set PreventUserExistenceErrors to ENABLED for your user pool client, Amazon Cognito populates this Boolean.
- validationData
  One or more key-value pairs that contain the validation data in the user's sign-in request. To pass this data to your Lambda function, use the ClientMetadata parameter in the InitiateAuth and AdminInitiateAuth API actions.
Pre authentication response parameters
Amazon Cognito does not expect any additional return information in the response. Your function can return an error to reject the sign-in attempt, or use API operations to query and modify your resources.
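One way to apply these request parameters in a Node.js handler, as an added example that is not AWS sample code. The client IDs, the `tenant` ClientMetadata key, the `custom:account_status` attribute and the test event are all constructed for illustration; `callerContext.clientId` comes from the common parameters.

```javascript
// Added example, not AWS sample code. IDs, keys and values below are constructed.
const BLOCKED_CLIENT_IDS = new Set(["example-blocked-client-id"]);
const ALLOWED_TENANTS = new Set(["acme"]); // expected ClientMetadata "tenant" values

// Pure policy function, so the decision can be tested outside Lambda.
function evaluateSignIn(event) {
  const clientId = event.callerContext ? event.callerContext.clientId : undefined;
  const request = event.request || {};

  // 1. Caller-level checks first: they do not depend on the user record.
  if (!clientId || BLOCKED_CLIENT_IDS.has(clientId)) {
    return { allow: false, reason: "app client not permitted" };
  }
  // validationData is absent when the app sends no ClientMetadata. The app
  // supplies it, so it is a coarse filter and not proof of anything.
  const tenant = (request.validationData || {}).tenant;
  if (!ALLOWED_TENANTS.has(tenant)) {
    return { allow: false, reason: "missing or unknown tenant" };
  }
  // 2. userNotFound is populated when PreventUserExistenceErrors is ENABLED.
  // Skip attribute checks then and let Cognito fail the sign-in itself.
  if (request.userNotFound) {
    return { allow: true, reason: "no user record to evaluate" };
  }
  // 3. Attribute checks. "custom:account_status" is a hypothetical attribute.
  const attrs = request.userAttributes || {};
  if (attrs["custom:account_status"] === "suspended") {
    return { allow: false, reason: "account suspended" };
  }
  return { allow: true, reason: "ok" };
}

// Lambda entry point: throw to reject, return the event unchanged to accept.
const handler = async (event) => {
  const decision = evaluateSignIn(event);
  if (!decision.allow) throw new Error(decision.reason);
  return event;
};
if (typeof module !== "undefined" && module.exports) module.exports.handler = handler;

// Constructed test event (trimmed to the fields the policy reads).
const sampleEvent = {
  triggerSource: "PreAuthentication_Authentication",
  callerContext: { clientId: "example-allowed-client-id" },
  request: {
    userAttributes: { email: "jane@example.com" },
    validationData: { tenant: "acme" },
    userNotFound: false,
  },
  response: {},
};
```

The caller-level checks run before the `userNotFound` branch so that a rejected app client or missing metadata produces the same error whether or not the user exists.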
Authentication tutorials
Amazon Cognito activates the pre-authentication Lambda function before Amazon Cognito signs in a new user. See these sign-in tutorials for JavaScript, Android, and iOS.
Platform | Tutorial |
---|---|
JavaScript Identity SDK | Sign in users with JavaScript |
Android Identity SDK | Sign in users with Android |
iOS Identity SDK | Sign in users with iOS |
Pre authentication example
This sample function prevents users from a specific user pool app client from signing in to the user pool.
Amazon Cognito passes event information to your Lambda function. The function then returns the same event object to Amazon Cognito, with any changes in the response. In the Lambda console, you can set up a test event with data that is relevant to your Lambda trigger. The following is a test event for this code sample: