Amazon.CognitoIdentityProvider.Model

The data type for AccountRecoverySetting.

Account takeover actions type.

Account takeover action type.

Configuration for mitigation actions and notification for different levels of risk detected for a potential account takeover.

Container for the parameters to the AddCustomAttributes operation. Adds additional user attributes to the user pool schema.

Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.

Learn more

• Signing Amazon Web Services API Requests

• Using the Amazon Cognito user pools API and user pool endpoints

Represents the response from the server for the request to add custom attributes.

Container for the parameters to the AdminAddUserToGroup operation. Adds a user to a group. A user who is in a group can present a preferred-role claim to an identity pool, and populates a cognito:groups claim to their access and identity tokens.

Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.

Learn more

• Signing Amazon Web Services API Requests

• Using the Amazon Cognito user pools API and user pool endpoints

This is the response object from the AdminAddUserToGroup operation.

Container for the parameters to the AdminConfirmSignUp operation. This IAM-authenticated API operation provides a code that Amazon Cognito sent to your user when they signed up in your user pool. After your user enters their code, they confirm ownership of the email address or phone number that they provided, and their user account becomes active. Depending on your user pool configuration, your users will receive their confirmation code in an email or SMS message.

Local users who signed up in your user pool are the only type of user who can confirm sign-up with a code. Users who federate through an external identity provider (IdP) have already been confirmed by their IdP. Administrator-created users confirm their accounts when they respond to their invitation email message and choose a password.

Represents the response from the server for the request to confirm registration.

The configuration for creating a new user profile.

Container for the parameters to the AdminCreateUser operation. Creates a new user in the specified user pool.

If MessageAction isn't set, the default is to send a welcome message via email or phone (SMS).

This message is based on a template that you configured in your call to create or update a user pool. This template includes your custom sign-up instructions and placeholders for user name and temporary password.

Alternatively, you can call AdminCreateUser with SUPPRESS for the MessageAction parameter, and Amazon Cognito won't send any email.

In either case, the user will be in the FORCE_CHANGE_PASSWORD state until they sign in and change their password.

Represents the response from the server to the request to create the user.

Container for the parameters to the AdminDeleteUserAttributes operation. Deletes the user attributes in a user pool as an administrator. Works on any user.

Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.

Learn more

• Signing Amazon Web Services API Requests

• Using the Amazon Cognito user pools API and user pool endpoints

Represents the response received from the server for a request to delete user attributes.

Container for the parameters to the AdminDeleteUser operation. Deletes a user as an administrator. Works on any user.

Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.

Learn more

• Signing Amazon Web Services API Requests

• Using the Amazon Cognito user pools API and user pool endpoints

This is the response object from the AdminDeleteUser operation.

Container for the parameters to the AdminDisableProviderForUser operation. Prevents the user from signing in with the specified external (SAML or social) identity provider (IdP). If the user that you want to deactivate is a Amazon Cognito user pools native username + password user, they can't use their password to sign in. If the user to deactivate is a linked external IdP user, any link between that user and an existing user is removed. When the external user signs in again, and the user is no longer attached to the previously linked DestinationUser, the user must create a new user account. See AdminLinkProviderForUser.

The ProviderName must match the value specified when creating an IdP for the pool.

To deactivate a native username + password user, the ProviderName value must be Cognito and the ProviderAttributeName must be Cognito_Subject. The ProviderAttributeValue must be the name that is used in the user pool for the user.

The ProviderAttributeName must always be Cognito_Subject for social IdPs. The ProviderAttributeValue must always be the exact subject that was used when the user was originally linked as a source user.

For de-linking a SAML identity, there are two scenarios. If the linked identity has not yet been used to sign in, the ProviderAttributeName and ProviderAttributeValue must be the same values that were used for the SourceUser when the identities were originally linked using AdminLinkProviderForUser call. (If the linking was done with ProviderAttributeName set to Cognito_Subject, the same applies here). However, if the user has already signed in, the ProviderAttributeName must be Cognito_Subject and ProviderAttributeValue must be the subject of the SAML assertion.

This is the response object from the AdminDisableProviderForUser operation.

Container for the parameters to the AdminDisableUser operation. Deactivates a user and revokes all access tokens for the user. A deactivated user can't sign in, but still appears in the responses to GetUser and ListUsers API requests.

Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.

Learn more

• Signing Amazon Web Services API Requests

• Using the Amazon Cognito user pools API and user pool endpoints

Represents the response received from the server to disable the user as an administrator.

Container for the parameters to the AdminEnableUser operation. Enables the specified user as an administrator. Works on any user.

Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.

Learn more

• Signing Amazon Web Services API Requests

• Using the Amazon Cognito user pools API and user pool endpoints

Represents the response from the server for the request to enable a user as an administrator.

Container for the parameters to the AdminForgetDevice operation. Forgets the device, as an administrator.

Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.

Learn more

• Signing Amazon Web Services API Requests

• Using the Amazon Cognito user pools API and user pool endpoints

This is the response object from the AdminForgetDevice operation.

Container for the parameters to the AdminGetDevice operation. Gets the device, as an administrator.

Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.

Learn more

• Signing Amazon Web Services API Requests

• Using the Amazon Cognito user pools API and user pool endpoints

Gets the device response, as an administrator.

Container for the parameters to the AdminGetUser operation. Gets the specified user by user name in a user pool as an administrator. Works on any user.

Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.

Learn more

• Signing Amazon Web Services API Requests

• Using the Amazon Cognito user pools API and user pool endpoints

Represents the response from the server from the request to get the specified user as an administrator.

Container for the parameters to the AdminInitiateAuth operation. Initiates the authentication flow, as an administrator.

This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers require you to register an origination phone number before you can send SMS messages to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a phone number with Amazon Pinpoint. Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must receive SMS messages might not be able to sign up, activate their accounts, or sign in.

If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Service, Amazon Simple Notification Service might place your account in the SMS sandbox. In sandbox mode, you can send messages only to verified phone numbers. After you test your app while in the sandbox environment, you can move out of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools in the Amazon Cognito Developer Guide.

Initiates the authentication response, as an administrator.

Container for the parameters to the AdminLinkProviderForUser operation. Links an existing user account in a user pool (DestinationUser) to an identity from an external IdP (SourceUser) based on a specified attribute name and value from the external IdP. This allows you to create a link from the existing user account to an external federated user identity that has not yet been used to sign in. You can then use the federated user identity to sign in as the existing user account.

For example, if there is an existing user with a username and password, this API links that user to a federated user identity. When the user signs in with a federated user identity, they sign in as the existing user account.

This is the response object from the AdminLinkProviderForUser operation.

Container for the parameters to the AdminListDevices operation. Lists devices, as an administrator.

Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.

Learn more

• Signing Amazon Web Services API Requests

• Using the Amazon Cognito user pools API and user pool endpoints

Lists the device's response, as an administrator.

Container for the parameters to the AdminListGroupsForUser operation. Lists the groups that a user belongs to.

Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.

Learn more

• Signing Amazon Web Services API Requests

• Using the Amazon Cognito user pools API and user pool endpoints

This is the response object from the AdminListGroupsForUser operation.

Container for the parameters to the AdminListUserAuthEvents operation. A history of user activity and any risks detected as part of Amazon Cognito advanced security.

Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.

Learn more

• Signing Amazon Web Services API Requests

• Using the Amazon Cognito user pools API and user pool endpoints

This is the response object from the AdminListUserAuthEvents operation.

Container for the parameters to the AdminRemoveUserFromGroup operation. Removes the specified user from the specified group.

Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.

Learn more

• Signing Amazon Web Services API Requests

• Using the Amazon Cognito user pools API and user pool endpoints

This is the response object from the AdminRemoveUserFromGroup operation.

Container for the parameters to the AdminResetUserPassword operation. Resets the specified user's password in a user pool as an administrator. Works on any user.

To use this API operation, your user pool must have self-service account recovery configured. Use AdminSetUserPassword if you manage passwords as an administrator.

Deactivates a user's password, requiring them to change it. If a user tries to sign in after the API is called, Amazon Cognito responds with a PasswordResetRequiredException error. Your app must then perform the actions that reset your user's password: the forgot-password flow. In addition, if the user pool has phone verification selected and a verified phone number exists for the user, or if email verification is selected and a verified email exists for the user, calling this API will also result in sending a message to the end user with the code to change their password.

Represents the response from the server to reset a user password as an administrator.

Container for the parameters to the AdminRespondToAuthChallenge operation. Some API operations in a user pool generate a challenge, like a prompt for an MFA code, for device authentication that bypasses MFA, or for a custom authentication challenge. An AdminRespondToAuthChallenge API request provides the answer to that challenge, like a code or a secure remote password (SRP). The parameters of a response to an authentication challenge vary with the type of challenge.

For more information about custom authentication challenges, see Custom authentication challenge Lambda triggers.

Responds to the authentication challenge, as an administrator.

Container for the parameters to the AdminSetUserMFAPreference operation. The user's multi-factor authentication (MFA) preference, including which MFA options are activated, and if any are preferred. Only one factor can be set as preferred. The preferred MFA factor will be used to authenticate a user if multiple factors are activated. If multiple options are activated and no preference is set, a challenge to choose an MFA option will be returned during sign-in.

Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.

Learn more

• Signing Amazon Web Services API Requests

• Using the Amazon Cognito user pools API and user pool endpoints

This is the response object from the AdminSetUserMFAPreference operation.

Container for the parameters to the AdminSetUserPassword operation. Sets the specified user's password in a user pool as an administrator. Works on any user.

The password can be temporary or permanent. If it is temporary, the user status enters the FORCE_CHANGE_PASSWORD state. When the user next tries to sign in, the InitiateAuth/AdminInitiateAuth response will contain the NEW_PASSWORD_REQUIRED challenge. If the user doesn't sign in before it expires, the user won't be able to sign in, and an administrator must reset their password.

Once the user has set a new password, or the password is permanent, the user status is set to Confirmed.

AdminSetUserPassword can set a password for the user profile that Amazon Cognito creates for third-party federated users. When you set a password, the federated user's status changes from EXTERNAL_PROVIDER to CONFIRMED. A user in this state can sign in as a federated user, and initiate authentication flows in the API like a linked native user. They can also modify their password and attributes in token-authenticated API requests like ChangePassword and UpdateUserAttributes. As a best security practice and to keep users in sync with your external IdP, don't set passwords on federated user profiles. To set up a federated user for native sign-in with a linked native user, refer to Linking federated users to an existing user profile.

This is the response object from the AdminSetUserPassword operation.

Container for the parameters to the AdminSetUserSettings operation. This action is no longer supported. You can use it to configure only SMS MFA. You can't use it to configure time-based one-time password (TOTP) software token MFA. To configure either type of MFA, use AdminSetUserMFAPreference instead.

Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.

Learn more

• Signing Amazon Web Services API Requests

• Using the Amazon Cognito user pools API and user pool endpoints

Represents the response from the server to set user settings as an administrator.

Container for the parameters to the AdminUpdateAuthEventFeedback operation. Provides feedback for an authentication event indicating if it was from a valid user. This feedback is used for improving the risk evaluation decision for the user pool as part of Amazon Cognito advanced security.

Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.

Learn more

• Signing Amazon Web Services API Requests

• Using the Amazon Cognito user pools API and user pool endpoints

This is the response object from the AdminUpdateAuthEventFeedback operation.

Container for the parameters to the AdminUpdateDeviceStatus operation. Updates the device status as an administrator.

Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.

Learn more

• Signing Amazon Web Services API Requests

• Using the Amazon Cognito user pools API and user pool endpoints

The status response to the request to update the device, as an administrator.

Container for the parameters to the AdminUpdateUserAttributes operation.

This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers require you to register an origination phone number before you can send SMS messages to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a phone number with Amazon Pinpoint. Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must receive SMS messages might not be able to sign up, activate their accounts, or sign in.

If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Service, Amazon Simple Notification Service might place your account in the SMS sandbox. In sandbox mode, you can send messages only to verified phone numbers. After you test your app while in the sandbox environment, you can move out of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools in the Amazon Cognito Developer Guide.

Updates the specified user's attributes, including developer attributes, as an administrator. Works on any user. To delete an attribute from your user, submit the attribute in your API request with a blank value.

For custom attributes, you must prepend the custom: prefix to the attribute name.

In addition to updating user attributes, this API can also be used to mark phone and email as verified.

Represents the response from the server for the request to update user attributes as an administrator.

Container for the parameters to the AdminUserGlobalSignOut operation. Invalidates the identity, access, and refresh tokens that Amazon Cognito issued to a user. Call this operation with your administrative credentials when your user signs out of your app. This results in the following behavior.

• Amazon Cognito no longer accepts token-authorized user operations that you authorize with a signed-out user's access tokens. For more information, see Using the Amazon Cognito user pools API and user pool endpoints.

  Amazon Cognito returns an Access Token has been revoked error when your app attempts to authorize a user pools API request with a revoked access token that contains the scope aws.cognito.signin.user.admin.

• Amazon Cognito no longer accepts a signed-out user's ID token in a GetId request to an identity pool with ServerSideTokenCheck enabled for its user pool IdP configuration in CognitoIdentityProvider.

• Amazon Cognito no longer accepts a signed-out user's refresh tokens in refresh requests.

Other requests might be valid until your user's token expires.

The global sign-out response, as an administrator.

This exception is thrown when a user tries to confirm the account with an email address or phone number that has already been supplied as an alias for a different user profile. This exception indicates that an account with this email address or phone already exists in a user pool that you've configured to use email address or phone number as a sign-in alias.

The Amazon Pinpoint analytics configuration necessary to collect metrics for a user pool.

In Regions where Amazon Pinpoint isn't available, user pools only support sending events to Amazon Pinpoint projects in us-east-1. In Regions where Amazon Pinpoint is available, user pools support sending events to Amazon Pinpoint projects within that same Region.

An Amazon Pinpoint analytics endpoint.

An endpoint uniquely identifies a mobile device, email address, or phone number that can receive messages from Amazon Pinpoint analytics. For more information about Amazon Web Services Regions that can contain Amazon Pinpoint resources for use with Amazon Cognito user pools, see Using Amazon Pinpoint analytics with Amazon Cognito user pools.

Container for the parameters to the AssociateSoftwareToken operation. Begins setup of time-based one-time password (TOTP) multi-factor authentication (MFA) for a user, with a unique private key that Amazon Cognito generates and returns in the API response. You can authorize an AssociateSoftwareToken request with either the user's access token, or a session string from a challenge response that you received from Amazon Cognito.

Amazon Cognito disassociates an existing software token when you verify the new token in a VerifySoftwareToken API request. If you don't verify the software token and your user pool doesn't require MFA, the user can then authenticate with user name and password credentials alone. If your user pool requires TOTP MFA, Amazon Cognito generates an MFA_SETUP or SOFTWARE_TOKEN_SETUP challenge each time your user signs. Complete setup with AssociateSoftwareToken and VerifySoftwareToken.

After you set up software token MFA for your user, Amazon Cognito generates a SOFTWARE_TOKEN_MFA challenge when they authenticate. Respond to this challenge with your user's TOTP.

This is the response object from the AssociateSoftwareToken operation.

Specifies whether the attribute is standard or custom.

The authentication result.

The authentication event type.

The challenge response type.

Container for the parameters to the ChangePassword operation. Changes the password for a specified user in a user pool.

Authorize this action with a signed-in user's access token. It must include the scope aws.cognito.signin.user.admin.

The response from the server to the change password request.

The CloudWatch logging destination of a user pool detailed activity logging configuration.

The delivery details for an email or SMS message that Amazon Cognito sent for authentication or verification.

This exception is thrown when a verification code fails to deliver successfully.

This exception is thrown if the provided code doesn't match what the server was expecting.

Paginators for the CognitoIdentityProvider service

The compromised credentials actions type.

The compromised credentials risk configuration type.

This exception is thrown if two or more modifications are happening concurrently.

Container for the parameters to the ConfirmDevice operation. Confirms tracking of the device. This API call is the call that begins device tracking. For more information about device authentication, see Working with user devices in your user pool.

Authorize this action with a signed-in user's access token. It must include the scope aws.cognito.signin.user.admin.

Confirms the device response.

Container for the parameters to the ConfirmForgotPassword operation. Allows a user to enter a confirmation code to reset a forgotten password.

Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you can't use IAM credentials to authorize requests, and you can't grant IAM permissions in policies. For more information about authorization models in Amazon Cognito, see Using the Amazon Cognito user pools API and user pool endpoints.

The response from the server that results from a user's request to retrieve a forgotten password.

Container for the parameters to the ConfirmSignUp operation. This public API operation provides a code that Amazon Cognito sent to your user when they signed up in your user pool via the SignUp API operation. After your user enters their code, they confirm ownership of the email address or phone number that they provided, and their user account becomes active. Depending on your user pool configuration, your users will receive their confirmation code in an email or SMS message.

Local users who signed up in your user pool are the only type of user who can confirm sign-up with a code. Users who federate through an external identity provider (IdP) have already been confirmed by their IdP. Administrator-created users, users created with the AdminCreateUser API operation, confirm their accounts when they respond to their invitation email message and choose a password. They do not receive a confirmation code. Instead, they receive a temporary password.

Represents the response from the server for the registration confirmation.

Contextual user data type used for evaluating the risk of an unexpected event by Amazon Cognito advanced security.

Container for the parameters to the CreateGroup operation. Creates a new group in the specified user pool.

Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.

Learn more

• Signing Amazon Web Services API Requests

• Using the Amazon Cognito user pools API and user pool endpoints

This is the response object from the CreateGroup operation.

Container for the parameters to the CreateIdentityProvider operation. Adds a configuration and trust relationship between a third-party identity provider (IdP) and a user pool.

Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.

Learn more

• Signing Amazon Web Services API Requests

• Using the Amazon Cognito user pools API and user pool endpoints

This is the response object from the CreateIdentityProvider operation.

Container for the parameters to the CreateResourceServer operation. Creates a new OAuth2.0 resource server and defines custom scopes within it.

Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.

Learn more

• Signing Amazon Web Services API Requests

• Using the Amazon Cognito user pools API and user pool endpoints

This is the response object from the CreateResourceServer operation.

Container for the parameters to the CreateUserImportJob operation. Creates a user import job.

Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.

Learn more

• Signing Amazon Web Services API Requests

• Using the Amazon Cognito user pools API and user pool endpoints

Represents the response from the server to the request to create the user import job.

Container for the parameters to the CreateUserPoolClient operation. Creates the user pool client.

When you create a new user pool client, token revocation is automatically activated. For more information about revoking tokens, see RevokeToken.

Represents the response from the server to create a user pool client.

Container for the parameters to the CreateUserPoolDomain operation. Creates a new domain for a user pool.

Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.

Learn more

• Signing Amazon Web Services API Requests

• Using the Amazon Cognito user pools API and user pool endpoints

This is the response object from the CreateUserPoolDomain operation.

Container for the parameters to the CreateUserPool operation.

This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers require you to register an origination phone number before you can send SMS messages to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a phone number with Amazon Pinpoint. Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must receive SMS messages might not be able to sign up, activate their accounts, or sign in.

If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Service, Amazon Simple Notification Service might place your account in the SMS sandbox. In sandbox mode, you can send messages only to verified phone numbers. After you test your app while in the sandbox environment, you can move out of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools in the Amazon Cognito Developer Guide.

Creates a new Amazon Cognito user pool and sets the password policy for the pool.

Represents the response from the server for the request to create a user pool.

The configuration for a custom domain that hosts the sign-up and sign-in webpages for your application.

The properties of a custom email sender Lambda trigger.

The properties of a custom SMS sender Lambda trigger.

Container for the parameters to the DeleteGroup operation. Deletes a group.

Calling this action requires developer credentials.

This is the response object from the DeleteGroup operation.

Container for the parameters to the DeleteIdentityProvider operation. Deletes an IdP for a user pool.

This is the response object from the DeleteIdentityProvider operation.

Container for the parameters to the DeleteResourceServer operation. Deletes a resource server.

This is the response object from the DeleteResourceServer operation.

Container for the parameters to the DeleteUserAttributes operation. Deletes the attributes for a user.

Authorize this action with a signed-in user's access token. It must include the scope aws.cognito.signin.user.admin.

Represents the response from the server to delete user attributes.

Container for the parameters to the DeleteUserPoolClient operation. Allows the developer to delete the user pool client.

This is the response object from the DeleteUserPoolClient operation.

Container for the parameters to the DeleteUserPoolDomain operation. Deletes a domain for a user pool.

This is the response object from the DeleteUserPoolDomain operation.

Container for the parameters to the DeleteUserPool operation. Deletes the specified Amazon Cognito user pool.

This is the response object from the DeleteUserPool operation.

Container for the parameters to the DeleteUser operation. Allows a user to delete their own user profile.

Authorize this action with a signed-in user's access token. It must include the scope aws.cognito.signin.user.admin.

This is the response object from the DeleteUser operation.

Container for the parameters to the DescribeIdentityProvider operation. Gets information about a specific IdP.

This is the response object from the DescribeIdentityProvider operation.

Container for the parameters to the DescribeResourceServer operation. Describes a resource server.

This is the response object from the DescribeResourceServer operation.

Container for the parameters to the DescribeRiskConfiguration operation. Describes the risk configuration.

This is the response object from the DescribeRiskConfiguration operation.

Container for the parameters to the DescribeUserImportJob operation. Describes the user import job.

Represents the response from the server to the request to describe the user import job.

Container for the parameters to the DescribeUserPoolClient operation. Client method for returning the configuration information and metadata of the specified user pool app client.

Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.

Learn more

• Signing Amazon Web Services API Requests

• Using the Amazon Cognito user pools API and user pool endpoints

Represents the response from the server from a request to describe the user pool client.

Container for the parameters to the DescribeUserPoolDomain operation. Gets information about a domain.

This is the response object from the DescribeUserPoolDomain operation.

Container for the parameters to the DescribeUserPool operation. Returns the configuration information and metadata of the specified user pool.

Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.

Learn more

• Signing Amazon Web Services API Requests

• Using the Amazon Cognito user pools API and user pool endpoints

Represents the response to describe the user pool.

The device-remembering configuration for a user pool. A DescribeUserPool request returns a null value for this object when the user pool isn't configured to remember devices. When device remembering is active, you can remember a user's device with a ConfirmDevice API request. Additionally. when the property DeviceOnlyRememberedOnUserPrompt is true, you must follow ConfirmDevice with an UpdateDeviceStatus API request that sets the user's device to remembered or not_remembered.

To sign in with a remembered device, include DEVICE_KEY in the authentication parameters in your user's InitiateAuth request. If your app doesn't include a DEVICE_KEY parameter, the response from Amazon Cognito includes newly-generated DEVICE_KEY and DEVICE_GROUP_KEY values under NewDeviceMetadata. Store these values to use in future device-authentication requests.

The device verifier against which it is authenticated.

The device type.

A container for information about a domain.

This exception is thrown when the provider is already supported by the user pool.

The email configuration of your user pool. The email configuration type sets your preferred sending method, Amazon Web Services Region, and sender for messages from your user pool.

Amazon Cognito can send email messages with Amazon Simple Email Service resources in the Amazon Web Services Region where you created your user pool, and in alternate Regions in some cases. For more information on the supported Regions, see Email settings for Amazon Cognito user pools.

This exception is thrown when there is a code mismatch and the service fails to configure the software token TOTP multi-factor authentication (MFA).

Specifies the user context data captured at the time of an event request.

Specifies the event feedback type.

The event risk type.

This exception is thrown if a code has expired.

This exception is thrown when WAF doesn't allow your request based on a web ACL that's associated with your user pool.

Container for the parameters to the ForgetDevice operation. Forgets the specified device. For more information about device authentication, see Working with user devices in your user pool.

Authorize this action with a signed-in user's access token. It must include the scope aws.cognito.signin.user.admin.

This is the response object from the ForgetDevice operation.

Container for the parameters to the ForgotPassword operation. Calling this API causes a message to be sent to the end user with a confirmation code that is required to change the user's password. For the Username parameter, you can use the username or user alias. The method used to send the confirmation code is sent according to the specified AccountRecoverySetting. For more information, see Recovering User Accounts in the Amazon Cognito Developer Guide. To use the confirmation code for resetting the password, call ConfirmForgotPassword.

If neither a verified phone number nor a verified email exists, this API returns InvalidParameterException. If your app client has a client secret and you don't provide a SECRET_HASH parameter, this API returns NotAuthorizedException.

To use this API operation, your user pool must have self-service account recovery configured. Use AdminSetUserPassword if you manage passwords as an administrator.

The response from Amazon Cognito to a request to reset a password.

Container for the parameters to the GetCSVHeader operation. Gets the header information for the comma-separated value (CSV) file to be used as input for the user import job.

Represents the response from the server to the request to get the header information of the CSV file for the user import job.

Container for the parameters to the GetDevice operation. Gets the device. For more information about device authentication, see Working with user devices in your user pool.

Authorize this action with a signed-in user's access token. It must include the scope aws.cognito.signin.user.admin.

Gets the device response.

Container for the parameters to the GetGroup operation. Gets a group.

Calling this action requires developer credentials.

This is the response object from the GetGroup operation.

Container for the parameters to the GetIdentityProviderByIdentifier operation. Gets the specified IdP.

This is the response object from the GetIdentityProviderByIdentifier operation.

Container for the parameters to the GetLogDeliveryConfiguration operation. Gets the detailed activity logging configuration for a user pool.

This is the response object from the GetLogDeliveryConfiguration operation.

Container for the parameters to the GetSigningCertificate operation. This method takes a user pool ID, and returns the signing certificate. The issued certificate is valid for 10 years from the date of issue.

Amazon Cognito issues and assigns a new signing certificate annually. This process returns a new value in the response to GetSigningCertificate, but doesn't invalidate the original certificate.

Response from Amazon Cognito for a signing certificate request.

Container for the parameters to the GetUICustomization operation. Gets the user interface (UI) Customization information for a particular app client's app UI, if any such information exists for the client. If nothing is set for the particular client, but there is an existing pool level customization (the app clientId is ALL), then that information is returned. If nothing is present, then an empty shape is returned.

This is the response object from the GetUICustomization operation.

Container for the parameters to the GetUserAttributeVerificationCode operation. Generates a user attribute verification code for the specified attribute name. Sends a message to a user with a code that they must return in a VerifyUserAttribute request.

Authorize this action with a signed-in user's access token. It must include the scope aws.cognito.signin.user.admin.

The verification code response returned by the server response to get the user attribute verification code.

Container for the parameters to the GetUserPoolMfaConfig operation. Gets the user pool multi-factor authentication (MFA) configuration.

This is the response object from the GetUserPoolMfaConfig operation.

Container for the parameters to the GetUser operation. Gets the user attributes and metadata for a user.

Authorize this action with a signed-in user's access token. It must include the scope aws.cognito.signin.user.admin.

Represents the response from the server from the request to get information about the user.

Container for the parameters to the GlobalSignOut operation. Invalidates the identity, access, and refresh tokens that Amazon Cognito issued to a user. Call this operation when your user signs out of your app. This results in the following behavior.

• Amazon Cognito no longer accepts token-authorized user operations that you authorize with a signed-out user's access tokens. For more information, see Using the Amazon Cognito user pools API and user pool endpoints.

  Amazon Cognito returns an Access Token has been revoked error when your app attempts to authorize a user pools API request with a revoked access token that contains the scope aws.cognito.signin.user.admin.

• Amazon Cognito no longer accepts a signed-out user's ID token in a GetId request to an identity pool with ServerSideTokenCheck enabled for its user pool IdP configuration in CognitoIdentityProvider.

• Amazon Cognito no longer accepts a signed-out user's refresh tokens in refresh requests.

Other requests might be valid until your user's token expires.

Authorize this action with a signed-in user's access token. It must include the scope aws.cognito.signin.user.admin.

The response to the request to sign out all devices.

This exception is thrown when Amazon Cognito encounters a group that already exists in the user pool.

The group type.

The HTTP header.

A container for information about an IdP.

Container for the parameters to the InitiateAuth operation. Initiates sign-in for a user in the Amazon Cognito user directory. You can't sign in a user with a federated IdP with InitiateAuth. For more information, see Adding user pool sign-in through a third party.

Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you can't use IAM credentials to authorize requests, and you can't grant IAM permissions in policies. For more information about authorization models in Amazon Cognito, see Using the Amazon Cognito user pools API and user pool endpoints.

Initiates the authentication response.

This exception is thrown when Amazon Cognito encounters an internal error.

This exception is thrown when Amazon Cognito isn't allowed to use your email identity. HTTP status code: 400.

This exception is thrown when Amazon Cognito encounters an invalid Lambda response.

This exception is thrown when the specified OAuth flow is not valid.

This exception is thrown when the Amazon Cognito service encounters an invalid parameter.

This exception is thrown when Amazon Cognito encounters an invalid password.

This exception is returned when the role provided for SMS configuration doesn't have permission to publish using Amazon SNS.

This exception is thrown when the trust relationship is not valid for the role provided for SMS configuration. This can happen if you don't trust cognito-idp.amazonaws.com or the external ID provided in the role does not match what is provided in the SMS configuration for the user pool.

This exception is thrown when the user pool configuration is not valid.

Specifies the configuration for Lambda triggers.

This exception is thrown when a user exceeds the limit for a requested Amazon Web Services resource.

Container for the parameters to the ListDevices operation. Lists the sign-in devices that Amazon Cognito has registered to the current user. For more information about device authentication, see Working with user devices in your user pool.

Authorize this action with a signed-in user's access token. It must include the scope aws.cognito.signin.user.admin.

Represents the response to list devices.

Container for the parameters to the ListGroups operation. Lists the groups associated with a user pool.

Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.

Learn more

• Signing Amazon Web Services API Requests

• Using the Amazon Cognito user pools API and user pool endpoints

This is the response object from the ListGroups operation.

Container for the parameters to the ListIdentityProviders operation. Lists information about all IdPs for a user pool.

Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.

Learn more

• Signing Amazon Web Services API Requests

• Using the Amazon Cognito user pools API and user pool endpoints

This is the response object from the ListIdentityProviders operation.

Container for the parameters to the ListResourceServers operation. Lists the resource servers for a user pool.

Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.

Learn more

• Signing Amazon Web Services API Requests

• Using the Amazon Cognito user pools API and user pool endpoints

This is the response object from the ListResourceServers operation.

Container for the parameters to the ListTagsForResource operation. Lists the tags that are assigned to an Amazon Cognito user pool.

A tag is a label that you can apply to user pools to categorize and manage them in different ways, such as by purpose, owner, environment, or other criteria.

You can use this action up to 10 times per second, per account.

This is the response object from the ListTagsForResource operation.

Container for the parameters to the ListUserImportJobs operation. Lists user import jobs for a user pool.

Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.

Learn more

• Signing Amazon Web Services API Requests

• Using the Amazon Cognito user pools API and user pool endpoints

Represents the response from the server to the request to list the user import jobs.

Container for the parameters to the ListUserPoolClients operation. Lists the clients that have been created for the specified user pool.

Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.

Learn more

• Signing Amazon Web Services API Requests

• Using the Amazon Cognito user pools API and user pool endpoints

Represents the response from the server that lists user pool clients.

Container for the parameters to the ListUserPools operation. Lists the user pools associated with an Amazon Web Services account.

Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.

Learn more

• Signing Amazon Web Services API Requests

• Using the Amazon Cognito user pools API and user pool endpoints

Represents the response to list user pools.

Container for the parameters to the ListUsersInGroup operation. Lists the users in the specified group.

Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.

Learn more

• Signing Amazon Web Services API Requests

• Using the Amazon Cognito user pools API and user pool endpoints

This is the response object from the ListUsersInGroup operation.

Container for the parameters to the ListUsers operation. Lists users and their basic details in a user pool.

Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.

Learn more

• Signing Amazon Web Services API Requests

• Using the Amazon Cognito user pools API and user pool endpoints

The response from the request to list users.

The logging parameters of a user pool.

The logging parameters of a user pool.

The message template structure.

This exception is thrown when Amazon Cognito can't find a multi-factor authentication (MFA) method.

This data type is no longer supported. Applies only to SMS multi-factor authentication (MFA) configurations. Does not apply to time-based one-time password (TOTP) software token MFA configurations.

The new device metadata type.

This exception is thrown when a user isn't authorized.

The notify configuration type.

The notify email type.

The minimum and maximum values of an attribute that is of the number data type.

The password policy type.

This exception is thrown when a password reset is required.

This exception is thrown when a precondition is not met.

The properties of a pre token generation Lambda trigger.

A container for IdP details.

A container for information about an IdP for a user pool.

A map containing a priority as a key, and recovery method name as a value.

Container for the parameters to the ResendConfirmationCode operation. Resends the confirmation (for confirmation of registration) to a specific user in the user pool.

Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you can't use IAM credentials to authorize requests, and you can't grant IAM permissions in policies. For more information about authorization models in Amazon Cognito, see Using the Amazon Cognito user pools API and user pool endpoints.

The response from the server when Amazon Cognito makes the request to resend a confirmation code.

This exception is thrown when the Amazon Cognito service can't find the requested resource.

A resource server scope.

A container for information about a resource server for a user pool.

Container for the parameters to the RespondToAuthChallenge operation. Some API operations in a user pool generate a challenge, like a prompt for an MFA code, for device authentication that bypasses MFA, or for a custom authentication challenge. A RespondToAuthChallenge API request provides the answer to that challenge, like a code or a secure remote password (SRP). The parameters of a response to an authentication challenge vary with the type of challenge.

For more information about custom authentication challenges, see Custom authentication challenge Lambda triggers.

The response to respond to the authentication challenge.

Container for the parameters to the RevokeToken operation. Revokes all of the access tokens generated by, and at the same time as, the specified refresh token. After a token is revoked, you can't use the revoked token to access Amazon Cognito user APIs, or to authorize access to your resource server.

Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you can't use IAM credentials to authorize requests, and you can't grant IAM permissions in policies. For more information about authorization models in Amazon Cognito, see Using the Amazon Cognito user pools API and user pool endpoints.

This is the response object from the RevokeToken operation.

The risk configuration type.

The type of the configuration to override the risk decision.

A list of the user attributes and their properties in your user pool. The attribute schema contains standard attributes, custom attributes with a custom: prefix, and developer attributes with a dev: prefix. For more information, see User pool attributes.

Developer-only attributes are a legacy feature of user pools, are read-only to all app clients. You can create and update developer-only attributes only with IAM-authenticated API operations. Use app client read/write permissions instead.

This exception is thrown when the specified scope doesn't exist.

Container for the parameters to the SetLogDeliveryConfiguration operation. Sets up or modifies the detailed activity logging configuration of a user pool.

This is the response object from the SetLogDeliveryConfiguration operation.

Container for the parameters to the SetRiskConfiguration operation. Configures actions on detected risks. To delete the risk configuration for UserPoolId or ClientId, pass null values for all four configuration types.

To activate Amazon Cognito advanced security features, update the user pool to include the UserPoolAddOns keyAdvancedSecurityMode.

This is the response object from the SetRiskConfiguration operation.

Container for the parameters to the SetUICustomization operation. Sets the user interface (UI) customization information for a user pool's built-in app UI.

You can specify app UI customization settings for a single client (with a specific clientId) or for all clients (by setting the clientId to ALL). If you specify ALL, the default configuration is used for every client that has no previously set UI customization. If you specify UI customization settings for a particular client, it will no longer return to the ALL configuration.

This is the response object from the SetUICustomization operation.

Container for the parameters to the SetUserMFAPreference operation. Set the user's multi-factor authentication (MFA) method preference, including which MFA factors are activated and if any are preferred. Only one factor can be set as preferred. The preferred MFA factor will be used to authenticate a user if multiple factors are activated. If multiple options are activated and no preference is set, a challenge to choose an MFA option will be returned during sign-in. If an MFA type is activated for a user, the user will be prompted for MFA during all sign-in attempts unless device tracking is turned on and the device has been trusted. If you want MFA to be applied selectively based on the assessed risk level of sign-in attempts, deactivate MFA for users and turn on Adaptive Authentication for the user pool.

Authorize this action with a signed-in user's access token. It must include the scope aws.cognito.signin.user.admin.

This is the response object from the SetUserMFAPreference operation.

Container for the parameters to the SetUserPoolMfaConfig operation. Sets the user pool multi-factor authentication (MFA) configuration.

This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers require you to register an origination phone number before you can send SMS messages to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a phone number with Amazon Pinpoint. Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must receive SMS messages might not be able to sign up, activate their accounts, or sign in.

If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Service, Amazon Simple Notification Service might place your account in the SMS sandbox. In sandbox mode, you can send messages only to verified phone numbers. After you test your app while in the sandbox environment, you can move out of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools in the Amazon Cognito Developer Guide.

This is the response object from the SetUserPoolMfaConfig operation.

Container for the parameters to the SetUserSettings operation. This action is no longer supported. You can use it to configure only SMS MFA. You can't use it to configure time-based one-time password (TOTP) software token MFA. To configure either type of MFA, use SetUserMFAPreference instead.

Authorize this action with a signed-in user's access token. It must include the scope aws.cognito.signin.user.admin.

The response from the server for a set user settings request.

Container for the parameters to the SignUp operation. Registers the user in the specified user pool and creates a user name, password, and user attributes.

Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you can't use IAM credentials to authorize requests, and you can't grant IAM permissions in policies. For more information about authorization models in Amazon Cognito, see Using the Amazon Cognito user pools API and user pool endpoints.

The response from the server for a registration request.

The SMS configuration type is the settings that your Amazon Cognito user pool must use to send an SMS message from your Amazon Web Services account through Amazon Simple Notification Service. To send SMS messages with Amazon SNS in the Amazon Web Services Region that you want, the Amazon Cognito user pool uses an Identity and Access Management (IAM) role in your Amazon Web Services account.

The SMS text message multi-factor authentication (MFA) configuration type.

The type used for enabling SMS multi-factor authentication (MFA) at the user level. Phone numbers don't need to be verified to be used for SMS MFA. If an MFA type is activated for a user, the user will be prompted for MFA during all sign-in attempts, unless device tracking is turned on and the device has been trusted. If you would like MFA to be applied selectively based on the assessed risk level of sign-in attempts, deactivate MFA for users and turn on Adaptive Authentication for the user pool.

The type used for enabling software token MFA at the user pool level.

This exception is thrown when the software token time-based one-time password (TOTP) multi-factor authentication (MFA) isn't activated for the user pool.

The type used for enabling software token MFA at the user level. If an MFA type is activated for a user, the user will be prompted for MFA during all sign-in attempts, unless device tracking is turned on and the device has been trusted. If you want MFA to be applied selectively based on the assessed risk level of sign-in attempts, deactivate MFA for users and turn on Adaptive Authentication for the user pool.

Container for the parameters to the StartUserImportJob operation. Starts the user import.

Represents the response from the server to the request to start the user import job.

Container for the parameters to the StopUserImportJob operation. Stops the user import job.

Represents the response from the server to the request to stop the user import job.

The constraints associated with a string attribute.

Container for the parameters to the TagResource operation. Assigns a set of tags to an Amazon Cognito user pool. A tag is a label that you can use to categorize and manage user pools in different ways, such as by purpose, owner, environment, or other criteria.

Each tag consists of a key and value, both of which you define. A key is a general category for more specific values. For example, if you have two versions of a user pool, one for testing and another for production, you might assign an Environment tag key to both user pools. The value of this key might be Test for one user pool, and Production for the other.

Tags are useful for cost tracking and access control. You can activate your tags so that they appear on the Billing and Cost Management console, where you can track the costs associated with your user pools. In an Identity and Access Management policy, you can constrain permissions for user pools based on specific tags or tag values.

You can use this action up to 5 times per second, per account. A user pool can have as many as 50 tags.

This is the response object from the TagResource operation.

The data type TokenValidityUnits specifies the time units you use when you set the duration of ID, access, and refresh tokens.

This exception is thrown when the user has made too many failed attempts for a given action, such as sign-in.

This exception is thrown when the user has made too many requests for a given operation.

A container for the UI customization information for a user pool's built-in app UI.

Exception that is thrown when the request isn't authorized. This can happen due to an invalid access token in the request.

This exception is thrown when Amazon Cognito encounters an unexpected exception with Lambda.

This exception is thrown when the specified identifier isn't supported.

Exception that is thrown when you attempt to perform an operation that isn't enabled for the user pool client.

Exception that is thrown when an unsupported token is passed to an operation.

The request failed because the user is in an unsupported state.

Container for the parameters to the UntagResource operation. Removes the specified tags from an Amazon Cognito user pool. You can use this action up to 5 times per second, per account.

This is the response object from the UntagResource operation.

Container for the parameters to the UpdateAuthEventFeedback operation. Provides the feedback for an authentication event, whether it was from a valid user or not. This feedback is used for improving the risk evaluation decision for the user pool as part of Amazon Cognito advanced security.

Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you can't use IAM credentials to authorize requests, and you can't grant IAM permissions in policies. For more information about authorization models in Amazon Cognito, see Using the Amazon Cognito user pools API and user pool endpoints.

This is the response object from the UpdateAuthEventFeedback operation.

Container for the parameters to the UpdateDeviceStatus operation. Updates the device status. For more information about device authentication, see Working with user devices in your user pool.

Authorize this action with a signed-in user's access token. It must include the scope aws.cognito.signin.user.admin.

The response to the request to update the device status.

Container for the parameters to the UpdateGroup operation. Updates the specified group with the specified attributes.

Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.

Learn more

• Signing Amazon Web Services API Requests

• Using the Amazon Cognito user pools API and user pool endpoints

This is the response object from the UpdateGroup operation.

Container for the parameters to the UpdateIdentityProvider operation. Updates IdP information for a user pool.

Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.

Learn more

• Signing Amazon Web Services API Requests

• Using the Amazon Cognito user pools API and user pool endpoints

This is the response object from the UpdateIdentityProvider operation.

Container for the parameters to the UpdateResourceServer operation. Updates the name and scopes of resource server. All other fields are read-only.

If you don't provide a value for an attribute, it is set to the default value.

This is the response object from the UpdateResourceServer operation.

Container for the parameters to the UpdateUserAttributes operation. With this operation, your users can update one or more of their attributes with their own credentials. You authorize this API request with the user's access token. To delete an attribute from your user, submit the attribute in your API request with a blank value. Custom attribute values in this request must include the custom: prefix.

Authorize this action with a signed-in user's access token. It must include the scope aws.cognito.signin.user.admin.

Represents the response from the server for the request to update user attributes.

Container for the parameters to the UpdateUserPoolClient operation. Updates the specified user pool app client with the specified attributes. You can get a list of the current user pool app client settings using DescribeUserPoolClient.

If you don't provide a value for an attribute, Amazon Cognito sets it to its default value.

You can also use this operation to enable token revocation for user pool clients. For more information about revoking tokens, see RevokeToken.

Represents the response from the server to the request to update the user pool client.

Container for the parameters to the UpdateUserPoolDomain operation. Updates the Secure Sockets Layer (SSL) certificate for the custom domain for your user pool.

You can use this operation to provide the Amazon Resource Name (ARN) of a new certificate to Amazon Cognito. You can't use it to change the domain for a user pool.

A custom domain is used to host the Amazon Cognito hosted UI, which provides sign-up and sign-in pages for your application. When you set up a custom domain, you provide a certificate that you manage with Certificate Manager (ACM). When necessary, you can use this operation to change the certificate that you applied to your custom domain.

Usually, this is unnecessary following routine certificate renewal with ACM. When you renew your existing certificate in ACM, the ARN for your certificate remains the same, and your custom domain uses the new certificate automatically.

However, if you replace your existing certificate with a new one, ACM gives the new certificate a new ARN. To apply the new certificate to your custom domain, you must provide this ARN to Amazon Cognito.

When you add your new certificate in ACM, you must choose US East (N. Virginia) as the Amazon Web Services Region.

After you submit your request, Amazon Cognito requires up to 1 hour to distribute your new certificate to your custom domain.

For more information about adding a custom domain to your user pool, see Using Your Own Domain for the Hosted UI.

The UpdateUserPoolDomain response output.

Container for the parameters to the UpdateUserPool operation.

This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers require you to register an origination phone number before you can send SMS messages to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a phone number with Amazon Pinpoint. Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must receive SMS messages might not be able to sign up, activate their accounts, or sign in.

If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Service, Amazon Simple Notification Service might place your account in the SMS sandbox. In sandbox mode, you can send messages only to verified phone numbers. After you test your app while in the sandbox environment, you can move out of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools in the Amazon Cognito Developer Guide.

Updates the specified user pool with the specified attributes. You can get a list of the current user pool settings using DescribeUserPool.

Represents the response from the server when you make a request to update the user pool.

The settings for updates to user attributes. These settings include the property AttributesRequireVerificationBeforeUpdate, a user-pool setting that tells Amazon Cognito how to handle changes to the value of your users' email address and phone number attributes. For more information, see Verifying updates to email addresses and phone numbers.

Contextual data, such as the user's device fingerprint, IP address, or location, used for evaluating the risk of an unexpected event by Amazon Cognito advanced security.

This exception is thrown when you're trying to modify a user pool while a user import job is in progress for that pool.

The user import job type.

This exception is thrown when the Amazon Cognito service encounters a user validation exception with the Lambda service.

The username configuration type.

This exception is thrown when Amazon Cognito encounters a user name that already exists in the user pool.

This exception is thrown when a user isn't confirmed successfully.

This exception is thrown when a user isn't found.

This exception is thrown when user pool add-ons aren't enabled.

User pool add-ons. Contains settings for activation of advanced security features. To log user security information but take no action, set to AUDIT. To configure automatic security responses to risky traffic to your user pool, set to ENFORCED.

For more information, see Adding advanced security to a user pool.

The description of the user pool client.

Contains information about a user pool client.

A user pool description.

The policy associated with a user pool.

This exception is thrown when a user pool tag can't be set or updated.

A container for information about the user pool.

A user profile in a Amazon Cognito user pool.

The template for verification messages.

Container for the parameters to the VerifySoftwareToken operation. Use this API to register a user's entered time-based one-time password (TOTP) code and mark the user's software token MFA status as "verified" if successful. The request takes an access token or a session string, but not both.

Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you can't use IAM credentials to authorize requests, and you can't grant IAM permissions in policies. For more information about authorization models in Amazon Cognito, see Using the Amazon Cognito user pools API and user pool endpoints.

This is the response object from the VerifySoftwareToken operation.

Container for the parameters to the VerifyUserAttribute operation. Verifies the specified user attributes in the user pool.

If your user pool requires verification before Amazon Cognito updates the attribute value, VerifyUserAttribute updates the affected attribute to its pending value. For more information, see UserAttributeUpdateSettingsType.

Authorize this action with a signed-in user's access token. It must include the scope aws.cognito.signin.user.admin.

A container representing the response from the server from the request to verify user attributes.

Paginator for the AdminListGroupsForUser operation

Paginator for the AdminListUserAuthEvents operation

Paginators for the CognitoIdentityProvider service

Paginator for the ListGroups operation

Paginator for the ListIdentityProviders operation

Paginator for the ListResourceServers operation

Paginator for the ListUserPoolClients operation

Paginator for the ListUserPools operation

Paginator for the ListUsersInGroup operation

Paginator for the ListUsers operation