Icon

AWS Cognito Identity Provider (User Pools) (version v1.*.*)

add_custom_attributes

Adds additional user attributes to the user pool schema.

Parameters

$body

Represents the request to add custom attributes.

Type: object

{
"UserPoolId" : "The user pool ID for the user pool where you want to add custom attributes.",
"CustomAttributes" : [ {
"DeveloperOnlyAttribute" : "Specifies whether the attribute type is developer only.",
"Mutable" : "Specifies whether the value of the attribute can be changed. \nFor any user pool attribute that's mapped to an identity provider attribute, you must set this parameter to true. Amazon Cognito updates mapped attributes when users sign in to your application through an identity provider. If an attribute is immutable, Amazon Cognito throws an error when it attempts to update the attribute. For more information, see Specifying Identity Provider Attribute Mappings for Your User Pool.",
"AttributeDataType" : "The attribute data type.",
"StringAttributeConstraints" : {
"MinLength" : "The minimum length.",
"MaxLength" : "The maximum length."
},
"Required" : "Specifies whether a user pool attribute is required. If the attribute is required and the user does not provide a value, registration or sign-in will fail.",
"NumberAttributeConstraints" : {
"MinValue" : "The minimum value of an attribute that is of the number data type.",
"MaxValue" : "The maximum value of an attribute that is of the number data type."
},
"Name" : "A schema attribute of the name type."
} ]
}

admin_add_user_to_group

Adds the specified user to the specified group.
Calling this action requires developer credentials.

Parameters

$body

Type: object

{
"GroupName" : "The group name.",
"UserPoolId" : "The user pool ID for the user pool.",
"Username" : "The username for the user."
}

admin_confirm_sign_up

Confirms user registration as an admin without using a confirmation code. Works on any user.
Calling this action requires developer credentials.

Parameters

$body

Represents the request to confirm user registration.

Type: object

{
"UserPoolId" : "The user pool ID for which you want to confirm user registration.",
"Username" : "The user name for which you want to confirm user registration.",
"ClientMetadata" : "A map of custom key-value pairs that you can provide as input for any custom workflows that this action triggers. \nIf your user pool configuration includes triggers, the AdminConfirmSignUp API action invokes the AWS Lambda function that is specified for the post confirmation trigger. When Amazon Cognito invokes this function, it passes a JSON payload, which the function receives as input. In this payload, the clientMetadata attribute provides the data that you assigned to the ClientMetadata parameter in your AdminConfirmSignUp request. In your function code in AWS Lambda, you can process the ClientMetadata value to enhance your workflow for your specific needs. \nFor more information, see Customizing User Pool Workflows with Lambda Triggers in the Amazon Cognito Developer Guide. \nTake the following limitations into consideration when you use the ClientMetadata parameter: \n Amazon Cognito does not store the ClientMetadata value. This data is available only to AWS Lambda triggers that are assigned to a user pool to support custom workflows. If your user pool configuration does not include triggers, the ClientMetadata parameter serves no purpose. \n Amazon Cognito does not validate the ClientMetadata value. \n Amazon Cognito does not encrypt the the ClientMetadata value, so don't use it to provide sensitive information. "
}

admin_create_user

Creates a new user in the specified user pool.
If MessageAction is not set, the default is to send a welcome message via email or phone (SMS).
This message is based on a template that you configured in your call to or . This template includes your custom sign-up instructions and placeholders for user name and temporary password.
Alternatively, you can call AdminCreateUser with “SUPPRESS” for the MessageAction parameter, and Amazon Cognito will not send any email.
In either case, the user will be in the FORCE_CHANGE_PASSWORD state until they sign in and change their password.
AdminCreateUser requires developer credentials.

Parameters

$body

Represents the request to create a user in the specified user pool.

Type: object

{
"ValidationData" : [ {
"Value" : "The value of the attribute.",
"Name" : "The name of the attribute."
} ],
"UserPoolId" : "The user pool ID for the user pool where the user will be created.",
"Username" : "The username for the user. Must be unique within the user pool. Must be a UTF-8 string between 1 and 128 characters. After the user is created, the username cannot be changed.",
"MessageAction" : "Set to \"RESEND\" to resend the invitation message to a user that already exists and reset the expiration limit on the user's account. Set to \"SUPPRESS\" to suppress sending the message. Only one value can be specified.",
"ClientMetadata" : "A map of custom key-value pairs that you can provide as input for any custom workflows that this action triggers. \nYou create custom workflows by assigning AWS Lambda functions to user pool triggers. When you use the AdminCreateUser API action, Amazon Cognito invokes the function that is assigned to the pre sign-up trigger. When Amazon Cognito invokes this function, it passes a JSON payload, which the function receives as input. This payload contains a clientMetadata attribute, which provides the data that you assigned to the ClientMetadata parameter in your AdminCreateUser request. In your function code in AWS Lambda, you can process the clientMetadata value to enhance your workflow for your specific needs. \nFor more information, see Customizing User Pool Workflows with Lambda Triggers in the Amazon Cognito Developer Guide. \nTake the following limitations into consideration when you use the ClientMetadata parameter: \n Amazon Cognito does not store the ClientMetadata value. This data is available only to AWS Lambda triggers that are assigned to a user pool to support custom workflows. If your user pool configuration does not include triggers, the ClientMetadata parameter serves no purpose. \n Amazon Cognito does not validate the ClientMetadata value. \n Amazon Cognito does not encrypt the the ClientMetadata value, so don't use it to provide sensitive information. ",
"TemporaryPassword" : "The user's temporary password. This password must conform to the password policy that you specified when you created the user pool. \nThe temporary password is valid only once. To complete the Admin Create User flow, the user must enter the temporary password in the sign-in page along with a new password to be used in all future sign-ins. \nThis parameter is not required. If you do not specify a value, Amazon Cognito generates one for you. \nThe temporary password can only be used until the user account expiration limit that you specified when you created the user pool. To reset the account after that time limit, you must call AdminCreateUser again, specifying \"RESEND\" for the MessageAction parameter.",
"DesiredDeliveryMediums" : [ "string. Possible values: SMS | EMAIL" ],
"UserAttributes" : [ {
"Value" : "The value of the attribute.",
"Name" : "The name of the attribute."
} ],
"ForceAliasCreation" : "This parameter is only used if the phone_number_verified or email_verified attribute is set to True. Otherwise, it is ignored. \nIf this parameter is set to True and the phone number or email address specified in the UserAttributes parameter already exists as an alias with a different user, the API call will migrate the alias from the previous user to the newly created user. The previous user will no longer be able to log in using that alias. \nIf this parameter is set to False, the API throws an AliasExistsException error if the alias already exists. The default value is False."
}

admin_delete_user

Deletes a user as an administrator. Works on any user.
Calling this action requires developer credentials.

Parameters

$body

Represents the request to delete a user as an administrator.

Type: object

{
"UserPoolId" : "The user pool ID for the user pool where you want to delete the user.",
"Username" : "The user name of the user you wish to delete."
}

admin_delete_user_attributes

Deletes the user attributes in a user pool as an administrator. Works on any user.
Calling this action requires developer credentials.

Parameters

$body

Represents the request to delete user attributes as an administrator.

Type: object

{
"UserAttributeNames" : [ "string" ],
"UserPoolId" : "The user pool ID for the user pool where you want to delete user attributes.",
"Username" : "The user name of the user from which you would like to delete attributes."
}

admin_disable_provider_for_user

Disables the user from signing in with the specified external (SAML or social) identity provider. If the user to disable is a Cognito User Pools native username + password user, they are not permitted to use their password to sign-in. If the user to disable is a linked external IdP user, any link between that user and an existing user is removed. The next time the external user (no longer attached to the previously linked DestinationUser) signs in, they must create a new user account. See .
This action is enabled only for admin access and requires developer credentials.
The ProviderName must match the value specified when creating an IdP for the pool.
To disable a native username + password user, the ProviderName value must be Cognito and the ProviderAttributeName must be Cognito_Subject, with the ProviderAttributeValue being the name that is used in the user pool for the user.
The ProviderAttributeName must always be Cognito_Subject for social identity providers. The ProviderAttributeValue must always be the exact subject that was used when the user was originally linked as a source user.
For de-linking a SAML identity, there are two scenarios. If the linked identity has not yet been used to sign-in, the ProviderAttributeName and ProviderAttributeValue must be the same values that were used for the SourceUser when the identities were originally linked in the call. (If the linking was done with ProviderAttributeName set to Cognito_Subject, the same applies here). However, if the user has already signed in, the ProviderAttributeName must be Cognito_Subject and ProviderAttributeValue must be the subject of the SAML assertion.

Parameters

$body

Type: object

{
"UserPoolId" : "The user pool ID for the user pool.",
"User" : {
"ProviderName" : "The name of the provider, for example, Facebook, Google, or Login with Amazon.",
"ProviderAttributeName" : "The name of the provider attribute to link to, for example, NameID.",
"ProviderAttributeValue" : "The value of the provider attribute to link to, for example, xxxxx_account."
}
}

admin_disable_user

Disables the specified user.
Calling this action requires developer credentials.

Parameters

$body

Represents the request to disable any user as an administrator.

Type: object

{
"UserPoolId" : "The user pool ID for the user pool where you want to disable the user.",
"Username" : "The user name of the user you wish to disable."
}

admin_enable_user

Enables the specified user as an administrator. Works on any user.
Calling this action requires developer credentials.

Parameters

$body

Represents the request that enables the user as an administrator.

Type: object

{
"UserPoolId" : "The user pool ID for the user pool where you want to enable the user.",
"Username" : "The user name of the user you wish to enable."
}

admin_forget_device

Forgets the device, as an administrator.
Calling this action requires developer credentials.

Parameters

$body

Sends the forgot device request, as an administrator.

Type: object

{
"UserPoolId" : "The user pool ID.",
"Username" : "The user name.",
"DeviceKey" : "The device key."
}

admin_get_device

Gets the device, as an administrator.
Calling this action requires developer credentials.

Parameters

$body

Represents the request to get the device, as an administrator.

Type: object

{
"UserPoolId" : "The user pool ID.",
"Username" : "The user name.",
"DeviceKey" : "The device key."
}

admin_get_user

Gets the specified user by user name in a user pool as an administrator. Works on any user.
Calling this action requires developer credentials.

Parameters

$body

Represents the request to get the specified user as an administrator.

Type: object

{
"UserPoolId" : "The user pool ID for the user pool where you want to get information about the user.",
"Username" : "The user name of the user you wish to retrieve."
}

admin_initiate_auth

Initiates the authentication flow, as an administrator.
Calling this action requires developer credentials.

Parameters

$body

Initiates the authorization request, as an administrator.

Type: object

{
"AuthParameters" : "The authentication parameters. These are inputs corresponding to the AuthFlow that you are invoking. The required values depend on the value of AuthFlow: \n For USER_SRP_AUTH: USERNAME (required), SRP_A (required), SECRET_HASH (required if the app client is configured with a client secret), DEVICE_KEY \n For REFRESH_TOKEN_AUTH/REFRESH_TOKEN: REFRESH_TOKEN (required), SECRET_HASH (required if the app client is configured with a client secret), DEVICE_KEY \n For ADMIN_NO_SRP_AUTH: USERNAME (required), SECRET_HASH (if app client is configured with client secret), PASSWORD (required), DEVICE_KEY \n For CUSTOM_AUTH: USERNAME (required), SECRET_HASH (if app client is configured with client secret), DEVICE_KEY ",
"UserPoolId" : "The ID of the Amazon Cognito user pool.",
"AuthFlow" : "The authentication flow for this call to execute. The API action will depend on this value. For example: \n REFRESH_TOKEN_AUTH will take in a valid refresh token and return new tokens. \n USER_SRP_AUTH will take in USERNAME and SRP_A and return the SRP variables to be used for next challenge execution. \n USER_PASSWORD_AUTH will take in USERNAME and PASSWORD and return the next challenge or tokens. \nValid values include: \n USER_SRP_AUTH: Authentication flow for the Secure Remote Password (SRP) protocol. \n REFRESH_TOKEN_AUTH/REFRESH_TOKEN: Authentication flow for refreshing the access token and ID token by supplying a valid refresh token. \n CUSTOM_AUTH: Custom authentication flow. \n ADMIN_NO_SRP_AUTH: Non-SRP authentication flow; you can pass in the USERNAME and PASSWORD directly if the flow is enabled for calling the app client. \n USER_PASSWORD_AUTH: Non-SRP authentication flow; USERNAME and PASSWORD are passed directly. If a user migration Lambda trigger is set, this flow will invoke the user migration Lambda if the USERNAME is not found in the user pool. ",
"ClientMetadata" : "A map of custom key-value pairs that you can provide as input for certain custom workflows that this action triggers. \nYou create custom workflows by assigning AWS Lambda functions to user pool triggers. When you use the AdminInitiateAuth API action, Amazon Cognito invokes the AWS Lambda functions that are specified for various triggers. The ClientMetadata value is passed as input to the functions for only the following triggers: \n Pre signup \n Pre authentication \n User migration \nWhen Amazon Cognito invokes the functions for these triggers, it passes a JSON payload, which the function receives as input. This payload contains a validationData attribute, which provides the data that you assigned to the ClientMetadata parameter in your AdminInitiateAuth request. In your function code in AWS Lambda, you can process the validationData value to enhance your workflow for your specific needs. \nWhen you use the AdminInitiateAuth API action, Amazon Cognito also invokes the functions for the following triggers, but it does not provide the ClientMetadata value as input: \n Post authentication \n Custom message \n Pre token generation \n Create auth challenge \n Define auth challenge \n Verify auth challenge \nFor more information, see Customizing User Pool Workflows with Lambda Triggers in the Amazon Cognito Developer Guide. \nTake the following limitations into consideration when you use the ClientMetadata parameter: \n Amazon Cognito does not store the ClientMetadata value. This data is available only to AWS Lambda triggers that are assigned to a user pool to support custom workflows. If your user pool configuration does not include triggers, the ClientMetadata parameter serves no purpose. \n Amazon Cognito does not validate the ClientMetadata value. \n Amazon Cognito does not encrypt the the ClientMetadata value, so don't use it to provide sensitive information. ",
"ClientId" : "The app client ID.",
"ContextData" : {
"HttpHeaders" : [ {
"headerName" : "The header name",
"headerValue" : "The header value."
} ],
"ServerPath" : "Your server path where this API is invoked. ",
"ServerName" : "Your server endpoint where this API is invoked.",
"IpAddress" : "Source IP address of your user.",
"EncodedData" : "Encoded data containing device fingerprinting details, collected using the Amazon Cognito context data collection library."
},
"AnalyticsMetadata" : {
"AnalyticsEndpointId" : "The endpoint ID."
}
}

Links an existing user account in a user pool (DestinationUser) to an identity from an external identity provider (SourceUser) based on a specified attribute name and value from the external identity provider. This allows you to create a link from the existing user account to an external federated user identity that has not yet been used to sign in, so that the federated user identity can be used to sign in as the existing user account.
For example, if there is an existing user with a username and password, this API links that user to a federated user identity, so that when the federated user identity is used, the user signs in as the existing user account.
Because this API allows a user with an external federated identity to sign in as an existing user in the user pool, it is critical that it only be used with external identity providers and provider attributes that have been trusted by the application owner.
See also .
This action is enabled only for admin access and requires developer credentials.

Parameters

$body

Type: object

{
"UserPoolId" : "The user pool ID for the user pool.",
"SourceUser" : {
"ProviderName" : "The name of the provider, for example, Facebook, Google, or Login with Amazon.",
"ProviderAttributeName" : "The name of the provider attribute to link to, for example, NameID.",
"ProviderAttributeValue" : "The value of the provider attribute to link to, for example, xxxxx_account."
},
"DestinationUser" : {
"ProviderName" : "The name of the provider, for example, Facebook, Google, or Login with Amazon.",
"ProviderAttributeName" : "The name of the provider attribute to link to, for example, NameID.",
"ProviderAttributeValue" : "The value of the provider attribute to link to, for example, xxxxx_account."
}
}

admin_list_devices

Lists devices, as an administrator.
Calling this action requires developer credentials.

Parameters

$body

Represents the request to list devices, as an administrator.

Type: object

{
"UserPoolId" : "The user pool ID.",
"Username" : "The user name.",
"Limit" : "The limit of the devices request.",
"PaginationToken" : "The pagination token."
}

admin_list_groups_for_user

Lists the groups that the user belongs to.
Calling this action requires developer credentials.

Parameters

$body

Type: object

{
"UserPoolId" : "The user pool ID for the user pool.",
"Username" : "The username for the user."
}

admin_list_user_auth_events

Lists a history of user activity and any risks detected as part of Amazon Cognito advanced security.

Parameters

$body

Type: object

{
"UserPoolId" : "The user pool ID.",
"Username" : "The user pool username or an alias."
}

admin_remove_user_from_group

Removes the specified user from the specified group.
Calling this action requires developer credentials.

Parameters

$body

Type: object

{
"GroupName" : "The group name.",
"UserPoolId" : "The user pool ID for the user pool.",
"Username" : "The username for the user."
}

admin_reset_user_password

Resets the specified user's password in a user pool as an administrator. Works on any user.
When a developer calls this API, the current password is invalidated, so it must be changed. If a user tries to sign in after the API is called, the app will get a PasswordResetRequiredException exception back and should direct the user down the flow to reset the password, which is the same as the forgot password flow. In addition, if the user pool has phone verification selected and a verified phone number exists for the user, or if email verification is selected and a verified email exists for the user, calling this API will also result in sending a message to the end user with the code to change their password.
Calling this action requires developer credentials.

Parameters

$body

Represents the request to reset a user's password as an administrator.

Type: object

{
"UserPoolId" : "The user pool ID for the user pool where you want to reset the user's password.",
"Username" : "The user name of the user whose password you wish to reset.",
"ClientMetadata" : "A map of custom key-value pairs that you can provide as input for any custom workflows that this action triggers. \nYou create custom workflows by assigning AWS Lambda functions to user pool triggers. When you use the AdminResetUserPassword API action, Amazon Cognito invokes the function that is assigned to the custom message trigger. When Amazon Cognito invokes this function, it passes a JSON payload, which the function receives as input. This payload contains a clientMetadata attribute, which provides the data that you assigned to the ClientMetadata parameter in your AdminResetUserPassword request. In your function code in AWS Lambda, you can process the clientMetadata value to enhance your workflow for your specific needs. \nFor more information, see Customizing User Pool Workflows with Lambda Triggers in the Amazon Cognito Developer Guide. \nTake the following limitations into consideration when you use the ClientMetadata parameter: \n Amazon Cognito does not store the ClientMetadata value. This data is available only to AWS Lambda triggers that are assigned to a user pool to support custom workflows. If your user pool configuration does not include triggers, the ClientMetadata parameter serves no purpose. \n Amazon Cognito does not validate the ClientMetadata value. \n Amazon Cognito does not encrypt the the ClientMetadata value, so don't use it to provide sensitive information. "
}

admin_respond_to_auth_challenge

Responds to an authentication challenge, as an administrator.
Calling this action requires developer credentials.

Parameters

$body

The request to respond to the authentication challenge, as an administrator.

Type: object

{
"UserPoolId" : "The ID of the Amazon Cognito user pool.",
"ChallengeResponses" : "The challenge responses. These are inputs corresponding to the value of ChallengeName, for example: \n SMS_MFA: SMS_MFA_CODE, USERNAME, SECRET_HASH (if app client is configured with client secret). \n PASSWORD_VERIFIER: PASSWORD_CLAIM_SIGNATURE, PASSWORD_CLAIM_SECRET_BLOCK, TIMESTAMP, USERNAME, SECRET_HASH (if app client is configured with client secret). \n ADMIN_NO_SRP_AUTH: PASSWORD, USERNAME, SECRET_HASH (if app client is configured with client secret). \n NEW_PASSWORD_REQUIRED: NEW_PASSWORD, any other required attributes, USERNAME, SECRET_HASH (if app client is configured with client secret). \nThe value of the USERNAME attribute must be the user's actual username, not an alias (such as email address or phone number). To make this easier, the AdminInitiateAuth response includes the actual username value in the USERNAMEUSER_ID_FOR_SRP attribute, even if you specified an alias in your call to AdminInitiateAuth.",
"ClientMetadata" : "A map of custom key-value pairs that you can provide as input for any custom workflows that this action triggers. \nYou create custom workflows by assigning AWS Lambda functions to user pool triggers. When you use the AdminRespondToAuthChallenge API action, Amazon Cognito invokes any functions that are assigned to the following triggers: pre sign-up, custom message, post authentication, user migration, pre token generation, define auth challenge, create auth challenge, and verify auth challenge response. When Amazon Cognito invokes any of these functions, it passes a JSON payload, which the function receives as input. This payload contains a clientMetadata attribute, which provides the data that you assigned to the ClientMetadata parameter in your AdminRespondToAuthChallenge request. In your function code in AWS Lambda, you can process the clientMetadata value to enhance your workflow for your specific needs. \nFor more information, see Customizing User Pool Workflows with Lambda Triggers in the Amazon Cognito Developer Guide. \nTake the following limitations into consideration when you use the ClientMetadata parameter: \n Amazon Cognito does not store the ClientMetadata value. This data is available only to AWS Lambda triggers that are assigned to a user pool to support custom workflows. If your user pool configuration does not include triggers, the ClientMetadata parameter serves no purpose. \n Amazon Cognito does not validate the ClientMetadata value. \n Amazon Cognito does not encrypt the the ClientMetadata value, so don't use it to provide sensitive information. ",
"ClientId" : "The app client ID.",
"ContextData" : {
"HttpHeaders" : [ {
"headerName" : "The header name",
"headerValue" : "The header value."
} ],
"ServerPath" : "Your server path where this API is invoked. ",
"ServerName" : "Your server endpoint where this API is invoked.",
"IpAddress" : "Source IP address of your user.",
"EncodedData" : "Encoded data containing device fingerprinting details, collected using the Amazon Cognito context data collection library."
},
"AnalyticsMetadata" : {
"AnalyticsEndpointId" : "The endpoint ID."
},
"ChallengeName" : "The challenge name. For more information, see .",
"Session" : "The session which should be passed both ways in challenge-response calls to the service. If InitiateAuth or RespondToAuthChallenge API call determines that the caller needs to go through another challenge, they return a session with other challenge parameters. This session should be passed as it is to the next RespondToAuthChallenge API call."
}

admin_set_user_mfa_preference

Sets the user's multi-factor authentication (MFA) preference, including which MFA options are enabled and if any are preferred. Only one factor can be set as preferred. The preferred MFA factor will be used to authenticate a user if multiple factors are enabled. If multiple options are enabled and no preference is set, a challenge to choose an MFA option will be returned during sign in.

Parameters

$body

Type: object

{
"SMSMfaSettings" : {
"Enabled" : "Specifies whether SMS text message MFA is enabled.",
"PreferredMfa" : "Specifies whether SMS is the preferred MFA method."
},
"UserPoolId" : "The user pool ID.",
"Username" : "The user pool username or alias.",
"SoftwareTokenMfaSettings" : {
"Enabled" : "Specifies whether software token MFA is enabled.",
"PreferredMfa" : "Specifies whether software token MFA is the preferred MFA method."
}
}

admin_set_user_password

Sets the specified user's password in a user pool as an administrator. Works on any user.
The password can be temporary or permanent. If it is temporary, the user status will be placed into the FORCE_CHANGE_PASSWORD state. When the user next tries to sign in, the InitiateAuth/AdminInitiateAuth response will contain the NEW_PASSWORD_REQUIRED challenge. If the user does not sign in before it expires, the user will not be able to sign in and their password will need to be reset by an administrator.
Once the user has set a new password, or the password is permanent, the user status will be set to Confirmed.

Parameters

$body

Type: object

{
"UserPoolId" : "The user pool ID for the user pool where you want to set the user's password.",
"Permanent" : " True if the password is permanent, False if it is temporary.",
"Username" : "The user name of the user whose password you wish to set.",
"Password" : "The password for the user."
}

admin_set_user_settings

This action is no longer supported. You can use it to configure only SMS MFA. You can't use it to configure TOTP software token MFA. To configure either type of MFA, use the AdminSetUserMFAPreference action instead.

Parameters

$body

You can use this parameter to set an MFA configuration that uses the SMS delivery medium.

Type: object

{
"UserPoolId" : "The ID of the user pool that contains the user that you are setting options for.",
"Username" : "The user name of the user that you are setting options for.",
"MFAOptions" : [ {
"DeliveryMedium" : "The delivery medium to send the MFA code. You can use this parameter to set only the SMS delivery medium value.",
"AttributeName" : "The attribute name of the MFA option type. The only valid value is phone_number."
} ]
}

admin_update_auth_event_feedback

Provides feedback for an authentication event as to whether it was from a valid user. This feedback is used for improving the risk evaluation decision for the user pool as part of Amazon Cognito advanced security.

Parameters

$body

Type: object

{
"UserPoolId" : "The user pool ID.",
"Username" : "The user pool username.",
"EventId" : "The authentication event ID.",
"FeedbackValue" : "The authentication event feedback value."
}

admin_update_device_status

Updates the device status as an administrator.
Calling this action requires developer credentials.

Parameters

$body

The request to update the device status, as an administrator.

Type: object

{
"UserPoolId" : "The user pool ID.",
"Username" : "The user name.",
"DeviceRememberedStatus" : "The status indicating whether a device has been remembered or not.",
"DeviceKey" : "The device key."
}

admin_update_user_attributes

Updates the specified user's attributes, including developer attributes, as an administrator. Works on any user.
For custom attributes, you must prepend the custom: prefix to the attribute name.
In addition to updating user attributes, this API can also be used to mark phone and email as verified.
Calling this action requires developer credentials.

Parameters

$body

Represents the request to update the user's attributes as an administrator.

Type: object

{
"UserPoolId" : "The user pool ID for the user pool where you want to update user attributes.",
"Username" : "The user name of the user for whom you want to update user attributes.",
"ClientMetadata" : "A map of custom key-value pairs that you can provide as input for any custom workflows that this action triggers. \nYou create custom workflows by assigning AWS Lambda functions to user pool triggers. When you use the AdminUpdateUserAttributes API action, Amazon Cognito invokes the function that is assigned to the custom message trigger. When Amazon Cognito invokes this function, it passes a JSON payload, which the function receives as input. This payload contains a clientMetadata attribute, which provides the data that you assigned to the ClientMetadata parameter in your AdminUpdateUserAttributes request. In your function code in AWS Lambda, you can process the clientMetadata value to enhance your workflow for your specific needs. \nFor more information, see Customizing User Pool Workflows with Lambda Triggers in the Amazon Cognito Developer Guide. \nTake the following limitations into consideration when you use the ClientMetadata parameter: \n Amazon Cognito does not store the ClientMetadata value. This data is available only to AWS Lambda triggers that are assigned to a user pool to support custom workflows. If your user pool configuration does not include triggers, the ClientMetadata parameter serves no purpose. \n Amazon Cognito does not validate the ClientMetadata value. \n Amazon Cognito does not encrypt the the ClientMetadata value, so don't use it to provide sensitive information. ",
"UserAttributes" : [ {
"Value" : "The value of the attribute.",
"Name" : "The name of the attribute."
} ]
}

admin_user_global_sign_out

Signs out users from all devices, as an administrator.
Calling this action requires developer credentials.

Parameters

$body

The request to sign out of all devices, as an administrator.

Type: object

{
"UserPoolId" : "The user pool ID.",
"Username" : "The user name."
}

associate_software_token

Returns a unique generated shared secret key code for the user account. The request takes an access token or a session string, but not both.

Parameters

$body

Type: object

{
"AccessToken" : "The access token.",
"Session" : "The session which should be passed both ways in challenge-response calls to the service. This allows authentication of the user as part of the MFA setup process."
}

change_password

Changes the password for a specified user in a user pool.

Parameters

$body

Represents the request to change a user password.

Type: object

{
"ProposedPassword" : "The new password.",
"AccessToken" : "The access token.",
"PreviousPassword" : "The old password."
}

confirm_device

Confirms tracking of the device. This API call is the call that begins device tracking.

Parameters

$body

Confirms the device request.

Type: object

{
"AccessToken" : "The access token.",
"DeviceKey" : "The device key.",
"DeviceSecretVerifierConfig" : {
"Salt" : "The salt.",
"PasswordVerifier" : "The password verifier."
},
"DeviceName" : "The device name."
}

confirm_forgot_password

Allows a user to enter a confirmation code to reset a forgotten password.

Parameters

$body

The request representing the confirmation for a password reset.

Type: object

{
"Username" : "The user name of the user for whom you want to enter a code to retrieve a forgotten password.",
"ConfirmationCode" : "The confirmation code sent by a user's request to retrieve a forgotten password. For more information, see ",
"SecretHash" : "A keyed-hash message authentication code (HMAC) calculated using the secret key of a user pool client and username plus the client ID in the message.",
"UserContextData" : {
"EncodedData" : "Contextual data such as the user's device fingerprint, IP address, or location used for evaluating the risk of an unexpected event by Amazon Cognito advanced security."
},
"ClientMetadata" : "A map of custom key-value pairs that you can provide as input for any custom workflows that this action triggers. \nYou create custom workflows by assigning AWS Lambda functions to user pool triggers. When you use the ConfirmForgotPassword API action, Amazon Cognito invokes the functions that are assigned to the post confirmation and pre mutation triggers. When Amazon Cognito invokes either of these functions, it passes a JSON payload, which the function receives as input. This payload contains a clientMetadata attribute, which provides the data that you assigned to the ClientMetadata parameter in your ConfirmForgotPassword request. In your function code in AWS Lambda, you can process the clientMetadata value to enhance your workflow for your specific needs. \nFor more information, see Customizing User Pool Workflows with Lambda Triggers in the Amazon Cognito Developer Guide. \nTake the following limitations into consideration when you use the ClientMetadata parameter: \n Amazon Cognito does not store the ClientMetadata value. This data is available only to AWS Lambda triggers that are assigned to a user pool to support custom workflows. If your user pool configuration does not include triggers, the ClientMetadata parameter serves no purpose. \n Amazon Cognito does not validate the ClientMetadata value. \n Amazon Cognito does not encrypt the the ClientMetadata value, so don't use it to provide sensitive information. ",
"ClientId" : "The app client ID of the app associated with the user pool.",
"AnalyticsMetadata" : {
"AnalyticsEndpointId" : "The endpoint ID."
},
"Password" : "The password sent by a user's request to retrieve a forgotten password."
}

confirm_sign_up

Confirms registration of a user and handles the existing alias from a previous user.

Parameters

$body

Represents the request to confirm registration of a user.

Type: object

{
"Username" : "The user name of the user whose registration you wish to confirm.",
"ConfirmationCode" : "The confirmation code sent by a user's request to confirm registration.",
"SecretHash" : "A keyed-hash message authentication code (HMAC) calculated using the secret key of a user pool client and username plus the client ID in the message.",
"UserContextData" : {
"EncodedData" : "Contextual data such as the user's device fingerprint, IP address, or location used for evaluating the risk of an unexpected event by Amazon Cognito advanced security."
},
"ClientMetadata" : "A map of custom key-value pairs that you can provide as input for any custom workflows that this action triggers. \nYou create custom workflows by assigning AWS Lambda functions to user pool triggers. When you use the ConfirmSignUp API action, Amazon Cognito invokes the function that is assigned to the post confirmation trigger. When Amazon Cognito invokes this function, it passes a JSON payload, which the function receives as input. This payload contains a clientMetadata attribute, which provides the data that you assigned to the ClientMetadata parameter in your ConfirmSignUp request. In your function code in AWS Lambda, you can process the clientMetadata value to enhance your workflow for your specific needs. \nFor more information, see Customizing User Pool Workflows with Lambda Triggers in the Amazon Cognito Developer Guide. \nTake the following limitations into consideration when you use the ClientMetadata parameter: \n Amazon Cognito does not store the ClientMetadata value. This data is available only to AWS Lambda triggers that are assigned to a user pool to support custom workflows. If your user pool configuration does not include triggers, the ClientMetadata parameter serves no purpose. \n Amazon Cognito does not validate the ClientMetadata value. \n Amazon Cognito does not encrypt the the ClientMetadata value, so don't use it to provide sensitive information. ",
"ClientId" : "The ID of the app client associated with the user pool.",
"AnalyticsMetadata" : {
"AnalyticsEndpointId" : "The endpoint ID."
},
"ForceAliasCreation" : "Boolean to be specified to force user confirmation irrespective of existing alias. By default set to False. If this parameter is set to True and the phone number/email used for sign up confirmation already exists as an alias with a different user, the API call will migrate the alias from the previous user to the newly created user being confirmed. If set to False, the API will throw an AliasExistsException error."
}

create_group

Creates a new group in the specified user pool.
Calling this action requires developer credentials.

Parameters

$body

Type: object

{
"GroupName" : "The name of the group. Must be unique.",
"UserPoolId" : "The user pool ID for the user pool.",
"Description" : "A string containing the description of the group.",
"Precedence" : "A nonnegative integer value that specifies the precedence of this group relative to the other groups that a user can belong to in the user pool. Zero is the highest precedence value. Groups with lower Precedence values take precedence over groups with higher or null Precedence values. If a user belongs to two or more groups, it is the group with the lowest precedence value whose role ARN will be used in the cognito:roles and cognito:preferred_role claims in the user's tokens. \nTwo groups can have the same Precedence value. If this happens, neither group takes precedence over the other. If two groups with the same Precedence have the same role ARN, that role is used in the cognito:preferred_role claim in tokens for users in each group. If the two groups have different role ARNs, the cognito:preferred_role claim is not set in users' tokens. \nThe default Precedence value is null.",
"RoleArn" : "The role ARN for the group."
}

create_identity_provider

Creates an identity provider for a user pool.

Parameters

$body

Type: object

{
"ProviderName" : "The identity provider name.",
"UserPoolId" : "The user pool ID.",
"AttributeMapping" : "A mapping of identity provider attributes to standard and custom user pool attributes.",
"ProviderDetails" : "The identity provider details, such as MetadataURL and MetadataFile.",
"ProviderType" : "The identity provider type.",
"IdpIdentifiers" : [ "string" ]
}

create_resource_server

Creates a new OAuth2.0 resource server and defines custom scopes in it.

Parameters

$body

Type: object

{
"UserPoolId" : "The user pool ID for the user pool.",
"Identifier" : "A unique resource server identifier for the resource server. This could be an HTTPS endpoint where the resource server is located. For example, https://my-weather-api.example.com.",
"Scopes" : [ {
"ScopeName" : "The name of the scope.",
"ScopeDescription" : "A description of the scope."
} ],
"Name" : "A friendly name for the resource server."
}

create_user_import_job

Creates the user import job.

Parameters

$body

Represents the request to create the user import job.

Type: object

{
"UserPoolId" : "The user pool ID for the user pool that the users are being imported into.",
"CloudWatchLogsRoleArn" : "The role ARN for the Amazon CloudWatch Logging role for the user import job.",
"JobName" : "The job name for the user import job."
}

create_user_pool

Creates a new Amazon Cognito user pool and sets the password policy for the pool.

Parameters

$body

Represents the request to create a user pool.

Type: object

{
"UserPoolTags" : "The tag keys and values to assign to the user pool. A tag is a label that you can use to categorize and manage user pools in different ways, such as by purpose, owner, environment, or other criteria.",
"Policies" : {
"PasswordPolicy" : {
"RequireNumbers" : "In the password policy that you have set, refers to whether you have required users to use at least one number in their password.",
"MinimumLength" : "The minimum length of the password policy that you have set. Cannot be less than 6.",
"TemporaryPasswordValidityDays" : "In the password policy you have set, refers to the number of days a temporary password is valid. If the user does not sign-in during this time, their password will need to be reset by an administrator. \nWhen you set TemporaryPasswordValidityDays for a user pool, you will no longer be able to set the deprecated UnusedAccountValidityDays value for that user pool.",
"RequireUppercase" : "In the password policy that you have set, refers to whether you have required users to use at least one uppercase letter in their password.",
"RequireLowercase" : "In the password policy that you have set, refers to whether you have required users to use at least one lowercase letter in their password.",
"RequireSymbols" : "In the password policy that you have set, refers to whether you have required users to use at least one symbol in their password."
}
},
"VerificationMessageTemplate" : {
"EmailMessageByLink" : "The email message template for sending a confirmation link to the user.",
"EmailMessage" : "The email message template.",
"SmsMessage" : "The SMS message template.",
"EmailSubject" : "The subject line for the email message template.",
"DefaultEmailOption" : "The default email option.",
"EmailSubjectByLink" : "The subject line for the email message template for sending a confirmation link to the user."
},
"MfaConfiguration" : "Specifies MFA configuration details.",
"Schema" : [ {
"DeveloperOnlyAttribute" : "Specifies whether the attribute type is developer only.",
"Mutable" : "Specifies whether the value of the attribute can be changed. \nFor any user pool attribute that's mapped to an identity provider attribute, you must set this parameter to true. Amazon Cognito updates mapped attributes when users sign in to your application through an identity provider. If an attribute is immutable, Amazon Cognito throws an error when it attempts to update the attribute. For more information, see Specifying Identity Provider Attribute Mappings for Your User Pool.",
"AttributeDataType" : "The attribute data type.",
"StringAttributeConstraints" : {
"MinLength" : "The minimum length.",
"MaxLength" : "The maximum length."
},
"Required" : "Specifies whether a user pool attribute is required. If the attribute is required and the user does not provide a value, registration or sign-in will fail.",
"NumberAttributeConstraints" : {
"MinValue" : "The minimum value of an attribute that is of the number data type.",
"MaxValue" : "The maximum value of an attribute that is of the number data type."
},
"Name" : "A schema attribute of the name type."
} ],
"AdminCreateUserConfig" : {
"UnusedAccountValidityDays" : "The user account expiration limit, in days, after which the account is no longer usable. To reset the account after that time limit, you must call AdminCreateUser again, specifying \"RESEND\" for the MessageAction parameter. The default value for this parameter is 7. \nIf you set a value for TemporaryPasswordValidityDays in PasswordPolicy, that value will be used and UnusedAccountValidityDays will be deprecated for that user pool. ",
"InviteMessageTemplate" : {
"EmailMessage" : "The message template for email messages.",
"SMSMessage" : "The message template for SMS messages.",
"EmailSubject" : "The subject line for email messages."
},
"AllowAdminCreateUserOnly" : "Set to True if only the administrator is allowed to create user profiles. Set to False if users can sign themselves up via an app."
},
"SmsAuthenticationMessage" : "A string representing the SMS authentication message.",
"SmsVerificationMessage" : "A string representing the SMS verification message.",
"UserPoolAddOns" : {
"AdvancedSecurityMode" : "The advanced security mode."
},
"PoolName" : "A string used to name the user pool.",
"EmailConfiguration" : {
"ReplyToEmailAddress" : "The destination to which the receiver of the email should reply to.",
"EmailSendingAccount" : "Specifies whether Amazon Cognito emails your users by using its built-in email functionality or your Amazon SES email configuration. Specify one of the following values: COGNITO_DEFAULT \nWhen Amazon Cognito emails your users, it uses its built-in email functionality. When you use the default option, Amazon Cognito allows only a limited number of emails each day for your user pool. For typical production environments, the default email limit is below the required delivery volume. To achieve a higher delivery volume, specify DEVELOPER to use your Amazon SES email configuration. \nTo look up the email delivery limit for the default option, see Limits in Amazon Cognito in the Amazon Cognito Developer Guide. \nThe default FROM address is no-reply@verificationemail.com. To customize the FROM address, provide the ARN of an Amazon SES verified email address for the SourceArn parameter. DEVELOPER \nWhen Amazon Cognito emails your users, it uses your Amazon SES configuration. Amazon Cognito calls Amazon SES on your behalf to send email from your verified email address. When you use this option, the email delivery limits are the same limits that apply to your Amazon SES verified email address in your AWS account. \nIf you use this option, you must provide the ARN of an Amazon SES verified email address for the SourceArn parameter. \nBefore Amazon Cognito can email your users, it requires additional permissions to call Amazon SES on your behalf. When you update your user pool with this option, Amazon Cognito creates a service-linked role, which is a type of IAM role, in your AWS account. This role contains the permissions that allow Amazon Cognito to access Amazon SES and send email messages with your address. For more information about the service-linked role that Amazon Cognito creates, see Using Service-Linked Roles for Amazon Cognito in the Amazon Cognito Developer Guide.",
"SourceArn" : "The Amazon Resource Name (ARN) of a verified email address in Amazon SES. This email address is used in one of the following ways, depending on the value that you specify for the EmailSendingAccount parameter: \n If you specify COGNITO_DEFAULT, Amazon Cognito uses this address as the custom FROM address when it emails your users by using its built-in email account. \n If you specify DEVELOPER, Amazon Cognito emails your users with this address by calling Amazon SES on your behalf. "
},
"SmsConfiguration" : {
"ExternalId" : "The external ID is a value that we recommend you use to add security to your IAM role which is used to call Amazon SNS to send SMS messages for your user pool. If you provide an ExternalId, the Cognito User Pool will include it when attempting to assume your IAM role, so that you can set your roles trust policy to require the ExternalID. If you use the Cognito Management Console to create a role for SMS MFA, Cognito will create a role with the required permissions and a trust policy that demonstrates use of the ExternalId.",
"SnsCallerArn" : "The Amazon Resource Name (ARN) of the Amazon Simple Notification Service (SNS) caller. This is the ARN of the IAM role in your AWS account which Cognito will use to send SMS messages."
},
"AliasAttributes" : [ "string. Possible values: phone_number | email | preferred_username" ],
"EmailVerificationSubject" : "A string representing the email verification subject.",
"LambdaConfig" : {
"PreAuthentication" : "A pre-authentication AWS Lambda trigger.",
"CreateAuthChallenge" : "Creates an authentication challenge.",
"PreSignUp" : "A pre-registration AWS Lambda trigger.",
"DefineAuthChallenge" : "Defines the authentication challenge.",
"PreTokenGeneration" : "A Lambda trigger that is invoked before token generation.",
"UserMigration" : "The user migration Lambda config type.",
"PostConfirmation" : "A post-confirmation AWS Lambda trigger.",
"PostAuthentication" : "A post-authentication AWS Lambda trigger.",
"CustomMessage" : "A custom Message AWS Lambda trigger.",
"VerifyAuthChallengeResponse" : "Verifies the authentication challenge response."
},
"AutoVerifiedAttributes" : [ "string. Possible values: phone_number | email" ],
"UsernameAttributes" : [ "string. Possible values: phone_number | email" ],
"EmailVerificationMessage" : "A string representing the email verification message.",
"DeviceConfiguration" : {
"DeviceOnlyRememberedOnUserPrompt" : "If true, a device is only remembered on user prompt.",
"ChallengeRequiredOnNewDevice" : "Indicates whether a challenge is required on a new device. Only applicable to a new device."
}
}

create_user_pool_client

Creates the user pool client.

Parameters

$body

Represents the request to create a user pool client.

Type: object

{
"AnalyticsConfiguration" : {
"UserDataShared" : "If UserDataShared is true, Amazon Cognito will include user data in the events it publishes to Amazon Pinpoint analytics.",
"ExternalId" : "The external ID.",
"ApplicationId" : "The application ID for an Amazon Pinpoint application.",
"RoleArn" : "The ARN of an IAM role that authorizes Amazon Cognito to publish events to Amazon Pinpoint analytics."
},
"GenerateSecret" : "Boolean to specify whether you want to generate a secret for the user pool client being created.",
"CallbackURLs" : [ "string" ],
"AllowedOAuthScopes" : [ "string" ],
"ReadAttributes" : [ "string" ],
"DefaultRedirectURI" : "The default redirect URI. Must be in the CallbackURLs list. \nA redirect URI must: \n Be an absolute URI. \n Be registered with the authorization server. \n Not include a fragment component. \nSee OAuth 2.0 - Redirection Endpoint. \nAmazon Cognito requires HTTPS over HTTP except for http://localhost for testing purposes only. \nApp callback URLs such as myapp://example are also supported.",
"AllowedOAuthFlowsUserPoolClient" : "Set to True if the client is allowed to follow the OAuth protocol when interacting with Cognito user pools.",
"SupportedIdentityProviders" : [ "string" ],
"ClientName" : "The client name for the user pool client you would like to create.",
"UserPoolId" : "The user pool ID for the user pool where you want to create a user pool client.",
"AllowedOAuthFlows" : [ "string. Possible values: code | implicit | client_credentials" ],
"ExplicitAuthFlows" : [ "string. Possible values: ADMIN_NO_SRP_AUTH | CUSTOM_AUTH_FLOW_ONLY | USER_PASSWORD_AUTH" ],
"LogoutURLs" : [ "string" ],
"RefreshTokenValidity" : "The time limit, in days, after which the refresh token is no longer valid and cannot be used.",
"WriteAttributes" : [ "string" ]
}

create_user_pool_domain

Creates a new domain for a user pool.

Parameters

$body

Type: object

{
"UserPoolId" : "The user pool ID.",
"CustomDomainConfig" : {
"CertificateArn" : "The Amazon Resource Name (ARN) of an AWS Certificate Manager SSL certificate. You use this certificate for the subdomain of your custom domain."
},
"Domain" : "The domain string."
}

delete_group

Deletes a group. Currently only groups with no members can be deleted.
Calling this action requires developer credentials.

Parameters

$body

Type: object

{
"GroupName" : "The name of the group.",
"UserPoolId" : "The user pool ID for the user pool."
}

delete_identity_provider

Deletes an identity provider for a user pool.

Parameters

$body

Type: object

{
"ProviderName" : "The identity provider name.",
"UserPoolId" : "The user pool ID."
}

delete_resource_server

Deletes a resource server.

Parameters

$body

Type: object

{
"UserPoolId" : "The user pool ID for the user pool that hosts the resource server.",
"Identifier" : "The identifier for the resource server."
}

delete_user

Allows a user to delete himself or herself.

Parameters

$body

Represents the request to delete a user.

Type: object

{
"AccessToken" : "The access token from a request to delete a user."
}

delete_user_attributes

Deletes the attributes for a user.

Parameters

$body

Represents the request to delete user attributes.

Type: object

{
"UserAttributeNames" : [ "string" ],
"AccessToken" : "The access token used in the request to delete user attributes."
}

delete_user_pool

Deletes the specified Amazon Cognito user pool.

Parameters

$body

Represents the request to delete a user pool.

Type: object

{
"UserPoolId" : "The user pool ID for the user pool you want to delete."
}

delete_user_pool_client

Allows the developer to delete the user pool client.

Parameters

$body

Represents the request to delete a user pool client.

Type: object

{
"UserPoolId" : "The user pool ID for the user pool where you want to delete the client.",
"ClientId" : "The app client ID of the app associated with the user pool."
}

delete_user_pool_domain

Deletes a domain for a user pool.

Parameters

$body

Type: object

{
"UserPoolId" : "The user pool ID.",
"Domain" : "The domain string."
}

describe_identity_provider

Gets information about a specific identity provider.

Parameters

$body

Type: object

{
"ProviderName" : "The identity provider name.",
"UserPoolId" : "The user pool ID."
}

describe_resource_server

Describes a resource server.

Parameters

$body

Type: object

{
"UserPoolId" : "The user pool ID for the user pool that hosts the resource server.",
"Identifier" : "The identifier for the resource server"
}

describe_risk_configuration

Describes the risk configuration.

Parameters

$body

Type: object

{
"UserPoolId" : "The user pool ID.",
"ClientId" : "The app client ID."
}

describe_user_import_job

Describes the user import job.

Parameters

$body

Represents the request to describe the user import job.

Type: object

{
"UserPoolId" : "The user pool ID for the user pool that the users are being imported into.",
"JobId" : "The job ID for the user import job."
}

describe_user_pool

Returns the configuration information and metadata of the specified user pool.

Parameters

$body

Represents the request to describe the user pool.

Type: object

{
"UserPoolId" : "The user pool ID for the user pool you want to describe."
}

describe_user_pool_client

Client method for returning the configuration information and metadata of the specified user pool app client.

Parameters

$body

Represents the request to describe a user pool client.

Type: object

{
"UserPoolId" : "The user pool ID for the user pool you want to describe.",
"ClientId" : "The app client ID of the app associated with the user pool."
}

describe_user_pool_domain

Gets information about a domain.

Parameters

$body

Type: object

{
"Domain" : "The domain string."
}

forget_device

Forgets the specified device.

Parameters

$body

Represents the request to forget the device.

Type: object

{
"AccessToken" : "The access token for the forgotten device request.",
"DeviceKey" : "The device key."
}

forgot_password

Calling this API causes a message to be sent to the end user with a confirmation code that is required to change the user's password. For the Username parameter, you can use the username or user alias. If a verified phone number exists for the user, the confirmation code is sent to the phone number. Otherwise, if a verified email exists, the confirmation code is sent to the email. If neither a verified phone number nor a verified email exists, InvalidParameterException is thrown. To use the confirmation code for resetting the password, call .

Parameters

$body

Represents the request to reset a user's password.

Type: object

{
"Username" : "The user name of the user for whom you want to enter a code to reset a forgotten password.",
"SecretHash" : "A keyed-hash message authentication code (HMAC) calculated using the secret key of a user pool client and username plus the client ID in the message.",
"UserContextData" : {
"EncodedData" : "Contextual data such as the user's device fingerprint, IP address, or location used for evaluating the risk of an unexpected event by Amazon Cognito advanced security."
},
"ClientMetadata" : "A map of custom key-value pairs that you can provide as input for any custom workflows that this action triggers. \nYou create custom workflows by assigning AWS Lambda functions to user pool triggers. When you use the ForgotPassword API action, Amazon Cognito invokes any functions that are assigned to the following triggers: pre sign-up, custom message, and user migration. When Amazon Cognito invokes any of these functions, it passes a JSON payload, which the function receives as input. This payload contains a clientMetadata attribute, which provides the data that you assigned to the ClientMetadata parameter in your ForgotPassword request. In your function code in AWS Lambda, you can process the clientMetadata value to enhance your workflow for your specific needs. \nFor more information, see Customizing User Pool Workflows with Lambda Triggers in the Amazon Cognito Developer Guide. \nTake the following limitations into consideration when you use the ClientMetadata parameter: \n Amazon Cognito does not store the ClientMetadata value. This data is available only to AWS Lambda triggers that are assigned to a user pool to support custom workflows. If your user pool configuration does not include triggers, the ClientMetadata parameter serves no purpose. \n Amazon Cognito does not validate the ClientMetadata value. \n Amazon Cognito does not encrypt the the ClientMetadata value, so don't use it to provide sensitive information. ",
"ClientId" : "The ID of the client associated with the user pool.",
"AnalyticsMetadata" : {
"AnalyticsEndpointId" : "The endpoint ID."
}
}

get_csv_header

Gets the header information for the .csv file to be used as input for the user import job.

Parameters

$body

Represents the request to get the header information for the .csv file for the user import job.

Type: object

{
"UserPoolId" : "The user pool ID for the user pool that the users are to be imported into."
}

get_device

Gets the device.

Parameters

$body

Represents the request to get the device.

Type: object

{
"AccessToken" : "The access token.",
"DeviceKey" : "The device key."
}

get_group

Gets a group.
Calling this action requires developer credentials.

Parameters

$body

Type: object

{
"GroupName" : "The name of the group.",
"UserPoolId" : "The user pool ID for the user pool."
}

get_identity_provider_by_identifier

Gets the specified identity provider.

Parameters

$body

Type: object

{
"UserPoolId" : "The user pool ID.",
"IdpIdentifier" : "The identity provider ID."
}

get_signing_certificate

This method takes a user pool ID, and returns the signing certificate.

Parameters

$body

Request to get a signing certificate from Cognito.

Type: object

{
"UserPoolId" : "The user pool ID."
}

get_ui_customization

Gets the UI Customization information for a particular app client's app UI, if there is something set. If nothing is set for the particular client, but there is an existing pool level customization (app clientId will be ALL), then that is returned. If nothing is present, then an empty shape is returned.

Parameters

$body

Type: object

{
"UserPoolId" : "The user pool ID for the user pool.",
"ClientId" : "The client ID for the client app."
}

get_user

Gets the user attributes and metadata for a user.

Parameters

$body

Represents the request to get information about the user.

Type: object

{
"AccessToken" : "The access token returned by the server response to get information about the user."
}

get_user_attribute_verification_code

Gets the user attribute verification code for the specified attribute name.

Parameters

$body

Represents the request to get user attribute verification.

Type: object

{
"AccessToken" : "The access token returned by the server response to get the user attribute verification code.",
"ClientMetadata" : "A map of custom key-value pairs that you can provide as input for any custom workflows that this action triggers. \nYou create custom workflows by assigning AWS Lambda functions to user pool triggers. When you use the GetUserAttributeVerificationCode API action, Amazon Cognito invokes the function that is assigned to the custom message trigger. When Amazon Cognito invokes this function, it passes a JSON payload, which the function receives as input. This payload contains a clientMetadata attribute, which provides the data that you assigned to the ClientMetadata parameter in your GetUserAttributeVerificationCode request. In your function code in AWS Lambda, you can process the clientMetadata value to enhance your workflow for your specific needs. \nFor more information, see Customizing User Pool Workflows with Lambda Triggers in the Amazon Cognito Developer Guide. \nTake the following limitations into consideration when you use the ClientMetadata parameter: \n Amazon Cognito does not store the ClientMetadata value. This data is available only to AWS Lambda triggers that are assigned to a user pool to support custom workflows. If your user pool configuration does not include triggers, the ClientMetadata parameter serves no purpose. \n Amazon Cognito does not validate the ClientMetadata value. \n Amazon Cognito does not encrypt the the ClientMetadata value, so don't use it to provide sensitive information. ",
"AttributeName" : "The attribute name returned by the server response to get the user attribute verification code."
}

get_user_pool_mfa_config

Gets the user pool multi-factor authentication (MFA) configuration.

Parameters

$body

Type: object

{
"UserPoolId" : "The user pool ID."
}

global_sign_out

Signs out users from all devices.

Parameters

$body

Represents the request to sign out all devices.

Type: object

{
"AccessToken" : "The access token."
}

initiate_auth

Initiates the authentication flow.

Parameters

$body

Initiates the authentication request.

Type: object

{
"AuthParameters" : "The authentication parameters. These are inputs corresponding to the AuthFlow that you are invoking. The required values depend on the value of AuthFlow: \n For USER_SRP_AUTH: USERNAME (required), SRP_A (required), SECRET_HASH (required if the app client is configured with a client secret), DEVICE_KEY \n For REFRESH_TOKEN_AUTH/REFRESH_TOKEN: REFRESH_TOKEN (required), SECRET_HASH (required if the app client is configured with a client secret), DEVICE_KEY \n For CUSTOM_AUTH: USERNAME (required), SECRET_HASH (if app client is configured with client secret), DEVICE_KEY ",
"AuthFlow" : "The authentication flow for this call to execute. The API action will depend on this value. For example: \n REFRESH_TOKEN_AUTH will take in a valid refresh token and return new tokens. \n USER_SRP_AUTH will take in USERNAME and SRP_A and return the SRP variables to be used for next challenge execution. \n USER_PASSWORD_AUTH will take in USERNAME and PASSWORD and return the next challenge or tokens. \nValid values include: \n USER_SRP_AUTH: Authentication flow for the Secure Remote Password (SRP) protocol. \n REFRESH_TOKEN_AUTH/REFRESH_TOKEN: Authentication flow for refreshing the access token and ID token by supplying a valid refresh token. \n CUSTOM_AUTH: Custom authentication flow. \n USER_PASSWORD_AUTH: Non-SRP authentication flow; USERNAME and PASSWORD are passed directly. If a user migration Lambda trigger is set, this flow will invoke the user migration Lambda if the USERNAME is not found in the user pool. \n ADMIN_NO_SRP_AUTH is not a valid value.",
"UserContextData" : {
"EncodedData" : "Contextual data such as the user's device fingerprint, IP address, or location used for evaluating the risk of an unexpected event by Amazon Cognito advanced security."
},
"ClientMetadata" : "A map of custom key-value pairs that you can provide as input for certain custom workflows that this action triggers. \nYou create custom workflows by assigning AWS Lambda functions to user pool triggers. When you use the InitiateAuth API action, Amazon Cognito invokes the AWS Lambda functions that are specified for various triggers. The ClientMetadata value is passed as input to the functions for only the following triggers: \n Pre signup \n Pre authentication \n User migration \nWhen Amazon Cognito invokes the functions for these triggers, it passes a JSON payload, which the function receives as input. This payload contains a validationData attribute, which provides the data that you assigned to the ClientMetadata parameter in your InitiateAuth request. In your function code in AWS Lambda, you can process the validationData value to enhance your workflow for your specific needs. \nWhen you use the InitiateAuth API action, Amazon Cognito also invokes the functions for the following triggers, but it does not provide the ClientMetadata value as input: \n Post authentication \n Custom message \n Pre token generation \n Create auth challenge \n Define auth challenge \n Verify auth challenge \nFor more information, see Customizing User Pool Workflows with Lambda Triggers in the Amazon Cognito Developer Guide. \nTake the following limitations into consideration when you use the ClientMetadata parameter: \n Amazon Cognito does not store the ClientMetadata value. This data is available only to AWS Lambda triggers that are assigned to a user pool to support custom workflows. If your user pool configuration does not include triggers, the ClientMetadata parameter serves no purpose. \n Amazon Cognito does not validate the ClientMetadata value. \n Amazon Cognito does not encrypt the the ClientMetadata value, so don't use it to provide sensitive information. ",
"ClientId" : "The app client ID.",
"AnalyticsMetadata" : {
"AnalyticsEndpointId" : "The endpoint ID."
}
}

list_devices

Lists the devices.

Parameters

$body

Represents the request to list the devices.

Type: object

{
"AccessToken" : "The access tokens for the request to list devices.",
"Limit" : "The limit of the device request.",
"PaginationToken" : "The pagination token for the list request."
}

list_groups

Lists the groups associated with a user pool.
Calling this action requires developer credentials.

Parameters

$body

Type: object

{
"UserPoolId" : "The user pool ID for the user pool."
}

list_identity_providers

Lists information about all identity providers for a user pool.

Parameters

$body

Type: object

{
"UserPoolId" : "The user pool ID."
}

list_resource_servers

Lists the resource servers for a user pool.

Parameters

$body

Type: object

{
"UserPoolId" : "The user pool ID for the user pool."
}

list_tags_for_resource

Lists the tags that are assigned to an Amazon Cognito user pool.
A tag is a label that you can apply to user pools to categorize and manage them in different ways, such as by purpose, owner, environment, or other criteria.
You can use this action up to 10 times per second, per account.

Parameters

$body

Type: object

{
"ResourceArn" : "The Amazon Resource Name (ARN) of the user pool that the tags are assigned to."
}

list_user_import_jobs

Lists the user import jobs.

Parameters

$body

Represents the request to list the user import jobs.

Type: object

{
"UserPoolId" : "The user pool ID for the user pool that the users are being imported into.",
"MaxResults" : "The maximum number of import jobs you want the request to return.",
"PaginationToken" : "An identifier that was returned from the previous call to ListUserImportJobs, which can be used to return the next set of import jobs in the list."
}

list_user_pool_clients

Lists the clients that have been created for the specified user pool.

Parameters

$body

Represents the request to list the user pool clients.

Type: object

{
"UserPoolId" : "The user pool ID for the user pool where you want to list user pool clients."
}

list_user_pools

Lists the user pools associated with an AWS account.

This operation has no parameters

list_users

Lists the users in the Amazon Cognito user pool.

Parameters

$body

Represents the request to list users.

Type: object

{
"UserPoolId" : "The user pool ID for the user pool on which the search should be performed.",
"Filter" : "A filter string of the form \"AttributeName Filter-Type \"AttributeValue\"\". Quotation marks within the filter string must be escaped using the backslash (\\) character. For example, \"family_name = \\\"Reddy\\\"\". \n AttributeName: The name of the attribute to search for. You can only search for one attribute at a time. \n Filter-Type: For an exact match, use =, for example, \"given_name = \\\"Jon\\\"\". For a prefix (\"starts with\") match, use ^=, for example, \"given_name ^= \\\"Jon\\\"\". \n AttributeValue: The attribute value that must be matched for each user. \nIf the filter string is empty, ListUsers returns all users in the user pool. \nYou can only search for the following standard attributes: \n username (case-sensitive) \n email \n phone_number \n name \n given_name \n family_name \n preferred_username \n cognito:user_status (called Status in the Console) (case-insensitive) \n status (called Enabled in the Console) (case-sensitive) \n sub \nCustom attributes are not searchable. \nFor more information, see Searching for Users Using the ListUsers API and Examples of Using the ListUsers API in the Amazon Cognito Developer Guide.",
"AttributesToGet" : [ "string" ]
}

list_users_in_group

Lists the users in the specified group.
Calling this action requires developer credentials.

Parameters

$body

Type: object

{
"GroupName" : "The name of the group.",
"UserPoolId" : "The user pool ID for the user pool."
}

resend_confirmation_code

Resends the confirmation (for confirmation of registration) to a specific user in the user pool.

Parameters

$body

Represents the request to resend the confirmation code.

Type: object

{
"Username" : "The user name of the user to whom you wish to resend a confirmation code.",
"SecretHash" : "A keyed-hash message authentication code (HMAC) calculated using the secret key of a user pool client and username plus the client ID in the message.",
"UserContextData" : {
"EncodedData" : "Contextual data such as the user's device fingerprint, IP address, or location used for evaluating the risk of an unexpected event by Amazon Cognito advanced security."
},
"ClientMetadata" : "A map of custom key-value pairs that you can provide as input for any custom workflows that this action triggers. \nYou create custom workflows by assigning AWS Lambda functions to user pool triggers. When you use the ResendConfirmationCode API action, Amazon Cognito invokes the function that is assigned to the custom message trigger. When Amazon Cognito invokes this function, it passes a JSON payload, which the function receives as input. This payload contains a clientMetadata attribute, which provides the data that you assigned to the ClientMetadata parameter in your ResendConfirmationCode request. In your function code in AWS Lambda, you can process the clientMetadata value to enhance your workflow for your specific needs. \nFor more information, see Customizing User Pool Workflows with Lambda Triggers in the Amazon Cognito Developer Guide. \nTake the following limitations into consideration when you use the ClientMetadata parameter: \n Amazon Cognito does not store the ClientMetadata value. This data is available only to AWS Lambda triggers that are assigned to a user pool to support custom workflows. If your user pool configuration does not include triggers, the ClientMetadata parameter serves no purpose. \n Amazon Cognito does not validate the ClientMetadata value. \n Amazon Cognito does not encrypt the the ClientMetadata value, so don't use it to provide sensitive information. ",
"ClientId" : "The ID of the client associated with the user pool.",
"AnalyticsMetadata" : {
"AnalyticsEndpointId" : "The endpoint ID."
}
}

respond_to_auth_challenge

Responds to the authentication challenge.

Parameters

$body

The request to respond to an authentication challenge.

Type: object

{
"ChallengeResponses" : "The challenge responses. These are inputs corresponding to the value of ChallengeName, for example: \n SECRET_HASH (if app client is configured with client secret) applies to all inputs below (including SOFTWARE_TOKEN_MFA). \n SMS_MFA: SMS_MFA_CODE, USERNAME. \n PASSWORD_VERIFIER: PASSWORD_CLAIM_SIGNATURE, PASSWORD_CLAIM_SECRET_BLOCK, TIMESTAMP, USERNAME. \n NEW_PASSWORD_REQUIRED: NEW_PASSWORD, any other required attributes, USERNAME. \n SOFTWARE_TOKEN_MFA: USERNAME and SOFTWARE_TOKEN_MFA_CODE are required attributes. \n DEVICE_SRP_AUTH requires USERNAME, DEVICE_KEY, SRP_A (and SECRET_HASH). \n DEVICE_PASSWORD_VERIFIER requires everything that PASSWORD_VERIFIER requires plus DEVICE_KEY. ",
"UserContextData" : {
"EncodedData" : "Contextual data such as the user's device fingerprint, IP address, or location used for evaluating the risk of an unexpected event by Amazon Cognito advanced security."
},
"ClientMetadata" : "A map of custom key-value pairs that you can provide as input for any custom workflows that this action triggers. \nYou create custom workflows by assigning AWS Lambda functions to user pool triggers. When you use the RespondToAuthChallenge API action, Amazon Cognito invokes any functions that are assigned to the following triggers: post authentication, pre token generation, define auth challenge, create auth challenge, and verify auth challenge. When Amazon Cognito invokes any of these functions, it passes a JSON payload, which the function receives as input. This payload contains a clientMetadata attribute, which provides the data that you assigned to the ClientMetadata parameter in your RespondToAuthChallenge request. In your function code in AWS Lambda, you can process the clientMetadata value to enhance your workflow for your specific needs. \nFor more information, see Customizing User Pool Workflows with Lambda Triggers in the Amazon Cognito Developer Guide. \nTake the following limitations into consideration when you use the ClientMetadata parameter: \n Amazon Cognito does not store the ClientMetadata value. This data is available only to AWS Lambda triggers that are assigned to a user pool to support custom workflows. If your user pool configuration does not include triggers, the ClientMetadata parameter serves no purpose. \n Amazon Cognito does not validate the ClientMetadata value. \n Amazon Cognito does not encrypt the the ClientMetadata value, so don't use it to provide sensitive information. ",
"ClientId" : "The app client ID.",
"AnalyticsMetadata" : {
"AnalyticsEndpointId" : "The endpoint ID."
},
"ChallengeName" : "The challenge name. For more information, see . \n ADMIN_NO_SRP_AUTH is not a valid value.",
"Session" : "The session which should be passed both ways in challenge-response calls to the service. If InitiateAuth or RespondToAuthChallenge API call determines that the caller needs to go through another challenge, they return a session with other challenge parameters. This session should be passed as it is to the next RespondToAuthChallenge API call."
}

set_risk_configuration

Configures actions on detected risks. To delete the risk configuration for UserPoolId or ClientId, pass null values for all four configuration types.
To enable Amazon Cognito advanced security features, update the user pool to include the UserPoolAddOns keyAdvancedSecurityMode.
See .

Parameters

$body

Type: object

{
"CompromisedCredentialsRiskConfiguration" : {
"Actions" : {
"EventAction" : "The event action."
},
"EventFilter" : [ "string. Possible values: SIGN_IN | PASSWORD_CHANGE | SIGN_UP" ]
},
"UserPoolId" : "The user pool ID. ",
"ClientId" : "The app client ID. If ClientId is null, then the risk configuration is mapped to userPoolId. When the client ID is null, the same risk configuration is applied to all the clients in the userPool. \nOtherwise, ClientId is mapped to the client. When the client ID is not null, the user pool configuration is overridden and the risk configuration for the client is used instead.",
"AccountTakeoverRiskConfiguration" : {
"Actions" : {
"HighAction" : {
"Notify" : "Flag specifying whether to send a notification.",
"EventAction" : "The event action. \n BLOCK Choosing this action will block the request. \n MFA_IF_CONFIGURED Throw MFA challenge if user has configured it, else allow the request. \n MFA_REQUIRED Throw MFA challenge if user has configured it, else block the request. \n NO_ACTION Allow the user sign-in. "
},
"LowAction" : {
"Notify" : "Flag specifying whether to send a notification.",
"EventAction" : "The event action. \n BLOCK Choosing this action will block the request. \n MFA_IF_CONFIGURED Throw MFA challenge if user has configured it, else allow the request. \n MFA_REQUIRED Throw MFA challenge if user has configured it, else block the request. \n NO_ACTION Allow the user sign-in. "
},
"MediumAction" : {
"Notify" : "Flag specifying whether to send a notification.",
"EventAction" : "The event action. \n BLOCK Choosing this action will block the request. \n MFA_IF_CONFIGURED Throw MFA challenge if user has configured it, else allow the request. \n MFA_REQUIRED Throw MFA challenge if user has configured it, else block the request. \n NO_ACTION Allow the user sign-in. "
}
},
"NotifyConfiguration" : {
"ReplyTo" : "The destination to which the receiver of an email should reply to.",
"BlockEmail" : {
"TextBody" : "The text body.",
"HtmlBody" : "The HTML body.",
"Subject" : "The subject."
},
"SourceArn" : "The Amazon Resource Name (ARN) of the identity that is associated with the sending authorization policy. It permits Amazon Cognito to send for the email address specified in the From parameter.",
"NoActionEmail" : {
"TextBody" : "The text body.",
"HtmlBody" : "The HTML body.",
"Subject" : "The subject."
},
"From" : "The email address that is sending the email. It must be either individually verified with Amazon SES, or from a domain that has been verified with Amazon SES.",
"MfaEmail" : {
"TextBody" : "The text body.",
"HtmlBody" : "The HTML body.",
"Subject" : "The subject."
}
}
},
"RiskExceptionConfiguration" : {
"BlockedIPRangeList" : [ "string" ],
"SkippedIPRangeList" : [ "string" ]
}
}

set_ui_customization

Sets the UI customization information for a user pool's built-in app UI.
You can specify app UI customization settings for a single client (with a specific clientId) or for all clients (by setting the clientId to ALL). If you specify ALL, the default configuration will be used for every client that has no UI customization set previously. If you specify UI customization settings for a particular client, it will no longer fall back to the ALL configuration.
To use this API, your user pool must have a domain associated with it. Otherwise, there is no place to host the app's pages, and the service will throw an error.

Parameters

$body

Type: object

{
"CSS" : "The CSS values in the UI customization.",
"UserPoolId" : "The user pool ID for the user pool.",
"ImageFile" : "The uploaded logo image for the UI customization.",
"ClientId" : "The client ID for the client app."
}

set_user_mfa_preference

Set the user's multi-factor authentication (MFA) method preference, including which MFA factors are enabled and if any are preferred. Only one factor can be set as preferred. The preferred MFA factor will be used to authenticate a user if multiple factors are enabled. If multiple options are enabled and no preference is set, a challenge to choose an MFA option will be returned during sign in.

Parameters

$body

Type: object

{
"SMSMfaSettings" : {
"Enabled" : "Specifies whether SMS text message MFA is enabled.",
"PreferredMfa" : "Specifies whether SMS is the preferred MFA method."
},
"AccessToken" : "The access token for the user.",
"SoftwareTokenMfaSettings" : {
"Enabled" : "Specifies whether software token MFA is enabled.",
"PreferredMfa" : "Specifies whether software token MFA is the preferred MFA method."
}
}

set_user_pool_mfa_config

Set the user pool multi-factor authentication (MFA) configuration.

Parameters

$body

Type: object

{
"UserPoolId" : "The user pool ID.",
"SmsMfaConfiguration" : {
"SmsConfiguration" : {
"ExternalId" : "The external ID is a value that we recommend you use to add security to your IAM role which is used to call Amazon SNS to send SMS messages for your user pool. If you provide an ExternalId, the Cognito User Pool will include it when attempting to assume your IAM role, so that you can set your roles trust policy to require the ExternalID. If you use the Cognito Management Console to create a role for SMS MFA, Cognito will create a role with the required permissions and a trust policy that demonstrates use of the ExternalId.",
"SnsCallerArn" : "The Amazon Resource Name (ARN) of the Amazon Simple Notification Service (SNS) caller. This is the ARN of the IAM role in your AWS account which Cognito will use to send SMS messages."
},
"SmsAuthenticationMessage" : "The SMS authentication message that will be sent to users with the code they need to sign in. The message must contain the ‘{####}’ placeholder, which will be replaced with the code. If the message is not included, and default message will be used."
},
"MfaConfiguration" : "The MFA configuration. Valid values include: \n OFF MFA will not be used for any users. \n ON MFA is required for all users to sign in. \n OPTIONAL MFA will be required only for individual users who have an MFA factor enabled. ",
"SoftwareTokenMfaConfiguration" : {
"Enabled" : "Specifies whether software token MFA is enabled."
}
}

set_user_settings

This action is no longer supported. You can use it to configure only SMS MFA. You can't use it to configure TOTP software token MFA. To configure either type of MFA, use the SetUserMFAPreference action instead.

Parameters

$body

Represents the request to set user settings.

Type: object

{
"AccessToken" : "The access token for the set user settings request.",
"MFAOptions" : [ {
"DeliveryMedium" : "The delivery medium to send the MFA code. You can use this parameter to set only the SMS delivery medium value.",
"AttributeName" : "The attribute name of the MFA option type. The only valid value is phone_number."
} ]
}

sign_up

Registers the user in the specified user pool and creates a user name, password, and user attributes.

Parameters

$body

Represents the request to register a user.

Type: object

{
"ValidationData" : [ {
"Value" : "The value of the attribute.",
"Name" : "The name of the attribute."
} ],
"Username" : "The user name of the user you wish to register.",
"SecretHash" : "A keyed-hash message authentication code (HMAC) calculated using the secret key of a user pool client and username plus the client ID in the message.",
"UserContextData" : {
"EncodedData" : "Contextual data such as the user's device fingerprint, IP address, or location used for evaluating the risk of an unexpected event by Amazon Cognito advanced security."
},
"ClientMetadata" : "A map of custom key-value pairs that you can provide as input for any custom workflows that this action triggers. \nYou create custom workflows by assigning AWS Lambda functions to user pool triggers. When you use the SignUp API action, Amazon Cognito invokes any functions that are assigned to the following triggers: pre sign-up, custom message, and post confirmation. When Amazon Cognito invokes any of these functions, it passes a JSON payload, which the function receives as input. This payload contains a clientMetadata attribute, which provides the data that you assigned to the ClientMetadata parameter in your SignUp request. In your function code in AWS Lambda, you can process the clientMetadata value to enhance your workflow for your specific needs. \nFor more information, see Customizing User Pool Workflows with Lambda Triggers in the Amazon Cognito Developer Guide. \nTake the following limitations into consideration when you use the ClientMetadata parameter: \n Amazon Cognito does not store the ClientMetadata value. This data is available only to AWS Lambda triggers that are assigned to a user pool to support custom workflows. If your user pool configuration does not include triggers, the ClientMetadata parameter serves no purpose. \n Amazon Cognito does not validate the ClientMetadata value. \n Amazon Cognito does not encrypt the the ClientMetadata value, so don't use it to provide sensitive information. ",
"ClientId" : "The ID of the client associated with the user pool.",
"AnalyticsMetadata" : {
"AnalyticsEndpointId" : "The endpoint ID."
},
"Password" : "The password of the user you wish to register.",
"UserAttributes" : [ {
"Value" : "The value of the attribute.",
"Name" : "The name of the attribute."
} ]
}

start_user_import_job

Starts the user import.

Parameters

$body

Represents the request to start the user import job.

Type: object

{
"UserPoolId" : "The user pool ID for the user pool that the users are being imported into.",
"JobId" : "The job ID for the user import job."
}

stop_user_import_job

Stops the user import job.

Parameters

$body

Represents the request to stop the user import job.

Type: object

{
"UserPoolId" : "The user pool ID for the user pool that the users are being imported into.",
"JobId" : "The job ID for the user import job."
}

tag_resource

Assigns a set of tags to an Amazon Cognito user pool. A tag is a label that you can use to categorize and manage user pools in different ways, such as by purpose, owner, environment, or other criteria.
Each tag consists of a key and value, both of which you define. A key is a general category for more specific values. For example, if you have two versions of a user pool, one for testing and another for production, you might assign an Environment tag key to both user pools. The value of this key might be Test for one user pool and Production for the other.
Tags are useful for cost tracking and access control. You can activate your tags so that they appear on the Billing and Cost Management console, where you can track the costs associated with your user pools. In an IAM policy, you can constrain permissions for user pools based on specific tags or tag values.
You can use this action up to 5 times per second, per account. A user pool can have as many as 50 tags.

Parameters

$body

Type: object

{
"ResourceArn" : "The Amazon Resource Name (ARN) of the user pool to assign the tags to.",
"Tags" : "The tags to assign to the user pool."
}

untag_resource

Removes the specified tags from an Amazon Cognito user pool. You can use this action up to 5 times per second, per account

Parameters

$body

Type: object

{
"ResourceArn" : "The Amazon Resource Name (ARN) of the user pool that the tags are assigned to.",
"TagKeys" : [ "string" ]
}

update_auth_event_feedback

Provides the feedback for an authentication event whether it was from a valid user or not. This feedback is used for improving the risk evaluation decision for the user pool as part of Amazon Cognito advanced security.

Parameters

$body

Type: object

{
"UserPoolId" : "The user pool ID.",
"Username" : "The user pool username.",
"FeedbackToken" : "The feedback token.",
"EventId" : "The event ID.",
"FeedbackValue" : "The authentication event feedback value."
}

update_device_status

Updates the device status.

Parameters

$body

Represents the request to update the device status.

Type: object

{
"AccessToken" : "The access token.",
"DeviceRememberedStatus" : "The status of whether a device is remembered.",
"DeviceKey" : "The device key."
}

update_group

Updates the specified group with the specified attributes.
Calling this action requires developer credentials.

Parameters

$body

Type: object

{
"GroupName" : "The name of the group.",
"UserPoolId" : "The user pool ID for the user pool.",
"Description" : "A string containing the new description of the group.",
"Precedence" : "The new precedence value for the group. For more information about this parameter, see .",
"RoleArn" : "The new role ARN for the group. This is used for setting the cognito:roles and cognito:preferred_role claims in the token."
}

update_identity_provider

Updates identity provider information for a user pool.

Parameters

$body

Type: object

{
"ProviderName" : "The identity provider name.",
"UserPoolId" : "The user pool ID.",
"AttributeMapping" : "The identity provider attribute mapping to be changed.",
"ProviderDetails" : "The identity provider details to be updated, such as MetadataURL and MetadataFile.",
"IdpIdentifiers" : [ "string" ]
}

update_resource_server

Updates the name and scopes of resource server. All other fields are read-only.

Parameters

$body

Type: object

{
"UserPoolId" : "The user pool ID for the user pool.",
"Identifier" : "The identifier for the resource server.",
"Scopes" : [ {
"ScopeName" : "The name of the scope.",
"ScopeDescription" : "A description of the scope."
} ],
"Name" : "The name of the resource server."
}

update_user_attributes

Allows a user to update a specific attribute (one at a time).

Parameters

$body

Represents the request to update user attributes.

Type: object

{
"AccessToken" : "The access token for the request to update user attributes.",
"ClientMetadata" : "A map of custom key-value pairs that you can provide as input for any custom workflows that this action triggers. \nYou create custom workflows by assigning AWS Lambda functions to user pool triggers. When you use the UpdateUserAttributes API action, Amazon Cognito invokes the functions that are assigned to the custom message and pre mutation triggers. When Amazon Cognito invokes either of these functions, it passes a JSON payload, which the function receives as input. This payload contains a clientMetadata attribute, which provides the data that you assigned to the ClientMetadata parameter in your UpdateUserAttributes request. In your function code in AWS Lambda, you can process the clientMetadata value to enhance your workflow for your specific needs. \nFor more information, see Customizing User Pool Workflows with Lambda Triggers in the Amazon Cognito Developer Guide. \nTake the following limitations into consideration when you use the ClientMetadata parameter: \n Amazon Cognito does not store the ClientMetadata value. This data is available only to AWS Lambda triggers that are assigned to a user pool to support custom workflows. If your user pool configuration does not include triggers, the ClientMetadata parameter serves no purpose. \n Amazon Cognito does not validate the ClientMetadata value. \n Amazon Cognito does not encrypt the the ClientMetadata value, so don't use it to provide sensitive information. ",
"UserAttributes" : [ {
"Value" : "The value of the attribute.",
"Name" : "The name of the attribute."
} ]
}

update_user_pool

Updates the specified user pool with the specified attributes. If you don't provide a value for an attribute, it will be set to the default value. You can get a list of the current user pool settings with .

Parameters

$body

Represents the request to update the user pool.

Type: object

{
"UserPoolTags" : "The tag keys and values to assign to the user pool. A tag is a label that you can use to categorize and manage user pools in different ways, such as by purpose, owner, environment, or other criteria.",
"Policies" : {
"PasswordPolicy" : {
"RequireNumbers" : "In the password policy that you have set, refers to whether you have required users to use at least one number in their password.",
"MinimumLength" : "The minimum length of the password policy that you have set. Cannot be less than 6.",
"TemporaryPasswordValidityDays" : "In the password policy you have set, refers to the number of days a temporary password is valid. If the user does not sign-in during this time, their password will need to be reset by an administrator. \nWhen you set TemporaryPasswordValidityDays for a user pool, you will no longer be able to set the deprecated UnusedAccountValidityDays value for that user pool.",
"RequireUppercase" : "In the password policy that you have set, refers to whether you have required users to use at least one uppercase letter in their password.",
"RequireLowercase" : "In the password policy that you have set, refers to whether you have required users to use at least one lowercase letter in their password.",
"RequireSymbols" : "In the password policy that you have set, refers to whether you have required users to use at least one symbol in their password."
}
},
"VerificationMessageTemplate" : {
"EmailMessageByLink" : "The email message template for sending a confirmation link to the user.",
"EmailMessage" : "The email message template.",
"SmsMessage" : "The SMS message template.",
"EmailSubject" : "The subject line for the email message template.",
"DefaultEmailOption" : "The default email option.",
"EmailSubjectByLink" : "The subject line for the email message template for sending a confirmation link to the user."
},
"MfaConfiguration" : "Can be one of the following values: \n OFF - MFA tokens are not required and cannot be specified during user registration. \n ON - MFA tokens are required for all user registrations. You can only specify required when you are initially creating a user pool. \n OPTIONAL - Users have the option when registering to create an MFA token. ",
"AdminCreateUserConfig" : {
"UnusedAccountValidityDays" : "The user account expiration limit, in days, after which the account is no longer usable. To reset the account after that time limit, you must call AdminCreateUser again, specifying \"RESEND\" for the MessageAction parameter. The default value for this parameter is 7. \nIf you set a value for TemporaryPasswordValidityDays in PasswordPolicy, that value will be used and UnusedAccountValidityDays will be deprecated for that user pool. ",
"InviteMessageTemplate" : {
"EmailMessage" : "The message template for email messages.",
"SMSMessage" : "The message template for SMS messages.",
"EmailSubject" : "The subject line for email messages."
},
"AllowAdminCreateUserOnly" : "Set to True if only the administrator is allowed to create user profiles. Set to False if users can sign themselves up via an app."
},
"SmsAuthenticationMessage" : "The contents of the SMS authentication message.",
"SmsVerificationMessage" : "A container with information about the SMS verification message.",
"UserPoolAddOns" : {
"AdvancedSecurityMode" : "The advanced security mode."
},
"UserPoolId" : "The user pool ID for the user pool you want to update.",
"EmailConfiguration" : {
"ReplyToEmailAddress" : "The destination to which the receiver of the email should reply to.",
"EmailSendingAccount" : "Specifies whether Amazon Cognito emails your users by using its built-in email functionality or your Amazon SES email configuration. Specify one of the following values: COGNITO_DEFAULT \nWhen Amazon Cognito emails your users, it uses its built-in email functionality. When you use the default option, Amazon Cognito allows only a limited number of emails each day for your user pool. For typical production environments, the default email limit is below the required delivery volume. To achieve a higher delivery volume, specify DEVELOPER to use your Amazon SES email configuration. \nTo look up the email delivery limit for the default option, see Limits in Amazon Cognito in the Amazon Cognito Developer Guide. \nThe default FROM address is no-reply@verificationemail.com. To customize the FROM address, provide the ARN of an Amazon SES verified email address for the SourceArn parameter. DEVELOPER \nWhen Amazon Cognito emails your users, it uses your Amazon SES configuration. Amazon Cognito calls Amazon SES on your behalf to send email from your verified email address. When you use this option, the email delivery limits are the same limits that apply to your Amazon SES verified email address in your AWS account. \nIf you use this option, you must provide the ARN of an Amazon SES verified email address for the SourceArn parameter. \nBefore Amazon Cognito can email your users, it requires additional permissions to call Amazon SES on your behalf. When you update your user pool with this option, Amazon Cognito creates a service-linked role, which is a type of IAM role, in your AWS account. This role contains the permissions that allow Amazon Cognito to access Amazon SES and send email messages with your address. For more information about the service-linked role that Amazon Cognito creates, see Using Service-Linked Roles for Amazon Cognito in the Amazon Cognito Developer Guide.",
"SourceArn" : "The Amazon Resource Name (ARN) of a verified email address in Amazon SES. This email address is used in one of the following ways, depending on the value that you specify for the EmailSendingAccount parameter: \n If you specify COGNITO_DEFAULT, Amazon Cognito uses this address as the custom FROM address when it emails your users by using its built-in email account. \n If you specify DEVELOPER, Amazon Cognito emails your users with this address by calling Amazon SES on your behalf. "
},
"SmsConfiguration" : {
"ExternalId" : "The external ID is a value that we recommend you use to add security to your IAM role which is used to call Amazon SNS to send SMS messages for your user pool. If you provide an ExternalId, the Cognito User Pool will include it when attempting to assume your IAM role, so that you can set your roles trust policy to require the ExternalID. If you use the Cognito Management Console to create a role for SMS MFA, Cognito will create a role with the required permissions and a trust policy that demonstrates use of the ExternalId.",
"SnsCallerArn" : "The Amazon Resource Name (ARN) of the Amazon Simple Notification Service (SNS) caller. This is the ARN of the IAM role in your AWS account which Cognito will use to send SMS messages."
},
"EmailVerificationSubject" : "The subject of the email verification message.",
"LambdaConfig" : {
"PreAuthentication" : "A pre-authentication AWS Lambda trigger.",
"CreateAuthChallenge" : "Creates an authentication challenge.",
"PreSignUp" : "A pre-registration AWS Lambda trigger.",
"DefineAuthChallenge" : "Defines the authentication challenge.",
"PreTokenGeneration" : "A Lambda trigger that is invoked before token generation.",
"UserMigration" : "The user migration Lambda config type.",
"PostConfirmation" : "A post-confirmation AWS Lambda trigger.",
"PostAuthentication" : "A post-authentication AWS Lambda trigger.",
"CustomMessage" : "A custom Message AWS Lambda trigger.",
"VerifyAuthChallengeResponse" : "Verifies the authentication challenge response."
},
"AutoVerifiedAttributes" : [ "string. Possible values: phone_number | email" ],
"EmailVerificationMessage" : "The contents of the email verification message.",
"DeviceConfiguration" : {
"DeviceOnlyRememberedOnUserPrompt" : "If true, a device is only remembered on user prompt.",
"ChallengeRequiredOnNewDevice" : "Indicates whether a challenge is required on a new device. Only applicable to a new device."
}
}

update_user_pool_client

Updates the specified user pool app client with the specified attributes. If you don't provide a value for an attribute, it will be set to the default value. You can get a list of the current user pool app client settings with .

Parameters

$body

Represents the request to update the user pool client.

Type: object

{
"AnalyticsConfiguration" : {
"UserDataShared" : "If UserDataShared is true, Amazon Cognito will include user data in the events it publishes to Amazon Pinpoint analytics.",
"ExternalId" : "The external ID.",
"ApplicationId" : "The application ID for an Amazon Pinpoint application.",
"RoleArn" : "The ARN of an IAM role that authorizes Amazon Cognito to publish events to Amazon Pinpoint analytics."
},
"CallbackURLs" : [ "string" ],
"AllowedOAuthScopes" : [ "string" ],
"ReadAttributes" : [ "string" ],
"DefaultRedirectURI" : "The default redirect URI. Must be in the CallbackURLs list. \nA redirect URI must: \n Be an absolute URI. \n Be registered with the authorization server. \n Not include a fragment component. \nSee OAuth 2.0 - Redirection Endpoint. \nAmazon Cognito requires HTTPS over HTTP except for http://localhost for testing purposes only. \nApp callback URLs such as myapp://example are also supported.",
"AllowedOAuthFlowsUserPoolClient" : "Set to TRUE if the client is allowed to follow the OAuth protocol when interacting with Cognito user pools.",
"SupportedIdentityProviders" : [ "string" ],
"ClientName" : "The client name from the update user pool client request.",
"UserPoolId" : "The user pool ID for the user pool where you want to update the user pool client.",
"AllowedOAuthFlows" : [ "string. Possible values: code | implicit | client_credentials" ],
"ExplicitAuthFlows" : [ "string. Possible values: ADMIN_NO_SRP_AUTH | CUSTOM_AUTH_FLOW_ONLY | USER_PASSWORD_AUTH" ],
"ClientId" : "The ID of the client associated with the user pool.",
"LogoutURLs" : [ "string" ],
"RefreshTokenValidity" : "The time limit, in days, after which the refresh token is no longer valid and cannot be used.",
"WriteAttributes" : [ "string" ]
}

update_user_pool_domain

Updates the Secure Sockets Layer (SSL) certificate for the custom domain for your user pool.
You can use this operation to provide the Amazon Resource Name (ARN) of a new certificate to Amazon Cognito. You cannot use it to change the domain for a user pool.
A custom domain is used to host the Amazon Cognito hosted UI, which provides sign-up and sign-in pages for your application. When you set up a custom domain, you provide a certificate that you manage with AWS Certificate Manager (ACM). When necessary, you can use this operation to change the certificate that you applied to your custom domain.
Usually, this is unnecessary following routine certificate renewal with ACM. When you renew your existing certificate in ACM, the ARN for your certificate remains the same, and your custom domain uses the new certificate automatically.
However, if you replace your existing certificate with a new one, ACM gives the new certificate a new ARN. To apply the new certificate to your custom domain, you must provide this ARN to Amazon Cognito.
When you add your new certificate in ACM, you must choose US East (N. Virginia) as the AWS Region.
After you submit your request, Amazon Cognito requires up to 1 hour to distribute your new certificate to your custom domain.
For more information about adding a custom domain to your user pool, see Using Your Own Domain for the Hosted UI.

Parameters

$body

The UpdateUserPoolDomain request input.

Type: object

{
"UserPoolId" : "The ID of the user pool that is associated with the custom domain that you are updating the certificate for.",
"CustomDomainConfig" : {
"CertificateArn" : "The Amazon Resource Name (ARN) of an AWS Certificate Manager SSL certificate. You use this certificate for the subdomain of your custom domain."
},
"Domain" : "The domain name for the custom domain that hosts the sign-up and sign-in pages for your application. For example: auth.example.com. \nThis string can include only lowercase letters, numbers, and hyphens. Do not use a hyphen for the first or last character. Use periods to separate subdomain names."
}

verify_software_token

Use this API to register a user's entered TOTP code and mark the user's software token MFA status as "verified" if successful. The request takes an access token or a session string, but not both.

Parameters

$body

Type: object

{
"AccessToken" : "The access token.",
"UserCode" : "The one time password computed using the secret code returned by ",
"FriendlyDeviceName" : "The friendly device name.",
"Session" : "The session which should be passed both ways in challenge-response calls to the service."
}

verify_user_attribute

Verifies the specified user attributes in the user pool.

Parameters

$body

Represents the request to verify user attributes.

Type: object

{
"AccessToken" : "Represents the access token of the request to verify user attributes.",
"AttributeName" : "The attribute name in the request to verify user attributes.",
"Code" : "The verification code in the request to verify user attributes."
}