amazonaws.com – cognito-idp

OpenAPI apis-guru cloud

Using the Amazon Cognito user pools API, you can create a user pool to manage directories and users. You can authenticate a user to obtain tokens related to user identity and access policies.

This API reference provides information about user pools in Amazon Cognito user pools.

For more information, see the .

Homepage: https://api.apis.guru/v2/specs/amazonaws.com:cognito-idp/2016-04-18.json
Provider: amazonaws.com:cognito-idp / cognito-idp
OpenAPI version: 3.0.0
Spec (JSON): https://api.apis.guru/v2/specs/amazonaws.com/cognito-idp/2016-04-18/openapi.json
Spec (YAML): https://api.apis.guru/v2/specs/amazonaws.com/cognito-idp/2016-04-18/openapi.yaml

Tools (103)

Extracted live via the executor SDK.

xAmzTargetAwsCognitoIdentityProviderServiceAddCustomAttributes.addCustomAttributes

Adds additional user attributes to the user pool schema.
xAmzTargetAwsCognitoIdentityProviderServiceAdminAddUserToGroup.adminAddUserToGroup

Adds the specified user to the specified group.

Calling this action requires developer credentials.
xAmzTargetAwsCognitoIdentityProviderServiceAdminConfirmSignUp.adminConfirmSignUp

Confirms user registration as an admin without using a confirmation code. Works on any user.

Calling this action requires developer credentials.
xAmzTargetAwsCognitoIdentityProviderServiceAdminCreateUser.adminCreateUser

Creates a new user in the specified user pool.

If MessageAction isn't set, the default is to send a welcome message via email or phone (SMS).

This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers require you to register an origination phone number before you can send SMS messages to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a phone number with . Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must receive SMS messages might not be able to sign up, activate their accounts, or sign in.

If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Service, Amazon Simple Notification Service might place your account in the SMS sandbox. In , you can send messages only to verified phone numbers. After you test your app while in the sandbox environment, you can move out of the sandbox and into production. For more information, see in the Amazon Cognito Developer Guide.

This message is based on a template that you configured in your call to create or update a user pool. This template includes your custom sign-up instructions and placeholders for user name and temporary password.

Alternatively, you can call AdminCreateUser with SUPPRESS for the MessageAction parameter, and Amazon Cognito won't send any email.

In either case, the user will be in the FORCE_CHANGE_PASSWORD state until they sign in and change their password.

AdminCreateUser requires developer credentials.
xAmzTargetAwsCognitoIdentityProviderServiceAdminDeleteUser.adminDeleteUser

Deletes a user as an administrator. Works on any user.

Calling this action requires developer credentials.
xAmzTargetAwsCognitoIdentityProviderServiceAdminDeleteUserAttributes.adminDeleteUserAttributes

Deletes the user attributes in a user pool as an administrator. Works on any user.

Calling this action requires developer credentials.
xAmzTargetAwsCognitoIdentityProviderServiceAdminDisableProviderForUser.adminDisableProviderForUser

Prevents the user from signing in with the specified external (SAML or social) identity provider (IdP). If the user that you want to deactivate is a Amazon Cognito user pools native username + password user, they can't use their password to sign in. If the user to deactivate is a linked external IdP user, any link between that user and an existing user is removed. When the external user signs in again, and the user is no longer attached to the previously linked DestinationUser, the user must create a new user account. See .

This action is enabled only for admin access and requires developer credentials.

The ProviderName must match the value specified when creating an IdP for the pool.

To deactivate a native username + password user, the ProviderName value must be Cognito and the ProviderAttributeName must be Cognito_Subject. The ProviderAttributeValue must be the name that is used in the user pool for the user.

The ProviderAttributeName must always be Cognito_Subject for social IdPs. The ProviderAttributeValue must always be the exact subject that was used when the user was originally linked as a source user.

For de-linking a SAML identity, there are two scenarios. If the linked identity has not yet been used to sign in, the ProviderAttributeName and ProviderAttributeValue must be the same values that were used for the SourceUser when the identities were originally linked using AdminLinkProviderForUser call. (If the linking was done with ProviderAttributeName set to Cognito_Subject, the same applies here). However, if the user has already signed in, the ProviderAttributeName must be Cognito_Subject and ProviderAttributeValue must be the subject of the SAML assertion.
xAmzTargetAwsCognitoIdentityProviderServiceAdminDisableUser.adminDisableUser

Deactivates a user and revokes all access tokens for the user. A deactivated user can't sign in, but still appears in the responses to GetUser and ListUsers API requests.

You must make this API request with Amazon Web Services credentials that have cognito-idp:AdminDisableUser permissions.
xAmzTargetAwsCognitoIdentityProviderServiceAdminEnableUser.adminEnableUser

Enables the specified user as an administrator. Works on any user.

Calling this action requires developer credentials.
xAmzTargetAwsCognitoIdentityProviderServiceAdminForgetDevice.adminForgetDevice

Forgets the device, as an administrator.

Calling this action requires developer credentials.
xAmzTargetAwsCognitoIdentityProviderServiceAdminGetDevice.adminGetDevice

Gets the device, as an administrator.

Calling this action requires developer credentials.
xAmzTargetAwsCognitoIdentityProviderServiceAdminGetUser.adminGetUser

Gets the specified user by user name in a user pool as an administrator. Works on any user.

Calling this action requires developer credentials.
xAmzTargetAwsCognitoIdentityProviderServiceAdminInitiateAuth.adminInitiateAuth

Initiates the authentication flow, as an administrator.

This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers require you to register an origination phone number before you can send SMS messages to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a phone number with . Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must receive SMS messages might not be able to sign up, activate their accounts, or sign in.

If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Service, Amazon Simple Notification Service might place your account in the SMS sandbox. In , you can send messages only to verified phone numbers. After you test your app while in the sandbox environment, you can move out of the sandbox and into production. For more information, see in the Amazon Cognito Developer Guide.

Calling this action requires developer credentials.
xAmzTargetAwsCognitoIdentityProviderServiceAdminLinkProviderForUser.adminLinkProviderForUser

Links an existing user account in a user pool (DestinationUser) to an identity from an external IdP (SourceUser) based on a specified attribute name and value from the external IdP. This allows you to create a link from the existing user account to an external federated user identity that has not yet been used to sign in. You can then use the federated user identity to sign in as the existing user account.

For example, if there is an existing user with a username and password, this API links that user to a federated user identity. When the user signs in with a federated user identity, they sign in as the existing user account.

The maximum number of federated identities linked to a user is five.

Because this API allows a user with an external federated identity to sign in as an existing user in the user pool, it is critical that it only be used with external IdPs and provider attributes that have been trusted by the application owner.

This action is administrative and requires developer credentials.
xAmzTargetAwsCognitoIdentityProviderServiceAdminListDevices.adminListDevices

Lists devices, as an administrator.

Calling this action requires developer credentials.
xAmzTargetAwsCognitoIdentityProviderServiceAdminListGroupsForUser.adminListGroupsForUser

Lists the groups that the user belongs to.

Calling this action requires developer credentials.
xAmzTargetAwsCognitoIdentityProviderServiceAdminListUserAuthEvents.adminListUserAuthEvents

A history of user activity and any risks detected as part of Amazon Cognito advanced security.
xAmzTargetAwsCognitoIdentityProviderServiceAdminRemoveUserFromGroup.adminRemoveUserFromGroup

Removes the specified user from the specified group.

Calling this action requires developer credentials.
xAmzTargetAwsCognitoIdentityProviderServiceAdminResetUserPassword.adminResetUserPassword

Resets the specified user's password in a user pool as an administrator. Works on any user.

When a developer calls this API, the current password is invalidated, so it must be changed. If a user tries to sign in after the API is called, the app will get a PasswordResetRequiredException exception back and should direct the user down the flow to reset the password, which is the same as the forgot password flow. In addition, if the user pool has phone verification selected and a verified phone number exists for the user, or if email verification is selected and a verified email exists for the user, calling this API will also result in sending a message to the end user with the code to change their password.

This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers require you to register an origination phone number before you can send SMS messages to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a phone number with . Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must receive SMS messages might not be able to sign up, activate their accounts, or sign in.

If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Service, Amazon Simple Notification Service might place your account in the SMS sandbox. In , you can send messages only to verified phone numbers. After you test your app while in the sandbox environment, you can move out of the sandbox and into production. For more information, see in the Amazon Cognito Developer Guide.

Calling this action requires developer credentials.
xAmzTargetAwsCognitoIdentityProviderServiceAdminRespondToAuthChallenge.adminRespondToAuthChallenge

Responds to an authentication challenge, as an administrator.

This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers require you to register an origination phone number before you can send SMS messages to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a phone number with . Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must receive SMS messages might not be able to sign up, activate their accounts, or sign in.

If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Service, Amazon Simple Notification Service might place your account in the SMS sandbox. In , you can send messages only to verified phone numbers. After you test your app while in the sandbox environment, you can move out of the sandbox and into production. For more information, see in the Amazon Cognito Developer Guide.

Calling this action requires developer credentials.
xAmzTargetAwsCognitoIdentityProviderServiceAdminSetUserMfaPreference.adminSetUserMfaPreference

The user's multi-factor authentication (MFA) preference, including which MFA options are activated, and if any are preferred. Only one factor can be set as preferred. The preferred MFA factor will be used to authenticate a user if multiple factors are activated. If multiple options are activated and no preference is set, a challenge to choose an MFA option will be returned during sign-in.
xAmzTargetAwsCognitoIdentityProviderServiceAdminSetUserPassword.adminSetUserPassword

Sets the specified user's password in a user pool as an administrator. Works on any user.

The password can be temporary or permanent. If it is temporary, the user status enters the FORCE_CHANGE_PASSWORD state. When the user next tries to sign in, the InitiateAuth/AdminInitiateAuth response will contain the NEW_PASSWORD_REQUIRED challenge. If the user doesn't sign in before it expires, the user won't be able to sign in, and an administrator must reset their password.

Once the user has set a new password, or the password is permanent, the user status is set to Confirmed.
xAmzTargetAwsCognitoIdentityProviderServiceAdminSetUserSettings.adminSetUserSettings

This action is no longer supported. You can use it to configure only SMS MFA. You can't use it to configure time-based one-time password (TOTP) software token MFA. To configure either type of MFA, use instead.
xAmzTargetAwsCognitoIdentityProviderServiceAdminUpdateAuthEventFeedback.adminUpdateAuthEventFeedback

Provides feedback for an authentication event indicating if it was from a valid user. This feedback is used for improving the risk evaluation decision for the user pool as part of Amazon Cognito advanced security.
xAmzTargetAwsCognitoIdentityProviderServiceAdminUpdateDeviceStatus.adminUpdateDeviceStatus

Updates the device status as an administrator.

Calling this action requires developer credentials.
xAmzTargetAwsCognitoIdentityProviderServiceAdminUpdateUserAttributes.adminUpdateUserAttributes

Updates the specified user's attributes, including developer attributes, as an administrator. Works on any user.

For custom attributes, you must prepend the custom: prefix to the attribute name.

In addition to updating user attributes, this API can also be used to mark phone and email as verified.

This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers require you to register an origination phone number before you can send SMS messages to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a phone number with . Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must receive SMS messages might not be able to sign up, activate their accounts, or sign in.

If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Service, Amazon Simple Notification Service might place your account in the SMS sandbox. In , you can send messages only to verified phone numbers. After you test your app while in the sandbox environment, you can move out of the sandbox and into production. For more information, see in the Amazon Cognito Developer Guide.

Calling this action requires developer credentials.
xAmzTargetAwsCognitoIdentityProviderServiceAdminUserGlobalSignOut.adminUserGlobalSignOut

Signs out a user from all devices. You must sign AdminUserGlobalSignOut requests with Amazon Web Services credentials. It also invalidates all refresh tokens that Amazon Cognito has issued to a user. The user's current access and ID tokens remain valid until they expire. By default, access and ID tokens expire one hour after they're issued. A user can still use a hosted UI cookie to retrieve new tokens for the duration of the cookie validity period of 1 hour.

Calling this action requires developer credentials.
xAmzTargetAwsCognitoIdentityProviderServiceAssociateSoftwareToken.associateSoftwareToken

Begins setup of time-based one-time password (TOTP) multi-factor authentication (MFA) for a user, with a unique private key that Amazon Cognito generates and returns in the API response. You can authorize an AssociateSoftwareToken request with either the user's access token, or a session string from a challenge response that you received from Amazon Cognito.

Amazon Cognito disassociates an existing software token when you verify the new token in a API request. If you don't verify the software token and your user pool doesn't require MFA, the user can then authenticate with user name and password credentials alone. If your user pool requires TOTP MFA, Amazon Cognito generates an MFA_SETUP or SOFTWARE_TOKEN_SETUP challenge each time your user signs. Complete setup with AssociateSoftwareToken and VerifySoftwareToken.

After you set up software token MFA for your user, Amazon Cognito generates a SOFTWARE_TOKEN_MFA challenge when they authenticate. Respond to this challenge with your user's TOTP.
xAmzTargetAwsCognitoIdentityProviderServiceChangePassword.changePassword

Changes the password for a specified user in a user pool.
xAmzTargetAwsCognitoIdentityProviderServiceConfirmDevice.confirmDevice

Confirms tracking of the device. This API call is the call that begins device tracking.
xAmzTargetAwsCognitoIdentityProviderServiceConfirmForgotPassword.confirmForgotPassword

Allows a user to enter a confirmation code to reset a forgotten password.
xAmzTargetAwsCognitoIdentityProviderServiceConfirmSignUp.confirmSignUp

Confirms registration of a new user.
xAmzTargetAwsCognitoIdentityProviderServiceCreateGroup.createGroup

Creates a new group in the specified user pool.

Calling this action requires developer credentials.
xAmzTargetAwsCognitoIdentityProviderServiceCreateIdentityProvider.createIdentityProvider

Creates an IdP for a user pool.
xAmzTargetAwsCognitoIdentityProviderServiceCreateResourceServer.createResourceServer

Creates a new OAuth2.0 resource server and defines custom scopes within it.
xAmzTargetAwsCognitoIdentityProviderServiceCreateUserImportJob.createUserImportJob

Creates the user import job.
xAmzTargetAwsCognitoIdentityProviderServiceCreateUserPool.createUserPool

Creates a new Amazon Cognito user pool and sets the password policy for the pool.

This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers require you to register an origination phone number before you can send SMS messages to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a phone number with . Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must receive SMS messages might not be able to sign up, activate their accounts, or sign in.

If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Service, Amazon Simple Notification Service might place your account in the SMS sandbox. In , you can send messages only to verified phone numbers. After you test your app while in the sandbox environment, you can move out of the sandbox and into production. For more information, see in the Amazon Cognito Developer Guide.
xAmzTargetAwsCognitoIdentityProviderServiceCreateUserPoolClient.createUserPoolClient

Creates the user pool client.

When you create a new user pool client, token revocation is automatically activated. For more information about revoking tokens, see .
xAmzTargetAwsCognitoIdentityProviderServiceCreateUserPoolDomain.createUserPoolDomain

Creates a new domain for a user pool.
xAmzTargetAwsCognitoIdentityProviderServiceDeleteGroup.deleteGroup

Deletes a group.

Calling this action requires developer credentials.
xAmzTargetAwsCognitoIdentityProviderServiceDeleteIdentityProvider.deleteIdentityProvider

Deletes an IdP for a user pool.
xAmzTargetAwsCognitoIdentityProviderServiceDeleteResourceServer.deleteResourceServer

Deletes a resource server.
xAmzTargetAwsCognitoIdentityProviderServiceDeleteUser.deleteUser

Allows a user to delete himself or herself.
xAmzTargetAwsCognitoIdentityProviderServiceDeleteUserAttributes.deleteUserAttributes

Deletes the attributes for a user.
xAmzTargetAwsCognitoIdentityProviderServiceDeleteUserPool.deleteUserPool

Deletes the specified Amazon Cognito user pool.
xAmzTargetAwsCognitoIdentityProviderServiceDeleteUserPoolClient.deleteUserPoolClient

Allows the developer to delete the user pool client.
xAmzTargetAwsCognitoIdentityProviderServiceDeleteUserPoolDomain.deleteUserPoolDomain

Deletes a domain for a user pool.
xAmzTargetAwsCognitoIdentityProviderServiceDescribeIdentityProvider.describeIdentityProvider

Gets information about a specific IdP.
xAmzTargetAwsCognitoIdentityProviderServiceDescribeResourceServer.describeResourceServer

Describes a resource server.
xAmzTargetAwsCognitoIdentityProviderServiceDescribeRiskConfiguration.describeRiskConfiguration

Describes the risk configuration.
xAmzTargetAwsCognitoIdentityProviderServiceDescribeUserImportJob.describeUserImportJob

Describes the user import job.
xAmzTargetAwsCognitoIdentityProviderServiceDescribeUserPool.describeUserPool

Returns the configuration information and metadata of the specified user pool.
xAmzTargetAwsCognitoIdentityProviderServiceDescribeUserPoolClient.describeUserPoolClient

Client method for returning the configuration information and metadata of the specified user pool app client.
xAmzTargetAwsCognitoIdentityProviderServiceDescribeUserPoolDomain.describeUserPoolDomain

Gets information about a domain.
xAmzTargetAwsCognitoIdentityProviderServiceForgetDevice.forgetDevice

Forgets the specified device.
xAmzTargetAwsCognitoIdentityProviderServiceForgotPassword.forgotPassword

Calling this API causes a message to be sent to the end user with a confirmation code that is required to change the user's password. For the Username parameter, you can use the username or user alias. The method used to send the confirmation code is sent according to the specified AccountRecoverySetting. For more information, see in the Amazon Cognito Developer Guide. If neither a verified phone number nor a verified email exists, an InvalidParameterException is thrown. To use the confirmation code for resetting the password, call .

This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers require you to register an origination phone number before you can send SMS messages to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a phone number with . Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must receive SMS messages might not be able to sign up, activate their accounts, or sign in.

If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Service, Amazon Simple Notification Service might place your account in the SMS sandbox. In , you can send messages only to verified phone numbers. After you test your app while in the sandbox environment, you can move out of the sandbox and into production. For more information, see in the Amazon Cognito Developer Guide.
xAmzTargetAwsCognitoIdentityProviderServiceGetCsvHeader.getCsvHeader

Gets the header information for the comma-separated value (CSV) file to be used as input for the user import job.
xAmzTargetAwsCognitoIdentityProviderServiceGetDevice.getDevice

Gets the device.
xAmzTargetAwsCognitoIdentityProviderServiceGetGroup.getGroup

Gets a group.

Calling this action requires developer credentials.
xAmzTargetAwsCognitoIdentityProviderServiceGetIdentityProviderByIdentifier.getIdentityProviderByIdentifier

Gets the specified IdP.
xAmzTargetAwsCognitoIdentityProviderServiceGetSigningCertificate.getSigningCertificate

This method takes a user pool ID, and returns the signing certificate. The issued certificate is valid for 10 years from the date of issue.

Amazon Cognito issues and assigns a new signing certificate annually. This process returns a new value in the response to GetSigningCertificate, but doesn't invalidate the original certificate.
xAmzTargetAwsCognitoIdentityProviderServiceGetUiCustomization.getUiCustomization

Gets the user interface (UI) Customization information for a particular app client's app UI, if any such information exists for the client. If nothing is set for the particular client, but there is an existing pool level customization (the app clientId is ALL), then that information is returned. If nothing is present, then an empty shape is returned.
xAmzTargetAwsCognitoIdentityProviderServiceGetUser.getUser

Gets the user attributes and metadata for a user.
xAmzTargetAwsCognitoIdentityProviderServiceGetUserAttributeVerificationCode.getUserAttributeVerificationCode

Generates a user attribute verification code for the specified attribute name. Sends a message to a user with a code that they must return in a VerifyUserAttribute request.

This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers require you to register an origination phone number before you can send SMS messages to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a phone number with . Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must receive SMS messages might not be able to sign up, activate their accounts, or sign in.

If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Service, Amazon Simple Notification Service might place your account in the SMS sandbox. In , you can send messages only to verified phone numbers. After you test your app while in the sandbox environment, you can move out of the sandbox and into production. For more information, see in the Amazon Cognito Developer Guide.
xAmzTargetAwsCognitoIdentityProviderServiceGetUserPoolMfaConfig.getUserPoolMfaConfig

Gets the user pool multi-factor authentication (MFA) configuration.
xAmzTargetAwsCognitoIdentityProviderServiceGlobalSignOut.globalSignOut

Signs out users from all devices. It also invalidates all refresh tokens that Amazon Cognito has issued to a user. A user can still use a hosted UI cookie to retrieve new tokens for the duration of the 1-hour cookie validity period.
xAmzTargetAwsCognitoIdentityProviderServiceInitiateAuth.initiateAuth

Initiates sign-in for a user in the Amazon Cognito user directory. You can't sign in a user with a federated IdP with InitiateAuth. For more information, see .

This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers require you to register an origination phone number before you can send SMS messages to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a phone number with . Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must receive SMS messages might not be able to sign up, activate their accounts, or sign in.

If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Service, Amazon Simple Notification Service might place your account in the SMS sandbox. In , you can send messages only to verified phone numbers. After you test your app while in the sandbox environment, you can move out of the sandbox and into production. For more information, see in the Amazon Cognito Developer Guide.
xAmzTargetAwsCognitoIdentityProviderServiceListDevices.listDevices

Lists the sign-in devices that Amazon Cognito has registered to the current user.
xAmzTargetAwsCognitoIdentityProviderServiceListGroups.listGroups

Lists the groups associated with a user pool.

Calling this action requires developer credentials.
xAmzTargetAwsCognitoIdentityProviderServiceListIdentityProviders.listIdentityProviders

Lists information about all IdPs for a user pool.
xAmzTargetAwsCognitoIdentityProviderServiceListResourceServers.listResourceServers

Lists the resource servers for a user pool.
xAmzTargetAwsCognitoIdentityProviderServiceListTagsForResource.listTagsForResource

Lists the tags that are assigned to an Amazon Cognito user pool.

A tag is a label that you can apply to user pools to categorize and manage them in different ways, such as by purpose, owner, environment, or other criteria.

You can use this action up to 10 times per second, per account.
xAmzTargetAwsCognitoIdentityProviderServiceListUserImportJobs.listUserImportJobs

Lists the user import jobs.
xAmzTargetAwsCognitoIdentityProviderServiceListUserPoolClients.listUserPoolClients

Lists the clients that have been created for the specified user pool.
xAmzTargetAwsCognitoIdentityProviderServiceListUserPools.listUserPools

Lists the user pools associated with an Amazon Web Services account.
xAmzTargetAwsCognitoIdentityProviderServiceListUsers.listUsers

Lists the users in the Amazon Cognito user pool.
xAmzTargetAwsCognitoIdentityProviderServiceListUsersInGroup.listUsersInGroup

Lists the users in the specified group.

Calling this action requires developer credentials.
xAmzTargetAwsCognitoIdentityProviderServiceResendConfirmationCode.resendConfirmationCode

Resends the confirmation (for confirmation of registration) to a specific user in the user pool.

This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers require you to register an origination phone number before you can send SMS messages to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a phone number with . Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must receive SMS messages might not be able to sign up, activate their accounts, or sign in.

If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Service, Amazon Simple Notification Service might place your account in the SMS sandbox. In , you can send messages only to verified phone numbers. After you test your app while in the sandbox environment, you can move out of the sandbox and into production. For more information, see in the Amazon Cognito Developer Guide.
xAmzTargetAwsCognitoIdentityProviderServiceRespondToAuthChallenge.respondToAuthChallenge

Responds to the authentication challenge.

This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers require you to register an origination phone number before you can send SMS messages to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a phone number with . Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must receive SMS messages might not be able to sign up, activate their accounts, or sign in.

If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Service, Amazon Simple Notification Service might place your account in the SMS sandbox. In , you can send messages only to verified phone numbers. After you test your app while in the sandbox environment, you can move out of the sandbox and into production. For more information, see in the Amazon Cognito Developer Guide.
xAmzTargetAwsCognitoIdentityProviderServiceRevokeToken.revokeToken

Revokes all of the access tokens generated by, and at the same time as, the specified refresh token. After a token is revoked, you can't use the revoked token to access Amazon Cognito user APIs, or to authorize access to your resource server.
xAmzTargetAwsCognitoIdentityProviderServiceSetRiskConfiguration.setRiskConfiguration

Configures actions on detected risks. To delete the risk configuration for UserPoolId or ClientId, pass null values for all four configuration types.

To activate Amazon Cognito advanced security features, update the user pool to include the UserPoolAddOns keyAdvancedSecurityMode.
xAmzTargetAwsCognitoIdentityProviderServiceSetUiCustomization.setUiCustomization

Sets the user interface (UI) customization information for a user pool's built-in app UI.

You can specify app UI customization settings for a single client (with a specific clientId) or for all clients (by setting the clientId to ALL). If you specify ALL, the default configuration is used for every client that has no previously set UI customization. If you specify UI customization settings for a particular client, it will no longer return to the ALL configuration.

To use this API, your user pool must have a domain associated with it. Otherwise, there is no place to host the app's pages, and the service will throw an error.
xAmzTargetAwsCognitoIdentityProviderServiceSetUserMfaPreference.setUserMfaPreference

Set the user's multi-factor authentication (MFA) method preference, including which MFA factors are activated and if any are preferred. Only one factor can be set as preferred. The preferred MFA factor will be used to authenticate a user if multiple factors are activated. If multiple options are activated and no preference is set, a challenge to choose an MFA option will be returned during sign-in. If an MFA type is activated for a user, the user will be prompted for MFA during all sign-in attempts unless device tracking is turned on and the device has been trusted. If you want MFA to be applied selectively based on the assessed risk level of sign-in attempts, deactivate MFA for users and turn on Adaptive Authentication for the user pool.
xAmzTargetAwsCognitoIdentityProviderServiceSetUserPoolMfaConfig.setUserPoolMfaConfig

Sets the user pool multi-factor authentication (MFA) configuration.

This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers require you to register an origination phone number before you can send SMS messages to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a phone number with . Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must receive SMS messages might not be able to sign up, activate their accounts, or sign in.

If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Service, Amazon Simple Notification Service might place your account in the SMS sandbox. In , you can send messages only to verified phone numbers. After you test your app while in the sandbox environment, you can move out of the sandbox and into production. For more information, see in the Amazon Cognito Developer Guide.
xAmzTargetAwsCognitoIdentityProviderServiceSetUserSettings.setUserSettings

This action is no longer supported. You can use it to configure only SMS MFA. You can't use it to configure time-based one-time password (TOTP) software token MFA. To configure either type of MFA, use instead.
xAmzTargetAwsCognitoIdentityProviderServiceSignUp.signUp

Registers the user in the specified user pool and creates a user name, password, and user attributes.

This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers require you to register an origination phone number before you can send SMS messages to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a phone number with . Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must receive SMS messages might not be able to sign up, activate their accounts, or sign in.

If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Service, Amazon Simple Notification Service might place your account in the SMS sandbox. In , you can send messages only to verified phone numbers. After you test your app while in the sandbox environment, you can move out of the sandbox and into production. For more information, see in the Amazon Cognito Developer Guide.
xAmzTargetAwsCognitoIdentityProviderServiceStartUserImportJob.startUserImportJob

Starts the user import.
xAmzTargetAwsCognitoIdentityProviderServiceStopUserImportJob.stopUserImportJob

Stops the user import job.
xAmzTargetAwsCognitoIdentityProviderServiceTagResource.tagResource

Assigns a set of tags to an Amazon Cognito user pool. A tag is a label that you can use to categorize and manage user pools in different ways, such as by purpose, owner, environment, or other criteria.

Each tag consists of a key and value, both of which you define. A key is a general category for more specific values. For example, if you have two versions of a user pool, one for testing and another for production, you might assign an Environment tag key to both user pools. The value of this key might be Test for one user pool, and Production for the other.

Tags are useful for cost tracking and access control. You can activate your tags so that they appear on the Billing and Cost Management console, where you can track the costs associated with your user pools. In an Identity and Access Management policy, you can constrain permissions for user pools based on specific tags or tag values.

You can use this action up to 5 times per second, per account. A user pool can have as many as 50 tags.
xAmzTargetAwsCognitoIdentityProviderServiceUntagResource.untagResource

Removes the specified tags from an Amazon Cognito user pool. You can use this action up to 5 times per second, per account.
xAmzTargetAwsCognitoIdentityProviderServiceUpdateAuthEventFeedback.updateAuthEventFeedback

Provides the feedback for an authentication event, whether it was from a valid user or not. This feedback is used for improving the risk evaluation decision for the user pool as part of Amazon Cognito advanced security.
xAmzTargetAwsCognitoIdentityProviderServiceUpdateDeviceStatus.updateDeviceStatus

Updates the device status.
xAmzTargetAwsCognitoIdentityProviderServiceUpdateGroup.updateGroup

Updates the specified group with the specified attributes.

Calling this action requires developer credentials.
xAmzTargetAwsCognitoIdentityProviderServiceUpdateIdentityProvider.updateIdentityProvider

Updates IdP information for a user pool.
xAmzTargetAwsCognitoIdentityProviderServiceUpdateResourceServer.updateResourceServer

Updates the name and scopes of resource server. All other fields are read-only.

If you don't provide a value for an attribute, it is set to the default value.
xAmzTargetAwsCognitoIdentityProviderServiceUpdateUserAttributes.updateUserAttributes

Allows a user to update a specific attribute (one at a time).

This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers require you to register an origination phone number before you can send SMS messages to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a phone number with . Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must receive SMS messages might not be able to sign up, activate their accounts, or sign in.

If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Service, Amazon Simple Notification Service might place your account in the SMS sandbox. In , you can send messages only to verified phone numbers. After you test your app while in the sandbox environment, you can move out of the sandbox and into production. For more information, see in the Amazon Cognito Developer Guide.
xAmzTargetAwsCognitoIdentityProviderServiceUpdateUserPool.updateUserPool

Updates the specified user pool with the specified attributes. You can get a list of the current user pool settings using . If you don't provide a value for an attribute, it will be set to the default value.

This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers require you to register an origination phone number before you can send SMS messages to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a phone number with . Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must receive SMS messages might not be able to sign up, activate their accounts, or sign in.

If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Service, Amazon Simple Notification Service might place your account in the SMS sandbox. In , you can send messages only to verified phone numbers. After you test your app while in the sandbox environment, you can move out of the sandbox and into production. For more information, see in the Amazon Cognito Developer Guide.
xAmzTargetAwsCognitoIdentityProviderServiceUpdateUserPoolClient.updateUserPoolClient

Updates the specified user pool app client with the specified attributes. You can get a list of the current user pool app client settings using .

If you don't provide a value for an attribute, it will be set to the default value.

You can also use this operation to enable token revocation for user pool clients. For more information about revoking tokens, see .
xAmzTargetAwsCognitoIdentityProviderServiceUpdateUserPoolDomain.updateUserPoolDomain

Updates the Secure Sockets Layer (SSL) certificate for the custom domain for your user pool.

You can use this operation to provide the Amazon Resource Name (ARN) of a new certificate to Amazon Cognito. You can't use it to change the domain for a user pool.

A custom domain is used to host the Amazon Cognito hosted UI, which provides sign-up and sign-in pages for your application. When you set up a custom domain, you provide a certificate that you manage with Certificate Manager (ACM). When necessary, you can use this operation to change the certificate that you applied to your custom domain.

Usually, this is unnecessary following routine certificate renewal with ACM. When you renew your existing certificate in ACM, the ARN for your certificate remains the same, and your custom domain uses the new certificate automatically.

However, if you replace your existing certificate with a new one, ACM gives the new certificate a new ARN. To apply the new certificate to your custom domain, you must provide this ARN to Amazon Cognito.

When you add your new certificate in ACM, you must choose US East (N. Virginia) as the Amazon Web Services Region.

After you submit your request, Amazon Cognito requires up to 1 hour to distribute your new certificate to your custom domain.

For more information about adding a custom domain to your user pool, see .
xAmzTargetAwsCognitoIdentityProviderServiceVerifySoftwareToken.verifySoftwareToken

Use this API to register a user's entered time-based one-time password (TOTP) code and mark the user's software token MFA status as "verified" if successful. The request takes an access token or a session string, but not both.
xAmzTargetAwsCognitoIdentityProviderServiceVerifyUserAttribute.verifyUserAttribute

Verifies the specified user attributes in the user pool.

If your user pool requires verification before Amazon Cognito updates the attribute value, VerifyUserAttribute updates the affected attribute to its pending value. For more information, see .
openapi.previewSpec

Preview an OpenAPI document before adding it as a source
openapi.addSource

Add an OpenAPI source and register its operations as tools