View Source aws_cognito_identity_provider (aws v1.0.4)

With the Amazon Cognito user pools API, you can configure user pools and authenticate users.

To authenticate users from third-party identity providers (IdPs) in this API, you can link IdP users to native user profiles: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-identity-federation-consolidate-users.html. Learn more about the authentication and authorization of federated users at Adding user pool sign-in through a third party: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-identity-federation.html and in the User pool federation endpoints and hosted UI reference: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-userpools-server-contract-reference.html.

This API reference provides detailed information about API operations and object types in Amazon Cognito.

Along with resource management operations, the Amazon Cognito user pools API includes classes of operations and authorization models for client-side and server-side authentication of users. You can interact with operations in the Amazon Cognito user pools API as any of the following subjects.

  1. An administrator who wants to configure user pools, app clients, users, groups, or other user pool functions.

  2. A server-side app, like a web application, that wants to use its Amazon Web Services privileges to manage, authenticate, or authorize a user.

  3. A client-side app, like a mobile app, that wants to make unauthenticated requests to manage, authenticate, or authorize a user.

For more information, see Using the Amazon Cognito user pools API and user pool endpoints: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html in the Amazon Cognito Developer Guide.

With your Amazon Web Services SDK, you can build the logic to support operational flows in every use case for this API. You can also make direct REST API requests to Amazon Cognito user pools service endpoints: https://docs.aws.amazon.com/general/latest/gr/cognito_identity.html#cognito_identity_your_user_pools_region. The following links can get you started with the CognitoIdentityProvider client in other supported Amazon Web Services SDKs.

  • Amazon Web Services Command Line Interface: https://docs.aws.amazon.com/cli/latest/reference/cognito-idp/index.html#cli-aws-cognito-idp

  • Amazon Web Services SDK for .NET: https://docs.aws.amazon.com/sdkfornet/v3/apidocs/items/CognitoIdentityProvider/TCognitoIdentityProviderClient.html

  • Amazon Web Services SDK for C++: https://sdk.amazonaws.com/cpp/api/LATEST/aws-cpp-sdk-cognito-idp/html/class_aws_1_1_cognito_identity_provider_1_1_cognito_identity_provider_client.html

  • Amazon Web Services SDK for Go: https://docs.aws.amazon.com/sdk-for-go/api/service/cognitoidentityprovider/#CognitoIdentityProvider

  • Amazon Web Services SDK for Java V2: https://sdk.amazonaws.com/java/api/latest/software/amazon/awssdk/services/cognitoidentityprovider/CognitoIdentityProviderClient.html

  • Amazon Web Services SDK for JavaScript: https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/CognitoIdentityServiceProvider.html

  • Amazon Web Services SDK for PHP V3: https://docs.aws.amazon.com/aws-sdk-php/v3/api/api-cognito-idp-2016-04-18.html

  • Amazon Web Services SDK for Python: https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/cognito-idp.html

  • Amazon Web Services SDK for Ruby V3: https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/CognitoIdentityProvider/Client.html

To get started with an Amazon Web Services SDK, see Tools to Build on Amazon Web Services: http://aws.amazon.com/developer/tools/. For example actions and scenarios, see Code examples for Amazon Cognito Identity Provider using Amazon Web Services SDKs: https://docs.aws.amazon.com/cognito/latest/developerguide/service_code_examples_cognito-identity-provider.html.

Summary

Functions

Adds additional user attributes to the user pool schema.

Adds a user to a group.

This IAM-authenticated API operation provides a code that Amazon Cognito sent to your user when they signed up in your user pool.

Creates a new user in the specified user pool.

Deletes a user as an administrator.

Deletes the user attributes in a user pool as an administrator.

Prevents the user from signing in with the specified external (SAML or social) identity provider (IdP).

Deactivates a user and revokes all access tokens for the user.

Enables the specified user as an administrator.

Forgets the device, as an administrator.

Gets the device, as an administrator.

Gets the specified user by user name in a user pool as an administrator.

Initiates the authentication flow, as an administrator.

Links an existing user account in a user pool (DestinationUser) to an identity from an external IdP (SourceUser) based on a specified attribute name and value from the external IdP.

Lists devices, as an administrator.

Lists the groups that a user belongs to.

A history of user activity and any risks detected as part of Amazon Cognito advanced security.

Removes the specified user from the specified group.

Resets the specified user's password in a user pool as an administrator.

Some API operations in a user pool generate a challenge, like a prompt for an MFA code, for device authentication that bypasses MFA, or for a custom authentication challenge.

The user's multi-factor authentication (MFA) preference, including which MFA options are activated, and if any are preferred.

Sets the specified user's password in a user pool as an administrator.

This action is no longer supported.

Provides feedback for an authentication event indicating if it was from a valid user.

Updates the device status as an administrator.

This action might generate an SMS text message.

Invalidates the identity, access, and refresh tokens that Amazon Cognito issued to a user.

Begins setup of time-based one-time password (TOTP) multi-factor authentication (MFA) for a user, with a unique private key that Amazon Cognito generates and returns in the API response.

Changes the password for a specified user in a user pool.

Confirms tracking of the device.

Allows a user to enter a confirmation code to reset a forgotten password.

This public API operation provides a code that Amazon Cognito sent to your user when they signed up in your user pool via the SignUp: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SignUp.html API operation.

Creates a new group in the specified user pool.

Adds a configuration and trust relationship between a third-party identity provider (IdP) and a user pool.

Creates a new OAuth2.0 resource server and defines custom scopes within it.

Creates a user import job.

This action might generate an SMS text message.

Creates the user pool client.

Creates a new domain for a user pool.

Deletes a group.

Deletes an IdP for a user pool.
Deletes a resource server.

Allows a user to delete their own user profile.

Deletes the attributes for a user.

Deletes the specified Amazon Cognito user pool.
Allows the developer to delete the user pool client.
Deletes a domain for a user pool.
Gets information about a specific IdP.
Describes a resource server.
Describes the risk configuration.
Describes the user import job.

Returns the configuration information and metadata of the specified user pool.

Client method for returning the configuration information and metadata of the specified user pool app client.

Gets information about a domain.

Forgets the specified device.

Calling this API causes a message to be sent to the end user with a confirmation code that is required to change the user's password.

Gets the header information for the comma-separated value (CSV) file to be used as input for the user import job.

Gets the device.

Gets a group.

Gets the detailed activity logging configuration for a user pool.

This method takes a user pool ID, and returns the signing certificate.

Gets the user interface (UI) Customization information for a particular app client's app UI, if any such information exists for the client.

Gets the user attributes and metadata for a user.

Generates a user attribute verification code for the specified attribute name.

Gets the user pool multi-factor authentication (MFA) configuration.

Invalidates the identity, access, and refresh tokens that Amazon Cognito issued to a user.

Initiates sign-in for a user in the Amazon Cognito user directory.

Lists the sign-in devices that Amazon Cognito has registered to the current user.

Lists the groups associated with a user pool.

Lists information about all IdPs for a user pool.

Lists the resource servers for a user pool.

Lists the tags that are assigned to an Amazon Cognito user pool.

Lists user import jobs for a user pool.

Lists the clients that have been created for the specified user pool.

Lists the user pools associated with an Amazon Web Services account.

Lists users and their basic details in a user pool.

Lists the users in the specified group.

Resends the confirmation (for confirmation of registration) to a specific user in the user pool.

Some API operations in a user pool generate a challenge, like a prompt for an MFA code, for device authentication that bypasses MFA, or for a custom authentication challenge.

Revokes all of the access tokens generated by, and at the same time as, the specified refresh token.

Sets up or modifies the detailed activity logging configuration of a user pool.

Configures actions on detected risks.

Sets the user interface (UI) customization information for a user pool's built-in app UI.

Set the user's multi-factor authentication (MFA) method preference, including which MFA factors are activated and if any are preferred.

Sets the user pool multi-factor authentication (MFA) configuration.

This action is no longer supported.

Registers the user in the specified user pool and creates a user name, password, and user attributes.

Starts the user import.
Stops the user import job.

Assigns a set of tags to an Amazon Cognito user pool.

Removes the specified tags from an Amazon Cognito user pool.

Provides the feedback for an authentication event, whether it was from a valid user or not.

Updates the device status.

Updates the specified group with the specified attributes.

Updates IdP information for a user pool.

Updates the name and scopes of resource server.

With this operation, your users can update one or more of their attributes with their own credentials.

This action might generate an SMS text message.

Updates the specified user pool app client with the specified attributes.

Updates the Secure Sockets Layer (SSL) certificate for the custom domain for your user pool.

Use this API to register a user's entered time-based one-time password (TOTP) code and mark the user's software token MFA status as "verified" if successful.

Verifies the specified user attributes in the user pool.

Functions

Link to this function

add_custom_attributes(Client, Input)

View Source

Adds additional user attributes to the user pool schema.

Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.

Learn more

Signing Amazon Web Services API Requests: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html

Using the Amazon Cognito user pools API and user pool endpoints: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
Link to this function

add_custom_attributes(Client, Input, Options)

View Source
Link to this function

admin_add_user_to_group(Client, Input)

View Source

Adds a user to a group.

A user who is in a group can present a preferred-role claim to an identity pool, and populates a cognito:groups claim to their access and identity tokens.

Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.

Learn more

Signing Amazon Web Services API Requests: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html

Using the Amazon Cognito user pools API and user pool endpoints: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
Link to this function

admin_add_user_to_group(Client, Input, Options)

View Source
Link to this function

admin_confirm_sign_up(Client, Input)

View Source

This IAM-authenticated API operation provides a code that Amazon Cognito sent to your user when they signed up in your user pool.

After your user enters their code, they confirm ownership of the email address or phone number that they provided, and their user account becomes active. Depending on your user pool configuration, your users will receive their confirmation code in an email or SMS message.

Local users who signed up in your user pool are the only type of user who can confirm sign-up with a code. Users who federate through an external identity provider (IdP) have already been confirmed by their IdP. Administrator-created users confirm their accounts when they respond to their invitation email message and choose a password.

Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.

Learn more

Signing Amazon Web Services API Requests: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html

Using the Amazon Cognito user pools API and user pool endpoints: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
Link to this function

admin_confirm_sign_up(Client, Input, Options)

View Source
Link to this function

admin_create_user(Client, Input)

View Source

Creates a new user in the specified user pool.

If MessageAction isn't set, the default is to send a welcome message via email or phone (SMS).

This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers require you to register an origination phone number before you can send SMS messages to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a phone number with Amazon Pinpoint: https://console.aws.amazon.com/pinpoint/home/. Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must receive SMS messages might not be able to sign up, activate their accounts, or sign in.

If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Service, Amazon Simple Notification Service might place your account in the SMS sandbox. In sandbox mode: https://docs.aws.amazon.com/sns/latest/dg/sns-sms-sandbox.html , you can send messages only to verified phone numbers. After you test your app while in the sandbox environment, you can move out of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-sms-settings.html in the Amazon Cognito Developer Guide.

This message is based on a template that you configured in your call to create or update a user pool. This template includes your custom sign-up instructions and placeholders for user name and temporary password.

Alternatively, you can call AdminCreateUser with SUPPRESS for the MessageAction parameter, and Amazon Cognito won't send any email.

In either case, the user will be in the FORCE_CHANGE_PASSWORD state until they sign in and change their password.

Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.

Learn more

Signing Amazon Web Services API Requests: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html

Using the Amazon Cognito user pools API and user pool endpoints: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
Link to this function

admin_create_user(Client, Input, Options)

View Source
Link to this function

admin_delete_user(Client, Input)

View Source

Deletes a user as an administrator.

Works on any user.

Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.

Learn more

Signing Amazon Web Services API Requests: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html

Using the Amazon Cognito user pools API and user pool endpoints: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
Link to this function

admin_delete_user(Client, Input, Options)

View Source
Link to this function

admin_delete_user_attributes(Client, Input)

View Source

Deletes the user attributes in a user pool as an administrator.

Works on any user.

Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.

Learn more

Signing Amazon Web Services API Requests: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html

Using the Amazon Cognito user pools API and user pool endpoints: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
Link to this function

admin_delete_user_attributes(Client, Input, Options)

View Source
Link to this function

admin_disable_provider_for_user(Client, Input)

View Source

Prevents the user from signing in with the specified external (SAML or social) identity provider (IdP).

If the user that you want to deactivate is a Amazon Cognito user pools native username + password user, they can't use their password to sign in. If the user to deactivate is a linked external IdP user, any link between that user and an existing user is removed. When the external user signs in again, and the user is no longer attached to the previously linked DestinationUser, the user must create a new user account. See AdminLinkProviderForUser: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminLinkProviderForUser.html.

The ProviderName must match the value specified when creating an IdP for the pool.

To deactivate a native username + password user, the ProviderName value must be Cognito and the ProviderAttributeName must be Cognito_Subject. The ProviderAttributeValue must be the name that is used in the user pool for the user.

The ProviderAttributeName must always be Cognito_Subject for social IdPs. The ProviderAttributeValue must always be the exact subject that was used when the user was originally linked as a source user.

For de-linking a SAML identity, there are two scenarios. If the linked identity has not yet been used to sign in, the ProviderAttributeName and ProviderAttributeValue must be the same values that were used for the SourceUser when the identities were originally linked using AdminLinkProviderForUser call. (If the linking was done with ProviderAttributeName set to Cognito_Subject, the same applies here). However, if the user has already signed in, the ProviderAttributeName must be Cognito_Subject and ProviderAttributeValue must be the subject of the SAML assertion.

Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.

Learn more

Signing Amazon Web Services API Requests: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html

Using the Amazon Cognito user pools API and user pool endpoints: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
Link to this function

admin_disable_provider_for_user(Client, Input, Options)

View Source
Link to this function

admin_disable_user(Client, Input)

View Source

Deactivates a user and revokes all access tokens for the user.

A deactivated user can't sign in, but still appears in the responses to GetUser and ListUsers API requests.

Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.

Learn more

Signing Amazon Web Services API Requests: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html

Using the Amazon Cognito user pools API and user pool endpoints: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
Link to this function

admin_disable_user(Client, Input, Options)

View Source
Link to this function

admin_enable_user(Client, Input)

View Source

Enables the specified user as an administrator.

Works on any user.

Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.

Learn more

Signing Amazon Web Services API Requests: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html

Using the Amazon Cognito user pools API and user pool endpoints: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
Link to this function

admin_enable_user(Client, Input, Options)

View Source
Link to this function

admin_forget_device(Client, Input)

View Source

Forgets the device, as an administrator.

Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.

Learn more

Signing Amazon Web Services API Requests: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html

Using the Amazon Cognito user pools API and user pool endpoints: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
Link to this function

admin_forget_device(Client, Input, Options)

View Source
Link to this function

admin_get_device(Client, Input)

View Source

Gets the device, as an administrator.

Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.

Learn more

Signing Amazon Web Services API Requests: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html

Using the Amazon Cognito user pools API and user pool endpoints: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
Link to this function

admin_get_device(Client, Input, Options)

View Source
Link to this function

admin_get_user(Client, Input)

View Source

Gets the specified user by user name in a user pool as an administrator.

Works on any user.

Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.

Learn more

Signing Amazon Web Services API Requests: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html

Using the Amazon Cognito user pools API and user pool endpoints: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
Link to this function

admin_get_user(Client, Input, Options)

View Source
Link to this function

admin_initiate_auth(Client, Input)

View Source

Initiates the authentication flow, as an administrator.

This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers require you to register an origination phone number before you can send SMS messages to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a phone number with Amazon Pinpoint: https://console.aws.amazon.com/pinpoint/home/. Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must receive SMS messages might not be able to sign up, activate their accounts, or sign in.

If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Service, Amazon Simple Notification Service might place your account in the SMS sandbox. In sandbox mode: https://docs.aws.amazon.com/sns/latest/dg/sns-sms-sandbox.html , you can send messages only to verified phone numbers. After you test your app while in the sandbox environment, you can move out of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-sms-settings.html in the Amazon Cognito Developer Guide.

Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.

Learn more

Signing Amazon Web Services API Requests: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html

Using the Amazon Cognito user pools API and user pool endpoints: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
Link to this function

admin_initiate_auth(Client, Input, Options)

View Source
Link to this function

admin_list_devices(Client, Input)

View Source

Lists devices, as an administrator.

Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.

Learn more

Signing Amazon Web Services API Requests: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html

Using the Amazon Cognito user pools API and user pool endpoints: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
Link to this function

admin_list_devices(Client, Input, Options)

View Source
Link to this function

admin_list_groups_for_user(Client, Input)

View Source

Lists the groups that a user belongs to.

Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.

Learn more

Signing Amazon Web Services API Requests: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html

Using the Amazon Cognito user pools API and user pool endpoints: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
Link to this function

admin_list_groups_for_user(Client, Input, Options)

View Source
Link to this function

admin_list_user_auth_events(Client, Input)

View Source

A history of user activity and any risks detected as part of Amazon Cognito advanced security.

Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.

Learn more

Signing Amazon Web Services API Requests: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html

Using the Amazon Cognito user pools API and user pool endpoints: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
Link to this function

admin_list_user_auth_events(Client, Input, Options)

View Source
Link to this function

admin_remove_user_from_group(Client, Input)

View Source

Removes the specified user from the specified group.

Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.

Learn more

Signing Amazon Web Services API Requests: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html

Using the Amazon Cognito user pools API and user pool endpoints: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
Link to this function

admin_remove_user_from_group(Client, Input, Options)

View Source
Link to this function

admin_reset_user_password(Client, Input)

View Source

Resets the specified user's password in a user pool as an administrator.

Works on any user.

This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers require you to register an origination phone number before you can send SMS messages to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a phone number with Amazon Pinpoint: https://console.aws.amazon.com/pinpoint/home/. Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must receive SMS messages might not be able to sign up, activate their accounts, or sign in.

If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Service, Amazon Simple Notification Service might place your account in the SMS sandbox. In sandbox mode: https://docs.aws.amazon.com/sns/latest/dg/sns-sms-sandbox.html , you can send messages only to verified phone numbers. After you test your app while in the sandbox environment, you can move out of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-sms-settings.html in the Amazon Cognito Developer Guide.

Deactivates a user's password, requiring them to change it. If a user tries to sign in after the API is called, Amazon Cognito responds with a PasswordResetRequiredException error. Your app must then perform the actions that reset your user's password: the forgot-password flow. In addition, if the user pool has phone verification selected and a verified phone number exists for the user, or if email verification is selected and a verified email exists for the user, calling this API will also result in sending a message to the end user with the code to change their password.

Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.

Learn more

Signing Amazon Web Services API Requests: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html

Using the Amazon Cognito user pools API and user pool endpoints: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
Link to this function

admin_reset_user_password(Client, Input, Options)

View Source
Link to this function

admin_respond_to_auth_challenge(Client, Input)

View Source

Some API operations in a user pool generate a challenge, like a prompt for an MFA code, for device authentication that bypasses MFA, or for a custom authentication challenge.

An AdminRespondToAuthChallenge API request provides the answer to that challenge, like a code or a secure remote password (SRP). The parameters of a response to an authentication challenge vary with the type of challenge.

For more information about custom authentication challenges, see Custom authentication challenge Lambda triggers: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-challenge.html.

This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers require you to register an origination phone number before you can send SMS messages to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a phone number with Amazon Pinpoint: https://console.aws.amazon.com/pinpoint/home/. Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must receive SMS messages might not be able to sign up, activate their accounts, or sign in.

If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Service, Amazon Simple Notification Service might place your account in the SMS sandbox. In sandbox mode: https://docs.aws.amazon.com/sns/latest/dg/sns-sms-sandbox.html , you can send messages only to verified phone numbers. After you test your app while in the sandbox environment, you can move out of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-sms-settings.html in the Amazon Cognito Developer Guide.

Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.

Learn more

Signing Amazon Web Services API Requests: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html

Using the Amazon Cognito user pools API and user pool endpoints: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
Link to this function

admin_respond_to_auth_challenge(Client, Input, Options)

View Source
Link to this function

admin_set_user_mfa_preference(Client, Input)

View Source

The user's multi-factor authentication (MFA) preference, including which MFA options are activated, and if any are preferred.

Only one factor can be set as preferred. The preferred MFA factor will be used to authenticate a user if multiple factors are activated. If multiple options are activated and no preference is set, a challenge to choose an MFA option will be returned during sign-in.

Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.

Learn more

Signing Amazon Web Services API Requests: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html

Using the Amazon Cognito user pools API and user pool endpoints: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
Link to this function

admin_set_user_mfa_preference(Client, Input, Options)

View Source
Link to this function

admin_set_user_password(Client, Input)

View Source

Sets the specified user's password in a user pool as an administrator.

Works on any user.

The password can be temporary or permanent. If it is temporary, the user status enters the FORCE_CHANGE_PASSWORD state. When the user next tries to sign in, the InitiateAuth/AdminInitiateAuth response will contain the NEW_PASSWORD_REQUIRED challenge. If the user doesn't sign in before it expires, the user won't be able to sign in, and an administrator must reset their password.

Once the user has set a new password, or the password is permanent, the user status is set to Confirmed.

AdminSetUserPassword can set a password for the user profile that Amazon Cognito creates for third-party federated users. When you set a password, the federated user's status changes from EXTERNAL_PROVIDER to CONFIRMED. A user in this state can sign in as a federated user, and initiate authentication flows in the API like a linked native user. They can also modify their password and attributes in token-authenticated API requests like ChangePassword and UpdateUserAttributes. As a best security practice and to keep users in sync with your external IdP, don't set passwords on federated user profiles. To set up a federated user for native sign-in with a linked native user, refer to Linking federated users to an existing user profile: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-identity-federation-consolidate-users.html.

Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.

Learn more

Signing Amazon Web Services API Requests: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html

Using the Amazon Cognito user pools API and user pool endpoints: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
Link to this function

admin_set_user_password(Client, Input, Options)

View Source
Link to this function

admin_set_user_settings(Client, Input)

View Source

This action is no longer supported.

You can use it to configure only SMS MFA. You can't use it to configure time-based one-time password (TOTP) software token MFA. To configure either type of MFA, use AdminSetUserMFAPreference: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminSetUserMFAPreference.html instead.

Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.

Learn more

Signing Amazon Web Services API Requests: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html

Using the Amazon Cognito user pools API and user pool endpoints: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
Link to this function

admin_set_user_settings(Client, Input, Options)

View Source
Link to this function

admin_update_auth_event_feedback(Client, Input)

View Source

Provides feedback for an authentication event indicating if it was from a valid user.

This feedback is used for improving the risk evaluation decision for the user pool as part of Amazon Cognito advanced security.

Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.

Learn more

Signing Amazon Web Services API Requests: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html

Using the Amazon Cognito user pools API and user pool endpoints: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
Link to this function

admin_update_auth_event_feedback(Client, Input, Options)

View Source
Link to this function

admin_update_device_status(Client, Input)

View Source

Updates the device status as an administrator.

Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.

Learn more

Signing Amazon Web Services API Requests: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html

Using the Amazon Cognito user pools API and user pool endpoints: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
Link to this function

admin_update_device_status(Client, Input, Options)

View Source
Link to this function

admin_update_user_attributes(Client, Input)

View Source

This action might generate an SMS text message.

Starting June 1, 2021, US telecom carriers require you to register an origination phone number before you can send SMS messages to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a phone number with Amazon Pinpoint: https://console.aws.amazon.com/pinpoint/home/. Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must receive SMS messages might not be able to sign up, activate their accounts, or sign in.

If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Service, Amazon Simple Notification Service might place your account in the SMS sandbox. In sandbox mode: https://docs.aws.amazon.com/sns/latest/dg/sns-sms-sandbox.html , you can send messages only to verified phone numbers. After you test your app while in the sandbox environment, you can move out of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-sms-settings.html in the Amazon Cognito Developer Guide.

Updates the specified user's attributes, including developer attributes, as an administrator. Works on any user. To delete an attribute from your user, submit the attribute in your API request with a blank value.

For custom attributes, you must prepend the custom: prefix to the attribute name.

In addition to updating user attributes, this API can also be used to mark phone and email as verified.

Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.

Learn more

Signing Amazon Web Services API Requests: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html

Using the Amazon Cognito user pools API and user pool endpoints: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
Link to this function

admin_update_user_attributes(Client, Input, Options)

View Source
Link to this function

admin_user_global_sign_out(Client, Input)

View Source

Invalidates the identity, access, and refresh tokens that Amazon Cognito issued to a user.

Call this operation with your administrative credentials when your user signs out of your app. This results in the following behavior.

  • Amazon Cognito no longer accepts token-authorized user operations that you authorize with a signed-out user's access tokens. For more information, see Using the Amazon Cognito user pools API and user pool endpoints: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html.

    Amazon Cognito returns an Access Token has been revoked error when your app attempts to authorize a user pools API request with a revoked access token that contains the scope aws.cognito.signin.user.admin.

  • Amazon Cognito no longer accepts a signed-out user's ID token in a GetId : https://docs.aws.amazon.com/cognitoidentity/latest/APIReference/API_GetId.html request to an identity pool with ServerSideTokenCheck enabled for its user pool IdP configuration in CognitoIdentityProvider: https://docs.aws.amazon.com/cognitoidentity/latest/APIReference/API_CognitoIdentityProvider.html.

  • Amazon Cognito no longer accepts a signed-out user's refresh tokens in refresh requests.

Other requests might be valid until your user's token expires.

Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.

Learn more

Signing Amazon Web Services API Requests: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html

Using the Amazon Cognito user pools API and user pool endpoints: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
Link to this function

admin_user_global_sign_out(Client, Input, Options)

View Source
Link to this function

associate_software_token(Client, Input)

View Source

Begins setup of time-based one-time password (TOTP) multi-factor authentication (MFA) for a user, with a unique private key that Amazon Cognito generates and returns in the API response.

You can authorize an AssociateSoftwareToken request with either the user's access token, or a session string from a challenge response that you received from Amazon Cognito.

Amazon Cognito disassociates an existing software token when you verify the new token in a VerifySoftwareToken: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_VerifySoftwareToken.html API request. If you don't verify the software token and your user pool doesn't require MFA, the user can then authenticate with user name and password credentials alone. If your user pool requires TOTP MFA, Amazon Cognito generates an MFA_SETUP or SOFTWARE_TOKEN_SETUP challenge each time your user signs. Complete setup with AssociateSoftwareToken and VerifySoftwareToken.

After you set up software token MFA for your user, Amazon Cognito generates a SOFTWARE_TOKEN_MFA challenge when they authenticate. Respond to this challenge with your user's TOTP.

Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you can't use IAM credentials to authorize requests, and you can't grant IAM permissions in policies. For more information about authorization models in Amazon Cognito, see Using the Amazon Cognito user pools API and user pool endpoints: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html.
Link to this function

associate_software_token(Client, Input, Options)

View Source
Link to this function

change_password(Client, Input)

View Source

Changes the password for a specified user in a user pool.

Authorize this action with a signed-in user's access token. It must include the scope aws.cognito.signin.user.admin.

Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you can't use IAM credentials to authorize requests, and you can't grant IAM permissions in policies. For more information about authorization models in Amazon Cognito, see Using the Amazon Cognito user pools API and user pool endpoints: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html.
Link to this function

change_password(Client, Input, Options)

View Source
Link to this function

confirm_device(Client, Input)

View Source

Confirms tracking of the device.

This API call is the call that begins device tracking. For more information about device authentication, see Working with user devices in your user pool: https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-device-tracking.html.

Authorize this action with a signed-in user's access token. It must include the scope aws.cognito.signin.user.admin.

Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you can't use IAM credentials to authorize requests, and you can't grant IAM permissions in policies. For more information about authorization models in Amazon Cognito, see Using the Amazon Cognito user pools API and user pool endpoints: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html.
Link to this function

confirm_device(Client, Input, Options)

View Source
Link to this function

confirm_forgot_password(Client, Input)

View Source

Allows a user to enter a confirmation code to reset a forgotten password.

Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you can't use IAM credentials to authorize requests, and you can't grant IAM permissions in policies. For more information about authorization models in Amazon Cognito, see Using the Amazon Cognito user pools API and user pool endpoints: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html.
Link to this function

confirm_forgot_password(Client, Input, Options)

View Source
Link to this function

confirm_sign_up(Client, Input)

View Source

This public API operation provides a code that Amazon Cognito sent to your user when they signed up in your user pool via the SignUp: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SignUp.html API operation.

After your user enters their code, they confirm ownership of the email address or phone number that they provided, and their user account becomes active. Depending on your user pool configuration, your users will receive their confirmation code in an email or SMS message.

Local users who signed up in your user pool are the only type of user who can confirm sign-up with a code. Users who federate through an external identity provider (IdP) have already been confirmed by their IdP. Administrator-created users, users created with the AdminCreateUser: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminCreateUser.html API operation, confirm their accounts when they respond to their invitation email message and choose a password. They do not receive a confirmation code. Instead, they receive a temporary password.

Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you can't use IAM credentials to authorize requests, and you can't grant IAM permissions in policies. For more information about authorization models in Amazon Cognito, see Using the Amazon Cognito user pools API and user pool endpoints: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html.
Link to this function

confirm_sign_up(Client, Input, Options)

View Source
Link to this function

create_group(Client, Input)

View Source

Creates a new group in the specified user pool.

Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.

Learn more

Signing Amazon Web Services API Requests: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html

Using the Amazon Cognito user pools API and user pool endpoints: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
Link to this function

create_group(Client, Input, Options)

View Source
Link to this function

create_identity_provider(Client, Input)

View Source

Adds a configuration and trust relationship between a third-party identity provider (IdP) and a user pool.

Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.

Learn more

Signing Amazon Web Services API Requests: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html

Using the Amazon Cognito user pools API and user pool endpoints: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
Link to this function

create_identity_provider(Client, Input, Options)

View Source
Link to this function

create_resource_server(Client, Input)

View Source

Creates a new OAuth2.0 resource server and defines custom scopes within it.

Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.

Learn more

Signing Amazon Web Services API Requests: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html

Using the Amazon Cognito user pools API and user pool endpoints: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
Link to this function

create_resource_server(Client, Input, Options)

View Source
Link to this function

create_user_import_job(Client, Input)

View Source

Creates a user import job.

Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.

Learn more

Signing Amazon Web Services API Requests: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html

Using the Amazon Cognito user pools API and user pool endpoints: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
Link to this function

create_user_import_job(Client, Input, Options)

View Source
Link to this function

create_user_pool(Client, Input)

View Source

This action might generate an SMS text message.

Starting June 1, 2021, US telecom carriers require you to register an origination phone number before you can send SMS messages to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a phone number with Amazon Pinpoint: https://console.aws.amazon.com/pinpoint/home/. Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must receive SMS messages might not be able to sign up, activate their accounts, or sign in.

If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Service, Amazon Simple Notification Service might place your account in the SMS sandbox. In sandbox mode: https://docs.aws.amazon.com/sns/latest/dg/sns-sms-sandbox.html , you can send messages only to verified phone numbers. After you test your app while in the sandbox environment, you can move out of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-sms-settings.html in the Amazon Cognito Developer Guide.

Creates a new Amazon Cognito user pool and sets the password policy for the pool.

If you don't provide a value for an attribute, Amazon Cognito sets it to its default value.

Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.

Learn more

Signing Amazon Web Services API Requests: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html

Using the Amazon Cognito user pools API and user pool endpoints: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
Link to this function

create_user_pool(Client, Input, Options)

View Source
Link to this function

create_user_pool_client(Client, Input)

View Source

Creates the user pool client.

When you create a new user pool client, token revocation is automatically activated. For more information about revoking tokens, see RevokeToken: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_RevokeToken.html.

If you don't provide a value for an attribute, Amazon Cognito sets it to its default value.

Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.

Learn more

Signing Amazon Web Services API Requests: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html

Using the Amazon Cognito user pools API and user pool endpoints: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
Link to this function

create_user_pool_client(Client, Input, Options)

View Source
Link to this function

create_user_pool_domain(Client, Input)

View Source

Creates a new domain for a user pool.

Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.

Learn more

Signing Amazon Web Services API Requests: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html

Using the Amazon Cognito user pools API and user pool endpoints: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
Link to this function

create_user_pool_domain(Client, Input, Options)

View Source
Link to this function

delete_group(Client, Input)

View Source

Deletes a group.

Calling this action requires developer credentials.
Link to this function

delete_group(Client, Input, Options)

View Source
Link to this function

delete_identity_provider(Client, Input)

View Source
Deletes an IdP for a user pool.
Link to this function

delete_identity_provider(Client, Input, Options)

View Source
Link to this function

delete_resource_server(Client, Input)

View Source
Deletes a resource server.
Link to this function

delete_resource_server(Client, Input, Options)

View Source
Link to this function

delete_user(Client, Input)

View Source

Allows a user to delete their own user profile.

Authorize this action with a signed-in user's access token. It must include the scope aws.cognito.signin.user.admin.

Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you can't use IAM credentials to authorize requests, and you can't grant IAM permissions in policies. For more information about authorization models in Amazon Cognito, see Using the Amazon Cognito user pools API and user pool endpoints: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html.
Link to this function

delete_user(Client, Input, Options)

View Source
Link to this function

delete_user_attributes(Client, Input)

View Source

Deletes the attributes for a user.

Authorize this action with a signed-in user's access token. It must include the scope aws.cognito.signin.user.admin.

Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you can't use IAM credentials to authorize requests, and you can't grant IAM permissions in policies. For more information about authorization models in Amazon Cognito, see Using the Amazon Cognito user pools API and user pool endpoints: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html.
Link to this function

delete_user_attributes(Client, Input, Options)

View Source
Link to this function

delete_user_pool(Client, Input)

View Source
Deletes the specified Amazon Cognito user pool.
Link to this function

delete_user_pool(Client, Input, Options)

View Source
Link to this function

delete_user_pool_client(Client, Input)

View Source
Allows the developer to delete the user pool client.
Link to this function

delete_user_pool_client(Client, Input, Options)

View Source
Link to this function

delete_user_pool_domain(Client, Input)

View Source
Deletes a domain for a user pool.
Link to this function

delete_user_pool_domain(Client, Input, Options)

View Source
Link to this function

describe_identity_provider(Client, Input)

View Source
Gets information about a specific IdP.
Link to this function

describe_identity_provider(Client, Input, Options)

View Source
Link to this function

describe_resource_server(Client, Input)

View Source
Describes a resource server.
Link to this function

describe_resource_server(Client, Input, Options)

View Source
Link to this function

describe_risk_configuration(Client, Input)

View Source
Describes the risk configuration.
Link to this function

describe_risk_configuration(Client, Input, Options)

View Source
Link to this function

describe_user_import_job(Client, Input)

View Source
Describes the user import job.
Link to this function

describe_user_import_job(Client, Input, Options)

View Source
Link to this function

describe_user_pool(Client, Input)

View Source

Returns the configuration information and metadata of the specified user pool.

Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.

Learn more

Signing Amazon Web Services API Requests: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html

Using the Amazon Cognito user pools API and user pool endpoints: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
Link to this function

describe_user_pool(Client, Input, Options)

View Source
Link to this function

describe_user_pool_client(Client, Input)

View Source

Client method for returning the configuration information and metadata of the specified user pool app client.

Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.

Learn more

Signing Amazon Web Services API Requests: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html

Using the Amazon Cognito user pools API and user pool endpoints: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
Link to this function

describe_user_pool_client(Client, Input, Options)

View Source
Link to this function

describe_user_pool_domain(Client, Input)

View Source
Gets information about a domain.
Link to this function

describe_user_pool_domain(Client, Input, Options)

View Source
Link to this function

forget_device(Client, Input)

View Source

Forgets the specified device.

For more information about device authentication, see Working with user devices in your user pool: https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-device-tracking.html.

Authorize this action with a signed-in user's access token. It must include the scope aws.cognito.signin.user.admin.

Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you can't use IAM credentials to authorize requests, and you can't grant IAM permissions in policies. For more information about authorization models in Amazon Cognito, see Using the Amazon Cognito user pools API and user pool endpoints: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html.
Link to this function

forget_device(Client, Input, Options)

View Source
Link to this function

forgot_password(Client, Input)

View Source

Calling this API causes a message to be sent to the end user with a confirmation code that is required to change the user's password.

For the Username parameter, you can use the username or user alias. The method used to send the confirmation code is sent according to the specified AccountRecoverySetting. For more information, see Recovering User Accounts: https://docs.aws.amazon.com/cognito/latest/developerguide/how-to-recover-a-user-account.html in the Amazon Cognito Developer Guide. To use the confirmation code for resetting the password, call ConfirmForgotPassword: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_ConfirmForgotPassword.html.

If neither a verified phone number nor a verified email exists, this API returns InvalidParameterException. If your app client has a client secret and you don't provide a SECRET_HASH parameter, this API returns NotAuthorizedException.

Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you can't use IAM credentials to authorize requests, and you can't grant IAM permissions in policies. For more information about authorization models in Amazon Cognito, see Using the Amazon Cognito user pools API and user pool endpoints: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html.

This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers require you to register an origination phone number before you can send SMS messages to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a phone number with Amazon Pinpoint: https://console.aws.amazon.com/pinpoint/home/. Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must receive SMS messages might not be able to sign up, activate their accounts, or sign in.

If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Service, Amazon Simple Notification Service might place your account in the SMS sandbox. In sandbox mode: https://docs.aws.amazon.com/sns/latest/dg/sns-sms-sandbox.html , you can send messages only to verified phone numbers. After you test your app while in the sandbox environment, you can move out of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-sms-settings.html in the Amazon Cognito Developer Guide.
Link to this function

forgot_password(Client, Input, Options)

View Source
Link to this function

get_csv_header(Client, Input)

View Source
Gets the header information for the comma-separated value (CSV) file to be used as input for the user import job.
Link to this function

get_csv_header(Client, Input, Options)

View Source
Link to this function

get_device(Client, Input)

View Source

Gets the device.

For more information about device authentication, see Working with user devices in your user pool: https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-device-tracking.html.

Authorize this action with a signed-in user's access token. It must include the scope aws.cognito.signin.user.admin.

Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you can't use IAM credentials to authorize requests, and you can't grant IAM permissions in policies. For more information about authorization models in Amazon Cognito, see Using the Amazon Cognito user pools API and user pool endpoints: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html.
Link to this function

get_device(Client, Input, Options)

View Source
Link to this function

get_group(Client, Input)

View Source

Gets a group.

Calling this action requires developer credentials.
Link to this function

get_group(Client, Input, Options)

View Source
Link to this function

get_identity_provider_by_identifier(Client, Input)

View Source
Gets the specified IdP.
Link to this function

get_identity_provider_by_identifier(Client, Input, Options)

View Source
Link to this function

get_log_delivery_configuration(Client, Input)

View Source
Gets the detailed activity logging configuration for a user pool.
Link to this function

get_log_delivery_configuration(Client, Input, Options)

View Source
Link to this function

get_signing_certificate(Client, Input)

View Source

This method takes a user pool ID, and returns the signing certificate.

The issued certificate is valid for 10 years from the date of issue.

Amazon Cognito issues and assigns a new signing certificate annually. This process returns a new value in the response to GetSigningCertificate, but doesn't invalidate the original certificate.
Link to this function

get_signing_certificate(Client, Input, Options)

View Source
Link to this function

get_ui_customization(Client, Input)

View Source

Gets the user interface (UI) Customization information for a particular app client's app UI, if any such information exists for the client.

If nothing is set for the particular client, but there is an existing pool level customization (the app clientId is ALL), then that information is returned. If nothing is present, then an empty shape is returned.
Link to this function

get_ui_customization(Client, Input, Options)

View Source

Gets the user attributes and metadata for a user.

Authorize this action with a signed-in user's access token. It must include the scope aws.cognito.signin.user.admin.

Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you can't use IAM credentials to authorize requests, and you can't grant IAM permissions in policies. For more information about authorization models in Amazon Cognito, see Using the Amazon Cognito user pools API and user pool endpoints: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html.
Link to this function

get_user(Client, Input, Options)

View Source
Link to this function

get_user_attribute_verification_code(Client, Input)

View Source

Generates a user attribute verification code for the specified attribute name.

Sends a message to a user with a code that they must return in a VerifyUserAttribute request.

Authorize this action with a signed-in user's access token. It must include the scope aws.cognito.signin.user.admin.

Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you can't use IAM credentials to authorize requests, and you can't grant IAM permissions in policies. For more information about authorization models in Amazon Cognito, see Using the Amazon Cognito user pools API and user pool endpoints: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html.

This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers require you to register an origination phone number before you can send SMS messages to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a phone number with Amazon Pinpoint: https://console.aws.amazon.com/pinpoint/home/. Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must receive SMS messages might not be able to sign up, activate their accounts, or sign in.

If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Service, Amazon Simple Notification Service might place your account in the SMS sandbox. In sandbox mode: https://docs.aws.amazon.com/sns/latest/dg/sns-sms-sandbox.html , you can send messages only to verified phone numbers. After you test your app while in the sandbox environment, you can move out of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-sms-settings.html in the Amazon Cognito Developer Guide.
Link to this function

get_user_attribute_verification_code(Client, Input, Options)

View Source
Link to this function

get_user_pool_mfa_config(Client, Input)

View Source
Gets the user pool multi-factor authentication (MFA) configuration.
Link to this function

get_user_pool_mfa_config(Client, Input, Options)

View Source
Link to this function

global_sign_out(Client, Input)

View Source

Invalidates the identity, access, and refresh tokens that Amazon Cognito issued to a user.

Call this operation when your user signs out of your app. This results in the following behavior.

  • Amazon Cognito no longer accepts token-authorized user operations that you authorize with a signed-out user's access tokens. For more information, see Using the Amazon Cognito user pools API and user pool endpoints: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html.

    Amazon Cognito returns an Access Token has been revoked error when your app attempts to authorize a user pools API request with a revoked access token that contains the scope aws.cognito.signin.user.admin.

  • Amazon Cognito no longer accepts a signed-out user's ID token in a GetId : https://docs.aws.amazon.com/cognitoidentity/latest/APIReference/API_GetId.html request to an identity pool with ServerSideTokenCheck enabled for its user pool IdP configuration in CognitoIdentityProvider: https://docs.aws.amazon.com/cognitoidentity/latest/APIReference/API_CognitoIdentityProvider.html.

  • Amazon Cognito no longer accepts a signed-out user's refresh tokens in refresh requests.

Other requests might be valid until your user's token expires.

Authorize this action with a signed-in user's access token. It must include the scope aws.cognito.signin.user.admin.

Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you can't use IAM credentials to authorize requests, and you can't grant IAM permissions in policies. For more information about authorization models in Amazon Cognito, see Using the Amazon Cognito user pools API and user pool endpoints: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html.
Link to this function

global_sign_out(Client, Input, Options)

View Source
Link to this function

initiate_auth(Client, Input)

View Source

Initiates sign-in for a user in the Amazon Cognito user directory.

You can't sign in a user with a federated IdP with InitiateAuth. For more information, see Adding user pool sign-in through a third party: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-identity-federation.html.

Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you can't use IAM credentials to authorize requests, and you can't grant IAM permissions in policies. For more information about authorization models in Amazon Cognito, see Using the Amazon Cognito user pools API and user pool endpoints: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html.

This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers require you to register an origination phone number before you can send SMS messages to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a phone number with Amazon Pinpoint: https://console.aws.amazon.com/pinpoint/home/. Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must receive SMS messages might not be able to sign up, activate their accounts, or sign in.

If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Service, Amazon Simple Notification Service might place your account in the SMS sandbox. In sandbox mode: https://docs.aws.amazon.com/sns/latest/dg/sns-sms-sandbox.html , you can send messages only to verified phone numbers. After you test your app while in the sandbox environment, you can move out of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-sms-settings.html in the Amazon Cognito Developer Guide.
Link to this function

initiate_auth(Client, Input, Options)

View Source
Link to this function

list_devices(Client, Input)

View Source

Lists the sign-in devices that Amazon Cognito has registered to the current user.

For more information about device authentication, see Working with user devices in your user pool: https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-device-tracking.html.

Authorize this action with a signed-in user's access token. It must include the scope aws.cognito.signin.user.admin.

Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you can't use IAM credentials to authorize requests, and you can't grant IAM permissions in policies. For more information about authorization models in Amazon Cognito, see Using the Amazon Cognito user pools API and user pool endpoints: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html.
Link to this function

list_devices(Client, Input, Options)

View Source
Link to this function

list_groups(Client, Input)

View Source

Lists the groups associated with a user pool.

Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.

Learn more

Signing Amazon Web Services API Requests: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html

Using the Amazon Cognito user pools API and user pool endpoints: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
Link to this function

list_groups(Client, Input, Options)

View Source
Link to this function

list_identity_providers(Client, Input)

View Source

Lists information about all IdPs for a user pool.

Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.

Learn more

Signing Amazon Web Services API Requests: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html

Using the Amazon Cognito user pools API and user pool endpoints: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
Link to this function

list_identity_providers(Client, Input, Options)

View Source
Link to this function

list_resource_servers(Client, Input)

View Source

Lists the resource servers for a user pool.

Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.

Learn more

Signing Amazon Web Services API Requests: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html

Using the Amazon Cognito user pools API and user pool endpoints: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
Link to this function

list_resource_servers(Client, Input, Options)

View Source
Link to this function

list_tags_for_resource(Client, Input)

View Source

Lists the tags that are assigned to an Amazon Cognito user pool.

A tag is a label that you can apply to user pools to categorize and manage them in different ways, such as by purpose, owner, environment, or other criteria.

You can use this action up to 10 times per second, per account.
Link to this function

list_tags_for_resource(Client, Input, Options)

View Source
Link to this function

list_user_import_jobs(Client, Input)

View Source

Lists user import jobs for a user pool.

Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.

Learn more

Signing Amazon Web Services API Requests: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html

Using the Amazon Cognito user pools API and user pool endpoints: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
Link to this function

list_user_import_jobs(Client, Input, Options)

View Source
Link to this function

list_user_pool_clients(Client, Input)

View Source

Lists the clients that have been created for the specified user pool.

Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.

Learn more

Signing Amazon Web Services API Requests: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html

Using the Amazon Cognito user pools API and user pool endpoints: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
Link to this function

list_user_pool_clients(Client, Input, Options)

View Source
Link to this function

list_user_pools(Client, Input)

View Source

Lists the user pools associated with an Amazon Web Services account.

Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.

Learn more

Signing Amazon Web Services API Requests: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html

Using the Amazon Cognito user pools API and user pool endpoints: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
Link to this function

list_user_pools(Client, Input, Options)

View Source
Link to this function

list_users(Client, Input)

View Source

Lists users and their basic details in a user pool.

Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.

Learn more

Signing Amazon Web Services API Requests: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html

Using the Amazon Cognito user pools API and user pool endpoints: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
Link to this function

list_users(Client, Input, Options)

View Source
Link to this function

list_users_in_group(Client, Input)

View Source

Lists the users in the specified group.

Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.

Learn more

Signing Amazon Web Services API Requests: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html

Using the Amazon Cognito user pools API and user pool endpoints: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
Link to this function

list_users_in_group(Client, Input, Options)

View Source
Link to this function

resend_confirmation_code(Client, Input)

View Source

Resends the confirmation (for confirmation of registration) to a specific user in the user pool.

Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you can't use IAM credentials to authorize requests, and you can't grant IAM permissions in policies. For more information about authorization models in Amazon Cognito, see Using the Amazon Cognito user pools API and user pool endpoints: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html.

This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers require you to register an origination phone number before you can send SMS messages to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a phone number with Amazon Pinpoint: https://console.aws.amazon.com/pinpoint/home/. Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must receive SMS messages might not be able to sign up, activate their accounts, or sign in.

If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Service, Amazon Simple Notification Service might place your account in the SMS sandbox. In sandbox mode: https://docs.aws.amazon.com/sns/latest/dg/sns-sms-sandbox.html , you can send messages only to verified phone numbers. After you test your app while in the sandbox environment, you can move out of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-sms-settings.html in the Amazon Cognito Developer Guide.
Link to this function

resend_confirmation_code(Client, Input, Options)

View Source
Link to this function

respond_to_auth_challenge(Client, Input)

View Source

Some API operations in a user pool generate a challenge, like a prompt for an MFA code, for device authentication that bypasses MFA, or for a custom authentication challenge.

A RespondToAuthChallenge API request provides the answer to that challenge, like a code or a secure remote password (SRP). The parameters of a response to an authentication challenge vary with the type of challenge.

For more information about custom authentication challenges, see Custom authentication challenge Lambda triggers: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-challenge.html.

Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you can't use IAM credentials to authorize requests, and you can't grant IAM permissions in policies. For more information about authorization models in Amazon Cognito, see Using the Amazon Cognito user pools API and user pool endpoints: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html.

This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers require you to register an origination phone number before you can send SMS messages to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a phone number with Amazon Pinpoint: https://console.aws.amazon.com/pinpoint/home/. Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must receive SMS messages might not be able to sign up, activate their accounts, or sign in.

If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Service, Amazon Simple Notification Service might place your account in the SMS sandbox. In sandbox mode: https://docs.aws.amazon.com/sns/latest/dg/sns-sms-sandbox.html , you can send messages only to verified phone numbers. After you test your app while in the sandbox environment, you can move out of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-sms-settings.html in the Amazon Cognito Developer Guide.
Link to this function

respond_to_auth_challenge(Client, Input, Options)

View Source
Link to this function

revoke_token(Client, Input)

View Source

Revokes all of the access tokens generated by, and at the same time as, the specified refresh token.

After a token is revoked, you can't use the revoked token to access Amazon Cognito user APIs, or to authorize access to your resource server.

Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you can't use IAM credentials to authorize requests, and you can't grant IAM permissions in policies. For more information about authorization models in Amazon Cognito, see Using the Amazon Cognito user pools API and user pool endpoints: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html.
Link to this function

revoke_token(Client, Input, Options)

View Source
Link to this function

set_log_delivery_configuration(Client, Input)

View Source
Sets up or modifies the detailed activity logging configuration of a user pool.
Link to this function

set_log_delivery_configuration(Client, Input, Options)

View Source
Link to this function

set_risk_configuration(Client, Input)

View Source

Configures actions on detected risks.

To delete the risk configuration for UserPoolId or ClientId, pass null values for all four configuration types.

To activate Amazon Cognito advanced security features, update the user pool to include the UserPoolAddOns keyAdvancedSecurityMode.
Link to this function

set_risk_configuration(Client, Input, Options)

View Source
Link to this function

set_ui_customization(Client, Input)

View Source

Sets the user interface (UI) customization information for a user pool's built-in app UI.

You can specify app UI customization settings for a single client (with a specific clientId) or for all clients (by setting the clientId to ALL). If you specify ALL, the default configuration is used for every client that has no previously set UI customization. If you specify UI customization settings for a particular client, it will no longer return to the ALL configuration.

To use this API, your user pool must have a domain associated with it. Otherwise, there is no place to host the app's pages, and the service will throw an error.
Link to this function

set_ui_customization(Client, Input, Options)

View Source
Link to this function

set_user_mfa_preference(Client, Input)

View Source

Set the user's multi-factor authentication (MFA) method preference, including which MFA factors are activated and if any are preferred.

Only one factor can be set as preferred. The preferred MFA factor will be used to authenticate a user if multiple factors are activated. If multiple options are activated and no preference is set, a challenge to choose an MFA option will be returned during sign-in. If an MFA type is activated for a user, the user will be prompted for MFA during all sign-in attempts unless device tracking is turned on and the device has been trusted. If you want MFA to be applied selectively based on the assessed risk level of sign-in attempts, deactivate MFA for users and turn on Adaptive Authentication for the user pool.

Authorize this action with a signed-in user's access token. It must include the scope aws.cognito.signin.user.admin.

Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you can't use IAM credentials to authorize requests, and you can't grant IAM permissions in policies. For more information about authorization models in Amazon Cognito, see Using the Amazon Cognito user pools API and user pool endpoints: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html.
Link to this function

set_user_mfa_preference(Client, Input, Options)

View Source
Link to this function

set_user_pool_mfa_config(Client, Input)

View Source

Sets the user pool multi-factor authentication (MFA) configuration.

This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers require you to register an origination phone number before you can send SMS messages to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a phone number with Amazon Pinpoint: https://console.aws.amazon.com/pinpoint/home/. Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must receive SMS messages might not be able to sign up, activate their accounts, or sign in.

If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Service, Amazon Simple Notification Service might place your account in the SMS sandbox. In sandbox mode: https://docs.aws.amazon.com/sns/latest/dg/sns-sms-sandbox.html , you can send messages only to verified phone numbers. After you test your app while in the sandbox environment, you can move out of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-sms-settings.html in the Amazon Cognito Developer Guide.
Link to this function

set_user_pool_mfa_config(Client, Input, Options)

View Source
Link to this function

set_user_settings(Client, Input)

View Source

This action is no longer supported.

You can use it to configure only SMS MFA. You can't use it to configure time-based one-time password (TOTP) software token MFA. To configure either type of MFA, use SetUserMFAPreference: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SetUserMFAPreference.html instead.

Authorize this action with a signed-in user's access token. It must include the scope aws.cognito.signin.user.admin.

Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you can't use IAM credentials to authorize requests, and you can't grant IAM permissions in policies. For more information about authorization models in Amazon Cognito, see Using the Amazon Cognito user pools API and user pool endpoints: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html.
Link to this function

set_user_settings(Client, Input, Options)

View Source

Registers the user in the specified user pool and creates a user name, password, and user attributes.

Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you can't use IAM credentials to authorize requests, and you can't grant IAM permissions in policies. For more information about authorization models in Amazon Cognito, see Using the Amazon Cognito user pools API and user pool endpoints: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html.

This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers require you to register an origination phone number before you can send SMS messages to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a phone number with Amazon Pinpoint: https://console.aws.amazon.com/pinpoint/home/. Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must receive SMS messages might not be able to sign up, activate their accounts, or sign in.

If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Service, Amazon Simple Notification Service might place your account in the SMS sandbox. In sandbox mode: https://docs.aws.amazon.com/sns/latest/dg/sns-sms-sandbox.html , you can send messages only to verified phone numbers. After you test your app while in the sandbox environment, you can move out of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-sms-settings.html in the Amazon Cognito Developer Guide.
Link to this function

sign_up(Client, Input, Options)

View Source
Link to this function

start_user_import_job(Client, Input)

View Source
Starts the user import.
Link to this function

start_user_import_job(Client, Input, Options)

View Source
Link to this function

stop_user_import_job(Client, Input)

View Source
Stops the user import job.
Link to this function

stop_user_import_job(Client, Input, Options)

View Source
Link to this function

tag_resource(Client, Input)

View Source

Assigns a set of tags to an Amazon Cognito user pool.

A tag is a label that you can use to categorize and manage user pools in different ways, such as by purpose, owner, environment, or other criteria.

Each tag consists of a key and value, both of which you define. A key is a general category for more specific values. For example, if you have two versions of a user pool, one for testing and another for production, you might assign an Environment tag key to both user pools. The value of this key might be Test for one user pool, and Production for the other.

Tags are useful for cost tracking and access control. You can activate your tags so that they appear on the Billing and Cost Management console, where you can track the costs associated with your user pools. In an Identity and Access Management policy, you can constrain permissions for user pools based on specific tags or tag values.

You can use this action up to 5 times per second, per account. A user pool can have as many as 50 tags.
Link to this function

tag_resource(Client, Input, Options)

View Source
Link to this function

untag_resource(Client, Input)

View Source

Removes the specified tags from an Amazon Cognito user pool.

You can use this action up to 5 times per second, per account.
Link to this function

untag_resource(Client, Input, Options)

View Source
Link to this function

update_auth_event_feedback(Client, Input)

View Source

Provides the feedback for an authentication event, whether it was from a valid user or not.

This feedback is used for improving the risk evaluation decision for the user pool as part of Amazon Cognito advanced security.

Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you can't use IAM credentials to authorize requests, and you can't grant IAM permissions in policies. For more information about authorization models in Amazon Cognito, see Using the Amazon Cognito user pools API and user pool endpoints: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html.
Link to this function

update_auth_event_feedback(Client, Input, Options)

View Source
Link to this function

update_device_status(Client, Input)

View Source

Updates the device status.

For more information about device authentication, see Working with user devices in your user pool: https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-device-tracking.html.

Authorize this action with a signed-in user's access token. It must include the scope aws.cognito.signin.user.admin.

Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you can't use IAM credentials to authorize requests, and you can't grant IAM permissions in policies. For more information about authorization models in Amazon Cognito, see Using the Amazon Cognito user pools API and user pool endpoints: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html.
Link to this function

update_device_status(Client, Input, Options)

View Source
Link to this function

update_group(Client, Input)

View Source

Updates the specified group with the specified attributes.

Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.

Learn more

Signing Amazon Web Services API Requests: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html

Using the Amazon Cognito user pools API and user pool endpoints: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
Link to this function

update_group(Client, Input, Options)

View Source
Link to this function

update_identity_provider(Client, Input)

View Source

Updates IdP information for a user pool.

Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.

Learn more

Signing Amazon Web Services API Requests: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html

Using the Amazon Cognito user pools API and user pool endpoints: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
Link to this function

update_identity_provider(Client, Input, Options)

View Source
Link to this function

update_resource_server(Client, Input)

View Source

Updates the name and scopes of resource server.

All other fields are read-only.

If you don't provide a value for an attribute, it is set to the default value.

Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.

Learn more

Signing Amazon Web Services API Requests: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html

Using the Amazon Cognito user pools API and user pool endpoints: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
Link to this function

update_resource_server(Client, Input, Options)

View Source
Link to this function

update_user_attributes(Client, Input)

View Source

With this operation, your users can update one or more of their attributes with their own credentials.

You authorize this API request with the user's access token. To delete an attribute from your user, submit the attribute in your API request with a blank value. Custom attribute values in this request must include the custom: prefix.

Authorize this action with a signed-in user's access token. It must include the scope aws.cognito.signin.user.admin.

Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you can't use IAM credentials to authorize requests, and you can't grant IAM permissions in policies. For more information about authorization models in Amazon Cognito, see Using the Amazon Cognito user pools API and user pool endpoints: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html.

This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers require you to register an origination phone number before you can send SMS messages to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a phone number with Amazon Pinpoint: https://console.aws.amazon.com/pinpoint/home/. Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must receive SMS messages might not be able to sign up, activate their accounts, or sign in.

If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Service, Amazon Simple Notification Service might place your account in the SMS sandbox. In sandbox mode: https://docs.aws.amazon.com/sns/latest/dg/sns-sms-sandbox.html , you can send messages only to verified phone numbers. After you test your app while in the sandbox environment, you can move out of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-sms-settings.html in the Amazon Cognito Developer Guide.
Link to this function

update_user_attributes(Client, Input, Options)

View Source
Link to this function

update_user_pool(Client, Input)

View Source

This action might generate an SMS text message.

Starting June 1, 2021, US telecom carriers require you to register an origination phone number before you can send SMS messages to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a phone number with Amazon Pinpoint: https://console.aws.amazon.com/pinpoint/home/. Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must receive SMS messages might not be able to sign up, activate their accounts, or sign in.

If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Service, Amazon Simple Notification Service might place your account in the SMS sandbox. In sandbox mode: https://docs.aws.amazon.com/sns/latest/dg/sns-sms-sandbox.html , you can send messages only to verified phone numbers. After you test your app while in the sandbox environment, you can move out of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-sms-settings.html in the Amazon Cognito Developer Guide.

Updates the specified user pool with the specified attributes. You can get a list of the current user pool settings using DescribeUserPool: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html.

If you don't provide a value for an attribute, Amazon Cognito sets it to its default value.

Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.

Learn more

Signing Amazon Web Services API Requests: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html

Using the Amazon Cognito user pools API and user pool endpoints: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
Link to this function

update_user_pool(Client, Input, Options)

View Source
Link to this function

update_user_pool_client(Client, Input)

View Source

Updates the specified user pool app client with the specified attributes.

You can get a list of the current user pool app client settings using DescribeUserPoolClient: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPoolClient.html.

If you don't provide a value for an attribute, Amazon Cognito sets it to its default value.

You can also use this operation to enable token revocation for user pool clients. For more information about revoking tokens, see RevokeToken: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_RevokeToken.html.

Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.

Learn more

Signing Amazon Web Services API Requests: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html

Using the Amazon Cognito user pools API and user pool endpoints: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
Link to this function

update_user_pool_client(Client, Input, Options)

View Source
Link to this function

update_user_pool_domain(Client, Input)

View Source

Updates the Secure Sockets Layer (SSL) certificate for the custom domain for your user pool.

You can use this operation to provide the Amazon Resource Name (ARN) of a new certificate to Amazon Cognito. You can't use it to change the domain for a user pool.

A custom domain is used to host the Amazon Cognito hosted UI, which provides sign-up and sign-in pages for your application. When you set up a custom domain, you provide a certificate that you manage with Certificate Manager (ACM). When necessary, you can use this operation to change the certificate that you applied to your custom domain.

Usually, this is unnecessary following routine certificate renewal with ACM. When you renew your existing certificate in ACM, the ARN for your certificate remains the same, and your custom domain uses the new certificate automatically.

However, if you replace your existing certificate with a new one, ACM gives the new certificate a new ARN. To apply the new certificate to your custom domain, you must provide this ARN to Amazon Cognito.

When you add your new certificate in ACM, you must choose US East (N. Virginia) as the Amazon Web Services Region.

After you submit your request, Amazon Cognito requires up to 1 hour to distribute your new certificate to your custom domain.

For more information about adding a custom domain to your user pool, see Using Your Own Domain for the Hosted UI: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-add-custom-domain.html.

Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.

Learn more

Signing Amazon Web Services API Requests: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html

Using the Amazon Cognito user pools API and user pool endpoints: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
Link to this function

update_user_pool_domain(Client, Input, Options)

View Source
Link to this function

verify_software_token(Client, Input)

View Source

Use this API to register a user's entered time-based one-time password (TOTP) code and mark the user's software token MFA status as "verified" if successful.

The request takes an access token or a session string, but not both.

Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you can't use IAM credentials to authorize requests, and you can't grant IAM permissions in policies. For more information about authorization models in Amazon Cognito, see Using the Amazon Cognito user pools API and user pool endpoints: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html.
Link to this function

verify_software_token(Client, Input, Options)

View Source
Link to this function

verify_user_attribute(Client, Input)

View Source

Verifies the specified user attributes in the user pool.

If your user pool requires verification before Amazon Cognito updates the attribute value, VerifyUserAttribute updates the affected attribute to its pending value. For more information, see UserAttributeUpdateSettingsType: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UserAttributeUpdateSettingsType.html.

Authorize this action with a signed-in user's access token. It must include the scope aws.cognito.signin.user.admin.

Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you can't use IAM credentials to authorize requests, and you can't grant IAM permissions in policies. For more information about authorization models in Amazon Cognito, see Using the Amazon Cognito user pools API and user pool endpoints: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html.
Link to this function

verify_user_attribute(Client, Input, Options)

View Source