

# Configure user pool features
<a name="user-pools-configure-features"></a>

In previous chapters, you've likely configured some features with guidance from the Amazon Cognito console. The pages in this section are a deeper dive into the detailed configuration requirements of some of the core features of user pools. There's important reference information about your options with app clients, email and SMS configuration, remembering user devices, and more.

**Topics**
+ [Updating user pool and app client configuration](cognito-user-pool-updating.md)
+ [Application-specific settings with app clients](user-pool-settings-client-apps.md)
+ [Working with user devices in your user pool](amazon-cognito-user-pools-device-tracking.md)
+ [Using Amazon Pinpoint for user pool analytics](cognito-user-pools-pinpoint-integration.md)
+ [Email settings for Amazon Cognito user pools](user-pool-email.md)
+ [SMS message settings for Amazon Cognito user pools](user-pool-sms-settings.md)

# Updating user pool and app client configuration
<a name="cognito-user-pool-updating"></a>

When you want to change a setting in a user pool or app client, you can apply the update in the Amazon Cognito console with a few clicks. You navigate through the feature-based tabs in your user pool settings and update fields as described in other areas of this guide.

Many organizations manage their resources programmatically in AWS CloudFormation, applications built on the AWS SDKs or CDK, and other automation software. When this is your resource-management model, you must take extra care when you stage changes to your resources.

The API operations [ UpdateUserPool](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html) and [ UpdateUserPoolClient](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPoolClient.html) make updates to an existing user pool or app client. Each comes with a warning in the API Reference: *If you don't provide a value for an attribute, Amazon Cognito sets it to its default value.* When you submit an update request with just one parameter, Amazon Cognito sets that parameter to the value of your choosing and sets all others to a default value. This can reset configurations including your attribute schema, your Lambda triggers, and your email and SMS message configuration.

Additionally, some settings are locked in after you create your user pool or app client, and you can't change them unless you create a new resource.

**Topics**
+ [Settings you can't change](#cognito-user-pool-updating-fixed-settings)
+ [SMS configuration](#cognito-user-pool-updating-sms)
+ [Updating a user pool with an AWS SDK, AWS CDK, or REST API](#cognito-user-pool-updating-api-cli)

## Settings you can't change
<a name="cognito-user-pool-updating-fixed-settings"></a>

You can't change some settings after you create a user pool. If you want to change the following settings, you must create a new user pool or app client.

**Note**  
Previously, you couldn't change the name of a user pool. This has changed. You can now assign new friendly names to your user pools.

**User pool ID**  
API parameter name: [Id/UserPoolId](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UserPoolType.html#CognitoUserPools-Type-UserPoolType-ID)  
The user pool ID, for example `us-east-1_EXAMPLE`, is automatically generated by Amazon Cognito and can't be changed.

**Amazon Cognito user pool sign-in options**  
API parameter names: [AliasAttributes](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html#CognitoUserPools-CreateUserPool-request-AliasAttributes) and [UsernameAttributes](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html#CognitoUserPools-CreateUserPool-request-UsernameAttributes)  
The attributes that your users can pass as a user name when they sign in. When you create a user pool, you can choose to allow sign-in with user name, email address, phone number, or a preferred user name. To change user pool sign-in options, create a new user pool.

**Make user name case sensitive**  
API parameter name: [UsernameConfiguration](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html#CognitoUserPools-CreateUserPool-request-UsernameConfiguration)  
When you create a user name that matches another user name except for the letter case, Amazon Cognito can treat them as either the same user or as unique users. For more information, see [User pool case sensitivity](user-pool-case-sensitivity.md). To change case sensitivity, create a new user pool.

**Client secret**  
API parameter name: [GenerateSecret](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPoolClient.html#CognitoUserPools-CreateUserPoolClient-request-GenerateSecret)  
When you create an app client, you can generate a client secret so that only trusted sources can make requests to your user pool. For more information, see [Application-specific settings with app clients](user-pool-settings-client-apps.md). To change a client secret, create a new app client in the same user pool.

**Required attributes**  
API parameter name: [Schema](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html#CognitoUserPools-CreateUserPool-request-Schema)  
The attributes that your users must provide values for when they sign up, or when you create them. For more information, see [Working with user attributes](user-pool-settings-attributes.md). To change required attributes, create a new user pool.

**Custom attributes (deletion)**  
API parameter name: [Schema](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html#CognitoUserPools-CreateUserPool-request-Schema)  
Attributes with custom names. You can change the value of a user's custom attribute, but you can't delete a custom attribute from your user pool. For more information, see [Working with user attributes](user-pool-settings-attributes.md). If you reach the maximum number of custom attributes and you want to modify the list, create a new user pool.

## SMS configuration
<a name="cognito-user-pool-updating-sms"></a>

After you activate SMS messages in your user pool, you can't deactivate them.
+ If you choose to configure SMS messages when you create a user pool, you can't deactivate SMS after you complete setup.
+ You can activate SMS messages in a user pool that you created, but after that you can't deactivate SMS.
+ Amazon Cognito can use SMS messages for user account invitation and recovery, attribute verification, and multi-factor authentication (MFA). After you activate SMS messages, you can turn SMS messages on or off for these functions at any time.
+ SMS message configuration includes an IAM role that you delegate to Amazon Cognito to send messages with Amazon SNS. You can change the assigned role at any time.

## Updating a user pool with an AWS SDK, AWS CDK, or REST API
<a name="cognito-user-pool-updating-api-cli"></a>

In the Amazon Cognito console, you can change your user pool settings one parameter at a time. For example, to add a Lambda trigger, you choose **Add Lambda trigger** and choose the function and trigger type. The Amazon Cognito user pools API is structured so that update operations for user pools and app clients require the full set of parameters for the resource. The console, however, transparently merges your single change with your other existing user pool settings before it submits the update operation.

At times, a change elsewhere in your AWS account, such as a deleted Amazon SES identity or a changed IAM permission for AWS WAF, can cause an update to fail even though the change isn't related to the setting you want to modify. If one of the current parameters is no longer valid, you can't update your settings until you fix it. When you encounter such an error, examine the error response and validate the setting that it mentions.

The [AWS Cloud Development Kit (AWS CDK)](https://aws.amazon.com/cdk), [Amazon Cognito user pools REST API](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/Welcome.html) and [AWS SDKs](https://aws.amazon.com/developer/tools/) are tools for automation and programmatic configuration of Amazon Cognito resources. Requests with these tools must also, like the Amazon Cognito console, update a setting with a full resource configuration in the request body. At a high level, you must perform the following process.

1. Capture the output from an operation that describes the configuration of your existing resource.

1. Modify the output with your settings change.

1. Send the modified configuration in an operation that updates your resource.

The following procedure updates your configuration with the [ UpdateUserPool](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html) API operation. The same approach, with different input fields, applies to [ UpdateUserPoolClient](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPoolClient.html).

**Important**  
If you don't provide values for existing parameters, Amazon Cognito sets them to default values. For example, when you have existing `LambdaConfig` and you submit an `UpdateUserPool` with an empty `LambdaConfig`, you delete the assignment of all Lambda functions to user pool triggers. Plan accordingly when you want to automate changes to your user pool configuration.

1. Capture the existing state of your user pool with [ DescribeUserPool](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html).

1. Format the output of `DescribeUserPool` to match the [ request parameters](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html#API_UpdateUserPool_RequestSyntax) of `UpdateUserPool`. Remove the following top-level fields and their child objects from the output JSON.
   + `Arn`
   + `CreationDate`
   + `CustomDomain`
     + Update this field with the [UpdateUserPoolDomain](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPoolDomain.html) API operation.
   + `Domain`
     + Update this field with the [UpdateUserPoolDomain](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPoolDomain.html) API operation.
   + `EmailConfigurationFailure`
   + `EstimatedNumberOfUsers`
   + `Id`
   + `LastModifiedDate`
   + `Name`
   + `SchemaAttributes`
   + `SmsConfigurationFailure`
   + `Status`

1. Confirm that the resulting JSON matches the [ request parameters](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html#API_UpdateUserPool_RequestSyntax) of `UpdateUserPool`.

1. Modify any parameters that you want to change in the resulting JSON.

1. Submit an `UpdateUserPool` API request with your modified JSON as the request input.

You can also use this modified `DescribeUserPool` output in the `--cli-input-json` parameter of `update-user-pool` in the AWS CLI.
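The procedure above, as an added example that is not part of the Amazon Cognito documentation or the AWS SDKs: a standard-library-only script that strips the read-only fields from `DescribeUserPool` output, applies a change, and warns about any setting that the resulting request would silently reset to its default. The sample pool, account number and function names are constructed; nothing here calls AWS.

```python
"""Turn DescribeUserPool output into an UpdateUserPool request body.

Usage: save `aws cognito-idp describe-user-pool` output to a file, run
`python build_update.py describe.json '{"MfaConfiguration": "OPTIONAL"}'`,
and pass the printed JSON to `update-user-pool --cli-input-json file://...`.
"""
import copy
import json
import sys

# Top-level fields that DescribeUserPool returns but UpdateUserPool does not
# accept (the list from the procedure above). Domain and CustomDomain are
# changed with UpdateUserPoolDomain instead.
READ_ONLY_FIELDS = frozenset({
    "Arn", "CreationDate", "CustomDomain", "Domain", "EmailConfigurationFailure",
    "EstimatedNumberOfUsers", "Id", "LastModifiedDate", "Name", "SchemaAttributes",
    "SmsConfigurationFailure", "Status",
})

# Values that UpdateUserPool treats as "not provided", i.e. reset to default.
EMPTY = (None, "", [], {})

# Constructed sample shaped like DescribeUserPool output; the pool ID format
# follows the page, the account number and ARNs are placeholders.
SAMPLE_DESCRIBE_OUTPUT = {
    "UserPool": {
        "Id": "us-east-1_EXAMPLE",
        "Name": "example-pool",
        "Arn": "arn:aws:cognito-idp:us-east-1:111122223333:userpool/us-east-1_EXAMPLE",
        "Status": "Enabled",
        "CreationDate": 1524628110.29,
        "LastModifiedDate": 1530055177.553,
        "EstimatedNumberOfUsers": 42,
        "Domain": "example-auth",
        "SchemaAttributes": [
            {"Name": "email", "AttributeDataType": "String", "Required": True}
        ],
        "Policies": {"PasswordPolicy": {"MinimumLength": 12, "RequireSymbols": True}},
        "DeletionProtection": "ACTIVE",
        "MfaConfiguration": "ON",
        "AutoVerifiedAttributes": ["email"],
        "LambdaConfig": {
            "PreTokenGeneration":
                "arn:aws:lambda:us-east-1:111122223333:function:example-pre-token"
        },
    }
}


def describe_to_update_input(describe_output, changes=None):
    """Steps 2 to 4: drop read-only fields, keep everything else, apply changes.

    A change whose value is None removes that parameter from the request, which
    makes Amazon Cognito reset it to its default on purpose.
    """
    pool = describe_output["UserPool"]
    body = {
        key: copy.deepcopy(value)
        for key, value in pool.items()
        if key not in READ_ONLY_FIELDS
    }
    # UpdateUserPool identifies the pool with UserPoolId, not the Id field.
    body["UserPoolId"] = pool["Id"]
    for key, value in (changes or {}).items():
        if value is None:
            body.pop(key, None)
        else:
            body[key] = value
    return body


def settings_reset_by(request_body, describe_output):
    """List settings that have a value today but that the request omits or
    empties. UpdateUserPool would reset each of them to its default (the
    failure mode in the Important note above), so an empty list is the goal."""
    pool = describe_output["UserPool"]
    return sorted(
        key
        for key, current in pool.items()
        if key not in READ_ONLY_FIELDS
        and current not in EMPTY
        and request_body.get(key) in EMPTY
    )


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as handle:
            describe_output = json.load(handle)
    else:
        describe_output = SAMPLE_DESCRIBE_OUTPUT
    changes = json.loads(sys.argv[2]) if len(sys.argv) > 2 else {}
    body = describe_to_update_input(describe_output, changes)
    for key in settings_reset_by(body, describe_output):
        print(f"warning: {key} would be reset to its default value", file=sys.stderr)
    print(json.dumps(body, indent=2))
```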

Alternately, run the following AWS CLI command to generate JSON with blank values for the accepted input fields for `update-user-pool`. You can then populate these fields with the existing values from your user pool.

```
aws cognito-idp update-user-pool --generate-cli-skeleton --output json
```

Run the following command to generate the same JSON object for an app client.

```
aws cognito-idp update-user-pool-client --generate-cli-skeleton --output json
```

# Application-specific settings with app clients
<a name="user-pool-settings-client-apps"></a>

A user pool app client is a configuration within a user pool that interacts with one mobile or web application that authenticates with Amazon Cognito. App clients can call authenticated and unauthenticated API operations, and read or modify some or all of your users' attributes. Your app must identify itself to the app client in operations to register, sign in, and handle forgotten passwords. These API requests must include self-identification with an app client ID, and authorization with an optional client secret. You must secure any app client IDs or secrets so that only authorized client apps can call these unauthenticated operations. Additionally, if you configure your app to sign authenticated API requests with AWS credentials, you must secure your credentials against user inspection.

You can create multiple apps for a user pool. An app client might be linked to the code platform of an app, or a separate tenant in your user pool. For example, you might create an app for a server-side application and a different Android app. Each app has its own app client ID.

You can apply settings for the following user pool features at the app client level:

1. [Analytics](cognito-user-pools-pinpoint-integration.md)

1. [Managed login](cognito-user-pools-managed-login.md) IdPs, grant types, callback URLs, and customization

1. [Resource servers and custom scopes](cognito-user-pools-define-resource-servers.md)

1. [Threat protection](cognito-user-pool-settings-threat-protection.md)

1. [Attribute read and write permissions](user-pool-settings-attributes.md#user-pool-settings-attribute-permissions-and-scopes)

1. [Token expiration and revocation](amazon-cognito-user-pools-using-tokens-with-identity-providers.md)

1. [Authentication flows](authentication.md#amazon-cognito-user-pools-authentication-flow)

## App client types
<a name="user-pool-settings-client-app-client-types"></a>

When you create an app client in Amazon Cognito, you can pre-populate options based on the standard OAuth client types **public client** and **confidential client**. Configure a **confidential client** with a **client secret**. For more information about client types, see [IETF RFC 6749 §2.1](https://datatracker.ietf.org/doc/html/rfc6749#section-2.1).

**Public client**  
A public client runs in a browser or on a mobile device. Because it does not have trusted server-side resources, it does not have a client secret.

**Confidential client**  
A confidential client has server-side resources that can be trusted with a **client secret** for unauthenticated API operations. The app might run as a daemon or shell script on your backend server.

**Client secret**  
A client secret, or client password, is a fixed string that your app must use in all API requests to the app client. Your app client must have a client secret to perform `client_credentials` grants. For more information, see [IETF RFC 6749 §2.3.1](https://datatracker.ietf.org/doc/html/rfc6749#section-2.3.1).  
Each app client can have up to two secrets at a time, enabling secret rotation without downtime. When you create an app client, you can either let Amazon Cognito generate a secret value or provide your own custom secret value. You can't change secrets after you create an app. You can add a second secret with the [AddUserPoolClientSecret](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AddUserPoolClientSecret.html) API operation to rotate secrets. When you add a secret, you can either let Amazon Cognito generate a secret value or provide your own custom secret value. To delete a secret, use the [DeleteUserPoolClientSecret](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DeleteUserPoolClientSecret.html) API operation. You cannot delete the only secret associated with an app client. You can also delete an app to block access from apps that use that app client ID.  
The Amazon Cognito console creates app clients with client secrets when you select the **Traditional web application** and **Machine-to-machine application** options for application type. Choose one of these options to generate a client secret, or create the client programmatically with [CreateUserPoolClient](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPoolClient.html) and set `GenerateSecret` to `true`.

You can use a confidential client, and a client secret, with a public app. Use an Amazon CloudFront proxy to add a `SECRET_HASH` in transit. For more information, see [Protect public clients for Amazon Cognito by using an Amazon CloudFront proxy](https://aws.amazon.com/blogs/security/protect-public-clients-for-amazon-cognito-by-using-an-amazon-cloudfront-proxy/) on the AWS blog.

## JSON web tokens
<a name="user-pool-settings-client-app-token-types"></a>

Amazon Cognito app clients can issue JSON web tokens (JWTs) of the following types.

**Identity (ID) token**  
A verifiable statement that your user is authenticated from your user pool. OpenID Connect (OIDC) added the [ID token specification](https://openid.net/specs/openid-connect-core-1_0.html#IDToken) to the access and refresh token standards defined by OAuth 2.0. The ID token contains identity information, like user attributes, that your app can use to create a user profile and provision resources. See [Understanding the identity (ID) token](amazon-cognito-user-pools-using-the-id-token.md) for more information.

**Access token**  
A verifiable statement of your user's access rights. The access token contains [scopes](https://datatracker.ietf.org/doc/html/rfc6749#section-3.3), a feature of OIDC and OAuth 2.0. Your app can present scopes to back-end resources and prove that your user pool authorized a user or machine to access data from an API, or their own user data. An access token with *custom scopes*, often from an M2M client-credentials grant, authorizes access to a resource server. See [Understanding the access token](amazon-cognito-user-pools-using-the-access-token.md) for more information.

**Refresh token**  
An encrypted statement of initial authentication that your app can present to your user pool when your user's tokens expire. A refresh-token request returns new, unexpired access and ID tokens. See [Refresh tokens](amazon-cognito-user-pools-using-the-refresh-token.md) for more information.

You can set the expiration of these tokens for each app client from the **App clients** menu of your user pool in the [Amazon Cognito console](https://console.aws.amazon.com/cognito/v2/idp/user-pools).

## App client terms
<a name="cognito-user-pools-app-idp-settings-about"></a>

The following terms are available properties of app clients in the Amazon Cognito console.

**Allowed callback URLs**  
A callback URL indicates where the user will be redirected after a successful sign-in. Choose at least one callback URL. The callback URL must:  
+ Be an absolute URI.
+ Be pre-registered with a client.
+ Not include a fragment component.
See [OAuth 2.0 - redirection endpoint](https://tools.ietf.org/html/rfc6749#section-3.1.2).  
Amazon Cognito requires `HTTPS` over `HTTP` except for `http://localhost` for testing purposes only.  
App callback URLs such as `myapp://example` are also supported.
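The callback URL rules above, as an added example that is not part of the Amazon Cognito documentation or the AWS SDKs: a checker a deployment pipeline can run over a `CallbackURLs` list before it reaches `CreateUserPoolClient` or `UpdateUserPoolClient`, plus the exact-match registration check that the "pre-registered with a client" rule implies. The URLs in the test are constructed.

```python
"""Validate app client callback URLs against the rules on this page."""
from urllib.parse import urlsplit


def callback_url_problems(url):
    """Return the rule violations for one callback URL; an empty list is valid."""
    problems = []
    parts = urlsplit(url)
    # Rule: the URL must be an absolute URI, so a scheme is mandatory and
    # http(s) URLs also need a host.
    if not parts.scheme:
        problems.append("not an absolute URI (missing scheme)")
    elif parts.scheme in ("http", "https") and not parts.hostname:
        problems.append("not an absolute URI (missing host)")
    # Rule: no fragment component (RFC 6749 section 3.1.2). An unescaped '#'
    # always starts a fragment, even when nothing follows it.
    if "#" in url:
        problems.append("contains a fragment component")
    # Rule: HTTPS is required; plain HTTP is accepted only for http://localhost,
    # and only for testing. Custom app schemes such as myapp://example pass.
    if parts.scheme == "http" and parts.hostname != "localhost":
        problems.append("http is only allowed for localhost; use https")
    return problems


def validate_callback_urls(urls):
    """Map each offending URL in an app client's CallbackURLs to its problems."""
    report = {url: callback_url_problems(url) for url in urls}
    return {url: probs for url, probs in report.items() if probs}


def redirect_uri_is_registered(redirect_uri, callback_urls):
    """The pre-registration rule: a redirect_uri from an authorization request
    must match one registered callback URL exactly, with no prefix, wildcard
    or trailing-slash tolerance. Normalising here would widen the check."""
    return redirect_uri in callback_urls
```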

**Allowed sign out URLs**  
A sign-out URL indicates where your user is to be redirected after signing out.

**Attribute read and write permissions**  
Your user pool might have many customers, each with their own app client and IdPs. You can configure your app client to have read and write access to only those user attributes that are relevant to the app. In cases like machine-to-machine (M2M) authorization, you can grant access to none of your user attributes.  

**Considerations for attribute read and write permissions configuration**
+ When you create an app client and don't customize attribute read and write permissions, Amazon Cognito grants read and write permissions to all user pool attributes.
+ You can grant write access to immutable [custom attributes](user-pool-settings-attributes.md#user-pool-settings-custom-attributes.title). Your app client can write values to immutable attributes when you create or sign up a user. After this, you can't write values to any immutable custom attributes for the user.
+ App clients must have write access to required attributes in your user pool. The Amazon Cognito console automatically sets required attributes as writeable.
+ You can't permit an app client to have write access to `email_verified` or `phone_number_verified`. A user pool administrator can modify these values. A user can only change the value of these attributes through [attribute verification](signing-up-users-in-your-app.md#allowing-users-to-sign-up-and-confirm-themselves.title).

**Authentication flows**  
The methods that your app client allows for sign-in. Your app can support authentication with username and password, email and SMS message OTPs, passkey authenticators, custom authentication with Lambda triggers, and token refresh. As a best security practice, use SRP authentication for username and password authentication in custom-built applications.

**Custom scopes**  
A custom scope is one that you define for your own resource server in the **Resource Servers**. The format is *resource-server-identifier*/*scope*. See [Scopes, M2M, and resource servers](cognito-user-pools-define-resource-servers.md).

**Default redirect URI**  
Replaces the `redirect_uri` parameter in authentication requests for users with third-party IdPs. Configure this app client setting with the `DefaultRedirectURI` parameter of a [CreateUserPoolClient](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPoolClient.html) or [UpdateUserPoolClient](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPoolClient.html) API request. This URL must also be a member of the `CallbackURLs` for your app client. Amazon Cognito redirects authenticated sessions to this URL when:  

1. Your app client has one [identity provider](#app-client-terms-identity-provider) assigned and multiple [callback URLs](#app-client-terms-callback-urls) defined. When requests to the [authorization server](authorization-endpoint.md) don't include a `redirect_uri` parameter, your user pool redirects them to the default redirect URI.

1. Your app client has one [identity provider](#app-client-terms-identity-provider) assigned and one [callback URL](#app-client-terms-callback-urls) defined. In this scenario, you don't need to define a default redirect URI. Requests that don't include a `redirect_uri` parameter redirect to the one available callback URL.

**Identity providers**  
You can choose some or all of your user pool external identity providers (IdPs) to authenticate your users. Your app client can also authenticate only local users in your user pool. When you add an IdP to your app client, you can generate authorization links to the IdP and display it on your managed login sign-in page. You can assign multiple IdPs, but you must assign at least one. For more information on using external IdPs, see [User pool sign-in with third party identity providers](cognito-user-pools-identity-federation.md).

**OpenID Connect scopes**  
Choose one or more of the following `OAuth` scopes to specify the access privileges that can be requested for access tokens.  
+ The `openid` scope declares that you want to retrieve an ID token and a user's unique ID. It also requests all or some user attributes, depending on additional scopes in the request. Amazon Cognito doesn't return an ID token unless you request the `openid` scope. The `openid` scope authorizes structural ID token claims like expiration and key ID, and determines the user attributes that you receive in a response from the [userInfo endpoint](userinfo-endpoint.md).
  + When `openid` is the only scope that you request, Amazon Cognito populates the ID token with all user attributes that the current app client can read. The `userInfo` response to an access token with this scope alone returns all user attributes.
  + When you request `openid` with other scopes like `phone`, `email`, or `profile`, the ID token and `userInfo` return the user's unique ID and the attributes defined by the additional scopes.
+ The `phone` scope grants access to the `phone_number` and `phone_number_verified` claims. This scope can only be requested with the `openid` scope.
+ The `email` scope grants access to the `email` and `email_verified` claims. This scope can only be requested with the `openid` scope.
+ The `aws.cognito.signin.user.admin` scope grants access to [Amazon Cognito user pools API operations](authentication-flows-public-server-side.md#user-pools-API-operations) that require access tokens, such as [UpdateUserAttributes](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserAttributes.html) and [VerifyUserAttribute](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_VerifyUserAttribute.html).
+ The `profile` scope grants access to all user attributes that are readable by the client. This scope can only be requested with the `openid` scope.
For more information about scopes, see the list of [standard OIDC scopes](http://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims).

**OAuth grant types**  
An OAuth grant is a method of authentication that retrieves user-pool tokens. Amazon Cognito supports the following types of grants. To integrate these OAuth grants in your app, you must add a domain to your user pool.  
**Authorization code grant**  
The authorization code grant generates a code that your app can exchange for user pool tokens with the [Token endpoint](token-endpoint.md). When you exchange an authorization code, your app receives ID, access, and refresh tokens. This OAuth flow, like the implicit grant, happens in your users' browsers. An authorization code grant is the most secure grant that Amazon Cognito offers, because tokens aren't visible in your users' sessions. Instead, your app generates the request that returns tokens and can cache them in protected storage. For more information, see *Authorization code* in [IETF RFC 6749 §1.3.1](https://datatracker.ietf.org/doc/html/rfc6749#section-1.3.1).
As a best security practice in public-client apps, activate only the authorization-code grant OAuth flow, and implement Proof Key for Code Exchange (PKCE) to restrict token exchange. With PKCE, a client can only exchange an authorization code when they have provided the token endpoint with the same secret that was presented in the original authentication request. For more information on PKCE, see [IETF RFC 7636](https://datatracker.ietf.org/doc/html/rfc7636).
**Implicit grant**  
The implicit grant delivers an access token and an ID token, but not a refresh token, to your user's browser session directly from the [Authorize endpoint](authorization-endpoint.md). An implicit grant removes the requirement for a separate request to the token endpoint, but isn't compatible with PKCE and doesn't return refresh tokens. This grant accommodates testing scenarios and app architectures that can't complete authorization-code grants. For more information, see *Implicit grant* in [IETF RFC 6749 §1.3.2](https://datatracker.ietf.org/doc/html/rfc6749#section-1.3.2). You can activate both the authorization-code grant and the implicit grant in an app client, and then use each grant as needed.
**Client credentials grant**  
The client credentials grant is for machine-to-machine (M2M) communications. Authorization-code and implicit grants issue tokens to authenticated human users. Client credentials grants provide scope-based authorization from a non-interactive system to an API. Your app can request client credentials directly from the token endpoint and receive an access token. For more information, see *Client Credentials* in [IETF RFC 6749 §1.3.4](https://datatracker.ietf.org/doc/html/rfc6749#section-1.3.4). You can only activate client-credentials grants in app clients that have a client secret and that don't support authorization-code or implicit grants.
Because you don't invoke the client credentials flow as a user, this grant can only add *custom* scopes to access tokens. A custom scope is one that you define for your own resource server. Default scopes like `openid` and `profile` don't apply to nonhuman users.  
Because ID tokens are a validation of user attributes, they aren't relevant to M2M communication, and a client credentials grant doesn't issue them. See [Scopes, M2M, and resource servers](cognito-user-pools-define-resource-servers.md).
Client credentials grants add costs to your AWS bill. For more information, see [Amazon Cognito Pricing](https://aws.amazon.com/cognito/pricing).
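The authorization-code grant with PKCE recommended above, as an added example that is not part of the Amazon Cognito documentation or the AWS SDKs: it derives the RFC 7636 verifier and S256 challenge, builds the request to the user pool's `/oauth2/authorize` endpoint, enforces the rule from the scopes section that `phone`, `email` and `profile` need `openid`, and builds the `/oauth2/token` exchange. The domain, client ID, redirect URI and state values are constructed placeholders; a public client sends `client_id` in the token request body as shown, while a confidential client would instead present `client_id:client_secret` in an HTTP Basic `Authorization` header.

```python
"""Authorization-code grant with PKCE for a user pool managed login domain."""
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Standard scopes that Amazon Cognito accepts only together with openid.
OPENID_DEPENDENT_SCOPES = frozenset({"phone", "email", "profile"})


def make_code_verifier(nbytes=32):
    """RFC 7636 section 4.1: 43 to 128 unreserved characters from a CSPRNG.
    token_urlsafe only emits A-Z, a-z, 0-9, '-' and '_', all unreserved;
    32 random bytes give 43 characters, the minimum length."""
    return secrets.token_urlsafe(nbytes)


def code_challenge_s256(code_verifier):
    """RFC 7636 section 4.2: BASE64URL(SHA256(ASCII(code_verifier))), no padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorize_url(domain, client_id, redirect_uri, scopes, state, code_verifier):
    """Request to the authorize endpoint. Only the challenge leaves the client;
    the verifier stays in the session until the token exchange."""
    if OPENID_DEPENDENT_SCOPES & set(scopes) and "openid" not in scopes:
        raise ValueError("phone, email and profile can only be requested with openid")
    params = {
        "response_type": "code",  # authorization-code grant, never "token"
        "client_id": client_id,
        "redirect_uri": redirect_uri,  # must exactly match a registered callback URL
        "scope": " ".join(scopes),
        "state": state,  # unguessable value bound to this browser session
        "code_challenge": code_challenge_s256(code_verifier),
        "code_challenge_method": "S256",
    }
    return f"https://{domain}/oauth2/authorize?{urlencode(params)}"


def build_token_request(domain, client_id, redirect_uri, code, code_verifier):
    """Exchange at the token endpoint: the verifier proves this client started
    the request, so a stolen code alone cannot be redeemed.
    Returns (url, form body) for an application/x-www-form-urlencoded POST."""
    body = {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,  # same value as in the authorize request
        "code": code,
        "code_verifier": code_verifier,
    }
    return f"https://{domain}/oauth2/token", urlencode(body)


if __name__ == "__main__":
    # Constructed values; replace with your own domain, client ID and callback URL.
    DOMAIN = "auth.example.com"
    CLIENT_ID = "1example23456789abcdefghijklmn"
    REDIRECT_URI = "https://example.com/callback"
    verifier = make_code_verifier()
    print(build_authorize_url(DOMAIN, CLIENT_ID, REDIRECT_URI,
                              ["openid", "email"], secrets.token_urlsafe(16), verifier))
    url, form = build_token_request(DOMAIN, CLIENT_ID, REDIRECT_URI,
                                    "AUTH_CODE_FROM_CALLBACK", verifier)
    print(url, form)
```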

## Creating an app client
<a name="cognito-user-pools-app-idp-settings-console-create"></a>

------
#### [ AWS Management Console ]

**To create an app client (console)**

1. Go to the [Amazon Cognito console](https://console.aws.amazon.com/cognito/home). If prompted, enter your AWS credentials.

1. Choose **User Pools**.

1. Choose an existing user pool from the list, or create a user pool. Both options prompt you to configure an app client with application-specific settings.

1. Choose an **Application type** that reflects your application architecture.

1. **Name your application** with a friendly identifier.

1. Enter a **Return URL**.

1. Choose **Create app client**. You can change advanced options after you create your app client.

1. Amazon Cognito returns you to app client details. To access example code for your application, select a platform from the **Quick setup guide** tab.

------
#### [ AWS CLI ]

```
aws cognito-idp create-user-pool-client --user-pool-id MyUserPoolID --client-name myApp
```

**Note**  
Use JSON format for callback and logout URLs to prevent the CLI from treating them as remote parameter files:  

```
--callback-urls '["https://example.com"]'
--logout-urls '["https://example.com"]'
```

See the AWS CLI command reference for more information: [create-user-pool-client](https://docs.aws.amazon.com/cli/latest/reference/cognito-idp/create-user-pool-client.html)

------
#### [ Amazon Cognito user pools API ]

Generate a [CreateUserPoolClient](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPoolClient.html) API request. You must specify a value for all parameters that you don't want set to a default value.

------

## Updating a user pool app client (AWS CLI and AWS API)
<a name="cognito-user-pools-app-idp-settings-cli-api-update-user-pool-client"></a>

At the AWS CLI, enter the following command:

```
aws cognito-idp update-user-pool-client --user-pool-id "MyUserPoolID" --client-id "MyAppClientID" --allowed-o-auth-flows-user-pool-client --allowed-o-auth-flows "code" "implicit" --allowed-o-auth-scopes "openid" --callback-urls '["https://example.com"]' --supported-identity-providers '["MySAMLIdP", "LoginWithAmazon"]'
```

If the command is successful, the AWS CLI returns a confirmation:

```
{
    "UserPoolClient": {
        "ClientId": "MyClientID",
        "SupportedIdentityProviders": [
            "LoginWithAmazon",
            "MySAMLIdP"
        ],
        "CallbackURLs": [
            "https://example.com"
        ],
        "AllowedOAuthScopes": [
            "openid"
        ],
        "ClientName": "Example",
        "AllowedOAuthFlows": [
            "implicit",
            "code"
        ],
        "RefreshTokenValidity": 30,
        "AuthSessionValidity": 3,
        "CreationDate": 1524628110.29,
        "AllowedOAuthFlowsUserPoolClient": true,
        "UserPoolId": "MyUserPoolID",
        "LastModifiedDate": 1530055177.553
    }
}
```

See the AWS CLI command reference for more information: [update-user-pool-client](https://docs.aws.amazon.com/cli/latest/reference/cognito-idp/update-user-pool-client.html).

AWS API: [UpdateUserPoolClient](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPoolClient.html)

## Getting information about a user pool app client (AWS CLI and AWS API)
<a name="cognito-user-pools-app-idp-settings-cli-api-describe-user-pool-client"></a>

```
aws cognito-idp describe-user-pool-client --user-pool-id MyUserPoolID --client-id MyClientID
```

See the AWS CLI command reference for more information: [describe-user-pool-client](https://docs.aws.amazon.com/cli/latest/reference/cognito-idp/describe-user-pool-client.html).

AWS API: [DescribeUserPoolClient](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPoolClient.html)

## Listing all app client information in a user pool (AWS CLI and AWS API)
<a name="cognito-user-pools-app-idp-settings-cli-api-list-user-pool-clients"></a>

```
aws cognito-idp list-user-pool-clients --user-pool-id "MyUserPoolID" --max-results 3
```

See the AWS CLI command reference for more information: [list-user-pool-clients](https://docs.aws.amazon.com/cli/latest/reference/cognito-idp/list-user-pool-clients.html).

AWS API: [ListUserPoolClients](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_ListUserPoolClients.html)

## Deleting a user pool app client (AWS CLI and AWS API)
<a name="cognito-user-pools-app-idp-settings-cli-api-delete-user-pool-client"></a>

```
aws cognito-idp delete-user-pool-client --user-pool-id "MyUserPoolID" --client-id "MyAppClientID"
```

See the AWS CLI command reference for more information: [delete-user-pool-client](https://docs.aws.amazon.com/cli/latest/reference/cognito-idp/delete-user-pool-client.html)

AWS API: [DeleteUserPoolClient](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DeleteUserPoolClient.html)

# Working with user devices in your user pool
<a name="amazon-cognito-user-pools-device-tracking"></a>

When you sign in local user pool users with the Amazon Cognito user pools API, you can associate your users’ activity logs from [threat protection](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-threat-protection.html) with each of their devices and, optionally, allow your users to skip multi-factor authentication (MFA) if they’re on a trusted device. Amazon Cognito includes a device key in the response to any sign-in that doesn’t already include device information. The device key is in the format `Region_UUID`. With a device key, a Secure Remote Password (SRP) library, and a user pool that permits device authentication, you can prompt users in your app to trust the current device and no longer prompt for an MFA code at sign-in.

**Topics**
+ [Setting up remembered devices](#amazon-cognito-user-pools-setting-up-remembered-devices)
+ [Getting a device key](#user-pools-remembered-devices-getting-a-device-key)
+ [Signing in with a device](#user-pools-remembered-devices-signing-in-with-a-device)
+ [Viewing, updating and forgetting devices](#user-pools-remembered-devices-viewing-updating-forgetting)

## Setting up remembered devices
<a name="amazon-cognito-user-pools-setting-up-remembered-devices"></a>

With Amazon Cognito user pools, you can associate each of your users' devices with a unique device identifier: a device key. When you present the device key and perform device authentication at sign-in, you can configure your application with a *trusted device* authentication flow. In this flow, your application can present a choice to users to sign in without MFA until a later time, as determined by the security requirements of your app or the preferences of your users. At the end of that time period, your application must change the device status to *not remembered* and the user must sign in with MFA until they confirm that they want to remember a device. For example, your application might prompt your users to trust a device for 30, 60, or 90 days. You can store this date in a custom attribute and on that date, change the remembered status of their device. You must then re-prompt your user to submit an MFA code and set the device to be remembered again after successful authentication.

**Note**  
Remembered devices can override MFA only in user pools with MFA active.

When your user signs in with a remembered device, you must perform an additional device authentication during their authentication flow. For more information, see [Signing in with a device](#user-pools-remembered-devices-signing-in-with-a-device).

Configure your user pool to remember devices in the **Sign-in** menu of your user pool, under **Device tracking**. When you set up remembered devices in the Amazon Cognito console, you have three options: **Always remember**, **User opt-in**, and **Don't remember**.

**Don't remember**  
Your user pool doesn't prompt users to remember devices when they sign in.

**Always remember**  
When your app confirms a user's device, your user pool always remembers the device and doesn't return MFA challenges on future successful device sign-ins.

**User opt-in**  
When your app confirms a user's device, your user pool doesn't automatically suppress MFA challenges. You must prompt your user to choose whether they want to remember the device.

When you choose **Always remember** or **User opt-in**, Amazon Cognito generates a device-identifier key and secret every time a user signs in from an unidentified device. The device key is the initial identifier that your app sends to your user pool when your user performs device authentication.

With each confirmed user device, whether remembered automatically or opted-in, you can use the device-identifier key and secret to authenticate a device on every user sign-in. 

You can also configure remembered-device settings for your user pool in a [CreateUserPool](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html) or [UpdateUserPool](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html) API request. For more information, see the [DeviceConfiguration](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html#CognitoUserPools-UpdateUserPool-request-DeviceConfiguration) property.

The Amazon Cognito user pools API has additional operations for remembered devices.

1. [ListDevices](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_ListDevices.html) and [AdminListDevices](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminListDevices.html) return a list of the device keys and their metadata for a user.

1. [GetDevice](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_GetDevice.html) and [AdminGetDevice](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminGetDevice.html) return the device key and metadata for a single device.

1. [UpdateDeviceStatus](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateDeviceStatus.html) and [AdminUpdateDeviceStatus](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminUpdateDeviceStatus.html) set a user's device as remembered or not remembered.

1. [ForgetDevice](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_ForgetDevice.html) and [AdminForgetDevice](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminForgetDevice.html) remove a user's confirmed device from their profile.

API operations with names that begin with `Admin` are for use in server-side apps and must be authorized with IAM credentials. For more information, see [Understanding API, OIDC, and managed login pages authentication](authentication-flows-public-server-side.md#user-pools-API-operations).

## Getting a device key
<a name="user-pools-remembered-devices-getting-a-device-key"></a>

Any time that your user signs in with the user pools API and doesn’t include a device key in the authentication parameters as `DEVICE_KEY`, Amazon Cognito returns a new device key in the response. In your public client-side app, place the device key in app storage so that you can include it in future requests. In your confidential server-side app, set a browser cookie or another client-side token with your user’s device key.

Before your user can sign in with their trusted device, your app must confirm the device key and provide additional information. Generate a [ConfirmDevice](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_ConfirmDevice.html) request to Amazon Cognito that confirms your user’s device with the device key, a friendly name, a password verifier, and a salt. If you configured your user pool for opt-in device authentication, Amazon Cognito responds to your `ConfirmDevice` request with an indication that you must prompt your user to choose whether to remember the current device. Respond with your user’s selection in an [UpdateDeviceStatus](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateDeviceStatus.html) request.

When you confirm your user’s device but don’t set it as remembered, Amazon Cognito stores the association but proceeds with non-device sign-in when you provide the device key. Devices can generate logs that are useful for user security and troubleshooting. A confirmed but unremembered device doesn’t take advantage of the sign-in feature, but does take advantage of the security monitoring logs feature. When you activate threat protection for your app client and encode a device fingerprint into your request, Amazon Cognito associates user events with the confirmed device. 

**To get a new device key**

1. Start your user’s sign-in session with an [InitiateAuth](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_InitiateAuth.html) API request.

1. Respond to all authentication challenges with [RespondToAuthChallenge](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_RespondToAuthChallenge.html) until you receive JSON web tokens (JWTs) that mark your user’s sign-in session complete.

1. In your app, record the values that Amazon Cognito returns in `NewDeviceMetadata` in its `RespondToAuthChallenge` or `InitiateAuth` response: `DeviceGroupKey` and `DeviceKey`.

1. Generate a new SRP secret for your user: a salt and a password verifier. This function is available in SDKs that provide SRP libraries.

1. Prompt your user for a device name, or generate one from your user’s device characteristics.

1. Provide your user’s access token, device key, device name, and SRP secret in a [ConfirmDevice](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_ConfirmDevice.html) API request. If your user pool is set to **Always remember** devices, your user’s registration is complete.

1. If Amazon Cognito responded to `ConfirmDevice` with `"UserConfirmationNecessary": true`, prompt your user to choose if they would like to remember the device. If they affirm that they want to remember the device, generate an [UpdateDeviceStatus](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateDeviceStatus.html) API request with your user’s access token, device key, and `"DeviceRememberedStatus": "remembered"`.

1. If you have instructed Amazon Cognito to remember the device, the next time your user signs in, they’re presented with a `DEVICE_SRP_AUTH` challenge instead of an MFA challenge.

## Signing in with a device
<a name="user-pools-remembered-devices-signing-in-with-a-device"></a>

After you configure a user’s device to be remembered, Amazon Cognito no longer requires them to submit an MFA code when they sign in with the same device key. Device authentication only replaces the MFA-authentication challenge with a device-authentication challenge. You can’t sign users in with device authentication only. Your user must first complete authentication with their password or a custom challenge. The following is the authentication process for a user on a remembered device.

To perform device authentication in a flow that uses [Custom authentication challenge Lambda triggers](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-challenge.html), pass a `DEVICE_KEY` parameter in your [InitiateAuth](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_InitiateAuth.html) API request. After your user passes all challenges and the `CUSTOM_CHALLENGE` challenge returns an `issueTokens` value of `true`, Amazon Cognito returns one final `DEVICE_SRP_AUTH` challenge.

**To sign in with a device**

1. Retrieve your user’s device key from client storage.

1. Start your user’s sign-in session with an [InitiateAuth](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_InitiateAuth.html) API request. Choose an `AuthFlow` of `USER_SRP_AUTH`, `REFRESH_TOKEN_AUTH`, `USER_PASSWORD_AUTH`, or `CUSTOM_AUTH`. In `AuthParameters`, add your user’s device key to the `DEVICE_KEY` parameter, and include the other required parameters for your selected sign-in flow.

   1. You can also pass `DEVICE_KEY` in the parameters of a `PASSWORD_VERIFIER` response to an authentication challenge.

1. Complete challenge responses until you receive a `DEVICE_SRP_AUTH` challenge in the response.

1. In a [RespondToAuthChallenge](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_RespondToAuthChallenge.html) API request, send a `ChallengeName` of `DEVICE_SRP_AUTH` and parameters for `USERNAME`, `DEVICE_KEY`, and `SRP_A`.

1. Amazon Cognito responds with a `DEVICE_PASSWORD_VERIFIER` challenge. This challenge response includes values for `SECRET_BLOCK` and `SRP_B`.

1. With your SRP library, generate and submit `PASSWORD_CLAIM_SIGNATURE`, `PASSWORD_CLAIM_SECRET_BLOCK`, `TIMESTAMP`, `USERNAME`, and `DEVICE_KEY` parameters. Submit these in an additional `RespondToAuthChallenge` request.

1. Complete additional challenges until you receive the user’s JWTs.

The following pseudocode demonstrates how to calculate values for your `DEVICE_PASSWORD_VERIFIER` challenge response. For SRP authentication with a device, generate a *new* SRP secret for your user: a fresh high-entropy password `DeviceSecret`, a salt, and the associated password verifier. These values are distinct from the password, salt, and verifier used for the user's SRP authentication. They are only used for device authentication and are only stored on the device. Functions for generating the SRP secrets for users' devices are available in [SRP libraries](https://github.com/secure-remote-password/implementations) that are available in various SDKs.

```
PASSWORD_CLAIM_SECRET_BLOCK = SECRET_BLOCK
TIMESTAMP = "Tue May 7 00:09:40 UTC 2025"
k = SHA256(N || g) as a non-negative integer in big-endian
u = SHA256(SRP_A || SRP_B) as a non-negative integer in big-endian
x = SHA256(salt || SHA256(DeviceGroupKey || DeviceKey || ":" || DeviceSecret)) as a non-negative integer in big-endian
S_USER = (SRP_B - k * g^x)^(a + u * x) % N
K_USER = HKDF_HMAC_SHA256(salt=u, ikm=S_USER, info="Caldera Derived Key", length=16 bytes)
PASSWORD_CLAIM_SIGNATURE = Base64(HMAC_SHA256(key=K_USER, message=(DeviceGroupKey || DeviceKey || PASSWORD_CLAIM_SECRET_BLOCK || TIMESTAMP)))
```
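The pseudocode above, together with the salt and password verifier that the `ConfirmDevice` step in "Getting a device key" requires, carried through in Python as an added example (not Amazon Cognito or SDK code). It assumes the hex-padding, hashing, and base64-decoding conventions of public SDK SRP libraries and the RFC 5054 3072-bit group; the `DeviceGroupKey`, `DeviceKey`, `SECRET_BLOCK` and `TIMESTAMP` values are constructed, and `server_signature` is a model of the verifying side included only so the round trip can be checked offline.

```python
# Added example following the page's pseudocode; not Amazon Cognito or SDK code. Hex padding,
# hashing and base64 conventions are assumed from public SDK SRP libraries: verify against yours.
import base64
import hashlib
import hmac
import secrets

N_HEX = (  # RFC 3526 / RFC 5054 3072-bit MODP group (group 15), generator 2, used by Cognito SRP
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D"
    "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F"
    "83655D23DCA3AD961C62F356208552BB9ED529077096966D"
    "670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9"
    "DE2BCBF6955817183995497CEA956AE515D2261898FA0510"
    "15728E5A8AAAC42DAD33170D04507A33A85521ABDF1CBA64"
    "ECFB850458DBEF0A8AEA71575D060C7DB3970F85A6E1E4C7"
    "ABF5AE8CDB0933D71E8C94E04A25619DCEE3D2261AD2EE6B"
    "F12FFA06D98A0864D87602733EC86A64521F2B18177B200C"
    "BBE117577A615D6C770988C0BAD946E208E24FA074E5AB31"
    "43DB5BFCE0FD108E4B82D120A93AD2CAFFFFFFFFFFFFFFFF"
)
N, G = int(N_HEX, 16), 2
HKDF_INFO = b"Caldera Derived Key"


def pad_hex(n: int) -> str:
    """Big-endian hex of a non-negative integer: even length, leading 00 when the top bit is set."""
    h = format(n, "x")
    if len(h) % 2:
        return "0" + h
    return "00" + h if h[0] in "89abcdef" else h


def hash_hex_int(hex_str: str) -> int:
    """SHA256 over hex-decoded bytes, read as a non-negative big-endian integer."""
    return int.from_bytes(hashlib.sha256(bytes.fromhex(hex_str)).digest(), "big")

K = hash_hex_int(pad_hex(N) + pad_hex(G))  # k = SHA256(N || g)


def device_x(group_key: str, device_key: str, device_secret: str, salt: int) -> int:
    """x = SHA256(salt || SHA256(DeviceGroupKey || DeviceKey || ":" || DeviceSecret))."""
    inner = hashlib.sha256(f"{group_key}{device_key}:{device_secret}".encode()).hexdigest()
    return hash_hex_int(pad_hex(salt) + inner)


def session_key(s: int, u: int) -> bytes:
    """K = HKDF_HMAC_SHA256(salt=u, ikm=S, info="Caldera Derived Key", length=16 bytes)."""
    prk = hmac.new(bytes.fromhex(pad_hex(u)), bytes.fromhex(pad_hex(s)), hashlib.sha256).digest()
    return hmac.new(prk, HKDF_INFO + b"\x01", hashlib.sha256).digest()[:16]


def claim_signature(k_user: bytes, group_key: str, device_key: str, secret_block_b64: str, ts: str) -> str:
    """Base64(HMAC_SHA256(K, DeviceGroupKey || DeviceKey || SECRET_BLOCK || TIMESTAMP)).
    Assumption: the base64 SECRET_BLOCK is decoded to raw bytes before it enters the HMAC."""
    msg = group_key.encode() + device_key.encode() + base64.b64decode(secret_block_b64) + ts.encode()
    return base64.b64encode(hmac.new(k_user, msg, hashlib.sha256).digest()).decode()


def new_device_verifier(group_key: str, device_key: str):
    """ConfirmDevice material: fresh DeviceSecret (kept only on the device), salt, and v = g^x mod N."""
    device_secret = secrets.token_urlsafe(30)
    salt = secrets.randbits(128)
    return device_secret, salt, pow(G, device_x(group_key, device_key, device_secret, salt), N)


def client_signature(group_key, device_key, device_secret, salt, a, srp_a, srp_b, secret_block_b64, ts):
    """The device's DEVICE_PASSWORD_VERIFIER response: S_USER = (SRP_B - k*g^x)^(a + u*x) mod N."""
    u = hash_hex_int(pad_hex(srp_a) + pad_hex(srp_b))
    x = device_x(group_key, device_key, device_secret, salt)
    s_user = pow((srp_b - K * pow(G, x, N)) % N, a + u * x, N)
    return claim_signature(session_key(s_user, u), group_key, device_key, secret_block_b64, ts)


def server_signature(group_key, device_key, verifier, b, srp_a, srp_b, secret_block_b64, ts):
    """Model of the verifying side: it holds only v, never DeviceSecret, and computes (A * v^u)^b mod N."""
    u = hash_hex_int(pad_hex(srp_a) + pad_hex(srp_b))
    s_server = pow(srp_a * pow(verifier, u, N), b, N)
    return claim_signature(session_key(s_server, u), group_key, device_key, secret_block_b64, ts)


def run_exchange(client_secret_override: str = ""):
    """Round trip on constructed sample values; returns (client signature, server signature)."""
    group_key, device_key = "-ExampleGroup", "us-east-1_00000000-0000-4000-8000-000000000000"  # constructed
    device_secret, salt, verifier = new_device_verifier(group_key, device_key)
    a, b = secrets.randbits(1024), secrets.randbits(1024)
    srp_a = pow(G, a, N)                            # SRP_A sent with the DEVICE_SRP_AUTH response
    srp_b = (K * verifier + pow(G, b, N)) % N       # SRP_B returned with DEVICE_PASSWORD_VERIFIER
    secret_block = base64.b64encode(b"constructed secret block").decode()
    ts = "Tue May 7 00:09:40 UTC 2025"
    client = client_signature(group_key, device_key, client_secret_override or device_secret,
                              salt, a, srp_a, srp_b, secret_block, ts)
    server = server_signature(group_key, device_key, verifier, b, srp_a, srp_b, secret_block, ts)
    return client, server
```

The verifying side holds only the verifier `v`, so a client that presents a different `DeviceSecret` derives a different `S` and its signature no longer matches; that is the property `run_exchange` lets you check.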

## Viewing, updating and forgetting devices
<a name="user-pools-remembered-devices-viewing-updating-forgetting"></a>

You can implement the following features in your app with the Amazon Cognito API.

1. Display information about a user’s current device.

1. Display a list of all of your user’s devices.

1. Forget a device.

1. Update a device remembered state.

The access tokens that authorize the API requests in the following descriptions must include the `aws.cognito.signin.user.admin` scope. Amazon Cognito adds a claim for this scope to all access tokens that you generate with the Amazon Cognito user pools API. Third-party IdPs must separately manage devices and MFA for their users who authenticate to Amazon Cognito. In managed login, you can request the `aws.cognito.signin.user.admin` scope, but managed login automatically adds device information to advanced security user logs, and doesn't offer to remember devices.

**Display information about a device**  
You can query information about a user’s device to determine if it is still in current use. For example, you might want to deactivate remembered devices after they haven’t signed in for 90 days. 
+ To display your user’s device information in a public-client app, submit your user’s access token and device key in a [GetDevice](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_GetDevice.html) API request.
+ To display your user’s device information in a confidential-client app, sign an [AdminGetDevice](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminGetDevice.html) API request with AWS credentials and submit your user’s username, device key, and user pool.

**Display a list of all your user’s devices**  
You can display a list of all your user’s devices and their properties. For example, you might want to verify that the current device matches a remembered device. 
+ In a public-client app, submit your user’s access token in a [ListDevices](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_ListDevices.html) API request.
+ In a confidential-client app, sign an [AdminListDevices](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminListDevices.html) API request with AWS credentials and submit your user’s username and user pool.

**Forget a device**  
You can delete a user’s device key. You might want to do this when you determine that your user no longer uses a device, or when you detect unusual activity and want to prompt a user to complete MFA again. To register the device again later, you must generate and store a new device key.
+ In a public-client app, submit your user’s device key and access token in a [ForgetDevice](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_ForgetDevice.html) API request.
+ In a confidential-client app, sign an [AdminForgetDevice](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminForgetDevice.html) API request with AWS credentials and submit your user’s username, device key, and user pool.

# Using Amazon Pinpoint for user pool analytics
<a name="cognito-user-pools-pinpoint-integration"></a>

**Note**  
**End of support notice:** On October 30, 2026, AWS will end support for Amazon Pinpoint. After October 30, 2026, you will no longer be able to access the Amazon Pinpoint console or Amazon Pinpoint resources (endpoints, segments, campaigns, journeys, and analytics). For more information, see [Amazon Pinpoint end of support](https://docs.aws.amazon.com/console/pinpoint/migration-guide). **Note:** APIs related to SMS, voice, mobile push, OTP, and phone number validation are not impacted by this change and are supported by AWS End User Messaging.

Amazon Cognito user pools are integrated with Amazon Pinpoint to provide analytics for Amazon Cognito user pools and to enrich the user data for Amazon Pinpoint campaigns. Amazon Pinpoint provides analytics and targeted campaigns to drive user engagement in mobile apps using push notifications. With Amazon Pinpoint analytics support in Amazon Cognito user pools, you can track user pool sign-ups, sign-ins, failed authentications, daily active users (DAUs), and monthly active users (MAUs) in the Amazon Pinpoint console. You can drill into the data for different date ranges or attributes, such as device platform, device locale, and app version.

You can also set up custom attributes for your app. Those can then be used to segment your users on Amazon Pinpoint and send them targeted push notifications. If you choose **Share user attribute data with Amazon Pinpoint** in the **Analytics** configuration for your app client in the **App clients** menu in the Amazon Cognito console, Amazon Pinpoint creates additional endpoints for user email addresses and phone numbers.

When you activate Amazon Pinpoint analytics in your user pool with the Amazon Cognito console, you also create a [service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#service-linked-role-permissions) that Amazon Cognito assumes when it makes an API request to Amazon Pinpoint for your user pool. The IAM principal that adds your analytics configuration must have [CreateServiceLinkedRole](https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateServiceLinkedRole.html) permissions. The service-linked role is [AWSServiceRoleForAmazonCognitoIdp](https://console.aws.amazon.com/iamv2/home?region=us-east-1#/roles/details/AWSServiceRoleForAmazonCognitoIdp). For more information, see [Using service-linked roles for Amazon Cognito](using-service-linked-roles.md).

When you apply an `AnalyticsConfiguration` to your app client in the Amazon Cognito API, you can assign a custom IAM role for Amazon Pinpoint and an external ID to assume the role. The role must trust the `cognito-idp` service principal, and if the role trust policy requires an external ID, it must match your `AnalyticsConfiguration`. You must grant the role `cognito-idp:Describe*` permissions, and the following permissions for your **Amazon Pinpoint project**.
+ `mobiletargeting:UpdateEndpoint`
+ `mobiletargeting:PutEvents`

## Amazon Cognito and Amazon Pinpoint Region availability
<a name="cognito-user-pools-find-region-mappings"></a>

The following table shows the AWS Region mappings between Amazon Cognito and Amazon Pinpoint that meet one of the following conditions.
+ You can only use an Amazon Pinpoint project in the US East (N. Virginia) (us-east-1) Region.
+ You can use an Amazon Pinpoint project in the same Region *or* in the US East (N. Virginia) (us-east-1) Region.

By default, Amazon Cognito can only send analytics to an Amazon Pinpoint project in the same AWS Region. The exceptions to this rule are the Regions in the following table, and Regions where Amazon Pinpoint is unavailable.

Amazon Pinpoint isn't available in the following Regions. Amazon Cognito user pools in these Regions don't support analytics.
+ Europe (Milan)
+ Middle East (Bahrain)
+ Asia Pacific (Osaka)
+ Israel (Tel Aviv)
+ Africa (Cape Town)
+ Asia Pacific (Jakarta)
+ Asia Pacific (Malaysia)

The table shows the relation between the Region where you built your Amazon Cognito user pool and the corresponding Region in Amazon Pinpoint. You must configure your Amazon Pinpoint project in an available Region to integrate it with Amazon Cognito.


| Amazon Cognito user pool Region | Region for Amazon Pinpoint project | 
| --- | --- | 
|  ap-northeast-1  |  us-east-1  | 
|  ap-northeast-2  |  us-east-1  | 
|  ap-south-1  |  us-east-1, ap-south-1  | 
|  ap-southeast-1  |  us-east-1  | 
|  ap-southeast-2  |  us-east-1, ap-southeast-2  | 
|  ca-central-1  |  us-east-1  | 
|  eu-central-1  |  us-east-1, eu-central-1  | 
|  eu-west-1  |  us-east-1, eu-west-1  | 
|  eu-west-2  |  us-east-1  | 
|  us-east-1  |  us-east-1  | 
|  us-east-2  |  us-east-1  | 
|  us-west-2  |  us-east-1, us-west-2  | 

**Region mapping examples**
+ If you create a user pool in ap-northeast-1, you can create your Amazon Pinpoint project in us-east-1.
+ If you create a user pool in ap-south-1, you can create your Amazon Pinpoint project in either us-east-1 or ap-south-1.

**Note**  
For all AWS Regions except those in the preceding table, Amazon Cognito can only use an Amazon Pinpoint project in the same Region as your user pool. If Amazon Pinpoint isn't available in the Region where you built your user pool, and it's not listed in the table, then Amazon Cognito doesn't support Amazon Pinpoint analytics in that Region. For detailed AWS Region information, see [Amazon Pinpoint endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/pinpoint.html).

### Specifying Amazon Pinpoint analytics settings (AWS Management Console)
<a name="cognito-user-pools-pinpoint-integration-console"></a>

You can configure your Amazon Cognito user pool to send analytics data to Amazon Pinpoint. Amazon Cognito only sends analytics data to Amazon Pinpoint for local users. After you configure your user pool to associate with an Amazon Pinpoint project, you must include `AnalyticsMetadata` in your API requests. For more information, see [Integrating your app with Amazon Pinpoint](#cognito-user-pools-pinpoint-integration-client).

**To specify analytics settings**

1. Go to the [Amazon Cognito console](https://console.aws.amazon.com/cognito/home). You might be prompted for your AWS credentials.

1. Select **User Pools** and choose an existing user pool from the list.

1. Choose the **App clients** menu and select the app client that you want to update.

1. In the **Analytics** tab under **Pinpoint analytics**, choose **Enable**.

1. Choose a **Pinpoint Region**.

1. Choose an **Amazon Pinpoint project** or select **Create Amazon Pinpoint project**.
**Note**  
The Amazon Pinpoint project ID is a 32-character string that is unique to your Amazon Pinpoint project. It is listed in the Amazon Pinpoint console.  
You can map multiple Amazon Cognito apps to a single Amazon Pinpoint project. However, each Amazon Cognito app can only be mapped to one Amazon Pinpoint project.  
In Amazon Pinpoint, each project should be a single app. For example, if a game developer has two games, each game should be a separate Amazon Pinpoint project, even if both games use the same Amazon Cognito user pool. For more information on Amazon Pinpoint projects, see [Create a project in Amazon Pinpoint](https://docs.aws.amazon.com/push-notifications/latest/userguide/mobile-push.html#mobile-push-create-project). 

1. Under **User data sharing**, choose **Share user data with Amazon Pinpoint** if you want Amazon Cognito to send email addresses and phone numbers to Amazon Pinpoint and create additional endpoints for users. After your users verify their email address and phone number, Amazon Cognito only shares them with Amazon Pinpoint if they are available to the user account.
**Note**  
An *endpoint* uniquely identifies a user device to which you can send push notifications with Amazon Pinpoint. For more information about endpoints, see [Adding endpoints](https://docs.aws.amazon.com/pinpoint/latest/developerguide/endpoints.html) in the *Amazon Pinpoint Developer Guide*.

1. Choose **Save changes**.

### Specifying Amazon Pinpoint analytics settings (AWS CLI and AWS API)
<a name="cognito-user-pools-pinpoint-integration-cli-api"></a>

Use the following commands to specify Amazon Pinpoint analytics settings for your user pool.

**To specify the analytics settings for a new app client in your user pool at creation time**
+ AWS CLI: `aws cognito-idp create-user-pool-client`
+ AWS API: [https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPoolClient.html](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPoolClient.html)

**To update the analytics settings for your user pool's existing client app**
+ AWS CLI: `aws cognito-idp update-user-pool-client`
+ AWS API: [https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPoolClient.html](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPoolClient.html)

**Note**  
Amazon Cognito supports in-Region integrations when you use `ApplicationArn`.

## Integrating your app with Amazon Pinpoint
<a name="cognito-user-pools-pinpoint-integration-client"></a>

You can publish analytics metadata to Amazon Pinpoint for Amazon Cognito *local users* in the *user pools API*.

**Local users**  
Users who signed up for an account or were created in your user pool instead of signing in through a third-party identity provider (IdP).

**User pools API**  
The operations that you can integrate with an AWS SDK, using an app with a custom user interface (UI). You can't pass analytics metadata for federated or local users who sign in through managed login. See the [Amazon Cognito API Reference](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/Welcome.html) for a list of user pools API operations.

After you configure your user pool to publish to a campaign, Amazon Cognito passes metadata to Amazon Pinpoint for the following API operations.
+ `AdminInitiateAuth`
+ `AdminRespondToAuthChallenge`
+ `ConfirmForgotPassword`
+ `ConfirmSignUp`
+ `ForgotPassword`
+ `InitiateAuth`
+ `ResendConfirmationCode`
+ `RespondToAuthChallenge`
+ `SignUp`

To pass metadata about your user's session to your Amazon Pinpoint campaign, include an `AnalyticsEndpointId` value in the `AnalyticsMetadata` parameter of your API request. For a JavaScript example, see [Why aren't my Amazon Cognito user pool analytics appearing on my Amazon Pinpoint dashboard?](https://aws.amazon.com/premiumsupport/knowledge-center/pinpoint-cognito-user-pool-analytics/) in the *AWS Knowledge Center*.

# Email settings for Amazon Cognito user pools
<a name="user-pool-email"></a>

Certain events in your application can cause Amazon Cognito to email your users. For example, if you configure your user pool to require email verification, Amazon Cognito sends an email when a user signs up for a new account in your app or resets their password. Depending on the action that initiates the email, the email contains a verification code or a temporary password.

To handle email delivery, you can use either of the following options:
+ [The default email configuration](#user-pool-email-default) that is built into the Amazon Cognito service.
+ [Your Amazon Simple Email Service (Amazon SES) configuration](#user-pool-email-developer).

You can change your delivery option after you create your user pool.

Amazon Cognito sends email messages to your users with either a code that they can enter or a URL link that they can select. The following table shows the events that can generate an email message.

**Message options**


| Activity | API operation | Delivery options | Format options | Customizable | [Message template](cognito-user-pool-settings-message-customizations.md) | 
| --- |--- |--- |--- |--- |--- |
| Forgot password | [ForgotPassword](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_ForgotPassword.html), [AdminResetUserPassword](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminResetUserPassword.html) | Email, SMS | code | Yes | Verification message | 
| Invitation | [AdminCreateUser](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminCreateUser.html) | Email, SMS | code | Yes | Invitation message | 
| Self-registration | [SignUp](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SignUp.html), [ResendConfirmationCode](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_ResendConfirmationCode.html) | Email, SMS | code, link | Yes | Verification message | 
| Email address or phone number verification | [UpdateUserAttributes](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserAttributes.html), [AdminUpdateUserAttributes](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminUpdateUserAttributes.html), [GetUserAttributeVerificationCode](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_GetUserAttributeVerificationCode.html) | Email, SMS | code | Yes | Verification message | 
| Multi-factor authentication (MFA) | [AdminInitiateAuth](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminInitiateAuth.html), [InitiateAuth](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_InitiateAuth.html) | Email¹, SMS, authenticator app | code | Yes² | MFA message | 
| One-time password authentication (OTP) | [AdminInitiateAuth](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminInitiateAuth.html), [InitiateAuth](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_InitiateAuth.html) | Email¹, SMS | code | Yes | MFA message³ | 

¹ Requires Essentials [feature plan](cognito-sign-in-feature-plans.md) or higher and [Amazon SES email configuration](#user-pool-email-developer). 

² For SMS and email messages.

³ You can only customize the MFA message template when MFA is required or optional in your user pool. When MFA is inactive, Amazon Cognito sends one-time passwords with the default template.

Amazon SES charges for email messages. For more information, see [Amazon SES pricing](https://aws.amazon.com/ses/pricing/).

To learn more about email MFA, see [SMS and email message MFA](user-pool-settings-mfa-sms-email-message.md).

Amazon Cognito might prevent delivery of additional email or SMS messages to a single destination in a short time period. If you believe your user pool is affected, configure and review [logs for message delivery errors](exporting-quotas-and-usage.md#exporting-quotas-and-usage-messages) and then contact your account team.

## Default email configuration
<a name="user-pool-email-default"></a>

Amazon Cognito can use its default email configuration to handle email deliveries for you. When you use the default option, Amazon Cognito limits the number of emails it sends each day for your user pool. For information on service limits, see [Quotas in Amazon Cognito](quotas.md). For typical production environments, the default email limit is below the required delivery volume. To enable a higher delivery volume, you can use your Amazon SES email configuration.

When you use the default configuration, you use Amazon SES resources that are managed by AWS to send email messages. Amazon SES adds email addresses that return a [hard bounce](https://docs.aws.amazon.com/ses/latest/dg/send-email-concepts-deliverability.html#send-email-concepts-deliverability-bounce) to an [account-level suppression list](https://docs.aws.amazon.com/ses/latest/dg/sending-email-suppression-list.html) or a [global suppression list](https://docs.aws.amazon.com/ses/latest/dg/send-email-concepts-deliverability.html#send-email-concepts-deliverability-suppression-list). If an undeliverable email address becomes deliverable later, you can't control its removal from the suppression list while your user pool is configured to use the default configuration. An email address can remain on the AWS-managed suppression list indefinitely. To manage undeliverable email addresses, use your Amazon SES email configuration with an account-level suppression list, as described in the next section.

When you use the default email configuration, you can use either of the following email addresses as the FROM address:
+ The default email address, *no-reply@verificationemail.com*.
+ A custom email address. Before you can use your own email address, you must verify it with Amazon SES and grant Amazon Cognito permission to use this address.

## Amazon SES email configuration
<a name="user-pool-email-developer"></a>

Your application might require a higher delivery volume than what is available with the default option. To increase the possible delivery volume, use your Amazon SES resources with your user pool to email your users. You can also [monitor your email sending activity](https://docs.aws.amazon.com/ses/latest/DeveloperGuide/monitor-sending-activity.html) when you send email messages with your own Amazon SES configuration.

Before you can use your Amazon SES configuration, you must verify one or more email addresses, or a domain, with Amazon SES. Use a verified email address, or an address from a verified domain, as the FROM email address that you assign to your user pool. When Amazon Cognito sends email to a user, it calls Amazon SES for you and uses your email address.

When you use your Amazon SES configuration, the following conditions apply:
+ The email delivery limits for your user pool are the same limits that apply to your Amazon SES verified email address in your AWS account.
+ You can manage your messages to undeliverable email addresses with an account-level suppression list in Amazon SES that overrides the [global suppression list](https://docs.aws.amazon.com/ses/latest/dg/send-email-concepts-deliverability.html#send-email-concepts-deliverability-suppression-list). When you use an account-level suppression list, email message bounces affect the reputation of your account as a sender. For more information, see [Using the Amazon SES account-level suppression list](https://docs.aws.amazon.com/ses/latest/dg/sending-email-suppression-list.html) in the Amazon Simple Email Service Developer Guide.

### Amazon SES email configuration Regions
<a name="user-pool-email-developer-region-mapping"></a>

The AWS Region where you create a user pool will have one of three requirements for the configuration of email messages with Amazon SES. You might send email messages from Amazon SES in the same Region as your user pool, several Regions including the same Region, or one or more remote Regions. For best performance, send email messages with an Amazon SES verified identity in the same Region as your user pool when you have the option.

**Categories of Region requirements for Amazon SES verified identities**

**In-Region only**  
Your user pools can send email messages with verified identities in the same AWS Region as the user pool. In the default email configuration without a custom `FROM` email address, Amazon Cognito uses a `no-reply@verificationemail.com` verified identity in the same Region.

**Backwards compatible**  
Your user pools can send email messages with verified identities in the same AWS Region or in one of the following alternate Regions:   
+ US East (N. Virginia)
+ US West (Oregon)
+ Europe (Ireland)
This feature supports continuity for user pool resources that you might have created to match Amazon Cognito requirements when the service launched. User pools from that period could only send email messages with verified identities in a limited number of AWS Regions. In the default email configuration without a custom `FROM` email address, Amazon Cognito uses a `no-reply@verificationemail.com` verified identity in the same Region.

**Alternate Region**  
Your user pools can send email messages with verified identities in an alternate AWS Region that is outside of the user pool Region. This configuration occurs when Amazon SES isn't available in a Region where Amazon Cognito is available.  
The Amazon SES sending authorization policy for your verified identity in the alternate Region must trust the Amazon Cognito service principal of the originating Region. For more information, see [To grant permissions to use the default email configuration](#user-pool-email-permissions-default).  
In some of these Regions, Amazon Cognito splits email messages between two alternate Regions for the default email configuration of `COGNITO_DEFAULT`. In these cases, to use a custom `FROM` email address, the Amazon SES sending authorization policy for your verified identity in each alternate Region must trust the Amazon Cognito service principal of the originating Region. For more information, see [To grant permissions to use the default email configuration](#user-pool-email-permissions-default). With the Amazon SES email configuration of `DEVELOPER` in these Regions, you must use a verified identity in the *first* listed Region and configure it to trust the Amazon Cognito service principal in the user pool Region. For example, in a user pool in Middle East (UAE), configure a verified identity in Europe (Frankfurt) to trust `cognito-idp.me-central-1.amazonaws.com`. In the default email configuration without a custom `FROM` email address, Amazon Cognito uses a `no-reply@verificationemail.com` verified identity in each Region.

**Note**  
Under the following combination of conditions, you must specify the `SourceArn` parameter of [EmailConfiguration](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html#CognitoUserPools-CreateUserPool-request-EmailConfiguration) with a wildcard in the Region element, in the format `arn:${Partition}:ses:*:${Account}:identity/${IdentityName}`. This permits your user pool to send email messages with identical verified identities in your AWS account in both AWS Regions.  
+ Your `EmailSendingAccount` is `COGNITO_DEFAULT`.
+ You want to use a custom `FROM` address.
+ Your user pool sends emails in an **Alternate Region**.
+ Your user pool has a *second*[1](#cognito-email-alternate-regions-note) **Alternate Region** specified in the table of **Amazon SES supported Regions** that follows.

If you create a user pool programmatically–with an AWS SDK, the Amazon Cognito API or CLI, the AWS CDK, or AWS CloudFormation–your user pool sends email messages with the Amazon SES identity that the `SourceArn` parameter of [EmailConfiguration](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html#CognitoUserPools-CreateUserPool-request-EmailConfiguration) specifies for your user pool. The Amazon SES identity must occupy a supported AWS Region. If your `EmailSendingAccount` is `COGNITO_DEFAULT` and you don't specify a `SourceArn` parameter, Amazon Cognito sends email messages from `no-reply@verificationemail.com` using resources in the Region where you created your user pool.

The following table shows the AWS Regions where you can use Amazon SES identities with Amazon Cognito.


| User pool Region | Region option | Amazon SES supported Regions | 
| --- | --- | --- | 
|  US East (N. Virginia)  |  Backwards compatible  |  US East (N. Virginia), US West (Oregon), Europe (Ireland)  | 
|  US East (Ohio)  |  Backwards compatible  |  US East (Ohio), US East (N. Virginia), US West (Oregon), Europe (Ireland)  | 
|  US West (N. California)  |  In-Region only  |  US West (N. California)  | 
|  US West (Oregon)  |  Backwards compatible  |  US East (N. Virginia), US West (Oregon), Europe (Ireland)  | 
|  Canada (Central)  |  Backwards compatible  |  Canada (Central), US East (N. Virginia), US West (Oregon), Europe (Ireland)  | 
|  Canada West (Calgary)  |  Alternate Region  |  Canada (Central), US West (N. California)[1](#cognito-email-alternate-regions-note)  | 
|  Mexico (Central)  |  Alternate Region  |  US East (N. Virginia), US West (Oregon)[1](#cognito-email-alternate-regions-note)  | 
|  Asia Pacific (Tokyo)  |  Backwards compatible  |  Asia Pacific (Tokyo), US East (N. Virginia), US West (Oregon), Europe (Ireland)  | 
|  Asia Pacific (Hong Kong)  |  Alternate Region  |  Asia Pacific (Singapore), Asia Pacific (Tokyo)[1](#cognito-email-alternate-regions-note)  | 
|  Asia Pacific (Seoul)  |  Backwards compatible  |  Asia Pacific (Seoul), US East (N. Virginia), US West (Oregon), Europe (Ireland)  | 
| Asia Pacific (Malaysia) | Alternate Region | Asia Pacific (Sydney), Asia Pacific (Singapore)[1](#cognito-email-alternate-regions-note) | 
| Asia Pacific (Thailand) | Alternate Region | Asia Pacific (Singapore), Asia Pacific (Mumbai)[1](#cognito-email-alternate-regions-note) | 
|  Asia Pacific (Mumbai)  |  Backwards compatible  |  Asia Pacific (Mumbai), US East (N. Virginia), US West (Oregon), Europe (Ireland)  | 
|  Asia Pacific (Hyderabad)  |  Alternate Region  |  Asia Pacific (Mumbai), Asia Pacific (Singapore)[1](#cognito-email-alternate-regions-note)  | 
|  Asia Pacific (Singapore)  |  Backwards compatible  |  Asia Pacific (Singapore), US East (N. Virginia), US West (Oregon), Europe (Ireland)  | 
|  Asia Pacific (Sydney)  |  Backwards compatible  |  Asia Pacific (Sydney), US East (N. Virginia), US West (Oregon), Europe (Ireland)  | 
|  Asia Pacific (Osaka)  |  In-Region only  |  Asia Pacific (Osaka)  | 
|  Asia Pacific (Jakarta)  |  In-Region only  |  Asia Pacific (Jakarta)  | 
|  Asia Pacific (Melbourne)  |  Alternate Region  |  Asia Pacific (Sydney), Asia Pacific (Singapore)[1](#cognito-email-alternate-regions-note)  | 
|  Europe (Ireland)  |  Backwards compatible  |  US East (N. Virginia), US West (Oregon), Europe (Ireland)  | 
|  Europe (London)  |  Backwards compatible  |  Europe (London), US East (N. Virginia), US West (Oregon), Europe (Ireland)  | 
|  Europe (Paris)  |  In-Region only  |  Europe (Paris)  | 
|  Europe (Frankfurt)  |  Backwards compatible  |  Europe (Frankfurt), US East (N. Virginia), US West (Oregon), Europe (Ireland)  | 
|  Europe (Zurich)  |  Alternate Region  |  Europe (Frankfurt), Europe (London)[1](#cognito-email-alternate-regions-note)  | 
|  Europe (Stockholm)  |  In-Region only  |  Europe (Stockholm)  | 
| Europe (Milan) |  In-Region only  | Europe (Milan) | 
| Europe (Spain) |  Alternate Region  | Europe (Paris), Europe (Stockholm)[1](#cognito-email-alternate-regions-note) | 
|  Middle East (Bahrain)  |  In-Region only  |  Middle East (Bahrain)  | 
|  Middle East (UAE)  |  Alternate Region  |  Europe (Frankfurt), Europe (London)[1](#cognito-email-alternate-regions-note)  | 
|  South America (São Paulo)  |  In-Region only  |  South America (São Paulo)  | 
|  Israel (Tel Aviv)  |  In-Region only  |  Israel (Tel Aviv)  | 
|  Africa (Cape Town)  |  In-Region only  |  Africa (Cape Town)  | 

 1 Used in user pools with the default email configuration. Amazon Cognito distributes email messages among verified identities with the same email address in each Region. To use a custom `FROM` address, configure `EmailConfiguration` with a `SourceArn` parameter in the format `arn:${Partition}:ses:*:${Account}:identity/${IdentityName}`.

## Configuring email for your user pool
<a name="user-pool-email-configure"></a>

Complete the following steps to configure the email settings for your user pool. Depending on the settings that you use, you might need IAM permissions in Amazon SES, AWS Identity and Access Management (IAM), and Amazon Cognito.

**Note**  
You can't share the resources that you create in these steps across AWS accounts. For example, you can't configure a user pool in one account, and then use it with an Amazon SES email address in a different account. If you use Amazon Cognito in multiple accounts, repeat these steps for each account.

### Step 1: Verify your email address or domain with Amazon SES
<a name="user-pool-email-configure-verify-ses"></a>

Before you configure your user pool, you must verify one or more domains or email addresses with Amazon SES if you want to do either of the following:
+ Use your own email address as the FROM address
+ Use your Amazon SES configuration to handle email delivery

By verifying your email address or domain, you confirm that you own it, which helps prevent unauthorized use.

For information on verifying an email address with Amazon SES, see [Verifying an Email Address](https://docs.aws.amazon.com/ses/latest/DeveloperGuide/verify-email-addresses-procedure.html) in the *Amazon Simple Email Service Developer Guide*. For information on verifying a domain with Amazon SES, see [Verifying domains](https://docs.aws.amazon.com/ses/latest/DeveloperGuide/verify-domains.html).

### Step 2: Move your account out of the Amazon SES sandbox
<a name="user-pool-email-configure-sandbox"></a>

Omit this step if you are using the default Amazon Cognito email configuration.

When you first use Amazon SES in any AWS Region, it places your AWS account in the Amazon SES sandbox for that Region. Amazon SES uses the sandbox to prevent fraud and abuse. If you use your Amazon SES configuration to handle email delivery, you must move your AWS account out of the sandbox before Amazon Cognito can email your users.

In the sandbox, Amazon SES imposes restrictions on how many emails you can send and where you can send them. You can send emails only to addresses and domains that you have verified with Amazon SES, or you can send them to Amazon SES mailbox simulator addresses. While your AWS account remains in the sandbox, don't use your Amazon SES configuration for applications that are in production. In this situation, Amazon Cognito can't send messages to your users' email addresses.

To remove your AWS account from the sandbox, see [Moving out of the Amazon SES sandbox](https://docs.aws.amazon.com/ses/latest/DeveloperGuide/request-production-access.html) in the *Amazon Simple Email Service Developer Guide.*

### Step 3: Grant email permissions to Amazon Cognito
<a name="user-pool-email-permissions"></a>

You might need to grant specific permissions to Amazon Cognito before it can email your users. The permissions that you grant, and the process that you use to grant them, depend on whether you are using the default email configuration, or your Amazon SES configuration.

#### To grant permissions to use the default email configuration
<a name="user-pool-email-permissions-default"></a>

Complete this step only if you configure your user pool to **Send email with Cognito** or set `EmailSendingAccount` to `COGNITO_DEFAULT`.

With the default email configuration, your user pool can send email messages with either of the following addresses.
+ The default address `no-reply@verificationemail.com`.
+ A custom FROM address from your verified email addresses or domains in Amazon SES.

If you use a custom address, Amazon Cognito needs additional permissions to email users from that address. These permissions are granted by a [sending authorization policy](https://docs.aws.amazon.com/ses/latest/dg/sending-authorization.html) for the address or domain in Amazon SES. If you use the Amazon Cognito console to add a custom address to your user pool, the policy is automatically attached to the Amazon SES verified email address. However, if you configure your user pool outside of the console, such as using the AWS CLI or the Amazon Cognito API, you must attach the policy using the [Amazon SES console](https://console.aws.amazon.com/ses/) or the [PutIdentityPolicy](https://docs.aws.amazon.com/ses/latest/APIReference/API_PutIdentityPolicy.html) API.

**Note**  
You can only configure a FROM address in a verified domain using the AWS CLI or the Amazon Cognito API.

A sending authorization policy allows or denies access based on the account resources that are using Amazon Cognito to invoke Amazon SES. For more information about resource-based policies, see the [IAM User Guide](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_resource-based). You can also find example resource-based policies in the [Amazon SES Developer Guide](https://docs.aws.amazon.com/ses/latest/DeveloperGuide/sending-authorization-policy-examples.html).

**Example Sending authorization policy**  
The following example sending authorization policy grants Amazon Cognito a limited ability to use an Amazon SES verified identity. Amazon Cognito can only send email messages when it does so on behalf of both the user pool in the `aws:SourceArn` condition and the account in the `aws:SourceAccount` condition.  
Your sending authorization policy in the user pool Region or alternate Region must permit the Amazon Cognito service principal to send email messages. Refer to the [Regions table](#ses-regions-table) for more information. If your **User pool Region** appears among the values in **Amazon SES supported Regions** for its row, configure your sending authorization policy with the global service principal as in the following example.  

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "stmnt1234567891234",
            "Effect": "Allow",
            "Principal": {
                "Service": [
                    "email.cognito-idp.amazonaws.com"
                ]
            },
            "Action": [
                "SES:SendEmail",
                "SES:SendRawEmail"
            ],
            "Resource": "arn:aws:ses:us-east-1:111122223333:identity/support@example.com",
            "Condition": {
                "StringEquals": {
                    "aws:SourceAccount": "111122223333"
                },
                "ArnLike": {
                    "aws:SourceArn": "arn:aws:cognito-idp:us-east-1:111122223333:userpool/us-east-1_EXAMPLE"
                }
            }
        }
    ]
}
```
Amazon SES isn't available in all opt-in AWS Regions where Amazon Cognito is available. Middle East (UAE) is an example, and can only send emails with verified identities in Europe (Frankfurt) (`eu-central-1`). In user pools with the default email configuration, Amazon Cognito also sends email messages with a verified identity in each of two Regions. In the case of Middle East (UAE), the additional Region is Europe (London). You must update the sending authorization policy in both Regions.  
Your sending authorization policy in each of the alternate Regions must permit the Amazon Cognito service principal in the user pool opt-in Region to send email messages. Refer to the [Regions table](#ses-regions-table) for more information. If your Region is marked as **Alternate Region**, configure your sending authorization policies with the Regional service principal as in the following example. Replace the example Region identifier *me-central-1* with the required Region ID as needed.    

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": [
                    "cognito-idp.me-central-1.amazonaws.com"
                ]
            },
            "Action": [
                "SES:SendEmail",
                "SES:SendRawEmail"
            ],
            "Resource": "arn:aws:ses:eu-central-1:111122223333:identity/support@example.com",
            "Condition": {
                "StringEquals": {
                    "aws:SourceAccount": "111122223333"
                },
                "ArnLike": {
                    "aws:SourceArn": "arn:aws:cognito-idp:me-central-1:111122223333:userpool/me-central-1_EXAMPLE"
                }
            }
        }
    ]
}
```
For more information about policy syntax, see [Amazon SES sending authorization policies](https://docs.aws.amazon.com/ses/latest/DeveloperGuide/sending-authorization-policies.html) in the *Amazon Simple Email Service Developer Guide*.  
For more examples, see [Amazon SES sending authorization policy examples](https://docs.aws.amazon.com/ses/latest/DeveloperGuide/sending-authorization-policy-examples.html) in the *Amazon Simple Email Service Developer Guide*.
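The policy shape above and the `SourceArn` wildcard rule from the Regions note, as an added Python example that is not part of the Amazon Cognito documentation: it builds a sending authorization policy scoped to one user pool for a given Region option, audits an existing policy for a missing `aws:SourceAccount` or `aws:SourceArn` condition, and builds the matching `EmailConfiguration`. The function names are assumptions, the account ID and identity values are constructed placeholders, and `attach_policy` assumes boto3 with credentials that allow `ses:PutIdentityPolicy`.

```python
"""Build and audit Amazon SES sending authorization policies for Amazon Cognito.
Added example, not code from the Amazon Cognito documentation; the account ID,
user pool ID and identity values used with it are constructed placeholders."""
import json
from typing import Optional

GLOBAL_PRINCIPAL = "email.cognito-idp.amazonaws.com"   # In-Region only / Backwards compatible
SES_ACTIONS = ["SES:SendEmail", "SES:SendRawEmail"]


def cognito_principal(user_pool_region: str, region_option: str) -> str:
    """Principal the identity policy must trust: the Regional principal of the user
    pool Region for an "Alternate Region" pool, the global principal otherwise."""
    if region_option == "Alternate Region":
        return f"cognito-idp.{user_pool_region}.amazonaws.com"
    return GLOBAL_PRINCIPAL


def build_sending_policy(account_id: str, user_pool_region: str, user_pool_id: str,
                         region_option: str, ses_region: str, identity: str) -> dict:
    """Policy that lets exactly one user pool send from one verified identity.
    aws:SourceAccount pins the calling account; aws:SourceArn pins the user pool."""
    user_pool_arn = f"arn:aws:cognito-idp:{user_pool_region}:{account_id}:userpool/{user_pool_id}"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowCognitoUserPoolToSend",
            "Effect": "Allow",
            "Principal": {"Service": [cognito_principal(user_pool_region, region_option)]},
            "Action": list(SES_ACTIONS),
            "Resource": f"arn:aws:ses:{ses_region}:{account_id}:identity/{identity}",
            "Condition": {
                "StringEquals": {"aws:SourceAccount": account_id},
                "ArnLike": {"aws:SourceArn": user_pool_arn},
            },
        }],
    }


def _trusts_cognito(statement: dict) -> bool:
    services = statement.get("Principal", {}).get("Service", [])
    if isinstance(services, str):
        services = [services]
    return any(s == GLOBAL_PRINCIPAL or
               (s.startswith("cognito-idp.") and s.endswith(".amazonaws.com"))
               for s in services)


def audit_sending_policy(policy: dict) -> list:
    """One finding per Allow statement that trusts an Amazon Cognito principal but
    lacks the aws:SourceAccount or aws:SourceArn condition that scopes the grant."""
    findings = []
    for index, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _trusts_cognito(stmt):
            continue
        cond = stmt.get("Condition", {})
        has_account = "aws:SourceAccount" in cond.get("StringEquals", {})
        has_arn = any("aws:SourceArn" in cond.get(op, {})
                      for op in ("ArnLike", "ArnEquals", "StringLike", "StringEquals"))
        missing = [name for name, ok in (("aws:SourceAccount", has_account),
                                         ("aws:SourceArn", has_arn)) if not ok]
        if missing:
            findings.append({"statement": stmt.get("Sid", f"#{index}"),
                             "missing_conditions": missing})
    return findings


def email_configuration(sending_account: str, account_id: str, identity: str,
                        ses_region: str, region_option: str,
                        second_alternate_region: bool = False,
                        from_address: Optional[str] = None,
                        reply_to: Optional[str] = None) -> dict:
    """EmailConfiguration for CreateUserPool/UpdateUserPool. When all four conditions
    from the Regions note hold (COGNITO_DEFAULT, custom FROM address, Alternate Region
    pool, second listed alternate Region), SourceArn gets a wildcard Region element."""
    wildcard = (sending_account == "COGNITO_DEFAULT" and from_address is not None
                and region_option == "Alternate Region" and second_alternate_region)
    source_region = "*" if wildcard else ses_region
    config = {"EmailSendingAccount": sending_account,
              "SourceArn": f"arn:aws:ses:{source_region}:{account_id}:identity/{identity}"}
    if from_address:
        config["From"] = from_address
    if reply_to:
        config["ReplyToEmailAddress"] = reply_to
    return config


def attach_policy(identity: str, policy_name: str, policy: dict, ses_region: str) -> None:
    """Attach the policy with the SES PutIdentityPolicy API (needs boto3 and credentials)."""
    import boto3  # imported here so the pure helpers above run without boto3 installed
    boto3.client("ses", region_name=ses_region).put_identity_policy(
        Identity=identity, PolicyName=policy_name, Policy=json.dumps(policy))
```

Run `audit_sending_policy` against the output of `get-identity-policies` for each verified identity to find grants to Amazon Cognito that are not pinned to one account and one user pool.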

#### To grant permissions to use your Amazon SES configuration
<a name="user-pool-email-permissions-developer"></a>

If you configure your user pool to use your Amazon SES configuration, Amazon Cognito needs additional permissions to call Amazon SES on your behalf when it emails your users. This authorization is granted with the IAM service.

When you configure your user pool with this option, Amazon Cognito creates a *service-linked role*, which is a type of IAM role, in your AWS account. This role contains the permissions that allow Amazon Cognito to access Amazon SES and send email with your address.

Amazon Cognito creates your service-linked role with the AWS credentials of the user session that sets the configuration. The IAM permissions of this session must include the `iam:CreateServiceLinkedRole` action. For more information about permissions in IAM, see [Access management for AWS resources](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html) in the *IAM User Guide*.

For more information about the service-linked role that Amazon Cognito creates, see [Using service-linked roles for Amazon Cognito](using-service-linked-roles.md).

### Step 4: Configure your user pool
<a name="user-pool-email-configure-user-pool"></a>

Complete the following steps if you want to configure your user pool with any of the following:
+ A custom FROM address that appears as the email sender
+ A custom REPLY-TO address that receives the messages that your users send to your FROM address
+ Your Amazon SES configuration

**Note**  
If your verified identity is an email address, Amazon Cognito sets that email address as the FROM and REPLY-TO email address by default. But, if your verified identity is a domain, you must provide a value for the FROM email address.

Omit this procedure if you want to use the default Amazon Cognito email configuration and address.

**To configure your user pool to use a custom email address**

1. Go to the [Amazon Cognito console](https://console.aws.amazon.com/cognito/home). If prompted, enter your AWS credentials.

1. Choose **User Pools**.

1. Choose an existing user pool from the list.

1. Choose the **Authentication methods** menu, locate **Email configuration**, and choose **Edit**.

1. On the **Edit email configuration** page, select **Send email from Amazon SES** or **Send email with Amazon Cognito**. You can customize the **SES Region**, **Configuration Set**, and **FROM sender name** only when you choose **Send email from Amazon SES**.

1. To use a custom FROM address, complete the following steps:

   1. Under **SES Region**, choose the Region that contains your verified email address.

   1. Under **FROM email address**, choose your email address. Use an email address that you have verified with Amazon SES.

   1. (Optional) Under **Configuration set**, choose a configuration set for Amazon SES to use. Making and saving this change creates a service-linked role.

   1. (Optional) Under **FROM sender address**, enter an email address. You can provide only an email address, or an email address and a friendly name in the format `Jane Doe <janedoe@example.com>`.

   1. (Optional) Under **REPLY-TO email address**, enter the email address where you want to receive messages that your users send to your FROM address.

1. Choose **Save changes**.

**Related Topics**
+ [Customizing email verification messages](cognito-user-pool-settings-message-customizations.md#cognito-user-pool-settings-email-verification-message-customization)
+ [Customizing user invitation messages](cognito-user-pool-settings-message-customizations.md#cognito-user-pool-settings-user-invitation-message-customization)

# SMS message settings for Amazon Cognito user pools
<a name="user-pool-sms-settings"></a>

Some Amazon Cognito events for your user pool might cause Amazon Cognito to send SMS text messages to your users. For example, if you configure your user pool to require phone verification, Amazon Cognito sends an SMS text message when a user signs up for a new account in your app or resets their password. Depending on the action that initiates the SMS text message, the message contains a verification code, a temporary password, or a welcome message.

Amazon Cognito uses Amazon Simple Notification Service (Amazon SNS) for delivery of SMS text messages. Amazon SNS in turn hands off SMS messages to AWS End User Messaging SMS. If you are sending a text message through Amazon Cognito for the first time, AWS End User Messaging SMS places you in a [sandbox environment](https://docs.aws.amazon.com/sms-voice/latest/userguide/sandbox.html). In the sandbox environment, you can test your applications for SMS text messages. In the sandbox, you can only simulate the sending of messages.

**Note**  
In November 2024, AWS replaced Amazon SNS SMS messaging with AWS End User Messaging SMS. Currently, the Amazon Cognito console refers to Amazon SNS resources. User pools initiate SMS messages with the Amazon SNS [Publish](https://docs.aws.amazon.com/sns/latest/api/API_Publish.html) operation, which is a pass-through to AWS End User Messaging SMS. Accordingly, you must still configure permissions for `sns:Publish`, not `sms-voice:SendTextMessage`.

AWS End User Messaging SMS charges for SMS text messages. For more information, see [AWS End User Messaging SMS pricing](https://aws.amazon.com/end-user-messaging/pricing/).

Amazon Cognito sends SMS messages to your users with a code that they can enter. The following table shows the events that can generate an SMS message.

**Message options**


| Activity | API operation | Delivery options | Format options | Customizable | [Message template](cognito-user-pool-settings-message-customizations.md) | 
| --- |--- |--- |--- |--- |--- |
| Forgot password | [ForgotPassword](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_ForgotPassword.html), [AdminResetUserPassword](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminResetUserPassword.html) | Email, SMS | code | Yes | Verification message | 
| Invitation | [AdminCreateUser](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminCreateUser.html) | Email, SMS | code | Yes | Invitation message | 
| Self-registration | [SignUp](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SignUp.html), [ResendConfirmationCode](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_ResendConfirmationCode.html) | Email, SMS | code, link | Yes | Verification message | 
| Email address or phone number verification | [UpdateUserAttributes](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserAttributes.html), [AdminUpdateUserAttributes](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminUpdateUserAttributes.html), [GetUserAttributeVerificationCode](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_GetUserAttributeVerificationCode.html) | Email, SMS | code | Yes | Verification message | 
| Multi-factor authentication (MFA) | [AdminInitiateAuth](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminInitiateAuth.html), [InitiateAuth](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_InitiateAuth.html) | Email¹, SMS, authenticator app | code | Yes² | MFA message | 
| One-time password authentication (OTP) | [AdminInitiateAuth](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminInitiateAuth.html), [InitiateAuth](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_InitiateAuth.html) | Email¹, SMS | code | Yes | MFA message³ | 

¹ Requires Essentials [feature plan](cognito-sign-in-feature-plans.md) or higher and [Amazon SES email configuration](user-pool-email.md#user-pool-email-developer). 

² For SMS and email messages.

³ You can only customize the MFA message template when MFA is required or optional in your user pool. When MFA is inactive, Amazon Cognito sends one-time passwords with the default template.

AWS End User Messaging SMS charges for SMS messages. For more information, see [AWS End User Messaging SMS pricing](https://aws.amazon.com/end-user-messaging/pricing/).

To learn more about MFA, see [SMS and email message MFA](user-pool-settings-mfa-sms-email-message.md).

Amazon Cognito might prevent delivery of additional email or SMS messages to a single destination in a short time period. If you believe your user pool is affected, configure and review [logs for message delivery errors](exporting-quotas-and-usage.md#exporting-quotas-and-usage-messages) and then contact your account team.

## Best practices
<a name="user-pool-sms-settings-best-practices"></a>

Because of the volume of unsolicited SMS traffic worldwide, some governments impose barriers between the senders and recipients of SMS messages. When you use SMS messages for MFA and user updates, you must take additional steps to ensure that your messages are delivered. You must also monitor SMS-message-related regulations in countries where your users might live and keep your SMS message configuration current. For more information, see [SMS and MMS country capabilities and limitations](https://docs.aws.amazon.com/sms-voice/latest/userguide/phone-numbers-sms-support-by-country.html) in the *AWS End User Messaging SMS User Guide*.

The use of SMS messages to authenticate and verify users isn't a security best practice. Phone numbers can change owners, and might not reliably represent a *something you have* factor of MFA for your users. Instead, implement TOTP MFA in your app or with your third-party IdP. You can also create additional custom authentication factors with [Custom authentication challenge Lambda triggers](user-pool-lambda-challenge.md).

Review the following links for information about securing your SMS message delivery architecture.
+ [Reduce risks of user sign-up fraud and SMS pumping with Amazon Cognito user pools](https://aws.amazon.com/blogs/security/reduce-risks-of-user-sign-up-fraud-and-sms-pumping-with-amazon-cognito-user-pools/)
+ [Defending Against SMS Pumping: New AWS Features to Help Combat Artificially Inflated Traffic](https://aws.amazon.com/blogs/messaging-and-targeting/defending-against-sms-pumping-new-aws-features-to-help-combat-artificially-inflated-traffic/)

## Setting up SMS messaging for the first time in Amazon Cognito user pools
<a name="user-pool-sms-settings-first-time"></a>

Amazon Cognito uses Amazon SNS, and indirectly AWS End User Messaging SMS, to send SMS messages from your user pools. You can also use a [Custom SMS sender Lambda trigger](user-pool-lambda-custom-sms-sender.md) to use your own resources to send SMS messages. The first time that you set up SMS text messages in a particular AWS Region, AWS End User Messaging SMS places your AWS account in the SMS sandbox for that Region. AWS End User Messaging SMS uses the sandbox to prevent fraud and abuse and to meet compliance requirements. When your AWS account is in the sandbox, AWS End User Messaging SMS imposes some [restrictions](https://docs.aws.amazon.com/sms-voice/latest/userguide/sandbox.html#sandbox-sms). For example, you can send text messages to a maximum of 10 verified destination numbers if you have an origination identity, or you can simulate sending messages without an origination identity. While your AWS account remains in the sandbox, do not send SMS messages in production. When you're in the sandbox, Amazon Cognito can't send messages to your users' phone numbers.

**Topics**
+ [Prepare an IAM role that Amazon Cognito can use to send SMS messages with AWS End User Messaging SMS](#sms-create-a-role)
+ [Choose the AWS Region for SMS messages](#sms-choose-a-region)
+ [Obtain an origination identity to send SMS messages to US phone numbers](#user-pool-sms-settings-first-time-origination)
+ [Confirm that you are in the SMS sandbox](#user-pool-sms-settings-first-time-confirm-sandbox)
+ [Move your account out of the sandbox](#user-pool-sms-settings-first-time-out-sandbox)
+ [Use simulator numbers or verified phone numbers with AWS End User Messaging SMS](#user-pool-sms-settings-first-time-verify-numbers)
+ [Complete user pool setup in Amazon Cognito](#user-pool-sms-settings-first-time-finish-user-pool)

### Prepare an IAM role that Amazon Cognito can use to send SMS messages with AWS End User Messaging SMS
<a name="sms-create-a-role"></a>

When you send an SMS message from your user pool, Amazon Cognito assumes an IAM role in your account. Amazon Cognito uses the `sns:Publish` permission assigned to that role to send SMS messages to your users. In the Amazon Cognito console, you can set an **IAM role selection** from the **Authentication methods** menu of your user pool, under **SMS**, or make this selection in the user pool creation wizard.

The following example IAM role trust policy grants Amazon Cognito user pools a limited ability to assume the role. Amazon Cognito can only assume the role when it meets the following conditions:
+ The assume-role operation is on behalf of the user pool in the `aws:SourceArn` condition.
+ The assume-role operation is on behalf of a user pool in the AWS account set by the `aws:SourceAccount` condition.
+ The assume-role operation includes the external ID in the `sts:ExternalId` condition.

------
#### [ JSON ]

```json
{
    "Version":"2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "Service": "cognito-idp.amazonaws.com"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "sts:ExternalId": "a1b2c3d4-5678-90ab-cdef-EXAMPLE22222",
                    "aws:SourceAccount": "111122223333"
                },
                "ArnLike": {
                    "aws:SourceArn": "arn:aws:cognito-idp:us-west-2:111122223333:userpool/us-west-2_EXAMPLE"
                }
            }
        }
    ]
}
```

------

You can specify an exact [user pool ARN](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncognitouserpools.html#amazoncognitouserpools-resources-for-iam-policies) or a wildcard ARN in the value of the `aws:SourceArn` condition. Look up the ARNs of your user pools in the AWS Management Console or with a [DescribeUserPool](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html) API request.

To send SMS messages for [multi-factor authentication](user-pool-settings-mfa-sms-email-message.md), your IAM role trust policy must have an `sts:ExternalId` condition. The value of this condition must match the `ExternalId` property of the [SmsConfiguration](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html#CognitoUserPools-CreateUserPool-request-SmsConfiguration) of your user pool. When you create an IAM role during the process of user pool creation in the Amazon Cognito console, Amazon Cognito configures the external ID for you in the role and in the user pool settings. This isn't true when you use an existing IAM role.

When you use an existing IAM role, you must set the user pool `ExternalId` parameter in an [UpdateUserPool](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html) API request and update the IAM role trust policy with an `sts:ExternalId` condition that has the same value. To learn how to use the API to update a user pool in a way that preserves the original configuration, see [Updating user pool and app client configuration](cognito-user-pool-updating.md).
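The following added example (not part of this guide or of any AWS SDK) builds the trust policy shown above from a user pool ARN and external ID, and checks an existing trust policy against a user pool's `SmsConfiguration` so that a mismatched or missing `sts:ExternalId`, `aws:SourceAccount` or `aws:SourceArn` condition is caught before MFA SMS delivery fails. The sample ARNs and IDs are constructed and reuse the placeholder values from the example policy; the role name `CognitoSmsRole` is hypothetical.

```python
import fnmatch

# Constructed sample values; the IDs are the placeholders used in this page's example policy.
USER_POOL_ARN = "arn:aws:cognito-idp:us-west-2:111122223333:userpool/us-west-2_EXAMPLE"
SMS_CONFIGURATION = {  # SmsConfigurationType fields as DescribeUserPool returns them
    "SnsCallerArn": "arn:aws:iam::111122223333:role/CognitoSmsRole",  # hypothetical role
    "ExternalId": "a1b2c3d4-5678-90ab-cdef-EXAMPLE22222",
    "SnsRegion": "us-west-2",
}


def build_trust_policy(user_pool_arn: str, external_id: str) -> dict:
    """Trust policy that lets only this user pool, from this account, assume the role."""
    account_id = user_pool_arn.split(":")[4]
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "cognito-idp.amazonaws.com"},
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {"sts:ExternalId": external_id, "aws:SourceAccount": account_id},
                "ArnLike": {"aws:SourceArn": user_pool_arn},
            },
        }],
    }


def _conditions(stmt: dict) -> dict:
    """Flatten Condition into {key.lower(): value}; IAM condition keys are case-insensitive."""
    flat = {}
    for values in stmt.get("Condition", {}).values():
        flat.update({k.lower(): v for k, v in values.items()})
    return flat


def trust_policy_findings(policy: dict, user_pool_arn: str, sms_config: dict) -> list:
    """Mismatches between a role trust policy and the pool's SmsConfiguration.
    An empty list means the assume-role is scoped to this pool, account and external ID."""
    account_id = user_pool_arn.split(":")[4]
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if (stmt.get("Effect") == "Allow"
                and stmt.get("Principal", {}).get("Service") == "cognito-idp.amazonaws.com"
                and "sts:AssumeRole" in actions):
            break
    else:
        return ["no Allow statement lets cognito-idp.amazonaws.com call sts:AssumeRole"]
    cond, findings = _conditions(stmt), []
    if cond.get("sts:externalid") != sms_config.get("ExternalId"):
        findings.append("sts:ExternalId is missing or differs from SmsConfiguration.ExternalId")
    if cond.get("aws:sourceaccount") != account_id:
        findings.append("aws:SourceAccount is missing or is not the user pool's account")
    if not fnmatch.fnmatchcase(user_pool_arn, cond.get("aws:sourcearn", "")):
        findings.append("aws:SourceArn is missing or does not match the user pool ARN")
    return findings
```

Feed `trust_policy_findings` the `AssumeRolePolicyDocument` of the role named in `SnsCallerArn` together with the `SmsConfiguration` from `DescribeUserPool`; a wildcard `aws:SourceArn` such as `...:userpool/*` is accepted because `ArnLike` matching is applied.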

For more information about IAM roles and trust policies, see [Roles terms and concepts](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html) in the *AWS Identity and Access Management User Guide*.

### Choose the AWS Region for SMS messages
<a name="sms-choose-a-region"></a>

**Note**  
SMS messages in AWS are now managed in [AWS End User Messaging SMS](https://console.aws.amazon.com/sms-voice/home).

In some AWS Regions, you can choose the Region that contains the Amazon SNS resources that you want to use for Amazon Cognito SMS messages. In any AWS Region where Amazon Cognito is available, except for Asia Pacific (Seoul), you can use Amazon SNS resources in the AWS Region where you created your user pool. To make your SMS messaging faster and more reliable when you have a choice of Regions, use Amazon SNS resources in the same Region as your user pool.

Choose a Region for SMS resources in the **Configure message delivery** step of the new user pool wizard. You can also choose **Edit** under **SMS** in the **Authentication methods** menu of an existing user pool.

At launch, for some AWS Regions, Amazon Cognito sent SMS messages with Amazon SNS resources in an alternate Region. To set your preferred Region, use the `SnsRegion` parameter of the [SmsConfigurationType](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SmsConfigurationType.html) object for your user pool. When you programmatically create an Amazon Cognito user pools resource in an **Amazon Cognito Region** from the following table and you do not provide an `SnsRegion` parameter, your user pool can send SMS messages with Amazon SNS resources in a legacy **Amazon SNS Region**.

Amazon Cognito user pools in the Asia Pacific (Seoul) AWS Region must use your Amazon SNS configuration in the Asia Pacific (Tokyo) Region.

Amazon SNS (via AWS End User Messaging SMS) sets the spending quota for all new accounts at \$11.00 (USD) per month. You might have increased your spend limit in an AWS Region that you use with Amazon Cognito. Before you change the AWS Region for Amazon SNS SMS messages, open a quota increase case in the AWS Support Center to increase your limit in the new Region. For more information, see [Moving from the AWS End User Messaging SMS MMS and Voice sandbox to production](https://docs.aws.amazon.com/sms-voice/latest/userguide/sandbox.html#sandbox-sms-move-to-production) in the *AWS End User Messaging SMS User Guide*.

You can send SMS messages for any **Amazon Cognito Region** in the following table with AWS End User Messaging SMS resources in the corresponding **SMS message Region**.


| Amazon Cognito Region | SMS message Region | 
| --- | --- | 
|  US East (Ohio)  |  US East (Ohio), US East (N. Virginia)  | 
|  US East (N. Virginia)  |  US East (N. Virginia)  | 
|  US West (N. California)  |  US West (N. California)  | 
|  US West (Oregon)  |  US West (Oregon)  | 
|  Canada (Central)  |  Canada (Central), US East (N. Virginia)  | 
|  Canada West (Calgary)  |  Canada West (Calgary)  | 
|  Mexico (Central)  |  Mexico (Central)  | 
|  Europe (Frankfurt)  |  Europe (Frankfurt), Europe (Ireland)  | 
|  Europe (London)  |  Europe (London), Europe (Ireland)  | 
|  Europe (Ireland)  |  Europe (Ireland)  | 
|  Europe (Paris)  |  Europe (Paris)  | 
|  Europe (Stockholm)  |  Europe (Stockholm)  | 
|  Europe (Milan)  |  Europe (Milan)  | 
|  Europe (Spain)  |  Europe (Spain)  | 
|  Europe (Zurich)  |  Europe (Zurich)  | 
| Asia Pacific (Malaysia) | Asia Pacific (Singapore) | 
|  Asia Pacific (Thailand)  |  Asia Pacific (Mumbai)  | 
|  Asia Pacific (Mumbai)  |  Asia Pacific (Mumbai), Asia Pacific (Singapore)  | 
|  Asia Pacific (Hyderabad)  |  Asia Pacific (Hyderabad)  | 
|  Asia Pacific (Hong Kong)  |  Asia Pacific (Singapore)  | 
|  Asia Pacific (Seoul)  |  Asia Pacific (Tokyo)  | 
|  Asia Pacific (Singapore)  |  Asia Pacific (Singapore)  | 
|  Asia Pacific (Sydney)  |  Asia Pacific (Sydney)  | 
|  Asia Pacific (Tokyo)  |  Asia Pacific (Tokyo)  | 
|  Asia Pacific (Jakarta)  |  Asia Pacific (Jakarta)  | 
|  Asia Pacific (Osaka)  |  Asia Pacific (Osaka)  | 
|  Asia Pacific (Melbourne)  |  Asia Pacific (Melbourne)  | 
|  Middle East (Bahrain)  |  Middle East (Bahrain)  | 
|  Middle East (UAE)  |  Middle East (UAE)  | 
|  South America (São Paulo)  |  South America (São Paulo)  | 
|  Israel (Tel Aviv)  |  Israel (Tel Aviv)  | 
|  Africa (Cape Town)  |  Africa (Cape Town)  | 

### Obtain an origination identity to send SMS messages to US phone numbers
<a name="user-pool-sms-settings-first-time-origination"></a>

If you plan to send SMS text messages to US phone numbers, you must obtain an origination identity, regardless of whether you are building an SMS sandbox testing environment or a production environment.

US carriers require an origination identity to send messages to US phone numbers. If you don't already have an origination identity, you must get one. To learn how to obtain an origination identity, see [Request a phone number](https://docs.aws.amazon.com/sms-voice/latest/userguide/phone-numbers-request.html) in the *AWS End User Messaging SMS User Guide*.

When you have more than one origination identity in the same AWS Region, AWS End User Messaging SMS chooses an origination identity type in the following order of priority: short code, 10DLC, toll-free number. You can't change this priority. For more information, see [AWS End User Messaging SMS FAQs](https://aws.amazon.com/end-user-messaging/faqs/).

### Confirm that you are in the SMS sandbox
<a name="user-pool-sms-settings-first-time-confirm-sandbox"></a>

Use the following procedure to confirm that you are in the SMS sandbox. Repeat for each AWS Region where you have production Amazon Cognito user pools.

#### Review SMS sandbox status in the Amazon Cognito console
<a name="check-that-you-are-in-the-sms-sandbox"></a>

**To confirm that you are in the SMS sandbox**

1. Go to the [Amazon Cognito console](https://console.aws.amazon.com/cognito/home). If prompted, enter your AWS credentials.

1. Choose **User Pools**.

1. Choose an existing user pool from the list.

1. Choose the **Authentication methods** menu.

1. In the **SMS configuration** section, expand **Move to Amazon SNS production environment**. If your account is in the SMS sandbox, you will see the following message:

   **Configure AWS service dependencies to complete your SMS message setup**

   If you don’t see this message, then someone has set up SMS messages in your account already. Skip to [Complete user pool setup in Amazon Cognito](#user-pool-sms-settings-first-time-finish-user-pool).

1. Choose the [Amazon SNS](https://console.aws.amazon.com/sns/home) link under **Move to Amazon SNS production environment**. This opens the Amazon SNS console in a new tab.

1. Verify that you are in the sandbox environment. The console message indicates your sandbox status and AWS Region, as follows:

   `This account is in the SMS sandbox in US East (N. Virginia).`

### Move your account out of the sandbox
<a name="user-pool-sms-settings-first-time-out-sandbox"></a>

To use your app in production, move your account out of the SMS sandbox and into production. After you have configured an origination identity in the AWS Region that contains the AWS End User Messaging SMS resources that you want Amazon Cognito to use, you can verify US phone numbers while your AWS account remains in the SMS sandbox. When your environment is in production, you don't have to verify user phone numbers before you send SMS messages to them.

You can create a request to exit the sandbox from either the AWS End User Messaging SMS console or the Amazon SNS console. For detailed instructions, see [Moving from the SMS Sandbox](https://docs.aws.amazon.com/sms-voice/latest/userguide/sandbox.html#sandbox-sms-move-to-production) in the *AWS End User Messaging SMS User Guide*.

### Use simulator numbers or verified phone numbers with AWS End User Messaging SMS
<a name="user-pool-sms-settings-first-time-verify-numbers"></a>

If you have moved your account out of the SMS sandbox, skip this step.

If you're in the sandbox but you have set up an origination number, you can send messages to verified destination numbers. To set up verified destinations, see [Add a verified destination phone number](https://docs.aws.amazon.com/sms-voice/latest/userguide/verify-destination-phone-number.html) in the *AWS End User Messaging SMS User Guide*.

You can also send messages with simulated senders and destinations. Simulator messages produce logs but don't get sent out over the carrier network. From the [Shortcuts menu](https://console.aws.amazon.com/sms-voice/home?#/shortcuts), select **Test SMS sending with SMS simulator**. For more information, see [Simulator phone numbers](https://docs.aws.amazon.com/sms-voice/latest/userguide/test-phone-numbers.html) in the *AWS End User Messaging SMS User Guide*.

### Complete user pool setup in Amazon Cognito
<a name="user-pool-sms-settings-first-time-finish-user-pool"></a>

Return to the browser tab where you were creating or [editing](signing-up-users-in-your-app.md#verification-configure) your user pool. Complete the procedure. When you have successfully added SMS configuration to your user pool, Amazon Cognito sends a test message to an internal phone number to verify that your configuration works. Amazon SNS charges for each test SMS message.