SDK for PHP V3

Client: Aws\Signin\SigninClient
Service ID: signin
Version: 2023-01-01

This page describes the parameters and results for the operations of the AWS Sign-In Service (2023-01-01), and shows how to use the Aws\Signin\SigninClient object to call the described operations. This documentation is specific to the 2023-01-01 API version of the service.

Operation Summary

Each of the following operations can be created from a client using $client->getCommand('CommandName'), where "CommandName" is the name of one of the following operations. Note: a command is a value that encapsulates an operation and the parameters used to create an HTTP request.

You can also create and send a command immediately using the magic methods available on a client object: $client->commandName(/* parameters */). You can send the command asynchronously (returning a promise) by appending the word "Async" to the operation name: $client->commandNameAsync(/* parameters */).

CreateOAuth2Token ( array $params = [] )
CreateOAuth2Token API Path: /v1/token Request Method: POST Content-Type: application/json or application/x-www-form-urlencoded This API implements OAuth 2.
CreateOAuth2TokenWithIAM ( array $params = [] )
Grants permission to exchange client credentials for an OAuth 2.
DeleteConsoleAuthorizationConfiguration ( array $params = [] )
Delete console authorization configuration with automatic scope detection
DeleteResourcePermissionStatement ( array $params = [] )
Remove a permission statement from the account's SignIn resource-based policy
GetConsoleAuthorizationConfiguration ( array $params = [] )
Get console authorization configuration with automatic scope detection
GetResourcePolicy ( array $params = [] )
Retrieve the account's consolidated SignIn resource-based policy
IntrospectOAuth2TokenWithIAM ( array $params = [] )
Grants permission to inspect the metadata and state of an OAuth 2.
ListResourcePermissionStatements ( array $params = [] )
Retrieve all permission statements in the account's SignIn resource-based policy
PutConsoleAuthorizationConfiguration ( array $params = [] )
Enable console authorization configuration with automatic scope detection
PutResourcePermissionStatement ( array $params = [] )
Create a permission statement in the account's SignIn resource-based policy
RevokeOAuth2TokenWithIAM ( array $params = [] )
Grants permission to revoke an OAuth 2.

Paginators

Paginators handle automatically iterating over paginated API results. Paginators are associated with specific API operations, and they accept the parameters that the corresponding API operation accepts. You can get a paginator from a client class using getPaginator($paginatorName, $operationParameters). This client supports the following paginators:

ListResourcePermissionStatements

Operations

CreateOAuth2Token

$result = $client->createOAuth2Token([/* ... */]);
$promise = $client->createOAuth2TokenAsync([/* ... */]);

CreateOAuth2Token API

Path: /v1/token Request Method: POST Content-Type: application/json or application/x-www-form-urlencoded

This API implements OAuth 2.0 flows for AWS Sign-In CLI clients, supporting both:

  1. Authorization code redemption (grant_type=authorization_code) - NOT idempotent
  2. Token refresh (grant_type=refresh_token) - Idempotent within token validity window

The operation behavior is determined by the grant_type parameter in the request body:

Authorization Code Flow (NOT Idempotent):

  • JSON or form-encoded body with client_id, grant_type=authorization_code, code, redirect_uri, code_verifier
  • Returns access_token, token_type, expires_in, refresh_token, and id_token
  • Each authorization code can only be used ONCE for security (prevents replay attacks)

Token Refresh Flow (Idempotent):

  • JSON or form-encoded body with client_id, grant_type=refresh_token, refresh_token
  • Returns access_token, token_type, expires_in, and refresh_token (no id_token)
  • Multiple calls with same refresh_token return consistent results within validity window

Authentication and authorization:

  • Confidential clients: sigv4 signing required with signin:ExchangeToken permissions
  • CLI clients (public): authn/authz skipped based on client_id & grant_type

Note: This operation cannot be marked as @idempotent because it handles both idempotent (token refresh) and non-idempotent (auth code redemption) flows in a single endpoint.

Parameter Syntax

$result = $client->createOAuth2Token([
    'tokenInput' => [ // REQUIRED
        'clientId' => '<string>', // REQUIRED
        'code' => '<string>',
        'codeVerifier' => '<string>',
        'grantType' => '<string>', // REQUIRED
        'redirectUri' => '<string>',
        'refreshToken' => '<string>',
    ],
]);

Parameter Details

Members
tokenInput
Required: Yes
Type: CreateOAuth2TokenRequestBody structure

Flattened token operation inputs The specific operation is determined by grant_type in the request body

Result Syntax

[
    'tokenOutput' => [
        'accessToken' => [
            'accessKeyId' => '<string>',
            'secretAccessKey' => '<string>',
            'sessionToken' => '<string>',
        ],
        'expiresIn' => <integer>,
        'idToken' => '<string>',
        'refreshToken' => '<string>',
        'tokenType' => '<string>',
    ],
]

Result Details

Members
tokenOutput
Required: Yes
Type: CreateOAuth2TokenResponseBody structure

Flattened token operation outputs The specific response fields depend on the grant_type used in the request

Errors

TooManyRequestsError:

Error thrown when rate limit is exceeded

HTTP Status Code: 429 Too Many Requests

Possible OAuth2ErrorCode values:

  • INVALID_REQUEST: Rate limiting, too many requests, abuse prevention

Possible causes:

  • Too many token requests from the same client
  • Rate limiting based on client_id or IP address
  • Abuse prevention mechanisms triggered
  • Service protection against excessive token generation
InternalServerException:

Error thrown when an internal server error occurs

HTTP Status Code: 500 Internal Server Error

Used for unexpected server-side errors that prevent request processing.

ValidationException:

Error thrown when request validation fails

HTTP Status Code: 400 Bad Request

Used for request validation errors such as malformed parameters, missing required fields, or invalid parameter values.

AccessDeniedException:

Error thrown for access denied scenarios with flexible HTTP status mapping

Runtime HTTP Status Code Mapping:

  • HTTP 401 (Unauthorized): TOKEN_EXPIRED, AUTHCODE_EXPIRED
  • HTTP 403 (Forbidden): USER_CREDENTIALS_CHANGED, INSUFFICIENT_PERMISSIONS

The specific HTTP status code is determined at runtime based on the error enum value. Consumers should use the error field to determine the specific access denial reason.

CreateOAuth2TokenWithIAM

$result = $client->createOAuth2TokenWithIAM([/* ... */]);
$promise = $client->createOAuth2TokenWithIAMAsync([/* ... */]);

Grants permission to exchange client credentials for an OAuth 2.0 access token scoped to a resource that can be used to access AWS services from applications

Parameter Syntax

$result = $client->createOAuth2TokenWithIAM([
    'grantType' => '<string>', // REQUIRED
    'resource' => '<string>', // REQUIRED
]);

Parameter Details

Members
grantType
Required: Yes
Type: string

OAuth 2.0 grant type. Must be "client_credentials".

resource
Required: Yes
Type: string

The OAuth resource for which the access token is requested. Example: "aws-mcp.amazonaws.com".

Result Syntax

[
    'accessToken' => '<string>',
    'expiresIn' => <integer>,
    'tokenType' => '<string>',
]

Result Details

Members
accessToken
Required: Yes
Type: string

JWT access token containing principal identity, resource scope, and session metadata

expiresIn
Required: Yes
Type: int

Token lifetime in seconds. Value is the minimum of session validity and 1 hour.

tokenType
Required: Yes
Type: string

Always "Bearer" per OAuth 2.1 specification

Errors

TooManyRequestsError:

Error thrown when rate limit is exceeded

HTTP Status Code: 429 Too Many Requests

Possible OAuth2ErrorCode values:

  • INVALID_REQUEST: Rate limiting, too many requests, abuse prevention

Possible causes:

  • Too many token requests from the same client
  • Rate limiting based on client_id or IP address
  • Abuse prevention mechanisms triggered
  • Service protection against excessive token generation
InternalServerException:

Error thrown when an internal server error occurs

HTTP Status Code: 500 Internal Server Error

Used for unexpected server-side errors that prevent request processing.

ValidationException:

Error thrown when request validation fails

HTTP Status Code: 400 Bad Request

Used for request validation errors such as malformed parameters, missing required fields, or invalid parameter values.

AccessDeniedException:

Error thrown for access denied scenarios with flexible HTTP status mapping

Runtime HTTP Status Code Mapping:

  • HTTP 401 (Unauthorized): TOKEN_EXPIRED, AUTHCODE_EXPIRED
  • HTTP 403 (Forbidden): USER_CREDENTIALS_CHANGED, INSUFFICIENT_PERMISSIONS

The specific HTTP status code is determined at runtime based on the error enum value. Consumers should use the error field to determine the specific access denial reason.

DeleteConsoleAuthorizationConfiguration

$result = $client->deleteConsoleAuthorizationConfiguration([/* ... */]);
$promise = $client->deleteConsoleAuthorizationConfigurationAsync([/* ... */]);

Delete console authorization configuration with automatic scope detection

Parameter Syntax

$result = $client->deleteConsoleAuthorizationConfiguration([
    'targetId' => '<string>',
]);

Parameter Details

Members
targetId
Type: string

Target account identifier

Result Syntax

[
    'consoleAuthorizationEnabled' => true || false,
    'scope' => '<string>',
    'targetId' => '<string>',
]

Result Details

Members
consoleAuthorizationEnabled
Required: Yes
Type: boolean

Whether console authorization is enabled

scope
Required: Yes
Type: string

Authorization scope

targetId
Required: Yes
Type: string

Target account identifier

Errors

TooManyRequestsError:

Error thrown when rate limit is exceeded

HTTP Status Code: 429 Too Many Requests

Possible OAuth2ErrorCode values:

  • INVALID_REQUEST: Rate limiting, too many requests, abuse prevention

Possible causes:

  • Too many token requests from the same client
  • Rate limiting based on client_id or IP address
  • Abuse prevention mechanisms triggered
  • Service protection against excessive token generation
ResourceNotFoundException:

Error thrown when requested resource is not found

HTTP Status Code: 404 Not Found

Used when the specified resource does not exist

InternalServerException:

Error thrown when an internal server error occurs

HTTP Status Code: 500 Internal Server Error

Used for unexpected server-side errors that prevent request processing.

ValidationException:

Error thrown when request validation fails

HTTP Status Code: 400 Bad Request

Used for request validation errors such as malformed parameters, missing required fields, or invalid parameter values.

AccessDeniedException:

Error thrown for access denied scenarios with flexible HTTP status mapping

Runtime HTTP Status Code Mapping:

  • HTTP 401 (Unauthorized): TOKEN_EXPIRED, AUTHCODE_EXPIRED
  • HTTP 403 (Forbidden): USER_CREDENTIALS_CHANGED, INSUFFICIENT_PERMISSIONS

The specific HTTP status code is determined at runtime based on the error enum value. Consumers should use the error field to determine the specific access denial reason.

DeleteResourcePermissionStatement

$result = $client->deleteResourcePermissionStatement([/* ... */]);
$promise = $client->deleteResourcePermissionStatementAsync([/* ... */]);

Remove a permission statement from the account's SignIn resource-based policy

Parameter Syntax

$result = $client->deleteResourcePermissionStatement([
    'clientToken' => '<string>',
    'statementId' => '<string>', // REQUIRED
]);

Parameter Details

Members
clientToken
Type: string

Idempotency token for the request

statementId
Required: Yes
Type: string

Unique identifier of the permission statement to delete

Result Syntax

[]

Result Details

The results for this operation are always empty.

Errors

TooManyRequestsError:

Error thrown when rate limit is exceeded

HTTP Status Code: 429 Too Many Requests

Possible OAuth2ErrorCode values:

  • INVALID_REQUEST: Rate limiting, too many requests, abuse prevention

Possible causes:

  • Too many token requests from the same client
  • Rate limiting based on client_id or IP address
  • Abuse prevention mechanisms triggered
  • Service protection against excessive token generation
ResourceNotFoundException:

Error thrown when requested resource is not found

HTTP Status Code: 404 Not Found

Used when the specified resource does not exist

InternalServerException:

Error thrown when an internal server error occurs

HTTP Status Code: 500 Internal Server Error

Used for unexpected server-side errors that prevent request processing.

ValidationException:

Error thrown when request validation fails

HTTP Status Code: 400 Bad Request

Used for request validation errors such as malformed parameters, missing required fields, or invalid parameter values.

AccessDeniedException:

Error thrown for access denied scenarios with flexible HTTP status mapping

Runtime HTTP Status Code Mapping:

  • HTTP 401 (Unauthorized): TOKEN_EXPIRED, AUTHCODE_EXPIRED
  • HTTP 403 (Forbidden): USER_CREDENTIALS_CHANGED, INSUFFICIENT_PERMISSIONS

The specific HTTP status code is determined at runtime based on the error enum value. Consumers should use the error field to determine the specific access denial reason.

GetConsoleAuthorizationConfiguration

$result = $client->getConsoleAuthorizationConfiguration([/* ... */]);
$promise = $client->getConsoleAuthorizationConfigurationAsync([/* ... */]);

Get console authorization configuration with automatic scope detection

Parameter Syntax

$result = $client->getConsoleAuthorizationConfiguration([
    'targetId' => '<string>',
]);

Parameter Details

Members
targetId
Type: string

Target account identifier

Result Syntax

[
    'consoleAuthorizationEnabled' => true || false,
    'scope' => '<string>',
    'targetId' => '<string>',
]

Result Details

Members
consoleAuthorizationEnabled
Required: Yes
Type: boolean

Whether console authorization is enabled

scope
Required: Yes
Type: string

Authorization scope

targetId
Required: Yes
Type: string

Target account identifier

Errors

TooManyRequestsError:

Error thrown when rate limit is exceeded

HTTP Status Code: 429 Too Many Requests

Possible OAuth2ErrorCode values:

  • INVALID_REQUEST: Rate limiting, too many requests, abuse prevention

Possible causes:

  • Too many token requests from the same client
  • Rate limiting based on client_id or IP address
  • Abuse prevention mechanisms triggered
  • Service protection against excessive token generation
ResourceNotFoundException:

Error thrown when requested resource is not found

HTTP Status Code: 404 Not Found

Used when the specified resource does not exist

InternalServerException:

Error thrown when an internal server error occurs

HTTP Status Code: 500 Internal Server Error

Used for unexpected server-side errors that prevent request processing.

ValidationException:

Error thrown when request validation fails

HTTP Status Code: 400 Bad Request

Used for request validation errors such as malformed parameters, missing required fields, or invalid parameter values.

AccessDeniedException:

Error thrown for access denied scenarios with flexible HTTP status mapping

Runtime HTTP Status Code Mapping:

  • HTTP 401 (Unauthorized): TOKEN_EXPIRED, AUTHCODE_EXPIRED
  • HTTP 403 (Forbidden): USER_CREDENTIALS_CHANGED, INSUFFICIENT_PERMISSIONS

The specific HTTP status code is determined at runtime based on the error enum value. Consumers should use the error field to determine the specific access denial reason.

GetResourcePolicy

$result = $client->getResourcePolicy([/* ... */]);
$promise = $client->getResourcePolicyAsync([/* ... */]);

Retrieve the account's consolidated SignIn resource-based policy

Parameter Syntax

$result = $client->getResourcePolicy([
]);

Parameter Details

Members

Result Syntax

[
    'signinResourceBasedPolicy' => [
        'statement' => [
            [
                'action' => ['<string>', ...],
                'condition' => [
                    '<ConditionType>' => [
                        '<String>' => ['<string>', ...],
                        // ...
                    ],
                    // ...
                ],
                'effect' => '<string>',
                'principal' => ['<string>', ...],
                'resource' => '<string>',
            ],
            // ...
        ],
        'version' => '<string>',
    ],
]

Result Details

Members
signinResourceBasedPolicy
Required: Yes
Type: SigninResourceBasedPolicy structure

The account's SignIn resource-based policy

Errors

TooManyRequestsError:

Error thrown when rate limit is exceeded

HTTP Status Code: 429 Too Many Requests

Possible OAuth2ErrorCode values:

  • INVALID_REQUEST: Rate limiting, too many requests, abuse prevention

Possible causes:

  • Too many token requests from the same client
  • Rate limiting based on client_id or IP address
  • Abuse prevention mechanisms triggered
  • Service protection against excessive token generation
ResourceNotFoundException:

Error thrown when requested resource is not found

HTTP Status Code: 404 Not Found

Used when the specified resource does not exist

InternalServerException:

Error thrown when an internal server error occurs

HTTP Status Code: 500 Internal Server Error

Used for unexpected server-side errors that prevent request processing.

AccessDeniedException:

Error thrown for access denied scenarios with flexible HTTP status mapping

Runtime HTTP Status Code Mapping:

  • HTTP 401 (Unauthorized): TOKEN_EXPIRED, AUTHCODE_EXPIRED
  • HTTP 403 (Forbidden): USER_CREDENTIALS_CHANGED, INSUFFICIENT_PERMISSIONS

The specific HTTP status code is determined at runtime based on the error enum value. Consumers should use the error field to determine the specific access denial reason.

IntrospectOAuth2TokenWithIAM

$result = $client->introspectOAuth2TokenWithIAM([/* ... */]);
$promise = $client->introspectOAuth2TokenWithIAMAsync([/* ... */]);

Grants permission to inspect the metadata and state of an OAuth 2.0 access token or refresh token

Implements RFC 7662 OAuth 2.0 Token Introspection over a SigV4-authenticated endpoint. Inspects the metadata of an access_token or refresh_token issued by AWS Sign-In and returns the claims associated with it.

Inactive token semantics (RFC 7662 ยง2.2): when the supplied token is unknown, expired, revoked, malformed, or owned by a different account, the response body is exactly { "active": false } with all other claims omitted.

Parameter Syntax

$result = $client->introspectOAuth2TokenWithIAM([
    'token' => '<string>', // REQUIRED
    'tokenTypeHint' => '<string>',
]);

Parameter Details

Members
token
Required: Yes
Type: string

The string value of the token to introspect. May be either an access_token or a refresh_token issued by AWS Sign-In.

tokenTypeHint
Type: string

Optional hint about the type of the token submitted for introspection. The server uses this hint to optimize lookup, but still falls back to the other token type on miss. Allowed values: access_token, refresh_token.

Result Syntax

[
    'accountId' => '<string>',
    'active' => true || false,
    'aud' => '<string>',
    'clientId' => '<string>',
    'exp' => <integer>,
    'iat' => <integer>,
    'iss' => '<string>',
    'jti' => '<string>',
    'nbf' => <integer>,
    'resource' => '<string>',
    'signinSession' => '<string>',
    'sub' => '<string>',
    'tokenType' => '<string>',
    'userId' => '<string>',
]

Result Details

Members
accountId
Type: string

12-digit AWS account ID of the token's subject principal.

active
Required: Yes
Type: boolean

Indicates whether the token is currently active. true only when the token is valid, has not expired, has not been revoked, and belongs to the caller's account.

aud
Type: string

Audience of the token: the OAuth resource the token is scoped to (for example, "aws-mcp.amazonaws.com"). Omitted for refresh tokens.

clientId
Type: string

Client identifier for the OAuth 2.0 client that requested the token.

exp
Type: long (int|float)

Token expiration time as a NumericDate (Unix epoch seconds).

iat
Type: long (int|float)

Token issuance time as a NumericDate (Unix epoch seconds).

iss
Type: string

Issuer of the token. Always "signin.amazonaws.com" for AWS Sign-In.

jti
Type: string

Unique identifier for the token.

nbf
Type: long (int|float)

Token "not before" time as a NumericDate (Unix epoch seconds).

resource
Type: string

The OAuth resource the token is scoped to during Human OAuth flow. Only present for refresh token introspection.

signinSession
Type: string

AWS Sign-In session ARN bound to the token, of the form arn:aws:signin:{region}:{account}:session/{uuid}.

sub
Type: string

Subject of the token: the IAM principal ARN. For assumed-role sessions, this is the session ARN (matches sts:GetCallerIdentity's Arn field), e.g. arn:aws:sts::123456789012:assumed-role/MyRole/session-name.

tokenType
Type: string

Indicates which kind of token was introspected. One of "access_token" or "refresh_token".

userId
Type: string

User identifier matching sts:GetCallerIdentity's UserId field for the token's subject principal (e.g. "AIDAEXAMPLE" for an IAM user, or "AROAEXAMPLE:session-name" for an assumed role).

Errors

TooManyRequestsError:

Error thrown when rate limit is exceeded

HTTP Status Code: 429 Too Many Requests

Possible OAuth2ErrorCode values:

  • INVALID_REQUEST: Rate limiting, too many requests, abuse prevention

Possible causes:

  • Too many token requests from the same client
  • Rate limiting based on client_id or IP address
  • Abuse prevention mechanisms triggered
  • Service protection against excessive token generation
InternalServerException:

Error thrown when an internal server error occurs

HTTP Status Code: 500 Internal Server Error

Used for unexpected server-side errors that prevent request processing.

ValidationException:

Error thrown when request validation fails

HTTP Status Code: 400 Bad Request

Used for request validation errors such as malformed parameters, missing required fields, or invalid parameter values.

AccessDeniedException:

Error thrown for access denied scenarios with flexible HTTP status mapping

Runtime HTTP Status Code Mapping:

  • HTTP 401 (Unauthorized): TOKEN_EXPIRED, AUTHCODE_EXPIRED
  • HTTP 403 (Forbidden): USER_CREDENTIALS_CHANGED, INSUFFICIENT_PERMISSIONS

The specific HTTP status code is determined at runtime based on the error enum value. Consumers should use the error field to determine the specific access denial reason.

ListResourcePermissionStatements

$result = $client->listResourcePermissionStatements([/* ... */]);
$promise = $client->listResourcePermissionStatementsAsync([/* ... */]);

Retrieve all permission statements in the account's SignIn resource-based policy

Parameter Syntax

$result = $client->listResourcePermissionStatements([
    'maxResults' => <integer>,
    'nextToken' => '<string>',
]);

Parameter Details

Members
maxResults
Type: int

Maximum number of results to return

nextToken
Type: string

Token for pagination

Result Syntax

[
    'nextToken' => '<string>',
    'permissionStatements' => [
        [
            'condition' => [
                '<ConditionType>' => [
                    '<String>' => ['<string>', ...],
                    // ...
                ],
                // ...
            ],
            'sid' => '<string>',
        ],
        // ...
    ],
]

Result Details

Members
nextToken
Type: string

Token for next page of results

permissionStatements
Required: Yes
Type: Array of PermissionStatementSummary structures

List of permission statement summaries

Errors

TooManyRequestsError:

Error thrown when rate limit is exceeded

HTTP Status Code: 429 Too Many Requests

Possible OAuth2ErrorCode values:

  • INVALID_REQUEST: Rate limiting, too many requests, abuse prevention

Possible causes:

  • Too many token requests from the same client
  • Rate limiting based on client_id or IP address
  • Abuse prevention mechanisms triggered
  • Service protection against excessive token generation
ResourceNotFoundException:

Error thrown when requested resource is not found

HTTP Status Code: 404 Not Found

Used when the specified resource does not exist

InternalServerException:

Error thrown when an internal server error occurs

HTTP Status Code: 500 Internal Server Error

Used for unexpected server-side errors that prevent request processing.

ValidationException:

Error thrown when request validation fails

HTTP Status Code: 400 Bad Request

Used for request validation errors such as malformed parameters, missing required fields, or invalid parameter values.

AccessDeniedException:

Error thrown for access denied scenarios with flexible HTTP status mapping

Runtime HTTP Status Code Mapping:

  • HTTP 401 (Unauthorized): TOKEN_EXPIRED, AUTHCODE_EXPIRED
  • HTTP 403 (Forbidden): USER_CREDENTIALS_CHANGED, INSUFFICIENT_PERMISSIONS

The specific HTTP status code is determined at runtime based on the error enum value. Consumers should use the error field to determine the specific access denial reason.

PutConsoleAuthorizationConfiguration

$result = $client->putConsoleAuthorizationConfiguration([/* ... */]);
$promise = $client->putConsoleAuthorizationConfigurationAsync([/* ... */]);

Enable console authorization configuration with automatic scope detection

Parameter Syntax

$result = $client->putConsoleAuthorizationConfiguration([
    'targetId' => '<string>',
]);

Parameter Details

Members
targetId
Type: string

Target account identifier

Result Syntax

[
    'consoleAuthorizationEnabled' => true || false,
    'scope' => '<string>',
    'targetId' => '<string>',
]

Result Details

Members
consoleAuthorizationEnabled
Required: Yes
Type: boolean

Whether console authorization is enabled

scope
Required: Yes
Type: string

Authorization scope

targetId
Required: Yes
Type: string

Target account identifier

Errors

TooManyRequestsError:

Error thrown when rate limit is exceeded

HTTP Status Code: 429 Too Many Requests

Possible OAuth2ErrorCode values:

  • INVALID_REQUEST: Rate limiting, too many requests, abuse prevention

Possible causes:

  • Too many token requests from the same client
  • Rate limiting based on client_id or IP address
  • Abuse prevention mechanisms triggered
  • Service protection against excessive token generation
ConflictException:

Error thrown when request conflicts with current state

HTTP Status Code: 409 Conflict

Used when the request conflicts with the current state of the resource

ResourceNotFoundException:

Error thrown when requested resource is not found

HTTP Status Code: 404 Not Found

Used when the specified resource does not exist

InternalServerException:

Error thrown when an internal server error occurs

HTTP Status Code: 500 Internal Server Error

Used for unexpected server-side errors that prevent request processing.

ValidationException:

Error thrown when request validation fails

HTTP Status Code: 400 Bad Request

Used for request validation errors such as malformed parameters, missing required fields, or invalid parameter values.

AccessDeniedException:

Error thrown for access denied scenarios with flexible HTTP status mapping

Runtime HTTP Status Code Mapping:

  • HTTP 401 (Unauthorized): TOKEN_EXPIRED, AUTHCODE_EXPIRED
  • HTTP 403 (Forbidden): USER_CREDENTIALS_CHANGED, INSUFFICIENT_PERMISSIONS

The specific HTTP status code is determined at runtime based on the error enum value. Consumers should use the error field to determine the specific access denial reason.

PutResourcePermissionStatement

$result = $client->putResourcePermissionStatement([/* ... */]);
$promise = $client->putResourcePermissionStatementAsync([/* ... */]);

Create a permission statement in the account's SignIn resource-based policy

Parameter Syntax

$result = $client->putResourcePermissionStatement([
    'clientToken' => '<string>',
    'consoleSourceVpce' => '<string>',
    'excludedPrincipal' => '<string>',
    'requestedRegion' => '<string>',
    'signinSourceVpce' => '<string>',
    'sourceIp' => '<string>',
    'sourceVpc' => '<string>',
    'vpcSourceIp' => '<string>',
]);

Parameter Details

Members
clientToken
Type: string

Idempotency token for the request

consoleSourceVpce
Type: string

Console VPC endpoint identifier

excludedPrincipal
Type: string

Principal to exclude from the permission statement

requestedRegion
Type: string

AWS region where the VPC and VPC endpoint reside Required when sourceVpc or signinSourceVpce/consoleSourceVpce is provided

signinSourceVpce
Type: string

SignIn VPC endpoint identifier

sourceIp
Type: string

Source IP address

sourceVpc
Type: string

VPC identifier to restrict console access

vpcSourceIp
Type: string

Source IP address within VPC

Result Syntax

[
    'statementId' => '<string>',
]

Result Details

Members
statementId
Required: Yes
Type: string

Unique identifier for the created permission statement

Errors

TooManyRequestsError:

Error thrown when rate limit is exceeded

HTTP Status Code: 429 Too Many Requests

Possible OAuth2ErrorCode values:

  • INVALID_REQUEST: Rate limiting, too many requests, abuse prevention

Possible causes:

  • Too many token requests from the same client
  • Rate limiting based on client_id or IP address
  • Abuse prevention mechanisms triggered
  • Service protection against excessive token generation
ConflictException:

Error thrown when request conflicts with current state

HTTP Status Code: 409 Conflict

Used when the request conflicts with the current state of the resource

ServiceQuotaExceededException:

Error thrown when service quota is exceeded

HTTP Status Code: 402 Payment Required (used as quota exceeded indicator)

Used when the request would cause a service quota to be exceeded

InternalServerException:

Error thrown when an internal server error occurs

HTTP Status Code: 500 Internal Server Error

Used for unexpected server-side errors that prevent request processing.

ValidationException:

Error thrown when request validation fails

HTTP Status Code: 400 Bad Request

Used for request validation errors such as malformed parameters, missing required fields, or invalid parameter values.

AccessDeniedException:

Error thrown for access denied scenarios with flexible HTTP status mapping

Runtime HTTP Status Code Mapping:

  • HTTP 401 (Unauthorized): TOKEN_EXPIRED, AUTHCODE_EXPIRED
  • HTTP 403 (Forbidden): USER_CREDENTIALS_CHANGED, INSUFFICIENT_PERMISSIONS

The specific HTTP status code is determined at runtime based on the error enum value. Consumers should use the error field to determine the specific access denial reason.

RevokeOAuth2TokenWithIAM

$result = $client->revokeOAuth2TokenWithIAM([/* ... */]);
$promise = $client->revokeOAuth2TokenWithIAMAsync([/* ... */]);

Grants permission to revoke an OAuth 2.0 refresh token and its associated refresh tokens

Revokes a refresh_token issued by AWS Sign-In, invalidating the entire token chain so that the refresh_token can no longer be used to mint new access_tokens.

Idempotency: revoking an already-revoked, expired, or otherwise invalid token still returns 200 OK with an empty body. Only the refresh_token type is accepted.

Parameter Syntax

$result = $client->revokeOAuth2TokenWithIAM([
    'token' => '<string>', // REQUIRED
]);

Parameter Details

Members
token
Required: Yes
Type: string

The refresh_token to revoke. Must be a refresh_token issued by AWS Sign-In (prefix "ASOR"); access_tokens are not accepted for revocation.

Result Syntax

[]

Result Details

The results for this operation are always empty.

Errors

TooManyRequestsError:

Error thrown when rate limit is exceeded

HTTP Status Code: 429 Too Many Requests

Possible OAuth2ErrorCode values:

  • INVALID_REQUEST: Rate limiting, too many requests, abuse prevention

Possible causes:

  • Too many token requests from the same client
  • Rate limiting based on client_id or IP address
  • Abuse prevention mechanisms triggered
  • Service protection against excessive token generation
InternalServerException:

Error thrown when an internal server error occurs

HTTP Status Code: 500 Internal Server Error

Used for unexpected server-side errors that prevent request processing.

ValidationException:

Error thrown when request validation fails

HTTP Status Code: 400 Bad Request

Used for request validation errors such as malformed parameters, missing required fields, or invalid parameter values.

AccessDeniedException:

Error thrown for access denied scenarios with flexible HTTP status mapping

Runtime HTTP Status Code Mapping:

  • HTTP 401 (Unauthorized): TOKEN_EXPIRED, AUTHCODE_EXPIRED
  • HTTP 403 (Forbidden): USER_CREDENTIALS_CHANGED, INSUFFICIENT_PERMISSIONS

The specific HTTP status code is determined at runtime based on the error enum value. Consumers should use the error field to determine the specific access denial reason.

Shapes

AccessDeniedException

Description

Error thrown for access denied scenarios with flexible HTTP status mapping

Runtime HTTP Status Code Mapping:

  • HTTP 401 (Unauthorized): TOKEN_EXPIRED, AUTHCODE_EXPIRED
  • HTTP 403 (Forbidden): USER_CREDENTIALS_CHANGED, INSUFFICIENT_PERMISSIONS

The specific HTTP status code is determined at runtime based on the error enum value. Consumers should use the error field to determine the specific access denial reason.

Members
error
Required: Yes
Type: string

OAuth 2.0 error code indicating the specific type of access denial Can be TOKEN_EXPIRED, AUTHCODE_EXPIRED, USER_CREDENTIALS_CHANGED, or INSUFFICIENT_PERMISSIONS

message
Required: Yes
Type: string

Detailed message explaining the access denial Provides specific information about why access was denied

AccessToken

Description

AWS credentials structure containing temporary access credentials

Scoped, temporary AWS credentials with a 15-minute duration.

Members
accessKeyId
Required: Yes
Type: string

AWS access key ID for temporary credentials

secretAccessKey
Required: Yes
Type: string

AWS secret access key for temporary credentials

sessionToken
Required: Yes
Type: string

AWS session token for temporary credentials

ConflictException

Description

Error thrown when request conflicts with current state

HTTP Status Code: 409 Conflict

Used when the request conflicts with the current state of the resource

Members
error
Required: Yes
Type: string

OAuth 2.0 error code indicating conflict Will be CONFLICT

message
Required: Yes
Type: string

Detailed message explaining the conflict Provides specific information about what caused the conflict

CreateOAuth2TokenRequestBody

Description

Request body payload for CreateOAuth2Token operation

The operation type is determined by the grant_type parameter:

  • grant_type=authorization_code: Requires code, redirect_uri, code_verifier
  • grant_type=refresh_token: Requires refresh_token
Members
clientId
Required: Yes
Type: string

The client identifier (ARN) used during Sign-In onboarding Required for both authorization code and refresh token flows

code
Type: string

The authorization code received from /v1/authorize Required only when grant_type=authorization_code

codeVerifier
Type: string

PKCE code verifier to prove possession of the original code challenge Required only when grant_type=authorization_code

grantType
Required: Yes
Type: string

OAuth 2.0 grant type - determines which flow is used Must be "authorization_code" or "refresh_token"

redirectUri
Type: string

The redirect URI that must match the original authorization request Required only when grant_type=authorization_code

refreshToken
Type: string

The refresh token returned from auth_code redemption Required only when grant_type=refresh_token

CreateOAuth2TokenResponseBody

Description

Response body payload for CreateOAuth2Token operation

The response content depends on the grant_type from the request:

  • grant_type=authorization_code: Returns all fields including refresh_token and id_token
  • grant_type=refresh_token: Returns access_token, token_type, expires_in, refresh_token (no id_token)
Members
accessToken
Required: Yes
Type: AccessToken structure

Scoped-down AWS credentials (15 minute duration) Present for both authorization code redemption and token refresh

expiresIn
Required: Yes
Type: int

Time to expiry in seconds (maximum 900) Present for both authorization code redemption and token refresh

idToken
Type: string

ID token containing user identity information Present only in authorization code redemption response (grant_type=authorization_code) Not included in token refresh responses

refreshToken
Required: Yes
Type: string

Encrypted refresh token with cnf.jkt (SHA-256 thumbprint of presented jwk) Always present in responses (required for both flows)

tokenType
Required: Yes
Type: string

Token type indicating this is AWS SigV4 credentials Value is "aws_sigv4" for both flows

InternalServerException

Description

Error thrown when an internal server error occurs

HTTP Status Code: 500 Internal Server Error

Used for unexpected server-side errors that prevent request processing.

Members
error
Required: Yes
Type: string

OAuth 2.0 error code indicating server error Will be SERVER_ERROR for internal server errors

message
Required: Yes
Type: string

Detailed message explaining the server error May include error details for debugging purposes

PermissionStatementSummary

Description

Summary of a permission statement

Members
condition
Type: Associative array of custom strings keys (ConditionType) to maps

Condition block for the permission statement

sid
Required: Yes
Type: string

Unique identifier for the permission statement

PolicyStatement

Description

Individual policy statement within a resource-based policy

Members
action
Type: Array of strings

Actions the statement controls

condition
Type: Associative array of custom strings keys (ConditionType) to maps

Condition block for the statement

effect
Type: string

Effect of the policy statement (Allow/Deny)

principal
Type: Associative array of custom strings keys (String) to strings

Principal the statement applies to

resource
Type: string

Resource the statement applies to

ResourceNotFoundException

Description

Error thrown when requested resource is not found

HTTP Status Code: 404 Not Found

Used when the specified resource does not exist

Members
error
Required: Yes
Type: string

OAuth 2.0 error code indicating resource not found Will be RESOURCE_NOT_FOUND

message
Required: Yes
Type: string

Detailed message explaining which resource was not found Provides specific information about the missing resource

ServiceQuotaExceededException

Description

Error thrown when service quota is exceeded

HTTP Status Code: 402 Payment Required (used as quota exceeded indicator)

Used when the request would cause a service quota to be exceeded

Members
error
Required: Yes
Type: string

OAuth 2.0 error code indicating service quota exceeded Will be SERVICE_QUOTA_EXCEEDED

message
Required: Yes
Type: string

Detailed message explaining which quota was exceeded Provides specific information about the limit and current usage

SigninResourceBasedPolicy

Description

SignIn resource-based policy document

Members
statement
Type: Array of PolicyStatement structures

Policy statements

version
Type: string

Policy version

TooManyRequestsError

Description

Error thrown when rate limit is exceeded

HTTP Status Code: 429 Too Many Requests

Possible OAuth2ErrorCode values:

  • INVALID_REQUEST: Rate limiting, too many requests, abuse prevention

Possible causes:

  • Too many token requests from the same client
  • Rate limiting based on client_id or IP address
  • Abuse prevention mechanisms triggered
  • Service protection against excessive token generation
Members
error
Required: Yes
Type: string

OAuth 2.0 error code indicating the specific type of error Will be INVALID_REQUEST for rate limiting scenarios

message
Required: Yes
Type: string

Detailed message about the rate limiting May include retry-after information or rate limit details

ValidationException

Description

Error thrown when request validation fails

HTTP Status Code: 400 Bad Request

Used for request validation errors such as malformed parameters, missing required fields, or invalid parameter values.

Members
error
Required: Yes
Type: string

OAuth 2.0 error code indicating validation failure Will be INVALID_REQUEST for validation errors

message
Required: Yes
Type: string

Detailed message explaining the validation failure Provides specific information about which validation failed