# Actions


The following actions are supported:
+  [AddCustomAttributes](API_AddCustomAttributes.md) 
+  [AddUserPoolClientSecret](API_AddUserPoolClientSecret.md) 
+  [AdminAddUserToGroup](API_AdminAddUserToGroup.md) 
+  [AdminConfirmSignUp](API_AdminConfirmSignUp.md) 
+  [AdminCreateUser](API_AdminCreateUser.md) 
+  [AdminDeleteUser](API_AdminDeleteUser.md) 
+  [AdminDeleteUserAttributes](API_AdminDeleteUserAttributes.md) 
+  [AdminDisableProviderForUser](API_AdminDisableProviderForUser.md) 
+  [AdminDisableUser](API_AdminDisableUser.md) 
+  [AdminEnableUser](API_AdminEnableUser.md) 
+  [AdminForgetDevice](API_AdminForgetDevice.md) 
+  [AdminGetDevice](API_AdminGetDevice.md) 
+  [AdminGetUser](API_AdminGetUser.md) 
+  [AdminInitiateAuth](API_AdminInitiateAuth.md) 
+  [AdminLinkProviderForUser](API_AdminLinkProviderForUser.md) 
+  [AdminListDevices](API_AdminListDevices.md) 
+  [AdminListGroupsForUser](API_AdminListGroupsForUser.md) 
+  [AdminListUserAuthEvents](API_AdminListUserAuthEvents.md) 
+  [AdminRemoveUserFromGroup](API_AdminRemoveUserFromGroup.md) 
+  [AdminResetUserPassword](API_AdminResetUserPassword.md) 
+  [AdminRespondToAuthChallenge](API_AdminRespondToAuthChallenge.md) 
+  [AdminSetUserMFAPreference](API_AdminSetUserMFAPreference.md) 
+  [AdminSetUserPassword](API_AdminSetUserPassword.md) 
+  [AdminSetUserSettings](API_AdminSetUserSettings.md) 
+  [AdminUpdateAuthEventFeedback](API_AdminUpdateAuthEventFeedback.md) 
+  [AdminUpdateDeviceStatus](API_AdminUpdateDeviceStatus.md) 
+  [AdminUpdateUserAttributes](API_AdminUpdateUserAttributes.md) 
+  [AdminUserGlobalSignOut](API_AdminUserGlobalSignOut.md) 
+  [AssociateSoftwareToken](API_AssociateSoftwareToken.md) 
+  [ChangePassword](API_ChangePassword.md) 
+  [CompleteWebAuthnRegistration](API_CompleteWebAuthnRegistration.md) 
+  [ConfirmDevice](API_ConfirmDevice.md) 
+  [ConfirmForgotPassword](API_ConfirmForgotPassword.md) 
+  [ConfirmSignUp](API_ConfirmSignUp.md) 
+  [CreateGroup](API_CreateGroup.md) 
+  [CreateIdentityProvider](API_CreateIdentityProvider.md) 
+  [CreateManagedLoginBranding](API_CreateManagedLoginBranding.md) 
+  [CreateResourceServer](API_CreateResourceServer.md) 
+  [CreateTerms](API_CreateTerms.md) 
+  [CreateUserImportJob](API_CreateUserImportJob.md) 
+  [CreateUserPool](API_CreateUserPool.md) 
+  [CreateUserPoolClient](API_CreateUserPoolClient.md) 
+  [CreateUserPoolDomain](API_CreateUserPoolDomain.md) 
+  [DeleteGroup](API_DeleteGroup.md) 
+  [DeleteIdentityProvider](API_DeleteIdentityProvider.md) 
+  [DeleteManagedLoginBranding](API_DeleteManagedLoginBranding.md) 
+  [DeleteResourceServer](API_DeleteResourceServer.md) 
+  [DeleteTerms](API_DeleteTerms.md) 
+  [DeleteUser](API_DeleteUser.md) 
+  [DeleteUserAttributes](API_DeleteUserAttributes.md) 
+  [DeleteUserPool](API_DeleteUserPool.md) 
+  [DeleteUserPoolClient](API_DeleteUserPoolClient.md) 
+  [DeleteUserPoolClientSecret](API_DeleteUserPoolClientSecret.md) 
+  [DeleteUserPoolDomain](API_DeleteUserPoolDomain.md) 
+  [DeleteWebAuthnCredential](API_DeleteWebAuthnCredential.md) 
+  [DescribeIdentityProvider](API_DescribeIdentityProvider.md) 
+  [DescribeManagedLoginBranding](API_DescribeManagedLoginBranding.md) 
+  [DescribeManagedLoginBrandingByClient](API_DescribeManagedLoginBrandingByClient.md) 
+  [DescribeResourceServer](API_DescribeResourceServer.md) 
+  [DescribeRiskConfiguration](API_DescribeRiskConfiguration.md) 
+  [DescribeTerms](API_DescribeTerms.md) 
+  [DescribeUserImportJob](API_DescribeUserImportJob.md) 
+  [DescribeUserPool](API_DescribeUserPool.md) 
+  [DescribeUserPoolClient](API_DescribeUserPoolClient.md) 
+  [DescribeUserPoolDomain](API_DescribeUserPoolDomain.md) 
+  [ForgetDevice](API_ForgetDevice.md) 
+  [ForgotPassword](API_ForgotPassword.md) 
+  [GetCSVHeader](API_GetCSVHeader.md) 
+  [GetDevice](API_GetDevice.md) 
+  [GetGroup](API_GetGroup.md) 
+  [GetIdentityProviderByIdentifier](API_GetIdentityProviderByIdentifier.md) 
+  [GetLogDeliveryConfiguration](API_GetLogDeliveryConfiguration.md) 
+  [GetSigningCertificate](API_GetSigningCertificate.md) 
+  [GetTokensFromRefreshToken](API_GetTokensFromRefreshToken.md) 
+  [GetUICustomization](API_GetUICustomization.md) 
+  [GetUser](API_GetUser.md) 
+  [GetUserAttributeVerificationCode](API_GetUserAttributeVerificationCode.md) 
+  [GetUserAuthFactors](API_GetUserAuthFactors.md) 
+  [GetUserPoolMfaConfig](API_GetUserPoolMfaConfig.md) 
+  [GlobalSignOut](API_GlobalSignOut.md) 
+  [InitiateAuth](API_InitiateAuth.md) 
+  [ListDevices](API_ListDevices.md) 
+  [ListGroups](API_ListGroups.md) 
+  [ListIdentityProviders](API_ListIdentityProviders.md) 
+  [ListResourceServers](API_ListResourceServers.md) 
+  [ListTagsForResource](API_ListTagsForResource.md) 
+  [ListTerms](API_ListTerms.md) 
+  [ListUserImportJobs](API_ListUserImportJobs.md) 
+  [ListUserPoolClients](API_ListUserPoolClients.md) 
+  [ListUserPoolClientSecrets](API_ListUserPoolClientSecrets.md) 
+  [ListUserPools](API_ListUserPools.md) 
+  [ListUsers](API_ListUsers.md) 
+  [ListUsersInGroup](API_ListUsersInGroup.md) 
+  [ListWebAuthnCredentials](API_ListWebAuthnCredentials.md) 
+  [ResendConfirmationCode](API_ResendConfirmationCode.md) 
+  [RespondToAuthChallenge](API_RespondToAuthChallenge.md) 
+  [RevokeToken](API_RevokeToken.md) 
+  [SetLogDeliveryConfiguration](API_SetLogDeliveryConfiguration.md) 
+  [SetRiskConfiguration](API_SetRiskConfiguration.md) 
+  [SetUICustomization](API_SetUICustomization.md) 
+  [SetUserMFAPreference](API_SetUserMFAPreference.md) 
+  [SetUserPoolMfaConfig](API_SetUserPoolMfaConfig.md) 
+  [SetUserSettings](API_SetUserSettings.md) 
+  [SignUp](API_SignUp.md) 
+  [StartUserImportJob](API_StartUserImportJob.md) 
+  [StartWebAuthnRegistration](API_StartWebAuthnRegistration.md) 
+  [StopUserImportJob](API_StopUserImportJob.md) 
+  [TagResource](API_TagResource.md) 
+  [UntagResource](API_UntagResource.md) 
+  [UpdateAuthEventFeedback](API_UpdateAuthEventFeedback.md) 
+  [UpdateDeviceStatus](API_UpdateDeviceStatus.md) 
+  [UpdateGroup](API_UpdateGroup.md) 
+  [UpdateIdentityProvider](API_UpdateIdentityProvider.md) 
+  [UpdateManagedLoginBranding](API_UpdateManagedLoginBranding.md) 
+  [UpdateResourceServer](API_UpdateResourceServer.md) 
+  [UpdateTerms](API_UpdateTerms.md) 
+  [UpdateUserAttributes](API_UpdateUserAttributes.md) 
+  [UpdateUserPool](API_UpdateUserPool.md) 
+  [UpdateUserPoolClient](API_UpdateUserPoolClient.md) 
+  [UpdateUserPoolDomain](API_UpdateUserPoolDomain.md) 
+  [VerifySoftwareToken](API_VerifySoftwareToken.md) 
+  [VerifyUserAttribute](API_VerifyUserAttribute.md) 

# AddCustomAttributes


Adds additional user attributes to the user pool schema. Custom attributes can be mutable or immutable and have a `custom:` or `dev:` prefix. For more information, see [Custom attributes](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html#user-pool-settings-custom-attributes).

You can also create custom attributes in the [CreateUserPool](API_CreateUserPool.md) of `CreateUserPool` and `UpdateUserPool`. You can't delete custom attributes after you create them.

**Note**  
Amazon Cognito evaluates AWS Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.  
 [Signing AWS API Requests](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html) 
 [Using the Amazon Cognito user pools API and user pool endpoints](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html) 

## Request Syntax


```
{
   "CustomAttributes": [ 
      { 
         "AttributeDataType": "string",
         "DeveloperOnlyAttribute": boolean,
         "Mutable": boolean,
         "Name": "string",
         "NumberAttributeConstraints": { 
            "MaxValue": "string",
            "MinValue": "string"
         },
         "Required": boolean,
         "StringAttributeConstraints": { 
            "MaxLength": "string",
            "MinLength": "string"
         }
      }
   ],
   "UserPoolId": "string"
}
```

## Request Parameters


For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).

The request accepts the following data in JSON format.

 ** [CustomAttributes](#API_AddCustomAttributes_RequestSyntax) **   <a name="CognitoUserPools-AddCustomAttributes-request-CustomAttributes"></a>
An array of custom attribute names and other properties. Sets the following characteristics:    
AttributeDataType  
The expected data type. Can be a string, a number, a date and time, or a boolean.  
Mutable  
If true, you can grant app clients write access to the attribute value. If false, the attribute value can only be set up on sign-up or administrator creation of users.  
Name  
The attribute name. For an attribute like `custom:myAttribute`, enter `myAttribute` for this field.  
Required  
When true, users who sign up or are created must set a value for the attribute.  
NumberAttributeConstraints  
The minimum and maximum length of accepted values for a `Number`-type attribute.  
StringAttributeConstraints  
The minimum and maximum length of accepted values for a `String`-type attribute.  
DeveloperOnlyAttribute  
This legacy option creates an attribute with a `dev:` prefix. You can only set the value of a developer-only attribute with administrative IAM credentials.
Type: Array of [SchemaAttributeType](API_SchemaAttributeType.md) objects  
Array Members: Minimum number of 1 item. Maximum number of 25 items.  
Required: Yes

 ** [UserPoolId](#API_AddCustomAttributes_RequestSyntax) **   <a name="CognitoUserPools-AddCustomAttributes-request-UserPoolId"></a>
The ID of the user pool where you want to add custom attributes.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 55.  
Pattern: `[\w-]+_[0-9a-zA-Z]+`   
Required: Yes

## Response Elements


If the action is successful, the service sends back an HTTP 200 response with an empty HTTP body.

## Errors


For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).

 ** InternalErrorException **   
This exception is thrown when Amazon Cognito encounters an internal error.    
 ** message **   
The message returned when Amazon Cognito throws an internal error exception.
HTTP Status Code: 500

 ** InvalidParameterException **   
This exception is thrown when the Amazon Cognito service encounters an invalid parameter.    
 ** message **   
The message returned when the Amazon Cognito service throws an invalid parameter exception.  
 ** reasonCode **   
The reason code of the exception.
HTTP Status Code: 400

 ** NotAuthorizedException **   
This exception is thrown when a user isn't authorized.    
 ** message **   
The message returned when the Amazon Cognito service returns a not authorized exception.
HTTP Status Code: 400

 ** ResourceNotFoundException **   
This exception is thrown when the Amazon Cognito service can't find the requested resource.    
 ** message **   
The message returned when the Amazon Cognito service returns a resource not found exception.
HTTP Status Code: 400

 ** TooManyRequestsException **   
This exception is thrown when the user has made too many requests for a given operation.    
 ** message **   
The message returned when the Amazon Cognito service returns a too many requests exception.
HTTP Status Code: 400

 ** UserImportInProgressException **   
This exception is thrown when you're trying to modify a user pool while a user import job is in progress for that pool.    
 ** message **   
The message returned when the user pool has an import job running.
HTTP Status Code: 400

## Examples


### Example


This example request adds the mutable custom attribute `custom:deliverables`, a string with a maximum length of 255 characters, to the user pool schema.

#### Sample Request


```
POST HTTP/1.1
Host: cognito-idp.us-west-2.amazonaws.com
X-Amz-Date: 20230613T200059Z
Accept-Encoding: gzip, deflate, br
X-Amz-Target: AWSCognitoIdentityProviderService.AddCustomAttributes
User-Agent: <UserAgentString>
Authorization: AWS4-HMAC-SHA256 Credential=<Credential>, SignedHeaders=<Headers>, Signature=<Signature>
Content-Length: <PayloadSizeBytes>

{
    "CustomAttributes": [
        {
            "AttributeDataType": "String",
            "DeveloperOnlyAttribute": false,
            "Mutable": true,
            "Name": "deliverables",
            "Required": false,
            "StringAttributeConstraints": {
                "MaxLength": "255",
                "MinLength": "1"
            }
        }
    ],
    "UserPoolId": "us-west-2_EXAMPLE"
}
```

#### Sample Response


```
HTTP/1.1 200 OK
Date: Tue, 13 Jun 2023 20:00:59 GMT
Content-Type: application/x-amz-json-1.0
Content-Length: <PayloadSizeBytes>
x-amzn-requestid: a1b2c3d4-e5f6-a1b2-c3d4-EXAMPLE11111
Connection: keep-alive

{}
```

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cognito-idp-2016-04-18/AddCustomAttributes) 
+  [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cognito-idp-2016-04-18/AddCustomAttributes) 
+  [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/AddCustomAttributes) 
+  [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cognito-idp-2016-04-18/AddCustomAttributes) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/AddCustomAttributes) 
+  [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cognito-idp-2016-04-18/AddCustomAttributes) 
+  [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cognito-idp-2016-04-18/AddCustomAttributes) 
+  [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cognito-idp-2016-04-18/AddCustomAttributes) 
+  [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/AddCustomAttributes) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cognito-idp-2016-04-18/AddCustomAttributes) 

# AddUserPoolClientSecret


Creates a new client secret for an existing confidential user pool app client. Supports up to 2 active secrets per app client for zero-downtime credential rotation workflows.

## Request Syntax


```
{
   "ClientId": "string",
   "ClientSecret": "string",
   "UserPoolId": "string"
}
```

## Request Parameters


For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).

The request accepts the following data in JSON format.

 ** [ClientId](#API_AddUserPoolClientSecret_RequestSyntax) **   <a name="CognitoUserPools-AddUserPoolClientSecret-request-ClientId"></a>
The ID of the app client for which you want to create a new secret.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 128.  
Pattern: `[\w+]+`   
Required: Yes

 ** [ClientSecret](#API_AddUserPoolClientSecret_RequestSyntax) **   <a name="CognitoUserPools-AddUserPoolClientSecret-request-ClientSecret"></a>
The client secret value you want to use. If you don't provide this parameter, Amazon Cognito generates a secure secret for you.  
Type: String  
Length Constraints: Minimum length of 24. Maximum length of 64.  
Pattern: `[\w+]+`   
Required: No

 ** [UserPoolId](#API_AddUserPoolClientSecret_RequestSyntax) **   <a name="CognitoUserPools-AddUserPoolClientSecret-request-UserPoolId"></a>
The ID of the user pool that contains the app client.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 55.  
Pattern: `[\w-]+_[0-9a-zA-Z]+`   
Required: Yes

## Response Syntax


```
{
   "ClientSecretDescriptor": { 
      "ClientSecretCreateDate": number,
      "ClientSecretId": "string",
      "ClientSecretValue": "string"
   }
}
```

## Response Elements


If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

 ** [ClientSecretDescriptor](#API_AddUserPoolClientSecret_ResponseSyntax) **   <a name="CognitoUserPools-AddUserPoolClientSecret-response-ClientSecretDescriptor"></a>
The details of the newly created client secret, including its unique identifier and creation timestamp. The ClientSecretValue is only returned when Amazon Cognito generates the secret. For custom secrets that you provide, the ClientSecretValue is not included in the response.  
Type: [ClientSecretDescriptorType](API_ClientSecretDescriptorType.md) object

## Errors


For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).

 ** AccessDeniedException **   
This exception is thrown when you don't have sufficient permissions to perform the requested operation.  
HTTP Status Code: 400

 ** InternalServerException **   
This exception is thrown when Amazon Cognito encounters an internal server error.  
HTTP Status Code: 500

 ** InvalidParameterException **   
This exception is thrown when the Amazon Cognito service encounters an invalid parameter.    
 ** message **   
The message returned when the Amazon Cognito service throws an invalid parameter exception.  
 ** reasonCode **   
The reason code of the exception.
HTTP Status Code: 400

 ** LimitExceededException **   
This exception is thrown when a user exceeds the limit for a requested AWS resource.    
 ** message **   
The message returned when Amazon Cognito throws a limit exceeded exception.
HTTP Status Code: 400

 ** ResourceNotFoundException **   
This exception is thrown when the Amazon Cognito service can't find the requested resource.    
 ** message **   
The message returned when the Amazon Cognito service returns a resource not found exception.
HTTP Status Code: 400

 ** TooManyRequestsException **   
This exception is thrown when the user has made too many requests for a given operation.    
 ** message **   
The message returned when the Amazon Cognito service returns a too many requests exception.
HTTP Status Code: 400

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cognito-idp-2016-04-18/AddUserPoolClientSecret) 
+  [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cognito-idp-2016-04-18/AddUserPoolClientSecret) 
+  [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/AddUserPoolClientSecret) 
+  [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cognito-idp-2016-04-18/AddUserPoolClientSecret) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/AddUserPoolClientSecret) 
+  [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cognito-idp-2016-04-18/AddUserPoolClientSecret) 
+  [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cognito-idp-2016-04-18/AddUserPoolClientSecret) 
+  [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cognito-idp-2016-04-18/AddUserPoolClientSecret) 
+  [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/AddUserPoolClientSecret) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cognito-idp-2016-04-18/AddUserPoolClientSecret) 

# AdminAddUserToGroup


Adds a user to a group. A user who is in a group can present a preferred-role claim to an identity pool, and populates a `cognito:groups` claim to their access and identity tokens.

**Note**  
Amazon Cognito evaluates AWS Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.  
 [Signing AWS API Requests](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html) 
 [Using the Amazon Cognito user pools API and user pool endpoints](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html) 

## Request Syntax


```
{
   "GroupName": "string",
   "Username": "string",
   "UserPoolId": "string"
}
```

## Request Parameters


For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).

The request accepts the following data in JSON format.

 ** [GroupName](#API_AdminAddUserToGroup_RequestSyntax) **   <a name="CognitoUserPools-AdminAddUserToGroup-request-GroupName"></a>
The name of the group that you want to add your user to.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 128.  
Pattern: `[\p{L}\p{M}\p{S}\p{N}\p{P}]+`   
Required: Yes

 ** [Username](#API_AdminAddUserToGroup_RequestSyntax) **   <a name="CognitoUserPools-AdminAddUserToGroup-request-Username"></a>
The name of the user that you want to query or modify. The value of this parameter is typically your user's username, but it can be any of their alias attributes. If `username` isn't an alias attribute in your user pool, this value must be the `sub` of a local user or the username of a user from a third-party IdP.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 128.  
Pattern: `[\p{L}\p{M}\p{S}\p{N}\p{P}]+`   
Required: Yes

 ** [UserPoolId](#API_AdminAddUserToGroup_RequestSyntax) **   <a name="CognitoUserPools-AdminAddUserToGroup-request-UserPoolId"></a>
The ID of the user pool that contains the group that you want to add the user to.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 55.  
Pattern: `[\w-]+_[0-9a-zA-Z]+`   
Required: Yes

## Response Elements


If the action is successful, the service sends back an HTTP 200 response with an empty HTTP body.

## Errors


For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).

 ** InternalErrorException **   
This exception is thrown when Amazon Cognito encounters an internal error.    
 ** message **   
The message returned when Amazon Cognito throws an internal error exception.
HTTP Status Code: 500

 ** InvalidParameterException **   
This exception is thrown when the Amazon Cognito service encounters an invalid parameter.    
 ** message **   
The message returned when the Amazon Cognito service throws an invalid parameter exception.  
 ** reasonCode **   
The reason code of the exception.
HTTP Status Code: 400

 ** NotAuthorizedException **   
This exception is thrown when a user isn't authorized.    
 ** message **   
The message returned when the Amazon Cognito service returns a not authorized exception.
HTTP Status Code: 400

 ** ResourceNotFoundException **   
This exception is thrown when the Amazon Cognito service can't find the requested resource.    
 ** message **   
The message returned when the Amazon Cognito service returns a resource not found exception.
HTTP Status Code: 400

 ** TooManyRequestsException **   
This exception is thrown when the user has made too many requests for a given operation.    
 ** message **   
The message returned when the Amazon Cognito service returns a too many requests exception.
HTTP Status Code: 400

 ** UserNotFoundException **   
This exception is thrown when a user isn't found.    
 ** message **   
The message returned when a user isn't found.
HTTP Status Code: 400

## Examples


### Example


This example request adds the user "testuser" to the group "testgroup."

#### Sample Request


```
POST HTTP/1.1
Host: cognito-idp.us-west-2.amazonaws.com
X-Amz-Date: 20230613T200059Z
Accept-Encoding: gzip, deflate, br
X-Amz-Target: AWSCognitoIdentityProviderService.AdminAddUserToGroup
User-Agent: <UserAgentString>
Authorization: AWS4-HMAC-SHA256 Credential=<Credential>, SignedHeaders=<Headers>, Signature=<Signature>
Content-Length: <PayloadSizeBytes>

{
  "GroupName": "testgroup",
  "UserPoolId": "us-west-2_EXAMPLE",
  "Username": "testuser"
}
```

#### Sample Response


```
HTTP/1.1 200 OK
Date: Tue, 13 Jun 2023 20:00:59 GMT
Content-Type: application/x-amz-json-1.0
Content-Length: <PayloadSizeBytes>
x-amzn-requestid: a1b2c3d4-e5f6-a1b2-c3d4-EXAMPLE11111
Connection: keep-alive
```

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cognito-idp-2016-04-18/AdminAddUserToGroup) 
+  [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cognito-idp-2016-04-18/AdminAddUserToGroup) 
+  [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/AdminAddUserToGroup) 
+  [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cognito-idp-2016-04-18/AdminAddUserToGroup) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/AdminAddUserToGroup) 
+  [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cognito-idp-2016-04-18/AdminAddUserToGroup) 
+  [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cognito-idp-2016-04-18/AdminAddUserToGroup) 
+  [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cognito-idp-2016-04-18/AdminAddUserToGroup) 
+  [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/AdminAddUserToGroup) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cognito-idp-2016-04-18/AdminAddUserToGroup) 

# AdminConfirmSignUp


Confirms user sign-up as an administrator. 

Unlike [ConfirmSignUp](API_ConfirmSignUp.md), your IAM credentials authorize this operation to confirm user accounts. No confirmation code is required.

This request sets a user account active in a user pool that [requires confirmation of new user accounts](https://docs.aws.amazon.com/cognito/latest/developerguide/signing-up-users-in-your-app.html#signing-up-users-in-your-app-and-confirming-them-as-admin) before they can sign in. You can configure your user pool to not send confirmation codes to new users and instead confirm them with this API operation on the back end.

**Note**  
Amazon Cognito evaluates AWS Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.  
 [Signing AWS API Requests](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html) 
 [Using the Amazon Cognito user pools API and user pool endpoints](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html) 

To configure your user pool to require administrative confirmation of users, set `AllowAdminCreateUserOnly` to `true` in a `CreateUserPool` or `UpdateUserPool` request.

## Request Syntax


```
{
   "ClientMetadata": { 
      "string" : "string" 
   },
   "Username": "string",
   "UserPoolId": "string"
}
```

## Request Parameters


For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).

The request accepts the following data in JSON format.

 ** [ClientMetadata](#API_AdminConfirmSignUp_RequestSyntax) **   <a name="CognitoUserPools-AdminConfirmSignUp-request-ClientMetadata"></a>
A map of custom key-value pairs that you can provide as input for any custom workflows that this action triggers. You create custom workflows by assigning AWS Lambda functions to user pool triggers.  
When Amazon Cognito invokes any of these functions, it passes a JSON payload, which the function receives as input. This payload contains a `clientMetadata` attribute that provides the data that you assigned to the ClientMetadata parameter in your request. In your function code, you can process the `clientMetadata` value to enhance your workflow for your specific needs.  
To review the Lambda trigger types that Amazon Cognito invokes at runtime with API requests, see [ Connecting API actions to Lambda triggers](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-working-with-lambda-triggers.html#lambda-triggers-by-event) in the *Amazon Cognito Developer Guide*.  
When you use the `ClientMetadata` parameter, note that Amazon Cognito won't do the following:  
+ Store the `ClientMetadata` value. This data is available only to AWS Lambda triggers that are assigned to a user pool to support custom workflows. If your user pool configuration doesn't include triggers, the `ClientMetadata` parameter serves no purpose.
+ Validate the `ClientMetadata` value.
+ Encrypt the `ClientMetadata` value. Don't send sensitive information in this parameter.
Type: String to string map  
Key Length Constraints: Minimum length of 0. Maximum length of 131072.  
Value Length Constraints: Minimum length of 0. Maximum length of 131072.  
Required: No

 ** [Username](#API_AdminConfirmSignUp_RequestSyntax) **   <a name="CognitoUserPools-AdminConfirmSignUp-request-Username"></a>
The name of the user that you want to query or modify. The value of this parameter is typically your user's username, but it can be any of their alias attributes. If `username` isn't an alias attribute in your user pool, this value must be the `sub` of a local user or the username of a user from a third-party IdP.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 128.  
Pattern: `[\p{L}\p{M}\p{S}\p{N}\p{P}]+`   
Required: Yes

 ** [UserPoolId](#API_AdminConfirmSignUp_RequestSyntax) **   <a name="CognitoUserPools-AdminConfirmSignUp-request-UserPoolId"></a>
The ID of the user pool where you want to confirm a user's sign-up request.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 55.  
Pattern: `[\w-]+_[0-9a-zA-Z]+`   
Required: Yes

## Response Elements


If the action is successful, the service sends back an HTTP 200 response with an empty HTTP body.

## Errors


For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).

 ** InternalErrorException **   
This exception is thrown when Amazon Cognito encounters an internal error.    
 ** message **   
The message returned when Amazon Cognito throws an internal error exception.
HTTP Status Code: 500

 ** InvalidLambdaResponseException **   
This exception is thrown when Amazon Cognito encounters an invalid AWS Lambda response.    
 ** message **   
The message returned when Amazon Cognito throws an invalid AWS Lambda response exception.
HTTP Status Code: 400

 ** InvalidParameterException **   
This exception is thrown when the Amazon Cognito service encounters an invalid parameter.    
 ** message **   
The message returned when the Amazon Cognito service throws an invalid parameter exception.  
 ** reasonCode **   
The reason code of the exception.
HTTP Status Code: 400

 ** LimitExceededException **   
This exception is thrown when a user exceeds the limit for a requested AWS resource.    
 ** message **   
The message returned when Amazon Cognito throws a limit exceeded exception.
HTTP Status Code: 400

 ** NotAuthorizedException **   
This exception is thrown when a user isn't authorized.    
 ** message **   
The message returned when the Amazon Cognito service returns a not authorized exception.
HTTP Status Code: 400

 ** ResourceNotFoundException **   
This exception is thrown when the Amazon Cognito service can't find the requested resource.    
 ** message **   
The message returned when the Amazon Cognito service returns a resource not found exception.
HTTP Status Code: 400

 ** TooManyFailedAttemptsException **   
This exception is thrown when the user has made too many failed attempts for a given action, such as sign-in.    
 ** message **   
The message returned when Amazon Cognito returns a `TooManyFailedAttempts` exception.
HTTP Status Code: 400

 ** TooManyRequestsException **   
This exception is thrown when the user has made too many requests for a given operation.    
 ** message **   
The message returned when the Amazon Cognito service returns a too many requests exception.
HTTP Status Code: 400

 ** UnexpectedLambdaException **   
This exception is thrown when Amazon Cognito encounters an unexpected exception with AWS Lambda.    
 ** message **   
The message returned when Amazon Cognito returns an unexpected Lambda exception.
HTTP Status Code: 400

 ** UserLambdaValidationException **   
This exception is thrown when the Amazon Cognito service encounters a user validation exception with the AWS Lambda service.    
 ** message **   
The message returned when the Amazon Cognito service returns a user validation exception with the Lambda service.
HTTP Status Code: 400

 ** UserNotFoundException **   
This exception is thrown when a user isn't found.    
 ** message **   
The message returned when a user isn't found.
HTTP Status Code: 400

## Examples


### Example


The following example operation confirms sign-up for the user "testuser." Note that because this is an administrative API operation, no confirmation code is required.

#### Sample Request


```
POST HTTP/1.1
Host: cognito-idp.us-west-2.amazonaws.com
X-Amz-Date: 20230613T200059Z
Accept-Encoding: gzip, deflate, br
X-Amz-Target: AWSCognitoIdentityProviderService.AdminConfirmSignUp
User-Agent: <UserAgentString>
Authorization: AWS4-HMAC-SHA256 Credential=<Credential>, SignedHeaders=<Headers>, Signature=<Signature>
Content-Length: <PayloadSizeBytes>

{
  "UserPoolId": "us-west-2_EXAMPLE",
  "Username": "testuser"
}
```

#### Sample Response


```
HTTP/1.1 200 OK
Date: Tue, 13 Jun 2023 20:00:59 GMT
Content-Type: application/x-amz-json-1.0
Content-Length: <PayloadSizeBytes>
x-amzn-requestid: a1b2c3d4-e5f6-a1b2-c3d4-EXAMPLE11111
Connection: keep-alive

{}
```

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cognito-idp-2016-04-18/AdminConfirmSignUp) 
+  [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cognito-idp-2016-04-18/AdminConfirmSignUp) 
+  [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/AdminConfirmSignUp) 
+  [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cognito-idp-2016-04-18/AdminConfirmSignUp) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/AdminConfirmSignUp) 
+  [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cognito-idp-2016-04-18/AdminConfirmSignUp) 
+  [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cognito-idp-2016-04-18/AdminConfirmSignUp) 
+  [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cognito-idp-2016-04-18/AdminConfirmSignUp) 
+  [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/AdminConfirmSignUp) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cognito-idp-2016-04-18/AdminConfirmSignUp) 

# AdminCreateUser


Creates a new user in the specified user pool.

If `MessageAction` isn't set, the default is to send a welcome message via email or phone (SMS).

This message is based on a template that you configured in your call to create or update a user pool. This template includes your custom sign-up instructions and placeholders for user name and temporary password.

Alternatively, you can call `AdminCreateUser` with `SUPPRESS` for the `MessageAction` parameter, and Amazon Cognito won't send any email. 

In either case, if the user has a password, they will be in the `FORCE_CHANGE_PASSWORD` state until they sign in and set their password. Your invitation message template must have the `{####}` password placeholder if your users have passwords. If your template doesn't have this placeholder, Amazon Cognito doesn't deliver the invitation message. In this case, you must update your message template and resend the password with a new `AdminCreateUser` request with a `MessageAction` value of `RESEND`.

**Note**  
This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers require you to register an origination phone number before you can send SMS messages to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a phone number with [Amazon Pinpoint](https://console.aws.amazon.com/pinpoint/home/). Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must receive SMS messages might not be able to sign up, activate their accounts, or sign in.  
If you have never used SMS text messages with Amazon Cognito or any other AWS service, Amazon Simple Notification Service might place your account in the SMS sandbox. In * [sandbox mode](https://docs.aws.amazon.com/sns/latest/dg/sns-sms-sandbox.html) *, you can send messages only to verified phone numbers. After you test your app while in the sandbox environment, you can move out of the sandbox and into production. For more information, see [ SMS message settings for Amazon Cognito user pools](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-sms-settings.html) in the *Amazon Cognito Developer Guide*.

**Note**  
Amazon Cognito evaluates AWS Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.  
 [Signing AWS API Requests](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html) 
 [Using the Amazon Cognito user pools API and user pool endpoints](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html) 

## Request Syntax


```
{
   "ClientMetadata": { 
      "string" : "string" 
   },
   "DesiredDeliveryMediums": [ "string" ],
   "ForceAliasCreation": boolean,
   "MessageAction": "string",
   "TemporaryPassword": "string",
   "UserAttributes": [ 
      { 
         "Name": "string",
         "Value": "string"
      }
   ],
   "Username": "string",
   "UserPoolId": "string",
   "ValidationData": [ 
      { 
         "Name": "string",
         "Value": "string"
      }
   ]
}
```

## Request Parameters


For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).

The request accepts the following data in JSON format.

 ** [ClientMetadata](#API_AdminCreateUser_RequestSyntax) **   <a name="CognitoUserPools-AdminCreateUser-request-ClientMetadata"></a>
A map of custom key-value pairs that you can provide as input for any custom workflows that this action triggers. You create custom workflows by assigning AWS Lambda functions to user pool triggers.  
When Amazon Cognito invokes any of these functions, it passes a JSON payload, which the function receives as input. This payload contains a `clientMetadata` attribute that provides the data that you assigned to the ClientMetadata parameter in your request. In your function code, you can process the `clientMetadata` value to enhance your workflow for your specific needs.  
To review the Lambda trigger types that Amazon Cognito invokes at runtime with API requests, see [ Connecting API actions to Lambda triggers](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-working-with-lambda-triggers.html#lambda-triggers-by-event) in the *Amazon Cognito Developer Guide*.  
When you use the `ClientMetadata` parameter, note that Amazon Cognito won't do the following:  
+ Store the `ClientMetadata` value. This data is available only to AWS Lambda triggers that are assigned to a user pool to support custom workflows. If your user pool configuration doesn't include triggers, the `ClientMetadata` parameter serves no purpose.
+ Validate the `ClientMetadata` value.
+ Encrypt the `ClientMetadata` value. Don't send sensitive information in this parameter.
Type: String to string map  
Key Length Constraints: Minimum length of 0. Maximum length of 131072.  
Value Length Constraints: Minimum length of 0. Maximum length of 131072.  
Required: No

 ** [DesiredDeliveryMediums](#API_AdminCreateUser_RequestSyntax) **   <a name="CognitoUserPools-AdminCreateUser-request-DesiredDeliveryMediums"></a>
Specify `EMAIL` if email will be used to send the welcome message. Specify `SMS` if the phone number will be used. The default value is `SMS`. You can specify more than one value.  
Type: Array of strings  
Valid Values: `SMS | EMAIL`   
Required: No

 ** [ForceAliasCreation](#API_AdminCreateUser_RequestSyntax) **   <a name="CognitoUserPools-AdminCreateUser-request-ForceAliasCreation"></a>
This parameter is used only if the `phone_number_verified` or `email_verified` attribute is set to `True`. Otherwise, it is ignored.  
If this parameter is set to `True` and the phone number or email address specified in the `UserAttributes` parameter already exists as an alias with a different user, this request migrates the alias from the previous user to the newly-created user. The previous user will no longer be able to log in using that alias.  
If this parameter is set to `False`, the API throws an `AliasExistsException` error if the alias already exists. The default value is `False`.  
Type: Boolean  
Required: No

 ** [MessageAction](#API_AdminCreateUser_RequestSyntax) **   <a name="CognitoUserPools-AdminCreateUser-request-MessageAction"></a>
Set to `RESEND` to resend the invitation message to a user that already exists, and to reset the temporary-password duration with a new temporary password. Set to `SUPPRESS` to suppress sending the message. You can specify only one value.  
Type: String  
Valid Values: `RESEND | SUPPRESS`   
Required: No

 ** [TemporaryPassword](#API_AdminCreateUser_RequestSyntax) **   <a name="CognitoUserPools-AdminCreateUser-request-TemporaryPassword"></a>
The user's temporary password. This password must conform to the password policy that you specified when you created the user pool.  
The exception to the requirement for a password is when your user pool supports passwordless sign-in with email or SMS OTPs. To create a user with no password, omit this parameter or submit a blank value. You can only create a passwordless user when passwordless sign-in is available.  
For enabling passwordless factors, see [CreateUserPool:Policies](API_CreateUserPool.md#CognitoUserPools-CreateUserPool-request-Policies) and [UpdateUserPool:Policies](API_UpdateUserPool.md#CognitoUserPools-UpdateUserPool-request-Policies).  
The temporary password is valid only once. To complete the Admin Create User flow, the user must enter the temporary password in the sign-in page, along with a new password to be used in all future sign-ins.  
If you don't specify a value, Amazon Cognito generates one for you unless you have passwordless options active for your user pool.  
The temporary password can only be used until the user account expiration limit that you set for your user pool. To reset the account after that time limit, you must call `AdminCreateUser` again and specify `RESEND` for the `MessageAction` parameter.  
Type: String  
Length Constraints: Maximum length of 256.  
Pattern: `[\S]+`   
Required: No

 ** [UserAttributes](#API_AdminCreateUser_RequestSyntax) **   <a name="CognitoUserPools-AdminCreateUser-request-UserAttributes"></a>
An array of name-value pairs that contain user attributes and attribute values to be set for the user to be created. You can create a user without specifying any attributes other than `Username`. However, any attributes that you specify as required (when creating a user pool or in the **Attributes** tab of the console) either you should supply (in your call to `AdminCreateUser`) or the user should supply (when they sign up in response to your welcome message).  
For custom attributes, you must prepend the `custom:` prefix to the attribute name.  
To send a message inviting the user to sign up, you must specify the user's email address or phone number. You can do this in your call to AdminCreateUser or in the **Users** tab of the Amazon Cognito console for managing your user pools.  
You must also provide an email address or phone number when you expect the user to do passwordless sign-in with an email or SMS OTP. These attributes must be provided when passwordless options are the only available, or when you don't submit a `TemporaryPassword`.  
In your `AdminCreateUser` request, you can set the `email_verified` and `phone_number_verified` attributes to `true`. The following conditions apply:    
email  
The email address where you want the user to receive their confirmation code and username. You must provide a value for `email` when you want to set `email_verified` to `true`, or if you set `EMAIL` in the `DesiredDeliveryMediums` parameter.  
phone\$1number  
The phone number where you want the user to receive their confirmation code and username. You must provide a value for `phone_number` when you want to set `phone_number_verified` to `true`, or if you set `SMS` in the `DesiredDeliveryMediums` parameter.
You can also set attributes verified with [AdminUpdateUserAttributes](API_AdminUpdateUserAttributes.md).  
Type: Array of [AttributeType](API_AttributeType.md) objects  
Required: No

 ** [Username](#API_AdminCreateUser_RequestSyntax) **   <a name="CognitoUserPools-AdminCreateUser-request-Username"></a>
The value that you want to set as the username sign-in attribute. The following conditions apply to the username parameter.  
+ The username can't be a duplicate of another username in the same user pool.
+ You can't change the value of a username after you create it.
+ You can only provide a value if usernames are a valid sign-in attribute for your user pool. If your user pool only supports phone numbers or email addresses as sign-in attributes, Amazon Cognito automatically generates a username value. For more information, see [Customizing sign-in attributes](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html#user-pool-settings-aliases).
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 128.  
Pattern: `[\p{L}\p{M}\p{S}\p{N}\p{P}]+`   
Required: Yes

 ** [UserPoolId](#API_AdminCreateUser_RequestSyntax) **   <a name="CognitoUserPools-AdminCreateUser-request-UserPoolId"></a>
The ID of the user pool where you want to create a user.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 55.  
Pattern: `[\w-]+_[0-9a-zA-Z]+`   
Required: Yes

 ** [ValidationData](#API_AdminCreateUser_RequestSyntax) **   <a name="CognitoUserPools-AdminCreateUser-request-ValidationData"></a>
Temporary user attributes that contribute to the outcomes of your pre sign-up Lambda trigger. This set of key-value pairs are for custom validation of information that you collect from your users but don't need to retain.  
Your Lambda function can analyze this additional data and act on it. Your function can automatically confirm and verify select users or perform external API operations like logging user attributes and validation data to Amazon CloudWatch Logs.  
For more information about the pre sign-up Lambda trigger, see [Pre sign-up Lambda trigger](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-sign-up.html).  
Type: Array of [AttributeType](API_AttributeType.md) objects  
Required: No

## Response Syntax


```
{
   "User": { 
      "Attributes": [ 
         { 
            "Name": "string",
            "Value": "string"
         }
      ],
      "Enabled": boolean,
      "MFAOptions": [ 
         { 
            "AttributeName": "string",
            "DeliveryMedium": "string"
         }
      ],
      "UserCreateDate": number,
      "UserLastModifiedDate": number,
      "Username": "string",
      "UserStatus": "string"
   }
}
```

## Response Elements


If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

 ** [User](#API_AdminCreateUser_ResponseSyntax) **   <a name="CognitoUserPools-AdminCreateUser-response-User"></a>
The new user's profile details.  
Type: [UserType](API_UserType.md) object

## Errors


For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).

 ** CodeDeliveryFailureException **   
This exception is thrown when a verification code fails to deliver successfully.    
 ** message **   
The message sent when a verification code fails to deliver successfully.
HTTP Status Code: 400

 ** InternalErrorException **   
This exception is thrown when Amazon Cognito encounters an internal error.    
 ** message **   
The message returned when Amazon Cognito throws an internal error exception.
HTTP Status Code: 500

 ** InvalidLambdaResponseException **   
This exception is thrown when Amazon Cognito encounters an invalid AWS Lambda response.    
 ** message **   
The message returned when Amazon Cognito throws an invalid AWS Lambda response exception.
HTTP Status Code: 400

 ** InvalidParameterException **   
This exception is thrown when the Amazon Cognito service encounters an invalid parameter.    
 ** message **   
The message returned when the Amazon Cognito service throws an invalid parameter exception.  
 ** reasonCode **   
The reason code of the exception.
HTTP Status Code: 400

 ** InvalidPasswordException **   
This exception is thrown when Amazon Cognito encounters an invalid password.    
 ** message **   
The message returned when Amazon Cognito throws an invalid user password exception.
HTTP Status Code: 400

 ** InvalidSmsRoleAccessPolicyException **   
This exception is returned when the role provided for SMS configuration doesn't have permission to publish using Amazon SNS.    
 ** message **   
The message returned when the invalid SMS role access policy exception is thrown.
HTTP Status Code: 400

 ** InvalidSmsRoleTrustRelationshipException **   
This exception is thrown when the trust relationship is not valid for the role provided for SMS configuration. This can happen if you don't trust `cognito-idp.amazonaws.com` or the external ID provided in the role does not match what is provided in the SMS configuration for the user pool.    
 ** message **   
The message returned when the role trust relationship for the SMS message is not valid.
HTTP Status Code: 400

 ** NotAuthorizedException **   
This exception is thrown when a user isn't authorized.    
 ** message **   
The message returned when the Amazon Cognito service returns a not authorized exception.
HTTP Status Code: 400

 ** PreconditionNotMetException **   
This exception is thrown when a precondition is not met.    
 ** message **   
The message returned when a precondition is not met.
HTTP Status Code: 400

 ** ResourceNotFoundException **   
This exception is thrown when the Amazon Cognito service can't find the requested resource.    
 ** message **   
The message returned when the Amazon Cognito service returns a resource not found exception.
HTTP Status Code: 400

 ** TooManyRequestsException **   
This exception is thrown when the user has made too many requests for a given operation.    
 ** message **   
The message returned when the Amazon Cognito service returns a too many requests exception.
HTTP Status Code: 400

 ** UnexpectedLambdaException **   
This exception is thrown when Amazon Cognito encounters an unexpected exception with AWS Lambda.    
 ** message **   
The message returned when Amazon Cognito returns an unexpected Lambda exception.
HTTP Status Code: 400

 ** UnsupportedUserStateException **   
The request failed because the user is in an unsupported state.    
 ** message **   
The message returned when the user is in an unsupported state.
HTTP Status Code: 400

 ** UserLambdaValidationException **   
This exception is thrown when the Amazon Cognito service encounters a user validation exception with the AWS Lambda service.    
 ** message **   
The message returned when the Amazon Cognito service returns a user validation exception with the Lambda service.
HTTP Status Code: 400

 ** UsernameExistsException **   
This exception is thrown when Amazon Cognito encounters a user name that already exists in the user pool.    
 ** message **   
The message returned when Amazon Cognito throws a user name exists exception.
HTTP Status Code: 400

 ** UserNotFoundException **   
This exception is thrown when a user isn't found.    
 ** message **   
The message returned when a user isn't found.
HTTP Status Code: 400

## Examples


### Example


An AdminCreateUser request for for a test user named John.

#### Sample Request


```
POST HTTP/1.1
Host: cognito-idp.us-east-1.amazonaws.com
X-Amz-Date: 20230613T200059Z
Accept-Encoding: gzip, deflate, br
X-Amz-Target: AWSCognitoIdentityProviderService.AdminCreateUser
User-Agent: <UserAgentString>
Authorization: AWS4-HMAC-SHA256 Credential=<Credential>, SignedHeaders=<Headers>, Signature=<Signature>
Content-Length: <PayloadSizeBytes>

{
    "UserPoolId": "us-east-1_EXAMPLE",
    "Username": "testuser",
    "DesiredDeliveryMediums": [
        "SMS"
    ],
    "MessageAction": "SUPPRESS",
    "TemporaryPassword": "This-is-my-test-99!",
    "UserAttributes": [
        {
            "Name": "name",
            "Value": "John"
        },
        {
            "Name": "phone_number",
            "Value": "+12065551212"
        },
        {
            "Name": "email",
            "Value": "testuser@example.com"
        }
    ]
}
```

#### Sample Response


```
HTTP/1.1 200 OK
Date: Tue, 13 Jun 2023 20:00:59 GMT
Content-Type: application/x-amz-json-1.0
Content-Length: <PayloadSizeBytes>
x-amzn-requestid: a1b2c3d4-e5f6-a1b2-c3d4-EXAMPLE11111
Connection: keep-alive

{
      "User": {
        "Attributes": [
          {
            "Name": "sub",
            "Value": "d16b4aa8-8633-4abd-93b3-5062a8e1b5f8"
          },
          {
            "Name": "name",
            "Value": "John"
          },
          {
            "Name": "phone_number",
            "Value": "+12065551212"
          },
          {
            "Name": "email",
            "Value": "testuser@example.com"
          }
        ],
        "Enabled": true,
        "UserCreateDate": 1689980857.949,
        "UserLastModifiedDate": 1689980857.949,
        "UserStatus": "FORCE_CHANGE_PASSWORD",
        "Username": "testuser"
      }
}
```

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cognito-idp-2016-04-18/AdminCreateUser) 
+  [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cognito-idp-2016-04-18/AdminCreateUser) 
+  [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/AdminCreateUser) 
+  [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cognito-idp-2016-04-18/AdminCreateUser) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/AdminCreateUser) 
+  [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cognito-idp-2016-04-18/AdminCreateUser) 
+  [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cognito-idp-2016-04-18/AdminCreateUser) 
+  [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cognito-idp-2016-04-18/AdminCreateUser) 
+  [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/AdminCreateUser) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cognito-idp-2016-04-18/AdminCreateUser) 

# AdminDeleteUser


Deletes a user profile in your user pool.

**Note**  
Amazon Cognito evaluates AWS Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.  
 [Signing AWS API Requests](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html) 
 [Using the Amazon Cognito user pools API and user pool endpoints](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html) 

## Request Syntax


```
{
   "Username": "string",
   "UserPoolId": "string"
}
```

## Request Parameters


For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).

The request accepts the following data in JSON format.

 ** [Username](#API_AdminDeleteUser_RequestSyntax) **   <a name="CognitoUserPools-AdminDeleteUser-request-Username"></a>
The name of the user that you want to query or modify. The value of this parameter is typically your user's username, but it can be any of their alias attributes. If `username` isn't an alias attribute in your user pool, this value must be the `sub` of a local user or the username of a user from a third-party IdP.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 128.  
Pattern: `[\p{L}\p{M}\p{S}\p{N}\p{P}]+`   
Required: Yes

 ** [UserPoolId](#API_AdminDeleteUser_RequestSyntax) **   <a name="CognitoUserPools-AdminDeleteUser-request-UserPoolId"></a>
The ID of the user pool where you want to delete the user.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 55.  
Pattern: `[\w-]+_[0-9a-zA-Z]+`   
Required: Yes

## Response Elements


If the action is successful, the service sends back an HTTP 200 response with an empty HTTP body.

## Errors


For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).

 ** InternalErrorException **   
This exception is thrown when Amazon Cognito encounters an internal error.    
 ** message **   
The message returned when Amazon Cognito throws an internal error exception.
HTTP Status Code: 500

 ** InvalidParameterException **   
This exception is thrown when the Amazon Cognito service encounters an invalid parameter.    
 ** message **   
The message returned when the Amazon Cognito service throws an invalid parameter exception.  
 ** reasonCode **   
The reason code of the exception.
HTTP Status Code: 400

 ** NotAuthorizedException **   
This exception is thrown when a user isn't authorized.    
 ** message **   
The message returned when the Amazon Cognito service returns a not authorized exception.
HTTP Status Code: 400

 ** ResourceNotFoundException **   
This exception is thrown when the Amazon Cognito service can't find the requested resource.    
 ** message **   
The message returned when the Amazon Cognito service returns a resource not found exception.
HTTP Status Code: 400

 ** TooManyRequestsException **   
This exception is thrown when the user has made too many requests for a given operation.    
 ** message **   
The message returned when the Amazon Cognito service returns a too many requests exception.
HTTP Status Code: 400

 ** UserNotFoundException **   
This exception is thrown when a user isn't found.    
 ** message **   
The message returned when a user isn't found.
HTTP Status Code: 400

## Examples


### Example


The following example operation deletes the user "testuser" from the user pool.

#### Sample Request


```
POST HTTP/1.1
Host: cognito-idp.us-west-2.amazonaws.com
X-Amz-Date: 20230613T200059Z
Accept-Encoding: gzip, deflate, br
X-Amz-Target: AWSCognitoIdentityProviderService.AdminDeleteUser
User-Agent: <UserAgentString>
Authorization: AWS4-HMAC-SHA256 Credential=<Credential>, SignedHeaders=<Headers>, Signature=<Signature>
Content-Length: <PayloadSizeBytes>

{
  "UserPoolId": "us-west-2_EXAMPLE",
  "Username": "testuser"
}
```

#### Sample Response


```
HTTP/1.1 200 OK
Date: Tue, 13 Jun 2023 20:00:59 GMT
Content-Type: application/x-amz-json-1.0
Content-Length: <PayloadSizeBytes>
x-amzn-requestid: a1b2c3d4-e5f6-a1b2-c3d4-EXAMPLE11111
Connection: keep-alive
```

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cognito-idp-2016-04-18/AdminDeleteUser) 
+  [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cognito-idp-2016-04-18/AdminDeleteUser) 
+  [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/AdminDeleteUser) 
+  [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cognito-idp-2016-04-18/AdminDeleteUser) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/AdminDeleteUser) 
+  [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cognito-idp-2016-04-18/AdminDeleteUser) 
+  [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cognito-idp-2016-04-18/AdminDeleteUser) 
+  [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cognito-idp-2016-04-18/AdminDeleteUser) 
+  [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/AdminDeleteUser) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cognito-idp-2016-04-18/AdminDeleteUser) 

# AdminDeleteUserAttributes


Deletes attribute values from a user. This operation doesn't affect tokens for existing user sessions. The next ID token that the user receives will no longer have the deleted attributes.

**Note**  
Amazon Cognito evaluates AWS Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.  
 [Signing AWS API Requests](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html) 
 [Using the Amazon Cognito user pools API and user pool endpoints](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html) 

## Request Syntax


```
{
   "UserAttributeNames": [ "string" ],
   "Username": "string",
   "UserPoolId": "string"
}
```

## Request Parameters


For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).

The request accepts the following data in JSON format.

 ** [UserAttributeNames](#API_AdminDeleteUserAttributes_RequestSyntax) **   <a name="CognitoUserPools-AdminDeleteUserAttributes-request-UserAttributeNames"></a>
An array of strings representing the user attribute names you want to delete.  
For custom attributes, you must prepend the `custom:` prefix to the attribute name.  
Type: Array of strings  
Length Constraints: Minimum length of 1. Maximum length of 32.  
Pattern: `[\p{L}\p{M}\p{S}\p{N}\p{P}\t\n\r ]+`   
Required: Yes

 ** [Username](#API_AdminDeleteUserAttributes_RequestSyntax) **   <a name="CognitoUserPools-AdminDeleteUserAttributes-request-Username"></a>
The name of the user that you want to query or modify. The value of this parameter is typically your user's username, but it can be any of their alias attributes. If `username` isn't an alias attribute in your user pool, this value must be the `sub` of a local user or the username of a user from a third-party IdP.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 128.  
Pattern: `[\p{L}\p{M}\p{S}\p{N}\p{P}]+`   
Required: Yes

 ** [UserPoolId](#API_AdminDeleteUserAttributes_RequestSyntax) **   <a name="CognitoUserPools-AdminDeleteUserAttributes-request-UserPoolId"></a>
The ID of the user pool where you want to delete user attributes.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 55.  
Pattern: `[\w-]+_[0-9a-zA-Z]+`   
Required: Yes

## Response Elements


If the action is successful, the service sends back an HTTP 200 response with an empty HTTP body.

## Errors


For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).

 ** InternalErrorException **   
This exception is thrown when Amazon Cognito encounters an internal error.    
 ** message **   
The message returned when Amazon Cognito throws an internal error exception.
HTTP Status Code: 500

 ** InvalidParameterException **   
This exception is thrown when the Amazon Cognito service encounters an invalid parameter.    
 ** message **   
The message returned when the Amazon Cognito service throws an invalid parameter exception.  
 ** reasonCode **   
The reason code of the exception.
HTTP Status Code: 400

 ** NotAuthorizedException **   
This exception is thrown when a user isn't authorized.    
 ** message **   
The message returned when the Amazon Cognito service returns a not authorized exception.
HTTP Status Code: 400

 ** ResourceNotFoundException **   
This exception is thrown when the Amazon Cognito service can't find the requested resource.    
 ** message **   
The message returned when the Amazon Cognito service returns a resource not found exception.
HTTP Status Code: 400

 ** TooManyRequestsException **   
This exception is thrown when the user has made too many requests for a given operation.    
 ** message **   
The message returned when the Amazon Cognito service returns a too many requests exception.
HTTP Status Code: 400

 ** UserNotFoundException **   
This exception is thrown when a user isn't found.    
 ** message **   
The message returned when a user isn't found.
HTTP Status Code: 400

## Examples


### Example


The following example API request deletes the attribute `custom:deliverables` from the user "testuser."

#### Sample Request


```
POST HTTP/1.1
Host: cognito-idp.us-west-2.amazonaws.com
X-Amz-Date: 20230613T200059Z
Accept-Encoding: gzip, deflate, br
X-Amz-Target: AWSCognitoIdentityProviderService.AdminDeleteUserAttributes
User-Agent: <UserAgentString>
Authorization: AWS4-HMAC-SHA256 Credential=<Credential>, SignedHeaders=<Headers>, Signature=<Signature>
Content-Length: <PayloadSizeBytes>

{
  "UserAttributeNames": [
    "custom:deliverables"
  ],
  "UserPoolId": "us-west-2_EXAMPLE",
  "Username": "testuser"
}
```

#### Sample Response


```
HTTP/1.1 200 OK
Date: Tue, 13 Jun 2023 20:00:59 GMT
Content-Type: application/x-amz-json-1.0
Content-Length: <PayloadSizeBytes>
x-amzn-requestid: a1b2c3d4-e5f6-a1b2-c3d4-EXAMPLE11111
Connection: keep-alive

{}
```

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cognito-idp-2016-04-18/AdminDeleteUserAttributes) 
+  [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cognito-idp-2016-04-18/AdminDeleteUserAttributes) 
+  [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/AdminDeleteUserAttributes) 
+  [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cognito-idp-2016-04-18/AdminDeleteUserAttributes) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/AdminDeleteUserAttributes) 
+  [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cognito-idp-2016-04-18/AdminDeleteUserAttributes) 
+  [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cognito-idp-2016-04-18/AdminDeleteUserAttributes) 
+  [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cognito-idp-2016-04-18/AdminDeleteUserAttributes) 
+  [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/AdminDeleteUserAttributes) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cognito-idp-2016-04-18/AdminDeleteUserAttributes) 

# AdminDisableProviderForUser


Prevents the user from signing in with the specified external (SAML or social) identity provider (IdP). If the user that you want to deactivate is a Amazon Cognito user pools native username \$1 password user, they can't use their password to sign in. If the user to deactivate is a linked external IdP user, any link between that user and an existing user is removed. When the external user signs in again, and the user is no longer attached to the previously linked `DestinationUser`, the user must create a new user account.

For information about linking users, see [AdminLinkProviderForUser](API_AdminLinkProviderForUser.md).

The value of `ProviderName` must match the name of a user pool IdP.

To deactivate a local user, set `ProviderName` to `Cognito` and the `ProviderAttributeName` to `Cognito_Subject`. The `ProviderAttributeValue` must be user's local username.

The `ProviderAttributeName` must always be `Cognito_Subject` for social IdPs. The `ProviderAttributeValue` must always be the exact subject that was used when the user was originally linked as a source user.

For de-linking a SAML identity, there are two scenarios. If the linked identity has not yet been used to sign in, the `ProviderAttributeName` and `ProviderAttributeValue` must be the same values that were used for the `SourceUser` when the identities were originally linked using ` AdminLinkProviderForUser` call. This is also true if the linking was done with `ProviderAttributeName` set to `Cognito_Subject`. If the user has already signed in, the `ProviderAttributeName` must be `Cognito_Subject` and `ProviderAttributeValue` must be the `NameID` from their SAML assertion.

**Note**  
Amazon Cognito evaluates AWS Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.  
 [Signing AWS API Requests](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html) 
 [Using the Amazon Cognito user pools API and user pool endpoints](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html) 

## Request Syntax


```
{
   "User": { 
      "ProviderAttributeName": "string",
      "ProviderAttributeValue": "string",
      "ProviderName": "string"
   },
   "UserPoolId": "string"
}
```

## Request Parameters


For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).

The request accepts the following data in JSON format.

 ** [User](#API_AdminDisableProviderForUser_RequestSyntax) **   <a name="CognitoUserPools-AdminDisableProviderForUser-request-User"></a>
The user profile that you want to delete a linked identity from.  
Type: [ProviderUserIdentifierType](API_ProviderUserIdentifierType.md) object  
Required: Yes

 ** [UserPoolId](#API_AdminDisableProviderForUser_RequestSyntax) **   <a name="CognitoUserPools-AdminDisableProviderForUser-request-UserPoolId"></a>
The ID of the user pool where you want to delete the user's linked identities.  
Type: String  
Length Constraints: Minimum length of 0. Maximum length of 131072.  
Required: Yes

## Response Elements


If the action is successful, the service sends back an HTTP 200 response with an empty HTTP body.

## Errors


For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).

 ** AliasExistsException **   
This exception is thrown when a user tries to confirm the account with an email address or phone number that has already been supplied as an alias for a different user profile. This exception indicates that an account with this email address or phone already exists in a user pool that you've configured to use email address or phone number as a sign-in alias.    
 ** message **   
The message that Amazon Cognito sends to the user when the value of an alias attribute is already linked to another user profile.
HTTP Status Code: 400

 ** InternalErrorException **   
This exception is thrown when Amazon Cognito encounters an internal error.    
 ** message **   
The message returned when Amazon Cognito throws an internal error exception.
HTTP Status Code: 500

 ** InvalidParameterException **   
This exception is thrown when the Amazon Cognito service encounters an invalid parameter.    
 ** message **   
The message returned when the Amazon Cognito service throws an invalid parameter exception.  
 ** reasonCode **   
The reason code of the exception.
HTTP Status Code: 400

 ** NotAuthorizedException **   
This exception is thrown when a user isn't authorized.    
 ** message **   
The message returned when the Amazon Cognito service returns a not authorized exception.
HTTP Status Code: 400

 ** ResourceNotFoundException **   
This exception is thrown when the Amazon Cognito service can't find the requested resource.    
 ** message **   
The message returned when the Amazon Cognito service returns a resource not found exception.
HTTP Status Code: 400

 ** TooManyRequestsException **   
This exception is thrown when the user has made too many requests for a given operation.    
 ** message **   
The message returned when the Amazon Cognito service returns a too many requests exception.
HTTP Status Code: 400

 ** UserNotFoundException **   
This exception is thrown when a user isn't found.    
 ** message **   
The message returned when a user isn't found.
HTTP Status Code: 400

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cognito-idp-2016-04-18/AdminDisableProviderForUser) 
+  [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cognito-idp-2016-04-18/AdminDisableProviderForUser) 
+  [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/AdminDisableProviderForUser) 
+  [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cognito-idp-2016-04-18/AdminDisableProviderForUser) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/AdminDisableProviderForUser) 
+  [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cognito-idp-2016-04-18/AdminDisableProviderForUser) 
+  [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cognito-idp-2016-04-18/AdminDisableProviderForUser) 
+  [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cognito-idp-2016-04-18/AdminDisableProviderForUser) 
+  [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/AdminDisableProviderForUser) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cognito-idp-2016-04-18/AdminDisableProviderForUser) 

# AdminDisableUser


Deactivates a user profile and revokes all access tokens for the user. A deactivated user can't sign in, but still appears in the responses to `ListUsers` API requests.

**Note**  
Amazon Cognito evaluates AWS Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.  
 [Signing AWS API Requests](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html) 
 [Using the Amazon Cognito user pools API and user pool endpoints](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html) 

## Request Syntax


```
{
   "Username": "string",
   "UserPoolId": "string"
}
```

## Request Parameters


For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).

The request accepts the following data in JSON format.

 ** [Username](#API_AdminDisableUser_RequestSyntax) **   <a name="CognitoUserPools-AdminDisableUser-request-Username"></a>
The name of the user that you want to query or modify. The value of this parameter is typically your user's username, but it can be any of their alias attributes. If `username` isn't an alias attribute in your user pool, this value must be the `sub` of a local user or the username of a user from a third-party IdP.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 128.  
Pattern: `[\p{L}\p{M}\p{S}\p{N}\p{P}]+`   
Required: Yes

 ** [UserPoolId](#API_AdminDisableUser_RequestSyntax) **   <a name="CognitoUserPools-AdminDisableUser-request-UserPoolId"></a>
The ID of the user pool where you want to disable the user.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 55.  
Pattern: `[\w-]+_[0-9a-zA-Z]+`   
Required: Yes

## Response Elements


If the action is successful, the service sends back an HTTP 200 response with an empty HTTP body.

## Errors


For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).

 ** InternalErrorException **   
This exception is thrown when Amazon Cognito encounters an internal error.    
 ** message **   
The message returned when Amazon Cognito throws an internal error exception.
HTTP Status Code: 500

 ** InvalidParameterException **   
This exception is thrown when the Amazon Cognito service encounters an invalid parameter.    
 ** message **   
The message returned when the Amazon Cognito service throws an invalid parameter exception.  
 ** reasonCode **   
The reason code of the exception.
HTTP Status Code: 400

 ** NotAuthorizedException **   
This exception is thrown when a user isn't authorized.    
 ** message **   
The message returned when the Amazon Cognito service returns a not authorized exception.
HTTP Status Code: 400

 ** ResourceNotFoundException **   
This exception is thrown when the Amazon Cognito service can't find the requested resource.    
 ** message **   
The message returned when the Amazon Cognito service returns a resource not found exception.
HTTP Status Code: 400

 ** TooManyRequestsException **   
This exception is thrown when the user has made too many requests for a given operation.    
 ** message **   
The message returned when the Amazon Cognito service returns a too many requests exception.
HTTP Status Code: 400

 ** UserNotFoundException **   
This exception is thrown when a user isn't found.    
 ** message **   
The message returned when a user isn't found.
HTTP Status Code: 400

## Examples


### Example


The following example API request deactivates the user "testuser."

#### Sample Request


```
POST HTTP/1.1
Host: cognito-idp.us-west-2.amazonaws.com
X-Amz-Date: 20230613T200059Z
Accept-Encoding: gzip, deflate, br
X-Amz-Target: AWSCognitoIdentityProviderService.AdminDisableUser
User-Agent: <UserAgentString>
Authorization: AWS4-HMAC-SHA256 Credential=<Credential>, SignedHeaders=<Headers>, Signature=<Signature>
Content-Length: <PayloadSizeBytes>

{
  "UserPoolId": "us-west-2_EXAMPLE",
  "Username": "testuser"
}
```

#### Sample Response


```
HTTP/1.1 200 OK
Date: Tue, 13 Jun 2023 20:00:59 GMT
Content-Type: application/x-amz-json-1.0
Content-Length: <PayloadSizeBytes>
x-amzn-requestid: a1b2c3d4-e5f6-a1b2-c3d4-EXAMPLE11111
Connection: keep-alive

{}
```

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cognito-idp-2016-04-18/AdminDisableUser) 
+  [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cognito-idp-2016-04-18/AdminDisableUser) 
+  [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/AdminDisableUser) 
+  [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cognito-idp-2016-04-18/AdminDisableUser) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/AdminDisableUser) 
+  [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cognito-idp-2016-04-18/AdminDisableUser) 
+  [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cognito-idp-2016-04-18/AdminDisableUser) 
+  [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cognito-idp-2016-04-18/AdminDisableUser) 
+  [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/AdminDisableUser) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cognito-idp-2016-04-18/AdminDisableUser) 

# AdminEnableUser


Activates sign-in for a user profile that previously had sign-in access disabled.

**Note**  
Amazon Cognito evaluates AWS Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.  
 [Signing AWS API Requests](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html) 
 [Using the Amazon Cognito user pools API and user pool endpoints](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html) 

## Request Syntax


```
{
   "Username": "string",
   "UserPoolId": "string"
}
```

## Request Parameters


For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).

The request accepts the following data in JSON format.

 ** [Username](#API_AdminEnableUser_RequestSyntax) **   <a name="CognitoUserPools-AdminEnableUser-request-Username"></a>
The name of the user that you want to query or modify. The value of this parameter is typically your user's username, but it can be any of their alias attributes. If `username` isn't an alias attribute in your user pool, this value must be the `sub` of a local user or the username of a user from a third-party IdP.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 128.  
Pattern: `[\p{L}\p{M}\p{S}\p{N}\p{P}]+`   
Required: Yes

 ** [UserPoolId](#API_AdminEnableUser_RequestSyntax) **   <a name="CognitoUserPools-AdminEnableUser-request-UserPoolId"></a>
The ID of the user pool where you want to activate sign-in for the user.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 55.  
Pattern: `[\w-]+_[0-9a-zA-Z]+`   
Required: Yes

## Response Elements


If the action is successful, the service sends back an HTTP 200 response with an empty HTTP body.

## Errors


For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).

 ** InternalErrorException **   
This exception is thrown when Amazon Cognito encounters an internal error.    
 ** message **   
The message returned when Amazon Cognito throws an internal error exception.
HTTP Status Code: 500

 ** InvalidParameterException **   
This exception is thrown when the Amazon Cognito service encounters an invalid parameter.    
 ** message **   
The message returned when the Amazon Cognito service throws an invalid parameter exception.  
 ** reasonCode **   
The reason code of the exception.
HTTP Status Code: 400

 ** NotAuthorizedException **   
This exception is thrown when a user isn't authorized.    
 ** message **   
The message returned when the Amazon Cognito service returns a not authorized exception.
HTTP Status Code: 400

 ** ResourceNotFoundException **   
This exception is thrown when the Amazon Cognito service can't find the requested resource.    
 ** message **   
The message returned when the Amazon Cognito service returns a resource not found exception.
HTTP Status Code: 400

 ** TooManyRequestsException **   
This exception is thrown when the user has made too many requests for a given operation.    
 ** message **   
The message returned when the Amazon Cognito service returns a too many requests exception.
HTTP Status Code: 400

 ** UserNotFoundException **   
This exception is thrown when a user isn't found.    
 ** message **   
The message returned when a user isn't found.
HTTP Status Code: 400

## Examples


### Example


The following example API request activates the user "testuser."

#### Sample Request


```
POST HTTP/1.1
Host: cognito-idp.us-west-2.amazonaws.com
X-Amz-Date: 20230613T200059Z
Accept-Encoding: gzip, deflate, br
X-Amz-Target: AWSCognitoIdentityProviderService.AdminEnableUser
User-Agent: <UserAgentString>
Authorization: AWS4-HMAC-SHA256 Credential=<Credential>, SignedHeaders=<Headers>, Signature=<Signature>
Content-Length: <PayloadSizeBytes>

{
  "UserPoolId": "us-west-2_EXAMPLE",
  "Username": "testuser"
}
```

#### Sample Response


```
HTTP/1.1 200 OK
Date: Tue, 13 Jun 2023 20:00:59 GMT
Content-Type: application/x-amz-json-1.0
Content-Length: <PayloadSizeBytes>
x-amzn-requestid: a1b2c3d4-e5f6-a1b2-c3d4-EXAMPLE11111
Connection: keep-alive

{}
```

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cognito-idp-2016-04-18/AdminEnableUser) 
+  [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cognito-idp-2016-04-18/AdminEnableUser) 
+  [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/AdminEnableUser) 
+  [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cognito-idp-2016-04-18/AdminEnableUser) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/AdminEnableUser) 
+  [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cognito-idp-2016-04-18/AdminEnableUser) 
+  [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cognito-idp-2016-04-18/AdminEnableUser) 
+  [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cognito-idp-2016-04-18/AdminEnableUser) 
+  [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/AdminEnableUser) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cognito-idp-2016-04-18/AdminEnableUser) 

# AdminForgetDevice


Forgets, or deletes, a remembered device from a user's profile. After you forget the device, the user can no longer complete device authentication with that device and when applicable, must submit MFA codes again. For more information, see [Working with devices](https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-device-tracking.html).

**Note**  
Amazon Cognito evaluates AWS Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.  
 [Signing AWS API Requests](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html) 
 [Using the Amazon Cognito user pools API and user pool endpoints](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html) 

## Request Syntax


```
{
   "DeviceKey": "string",
   "Username": "string",
   "UserPoolId": "string"
}
```

## Request Parameters


For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).

The request accepts the following data in JSON format.

 ** [DeviceKey](#API_AdminForgetDevice_RequestSyntax) **   <a name="CognitoUserPools-AdminForgetDevice-request-DeviceKey"></a>
The key ID of the device that you want to delete.  
You can get device keys in the response to an [AdminListDevices](API_AdminListDevices.md) request.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 55.  
Pattern: `[\w-]+_[0-9a-f-]+`   
Required: Yes

 ** [Username](#API_AdminForgetDevice_RequestSyntax) **   <a name="CognitoUserPools-AdminForgetDevice-request-Username"></a>
The name of the user that you want to query or modify. The value of this parameter is typically your user's username, but it can be any of their alias attributes. If `username` isn't an alias attribute in your user pool, this value must be the `sub` of a local user or the username of a user from a third-party IdP.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 128.  
Pattern: `[\p{L}\p{M}\p{S}\p{N}\p{P}]+`   
Required: Yes

 ** [UserPoolId](#API_AdminForgetDevice_RequestSyntax) **   <a name="CognitoUserPools-AdminForgetDevice-request-UserPoolId"></a>
The ID of the user pool where the device owner is a user.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 55.  
Pattern: `[\w-]+_[0-9a-zA-Z]+`   
Required: Yes

## Response Elements


If the action is successful, the service sends back an HTTP 200 response with an empty HTTP body.

## Errors


For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).

 ** InternalErrorException **   
This exception is thrown when Amazon Cognito encounters an internal error.    
 ** message **   
The message returned when Amazon Cognito throws an internal error exception.
HTTP Status Code: 500

 ** InvalidParameterException **   
This exception is thrown when the Amazon Cognito service encounters an invalid parameter.    
 ** message **   
The message returned when the Amazon Cognito service throws an invalid parameter exception.  
 ** reasonCode **   
The reason code of the exception.
HTTP Status Code: 400

 ** InvalidUserPoolConfigurationException **   
This exception is thrown when the user pool configuration is not valid.    
 ** message **   
The message returned when the user pool configuration is not valid.
HTTP Status Code: 400

 ** NotAuthorizedException **   
This exception is thrown when a user isn't authorized.    
 ** message **   
The message returned when the Amazon Cognito service returns a not authorized exception.
HTTP Status Code: 400

 ** ResourceNotFoundException **   
This exception is thrown when the Amazon Cognito service can't find the requested resource.    
 ** message **   
The message returned when the Amazon Cognito service returns a resource not found exception.
HTTP Status Code: 400

 ** TooManyRequestsException **   
This exception is thrown when the user has made too many requests for a given operation.    
 ** message **   
The message returned when the Amazon Cognito service returns a too many requests exception.
HTTP Status Code: 400

 ** UserNotFoundException **   
This exception is thrown when a user isn't found.    
 ** message **   
The message returned when a user isn't found.
HTTP Status Code: 400

## Examples


### Example


The following example API request deletes a remembered device for the user "testuser."

#### Sample Request


```
POST HTTP/1.1
Host: cognito-idp.us-west-2.amazonaws.com
X-Amz-Date: 20230613T200059Z
Accept-Encoding: gzip, deflate, br
X-Amz-Target: AWSCognitoIdentityProviderService.AdminForgetDevice
User-Agent: <UserAgentString>
Authorization: AWS4-HMAC-SHA256 Credential=<Credential>, SignedHeaders=<Headers>, Signature=<Signature>
Content-Length: <PayloadSizeBytes>

{
  "DeviceKey": "us-west-2_a1b2c3d4-5678-90ab-cdef-EXAMPLE22222",
  "UserPoolId": "us-west-2_EXAMPLE",
  "Username": "testuser"
}
```

#### Sample Response


```
HTTP/1.1 200 OK
Date: Tue, 13 Jun 2023 20:00:59 GMT
Content-Type: application/x-amz-json-1.0
Content-Length: <PayloadSizeBytes>
x-amzn-requestid: a1b2c3d4-e5f6-a1b2-c3d4-EXAMPLE11111
Connection: keep-alive
```

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cognito-idp-2016-04-18/AdminForgetDevice) 
+  [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cognito-idp-2016-04-18/AdminForgetDevice) 
+  [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/AdminForgetDevice) 
+  [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cognito-idp-2016-04-18/AdminForgetDevice) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/AdminForgetDevice) 
+  [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cognito-idp-2016-04-18/AdminForgetDevice) 
+  [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cognito-idp-2016-04-18/AdminForgetDevice) 
+  [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cognito-idp-2016-04-18/AdminForgetDevice) 
+  [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/AdminForgetDevice) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cognito-idp-2016-04-18/AdminForgetDevice) 

# AdminGetDevice


Given the device key, returns details for a user's device. For more information, see [Working with devices](https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-device-tracking.html).

**Note**  
Amazon Cognito evaluates AWS Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.  
 [Signing AWS API Requests](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html) 
 [Using the Amazon Cognito user pools API and user pool endpoints](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html) 

## Request Syntax


```
{
   "DeviceKey": "string",
   "Username": "string",
   "UserPoolId": "string"
}
```

## Request Parameters


For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).

The request accepts the following data in JSON format.

 ** [DeviceKey](#API_AdminGetDevice_RequestSyntax) **   <a name="CognitoUserPools-AdminGetDevice-request-DeviceKey"></a>
The key of the device that you want to delete.  
You can get device IDs in the response to an [AdminListDevices](API_AdminListDevices.md) request.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 55.  
Pattern: `[\w-]+_[0-9a-f-]+`   
Required: Yes

 ** [Username](#API_AdminGetDevice_RequestSyntax) **   <a name="CognitoUserPools-AdminGetDevice-request-Username"></a>
The name of the user that you want to query or modify. The value of this parameter is typically your user's username, but it can be any of their alias attributes. If `username` isn't an alias attribute in your user pool, this value must be the `sub` of a local user or the username of a user from a third-party IdP.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 128.  
Pattern: `[\p{L}\p{M}\p{S}\p{N}\p{P}]+`   
Required: Yes

 ** [UserPoolId](#API_AdminGetDevice_RequestSyntax) **   <a name="CognitoUserPools-AdminGetDevice-request-UserPoolId"></a>
The ID of the user pool where the device owner is a user.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 55.  
Pattern: `[\w-]+_[0-9a-zA-Z]+`   
Required: Yes

## Response Syntax


```
{
   "Device": { 
      "DeviceAttributes": [ 
         { 
            "Name": "string",
            "Value": "string"
         }
      ],
      "DeviceCreateDate": number,
      "DeviceKey": "string",
      "DeviceLastAuthenticatedDate": number,
      "DeviceLastModifiedDate": number
   }
}
```

## Response Elements


If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

 ** [Device](#API_AdminGetDevice_ResponseSyntax) **   <a name="CognitoUserPools-AdminGetDevice-response-Device"></a>
Details of the requested device. Includes device information, last-accessed and created dates, and the device key.  
Type: [DeviceType](API_DeviceType.md) object

## Errors


For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).

 ** InternalErrorException **   
This exception is thrown when Amazon Cognito encounters an internal error.    
 ** message **   
The message returned when Amazon Cognito throws an internal error exception.
HTTP Status Code: 500

 ** InvalidParameterException **   
This exception is thrown when the Amazon Cognito service encounters an invalid parameter.    
 ** message **   
The message returned when the Amazon Cognito service throws an invalid parameter exception.  
 ** reasonCode **   
The reason code of the exception.
HTTP Status Code: 400

 ** InvalidUserPoolConfigurationException **   
This exception is thrown when the user pool configuration is not valid.    
 ** message **   
The message returned when the user pool configuration is not valid.
HTTP Status Code: 400

 ** NotAuthorizedException **   
This exception is thrown when a user isn't authorized.    
 ** message **   
The message returned when the Amazon Cognito service returns a not authorized exception.
HTTP Status Code: 400

 ** ResourceNotFoundException **   
This exception is thrown when the Amazon Cognito service can't find the requested resource.    
 ** message **   
The message returned when the Amazon Cognito service returns a resource not found exception.
HTTP Status Code: 400

 ** TooManyRequestsException **   
This exception is thrown when the user has made too many requests for a given operation.    
 ** message **   
The message returned when the Amazon Cognito service returns a too many requests exception.
HTTP Status Code: 400

## Examples


### Example


The following example API request retrieves information about a device that belongs to the user "testuser."

#### Sample Request


```
POST HTTP/1.1
Host: cognito-idp.us-west-2.amazonaws.com
X-Amz-Date: 20230613T200059Z
Accept-Encoding: gzip, deflate, br
X-Amz-Target: AWSCognitoIdentityProviderService.AdminGetDevice
User-Agent: <UserAgentString>
Authorization: AWS4-HMAC-SHA256 Credential=<Credential>, SignedHeaders=<Headers>, Signature=<Signature>
Content-Length: <PayloadSizeBytes>

{
  "DeviceKey": "us-west-2_a1b2c3d4-5678-90ab-cdef-EXAMPLE22222",
  "UserPoolId": "us-west-2_EXAMPLE",
  "Username": "testuser"
}
```

#### Sample Response


```
HTTP/1.1 200 OK
Date: Tue, 13 Jun 2023 20:00:59 GMT
Content-Type: application/x-amz-json-1.0
Content-Length: <PayloadSizeBytes>
x-amzn-requestid: a1b2c3d4-e5f6-a1b2-c3d4-EXAMPLE11111
Connection: keep-alive

{
	"Device": {
		"DeviceAttributes": [
			{
				"Name": "device_status",
				"Value": "valid"
			},
			{
				"Name": "device_name",
				"Value": "Dart-device"
			},
			{
				"Name": "dev:device_arn",
				"Value": "arn:aws:cognito-idp:us-west-2:123456789012:owner/testuser.us-west-2_EXAMPLE/device/us-west-2_a1b2c3d4-5678-90ab-cdef-EXAMPLE22222"
			},
			{
				"Name": "dev:device_owner",
				"Value": "testuser.us-west-2_EXAMPLE"
			},
			{
				"Name": "last_ip_used",
				"Value": "192.0.2.1"
			},
			{
				"Name": "dev:device_remembered_status",
				"Value": "remembered"
			},
			{
				"Name": "dev:device_sdk",
				"Value": "aws-sdk-unknown-unknown"
			}
		],
		"DeviceCreateDate": 1715100742.022,
		"DeviceKey": "us-west-2_a1b2c3d4-5678-90ab-cdef-EXAMPLE22222",
		"DeviceLastAuthenticatedDate": 1715100742.0,
		"DeviceLastModifiedDate": 1715100742.022
	}
}
```

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cognito-idp-2016-04-18/AdminGetDevice) 
+  [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cognito-idp-2016-04-18/AdminGetDevice) 
+  [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/AdminGetDevice) 
+  [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cognito-idp-2016-04-18/AdminGetDevice) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/AdminGetDevice) 
+  [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cognito-idp-2016-04-18/AdminGetDevice) 
+  [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cognito-idp-2016-04-18/AdminGetDevice) 
+  [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cognito-idp-2016-04-18/AdminGetDevice) 
+  [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/AdminGetDevice) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cognito-idp-2016-04-18/AdminGetDevice) 

# AdminGetUser


Given a username, returns details about a user profile in a user pool. You can specify alias attributes in the `Username` request parameter.

This operation contributes to your monthly active user (MAU) count for the purpose of billing.

**Note**  
Amazon Cognito evaluates AWS Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.  
 [Signing AWS API Requests](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html) 
 [Using the Amazon Cognito user pools API and user pool endpoints](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html) 

## Request Syntax


```
{
   "Username": "string",
   "UserPoolId": "string"
}
```

## Request Parameters


For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).

The request accepts the following data in JSON format.

 ** [Username](#API_AdminGetUser_RequestSyntax) **   <a name="CognitoUserPools-AdminGetUser-request-Username"></a>
The name of the user that you want to query or modify. The value of this parameter is typically your user's username, but it can be any of their alias attributes. If `username` isn't an alias attribute in your user pool, this value must be the `sub` of a local user or the username of a user from a third-party IdP.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 128.  
Pattern: `[\p{L}\p{M}\p{S}\p{N}\p{P}]+`   
Required: Yes

 ** [UserPoolId](#API_AdminGetUser_RequestSyntax) **   <a name="CognitoUserPools-AdminGetUser-request-UserPoolId"></a>
The ID of the user pool where you want to get information about the user.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 55.  
Pattern: `[\w-]+_[0-9a-zA-Z]+`   
Required: Yes

## Response Syntax


```
{
   "Enabled": boolean,
   "MFAOptions": [ 
      { 
         "AttributeName": "string",
         "DeliveryMedium": "string"
      }
   ],
   "PreferredMfaSetting": "string",
   "UserAttributes": [ 
      { 
         "Name": "string",
         "Value": "string"
      }
   ],
   "UserCreateDate": number,
   "UserLastModifiedDate": number,
   "UserMFASettingList": [ "string" ],
   "Username": "string",
   "UserStatus": "string"
}
```

## Response Elements


If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

 ** [Enabled](#API_AdminGetUser_ResponseSyntax) **   <a name="CognitoUserPools-AdminGetUser-response-Enabled"></a>
Indicates whether the user is activated for sign-in.  
The [AdminDisableUser](API_AdminDisableUser.md) and [AdminEnableUser](API_AdminEnableUser.md) API operations deactivate and activate user sign-in, respectively.  
Type: Boolean

 ** [MFAOptions](#API_AdminGetUser_ResponseSyntax) **   <a name="CognitoUserPools-AdminGetUser-response-MFAOptions"></a>
 *This response parameter is no longer supported.* It provides information only about SMS MFA configurations. It doesn't provide information about time-based one-time password (TOTP) software token MFA configurations. To look up information about either type of MFA configuration, use UserMFASettingList instead.  
Type: Array of [MFAOptionType](API_MFAOptionType.md) objects

 ** [PreferredMfaSetting](#API_AdminGetUser_ResponseSyntax) **   <a name="CognitoUserPools-AdminGetUser-response-PreferredMfaSetting"></a>
The user's preferred MFA. Users can prefer SMS message, email message, or TOTP MFA.  
Type: String  
Length Constraints: Minimum length of 0. Maximum length of 131072.

 ** [UserAttributes](#API_AdminGetUser_ResponseSyntax) **   <a name="CognitoUserPools-AdminGetUser-response-UserAttributes"></a>
An array of name-value pairs of user attributes and their values, for example `"email": "testuser@example.com"`.  
Type: Array of [AttributeType](API_AttributeType.md) objects

 ** [UserCreateDate](#API_AdminGetUser_ResponseSyntax) **   <a name="CognitoUserPools-AdminGetUser-response-UserCreateDate"></a>
The date and time when the item was created. Amazon Cognito returns this timestamp in UNIX epoch time format. Your SDK might render the output in a human-readable format like ISO 8601 or a Java `Date` object.  
Type: Timestamp

 ** [UserLastModifiedDate](#API_AdminGetUser_ResponseSyntax) **   <a name="CognitoUserPools-AdminGetUser-response-UserLastModifiedDate"></a>
The date and time when the item was modified. Amazon Cognito returns this timestamp in UNIX epoch time format. Your SDK might render the output in a human-readable format like ISO 8601 or a Java `Date` object.  
Type: Timestamp

 ** [UserMFASettingList](#API_AdminGetUser_ResponseSyntax) **   <a name="CognitoUserPools-AdminGetUser-response-UserMFASettingList"></a>
The MFA options that are activated for the user. The possible values in this list are `SMS_MFA`, `EMAIL_OTP`, and `SOFTWARE_TOKEN_MFA`.  
You can change the MFA preference for users who have more than one available MFA factor with [AdminSetUserMFAPreference](API_AdminSetUserMFAPreference.md) or [SetUserMFAPreference](API_SetUserMFAPreference.md).  
Type: Array of strings  
Length Constraints: Minimum length of 0. Maximum length of 131072.

 ** [Username](#API_AdminGetUser_ResponseSyntax) **   <a name="CognitoUserPools-AdminGetUser-response-Username"></a>
The username of the user that you requested.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 128.  
Pattern: `[\p{L}\p{M}\p{S}\p{N}\p{P}]+` 

 ** [UserStatus](#API_AdminGetUser_ResponseSyntax) **   <a name="CognitoUserPools-AdminGetUser-response-UserStatus"></a>
The user's status. Can be one of the following:  
+ UNCONFIRMED - User has been created but not confirmed.
+ CONFIRMED - User has been confirmed.
+ UNKNOWN - User status isn't known.
+ RESET\$1REQUIRED - User is confirmed, but the user must request a code and reset their password before they can sign in.
+ FORCE\$1CHANGE\$1PASSWORD - The user is confirmed and the user can sign in using a temporary password, but on first sign-in, the user must change their password to a new value before doing anything else. 
+ EXTERNAL\$1PROVIDER - The user signed in with a third-party identity provider.
Type: String  
Valid Values: `UNCONFIRMED | CONFIRMED | ARCHIVED | COMPROMISED | UNKNOWN | RESET_REQUIRED | FORCE_CHANGE_PASSWORD | EXTERNAL_PROVIDER` 

## Errors


For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).

 ** InternalErrorException **   
This exception is thrown when Amazon Cognito encounters an internal error.    
 ** message **   
The message returned when Amazon Cognito throws an internal error exception.
HTTP Status Code: 500

 ** InvalidParameterException **   
This exception is thrown when the Amazon Cognito service encounters an invalid parameter.    
 ** message **   
The message returned when the Amazon Cognito service throws an invalid parameter exception.  
 ** reasonCode **   
The reason code of the exception.
HTTP Status Code: 400

 ** NotAuthorizedException **   
This exception is thrown when a user isn't authorized.    
 ** message **   
The message returned when the Amazon Cognito service returns a not authorized exception.
HTTP Status Code: 400

 ** ResourceNotFoundException **   
This exception is thrown when the Amazon Cognito service can't find the requested resource.    
 ** message **   
The message returned when the Amazon Cognito service returns a resource not found exception.
HTTP Status Code: 400

 ** TooManyRequestsException **   
This exception is thrown when the user has made too many requests for a given operation.    
 ** message **   
The message returned when the Amazon Cognito service returns a too many requests exception.
HTTP Status Code: 400

 ** UserNotFoundException **   
This exception is thrown when a user isn't found.    
 ** message **   
The message returned when a user isn't found.
HTTP Status Code: 400

## Examples


### Example


The following example API request gets user details for the user "testuser."

#### Sample Request


```
POST HTTP/1.1
Host: cognito-idp.us-west-2.amazonaws.com
X-Amz-Date: 20230613T200059Z
Accept-Encoding: gzip, deflate, br
X-Amz-Target: AWSCognitoIdentityProviderService.AdminGetUser
User-Agent: <UserAgentString>
Authorization: AWS4-HMAC-SHA256 Credential=<Credential>, SignedHeaders=<Headers>, Signature=<Signature>
Content-Length: <PayloadSizeBytes>

{
  "UserPoolId": "us-west-2_EXAMPLE",
  "Username": "testuser"
}
```

#### Sample Response


```
HTTP/1.1 200 OK
Date: Tue, 13 Jun 2023 20:00:59 GMT
Content-Type: application/x-amz-json-1.0
Content-Length: <PayloadSizeBytes>
x-amzn-requestid: a1b2c3d4-e5f6-a1b2-c3d4-EXAMPLE11111
Connection: keep-alive

{
    "Enabled": true,
    "UserAttributes": [
        {
            "Name": "sub",
            "Value": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
        },
        {
            "Name": "identities",
            "Value": "[{\"userId\":\"a1b2c3d4-5678-90ab-cdef-EXAMPLE22222\",\"providerName\":\"SignInWithApple\",\"providerType\":\"SignInWithApple\",\"issuer\":null,\"primary\":false,\"dateCreated\":1701125599632}]"
        },
        {
            "Name": "email_verified",
            "Value": "true"
        },
        {
            "Name": "custom:deliverables",
            "Value": "project-111222"
        },
        {
            "Name": "name",
            "Value": "John"
        },
        {
            "Name": "phone_number_verified",
            "Value": "true"
        },
        {
            "Name": "phone_number",
            "Value": "+12065551212"
        },
        {
            "Name": "preferred_username",
            "Value": "John Doe"
        },
        {
            "Name": "locale",
            "Value": "EMEA"
        },
        {
            "Name": "email",
            "Value": "testuser@example.com"
        }
    ],
    "UserCreateDate": 1.682955829578E9,
    "UserLastModifiedDate": 1.722380161794E9,
    "UserStatus": "CONFIRMED",
    "Username": "testuser"
}
```

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cognito-idp-2016-04-18/AdminGetUser) 
+  [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cognito-idp-2016-04-18/AdminGetUser) 
+  [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/AdminGetUser) 
+  [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cognito-idp-2016-04-18/AdminGetUser) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/AdminGetUser) 
+  [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cognito-idp-2016-04-18/AdminGetUser) 
+  [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cognito-idp-2016-04-18/AdminGetUser) 
+  [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cognito-idp-2016-04-18/AdminGetUser) 
+  [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/AdminGetUser) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cognito-idp-2016-04-18/AdminGetUser) 

# AdminInitiateAuth


Starts sign-in for applications with a server-side component, for example a traditional web application. This operation specifies the authentication flow that you'd like to begin. The authentication flow that you specify must be supported in your app client configuration. For more information about authentication flows, see [Authentication flows](https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-authentication-flow-methods.html).

**Note**  
This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers require you to register an origination phone number before you can send SMS messages to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a phone number with [Amazon Pinpoint](https://console.aws.amazon.com/pinpoint/home/). Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must receive SMS messages might not be able to sign up, activate their accounts, or sign in.  
If you have never used SMS text messages with Amazon Cognito or any other AWS service, Amazon Simple Notification Service might place your account in the SMS sandbox. In * [sandbox mode](https://docs.aws.amazon.com/sns/latest/dg/sns-sms-sandbox.html) *, you can send messages only to verified phone numbers. After you test your app while in the sandbox environment, you can move out of the sandbox and into production. For more information, see [ SMS message settings for Amazon Cognito user pools](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-sms-settings.html) in the *Amazon Cognito Developer Guide*.

**Note**  
Amazon Cognito evaluates AWS Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.  
 [Signing AWS API Requests](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html) 
 [Using the Amazon Cognito user pools API and user pool endpoints](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html) 

## Request Syntax


```
{
   "AnalyticsMetadata": { 
      "AnalyticsEndpointId": "string"
   },
   "AuthFlow": "string",
   "AuthParameters": { 
      "string" : "string" 
   },
   "ClientId": "string",
   "ClientMetadata": { 
      "string" : "string" 
   },
   "ContextData": { 
      "EncodedData": "string",
      "HttpHeaders": [ 
         { 
            "headerName": "string",
            "headerValue": "string"
         }
      ],
      "IpAddress": "string",
      "ServerName": "string",
      "ServerPath": "string"
   },
   "Session": "string",
   "UserPoolId": "string"
}
```

## Request Parameters


For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).

The request accepts the following data in JSON format.

 ** [AnalyticsMetadata](#API_AdminInitiateAuth_RequestSyntax) **   <a name="CognitoUserPools-AdminInitiateAuth-request-AnalyticsMetadata"></a>
Information that supports analytics outcomes with Amazon Pinpoint, including the user's endpoint ID. The endpoint ID is a destination for Amazon Pinpoint push notifications, for example a device identifier, email address, or phone number.  
Type: [AnalyticsMetadataType](API_AnalyticsMetadataType.md) object  
Required: No

 ** [AuthFlow](#API_AdminInitiateAuth_RequestSyntax) **   <a name="CognitoUserPools-AdminInitiateAuth-request-AuthFlow"></a>
The authentication flow that you want to initiate. Each `AuthFlow` has linked `AuthParameters` that you must submit. The following are some example flows.  
Include the required [AdminInitiateAuth:AuthParameters](#CognitoUserPools-AdminInitiateAuth-request-AuthParameters) for the flow that you choose.    
USER\$1AUTH  
The entry point for [choice-based authentication](https://docs.aws.amazon.com/cognito/latest/developerguide/authentication-flows-selection-sdk.html#authentication-flows-selection-choice) with passwords, one-time passwords, and WebAuthn authenticators. Request a preferred authentication type or review available authentication types. From the offered authentication types, select one in a challenge response and then authenticate with that method in an additional challenge response. To activate this setting, your user pool must be in the [ Essentials tier](https://docs.aws.amazon.com/cognito/latest/developerguide/feature-plans-features-essentials.html) or higher.  
USER\$1SRP\$1AUTH  
Username-password authentication with the Secure Remote Password (SRP) protocol. For more information, see [Use SRP password verification in custom authentication flow](https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-authentication-flow.html#Using-SRP-password-verification-in-custom-authentication-flow).  
REFRESH\$1TOKEN\$1AUTH and REFRESH\$1TOKEN  
Receive new ID and access tokens when you pass a `REFRESH_TOKEN` parameter with a valid refresh token as the value. For more information, see [Using the refresh token](https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-the-refresh-token.html).  
CUSTOM\$1AUTH  
Custom authentication with Lambda triggers. For more information, see [Custom authentication challenge Lambda triggers](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-challenge.html).  
ADMIN\$1USER\$1PASSWORD\$1AUTH  
Server-side username-password authentication with the password sent directly in the request. For more information about client-side and server-side authentication, see [SDK authorization models](https://docs.aws.amazon.com/cognito/latest/developerguide/authentication-flows-public-server-side.html).
 `USER_PASSWORD_AUTH` is a flow type of [InitiateAuth](API_InitiateAuth.md) and isn't valid for AdminInitiateAuth.  
Type: String  
Valid Values: `USER_SRP_AUTH | REFRESH_TOKEN_AUTH | REFRESH_TOKEN | CUSTOM_AUTH | ADMIN_NO_SRP_AUTH | USER_PASSWORD_AUTH | ADMIN_USER_PASSWORD_AUTH | USER_AUTH`   
Required: Yes

 ** [AuthParameters](#API_AdminInitiateAuth_RequestSyntax) **   <a name="CognitoUserPools-AdminInitiateAuth-request-AuthParameters"></a>
The authentication parameters. These are inputs corresponding to the `AuthFlow` that you're invoking.  
The following are some authentication flows and their parameters. Add a `SECRET_HASH` parameter if your app client has a client secret. Add `DEVICE_KEY` if you want to bypass multi-factor authentication with a remembered device.     
USER\$1AUTH  
+  `USERNAME` (required)
+  `PREFERRED_CHALLENGE`. If you don't provide a value for `PREFERRED_CHALLENGE`, Amazon Cognito responds with the `AvailableChallenges` parameter that specifies the available sign-in methods.  
USER\$1SRP\$1AUTH  
+  `USERNAME` (required)
+  `SRP_A` (required)  
ADMIN\$1USER\$1PASSWORD\$1AUTH  
+  `USERNAME` (required)
+  `PASSWORD` (required)  
REFRESH\$1TOKEN\$1AUTH/REFRESH\$1TOKEN  
+  `REFRESH_TOKEN`(required)  
CUSTOM\$1AUTH  
+  `USERNAME` (required)
+  `ChallengeName: SRP_A` (when preceding custom authentication with SRP authentication)
+  `SRP_A: (An SRP_A value)` (when preceding custom authentication with SRP authentication)
For more information about `SECRET_HASH`, see [Computing secret hash values](https://docs.aws.amazon.com/cognito/latest/developerguide/signing-up-users-in-your-app.html#cognito-user-pools-computing-secret-hash). For information about `DEVICE_KEY`, see [Working with user devices in your user pool](https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-device-tracking.html).  
Type: String to string map  
Key Length Constraints: Minimum length of 0. Maximum length of 131072.  
Value Length Constraints: Minimum length of 0. Maximum length of 131072.  
Required: No

 ** [ClientId](#API_AdminInitiateAuth_RequestSyntax) **   <a name="CognitoUserPools-AdminInitiateAuth-request-ClientId"></a>
The ID of the app client where the user wants to sign in.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 128.  
Pattern: `[\w+]+`   
Required: Yes

 ** [ClientMetadata](#API_AdminInitiateAuth_RequestSyntax) **   <a name="CognitoUserPools-AdminInitiateAuth-request-ClientMetadata"></a>
A map of custom key-value pairs that you can provide as input for any custom workflows that this action triggers. You create custom workflows by assigning AWS Lambda functions to user pool triggers.  
When Amazon Cognito invokes any of these functions, it passes a JSON payload, which the function receives as input. This payload contains a `clientMetadata` attribute that provides the data that you assigned to the ClientMetadata parameter in your request. In your function code, you can process the `clientMetadata` value to enhance your workflow for your specific needs.  
To review the Lambda trigger types that Amazon Cognito invokes at runtime with API requests, see [ Connecting API actions to Lambda triggers](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-working-with-lambda-triggers.html#lambda-triggers-by-event) in the *Amazon Cognito Developer Guide*.  
The `ClientMetadata` value is passed as input to the functions for only the following triggers:  
+ Pre signup
+ Pre authentication
+ User migration
This request also invokes the functions for the following triggers, but doesn't pass `ClientMetadata`:  
+ Post authentication
+ Custom message
+ Pre token generation
+ Create auth challenge
+ Define auth challenge
+ Custom email sender
+ Custom SMS sender
When you use the `ClientMetadata` parameter, note that Amazon Cognito won't do the following:  
+ Store the `ClientMetadata` value. This data is available only to AWS Lambda triggers that are assigned to a user pool to support custom workflows. If your user pool configuration doesn't include triggers, the `ClientMetadata` parameter serves no purpose.
+ Validate the `ClientMetadata` value.
+ Encrypt the `ClientMetadata` value. Don't send sensitive information in this parameter.
Type: String to string map  
Key Length Constraints: Minimum length of 0. Maximum length of 131072.  
Value Length Constraints: Minimum length of 0. Maximum length of 131072.  
Required: No

 ** [ContextData](#API_AdminInitiateAuth_RequestSyntax) **   <a name="CognitoUserPools-AdminInitiateAuth-request-ContextData"></a>
Contextual data about your user session like the device fingerprint, IP address, or location. Amazon Cognito threat protection evaluates the risk of an authentication event based on the context that your app generates and passes to Amazon Cognito when it makes API requests.  
For more information, see [Collecting data for threat protection in applications](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-viewing-threat-protection-app.html).  
Type: [ContextDataType](API_ContextDataType.md) object  
Required: No

 ** [Session](#API_AdminInitiateAuth_RequestSyntax) **   <a name="CognitoUserPools-AdminInitiateAuth-request-Session"></a>
The optional session ID from a `ConfirmSignUp` API request. You can sign in a user directly from the sign-up process with an `AuthFlow` of `USER_AUTH` and `AuthParameters` of `EMAIL_OTP` or `SMS_OTP`, depending on how your user pool sent the confirmation-code message.  
Type: String  
Length Constraints: Minimum length of 20. Maximum length of 2048.  
Required: No

 ** [UserPoolId](#API_AdminInitiateAuth_RequestSyntax) **   <a name="CognitoUserPools-AdminInitiateAuth-request-UserPoolId"></a>
The ID of the user pool where the user wants to sign in.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 55.  
Pattern: `[\w-]+_[0-9a-zA-Z]+`   
Required: Yes

## Response Syntax


```
{
   "AuthenticationResult": { 
      "AccessToken": "string",
      "ExpiresIn": number,
      "IdToken": "string",
      "NewDeviceMetadata": { 
         "DeviceGroupKey": "string",
         "DeviceKey": "string"
      },
      "RefreshToken": "string",
      "TokenType": "string"
   },
   "AvailableChallenges": [ "string" ],
   "ChallengeName": "string",
   "ChallengeParameters": { 
      "string" : "string" 
   },
   "Session": "string"
}
```

## Response Elements


If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

 ** [AuthenticationResult](#API_AdminInitiateAuth_ResponseSyntax) **   <a name="CognitoUserPools-AdminInitiateAuth-response-AuthenticationResult"></a>
The outcome of successful authentication. This is only returned if the user pool has no additional challenges to return. If Amazon Cognito returns another challenge, the response includes `ChallengeName`, `ChallengeParameters`, and `Session` so that your user can answer the challenge.  
Type: [AuthenticationResultType](API_AuthenticationResultType.md) object

 ** [AvailableChallenges](#API_AdminInitiateAuth_ResponseSyntax) **   <a name="CognitoUserPools-AdminInitiateAuth-response-AvailableChallenges"></a>
This response parameter lists the available authentication challenges that users can select from in [choice-based authentication](https://docs.aws.amazon.com/cognito/latest/developerguide/authentication-flows-selection-sdk.html#authentication-flows-selection-choice). For example, they might be able to choose between passkey authentication, a one-time password from an SMS message, and a traditional password.  
Type: Array of strings  
Valid Values: `SMS_MFA | EMAIL_OTP | SOFTWARE_TOKEN_MFA | SELECT_MFA_TYPE | MFA_SETUP | PASSWORD_VERIFIER | CUSTOM_CHALLENGE | SELECT_CHALLENGE | DEVICE_SRP_AUTH | DEVICE_PASSWORD_VERIFIER | ADMIN_NO_SRP_AUTH | NEW_PASSWORD_REQUIRED | SMS_OTP | PASSWORD | WEB_AUTHN | PASSWORD_SRP` 

 ** [ChallengeName](#API_AdminInitiateAuth_ResponseSyntax) **   <a name="CognitoUserPools-AdminInitiateAuth-response-ChallengeName"></a>
The name of the challenge that you're responding to with this call. This is returned in the `AdminInitiateAuth` response if you must pass another challenge.  
Possible challenges include the following:  
All of the following challenges require `USERNAME` and, when the app client has a client secret, `SECRET_HASH` in the parameters. Include a `DEVICE_KEY` for device authentication.
+  `WEB_AUTHN`: Respond to the challenge with the results of a successful authentication with a WebAuthn authenticator, or passkey, as `CREDENTIAL`. Examples of WebAuthn authenticators include biometric devices and security keys.
+  `PASSWORD`: Respond with the user's password as `PASSWORD`.
+  `PASSWORD_SRP`: Respond with the initial SRP secret as `SRP_A`.
+  `SELECT_CHALLENGE`: Respond with a challenge selection as `ANSWER`. It must be one of the challenge types in the `AvailableChallenges` response parameter. Add the parameters of the selected challenge, for example `USERNAME` and `SMS_OTP`.
+  `SMS_MFA`: Respond with the code that your user pool delivered in an SMS message, as `SMS_MFA_CODE` 
+  `EMAIL_MFA`: Respond with the code that your user pool delivered in an email message, as `EMAIL_MFA_CODE` 
+  `EMAIL_OTP`: Respond with the code that your user pool delivered in an email message, as `EMAIL_OTP_CODE` .
+  `SMS_OTP`: Respond with the code that your user pool delivered in an SMS message, as `SMS_OTP_CODE`.
+  `PASSWORD_VERIFIER`: Respond with the second stage of SRP secrets as `PASSWORD_CLAIM_SIGNATURE`, `PASSWORD_CLAIM_SECRET_BLOCK`, and `TIMESTAMP`.
+  `CUSTOM_CHALLENGE`: This is returned if your custom authentication flow determines that the user should pass another challenge before tokens are issued. The parameters of the challenge are determined by your Lambda function and issued in the `ChallengeParameters` of a challenge response.
+  `DEVICE_SRP_AUTH`: Respond with the initial parameters of device SRP authentication. For more information, see [Signing in with a device](https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-device-tracking.html#user-pools-remembered-devices-signing-in-with-a-device).
+  `DEVICE_PASSWORD_VERIFIER`: Respond with `PASSWORD_CLAIM_SIGNATURE`, `PASSWORD_CLAIM_SECRET_BLOCK`, and `TIMESTAMP` after client-side SRP calculations. For more information, see [Signing in with a device](https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-device-tracking.html#user-pools-remembered-devices-signing-in-with-a-device).
+  `NEW_PASSWORD_REQUIRED`: For users who are required to change their passwords after successful first login. Respond to this challenge with `NEW_PASSWORD` and any required attributes that Amazon Cognito returned in the `requiredAttributes` parameter. You can also set values for attributes that aren't required by your user pool and that your app client can write.

  Amazon Cognito only returns this challenge for users who have temporary passwords. When you create passwordless users, you must provide values for all required attributes.
**Note**  
In a `NEW_PASSWORD_REQUIRED` challenge response, you can't modify a required attribute that already has a value. In `AdminRespondToAuthChallenge` or `RespondToAuthChallenge`, set a value for any keys that Amazon Cognito returned in the `requiredAttributes` parameter, then use the `AdminUpdateUserAttributes` or `UpdateUserAttributes` API operation to modify the value of any additional attributes.
+  `MFA_SETUP`: For users who are required to setup an MFA factor before they can sign in. The MFA types activated for the user pool will be listed in the challenge parameters `MFAS_CAN_SETUP` value. 

  To set up time-based one-time password (TOTP) MFA, use the session returned in this challenge from `InitiateAuth` or `AdminInitiateAuth` as an input to `AssociateSoftwareToken`. Then, use the session returned by `VerifySoftwareToken` as an input to `RespondToAuthChallenge` or `AdminRespondToAuthChallenge` with challenge name `MFA_SETUP` to complete sign-in. 

  To set up SMS or email MFA, collect a `phone_number` or `email` attribute for the user. Then restart the authentication flow with an `InitiateAuth` or `AdminInitiateAuth` request. 
Type: String  
Valid Values: `SMS_MFA | EMAIL_OTP | SOFTWARE_TOKEN_MFA | SELECT_MFA_TYPE | MFA_SETUP | PASSWORD_VERIFIER | CUSTOM_CHALLENGE | SELECT_CHALLENGE | DEVICE_SRP_AUTH | DEVICE_PASSWORD_VERIFIER | ADMIN_NO_SRP_AUTH | NEW_PASSWORD_REQUIRED | SMS_OTP | PASSWORD | WEB_AUTHN | PASSWORD_SRP` 

 ** [ChallengeParameters](#API_AdminInitiateAuth_ResponseSyntax) **   <a name="CognitoUserPools-AdminInitiateAuth-response-ChallengeParameters"></a>
The parameters of an authentication challenge. Amazon Cognito returns challenge parameters as a guide to the responses your user or application must provide for the returned `ChallengeName`. Calculate responses to the challenge parameters and pass them in the `ChallengeParameters` of `AdminRespondToAuthChallenge`.  
All challenges require `USERNAME` and, when the app client has a client secret, `SECRET_HASH`.  
In SRP challenges, Amazon Cognito returns the `username` attribute in `USER_ID_FOR_SRP` instead of any email address, preferred username, or phone number alias that you might have specified in your `AdminInitiateAuth` request. You must use the username and not an alias in the `ChallengeResponses` of your challenge response.  
Type: String to string map  
Key Length Constraints: Minimum length of 0. Maximum length of 131072.  
Value Length Constraints: Minimum length of 0. Maximum length of 131072.

 ** [Session](#API_AdminInitiateAuth_ResponseSyntax) **   <a name="CognitoUserPools-AdminInitiateAuth-response-Session"></a>
The session that must be passed to challenge-response requests. If an `AdminInitiateAuth` or `AdminRespondToAuthChallenge` API request results in another authentication challenge, Amazon Cognito returns a session ID and the parameters of the next challenge. Pass this session ID in the `Session` parameter of `AdminRespondToAuthChallenge`.  
Type: String  
Length Constraints: Minimum length of 20. Maximum length of 2048.

## Errors


For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).

 ** InternalErrorException **   
This exception is thrown when Amazon Cognito encounters an internal error.    
 ** message **   
The message returned when Amazon Cognito throws an internal error exception.
HTTP Status Code: 500

 ** InvalidEmailRoleAccessPolicyException **   
This exception is thrown when Amazon Cognito isn't allowed to use your email identity. HTTP status code: 400.    
 ** message **   
The message returned when you have an unverified email address or the identity policy isn't set on an email address that Amazon Cognito can access.
HTTP Status Code: 400

 ** InvalidLambdaResponseException **   
This exception is thrown when Amazon Cognito encounters an invalid AWS Lambda response.    
 ** message **   
The message returned when Amazon Cognito throws an invalid AWS Lambda response exception.
HTTP Status Code: 400

 ** InvalidParameterException **   
This exception is thrown when the Amazon Cognito service encounters an invalid parameter.    
 ** message **   
The message returned when the Amazon Cognito service throws an invalid parameter exception.  
 ** reasonCode **   
The reason code of the exception.
HTTP Status Code: 400

 ** InvalidSmsRoleAccessPolicyException **   
This exception is returned when the role provided for SMS configuration doesn't have permission to publish using Amazon SNS.    
 ** message **   
The message returned when the invalid SMS role access policy exception is thrown.
HTTP Status Code: 400

 ** InvalidSmsRoleTrustRelationshipException **   
This exception is thrown when the trust relationship is not valid for the role provided for SMS configuration. This can happen if you don't trust `cognito-idp.amazonaws.com` or the external ID provided in the role does not match what is provided in the SMS configuration for the user pool.    
 ** message **   
The message returned when the role trust relationship for the SMS message is not valid.
HTTP Status Code: 400

 ** InvalidUserPoolConfigurationException **   
This exception is thrown when the user pool configuration is not valid.    
 ** message **   
The message returned when the user pool configuration is not valid.
HTTP Status Code: 400

 ** MFAMethodNotFoundException **   
This exception is thrown when Amazon Cognito can't find a multi-factor authentication (MFA) method.    
 ** message **   
The message returned when Amazon Cognito throws an MFA method not found exception.
HTTP Status Code: 400

 ** NotAuthorizedException **   
This exception is thrown when a user isn't authorized.    
 ** message **   
The message returned when the Amazon Cognito service returns a not authorized exception.
HTTP Status Code: 400

 ** PasswordResetRequiredException **   
This exception is thrown when a password reset is required.    
 ** message **   
The message returned when a password reset is required.
HTTP Status Code: 400

 ** ResourceNotFoundException **   
This exception is thrown when the Amazon Cognito service can't find the requested resource.    
 ** message **   
The message returned when the Amazon Cognito service returns a resource not found exception.
HTTP Status Code: 400

 ** TooManyRequestsException **   
This exception is thrown when the user has made too many requests for a given operation.    
 ** message **   
The message returned when the Amazon Cognito service returns a too many requests exception.
HTTP Status Code: 400

 ** UnexpectedLambdaException **   
This exception is thrown when Amazon Cognito encounters an unexpected exception with AWS Lambda.    
 ** message **   
The message returned when Amazon Cognito returns an unexpected Lambda exception.
HTTP Status Code: 400

 ** UnsupportedOperationException **   
Exception that is thrown when you attempt to perform an operation that isn't enabled for the user pool client.  
HTTP Status Code: 400

 ** UserLambdaValidationException **   
This exception is thrown when the Amazon Cognito service encounters a user validation exception with the AWS Lambda service.    
 ** message **   
The message returned when the Amazon Cognito service returns a user validation exception with the Lambda service.
HTTP Status Code: 400

 ** UserNotConfirmedException **   
This exception is thrown when a user isn't confirmed successfully.    
 ** message **   
The message returned when a user isn't confirmed successfully.
HTTP Status Code: 400

 ** UserNotFoundException **   
This exception is thrown when a user isn't found.    
 ** message **   
The message returned when a user isn't found.
HTTP Status Code: 400

## Examples


### Example


The following example request signs in the user "testuser" to an app client with a client secret. It includes context data for advanced security features and ClientMetadata for Lambda triggers. The device key and device group key in the response indicate that this user pool supports the device-remembering feature. 

#### Sample Request


```
POST HTTP/1.1
Host: cognito-idp.us-west-2.amazonaws.com
X-Amz-Date: 20230613T200059Z
Accept-Encoding: gzip, deflate, br
X-Amz-Target: AWSCognitoIdentityProviderService.AdminInitiateAuth
User-Agent: <UserAgentString>
Authorization: AWS4-HMAC-SHA256 Credential=<Credential>, SignedHeaders=<Headers>, Signature=<Signature>
Content-Length: <PayloadSizeBytes>
{
    "AuthFlow": "ADMIN_USER_PASSWORD_AUTH",
    "ClientId": "1example23456789",
    "UserPoolId": "us-west-2_EXAMPLE",
    "AuthParameters": {
        "USERNAME": "testuser",
        "PASSWORD": "TestUserPassword1=",
        "SECRET_HASH": "cKtx2L2fvV1FeAbk3iUPgCyXY+5B0ItO0ItxhFaLkeA="
    },
    "ContextData": {
      "EncodedData": "VGhpc0lzTXlFbmNvZGVkRGF0YQ",
      "HttpHeaders": [
         {
            "headerName": "Referer",
            "headerValue": "https://home.example.com"
         }
      ],
      "IpAddress": "192.0.2.100",
      "ServerName": "auth.example.com",
      "ServerPath": "/web/private/program.html"
    },
    "ClientMetadata": {
        "MyTestKey": "MyTestValue"
    }
}
```

#### Sample Response


```
HTTP/1.1 200 OK
Date: Tue, 13 Jun 2023 20:00:59 GMT
Content-Type: application/x-amz-json-1.0
Content-Length: <PayloadSizeBytes>
x-amzn-requestid: a1b2c3d4-e5f6-a1b2-c3d4-EXAMPLE11111
Connection: keep-alive
{
	"AuthenticationResult": {
		"AccessToken": "eyJraACCESSEXAMPLE...",
		"ExpiresIn": 3600,
		"IdToken": "eyJraIDEXAMPLE...",
		"NewDeviceMetadata": {
			"DeviceGroupKey": "-v7w9UcY6",
			"DeviceKey": "us-west-2_a1b2c3d4-5678-90ab-cdef-EXAMPLE22222"
		},
		"RefreshToken": "eyJjREFRESHEXAMPLE...",
		"TokenType": "Bearer"
	},
	"ChallengeParameters": {}
}
```

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cognito-idp-2016-04-18/AdminInitiateAuth) 
+  [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cognito-idp-2016-04-18/AdminInitiateAuth) 
+  [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/AdminInitiateAuth) 
+  [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cognito-idp-2016-04-18/AdminInitiateAuth) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/AdminInitiateAuth) 
+  [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cognito-idp-2016-04-18/AdminInitiateAuth) 
+  [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cognito-idp-2016-04-18/AdminInitiateAuth) 
+  [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cognito-idp-2016-04-18/AdminInitiateAuth) 
+  [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/AdminInitiateAuth) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cognito-idp-2016-04-18/AdminInitiateAuth) 

# AdminLinkProviderForUser


Links an existing user account in a user pool, or `DestinationUser`, to an identity from an external IdP, or `SourceUser`, based on a specified attribute name and value from the external IdP.

This operation connects a local user profile with a user identity who hasn't yet signed in from their third-party IdP. When the user signs in with their IdP, they get access-control configuration from the local user profile. Linked local users can also sign in with SDK-based API operations like `InitiateAuth` after they sign in at least once through their IdP. For more information, see [Linking federated users](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-identity-federation-consolidate-users.html).

**Note**  
The maximum number of federated identities linked to a user is five.

**Important**  
Because this API allows a user with an external federated identity to sign in as a local user, it is critical that it only be used with external IdPs and linked attributes that you trust.

See also [AdminDisableProviderForUser](API_AdminDisableProviderForUser.md).

**Note**  
Amazon Cognito evaluates AWS Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.  
 [Signing AWS API Requests](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html) 
 [Using the Amazon Cognito user pools API and user pool endpoints](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html) 

## Request Syntax


```
{
   "DestinationUser": { 
      "ProviderAttributeName": "string",
      "ProviderAttributeValue": "string",
      "ProviderName": "string"
   },
   "SourceUser": { 
      "ProviderAttributeName": "string",
      "ProviderAttributeValue": "string",
      "ProviderName": "string"
   },
   "UserPoolId": "string"
}
```

## Request Parameters


For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).

The request accepts the following data in JSON format.

 ** [DestinationUser](#API_AdminLinkProviderForUser_RequestSyntax) **   <a name="CognitoUserPools-AdminLinkProviderForUser-request-DestinationUser"></a>
The existing user in the user pool that you want to assign to the external IdP user account. This user can be a local (Username \$1 Password) Amazon Cognito user pools user or a federated user (for example, a SAML or Facebook user). If the user doesn't exist, Amazon Cognito generates an exception. Amazon Cognito returns this user when the new user (with the linked IdP attribute) signs in.  
For a native username \$1 password user, the `ProviderAttributeValue` for the `DestinationUser` should be the username in the user pool. For a federated user, it should be the provider-specific `user_id`.  
The `ProviderAttributeName` of the `DestinationUser` is ignored.  
The `ProviderName` should be set to `Cognito` for users in Cognito user pools.  
All attributes in the DestinationUser profile must be mutable. If you have assigned the user any immutable custom attributes, the operation won't succeed.
Type: [ProviderUserIdentifierType](API_ProviderUserIdentifierType.md) object  
Required: Yes

 ** [SourceUser](#API_AdminLinkProviderForUser_RequestSyntax) **   <a name="CognitoUserPools-AdminLinkProviderForUser-request-SourceUser"></a>
An external IdP account for a user who doesn't exist yet in the user pool. This user must be a federated user (for example, a SAML or Facebook user), not another native user.  
If the `SourceUser` is using a federated social IdP, such as Facebook, Google, or Login with Amazon, you must set the `ProviderAttributeName` to `Cognito_Subject`. For social IdPs, the `ProviderName` will be `Facebook`, `Google`, or `LoginWithAmazon`, and Amazon Cognito will automatically parse the Facebook, Google, and Login with Amazon tokens for `id`, `sub`, and `user_id`, respectively. The `ProviderAttributeValue` for the user must be the same value as the `id`, `sub`, or `user_id` value found in the social IdP token.  
For OIDC, the `ProviderAttributeName` can be any mapped value from a claim in the ID token, or that your app retrieves from the `userInfo` endpoint. For SAML, the `ProviderAttributeName` can be any mapped value from a claim in the SAML assertion.  
The following additional considerations apply to `SourceUser` for OIDC and SAML providers.  
+ You must map the claim to a user pool attribute in your IdP configuration, and set the user pool attribute name as the value of `ProviderAttributeName` in your `AdminLinkProviderForUser` request. For example, `email`.
+ When you set `ProviderAttributeName` to `Cognito_Subject`, Amazon Cognito will automatically parse the default unique identifier found in the subject from the IdP token.
Type: [ProviderUserIdentifierType](API_ProviderUserIdentifierType.md) object  
Required: Yes

 ** [UserPoolId](#API_AdminLinkProviderForUser_RequestSyntax) **   <a name="CognitoUserPools-AdminLinkProviderForUser-request-UserPoolId"></a>
The ID of the user pool where you want to link a federated identity.  
Type: String  
Length Constraints: Minimum length of 0. Maximum length of 131072.  
Required: Yes

## Response Elements


If the action is successful, the service sends back an HTTP 200 response with an empty HTTP body.

## Errors


For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).

 ** AliasExistsException **   
This exception is thrown when a user tries to confirm the account with an email address or phone number that has already been supplied as an alias for a different user profile. This exception indicates that an account with this email address or phone already exists in a user pool that you've configured to use email address or phone number as a sign-in alias.    
 ** message **   
The message that Amazon Cognito sends to the user when the value of an alias attribute is already linked to another user profile.
HTTP Status Code: 400

 ** InternalErrorException **   
This exception is thrown when Amazon Cognito encounters an internal error.    
 ** message **   
The message returned when Amazon Cognito throws an internal error exception.
HTTP Status Code: 500

 ** InvalidParameterException **   
This exception is thrown when the Amazon Cognito service encounters an invalid parameter.    
 ** message **   
The message returned when the Amazon Cognito service throws an invalid parameter exception.  
 ** reasonCode **   
The reason code of the exception.
HTTP Status Code: 400

 ** LimitExceededException **   
This exception is thrown when a user exceeds the limit for a requested AWS resource.    
 ** message **   
The message returned when Amazon Cognito throws a limit exceeded exception.
HTTP Status Code: 400

 ** NotAuthorizedException **   
This exception is thrown when a user isn't authorized.    
 ** message **   
The message returned when the Amazon Cognito service returns a not authorized exception.
HTTP Status Code: 400

 ** ResourceNotFoundException **   
This exception is thrown when the Amazon Cognito service can't find the requested resource.    
 ** message **   
The message returned when the Amazon Cognito service returns a resource not found exception.
HTTP Status Code: 400

 ** TooManyRequestsException **   
This exception is thrown when the user has made too many requests for a given operation.    
 ** message **   
The message returned when the Amazon Cognito service returns a too many requests exception.
HTTP Status Code: 400

 ** UserNotFoundException **   
This exception is thrown when a user isn't found.    
 ** message **   
The message returned when a user isn't found.
HTTP Status Code: 400

## Examples


### Example


The following example links a Facebook user to the user pool user "adminlink-testuser." The user's unique identifier with Facebook is represented in the value of `ProviderAttributeValue`.

#### Sample Request


```
POST HTTP/1.1
Host: cognito-idp.us-west-2.amazonaws.com
X-Amz-Date: 20230613T200059Z
Accept-Encoding: gzip, deflate, br
X-Amz-Target: AWSCognitoIdentityProviderService.AdminLinkProviderForUser
User-Agent: <UserAgentString>
Authorization: AWS4-HMAC-SHA256 Credential=<Credential>, SignedHeaders=<Headers>, Signature=<Signature>
Content-Length: <PayloadSizeBytes>
{
  "DestinationUser": {
    "ProviderAttributeValue": "adminlink-testuser",
    "ProviderName": "Cognito"
  },
  "SourceUser": {
    "ProviderAttributeName": "Cognito_Subject",
    "ProviderAttributeValue": "123456789012345",
    "ProviderName": "Facebook"
  },
  "UserPoolId": "us-west-2_EXAMPLE"}
```

#### Sample Response


```
HTTP/1.1 200 OK
Date: Tue, 13 Jun 2023 20:00:59 GMT
Content-Type: application/x-amz-json-1.0
Content-Length: <PayloadSizeBytes>
x-amzn-requestid: a1b2c3d4-e5f6-a1b2-c3d4-EXAMPLE11111
Connection: keep-alive
{}
```

### Example


The following example links a Google user to the user pool user "adminlink-testuser." The user's unique identifier with Google is represented in the value of `ProviderAttributeValue`.

#### Sample Request


```
POST HTTP/1.1
Host: cognito-idp.us-west-2.amazonaws.com
X-Amz-Date: 20230613T200059Z
Accept-Encoding: gzip, deflate, br
X-Amz-Target: AWSCognitoIdentityProviderService.AdminLinkProviderForUser
User-Agent: <UserAgentString>
Authorization: AWS4-HMAC-SHA256 Credential=<Credential>, SignedHeaders=<Headers>, Signature=<Signature>
Content-Length: <PayloadSizeBytes>
{
  "DestinationUser": {
    "ProviderAttributeValue": "adminlink-testuser",
    "ProviderName": "Cognito"
  },
  "SourceUser": {
    "ProviderAttributeName": "Cognito_Subject",
    "ProviderAttributeValue": "5432109876543210",
    "ProviderName": "Google"
  },
  "UserPoolId": "us-west-2_EXAMPLE"
}
```

#### Sample Response


```
HTTP/1.1 200 OK
Date: Tue, 13 Jun 2023 20:00:59 GMT
Content-Type: application/x-amz-json-1.0
Content-Length: <PayloadSizeBytes>
x-amzn-requestid: a1b2c3d4-e5f6-a1b2-c3d4-EXAMPLE11111
Connection: keep-alive
{}
```

### Example


The following example links a Login With Amazon user to the user pool user "adminlink-testuser." The user's unique identifier with Amazon is represented in the value of `ProviderAttributeValue`.

#### Sample Request


```
POST HTTP/1.1
Host: cognito-idp.us-west-2.amazonaws.com
X-Amz-Date: 20230613T200059Z
Accept-Encoding: gzip, deflate, br
X-Amz-Target: AWSCognitoIdentityProviderService.AdminLinkProviderForUser
User-Agent: <UserAgentString>
Authorization: AWS4-HMAC-SHA256 Credential=<Credential>, SignedHeaders=<Headers>, Signature=<Signature>
Content-Length: <PayloadSizeBytes>
{
  "DestinationUser": {
    "ProviderAttributeValue": "adminlink-testuser",
    "ProviderName": "Cognito"
  },
  "SourceUser": {
    "ProviderAttributeName": "Cognito_Subject",
    "ProviderAttributeValue": "amzn1.account.AFALI...",
    "ProviderName": "LoginWithAmazon"
  },
  "UserPoolId": "us-west-2_EXAMPLE"
}
```

#### Sample Response


```
HTTP/1.1 200 OK
Date: Tue, 13 Jun 2023 20:00:59 GMT
Content-Type: application/x-amz-json-1.0
Content-Length: <PayloadSizeBytes>
x-amzn-requestid: a1b2c3d4-e5f6-a1b2-c3d4-EXAMPLE11111
Connection: keep-alive
{}
```

### Example


The following example links a Sign In With Apple user to the user pool user "adminlink-testuser." The user's unique identifier with Apple is represented in the value of `ProviderAttributeValue`.

#### Sample Request


```
POST HTTP/1.1
Host: cognito-idp.us-west-2.amazonaws.com
X-Amz-Date: 20230613T200059Z
Accept-Encoding: gzip, deflate, br
X-Amz-Target: AWSCognitoIdentityProviderService.AdminLinkProviderForUser
User-Agent: <UserAgentString>
Authorization: AWS4-HMAC-SHA256 Credential=<Credential>, SignedHeaders=<Headers>, Signature=<Signature>
Content-Length: <PayloadSizeBytes>
{
	"DestinationUser": {
		"ProviderAttributeValue": "adminlink-testuser",
		"ProviderName": "Cognito"
	},
	"SourceUser": {
		"ProviderAttributeName": "Cognito_Subject",
		"ProviderAttributeValue": "000111.11111111111111111111111111111111111111.1111",
		"ProviderName": "SignInWithApple"
	},
	"UserPoolId": "us-west-2_EXAMPLE"
}
```

#### Sample Response


```
HTTP/1.1 200 OK
Date: Tue, 13 Jun 2023 20:00:59 GMT
Content-Type: application/x-amz-json-1.0
Content-Length: <PayloadSizeBytes>
x-amzn-requestid: a1b2c3d4-e5f6-a1b2-c3d4-EXAMPLE11111
Connection: keep-alive
{}
```

### Example


The following example links a user from OIDC provider "MyOIDCProvider" to the user pool user "adminlink-testuser." This request links the local user to an IdP user that has a `preferred_username` attribute of `testuser@example.com`. For this user to sync, your application must request scopes that return the `preferred_username` attribute from the IdP.

#### Sample Request


```
POST HTTP/1.1
Host: cognito-idp.us-west-2.amazonaws.com
X-Amz-Date: 20230613T200059Z
Accept-Encoding: gzip, deflate, br
X-Amz-Target: AWSCognitoIdentityProviderService.AdminLinkProviderForUser
User-Agent: <UserAgentString>
Authorization: AWS4-HMAC-SHA256 Credential=<Credential>, SignedHeaders=<Headers>, Signature=<Signature>
Content-Length: <PayloadSizeBytes>
{
	"DestinationUser": {
		"ProviderAttributeValue": "adminlink-testuser",
		"ProviderName": "Cognito"
	},
	"SourceUser": {
		"ProviderAttributeName": "preferred_username",
		"ProviderAttributeValue": "testuser@example.com",
		"ProviderName": "MyOIDCProvider"
	},
	"UserPoolId": "us-west-2_EXAMPLE"
}
```

#### Sample Response


```
HTTP/1.1 200 OK
Date: Tue, 13 Jun 2023 20:00:59 GMT
Content-Type: application/x-amz-json-1.0
Content-Length: <PayloadSizeBytes>
x-amzn-requestid: a1b2c3d4-e5f6-a1b2-c3d4-EXAMPLE11111
Connection: keep-alive
{}
```

### Example


The following example links a user from SAML 2.0 provider "MySAMLProvider" to the user pool user "adminlink-testuser." This request links the local user to an IdP user that has a `email` attribute of `testuser@example.com`. For this user to sync, your application must receive an `email` claim in the SAML assertion.

#### Sample Request


```
POST HTTP/1.1
Host: cognito-idp.us-west-2.amazonaws.com
X-Amz-Date: 20230613T200059Z
Accept-Encoding: gzip, deflate, br
X-Amz-Target: AWSCognitoIdentityProviderService.AdminLinkProviderForUser
User-Agent: <UserAgentString>
Authorization: AWS4-HMAC-SHA256 Credential=<Credential>, SignedHeaders=<Headers>, Signature=<Signature>
Content-Length: <PayloadSizeBytes>
{
	"DestinationUser": {
		"ProviderAttributeValue": "adminlink-testuser",
		"ProviderName": "Cognito"
	},
	"SourceUser": {
		"ProviderAttributeName": "email",
		"ProviderAttributeValue": "testuser@example.com",
		"ProviderName": "MySAMLProvider"
	},
	"UserPoolId": "us-west-2_EXAMPLE"
}
```

#### Sample Response


```
HTTP/1.1 200 OK
Date: Tue, 13 Jun 2023 20:00:59 GMT
Content-Type: application/x-amz-json-1.0
Content-Length: <PayloadSizeBytes>
x-amzn-requestid: a1b2c3d4-e5f6-a1b2-c3d4-EXAMPLE11111
Connection: keep-alive
{}
```

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cognito-idp-2016-04-18/AdminLinkProviderForUser) 
+  [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cognito-idp-2016-04-18/AdminLinkProviderForUser) 
+  [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/AdminLinkProviderForUser) 
+  [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cognito-idp-2016-04-18/AdminLinkProviderForUser) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/AdminLinkProviderForUser) 
+  [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cognito-idp-2016-04-18/AdminLinkProviderForUser) 
+  [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cognito-idp-2016-04-18/AdminLinkProviderForUser) 
+  [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cognito-idp-2016-04-18/AdminLinkProviderForUser) 
+  [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/AdminLinkProviderForUser) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cognito-idp-2016-04-18/AdminLinkProviderForUser) 

# AdminListDevices


Lists a user's registered devices. Remembered devices are used in authentication services where you offer a "Remember me" option for users who you want to permit to sign in without MFA from a trusted device. Users can bypass MFA while your application performs device SRP authentication on the back end. For more information, see [Working with devices](https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-device-tracking.html).

**Note**  
Amazon Cognito evaluates AWS Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.  
 [Signing AWS API Requests](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html) 
 [Using the Amazon Cognito user pools API and user pool endpoints](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html) 

## Request Syntax


```
{
   "Limit": number,
   "PaginationToken": "string",
   "Username": "string",
   "UserPoolId": "string"
}
```

## Request Parameters


For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).

The request accepts the following data in JSON format.

 ** [Limit](#API_AdminListDevices_RequestSyntax) **   <a name="CognitoUserPools-AdminListDevices-request-Limit"></a>
The maximum number of devices that you want Amazon Cognito to return in the response.  
Type: Integer  
Valid Range: Minimum value of 0. Maximum value of 60.  
Required: No

 ** [PaginationToken](#API_AdminListDevices_RequestSyntax) **   <a name="CognitoUserPools-AdminListDevices-request-PaginationToken"></a>
This API operation returns a limited number of results. The pagination token is an identifier that you can present in an additional API request with the same parameters. When you include the pagination token, Amazon Cognito returns the next set of items after the current list. Subsequent requests return a new pagination token. By use of this token, you can paginate through the full list of items.  
Type: String  
Length Constraints: Minimum length of 1.  
Pattern: `[\S]+`   
Required: No

 ** [Username](#API_AdminListDevices_RequestSyntax) **   <a name="CognitoUserPools-AdminListDevices-request-Username"></a>
The name of the user that you want to query or modify. The value of this parameter is typically your user's username, but it can be any of their alias attributes. If `username` isn't an alias attribute in your user pool, this value must be the `sub` of a local user or the username of a user from a third-party IdP.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 128.  
Pattern: `[\p{L}\p{M}\p{S}\p{N}\p{P}]+`   
Required: Yes

 ** [UserPoolId](#API_AdminListDevices_RequestSyntax) **   <a name="CognitoUserPools-AdminListDevices-request-UserPoolId"></a>
The ID of the user pool where the device owner is a user.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 55.  
Pattern: `[\w-]+_[0-9a-zA-Z]+`   
Required: Yes

## Response Syntax


```
{
   "Devices": [ 
      { 
         "DeviceAttributes": [ 
            { 
               "Name": "string",
               "Value": "string"
            }
         ],
         "DeviceCreateDate": number,
         "DeviceKey": "string",
         "DeviceLastAuthenticatedDate": number,
         "DeviceLastModifiedDate": number
      }
   ],
   "PaginationToken": "string"
}
```

## Response Elements


If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

 ** [Devices](#API_AdminListDevices_ResponseSyntax) **   <a name="CognitoUserPools-AdminListDevices-response-Devices"></a>
An array of devices and their information. Each entry that's returned includes device information, last-accessed and created dates, and the device key.  
Type: Array of [DeviceType](API_DeviceType.md) objects

 ** [PaginationToken](#API_AdminListDevices_ResponseSyntax) **   <a name="CognitoUserPools-AdminListDevices-response-PaginationToken"></a>
The identifier that Amazon Cognito returned with the previous request to this operation. When you include a pagination token in your request, Amazon Cognito returns the next set of items in the list. By use of this token, you can paginate through the full list of items.  
Type: String  
Length Constraints: Minimum length of 1.  
Pattern: `[\S]+` 

## Errors


For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).

 ** InternalErrorException **   
This exception is thrown when Amazon Cognito encounters an internal error.    
 ** message **   
The message returned when Amazon Cognito throws an internal error exception.
HTTP Status Code: 500

 ** InvalidParameterException **   
This exception is thrown when the Amazon Cognito service encounters an invalid parameter.    
 ** message **   
The message returned when the Amazon Cognito service throws an invalid parameter exception.  
 ** reasonCode **   
The reason code of the exception.
HTTP Status Code: 400

 ** InvalidUserPoolConfigurationException **   
This exception is thrown when the user pool configuration is not valid.    
 ** message **   
The message returned when the user pool configuration is not valid.
HTTP Status Code: 400

 ** NotAuthorizedException **   
This exception is thrown when a user isn't authorized.    
 ** message **   
The message returned when the Amazon Cognito service returns a not authorized exception.
HTTP Status Code: 400

 ** ResourceNotFoundException **   
This exception is thrown when the Amazon Cognito service can't find the requested resource.    
 ** message **   
The message returned when the Amazon Cognito service returns a resource not found exception.
HTTP Status Code: 400

 ** TooManyRequestsException **   
This exception is thrown when the user has made too many requests for a given operation.    
 ** message **   
The message returned when the Amazon Cognito service returns a too many requests exception.
HTTP Status Code: 400

## Examples


### Example


The following example API request retrieves information about the first two devices that belong to the user "testuser."

#### Sample Request


```
POST HTTP/1.1
Host: cognito-idp.us-west-2.amazonaws.com
X-Amz-Date: 20230613T200059Z
Accept-Encoding: gzip, deflate, br
X-Amz-Target: AWSCognitoIdentityProviderService.AdminListDevices
User-Agent: <UserAgentString>
Authorization: AWS4-HMAC-SHA256 Credential=<Credential>, SignedHeaders=<Headers>, Signature=<Signature>
Content-Length: <PayloadSizeBytes>

{
  "UserPoolId": "us-west-2_EXAMPLE",
  "Username": "testuser" ,
  "Limit": 2
}
```

#### Sample Response


```
HTTP/1.1 200 OK
Date: Tue, 13 Jun 2023 20:00:59 GMT
Content-Type: application/x-amz-json-1.0
Content-Length: <PayloadSizeBytes>
x-amzn-requestid: a1b2c3d4-e5f6-a1b2-c3d4-EXAMPLE11111
Connection: keep-alive
{
	"Devices": [
		{
			"DeviceAttributes": [
				{
					"Name": "device_status",
					"Value": "valid"
				},
				{
					"Name": "device_name",
					"Value": "Dart-device"
				},
				{
					"Name": "dev:device_arn",
					"Value": "arn:aws:cognito-idp:us-west-2:123456789012:owner/testuser.us-west-2_EXAMPLE/device/us-west-2_a1b2c3d4-5678-90ab-cdef-EXAMPLE22222"
				},
				{
					"Name": "dev:device_owner",
					"Value": "testuser.us-west-2_EXAMPLE"
				},
				{
					"Name": "last_ip_used",
					"Value": "192.0.2.1"
				},
				{
					"Name": "dev:device_remembered_status",
					"Value": "remembered"
				},
				{
					"Name": "dev:device_sdk",
					"Value": "aws-sdk-unknown-unknown"
				}
			],
			"DeviceCreateDate": 1715100742.022,
			"DeviceKey": "us-west-2_a1b2c3d4-5678-90ab-cdef-EXAMPLE22222",
			"DeviceLastAuthenticatedDate": 1715100742.0,
			"DeviceLastModifiedDate": 1715100742.022
		},
		{
			"DeviceAttributes": [
				{
					"Name": "device_status",
					"Value": "valid"
				},
				{
					"Name": "device_name",
					"Value": "Mobile-device"
				},
				{
					"Name": "dev:device_arn",
					"Value": "arn:aws:cognito-idp:us-west-2:123456789012:owner/testuser.us-west-2_EXAMPLE/device/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
				},
				{
					"Name": "dev:device_owner",
					"Value": "testuser.us-west-2_EXAMPLE"
				},
				{
					"Name": "last_ip_used",
					"Value": "192.0.2.99"
				},
				{
					"Name": "dev:device_remembered_status",
					"Value": "remembered"
				},
				{
					"Name": "dev:device_sdk",
					"Value": "aws-sdk-unknown-unknown"
				}
			],
			"DeviceCreateDate": 1715100742.022,
			"DeviceKey": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
			"DeviceLastAuthenticatedDate": 1715100742.0,
			"DeviceLastModifiedDate": 1715100742.022
		}
	]
}
```

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cognito-idp-2016-04-18/AdminListDevices) 
+  [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cognito-idp-2016-04-18/AdminListDevices) 
+  [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/AdminListDevices) 
+  [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cognito-idp-2016-04-18/AdminListDevices) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/AdminListDevices) 
+  [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cognito-idp-2016-04-18/AdminListDevices) 
+  [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cognito-idp-2016-04-18/AdminListDevices) 
+  [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cognito-idp-2016-04-18/AdminListDevices) 
+  [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/AdminListDevices) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cognito-idp-2016-04-18/AdminListDevices) 

# AdminListGroupsForUser


Lists the groups that a user belongs to. User pool groups are identifiers that you can reference from the contents of ID and access tokens, and set preferred IAM roles for identity-pool authentication. For more information, see [Adding groups to a user pool](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-user-groups.html).

**Note**  
Amazon Cognito evaluates AWS Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.  
 [Signing AWS API Requests](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html) 
 [Using the Amazon Cognito user pools API and user pool endpoints](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html) 

## Request Syntax


```
{
   "Limit": number,
   "NextToken": "string",
   "Username": "string",
   "UserPoolId": "string"
}
```

## Request Parameters


For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).

The request accepts the following data in JSON format.

 ** [Limit](#API_AdminListGroupsForUser_RequestSyntax) **   <a name="CognitoUserPools-AdminListGroupsForUser-request-Limit"></a>
The maximum number of groups that you want Amazon Cognito to return in the response.  
Type: Integer  
Valid Range: Minimum value of 0. Maximum value of 60.  
Required: No

 ** [NextToken](#API_AdminListGroupsForUser_RequestSyntax) **   <a name="CognitoUserPools-AdminListGroupsForUser-request-NextToken"></a>
This API operation returns a limited number of results. The pagination token is an identifier that you can present in an additional API request with the same parameters. When you include the pagination token, Amazon Cognito returns the next set of items after the current list. Subsequent requests return a new pagination token. By use of this token, you can paginate through the full list of items.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 131072.  
Pattern: `[\S]+`   
Required: No

 ** [Username](#API_AdminListGroupsForUser_RequestSyntax) **   <a name="CognitoUserPools-AdminListGroupsForUser-request-Username"></a>
The name of the user that you want to query or modify. The value of this parameter is typically your user's username, but it can be any of their alias attributes. If `username` isn't an alias attribute in your user pool, this value must be the `sub` of a local user or the username of a user from a third-party IdP.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 128.  
Pattern: `[\p{L}\p{M}\p{S}\p{N}\p{P}]+`   
Required: Yes

 ** [UserPoolId](#API_AdminListGroupsForUser_RequestSyntax) **   <a name="CognitoUserPools-AdminListGroupsForUser-request-UserPoolId"></a>
The ID of the user pool where you want to view a user's groups.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 55.  
Pattern: `[\w-]+_[0-9a-zA-Z]+`   
Required: Yes

## Response Syntax


```
{
   "Groups": [ 
      { 
         "CreationDate": number,
         "Description": "string",
         "GroupName": "string",
         "LastModifiedDate": number,
         "Precedence": number,
         "RoleArn": "string",
         "UserPoolId": "string"
      }
   ],
   "NextToken": "string"
}
```

## Response Elements


If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

 ** [Groups](#API_AdminListGroupsForUser_ResponseSyntax) **   <a name="CognitoUserPools-AdminListGroupsForUser-response-Groups"></a>
An array of groups and information about them.  
Type: Array of [GroupType](API_GroupType.md) objects

 ** [NextToken](#API_AdminListGroupsForUser_ResponseSyntax) **   <a name="CognitoUserPools-AdminListGroupsForUser-response-NextToken"></a>
The identifier that Amazon Cognito returned with the previous request to this operation. When you include a pagination token in your request, Amazon Cognito returns the next set of items in the list. By use of this token, you can paginate through the full list of items.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 131072.  
Pattern: `[\S]+` 

## Errors


For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).

 ** InternalErrorException **   
This exception is thrown when Amazon Cognito encounters an internal error.    
 ** message **   
The message returned when Amazon Cognito throws an internal error exception.
HTTP Status Code: 500

 ** InvalidParameterException **   
This exception is thrown when the Amazon Cognito service encounters an invalid parameter.    
 ** message **   
The message returned when the Amazon Cognito service throws an invalid parameter exception.  
 ** reasonCode **   
The reason code of the exception.
HTTP Status Code: 400

 ** NotAuthorizedException **   
This exception is thrown when a user isn't authorized.    
 ** message **   
The message returned when the Amazon Cognito service returns a not authorized exception.
HTTP Status Code: 400

 ** ResourceNotFoundException **   
This exception is thrown when the Amazon Cognito service can't find the requested resource.    
 ** message **   
The message returned when the Amazon Cognito service returns a resource not found exception.
HTTP Status Code: 400

 ** TooManyRequestsException **   
This exception is thrown when the user has made too many requests for a given operation.    
 ** message **   
The message returned when the Amazon Cognito service returns a too many requests exception.
HTTP Status Code: 400

 ** UserNotFoundException **   
This exception is thrown when a user isn't found.    
 ** message **   
The message returned when a user isn't found.
HTTP Status Code: 400

## Examples


### Example


The following example request returns the first two groups for the user "testuser." Note that one group has no description and another has no IAM role or precedence assigned. This operation only returns group properties that are configured.

#### Sample Request


```
POST HTTP/1.1
Host: cognito-idp.us-west-2.amazonaws.com
X-Amz-Date: 20230613T200059Z
Accept-Encoding: gzip, deflate, br
X-Amz-Target: AWSCognitoIdentityProviderService.AdminListGroupsForUser
User-Agent: <UserAgentString>
Authorization: AWS4-HMAC-SHA256 Credential=<Credential>, SignedHeaders=<Headers>, Signature=<Signature>
Content-Length: <PayloadSizeBytes>
{
  "UserPoolId": "us-west-2_EXAMPLE",
  "Username": "testuser",
  "Limit": 2
}
```

#### Sample Response


```
HTTP/1.1 200 OK
Date: Tue, 13 Jun 2023 20:00:59 GMT
Content-Type: application/x-amz-json-1.0
Content-Length: <PayloadSizeBytes>
x-amzn-requestid: a1b2c3d4-e5f6-a1b2-c3d4-EXAMPLE11111
Connection: keep-alive
{
	"Groups": [
		{
			"CreationDate": 1712262633.88,
			"Description": "My first example group",
			"GroupName": "MyExampleGroup1",
			"LastModifiedDate": 1712262633.88,
			"UserPoolId": "us-west-2_EXAMPLE"
		},
		{
			"CreationDate": 1611685503.954,
			"GroupName": "MyExampleGroup2",
			"LastModifiedDate": 1697211218.305,
			"Precedence": 7,
			"RoleArn": "arn:aws:iam::123456789012:role/example-cognito-role",
			"UserPoolId": "us-west-2_EXAMPLE"
		}
	]
}
```

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cognito-idp-2016-04-18/AdminListGroupsForUser) 
+  [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cognito-idp-2016-04-18/AdminListGroupsForUser) 
+  [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/AdminListGroupsForUser) 
+  [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cognito-idp-2016-04-18/AdminListGroupsForUser) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/AdminListGroupsForUser) 
+  [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cognito-idp-2016-04-18/AdminListGroupsForUser) 
+  [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cognito-idp-2016-04-18/AdminListGroupsForUser) 
+  [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cognito-idp-2016-04-18/AdminListGroupsForUser) 
+  [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/AdminListGroupsForUser) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cognito-idp-2016-04-18/AdminListGroupsForUser) 

# AdminListUserAuthEvents


Requests a history of user activity and any risks detected as part of Amazon Cognito threat protection. For more information, see [Viewing user event history](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-adaptive-authentication.html#user-pool-settings-adaptive-authentication-event-user-history).

**Note**  
Amazon Cognito evaluates AWS Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.  
 [Signing AWS API Requests](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html) 
 [Using the Amazon Cognito user pools API and user pool endpoints](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html) 

## Request Syntax


```
{
   "MaxResults": number,
   "NextToken": "string",
   "Username": "string",
   "UserPoolId": "string"
}
```

## Request Parameters


For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).

The request accepts the following data in JSON format.

 ** [MaxResults](#API_AdminListUserAuthEvents_RequestSyntax) **   <a name="CognitoUserPools-AdminListUserAuthEvents-request-MaxResults"></a>
The maximum number of authentication events to return. Returns 60 events if you set `MaxResults` to 0, or if you don't include a `MaxResults` parameter.  
Type: Integer  
Valid Range: Minimum value of 0. Maximum value of 60.  
Required: No

 ** [NextToken](#API_AdminListUserAuthEvents_RequestSyntax) **   <a name="CognitoUserPools-AdminListUserAuthEvents-request-NextToken"></a>
This API operation returns a limited number of results. The pagination token is an identifier that you can present in an additional API request with the same parameters. When you include the pagination token, Amazon Cognito returns the next set of items after the current list. Subsequent requests return a new pagination token. By use of this token, you can paginate through the full list of items.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 131072.  
Pattern: `[\S]+`   
Required: No

 ** [Username](#API_AdminListUserAuthEvents_RequestSyntax) **   <a name="CognitoUserPools-AdminListUserAuthEvents-request-Username"></a>
The name of the user that you want to query or modify. The value of this parameter is typically your user's username, but it can be any of their alias attributes. If `username` isn't an alias attribute in your user pool, this value must be the `sub` of a local user or the username of a user from a third-party IdP.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 128.  
Pattern: `[\p{L}\p{M}\p{S}\p{N}\p{P}]+`   
Required: Yes

 ** [UserPoolId](#API_AdminListUserAuthEvents_RequestSyntax) **   <a name="CognitoUserPools-AdminListUserAuthEvents-request-UserPoolId"></a>
The Id of the user pool that contains the user profile with the logged events.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 55.  
Pattern: `[\w-]+_[0-9a-zA-Z]+`   
Required: Yes

## Response Syntax


```
{
   "AuthEvents": [ 
      { 
         "ChallengeResponses": [ 
            { 
               "ChallengeName": "string",
               "ChallengeResponse": "string"
            }
         ],
         "CreationDate": number,
         "EventContextData": { 
            "City": "string",
            "Country": "string",
            "DeviceName": "string",
            "IpAddress": "string",
            "Timezone": "string"
         },
         "EventFeedback": { 
            "FeedbackDate": number,
            "FeedbackValue": "string",
            "Provider": "string"
         },
         "EventId": "string",
         "EventResponse": "string",
         "EventRisk": { 
            "CompromisedCredentialsDetected": boolean,
            "RiskDecision": "string",
            "RiskLevel": "string"
         },
         "EventType": "string"
      }
   ],
   "NextToken": "string"
}
```

## Response Elements


If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

 ** [AuthEvents](#API_AdminListUserAuthEvents_ResponseSyntax) **   <a name="CognitoUserPools-AdminListUserAuthEvents-response-AuthEvents"></a>
The response object. It includes the `EventID`, `EventType`, `CreationDate`, `EventRisk`, and `EventResponse`.  
Type: Array of [AuthEventType](API_AuthEventType.md) objects

 ** [NextToken](#API_AdminListUserAuthEvents_ResponseSyntax) **   <a name="CognitoUserPools-AdminListUserAuthEvents-response-NextToken"></a>
The identifier that Amazon Cognito returned with the previous request to this operation. When you include a pagination token in your request, Amazon Cognito returns the next set of items in the list. By use of this token, you can paginate through the full list of items.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 131072.  
Pattern: `[\S]+` 

## Errors


For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).

 ** InternalErrorException **   
This exception is thrown when Amazon Cognito encounters an internal error.    
 ** message **   
The message returned when Amazon Cognito throws an internal error exception.
HTTP Status Code: 500

 ** InvalidParameterException **   
This exception is thrown when the Amazon Cognito service encounters an invalid parameter.    
 ** message **   
The message returned when the Amazon Cognito service throws an invalid parameter exception.  
 ** reasonCode **   
The reason code of the exception.
HTTP Status Code: 400

 ** NotAuthorizedException **   
This exception is thrown when a user isn't authorized.    
 ** message **   
The message returned when the Amazon Cognito service returns a not authorized exception.
HTTP Status Code: 400

 ** ResourceNotFoundException **   
This exception is thrown when the Amazon Cognito service can't find the requested resource.    
 ** message **   
The message returned when the Amazon Cognito service returns a resource not found exception.
HTTP Status Code: 400

 ** TooManyRequestsException **   
This exception is thrown when the user has made too many requests for a given operation.    
 ** message **   
The message returned when the Amazon Cognito service returns a too many requests exception.
HTTP Status Code: 400

 ** UserNotFoundException **   
This exception is thrown when a user isn't found.    
 ** message **   
The message returned when a user isn't found.
HTTP Status Code: 400

 ** UserPoolAddOnNotEnabledException **   
This exception is thrown when user pool add-ons aren't enabled.  
HTTP Status Code: 400

## Examples


### Example


The following example returns the two most recent advanced security features events for the user "testuser."

#### Sample Request


```
POST HTTP/1.1
Host: cognito-idp.us-west-2.amazonaws.com
X-Amz-Date: 20230613T200059Z
Accept-Encoding: gzip, deflate, br
X-Amz-Target: AWSCognitoIdentityProviderService.AdminListUserAuthEvents
User-Agent: <UserAgentString>
Authorization: AWS4-HMAC-SHA256 Credential=<Credential>, SignedHeaders=<Headers>, Signature=<Signature>
Content-Length: <PayloadSizeBytes>
{
  "UserPoolId": "us-west-2_EXAMPLE",
  "Username": "testuser",
  "MaxResults": 2
}
```

#### Sample Response


```
HTTP/1.1 200 OK
Date: Tue, 13 Jun 2023 20:00:59 GMT
Content-Type: application/x-amz-json-1.0
Content-Length: <PayloadSizeBytes>
x-amzn-requestid: a1b2c3d4-e5f6-a1b2-c3d4-EXAMPLE11111
Connection: keep-alive
{
    "AuthEvents": [
        {
            "ChallengeResponses": [
                {
                    "ChallengeName": "Password",
                    "ChallengeResponse": "Success"
                }
            ],
            "CreationDate": 1.7232229982E9,
            "EventContextData": {
                "City": "null",
                "Country": "United States",
                "IpAddress": "192.0.2.1"
            },
            "EventId": "7875548a-bd00-490a-93b8-fa36fe42a3e0",
            "EventResponse": "Pass",
            "EventRisk": {
                "CompromisedCredentialsDetected": false,
                "RiskDecision": "AccountTakeover",
                "RiskLevel": "Medium"
            },
            "EventType": "SignIn"
        },
        {
            "ChallengeResponses": [
                {
                    "ChallengeName": "Password",
                    "ChallengeResponse": "Success"
                }
            ],
            "CreationDate": 1.723136049929E9,
            "EventContextData": {
                "City": "Loughborough",
                "Country": "United Kingdom",
                "DeviceName": "Other, Other",
                "IpAddress": "192.0.2.99"
            },
            "EventId": "768d375c-ee6c-435e-a005-25c4981565c3",
            "EventResponse": "Pass",
            "EventRisk": {
                "CompromisedCredentialsDetected": false,
                "RiskDecision": "AccountTakeover",
                "RiskLevel": "Low"
            },
            "EventType": "SignIn"
        }
    ],
    "NextToken": "768d375c-ee6c-435e-a005-25c4981565c3#2024-08-08T16:54:09.929Z"
}
```

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cognito-idp-2016-04-18/AdminListUserAuthEvents) 
+  [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cognito-idp-2016-04-18/AdminListUserAuthEvents) 
+  [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/AdminListUserAuthEvents) 
+  [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cognito-idp-2016-04-18/AdminListUserAuthEvents) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/AdminListUserAuthEvents) 
+  [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cognito-idp-2016-04-18/AdminListUserAuthEvents) 
+  [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cognito-idp-2016-04-18/AdminListUserAuthEvents) 
+  [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cognito-idp-2016-04-18/AdminListUserAuthEvents) 
+  [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/AdminListUserAuthEvents) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cognito-idp-2016-04-18/AdminListUserAuthEvents) 

# AdminRemoveUserFromGroup


Given a username and a group name, removes them from the group. User pool groups are identifiers that you can reference from the contents of ID and access tokens, and set preferred IAM roles for identity-pool authentication. For more information, see [Adding groups to a user pool](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-user-groups.html).

**Note**  
Amazon Cognito evaluates AWS Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.  
 [Signing AWS API Requests](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html) 
 [Using the Amazon Cognito user pools API and user pool endpoints](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html) 

## Request Syntax


```
{
   "GroupName": "string",
   "Username": "string",
   "UserPoolId": "string"
}
```

## Request Parameters


For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).

The request accepts the following data in JSON format.

 ** [GroupName](#API_AdminRemoveUserFromGroup_RequestSyntax) **   <a name="CognitoUserPools-AdminRemoveUserFromGroup-request-GroupName"></a>
The name of the group that you want to remove the user from, for example `MyTestGroup`.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 128.  
Pattern: `[\p{L}\p{M}\p{S}\p{N}\p{P}]+`   
Required: Yes

 ** [Username](#API_AdminRemoveUserFromGroup_RequestSyntax) **   <a name="CognitoUserPools-AdminRemoveUserFromGroup-request-Username"></a>
The name of the user that you want to query or modify. The value of this parameter is typically your user's username, but it can be any of their alias attributes. If `username` isn't an alias attribute in your user pool, this value must be the `sub` of a local user or the username of a user from a third-party IdP.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 128.  
Pattern: `[\p{L}\p{M}\p{S}\p{N}\p{P}]+`   
Required: Yes

 ** [UserPoolId](#API_AdminRemoveUserFromGroup_RequestSyntax) **   <a name="CognitoUserPools-AdminRemoveUserFromGroup-request-UserPoolId"></a>
The ID of the user pool that contains the group and the user that you want to remove.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 55.  
Pattern: `[\w-]+_[0-9a-zA-Z]+`   
Required: Yes

## Response Elements


If the action is successful, the service sends back an HTTP 200 response with an empty HTTP body.

## Errors


For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).

 ** InternalErrorException **   
This exception is thrown when Amazon Cognito encounters an internal error.    
 ** message **   
The message returned when Amazon Cognito throws an internal error exception.
HTTP Status Code: 500

 ** InvalidParameterException **   
This exception is thrown when the Amazon Cognito service encounters an invalid parameter.    
 ** message **   
The message returned when the Amazon Cognito service throws an invalid parameter exception.  
 ** reasonCode **   
The reason code of the exception.
HTTP Status Code: 400

 ** NotAuthorizedException **   
This exception is thrown when a user isn't authorized.    
 ** message **   
The message returned when the Amazon Cognito service returns a not authorized exception.
HTTP Status Code: 400

 ** ResourceNotFoundException **   
This exception is thrown when the Amazon Cognito service can't find the requested resource.    
 ** message **   
The message returned when the Amazon Cognito service returns a resource not found exception.
HTTP Status Code: 400

 ** TooManyRequestsException **   
This exception is thrown when the user has made too many requests for a given operation.    
 ** message **   
The message returned when the Amazon Cognito service returns a too many requests exception.
HTTP Status Code: 400

 ** UserNotFoundException **   
This exception is thrown when a user isn't found.    
 ** message **   
The message returned when a user isn't found.
HTTP Status Code: 400

## Examples


### Example


The following example removes the user "testuser" from the group "MyExampleGroup1."

#### Sample Request


```
POST HTTP/1.1
Host: cognito-idp.us-west-2.amazonaws.com
X-Amz-Date: 20230613T200059Z
Accept-Encoding: gzip, deflate, br
X-Amz-Target: AWSCognitoIdentityProviderService.AdminRemoveUserFromGroup
User-Agent: <UserAgentString>
Authorization: AWS4-HMAC-SHA256 Credential=<Credential>, SignedHeaders=<Headers>, Signature=<Signature>
Content-Length: <PayloadSizeBytes>
{
  "GroupName": "MyExampleGroup1",
  "UserPoolId": "us-west-2_EXAMPLE",
  "Username": "testuser"
}
```

#### Sample Response


```
HTTP/1.1 200 OK
Date: Tue, 13 Jun 2023 20:00:59 GMT
Content-Type: application/x-amz-json-1.0
Content-Length: <PayloadSizeBytes>
x-amzn-requestid: a1b2c3d4-e5f6-a1b2-c3d4-EXAMPLE11111
Connection: keep-alive
```

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cognito-idp-2016-04-18/AdminRemoveUserFromGroup) 
+  [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cognito-idp-2016-04-18/AdminRemoveUserFromGroup) 
+  [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/AdminRemoveUserFromGroup) 
+  [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cognito-idp-2016-04-18/AdminRemoveUserFromGroup) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/AdminRemoveUserFromGroup) 
+  [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cognito-idp-2016-04-18/AdminRemoveUserFromGroup) 
+  [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cognito-idp-2016-04-18/AdminRemoveUserFromGroup) 
+  [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cognito-idp-2016-04-18/AdminRemoveUserFromGroup) 
+  [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/AdminRemoveUserFromGroup) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cognito-idp-2016-04-18/AdminRemoveUserFromGroup) 

# AdminResetUserPassword


Begins the password reset process. Sets the requested user’s account into a `RESET_REQUIRED` status, and sends them a password-reset code. Your user pool also sends the user a notification with a reset code and the information that their password has been reset. At sign-in, your application or the managed login session receives a challenge to complete the reset by confirming the code and setting a new password.

This operation is the administrative API equivalent to [ForgotPassword](API_ForgotPassword.md).

This operation deactivates a user's password, requiring them to change it. If a user tries to sign in after the API request, Amazon Cognito responds with a `PasswordResetRequiredException` error. Your app must then complete the forgot-password flow by prompting the user for their code and a new password, then submitting those values in a [ConfirmForgotPassword](API_ConfirmForgotPassword.md) request. In addition, if the user pool has phone verification selected and a verified phone number exists for the user, or if email verification is selected and a verified email exists for the user, calling this API will also result in sending a message to the end user with the code to change their password.

To use this API operation, your user pool must have self-service account recovery configured.

Use [AdminSetUserPassword](API_AdminSetUserPassword.md) if you manage passwords as an administrator.

**Note**  
This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers require you to register an origination phone number before you can send SMS messages to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a phone number with [Amazon Pinpoint](https://console.aws.amazon.com/pinpoint/home/). Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must receive SMS messages might not be able to sign up, activate their accounts, or sign in.  
If you have never used SMS text messages with Amazon Cognito or any other AWS service, Amazon Simple Notification Service might place your account in the SMS sandbox. In * [sandbox mode](https://docs.aws.amazon.com/sns/latest/dg/sns-sms-sandbox.html) *, you can send messages only to verified phone numbers. After you test your app while in the sandbox environment, you can move out of the sandbox and into production. For more information, see [ SMS message settings for Amazon Cognito user pools](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-sms-settings.html) in the *Amazon Cognito Developer Guide*.

**Note**  
Amazon Cognito evaluates AWS Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.  
 [Signing AWS API Requests](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html) 
 [Using the Amazon Cognito user pools API and user pool endpoints](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html) 

## Request Syntax


```
{
   "ClientMetadata": { 
      "string" : "string" 
   },
   "Username": "string",
   "UserPoolId": "string"
}
```

## Request Parameters


For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).

The request accepts the following data in JSON format.

 ** [ClientMetadata](#API_AdminResetUserPassword_RequestSyntax) **   <a name="CognitoUserPools-AdminResetUserPassword-request-ClientMetadata"></a>
A map of custom key-value pairs that you can provide as input for any custom workflows that this action triggers. You create custom workflows by assigning AWS Lambda functions to user pool triggers.  
When Amazon Cognito invokes any of these functions, it passes a JSON payload, which the function receives as input. This payload contains a `clientMetadata` attribute that provides the data that you assigned to the ClientMetadata parameter in your request. In your function code, you can process the `clientMetadata` value to enhance your workflow for your specific needs.  
To review the Lambda trigger types that Amazon Cognito invokes at runtime with API requests, see [ Connecting API actions to Lambda triggers](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-working-with-lambda-triggers.html#lambda-triggers-by-event) in the *Amazon Cognito Developer Guide*.  
When you use the `ClientMetadata` parameter, note that Amazon Cognito won't do the following:  
+ Store the `ClientMetadata` value. This data is available only to AWS Lambda triggers that are assigned to a user pool to support custom workflows. If your user pool configuration doesn't include triggers, the `ClientMetadata` parameter serves no purpose.
+ Validate the `ClientMetadata` value.
+ Encrypt the `ClientMetadata` value. Don't send sensitive information in this parameter.
Type: String to string map  
Key Length Constraints: Minimum length of 0. Maximum length of 131072.  
Value Length Constraints: Minimum length of 0. Maximum length of 131072.  
Required: No

 ** [Username](#API_AdminResetUserPassword_RequestSyntax) **   <a name="CognitoUserPools-AdminResetUserPassword-request-Username"></a>
The name of the user that you want to query or modify. The value of this parameter is typically your user's username, but it can be any of their alias attributes. If `username` isn't an alias attribute in your user pool, this value must be the `sub` of a local user or the username of a user from a third-party IdP.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 128.  
Pattern: `[\p{L}\p{M}\p{S}\p{N}\p{P}]+`   
Required: Yes

 ** [UserPoolId](#API_AdminResetUserPassword_RequestSyntax) **   <a name="CognitoUserPools-AdminResetUserPassword-request-UserPoolId"></a>
The ID of the user pool where you want to reset the user's password.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 55.  
Pattern: `[\w-]+_[0-9a-zA-Z]+`   
Required: Yes

## Response Elements


If the action is successful, the service sends back an HTTP 200 response with an empty HTTP body.

## Errors


For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).

 ** InternalErrorException **   
This exception is thrown when Amazon Cognito encounters an internal error.    
 ** message **   
The message returned when Amazon Cognito throws an internal error exception.
HTTP Status Code: 500

 ** InvalidEmailRoleAccessPolicyException **   
This exception is thrown when Amazon Cognito isn't allowed to use your email identity. HTTP status code: 400.    
 ** message **   
The message returned when you have an unverified email address or the identity policy isn't set on an email address that Amazon Cognito can access.
HTTP Status Code: 400

 ** InvalidLambdaResponseException **   
This exception is thrown when Amazon Cognito encounters an invalid AWS Lambda response.    
 ** message **   
The message returned when Amazon Cognito throws an invalid AWS Lambda response exception.
HTTP Status Code: 400

 ** InvalidParameterException **   
This exception is thrown when the Amazon Cognito service encounters an invalid parameter.    
 ** message **   
The message returned when the Amazon Cognito service throws an invalid parameter exception.  
 ** reasonCode **   
The reason code of the exception.
HTTP Status Code: 400

 ** InvalidSmsRoleAccessPolicyException **   
This exception is returned when the role provided for SMS configuration doesn't have permission to publish using Amazon SNS.    
 ** message **   
The message returned when the invalid SMS role access policy exception is thrown.
HTTP Status Code: 400

 ** InvalidSmsRoleTrustRelationshipException **   
This exception is thrown when the trust relationship is not valid for the role provided for SMS configuration. This can happen if you don't trust `cognito-idp.amazonaws.com` or the external ID provided in the role does not match what is provided in the SMS configuration for the user pool.    
 ** message **   
The message returned when the role trust relationship for the SMS message is not valid.
HTTP Status Code: 400

 ** LimitExceededException **   
This exception is thrown when a user exceeds the limit for a requested AWS resource.    
 ** message **   
The message returned when Amazon Cognito throws a limit exceeded exception.
HTTP Status Code: 400

 ** NotAuthorizedException **   
This exception is thrown when a user isn't authorized.    
 ** message **   
The message returned when the Amazon Cognito service returns a not authorized exception.
HTTP Status Code: 400

 ** ResourceNotFoundException **   
This exception is thrown when the Amazon Cognito service can't find the requested resource.    
 ** message **   
The message returned when the Amazon Cognito service returns a resource not found exception.
HTTP Status Code: 400

 ** TooManyRequestsException **   
This exception is thrown when the user has made too many requests for a given operation.    
 ** message **   
The message returned when the Amazon Cognito service returns a too many requests exception.
HTTP Status Code: 400

 ** UnexpectedLambdaException **   
This exception is thrown when Amazon Cognito encounters an unexpected exception with AWS Lambda.    
 ** message **   
The message returned when Amazon Cognito returns an unexpected Lambda exception.
HTTP Status Code: 400

 ** UserLambdaValidationException **   
This exception is thrown when the Amazon Cognito service encounters a user validation exception with the AWS Lambda service.    
 ** message **   
The message returned when the Amazon Cognito service returns a user validation exception with the Lambda service.
HTTP Status Code: 400

 ** UserNotFoundException **   
This exception is thrown when a user isn't found.    
 ** message **   
The message returned when a user isn't found.
HTTP Status Code: 400

## Examples


### Example


The following example resets the password for the user "testuser" and passes a `ClientMetadata` object to Lambda trigger events that can take a `ForgotPassword` trigger source.

#### Sample Request


```
POST HTTP/1.1
Host: cognito-idp.us-west-2.amazonaws.com
X-Amz-Date: 20230613T200059Z
Accept-Encoding: gzip, deflate, br
X-Amz-Target: AWSCognitoIdentityProviderService.AdminResetUserPassword
User-Agent: <UserAgentString>
Authorization: AWS4-HMAC-SHA256 Credential=<Credential>, SignedHeaders=<Headers>, Signature=<Signature>
Content-Length: <PayloadSizeBytes>
{
  "UserPoolId": "us-west-2_EXAMPLE",
  "Username": "testuser",
  "ClientMetadata": {
        "MyTestKey": "MyTestValue"
    }
}
```

#### Sample Response


```
HTTP/1.1 200 OK
Date: Tue, 13 Jun 2023 20:00:59 GMT
Content-Type: application/x-amz-json-1.0
Content-Length: <PayloadSizeBytes>
x-amzn-requestid: a1b2c3d4-e5f6-a1b2-c3d4-EXAMPLE11111
Connection: keep-alive
{}
```

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cognito-idp-2016-04-18/AdminResetUserPassword) 
+  [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cognito-idp-2016-04-18/AdminResetUserPassword) 
+  [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/AdminResetUserPassword) 
+  [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cognito-idp-2016-04-18/AdminResetUserPassword) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/AdminResetUserPassword) 
+  [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cognito-idp-2016-04-18/AdminResetUserPassword) 
+  [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cognito-idp-2016-04-18/AdminResetUserPassword) 
+  [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cognito-idp-2016-04-18/AdminResetUserPassword) 
+  [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/AdminResetUserPassword) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cognito-idp-2016-04-18/AdminResetUserPassword) 

# AdminRespondToAuthChallenge


Some API operations in a user pool generate a challenge, like a prompt for an MFA code, for device authentication that bypasses MFA, or for a custom authentication challenge. An `AdminRespondToAuthChallenge` API request provides the answer to that challenge, like a code or a secure remote password (SRP). The parameters of a response to an authentication challenge vary with the type of challenge.

For more information about custom authentication challenges, see [Custom authentication challenge Lambda triggers](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-challenge.html).

**Note**  
This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers require you to register an origination phone number before you can send SMS messages to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a phone number with [Amazon Pinpoint](https://console.aws.amazon.com/pinpoint/home/). Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must receive SMS messages might not be able to sign up, activate their accounts, or sign in.  
If you have never used SMS text messages with Amazon Cognito or any other AWS service, Amazon Simple Notification Service might place your account in the SMS sandbox. In * [sandbox mode](https://docs.aws.amazon.com/sns/latest/dg/sns-sms-sandbox.html) *, you can send messages only to verified phone numbers. After you test your app while in the sandbox environment, you can move out of the sandbox and into production. For more information, see [ SMS message settings for Amazon Cognito user pools](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-sms-settings.html) in the *Amazon Cognito Developer Guide*.

**Note**  
Amazon Cognito evaluates AWS Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.  
 [Signing AWS API Requests](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html) 
 [Using the Amazon Cognito user pools API and user pool endpoints](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html) 

## Request Syntax


```
{
   "AnalyticsMetadata": { 
      "AnalyticsEndpointId": "string"
   },
   "ChallengeName": "string",
   "ChallengeResponses": { 
      "string" : "string" 
   },
   "ClientId": "string",
   "ClientMetadata": { 
      "string" : "string" 
   },
   "ContextData": { 
      "EncodedData": "string",
      "HttpHeaders": [ 
         { 
            "headerName": "string",
            "headerValue": "string"
         }
      ],
      "IpAddress": "string",
      "ServerName": "string",
      "ServerPath": "string"
   },
   "Session": "string",
   "UserPoolId": "string"
}
```

## Request Parameters


For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).

The request accepts the following data in JSON format.

 ** [AnalyticsMetadata](#API_AdminRespondToAuthChallenge_RequestSyntax) **   <a name="CognitoUserPools-AdminRespondToAuthChallenge-request-AnalyticsMetadata"></a>
Information that supports analytics outcomes with Amazon Pinpoint, including the user's endpoint ID. The endpoint ID is a destination for Amazon Pinpoint push notifications, for example a device identifier, email address, or phone number.  
Type: [AnalyticsMetadataType](API_AnalyticsMetadataType.md) object  
Required: No

 ** [ChallengeName](#API_AdminRespondToAuthChallenge_RequestSyntax) **   <a name="CognitoUserPools-AdminRespondToAuthChallenge-request-ChallengeName"></a>
The name of the challenge that you are responding to.  
Possible challenges include the following:  
All of the following challenges require `USERNAME` and, when the app client has a client secret, `SECRET_HASH` in the parameters. Include a `DEVICE_KEY` for device authentication.
+  `WEB_AUTHN`: Respond to the challenge with the results of a successful authentication with a WebAuthn authenticator, or passkey, as `CREDENTIAL`. Examples of WebAuthn authenticators include biometric devices and security keys.
+  `PASSWORD`: Respond with the user's password as `PASSWORD`.
+  `PASSWORD_SRP`: Respond with the initial SRP secret as `SRP_A`.
+  `SELECT_CHALLENGE`: Respond with a challenge selection as `ANSWER`. It must be one of the challenge types in the `AvailableChallenges` response parameter. Add the parameters of the selected challenge, for example `USERNAME` and `SMS_OTP`.
+  `SMS_MFA`: Respond with the code that your user pool delivered in an SMS message, as `SMS_MFA_CODE` 
+  `EMAIL_MFA`: Respond with the code that your user pool delivered in an email message, as `EMAIL_MFA_CODE` 
+  `EMAIL_OTP`: Respond with the code that your user pool delivered in an email message, as `EMAIL_OTP_CODE` .
+  `SMS_OTP`: Respond with the code that your user pool delivered in an SMS message, as `SMS_OTP_CODE`.
+  `PASSWORD_VERIFIER`: Respond with the second stage of SRP secrets as `PASSWORD_CLAIM_SIGNATURE`, `PASSWORD_CLAIM_SECRET_BLOCK`, and `TIMESTAMP`.
+  `CUSTOM_CHALLENGE`: This is returned if your custom authentication flow determines that the user should pass another challenge before tokens are issued. The parameters of the challenge are determined by your Lambda function and issued in the `ChallengeParameters` of a challenge response.
+  `DEVICE_SRP_AUTH`: Respond with the initial parameters of device SRP authentication. For more information, see [Signing in with a device](https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-device-tracking.html#user-pools-remembered-devices-signing-in-with-a-device).
+  `DEVICE_PASSWORD_VERIFIER`: Respond with `PASSWORD_CLAIM_SIGNATURE`, `PASSWORD_CLAIM_SECRET_BLOCK`, and `TIMESTAMP` after client-side SRP calculations. For more information, see [Signing in with a device](https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-device-tracking.html#user-pools-remembered-devices-signing-in-with-a-device).
+  `NEW_PASSWORD_REQUIRED`: For users who are required to change their passwords after successful first login. Respond to this challenge with `NEW_PASSWORD` and any required attributes that Amazon Cognito returned in the `requiredAttributes` parameter. You can also set values for attributes that aren't required by your user pool and that your app client can write.

  Amazon Cognito only returns this challenge for users who have temporary passwords. When you create passwordless users, you must provide values for all required attributes.
**Note**  
In a `NEW_PASSWORD_REQUIRED` challenge response, you can't modify a required attribute that already has a value. In `AdminRespondToAuthChallenge` or `RespondToAuthChallenge`, set a value for any keys that Amazon Cognito returned in the `requiredAttributes` parameter, then use the `AdminUpdateUserAttributes` or `UpdateUserAttributes` API operation to modify the value of any additional attributes.
+  `MFA_SETUP`: For users who are required to setup an MFA factor before they can sign in. The MFA types activated for the user pool will be listed in the challenge parameters `MFAS_CAN_SETUP` value. 

  To set up time-based one-time password (TOTP) MFA, use the session returned in this challenge from `InitiateAuth` or `AdminInitiateAuth` as an input to `AssociateSoftwareToken`. Then, use the session returned by `VerifySoftwareToken` as an input to `RespondToAuthChallenge` or `AdminRespondToAuthChallenge` with challenge name `MFA_SETUP` to complete sign-in. 

  To set up SMS or email MFA, collect a `phone_number` or `email` attribute for the user. Then restart the authentication flow with an `InitiateAuth` or `AdminInitiateAuth` request. 
Type: String  
Valid Values: `SMS_MFA | EMAIL_OTP | SOFTWARE_TOKEN_MFA | SELECT_MFA_TYPE | MFA_SETUP | PASSWORD_VERIFIER | CUSTOM_CHALLENGE | SELECT_CHALLENGE | DEVICE_SRP_AUTH | DEVICE_PASSWORD_VERIFIER | ADMIN_NO_SRP_AUTH | NEW_PASSWORD_REQUIRED | SMS_OTP | PASSWORD | WEB_AUTHN | PASSWORD_SRP`   
Required: Yes

 ** [ChallengeResponses](#API_AdminRespondToAuthChallenge_RequestSyntax) **   <a name="CognitoUserPools-AdminRespondToAuthChallenge-request-ChallengeResponses"></a>
The responses to the challenge that you received in the previous request. Each challenge has its own required response parameters. The following examples are partial JSON request bodies that highlight challenge-response parameters.  
You must provide a SECRET\$1HASH parameter in all challenge responses to an app client that has a client secret. Include a `DEVICE_KEY` for device authentication.  
SELECT\$1CHALLENGE  
 `"ChallengeName": "SELECT_CHALLENGE", "ChallengeResponses": { "USERNAME": "[username]", "ANSWER": "[Challenge name]"}`   
Available challenges are `PASSWORD`, `PASSWORD_SRP`, `EMAIL_OTP`, `SMS_OTP`, and `WEB_AUTHN`.  
Complete authentication in the `SELECT_CHALLENGE` response for `PASSWORD`, `PASSWORD_SRP`, and `WEB_AUTHN`:  
+  `"ChallengeName": "SELECT_CHALLENGE", "ChallengeResponses": { "ANSWER": "WEB_AUTHN", "USERNAME": "[username]", "CREDENTIAL": "[AuthenticationResponseJSON]"}` 

  See [ AuthenticationResponseJSON](https://www.w3.org/TR/WebAuthn-3/#dictdef-authenticationresponsejson).
+  `"ChallengeName": "SELECT_CHALLENGE", "ChallengeResponses": { "ANSWER": "PASSWORD", "USERNAME": "[username]", "PASSWORD": "[password]"}` 
+  `"ChallengeName": "SELECT_CHALLENGE", "ChallengeResponses": { "ANSWER": "PASSWORD_SRP", "USERNAME": "[username]", "SRP_A": "[SRP_A]"}` 
For `SMS_OTP` and `EMAIL_OTP`, respond with the username and answer. Your user pool will send a code for the user to submit in the next challenge response.  
+  `"ChallengeName": "SELECT_CHALLENGE", "ChallengeResponses": { "ANSWER": "SMS_OTP", "USERNAME": "[username]"}` 
+  `"ChallengeName": "SELECT_CHALLENGE", "ChallengeResponses": { "ANSWER": "EMAIL_OTP", "USERNAME": "[username]"}`   
WEB\$1AUTHN  
 `"ChallengeName": "WEB_AUTHN", "ChallengeResponses": { "USERNAME": "[username]", "CREDENTIAL": "[AuthenticationResponseJSON]"}`   
See [ AuthenticationResponseJSON](https://www.w3.org/TR/WebAuthn-3/#dictdef-authenticationresponsejson).  
PASSWORD  
 `"ChallengeName": "PASSWORD", "ChallengeResponses": { "USERNAME": "[username]", "PASSWORD": "[password]"}`   
PASSWORD\$1SRP  
 `"ChallengeName": "PASSWORD_SRP", "ChallengeResponses": { "USERNAME": "[username]", "SRP_A": "[SRP_A]"}`   
SMS\$1OTP  
 `"ChallengeName": "SMS_OTP", "ChallengeResponses": {"SMS_OTP_CODE": "[code]", "USERNAME": "[username]"}`   
EMAIL\$1OTP  
 `"ChallengeName": "EMAIL_OTP", "ChallengeResponses": {"EMAIL_OTP_CODE": "[code]", "USERNAME": "[username]"}`   
SMS\$1MFA  
 `"ChallengeName": "SMS_MFA", "ChallengeResponses": {"SMS_MFA_CODE": "[code]", "USERNAME": "[username]"}`   
PASSWORD\$1VERIFIER  
This challenge response is part of the SRP flow. Amazon Cognito requires that your application respond to this challenge within a few seconds. When the response time exceeds this period, your user pool returns a `NotAuthorizedException` error.  
 `"ChallengeName": "PASSWORD_VERIFIER", "ChallengeResponses": {"PASSWORD_CLAIM_SIGNATURE": "[claim_signature]", "PASSWORD_CLAIM_SECRET_BLOCK": "[secret_block]", "TIMESTAMP": [timestamp], "USERNAME": "[username]"}`   
CUSTOM\$1CHALLENGE  
 `"ChallengeName": "CUSTOM_CHALLENGE", "ChallengeResponses": {"USERNAME": "[username]", "ANSWER": "[challenge_answer]"}`   
NEW\$1PASSWORD\$1REQUIRED  
 `"ChallengeName": "NEW_PASSWORD_REQUIRED", "ChallengeResponses": {"NEW_PASSWORD": "[new_password]", "USERNAME": "[username]"}`   
To set any required attributes that `InitiateAuth` returned in an `requiredAttributes` parameter, add `"userAttributes.[attribute_name]": "[attribute_value]"`. This parameter can also set values for writable attributes that aren't required by your user pool.  
In a `NEW_PASSWORD_REQUIRED` challenge response, you can't modify a required attribute that already has a value. In `AdminRespondToAuthChallenge` or `RespondToAuthChallenge`, set a value for any keys that Amazon Cognito returned in the `requiredAttributes` parameter, then use the `AdminUpdateUserAttributes` or `UpdateUserAttributes` API operation to modify the value of any additional attributes.  
SOFTWARE\$1TOKEN\$1MFA  
 `"ChallengeName": "SOFTWARE_TOKEN_MFA", "ChallengeResponses": {"USERNAME": "[username]", "SOFTWARE_TOKEN_MFA_CODE": [authenticator_code]}`   
DEVICE\$1SRP\$1AUTH  
 `"ChallengeName": "DEVICE_SRP_AUTH", "ChallengeResponses": {"USERNAME": "[username]", "DEVICE_KEY": "[device_key]", "SRP_A": "[srp_a]"}`   
DEVICE\$1PASSWORD\$1VERIFIER  
 `"ChallengeName": "DEVICE_PASSWORD_VERIFIER", "ChallengeResponses": {"DEVICE_KEY": "[device_key]", "PASSWORD_CLAIM_SIGNATURE": "[claim_signature]", "PASSWORD_CLAIM_SECRET_BLOCK": "[secret_block]", "TIMESTAMP": [timestamp], "USERNAME": "[username]"}`   
MFA\$1SETUP  
 `"ChallengeName": "MFA_SETUP", "ChallengeResponses": {"USERNAME": "[username]"}, "SESSION": "[Session ID from VerifySoftwareToken]"`   
SELECT\$1MFA\$1TYPE  
 `"ChallengeName": "SELECT_MFA_TYPE", "ChallengeResponses": {"USERNAME": "[username]", "ANSWER": "[SMS_MFA|EMAIL_MFA|SOFTWARE_TOKEN_MFA]"}` 
For more information about `SECRET_HASH`, see [Computing secret hash values](https://docs.aws.amazon.com/cognito/latest/developerguide/signing-up-users-in-your-app.html#cognito-user-pools-computing-secret-hash). For information about `DEVICE_KEY`, see [Working with user devices in your user pool](https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-device-tracking.html).  
Type: String to string map  
Key Length Constraints: Minimum length of 0. Maximum length of 131072.  
Value Length Constraints: Minimum length of 0. Maximum length of 131072.  
Required: No

 ** [ClientId](#API_AdminRespondToAuthChallenge_RequestSyntax) **   <a name="CognitoUserPools-AdminRespondToAuthChallenge-request-ClientId"></a>
The ID of the app client where you initiated sign-in.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 128.  
Pattern: `[\w+]+`   
Required: Yes

 ** [ClientMetadata](#API_AdminRespondToAuthChallenge_RequestSyntax) **   <a name="CognitoUserPools-AdminRespondToAuthChallenge-request-ClientMetadata"></a>
A map of custom key-value pairs that you can provide as input for any custom workflows that this action triggers. You create custom workflows by assigning AWS Lambda functions to user pool triggers.  
When Amazon Cognito invokes any of these functions, it passes a JSON payload, which the function receives as input. This payload contains a `clientMetadata` attribute that provides the data that you assigned to the ClientMetadata parameter in your request. In your function code, you can process the `clientMetadata` value to enhance your workflow for your specific needs.  
To review the Lambda trigger types that Amazon Cognito invokes at runtime with API requests, see [ Connecting API actions to Lambda triggers](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-working-with-lambda-triggers.html#lambda-triggers-by-event) in the *Amazon Cognito Developer Guide*.  
When you use the `ClientMetadata` parameter, note that Amazon Cognito won't do the following:  
+ Store the `ClientMetadata` value. This data is available only to AWS Lambda triggers that are assigned to a user pool to support custom workflows. If your user pool configuration doesn't include triggers, the `ClientMetadata` parameter serves no purpose.
+ Validate the `ClientMetadata` value.
+ Encrypt the `ClientMetadata` value. Don't send sensitive information in this parameter.
Type: String to string map  
Key Length Constraints: Minimum length of 0. Maximum length of 131072.  
Value Length Constraints: Minimum length of 0. Maximum length of 131072.  
Required: No

 ** [ContextData](#API_AdminRespondToAuthChallenge_RequestSyntax) **   <a name="CognitoUserPools-AdminRespondToAuthChallenge-request-ContextData"></a>
Contextual data about your user session like the device fingerprint, IP address, or location. Amazon Cognito threat protection evaluates the risk of an authentication event based on the context that your app generates and passes to Amazon Cognito when it makes API requests.  
For more information, see [Collecting data for threat protection in applications](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-viewing-threat-protection-app.html).  
Type: [ContextDataType](API_ContextDataType.md) object  
Required: No

 ** [Session](#API_AdminRespondToAuthChallenge_RequestSyntax) **   <a name="CognitoUserPools-AdminRespondToAuthChallenge-request-Session"></a>
The session identifier that maintains the state of authentication requests and challenge responses. If an `AdminInitiateAuth` or `AdminRespondToAuthChallenge` API request results in a determination that your application must pass another challenge, Amazon Cognito returns a session with other challenge parameters. Send this session identifier, unmodified, to the next `AdminRespondToAuthChallenge` request.  
Type: String  
Length Constraints: Minimum length of 20. Maximum length of 2048.  
Required: No

 ** [UserPoolId](#API_AdminRespondToAuthChallenge_RequestSyntax) **   <a name="CognitoUserPools-AdminRespondToAuthChallenge-request-UserPoolId"></a>
The ID of the user pool where you want to respond to an authentication challenge.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 55.  
Pattern: `[\w-]+_[0-9a-zA-Z]+`   
Required: Yes

## Response Syntax


```
{
   "AuthenticationResult": { 
      "AccessToken": "string",
      "ExpiresIn": number,
      "IdToken": "string",
      "NewDeviceMetadata": { 
         "DeviceGroupKey": "string",
         "DeviceKey": "string"
      },
      "RefreshToken": "string",
      "TokenType": "string"
   },
   "ChallengeName": "string",
   "ChallengeParameters": { 
      "string" : "string" 
   },
   "Session": "string"
}
```

## Response Elements


If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

 ** [AuthenticationResult](#API_AdminRespondToAuthChallenge_ResponseSyntax) **   <a name="CognitoUserPools-AdminRespondToAuthChallenge-response-AuthenticationResult"></a>
The outcome of a successful authentication process. After your application has passed all challenges, Amazon Cognito returns an `AuthenticationResult` with the JSON web tokens (JWTs) that indicate successful sign-in.  
Type: [AuthenticationResultType](API_AuthenticationResultType.md) object

 ** [ChallengeName](#API_AdminRespondToAuthChallenge_ResponseSyntax) **   <a name="CognitoUserPools-AdminRespondToAuthChallenge-response-ChallengeName"></a>
The name of the next challenge that you must respond to.  
Possible challenges include the following:  
All of the following challenges require `USERNAME` and, when the app client has a client secret, `SECRET_HASH` in the parameters. Include a `DEVICE_KEY` for device authentication.
+  `WEB_AUTHN`: Respond to the challenge with the results of a successful authentication with a WebAuthn authenticator, or passkey, as `CREDENTIAL`. Examples of WebAuthn authenticators include biometric devices and security keys.
+  `PASSWORD`: Respond with the user's password as `PASSWORD`.
+  `PASSWORD_SRP`: Respond with the initial SRP secret as `SRP_A`.
+  `SELECT_CHALLENGE`: Respond with a challenge selection as `ANSWER`. It must be one of the challenge types in the `AvailableChallenges` response parameter. Add the parameters of the selected challenge, for example `USERNAME` and `SMS_OTP`.
+  `SMS_MFA`: Respond with the code that your user pool delivered in an SMS message, as `SMS_MFA_CODE` 
+  `EMAIL_MFA`: Respond with the code that your user pool delivered in an email message, as `EMAIL_MFA_CODE` 
+  `EMAIL_OTP`: Respond with the code that your user pool delivered in an email message, as `EMAIL_OTP_CODE` .
+  `SMS_OTP`: Respond with the code that your user pool delivered in an SMS message, as `SMS_OTP_CODE`.
+  `PASSWORD_VERIFIER`: Respond with the second stage of SRP secrets as `PASSWORD_CLAIM_SIGNATURE`, `PASSWORD_CLAIM_SECRET_BLOCK`, and `TIMESTAMP`.
+  `CUSTOM_CHALLENGE`: This is returned if your custom authentication flow determines that the user should pass another challenge before tokens are issued. The parameters of the challenge are determined by your Lambda function and issued in the `ChallengeParameters` of a challenge response.
+  `DEVICE_SRP_AUTH`: Respond with the initial parameters of device SRP authentication. For more information, see [Signing in with a device](https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-device-tracking.html#user-pools-remembered-devices-signing-in-with-a-device).
+  `DEVICE_PASSWORD_VERIFIER`: Respond with `PASSWORD_CLAIM_SIGNATURE`, `PASSWORD_CLAIM_SECRET_BLOCK`, and `TIMESTAMP` after client-side SRP calculations. For more information, see [Signing in with a device](https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-device-tracking.html#user-pools-remembered-devices-signing-in-with-a-device).
+  `NEW_PASSWORD_REQUIRED`: For users who are required to change their passwords after successful first login. Respond to this challenge with `NEW_PASSWORD` and any required attributes that Amazon Cognito returned in the `requiredAttributes` parameter. You can also set values for attributes that aren't required by your user pool and that your app client can write.

  Amazon Cognito only returns this challenge for users who have temporary passwords. When you create passwordless users, you must provide values for all required attributes.
**Note**  
In a `NEW_PASSWORD_REQUIRED` challenge response, you can't modify a required attribute that already has a value. In `AdminRespondToAuthChallenge` or `RespondToAuthChallenge`, set a value for any keys that Amazon Cognito returned in the `requiredAttributes` parameter, then use the `AdminUpdateUserAttributes` or `UpdateUserAttributes` API operation to modify the value of any additional attributes.
+  `MFA_SETUP`: For users who are required to setup an MFA factor before they can sign in. The MFA types activated for the user pool will be listed in the challenge parameters `MFAS_CAN_SETUP` value. 

  To set up time-based one-time password (TOTP) MFA, use the session returned in this challenge from `InitiateAuth` or `AdminInitiateAuth` as an input to `AssociateSoftwareToken`. Then, use the session returned by `VerifySoftwareToken` as an input to `RespondToAuthChallenge` or `AdminRespondToAuthChallenge` with challenge name `MFA_SETUP` to complete sign-in. 

  To set up SMS or email MFA, collect a `phone_number` or `email` attribute for the user. Then restart the authentication flow with an `InitiateAuth` or `AdminInitiateAuth` request. 
Type: String  
Valid Values: `SMS_MFA | EMAIL_OTP | SOFTWARE_TOKEN_MFA | SELECT_MFA_TYPE | MFA_SETUP | PASSWORD_VERIFIER | CUSTOM_CHALLENGE | SELECT_CHALLENGE | DEVICE_SRP_AUTH | DEVICE_PASSWORD_VERIFIER | ADMIN_NO_SRP_AUTH | NEW_PASSWORD_REQUIRED | SMS_OTP | PASSWORD | WEB_AUTHN | PASSWORD_SRP` 

 ** [ChallengeParameters](#API_AdminRespondToAuthChallenge_ResponseSyntax) **   <a name="CognitoUserPools-AdminRespondToAuthChallenge-response-ChallengeParameters"></a>
The parameters that define your response to the next challenge.  
Take the values in `ChallengeParameters` and provide values for them in the `ChallengeResponses` of the next [AdminRespondToAuthChallenge](#API_AdminRespondToAuthChallenge) request.  
Type: String to string map  
Key Length Constraints: Minimum length of 0. Maximum length of 131072.  
Value Length Constraints: Minimum length of 0. Maximum length of 131072.

 ** [Session](#API_AdminRespondToAuthChallenge_ResponseSyntax) **   <a name="CognitoUserPools-AdminRespondToAuthChallenge-response-Session"></a>
The session identifier that maintains the state of authentication requests and challenge responses. If an `AdminInitiateAuth` or `AdminRespondToAuthChallenge` API request results in a determination that your application must pass another challenge, Amazon Cognito returns a session with other challenge parameters. Send this session identifier, unmodified, to the next `AdminRespondToAuthChallenge` request.  
Type: String  
Length Constraints: Minimum length of 20. Maximum length of 2048.

## Errors


For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).

 ** AliasExistsException **   
This exception is thrown when a user tries to confirm the account with an email address or phone number that has already been supplied as an alias for a different user profile. This exception indicates that an account with this email address or phone already exists in a user pool that you've configured to use email address or phone number as a sign-in alias.    
 ** message **   
The message that Amazon Cognito sends to the user when the value of an alias attribute is already linked to another user profile.
HTTP Status Code: 400

 ** CodeMismatchException **   
This exception is thrown if the provided code doesn't match what the server was expecting.    
 ** message **   
The message provided when the code mismatch exception is thrown.
HTTP Status Code: 400

 ** ExpiredCodeException **   
This exception is thrown if a code has expired.    
 ** message **   
The message returned when the expired code exception is thrown.
HTTP Status Code: 400

 ** InternalErrorException **   
This exception is thrown when Amazon Cognito encounters an internal error.    
 ** message **   
The message returned when Amazon Cognito throws an internal error exception.
HTTP Status Code: 500

 ** InvalidEmailRoleAccessPolicyException **   
This exception is thrown when Amazon Cognito isn't allowed to use your email identity. HTTP status code: 400.    
 ** message **   
The message returned when you have an unverified email address or the identity policy isn't set on an email address that Amazon Cognito can access.
HTTP Status Code: 400

 ** InvalidLambdaResponseException **   
This exception is thrown when Amazon Cognito encounters an invalid AWS Lambda response.    
 ** message **   
The message returned when Amazon Cognito throws an invalid AWS Lambda response exception.
HTTP Status Code: 400

 ** InvalidParameterException **   
This exception is thrown when the Amazon Cognito service encounters an invalid parameter.    
 ** message **   
The message returned when the Amazon Cognito service throws an invalid parameter exception.  
 ** reasonCode **   
The reason code of the exception.
HTTP Status Code: 400

 ** InvalidPasswordException **   
This exception is thrown when Amazon Cognito encounters an invalid password.    
 ** message **   
The message returned when Amazon Cognito throws an invalid user password exception.
HTTP Status Code: 400

 ** InvalidSmsRoleAccessPolicyException **   
This exception is returned when the role provided for SMS configuration doesn't have permission to publish using Amazon SNS.    
 ** message **   
The message returned when the invalid SMS role access policy exception is thrown.
HTTP Status Code: 400

 ** InvalidSmsRoleTrustRelationshipException **   
This exception is thrown when the trust relationship is not valid for the role provided for SMS configuration. This can happen if you don't trust `cognito-idp.amazonaws.com` or the external ID provided in the role does not match what is provided in the SMS configuration for the user pool.    
 ** message **   
The message returned when the role trust relationship for the SMS message is not valid.
HTTP Status Code: 400

 ** InvalidUserPoolConfigurationException **   
This exception is thrown when the user pool configuration is not valid.    
 ** message **   
The message returned when the user pool configuration is not valid.
HTTP Status Code: 400

 ** MFAMethodNotFoundException **   
This exception is thrown when Amazon Cognito can't find a multi-factor authentication (MFA) method.    
 ** message **   
The message returned when Amazon Cognito throws an MFA method not found exception.
HTTP Status Code: 400

 ** NotAuthorizedException **   
This exception is thrown when a user isn't authorized.    
 ** message **   
The message returned when the Amazon Cognito service returns a not authorized exception.
HTTP Status Code: 400

 ** PasswordHistoryPolicyViolationException **   
The message returned when a user's new password matches a previous password and doesn't comply with the password-history policy.  
HTTP Status Code: 400

 ** PasswordResetRequiredException **   
This exception is thrown when a password reset is required.    
 ** message **   
The message returned when a password reset is required.
HTTP Status Code: 400

 ** ResourceNotFoundException **   
This exception is thrown when the Amazon Cognito service can't find the requested resource.    
 ** message **   
The message returned when the Amazon Cognito service returns a resource not found exception.
HTTP Status Code: 400

 ** SoftwareTokenMFANotFoundException **   
This exception is thrown when the software token time-based one-time password (TOTP) multi-factor authentication (MFA) isn't activated for the user pool.  
HTTP Status Code: 400

 ** TooManyRequestsException **   
This exception is thrown when the user has made too many requests for a given operation.    
 ** message **   
The message returned when the Amazon Cognito service returns a too many requests exception.
HTTP Status Code: 400

 ** UnexpectedLambdaException **   
This exception is thrown when Amazon Cognito encounters an unexpected exception with AWS Lambda.    
 ** message **   
The message returned when Amazon Cognito returns an unexpected Lambda exception.
HTTP Status Code: 400

 ** UserLambdaValidationException **   
This exception is thrown when the Amazon Cognito service encounters a user validation exception with the AWS Lambda service.    
 ** message **   
The message returned when the Amazon Cognito service returns a user validation exception with the Lambda service.
HTTP Status Code: 400

 ** UserNotConfirmedException **   
This exception is thrown when a user isn't confirmed successfully.    
 ** message **   
The message returned when a user isn't confirmed successfully.
HTTP Status Code: 400

 ** UserNotFoundException **   
This exception is thrown when a user isn't found.    
 ** message **   
The message returned when a user isn't found.
HTTP Status Code: 400

## Examples


### Example


The following example provides an authenticator-app password in response to a TOTP challenge.

#### Sample Request


```
POST HTTP/1.1
Host: cognito-idp.us-west-2.amazonaws.com
X-Amz-Date: 20230613T200059Z
Accept-Encoding: gzip, deflate, br
X-Amz-Target: AWSCognitoIdentityProviderService.AdminRespondToAuthChallenge
User-Agent: <UserAgentString>
Authorization: AWS4-HMAC-SHA256 Credential=<Credential>, SignedHeaders=<Headers>, Signature=<Signature>
Content-Length: <PayloadSizeBytes>
{
	"ChallengeName": "SOFTWARE_TOKEN_MFA",
	"ClientId": "1example23456789",
	"UserPoolId": "us-west-2_EXAMPLE",
	"ChallengeResponses": {
		"USERNAME": "testuser",
		"SOFTWARE_TOKEN_MFA_CODE": "123456",
		"SECRET_HASH": "cKtx2L2fvV1FeAbk3iUPgCyXY+5B0ItO0ItxhFaLkeA="
	},
	"Session": "EXAMPLE_SESSION_TOKEN_FROM_ADMININITIATEAUTH..."
}
```

#### Sample Response


```
HTTP/1.1 200 OK
Date: Tue, 13 Jun 2023 20:00:59 GMT
Content-Type: application/x-amz-json-1.0
Content-Length: <PayloadSizeBytes>
x-amzn-requestid: a1b2c3d4-e5f6-a1b2-c3d4-EXAMPLE11111
Connection: keep-alive
{
	"AuthenticationResult": {
		"AccessToken": "eyJraACCESSEXAMPLE...",
		"ExpiresIn": 3600,
		"IdToken": "eyJraIDEXAMPLE...",
		"NewDeviceMetadata": {
			"DeviceGroupKey": "-v7w9UcY6",
			"DeviceKey": "us-west-2_a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
		},
		"RefreshToken": "eyJjREFRESHEXAMPLE...",
		"TokenType": "Bearer"
	},
	"ChallengeParameters": {}
}
```

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cognito-idp-2016-04-18/AdminRespondToAuthChallenge) 
+  [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cognito-idp-2016-04-18/AdminRespondToAuthChallenge) 
+  [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/AdminRespondToAuthChallenge) 
+  [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cognito-idp-2016-04-18/AdminRespondToAuthChallenge) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/AdminRespondToAuthChallenge) 
+  [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cognito-idp-2016-04-18/AdminRespondToAuthChallenge) 
+  [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cognito-idp-2016-04-18/AdminRespondToAuthChallenge) 
+  [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cognito-idp-2016-04-18/AdminRespondToAuthChallenge) 
+  [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/AdminRespondToAuthChallenge) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cognito-idp-2016-04-18/AdminRespondToAuthChallenge) 

# AdminSetUserMFAPreference


Sets the user's multi-factor authentication (MFA) preference, including which MFA options are activated, and if any are preferred. Only one factor can be set as preferred. The preferred MFA factor will be used to authenticate a user if multiple factors are activated. If multiple options are activated and no preference is set, a challenge to choose an MFA option will be returned during sign-in.

This operation doesn't reset an existing TOTP MFA for a user. To register a new TOTP factor for a user, make an [AssociateSoftwareToken](API_AssociateSoftwareToken.md) request. For more information, see [TOTP software token MFA](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-mfa-totp.html).

**Note**  
Amazon Cognito evaluates AWS Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.  
 [Signing AWS API Requests](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html) 
 [Using the Amazon Cognito user pools API and user pool endpoints](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html) 

## Request Syntax


```
{
   "EmailMfaSettings": { 
      "Enabled": boolean,
      "PreferredMfa": boolean
   },
   "SMSMfaSettings": { 
      "Enabled": boolean,
      "PreferredMfa": boolean
   },
   "SoftwareTokenMfaSettings": { 
      "Enabled": boolean,
      "PreferredMfa": boolean
   },
   "Username": "string",
   "UserPoolId": "string",
   "WebAuthnMfaSettings": { 
      "Enabled": boolean
   }
}
```

## Request Parameters


For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).

The request accepts the following data in JSON format.

 ** [EmailMfaSettings](#API_AdminSetUserMFAPreference_RequestSyntax) **   <a name="CognitoUserPools-AdminSetUserMFAPreference-request-EmailMfaSettings"></a>
User preferences for email message MFA. Activates or deactivates email MFA and sets it as the preferred MFA method when multiple methods are available. To activate this setting, your user pool must be in the [ Essentials tier](https://docs.aws.amazon.com/cognito/latest/developerguide/feature-plans-features-essentials.html) or higher.  
Type: [EmailMfaSettingsType](API_EmailMfaSettingsType.md) object  
Required: No

 ** [SMSMfaSettings](#API_AdminSetUserMFAPreference_RequestSyntax) **   <a name="CognitoUserPools-AdminSetUserMFAPreference-request-SMSMfaSettings"></a>
User preferences for SMS message MFA. Activates or deactivates SMS MFA and sets it as the preferred MFA method when multiple methods are available.  
Type: [SMSMfaSettingsType](API_SMSMfaSettingsType.md) object  
Required: No

 ** [SoftwareTokenMfaSettings](#API_AdminSetUserMFAPreference_RequestSyntax) **   <a name="CognitoUserPools-AdminSetUserMFAPreference-request-SoftwareTokenMfaSettings"></a>
User preferences for time-based one-time password (TOTP) MFA. Activates or deactivates TOTP MFA and sets it as the preferred MFA method when multiple methods are available.  
Type: [SoftwareTokenMfaSettingsType](API_SoftwareTokenMfaSettingsType.md) object  
Required: No

 ** [Username](#API_AdminSetUserMFAPreference_RequestSyntax) **   <a name="CognitoUserPools-AdminSetUserMFAPreference-request-Username"></a>
The name of the user that you want to query or modify. The value of this parameter is typically your user's username, but it can be any of their alias attributes. If `username` isn't an alias attribute in your user pool, this value must be the `sub` of a local user or the username of a user from a third-party IdP.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 128.  
Pattern: `[\p{L}\p{M}\p{S}\p{N}\p{P}]+`   
Required: Yes

 ** [UserPoolId](#API_AdminSetUserMFAPreference_RequestSyntax) **   <a name="CognitoUserPools-AdminSetUserMFAPreference-request-UserPoolId"></a>
The ID of the user pool where you want to set a user's MFA preferences.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 55.  
Pattern: `[\w-]+_[0-9a-zA-Z]+`   
Required: Yes

 ** [WebAuthnMfaSettings](#API_AdminSetUserMFAPreference_RequestSyntax) **   <a name="CognitoUserPools-AdminSetUserMFAPreference-request-WebAuthnMfaSettings"></a>
User preferences for passkey MFA. Activates or deactivates passkey MFA for the user. When activated, passkey authentication requires user verification, and passkey sign-in is available when MFA is required. To activate this setting, the `FactorConfiguration` of your user pool `WebAuthnConfiguration` must be `MULTI_FACTOR_WITH_USER_VERIFICATION`. To activate this setting, your user pool must be in the [ Essentials tier](https://docs.aws.amazon.com/cognito/latest/developerguide/feature-plans-features-essentials.html) or higher.  
Type: [WebAuthnMfaSettingsType](API_WebAuthnMfaSettingsType.md) object  
Required: No

## Response Elements


If the action is successful, the service sends back an HTTP 200 response with an empty HTTP body.

## Errors


For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).

 ** InternalErrorException **   
This exception is thrown when Amazon Cognito encounters an internal error.    
 ** message **   
The message returned when Amazon Cognito throws an internal error exception.
HTTP Status Code: 500

 ** InvalidParameterException **   
This exception is thrown when the Amazon Cognito service encounters an invalid parameter.    
 ** message **   
The message returned when the Amazon Cognito service throws an invalid parameter exception.  
 ** reasonCode **   
The reason code of the exception.
HTTP Status Code: 400

 ** NotAuthorizedException **   
This exception is thrown when a user isn't authorized.    
 ** message **   
The message returned when the Amazon Cognito service returns a not authorized exception.
HTTP Status Code: 400

 ** PasswordResetRequiredException **   
This exception is thrown when a password reset is required.    
 ** message **   
The message returned when a password reset is required.
HTTP Status Code: 400

 ** ResourceNotFoundException **   
This exception is thrown when the Amazon Cognito service can't find the requested resource.    
 ** message **   
The message returned when the Amazon Cognito service returns a resource not found exception.
HTTP Status Code: 400

 ** UserNotConfirmedException **   
This exception is thrown when a user isn't confirmed successfully.    
 ** message **   
The message returned when a user isn't confirmed successfully.
HTTP Status Code: 400

 ** UserNotFoundException **   
This exception is thrown when a user isn't found.    
 ** message **   
The message returned when a user isn't found.
HTTP Status Code: 400

## Examples


### Example


The following example request sets the user "testuser" to have both SMS and TOTP sign-in available, but to prefer SMS messages.

#### Sample Request


```
POST HTTP/1.1
Host: cognito-idp.us-west-2.amazonaws.com
X-Amz-Date: 20230613T200059Z
Accept-Encoding: gzip, deflate, br
X-Amz-Target: AWSCognitoIdentityProviderService.AdminSetUserMFAPreference
User-Agent: <UserAgentString>
Authorization: AWS4-HMAC-SHA256 Credential=<Credential>, SignedHeaders=<Headers>, Signature=<Signature>
Content-Length: <PayloadSizeBytes>
{
  "UserPoolId": "us-west-2_EXAMPLE",
  "Username": "testuser",
  "SMSMfaSettings": {
    "Enabled": true,
    "PreferredMfa": true
  },
  "SoftwareTokenMfaSettings": {
    "Enabled": true,
    "PreferredMfa": false
  }
}
```

#### Sample Response


```
HTTP/1.1 200 OK
Date: Tue, 13 Jun 2023 20:00:59 GMT
Content-Type: application/x-amz-json-1.0
Content-Length: <PayloadSizeBytes>
x-amzn-requestid: a1b2c3d4-e5f6-a1b2-c3d4-EXAMPLE11111
Connection: keep-alive
{}
```

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cognito-idp-2016-04-18/AdminSetUserMFAPreference) 
+  [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cognito-idp-2016-04-18/AdminSetUserMFAPreference) 
+  [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/AdminSetUserMFAPreference) 
+  [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cognito-idp-2016-04-18/AdminSetUserMFAPreference) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/AdminSetUserMFAPreference) 
+  [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cognito-idp-2016-04-18/AdminSetUserMFAPreference) 
+  [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cognito-idp-2016-04-18/AdminSetUserMFAPreference) 
+  [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cognito-idp-2016-04-18/AdminSetUserMFAPreference) 
+  [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/AdminSetUserMFAPreference) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cognito-idp-2016-04-18/AdminSetUserMFAPreference) 

# AdminSetUserPassword


Sets the specified user's password in a user pool. This operation administratively sets a temporary or permanent password for a user. With this operation, you can bypass self-service password changes and permit immediate sign-in with the password that you set. To do this, set `Permanent` to `true`.

You can also set a new temporary password in this request, send it to a user, and require them to choose a new password on their next sign-in. To do this, set `Permanent` to `false`.

If the password is temporary, the user's `Status` becomes `FORCE_CHANGE_PASSWORD`. When the user next tries to sign in, the `InitiateAuth` or `AdminInitiateAuth` response includes the `NEW_PASSWORD_REQUIRED` challenge. If the user doesn't sign in before the temporary password expires, they can no longer sign in and you must repeat this operation to set a temporary or permanent password for them.

After the user sets a new password, or if you set a permanent password, their status becomes `Confirmed`.

 `AdminSetUserPassword` can set a password for the user profile that Amazon Cognito creates for third-party federated users. When you set a password, the federated user's status changes from `EXTERNAL_PROVIDER` to `CONFIRMED`. A user in this state can sign in as a federated user, and initiate authentication flows in the API like a linked native user. They can also modify their password and attributes in token-authenticated API requests like `ChangePassword` and `UpdateUserAttributes`. As a best security practice and to keep users in sync with your external IdP, don't set passwords on federated user profiles. To set up a federated user for native sign-in with a linked native user, refer to [Linking federated users to an existing user profile](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-identity-federation-consolidate-users.html).

**Note**  
Amazon Cognito evaluates AWS Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.  
 [Signing AWS API Requests](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html) 
 [Using the Amazon Cognito user pools API and user pool endpoints](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html) 

## Request Syntax


```
{
   "Password": "string",
   "Permanent": boolean,
   "Username": "string",
   "UserPoolId": "string"
}
```

## Request Parameters


For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).

The request accepts the following data in JSON format.

 ** [Password](#API_AdminSetUserPassword_RequestSyntax) **   <a name="CognitoUserPools-AdminSetUserPassword-request-Password"></a>
The new temporary or permanent password that you want to set for the user. You can't remove the password for a user who already has a password so that they can only sign in with passwordless methods. In this scenario, you must create a new user without a password.  
Type: String  
Length Constraints: Maximum length of 256.  
Pattern: `[\S]+`   
Required: Yes

 ** [Permanent](#API_AdminSetUserPassword_RequestSyntax) **   <a name="CognitoUserPools-AdminSetUserPassword-request-Permanent"></a>
Set to `true` to set a password that the user can immediately sign in with. Set to `false` to set a temporary password that the user must change on their next sign-in.  
Type: Boolean  
Required: No

 ** [Username](#API_AdminSetUserPassword_RequestSyntax) **   <a name="CognitoUserPools-AdminSetUserPassword-request-Username"></a>
The name of the user that you want to query or modify. The value of this parameter is typically your user's username, but it can be any of their alias attributes. If `username` isn't an alias attribute in your user pool, this value must be the `sub` of a local user or the username of a user from a third-party IdP.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 128.  
Pattern: `[\p{L}\p{M}\p{S}\p{N}\p{P}]+`   
Required: Yes

 ** [UserPoolId](#API_AdminSetUserPassword_RequestSyntax) **   <a name="CognitoUserPools-AdminSetUserPassword-request-UserPoolId"></a>
The ID of the user pool where you want to set the user's password.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 55.  
Pattern: `[\w-]+_[0-9a-zA-Z]+`   
Required: Yes

## Response Elements


If the action is successful, the service sends back an HTTP 200 response with an empty HTTP body.

## Errors


For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).

 ** InternalErrorException **   
This exception is thrown when Amazon Cognito encounters an internal error.    
 ** message **   
The message returned when Amazon Cognito throws an internal error exception.
HTTP Status Code: 500

 ** InvalidParameterException **   
This exception is thrown when the Amazon Cognito service encounters an invalid parameter.    
 ** message **   
The message returned when the Amazon Cognito service throws an invalid parameter exception.  
 ** reasonCode **   
The reason code of the exception.
HTTP Status Code: 400

 ** InvalidPasswordException **   
This exception is thrown when Amazon Cognito encounters an invalid password.    
 ** message **   
The message returned when Amazon Cognito throws an invalid user password exception.
HTTP Status Code: 400

 ** NotAuthorizedException **   
This exception is thrown when a user isn't authorized.    
 ** message **   
The message returned when the Amazon Cognito service returns a not authorized exception.
HTTP Status Code: 400

 ** PasswordHistoryPolicyViolationException **   
The message returned when a user's new password matches a previous password and doesn't comply with the password-history policy.  
HTTP Status Code: 400

 ** ResourceNotFoundException **   
This exception is thrown when the Amazon Cognito service can't find the requested resource.    
 ** message **   
The message returned when the Amazon Cognito service returns a resource not found exception.
HTTP Status Code: 400

 ** TooManyRequestsException **   
This exception is thrown when the user has made too many requests for a given operation.    
 ** message **   
The message returned when the Amazon Cognito service returns a too many requests exception.
HTTP Status Code: 400

 ** UserNotFoundException **   
This exception is thrown when a user isn't found.    
 ** message **   
The message returned when a user isn't found.
HTTP Status Code: 400

## Examples


### Example


The following example request sets the user "testuser" to have the password "MyExamplePassword1=", and to be able to sign in with that password without a reset.

#### Sample Request


```
POST HTTP/1.1
Host: cognito-idp.us-west-2.amazonaws.com
X-Amz-Date: 20230613T200059Z
Accept-Encoding: gzip, deflate, br
X-Amz-Target: AWSCognitoIdentityProviderService.AdminSetUserPassword
User-Agent: <UserAgentString>
Authorization: AWS4-HMAC-SHA256 Credential=<Credential>, SignedHeaders=<Headers>, Signature=<Signature>
Content-Length: <PayloadSizeBytes>
{
  "Password": "MyExamplePassword1=",
  "UserPoolId": "us-west-2_EXAMPLE",
  "Username": "testuser",
  "Permanent": true
}
```

#### Sample Response


```
HTTP/1.1 200 OK
Date: Tue, 13 Jun 2023 20:00:59 GMT
Content-Type: application/x-amz-json-1.0
Content-Length: <PayloadSizeBytes>
x-amzn-requestid: a1b2c3d4-e5f6-a1b2-c3d4-EXAMPLE11111
Connection: keep-alive
{}
```

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cognito-idp-2016-04-18/AdminSetUserPassword) 
+  [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cognito-idp-2016-04-18/AdminSetUserPassword) 
+  [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/AdminSetUserPassword) 
+  [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cognito-idp-2016-04-18/AdminSetUserPassword) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/AdminSetUserPassword) 
+  [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cognito-idp-2016-04-18/AdminSetUserPassword) 
+  [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cognito-idp-2016-04-18/AdminSetUserPassword) 
+  [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cognito-idp-2016-04-18/AdminSetUserPassword) 
+  [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/AdminSetUserPassword) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cognito-idp-2016-04-18/AdminSetUserPassword) 

# AdminSetUserSettings


 *This action is no longer supported.* You can use it to configure only SMS MFA. You can't use it to configure time-based one-time password (TOTP) software token MFA.

To configure all types of MFA, use [AdminSetUserMFAPreference](API_AdminSetUserMFAPreference.md) instead.

**Note**  
Amazon Cognito evaluates AWS Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.  
 [Signing AWS API Requests](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html) 
 [Using the Amazon Cognito user pools API and user pool endpoints](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html) 

## Request Syntax


```
{
   "MFAOptions": [ 
      { 
         "AttributeName": "string",
         "DeliveryMedium": "string"
      }
   ],
   "Username": "string",
   "UserPoolId": "string"
}
```

## Request Parameters


For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).

The request accepts the following data in JSON format.

 ** [MFAOptions](#API_AdminSetUserSettings_RequestSyntax) **   <a name="CognitoUserPools-AdminSetUserSettings-request-MFAOptions"></a>
You can use this parameter only to set an SMS configuration that uses SMS for delivery.  
Type: Array of [MFAOptionType](API_MFAOptionType.md) objects  
Required: Yes

 ** [Username](#API_AdminSetUserSettings_RequestSyntax) **   <a name="CognitoUserPools-AdminSetUserSettings-request-Username"></a>
The name of the user that you want to query or modify. The value of this parameter is typically your user's username, but it can be any of their alias attributes. If `username` isn't an alias attribute in your user pool, this value must be the `sub` of a local user or the username of a user from a third-party IdP.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 128.  
Pattern: `[\p{L}\p{M}\p{S}\p{N}\p{P}]+`   
Required: Yes

 ** [UserPoolId](#API_AdminSetUserSettings_RequestSyntax) **   <a name="CognitoUserPools-AdminSetUserSettings-request-UserPoolId"></a>
The ID of the user pool that contains the user whose options you're setting.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 55.  
Pattern: `[\w-]+_[0-9a-zA-Z]+`   
Required: Yes

## Response Elements


If the action is successful, the service sends back an HTTP 200 response with an empty HTTP body.

## Errors


For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).

 ** InternalErrorException **   
This exception is thrown when Amazon Cognito encounters an internal error.    
 ** message **   
The message returned when Amazon Cognito throws an internal error exception.
HTTP Status Code: 500

 ** InvalidParameterException **   
This exception is thrown when the Amazon Cognito service encounters an invalid parameter.    
 ** message **   
The message returned when the Amazon Cognito service throws an invalid parameter exception.  
 ** reasonCode **   
The reason code of the exception.
HTTP Status Code: 400

 ** NotAuthorizedException **   
This exception is thrown when a user isn't authorized.    
 ** message **   
The message returned when the Amazon Cognito service returns a not authorized exception.
HTTP Status Code: 400

 ** ResourceNotFoundException **   
This exception is thrown when the Amazon Cognito service can't find the requested resource.    
 ** message **   
The message returned when the Amazon Cognito service returns a resource not found exception.
HTTP Status Code: 400

 ** UserNotFoundException **   
This exception is thrown when a user isn't found.    
 ** message **   
The message returned when a user isn't found.
HTTP Status Code: 400

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cognito-idp-2016-04-18/AdminSetUserSettings) 
+  [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cognito-idp-2016-04-18/AdminSetUserSettings) 
+  [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/AdminSetUserSettings) 
+  [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cognito-idp-2016-04-18/AdminSetUserSettings) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/AdminSetUserSettings) 
+  [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cognito-idp-2016-04-18/AdminSetUserSettings) 
+  [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cognito-idp-2016-04-18/AdminSetUserSettings) 
+  [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cognito-idp-2016-04-18/AdminSetUserSettings) 
+  [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/AdminSetUserSettings) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cognito-idp-2016-04-18/AdminSetUserSettings) 

# AdminUpdateAuthEventFeedback


Provides the feedback for an authentication event generated by threat protection features. Your response indicates that you think that the event either was from a valid user or was an unwanted authentication attempt. This feedback improves the risk evaluation decision for the user pool as part of Amazon Cognito threat protection. To activate this setting, your user pool must be on the [ Plus tier](https://docs.aws.amazon.com/cognito/latest/developerguide/feature-plans-features-plus.html).

To train the threat-protection model to recognize trusted and untrusted sign-in characteristics, configure threat protection in audit-only mode and provide a mechanism for users or administrators to submit feedback. Your feedback can tell Amazon Cognito that a risk rating was assigned at a level you don't agree with.

**Note**  
Amazon Cognito evaluates AWS Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.  
 [Signing AWS API Requests](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html) 
 [Using the Amazon Cognito user pools API and user pool endpoints](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html) 

## Request Syntax


```
{
   "EventId": "string",
   "FeedbackValue": "string",
   "Username": "string",
   "UserPoolId": "string"
}
```

## Request Parameters


For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).

The request accepts the following data in JSON format.

 ** [EventId](#API_AdminUpdateAuthEventFeedback_RequestSyntax) **   <a name="CognitoUserPools-AdminUpdateAuthEventFeedback-request-EventId"></a>
The ID of the threat protection authentication event that you want to update.  
To query authentication events for a user, see [AdminListUserAuthEvents](API_AdminListUserAuthEvents.md).  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 50.  
Pattern: `[\w+-]+`   
Required: Yes

 ** [FeedbackValue](#API_AdminUpdateAuthEventFeedback_RequestSyntax) **   <a name="CognitoUserPools-AdminUpdateAuthEventFeedback-request-FeedbackValue"></a>
Your feedback to the authentication event. When you provide a `FeedbackValue` value of `valid`, you tell Amazon Cognito that you trust a user session where Amazon Cognito has evaluated some level of risk. When you provide a `FeedbackValue` value of `invalid`, you tell Amazon Cognito that you don't trust a user session, or you don't believe that Amazon Cognito evaluated a high-enough risk level.  
Type: String  
Valid Values: `Valid | Invalid`   
Required: Yes

 ** [Username](#API_AdminUpdateAuthEventFeedback_RequestSyntax) **   <a name="CognitoUserPools-AdminUpdateAuthEventFeedback-request-Username"></a>
The name of the user that you want to query or modify. The value of this parameter is typically your user's username, but it can be any of their alias attributes. If `username` isn't an alias attribute in your user pool, this value must be the `sub` of a local user or the username of a user from a third-party IdP.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 128.  
Pattern: `[\p{L}\p{M}\p{S}\p{N}\p{P}]+`   
Required: Yes

 ** [UserPoolId](#API_AdminUpdateAuthEventFeedback_RequestSyntax) **   <a name="CognitoUserPools-AdminUpdateAuthEventFeedback-request-UserPoolId"></a>
The ID of the user pool where you want to submit authentication-event feedback.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 55.  
Pattern: `[\w-]+_[0-9a-zA-Z]+`   
Required: Yes

## Response Elements


If the action is successful, the service sends back an HTTP 200 response with an empty HTTP body.

## Errors


For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).

 ** InternalErrorException **   
This exception is thrown when Amazon Cognito encounters an internal error.    
 ** message **   
The message returned when Amazon Cognito throws an internal error exception.
HTTP Status Code: 500

 ** InvalidParameterException **   
This exception is thrown when the Amazon Cognito service encounters an invalid parameter.    
 ** message **   
The message returned when the Amazon Cognito service throws an invalid parameter exception.  
 ** reasonCode **   
The reason code of the exception.
HTTP Status Code: 400

 ** NotAuthorizedException **   
This exception is thrown when a user isn't authorized.    
 ** message **   
The message returned when the Amazon Cognito service returns a not authorized exception.
HTTP Status Code: 400

 ** ResourceNotFoundException **   
This exception is thrown when the Amazon Cognito service can't find the requested resource.    
 ** message **   
The message returned when the Amazon Cognito service returns a resource not found exception.
HTTP Status Code: 400

 ** TooManyRequestsException **   
This exception is thrown when the user has made too many requests for a given operation.    
 ** message **   
The message returned when the Amazon Cognito service returns a too many requests exception.
HTTP Status Code: 400

 ** UserNotFoundException **   
This exception is thrown when a user isn't found.    
 ** message **   
The message returned when a user isn't found.
HTTP Status Code: 400

 ** UserPoolAddOnNotEnabledException **   
This exception is thrown when user pool add-ons aren't enabled.  
HTTP Status Code: 400

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cognito-idp-2016-04-18/AdminUpdateAuthEventFeedback) 
+  [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cognito-idp-2016-04-18/AdminUpdateAuthEventFeedback) 
+  [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/AdminUpdateAuthEventFeedback) 
+  [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cognito-idp-2016-04-18/AdminUpdateAuthEventFeedback) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/AdminUpdateAuthEventFeedback) 
+  [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cognito-idp-2016-04-18/AdminUpdateAuthEventFeedback) 
+  [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cognito-idp-2016-04-18/AdminUpdateAuthEventFeedback) 
+  [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cognito-idp-2016-04-18/AdminUpdateAuthEventFeedback) 
+  [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/AdminUpdateAuthEventFeedback) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cognito-idp-2016-04-18/AdminUpdateAuthEventFeedback) 

# AdminUpdateDeviceStatus


Updates the status of a user's device so that it is marked as remembered or not remembered for the purpose of device authentication. Device authentication is a "remember me" mechanism that silently completes sign-in from trusted devices with a device key instead of a user-provided MFA code. This operation changes the status of a device without deleting it, so you can enable it again later. For more information about device authentication, see [Working with devices](https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-device-tracking.html).

**Note**  
Amazon Cognito evaluates AWS Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.  
 [Signing AWS API Requests](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html) 
 [Using the Amazon Cognito user pools API and user pool endpoints](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html) 

## Request Syntax


```
{
   "DeviceKey": "string",
   "DeviceRememberedStatus": "string",
   "Username": "string",
   "UserPoolId": "string"
}
```

## Request Parameters


For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).

The request accepts the following data in JSON format.

 ** [DeviceKey](#API_AdminUpdateDeviceStatus_RequestSyntax) **   <a name="CognitoUserPools-AdminUpdateDeviceStatus-request-DeviceKey"></a>
The unique identifier, or device key, of the device that you want to update the status for.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 55.  
Pattern: `[\w-]+_[0-9a-f-]+`   
Required: Yes

 ** [DeviceRememberedStatus](#API_AdminUpdateDeviceStatus_RequestSyntax) **   <a name="CognitoUserPools-AdminUpdateDeviceStatus-request-DeviceRememberedStatus"></a>
To enable device authentication with the specified device, set to `remembered`.To disable, set to `not_remembered`.  
Type: String  
Valid Values: `remembered | not_remembered`   
Required: No

 ** [Username](#API_AdminUpdateDeviceStatus_RequestSyntax) **   <a name="CognitoUserPools-AdminUpdateDeviceStatus-request-Username"></a>
The name of the user that you want to query or modify. The value of this parameter is typically your user's username, but it can be any of their alias attributes. If `username` isn't an alias attribute in your user pool, this value must be the `sub` of a local user or the username of a user from a third-party IdP.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 128.  
Pattern: `[\p{L}\p{M}\p{S}\p{N}\p{P}]+`   
Required: Yes

 ** [UserPoolId](#API_AdminUpdateDeviceStatus_RequestSyntax) **   <a name="CognitoUserPools-AdminUpdateDeviceStatus-request-UserPoolId"></a>
The ID of the user pool where you want to change a user's device status.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 55.  
Pattern: `[\w-]+_[0-9a-zA-Z]+`   
Required: Yes

## Response Elements


If the action is successful, the service sends back an HTTP 200 response with an empty HTTP body.

## Errors


For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).

 ** InternalErrorException **   
This exception is thrown when Amazon Cognito encounters an internal error.    
 ** message **   
The message returned when Amazon Cognito throws an internal error exception.
HTTP Status Code: 500

 ** InvalidParameterException **   
This exception is thrown when the Amazon Cognito service encounters an invalid parameter.    
 ** message **   
The message returned when the Amazon Cognito service throws an invalid parameter exception.  
 ** reasonCode **   
The reason code of the exception.
HTTP Status Code: 400

 ** InvalidUserPoolConfigurationException **   
This exception is thrown when the user pool configuration is not valid.    
 ** message **   
The message returned when the user pool configuration is not valid.
HTTP Status Code: 400

 ** NotAuthorizedException **   
This exception is thrown when a user isn't authorized.    
 ** message **   
The message returned when the Amazon Cognito service returns a not authorized exception.
HTTP Status Code: 400

 ** ResourceNotFoundException **   
This exception is thrown when the Amazon Cognito service can't find the requested resource.    
 ** message **   
The message returned when the Amazon Cognito service returns a resource not found exception.
HTTP Status Code: 400

 ** TooManyRequestsException **   
This exception is thrown when the user has made too many requests for a given operation.    
 ** message **   
The message returned when the Amazon Cognito service returns a too many requests exception.
HTTP Status Code: 400

 ** UserNotFoundException **   
This exception is thrown when a user isn't found.    
 ** message **   
The message returned when a user isn't found.
HTTP Status Code: 400

## Examples


### Example


The following example request sets the device with key "us-west-2\$1a1b2c3d4-5678-90ab-cdef-EXAMPLE11111" to be remembered for device authentication in future sign-in attempts.

#### Sample Request


```
POST HTTP/1.1
Host: cognito-idp.us-west-2.amazonaws.com
X-Amz-Date: 20230613T200059Z
Accept-Encoding: gzip, deflate, br
X-Amz-Target: AWSCognitoIdentityProviderService.AdminUpdateDeviceStatus
User-Agent: <UserAgentString>
Authorization: AWS4-HMAC-SHA256 Credential=<Credential>, SignedHeaders=<Headers>, Signature=<Signature>
Content-Length: <PayloadSizeBytes>
{
  "DeviceKey": "us-west-2_a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
  "UserPoolId": "us-west-2_EXAMPLE",
  "Username": "testuser",
  "DeviceRememberedStatus": "remembered"
}
```

#### Sample Response


```
HTTP/1.1 200 OK
Date: Tue, 13 Jun 2023 20:00:59 GMT
Content-Type: application/x-amz-json-1.0
Content-Length: <PayloadSizeBytes>
x-amzn-requestid: a1b2c3d4-e5f6-a1b2-c3d4-EXAMPLE11111
Connection: keep-alive
{}
```

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cognito-idp-2016-04-18/AdminUpdateDeviceStatus) 
+  [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cognito-idp-2016-04-18/AdminUpdateDeviceStatus) 
+  [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/AdminUpdateDeviceStatus) 
+  [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cognito-idp-2016-04-18/AdminUpdateDeviceStatus) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/AdminUpdateDeviceStatus) 
+  [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cognito-idp-2016-04-18/AdminUpdateDeviceStatus) 
+  [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cognito-idp-2016-04-18/AdminUpdateDeviceStatus) 
+  [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cognito-idp-2016-04-18/AdminUpdateDeviceStatus) 
+  [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/AdminUpdateDeviceStatus) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cognito-idp-2016-04-18/AdminUpdateDeviceStatus) 

# AdminUpdateUserAttributes


Updates the specified user's attributes. To delete an attribute from your user, submit the attribute in your API request with a blank value.

For custom attributes, you must add a `custom:` prefix to the attribute name, for example `custom:department`.

This operation can set a user's email address or phone number as verified and permit immediate sign-in in user pools that require verification of these attributes. To do this, set the `email_verified` or `phone_number_verified` attribute to `true`.

**Note**  
Amazon Cognito evaluates AWS Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.  
 [Signing AWS API Requests](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html) 
 [Using the Amazon Cognito user pools API and user pool endpoints](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html) 

**Note**  
This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers require you to register an origination phone number before you can send SMS messages to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a phone number with [Amazon Pinpoint](https://console.aws.amazon.com/pinpoint/home/). Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must receive SMS messages might not be able to sign up, activate their accounts, or sign in.  
If you have never used SMS text messages with Amazon Cognito or any other AWS service, Amazon Simple Notification Service might place your account in the SMS sandbox. In * [sandbox mode](https://docs.aws.amazon.com/sns/latest/dg/sns-sms-sandbox.html) *, you can send messages only to verified phone numbers. After you test your app while in the sandbox environment, you can move out of the sandbox and into production. For more information, see [ SMS message settings for Amazon Cognito user pools](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-sms-settings.html) in the *Amazon Cognito Developer Guide*.

## Request Syntax


```
{
   "ClientMetadata": { 
      "string" : "string" 
   },
   "UserAttributes": [ 
      { 
         "Name": "string",
         "Value": "string"
      }
   ],
   "Username": "string",
   "UserPoolId": "string"
}
```

## Request Parameters


For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).

The request accepts the following data in JSON format.

 ** [ClientMetadata](#API_AdminUpdateUserAttributes_RequestSyntax) **   <a name="CognitoUserPools-AdminUpdateUserAttributes-request-ClientMetadata"></a>
A map of custom key-value pairs that you can provide as input for any custom workflows that this action triggers. You create custom workflows by assigning AWS Lambda functions to user pool triggers.  
When Amazon Cognito invokes any of these functions, it passes a JSON payload, which the function receives as input. This payload contains a `clientMetadata` attribute that provides the data that you assigned to the ClientMetadata parameter in your request. In your function code, you can process the `clientMetadata` value to enhance your workflow for your specific needs.  
To review the Lambda trigger types that Amazon Cognito invokes at runtime with API requests, see [ Connecting API actions to Lambda triggers](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-working-with-lambda-triggers.html#lambda-triggers-by-event) in the *Amazon Cognito Developer Guide*.  
When you use the `ClientMetadata` parameter, note that Amazon Cognito won't do the following:  
+ Store the `ClientMetadata` value. This data is available only to AWS Lambda triggers that are assigned to a user pool to support custom workflows. If your user pool configuration doesn't include triggers, the `ClientMetadata` parameter serves no purpose.
+ Validate the `ClientMetadata` value.
+ Encrypt the `ClientMetadata` value. Don't send sensitive information in this parameter.
Type: String to string map  
Key Length Constraints: Minimum length of 0. Maximum length of 131072.  
Value Length Constraints: Minimum length of 0. Maximum length of 131072.  
Required: No

 ** [UserAttributes](#API_AdminUpdateUserAttributes_RequestSyntax) **   <a name="CognitoUserPools-AdminUpdateUserAttributes-request-UserAttributes"></a>
An array of name-value pairs representing user attributes.  
For custom attributes, you must prepend the `custom:` prefix to the attribute name.  
If your user pool requires verification before Amazon Cognito updates an attribute value that you specify in this request, Amazon Cognito doesn’t immediately update the value of that attribute. After your user receives and responds to a verification message to verify the new value, Amazon Cognito updates the attribute value. Your user can sign in and receive messages with the original attribute value until they verify the new value.  
To skip the verification message and update the value of an attribute that requires verification in the same API request, include the `email_verified` or `phone_number_verified` attribute, with a value of `true`. If you set the `email_verified` or `phone_number_verified` value for an `email` or `phone_number` attribute that requires verification to `true`, Amazon Cognito doesn’t send a verification message to your user.  
Type: Array of [AttributeType](API_AttributeType.md) objects  
Required: Yes

 ** [Username](#API_AdminUpdateUserAttributes_RequestSyntax) **   <a name="CognitoUserPools-AdminUpdateUserAttributes-request-Username"></a>
The name of the user that you want to query or modify. The value of this parameter is typically your user's username, but it can be any of their alias attributes. If `username` isn't an alias attribute in your user pool, this value must be the `sub` of a local user or the username of a user from a third-party IdP.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 128.  
Pattern: `[\p{L}\p{M}\p{S}\p{N}\p{P}]+`   
Required: Yes

 ** [UserPoolId](#API_AdminUpdateUserAttributes_RequestSyntax) **   <a name="CognitoUserPools-AdminUpdateUserAttributes-request-UserPoolId"></a>
The ID of the user pool where you want to update user attributes.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 55.  
Pattern: `[\w-]+_[0-9a-zA-Z]+`   
Required: Yes

## Response Elements


If the action is successful, the service sends back an HTTP 200 response with an empty HTTP body.

## Errors


For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).

 ** AliasExistsException **   
This exception is thrown when a user tries to confirm the account with an email address or phone number that has already been supplied as an alias for a different user profile. This exception indicates that an account with this email address or phone already exists in a user pool that you've configured to use email address or phone number as a sign-in alias.    
 ** message **   
The message that Amazon Cognito sends to the user when the value of an alias attribute is already linked to another user profile.
HTTP Status Code: 400

 ** InternalErrorException **   
This exception is thrown when Amazon Cognito encounters an internal error.    
 ** message **   
The message returned when Amazon Cognito throws an internal error exception.
HTTP Status Code: 500

 ** InvalidEmailRoleAccessPolicyException **   
This exception is thrown when Amazon Cognito isn't allowed to use your email identity. HTTP status code: 400.    
 ** message **   
The message returned when you have an unverified email address or the identity policy isn't set on an email address that Amazon Cognito can access.
HTTP Status Code: 400

 ** InvalidLambdaResponseException **   
This exception is thrown when Amazon Cognito encounters an invalid AWS Lambda response.    
 ** message **   
The message returned when Amazon Cognito throws an invalid AWS Lambda response exception.
HTTP Status Code: 400

 ** InvalidParameterException **   
This exception is thrown when the Amazon Cognito service encounters an invalid parameter.    
 ** message **   
The message returned when the Amazon Cognito service throws an invalid parameter exception.  
 ** reasonCode **   
The reason code of the exception.
HTTP Status Code: 400

 ** InvalidSmsRoleAccessPolicyException **   
This exception is returned when the role provided for SMS configuration doesn't have permission to publish using Amazon SNS.    
 ** message **   
The message returned when the invalid SMS role access policy exception is thrown.
HTTP Status Code: 400

 ** InvalidSmsRoleTrustRelationshipException **   
This exception is thrown when the trust relationship is not valid for the role provided for SMS configuration. This can happen if you don't trust `cognito-idp.amazonaws.com` or the external ID provided in the role does not match what is provided in the SMS configuration for the user pool.    
 ** message **   
The message returned when the role trust relationship for the SMS message is not valid.
HTTP Status Code: 400

 ** NotAuthorizedException **   
This exception is thrown when a user isn't authorized.    
 ** message **   
The message returned when the Amazon Cognito service returns a not authorized exception.
HTTP Status Code: 400

 ** ResourceNotFoundException **   
This exception is thrown when the Amazon Cognito service can't find the requested resource.    
 ** message **   
The message returned when the Amazon Cognito service returns a resource not found exception.
HTTP Status Code: 400

 ** TooManyRequestsException **   
This exception is thrown when the user has made too many requests for a given operation.    
 ** message **   
The message returned when the Amazon Cognito service returns a too many requests exception.
HTTP Status Code: 400

 ** UnexpectedLambdaException **   
This exception is thrown when Amazon Cognito encounters an unexpected exception with AWS Lambda.    
 ** message **   
The message returned when Amazon Cognito returns an unexpected Lambda exception.
HTTP Status Code: 400

 ** UserLambdaValidationException **   
This exception is thrown when the Amazon Cognito service encounters a user validation exception with the AWS Lambda service.    
 ** message **   
The message returned when the Amazon Cognito service returns a user validation exception with the Lambda service.
HTTP Status Code: 400

 ** UserNotFoundException **   
This exception is thrown when a user isn't found.    
 ** message **   
The message returned when a user isn't found.
HTTP Status Code: 400

## Examples


### Example


The following example request sets the values of two attributes for "testuser." The request also includes client metadata that the user pool passes on in a ` CustomMessage_UpdateUserAttribute` Lambda trigger event.

#### Sample Request


```
POST HTTP/1.1
Host: cognito-idp.us-west-2.amazonaws.com
X-Amz-Date: 20230613T200059Z
Accept-Encoding: gzip, deflate, br
X-Amz-Target: AWSCognitoIdentityProviderService.AdminUpdateUserAttributes
User-Agent: <UserAgentString>
Authorization: AWS4-HMAC-SHA256 Credential=<Credential>, SignedHeaders=<Headers>, Signature=<Signature>
Content-Length: <PayloadSizeBytes>

{
  "UserAttributes": [
      {
          "Name": "custom:deliverables",
          "Value": "project-111222"
      },
      {
          "Name": "name",
          "Value": "John"
      }
  ],
  "UserPoolId": "us-west-2_EXAMPLE",
  "Username": "testuser",
  "ClientMetadata": {
        "MyTestKey": "MyTestValue"
  }
}
```

#### Sample Response


```
HTTP/1.1 200 OK
Date: Tue, 13 Jun 2023 20:00:59 GMT
Content-Type: application/x-amz-json-1.0
Content-Length: <PayloadSizeBytes>
x-amzn-requestid: a1b2c3d4-e5f6-a1b2-c3d4-EXAMPLE11111
Connection: keep-alive

{}
```

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cognito-idp-2016-04-18/AdminUpdateUserAttributes) 
+  [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cognito-idp-2016-04-18/AdminUpdateUserAttributes) 
+  [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/AdminUpdateUserAttributes) 
+  [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cognito-idp-2016-04-18/AdminUpdateUserAttributes) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/AdminUpdateUserAttributes) 
+  [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cognito-idp-2016-04-18/AdminUpdateUserAttributes) 
+  [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cognito-idp-2016-04-18/AdminUpdateUserAttributes) 
+  [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cognito-idp-2016-04-18/AdminUpdateUserAttributes) 
+  [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/AdminUpdateUserAttributes) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cognito-idp-2016-04-18/AdminUpdateUserAttributes) 

# AdminUserGlobalSignOut


Invalidates the identity, access, and refresh tokens that Amazon Cognito issued to a user. Call this operation with your administrative credentials when your user signs out of your app. This results in the following behavior.
+ Amazon Cognito no longer accepts *token-authorized* user operations that you authorize with a signed-out user's access tokens. For more information, see [Using the Amazon Cognito user pools API and user pool endpoints](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html).

  Amazon Cognito returns an `Access Token has been revoked` error when your app attempts to authorize a user pools API request with a revoked access token that contains the scope `aws.cognito.signin.user.admin`.
+ Amazon Cognito no longer accepts a signed-out user's ID token in a [GetId ](https://docs.aws.amazon.com/cognitoidentity/latest/APIReference/API_GetId.html) request to an identity pool with `ServerSideTokenCheck` enabled for its user pool IdP configuration in [CognitoIdentityProvider](https://docs.aws.amazon.com/cognitoidentity/latest/APIReference/API_CognitoIdentityProvider.html).
+ Amazon Cognito no longer accepts a signed-out user's refresh tokens in refresh requests.

Other requests might be valid until your user's token expires. This operation doesn't clear the [managed login](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-managed-login.html) session cookie. To clear the session for a user who signed in with managed login or the classic hosted UI, direct their browser session to the [logout endpoint](https://docs.aws.amazon.com/cognito/latest/developerguide/logout-endpoint.html).

**Note**  
Amazon Cognito evaluates AWS Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.  
 [Signing AWS API Requests](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html) 
 [Using the Amazon Cognito user pools API and user pool endpoints](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html) 

## Request Syntax


```
{
   "Username": "string",
   "UserPoolId": "string"
}
```

## Request Parameters


For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).

The request accepts the following data in JSON format.

 ** [Username](#API_AdminUserGlobalSignOut_RequestSyntax) **   <a name="CognitoUserPools-AdminUserGlobalSignOut-request-Username"></a>
The name of the user that you want to query or modify. The value of this parameter is typically your user's username, but it can be any of their alias attributes. If `username` isn't an alias attribute in your user pool, this value must be the `sub` of a local user or the username of a user from a third-party IdP.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 128.  
Pattern: `[\p{L}\p{M}\p{S}\p{N}\p{P}]+`   
Required: Yes

 ** [UserPoolId](#API_AdminUserGlobalSignOut_RequestSyntax) **   <a name="CognitoUserPools-AdminUserGlobalSignOut-request-UserPoolId"></a>
The ID of the user pool where you want to sign out a user.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 55.  
Pattern: `[\w-]+_[0-9a-zA-Z]+`   
Required: Yes

## Response Elements


If the action is successful, the service sends back an HTTP 200 response with an empty HTTP body.

## Errors


For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).

 ** InternalErrorException **   
This exception is thrown when Amazon Cognito encounters an internal error.    
 ** message **   
The message returned when Amazon Cognito throws an internal error exception.
HTTP Status Code: 500

 ** InvalidParameterException **   
This exception is thrown when the Amazon Cognito service encounters an invalid parameter.    
 ** message **   
The message returned when the Amazon Cognito service throws an invalid parameter exception.  
 ** reasonCode **   
The reason code of the exception.
HTTP Status Code: 400

 ** NotAuthorizedException **   
This exception is thrown when a user isn't authorized.    
 ** message **   
The message returned when the Amazon Cognito service returns a not authorized exception.
HTTP Status Code: 400

 ** ResourceNotFoundException **   
This exception is thrown when the Amazon Cognito service can't find the requested resource.    
 ** message **   
The message returned when the Amazon Cognito service returns a resource not found exception.
HTTP Status Code: 400

 ** TooManyRequestsException **   
This exception is thrown when the user has made too many requests for a given operation.    
 ** message **   
The message returned when the Amazon Cognito service returns a too many requests exception.
HTTP Status Code: 400

 ** UserNotFoundException **   
This exception is thrown when a user isn't found.    
 ** message **   
The message returned when a user isn't found.
HTTP Status Code: 400

## Examples


### Example


The following example request signs out the user "testuser."

#### Sample Request


```
POST HTTP/1.1
Host: cognito-idp.us-west-2.amazonaws.com
X-Amz-Date: 20230613T200059Z
Accept-Encoding: gzip, deflate, br
X-Amz-Target: AWSCognitoIdentityProviderService.AdminUserGlobalSignOut
User-Agent: <UserAgentString>
Authorization: AWS4-HMAC-SHA256 Credential=<Credential>, SignedHeaders=<Headers>, Signature=<Signature>
Content-Length: <PayloadSizeBytes>
{
  "UserPoolId": "us-west-2_EXAMPLE",
  "Username": "testuser",
}
```

#### Sample Response


```
HTTP/1.1 200 OK
Date: Tue, 13 Jun 2023 20:00:59 GMT
Content-Type: application/x-amz-json-1.0
Content-Length: <PayloadSizeBytes>
x-amzn-requestid: a1b2c3d4-e5f6-a1b2-c3d4-EXAMPLE11111
Connection: keep-alive
{}
```

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cognito-idp-2016-04-18/AdminUserGlobalSignOut) 
+  [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cognito-idp-2016-04-18/AdminUserGlobalSignOut) 
+  [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/AdminUserGlobalSignOut) 
+  [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cognito-idp-2016-04-18/AdminUserGlobalSignOut) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/AdminUserGlobalSignOut) 
+  [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cognito-idp-2016-04-18/AdminUserGlobalSignOut) 
+  [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cognito-idp-2016-04-18/AdminUserGlobalSignOut) 
+  [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cognito-idp-2016-04-18/AdminUserGlobalSignOut) 
+  [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/AdminUserGlobalSignOut) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cognito-idp-2016-04-18/AdminUserGlobalSignOut) 

# AssociateSoftwareToken


Begins setup of time-based one-time password (TOTP) multi-factor authentication (MFA) for a user, with a unique private key that Amazon Cognito generates and returns in the API response. You can authorize an `AssociateSoftwareToken` request with either the user's access token, or a session string from a challenge response that you received from Amazon Cognito.

**Note**  
Amazon Cognito disassociates an existing software token when you verify the new token in a [VerifySoftwareToken](API_VerifySoftwareToken.md) API request. If you don't verify the software token and your user pool doesn't require MFA, the user can then authenticate with user name and password credentials alone. If your user pool requires TOTP MFA, Amazon Cognito generates an `MFA_SETUP` or `SOFTWARE_TOKEN_SETUP` challenge each time your user signs in. Complete setup with `AssociateSoftwareToken` and `VerifySoftwareToken`.  
After you set up software token MFA for your user, Amazon Cognito generates a `SOFTWARE_TOKEN_MFA` challenge when they authenticate. Respond to this challenge with your user's TOTP.

**Note**  
Amazon Cognito doesn't evaluate AWS Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you can't use IAM credentials to authorize requests, and you can't grant IAM permissions in policies. For more information about authorization models in Amazon Cognito, see [Using the Amazon Cognito user pools API and user pool endpoints](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html).

Authorize this action with a signed-in user's access token. It must include the scope `aws.cognito.signin.user.admin`.

## Request Syntax


```
{
   "AccessToken": "string",
   "Session": "string"
}
```

## Request Parameters


For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).

The request accepts the following data in JSON format.

 ** [AccessToken](#API_AssociateSoftwareToken_RequestSyntax) **   <a name="CognitoUserPools-AssociateSoftwareToken-request-AccessToken"></a>
A valid access token that Amazon Cognito issued to the currently signed-in user. Must include a scope claim for `aws.cognito.signin.user.admin`.  
You can provide either an access token or a session ID in the request.  
Type: String  
Pattern: `[A-Za-z0-9-_=.]+`   
Required: No

 ** [Session](#API_AssociateSoftwareToken_RequestSyntax) **   <a name="CognitoUserPools-AssociateSoftwareToken-request-Session"></a>
The session identifier that maintains the state of authentication requests and challenge responses. In `AssociateSoftwareToken`, this is the session ID from a successful sign-in. You can provide either an access token or a session ID in the request.  
Type: String  
Length Constraints: Minimum length of 20. Maximum length of 2048.  
Required: No

## Response Syntax


```
{
   "SecretCode": "string",
   "Session": "string"
}
```

## Response Elements


If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

 ** [SecretCode](#API_AssociateSoftwareToken_ResponseSyntax) **   <a name="CognitoUserPools-AssociateSoftwareToken-response-SecretCode"></a>
A unique generated shared secret code that is used by the TOTP algorithm to generate a one-time code.  
Type: String  
Length Constraints: Minimum length of 16.  
Pattern: `[A-Za-z0-9]+` 

 ** [Session](#API_AssociateSoftwareToken_ResponseSyntax) **   <a name="CognitoUserPools-AssociateSoftwareToken-response-Session"></a>
The session identifier that maintains the state of authentication requests and challenge responses.  
This session ID is valid for the next request in this flow, [VerifySoftwareToken](API_VerifySoftwareToken.md).  
Type: String  
Length Constraints: Minimum length of 20. Maximum length of 2048.

## Errors


For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).

 ** ConcurrentModificationException **   
This exception is thrown if two or more modifications are happening concurrently.    
 ** message **   
The message provided when the concurrent exception is thrown.
HTTP Status Code: 400

 ** ForbiddenException **   
This exception is thrown when AWS WAF doesn't allow your request based on a web ACL that's associated with your user pool.    
 ** message **   
The message returned when AWS WAF doesn't allow your request based on a web ACL that's associated with your user pool.
HTTP Status Code: 400

 ** InternalErrorException **   
This exception is thrown when Amazon Cognito encounters an internal error.    
 ** message **   
The message returned when Amazon Cognito throws an internal error exception.
HTTP Status Code: 500

 ** InvalidParameterException **   
This exception is thrown when the Amazon Cognito service encounters an invalid parameter.    
 ** message **   
The message returned when the Amazon Cognito service throws an invalid parameter exception.  
 ** reasonCode **   
The reason code of the exception.
HTTP Status Code: 400

 ** NotAuthorizedException **   
This exception is thrown when a user isn't authorized.    
 ** message **   
The message returned when the Amazon Cognito service returns a not authorized exception.
HTTP Status Code: 400

 ** ResourceNotFoundException **   
This exception is thrown when the Amazon Cognito service can't find the requested resource.    
 ** message **   
The message returned when the Amazon Cognito service returns a resource not found exception.
HTTP Status Code: 400

 ** SoftwareTokenMFANotFoundException **   
This exception is thrown when the software token time-based one-time password (TOTP) multi-factor authentication (MFA) isn't activated for the user pool.  
HTTP Status Code: 400

## Examples


### Example


The following example request generates a TOTP private key for the user who the access key was issued to.

#### Sample Request


```
POST HTTP/1.1
Host: cognito-idp.us-west-2.amazonaws.com
X-Amz-Date: 20230613T200059Z
Accept-Encoding: gzip, deflate, br
X-Amz-Target: AWSCognitoIdentityProviderService.AssociateSoftwareToken
User-Agent: <UserAgentString>
Authorization: AWS4-HMAC-SHA256 Credential=<Credential>, SignedHeaders=<Headers>, Signature=<Signature>
Content-Length: <PayloadSizeBytes>
{
  "AccessToken": "eyJraACCESSEXAMPLE..."
}
```

#### Sample Response


```
HTTP/1.1 200 OK
Date: Tue, 13 Jun 2023 20:00:59 GMT
Content-Type: application/x-amz-json-1.0
Content-Length: <PayloadSizeBytes>
x-amzn-requestid: a1b2c3d4-e5f6-a1b2-c3d4-EXAMPLE11111
Connection: keep-alive
{
	"SecretCode": "PRIVATECODEEXAMPLE..."
}
```

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cognito-idp-2016-04-18/AssociateSoftwareToken) 
+  [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cognito-idp-2016-04-18/AssociateSoftwareToken) 
+  [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/AssociateSoftwareToken) 
+  [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cognito-idp-2016-04-18/AssociateSoftwareToken) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/AssociateSoftwareToken) 
+  [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cognito-idp-2016-04-18/AssociateSoftwareToken) 
+  [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cognito-idp-2016-04-18/AssociateSoftwareToken) 
+  [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cognito-idp-2016-04-18/AssociateSoftwareToken) 
+  [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/AssociateSoftwareToken) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cognito-idp-2016-04-18/AssociateSoftwareToken) 

# ChangePassword


Changes the password for the currently signed-in user.

Authorize this action with a signed-in user's access token. It must include the scope `aws.cognito.signin.user.admin`.

**Note**  
Amazon Cognito doesn't evaluate AWS Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you can't use IAM credentials to authorize requests, and you can't grant IAM permissions in policies. For more information about authorization models in Amazon Cognito, see [Using the Amazon Cognito user pools API and user pool endpoints](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html).

## Request Syntax


```
{
   "AccessToken": "string",
   "PreviousPassword": "string",
   "ProposedPassword": "string"
}
```

## Request Parameters


For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).

The request accepts the following data in JSON format.

 ** [AccessToken](#API_ChangePassword_RequestSyntax) **   <a name="CognitoUserPools-ChangePassword-request-AccessToken"></a>
A valid access token that Amazon Cognito issued to the user whose password you want to change.  
Type: String  
Pattern: `[A-Za-z0-9-_=.]+`   
Required: Yes

 ** [PreviousPassword](#API_ChangePassword_RequestSyntax) **   <a name="CognitoUserPools-ChangePassword-request-PreviousPassword"></a>
The user's previous password. Required if the user has a password. If the user has no password and only signs in with passwordless authentication options, you can omit this parameter.  
Type: String  
Length Constraints: Maximum length of 256.  
Pattern: `[\S]+`   
Required: No

 ** [ProposedPassword](#API_ChangePassword_RequestSyntax) **   <a name="CognitoUserPools-ChangePassword-request-ProposedPassword"></a>
A new password that you prompted the user to enter in your application.  
Type: String  
Length Constraints: Maximum length of 256.  
Pattern: `[\S]+`   
Required: Yes

## Response Elements


If the action is successful, the service sends back an HTTP 200 response with an empty HTTP body.

## Errors


For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).

 ** ForbiddenException **   
This exception is thrown when AWS WAF doesn't allow your request based on a web ACL that's associated with your user pool.    
 ** message **   
The message returned when AWS WAF doesn't allow your request based on a web ACL that's associated with your user pool.
HTTP Status Code: 400

 ** InternalErrorException **   
This exception is thrown when Amazon Cognito encounters an internal error.    
 ** message **   
The message returned when Amazon Cognito throws an internal error exception.
HTTP Status Code: 500

 ** InvalidParameterException **   
This exception is thrown when the Amazon Cognito service encounters an invalid parameter.    
 ** message **   
The message returned when the Amazon Cognito service throws an invalid parameter exception.  
 ** reasonCode **   
The reason code of the exception.
HTTP Status Code: 400

 ** InvalidPasswordException **   
This exception is thrown when Amazon Cognito encounters an invalid password.    
 ** message **   
The message returned when Amazon Cognito throws an invalid user password exception.
HTTP Status Code: 400

 ** LimitExceededException **   
This exception is thrown when a user exceeds the limit for a requested AWS resource.    
 ** message **   
The message returned when Amazon Cognito throws a limit exceeded exception.
HTTP Status Code: 400

 ** NotAuthorizedException **   
This exception is thrown when a user isn't authorized.    
 ** message **   
The message returned when the Amazon Cognito service returns a not authorized exception.
HTTP Status Code: 400

 ** PasswordHistoryPolicyViolationException **   
The message returned when a user's new password matches a previous password and doesn't comply with the password-history policy.  
HTTP Status Code: 400

 ** PasswordResetRequiredException **   
This exception is thrown when a password reset is required.    
 ** message **   
The message returned when a password reset is required.
HTTP Status Code: 400

 ** ResourceNotFoundException **   
This exception is thrown when the Amazon Cognito service can't find the requested resource.    
 ** message **   
The message returned when the Amazon Cognito service returns a resource not found exception.
HTTP Status Code: 400

 ** TooManyRequestsException **   
This exception is thrown when the user has made too many requests for a given operation.    
 ** message **   
The message returned when the Amazon Cognito service returns a too many requests exception.
HTTP Status Code: 400

 ** UserNotConfirmedException **   
This exception is thrown when a user isn't confirmed successfully.    
 ** message **   
The message returned when a user isn't confirmed successfully.
HTTP Status Code: 400

 ** UserNotFoundException **   
This exception is thrown when a user isn't found.    
 ** message **   
The message returned when a user isn't found.
HTTP Status Code: 400

## Examples


### Example


The following example changes the password of the user with the access key "eyJra456defEXAMPLE" and current password "MyCurrentPassword1\$1".

#### Sample Request


```
POST HTTP/1.1
Host: cognito-idp.us-west-2.amazonaws.com
X-Amz-Date: 20230613T200059Z
Accept-Encoding: gzip, deflate, br
X-Amz-Target: AWSCognitoIdentityProviderService.ChangePassword
User-Agent: <UserAgentString>
Authorization: AWS4-HMAC-SHA256 Credential=<Credential>, SignedHeaders=<Headers>, Signature=<Signature>
Content-Length: <PayloadSizeBytes>
{
   "AccessToken": "eyJra456defEXAMPLE",
   "PreviousPassword": "MyCurrentPassword1!",
   "ProposedPassword": "MyNewPassword2!"
}
```

#### Sample Response


```
HTTP/1.1 200 OK
Date: Tue, 13 Jun 2023 20:00:59 GMT
Content-Type: application/x-amz-json-1.0
Content-Length: <PayloadSizeBytes>
x-amzn-requestid: a1b2c3d4-e5f6-a1b2-c3d4-EXAMPLE11111
Connection: keep-alive
{}
```

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cognito-idp-2016-04-18/ChangePassword) 
+  [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cognito-idp-2016-04-18/ChangePassword) 
+  [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/ChangePassword) 
+  [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cognito-idp-2016-04-18/ChangePassword) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/ChangePassword) 
+  [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cognito-idp-2016-04-18/ChangePassword) 
+  [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cognito-idp-2016-04-18/ChangePassword) 
+  [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cognito-idp-2016-04-18/ChangePassword) 
+  [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/ChangePassword) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cognito-idp-2016-04-18/ChangePassword) 

# CompleteWebAuthnRegistration


Completes registration of a passkey authenticator for the currently signed-in user.

Your application provides data from a successful registration request with the data from the output of a [StartWebAuthnRegistration](API_StartWebAuthnRegistration.md).

Authorize this action with a signed-in user's access token. It must include the scope `aws.cognito.signin.user.admin`.

## Request Syntax


```
{
   "AccessToken": "string",
   "Credential": JSON value
}
```

## Request Parameters


For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).

The request accepts the following data in JSON format.

 ** [AccessToken](#API_CompleteWebAuthnRegistration_RequestSyntax) **   <a name="CognitoUserPools-CompleteWebAuthnRegistration-request-AccessToken"></a>
A valid access token that Amazon Cognito issued to the currently signed-in user. Must include a scope claim for `aws.cognito.signin.user.admin`.  
Type: String  
Pattern: `[A-Za-z0-9-_=.]+`   
Required: Yes

 ** [Credential](#API_CompleteWebAuthnRegistration_RequestSyntax) **   <a name="CognitoUserPools-CompleteWebAuthnRegistration-request-Credential"></a>
A [RegistrationResponseJSON](https://www.w3.org/TR/WebAuthn-3/#dictdef-registrationresponsejson) public-key credential response from the user's passkey provider.  
Type: JSON value  
Required: Yes

## Response Elements


If the action is successful, the service sends back an HTTP 200 response with an empty HTTP body.

## Errors


For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).

 ** ForbiddenException **   
This exception is thrown when AWS WAF doesn't allow your request based on a web ACL that's associated with your user pool.    
 ** message **   
The message returned when AWS WAF doesn't allow your request based on a web ACL that's associated with your user pool.
HTTP Status Code: 400

 ** InternalErrorException **   
This exception is thrown when Amazon Cognito encounters an internal error.    
 ** message **   
The message returned when Amazon Cognito throws an internal error exception.
HTTP Status Code: 500

 ** InvalidParameterException **   
This exception is thrown when the Amazon Cognito service encounters an invalid parameter.    
 ** message **   
The message returned when the Amazon Cognito service throws an invalid parameter exception.  
 ** reasonCode **   
The reason code of the exception.
HTTP Status Code: 400

 ** LimitExceededException **   
This exception is thrown when a user exceeds the limit for a requested AWS resource.    
 ** message **   
The message returned when Amazon Cognito throws a limit exceeded exception.
HTTP Status Code: 400

 ** NotAuthorizedException **   
This exception is thrown when a user isn't authorized.    
 ** message **   
The message returned when the Amazon Cognito service returns a not authorized exception.
HTTP Status Code: 400

 ** PasswordResetRequiredException **   
This exception is thrown when a password reset is required.    
 ** message **   
The message returned when a password reset is required.
HTTP Status Code: 400

 ** TooManyRequestsException **   
This exception is thrown when the user has made too many requests for a given operation.    
 ** message **   
The message returned when the Amazon Cognito service returns a too many requests exception.
HTTP Status Code: 400

 ** WebAuthnChallengeNotFoundException **   
This exception is thrown when the challenge from `StartWebAuthn` registration has expired.  
HTTP Status Code: 400

 ** WebAuthnClientMismatchException **   
This exception is thrown when the access token is for a different client than the one in the original `StartWebAuthnRegistration` request.  
HTTP Status Code: 400

 ** WebAuthnCredentialNotSupportedException **   
This exception is thrown when a user presents passkey credentials from an unsupported device or provider.  
HTTP Status Code: 400

 ** WebAuthnNotEnabledException **   
This exception is thrown when the passkey feature isn't enabled for the user pool.  
HTTP Status Code: 400

 ** WebAuthnOriginNotAllowedException **   
This exception is thrown when the passkey credential's registration origin does not align with the user pool relying party id.  
HTTP Status Code: 400

 ** WebAuthnRelyingPartyMismatchException **   
This exception is thrown when the given passkey credential is associated with a different relying party ID than the user pool relying party ID.  
HTTP Status Code: 400

## Examples


### Example


The following example completes passkey registration for the user with access token "eyJra456defEXAMPLE".

#### Sample Request


```
POST HTTP/1.1
Host: cognito-idp.us-west-2.amazonaws.com
X-Amz-Date: 20230613T200059Z
Accept-Encoding: gzip, deflate, br
X-Amz-Target: AWSCognitoIdentityProviderService.CompleteWebAuthnRegistration
User-Agent: <UserAgentString>
Authorization: AWS4-HMAC-SHA256 Credential=<Credential>, SignedHeaders=<Headers>, Signature=<Signature>
Content-Length: <PayloadSizeBytes>
{
   "AccessToken": "eyJra456defEXAMPLE",
   "Credential": "[RegistrationResponseJSON]"
}
```

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cognito-idp-2016-04-18/CompleteWebAuthnRegistration) 
+  [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cognito-idp-2016-04-18/CompleteWebAuthnRegistration) 
+  [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/CompleteWebAuthnRegistration) 
+  [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cognito-idp-2016-04-18/CompleteWebAuthnRegistration) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/CompleteWebAuthnRegistration) 
+  [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cognito-idp-2016-04-18/CompleteWebAuthnRegistration) 
+  [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cognito-idp-2016-04-18/CompleteWebAuthnRegistration) 
+  [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cognito-idp-2016-04-18/CompleteWebAuthnRegistration) 
+  [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/CompleteWebAuthnRegistration) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cognito-idp-2016-04-18/CompleteWebAuthnRegistration) 

# ConfirmDevice


Confirms a device that a user wants to remember. A remembered device is a "Remember me on this device" option for user pools that perform authentication with the device key of a trusted device in the back end, instead of a user-provided MFA code. For more information about device authentication, see [Working with user devices in your user pool](https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-device-tracking.html).

Authorize this action with a signed-in user's access token. It must include the scope `aws.cognito.signin.user.admin`.

**Note**  
Amazon Cognito doesn't evaluate AWS Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you can't use IAM credentials to authorize requests, and you can't grant IAM permissions in policies. For more information about authorization models in Amazon Cognito, see [Using the Amazon Cognito user pools API and user pool endpoints](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html).

## Request Syntax


```
{
   "AccessToken": "string",
   "DeviceKey": "string",
   "DeviceName": "string",
   "DeviceSecretVerifierConfig": { 
      "PasswordVerifier": "string",
      "Salt": "string"
   }
}
```

## Request Parameters


For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).

The request accepts the following data in JSON format.

 ** [AccessToken](#API_ConfirmDevice_RequestSyntax) **   <a name="CognitoUserPools-ConfirmDevice-request-AccessToken"></a>
A valid access token that Amazon Cognito issued to the currently signed-in user. Must include a scope claim for `aws.cognito.signin.user.admin`.  
Type: String  
Pattern: `[A-Za-z0-9-_=.]+`   
Required: Yes

 ** [DeviceKey](#API_ConfirmDevice_RequestSyntax) **   <a name="CognitoUserPools-ConfirmDevice-request-DeviceKey"></a>
The unique identifier, or device key, of the device that you want to update the status for.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 55.  
Pattern: `[\w-]+_[0-9a-f-]+`   
Required: Yes

 ** [DeviceName](#API_ConfirmDevice_RequestSyntax) **   <a name="CognitoUserPools-ConfirmDevice-request-DeviceName"></a>
A friendly name for the device, for example `MyMobilePhone`.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 1024.  
Required: No

 ** [DeviceSecretVerifierConfig](#API_ConfirmDevice_RequestSyntax) **   <a name="CognitoUserPools-ConfirmDevice-request-DeviceSecretVerifierConfig"></a>
The configuration of the device secret verifier.  
Type: [DeviceSecretVerifierConfigType](API_DeviceSecretVerifierConfigType.md) object  
Required: No

## Response Syntax


```
{
   "UserConfirmationNecessary": boolean
}
```

## Response Elements


If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

 ** [UserConfirmationNecessary](#API_ConfirmDevice_ResponseSyntax) **   <a name="CognitoUserPools-ConfirmDevice-response-UserConfirmationNecessary"></a>
When `true`, your user must confirm that they want to remember the device. Prompt the user for an answer.  
You must then make an [UpdateDeviceStatus](API_UpdateDeviceStatus.md) request that sets the device to `remembered` or `not_remembered`.  
When `false`, immediately sets the device as remembered and eligible for device authentication.  
You can configure your user pool to always remember devices, in which case this response is `false`, or to allow users to opt in, in which case this response is `true`. Configure this option under *Device tracking* in the *Sign-in* menu of your user pool.  
You can also configure this option with the `DeviceConfiguration` parameter of a [CreateUserPool](API_CreateUserPool.md) or [UpdateUserPool](API_UpdateUserPool.md) request.  
Type: Boolean

## Errors


For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).

 ** DeviceKeyExistsException **   
This exception is thrown when a user attempts to confirm a device with a device key that already exists.  
HTTP Status Code: 400

 ** ForbiddenException **   
This exception is thrown when AWS WAF doesn't allow your request based on a web ACL that's associated with your user pool.    
 ** message **   
The message returned when AWS WAF doesn't allow your request based on a web ACL that's associated with your user pool.
HTTP Status Code: 400

 ** InternalErrorException **   
This exception is thrown when Amazon Cognito encounters an internal error.    
 ** message **   
The message returned when Amazon Cognito throws an internal error exception.
HTTP Status Code: 500

 ** InvalidLambdaResponseException **   
This exception is thrown when Amazon Cognito encounters an invalid AWS Lambda response.    
 ** message **   
The message returned when Amazon Cognito throws an invalid AWS Lambda response exception.
HTTP Status Code: 400

 ** InvalidParameterException **   
This exception is thrown when the Amazon Cognito service encounters an invalid parameter.    
 ** message **   
The message returned when the Amazon Cognito service throws an invalid parameter exception.  
 ** reasonCode **   
The reason code of the exception.
HTTP Status Code: 400

 ** InvalidPasswordException **   
This exception is thrown when Amazon Cognito encounters an invalid password.    
 ** message **   
The message returned when Amazon Cognito throws an invalid user password exception.
HTTP Status Code: 400

 ** InvalidUserPoolConfigurationException **   
This exception is thrown when the user pool configuration is not valid.    
 ** message **   
The message returned when the user pool configuration is not valid.
HTTP Status Code: 400

 ** NotAuthorizedException **   
This exception is thrown when a user isn't authorized.    
 ** message **   
The message returned when the Amazon Cognito service returns a not authorized exception.
HTTP Status Code: 400

 ** PasswordResetRequiredException **   
This exception is thrown when a password reset is required.    
 ** message **   
The message returned when a password reset is required.
HTTP Status Code: 400

 ** ResourceNotFoundException **   
This exception is thrown when the Amazon Cognito service can't find the requested resource.    
 ** message **   
The message returned when the Amazon Cognito service returns a resource not found exception.
HTTP Status Code: 400

 ** TooManyRequestsException **   
This exception is thrown when the user has made too many requests for a given operation.    
 ** message **   
The message returned when the Amazon Cognito service returns a too many requests exception.
HTTP Status Code: 400

 ** UsernameExistsException **   
This exception is thrown when Amazon Cognito encounters a user name that already exists in the user pool.    
 ** message **   
The message returned when Amazon Cognito throws a user name exists exception.
HTTP Status Code: 400

 ** UserNotConfirmedException **   
This exception is thrown when a user isn't confirmed successfully.    
 ** message **   
The message returned when a user isn't confirmed successfully.
HTTP Status Code: 400

 ** UserNotFoundException **   
This exception is thrown when a user isn't found.    
 ** message **   
The message returned when a user isn't found.
HTTP Status Code: 400

## Examples


### Example


The following example request confirms a device for the user with the access token "eyJra456defEXAMPLE". In the user pool in this example, the user must confirm that they want to remember the device with a new [UpdateDeviceStatus](API_UpdateDeviceStatus.md) request that sets `DeviceRememberedStatus` to `true` for the device with key `a1b2c3d4-5678-90ab-cdef-EXAMPLE11111`.

#### Sample Request


```
POST HTTP/1.1
Host: cognito-idp.us-west-2.amazonaws.com
X-Amz-Date: 20230613T200059Z
Accept-Encoding: gzip, deflate, br
X-Amz-Target: AWSCognitoIdentityProviderService.ConfirmDevice
User-Agent: <UserAgentString>
Authorization: AWS4-HMAC-SHA256 Credential=<Credential>, SignedHeaders=<Headers>, Signature=<Signature>
Content-Length: <PayloadSizeBytes>
{
   "AccessToken": "eyJra456defEXAMPLE",
   "DeviceKey": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
   "DeviceName": "MyMobileDevice",
   "DeviceSecretVerifierConfig": {
      "PasswordVerifier": "[calculated verifier string]",
      "Salt": "[salt]"
   }
}
```

#### Sample Response


```
HTTP/1.1 200 OK
Date: Tue, 13 Jun 2023 20:00:59 GMT
Content-Type: application/x-amz-json-1.0
Content-Length: <PayloadSizeBytes>
x-amzn-requestid: a1b2c3d4-e5f6-a1b2-c3d4-EXAMPLE11111
Connection: keep-alive
{
   "UserConfirmationNecessary": true
}
```

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cognito-idp-2016-04-18/ConfirmDevice) 
+  [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cognito-idp-2016-04-18/ConfirmDevice) 
+  [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/ConfirmDevice) 
+  [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cognito-idp-2016-04-18/ConfirmDevice) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/ConfirmDevice) 
+  [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cognito-idp-2016-04-18/ConfirmDevice) 
+  [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cognito-idp-2016-04-18/ConfirmDevice) 
+  [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cognito-idp-2016-04-18/ConfirmDevice) 
+  [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/ConfirmDevice) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cognito-idp-2016-04-18/ConfirmDevice) 

# ConfirmForgotPassword


This public API operation accepts a confirmation code that Amazon Cognito sent to a user and accepts a new password for that user.

**Note**  
Amazon Cognito doesn't evaluate AWS Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you can't use IAM credentials to authorize requests, and you can't grant IAM permissions in policies. For more information about authorization models in Amazon Cognito, see [Using the Amazon Cognito user pools API and user pool endpoints](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html).

## Request Syntax


```
{
   "AnalyticsMetadata": { 
      "AnalyticsEndpointId": "string"
   },
   "ClientId": "string",
   "ClientMetadata": { 
      "string" : "string" 
   },
   "ConfirmationCode": "string",
   "Password": "string",
   "SecretHash": "string",
   "UserContextData": { 
      "EncodedData": "string",
      "IpAddress": "string"
   },
   "Username": "string"
}
```

## Request Parameters


For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).

The request accepts the following data in JSON format.

 ** [AnalyticsMetadata](#API_ConfirmForgotPassword_RequestSyntax) **   <a name="CognitoUserPools-ConfirmForgotPassword-request-AnalyticsMetadata"></a>
Information that supports analytics outcomes with Amazon Pinpoint, including the user's endpoint ID. The endpoint ID is a destination for Amazon Pinpoint push notifications, for example a device identifier, email address, or phone number.  
Type: [AnalyticsMetadataType](API_AnalyticsMetadataType.md) object  
Required: No

 ** [ClientId](#API_ConfirmForgotPassword_RequestSyntax) **   <a name="CognitoUserPools-ConfirmForgotPassword-request-ClientId"></a>
The ID of the app client where the user wants to reset their password. This parameter is an identifier of the client application that users are resetting their password from, but this operation resets users' irrespective of the app clients they sign in to.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 128.  
Pattern: `[\w+]+`   
Required: Yes

 ** [ClientMetadata](#API_ConfirmForgotPassword_RequestSyntax) **   <a name="CognitoUserPools-ConfirmForgotPassword-request-ClientMetadata"></a>
A map of custom key-value pairs that you can provide as input for any custom workflows that this action triggers. You create custom workflows by assigning AWS Lambda functions to user pool triggers.  
When Amazon Cognito invokes any of these functions, it passes a JSON payload, which the function receives as input. This payload contains a `clientMetadata` attribute that provides the data that you assigned to the ClientMetadata parameter in your request. In your function code, you can process the `clientMetadata` value to enhance your workflow for your specific needs.  
To review the Lambda trigger types that Amazon Cognito invokes at runtime with API requests, see [ Connecting API actions to Lambda triggers](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-working-with-lambda-triggers.html#lambda-triggers-by-event) in the *Amazon Cognito Developer Guide*.  
When you use the `ClientMetadata` parameter, note that Amazon Cognito won't do the following:  
+ Store the `ClientMetadata` value. This data is available only to AWS Lambda triggers that are assigned to a user pool to support custom workflows. If your user pool configuration doesn't include triggers, the `ClientMetadata` parameter serves no purpose.
+ Validate the `ClientMetadata` value.
+ Encrypt the `ClientMetadata` value. Don't send sensitive information in this parameter.
Type: String to string map  
Key Length Constraints: Minimum length of 0. Maximum length of 131072.  
Value Length Constraints: Minimum length of 0. Maximum length of 131072.  
Required: No

 ** [ConfirmationCode](#API_ConfirmForgotPassword_RequestSyntax) **   <a name="CognitoUserPools-ConfirmForgotPassword-request-ConfirmationCode"></a>
The confirmation code that your user pool delivered when your user requested to reset their password.  
Your user pool sends these codes in response to [AdminResetUserPassword](API_AdminResetUserPassword.md) or [ForgotPassword](API_ForgotPassword.md) requests.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 2048.  
Pattern: `[\S]+`   
Required: Yes

 ** [Password](#API_ConfirmForgotPassword_RequestSyntax) **   <a name="CognitoUserPools-ConfirmForgotPassword-request-Password"></a>
The new password that your user wants to set.  
Type: String  
Length Constraints: Maximum length of 256.  
Pattern: `[\S]+`   
Required: Yes

 ** [SecretHash](#API_ConfirmForgotPassword_RequestSyntax) **   <a name="CognitoUserPools-ConfirmForgotPassword-request-SecretHash"></a>
A keyed-hash message authentication code (HMAC) calculated using the secret key of a user pool client and username plus the client ID in the message. For more information about `SecretHash`, see [Computing secret hash values](https://docs.aws.amazon.com/cognito/latest/developerguide/signing-up-users-in-your-app.html#cognito-user-pools-computing-secret-hash).  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 128.  
Pattern: `[\w+=/]+`   
Required: No

 ** [UserContextData](#API_ConfirmForgotPassword_RequestSyntax) **   <a name="CognitoUserPools-ConfirmForgotPassword-request-UserContextData"></a>
Contextual data about your user session like the device fingerprint, IP address, or location. Amazon Cognito threat protection evaluates the risk of an authentication event based on the context that your app generates and passes to Amazon Cognito when it makes API requests.  
For more information, see [Collecting data for threat protection in applications](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-viewing-threat-protection-app.html).  
Type: [UserContextDataType](API_UserContextDataType.md) object  
Required: No

 ** [Username](#API_ConfirmForgotPassword_RequestSyntax) **   <a name="CognitoUserPools-ConfirmForgotPassword-request-Username"></a>
The name of the user that you want to query or modify. The value of this parameter is typically your user's username, but it can be any of their alias attributes. If `username` isn't an alias attribute in your user pool, this value must be the `sub` of a local user or the username of a user from a third-party IdP.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 128.  
Pattern: `[\p{L}\p{M}\p{S}\p{N}\p{P}]+`   
Required: Yes

## Response Elements


If the action is successful, the service sends back an HTTP 200 response with an empty HTTP body.

## Errors


For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).

 ** CodeMismatchException **   
This exception is thrown if the provided code doesn't match what the server was expecting.    
 ** message **   
The message provided when the code mismatch exception is thrown.
HTTP Status Code: 400

 ** ExpiredCodeException **   
This exception is thrown if a code has expired.    
 ** message **   
The message returned when the expired code exception is thrown.
HTTP Status Code: 400

 ** ForbiddenException **   
This exception is thrown when AWS WAF doesn't allow your request based on a web ACL that's associated with your user pool.    
 ** message **   
The message returned when AWS WAF doesn't allow your request based on a web ACL that's associated with your user pool.
HTTP Status Code: 400

 ** InternalErrorException **   
This exception is thrown when Amazon Cognito encounters an internal error.    
 ** message **   
The message returned when Amazon Cognito throws an internal error exception.
HTTP Status Code: 500

 ** InvalidLambdaResponseException **   
This exception is thrown when Amazon Cognito encounters an invalid AWS Lambda response.    
 ** message **   
The message returned when Amazon Cognito throws an invalid AWS Lambda response exception.
HTTP Status Code: 400

 ** InvalidParameterException **   
This exception is thrown when the Amazon Cognito service encounters an invalid parameter.    
 ** message **   
The message returned when the Amazon Cognito service throws an invalid parameter exception.  
 ** reasonCode **   
The reason code of the exception.
HTTP Status Code: 400

 ** InvalidPasswordException **   
This exception is thrown when Amazon Cognito encounters an invalid password.    
 ** message **   
The message returned when Amazon Cognito throws an invalid user password exception.
HTTP Status Code: 400

 ** LimitExceededException **   
This exception is thrown when a user exceeds the limit for a requested AWS resource.    
 ** message **   
The message returned when Amazon Cognito throws a limit exceeded exception.
HTTP Status Code: 400

 ** NotAuthorizedException **   
This exception is thrown when a user isn't authorized.    
 ** message **   
The message returned when the Amazon Cognito service returns a not authorized exception.
HTTP Status Code: 400

 ** PasswordHistoryPolicyViolationException **   
The message returned when a user's new password matches a previous password and doesn't comply with the password-history policy.  
HTTP Status Code: 400

 ** ResourceNotFoundException **   
This exception is thrown when the Amazon Cognito service can't find the requested resource.    
 ** message **   
The message returned when the Amazon Cognito service returns a resource not found exception.
HTTP Status Code: 400

 ** TooManyFailedAttemptsException **   
This exception is thrown when the user has made too many failed attempts for a given action, such as sign-in.    
 ** message **   
The message returned when Amazon Cognito returns a `TooManyFailedAttempts` exception.
HTTP Status Code: 400

 ** TooManyRequestsException **   
This exception is thrown when the user has made too many requests for a given operation.    
 ** message **   
The message returned when the Amazon Cognito service returns a too many requests exception.
HTTP Status Code: 400

 ** UnexpectedLambdaException **   
This exception is thrown when Amazon Cognito encounters an unexpected exception with AWS Lambda.    
 ** message **   
The message returned when Amazon Cognito returns an unexpected Lambda exception.
HTTP Status Code: 400

 ** UserLambdaValidationException **   
This exception is thrown when the Amazon Cognito service encounters a user validation exception with the AWS Lambda service.    
 ** message **   
The message returned when the Amazon Cognito service returns a user validation exception with the Lambda service.
HTTP Status Code: 400

 ** UserNotConfirmedException **   
This exception is thrown when a user isn't confirmed successfully.    
 ** message **   
The message returned when a user isn't confirmed successfully.
HTTP Status Code: 400

 ** UserNotFoundException **   
This exception is thrown when a user isn't found.    
 ** message **   
The message returned when a user isn't found.
HTTP Status Code: 400

## Examples


### Example


The following example request sets a new password for the user "testuser".

#### Sample Request


```
POST HTTP/1.1
Host: cognito-idp.us-west-2.amazonaws.com
X-Amz-Date: 20230613T200059Z
Accept-Encoding: gzip, deflate, br
X-Amz-Target: AWSCognitoIdentityProviderService.ConfirmForgotPassword
User-Agent: <UserAgentString>
Authorization: AWS4-HMAC-SHA256 Credential=<Credential>, SignedHeaders=<Headers>, Signature=<Signature>
Content-Length: <PayloadSizeBytes>
{
   "ClientId": "1example23456789",
   "ConfirmationCode": "123456",
   "Password": "MyNewPassword1!",
   "Username": "testuser"
}
```

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cognito-idp-2016-04-18/ConfirmForgotPassword) 
+  [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cognito-idp-2016-04-18/ConfirmForgotPassword) 
+  [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/ConfirmForgotPassword) 
+  [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cognito-idp-2016-04-18/ConfirmForgotPassword) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/ConfirmForgotPassword) 
+  [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cognito-idp-2016-04-18/ConfirmForgotPassword) 
+  [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cognito-idp-2016-04-18/ConfirmForgotPassword) 
+  [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cognito-idp-2016-04-18/ConfirmForgotPassword) 
+  [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/ConfirmForgotPassword) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cognito-idp-2016-04-18/ConfirmForgotPassword) 

# ConfirmSignUp


Confirms the account of a new user. This public API operation submits a code that Amazon Cognito sent to your user when they signed up in your user pool. After your user enters their code, they confirm ownership of the email address or phone number that they provided, and their user account becomes active. Depending on your user pool configuration, your users will receive their confirmation code in an email or SMS message.

Local users who signed up in your user pool are the only type of user who can confirm sign-up with a code. Users who federate through an external identity provider (IdP) have already been confirmed by their IdP.

Administrator-created users, users created with the [AdminCreateUser](API_AdminCreateUser.md) API operation, confirm their accounts when they respond to their invitation email message and choose a password. They do not receive a confirmation code. Instead, they receive a temporary password.

**Note**  
Amazon Cognito doesn't evaluate AWS Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you can't use IAM credentials to authorize requests, and you can't grant IAM permissions in policies. For more information about authorization models in Amazon Cognito, see [Using the Amazon Cognito user pools API and user pool endpoints](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html).

## Request Syntax


```
{
   "AnalyticsMetadata": { 
      "AnalyticsEndpointId": "string"
   },
   "ClientId": "string",
   "ClientMetadata": { 
      "string" : "string" 
   },
   "ConfirmationCode": "string",
   "ForceAliasCreation": boolean,
   "SecretHash": "string",
   "Session": "string",
   "UserContextData": { 
      "EncodedData": "string",
      "IpAddress": "string"
   },
   "Username": "string"
}
```

## Request Parameters


For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).

The request accepts the following data in JSON format.

 ** [AnalyticsMetadata](#API_ConfirmSignUp_RequestSyntax) **   <a name="CognitoUserPools-ConfirmSignUp-request-AnalyticsMetadata"></a>
Information that supports analytics outcomes with Amazon Pinpoint, including the user's endpoint ID. The endpoint ID is a destination for Amazon Pinpoint push notifications, for example a device identifier, email address, or phone number.  
Type: [AnalyticsMetadataType](API_AnalyticsMetadataType.md) object  
Required: No

 ** [ClientId](#API_ConfirmSignUp_RequestSyntax) **   <a name="CognitoUserPools-ConfirmSignUp-request-ClientId"></a>
The ID of the app client associated with the user pool.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 128.  
Pattern: `[\w+]+`   
Required: Yes

 ** [ClientMetadata](#API_ConfirmSignUp_RequestSyntax) **   <a name="CognitoUserPools-ConfirmSignUp-request-ClientMetadata"></a>
A map of custom key-value pairs that you can provide as input for any custom workflows that this action triggers. You create custom workflows by assigning AWS Lambda functions to user pool triggers.  
When Amazon Cognito invokes any of these functions, it passes a JSON payload, which the function receives as input. This payload contains a `clientMetadata` attribute that provides the data that you assigned to the ClientMetadata parameter in your request. In your function code, you can process the `clientMetadata` value to enhance your workflow for your specific needs.  
To review the Lambda trigger types that Amazon Cognito invokes at runtime with API requests, see [ Connecting API actions to Lambda triggers](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-working-with-lambda-triggers.html#lambda-triggers-by-event) in the *Amazon Cognito Developer Guide*.  
When you use the `ClientMetadata` parameter, note that Amazon Cognito won't do the following:  
+ Store the `ClientMetadata` value. This data is available only to AWS Lambda triggers that are assigned to a user pool to support custom workflows. If your user pool configuration doesn't include triggers, the `ClientMetadata` parameter serves no purpose.
+ Validate the `ClientMetadata` value.
+ Encrypt the `ClientMetadata` value. Don't send sensitive information in this parameter.
Type: String to string map  
Key Length Constraints: Minimum length of 0. Maximum length of 131072.  
Value Length Constraints: Minimum length of 0. Maximum length of 131072.  
Required: No

 ** [ConfirmationCode](#API_ConfirmSignUp_RequestSyntax) **   <a name="CognitoUserPools-ConfirmSignUp-request-ConfirmationCode"></a>
The confirmation code that your user pool sent in response to the `SignUp` request.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 2048.  
Pattern: `[\S]+`   
Required: Yes

 ** [ForceAliasCreation](#API_ConfirmSignUp_RequestSyntax) **   <a name="CognitoUserPools-ConfirmSignUp-request-ForceAliasCreation"></a>
When `true`, forces user confirmation despite any existing aliases. Defaults to `false`. A value of `true` migrates the alias from an existing user to the new user if an existing user already has the phone number or email address as an alias.  
Say, for example, that an existing user has an `email` attribute of `bob@example.com` and email is an alias in your user pool. If the new user also has an email of `bob@example.com` and your `ConfirmSignUp` response sets `ForceAliasCreation` to `true`, the new user can sign in with a username of `bob@example.com` and the existing user can no longer do so.  
If `false` and an attribute belongs to an existing alias, this request returns an **AliasExistsException** error.  
For more information about sign-in aliases, see [Customizing sign-in attributes](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html#user-pool-settings-aliases).  
Type: Boolean  
Required: No

 ** [SecretHash](#API_ConfirmSignUp_RequestSyntax) **   <a name="CognitoUserPools-ConfirmSignUp-request-SecretHash"></a>
A keyed-hash message authentication code (HMAC) calculated using the secret key of a user pool client and username plus the client ID in the message. For more information about `SecretHash`, see [Computing secret hash values](https://docs.aws.amazon.com/cognito/latest/developerguide/signing-up-users-in-your-app.html#cognito-user-pools-computing-secret-hash).  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 128.  
Pattern: `[\w+=/]+`   
Required: No

 ** [Session](#API_ConfirmSignUp_RequestSyntax) **   <a name="CognitoUserPools-ConfirmSignUp-request-Session"></a>
The optional session ID from a `SignUp` API request. You can sign in a user directly from the sign-up process with the `USER_AUTH` authentication flow.  
Type: String  
Length Constraints: Minimum length of 20. Maximum length of 2048.  
Required: No

 ** [UserContextData](#API_ConfirmSignUp_RequestSyntax) **   <a name="CognitoUserPools-ConfirmSignUp-request-UserContextData"></a>
Contextual data about your user session like the device fingerprint, IP address, or location. Amazon Cognito threat protection evaluates the risk of an authentication event based on the context that your app generates and passes to Amazon Cognito when it makes API requests.  
For more information, see [Collecting data for threat protection in applications](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-viewing-threat-protection-app.html).  
Type: [UserContextDataType](API_UserContextDataType.md) object  
Required: No

 ** [Username](#API_ConfirmSignUp_RequestSyntax) **   <a name="CognitoUserPools-ConfirmSignUp-request-Username"></a>
The name of the user that you want to query or modify. The value of this parameter is typically your user's username, but it can be any of their alias attributes. If `username` isn't an alias attribute in your user pool, this value must be the `sub` of a local user or the username of a user from a third-party IdP.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 128.  
Pattern: `[\p{L}\p{M}\p{S}\p{N}\p{P}]+`   
Required: Yes

## Response Syntax


```
{
   "Session": "string"
}
```

## Response Elements


If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

 ** [Session](#API_ConfirmSignUp_ResponseSyntax) **   <a name="CognitoUserPools-ConfirmSignUp-response-Session"></a>
A session identifier that you can use to immediately sign in the confirmed user. You can automatically sign users in with the one-time password that they provided in a successful `ConfirmSignUp` request.  
To do this, pass the `Session` parameter from this response in the `Session` parameter of an [InitiateAuth](API_InitiateAuth.md) or [AdminInitiateAuth](API_AdminInitiateAuth.md) request.  
Type: String  
Length Constraints: Minimum length of 20. Maximum length of 2048.

## Errors


For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).

 ** AliasExistsException **   
This exception is thrown when a user tries to confirm the account with an email address or phone number that has already been supplied as an alias for a different user profile. This exception indicates that an account with this email address or phone already exists in a user pool that you've configured to use email address or phone number as a sign-in alias.    
 ** message **   
The message that Amazon Cognito sends to the user when the value of an alias attribute is already linked to another user profile.
HTTP Status Code: 400

 ** CodeMismatchException **   
This exception is thrown if the provided code doesn't match what the server was expecting.    
 ** message **   
The message provided when the code mismatch exception is thrown.
HTTP Status Code: 400

 ** ExpiredCodeException **   
This exception is thrown if a code has expired.    
 ** message **   
The message returned when the expired code exception is thrown.
HTTP Status Code: 400

 ** ForbiddenException **   
This exception is thrown when AWS WAF doesn't allow your request based on a web ACL that's associated with your user pool.    
 ** message **   
The message returned when AWS WAF doesn't allow your request based on a web ACL that's associated with your user pool.
HTTP Status Code: 400

 ** InternalErrorException **   
This exception is thrown when Amazon Cognito encounters an internal error.    
 ** message **   
The message returned when Amazon Cognito throws an internal error exception.
HTTP Status Code: 500

 ** InvalidLambdaResponseException **   
This exception is thrown when Amazon Cognito encounters an invalid AWS Lambda response.    
 ** message **   
The message returned when Amazon Cognito throws an invalid AWS Lambda response exception.
HTTP Status Code: 400

 ** InvalidParameterException **   
This exception is thrown when the Amazon Cognito service encounters an invalid parameter.    
 ** message **   
The message returned when the Amazon Cognito service throws an invalid parameter exception.  
 ** reasonCode **   
The reason code of the exception.
HTTP Status Code: 400

 ** LimitExceededException **   
This exception is thrown when a user exceeds the limit for a requested AWS resource.    
 ** message **   
The message returned when Amazon Cognito throws a limit exceeded exception.
HTTP Status Code: 400

 ** NotAuthorizedException **   
This exception is thrown when a user isn't authorized.    
 ** message **   
The message returned when the Amazon Cognito service returns a not authorized exception.
HTTP Status Code: 400

 ** ResourceNotFoundException **   
This exception is thrown when the Amazon Cognito service can't find the requested resource.    
 ** message **   
The message returned when the Amazon Cognito service returns a resource not found exception.
HTTP Status Code: 400

 ** TooManyFailedAttemptsException **   
This exception is thrown when the user has made too many failed attempts for a given action, such as sign-in.    
 ** message **   
The message returned when Amazon Cognito returns a `TooManyFailedAttempts` exception.
HTTP Status Code: 400

 ** TooManyRequestsException **   
This exception is thrown when the user has made too many requests for a given operation.    
 ** message **   
The message returned when the Amazon Cognito service returns a too many requests exception.
HTTP Status Code: 400

 ** UnexpectedLambdaException **   
This exception is thrown when Amazon Cognito encounters an unexpected exception with AWS Lambda.    
 ** message **   
The message returned when Amazon Cognito returns an unexpected Lambda exception.
HTTP Status Code: 400

 ** UserLambdaValidationException **   
This exception is thrown when the Amazon Cognito service encounters a user validation exception with the AWS Lambda service.    
 ** message **   
The message returned when the Amazon Cognito service returns a user validation exception with the Lambda service.
HTTP Status Code: 400

 ** UserNotFoundException **   
This exception is thrown when a user isn't found.    
 ** message **   
The message returned when a user isn't found.
HTTP Status Code: 400

## Examples


### Example


The following example request confirms sign-up for the user "testuser" with the submitted confirmation code `123456`. The response includes a session ID that your application can pass to [InitiateAuth](API_InitiateAuth.md) or [AdminInitiateAuth](API_AdminInitiateAuth.md) for automatic email or SMS OTP sign-in with the already-submitted `123456` confirmation code.

#### Sample Request


```
POST HTTP/1.1
Host: cognito-idp.us-west-2.amazonaws.com
X-Amz-Date: 20230613T200059Z
Accept-Encoding: gzip, deflate, br
X-Amz-Target: AWSCognitoIdentityProviderService.ConfirmSignUp
User-Agent: <UserAgentString>
Authorization: AWS4-HMAC-SHA256 Credential=<Credential>, SignedHeaders=<Headers>, Signature=<Signature>
Content-Length: <PayloadSizeBytes>
{
    "ClientId": "1example23456789",
    "ConfirmationCode": "123456",
    "Username": "testuser"
}
```

#### Sample Response


```
HTTP/1.1 200 OK
Date: Tue, 13 Jun 2023 20:00:59 GMT
Content-Type: application/x-amz-json-1.0
Content-Length: <PayloadSizeBytes>
x-amzn-requestid: a1b2c3d4-e5f6-a1b2-c3d4-EXAMPLE11111
Connection: keep-alive
{
   "Session":"AYABeC1-y8qooiuysEv0uM4wAqQAHQABAAdTZXJ2aWNlABBDb2duaXRvVXNlclBvb2xzAAEAB2F3cy1rbXMAS2Fybjphd3M6a21zOnVzLXd..."
}
```

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cognito-idp-2016-04-18/ConfirmSignUp) 
+  [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cognito-idp-2016-04-18/ConfirmSignUp) 
+  [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/ConfirmSignUp) 
+  [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cognito-idp-2016-04-18/ConfirmSignUp) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/ConfirmSignUp) 
+  [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cognito-idp-2016-04-18/ConfirmSignUp) 
+  [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cognito-idp-2016-04-18/ConfirmSignUp) 
+  [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cognito-idp-2016-04-18/ConfirmSignUp) 
+  [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/ConfirmSignUp) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cognito-idp-2016-04-18/ConfirmSignUp) 

# CreateGroup


Creates a new group in the specified user pool. For more information about user pool groups, see [Adding groups to a user pool](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-user-groups.html).

**Note**  
Amazon Cognito evaluates AWS Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.  
 [Signing AWS API Requests](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html) 
 [Using the Amazon Cognito user pools API and user pool endpoints](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html) 

## Request Syntax


```
{
   "Description": "string",
   "GroupName": "string",
   "Precedence": number,
   "RoleArn": "string",
   "UserPoolId": "string"
}
```

## Request Parameters


For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).

The request accepts the following data in JSON format.

 ** [Description](#API_CreateGroup_RequestSyntax) **   <a name="CognitoUserPools-CreateGroup-request-Description"></a>
A description of the group that you're creating.  
Type: String  
Length Constraints: Maximum length of 2048.  
Required: No

 ** [GroupName](#API_CreateGroup_RequestSyntax) **   <a name="CognitoUserPools-CreateGroup-request-GroupName"></a>
A name for the group. This name must be unique in your user pool.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 128.  
Pattern: `[\p{L}\p{M}\p{S}\p{N}\p{P}]+`   
Required: Yes

 ** [Precedence](#API_CreateGroup_RequestSyntax) **   <a name="CognitoUserPools-CreateGroup-request-Precedence"></a>
A non-negative integer value that specifies the precedence of this group relative to the other groups that a user can belong to in the user pool. Zero is the highest precedence value. Groups with lower `Precedence` values take precedence over groups with higher or null `Precedence` values. If a user belongs to two or more groups, it is the group with the lowest precedence value whose role ARN is given in the user's tokens for the `cognito:roles` and `cognito:preferred_role` claims.  
Two groups can have the same `Precedence` value. If this happens, neither group takes precedence over the other. If two groups with the same `Precedence` have the same role ARN, that role is used in the `cognito:preferred_role` claim in tokens for users in each group. If the two groups have different role ARNs, the `cognito:preferred_role` claim isn't set in users' tokens.  
The default `Precedence` value is null. The maximum `Precedence` value is `2^31-1`.  
Type: Integer  
Valid Range: Minimum value of 0.  
Required: No

 ** [RoleArn](#API_CreateGroup_RequestSyntax) **   <a name="CognitoUserPools-CreateGroup-request-RoleArn"></a>
The Amazon Resource Name (ARN) for the IAM role that you want to associate with the group. A group role primarily declares a preferred role for the credentials that you get from an identity pool. Amazon Cognito ID tokens have a `cognito:preferred_role` claim that presents the highest-precedence group that a user belongs to. Both ID and access tokens also contain a `cognito:groups` claim that list all the groups that a user is a member of.  
Type: String  
Length Constraints: Minimum length of 20. Maximum length of 2048.  
Pattern: `arn:[\w+=/,.@-]+:[\w+=/,.@-]+:([\w+=/,.@-]*)?:[0-9]+:[\w+=/,.@-]+(:[\w+=/,.@-]+)?(:[\w+=/,.@-]+)?`   
Required: No

 ** [UserPoolId](#API_CreateGroup_RequestSyntax) **   <a name="CognitoUserPools-CreateGroup-request-UserPoolId"></a>
The ID of the user pool where you want to create a user group.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 55.  
Pattern: `[\w-]+_[0-9a-zA-Z]+`   
Required: Yes

## Response Syntax


```
{
   "Group": { 
      "CreationDate": number,
      "Description": "string",
      "GroupName": "string",
      "LastModifiedDate": number,
      "Precedence": number,
      "RoleArn": "string",
      "UserPoolId": "string"
   }
}
```

## Response Elements


If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

 ** [Group](#API_CreateGroup_ResponseSyntax) **   <a name="CognitoUserPools-CreateGroup-response-Group"></a>
The response object for a created group.  
Type: [GroupType](API_GroupType.md) object

## Errors


For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).

 ** GroupExistsException **   
This exception is thrown when Amazon Cognito encounters a group that already exists in the user pool.  
HTTP Status Code: 400

 ** InternalErrorException **   
This exception is thrown when Amazon Cognito encounters an internal error.    
 ** message **   
The message returned when Amazon Cognito throws an internal error exception.
HTTP Status Code: 500

 ** InvalidParameterException **   
This exception is thrown when the Amazon Cognito service encounters an invalid parameter.    
 ** message **   
The message returned when the Amazon Cognito service throws an invalid parameter exception.  
 ** reasonCode **   
The reason code of the exception.
HTTP Status Code: 400

 ** LimitExceededException **   
This exception is thrown when a user exceeds the limit for a requested AWS resource.    
 ** message **   
The message returned when Amazon Cognito throws a limit exceeded exception.
HTTP Status Code: 400

 ** NotAuthorizedException **   
This exception is thrown when a user isn't authorized.    
 ** message **   
The message returned when the Amazon Cognito service returns a not authorized exception.
HTTP Status Code: 400

 ** ResourceNotFoundException **   
This exception is thrown when the Amazon Cognito service can't find the requested resource.    
 ** message **   
The message returned when the Amazon Cognito service returns a resource not found exception.
HTTP Status Code: 400

 ** TooManyRequestsException **   
This exception is thrown when the user has made too many requests for a given operation.    
 ** message **   
The message returned when the Amazon Cognito service returns a too many requests exception.
HTTP Status Code: 400

## Examples


### Example


The following example creates the group `ExampleGroup` with precedence 1.

#### Sample Request


```
POST HTTP/1.1
Host: cognito-idp.us-west-2.amazonaws.com
X-Amz-Date: 20230613T200059Z
Accept-Encoding: gzip, deflate, br
X-Amz-Target: AWSCognitoIdentityProviderService.CreateGroup
User-Agent: <UserAgentString>
Authorization: AWS4-HMAC-SHA256 Credential=<Credential>, SignedHeaders=<Headers>, Signature=<Signature>
Content-Length: <PayloadSizeBytes>
{
   "Description": "My Example Group",
   "GroupName": "ExampleGroup",
   "Precedence": 1,
   "UserPoolId": "us-west-2_EXAMPLE"
}
```

#### Sample Response


```
HTTP/1.1 200 OK
Date: Tue, 13 Jun 2023 20:00:59 GMT
Content-Type: application/x-amz-json-1.0
Content-Length: <PayloadSizeBytes>
x-amzn-requestid: a1b2c3d4-e5f6-a1b2-c3d4-EXAMPLE11111
Connection: keep-alive
{
	"Group": {
		"CreationDate": 1735240477.884,
		"Description": "My Example Group",
		"GroupName": "ExampleGroup",
		"LastModifiedDate": 1735240477.884,
		"Precedence": 1,
		"UserPoolId": "us-west-2_EXAMPLE"
	}
}
```

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cognito-idp-2016-04-18/CreateGroup) 
+  [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cognito-idp-2016-04-18/CreateGroup) 
+  [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/CreateGroup) 
+  [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cognito-idp-2016-04-18/CreateGroup) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/CreateGroup) 
+  [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cognito-idp-2016-04-18/CreateGroup) 
+  [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cognito-idp-2016-04-18/CreateGroup) 
+  [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cognito-idp-2016-04-18/CreateGroup) 
+  [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/CreateGroup) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cognito-idp-2016-04-18/CreateGroup) 

# CreateIdentityProvider


Adds a configuration and trust relationship between a third-party identity provider (IdP) and a user pool. Amazon Cognito accepts sign-in with third-party identity providers through managed login and OIDC relying-party libraries. For more information, see [Third-party IdP sign-in](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-identity-federation.html).

**Note**  
Amazon Cognito evaluates AWS Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.  
 [Signing AWS API Requests](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html) 
 [Using the Amazon Cognito user pools API and user pool endpoints](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html) 

## Request Syntax


```
{
   "AttributeMapping": { 
      "string" : "string" 
   },
   "IdpIdentifiers": [ "string" ],
   "ProviderDetails": { 
      "string" : "string" 
   },
   "ProviderName": "string",
   "ProviderType": "string",
   "UserPoolId": "string"
}
```

## Request Parameters


For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).

The request accepts the following data in JSON format.

 ** [AttributeMapping](#API_CreateIdentityProvider_RequestSyntax) **   <a name="CognitoUserPools-CreateIdentityProvider-request-AttributeMapping"></a>
A mapping of IdP attributes to standard and custom user pool attributes. Specify a user pool attribute as the key of the key-value pair, and the IdP attribute claim name as the value.  
Type: String to string map  
Key Length Constraints: Minimum length of 1. Maximum length of 32.  
Value Length Constraints: Minimum length of 0. Maximum length of 131072.  
Required: No

 ** [IdpIdentifiers](#API_CreateIdentityProvider_RequestSyntax) **   <a name="CognitoUserPools-CreateIdentityProvider-request-IdpIdentifiers"></a>
An array of IdP identifiers, for example `"IdPIdentifiers": [ "MyIdP", "MyIdP2" ]`. Identifiers are friendly names that you can pass in the `idp_identifier` query parameter of requests to the [Authorize endpoint](https://docs.aws.amazon.com/cognito/latest/developerguide/authorization-endpoint.html) to silently redirect to sign-in with the associated IdP. Identifiers in a domain format also enable the use of [email-address matching with SAML providers](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-managing-saml-idp-naming.html).   
Type: Array of strings  
Array Members: Minimum number of 0 items. Maximum number of 50 items.  
Length Constraints: Minimum length of 1. Maximum length of 40.  
Pattern: `[\w\s+=.@-]+`   
Required: No

 ** [ProviderDetails](#API_CreateIdentityProvider_RequestSyntax) **   <a name="CognitoUserPools-CreateIdentityProvider-request-ProviderDetails"></a>
The scopes, URLs, and identifiers for your external identity provider. The following examples describe the provider detail keys for each IdP type. These values and their schema are subject to change. Social IdP `authorize_scopes` values must match the values listed here.    
OpenID Connect (OIDC)  
Amazon Cognito accepts the following elements when it can't discover endpoint URLs from `oidc_issuer`: `attributes_url`, `authorize_url`, `jwks_uri`, `token_url`.  
Create or update request: `"ProviderDetails": { "attributes_request_method": "GET", "attributes_url": "https://auth.example.com/userInfo", "authorize_scopes": "openid profile email", "authorize_url": "https://auth.example.com/authorize", "client_id": "1example23456789", "client_secret": "provider-app-client-secret", "jwks_uri": "https://auth.example.com/.well-known/jwks.json", "oidc_issuer": "https://auth.example.com", "token_url": "https://example.com/token" }`   
Describe response: `"ProviderDetails": { "attributes_request_method": "GET", "attributes_url": "https://auth.example.com/userInfo", "attributes_url_add_attributes": "false", "authorize_scopes": "openid profile email", "authorize_url": "https://auth.example.com/authorize", "client_id": "1example23456789", "client_secret": "provider-app-client-secret", "jwks_uri": "https://auth.example.com/.well-known/jwks.json", "oidc_issuer": "https://auth.example.com", "token_url": "https://example.com/token" }`   
SAML  
Create or update request with Metadata URL: `"ProviderDetails": { "IDPInit": "true", "IDPSignout": "true", "EncryptedResponses" : "true", "MetadataURL": "https://auth.example.com/sso/saml/metadata", "RequestSigningAlgorithm": "rsa-sha256" }`   
Create or update request with Metadata file: `"ProviderDetails": { "IDPInit": "true", "IDPSignout": "true", "EncryptedResponses" : "true", "MetadataFile": "[metadata XML]", "RequestSigningAlgorithm": "rsa-sha256" }`   
The value of `MetadataFile` must be the plaintext metadata document with all quote (") characters escaped by backslashes.  
Describe response: `"ProviderDetails": { "IDPInit": "true", "IDPSignout": "true", "EncryptedResponses" : "true", "ActiveEncryptionCertificate": "[certificate]", "MetadataURL": "https://auth.example.com/sso/saml/metadata", "RequestSigningAlgorithm": "rsa-sha256", "SLORedirectBindingURI": "https://auth.example.com/slo/saml", "SSORedirectBindingURI": "https://auth.example.com/sso/saml" }`   
LoginWithAmazon  
Create or update request: `"ProviderDetails": { "authorize_scopes": "profile postal_code", "client_id": "amzn1.application-oa2-client.1example23456789", "client_secret": "provider-app-client-secret"`   
Describe response: `"ProviderDetails": { "attributes_url": "https://api.amazon.com/user/profile", "attributes_url_add_attributes": "false", "authorize_scopes": "profile postal_code", "authorize_url": "https://www.amazon.com/ap/oa", "client_id": "amzn1.application-oa2-client.1example23456789", "client_secret": "provider-app-client-secret", "token_request_method": "POST", "token_url": "https://api.amazon.com/auth/o2/token" }`   
Google  
Create or update request: `"ProviderDetails": { "authorize_scopes": "email profile openid", "client_id": "1example23456789.apps.googleusercontent.com", "client_secret": "provider-app-client-secret" }`   
Describe response: `"ProviderDetails": { "attributes_url": "https://people.googleapis.com/v1/people/me?personFields=", "attributes_url_add_attributes": "true", "authorize_scopes": "email profile openid", "authorize_url": "https://accounts.google.com/o/oauth2/v2/auth", "client_id": "1example23456789.apps.googleusercontent.com", "client_secret": "provider-app-client-secret", "oidc_issuer": "https://accounts.google.com", "token_request_method": "POST", "token_url": "https://www.googleapis.com/oauth2/v4/token" }`   
SignInWithApple  
Create or update request: `"ProviderDetails": { "authorize_scopes": "email name", "client_id": "com.example.cognito", "private_key": "1EXAMPLE", "key_id": "2EXAMPLE", "team_id": "3EXAMPLE" }`   
Describe response: `"ProviderDetails": { "attributes_url_add_attributes": "false", "authorize_scopes": "email name", "authorize_url": "https://appleid.apple.com/auth/authorize", "client_id": "com.example.cognito", "key_id": "1EXAMPLE", "oidc_issuer": "https://appleid.apple.com", "team_id": "2EXAMPLE", "token_request_method": "POST", "token_url": "https://appleid.apple.com/auth/token" }`   
Facebook  
Create or update request: `"ProviderDetails": { "api_version": "v17.0", "authorize_scopes": "public_profile, email", "client_id": "1example23456789", "client_secret": "provider-app-client-secret" }`   
Describe response: `"ProviderDetails": { "api_version": "v17.0", "attributes_url": "https://graph.facebook.com/v17.0/me?fields=", "attributes_url_add_attributes": "true", "authorize_scopes": "public_profile, email", "authorize_url": "https://www.facebook.com/v17.0/dialog/oauth", "client_id": "1example23456789", "client_secret": "provider-app-client-secret", "token_request_method": "GET", "token_url": "https://graph.facebook.com/v17.0/oauth/access_token" }` 
Type: String to string map  
Key Length Constraints: Minimum length of 0. Maximum length of 131072.  
Value Length Constraints: Minimum length of 0. Maximum length of 131072.  
Required: Yes

 ** [ProviderName](#API_CreateIdentityProvider_RequestSyntax) **   <a name="CognitoUserPools-CreateIdentityProvider-request-ProviderName"></a>
The name that you want to assign to the IdP. You can pass the identity provider name in the `identity_provider` query parameter of requests to the [Authorize endpoint](https://docs.aws.amazon.com/cognito/latest/developerguide/authorization-endpoint.html) to silently redirect to sign-in with the associated IdP.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 32.  
Pattern: `[^_\p{Z}][\p{L}\p{M}\p{S}\p{N}\p{P}][^_\p{Z}]+`   
Required: Yes

 ** [ProviderType](#API_CreateIdentityProvider_RequestSyntax) **   <a name="CognitoUserPools-CreateIdentityProvider-request-ProviderType"></a>
The type of IdP that you want to add. Amazon Cognito supports OIDC, SAML 2.0, Login With Amazon, Sign In With Apple, Google, and Facebook IdPs.  
Type: String  
Valid Values: `SAML | Facebook | Google | LoginWithAmazon | SignInWithApple | OIDC`   
Required: Yes

 ** [UserPoolId](#API_CreateIdentityProvider_RequestSyntax) **   <a name="CognitoUserPools-CreateIdentityProvider-request-UserPoolId"></a>
The Id of the user pool where you want to create an IdP.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 55.  
Pattern: `[\w-]+_[0-9a-zA-Z]+`   
Required: Yes

## Response Syntax


```
{
   "IdentityProvider": { 
      "AttributeMapping": { 
         "string" : "string" 
      },
      "CreationDate": number,
      "IdpIdentifiers": [ "string" ],
      "LastModifiedDate": number,
      "ProviderDetails": { 
         "string" : "string" 
      },
      "ProviderName": "string",
      "ProviderType": "string",
      "UserPoolId": "string"
   }
}
```

## Response Elements


If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

 ** [IdentityProvider](#API_CreateIdentityProvider_ResponseSyntax) **   <a name="CognitoUserPools-CreateIdentityProvider-response-IdentityProvider"></a>
The details of the new user pool IdP.  
Type: [IdentityProviderType](API_IdentityProviderType.md) object

## Errors


For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).

 ** DuplicateProviderException **   
This exception is thrown when the provider is already supported by the user pool.  
HTTP Status Code: 400

 ** InternalErrorException **   
This exception is thrown when Amazon Cognito encounters an internal error.    
 ** message **   
The message returned when Amazon Cognito throws an internal error exception.
HTTP Status Code: 500

 ** InvalidParameterException **   
This exception is thrown when the Amazon Cognito service encounters an invalid parameter.    
 ** message **   
The message returned when the Amazon Cognito service throws an invalid parameter exception.  
 ** reasonCode **   
The reason code of the exception.
HTTP Status Code: 400

 ** LimitExceededException **   
This exception is thrown when a user exceeds the limit for a requested AWS resource.    
 ** message **   
The message returned when Amazon Cognito throws a limit exceeded exception.
HTTP Status Code: 400

 ** NotAuthorizedException **   
This exception is thrown when a user isn't authorized.    
 ** message **   
The message returned when the Amazon Cognito service returns a not authorized exception.
HTTP Status Code: 400

 ** ResourceNotFoundException **   
This exception is thrown when the Amazon Cognito service can't find the requested resource.    
 ** message **   
The message returned when the Amazon Cognito service returns a resource not found exception.
HTTP Status Code: 400

 ** TooManyRequestsException **   
This exception is thrown when the user has made too many requests for a given operation.    
 ** message **   
The message returned when the Amazon Cognito service returns a too many requests exception.
HTTP Status Code: 400

## Examples


### Example


This request adds a SAML IdP named `MySAMLIdP` to a user pool. The IdP is identified by a static `MetadataFile` in this request. Note the escape characters before the double-quotes in the metadata XML. You can also add a dynamic metadata source with `MetadataURL`. The SAML provider supports single logout (SLO) and provides the SLO endpoint in the metadata. Additionally, the SAML provider supports IdP-initiated SAML and encrypted responses. 

#### Sample Request


```
POST HTTP/1.1
Host: cognito-idp.us-east-1.amazonaws.com
X-Amz-Date: 20230613T200059Z
Accept-Encoding: gzip, deflate, br
X-Amz-Target: AWSCognitoIdentityProviderService.CreateIdentityProvider
User-Agent: <UserAgentString>
Authorization: AWS4-HMAC-SHA256 Credential=<Credential>, SignedHeaders=<Headers>, Signature=<Signature>
Content-Length: <PayloadSizeBytes>

{
   "AttributeMapping": {
      "email" : "idp_email",
      "email_verified" : "idp_email_verified"
   },
   "IdpIdentifiers": [ "platform" ],
   "ProviderDetails": {
      "MetadataFile": "<md:EntityDescriptor xmlns:md=\"urn:oasis:names:tc:SAML:2.0:metadata\" entityID=\"http://www.example.com/saml\"><md:IDPSSODescriptor WantAuthnRequestsSigned=\"false\" protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\"><md:KeyDescriptor use=\"signing\"><ds:KeyInfo xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\"><ds:X509Data><ds:X509Certificate>CERTIFICATE_DATA</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:SingleLogoutService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" Location=\"https://example.com/slo/saml\"/><md:SingleLogoutService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\" Location=\"https://example.com/slo/saml\"/><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat><md:SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" Location=\"https://example.com/sso/saml\"/><md:SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\" Location=\"https://example.com/sso/saml\"/></md:IDPSSODescriptor></md:EntityDescriptor>",
      "IDPSignout" : "true",
      "RequestSigningAlgorithm" : "rsa-sha256",
      "EncryptedResponses" : "true",
      "IDPInit" : "true"
   },
   "ProviderName": "MySAMLIdP",
   "ProviderType": "SAML",
   "UserPoolId": "us-east-1_EXAMPLE"
}
```

#### Sample Response


```
HTTP/1.1 200 OK
Date: Tue, 13 Jun 2023 20:00:59 GMT
Content-Type: application/x-amz-json-1.0
Content-Length: <PayloadSizeBytes>
x-amzn-requestid: a1b2c3d4-e5f6-a1b2-c3d4-EXAMPLE11111
Connection: keep-alive

{
	"IdentityProvider": {
		"AttributeMapping": {
		   "email": "idp_email",
		   "email_verified": "idp_email_verified"
		},
		"CreationDate": 1701128513.249,
		"IdpIdentifiers": [
		   "example.com"
		],
		"LastModifiedDate": 1701128513.249,
		"ProviderDetails": {
           "MetadataFile": "<md:EntityDescriptor xmlns:md=\"urn:oasis:names:tc:SAML:2.0:metadata\" entityID=\"http://www.example.com/saml\"><md:IDPSSODescriptor WantAuthnRequestsSigned=\"false\" protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\"><md:KeyDescriptor use=\"signing\"><ds:KeyInfo xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\"><ds:X509Data><ds:X509Certificate>CERTIFICATE_DATA</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:SingleLogoutService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" Location=\"https://example.com/slo/saml\"/><md:SingleLogoutService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\" Location=\"https://example.com/slo/saml\"/><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat><md:SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" Location=\"https://example.com/sso/saml\"/><md:SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\" Location=\"https://example.com/sso/saml\"/></md:IDPSSODescriptor></md:EntityDescriptor>",
           "IDPSignout" : "true",
           "RequestSigningAlgorithm" : "rsa-sha256",
           "EncryptedResponses" : "true",
           "IDPInit" : "true"
		},
		"ProviderName": "MySAMLIdP",
		"ProviderType": "SAML",
		"UserPoolId": "us-east-1_EXAMPLE"
	}
}
```

### Example


This request adds an OIDC IdP named `MyOIDCIdP` to a user pool. In this request, we have chosen not to discover the issuer endpoints with `oidc_issuer` but instead to enter them manually.

#### Sample Request


```
POST HTTP/1.1
Host: cognito-idp.us-east-1.amazonaws.com
X-Amz-Date: 20230613T200059Z
Accept-Encoding: gzip, deflate, br
X-Amz-Target: AWSCognitoIdentityProviderService.CreateIdentityProvider
User-Agent: <UserAgentString>
Authorization: AWS4-HMAC-SHA256 Credential=<Credential>, SignedHeaders=<Headers>, Signature=<Signature>
Content-Length: <PayloadSizeBytes>

{
   "AttributeMapping": {
      "email" : "idp_email",
      "email_verified" : "idp_email_verified"
   },
   "IdpIdentifiers": [ "station" ],
   "ProviderDetails": {
        "attributes_request_method": "GET",
        "attributes_url": "https://example.com/userInfo",
        "attributes_url_add_attributes": "false",
        "authorize_scopes": "openid profile",
        "authorize_url": "https://example.com/authorize",
        "client_id": "idpexampleclient123",
        "client_secret": "idpexamplesecret456",
        "jwks_uri": "https://example.com/.well-known/jwks.json",
        "oidc_issuer": "https://example.com",
        "token_url": "https://example.com/token"
   },
   "ProviderName": "MyOIDCIdP",
   "ProviderType": "OIDC",
   "UserPoolId": "us-east-1_EXAMPLE"
}
```

#### Sample Response


```
HTTP/1.1 200 OK
Date: Tue, 13 Jun 2023 20:00:59 GMT
Content-Type: application/x-amz-json-1.0
Content-Length: <PayloadSizeBytes>
x-amzn-requestid: a1b2c3d4-e5f6-a1b2-c3d4-EXAMPLE11111
Connection: keep-alive

{
	"IdentityProvider": {
		"AttributeMapping": {
			"email": "idp_email",
			"email_verified": "idp_email_verified",
			"username": "sub"
		},
		"CreationDate": 1701129701.653,
		"IdpIdentifiers": [
			"station"
		],
		"LastModifiedDate": 1701129701.653,
		"ProviderDetails": {
			"attributes_request_method": "GET",
			"attributes_url": "https://example.com/userInfo",
			"attributes_url_add_attributes": "false",
			"authorize_scopes": "openid profile",
			"authorize_url": "https://example.com/authorize",
			"client_id": "idpexampleclient123",
			"client_secret": "idpexamplesecret456",
			"jwks_uri": "https://example.com/.well-known/jwks.json",
			"oidc_issuer": "https://example.com",
			"token_url": "https://example.com/token"
		},
		"ProviderName": "MyOIDCIdP",
		"ProviderType": "OIDC",
		"UserPoolId": "us-east-1_EXAMPLE"
	}
}
```

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cognito-idp-2016-04-18/CreateIdentityProvider) 
+  [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cognito-idp-2016-04-18/CreateIdentityProvider) 
+  [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/CreateIdentityProvider) 
+  [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cognito-idp-2016-04-18/CreateIdentityProvider) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/CreateIdentityProvider) 
+  [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cognito-idp-2016-04-18/CreateIdentityProvider) 
+  [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cognito-idp-2016-04-18/CreateIdentityProvider) 
+  [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cognito-idp-2016-04-18/CreateIdentityProvider) 
+  [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/CreateIdentityProvider) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cognito-idp-2016-04-18/CreateIdentityProvider) 

# CreateManagedLoginBranding


Creates a new set of branding settings for a user pool style and associates it with an app client. This operation is the programmatic option for the creation of a new style in the branding editor.

Provides values for UI customization in a `Settings` JSON object and image files in an `Assets` array. To send the JSON object `Document` type parameter in `Settings`, you might need to update to the most recent version of your AWS SDK. To create a new style with default settings, set `UseCognitoProvidedValues` to `true` and don't provide values for any other options.

 This operation has a 2-megabyte request-size limit and include the CSS settings and image assets for your app client. Your branding settings might exceed 2MB in size. Amazon Cognito doesn't require that you pass all parameters in one request and preserves existing style settings that you don't specify. If your request is larger than 2MB, separate it into multiple requests, each with a size smaller than the limit. 

As a best practice, modify the output of [DescribeManagedLoginBrandingByClient](API_DescribeManagedLoginBrandingByClient.md) into the request parameters for this operation. To get all settings, set `ReturnMergedResources` to `true`. For more information, see [API and SDK operations for managed login branding](https://docs.aws.amazon.com/cognito/latest/developerguide/managed-login-brandingeditor.html#branding-designer-api).

**Note**  
Amazon Cognito evaluates AWS Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.  
 [Signing AWS API Requests](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html) 
 [Using the Amazon Cognito user pools API and user pool endpoints](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html) 

## Request Syntax


```
{
   "Assets": [ 
      { 
         "Bytes": blob,
         "Category": "string",
         "ColorMode": "string",
         "Extension": "string",
         "ResourceId": "string"
      }
   ],
   "ClientId": "string",
   "Settings": JSON value,
   "UseCognitoProvidedValues": boolean,
   "UserPoolId": "string"
}
```

## Request Parameters


For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).

The request accepts the following data in JSON format.

 ** [Assets](#API_CreateManagedLoginBranding_RequestSyntax) **   <a name="CognitoUserPools-CreateManagedLoginBranding-request-Assets"></a>
An array of image files that you want to apply to functions like backgrounds, logos, and icons. Each object must also indicate whether it is for dark mode, light mode, or browser-adaptive mode.  
Type: Array of [AssetType](API_AssetType.md) objects  
Array Members: Minimum number of 0 items. Maximum number of 40 items.  
Required: No

 ** [ClientId](#API_CreateManagedLoginBranding_RequestSyntax) **   <a name="CognitoUserPools-CreateManagedLoginBranding-request-ClientId"></a>
The app client that you want to create the branding style for. Each style is linked to an app client until you delete it.  
To change the style for an app client, delete the existing style with [DeleteManagedLoginBranding](API_DeleteManagedLoginBranding.md) and create a new one.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 128.  
Pattern: `[\w+]+`   
Required: Yes

 ** [Settings](#API_CreateManagedLoginBranding_RequestSyntax) **   <a name="CognitoUserPools-CreateManagedLoginBranding-request-Settings"></a>
A JSON file, encoded as a `Document` type, with the the settings that you want to apply to your style.  
The following components are not currently implemented and reserved for future use:  
+  `signUp` 
+  `instructions` 
+  `sessionTimerDisplay` 
+  `languageSelector` (for localization, see [Managed login localization)](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-managed-login.html#managed-login-localization) 
Type: JSON value  
Required: No

 ** [UseCognitoProvidedValues](#API_CreateManagedLoginBranding_RequestSyntax) **   <a name="CognitoUserPools-CreateManagedLoginBranding-request-UseCognitoProvidedValues"></a>
When true, applies the default branding style options. These default options are managed by Amazon Cognito. You can modify them later in the branding editor.  
When you specify `true` for this option, you must also omit values for `Settings` and `Assets` in the request.  
Type: Boolean  
Required: No

 ** [UserPoolId](#API_CreateManagedLoginBranding_RequestSyntax) **   <a name="CognitoUserPools-CreateManagedLoginBranding-request-UserPoolId"></a>
The ID of the user pool where you want to create a new branding style.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 55.  
Pattern: `[\w-]+_[0-9a-zA-Z]+`   
Required: Yes

## Response Syntax


```
{
   "ManagedLoginBranding": { 
      "Assets": [ 
         { 
            "Bytes": blob,
            "Category": "string",
            "ColorMode": "string",
            "Extension": "string",
            "ResourceId": "string"
         }
      ],
      "CreationDate": number,
      "LastModifiedDate": number,
      "ManagedLoginBrandingId": "string",
      "Settings": JSON value,
      "UseCognitoProvidedValues": boolean,
      "UserPoolId": "string"
   }
}
```

## Response Elements


If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

 ** [ManagedLoginBranding](#API_CreateManagedLoginBranding_ResponseSyntax) **   <a name="CognitoUserPools-CreateManagedLoginBranding-response-ManagedLoginBranding"></a>
The details of the branding style that you created.  
Type: [ManagedLoginBrandingType](API_ManagedLoginBrandingType.md) object

## Errors


For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).

 ** ConcurrentModificationException **   
This exception is thrown if two or more modifications are happening concurrently.    
 ** message **   
The message provided when the concurrent exception is thrown.
HTTP Status Code: 400

 ** InternalErrorException **   
This exception is thrown when Amazon Cognito encounters an internal error.    
 ** message **   
The message returned when Amazon Cognito throws an internal error exception.
HTTP Status Code: 500

 ** InvalidParameterException **   
This exception is thrown when the Amazon Cognito service encounters an invalid parameter.    
 ** message **   
The message returned when the Amazon Cognito service throws an invalid parameter exception.  
 ** reasonCode **   
The reason code of the exception.
HTTP Status Code: 400

 ** LimitExceededException **   
This exception is thrown when a user exceeds the limit for a requested AWS resource.    
 ** message **   
The message returned when Amazon Cognito throws a limit exceeded exception.
HTTP Status Code: 400

 ** ManagedLoginBrandingExistsException **   
This exception is thrown when you attempt to apply a managed login branding style to an app client that already has an assigned style.  
HTTP Status Code: 400

 ** NotAuthorizedException **   
This exception is thrown when a user isn't authorized.    
 ** message **   
The message returned when the Amazon Cognito service returns a not authorized exception.
HTTP Status Code: 400

 ** ResourceNotFoundException **   
This exception is thrown when the Amazon Cognito service can't find the requested resource.    
 ** message **   
The message returned when the Amazon Cognito service returns a resource not found exception.
HTTP Status Code: 400

 ** TooManyRequestsException **   
This exception is thrown when the user has made too many requests for a given operation.    
 ** message **   
The message returned when the Amazon Cognito service returns a too many requests exception.
HTTP Status Code: 400

## Examples


### Example


The following example creates a new managed login branding style for the app client with ID `1example23456789`.

#### Sample Request


```
POST HTTP/1.1
Host: cognito-idp.ca-central-1.amazonaws.com
X-Amz-Date: 20230613T200059Z
Accept-Encoding: gzip, deflate, br
X-Amz-Target: AWSCognitoIdentityProviderService.CreateManagedLoginBranding
User-Agent: <UserAgentString>
Authorization: AWS4-HMAC-SHA256 Credential=<Credential>, SignedHeaders=<Headers>, Signature=<Signature>
Content-Length: <PayloadSizeBytes>


{
    "Assets": [
        {
            "Bytes": "PHN2ZyB3aWR0aD0iMjAwMDAiIGhlaWdodD0iNDAwIiB2aWV3Qm94PSIwIDAgMjAwMDAgNDAwIiBmaWxsPSJub25lIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPgo8ZyBjbGlwLXBhdGg9InVybCgjY2xpcDBfMTcyNTlfMjM2Njc0KSI+CjxyZWN0IHdpZHRoPSIyMDAwMCIgaGVpZ2h0PSI0MDAiIGZpbGw9InVybCgjcGFpbnQwX2xpbmVhcl8xNzI1OV8yMzY2NzQpIi8+CjxwYXRoIGQ9Ik0wIDBIMjAwMDBWNDAwSDBWMFoiIGZpbGw9IiMxMjIwMzciIGZpbGwtb3BhY2l0eT0iMC41Ii8+CjwvZz4KPGRlZnM+CjxsaW5lYXJHcmFkaWVudCBpZD0icGFpbnQwX2xpbmVhcl8xNzI1OV8yMzY2NzQiIHgxPSItODk0LjI0OSIgeTE9IjE5OS45MzEiIHgyPSIxODAzNC41IiB5Mj0iLTU4OTkuNTciIGdyYWRpZW50VW5pdHM9InVzZXJTcGFjZU9uVXNlIj4KPHN0b3Agc3RvcC1jb2xvcj0iI0JGODBGRiIvPgo8c3RvcCBvZmZzZXQ9IjEiIHN0b3AtY29sb3I9IiNGRjhGQUIiLz4KPC9saW5lYXJHcmFkaWVudD4KPGNsaXBQYXRoIGlkPSJjbGlwMF8xNzI1OV8yMzY2NzQiPgo8cmVjdCB3aWR0aD0iMjAwMDAiIGhlaWdodD0iNDAwIiBmaWxsPSJ3aGl0ZSIvPgo8L2NsaXBQYXRoPgo8L2RlZnM+Cjwvc3ZnPgo=",
            "Category": "PAGE_FOOTER_BACKGROUND",
            "ColorMode": "DARK",
            "Extension": "SVG"
        }
    ],
    "ClientId": "1example23456789",
    "Settings": {
        "categories": {
            "auth": {
                "authMethodOrder": [
                    [
                        {
                            "display": "BUTTON",
                            "type": "FEDERATED"
                        },
                        {
                            "display": "INPUT",
                            "type": "USERNAME_PASSWORD"
                        }
                    ]
                ],
                "federation": {
                    "interfaceStyle": "BUTTON_LIST",
                    "order": [
                    ]
                }
            },
            "form": {
                "displayGraphics": true,
                "instructions": {
                    "enabled": false
                },
                "languageSelector": {
                    "enabled": false
                },
                "location": {
                    "horizontal": "CENTER",
                    "vertical": "CENTER"
                },
                "sessionTimerDisplay": "NONE"
            },
            "global": {
                "colorSchemeMode": "LIGHT",
                "pageFooter": {
                    "enabled": false
                },
                "pageHeader": {
                    "enabled": false
                },
                "spacingDensity": "REGULAR"
            },
            "signUp": {
                "acceptanceElements": [
                    {
                        "enforcement": "NONE",
                        "textKey": "en"
                    }
                ]
            }
        },
        "componentClasses": {
            "buttons": {
                "borderRadius": 8.0
            },
            "divider": {
                "darkMode": {
                    "borderColor": "232b37ff"
                },
                "lightMode": {
                    "borderColor": "ebebf0ff"
                }
            },
            "dropDown": {
                "borderRadius": 8.0,
                "darkMode": {
                    "defaults": {
                        "itemBackgroundColor": "192534ff"
                    },
                    "hover": {
                        "itemBackgroundColor": "081120ff",
                        "itemBorderColor": "5f6b7aff",
                        "itemTextColor": "e9ebedff"
                    },
                    "match": {
                        "itemBackgroundColor": "d1d5dbff",
                        "itemTextColor": "89bdeeff"
                    }
                },
                "lightMode": {
                    "defaults": {
                        "itemBackgroundColor": "ffffffff"
                    },
                    "hover": {
                        "itemBackgroundColor": "f4f4f4ff",
                        "itemBorderColor": "7d8998ff",
                        "itemTextColor": "000716ff"
                    },
                    "match": {
                        "itemBackgroundColor": "414d5cff",
                        "itemTextColor": "0972d3ff"
                    }
                }
            },
            "focusState": {
                "darkMode": {
                    "borderColor": "539fe5ff"
                },
                "lightMode": {
                    "borderColor": "0972d3ff"
                }
            },
            "idpButtons": {
                "icons": {
                    "enabled": true
                }
            },
            "input": {
                "borderRadius": 8.0,
                "darkMode": {
                    "defaults": {
                        "backgroundColor": "0f1b2aff",
                        "borderColor": "5f6b7aff"
                    },
                    "placeholderColor": "8d99a8ff"
                },
                "lightMode": {
                    "defaults": {
                        "backgroundColor": "ffffffff",
                        "borderColor": "7d8998ff"
                    },
                    "placeholderColor": "5f6b7aff"
                }
            },
            "inputDescription": {
                "darkMode": {
                    "textColor": "8d99a8ff"
                },
                "lightMode": {
                    "textColor": "5f6b7aff"
                }
            },
            "inputLabel": {
                "darkMode": {
                    "textColor": "d1d5dbff"
                },
                "lightMode": {
                    "textColor": "000716ff"
                }
            },
            "link": {
                "darkMode": {
                    "defaults": {
                        "textColor": "539fe5ff"
                    },
                    "hover": {
                        "textColor": "89bdeeff"
                    }
                },
                "lightMode": {
                    "defaults": {
                        "textColor": "0972d3ff"
                    },
                    "hover": {
                        "textColor": "033160ff"
                    }
                }
            },
            "optionControls": {
                "darkMode": {
                    "defaults": {
                        "backgroundColor": "0f1b2aff",
                        "borderColor": "7d8998ff"
                    },
                    "selected": {
                        "backgroundColor": "539fe5ff",
                        "foregroundColor": "000716ff"
                    }
                },
                "lightMode": {
                    "defaults": {
                        "backgroundColor": "ffffffff",
                        "borderColor": "7d8998ff"
                    },
                    "selected": {
                        "backgroundColor": "0972d3ff",
                        "foregroundColor": "ffffffff"
                    }
                }
            },
            "statusIndicator": {
                "darkMode": {
                    "error": {
                        "backgroundColor": "1a0000ff",
                        "borderColor": "eb6f6fff",
                        "indicatorColor": "eb6f6fff"
                    },
                    "pending": {
                        "indicatorColor": "AAAAAAAA"
                    },
                    "success": {
                        "backgroundColor": "001a02ff",
                        "borderColor": "29ad32ff",
                        "indicatorColor": "29ad32ff"
                    },
                    "warning": {
                        "backgroundColor": "1d1906ff",
                        "borderColor": "e0ca57ff",
                        "indicatorColor": "e0ca57ff"
                    }
                },
                "lightMode": {
                    "error": {
                        "backgroundColor": "fff7f7ff",
                        "borderColor": "d91515ff",
                        "indicatorColor": "d91515ff"
                    },
                    "pending": {
                        "indicatorColor": "AAAAAAAA"
                    },
                    "success": {
                        "backgroundColor": "f2fcf3ff",
                        "borderColor": "037f0cff",
                        "indicatorColor": "037f0cff"
                    },
                    "warning": {
                        "backgroundColor": "fffce9ff",
                        "borderColor": "8d6605ff",
                        "indicatorColor": "8d6605ff"
                    }
                }
            }
        },
        "components": {
            "alert": {
                "borderRadius": 12.0,
                "darkMode": {
                    "error": {
                        "backgroundColor": "1a0000ff",
                        "borderColor": "eb6f6fff"
                    }
                },
                "lightMode": {
                    "error": {
                        "backgroundColor": "fff7f7ff",
                        "borderColor": "d91515ff"
                    }
                }
            },
            "favicon": {
                "enabledTypes": [
                    "ICO",
                    "SVG"
                ]
            },
            "form": {
                "backgroundImage": {
                    "enabled": false
                },
                "borderRadius": 8.0,
                "darkMode": {
                    "backgroundColor": "0f1b2aff",
                    "borderColor": "424650ff"
                },
                "lightMode": {
                    "backgroundColor": "ffffffff",
                    "borderColor": "c6c6cdff"
                },
                "logo": {
                    "enabled": false,
                    "formInclusion": "IN",
                    "location": "CENTER",
                    "position": "TOP"
                }
            },
            "idpButton": {
                "custom": {
                },
                "standard": {
                    "darkMode": {
                        "active": {
                            "backgroundColor": "354150ff",
                            "borderColor": "89bdeeff",
                            "textColor": "89bdeeff"
                        },
                        "defaults": {
                            "backgroundColor": "0f1b2aff",
                            "borderColor": "c6c6cdff",
                            "textColor": "c6c6cdff"
                        },
                        "hover": {
                            "backgroundColor": "192534ff",
                            "borderColor": "89bdeeff",
                            "textColor": "89bdeeff"
                        }
                    },
                    "lightMode": {
                        "active": {
                            "backgroundColor": "d3e7f9ff",
                            "borderColor": "033160ff",
                            "textColor": "033160ff"
                        },
                        "defaults": {
                            "backgroundColor": "ffffffff",
                            "borderColor": "424650ff",
                            "textColor": "424650ff"
                        },
                        "hover": {
                            "backgroundColor": "f2f8fdff",
                            "borderColor": "033160ff",
                            "textColor": "033160ff"
                        }
                    }
                }
            },
            "pageBackground": {
                "darkMode": {
                    "color": "0f1b2aff"
                },
                "image": {
                    "enabled": true
                },
                "lightMode": {
                    "color": "ffffffff"
                }
            },
            "pageFooter": {
                "backgroundImage": {
                    "enabled": false
                },
                "darkMode": {
                    "background": {
                        "color": "0f141aff"
                    },
                    "borderColor": "424650ff"
                },
                "lightMode": {
                    "background": {
                        "color": "fafafaff"
                    },
                    "borderColor": "d5dbdbff"
                },
                "logo": {
                    "enabled": false,
                    "location": "START"
                }
            },
            "pageHeader": {
                "backgroundImage": {
                    "enabled": false
                },
                "darkMode": {
                    "background": {
                        "color": "0f141aff"
                    },
                    "borderColor": "424650ff"
                },
                "lightMode": {
                    "background": {
                        "color": "fafafaff"
                    },
                    "borderColor": "d5dbdbff"
                },
                "logo": {
                    "enabled": false,
                    "location": "START"
                }
            },
            "pageText": {
                "darkMode": {
                    "bodyColor": "b6bec9ff",
                    "descriptionColor": "b6bec9ff",
                    "headingColor": "d1d5dbff"
                },
                "lightMode": {
                    "bodyColor": "414d5cff",
                    "descriptionColor": "414d5cff",
                    "headingColor": "000716ff"
                }
            },
            "phoneNumberSelector": {
                "displayType": "TEXT"
            },
            "primaryButton": {
                "darkMode": {
                    "active": {
                        "backgroundColor": "539fe5ff",
                        "textColor": "000716ff"
                    },
                    "defaults": {
                        "backgroundColor": "539fe5ff",
                        "textColor": "000716ff"
                    },
                    "disabled": {
                        "backgroundColor": "ffffffff",
                        "borderColor": "ffffffff"
                    },
                    "hover": {
                        "backgroundColor": "89bdeeff",
                        "textColor": "000716ff"
                    }
                },
                "lightMode": {
                    "active": {
                        "backgroundColor": "033160ff",
                        "textColor": "ffffffff"
                    },
                    "defaults": {
                        "backgroundColor": "0972d3ff",
                        "textColor": "ffffffff"
                    },
                    "disabled": {
                        "backgroundColor": "ffffffff",
                        "borderColor": "ffffffff"
                    },
                    "hover": {
                        "backgroundColor": "033160ff",
                        "textColor": "ffffffff"
                    }
                }
            },
            "secondaryButton": {
                "darkMode": {
                    "active": {
                        "backgroundColor": "354150ff",
                        "borderColor": "89bdeeff",
                        "textColor": "89bdeeff"
                    },
                    "defaults": {
                        "backgroundColor": "0f1b2aff",
                        "borderColor": "539fe5ff",
                        "textColor": "539fe5ff"
                    },
                    "hover": {
                        "backgroundColor": "192534ff",
                        "borderColor": "89bdeeff",
                        "textColor": "89bdeeff"
                    }
                },
                "lightMode": {
                    "active": {
                        "backgroundColor": "d3e7f9ff",
                        "borderColor": "033160ff",
                        "textColor": "033160ff"
                    },
                    "defaults": {
                        "backgroundColor": "ffffffff",
                        "borderColor": "0972d3ff",
                        "textColor": "0972d3ff"
                    },
                    "hover": {
                        "backgroundColor": "f2f8fdff",
                        "borderColor": "033160ff",
                        "textColor": "033160ff"
                    }
                }
            }
        }
    },
    "UseCognitoProvidedValues": false,
    "UserPoolId": "ca-central-1_EXAMPLE"
}
```

#### Sample Response


```
HTTP/1.1 200 OK
Date: Tue, 13 Jun 2023 20:00:59 GMT
Content-Type: application/x-amz-json-1.0
Content-Length: <PayloadSizeBytes>
x-amzn-requestid: a1b2c3d4-e5f6-a1b2-c3d4-EXAMPLE11111
Connection: keep-alive


{
    "ManagedLoginBranding": {
        "Assets": [
            {
                "Bytes": "PHN2ZyB3aWR0aD0iMjAwMDAiIGhlaWdodD0iNDAwIiB2aWV3Qm94PSIwIDAgMjAwMDAgNDAwIiBmaWxsPSJub25lIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPgo8ZyBjbGlwLXBhdGg9InVybCgjY2xpcDBfMTcyNTlfMjM2Njc0KSI+CjxyZWN0IHdpZHRoPSIyMDAwMCIgaGVpZ2h0PSI0MDAiIGZpbGw9InVybCgjcGFpbnQwX2xpbmVhcl8xNzI1OV8yMzY2NzQpIi8+CjxwYXRoIGQ9Ik0wIDBIMjAwMDBWNDAwSDBWMFoiIGZpbGw9IiMxMjIwMzciIGZpbGwtb3BhY2l0eT0iMC41Ii8+CjwvZz4KPGRlZnM+CjxsaW5lYXJHcmFkaWVudCBpZD0icGFpbnQwX2xpbmVhcl8xNzI1OV8yMzY2NzQiIHgxPSItODk0LjI0OSIgeTE9IjE5OS45MzEiIHgyPSIxODAzNC41IiB5Mj0iLTU4OTkuNTciIGdyYWRpZW50VW5pdHM9InVzZXJTcGFjZU9uVXNlIj4KPHN0b3Agc3RvcC1jb2xvcj0iI0JGODBGRiIvPgo8c3RvcCBvZmZzZXQ9IjEiIHN0b3AtY29sb3I9IiNGRjhGQUIiLz4KPC9saW5lYXJHcmFkaWVudD4KPGNsaXBQYXRoIGlkPSJjbGlwMF8xNzI1OV8yMzY2NzQiPgo8cmVjdCB3aWR0aD0iMjAwMDAiIGhlaWdodD0iNDAwIiBmaWxsPSJ3aGl0ZSIvPgo8L2NsaXBQYXRoPgo8L2RlZnM+Cjwvc3ZnPgo=",
                "Category": "PAGE_FOOTER_BACKGROUND",
                "ColorMode": "DARK",
                "Extension": "SVG"
            }
        ],
        "CreationDate": 1732138490.642,
        "LastModifiedDate": 1732140420.301,
        "ManagedLoginBrandingId": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
        "Settings": {
            "categories": {
                "auth": {
                    "authMethodOrder": [
                        [
                            {
                                "display": "BUTTON",
                                "type": "FEDERATED"
                            },
                            {
                                "display": "INPUT",
                                "type": "USERNAME_PASSWORD"
                            }
                        ]
                    ],
                    "federation": {
                        "interfaceStyle": "BUTTON_LIST",
                        "order": [
                        ]
                    }
                },
                "form": {
                    "displayGraphics": true,
                    "instructions": {
                        "enabled": false
                    },
                    "languageSelector": {
                        "enabled": false
                    },
                    "location": {
                        "horizontal": "CENTER",
                        "vertical": "CENTER"
                    },
                    "sessionTimerDisplay": "NONE"
                },
                "global": {
                    "colorSchemeMode": "LIGHT",
                    "pageFooter": {
                        "enabled": false
                    },
                    "pageHeader": {
                        "enabled": false
                    },
                    "spacingDensity": "REGULAR"
                },
                "signUp": {
                    "acceptanceElements": [
                        {
                            "enforcement": "NONE",
                            "textKey": "en"
                        }
                    ]
                }
            },
            "componentClasses": {
                "buttons": {
                    "borderRadius": 8.0
                },
                "divider": {
                    "darkMode": {
                        "borderColor": "232b37ff"
                    },
                    "lightMode": {
                        "borderColor": "ebebf0ff"
                    }
                },
                "dropDown": {
                    "borderRadius": 8.0,
                    "darkMode": {
                        "defaults": {
                            "itemBackgroundColor": "192534ff"
                        },
                        "hover": {
                            "itemBackgroundColor": "081120ff",
                            "itemBorderColor": "5f6b7aff",
                            "itemTextColor": "e9ebedff"
                        },
                        "match": {
                            "itemBackgroundColor": "d1d5dbff",
                            "itemTextColor": "89bdeeff"
                        }
                    },
                    "lightMode": {
                        "defaults": {
                            "itemBackgroundColor": "ffffffff"
                        },
                        "hover": {
                            "itemBackgroundColor": "f4f4f4ff",
                            "itemBorderColor": "7d8998ff",
                            "itemTextColor": "000716ff"
                        },
                        "match": {
                            "itemBackgroundColor": "414d5cff",
                            "itemTextColor": "0972d3ff"
                        }
                    }
                },
                "focusState": {
                    "darkMode": {
                        "borderColor": "539fe5ff"
                    },
                    "lightMode": {
                        "borderColor": "0972d3ff"
                    }
                },
                "idpButtons": {
                    "icons": {
                        "enabled": true
                    }
                },
                "input": {
                    "borderRadius": 8.0,
                    "darkMode": {
                        "defaults": {
                            "backgroundColor": "0f1b2aff",
                            "borderColor": "5f6b7aff"
                        },
                        "placeholderColor": "8d99a8ff"
                    },
                    "lightMode": {
                        "defaults": {
                            "backgroundColor": "ffffffff",
                            "borderColor": "7d8998ff"
                        },
                        "placeholderColor": "5f6b7aff"
                    }
                },
                "inputDescription": {
                    "darkMode": {
                        "textColor": "8d99a8ff"
                    },
                    "lightMode": {
                        "textColor": "5f6b7aff"
                    }
                },
                "inputLabel": {
                    "darkMode": {
                        "textColor": "d1d5dbff"
                    },
                    "lightMode": {
                        "textColor": "000716ff"
                    }
                },
                "link": {
                    "darkMode": {
                        "defaults": {
                            "textColor": "539fe5ff"
                        },
                        "hover": {
                            "textColor": "89bdeeff"
                        }
                    },
                    "lightMode": {
                        "defaults": {
                            "textColor": "0972d3ff"
                        },
                        "hover": {
                            "textColor": "033160ff"
                        }
                    }
                },
                "optionControls": {
                    "darkMode": {
                        "defaults": {
                            "backgroundColor": "0f1b2aff",
                            "borderColor": "7d8998ff"
                        },
                        "selected": {
                            "backgroundColor": "539fe5ff",
                            "foregroundColor": "000716ff"
                        }
                    },
                    "lightMode": {
                        "defaults": {
                            "backgroundColor": "ffffffff",
                            "borderColor": "7d8998ff"
                        },
                        "selected": {
                            "backgroundColor": "0972d3ff",
                            "foregroundColor": "ffffffff"
                        }
                    }
                },
                "statusIndicator": {
                    "darkMode": {
                        "error": {
                            "backgroundColor": "1a0000ff",
                            "borderColor": "eb6f6fff",
                            "indicatorColor": "eb6f6fff"
                        },
                        "pending": {
                            "indicatorColor": "AAAAAAAA"
                        },
                        "success": {
                            "backgroundColor": "001a02ff",
                            "borderColor": "29ad32ff",
                            "indicatorColor": "29ad32ff"
                        },
                        "warning": {
                            "backgroundColor": "1d1906ff",
                            "borderColor": "e0ca57ff",
                            "indicatorColor": "e0ca57ff"
                        }
                    },
                    "lightMode": {
                        "error": {
                            "backgroundColor": "fff7f7ff",
                            "borderColor": "d91515ff",
                            "indicatorColor": "d91515ff"
                        },
                        "pending": {
                            "indicatorColor": "AAAAAAAA"
                        },
                        "success": {
                            "backgroundColor": "f2fcf3ff",
                            "borderColor": "037f0cff",
                            "indicatorColor": "037f0cff"
                        },
                        "warning": {
                            "backgroundColor": "fffce9ff",
                            "borderColor": "8d6605ff",
                            "indicatorColor": "8d6605ff"
                        }
                    }
                }
            },
            "components": {
                "alert": {
                    "borderRadius": 12.0,
                    "darkMode": {
                        "error": {
                            "backgroundColor": "1a0000ff",
                            "borderColor": "eb6f6fff"
                        }
                    },
                    "lightMode": {
                        "error": {
                            "backgroundColor": "fff7f7ff",
                            "borderColor": "d91515ff"
                        }
                    }
                },
                "favicon": {
                    "enabledTypes": [
                        "ICO",
                        "SVG"
                    ]
                },
                "form": {
                    "backgroundImage": {
                        "enabled": false
                    },
                    "borderRadius": 8.0,
                    "darkMode": {
                        "backgroundColor": "0f1b2aff",
                        "borderColor": "424650ff"
                    },
                    "lightMode": {
                        "backgroundColor": "ffffffff",
                        "borderColor": "c6c6cdff"
                    },
                    "logo": {
                        "enabled": false,
                        "formInclusion": "IN",
                        "location": "CENTER",
                        "position": "TOP"
                    }
                },
                "idpButton": {
                    "custom": {
                    },
                    "standard": {
                        "darkMode": {
                            "active": {
                                "backgroundColor": "354150ff",
                                "borderColor": "89bdeeff",
                                "textColor": "89bdeeff"
                            },
                            "defaults": {
                                "backgroundColor": "0f1b2aff",
                                "borderColor": "c6c6cdff",
                                "textColor": "c6c6cdff"
                            },
                            "hover": {
                                "backgroundColor": "192534ff",
                                "borderColor": "89bdeeff",
                                "textColor": "89bdeeff"
                            }
                        },
                        "lightMode": {
                            "active": {
                                "backgroundColor": "d3e7f9ff",
                                "borderColor": "033160ff",
                                "textColor": "033160ff"
                            },
                            "defaults": {
                                "backgroundColor": "ffffffff",
                                "borderColor": "424650ff",
                                "textColor": "424650ff"
                            },
                            "hover": {
                                "backgroundColor": "f2f8fdff",
                                "borderColor": "033160ff",
                                "textColor": "033160ff"
                            }
                        }
                    }
                },
                "pageBackground": {
                    "darkMode": {
                        "color": "0f1b2aff"
                    },
                    "image": {
                        "enabled": true
                    },
                    "lightMode": {
                        "color": "ffffffff"
                    }
                },
                "pageFooter": {
                    "backgroundImage": {
                        "enabled": false
                    },
                    "darkMode": {
                        "background": {
                            "color": "0f141aff"
                        },
                        "borderColor": "424650ff"
                    },
                    "lightMode": {
                        "background": {
                            "color": "fafafaff"
                        },
                        "borderColor": "d5dbdbff"
                    },
                    "logo": {
                        "enabled": false,
                        "location": "START"
                    }
                },
                "pageHeader": {
                    "backgroundImage": {
                        "enabled": false
                    },
                    "darkMode": {
                        "background": {
                            "color": "0f141aff"
                        },
                        "borderColor": "424650ff"
                    },
                    "lightMode": {
                        "background": {
                            "color": "fafafaff"
                        },
                        "borderColor": "d5dbdbff"
                    },
                    "logo": {
                        "enabled": false,
                        "location": "START"
                    }
                },
                "pageText": {
                    "darkMode": {
                        "bodyColor": "b6bec9ff",
                        "descriptionColor": "b6bec9ff",
                        "headingColor": "d1d5dbff"
                    },
                    "lightMode": {
                        "bodyColor": "414d5cff",
                        "descriptionColor": "414d5cff",
                        "headingColor": "000716ff"
                    }
                },
                "phoneNumberSelector": {
                    "displayType": "TEXT"
                },
                "primaryButton": {
                    "darkMode": {
                        "active": {
                            "backgroundColor": "539fe5ff",
                            "textColor": "000716ff"
                        },
                        "defaults": {
                            "backgroundColor": "539fe5ff",
                            "textColor": "000716ff"
                        },
                        "disabled": {
                            "backgroundColor": "ffffffff",
                            "borderColor": "ffffffff"
                        },
                        "hover": {
                            "backgroundColor": "89bdeeff",
                            "textColor": "000716ff"
                        }
                    },
                    "lightMode": {
                        "active": {
                            "backgroundColor": "033160ff",
                            "textColor": "ffffffff"
                        },
                        "defaults": {
                            "backgroundColor": "0972d3ff",
                            "textColor": "ffffffff"
                        },
                        "disabled": {
                            "backgroundColor": "ffffffff",
                            "borderColor": "ffffffff"
                        },
                        "hover": {
                            "backgroundColor": "033160ff",
                            "textColor": "ffffffff"
                        }
                    }
                },
                "secondaryButton": {
                    "darkMode": {
                        "active": {
                            "backgroundColor": "354150ff",
                            "borderColor": "89bdeeff",
                            "textColor": "89bdeeff"
                        },
                        "defaults": {
                            "backgroundColor": "0f1b2aff",
                            "borderColor": "539fe5ff",
                            "textColor": "539fe5ff"
                        },
                        "hover": {
                            "backgroundColor": "192534ff",
                            "borderColor": "89bdeeff",
                            "textColor": "89bdeeff"
                        }
                    },
                    "lightMode": {
                        "active": {
                            "backgroundColor": "d3e7f9ff",
                            "borderColor": "033160ff",
                            "textColor": "033160ff"
                        },
                        "defaults": {
                            "backgroundColor": "ffffffff",
                            "borderColor": "0972d3ff",
                            "textColor": "0972d3ff"
                        },
                        "hover": {
                            "backgroundColor": "f2f8fdff",
                            "borderColor": "033160ff",
                            "textColor": "033160ff"
                        }
                    }
                }
            }
        },
        "UseCognitoProvidedValues": false,
        "UserPoolId": "ca-central-1_EXAMPLE"
    }
}
```

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cognito-idp-2016-04-18/CreateManagedLoginBranding) 
+  [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cognito-idp-2016-04-18/CreateManagedLoginBranding) 
+  [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/CreateManagedLoginBranding) 
+  [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cognito-idp-2016-04-18/CreateManagedLoginBranding) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/CreateManagedLoginBranding) 
+  [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cognito-idp-2016-04-18/CreateManagedLoginBranding) 
+  [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cognito-idp-2016-04-18/CreateManagedLoginBranding) 
+  [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cognito-idp-2016-04-18/CreateManagedLoginBranding) 
+  [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/CreateManagedLoginBranding) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cognito-idp-2016-04-18/CreateManagedLoginBranding) 

# CreateResourceServer


Creates a new OAuth2.0 resource server and defines custom scopes within it. Resource servers are associated with custom scopes and machine-to-machine (M2M) authorization. For more information, see [Access control with resource servers](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-define-resource-servers.html).

**Note**  
Amazon Cognito evaluates AWS Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.  
 [Signing AWS API Requests](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html) 
 [Using the Amazon Cognito user pools API and user pool endpoints](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html) 

## Request Syntax


```
{
   "Identifier": "string",
   "Name": "string",
   "Scopes": [ 
      { 
         "ScopeDescription": "string",
         "ScopeName": "string"
      }
   ],
   "UserPoolId": "string"
}
```

## Request Parameters


For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).

The request accepts the following data in JSON format.

 ** [Identifier](#API_CreateResourceServer_RequestSyntax) **   <a name="CognitoUserPools-CreateResourceServer-request-Identifier"></a>
A unique resource server identifier for the resource server. The identifier can be an API friendly name like `solar-system-data`. You can also set an API URL like `https://solar-system-data-api.example.com` as your identifier.  
Amazon Cognito represents scopes in the access token in the format `$resource-server-identifier/$scope`. Longer scope-identifier strings increase the size of your access tokens.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 256.  
Pattern: `[\x21\x23-\x5B\x5D-\x7E]+`   
Required: Yes

 ** [Name](#API_CreateResourceServer_RequestSyntax) **   <a name="CognitoUserPools-CreateResourceServer-request-Name"></a>
A friendly name for the resource server.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 256.  
Pattern: `[\w\s+=,.@-]+`   
Required: Yes

 ** [Scopes](#API_CreateResourceServer_RequestSyntax) **   <a name="CognitoUserPools-CreateResourceServer-request-Scopes"></a>
A list of custom scopes. Each scope is a key-value map with the keys `ScopeName` and `ScopeDescription`. The name of a custom scope is a combination of `ScopeName` and the resource server `Name` in this request, for example `MyResourceServerName/MyScopeName`.  
Type: Array of [ResourceServerScopeType](API_ResourceServerScopeType.md) objects  
Array Members: Maximum number of 100 items.  
Required: No

 ** [UserPoolId](#API_CreateResourceServer_RequestSyntax) **   <a name="CognitoUserPools-CreateResourceServer-request-UserPoolId"></a>
The ID of the user pool where you want to create a resource server.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 55.  
Pattern: `[\w-]+_[0-9a-zA-Z]+`   
Required: Yes

## Response Syntax


```
{
   "ResourceServer": { 
      "Identifier": "string",
      "Name": "string",
      "Scopes": [ 
         { 
            "ScopeDescription": "string",
            "ScopeName": "string"
         }
      ],
      "UserPoolId": "string"
   }
}
```

## Response Elements


If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

 ** [ResourceServer](#API_CreateResourceServer_ResponseSyntax) **   <a name="CognitoUserPools-CreateResourceServer-response-ResourceServer"></a>
The details of the new resource server.  
Type: [ResourceServerType](API_ResourceServerType.md) object

## Errors


For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).

 ** InternalErrorException **   
This exception is thrown when Amazon Cognito encounters an internal error.    
 ** message **   
The message returned when Amazon Cognito throws an internal error exception.
HTTP Status Code: 500

 ** InvalidParameterException **   
This exception is thrown when the Amazon Cognito service encounters an invalid parameter.    
 ** message **   
The message returned when the Amazon Cognito service throws an invalid parameter exception.  
 ** reasonCode **   
The reason code of the exception.
HTTP Status Code: 400

 ** LimitExceededException **   
This exception is thrown when a user exceeds the limit for a requested AWS resource.    
 ** message **   
The message returned when Amazon Cognito throws a limit exceeded exception.
HTTP Status Code: 400

 ** NotAuthorizedException **   
This exception is thrown when a user isn't authorized.    
 ** message **   
The message returned when the Amazon Cognito service returns a not authorized exception.
HTTP Status Code: 400

 ** ResourceNotFoundException **   
This exception is thrown when the Amazon Cognito service can't find the requested resource.    
 ** message **   
The message returned when the Amazon Cognito service returns a resource not found exception.
HTTP Status Code: 400

 ** TooManyRequestsException **   
This exception is thrown when the user has made too many requests for a given operation.    
 ** message **   
The message returned when the Amazon Cognito service returns a too many requests exception.
HTTP Status Code: 400

## Examples


### Example


The following example request creates a resource server for the API at `myapi.example.com` with the scopes `myapi.example.com/international.read` and `myapi.example.com/domestic.read`.

#### Sample Request


```
POST HTTP/1.1
Host: cognito-idp.us-west-2.amazonaws.com
X-Amz-Date: 20230613T200059Z
Accept-Encoding: gzip, deflate, br
X-Amz-Target: AWSCognitoIdentityProviderService.CreateResourceServer
User-Agent: <UserAgentString>
Authorization: AWS4-HMAC-SHA256 Credential=<Credential>, SignedHeaders=<Headers>, Signature=<Signature>
Content-Length: <PayloadSizeBytes>
{
   "Identifier": "myapi.example.com",
   "Name": "Example API with custom access control scopes",
   "Scopes": [
      {
         "ScopeDescription": "International customers",
         "ScopeName": "international.read"
      },
      {
         "ScopeDescription": "Domestic customers",
         "ScopeName": "domestic.read"
      }
   ],
   "UserPoolId": "us-west-2_EXAMPLE"
}
```

#### Sample Response


```
HTTP/1.1 200 OK
Date: Tue, 13 Jun 2023 20:00:59 GMT
Content-Type: application/x-amz-json-1.0
Content-Length: <PayloadSizeBytes>
x-amzn-requestid: a1b2c3d4-e5f6-a1b2-c3d4-EXAMPLE11111
Connection: keep-alive
{
	"ResourceServer": {
		"Identifier": "myapi.example.com",
		"Name": "Example API with custom access control scopes",
		"Scopes": [
			{
				"ScopeDescription": "International customers",
				"ScopeName": "international.read"
			},
			{
				"ScopeDescription": "Domestic customers",
				"ScopeName": "domestic.read"
			}
		],
		"UserPoolId": "us-west-2_EXAMPLE"
	}
}
```

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cognito-idp-2016-04-18/CreateResourceServer) 
+  [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cognito-idp-2016-04-18/CreateResourceServer) 
+  [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/CreateResourceServer) 
+  [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cognito-idp-2016-04-18/CreateResourceServer) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/CreateResourceServer) 
+  [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cognito-idp-2016-04-18/CreateResourceServer) 
+  [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cognito-idp-2016-04-18/CreateResourceServer) 
+  [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cognito-idp-2016-04-18/CreateResourceServer) 
+  [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/CreateResourceServer) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cognito-idp-2016-04-18/CreateResourceServer) 

# CreateTerms


Creates terms documents for the requested app client. When Terms and conditions and Privacy policy documents are configured, the app client displays links to them in the sign-up page of managed login for the app client.

You can provide URLs for terms documents in the languages that are supported by [managed login localization](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-managed-login.html#managed-login-localization). Amazon Cognito directs users to the terms documents for their current language, with fallback to `default` if no document exists for the language.

Each request accepts one type of terms document and a map of language-to-link for that document type. You must provide both types of terms documents in at least one language before Amazon Cognito displays your terms documents. Supply each type in separate requests.

For more information, see [Terms documents](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-managed-login.html#managed-login-terms-documents).

**Note**  
Amazon Cognito evaluates AWS Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.  
 [Signing AWS API Requests](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html) 
 [Using the Amazon Cognito user pools API and user pool endpoints](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html) 

## Request Syntax


```
{
   "ClientId": "string",
   "Enforcement": "string",
   "Links": { 
      "string" : "string" 
   },
   "TermsName": "string",
   "TermsSource": "string",
   "UserPoolId": "string"
}
```

## Request Parameters


For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).

The request accepts the following data in JSON format.

 ** [ClientId](#API_CreateTerms_RequestSyntax) **   <a name="CognitoUserPools-CreateTerms-request-ClientId"></a>
The ID of the app client where you want to create terms documents. Must be an app client in the requested user pool.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 128.  
Pattern: `[\w+]+`   
Required: Yes

 ** [Enforcement](#API_CreateTerms_RequestSyntax) **   <a name="CognitoUserPools-CreateTerms-request-Enforcement"></a>
This parameter is reserved for future use and currently accepts only one value.  
Type: String  
Valid Values: `NONE`   
Required: Yes

 ** [Links](#API_CreateTerms_RequestSyntax) **   <a name="CognitoUserPools-CreateTerms-request-Links"></a>
A map of URLs to languages. For each localized language that will view the requested `TermsName`, assign a URL. A selection of `cognito:default` displays for all languages that don't have a language-specific URL.  
For example, `"cognito:default": "https://terms.example.com", "cognito:spanish": "https://terms.example.com/es"`.  
Type: String to string map  
Map Entries: Maximum number of 12 items.  
Key Pattern: `^cognito:(default|english|french|spanish|german|bahasa-indonesia|italian|japanese|korean|portuguese-brazil|chinese-(simplified|traditional))$`   
Value Length Constraints: Minimum length of 1. Maximum length of 1024.  
Value Pattern: `^[\p{L}\p{M}\p{S}\p{N}\p{P}]+$`   
Required: No

 ** [TermsName](#API_CreateTerms_RequestSyntax) **   <a name="CognitoUserPools-CreateTerms-request-TermsName"></a>
A friendly name for the document that you want to create in the current request. Must begin with `terms-of-use` or `privacy-policy` as identification of the document type. Provide URLs for both `terms-of-use` and `privacy-policy` in separate requests.  
Type: String  
Pattern: `^(terms-of-use|privacy-policy)$`   
Required: Yes

 ** [TermsSource](#API_CreateTerms_RequestSyntax) **   <a name="CognitoUserPools-CreateTerms-request-TermsSource"></a>
This parameter is reserved for future use and currently accepts only one value.  
Type: String  
Valid Values: `LINK`   
Required: Yes

 ** [UserPoolId](#API_CreateTerms_RequestSyntax) **   <a name="CognitoUserPools-CreateTerms-request-UserPoolId"></a>
The ID of the user pool where you want to create terms documents.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 55.  
Pattern: `[\w-]+_[0-9a-zA-Z]+`   
Required: Yes

## Response Syntax


```
{
   "Terms": { 
      "ClientId": "string",
      "CreationDate": number,
      "Enforcement": "string",
      "LastModifiedDate": number,
      "Links": { 
         "string" : "string" 
      },
      "TermsId": "string",
      "TermsName": "string",
      "TermsSource": "string",
      "UserPoolId": "string"
   }
}
```

## Response Elements


If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

 ** [Terms](#API_CreateTerms_ResponseSyntax) **   <a name="CognitoUserPools-CreateTerms-response-Terms"></a>
A summary of your terms documents. Includes a unique identifier for later changes to the terms documents.  
Type: [TermsType](API_TermsType.md) object

## Errors


For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).

 ** ConcurrentModificationException **   
This exception is thrown if two or more modifications are happening concurrently.    
 ** message **   
The message provided when the concurrent exception is thrown.
HTTP Status Code: 400

 ** InternalErrorException **   
This exception is thrown when Amazon Cognito encounters an internal error.    
 ** message **   
The message returned when Amazon Cognito throws an internal error exception.
HTTP Status Code: 500

 ** InvalidParameterException **   
This exception is thrown when the Amazon Cognito service encounters an invalid parameter.    
 ** message **   
The message returned when the Amazon Cognito service throws an invalid parameter exception.  
 ** reasonCode **   
The reason code of the exception.
HTTP Status Code: 400

 ** LimitExceededException **   
This exception is thrown when a user exceeds the limit for a requested AWS resource.    
 ** message **   
The message returned when Amazon Cognito throws a limit exceeded exception.
HTTP Status Code: 400

 ** NotAuthorizedException **   
This exception is thrown when a user isn't authorized.    
 ** message **   
The message returned when the Amazon Cognito service returns a not authorized exception.
HTTP Status Code: 400

 ** ResourceNotFoundException **   
This exception is thrown when the Amazon Cognito service can't find the requested resource.    
 ** message **   
The message returned when the Amazon Cognito service returns a resource not found exception.
HTTP Status Code: 400

 ** TermsExistsException **   
Terms document names must be unique to the app client. This exception is thrown when you attempt to create terms documents with a duplicate `TermsName`.  
HTTP Status Code: 400

 ** TooManyRequestsException **   
This exception is thrown when the user has made too many requests for a given operation.    
 ** message **   
The message returned when the Amazon Cognito service returns a too many requests exception.
HTTP Status Code: 400

## Examples


### Example


The following example operation creates a privacy policy terms document for app client `1example23456789` with URLs for default, French, and Portuguese (Brazil) languages.

#### Sample Request


```
POST HTTP/1.1
Host: cognito-idp.us-west-2.amazonaws.com
X-Amz-Date: 20230613T200059Z
Accept-Encoding: gzip, deflate, br
X-Amz-Target: AWSCognitoIdentityProviderService.CreateTerms
User-Agent: <UserAgentString>
Authorization: AWS4-HMAC-SHA256 Credential=<Credential>, SignedHeaders=<Headers>, Signature=<Signature>
Content-Length: <PayloadSizeBytes>

{
   "ClientId": "1example23456789",
   "Enforcement": "NONE",
   "Links": {
      "cognito:default" : "https://example.com/privacy/",
      "cognito:french" : "https://example.com/fr/privacy/",
      "cognito:portuguese-brazil" : "https://example.com/pt/privacy/"
   },
   "TermsName": "privacy-policy",
   "TermsSource": "LINK",
   "UserPoolId": "us-east-1_EXAMPLE"
}
```

#### Sample Response


```
HTTP/1.1 200 OK
Date: Tue, 13 Jun 2023 20:00:59 GMT
Content-Type: application/x-amz-json-1.0
Content-Length: <PayloadSizeBytes>
x-amzn-requestid: a1b2c3d4-e5f6-a1b2-c3d4-EXAMPLE11111
Connection: keep-alive

{
    "Terms": {
        "ClientId": "1example23456789",
        "CreationDate": 1755793809.755,
        "Enforcement": "NONE",
        "LastModifiedDate": 1755793845.123,
        "Links": {
            "cognito:default": "https://example.com/privacy/",
            "cognito:french": "https://example.com/fr/privacy/",
            "cognito:portuguese-brazil": "https://example.com/pt/privacy/"
        },
        "TermsId": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
        "TermsName": "privacy-policy",
        "TermsSource": "LINK",
        "UserPoolId": "us-east-1_EXAMPLE"
    }
}
```

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cognito-idp-2016-04-18/CreateTerms) 
+  [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cognito-idp-2016-04-18/CreateTerms) 
+  [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/CreateTerms) 
+  [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cognito-idp-2016-04-18/CreateTerms) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/CreateTerms) 
+  [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cognito-idp-2016-04-18/CreateTerms) 
+  [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cognito-idp-2016-04-18/CreateTerms) 
+  [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cognito-idp-2016-04-18/CreateTerms) 
+  [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/CreateTerms) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cognito-idp-2016-04-18/CreateTerms) 

# CreateUserImportJob


Creates a user import job. You can import users into user pools from a comma-separated values (CSV) file without adding Amazon Cognito MAU costs to your AWS bill.

To generate a template for your import, see [GetCSVHeader](API_GetCSVHeader.md). To learn more about CSV import, see [Importing users from a CSV file](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-using-import-tool.html).

**Note**  
Amazon Cognito evaluates AWS Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.  
 [Signing AWS API Requests](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html) 
 [Using the Amazon Cognito user pools API and user pool endpoints](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html) 

## Request Syntax


```
{
   "CloudWatchLogsRoleArn": "string",
   "JobName": "string",
   "UserPoolId": "string"
}
```

## Request Parameters


For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).

The request accepts the following data in JSON format.

 ** [CloudWatchLogsRoleArn](#API_CreateUserImportJob_RequestSyntax) **   <a name="CognitoUserPools-CreateUserImportJob-request-CloudWatchLogsRoleArn"></a>
You must specify an IAM role that has permission to log import-job results to Amazon CloudWatch Logs. This parameter is the ARN of that role.  
Type: String  
Length Constraints: Minimum length of 20. Maximum length of 2048.  
Pattern: `arn:[\w+=/,.@-]+:[\w+=/,.@-]+:([\w+=/,.@-]*)?:[0-9]+:[\w+=/,.@-]+(:[\w+=/,.@-]+)?(:[\w+=/,.@-]+)?`   
Required: Yes

 ** [JobName](#API_CreateUserImportJob_RequestSyntax) **   <a name="CognitoUserPools-CreateUserImportJob-request-JobName"></a>
A friendly name for the user import job.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 128.  
Pattern: `[\w\s+=,.@-]+`   
Required: Yes

 ** [UserPoolId](#API_CreateUserImportJob_RequestSyntax) **   <a name="CognitoUserPools-CreateUserImportJob-request-UserPoolId"></a>
The ID of the user pool that you want to import users into.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 55.  
Pattern: `[\w-]+_[0-9a-zA-Z]+`   
Required: Yes

## Response Syntax


```
{
   "UserImportJob": { 
      "CloudWatchLogsRoleArn": "string",
      "CompletionDate": number,
      "CompletionMessage": "string",
      "CreationDate": number,
      "FailedUsers": number,
      "ImportedUsers": number,
      "JobId": "string",
      "JobName": "string",
      "PreSignedUrl": "string",
      "SkippedUsers": number,
      "StartDate": number,
      "Status": "string",
      "UserPoolId": "string"
   }
}
```

## Response Elements


If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

 ** [UserImportJob](#API_CreateUserImportJob_ResponseSyntax) **   <a name="CognitoUserPools-CreateUserImportJob-response-UserImportJob"></a>
The details of the user import job. Includes logging destination, status, and the Amazon S3 pre-signed URL for CSV upload.  
Type: [UserImportJobType](API_UserImportJobType.md) object

## Errors


For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).

 ** InternalErrorException **   
This exception is thrown when Amazon Cognito encounters an internal error.    
 ** message **   
The message returned when Amazon Cognito throws an internal error exception.
HTTP Status Code: 500

 ** InvalidParameterException **   
This exception is thrown when the Amazon Cognito service encounters an invalid parameter.    
 ** message **   
The message returned when the Amazon Cognito service throws an invalid parameter exception.  
 ** reasonCode **   
The reason code of the exception.
HTTP Status Code: 400

 ** LimitExceededException **   
This exception is thrown when a user exceeds the limit for a requested AWS resource.    
 ** message **   
The message returned when Amazon Cognito throws a limit exceeded exception.
HTTP Status Code: 400

 ** NotAuthorizedException **   
This exception is thrown when a user isn't authorized.    
 ** message **   
The message returned when the Amazon Cognito service returns a not authorized exception.
HTTP Status Code: 400

 ** PreconditionNotMetException **   
This exception is thrown when a precondition is not met.    
 ** message **   
The message returned when a precondition is not met.
HTTP Status Code: 400

 ** ResourceNotFoundException **   
This exception is thrown when the Amazon Cognito service can't find the requested resource.    
 ** message **   
The message returned when the Amazon Cognito service returns a resource not found exception.
HTTP Status Code: 400

 ** TooManyRequestsException **   
This exception is thrown when the user has made too many requests for a given operation.    
 ** message **   
The message returned when the Amazon Cognito service returns a too many requests exception.
HTTP Status Code: 400

## Examples


### Example


The following example request creates an import job in user pool `us-west-2_EXAMPLE`. The job will write log output to CloudWatch Logs with the IAM role `arn:aws:iam::123456789012:role/example-cloudwatch-logs-role`.

#### Sample Request


```
POST HTTP/1.1
Host: cognito-idp.us-west-2.amazonaws.com
X-Amz-Date: 20230613T200059Z
Accept-Encoding: gzip, deflate, br
X-Amz-Target: AWSCognitoIdentityProviderService.CreateUserImportJob
User-Agent: <UserAgentString>
Authorization: AWS4-HMAC-SHA256 Credential=<Credential>, SignedHeaders=<Headers>, Signature=<Signature>
Content-Length: <PayloadSizeBytes>
{
   "CloudWatchLogsRoleArn": "arn:aws:iam::123456789012:role/example-cloudwatch-logs-role",
   "JobName": "Customer import",
   "UserPoolId": "us-west-2_EXAMPLE"
}
```

#### Sample Response


```
HTTP/1.1 200 OK
Date: Tue, 13 Jun 2023 20:00:59 GMT
Content-Type: application/x-amz-json-1.0
Content-Length: <PayloadSizeBytes>
x-amzn-requestid: a1b2c3d4-e5f6-a1b2-c3d4-EXAMPLE11111
Connection: keep-alive
{
	"UserImportJob": {
		"CloudWatchLogsRoleArn": "arn:aws:iam::123456789012:role/example-cloudwatch-logs-role",
		"CreationDate": 1735241621.022,
		"FailedUsers": 0,
		"ImportedUsers": 0,
		"JobId": "import-mAgUtd8PMm",
		"JobName": "Customer import",
		"PreSignedUrl": "https://aws-cognito-idp-user-import-pdx.s3.us-west-2.amazonaws.com/123456789012/us-west-2_EXAMPLE/import-mAgUtd8PMm?X-Amz-Security-Token=[token]&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20241226T193341Z&X-Amz-SignedHeaders=host%3Bx-amz-server-side-encryption&X-Amz-Expires=899&X-Amz-Credential=[credential]&X-Amz-Signature=[signature]",
		"SkippedUsers": 0,
		"Status": "Created",
		"UserPoolId": "us-west-2_EXAMPLE"
	}
}
```

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cognito-idp-2016-04-18/CreateUserImportJob) 
+  [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cognito-idp-2016-04-18/CreateUserImportJob) 
+  [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/CreateUserImportJob) 
+  [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cognito-idp-2016-04-18/CreateUserImportJob) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/CreateUserImportJob) 
+  [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cognito-idp-2016-04-18/CreateUserImportJob) 
+  [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cognito-idp-2016-04-18/CreateUserImportJob) 
+  [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cognito-idp-2016-04-18/CreateUserImportJob) 
+  [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/CreateUserImportJob) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cognito-idp-2016-04-18/CreateUserImportJob) 

# CreateUserPool


Creates a new Amazon Cognito user pool. This operation sets basic and advanced configuration options.

You can create a user pool in the Amazon Cognito console to your preferences and use the output of [DescribeUserPool](API_DescribeUserPool.md) to generate requests from that baseline.

**Important**  
If you don't provide a value for an attribute, Amazon Cognito sets it to its default value.

**Note**  
This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers require you to register an origination phone number before you can send SMS messages to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a phone number with [Amazon Pinpoint](https://console.aws.amazon.com/pinpoint/home/). Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must receive SMS messages might not be able to sign up, activate their accounts, or sign in.  
If you have never used SMS text messages with Amazon Cognito or any other AWS service, Amazon Simple Notification Service might place your account in the SMS sandbox. In * [sandbox mode](https://docs.aws.amazon.com/sns/latest/dg/sns-sms-sandbox.html) *, you can send messages only to verified phone numbers. After you test your app while in the sandbox environment, you can move out of the sandbox and into production. For more information, see [ SMS message settings for Amazon Cognito user pools](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-sms-settings.html) in the *Amazon Cognito Developer Guide*.

**Note**  
Amazon Cognito evaluates AWS Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.  
 [Signing AWS API Requests](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html) 
 [Using the Amazon Cognito user pools API and user pool endpoints](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html) 

## Request Syntax


```
{
   "AccountRecoverySetting": { 
      "RecoveryMechanisms": [ 
         { 
            "Name": "string",
            "Priority": number
         }
      ]
   },
   "AdminCreateUserConfig": { 
      "AllowAdminCreateUserOnly": boolean,
      "InviteMessageTemplate": { 
         "EmailMessage": "string",
         "EmailSubject": "string",
         "SMSMessage": "string"
      },
      "UnusedAccountValidityDays": number
   },
   "AliasAttributes": [ "string" ],
   "AutoVerifiedAttributes": [ "string" ],
   "DeletionProtection": "string",
   "DeviceConfiguration": { 
      "ChallengeRequiredOnNewDevice": boolean,
      "DeviceOnlyRememberedOnUserPrompt": boolean
   },
   "EmailConfiguration": { 
      "ConfigurationSet": "string",
      "EmailSendingAccount": "string",
      "From": "string",
      "ReplyToEmailAddress": "string",
      "SourceArn": "string"
   },
   "EmailVerificationMessage": "string",
   "EmailVerificationSubject": "string",
   "LambdaConfig": { 
      "CreateAuthChallenge": "string",
      "CustomEmailSender": { 
         "LambdaArn": "string",
         "LambdaVersion": "string"
      },
      "CustomMessage": "string",
      "CustomSMSSender": { 
         "LambdaArn": "string",
         "LambdaVersion": "string"
      },
      "DefineAuthChallenge": "string",
      "InboundFederation": { 
         "LambdaArn": "string",
         "LambdaVersion": "string"
      },
      "KMSKeyID": "string",
      "PostAuthentication": "string",
      "PostConfirmation": "string",
      "PreAuthentication": "string",
      "PreSignUp": "string",
      "PreTokenGeneration": "string",
      "PreTokenGenerationConfig": { 
         "LambdaArn": "string",
         "LambdaVersion": "string"
      },
      "UserMigration": "string",
      "VerifyAuthChallengeResponse": "string"
   },
   "MfaConfiguration": "string",
   "Policies": { 
      "PasswordPolicy": { 
         "MinimumLength": number,
         "PasswordHistorySize": number,
         "RequireLowercase": boolean,
         "RequireNumbers": boolean,
         "RequireSymbols": boolean,
         "RequireUppercase": boolean,
         "TemporaryPasswordValidityDays": number
      },
      "SignInPolicy": { 
         "AllowedFirstAuthFactors": [ "string" ]
      }
   },
   "PoolName": "string",
   "Schema": [ 
      { 
         "AttributeDataType": "string",
         "DeveloperOnlyAttribute": boolean,
         "Mutable": boolean,
         "Name": "string",
         "NumberAttributeConstraints": { 
            "MaxValue": "string",
            "MinValue": "string"
         },
         "Required": boolean,
         "StringAttributeConstraints": { 
            "MaxLength": "string",
            "MinLength": "string"
         }
      }
   ],
   "SmsAuthenticationMessage": "string",
   "SmsConfiguration": { 
      "ExternalId": "string",
      "SnsCallerArn": "string",
      "SnsRegion": "string"
   },
   "SmsVerificationMessage": "string",
   "UserAttributeUpdateSettings": { 
      "AttributesRequireVerificationBeforeUpdate": [ "string" ]
   },
   "UsernameAttributes": [ "string" ],
   "UsernameConfiguration": { 
      "CaseSensitive": boolean
   },
   "UserPoolAddOns": { 
      "AdvancedSecurityAdditionalFlows": { 
         "CustomAuthMode": "string"
      },
      "AdvancedSecurityMode": "string"
   },
   "UserPoolTags": { 
      "string" : "string" 
   },
   "UserPoolTier": "string",
   "VerificationMessageTemplate": { 
      "DefaultEmailOption": "string",
      "EmailMessage": "string",
      "EmailMessageByLink": "string",
      "EmailSubject": "string",
      "EmailSubjectByLink": "string",
      "SmsMessage": "string"
   }
}
```

## Request Parameters


For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).

The request accepts the following data in JSON format.

 ** [AccountRecoverySetting](#API_CreateUserPool_RequestSyntax) **   <a name="CognitoUserPools-CreateUserPool-request-AccountRecoverySetting"></a>
The available verified method a user can use to recover their password when they call `ForgotPassword`. You can use this setting to define a preferred method when a user has more than one method available. With this setting, SMS doesn't qualify for a valid password recovery mechanism if the user also has SMS multi-factor authentication (MFA) activated. Email MFA is also disqualifying for account recovery with email. In the absence of this setting, Amazon Cognito uses the legacy behavior to determine the recovery method where SMS is preferred over email.  
As a best practice, configure both `verified_email` and `verified_phone_number`, with one having a higher priority than the other.  
Type: [AccountRecoverySettingType](API_AccountRecoverySettingType.md) object  
Required: No

 ** [AdminCreateUserConfig](#API_CreateUserPool_RequestSyntax) **   <a name="CognitoUserPools-CreateUserPool-request-AdminCreateUserConfig"></a>
The configuration for administrative creation of users. Includes the template for the invitation message for new users, the duration of temporary passwords, and permitting self-service sign-up.  
Type: [AdminCreateUserConfigType](API_AdminCreateUserConfigType.md) object  
Required: No

 ** [AliasAttributes](#API_CreateUserPool_RequestSyntax) **   <a name="CognitoUserPools-CreateUserPool-request-AliasAttributes"></a>
Attributes supported as an alias for this user pool. For more information about alias attributes, see [Customizing sign-in attributes](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html#user-pool-settings-aliases).  
Type: Array of strings  
Valid Values: `phone_number | email | preferred_username`   
Required: No

 ** [AutoVerifiedAttributes](#API_CreateUserPool_RequestSyntax) **   <a name="CognitoUserPools-CreateUserPool-request-AutoVerifiedAttributes"></a>
The attributes that you want your user pool to automatically verify. For more information, see [Verifying contact information at sign-up](https://docs.aws.amazon.com/cognito/latest/developerguide/signing-up-users-in-your-app.html#allowing-users-to-sign-up-and-confirm-themselves).  
Type: Array of strings  
Valid Values: `phone_number | email`   
Required: No

 ** [DeletionProtection](#API_CreateUserPool_RequestSyntax) **   <a name="CognitoUserPools-CreateUserPool-request-DeletionProtection"></a>
When active, `DeletionProtection` prevents accidental deletion of your user pool. Before you can delete a user pool that you have protected against deletion, you must deactivate this feature.  
When you try to delete a protected user pool in a `DeleteUserPool` API request, Amazon Cognito returns an `InvalidParameterException` error. To delete a protected user pool, send a new `DeleteUserPool` request after you deactivate deletion protection in an `UpdateUserPool` API request.  
Type: String  
Valid Values: `ACTIVE | INACTIVE`   
Required: No

 ** [DeviceConfiguration](#API_CreateUserPool_RequestSyntax) **   <a name="CognitoUserPools-CreateUserPool-request-DeviceConfiguration"></a>
The device-remembering configuration for a user pool. Device remembering or device tracking is a "Remember me on this device" option for user pools that perform authentication with the device key of a trusted device in the back end, instead of a user-provided MFA code. For more information about device authentication, see [Working with user devices in your user pool](https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-device-tracking.html). A null value indicates that you have deactivated device remembering in your user pool.  
When you provide a value for any `DeviceConfiguration` field, you activate the Amazon Cognito device-remembering feature. For more information, see [Working with devices](https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-device-tracking.html).
Type: [DeviceConfigurationType](API_DeviceConfigurationType.md) object  
Required: No

 ** [EmailConfiguration](#API_CreateUserPool_RequestSyntax) **   <a name="CognitoUserPools-CreateUserPool-request-EmailConfiguration"></a>
The email configuration of your user pool. The email configuration type sets your preferred sending method, AWS Region, and sender for messages from your user pool.  
Type: [EmailConfigurationType](API_EmailConfigurationType.md) object  
Required: No

 ** [EmailVerificationMessage](#API_CreateUserPool_RequestSyntax) **   <a name="CognitoUserPools-CreateUserPool-request-EmailVerificationMessage"></a>
This parameter is no longer used. See [VerificationMessageTemplateType](API_VerificationMessageTemplateType.md).  
This parameter is no longer used.  
Type: String  
Length Constraints: Minimum length of 6. Maximum length of 20000.  
Pattern: `[\p{L}\p{M}\p{S}\p{N}\p{P}\s*]*\{####\}[\p{L}\p{M}\p{S}\p{N}\p{P}\s*]*`   
Required: No

 ** [EmailVerificationSubject](#API_CreateUserPool_RequestSyntax) **   <a name="CognitoUserPools-CreateUserPool-request-EmailVerificationSubject"></a>
This parameter is no longer used. See [VerificationMessageTemplateType](API_VerificationMessageTemplateType.md).  
This parameter is no longer used.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 140.  
Pattern: `[\p{L}\p{M}\p{S}\p{N}\p{P}\s]+`   
Required: No

 ** [LambdaConfig](#API_CreateUserPool_RequestSyntax) **   <a name="CognitoUserPools-CreateUserPool-request-LambdaConfig"></a>
A collection of user pool Lambda triggers. Amazon Cognito invokes triggers at several possible stages of authentication operations. Triggers can modify the outcome of the operations that invoked them.  
Type: [LambdaConfigType](API_LambdaConfigType.md) object  
Required: No

 ** [MfaConfiguration](#API_CreateUserPool_RequestSyntax) **   <a name="CognitoUserPools-CreateUserPool-request-MfaConfiguration"></a>
Sets multi-factor authentication (MFA) to be on, off, or optional. When `ON`, all users must set up MFA before they can sign in. When `OPTIONAL`, your application must make a client-side determination of whether a user wants to register an MFA device. For user pools with adaptive authentication with threat protection, choose `OPTIONAL`.  
When `MfaConfiguration` is `OPTIONAL`, managed login doesn't automatically prompt users to set up MFA. Amazon Cognito generates MFA prompts in API responses and in managed login for users who have chosen and configured a preferred MFA factor.  
Type: String  
Valid Values: `OFF | ON | OPTIONAL`   
Required: No

 ** [Policies](#API_CreateUserPool_RequestSyntax) **   <a name="CognitoUserPools-CreateUserPool-request-Policies"></a>
The password policy and sign-in policy in the user pool. The password policy sets options like password complexity requirements and password history. The sign-in policy sets the options available to applications in [choice-based authentication](https://docs.aws.amazon.com/cognito/latest/developerguide/authentication-flows-selection-sdk.html#authentication-flows-selection-choice).  
Type: [UserPoolPolicyType](API_UserPoolPolicyType.md) object  
Required: No

 ** [PoolName](#API_CreateUserPool_RequestSyntax) **   <a name="CognitoUserPools-CreateUserPool-request-PoolName"></a>
A friendly name for your user pool.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 128.  
Pattern: `[\w\s+=,.@-]+`   
Required: Yes

 ** [Schema](#API_CreateUserPool_RequestSyntax) **   <a name="CognitoUserPools-CreateUserPool-request-Schema"></a>
An array of attributes for the new user pool. You can add custom attributes and modify the properties of default attributes. The specifications in this parameter set the required attributes in your user pool. For more information, see [Working with user attributes](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html).  
Type: Array of [SchemaAttributeType](API_SchemaAttributeType.md) objects  
Array Members: Minimum number of 1 item. Maximum number of 50 items.  
Required: No

 ** [SmsAuthenticationMessage](#API_CreateUserPool_RequestSyntax) **   <a name="CognitoUserPools-CreateUserPool-request-SmsAuthenticationMessage"></a>
The contents of the SMS message that your user pool sends to users in SMS OTP and MFA authentication.  
Type: String  
Length Constraints: Minimum length of 6. Maximum length of 140.  
Pattern: `.*\{####\}.*`   
Required: No

 ** [SmsConfiguration](#API_CreateUserPool_RequestSyntax) **   <a name="CognitoUserPools-CreateUserPool-request-SmsConfiguration"></a>
The settings for your Amazon Cognito user pool to send SMS messages with Amazon Simple Notification Service. To send SMS messages with Amazon SNS in the AWS Region that you want, the Amazon Cognito user pool uses an AWS Identity and Access Management (IAM) role in your AWS account. For more information see [SMS message settings](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-sms-settings.html).  
Type: [SmsConfigurationType](API_SmsConfigurationType.md) object  
Required: No

 ** [SmsVerificationMessage](#API_CreateUserPool_RequestSyntax) **   <a name="CognitoUserPools-CreateUserPool-request-SmsVerificationMessage"></a>
This parameter is no longer used. See [VerificationMessageTemplateType](API_VerificationMessageTemplateType.md).  
This parameter is no longer used.  
Type: String  
Length Constraints: Minimum length of 6. Maximum length of 140.  
Pattern: `.*\{####\}.*`   
Required: No

 ** [UserAttributeUpdateSettings](#API_CreateUserPool_RequestSyntax) **   <a name="CognitoUserPools-CreateUserPool-request-UserAttributeUpdateSettings"></a>
The settings for updates to user attributes. These settings include the property `AttributesRequireVerificationBeforeUpdate`, a user-pool setting that tells Amazon Cognito how to handle changes to the value of your users' email address and phone number attributes. For more information, see [ Verifying updates to email addresses and phone numbers](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-email-phone-verification.html#user-pool-settings-verifications-verify-attribute-updates).  
Type: [UserAttributeUpdateSettingsType](API_UserAttributeUpdateSettingsType.md) object  
Required: No

 ** [UsernameAttributes](#API_CreateUserPool_RequestSyntax) **   <a name="CognitoUserPools-CreateUserPool-request-UsernameAttributes"></a>
Specifies whether a user can use an email address or phone number as a username when they sign up. For more information, see [Customizing sign-in attributes](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html#user-pool-settings-aliases).  
Type: Array of strings  
Valid Values: `phone_number | email`   
Required: No

 ** [UsernameConfiguration](#API_CreateUserPool_RequestSyntax) **   <a name="CognitoUserPools-CreateUserPool-request-UsernameConfiguration"></a>
Sets the case sensitivity option for sign-in usernames. When `CaseSensitive` is `false` (case insensitive), users can sign in with any combination of capital and lowercase letters. For example, `username`, `USERNAME`, or `UserName`, or for email, `email@example.com` or `EMaiL@eXamplE.Com`. For most use cases, set case sensitivity to `false` as a best practice. When usernames and email addresses are case insensitive, Amazon Cognito treats any variation in case as the same user, and prevents a case variation from being assigned to the same attribute for a different user.  
When `CaseSensitive` is `true` (case sensitive), Amazon Cognito interprets `USERNAME` and `UserName` as distinct users.  
This configuration is immutable after you set it.  
Type: [UsernameConfigurationType](API_UsernameConfigurationType.md) object  
Required: No

 ** [UserPoolAddOns](#API_CreateUserPool_RequestSyntax) **   <a name="CognitoUserPools-CreateUserPool-request-UserPoolAddOns"></a>
Contains settings for activation of threat protection, including the operating mode and additional authentication types. To log user security information but take no action, set to `AUDIT`. To configure automatic security responses to potentially unwanted traffic to your user pool, set to `ENFORCED`.  
For more information, see [Adding advanced security to a user pool](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-advanced-security.html). To activate this setting, your user pool must be on the [ Plus tier](https://docs.aws.amazon.com/cognito/latest/developerguide/feature-plans-features-plus.html).  
Type: [UserPoolAddOnsType](API_UserPoolAddOnsType.md) object  
Required: No

 ** [UserPoolTags](#API_CreateUserPool_RequestSyntax) **   <a name="CognitoUserPools-CreateUserPool-request-UserPoolTags"></a>
The tag keys and values to assign to the user pool. A tag is a label that you can use to categorize and manage user pools in different ways, such as by purpose, owner, environment, or other criteria.  
Type: String to string map  
Key Length Constraints: Minimum length of 1. Maximum length of 128.  
Value Length Constraints: Minimum length of 0. Maximum length of 256.  
Required: No

 ** [UserPoolTier](#API_CreateUserPool_RequestSyntax) **   <a name="CognitoUserPools-CreateUserPool-request-UserPoolTier"></a>
The user pool [feature plan](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-sign-in-feature-plans.html), or tier. This parameter determines the eligibility of the user pool for features like managed login, access-token customization, and threat protection. Defaults to `ESSENTIALS`.  
Type: String  
Valid Values: `LITE | ESSENTIALS | PLUS`   
Required: No

 ** [VerificationMessageTemplate](#API_CreateUserPool_RequestSyntax) **   <a name="CognitoUserPools-CreateUserPool-request-VerificationMessageTemplate"></a>
The template for the verification message that your user pool delivers to users who set an email address or phone number attribute.  
Set the email message type that corresponds to your `DefaultEmailOption` selection. For `CONFIRM_WITH_LINK`, specify an `EmailMessageByLink` and leave `EmailMessage` blank. For `CONFIRM_WITH_CODE`, specify an `EmailMessage` and leave `EmailMessageByLink` blank. When you supply both parameters with either choice, Amazon Cognito returns an error.  
Type: [VerificationMessageTemplateType](API_VerificationMessageTemplateType.md) object  
Required: No

## Response Syntax


```
{
   "UserPool": { 
      "AccountRecoverySetting": { 
         "RecoveryMechanisms": [ 
            { 
               "Name": "string",
               "Priority": number
            }
         ]
      },
      "AdminCreateUserConfig": { 
         "AllowAdminCreateUserOnly": boolean,
         "InviteMessageTemplate": { 
            "EmailMessage": "string",
            "EmailSubject": "string",
            "SMSMessage": "string"
         },
         "UnusedAccountValidityDays": number
      },
      "AliasAttributes": [ "string" ],
      "Arn": "string",
      "AutoVerifiedAttributes": [ "string" ],
      "CreationDate": number,
      "CustomDomain": "string",
      "DeletionProtection": "string",
      "DeviceConfiguration": { 
         "ChallengeRequiredOnNewDevice": boolean,
         "DeviceOnlyRememberedOnUserPrompt": boolean
      },
      "Domain": "string",
      "EmailConfiguration": { 
         "ConfigurationSet": "string",
         "EmailSendingAccount": "string",
         "From": "string",
         "ReplyToEmailAddress": "string",
         "SourceArn": "string"
      },
      "EmailConfigurationFailure": "string",
      "EmailVerificationMessage": "string",
      "EmailVerificationSubject": "string",
      "EstimatedNumberOfUsers": number,
      "Id": "string",
      "LambdaConfig": { 
         "CreateAuthChallenge": "string",
         "CustomEmailSender": { 
            "LambdaArn": "string",
            "LambdaVersion": "string"
         },
         "CustomMessage": "string",
         "CustomSMSSender": { 
            "LambdaArn": "string",
            "LambdaVersion": "string"
         },
         "DefineAuthChallenge": "string",
         "InboundFederation": { 
            "LambdaArn": "string",
            "LambdaVersion": "string"
         },
         "KMSKeyID": "string",
         "PostAuthentication": "string",
         "PostConfirmation": "string",
         "PreAuthentication": "string",
         "PreSignUp": "string",
         "PreTokenGeneration": "string",
         "PreTokenGenerationConfig": { 
            "LambdaArn": "string",
            "LambdaVersion": "string"
         },
         "UserMigration": "string",
         "VerifyAuthChallengeResponse": "string"
      },
      "LastModifiedDate": number,
      "MfaConfiguration": "string",
      "Name": "string",
      "Policies": { 
         "PasswordPolicy": { 
            "MinimumLength": number,
            "PasswordHistorySize": number,
            "RequireLowercase": boolean,
            "RequireNumbers": boolean,
            "RequireSymbols": boolean,
            "RequireUppercase": boolean,
            "TemporaryPasswordValidityDays": number
         },
         "SignInPolicy": { 
            "AllowedFirstAuthFactors": [ "string" ]
         }
      },
      "SchemaAttributes": [ 
         { 
            "AttributeDataType": "string",
            "DeveloperOnlyAttribute": boolean,
            "Mutable": boolean,
            "Name": "string",
            "NumberAttributeConstraints": { 
               "MaxValue": "string",
               "MinValue": "string"
            },
            "Required": boolean,
            "StringAttributeConstraints": { 
               "MaxLength": "string",
               "MinLength": "string"
            }
         }
      ],
      "SmsAuthenticationMessage": "string",
      "SmsConfiguration": { 
         "ExternalId": "string",
         "SnsCallerArn": "string",
         "SnsRegion": "string"
      },
      "SmsConfigurationFailure": "string",
      "SmsVerificationMessage": "string",
      "Status": "string",
      "UserAttributeUpdateSettings": { 
         "AttributesRequireVerificationBeforeUpdate": [ "string" ]
      },
      "UsernameAttributes": [ "string" ],
      "UsernameConfiguration": { 
         "CaseSensitive": boolean
      },
      "UserPoolAddOns": { 
         "AdvancedSecurityAdditionalFlows": { 
            "CustomAuthMode": "string"
         },
         "AdvancedSecurityMode": "string"
      },
      "UserPoolTags": { 
         "string" : "string" 
      },
      "UserPoolTier": "string",
      "VerificationMessageTemplate": { 
         "DefaultEmailOption": "string",
         "EmailMessage": "string",
         "EmailMessageByLink": "string",
         "EmailSubject": "string",
         "EmailSubjectByLink": "string",
         "SmsMessage": "string"
      }
   }
}
```

## Response Elements


If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

 ** [UserPool](#API_CreateUserPool_ResponseSyntax) **   <a name="CognitoUserPools-CreateUserPool-response-UserPool"></a>
The details of the created user pool.  
Type: [UserPoolType](API_UserPoolType.md) object

## Errors


For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).

 ** FeatureUnavailableInTierException **   
This exception is thrown when a feature you attempted to configure isn't available in your current feature plan.  
HTTP Status Code: 400

 ** InternalErrorException **   
This exception is thrown when Amazon Cognito encounters an internal error.    
 ** message **   
The message returned when Amazon Cognito throws an internal error exception.
HTTP Status Code: 500

 ** InvalidEmailRoleAccessPolicyException **   
This exception is thrown when Amazon Cognito isn't allowed to use your email identity. HTTP status code: 400.    
 ** message **   
The message returned when you have an unverified email address or the identity policy isn't set on an email address that Amazon Cognito can access.
HTTP Status Code: 400

 ** InvalidParameterException **   
This exception is thrown when the Amazon Cognito service encounters an invalid parameter.    
 ** message **   
The message returned when the Amazon Cognito service throws an invalid parameter exception.  
 ** reasonCode **   
The reason code of the exception.
HTTP Status Code: 400

 ** InvalidSmsRoleAccessPolicyException **   
This exception is returned when the role provided for SMS configuration doesn't have permission to publish using Amazon SNS.    
 ** message **   
The message returned when the invalid SMS role access policy exception is thrown.
HTTP Status Code: 400

 ** InvalidSmsRoleTrustRelationshipException **   
This exception is thrown when the trust relationship is not valid for the role provided for SMS configuration. This can happen if you don't trust `cognito-idp.amazonaws.com` or the external ID provided in the role does not match what is provided in the SMS configuration for the user pool.    
 ** message **   
The message returned when the role trust relationship for the SMS message is not valid.
HTTP Status Code: 400

 ** LimitExceededException **   
This exception is thrown when a user exceeds the limit for a requested AWS resource.    
 ** message **   
The message returned when Amazon Cognito throws a limit exceeded exception.
HTTP Status Code: 400

 ** NotAuthorizedException **   
This exception is thrown when a user isn't authorized.    
 ** message **   
The message returned when the Amazon Cognito service returns a not authorized exception.
HTTP Status Code: 400

 ** TierChangeNotAllowedException **   
This exception is thrown when you've attempted to change your feature plan but the operation isn't permitted.  
HTTP Status Code: 400

 ** TooManyRequestsException **   
This exception is thrown when the user has made too many requests for a given operation.    
 ** message **   
The message returned when the Amazon Cognito service returns a too many requests exception.
HTTP Status Code: 400

 ** UserPoolTaggingException **   
This exception is thrown when a user pool tag can't be set or updated.  
HTTP Status Code: 400

## Examples


### Example


The following example creates a user pool with all configurable properties set to an example value. The resulting user pool allows sign-in with username or email address, has optional MFA, and has a Lambda function assigned to each possible trigger.

#### Sample Request


```
POST HTTP/1.1
Host: cognito-idp.us-east-1.amazonaws.com
X-Amz-Date: 20230613T200059Z
Accept-Encoding: gzip, deflate, br
X-Amz-Target: AWSCognitoIdentityProviderService.CreateUserPool
User-Agent: <UserAgentString>
Authorization: AWS4-HMAC-SHA256 Credential=<Credential>, SignedHeaders=<Headers>, Signature=<Signature>
Content-Length: <PayloadSizeBytes>
{
    "AccountRecoverySetting": {
        "RecoveryMechanisms": [
            {
                "Name": "verified_email",
                "Priority": 1
            }
        ]
    },
    "AdminCreateUserConfig": {
        "AllowAdminCreateUserOnly": false,
        "InviteMessageTemplate": {
            "EmailMessage": "Your username is {username} and temporary password is {####}.",
            "EmailSubject": "Your sign-in information",
            "SMSMessage": "Your username is {username} and temporary password is {####}."
        }
    },
    "AliasAttributes": [
        "email"
    ],
    "AutoVerifiedAttributes": [
        "email"
    ],
    "DeviceConfiguration": {
        "ChallengeRequiredOnNewDevice": true,
        "DeviceOnlyRememberedOnUserPrompt": true
    },
    "DeletionProtection": "ACTIVE",
    "EmailConfiguration": {
        "ConfigurationSet": "my-test-ses-configuration-set",
        "EmailSendingAccount": "DEVELOPER",
        "From": "support@example.com",
        "ReplyToEmailAddress": "support@example.com",
        "SourceArn": "arn:aws:ses:us-east-1:123456789012:identity/support@example.com"
    },
    "EmailVerificationMessage": "Your verification code is {####}.",
    "EmailVerificationSubject": "Verify your email address",
    "LambdaConfig": {
        "KMSKeyID": "arn:aws:kms:us-east-1:123456789012:key/a6c4f8e2-0c45-47db-925f-87854bc9e357",
        "CustomEmailSender": {
            "LambdaArn": "arn:aws:lambda:us-east-1:123456789012:function:MyFunction",
            "LambdaVersion": "V1_0"
        },
        "CustomSMSSender": {
            "LambdaArn": "arn:aws:lambda:us-east-1:123456789012:function:MyFunction",
            "LambdaVersion": "V1_0"
        },
        "CustomMessage": "arn:aws:lambda:us-east-1:123456789012:function:MyFunction",
        "DefineAuthChallenge": "arn:aws:lambda:us-east-1:123456789012:function:MyFunction",
        "PostAuthentication": "arn:aws:lambda:us-east-1:123456789012:function:MyFunction",
        "PostConfirmation": "arn:aws:lambda:us-east-1:123456789012:function:MyFunction",
        "PreAuthentication": "arn:aws:lambda:us-east-1:123456789012:function:MyFunction",
        "PreSignUp": "arn:aws:lambda:us-east-1:123456789012:function:MyFunction",
        "PreTokenGeneration": "arn:aws:lambda:us-east-1:123456789012:function:MyFunction",
        "UserMigration": "arn:aws:lambda:us-east-1:123456789012:function:MyFunction",
        "VerifyAuthChallengeResponse": "arn:aws:lambda:us-east-1:123456789012:function:MyFunction",
        "InboundFederation": {
            "LambdaArn": "arn:aws:lambda:us-east-1:123456789012:function:MyFunction",
            "LambdaVersion": "V1_0"
        }
    },
    "MfaConfiguration": "OPTIONAL",
    "Policies": {
        "PasswordPolicy": {
            "MinimumLength": 6,
            "RequireLowercase": true,
            "RequireNumbers": true,
            "RequireSymbols": true,
            "RequireUppercase": true,
            "TemporaryPasswordValidityDays": 7
        },
        "SignInPolicy": {
            "AllowedFirstAuthFactors": [
                "PASSWORD",
                "EMAIL_OTP",
                "WEB_AUTHN"
            ]
        }
    },
    "PoolName": "my-test-user-pool",
    "Schema": [
        {
            "AttributeDataType": "Number",
            "DeveloperOnlyAttribute": true,
            "Mutable": true,
            "Name": "mydev",
            "NumberAttributeConstraints": {
                "MaxValue": "99",
                "MinValue": "1"
            },
            "Required": false,
            "StringAttributeConstraints": {
                "MaxLength": "99",
                "MinLength": "1"
            }
        }
    ],
    "SmsAuthenticationMessage": "Your verification code is {####}.",
    "SmsConfiguration": {
        "ExternalId": "my-role-external-id",
        "SnsCallerArn": "arn:aws:iam::123456789012:role/service-role/test-cognito-SMS-Role"
    },
    "SmsVerificationMessage": "Your verification code is {####}.",
    "UserAttributeUpdateSettings": {
        "AttributesRequireVerificationBeforeUpdate": [
            "email"
        ]
    },
    "UsernameConfiguration": {
        "CaseSensitive": true
    },
    "UserPoolAddOns": {
        "AdvancedSecurityMode": "OFF"
    },
    "UserPoolTags": {
        "my-test-tag-key": "my-test-tag-key"
    },
    "UserPoolTier": "ESSENTIALS",
    "VerificationMessageTemplate": {
        "DefaultEmailOption": "CONFIRM_WITH_CODE",
        "EmailMessage": "Your confirmation code is {####}",
        "EmailMessageByLink": "Choose this link to {##verify your email##}",
        "EmailSubject": "Here is your confirmation code",
        "EmailSubjectByLink": "Here is your confirmation link",
        "SmsMessage": "Your confirmation code is {####}"
    }
}
```

#### Sample Response


```
HTTP/1.1 200 OK
Date: Tue, 13 Jun 2023 20:00:59 GMT
Content-Type: application/x-amz-json-1.0
Content-Length: <PayloadSizeBytes>
x-amzn-requestid: a1b2c3d4-e5f6-a1b2-c3d4-EXAMPLE11111
Connection: keep-alive

{
    "UserPool": {
        "AccountRecoverySetting": {
            "RecoveryMechanisms": [
                {
                    "Name": "verified_email",
                    "Priority": 1
                }
            ]
        },
        "AdminCreateUserConfig": {
            "AllowAdminCreateUserOnly": false,
            "InviteMessageTemplate": {
                "EmailMessage": "Your username is {username} and temporary password is {####}.",
                "EmailSubject": "Your sign-in information",
                "SMSMessage": "Your username is {username} and temporary password is {####}."
            },
            "UnusedAccountValidityDays": 7
        },
        "AliasAttributes": [
            "email"
        ],
        "Arn": "arn:aws:cognito-idp:us-east-1:123456789012:userpool/us-east-1_EXAMPLE",
        "AutoVerifiedAttributes": [
            "email"
        ],
        "CreationDate": 1689721665.239,
        "DeletionProtection": "ACTIVE",
        "DeviceConfiguration": {
            "ChallengeRequiredOnNewDevice": true,
            "DeviceOnlyRememberedOnUserPrompt": true
        },
        "EmailConfiguration": {
            "ConfigurationSet": "my-test-ses-configuration-set",
            "EmailSendingAccount": "DEVELOPER",
            "From": "support@example.com",
            "ReplyToEmailAddress": "support@example.com",
            "SourceArn": "arn:aws:ses:us-east-1:123456789012:identity/support@example.com"
        },
        "EmailVerificationMessage": "Your verification code is {####}.",
        "EmailVerificationSubject": "Verify your email address",
        "EstimatedNumberOfUsers": 0,
        "Id": "us-east-1_EXAMPLE",
        "LambdaConfig": {
            "CustomEmailSender": {
                "LambdaArn": "arn:aws:lambda:us-east-1:123456789012:function:MyFunction",
                "LambdaVersion": "V1_0"
            },
            "CustomMessage": "arn:aws:lambda:us-east-1:123456789012:function:MyFunction",
            "CustomSMSSender": {
                "LambdaArn": "arn:aws:lambda:us-east-1:123456789012:function:MyFunction",
                "LambdaVersion": "V1_0"
            },
            "DefineAuthChallenge": "arn:aws:lambda:us-east-1:123456789012:function:MyFunction",
            "KMSKeyID": "arn:aws:kms:us-east-1:767671399759:key/4d43904c-8edf-4bb4-9fca-fb1a80e41cbe",
            "PostAuthentication": "arn:aws:lambda:us-east-1:123456789012:function:MyFunction",
            "PostConfirmation": "arn:aws:lambda:us-east-1:123456789012:function:MyFunction",
            "PreAuthentication": "arn:aws:lambda:us-east-1:123456789012:function:MyFunction",
            "PreSignUp": "arn:aws:lambda:us-east-1:123456789012:function:MyFunction",
            "PreTokenGeneration": "arn:aws:lambda:us-east-1:123456789012:function:MyFunction",
            "UserMigration": "arn:aws:lambda:us-east-1:123456789012:function:MyFunction",
            "VerifyAuthChallengeResponse": "arn:aws:lambda:us-east-1:123456789012:function:MyFunction",
            "InboundFederation": {
                "LambdaArn": "arn:aws:lambda:us-east-1:123456789012:function:MyFunction",
                "LambdaVersion": "V1_0"
            }
        },
        "LastModifiedDate": 1689721665.239,
        "MfaConfiguration": "OPTIONAL",
        "Name": "my-test-user-pool",
        "Policies": {
            "PasswordPolicy": {
                "MinimumLength": 6,
                "RequireLowercase": true,
                "RequireNumbers": true,
                "RequireSymbols": true,
                "RequireUppercase": true,
                "TemporaryPasswordValidityDays": 7
            }
        },
        "SchemaAttributes": [
            {
                "AttributeDataType": "String",
                "DeveloperOnlyAttribute": false,
                "Mutable": false,
                "Name": "sub",
                "Required": true,
                "StringAttributeConstraints": {
                    "MaxLength": "2048",
                    "MinLength": "1"
                }
            },
            {
                "AttributeDataType": "String",
                "DeveloperOnlyAttribute": false,
                "Mutable": true,
                "Name": "name",
                "Required": false,
                "StringAttributeConstraints": {
                    "MaxLength": "2048",
                    "MinLength": "0"
                }
            },
            {
                "AttributeDataType": "String",
                "DeveloperOnlyAttribute": false,
                "Mutable": true,
                "Name": "given_name",
                "Required": false,
                "StringAttributeConstraints": {
                    "MaxLength": "2048",
                    "MinLength": "0"
                }
            },
            {
                "AttributeDataType": "String",
                "DeveloperOnlyAttribute": false,
                "Mutable": true,
                "Name": "family_name",
                "Required": false,
                "StringAttributeConstraints": {
                    "MaxLength": "2048",
                    "MinLength": "0"
                }
            },
            {
                "AttributeDataType": "String",
                "DeveloperOnlyAttribute": false,
                "Mutable": true,
                "Name": "middle_name",
                "Required": false,
                "StringAttributeConstraints": {
                    "MaxLength": "2048",
                    "MinLength": "0"
                }
            },
            {
                "AttributeDataType": "String",
                "DeveloperOnlyAttribute": false,
                "Mutable": true,
                "Name": "nickname",
                "Required": false,
                "StringAttributeConstraints": {
                    "MaxLength": "2048",
                    "MinLength": "0"
                }
            },
            {
                "AttributeDataType": "String",
                "DeveloperOnlyAttribute": false,
                "Mutable": true,
                "Name": "preferred_username",
                "Required": false,
                "StringAttributeConstraints": {
                    "MaxLength": "2048",
                    "MinLength": "0"
                }
            },
            {
                "AttributeDataType": "String",
                "DeveloperOnlyAttribute": false,
                "Mutable": true,
                "Name": "profile",
                "Required": false,
                "StringAttributeConstraints": {
                    "MaxLength": "2048",
                    "MinLength": "0"
                }
            },
            {
                "AttributeDataType": "String",
                "DeveloperOnlyAttribute": false,
                "Mutable": true,
                "Name": "picture",
                "Required": false,
                "StringAttributeConstraints": {
                    "MaxLength": "2048",
                    "MinLength": "0"
                }
            },
            {
                "AttributeDataType": "String",
                "DeveloperOnlyAttribute": false,
                "Mutable": true,
                "Name": "website",
                "Required": false,
                "StringAttributeConstraints": {
                    "MaxLength": "2048",
                    "MinLength": "0"
                }
            },
            {
                "AttributeDataType": "String",
                "DeveloperOnlyAttribute": false,
                "Mutable": true,
                "Name": "email",
                "Required": false,
                "StringAttributeConstraints": {
                    "MaxLength": "2048",
                    "MinLength": "0"
                }
            },
            {
                "AttributeDataType": "Boolean",
                "DeveloperOnlyAttribute": false,
                "Mutable": true,
                "Name": "email_verified",
                "Required": false
            },
            {
                "AttributeDataType": "String",
                "DeveloperOnlyAttribute": false,
                "Mutable": true,
                "Name": "gender",
                "Required": false,
                "StringAttributeConstraints": {
                    "MaxLength": "2048",
                    "MinLength": "0"
                }
            },
            {
                "AttributeDataType": "String",
                "DeveloperOnlyAttribute": false,
                "Mutable": true,
                "Name": "birthdate",
                "Required": false,
                "StringAttributeConstraints": {
                    "MaxLength": "10",
                    "MinLength": "10"
                }
            },
            {
                "AttributeDataType": "String",
                "DeveloperOnlyAttribute": false,
                "Mutable": true,
                "Name": "zoneinfo",
                "Required": false,
                "StringAttributeConstraints": {
                    "MaxLength": "2048",
                    "MinLength": "0"
                }
            },
            {
                "AttributeDataType": "String",
                "DeveloperOnlyAttribute": false,
                "Mutable": true,
                "Name": "locale",
                "Required": false,
                "StringAttributeConstraints": {
                    "MaxLength": "2048",
                    "MinLength": "0"
                }
            },
            {
                "AttributeDataType": "String",
                "DeveloperOnlyAttribute": false,
                "Mutable": true,
                "Name": "phone_number",
                "Required": false,
                "StringAttributeConstraints": {
                    "MaxLength": "2048",
                    "MinLength": "0"
                }
            },
            {
                "AttributeDataType": "Boolean",
                "DeveloperOnlyAttribute": false,
                "Mutable": true,
                "Name": "phone_number_verifie",
                "Required": false
            },
            {
                "AttributeDataType": "String",
                "DeveloperOnlyAttribute": false,
                "Mutable": true,
                "Name": "address",
                "Required": false,
                "StringAttributeConstraints": {
                    "MaxLength": "2048",
                    "MinLength": "0"
                }
            },
            {
                "AttributeDataType": "Number",
                "DeveloperOnlyAttribute": false,
                "Mutable": true,
                "Name": "updated_at",
                "NumberAttributeConstraints": {
                    "MinValue": "0"
                },
                "Required": false
            },
            {
                "AttributeDataType": "Number",
                "DeveloperOnlyAttribute": true,
                "Mutable": true,
                "Name": "dev:custom:mydev",
                "NumberAttributeConstraints": {
                    "MaxValue": "99",
                    "MinValue": "1"
                },
                "Required": false
            }
        ],
        "SmsAuthenticationMessage": "Your verification code is {####}.",
        "SmsConfiguration": {
            "ExternalId": "my-role-external-id",
            "SnsCallerArn": "arn:aws:iam::123456789012:role/service-role/test-cognito-SMS-Role",
            "SnsRegion": "us-east-1"
        },
        "SmsVerificationMessage": "Your verification code is {####}.",
        "UserAttributeUpdateSettings": {
            "AttributesRequireVerificationBeforeUpdate": [
                "email"
            ]
        },
        "UserPoolAddOns": {
            "AdvancedSecurityMode": "OFF"
        },
        "UserPoolTags": {
            "my-test-tag-key": "my-test-tag-value"
        },
        "UserPoolTier": "ESSENTIALS",
        "UsernameConfiguration": {
            "CaseSensitive": true
        },
        "VerificationMessageTemplate": {
            "DefaultEmailOption": "CONFIRM_WITH_CODE",
            "EmailMessage": "Your confirmation code is {####}",
            "EmailMessageByLink": "Choose this link to {##verify your email##}",
            "EmailSubject": "Here is your confirmation code",
            "EmailSubjectByLink": "Here is your confirmation link",
            "SmsMessage": "Your confirmation code is {####}"
        }
    }
}
```

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cognito-idp-2016-04-18/CreateUserPool) 
+  [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cognito-idp-2016-04-18/CreateUserPool) 
+  [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/CreateUserPool) 
+  [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cognito-idp-2016-04-18/CreateUserPool) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/CreateUserPool) 
+  [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cognito-idp-2016-04-18/CreateUserPool) 
+  [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cognito-idp-2016-04-18/CreateUserPool) 
+  [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cognito-idp-2016-04-18/CreateUserPool) 
+  [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/CreateUserPool) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cognito-idp-2016-04-18/CreateUserPool) 

# CreateUserPoolClient


Creates an app client in a user pool. This operation sets basic and advanced configuration options.

You can create an app client in the Amazon Cognito console to your preferences and use the output of [DescribeUserPoolClient](API_DescribeUserPoolClient.md) to generate requests from that baseline.

New app clients activate token revocation by default. For more information about revoking tokens, see [RevokeToken](API_RevokeToken.md).

Unlike app clients created in the console, Amazon Cognito doesn't automatically assign a branding style to app clients that you configure with this API operation. Managed login and classic hosted UI pages aren't available for your client until after you apply a branding style.

Apply a branding style with the [CreateManagedLoginBranding](API_CreateManagedLoginBranding.md) operation. For more information, see [Managed login branding](https://docs.aws.amazon.com/cognito/latest/developerguide/managed-login-branding.html). 

**Important**  
If you don't provide a value for an attribute, Amazon Cognito sets it to its default value.

**Note**  
Amazon Cognito evaluates AWS Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.  
 [Signing AWS API Requests](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html) 
 [Using the Amazon Cognito user pools API and user pool endpoints](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html) 

## Request Syntax


```
{
   "AccessTokenValidity": number,
   "AllowedOAuthFlows": [ "string" ],
   "AllowedOAuthFlowsUserPoolClient": boolean,
   "AllowedOAuthScopes": [ "string" ],
   "AnalyticsConfiguration": { 
      "ApplicationArn": "string",
      "ApplicationId": "string",
      "ExternalId": "string",
      "RoleArn": "string",
      "UserDataShared": boolean
   },
   "AuthSessionValidity": number,
   "CallbackURLs": [ "string" ],
   "ClientName": "string",
   "ClientSecret": "string",
   "DefaultRedirectURI": "string",
   "EnablePropagateAdditionalUserContextData": boolean,
   "EnableTokenRevocation": boolean,
   "ExplicitAuthFlows": [ "string" ],
   "GenerateSecret": boolean,
   "IdTokenValidity": number,
   "LogoutURLs": [ "string" ],
   "PreventUserExistenceErrors": "string",
   "ReadAttributes": [ "string" ],
   "RefreshTokenRotation": { 
      "Feature": "string",
      "RetryGracePeriodSeconds": number
   },
   "RefreshTokenValidity": number,
   "SupportedIdentityProviders": [ "string" ],
   "TokenValidityUnits": { 
      "AccessToken": "string",
      "IdToken": "string",
      "RefreshToken": "string"
   },
   "UserPoolId": "string",
   "WriteAttributes": [ "string" ]
}
```

## Request Parameters


For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).

The request accepts the following data in JSON format.

 ** [AccessTokenValidity](#API_CreateUserPoolClient_RequestSyntax) **   <a name="CognitoUserPools-CreateUserPoolClient-request-AccessTokenValidity"></a>
The access token time limit. After this limit expires, your user can't use their access token. To specify the time unit for `AccessTokenValidity` as `seconds`, `minutes`, `hours`, or `days`, set a `TokenValidityUnits` value in your API request.  
For example, when you set `AccessTokenValidity` to `10` and `TokenValidityUnits` to `hours`, your user can authorize access with their access token for 10 hours.  
The default time unit for `AccessTokenValidity` in an API request is hours. *Valid range* is displayed below in seconds.  
If you don't specify otherwise in the configuration of your app client, your access tokens are valid for one hour.  
Type: Integer  
Valid Range: Minimum value of 1. Maximum value of 86400.  
Required: No

 ** [AllowedOAuthFlows](#API_CreateUserPoolClient_RequestSyntax) **   <a name="CognitoUserPools-CreateUserPoolClient-request-AllowedOAuthFlows"></a>
The OAuth grant types that you want your app client to generate for clients in managed login authentication. To create an app client that generates client credentials grants, you must add `client_credentials` as the only allowed OAuth flow.    
code  
Use a code grant flow, which provides an authorization code as the response. This code can be exchanged for access tokens with the `/oauth2/token` endpoint.  
implicit  
Issue the access token, and the ID token when scopes like `openid` and `profile` are requested, directly to your user.  
client\$1credentials  
Issue the access token from the `/oauth2/token` endpoint directly to a non-person user, authorized by a combination of the client ID and client secret.
Type: Array of strings  
Array Members: Minimum number of 0 items. Maximum number of 3 items.  
Valid Values: `code | implicit | client_credentials`   
Required: No

 ** [AllowedOAuthFlowsUserPoolClient](#API_CreateUserPoolClient_RequestSyntax) **   <a name="CognitoUserPools-CreateUserPoolClient-request-AllowedOAuthFlowsUserPoolClient"></a>
Set to `true` to use OAuth 2.0 authorization server features in your app client.  
This parameter must have a value of `true` before you can configure the following features in your app client.  
+  `CallBackURLs`: Callback URLs.
+  `LogoutURLs`: Sign-out redirect URLs.
+  `AllowedOAuthScopes`: OAuth 2.0 scopes.
+  `AllowedOAuthFlows`: Support for authorization code, implicit, and client credentials OAuth 2.0 grants.
To use authorization server features, configure one of these features in the Amazon Cognito console or set `AllowedOAuthFlowsUserPoolClient` to `true` in a `CreateUserPoolClient` or `UpdateUserPoolClient` API request. If you don't set a value for `AllowedOAuthFlowsUserPoolClient` in a request with the AWS CLI or SDKs, it defaults to `false`. When `false`, only SDK-based API sign-in is permitted.  
Type: Boolean  
Required: No

 ** [AllowedOAuthScopes](#API_CreateUserPoolClient_RequestSyntax) **   <a name="CognitoUserPools-CreateUserPoolClient-request-AllowedOAuthScopes"></a>
The OAuth, OpenID Connect (OIDC), and custom scopes that you want to permit your app client to authorize access with. Scopes govern access control to user pool self-service API operations, user data from the `userInfo` endpoint, and third-party APIs. Scope values include `phone`, `email`, `openid`, and `profile`. The `aws.cognito.signin.user.admin` scope authorizes user self-service operations. Custom scopes with resource servers authorize access to external APIs.  
Type: Array of strings  
Array Members: Maximum number of 50 items.  
Length Constraints: Minimum length of 1. Maximum length of 256.  
Pattern: `[\x21\x23-\x5B\x5D-\x7E]+`   
Required: No

 ** [AnalyticsConfiguration](#API_CreateUserPoolClient_RequestSyntax) **   <a name="CognitoUserPools-CreateUserPoolClient-request-AnalyticsConfiguration"></a>
The user pool analytics configuration for collecting metrics and sending them to your Amazon Pinpoint campaign.  
In AWS Regions where Amazon Pinpoint isn't available, user pools might not have access to analytics or might be configurable with campaigns in the US East (N. Virginia) Region. For more information, see [Using Amazon Pinpoint analytics](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-pinpoint-integration.html).  
Type: [AnalyticsConfigurationType](API_AnalyticsConfigurationType.md) object  
Required: No

 ** [AuthSessionValidity](#API_CreateUserPoolClient_RequestSyntax) **   <a name="CognitoUserPools-CreateUserPoolClient-request-AuthSessionValidity"></a>
Amazon Cognito creates a session token for each API request in an authentication flow. `AuthSessionValidity` is the duration, in minutes, of that session token. Your user pool native user must respond to each authentication challenge before the session expires.  
Type: Integer  
Valid Range: Minimum value of 3. Maximum value of 15.  
Required: No

 ** [CallbackURLs](#API_CreateUserPoolClient_RequestSyntax) **   <a name="CognitoUserPools-CreateUserPoolClient-request-CallbackURLs"></a>
A list of allowed redirect, or callback, URLs for managed login authentication. These URLs are the paths where you want to send your users' browsers after they complete authentication with managed login or a third-party IdP. Typically, callback URLs are the home of an application that uses OAuth or OIDC libraries to process authentication outcomes.  
A redirect URI must meet the following requirements:  
+ Be an absolute URI.
+ Be registered with the authorization server. Amazon Cognito doesn't accept authorization requests with `redirect_uri` values that aren't in the list of `CallbackURLs` that you provide in this parameter.
+ Not include a fragment component.
See [OAuth 2.0 - Redirection Endpoint](https://tools.ietf.org/html/rfc6749#section-3.1.2).  
Amazon Cognito requires HTTPS over HTTP except for callback URLs to `http://localhost`, `http://127.0.0.1` and `http://[::1]`. These callback URLs are for testing purposes only. You can specify custom TCP ports for your callback URLs.  
App callback URLs such as `myapp://example` are also supported.  
Type: Array of strings  
Array Members: Minimum number of 0 items. Maximum number of 100 items.  
Length Constraints: Minimum length of 1. Maximum length of 1024.  
Pattern: `[\p{L}\p{M}\p{S}\p{N}\p{P}]+`   
Required: No

 ** [ClientName](#API_CreateUserPoolClient_RequestSyntax) **   <a name="CognitoUserPools-CreateUserPoolClient-request-ClientName"></a>
A friendly name for the app client that you want to create.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 128.  
Pattern: `[\w\s+=,.@-]+`   
Required: Yes

 ** [ClientSecret](#API_CreateUserPoolClient_RequestSyntax) **   <a name="CognitoUserPools-CreateUserPoolClient-request-ClientSecret"></a>
A custom client secret that you want to use for the app client. You cannot specify both GenerateSecret as true and provide a ClientSecret value.  
Type: String  
Length Constraints: Minimum length of 24. Maximum length of 64.  
Pattern: `[\w+]+`   
Required: No

 ** [DefaultRedirectURI](#API_CreateUserPoolClient_RequestSyntax) **   <a name="CognitoUserPools-CreateUserPoolClient-request-DefaultRedirectURI"></a>
The default redirect URI. In app clients with one assigned IdP, replaces `redirect_uri` in authentication requests. Must be in the `CallbackURLs` list.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 1024.  
Pattern: `[\p{L}\p{M}\p{S}\p{N}\p{P}]+`   
Required: No

 ** [EnablePropagateAdditionalUserContextData](#API_CreateUserPoolClient_RequestSyntax) **   <a name="CognitoUserPools-CreateUserPoolClient-request-EnablePropagateAdditionalUserContextData"></a>
When `true`, your application can include additional `UserContextData` in authentication requests. This data includes the IP address, and contributes to analysis by threat protection features. For more information about propagation of user context data, see [Adding session data to API requests](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-adaptive-authentication.html#user-pool-settings-adaptive-authentication-device-fingerprint). If you don’t include this parameter, you can't send the source IP address to Amazon Cognito threat protection features. You can only activate `EnablePropagateAdditionalUserContextData` in an app client that has a client secret.  
Type: Boolean  
Required: No

 ** [EnableTokenRevocation](#API_CreateUserPoolClient_RequestSyntax) **   <a name="CognitoUserPools-CreateUserPoolClient-request-EnableTokenRevocation"></a>
Activates or deactivates [token revocation](https://docs.aws.amazon.com/cognito/latest/developerguide/token-revocation.html) in the target app client.  
Revoke tokens with [RevokeToken](API_RevokeToken.md).  
If you don't include this parameter, token revocation is automatically activated for the new user pool client.  
Type: Boolean  
Required: No

 ** [ExplicitAuthFlows](#API_CreateUserPoolClient_RequestSyntax) **   <a name="CognitoUserPools-CreateUserPoolClient-request-ExplicitAuthFlows"></a>
The [authentication flows](https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-authentication-flow-methods.html) that you want your user pool client to support. For each app client in your user pool, you can sign in your users with any combination of one or more flows, including with a user name and Secure Remote Password (SRP), a user name and password, or a custom authentication process that you define with Lambda functions.  
If you don't specify a value for `ExplicitAuthFlows`, your app client supports `ALLOW_REFRESH_TOKEN_AUTH`, `ALLOW_USER_SRP_AUTH`, and `ALLOW_CUSTOM_AUTH`. 
The values for authentication flow options include the following.  
+  `ALLOW_USER_AUTH`: Enable selection-based sign-in with `USER_AUTH`. This setting covers username-password, secure remote password (SRP), passwordless, and passkey authentication. This authentiation flow can do username-password and SRP authentication without other `ExplicitAuthFlows` permitting them. For example users can complete an SRP challenge through `USER_AUTH` without the flow `USER_SRP_AUTH` being active for the app client. This flow doesn't include `CUSTOM_AUTH`. 

  To activate this setting, your user pool must be in the [ Essentials tier](https://docs.aws.amazon.com/cognito/latest/developerguide/feature-plans-features-essentials.html) or higher.
+  `ALLOW_ADMIN_USER_PASSWORD_AUTH`: Enable admin based user password authentication flow `ADMIN_USER_PASSWORD_AUTH`. This setting replaces the `ADMIN_NO_SRP_AUTH` setting. With this authentication flow, your app passes a user name and password to Amazon Cognito in the request, instead of using the Secure Remote Password (SRP) protocol to securely transmit the password.
+  `ALLOW_CUSTOM_AUTH`: Enable Lambda trigger based authentication.
+  `ALLOW_USER_PASSWORD_AUTH`: Enable user password-based authentication. In this flow, Amazon Cognito receives the password in the request instead of using the SRP protocol to verify passwords.
+  `ALLOW_USER_SRP_AUTH`: Enable SRP-based authentication.
+  `ALLOW_REFRESH_TOKEN_AUTH`: Enable authflow to refresh tokens.
In some environments, you will see the values `ADMIN_NO_SRP_AUTH`, `CUSTOM_AUTH_FLOW_ONLY`, or `USER_PASSWORD_AUTH`. You can't assign these legacy `ExplicitAuthFlows` values to user pool clients at the same time as values that begin with `ALLOW_`, like `ALLOW_USER_SRP_AUTH`.  
Type: Array of strings  
Valid Values: `ADMIN_NO_SRP_AUTH | CUSTOM_AUTH_FLOW_ONLY | USER_PASSWORD_AUTH | ALLOW_ADMIN_USER_PASSWORD_AUTH | ALLOW_CUSTOM_AUTH | ALLOW_USER_PASSWORD_AUTH | ALLOW_USER_SRP_AUTH | ALLOW_REFRESH_TOKEN_AUTH | ALLOW_USER_AUTH`   
Required: No

 ** [GenerateSecret](#API_CreateUserPoolClient_RequestSyntax) **   <a name="CognitoUserPools-CreateUserPoolClient-request-GenerateSecret"></a>
When `true`, generates a client secret for the app client. Client secrets are used with server-side and machine-to-machine applications. Client secrets are automatically generated; you can't specify a secret value. For more information, see [App client types](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-client-apps.html#user-pool-settings-client-app-client-types).  
Type: Boolean  
Required: No

 ** [IdTokenValidity](#API_CreateUserPoolClient_RequestSyntax) **   <a name="CognitoUserPools-CreateUserPoolClient-request-IdTokenValidity"></a>
The ID token time limit. After this limit expires, your user can't use their ID token. To specify the time unit for `IdTokenValidity` as `seconds`, `minutes`, `hours`, or `days`, set a `TokenValidityUnits` value in your API request.  
For example, when you set `IdTokenValidity` as `10` and `TokenValidityUnits` as `hours`, your user can authenticate their session with their ID token for 10 hours.  
The default time unit for `IdTokenValidity` in an API request is hours. *Valid range* is displayed below in seconds.  
If you don't specify otherwise in the configuration of your app client, your ID tokens are valid for one hour.  
Type: Integer  
Valid Range: Minimum value of 1. Maximum value of 86400.  
Required: No

 ** [LogoutURLs](#API_CreateUserPoolClient_RequestSyntax) **   <a name="CognitoUserPools-CreateUserPoolClient-request-LogoutURLs"></a>
A list of allowed logout URLs for managed login authentication. When you pass `logout_uri` and `client_id` parameters to `/logout`, Amazon Cognito signs out your user and redirects them to the logout URL. This parameter describes the URLs that you want to be the permitted targets of `logout_uri`. A typical use of these URLs is when a user selects "Sign out" and you redirect them to your public homepage. For more information, see [Logout endpoint](https://docs.aws.amazon.com/cognito/latest/developerguide/logout-endpoint.html).  
Type: Array of strings  
Array Members: Minimum number of 0 items. Maximum number of 100 items.  
Length Constraints: Minimum length of 1. Maximum length of 1024.  
Pattern: `[\p{L}\p{M}\p{S}\p{N}\p{P}]+`   
Required: No

 ** [PreventUserExistenceErrors](#API_CreateUserPoolClient_RequestSyntax) **   <a name="CognitoUserPools-CreateUserPoolClient-request-PreventUserExistenceErrors"></a>
When `ENABLED`, suppresses messages that might indicate a valid user exists when someone attempts sign-in. This parameters sets your preference for the errors and responses that you want Amazon Cognito APIs to return during authentication, account confirmation, and password recovery when the user doesn't exist in the user pool. When set to `ENABLED` and the user doesn't exist, authentication returns an error indicating either the username or password was incorrect. Account confirmation and password recovery return a response indicating a code was sent to a simulated destination. When set to `LEGACY`, those APIs return a `UserNotFoundException` exception if the user doesn't exist in the user pool.  
Defaults to `LEGACY`.  
This setting affects the behavior of the following API operations.  
+  [AdminInitiateAuth](API_AdminInitiateAuth.md) 
+  [AdminRespondToAuthChallenge](API_AdminRespondToAuthChallenge.md) 
+  [InitiateAuth](API_InitiateAuth.md) 
+  [RespondToAuthChallenge](API_RespondToAuthChallenge.md) 
+  [ForgotPassword](API_ForgotPassword.md) 
+  [ConfirmForgotPassword](API_ConfirmForgotPassword.md) 
+  [ConfirmSignUp](API_ConfirmSignUp.md) 
+  [ResendConfirmationCode](API_ResendConfirmationCode.md) 
Type: String  
Valid Values: `LEGACY | ENABLED`   
Required: No

 ** [ReadAttributes](#API_CreateUserPoolClient_RequestSyntax) **   <a name="CognitoUserPools-CreateUserPoolClient-request-ReadAttributes"></a>
The list of user attributes that you want your app client to have read access to. After your user authenticates in your app, their access token authorizes them to read their own attribute value for any attribute in this list.  
An example of this kind of activity is when your user selects a link to view their profile information. Your app makes a [GetUser](API_GetUser.md) API request to retrieve and display your user's profile data.  
When you don't specify the `ReadAttributes` for your app client, your app can read the values of `email_verified`, `phone_number_verified`, and the standard attributes of your user pool. When your user pool app client has read access to these default attributes, `ReadAttributes` doesn't return any information. Amazon Cognito only populates `ReadAttributes` in the API response if you have specified your own custom set of read attributes.  
Type: Array of strings  
Length Constraints: Minimum length of 1. Maximum length of 2048.  
Required: No

 ** [RefreshTokenRotation](#API_CreateUserPoolClient_RequestSyntax) **   <a name="CognitoUserPools-CreateUserPoolClient-request-RefreshTokenRotation"></a>
The configuration of your app client for refresh token rotation. When enabled, your app client issues new ID, access, and refresh tokens when users renew their sessions with refresh tokens. When disabled, token refresh issues only ID and access tokens.  
Refresh token rotation must be completed with [GetTokensFromRefreshToken](API_GetTokensFromRefreshToken.md). With refresh token rotation disabled, you can complete token refresh with `GetTokensFromRefreshToken` and with `REFRESH_TOKEN_AUTH` in [InitiateAuth:AuthFlow](API_InitiateAuth.md#CognitoUserPools-InitiateAuth-request-AuthFlow) and [AdminInitiateAuth:AuthFlow](API_AdminInitiateAuth.md#CognitoUserPools-AdminInitiateAuth-request-AuthFlow).  
Type: [RefreshTokenRotationType](API_RefreshTokenRotationType.md) object  
Required: No

 ** [RefreshTokenValidity](#API_CreateUserPoolClient_RequestSyntax) **   <a name="CognitoUserPools-CreateUserPoolClient-request-RefreshTokenValidity"></a>
The refresh token time limit. After this limit expires, your user can't use their refresh token. To specify the time unit for `RefreshTokenValidity` as `seconds`, `minutes`, `hours`, or `days`, set a `TokenValidityUnits` value in your API request.  
For example, when you set `RefreshTokenValidity` as `10` and `TokenValidityUnits` as `days`, your user can refresh their session and retrieve new access and ID tokens for 10 days.  
The default time unit for `RefreshTokenValidity` in an API request is days. You can't set `RefreshTokenValidity` to 0. If you do, Amazon Cognito overrides the value with the default value of 30 days. *Valid range* is displayed below in seconds.  
If you don't specify otherwise in the configuration of your app client, your refresh tokens are valid for 30 days.  
Type: Integer  
Valid Range: Minimum value of 0. Maximum value of 315360000.  
Required: No

 ** [SupportedIdentityProviders](#API_CreateUserPoolClient_RequestSyntax) **   <a name="CognitoUserPools-CreateUserPoolClient-request-SupportedIdentityProviders"></a>
A list of provider names for the identity providers (IdPs) that are supported on this client. The following are supported: `COGNITO`, `Facebook`, `Google`, `SignInWithApple`, and `LoginWithAmazon`. You can also specify the names that you configured for the SAML and OIDC IdPs in your user pool, for example `MySAMLIdP` or `MyOIDCIdP`.  
This parameter sets the IdPs that [managed login](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-managed-login.html) will display on the login page for your app client. The removal of `COGNITO` from this list doesn't prevent authentication operations for local users with the user pools API in an AWS SDK. The only way to prevent SDK-based authentication is to block access with a [AWS WAF rule](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-waf.html).   
Type: Array of strings  
Length Constraints: Minimum length of 1. Maximum length of 32.  
Pattern: `[\p{L}\p{M}\p{S}\p{N}\p{P}\p{Z}]+`   
Required: No

 ** [TokenValidityUnits](#API_CreateUserPoolClient_RequestSyntax) **   <a name="CognitoUserPools-CreateUserPoolClient-request-TokenValidityUnits"></a>
The units that validity times are represented in. The default unit for refresh tokens is days, and the default for ID and access tokens are hours.  
Type: [TokenValidityUnitsType](API_TokenValidityUnitsType.md) object  
Required: No

 ** [UserPoolId](#API_CreateUserPoolClient_RequestSyntax) **   <a name="CognitoUserPools-CreateUserPoolClient-request-UserPoolId"></a>
The ID of the user pool where you want to create an app client.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 55.  
Pattern: `[\w-]+_[0-9a-zA-Z]+`   
Required: Yes

 ** [WriteAttributes](#API_CreateUserPoolClient_RequestSyntax) **   <a name="CognitoUserPools-CreateUserPoolClient-request-WriteAttributes"></a>
The list of user attributes that you want your app client to have write access to. After your user authenticates in your app, their access token authorizes them to set or modify their own attribute value for any attribute in this list.  
An example of this kind of activity is when you present your user with a form to update their profile information and they change their last name. Your app then makes an [UpdateUserAttributes](API_UpdateUserAttributes.md) API request and sets `family_name` to the new value.   
When you don't specify the `WriteAttributes` for your app client, your app can write the values of the Standard attributes of your user pool. When your user pool has write access to these default attributes, `WriteAttributes` doesn't return any information. Amazon Cognito only populates `WriteAttributes` in the API response if you have specified your own custom set of write attributes.  
If your app client allows users to sign in through an IdP, this array must include all attributes that you have mapped to IdP attributes. Amazon Cognito updates mapped attributes when users sign in to your application through an IdP. If your app client does not have write access to a mapped attribute, Amazon Cognito throws an error when it tries to update the attribute. For more information, see [Specifying IdP Attribute Mappings for Your user pool](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-specifying-attribute-mapping.html).  
Type: Array of strings  
Length Constraints: Minimum length of 1. Maximum length of 2048.  
Required: No

## Response Syntax


```
{
   "UserPoolClient": { 
      "AccessTokenValidity": number,
      "AllowedOAuthFlows": [ "string" ],
      "AllowedOAuthFlowsUserPoolClient": boolean,
      "AllowedOAuthScopes": [ "string" ],
      "AnalyticsConfiguration": { 
         "ApplicationArn": "string",
         "ApplicationId": "string",
         "ExternalId": "string",
         "RoleArn": "string",
         "UserDataShared": boolean
      },
      "AuthSessionValidity": number,
      "CallbackURLs": [ "string" ],
      "ClientId": "string",
      "ClientName": "string",
      "ClientSecret": "string",
      "CreationDate": number,
      "DefaultRedirectURI": "string",
      "EnablePropagateAdditionalUserContextData": boolean,
      "EnableTokenRevocation": boolean,
      "ExplicitAuthFlows": [ "string" ],
      "IdTokenValidity": number,
      "LastModifiedDate": number,
      "LogoutURLs": [ "string" ],
      "PreventUserExistenceErrors": "string",
      "ReadAttributes": [ "string" ],
      "RefreshTokenRotation": { 
         "Feature": "string",
         "RetryGracePeriodSeconds": number
      },
      "RefreshTokenValidity": number,
      "SupportedIdentityProviders": [ "string" ],
      "TokenValidityUnits": { 
         "AccessToken": "string",
         "IdToken": "string",
         "RefreshToken": "string"
      },
      "UserPoolId": "string",
      "WriteAttributes": [ "string" ]
   }
}
```

## Response Elements


If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

 ** [UserPoolClient](#API_CreateUserPoolClient_ResponseSyntax) **   <a name="CognitoUserPools-CreateUserPoolClient-response-UserPoolClient"></a>
The details of the new app client.  
Type: [UserPoolClientType](API_UserPoolClientType.md) object

## Errors


For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).

 ** FeatureUnavailableInTierException **   
This exception is thrown when a feature you attempted to configure isn't available in your current feature plan.  
HTTP Status Code: 400

 ** InternalErrorException **   
This exception is thrown when Amazon Cognito encounters an internal error.    
 ** message **   
The message returned when Amazon Cognito throws an internal error exception.
HTTP Status Code: 500

 ** InvalidOAuthFlowException **   
This exception is thrown when the specified OAuth flow is not valid.  
HTTP Status Code: 400

 ** InvalidParameterException **   
This exception is thrown when the Amazon Cognito service encounters an invalid parameter.    
 ** message **   
The message returned when the Amazon Cognito service throws an invalid parameter exception.  
 ** reasonCode **   
The reason code of the exception.
HTTP Status Code: 400

 ** LimitExceededException **   
This exception is thrown when a user exceeds the limit for a requested AWS resource.    
 ** message **   
The message returned when Amazon Cognito throws a limit exceeded exception.
HTTP Status Code: 400

 ** NotAuthorizedException **   
This exception is thrown when a user isn't authorized.    
 ** message **   
The message returned when the Amazon Cognito service returns a not authorized exception.
HTTP Status Code: 400

 ** ResourceNotFoundException **   
This exception is thrown when the Amazon Cognito service can't find the requested resource.    
 ** message **   
The message returned when the Amazon Cognito service returns a resource not found exception.
HTTP Status Code: 400

 ** ScopeDoesNotExistException **   
This exception is thrown when the specified scope doesn't exist.  
HTTP Status Code: 400

 ** TooManyRequestsException **   
This exception is thrown when the user has made too many requests for a given operation.    
 ** message **   
The message returned when the Amazon Cognito service returns a too many requests exception.
HTTP Status Code: 400

## Examples


### Example


The following example creates an app client with all configurable properties set to an example value. The resulting user pool client connects to an analytics client, allows sign-in with username and password, and has two external identity providers associated with it.

#### Sample Request


```
POST HTTP/1.1
Host: cognito-idp.us-east-1.amazonaws.com
X-Amz-Date: 20230613T200059Z
Accept-Encoding: gzip, deflate, br
X-Amz-Target: AWSCognitoIdentityProviderService.CreateUserPoolClient
User-Agent: <UserAgentString>
Authorization: AWS4-HMAC-SHA256 Credential=<Credential>, SignedHeaders=<Headers>, Signature=<Signature>
Content-Length: <PayloadSizeBytes>

{
    "AccessTokenValidity": 6,
    "AllowedOAuthFlows": [
        "code"
    ],
    "AllowedOAuthFlowsUserPoolClient": true,
    "AllowedOAuthScopes": [
        "aws.cognito.signin.user.admin",
        "openid"
    ],
    "AnalyticsConfiguration": {
        "ApplicationId": "d70b2ba36a8c4dc5a04a0451a31a1e12",
        "ExternalId": "my-external-id",
        "RoleArn": "arn:aws:iam::123456789012:role/test-cognitouserpool-role",
        "UserDataShared": true
    },
    "CallbackURLs": [
        "https://example.com",
        "http://localhost",
        "myapp://example"
    ],
    "ClientName": "my-test-app-client",
    "DefaultRedirectURI": "https://example.com",
    "ExplicitAuthFlows": [
        "ALLOW_USER_AUTH",
        "ALLOW_ADMIN_USER_PASSWORD_AUTH",
        "ALLOW_USER_PASSWORD_AUTH",
        "ALLOW_REFRESH_TOKEN_AUTH"
    ],
    "GenerateSecret": true,
    "IdTokenValidity": 6,
    "LogoutURLs": [
        "https://example.com/logout"
    ],
    "PreventUserExistenceErrors": "ENABLED",
    "ReadAttributes": [
        "email",
        "address",
        "preferred_username"
    ],
    "RefreshTokenValidity": 6,
    "SupportedIdentityProviders": [
        "SignInWithApple",
        "MySSO"
    ],
    "TokenValidityUnits": {
        "AccessToken": "hours",
        "IdToken": "minutes",
        "RefreshToken": "days"
    },
    "UserPoolId": "us-east-1_EXAMPLE",
    "WriteAttributes": [
        "family_name",
        "email"
    ]
}
```

#### Sample Response


```
HTTP/1.1 200 OK
Date: Tue, 13 Jun 2023 20:00:59 GMT
Content-Type: application/x-amz-json-1.0
Content-Length: <PayloadSizeBytes>
x-amzn-requestid: a1b2c3d4-e5f6-a1b2-c3d4-EXAMPLE11111
Connection: keep-alive

{
      "UserPoolClient": {
        "AccessTokenValidity": 6,
        "AllowedOAuthFlows": [
          "code"
        ],
        "AllowedOAuthFlowsUserPoolClient": true,
        "AllowedOAuthScopes": [
          "aws.cognito.signin.user.admin",
          "openid"
        ],
        "AnalyticsConfiguration": {
          "ApplicationId": "d70b2ba36a8c4dc5a04a0451a31a1e12",
          "ExternalId": "my-external-id",
          "RoleArn": "arn:aws:iam::123456789012:role/test-cognitouserpool-role",
          "UserDataShared": true
        },
        "AuthSessionValidity": 3,
        "CallbackURLs": [
          "https://example.com",
          "http://localhost",
          "myapp://example"
        ],
        "ClientId": "1example23456789",
        "ClientName": "my-test-app-client",
        "ClientSecret": "13ka4h7u28d9oo44tqpq9djqsfvhvu8rk4d2ighvpu0k8fj1c2r9",
        "CreationDate": 1689885426.107,
        "DefaultRedirectURI": "https://example.com",
        "EnablePropagateAdditionalUserContextData": false,
        "EnableTokenRevocation": true,
        "ExplicitAuthFlows": [
          "ALLOW_USER_AUTH",
          "ALLOW_USER_PASSWORD_AUTH",
          "ALLOW_ADMIN_USER_PASSWORD_AUTH",
          "ALLOW_REFRESH_TOKEN_AUTH"
        ],
        "IdTokenValidity": 6,
        "LastModifiedDate": 1689885426.107,
        "LogoutURLs": [
          "https://example.com/logout"
        ],
        "PreventUserExistenceErrors": "ENABLED",
        "ReadAttributes": [
          "address",
          "preferred_username",
          "email"
        ],
        "RefreshTokenValidity": 6,
        "SupportedIdentityProviders": [
          "SignInWithApple",
          "MySSO"
        ],
        "TokenValidityUnits": {
          "AccessToken": "hours",
          "IdToken": "minutes",
          "RefreshToken": "days"
        },
        "UserPoolId": "us-east-1_EXAMPLE",
        "WriteAttributes": [
          "family_name",
          "email"
        ]
      }
}
```

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cognito-idp-2016-04-18/CreateUserPoolClient) 
+  [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cognito-idp-2016-04-18/CreateUserPoolClient) 
+  [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/CreateUserPoolClient) 
+  [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cognito-idp-2016-04-18/CreateUserPoolClient) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/CreateUserPoolClient) 
+  [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cognito-idp-2016-04-18/CreateUserPoolClient) 
+  [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cognito-idp-2016-04-18/CreateUserPoolClient) 
+  [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cognito-idp-2016-04-18/CreateUserPoolClient) 
+  [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/CreateUserPoolClient) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cognito-idp-2016-04-18/CreateUserPoolClient) 

# CreateUserPoolDomain


A user pool domain hosts managed login, an authorization server and web server for authentication in your application. This operation creates a new user pool prefix domain or custom domain and sets the managed login branding version. Set the branding version to `1` for hosted UI (classic) or `2` for managed login. When you choose a custom domain, you must provide an SSL certificate in the US East (N. Virginia) AWS Region in your request.

Your prefix domain might take up to one minute to take effect. Your custom domain is online within five minutes, but it can take up to one hour to distribute your SSL certificate.

For more information about adding a custom domain to your user pool, see [Configuring a user pool domain](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-add-custom-domain.html).

**Note**  
Amazon Cognito evaluates AWS Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.  
 [Signing AWS API Requests](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html) 
 [Using the Amazon Cognito user pools API and user pool endpoints](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html) 

## Request Syntax


```
{
   "CustomDomainConfig": { 
      "CertificateArn": "string"
   },
   "Domain": "string",
   "ManagedLoginVersion": number,
   "UserPoolId": "string"
}
```

## Request Parameters


For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).

The request accepts the following data in JSON format.

 ** [CustomDomainConfig](#API_CreateUserPoolDomain_RequestSyntax) **   <a name="CognitoUserPools-CreateUserPoolDomain-request-CustomDomainConfig"></a>
The configuration for a custom domain. Configures your domain with an AWS Certificate Manager certificate in the `us-east-1` Region.  
Provide this parameter only if you want to use a [custom domain](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-add-custom-domain.html) for your user pool. Otherwise, you can omit this parameter and use a [prefix domain](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-assign-domain-prefix.html) instead.  
When you create a custom domain, the passkey RP ID defaults to the custom domain. If you had a prefix domain active, this will cause passkey integration for your prefix domain to stop working due to a mismatch in RP ID. To keep the prefix domain passkey integration working, you can explicitly set RP ID to the prefix domain.  
Update the RP ID in a [SetUserPoolMfaConfig](API_SetUserPoolMfaConfig.md) request.  
Type: [CustomDomainConfigType](API_CustomDomainConfigType.md) object  
Required: No

 ** [Domain](#API_CreateUserPoolDomain_RequestSyntax) **   <a name="CognitoUserPools-CreateUserPoolDomain-request-Domain"></a>
The domain string. For custom domains, this is the fully-qualified domain name, such as `auth.example.com`. For prefix domains, this is the prefix alone, such as `myprefix`. A prefix value of `myprefix` for a user pool in the `us-east-1` Region results in a domain of `myprefix.auth.us-east-1.amazoncognito.com`.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 63.  
Pattern: `^[a-z0-9](?:[a-z0-9\-]{0,61}[a-z0-9])?$`   
Required: Yes

 ** [ManagedLoginVersion](#API_CreateUserPoolDomain_RequestSyntax) **   <a name="CognitoUserPools-CreateUserPoolDomain-request-ManagedLoginVersion"></a>
The version of managed login branding that you want to apply to your domain. A value of `1` indicates hosted UI (classic) and a version of `2` indicates managed login.  
Managed login requires that your user pool be configured for any [feature plan](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-sign-in-feature-plans.html) other than `Lite`.  
Type: Integer  
Required: No

 ** [UserPoolId](#API_CreateUserPoolDomain_RequestSyntax) **   <a name="CognitoUserPools-CreateUserPoolDomain-request-UserPoolId"></a>
The ID of the user pool where you want to add a domain.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 55.  
Pattern: `[\w-]+_[0-9a-zA-Z]+`   
Required: Yes

## Response Syntax


```
{
   "CloudFrontDomain": "string",
   "ManagedLoginVersion": number
}
```

## Response Elements


If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

 ** [CloudFrontDomain](#API_CreateUserPoolDomain_ResponseSyntax) **   <a name="CognitoUserPools-CreateUserPoolDomain-response-CloudFrontDomain"></a>
The fully-qualified domain name (FQDN) of the Amazon CloudFront distribution that hosts your managed login or classic hosted UI pages. Your domain-name authority must have an alias record that points requests for your custom domain to this FQDN. Amazon Cognito returns this value if you set a custom domain with `CustomDomainConfig`. If you set an Amazon Cognito prefix domain, this parameter returns null.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 63.  
Pattern: `^[a-z0-9](?:[a-z0-9\-]{0,61}[a-z0-9])?$` 

 ** [ManagedLoginVersion](#API_CreateUserPoolDomain_ResponseSyntax) **   <a name="CognitoUserPools-CreateUserPoolDomain-response-ManagedLoginVersion"></a>
The version of managed login branding applied your domain. A value of `1` indicates hosted UI (classic) and a version of `2` indicates managed login.  
Type: Integer

## Errors


For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).

 ** ConcurrentModificationException **   
This exception is thrown if two or more modifications are happening concurrently.    
 ** message **   
The message provided when the concurrent exception is thrown.
HTTP Status Code: 400

 ** FeatureUnavailableInTierException **   
This exception is thrown when a feature you attempted to configure isn't available in your current feature plan.  
HTTP Status Code: 400

 ** InternalErrorException **   
This exception is thrown when Amazon Cognito encounters an internal error.    
 ** message **   
The message returned when Amazon Cognito throws an internal error exception.
HTTP Status Code: 500

 ** InvalidParameterException **   
This exception is thrown when the Amazon Cognito service encounters an invalid parameter.    
 ** message **   
The message returned when the Amazon Cognito service throws an invalid parameter exception.  
 ** reasonCode **   
The reason code of the exception.
HTTP Status Code: 400

 ** LimitExceededException **   
This exception is thrown when a user exceeds the limit for a requested AWS resource.    
 ** message **   
The message returned when Amazon Cognito throws a limit exceeded exception.
HTTP Status Code: 400

 ** NotAuthorizedException **   
This exception is thrown when a user isn't authorized.    
 ** message **   
The message returned when the Amazon Cognito service returns a not authorized exception.
HTTP Status Code: 400

 ** ResourceNotFoundException **   
This exception is thrown when the Amazon Cognito service can't find the requested resource.    
 ** message **   
The message returned when the Amazon Cognito service returns a resource not found exception.
HTTP Status Code: 400

## Examples


### Example


The following example creates a user pool custom domain. Amazon Cognito creates resources for the resulting domain `auth.example.com` at the CloudFront distribution `example.cloudfront.net`.

#### Sample Request


```
POST HTTP/1.1
Host: cognito-idp.ca-central-1.amazonaws.com
X-Amz-Date: 20230613T200059Z
Accept-Encoding: gzip, deflate, br
X-Amz-Target: AWSCognitoIdentityProviderService.CreateUserPoolDomain
User-Agent: <UserAgentString>
Authorization: AWS4-HMAC-SHA256 Credential=<Credential>, SignedHeaders=<Headers>, Signature=<Signature>
Content-Length: <PayloadSizeBytes>
{
   "CustomDomainConfig": {
      "CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
   },
   "Domain": "auth.example.com",
   "ManagedLoginVersion": 2,
   "UserPoolId": "ca-central-1_EXAMPLE"
}
```

#### Sample Response


```
HTTP/1.1 200 OK
Date: Tue, 13 Jun 2023 20:00:59 GMT
Content-Type: application/x-amz-json-1.0
Content-Length: <PayloadSizeBytes>
x-amzn-requestid: a1b2c3d4-e5f6-a1b2-c3d4-EXAMPLE11111
Connection: keep-alive
{
	"CloudFrontDomain": "example.cloudfront.net",
	"ManagedLoginVersion": 2
}
```

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cognito-idp-2016-04-18/CreateUserPoolDomain) 
+  [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cognito-idp-2016-04-18/CreateUserPoolDomain) 
+  [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/CreateUserPoolDomain) 
+  [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cognito-idp-2016-04-18/CreateUserPoolDomain) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/CreateUserPoolDomain) 
+  [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cognito-idp-2016-04-18/CreateUserPoolDomain) 
+  [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cognito-idp-2016-04-18/CreateUserPoolDomain) 
+  [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cognito-idp-2016-04-18/CreateUserPoolDomain) 
+  [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/CreateUserPoolDomain) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cognito-idp-2016-04-18/CreateUserPoolDomain) 

# DeleteGroup


Deletes a group from the specified user pool. When you delete a group, that group no longer contributes to users' `cognito:preferred_group` or `cognito:groups` claims, and no longer influence access-control decision that are based on group membership. For more information about user pool groups, see [Adding groups to a user pool](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-user-groups.html).

**Note**  
Amazon Cognito evaluates AWS Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.  
 [Signing AWS API Requests](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html) 
 [Using the Amazon Cognito user pools API and user pool endpoints](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html) 

## Request Syntax


```
{
   "GroupName": "string",
   "UserPoolId": "string"
}
```

## Request Parameters


For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).

The request accepts the following data in JSON format.

 ** [GroupName](#API_DeleteGroup_RequestSyntax) **   <a name="CognitoUserPools-DeleteGroup-request-GroupName"></a>
The name of the group that you want to delete.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 128.  
Pattern: `[\p{L}\p{M}\p{S}\p{N}\p{P}]+`   
Required: Yes

 ** [UserPoolId](#API_DeleteGroup_RequestSyntax) **   <a name="CognitoUserPools-DeleteGroup-request-UserPoolId"></a>
The ID of the user pool where you want to delete the group.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 55.  
Pattern: `[\w-]+_[0-9a-zA-Z]+`   
Required: Yes

## Response Elements


If the action is successful, the service sends back an HTTP 200 response with an empty HTTP body.

## Errors


For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).

 ** InternalErrorException **   
This exception is thrown when Amazon Cognito encounters an internal error.    
 ** message **   
The message returned when Amazon Cognito throws an internal error exception.
HTTP Status Code: 500

 ** InvalidParameterException **   
This exception is thrown when the Amazon Cognito service encounters an invalid parameter.    
 ** message **   
The message returned when the Amazon Cognito service throws an invalid parameter exception.  
 ** reasonCode **   
The reason code of the exception.
HTTP Status Code: 400

 ** NotAuthorizedException **   
This exception is thrown when a user isn't authorized.    
 ** message **   
The message returned when the Amazon Cognito service returns a not authorized exception.
HTTP Status Code: 400

 ** ResourceNotFoundException **   
This exception is thrown when the Amazon Cognito service can't find the requested resource.    
 ** message **   
The message returned when the Amazon Cognito service returns a resource not found exception.
HTTP Status Code: 400

 ** TooManyRequestsException **   
This exception is thrown when the user has made too many requests for a given operation.    
 ** message **   
The message returned when the Amazon Cognito service returns a too many requests exception.
HTTP Status Code: 400

## Examples


### Example


The following example request deletes the group `ExampleGroup` in the user pool `us-west-2_EXAMPLE`.

#### Sample Request


```
POST HTTP/1.1
Host: cognito-idp.us-west-2.amazonaws.com
X-Amz-Date: 20230613T200059Z
Accept-Encoding: gzip, deflate, br
X-Amz-Target: AWSCognitoIdentityProviderService.DeleteGroup
User-Agent: <UserAgentString>
Authorization: AWS4-HMAC-SHA256 Credential=<Credential>, SignedHeaders=<Headers>, Signature=<Signature>
Content-Length: <PayloadSizeBytes>
{
   "GroupName": "ExampleGroup",
   "UserPoolId": "us-west-2_EXAMPLE"
}
```

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cognito-idp-2016-04-18/DeleteGroup) 
+  [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cognito-idp-2016-04-18/DeleteGroup) 
+  [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/DeleteGroup) 
+  [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cognito-idp-2016-04-18/DeleteGroup) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/DeleteGroup) 
+  [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cognito-idp-2016-04-18/DeleteGroup) 
+  [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cognito-idp-2016-04-18/DeleteGroup) 
+  [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cognito-idp-2016-04-18/DeleteGroup) 
+  [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/DeleteGroup) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cognito-idp-2016-04-18/DeleteGroup) 

# DeleteIdentityProvider


Deletes a user pool identity provider (IdP). After you delete an IdP, users can no longer sign in to your user pool through that IdP. For more information about user pool IdPs, see [Third-party IdP sign-in](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-identity-federation.html).

**Note**  
Amazon Cognito evaluates AWS Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.  
 [Signing AWS API Requests](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html) 
 [Using the Amazon Cognito user pools API and user pool endpoints](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html) 

## Request Syntax


```
{
   "ProviderName": "string",
   "UserPoolId": "string"
}
```

## Request Parameters


For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).

The request accepts the following data in JSON format.

 ** [ProviderName](#API_DeleteIdentityProvider_RequestSyntax) **   <a name="CognitoUserPools-DeleteIdentityProvider-request-ProviderName"></a>
The name of the IdP that you want to delete.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 32.  
Pattern: `[\p{L}\p{M}\p{S}\p{N}\p{P}\p{Z}]+`   
Required: Yes

 ** [UserPoolId](#API_DeleteIdentityProvider_RequestSyntax) **   <a name="CognitoUserPools-DeleteIdentityProvider-request-UserPoolId"></a>
The ID of the user pool where you want to delete the identity provider.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 55.  
Pattern: `[\w-]+_[0-9a-zA-Z]+`   
Required: Yes

## Response Elements


If the action is successful, the service sends back an HTTP 200 response with an empty HTTP body.

## Errors


For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).

 ** ConcurrentModificationException **   
This exception is thrown if two or more modifications are happening concurrently.    
 ** message **   
The message provided when the concurrent exception is thrown.
HTTP Status Code: 400

 ** InternalErrorException **   
This exception is thrown when Amazon Cognito encounters an internal error.    
 ** message **   
The message returned when Amazon Cognito throws an internal error exception.
HTTP Status Code: 500

 ** InvalidParameterException **   
This exception is thrown when the Amazon Cognito service encounters an invalid parameter.    
 ** message **   
The message returned when the Amazon Cognito service throws an invalid parameter exception.  
 ** reasonCode **   
The reason code of the exception.
HTTP Status Code: 400

 ** NotAuthorizedException **   
This exception is thrown when a user isn't authorized.    
 ** message **   
The message returned when the Amazon Cognito service returns a not authorized exception.
HTTP Status Code: 400

 ** ResourceNotFoundException **   
This exception is thrown when the Amazon Cognito service can't find the requested resource.    
 ** message **   
The message returned when the Amazon Cognito service returns a resource not found exception.
HTTP Status Code: 400

 ** TooManyRequestsException **   
This exception is thrown when the user has made too many requests for a given operation.    
 ** message **   
The message returned when the Amazon Cognito service returns a too many requests exception.
HTTP Status Code: 400

 ** UnsupportedIdentityProviderException **   
This exception is thrown when the specified identifier isn't supported.  
HTTP Status Code: 400

## Examples


### Example


The following example request deletes the IdP `MyIdP` in user pool `us-west-2_EXAMPLE`.

#### Sample Request


```
POST HTTP/1.1
Host: cognito-idp.us-west-2.amazonaws.com
X-Amz-Date: 20230613T200059Z
Accept-Encoding: gzip, deflate, br
X-Amz-Target: AWSCognitoIdentityProviderService.DeleteIdentityProvider
User-Agent: <UserAgentString>
Authorization: AWS4-HMAC-SHA256 Credential=<Credential>, SignedHeaders=<Headers>, Signature=<Signature>
Content-Length: <PayloadSizeBytes>
{
   "ProviderName": "MyIdP",
   "UserPoolId": "us-west-2_EXAMPLE"
}
```

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cognito-idp-2016-04-18/DeleteIdentityProvider) 
+  [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cognito-idp-2016-04-18/DeleteIdentityProvider) 
+  [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/DeleteIdentityProvider) 
+  [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cognito-idp-2016-04-18/DeleteIdentityProvider) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/DeleteIdentityProvider) 
+  [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cognito-idp-2016-04-18/DeleteIdentityProvider) 
+  [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cognito-idp-2016-04-18/DeleteIdentityProvider) 
+  [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cognito-idp-2016-04-18/DeleteIdentityProvider) 
+  [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/DeleteIdentityProvider) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cognito-idp-2016-04-18/DeleteIdentityProvider) 

# DeleteManagedLoginBranding


Deletes a managed login branding style. When you delete a style, you delete the branding association for an app client. When an app client doesn't have a style assigned, your managed login pages for that app client are nonfunctional until you create a new style or switch the domain branding version.

**Note**  
Amazon Cognito evaluates AWS Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.  
 [Signing AWS API Requests](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html) 
 [Using the Amazon Cognito user pools API and user pool endpoints](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html) 

## Request Syntax


```
{
   "ManagedLoginBrandingId": "string",
   "UserPoolId": "string"
}
```

## Request Parameters


For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).

The request accepts the following data in JSON format.

 ** [ManagedLoginBrandingId](#API_DeleteManagedLoginBranding_RequestSyntax) **   <a name="CognitoUserPools-DeleteManagedLoginBranding-request-ManagedLoginBrandingId"></a>
The ID of the managed login branding style that you want to delete.  
Type: String  
Pattern: `^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[4][0-9a-fA-F]{3}-[89abAB][0-9a-fA-F]{3}-[0-9a-fA-F]{12}$`   
Required: Yes

 ** [UserPoolId](#API_DeleteManagedLoginBranding_RequestSyntax) **   <a name="CognitoUserPools-DeleteManagedLoginBranding-request-UserPoolId"></a>
The ID of the user pool that contains the managed login branding style that you want to delete.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 55.  
Pattern: `[\w-]+_[0-9a-zA-Z]+`   
Required: Yes

## Response Elements


If the action is successful, the service sends back an HTTP 200 response with an empty HTTP body.

## Errors


For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).

 ** ConcurrentModificationException **   
This exception is thrown if two or more modifications are happening concurrently.    
 ** message **   
The message provided when the concurrent exception is thrown.
HTTP Status Code: 400

 ** InternalErrorException **   
This exception is thrown when Amazon Cognito encounters an internal error.    
 ** message **   
The message returned when Amazon Cognito throws an internal error exception.
HTTP Status Code: 500

 ** InvalidParameterException **   
This exception is thrown when the Amazon Cognito service encounters an invalid parameter.    
 ** message **   
The message returned when the Amazon Cognito service throws an invalid parameter exception.  
 ** reasonCode **   
The reason code of the exception.
HTTP Status Code: 400

 ** NotAuthorizedException **   
This exception is thrown when a user isn't authorized.    
 ** message **   
The message returned when the Amazon Cognito service returns a not authorized exception.
HTTP Status Code: 400

 ** ResourceNotFoundException **   
This exception is thrown when the Amazon Cognito service can't find the requested resource.    
 ** message **   
The message returned when the Amazon Cognito service returns a resource not found exception.
HTTP Status Code: 400

 ** TooManyRequestsException **   
This exception is thrown when the user has made too many requests for a given operation.    
 ** message **   
The message returned when the Amazon Cognito service returns a too many requests exception.
HTTP Status Code: 400

## Examples


### Example


The following example request deletes the managed login style with ID `a1b2c3d4-5678-90ab-cdef-EXAMPLE11111` from user pool `us-west-2_EXAMPLE`.

#### Sample Request


```
POST HTTP/1.1
Host: cognito-idp.us-west-2.amazonaws.com
X-Amz-Date: 20230613T200059Z
Accept-Encoding: gzip, deflate, br
X-Amz-Target: AWSCognitoIdentityProviderService.DeleteManagedLoginBranding
User-Agent: <UserAgentString>
Authorization: AWS4-HMAC-SHA256 Credential=<Credential>, SignedHeaders=<Headers>, Signature=<Signature>
Content-Length: <PayloadSizeBytes>
{
   "ManagedLoginBrandingId": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
   "UserPoolId": "us-west-2_EXAMPLE"
}
```

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cognito-idp-2016-04-18/DeleteManagedLoginBranding) 
+  [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cognito-idp-2016-04-18/DeleteManagedLoginBranding) 
+  [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/DeleteManagedLoginBranding) 
+  [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cognito-idp-2016-04-18/DeleteManagedLoginBranding) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/DeleteManagedLoginBranding) 
+  [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cognito-idp-2016-04-18/DeleteManagedLoginBranding) 
+  [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cognito-idp-2016-04-18/DeleteManagedLoginBranding) 
+  [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cognito-idp-2016-04-18/DeleteManagedLoginBranding) 
+  [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/DeleteManagedLoginBranding) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cognito-idp-2016-04-18/DeleteManagedLoginBranding) 

# DeleteResourceServer


Deletes a resource server. After you delete a resource server, users can no longer generate access tokens with scopes that are associate with that resource server.

Resource servers are associated with custom scopes and machine-to-machine (M2M) authorization. For more information, see [Access control with resource servers](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-define-resource-servers.html).

**Note**  
Amazon Cognito evaluates AWS Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.  
 [Signing AWS API Requests](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html) 
 [Using the Amazon Cognito user pools API and user pool endpoints](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html) 

## Request Syntax


```
{
   "Identifier": "string",
   "UserPoolId": "string"
}
```

## Request Parameters


For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).

The request accepts the following data in JSON format.

 ** [Identifier](#API_DeleteResourceServer_RequestSyntax) **   <a name="CognitoUserPools-DeleteResourceServer-request-Identifier"></a>
The identifier of the resource server that you want to delete.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 256.  
Pattern: `[\x21\x23-\x5B\x5D-\x7E]+`   
Required: Yes

 ** [UserPoolId](#API_DeleteResourceServer_RequestSyntax) **   <a name="CognitoUserPools-DeleteResourceServer-request-UserPoolId"></a>
The ID of the user pool where you want to delete the resource server.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 55.  
Pattern: `[\w-]+_[0-9a-zA-Z]+`   
Required: Yes

## Response Elements


If the action is successful, the service sends back an HTTP 200 response with an empty HTTP body.

## Errors


For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).

 ** InternalErrorException **   
This exception is thrown when Amazon Cognito encounters an internal error.    
 ** message **   
The message returned when Amazon Cognito throws an internal error exception.
HTTP Status Code: 500

 ** InvalidParameterException **   
This exception is thrown when the Amazon Cognito service encounters an invalid parameter.    
 ** message **   
The message returned when the Amazon Cognito service throws an invalid parameter exception.  
 ** reasonCode **   
The reason code of the exception.
HTTP Status Code: 400

 ** NotAuthorizedException **   
This exception is thrown when a user isn't authorized.    
 ** message **   
The message returned when the Amazon Cognito service returns a not authorized exception.
HTTP Status Code: 400

 ** ResourceNotFoundException **   
This exception is thrown when the Amazon Cognito service can't find the requested resource.    
 ** message **   
The message returned when the Amazon Cognito service returns a resource not found exception.
HTTP Status Code: 400

 ** TooManyRequestsException **   
This exception is thrown when the user has made too many requests for a given operation.    
 ** message **   
The message returned when the Amazon Cognito service returns a too many requests exception.
HTTP Status Code: 400

## Examples


### Example


The following example request deletes the resource server `MyAPI` from user pool `us-west-2_EXAMPLE`.

#### Sample Request


```
POST HTTP/1.1
Host: cognito-idp.us-west-2.amazonaws.com
X-Amz-Date: 20230613T200059Z
Accept-Encoding: gzip, deflate, br
X-Amz-Target: AWSCognitoIdentityProviderService.DeleteResourceServer
User-Agent: <UserAgentString>
Authorization: AWS4-HMAC-SHA256 Credential=<Credential>, SignedHeaders=<Headers>, Signature=<Signature>
Content-Length: <PayloadSizeBytes>
{
   "Identifier": "MyAPI",
   "UserPoolId": "us-west-2_EXAMPLE"
}
```

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cognito-idp-2016-04-18/DeleteResourceServer) 
+  [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cognito-idp-2016-04-18/DeleteResourceServer) 
+  [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/DeleteResourceServer) 
+  [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cognito-idp-2016-04-18/DeleteResourceServer) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/DeleteResourceServer) 
+  [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cognito-idp-2016-04-18/DeleteResourceServer) 
+  [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cognito-idp-2016-04-18/DeleteResourceServer) 
+  [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cognito-idp-2016-04-18/DeleteResourceServer) 
+  [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/DeleteResourceServer) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cognito-idp-2016-04-18/DeleteResourceServer) 

# DeleteTerms


Deletes the terms documents with the requested ID from your app client.

**Note**  
Amazon Cognito evaluates AWS Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.  
 [Signing AWS API Requests](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html) 
 [Using the Amazon Cognito user pools API and user pool endpoints](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html) 

## Request Syntax


```
{
   "TermsId": "string",
   "UserPoolId": "string"
}
```

## Request Parameters


For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).

The request accepts the following data in JSON format.

 ** [TermsId](#API_DeleteTerms_RequestSyntax) **   <a name="CognitoUserPools-DeleteTerms-request-TermsId"></a>
The ID of the terms documents that you want to delete.  
Type: String  
Pattern: `^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[4][0-9a-fA-F]{3}-[89abAB][0-9a-fA-F]{3}-[0-9a-fA-F]{12}$`   
Required: Yes

 ** [UserPoolId](#API_DeleteTerms_RequestSyntax) **   <a name="CognitoUserPools-DeleteTerms-request-UserPoolId"></a>
The ID of the user pool that contains the terms documents that you want to delete.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 55.  
Pattern: `[\w-]+_[0-9a-zA-Z]+`   
Required: Yes

## Response Elements


If the action is successful, the service sends back an HTTP 200 response with an empty HTTP body.

## Errors


For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).

 ** ConcurrentModificationException **   
This exception is thrown if two or more modifications are happening concurrently.    
 ** message **   
The message provided when the concurrent exception is thrown.
HTTP Status Code: 400

 ** InternalErrorException **   
This exception is thrown when Amazon Cognito encounters an internal error.    
 ** message **   
The message returned when Amazon Cognito throws an internal error exception.
HTTP Status Code: 500

 ** InvalidParameterException **   
This exception is thrown when the Amazon Cognito service encounters an invalid parameter.    
 ** message **   
The message returned when the Amazon Cognito service throws an invalid parameter exception.  
 ** reasonCode **   
The reason code of the exception.
HTTP Status Code: 400

 ** NotAuthorizedException **   
This exception is thrown when a user isn't authorized.    
 ** message **   
The message returned when the Amazon Cognito service returns a not authorized exception.
HTTP Status Code: 400

 ** ResourceNotFoundException **   
This exception is thrown when the Amazon Cognito service can't find the requested resource.    
 ** message **   
The message returned when the Amazon Cognito service returns a resource not found exception.
HTTP Status Code: 400

 ** TooManyRequestsException **   
This exception is thrown when the user has made too many requests for a given operation.    
 ** message **   
The message returned when the Amazon Cognito service returns a too many requests exception.
HTTP Status Code: 400

## Examples


### Example


The following example operation deletes a terms document with the specified TermsId.

#### Sample Request


```
POST HTTP/1.1
Host: cognito-idp.us-west-2.amazonaws.com
X-Amz-Date: 20230613T200059Z
Accept-Encoding: gzip, deflate, br
X-Amz-Target: AWSCognitoIdentityProviderService.DeleteTerms
User-Agent: <UserAgentString>
Authorization: AWS4-HMAC-SHA256 Credential=<Credential>, SignedHeaders=<Headers>, Signature=<Signature>
Content-Length: <PayloadSizeBytes>

{
   "TermsId": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
   "UserPoolId": "us-east-1_EXAMPLE"
}
```

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cognito-idp-2016-04-18/DeleteTerms) 
+  [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cognito-idp-2016-04-18/DeleteTerms) 
+  [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/DeleteTerms) 
+  [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cognito-idp-2016-04-18/DeleteTerms) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/DeleteTerms) 
+  [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cognito-idp-2016-04-18/DeleteTerms) 
+  [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cognito-idp-2016-04-18/DeleteTerms) 
+  [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cognito-idp-2016-04-18/DeleteTerms) 
+  [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/DeleteTerms) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cognito-idp-2016-04-18/DeleteTerms) 

# DeleteUser


Deletes the profile of the currently signed-in user. A deleted user profile can no longer be used to sign in and can't be restored.

Authorize this action with a signed-in user's access token. It must include the scope `aws.cognito.signin.user.admin`.

**Note**  
Amazon Cognito doesn't evaluate AWS Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you can't use IAM credentials to authorize requests, and you can't grant IAM permissions in policies. For more information about authorization models in Amazon Cognito, see [Using the Amazon Cognito user pools API and user pool endpoints](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html).

## Request Syntax


```
{
   "AccessToken": "string"
}
```

## Request Parameters


For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).

The request accepts the following data in JSON format.

 ** [AccessToken](#API_DeleteUser_RequestSyntax) **   <a name="CognitoUserPools-DeleteUser-request-AccessToken"></a>
A valid access token that Amazon Cognito issued to the currently signed-in user. Must include a scope claim for `aws.cognito.signin.user.admin`.  
Type: String  
Pattern: `[A-Za-z0-9-_=.]+`   
Required: Yes

## Response Elements


If the action is successful, the service sends back an HTTP 200 response with an empty HTTP body.

## Errors


For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).

 ** ForbiddenException **   
This exception is thrown when AWS WAF doesn't allow your request based on a web ACL that's associated with your user pool.    
 ** message **   
The message returned when AWS WAF doesn't allow your request based on a web ACL that's associated with your user pool.
HTTP Status Code: 400

 ** InternalErrorException **   
This exception is thrown when Amazon Cognito encounters an internal error.    
 ** message **   
The message returned when Amazon Cognito throws an internal error exception.
HTTP Status Code: 500

 ** InvalidParameterException **   
This exception is thrown when the Amazon Cognito service encounters an invalid parameter.    
 ** message **   
The message returned when the Amazon Cognito service throws an invalid parameter exception.  
 ** reasonCode **   
The reason code of the exception.
HTTP Status Code: 400

 ** NotAuthorizedException **   
This exception is thrown when a user isn't authorized.    
 ** message **   
The message returned when the Amazon Cognito service returns a not authorized exception.
HTTP Status Code: 400

 ** PasswordResetRequiredException **   
This exception is thrown when a password reset is required.    
 ** message **   
The message returned when a password reset is required.
HTTP Status Code: 400

 ** ResourceNotFoundException **   
This exception is thrown when the Amazon Cognito service can't find the requested resource.    
 ** message **   
The message returned when the Amazon Cognito service returns a resource not found exception.
HTTP Status Code: 400

 ** TooManyRequestsException **   
This exception is thrown when the user has made too many requests for a given operation.    
 ** message **   
The message returned when the Amazon Cognito service returns a too many requests exception.
HTTP Status Code: 400

 ** UserNotConfirmedException **   
This exception is thrown when a user isn't confirmed successfully.    
 ** message **   
The message returned when a user isn't confirmed successfully.
HTTP Status Code: 400

 ** UserNotFoundException **   
This exception is thrown when a user isn't found.    
 ** message **   
The message returned when a user isn't found.
HTTP Status Code: 400

## Examples


### Example


The following example request deletes the user with the access token `eyJra456defEXAMPLE`.

#### Sample Request


```
POST HTTP/1.1
Host: cognito-idp.us-west-2.amazonaws.com
X-Amz-Date: 20230613T200059Z
Accept-Encoding: gzip, deflate, br
X-Amz-Target: AWSCognitoIdentityProviderService.DeleteUser
User-Agent: <UserAgentString>
Authorization: AWS4-HMAC-SHA256 Credential=<Credential>, SignedHeaders=<Headers>, Signature=<Signature>
Content-Length: <PayloadSizeBytes>
{
   "AccessToken": "eyJra456defEXAMPLE"
}
```

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cognito-idp-2016-04-18/DeleteUser) 
+  [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cognito-idp-2016-04-18/DeleteUser) 
+  [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/DeleteUser) 
+  [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cognito-idp-2016-04-18/DeleteUser) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/DeleteUser) 
+  [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cognito-idp-2016-04-18/DeleteUser) 
+  [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cognito-idp-2016-04-18/DeleteUser) 
+  [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cognito-idp-2016-04-18/DeleteUser) 
+  [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/DeleteUser) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cognito-idp-2016-04-18/DeleteUser) 

# DeleteUserAttributes


Deletes attributes from the currently signed-in user. For example, your application can submit a request to this operation when a user wants to remove their `birthdate` attribute value.

Authorize this action with a signed-in user's access token. It must include the scope `aws.cognito.signin.user.admin`.

**Note**  
Amazon Cognito doesn't evaluate AWS Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you can't use IAM credentials to authorize requests, and you can't grant IAM permissions in policies. For more information about authorization models in Amazon Cognito, see [Using the Amazon Cognito user pools API and user pool endpoints](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html).

## Request Syntax


```
{
   "AccessToken": "string",
   "UserAttributeNames": [ "string" ]
}
```

## Request Parameters


For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).

The request accepts the following data in JSON format.

 ** [AccessToken](#API_DeleteUserAttributes_RequestSyntax) **   <a name="CognitoUserPools-DeleteUserAttributes-request-AccessToken"></a>
A valid access token that Amazon Cognito issued to the currently signed-in user. Must include a scope claim for `aws.cognito.signin.user.admin`.  
Type: String  
Pattern: `[A-Za-z0-9-_=.]+`   
Required: Yes

 ** [UserAttributeNames](#API_DeleteUserAttributes_RequestSyntax) **   <a name="CognitoUserPools-DeleteUserAttributes-request-UserAttributeNames"></a>
An array of strings representing the user attribute names you want to delete.  
For custom attributes, you must prepend the `custom:` prefix to the attribute name, for example `custom:department`.  
Type: Array of strings  
Length Constraints: Minimum length of 1. Maximum length of 32.  
Pattern: `[\p{L}\p{M}\p{S}\p{N}\p{P}\t\n\r ]+`   
Required: Yes

## Response Elements


If the action is successful, the service sends back an HTTP 200 response with an empty HTTP body.

## Errors


For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).

 ** ForbiddenException **   
This exception is thrown when AWS WAF doesn't allow your request based on a web ACL that's associated with your user pool.    
 ** message **   
The message returned when AWS WAF doesn't allow your request based on a web ACL that's associated with your user pool.
HTTP Status Code: 400

 ** InternalErrorException **   
This exception is thrown when Amazon Cognito encounters an internal error.    
 ** message **   
The message returned when Amazon Cognito throws an internal error exception.
HTTP Status Code: 500

 ** InvalidParameterException **   
This exception is thrown when the Amazon Cognito service encounters an invalid parameter.    
 ** message **   
The message returned when the Amazon Cognito service throws an invalid parameter exception.  
 ** reasonCode **   
The reason code of the exception.
HTTP Status Code: 400

 ** NotAuthorizedException **   
This exception is thrown when a user isn't authorized.    
 ** message **   
The message returned when the Amazon Cognito service returns a not authorized exception.
HTTP Status Code: 400

 ** PasswordResetRequiredException **   
This exception is thrown when a password reset is required.    
 ** message **   
The message returned when a password reset is required.
HTTP Status Code: 400

 ** ResourceNotFoundException **   
This exception is thrown when the Amazon Cognito service can't find the requested resource.    
 ** message **   
The message returned when the Amazon Cognito service returns a resource not found exception.
HTTP Status Code: 400

 ** TooManyRequestsException **   
This exception is thrown when the user has made too many requests for a given operation.    
 ** message **   
The message returned when the Amazon Cognito service returns a too many requests exception.
HTTP Status Code: 400

 ** UserNotConfirmedException **   
This exception is thrown when a user isn't confirmed successfully.    
 ** message **   
The message returned when a user isn't confirmed successfully.
HTTP Status Code: 400

 ** UserNotFoundException **   
This exception is thrown when a user isn't found.    
 ** message **   
The message returned when a user isn't found.
HTTP Status Code: 400

## Examples


### Example


The following example request deletes the attributes `nickname` and `middle_name` from the user with the access token `eyJra456defEXAMPLE`.

#### Sample Request


```
POST HTTP/1.1
Host: cognito-idp.us-west-2.amazonaws.com
X-Amz-Date: 20230613T200059Z
Accept-Encoding: gzip, deflate, br
X-Amz-Target: AWSCognitoIdentityProviderService.DeleteUserAttributes
User-Agent: <UserAgentString>
Authorization: AWS4-HMAC-SHA256 Credential=<Credential>, SignedHeaders=<Headers>, Signature=<Signature>
Content-Length: <PayloadSizeBytes>
{
   "AccessToken": "eyJra456defEXAMPLE",
   "UserAttributeNames": [
       "nickname",
       "middle_name"
       ]
}
```

#### Sample Response


```
HTTP/1.1 200 OK
Date: Tue, 13 Jun 2023 20:00:59 GMT
Content-Type: application/x-amz-json-1.0
Content-Length: <PayloadSizeBytes>
x-amzn-requestid: a1b2c3d4-e5f6-a1b2-c3d4-EXAMPLE11111
Connection: keep-alive
{}
```

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cognito-idp-2016-04-18/DeleteUserAttributes) 
+  [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cognito-idp-2016-04-18/DeleteUserAttributes) 
+  [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/DeleteUserAttributes) 
+  [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cognito-idp-2016-04-18/DeleteUserAttributes) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/DeleteUserAttributes) 
+  [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cognito-idp-2016-04-18/DeleteUserAttributes) 
+  [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cognito-idp-2016-04-18/DeleteUserAttributes) 
+  [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cognito-idp-2016-04-18/DeleteUserAttributes) 
+  [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/DeleteUserAttributes) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cognito-idp-2016-04-18/DeleteUserAttributes) 

# DeleteUserPool


Deletes a user pool. After you delete a user pool, users can no longer sign in to any associated applications. 

When you delete a user pool, it's no longer visible or operational in your AWS account. Amazon Cognito retains deleted user pools in an inactive state for 14 days, then begins a cleanup process that fully removes them from AWS systems. In case of accidental deletion, contact Support within 14 days for restoration assistance.

Amazon Cognito begins full deletion of all resources from deleted user pools after 14 days. In the case of large user pools, the cleanup process might take significant additional time before all user data is permanently deleted.

## Request Syntax


```
{
   "UserPoolId": "string"
}
```

## Request Parameters


For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).

The request accepts the following data in JSON format.

 ** [UserPoolId](#API_DeleteUserPool_RequestSyntax) **   <a name="CognitoUserPools-DeleteUserPool-request-UserPoolId"></a>
The ID of the user pool that you want to delete.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 55.  
Pattern: `[\w-]+_[0-9a-zA-Z]+`   
Required: Yes

## Response Elements


If the action is successful, the service sends back an HTTP 200 response with an empty HTTP body.

## Errors


For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).

 ** InternalErrorException **   
This exception is thrown when Amazon Cognito encounters an internal error.    
 ** message **   
The message returned when Amazon Cognito throws an internal error exception.
HTTP Status Code: 500

 ** InvalidParameterException **   
This exception is thrown when the Amazon Cognito service encounters an invalid parameter.    
 ** message **   
The message returned when the Amazon Cognito service throws an invalid parameter exception.  
 ** reasonCode **   
The reason code of the exception.
HTTP Status Code: 400

 ** NotAuthorizedException **   
This exception is thrown when a user isn't authorized.    
 ** message **   
The message returned when the Amazon Cognito service returns a not authorized exception.
HTTP Status Code: 400

 ** ResourceNotFoundException **   
This exception is thrown when the Amazon Cognito service can't find the requested resource.    
 ** message **   
The message returned when the Amazon Cognito service returns a resource not found exception.
HTTP Status Code: 400

 ** TooManyRequestsException **   
This exception is thrown when the user has made too many requests for a given operation.    
 ** message **   
The message returned when the Amazon Cognito service returns a too many requests exception.
HTTP Status Code: 400

 ** UserImportInProgressException **   
This exception is thrown when you're trying to modify a user pool while a user import job is in progress for that pool.    
 ** message **   
The message returned when the user pool has an import job running.
HTTP Status Code: 400

## Examples


### Example


The following example request doesn't succeed in deletion of the user pool `us-west-2_EXAMPLE` because deletion protection is active.

#### Sample Request


```
POST HTTP/1.1
Host: cognito-idp.us-west-2.amazonaws.com
X-Amz-Date: 20230613T200059Z
Accept-Encoding: gzip, deflate, br
X-Amz-Target: AWSCognitoIdentityProviderService.DeleteUserPool
User-Agent: <UserAgentString>
Authorization: AWS4-HMAC-SHA256 Credential=<Credential>, SignedHeaders=<Headers>, Signature=<Signature>
Content-Length: <PayloadSizeBytes>
{
   "UserPoolId": "us-west-2_EXAMPLE"
}
```

#### Sample Response


```
HTTP/1.1 200 OK
Date: Tue, 13 Jun 2023 20:00:59 GMT
Content-Type: application/x-amz-json-1.0
Content-Length: <PayloadSizeBytes>
x-amzn-requestid: a1b2c3d4-e5f6-a1b2-c3d4-EXAMPLE11111
Connection: keep-alive
{
	"__type": "InvalidParameterException",
	"message": "User pool cannot be deleted. It has a domain configured that should be deleted first."
}
```

### Example


The following example request deletes the user pool `us-west-2_EXAMPLE` after deletion protection is inactive.

#### Sample Request


```
POST HTTP/1.1
Host: cognito-idp.us-west-2.amazonaws.com
X-Amz-Date: 20230613T200059Z
Accept-Encoding: gzip, deflate, br
X-Amz-Target: AWSCognitoIdentityProviderService.DeleteUserPool
User-Agent: <UserAgentString>
Authorization: AWS4-HMAC-SHA256 Credential=<Credential>, SignedHeaders=<Headers>, Signature=<Signature>
Content-Length: <PayloadSizeBytes>
{
   "UserPoolId": "us-west-2_EXAMPLE"
}
```

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cognito-idp-2016-04-18/DeleteUserPool) 
+  [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cognito-idp-2016-04-18/DeleteUserPool) 
+  [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/DeleteUserPool) 
+  [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cognito-idp-2016-04-18/DeleteUserPool) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/DeleteUserPool) 
+  [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cognito-idp-2016-04-18/DeleteUserPool) 
+  [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cognito-idp-2016-04-18/DeleteUserPool) 
+  [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cognito-idp-2016-04-18/DeleteUserPool) 
+  [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/DeleteUserPool) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cognito-idp-2016-04-18/DeleteUserPool) 

# DeleteUserPoolClient


Deletes a user pool app client. After you delete an app client, users can no longer sign in to the associated application.

## Request Syntax


```
{
   "ClientId": "string",
   "UserPoolId": "string"
}
```

## Request Parameters


For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).

The request accepts the following data in JSON format.

 ** [ClientId](#API_DeleteUserPoolClient_RequestSyntax) **   <a name="CognitoUserPools-DeleteUserPoolClient-request-ClientId"></a>
The ID of the user pool app client that you want to delete.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 128.  
Pattern: `[\w+]+`   
Required: Yes

 ** [UserPoolId](#API_DeleteUserPoolClient_RequestSyntax) **   <a name="CognitoUserPools-DeleteUserPoolClient-request-UserPoolId"></a>
The ID of the user pool where you want to delete the client.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 55.  
Pattern: `[\w-]+_[0-9a-zA-Z]+`   
Required: Yes

## Response Elements


If the action is successful, the service sends back an HTTP 200 response with an empty HTTP body.

## Errors


For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).

 ** ConcurrentModificationException **   
This exception is thrown if two or more modifications are happening concurrently.    
 ** message **   
The message provided when the concurrent exception is thrown.
HTTP Status Code: 400

 ** InternalErrorException **   
This exception is thrown when Amazon Cognito encounters an internal error.    
 ** message **   
The message returned when Amazon Cognito throws an internal error exception.
HTTP Status Code: 500

 ** InvalidParameterException **   
This exception is thrown when the Amazon Cognito service encounters an invalid parameter.    
 ** message **   
The message returned when the Amazon Cognito service throws an invalid parameter exception.  
 ** reasonCode **   
The reason code of the exception.
HTTP Status Code: 400

 ** NotAuthorizedException **   
This exception is thrown when a user isn't authorized.    
 ** message **   
The message returned when the Amazon Cognito service returns a not authorized exception.
HTTP Status Code: 400

 ** ResourceNotFoundException **   
This exception is thrown when the Amazon Cognito service can't find the requested resource.    
 ** message **   
The message returned when the Amazon Cognito service returns a resource not found exception.
HTTP Status Code: 400

 ** TooManyRequestsException **   
This exception is thrown when the user has made too many requests for a given operation.    
 ** message **   
The message returned when the Amazon Cognito service returns a too many requests exception.
HTTP Status Code: 400

## Examples


### Example


The following example request deletes the user pool client with ID `1example23456789` from user pool `us-west-2_EXAMPLE`.

#### Sample Request


```
POST HTTP/1.1
Host: cognito-idp.us-west-2.amazonaws.com
X-Amz-Date: 20230613T200059Z
Accept-Encoding: gzip, deflate, br
X-Amz-Target: AWSCognitoIdentityProviderService.DeleteUserPoolClient
User-Agent: <UserAgentString>
Authorization: AWS4-HMAC-SHA256 Credential=<Credential>, SignedHeaders=<Headers>, Signature=<Signature>
Content-Length: <PayloadSizeBytes>
{
   "ClientId": "1example23456789",
   "UserPoolId": "us-west-2_EXAMPLE"
}
```

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cognito-idp-2016-04-18/DeleteUserPoolClient) 
+  [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cognito-idp-2016-04-18/DeleteUserPoolClient) 
+  [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/DeleteUserPoolClient) 
+  [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cognito-idp-2016-04-18/DeleteUserPoolClient) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/DeleteUserPoolClient) 
+  [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cognito-idp-2016-04-18/DeleteUserPoolClient) 
+  [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cognito-idp-2016-04-18/DeleteUserPoolClient) 
+  [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cognito-idp-2016-04-18/DeleteUserPoolClient) 
+  [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/DeleteUserPoolClient) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cognito-idp-2016-04-18/DeleteUserPoolClient) 

# DeleteUserPoolClientSecret


Deletes a specific client secret from a user pool app client. You cannot delete the last remaining secret for an app client.

## Request Syntax


```
{
   "ClientId": "string",
   "ClientSecretId": "string",
   "UserPoolId": "string"
}
```

## Request Parameters


For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).

The request accepts the following data in JSON format.

 ** [ClientId](#API_DeleteUserPoolClientSecret_RequestSyntax) **   <a name="CognitoUserPools-DeleteUserPoolClientSecret-request-ClientId"></a>
The ID of the app client from which you want to delete the secret.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 128.  
Pattern: `[\w+]+`   
Required: Yes

 ** [ClientSecretId](#API_DeleteUserPoolClientSecret_RequestSyntax) **   <a name="CognitoUserPools-DeleteUserPoolClientSecret-request-ClientSecretId"></a>
The unique identifier of the client secret you want to delete.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 128.  
Required: Yes

 ** [UserPoolId](#API_DeleteUserPoolClientSecret_RequestSyntax) **   <a name="CognitoUserPools-DeleteUserPoolClientSecret-request-UserPoolId"></a>
The ID of the user pool that contains the app client.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 55.  
Pattern: `[\w-]+_[0-9a-zA-Z]+`   
Required: Yes

## Response Elements


If the action is successful, the service sends back an HTTP 200 response with an empty HTTP body.

## Errors


For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).

 ** InternalServerException **   
This exception is thrown when Amazon Cognito encounters an internal server error.  
HTTP Status Code: 500

 ** InvalidParameterException **   
This exception is thrown when the Amazon Cognito service encounters an invalid parameter.    
 ** message **   
The message returned when the Amazon Cognito service throws an invalid parameter exception.  
 ** reasonCode **   
The reason code of the exception.
HTTP Status Code: 400

 ** LimitExceededException **   
This exception is thrown when a user exceeds the limit for a requested AWS resource.    
 ** message **   
The message returned when Amazon Cognito throws a limit exceeded exception.
HTTP Status Code: 400

 ** ResourceNotFoundException **   
This exception is thrown when the Amazon Cognito service can't find the requested resource.    
 ** message **   
The message returned when the Amazon Cognito service returns a resource not found exception.
HTTP Status Code: 400

 ** TooManyRequestsException **   
This exception is thrown when the user has made too many requests for a given operation.    
 ** message **   
The message returned when the Amazon Cognito service returns a too many requests exception.
HTTP Status Code: 400

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cognito-idp-2016-04-18/DeleteUserPoolClientSecret) 
+  [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cognito-idp-2016-04-18/DeleteUserPoolClientSecret) 
+  [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/DeleteUserPoolClientSecret) 
+  [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cognito-idp-2016-04-18/DeleteUserPoolClientSecret) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/DeleteUserPoolClientSecret) 
+  [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cognito-idp-2016-04-18/DeleteUserPoolClientSecret) 
+  [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cognito-idp-2016-04-18/DeleteUserPoolClientSecret) 
+  [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cognito-idp-2016-04-18/DeleteUserPoolClientSecret) 
+  [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/DeleteUserPoolClientSecret) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cognito-idp-2016-04-18/DeleteUserPoolClientSecret) 

# DeleteUserPoolDomain


Given a user pool ID and domain identifier, deletes a user pool domain. After you delete a user pool domain, your managed login pages and authorization server are no longer available.

## Request Syntax


```
{
   "Domain": "string",
   "UserPoolId": "string"
}
```

## Request Parameters


For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).

The request accepts the following data in JSON format.

 ** [Domain](#API_DeleteUserPoolDomain_RequestSyntax) **   <a name="CognitoUserPools-DeleteUserPoolDomain-request-Domain"></a>
The domain that you want to delete. For custom domains, this is the fully-qualified domain name like `auth.example.com`. For Amazon Cognito prefix domains, this is the prefix alone, like `myprefix`.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 63.  
Pattern: `^[a-z0-9](?:[a-z0-9\-]{0,61}[a-z0-9])?$`   
Required: Yes

 ** [UserPoolId](#API_DeleteUserPoolDomain_RequestSyntax) **   <a name="CognitoUserPools-DeleteUserPoolDomain-request-UserPoolId"></a>
The ID of the user pool where you want to delete the domain.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 55.  
Pattern: `[\w-]+_[0-9a-zA-Z]+`   
Required: Yes

## Response Elements


If the action is successful, the service sends back an HTTP 200 response with an empty HTTP body.

## Errors


For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).

 ** ConcurrentModificationException **   
This exception is thrown if two or more modifications are happening concurrently.    
 ** message **   
The message provided when the concurrent exception is thrown.
HTTP Status Code: 400

 ** InternalErrorException **   
This exception is thrown when Amazon Cognito encounters an internal error.    
 ** message **   
The message returned when Amazon Cognito throws an internal error exception.
HTTP Status Code: 500

 ** InvalidParameterException **   
This exception is thrown when the Amazon Cognito service encounters an invalid parameter.    
 ** message **   
The message returned when the Amazon Cognito service throws an invalid parameter exception.  
 ** reasonCode **   
The reason code of the exception.
HTTP Status Code: 400

 ** NotAuthorizedException **   
This exception is thrown when a user isn't authorized.    
 ** message **   
The message returned when the Amazon Cognito service returns a not authorized exception.
HTTP Status Code: 400

 ** ResourceNotFoundException **   
This exception is thrown when the Amazon Cognito service can't find the requested resource.    
 ** message **   
The message returned when the Amazon Cognito service returns a resource not found exception.
HTTP Status Code: 400

## Examples


### Example


The following example request deletes the Amazon Cognito prefix domain `mytestdomain` from the user pool `us-west-2_EXAMPLE`.

#### Sample Request


```
POST HTTP/1.1
Host: cognito-idp.us-west-2.amazonaws.com
X-Amz-Date: 20230613T200059Z
Accept-Encoding: gzip, deflate, br
X-Amz-Target: AWSCognitoIdentityProviderService.DeleteUserPoolDomain
User-Agent: <UserAgentString>
Authorization: AWS4-HMAC-SHA256 Credential=<Credential>, SignedHeaders=<Headers>, Signature=<Signature>
Content-Length: <PayloadSizeBytes>
{
   "Domain": "mytestdomain",
   "UserPoolId": "us-west-2_EXAMPLE"
}
```

#### Sample Response


```
HTTP/1.1 200 OK
Date: Tue, 13 Jun 2023 20:00:59 GMT
Content-Type: application/x-amz-json-1.0
Content-Length: <PayloadSizeBytes>
x-amzn-requestid: a1b2c3d4-e5f6-a1b2-c3d4-EXAMPLE11111
Connection: keep-alive
{}
```

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cognito-idp-2016-04-18/DeleteUserPoolDomain) 
+  [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cognito-idp-2016-04-18/DeleteUserPoolDomain) 
+  [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/DeleteUserPoolDomain) 
+  [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cognito-idp-2016-04-18/DeleteUserPoolDomain) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/DeleteUserPoolDomain) 
+  [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cognito-idp-2016-04-18/DeleteUserPoolDomain) 
+  [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cognito-idp-2016-04-18/DeleteUserPoolDomain) 
+  [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cognito-idp-2016-04-18/DeleteUserPoolDomain) 
+  [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/DeleteUserPoolDomain) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cognito-idp-2016-04-18/DeleteUserPoolDomain) 

# DeleteWebAuthnCredential


Deletes a registered passkey, or WebAuthn, authenticator for the currently signed-in user.

Authorize this action with a signed-in user's access token. It must include the scope `aws.cognito.signin.user.admin`.

**Note**  
Amazon Cognito doesn't evaluate AWS Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you can't use IAM credentials to authorize requests, and you can't grant IAM permissions in policies. For more information about authorization models in Amazon Cognito, see [Using the Amazon Cognito user pools API and user pool endpoints](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html).

## Request Syntax


```
{
   "AccessToken": "string",
   "CredentialId": "string"
}
```

## Request Parameters


For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).

The request accepts the following data in JSON format.

 ** [AccessToken](#API_DeleteWebAuthnCredential_RequestSyntax) **   <a name="CognitoUserPools-DeleteWebAuthnCredential-request-AccessToken"></a>
A valid access token that Amazon Cognito issued to the currently signed-in user. Must include a scope claim for `aws.cognito.signin.user.admin`.  
Type: String  
Pattern: `[A-Za-z0-9-_=.]+`   
Required: Yes

 ** [CredentialId](#API_DeleteWebAuthnCredential_RequestSyntax) **   <a name="CognitoUserPools-DeleteWebAuthnCredential-request-CredentialId"></a>
The unique identifier of the passkey that you want to delete.  
Look up registered devices with [ListWebAuthnCredentials](API_ListWebAuthnCredentials.md).  
Type: String  
Length Constraints: Minimum length of 0. Maximum length of 131072.  
Required: Yes

## Response Elements


If the action is successful, the service sends back an HTTP 200 response with an empty HTTP body.

## Errors


For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).

 ** ForbiddenException **   
This exception is thrown when AWS WAF doesn't allow your request based on a web ACL that's associated with your user pool.    
 ** message **   
The message returned when AWS WAF doesn't allow your request based on a web ACL that's associated with your user pool.
HTTP Status Code: 400

 ** InternalErrorException **   
This exception is thrown when Amazon Cognito encounters an internal error.    
 ** message **   
The message returned when Amazon Cognito throws an internal error exception.
HTTP Status Code: 500

 ** InvalidParameterException **   
This exception is thrown when the Amazon Cognito service encounters an invalid parameter.    
 ** message **   
The message returned when the Amazon Cognito service throws an invalid parameter exception.  
 ** reasonCode **   
The reason code of the exception.
HTTP Status Code: 400

 ** LimitExceededException **   
This exception is thrown when a user exceeds the limit for a requested AWS resource.    
 ** message **   
The message returned when Amazon Cognito throws a limit exceeded exception.
HTTP Status Code: 400

 ** NotAuthorizedException **   
This exception is thrown when a user isn't authorized.    
 ** message **   
The message returned when the Amazon Cognito service returns a not authorized exception.
HTTP Status Code: 400

 ** PasswordResetRequiredException **   
This exception is thrown when a password reset is required.    
 ** message **   
The message returned when a password reset is required.
HTTP Status Code: 400

 ** ResourceNotFoundException **   
This exception is thrown when the Amazon Cognito service can't find the requested resource.    
 ** message **   
The message returned when the Amazon Cognito service returns a resource not found exception.
HTTP Status Code: 400

 ** TooManyRequestsException **   
This exception is thrown when the user has made too many requests for a given operation.    
 ** message **   
The message returned when the Amazon Cognito service returns a too many requests exception.
HTTP Status Code: 400

## Examples


### Example


The following example request deletes the passkey credential with ID `gDHtiE8JgY8mZS_ABDl9sScfjgTG7TPwhlj4et9lxNlR1LTtwnqwE_ObtR1hN_xU` from the user with access token `eyJra456defEXAMPLE`.

#### Sample Request


```
POST HTTP/1.1
Host: cognito-idp.us-west-2.amazonaws.com
X-Amz-Date: 20230613T200059Z
Accept-Encoding: gzip, deflate, br
X-Amz-Target: AWSCognitoIdentityProviderService.DeleteWebAuthnCredential
User-Agent: <UserAgentString>
Authorization: AWS4-HMAC-SHA256 Credential=<Credential>, SignedHeaders=<Headers>, Signature=<Signature>
Content-Length: <PayloadSizeBytes>
{
    "AccessToken":"eyJra456defEXAMPLE",
    "CredentialId":"gDHtiE8JgY8mZS_ABDl9sScfjgTG7TPwhlj4et9lxNlR1LTtwnqwE_ObtR1hN_xU"
}
```

#### Sample Response


```
HTTP/1.1 200 OK
Date: Tue, 13 Jun 2023 20:00:59 GMT
Content-Type: application/x-amz-json-1.0
Content-Length: <PayloadSizeBytes>
x-amzn-requestid: a1b2c3d4-e5f6-a1b2-c3d4-EXAMPLE11111
Connection: keep-alive
{}
```

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cognito-idp-2016-04-18/DeleteWebAuthnCredential) 
+  [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cognito-idp-2016-04-18/DeleteWebAuthnCredential) 
+  [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/DeleteWebAuthnCredential) 
+  [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cognito-idp-2016-04-18/DeleteWebAuthnCredential) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/DeleteWebAuthnCredential) 
+  [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cognito-idp-2016-04-18/DeleteWebAuthnCredential) 
+  [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cognito-idp-2016-04-18/DeleteWebAuthnCredential) 
+  [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cognito-idp-2016-04-18/DeleteWebAuthnCredential) 
+  [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/DeleteWebAuthnCredential) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cognito-idp-2016-04-18/DeleteWebAuthnCredential) 

# DescribeIdentityProvider


Given a user pool ID and identity provider (IdP) name, returns details about the IdP.

## Request Syntax


```
{
   "ProviderName": "string",
   "UserPoolId": "string"
}
```

## Request Parameters


For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).

The request accepts the following data in JSON format.

 ** [ProviderName](#API_DescribeIdentityProvider_RequestSyntax) **   <a name="CognitoUserPools-DescribeIdentityProvider-request-ProviderName"></a>
The name of the IdP that you want to describe.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 32.  
Pattern: `[\p{L}\p{M}\p{S}\p{N}\p{P}\p{Z}]+`   
Required: Yes

 ** [UserPoolId](#API_DescribeIdentityProvider_RequestSyntax) **   <a name="CognitoUserPools-DescribeIdentityProvider-request-UserPoolId"></a>
The ID of the user pool that has the IdP that you want to describe..  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 55.  
Pattern: `[\w-]+_[0-9a-zA-Z]+`   
Required: Yes

## Response Syntax


```
{
   "IdentityProvider": { 
      "AttributeMapping": { 
         "string" : "string" 
      },
      "CreationDate": number,
      "IdpIdentifiers": [ "string" ],
      "LastModifiedDate": number,
      "ProviderDetails": { 
         "string" : "string" 
      },
      "ProviderName": "string",
      "ProviderType": "string",
      "UserPoolId": "string"
   }
}
```

## Response Elements


If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

 ** [IdentityProvider](#API_DescribeIdentityProvider_ResponseSyntax) **   <a name="CognitoUserPools-DescribeIdentityProvider-response-IdentityProvider"></a>
The details of the requested IdP.  
Type: [IdentityProviderType](API_IdentityProviderType.md) object

## Errors


For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).

 ** InternalErrorException **   
This exception is thrown when Amazon Cognito encounters an internal error.    
 ** message **   
The message returned when Amazon Cognito throws an internal error exception.
HTTP Status Code: 500

 ** InvalidParameterException **   
This exception is thrown when the Amazon Cognito service encounters an invalid parameter.    
 ** message **   
The message returned when the Amazon Cognito service throws an invalid parameter exception.  
 ** reasonCode **   
The reason code of the exception.
HTTP Status Code: 400

 ** NotAuthorizedException **   
This exception is thrown when a user isn't authorized.    
 ** message **   
The message returned when the Amazon Cognito service returns a not authorized exception.
HTTP Status Code: 400

 ** ResourceNotFoundException **   
This exception is thrown when the Amazon Cognito service can't find the requested resource.    
 ** message **   
The message returned when the Amazon Cognito service returns a resource not found exception.
HTTP Status Code: 400

 ** TooManyRequestsException **   
This exception is thrown when the user has made too many requests for a given operation.    
 ** message **   
The message returned when the Amazon Cognito service returns a too many requests exception.
HTTP Status Code: 400

## Examples


### Example


The following example request describes a Google IdP.

#### Sample Request


```
POST HTTP/1.1
Host: cognito-idp.us-west-2.amazonaws.com
X-Amz-Date: 20230613T200059Z
Accept-Encoding: gzip, deflate, br
X-Amz-Target: AWSCognitoIdentityProviderService.DescribeIdentityProvider
User-Agent: <UserAgentString>
Authorization: AWS4-HMAC-SHA256 Credential=<Credential>, SignedHeaders=<Headers>, Signature=<Signature>
Content-Length: <PayloadSizeBytes>
{
   "ProviderName": "Google",
   "UserPoolId": "us-west-2_EXAMPLE"
}
```

#### Sample Response


```
HTTP/1.1 200 OK
Date: Tue, 13 Jun 2023 20:00:59 GMT
Content-Type: application/x-amz-json-1.0
Content-Length: <PayloadSizeBytes>
x-amzn-requestid: a1b2c3d4-e5f6-a1b2-c3d4-EXAMPLE11111
Connection: keep-alive
{
	"IdentityProvider": {
		"AttributeMapping": {
			"email": "email",
			"username": "sub"
		},
		"CreationDate": 1635187122.265,
		"IdpIdentifiers": [],
		"LastModifiedDate": 1697051749.303,
		"ProviderDetails": {
			"attributes_url": "https://people.googleapis.com/v1/people/me?personFields=",
			"attributes_url_add_attributes": "true",
			"authorize_scopes": "email profile openid",
			"authorize_url": "https://accounts.google.com/o/oauth2/v2/auth",
			"client_id": "[client ID].apps.googleusercontent.com",
			"client_secret": "[client secret]",
			"oidc_issuer": "https://accounts.google.com",
			"token_request_method": "POST",
			"token_url": "https://www.googleapis.com/oauth2/v4/token"
		},
		"ProviderName": "Google",
		"ProviderType": "Google",
		"UserPoolId": "us-west-2_EXAMPLE"
	}
}
```

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cognito-idp-2016-04-18/DescribeIdentityProvider) 
+  [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cognito-idp-2016-04-18/DescribeIdentityProvider) 
+  [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/DescribeIdentityProvider) 
+  [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cognito-idp-2016-04-18/DescribeIdentityProvider) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/DescribeIdentityProvider) 
+  [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cognito-idp-2016-04-18/DescribeIdentityProvider) 
+  [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cognito-idp-2016-04-18/DescribeIdentityProvider) 
+  [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cognito-idp-2016-04-18/DescribeIdentityProvider) 
+  [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/DescribeIdentityProvider) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cognito-idp-2016-04-18/DescribeIdentityProvider) 

# DescribeManagedLoginBranding


Given the ID of a managed login branding style, returns detailed information about the style.

## Request Syntax


```
{
   "ManagedLoginBrandingId": "string",
   "ReturnMergedResources": boolean,
   "UserPoolId": "string"
}
```

## Request Parameters


For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).

The request accepts the following data in JSON format.

 ** [ManagedLoginBrandingId](#API_DescribeManagedLoginBranding_RequestSyntax) **   <a name="CognitoUserPools-DescribeManagedLoginBranding-request-ManagedLoginBrandingId"></a>
The ID of the managed login branding style that you want to get more information about.  
Type: String  
Pattern: `^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[4][0-9a-fA-F]{3}-[89abAB][0-9a-fA-F]{3}-[0-9a-fA-F]{12}$`   
Required: Yes

 ** [ReturnMergedResources](#API_DescribeManagedLoginBranding_RequestSyntax) **   <a name="CognitoUserPools-DescribeManagedLoginBranding-request-ReturnMergedResources"></a>
When `true`, returns values for branding options that are unchanged from Amazon Cognito defaults. When `false` or when you omit this parameter, returns only values that you customized in your branding style.  
Type: Boolean  
Required: No

 ** [UserPoolId](#API_DescribeManagedLoginBranding_RequestSyntax) **   <a name="CognitoUserPools-DescribeManagedLoginBranding-request-UserPoolId"></a>
The ID of the user pool that contains the managed login branding style that you want to get information about.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 55.  
Pattern: `[\w-]+_[0-9a-zA-Z]+`   
Required: Yes

## Response Syntax


```
{
   "ManagedLoginBranding": { 
      "Assets": [ 
         { 
            "Bytes": blob,
            "Category": "string",
            "ColorMode": "string",
            "Extension": "string",
            "ResourceId": "string"
         }
      ],
      "CreationDate": number,
      "LastModifiedDate": number,
      "ManagedLoginBrandingId": "string",
      "Settings": JSON value,
      "UseCognitoProvidedValues": boolean,
      "UserPoolId": "string"
   }
}
```

## Response Elements


If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

 ** [ManagedLoginBranding](#API_DescribeManagedLoginBranding_ResponseSyntax) **   <a name="CognitoUserPools-DescribeManagedLoginBranding-response-ManagedLoginBranding"></a>
The details of the requested branding style.  
Type: [ManagedLoginBrandingType](API_ManagedLoginBrandingType.md) object

## Errors


For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).

 ** InternalErrorException **   
This exception is thrown when Amazon Cognito encounters an internal error.    
 ** message **   
The message returned when Amazon Cognito throws an internal error exception.
HTTP Status Code: 500

 ** InvalidParameterException **   
This exception is thrown when the Amazon Cognito service encounters an invalid parameter.    
 ** message **   
The message returned when the Amazon Cognito service throws an invalid parameter exception.  
 ** reasonCode **   
The reason code of the exception.
HTTP Status Code: 400

 ** NotAuthorizedException **   
This exception is thrown when a user isn't authorized.    
 ** message **   
The message returned when the Amazon Cognito service returns a not authorized exception.
HTTP Status Code: 400

 ** ResourceNotFoundException **   
This exception is thrown when the Amazon Cognito service can't find the requested resource.    
 ** message **   
The message returned when the Amazon Cognito service returns a resource not found exception.
HTTP Status Code: 400

 ** TooManyRequestsException **   
This exception is thrown when the user has made too many requests for a given operation.    
 ** message **   
The message returned when the Amazon Cognito service returns a too many requests exception.
HTTP Status Code: 400

## Examples


### Example


The following example request returns the details of the managed login style with ID `a1b2c3d4-5678-90ab-cdef-EXAMPLE11111`.

#### Sample Request


```
POST HTTP/1.1
Host: cognito-idp.ca-central-1.amazonaws.com
X-Amz-Date: 20230613T200059Z
Accept-Encoding: gzip, deflate, br
X-Amz-Target: AWSCognitoIdentityProviderService.DescribeManagedLoginBranding
User-Agent: <UserAgentString>
Authorization: AWS4-HMAC-SHA256 Credential=<Credential>, SignedHeaders=<Headers>, Signature=<Signature>
Content-Length: <PayloadSizeBytes>
{
   "ReturnMergedResources": false,
   "UserPoolId": "ca-central-1_EXAMPLE",
   "ManagedLoginBrandingId":"a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
}
```

#### Sample Response


```
HTTP/1.1 200 OK
Date: Tue, 13 Jun 2023 20:00:59 GMT
Content-Type: application/x-amz-json-1.0
Content-Length: <PayloadSizeBytes>
x-amzn-requestid: a1b2c3d4-e5f6-a1b2-c3d4-EXAMPLE11111
Connection: keep-alive
{
    "ManagedLoginBranding": {
        "Assets": [
            {
                "Bytes": "[encoded image file]",
                "Category": "PAGE_FOOTER_LOGO",
                "ColorMode": "LIGHT",
                "Extension": "JPEG"
            }
        ],
        "CreationDate": 1732667944.313,
        "LastModifiedDate": 1732668950.888,
        "ManagedLoginBrandingId": "ef1bb4d9-a28f-4dc6-94c6-49a605de6a6a",
        "Settings": {
            "categories": {
                "auth": {
                    "authMethodOrder": [
                        [
                            {
                                "display": "BUTTON",
                                "type": "FEDERATED"
                            },
                            {
                                "display": "INPUT",
                                "type": "USERNAME_PASSWORD"
                            }
                        ]
                    ],
                    "federation": {
                        "interfaceStyle": "BUTTON_LIST",
                        "order": [
                        ]
                    }
                },
                "form": {
                    "displayGraphics": true,
                    "instructions": {
                        "enabled": false
                    },
                    "languageSelector": {
                        "enabled": false
                    },
                    "location": {
                        "horizontal": "CENTER",
                        "vertical": "CENTER"
                    },
                    "sessionTimerDisplay": "NONE"
                },
                "global": {
                    "colorSchemeMode": "LIGHT",
                    "pageFooter": {
                        "enabled": true
                    },
                    "pageHeader": {
                        "enabled": true
                    },
                    "spacingDensity": "REGULAR"
                },
                "signUp": {
                    "acceptanceElements": [
                        {
                            "enforcement": "NONE",
                            "textKey": "en"
                        }
                    ]
                }
            },
            "componentClasses": {
                "buttons": {
                    "borderRadius": 8.0
                },
                "divider": {
                    "darkMode": {
                        "borderColor": "232b37ff"
                    },
                    "lightMode": {
                        "borderColor": "ebebf0ff"
                    }
                },
                "dropDown": {
                    "borderRadius": 8.0,
                    "darkMode": {
                        "defaults": {
                            "itemBackgroundColor": "192534ff"
                        },
                        "hover": {
                            "itemBackgroundColor": "081120ff",
                            "itemBorderColor": "5f6b7aff",
                            "itemTextColor": "e9ebedff"
                        },
                        "match": {
                            "itemBackgroundColor": "d1d5dbff",
                            "itemTextColor": "89bdeeff"
                        }
                    },
                    "lightMode": {
                        "defaults": {
                            "itemBackgroundColor": "ffffffff"
                        },
                        "hover": {
                            "itemBackgroundColor": "f4f4f4ff",
                            "itemBorderColor": "7d8998ff",
                            "itemTextColor": "000716ff"
                        },
                        "match": {
                            "itemBackgroundColor": "414d5cff",
                            "itemTextColor": "0972d3ff"
                        }
                    }
                },
                "focusState": {
                    "darkMode": {
                        "borderColor": "539fe5ff"
                    },
                    "lightMode": {
                        "borderColor": "0972d3ff"
                    }
                },
                "idpButtons": {
                    "icons": {
                        "enabled": true
                    }
                },
                "input": {
                    "borderRadius": 8.0,
                    "darkMode": {
                        "defaults": {
                            "backgroundColor": "0f1b2aff",
                            "borderColor": "5f6b7aff"
                        },
                        "placeholderColor": "8d99a8ff"
                    },
                    "lightMode": {
                        "defaults": {
                            "backgroundColor": "ffffffff",
                            "borderColor": "7d8998ff"
                        },
                        "placeholderColor": "5f6b7aff"
                    }
                },
                "inputDescription": {
                    "darkMode": {
                        "textColor": "8d99a8ff"
                    },
                    "lightMode": {
                        "textColor": "5f6b7aff"
                    }
                },
                "inputLabel": {
                    "darkMode": {
                        "textColor": "d1d5dbff"
                    },
                    "lightMode": {
                        "textColor": "000716ff"
                    }
                },
                "link": {
                    "darkMode": {
                        "defaults": {
                            "textColor": "539fe5ff"
                        },
                        "hover": {
                            "textColor": "89bdeeff"
                        }
                    },
                    "lightMode": {
                        "defaults": {
                            "textColor": "0972d3ff"
                        },
                        "hover": {
                            "textColor": "033160ff"
                        }
                    }
                },
                "optionControls": {
                    "darkMode": {
                        "defaults": {
                            "backgroundColor": "0f1b2aff",
                            "borderColor": "7d8998ff"
                        },
                        "selected": {
                            "backgroundColor": "539fe5ff",
                            "foregroundColor": "000716ff"
                        }
                    },
                    "lightMode": {
                        "defaults": {
                            "backgroundColor": "ffffffff",
                            "borderColor": "7d8998ff"
                        },
                        "selected": {
                            "backgroundColor": "0972d3ff",
                            "foregroundColor": "ffffffff"
                        }
                    }
                },
                "statusIndicator": {
                    "darkMode": {
                        "error": {
                            "backgroundColor": "1a0000ff",
                            "borderColor": "eb6f6fff",
                            "indicatorColor": "eb6f6fff"
                        },
                        "pending": {
                            "indicatorColor": "AAAAAAAA"
                        },
                        "success": {
                            "backgroundColor": "001a02ff",
                            "borderColor": "29ad32ff",
                            "indicatorColor": "29ad32ff"
                        },
                        "warning": {
                            "backgroundColor": "1d1906ff",
                            "borderColor": "e0ca57ff",
                            "indicatorColor": "e0ca57ff"
                        }
                    },
                    "lightMode": {
                        "error": {
                            "backgroundColor": "fff7f7ff",
                            "borderColor": "d91515ff",
                            "indicatorColor": "d91515ff"
                        },
                        "pending": {
                            "indicatorColor": "AAAAAAAA"
                        },
                        "success": {
                            "backgroundColor": "f2fcf3ff",
                            "borderColor": "037f0cff",
                            "indicatorColor": "037f0cff"
                        },
                        "warning": {
                            "backgroundColor": "fffce9ff",
                            "borderColor": "8d6605ff",
                            "indicatorColor": "8d6605ff"
                        }
                    }
                }
            },
            "components": {
                "alert": {
                    "borderRadius": 12.0,
                    "darkMode": {
                        "error": {
                            "backgroundColor": "1a0000ff",
                            "borderColor": "eb6f6fff"
                        }
                    },
                    "lightMode": {
                        "error": {
                            "backgroundColor": "fff7f7ff",
                            "borderColor": "d91515ff"
                        }
                    }
                },
                "favicon": {
                    "enabledTypes": [
                        "ICO",
                        "SVG"
                    ]
                },
                "form": {
                    "backgroundImage": {
                        "enabled": false
                    },
                    "borderRadius": 8.0,
                    "darkMode": {
                        "backgroundColor": "0f1b2aff",
                        "borderColor": "424650ff"
                    },
                    "lightMode": {
                        "backgroundColor": "ffffffff",
                        "borderColor": "c6c6cdff"
                    },
                    "logo": {
                        "enabled": false,
                        "formInclusion": "IN",
                        "location": "CENTER",
                        "position": "TOP"
                    }
                },
                "idpButton": {
                    "custom": {
                    },
                    "standard": {
                        "darkMode": {
                            "active": {
                                "backgroundColor": "354150ff",
                                "borderColor": "89bdeeff",
                                "textColor": "89bdeeff"
                            },
                            "defaults": {
                                "backgroundColor": "0f1b2aff",
                                "borderColor": "c6c6cdff",
                                "textColor": "c6c6cdff"
                            },
                            "hover": {
                                "backgroundColor": "192534ff",
                                "borderColor": "89bdeeff",
                                "textColor": "89bdeeff"
                            }
                        },
                        "lightMode": {
                            "active": {
                                "backgroundColor": "d3e7f9ff",
                                "borderColor": "033160ff",
                                "textColor": "033160ff"
                            },
                            "defaults": {
                                "backgroundColor": "ffffffff",
                                "borderColor": "424650ff",
                                "textColor": "424650ff"
                            },
                            "hover": {
                                "backgroundColor": "f2f8fdff",
                                "borderColor": "033160ff",
                                "textColor": "033160ff"
                            }
                        }
                    }
                },
                "pageBackground": {
                    "darkMode": {
                        "color": "0f1b2aff"
                    },
                    "image": {
                        "enabled": true
                    },
                    "lightMode": {
                        "color": "ffffffff"
                    }
                },
                "pageFooter": {
                    "backgroundImage": {
                        "enabled": false
                    },
                    "darkMode": {
                        "background": {
                            "color": "0f141aff"
                        },
                        "borderColor": "424650ff"
                    },
                    "lightMode": {
                        "background": {
                            "color": "fafafaff"
                        },
                        "borderColor": "d5dbdbff"
                    },
                    "logo": {
                        "enabled": true,
                        "location": "CENTER"
                    }
                },
                "pageHeader": {
                    "backgroundImage": {
                        "enabled": false
                    },
                    "darkMode": {
                        "background": {
                            "color": "0f141aff"
                        },
                        "borderColor": "424650ff"
                    },
                    "lightMode": {
                        "background": {
                            "color": "fafafaff"
                        },
                        "borderColor": "d5dbdbff"
                    },
                    "logo": {
                        "enabled": false,
                        "location": "START"
                    }
                },
                "pageText": {
                    "darkMode": {
                        "bodyColor": "b6bec9ff",
                        "descriptionColor": "b6bec9ff",
                        "headingColor": "d1d5dbff"
                    },
                    "lightMode": {
                        "bodyColor": "414d5cff",
                        "descriptionColor": "414d5cff",
                        "headingColor": "000716ff"
                    }
                },
                "phoneNumberSelector": {
                    "displayType": "TEXT"
                },
                "primaryButton": {
                    "darkMode": {
                        "active": {
                            "backgroundColor": "539fe5ff",
                            "textColor": "000716ff"
                        },
                        "defaults": {
                            "backgroundColor": "539fe5ff",
                            "textColor": "000716ff"
                        },
                        "disabled": {
                            "backgroundColor": "ffffffff",
                            "borderColor": "ffffffff"
                        },
                        "hover": {
                            "backgroundColor": "89bdeeff",
                            "textColor": "000716ff"
                        }
                    },
                    "lightMode": {
                        "active": {
                            "backgroundColor": "033160ff",
                            "textColor": "ffffffff"
                        },
                        "defaults": {
                            "backgroundColor": "0972d3ff",
                            "textColor": "ffffffff"
                        },
                        "disabled": {
                            "backgroundColor": "ffffffff",
                            "borderColor": "ffffffff"
                        },
                        "hover": {
                            "backgroundColor": "033160ff",
                            "textColor": "ffffffff"
                        }
                    }
                },
                "secondaryButton": {
                    "darkMode": {
                        "active": {
                            "backgroundColor": "354150ff",
                            "borderColor": "89bdeeff",
                            "textColor": "89bdeeff"
                        },
                        "defaults": {
                            "backgroundColor": "0f1b2aff",
                            "borderColor": "539fe5ff",
                            "textColor": "539fe5ff"
                        },
                        "hover": {
                            "backgroundColor": "192534ff",
                            "borderColor": "89bdeeff",
                            "textColor": "89bdeeff"
                        }
                    },
                    "lightMode": {
                        "active": {
                            "backgroundColor": "d3e7f9ff",
                            "borderColor": "033160ff",
                            "textColor": "033160ff"
                        },
                        "defaults": {
                            "backgroundColor": "ffffffff",
                            "borderColor": "0972d3ff",
                            "textColor": "0972d3ff"
                        },
                        "hover": {
                            "backgroundColor": "f2f8fdff",
                            "borderColor": "033160ff",
                            "textColor": "033160ff"
                        }
                    }
                }
            }
        },
        "UseCognitoProvidedValues": false,
        "UserPoolId": "ca-central-1_EXAMPLE"
    }
}
```

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cognito-idp-2016-04-18/DescribeManagedLoginBranding) 
+  [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cognito-idp-2016-04-18/DescribeManagedLoginBranding) 
+  [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/DescribeManagedLoginBranding) 
+  [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cognito-idp-2016-04-18/DescribeManagedLoginBranding) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/DescribeManagedLoginBranding) 
+  [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cognito-idp-2016-04-18/DescribeManagedLoginBranding) 
+  [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cognito-idp-2016-04-18/DescribeManagedLoginBranding) 
+  [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cognito-idp-2016-04-18/DescribeManagedLoginBranding) 
+  [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/DescribeManagedLoginBranding) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cognito-idp-2016-04-18/DescribeManagedLoginBranding) 

# DescribeManagedLoginBrandingByClient


Given the ID of a user pool app client, returns detailed information about the style assigned to the app client.

## Request Syntax


```
{
   "ClientId": "string",
   "ReturnMergedResources": boolean,
   "UserPoolId": "string"
}
```

## Request Parameters


For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).

The request accepts the following data in JSON format.

 ** [ClientId](#API_DescribeManagedLoginBrandingByClient_RequestSyntax) **   <a name="CognitoUserPools-DescribeManagedLoginBrandingByClient-request-ClientId"></a>
The app client that's assigned to the branding style that you want more information about.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 128.  
Pattern: `[\w+]+`   
Required: Yes

 ** [ReturnMergedResources](#API_DescribeManagedLoginBrandingByClient_RequestSyntax) **   <a name="CognitoUserPools-DescribeManagedLoginBrandingByClient-request-ReturnMergedResources"></a>
When `true`, returns values for branding options that are unchanged from Amazon Cognito defaults. When `false` or when you omit this parameter, returns only values that you customized in your branding style.  
Type: Boolean  
Required: No

 ** [UserPoolId](#API_DescribeManagedLoginBrandingByClient_RequestSyntax) **   <a name="CognitoUserPools-DescribeManagedLoginBrandingByClient-request-UserPoolId"></a>
The ID of the user pool that contains the app client where you want more information about the managed login branding style.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 55.  
Pattern: `[\w-]+_[0-9a-zA-Z]+`   
Required: Yes

## Response Syntax


```
{
   "ManagedLoginBranding": { 
      "Assets": [ 
         { 
            "Bytes": blob,
            "Category": "string",
            "ColorMode": "string",
            "Extension": "string",
            "ResourceId": "string"
         }
      ],
      "CreationDate": number,
      "LastModifiedDate": number,
      "ManagedLoginBrandingId": "string",
      "Settings": JSON value,
      "UseCognitoProvidedValues": boolean,
      "UserPoolId": "string"
   }
}
```

## Response Elements


If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

 ** [ManagedLoginBranding](#API_DescribeManagedLoginBrandingByClient_ResponseSyntax) **   <a name="CognitoUserPools-DescribeManagedLoginBrandingByClient-response-ManagedLoginBranding"></a>
The details of the requested branding style.  
Type: [ManagedLoginBrandingType](API_ManagedLoginBrandingType.md) object

## Errors


For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).

 ** InternalErrorException **   
This exception is thrown when Amazon Cognito encounters an internal error.    
 ** message **   
The message returned when Amazon Cognito throws an internal error exception.
HTTP Status Code: 500

 ** InvalidParameterException **   
This exception is thrown when the Amazon Cognito service encounters an invalid parameter.    
 ** message **   
The message returned when the Amazon Cognito service throws an invalid parameter exception.  
 ** reasonCode **   
The reason code of the exception.
HTTP Status Code: 400

 ** NotAuthorizedException **   
This exception is thrown when a user isn't authorized.    
 ** message **   
The message returned when the Amazon Cognito service returns a not authorized exception.
HTTP Status Code: 400

 ** ResourceNotFoundException **   
This exception is thrown when the Amazon Cognito service can't find the requested resource.    
 ** message **   
The message returned when the Amazon Cognito service returns a resource not found exception.
HTTP Status Code: 400

 ** TooManyRequestsException **   
This exception is thrown when the user has made too many requests for a given operation.    
 ** message **   
The message returned when the Amazon Cognito service returns a too many requests exception.
HTTP Status Code: 400

## Examples


### Example


The following example request returns managed login style details for the app client with ID `1example23456789`.

#### Sample Request


```
POST HTTP/1.1
Host: cognito-idp.ca-central-1.amazonaws.com
X-Amz-Date: 20230613T200059Z
Accept-Encoding: gzip, deflate, br
X-Amz-Target: AWSCognitoIdentityProviderService.DescribeManagedLoginBrandingByClient
User-Agent: <UserAgentString>
Authorization: AWS4-HMAC-SHA256 Credential=<Credential>, SignedHeaders=<Headers>, Signature=<Signature>
Content-Length: <PayloadSizeBytes>
{
   "ClientId": "1example23456789",
   "ReturnMergedResources": false,
   "UserPoolId": "ca-central-1_EXAMPLE"
}
```

#### Sample Response


```
HTTP/1.1 200 OK
Date: Tue, 13 Jun 2023 20:00:59 GMT
Content-Type: application/x-amz-json-1.0
Content-Length: <PayloadSizeBytes>
x-amzn-requestid: a1b2c3d4-e5f6-a1b2-c3d4-EXAMPLE11111
Connection: keep-alive
{
    "ManagedLoginBranding": {
        "Assets": [
            {
                "Bytes": "[encoded image file]",
                "Category": "PAGE_FOOTER_LOGO",
                "ColorMode": "LIGHT",
                "Extension": "JPEG"
            }
        ],
        "CreationDate": 1732667944.313,
        "LastModifiedDate": 1732668950.888,
        "ManagedLoginBrandingId": "ef1bb4d9-a28f-4dc6-94c6-49a605de6a6a",
        "Settings": {
            "categories": {
                "auth": {
                    "authMethodOrder": [
                        [
                            {
                                "display": "BUTTON",
                                "type": "FEDERATED"
                            },
                            {
                                "display": "INPUT",
                                "type": "USERNAME_PASSWORD"
                            }
                        ]
                    ],
                    "federation": {
                        "interfaceStyle": "BUTTON_LIST",
                        "order": [
                        ]
                    }
                },
                "form": {
                    "displayGraphics": true,
                    "instructions": {
                        "enabled": false
                    },
                    "languageSelector": {
                        "enabled": false
                    },
                    "location": {
                        "horizontal": "CENTER",
                        "vertical": "CENTER"
                    },
                    "sessionTimerDisplay": "NONE"
                },
                "global": {
                    "colorSchemeMode": "LIGHT",
                    "pageFooter": {
                        "enabled": true
                    },
                    "pageHeader": {
                        "enabled": true
                    },
                    "spacingDensity": "REGULAR"
                },
                "signUp": {
                    "acceptanceElements": [
                        {
                            "enforcement": "NONE",
                            "textKey": "en"
                        }
                    ]
                }
            },
            "componentClasses": {
                "buttons": {
                    "borderRadius": 8.0
                },
                "divider": {
                    "darkMode": {
                        "borderColor": "232b37ff"
                    },
                    "lightMode": {
                        "borderColor": "ebebf0ff"
                    }
                },
                "dropDown": {
                    "borderRadius": 8.0,
                    "darkMode": {
                        "defaults": {
                            "itemBackgroundColor": "192534ff"
                        },
                        "hover": {
                            "itemBackgroundColor": "081120ff",
                            "itemBorderColor": "5f6b7aff",
                            "itemTextColor": "e9ebedff"
                        },
                        "match": {
                            "itemBackgroundColor": "d1d5dbff",
                            "itemTextColor": "89bdeeff"
                        }
                    },
                    "lightMode": {
                        "defaults": {
                            "itemBackgroundColor": "ffffffff"
                        },
                        "hover": {
                            "itemBackgroundColor": "f4f4f4ff",
                            "itemBorderColor": "7d8998ff",
                            "itemTextColor": "000716ff"
                        },
                        "match": {
                            "itemBackgroundColor": "414d5cff",
                            "itemTextColor": "0972d3ff"
                        }
                    }
                },
                "focusState": {
                    "darkMode": {
                        "borderColor": "539fe5ff"
                    },
                    "lightMode": {
                        "borderColor": "0972d3ff"
                    }
                },
                "idpButtons": {
                    "icons": {
                        "enabled": true
                    }
                },
                "input": {
                    "borderRadius": 8.0,
                    "darkMode": {
                        "defaults": {
                            "backgroundColor": "0f1b2aff",
                            "borderColor": "5f6b7aff"
                        },
                        "placeholderColor": "8d99a8ff"
                    },
                    "lightMode": {
                        "defaults": {
                            "backgroundColor": "ffffffff",
                            "borderColor": "7d8998ff"
                        },
                        "placeholderColor": "5f6b7aff"
                    }
                },
                "inputDescription": {
                    "darkMode": {
                        "textColor": "8d99a8ff"
                    },
                    "lightMode": {
                        "textColor": "5f6b7aff"
                    }
                },
                "inputLabel": {
                    "darkMode": {
                        "textColor": "d1d5dbff"
                    },
                    "lightMode": {
                        "textColor": "000716ff"
                    }
                },
                "link": {
                    "darkMode": {
                        "defaults": {
                            "textColor": "539fe5ff"
                        },
                        "hover": {
                            "textColor": "89bdeeff"
                        }
                    },
                    "lightMode": {
                        "defaults": {
                            "textColor": "0972d3ff"
                        },
                        "hover": {
                            "textColor": "033160ff"
                        }
                    }
                },
                "optionControls": {
                    "darkMode": {
                        "defaults": {
                            "backgroundColor": "0f1b2aff",
                            "borderColor": "7d8998ff"
                        },
                        "selected": {
                            "backgroundColor": "539fe5ff",
                            "foregroundColor": "000716ff"
                        }
                    },
                    "lightMode": {
                        "defaults": {
                            "backgroundColor": "ffffffff",
                            "borderColor": "7d8998ff"
                        },
                        "selected": {
                            "backgroundColor": "0972d3ff",
                            "foregroundColor": "ffffffff"
                        }
                    }
                },
                "statusIndicator": {
                    "darkMode": {
                        "error": {
                            "backgroundColor": "1a0000ff",
                            "borderColor": "eb6f6fff",
                            "indicatorColor": "eb6f6fff"
                        },
                        "pending": {
                            "indicatorColor": "AAAAAAAA"
                        },
                        "success": {
                            "backgroundColor": "001a02ff",
                            "borderColor": "29ad32ff",
                            "indicatorColor": "29ad32ff"
                        },
                        "warning": {
                            "backgroundColor": "1d1906ff",
                            "borderColor": "e0ca57ff",
                            "indicatorColor": "e0ca57ff"
                        }
                    },
                    "lightMode": {
                        "error": {
                            "backgroundColor": "fff7f7ff",
                            "borderColor": "d91515ff",
                            "indicatorColor": "d91515ff"
                        },
                        "pending": {
                            "indicatorColor": "AAAAAAAA"
                        },
                        "success": {
                            "backgroundColor": "f2fcf3ff",
                            "borderColor": "037f0cff",
                            "indicatorColor": "037f0cff"
                        },
                        "warning": {
                            "backgroundColor": "fffce9ff",
                            "borderColor": "8d6605ff",
                            "indicatorColor": "8d6605ff"
                        }
                    }
                }
            },
            "components": {
                "alert": {
                    "borderRadius": 12.0,
                    "darkMode": {
                        "error": {
                            "backgroundColor": "1a0000ff",
                            "borderColor": "eb6f6fff"
                        }
                    },
                    "lightMode": {
                        "error": {
                            "backgroundColor": "fff7f7ff",
                            "borderColor": "d91515ff"
                        }
                    }
                },
                "favicon": {
                    "enabledTypes": [
                        "ICO",
                        "SVG"
                    ]
                },
                "form": {
                    "backgroundImage": {
                        "enabled": false
                    },
                    "borderRadius": 8.0,
                    "darkMode": {
                        "backgroundColor": "0f1b2aff",
                        "borderColor": "424650ff"
                    },
                    "lightMode": {
                        "backgroundColor": "ffffffff",
                        "borderColor": "c6c6cdff"
                    },
                    "logo": {
                        "enabled": false,
                        "formInclusion": "IN",
                        "location": "CENTER",
                        "position": "TOP"
                    }
                },
                "idpButton": {
                    "custom": {
                    },
                    "standard": {
                        "darkMode": {
                            "active": {
                                "backgroundColor": "354150ff",
                                "borderColor": "89bdeeff",
                                "textColor": "89bdeeff"
                            },
                            "defaults": {
                                "backgroundColor": "0f1b2aff",
                                "borderColor": "c6c6cdff",
                                "textColor": "c6c6cdff"
                            },
                            "hover": {
                                "backgroundColor": "192534ff",
                                "borderColor": "89bdeeff",
                                "textColor": "89bdeeff"
                            }
                        },
                        "lightMode": {
                            "active": {
                                "backgroundColor": "d3e7f9ff",
                                "borderColor": "033160ff",
                                "textColor": "033160ff"
                            },
                            "defaults": {
                                "backgroundColor": "ffffffff",
                                "borderColor": "424650ff",
                                "textColor": "424650ff"
                            },
                            "hover": {
                                "backgroundColor": "f2f8fdff",
                                "borderColor": "033160ff",
                                "textColor": "033160ff"
                            }
                        }
                    }
                },
                "pageBackground": {
                    "darkMode": {
                        "color": "0f1b2aff"
                    },
                    "image": {
                        "enabled": true
                    },
                    "lightMode": {
                        "color": "ffffffff"
                    }
                },
                "pageFooter": {
                    "backgroundImage": {
                        "enabled": false
                    },
                    "darkMode": {
                        "background": {
                            "color": "0f141aff"
                        },
                        "borderColor": "424650ff"
                    },
                    "lightMode": {
                        "background": {
                            "color": "fafafaff"
                        },
                        "borderColor": "d5dbdbff"
                    },
                    "logo": {
                        "enabled": true,
                        "location": "CENTER"
                    }
                },
                "pageHeader": {
                    "backgroundImage": {
                        "enabled": false
                    },
                    "darkMode": {
                        "background": {
                            "color": "0f141aff"
                        },
                        "borderColor": "424650ff"
                    },
                    "lightMode": {
                        "background": {
                            "color": "fafafaff"
                        },
                        "borderColor": "d5dbdbff"
                    },
                    "logo": {
                        "enabled": false,
                        "location": "START"
                    }
                },
                "pageText": {
                    "darkMode": {
                        "bodyColor": "b6bec9ff",
                        "descriptionColor": "b6bec9ff",
                        "headingColor": "d1d5dbff"
                    },
                    "lightMode": {
                        "bodyColor": "414d5cff",
                        "descriptionColor": "414d5cff",
                        "headingColor": "000716ff"
                    }
                },
                "phoneNumberSelector": {
                    "displayType": "TEXT"
                },
                "primaryButton": {
                    "darkMode": {
                        "active": {
                            "backgroundColor": "539fe5ff",
                            "textColor": "000716ff"
                        },
                        "defaults": {
                            "backgroundColor": "539fe5ff",
                            "textColor": "000716ff"
                        },
                        "disabled": {
                            "backgroundColor": "ffffffff",
                            "borderColor": "ffffffff"
                        },
                        "hover": {
                            "backgroundColor": "89bdeeff",
                            "textColor": "000716ff"
                        }
                    },
                    "lightMode": {
                        "active": {
                            "backgroundColor": "033160ff",
                            "textColor": "ffffffff"
                        },
                        "defaults": {
                            "backgroundColor": "0972d3ff",
                            "textColor": "ffffffff"
                        },
                        "disabled": {
                            "backgroundColor": "ffffffff",
                            "borderColor": "ffffffff"
                        },
                        "hover": {
                            "backgroundColor": "033160ff",
                            "textColor": "ffffffff"
                        }
                    }
                },
                "secondaryButton": {
                    "darkMode": {
                        "active": {
                            "backgroundColor": "354150ff",
                            "borderColor": "89bdeeff",
                            "textColor": "89bdeeff"
                        },
                        "defaults": {
                            "backgroundColor": "0f1b2aff",
                            "borderColor": "539fe5ff",
                            "textColor": "539fe5ff"
                        },
                        "hover": {
                            "backgroundColor": "192534ff",
                            "borderColor": "89bdeeff",
                            "textColor": "89bdeeff"
                        }
                    },
                    "lightMode": {
                        "active": {
                            "backgroundColor": "d3e7f9ff",
                            "borderColor": "033160ff",
                            "textColor": "033160ff"
                        },
                        "defaults": {
                            "backgroundColor": "ffffffff",
                            "borderColor": "0972d3ff",
                            "textColor": "0972d3ff"
                        },
                        "hover": {
                            "backgroundColor": "f2f8fdff",
                            "borderColor": "033160ff",
                            "textColor": "033160ff"
                        }
                    }
                }
            }
        },
        "UseCognitoProvidedValues": false,
        "UserPoolId": "ca-central-1_EXAMPLE"
    }
}
```

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cognito-idp-2016-04-18/DescribeManagedLoginBrandingByClient) 
+  [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cognito-idp-2016-04-18/DescribeManagedLoginBrandingByClient) 
+  [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/DescribeManagedLoginBrandingByClient) 
+  [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cognito-idp-2016-04-18/DescribeManagedLoginBrandingByClient) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/DescribeManagedLoginBrandingByClient) 
+  [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cognito-idp-2016-04-18/DescribeManagedLoginBrandingByClient) 
+  [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cognito-idp-2016-04-18/DescribeManagedLoginBrandingByClient) 
+  [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cognito-idp-2016-04-18/DescribeManagedLoginBrandingByClient) 
+  [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/DescribeManagedLoginBrandingByClient) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cognito-idp-2016-04-18/DescribeManagedLoginBrandingByClient) 

# DescribeResourceServer


Describes a resource server. For more information about resource servers, see [Access control with resource servers](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-define-resource-servers.html).

## Request Syntax


```
{
   "Identifier": "string",
   "UserPoolId": "string"
}
```

## Request Parameters


For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).

The request accepts the following data in JSON format.

 ** [Identifier](#API_DescribeResourceServer_RequestSyntax) **   <a name="CognitoUserPools-DescribeResourceServer-request-Identifier"></a>
A unique resource server identifier for the resource server. The identifier can be an API friendly name like `solar-system-data`. You can also set an API URL like `https://solar-system-data-api.example.com` as your identifier.  
Amazon Cognito represents scopes in the access token in the format `$resource-server-identifier/$scope`. Longer scope-identifier strings increase the size of your access tokens.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 256.  
Pattern: `[\x21\x23-\x5B\x5D-\x7E]+`   
Required: Yes

 ** [UserPoolId](#API_DescribeResourceServer_RequestSyntax) **   <a name="CognitoUserPools-DescribeResourceServer-request-UserPoolId"></a>
The ID of the user pool that hosts the resource server.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 55.  
Pattern: `[\w-]+_[0-9a-zA-Z]+`   
Required: Yes

## Response Syntax


```
{
   "ResourceServer": { 
      "Identifier": "string",
      "Name": "string",
      "Scopes": [ 
         { 
            "ScopeDescription": "string",
            "ScopeName": "string"
         }
      ],
      "UserPoolId": "string"
   }
}
```

## Response Elements


If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

 ** [ResourceServer](#API_DescribeResourceServer_ResponseSyntax) **   <a name="CognitoUserPools-DescribeResourceServer-response-ResourceServer"></a>
The details of the requested resource server.  
Type: [ResourceServerType](API_ResourceServerType.md) object

## Errors


For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).

 ** InternalErrorException **   
This exception is thrown when Amazon Cognito encounters an internal error.    
 ** message **   
The message returned when Amazon Cognito throws an internal error exception.
HTTP Status Code: 500

 ** InvalidParameterException **   
This exception is thrown when the Amazon Cognito service encounters an invalid parameter.    
 ** message **   
The message returned when the Amazon Cognito service throws an invalid parameter exception.  
 ** reasonCode **   
The reason code of the exception.
HTTP Status Code: 400

 ** NotAuthorizedException **   
This exception is thrown when a user isn't authorized.    
 ** message **   
The message returned when the Amazon Cognito service returns a not authorized exception.
HTTP Status Code: 400

 ** ResourceNotFoundException **   
This exception is thrown when the Amazon Cognito service can't find the requested resource.    
 ** message **   
The message returned when the Amazon Cognito service returns a resource not found exception.
HTTP Status Code: 400

 ** TooManyRequestsException **   
This exception is thrown when the user has made too many requests for a given operation.    
 ** message **   
The message returned when the Amazon Cognito service returns a too many requests exception.
HTTP Status Code: 400

## Examples


### Example


The following example request returns details about the resource server `myapi.example.com` in user pool `us-west-2_EXAMPLE`.

#### Sample Request


```
POST HTTP/1.1
Host: cognito-idp.us-west-2.amazonaws.com
X-Amz-Date: 20230613T200059Z
Accept-Encoding: gzip, deflate, br
X-Amz-Target: AWSCognitoIdentityProviderService.DescribeResourceServer
User-Agent: <UserAgentString>
Authorization: AWS4-HMAC-SHA256 Credential=<Credential>, SignedHeaders=<Headers>, Signature=<Signature>
Content-Length: <PayloadSizeBytes>
{
   "Identifier": "myapi.example.com",
   "UserPoolId": "us-west-2_EXAMPLE"
}
```

#### Sample Response


```
HTTP/1.1 200 OK
Date: Tue, 13 Jun 2023 20:00:59 GMT
Content-Type: application/x-amz-json-1.0
Content-Length: <PayloadSizeBytes>
x-amzn-requestid: a1b2c3d4-e5f6-a1b2-c3d4-EXAMPLE11111
Connection: keep-alive
{
	"ResourceServer": {
		"Identifier": "myapi.example.com",
		"Name": "Example API with custom access control scopes",
		"Scopes": [
			{
				"ScopeDescription": "International customers",
				"ScopeName": "international.read"
			},
			{
				"ScopeDescription": "Domestic customers",
				"ScopeName": "domestic.read"
			}
		],
		"UserPoolId": "us-west-2_EXAMPLE"
	}
}
```

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cognito-idp-2016-04-18/DescribeResourceServer) 
+  [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cognito-idp-2016-04-18/DescribeResourceServer) 
+  [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/DescribeResourceServer) 
+  [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cognito-idp-2016-04-18/DescribeResourceServer) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/DescribeResourceServer) 
+  [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cognito-idp-2016-04-18/DescribeResourceServer) 
+  [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cognito-idp-2016-04-18/DescribeResourceServer) 
+  [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cognito-idp-2016-04-18/DescribeResourceServer) 
+  [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/DescribeResourceServer) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cognito-idp-2016-04-18/DescribeResourceServer) 

# DescribeRiskConfiguration


Given an app client or user pool ID where threat protection is configured, describes the risk configuration. This operation returns details about adaptive authentication, compromised credentials, and IP-address allow- and denylists. For more information about threat protection, see [Threat protection](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-threat-protection.html).

## Request Syntax


```
{
   "ClientId": "string",
   "UserPoolId": "string"
}
```

## Request Parameters


For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).

The request accepts the following data in JSON format.

 ** [ClientId](#API_DescribeRiskConfiguration_RequestSyntax) **   <a name="CognitoUserPools-DescribeRiskConfiguration-request-ClientId"></a>
The ID of the app client with the risk configuration that you want to inspect. You can apply default risk configuration at the user pool level and further customize it from user pool defaults at the app-client level. Specify `ClientId` to inspect client-level configuration, or `UserPoolId` to inspect pool-level configuration.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 128.  
Pattern: `[\w+]+`   
Required: No

 ** [UserPoolId](#API_DescribeRiskConfiguration_RequestSyntax) **   <a name="CognitoUserPools-DescribeRiskConfiguration-request-UserPoolId"></a>
The ID of the user pool with the risk configuration that you want to inspect. You can apply default risk configuration at the user pool level and further customize it from user pool defaults at the app-client level. Specify `ClientId` to inspect client-level configuration, or `UserPoolId` to inspect pool-level configuration.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 55.  
Pattern: `[\w-]+_[0-9a-zA-Z]+`   
Required: Yes

## Response Syntax


```
{
   "RiskConfiguration": { 
      "AccountTakeoverRiskConfiguration": { 
         "Actions": { 
            "HighAction": { 
               "EventAction": "string",
               "Notify": boolean
            },
            "LowAction": { 
               "EventAction": "string",
               "Notify": boolean
            },
            "MediumAction": { 
               "EventAction": "string",
               "Notify": boolean
            }
         },
         "NotifyConfiguration": { 
            "BlockEmail": { 
               "HtmlBody": "string",
               "Subject": "string",
               "TextBody": "string"
            },
            "From": "string",
            "MfaEmail": { 
               "HtmlBody": "string",
               "Subject": "string",
               "TextBody": "string"
            },
            "NoActionEmail": { 
               "HtmlBody": "string",
               "Subject": "string",
               "TextBody": "string"
            },
            "ReplyTo": "string",
            "SourceArn": "string"
         }
      },
      "ClientId": "string",
      "CompromisedCredentialsRiskConfiguration": { 
         "Actions": { 
            "EventAction": "string"
         },
         "EventFilter": [ "string" ]
      },
      "LastModifiedDate": number,
      "RiskExceptionConfiguration": { 
         "BlockedIPRangeList": [ "string" ],
         "SkippedIPRangeList": [ "string" ]
      },
      "UserPoolId": "string"
   }
}
```

## Response Elements


If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

 ** [RiskConfiguration](#API_DescribeRiskConfiguration_ResponseSyntax) **   <a name="CognitoUserPools-DescribeRiskConfiguration-response-RiskConfiguration"></a>
The details of the requested risk configuration.  
Type: [RiskConfigurationType](API_RiskConfigurationType.md) object

## Errors


For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).

 ** InternalErrorException **   
This exception is thrown when Amazon Cognito encounters an internal error.    
 ** message **   
The message returned when Amazon Cognito throws an internal error exception.
HTTP Status Code: 500

 ** InvalidParameterException **   
This exception is thrown when the Amazon Cognito service encounters an invalid parameter.    
 ** message **   
The message returned when the Amazon Cognito service throws an invalid parameter exception.  
 ** reasonCode **   
The reason code of the exception.
HTTP Status Code: 400

 ** NotAuthorizedException **   
This exception is thrown when a user isn't authorized.    
 ** message **   
The message returned when the Amazon Cognito service returns a not authorized exception.
HTTP Status Code: 400

 ** ResourceNotFoundException **   
This exception is thrown when the Amazon Cognito service can't find the requested resource.    
 ** message **   
The message returned when the Amazon Cognito service returns a resource not found exception.
HTTP Status Code: 400

 ** TooManyRequestsException **   
This exception is thrown when the user has made too many requests for a given operation.    
 ** message **   
The message returned when the Amazon Cognito service returns a too many requests exception.
HTTP Status Code: 400

 ** UserPoolAddOnNotEnabledException **   
This exception is thrown when user pool add-ons aren't enabled.  
HTTP Status Code: 400

## Examples


### Example


The following example request describes the threat protection configuration of the app client with ID `1example23456789`.

#### Sample Request


```
POST HTTP/1.1
Host: cognito-idp.us-west-2.amazonaws.com
X-Amz-Date: 20230613T200059Z
Accept-Encoding: gzip, deflate, br
X-Amz-Target: AWSCognitoIdentityProviderService.DescribeRiskConfiguration
User-Agent: <UserAgentString>
Authorization: AWS4-HMAC-SHA256 Credential=<Credential>, SignedHeaders=<Headers>, Signature=<Signature>
Content-Length: <PayloadSizeBytes>
{
   "ClientId": "1example23456789",
   "UserPoolId": "us-west-2_EXAMPLE"
}
```

#### Sample Response


```
HTTP/1.1 200 OK
Date: Tue, 13 Jun 2023 20:00:59 GMT
Content-Type: application/x-amz-json-1.0
Content-Length: <PayloadSizeBytes>
x-amzn-requestid: a1b2c3d4-e5f6-a1b2-c3d4-EXAMPLE11111
Connection: keep-alive
{
    "RiskConfiguration": {
        "AccountTakeoverRiskConfiguration": {
            "Actions": {
                "HighAction": {
                    "EventAction": "MFA_REQUIRED",
                    "Notify": true
                },
                "LowAction": {
                    "EventAction": "NO_ACTION",
                    "Notify": true
                },
                "MediumAction": {
                    "EventAction": "MFA_IF_CONFIGURED",
                    "Notify": true
                }
            },
            "NotifyConfiguration": {
                "BlockEmail": {
                    "HtmlBody": "<!DOCTYPE html>\n<html>\n<head>\n\t<title>HTML email context</title>\n\t<meta charset=\"utf-8\">\n</head>\n<body>\n<pre>We blocked an unrecognized sign-in to your account with this information:\n<ul>\n<li>Time: {login-time}</li>\n<li>Device: {device-name}</li>\n<li>Location: {city}, {country}</li>\n</ul>\nIf this sign-in was not by you, you should change your password and notify us by clicking on <a href={one-click-link-invalid}>this link</a>\nIf this sign-in was by you, you can follow <a href={one-click-link-valid}>this link</a> to let us know</pre>\n</body>\n</html>",
                    "Subject": "Blocked sign-in attempt",
                    "TextBody": "We blocked an unrecognized sign-in to your account with this information:\nTime: {login-time}\nDevice: {device-name}\nLocation: {city}, {country}\nIf this sign-in was not by you, you should change your password and notify us by clicking on {one-click-link-invalid}\nIf this sign-in was by you, you can follow {one-click-link-valid} to let us know"
                },
                "From": "admin@example.com",
                "MfaEmail": {
                    "HtmlBody": "<!DOCTYPE html>\n<html>\n<head>\n\t<title>HTML email context</title>\n\t<meta charset=\"utf-8\">\n</head>\n<body>\n<pre>We required you to use multi-factor authentication for the following sign-in attempt:\n<ul>\n<li>Time: {login-time}</li>\n<li>Device: {device-name}</li>\n<li>Location: {city}, {country}</li>\n</ul>\nIf this sign-in was not by you, you should change your password and notify us by clicking on <a href={one-click-link-invalid}>this link</a>\nIf this sign-in was by you, you can follow <a href={one-click-link-valid}>this link</a> to let us know</pre>\n</body>\n</html>",
                    "Subject": "New sign-in attempt",
                    "TextBody": "We required you to use multi-factor authentication for the following sign-in attempt:\nTime: {login-time}\nDevice: {device-name}\nLocation: {city}, {country}\nIf this sign-in was not by you, you should change your password and notify us by clicking on {one-click-link-invalid}\nIf this sign-in was by you, you can follow {one-click-link-valid} to let us know"
                },
                "NoActionEmail": {
                    "HtmlBody": "<!DOCTYPE html>\n<html>\n<head>\n\t<title>HTML email context</title>\n\t<meta charset=\"utf-8\">\n</head>\n<body>\n<pre>We observed an unrecognized sign-in to your account with this information:\n<ul>\n<li>Time: {login-time}</li>\n<li>Device: {device-name}</li>\n<li>Location: {city}, {country}</li>\n</ul>\nIf this sign-in was not by you, you should change your password and notify us by clicking on <a href={one-click-link-invalid}>this link</a>\nIf this sign-in was by you, you can follow <a href={one-click-link-valid}>this link</a> to let us know</pre>\n</body>\n</html>",
                    "Subject": "New sign-in attempt",
                    "TextBody": "We observed an unrecognized sign-in to your account with this information:\nTime: {login-time}\nDevice: {device-name}\nLocation: {city}, {country}\nIf this sign-in was not by you, you should change your password and notify us by clicking on {one-click-link-invalid}\nIf this sign-in was by you, you can follow {one-click-link-valid} to let us know"
                },
                "ReplyTo": "admin@example.com",
                "SourceArn": "arn:aws:ses:us-east-1:123456789012:identity/admin@example.com"
            }
        },
        "ClientId": "1example23456789",
        "CompromisedCredentialsRiskConfiguration": {
            "Actions": {
                "EventAction": "BLOCK"
            },
            "EventFilter": [
                "PASSWORD_CHANGE",
                "SIGN_UP",
                "SIGN_IN"
            ]
        },
        "UserPoolId": "us-west-2_EXAMPLE"
    }
}
```

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cognito-idp-2016-04-18/DescribeRiskConfiguration) 
+  [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cognito-idp-2016-04-18/DescribeRiskConfiguration) 
+  [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/DescribeRiskConfiguration) 
+  [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cognito-idp-2016-04-18/DescribeRiskConfiguration) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/DescribeRiskConfiguration) 
+  [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cognito-idp-2016-04-18/DescribeRiskConfiguration) 
+  [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cognito-idp-2016-04-18/DescribeRiskConfiguration) 
+  [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cognito-idp-2016-04-18/DescribeRiskConfiguration) 
+  [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/DescribeRiskConfiguration) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cognito-idp-2016-04-18/DescribeRiskConfiguration) 

# DescribeTerms


Returns details for the requested terms documents ID. For more information, see [Terms documents](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-managed-login.html#managed-login-terms-documents).

**Note**  
Amazon Cognito evaluates AWS Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.  
 [Signing AWS API Requests](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html) 
 [Using the Amazon Cognito user pools API and user pool endpoints](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html) 

## Request Syntax


```
{
   "TermsId": "string",
   "UserPoolId": "string"
}
```

## Request Parameters


For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).

The request accepts the following data in JSON format.

 ** [TermsId](#API_DescribeTerms_RequestSyntax) **   <a name="CognitoUserPools-DescribeTerms-request-TermsId"></a>
The ID of the terms documents that you want to describe.  
Type: String  
Pattern: `^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[4][0-9a-fA-F]{3}-[89abAB][0-9a-fA-F]{3}-[0-9a-fA-F]{12}$`   
Required: Yes

 ** [UserPoolId](#API_DescribeTerms_RequestSyntax) **   <a name="CognitoUserPools-DescribeTerms-request-UserPoolId"></a>
The ID of the user pool that contains the terms documents that you want to describe.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 55.  
Pattern: `[\w-]+_[0-9a-zA-Z]+`   
Required: Yes

## Response Syntax


```
{
   "Terms": { 
      "ClientId": "string",
      "CreationDate": number,
      "Enforcement": "string",
      "LastModifiedDate": number,
      "Links": { 
         "string" : "string" 
      },
      "TermsId": "string",
      "TermsName": "string",
      "TermsSource": "string",
      "UserPoolId": "string"
   }
}
```

## Response Elements


If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

 ** [Terms](#API_DescribeTerms_ResponseSyntax) **   <a name="CognitoUserPools-DescribeTerms-response-Terms"></a>
A summary of the requested terms documents. Includes a unique identifier for later changes to the terms documents.  
Type: [TermsType](API_TermsType.md) object

## Errors


For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).

 ** InternalErrorException **   
This exception is thrown when Amazon Cognito encounters an internal error.    
 ** message **   
The message returned when Amazon Cognito throws an internal error exception.
HTTP Status Code: 500

 ** InvalidParameterException **   
This exception is thrown when the Amazon Cognito service encounters an invalid parameter.    
 ** message **   
The message returned when the Amazon Cognito service throws an invalid parameter exception.  
 ** reasonCode **   
The reason code of the exception.
HTTP Status Code: 400

 ** NotAuthorizedException **   
This exception is thrown when a user isn't authorized.    
 ** message **   
The message returned when the Amazon Cognito service returns a not authorized exception.
HTTP Status Code: 400

 ** ResourceNotFoundException **   
This exception is thrown when the Amazon Cognito service can't find the requested resource.    
 ** message **   
The message returned when the Amazon Cognito service returns a resource not found exception.
HTTP Status Code: 400

 ** TooManyRequestsException **   
This exception is thrown when the user has made too many requests for a given operation.    
 ** message **   
The message returned when the Amazon Cognito service returns a too many requests exception.
HTTP Status Code: 400

## Examples


### Example


The following example operation retrieves details for a specific terms document using its TermsId.

#### Sample Request


```
POST HTTP/1.1
Host: cognito-idp.us-west-2.amazonaws.com
X-Amz-Date: 20230613T200059Z
Accept-Encoding: gzip, deflate, br
X-Amz-Target: AWSCognitoIdentityProviderService.DescribeTerms
User-Agent: <UserAgentString>
Authorization: AWS4-HMAC-SHA256 Credential=<Credential>, SignedHeaders=<Headers>, Signature=<Signature>
Content-Length: <PayloadSizeBytes>

{
   "TermsId": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
   "UserPoolId": "us-east-1_EXAMPLE"
}
```

#### Sample Response


```
HTTP/1.1 200 OK
Date: Tue, 13 Jun 2023 20:00:59 GMT
Content-Type: application/x-amz-json-1.0
Content-Length: <PayloadSizeBytes>
x-amzn-requestid: a1b2c3d4-e5f6-a1b2-c3d4-EXAMPLE11111
Connection: keep-alive

{
    "Terms": {
        "ClientId": "1example23456789",
        "CreationDate": 1755794156.892,
        "Enforcement": "NONE",
        "LastModifiedDate": 1755794201.567,
        "Links": {
            "cognito:default": "https://example.com/privacy/",
            "cognito:french": "https://example.com/fr/privacy/",
            "cognito:portuguese-brazil": "https://example.com/pt/privacy/"
        },
        "TermsId": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
        "TermsName": "privacy-policy",
        "TermsSource": "LINK",
        "UserPoolId": "us-east-1_EXAMPLE"
    }
}
```

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cognito-idp-2016-04-18/DescribeTerms) 
+  [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cognito-idp-2016-04-18/DescribeTerms) 
+  [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/DescribeTerms) 
+  [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cognito-idp-2016-04-18/DescribeTerms) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/DescribeTerms) 
+  [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cognito-idp-2016-04-18/DescribeTerms) 
+  [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cognito-idp-2016-04-18/DescribeTerms) 
+  [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cognito-idp-2016-04-18/DescribeTerms) 
+  [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/DescribeTerms) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cognito-idp-2016-04-18/DescribeTerms) 

# DescribeUserImportJob


Describes a user import job. For more information about user CSV import, see [Importing users from a CSV file](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-using-import-tool.html).

## Request Syntax


```
{
   "JobId": "string",
   "UserPoolId": "string"
}
```

## Request Parameters


For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).

The request accepts the following data in JSON format.

 ** [JobId](#API_DescribeUserImportJob_RequestSyntax) **   <a name="CognitoUserPools-DescribeUserImportJob-request-JobId"></a>
The Id of the user import job that you want to describe.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 55.  
Pattern: `import-[0-9a-zA-Z-]+`   
Required: Yes

 ** [UserPoolId](#API_DescribeUserImportJob_RequestSyntax) **   <a name="CognitoUserPools-DescribeUserImportJob-request-UserPoolId"></a>
The ID of the user pool that's associated with the import job.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 55.  
Pattern: `[\w-]+_[0-9a-zA-Z]+`   
Required: Yes

## Response Syntax


```
{
   "UserImportJob": { 
      "CloudWatchLogsRoleArn": "string",
      "CompletionDate": number,
      "CompletionMessage": "string",
      "CreationDate": number,
      "FailedUsers": number,
      "ImportedUsers": number,
      "JobId": "string",
      "JobName": "string",
      "PreSignedUrl": "string",
      "SkippedUsers": number,
      "StartDate": number,
      "Status": "string",
      "UserPoolId": "string"
   }
}
```

## Response Elements


If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

 ** [UserImportJob](#API_DescribeUserImportJob_ResponseSyntax) **   <a name="CognitoUserPools-DescribeUserImportJob-response-UserImportJob"></a>
The details of the user import job. Includes logging destination, status, and the Amazon S3 pre-signed URL for CSV upload.  
Type: [UserImportJobType](API_UserImportJobType.md) object

## Errors


For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).

 ** InternalErrorException **   
This exception is thrown when Amazon Cognito encounters an internal error.    
 ** message **   
The message returned when Amazon Cognito throws an internal error exception.
HTTP Status Code: 500

 ** InvalidParameterException **   
This exception is thrown when the Amazon Cognito service encounters an invalid parameter.    
 ** message **   
The message returned when the Amazon Cognito service throws an invalid parameter exception.  
 ** reasonCode **   
The reason code of the exception.
HTTP Status Code: 400

 ** NotAuthorizedException **   
This exception is thrown when a user isn't authorized.    
 ** message **   
The message returned when the Amazon Cognito service returns a not authorized exception.
HTTP Status Code: 400

 ** ResourceNotFoundException **   
This exception is thrown when the Amazon Cognito service can't find the requested resource.    
 ** message **   
The message returned when the Amazon Cognito service returns a resource not found exception.
HTTP Status Code: 400

 ** TooManyRequestsException **   
This exception is thrown when the user has made too many requests for a given operation.    
 ** message **   
The message returned when the Amazon Cognito service returns a too many requests exception.
HTTP Status Code: 400

## Examples


### Example


The following example request describes the user import operation with the ID `import-mAgUtd8PMm`. In this example, the job ran after creation and successfully imported 99 users.

#### Sample Request


```
POST HTTP/1.1
Host: cognito-idp.us-west-2.amazonaws.com
X-Amz-Date: 20230613T200059Z
Accept-Encoding: gzip, deflate, br
X-Amz-Target: AWSCognitoIdentityProviderService.DescribeUserImportJob
User-Agent: <UserAgentString>
Authorization: AWS4-HMAC-SHA256 Credential=<Credential>, SignedHeaders=<Headers>, Signature=<Signature>
Content-Length: <PayloadSizeBytes>
{
   "JobId": "import-mAgUtd8PMm",
   "UserPoolId": "us-west-2_EXAMPLE"
}
```

#### Sample Response


```
HTTP/1.1 200 OK
Date: Tue, 13 Jun 2023 20:00:59 GMT
Content-Type: application/x-amz-json-1.0
Content-Length: <PayloadSizeBytes>
x-amzn-requestid: a1b2c3d4-e5f6-a1b2-c3d4-EXAMPLE11111
Connection: keep-alive
{
	"UserImportJob": {
		"CloudWatchLogsRoleArn": "arn:aws:iam::123456789012:role/example-cloudwatch-logs-role",
		"CreationDate": 1735241621.022,
		"FailedUsers": 1,
		"ImportedUsers": 99,
		"JobId": "import-mAgUtd8PMm",
		"JobName": "Customer import",
		"PreSignedUrl": "https://aws-cognito-idp-user-import-pdx.s3.us-west-2.amazonaws.com/123456789012/us-west-2_EXAMPLE/import-mAgUtd8PMm?X-Amz-Security-Token=[token]&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20241226T193341Z&X-Amz-SignedHeaders=host%3Bx-amz-server-side-encryption&X-Amz-Expires=899&X-Amz-Credential=[credential]&X-Amz-Signature=[signature]",
		"SkippedUsers": 0,
		"Status": "Succeeded",
		"UserPoolId": "us-west-2_EXAMPLE"
	}
}
```

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cognito-idp-2016-04-18/DescribeUserImportJob) 
+  [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cognito-idp-2016-04-18/DescribeUserImportJob) 
+  [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/DescribeUserImportJob) 
+  [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cognito-idp-2016-04-18/DescribeUserImportJob) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/DescribeUserImportJob) 
+  [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cognito-idp-2016-04-18/DescribeUserImportJob) 
+  [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cognito-idp-2016-04-18/DescribeUserImportJob) 
+  [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cognito-idp-2016-04-18/DescribeUserImportJob) 
+  [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/DescribeUserImportJob) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cognito-idp-2016-04-18/DescribeUserImportJob) 

# DescribeUserPool


Given a user pool ID, returns configuration information. This operation is useful when you want to inspect an existing user pool and programmatically replicate the configuration to another user pool.

**Note**  
Amazon Cognito evaluates AWS Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.  
 [Signing AWS API Requests](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html) 
 [Using the Amazon Cognito user pools API and user pool endpoints](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html) 

## Request Syntax


```
{
   "UserPoolId": "string"
}
```

## Request Parameters


For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).

The request accepts the following data in JSON format.

 ** [UserPoolId](#API_DescribeUserPool_RequestSyntax) **   <a name="CognitoUserPools-DescribeUserPool-request-UserPoolId"></a>
The ID of the user pool you want to describe.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 55.  
Pattern: `[\w-]+_[0-9a-zA-Z]+`   
Required: Yes

## Response Syntax


```
{
   "UserPool": { 
      "AccountRecoverySetting": { 
         "RecoveryMechanisms": [ 
            { 
               "Name": "string",
               "Priority": number
            }
         ]
      },
      "AdminCreateUserConfig": { 
         "AllowAdminCreateUserOnly": boolean,
         "InviteMessageTemplate": { 
            "EmailMessage": "string",
            "EmailSubject": "string",
            "SMSMessage": "string"
         },
         "UnusedAccountValidityDays": number
      },
      "AliasAttributes": [ "string" ],
      "Arn": "string",
      "AutoVerifiedAttributes": [ "string" ],
      "CreationDate": number,
      "CustomDomain": "string",
      "DeletionProtection": "string",
      "DeviceConfiguration": { 
         "ChallengeRequiredOnNewDevice": boolean,
         "DeviceOnlyRememberedOnUserPrompt": boolean
      },
      "Domain": "string",
      "EmailConfiguration": { 
         "ConfigurationSet": "string",
         "EmailSendingAccount": "string",
         "From": "string",
         "ReplyToEmailAddress": "string",
         "SourceArn": "string"
      },
      "EmailConfigurationFailure": "string",
      "EmailVerificationMessage": "string",
      "EmailVerificationSubject": "string",
      "EstimatedNumberOfUsers": number,
      "Id": "string",
      "LambdaConfig": { 
         "CreateAuthChallenge": "string",
         "CustomEmailSender": { 
            "LambdaArn": "string",
            "LambdaVersion": "string"
         },
         "CustomMessage": "string",
         "CustomSMSSender": { 
            "LambdaArn": "string",
            "LambdaVersion": "string"
         },
         "DefineAuthChallenge": "string",
         "InboundFederation": { 
            "LambdaArn": "string",
            "LambdaVersion": "string"
         },
         "KMSKeyID": "string",
         "PostAuthentication": "string",
         "PostConfirmation": "string",
         "PreAuthentication": "string",
         "PreSignUp": "string",
         "PreTokenGeneration": "string",
         "PreTokenGenerationConfig": { 
            "LambdaArn": "string",
            "LambdaVersion": "string"
         },
         "UserMigration": "string",
         "VerifyAuthChallengeResponse": "string"
      },
      "LastModifiedDate": number,
      "MfaConfiguration": "string",
      "Name": "string",
      "Policies": { 
         "PasswordPolicy": { 
            "MinimumLength": number,
            "PasswordHistorySize": number,
            "RequireLowercase": boolean,
            "RequireNumbers": boolean,
            "RequireSymbols": boolean,
            "RequireUppercase": boolean,
            "TemporaryPasswordValidityDays": number
         },
         "SignInPolicy": { 
            "AllowedFirstAuthFactors": [ "string" ]
         }
      },
      "SchemaAttributes": [ 
         { 
            "AttributeDataType": "string",
            "DeveloperOnlyAttribute": boolean,
            "Mutable": boolean,
            "Name": "string",
            "NumberAttributeConstraints": { 
               "MaxValue": "string",
               "MinValue": "string"
            },
            "Required": boolean,
            "StringAttributeConstraints": { 
               "MaxLength": "string",
               "MinLength": "string"
            }
         }
      ],
      "SmsAuthenticationMessage": "string",
      "SmsConfiguration": { 
         "ExternalId": "string",
         "SnsCallerArn": "string",
         "SnsRegion": "string"
      },
      "SmsConfigurationFailure": "string",
      "SmsVerificationMessage": "string",
      "Status": "string",
      "UserAttributeUpdateSettings": { 
         "AttributesRequireVerificationBeforeUpdate": [ "string" ]
      },
      "UsernameAttributes": [ "string" ],
      "UsernameConfiguration": { 
         "CaseSensitive": boolean
      },
      "UserPoolAddOns": { 
         "AdvancedSecurityAdditionalFlows": { 
            "CustomAuthMode": "string"
         },
         "AdvancedSecurityMode": "string"
      },
      "UserPoolTags": { 
         "string" : "string" 
      },
      "UserPoolTier": "string",
      "VerificationMessageTemplate": { 
         "DefaultEmailOption": "string",
         "EmailMessage": "string",
         "EmailMessageByLink": "string",
         "EmailSubject": "string",
         "EmailSubjectByLink": "string",
         "SmsMessage": "string"
      }
   }
}
```

## Response Elements


If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

 ** [UserPool](#API_DescribeUserPool_ResponseSyntax) **   <a name="CognitoUserPools-DescribeUserPool-response-UserPool"></a>
The details of the requested user pool.  
Type: [UserPoolType](API_UserPoolType.md) object

## Errors


For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).

 ** InternalErrorException **   
This exception is thrown when Amazon Cognito encounters an internal error.    
 ** message **   
The message returned when Amazon Cognito throws an internal error exception.
HTTP Status Code: 500

 ** InvalidParameterException **   
This exception is thrown when the Amazon Cognito service encounters an invalid parameter.    
 ** message **   
The message returned when the Amazon Cognito service throws an invalid parameter exception.  
 ** reasonCode **   
The reason code of the exception.
HTTP Status Code: 400

 ** NotAuthorizedException **   
This exception is thrown when a user isn't authorized.    
 ** message **   
The message returned when the Amazon Cognito service returns a not authorized exception.
HTTP Status Code: 400

 ** ResourceNotFoundException **   
This exception is thrown when the Amazon Cognito service can't find the requested resource.    
 ** message **   
The message returned when the Amazon Cognito service returns a resource not found exception.
HTTP Status Code: 400

 ** TooManyRequestsException **   
This exception is thrown when the user has made too many requests for a given operation.    
 ** message **   
The message returned when the Amazon Cognito service returns a too many requests exception.
HTTP Status Code: 400

 ** UserPoolTaggingException **   
This exception is thrown when a user pool tag can't be set or updated.  
HTTP Status Code: 400

## Examples


### Example


The following example request describes the user pool `us-east-1_EXAMPLE`.

#### Sample Request


```
POST HTTP/1.1
Host: cognito-idp.us-east-1.amazonaws.com
X-Amz-Date: 20230613T200059Z
Accept-Encoding: gzip, deflate, br
X-Amz-Target: AWSCognitoIdentityProviderService.DescribeUserPool
User-Agent: <UserAgentString>
Authorization: AWS4-HMAC-SHA256 Credential=<Credential>, SignedHeaders=<Headers>, Signature=<Signature>
Content-Length: <PayloadSizeBytes>
{
   "UserPoolId": "us-east-1_EXAMPLE"
}
```

#### Sample Response


```
HTTP/1.1 200 OK
Date: Tue, 13 Jun 2023 20:00:59 GMT
Content-Type: application/x-amz-json-1.0
Content-Length: <PayloadSizeBytes>
x-amzn-requestid: a1b2c3d4-e5f6-a1b2-c3d4-EXAMPLE11111
Connection: keep-alive

{
    "UserPool": {
        "AccountRecoverySetting": {
            "RecoveryMechanisms": [
                {
                    "Name": "verified_email",
                    "Priority": 1
                }
            ]
        },
        "AdminCreateUserConfig": {
            "AllowAdminCreateUserOnly": false,
            "InviteMessageTemplate": {
                "EmailMessage": "Your username is {username} and temporary password is {####}.",
                "EmailSubject": "Your sign-in information",
                "SMSMessage": "Your username is {username} and temporary password is {####}."
            },
            "UnusedAccountValidityDays": 7
        },
        "AliasAttributes": [
            "email"
        ],
        "Arn": "arn:aws:cognito-idp:us-east-1:123456789012:userpool/us-east-1_EXAMPLE",
        "AutoVerifiedAttributes": [
            "email"
        ],
        "CreationDate": 1689721665.239,
        "DeletionProtection": "ACTIVE",
        "DeviceConfiguration": {
            "ChallengeRequiredOnNewDevice": true,
            "DeviceOnlyRememberedOnUserPrompt": true
        },
        "EmailConfiguration": {
            "ConfigurationSet": "my-test-ses-configuration-set",
            "EmailSendingAccount": "DEVELOPER",
            "From": "support@example.com",
            "ReplyToEmailAddress": "support@example.com",
            "SourceArn": "arn:aws:ses:us-east-1:123456789012:identity/support@example.com"
        },
        "EmailVerificationMessage": "Your verification code is {####}.",
        "EmailVerificationSubject": "Verify your email address",
        "EstimatedNumberOfUsers": 0,
        "Id": "us-east-1_EXAMPLE",
        "LambdaConfig": {
            "CustomEmailSender": {
                "LambdaArn": "arn:aws:lambda:us-east-1:123456789012:function:MyFunction",
                "LambdaVersion": "V1_0"
            },
            "CustomMessage": "arn:aws:lambda:us-east-1:123456789012:function:MyFunction",
            "CustomSMSSender": {
                "LambdaArn": "arn:aws:lambda:us-east-1:123456789012:function:MyFunction",
                "LambdaVersion": "V1_0"
            },
            "DefineAuthChallenge": "arn:aws:lambda:us-east-1:123456789012:function:MyFunction",
            "KMSKeyID": "arn:aws:kms:us-east-1:767671399759:key/4d43904c-8edf-4bb4-9fca-fb1a80e41cbe",
            "PostAuthentication": "arn:aws:lambda:us-east-1:123456789012:function:MyFunction",
            "PostConfirmation": "arn:aws:lambda:us-east-1:123456789012:function:MyFunction",
            "PreAuthentication": "arn:aws:lambda:us-east-1:123456789012:function:MyFunction",
            "PreSignUp": "arn:aws:lambda:us-east-1:123456789012:function:MyFunction",
            "PreTokenGeneration": "arn:aws:lambda:us-east-1:123456789012:function:MyFunction",
            "UserMigration": "arn:aws:lambda:us-east-1:123456789012:function:MyFunction",
            "VerifyAuthChallengeResponse": "arn:aws:lambda:us-east-1:123456789012:function:MyFunction",
            "InboundFederation": {
                "LambdaArn": "arn:aws:lambda:us-east-1:123456789012:function:MyFunction",
                "LambdaVersion": "V1_0"
            }
        },
        "LastModifiedDate": 1689721665.239,
        "MfaConfiguration": "OPTIONAL",
        "Name": "my-test-user-pool",
        "Policies": {
            "PasswordPolicy": {
                "MinimumLength": 6,
                "RequireLowercase": true,
                "RequireNumbers": true,
                "RequireSymbols": true,
                "RequireUppercase": true,
                "TemporaryPasswordValidityDays": 7
            }
        },
        "SchemaAttributes": [
            {
                "AttributeDataType": "String",
                "DeveloperOnlyAttribute": false,
                "Mutable": false,
                "Name": "sub",
                "Required": true,
                "StringAttributeConstraints": {
                    "MaxLength": "2048",
                    "MinLength": "1"
                }
            },
            {
                "AttributeDataType": "String",
                "DeveloperOnlyAttribute": false,
                "Mutable": true,
                "Name": "name",
                "Required": false,
                "StringAttributeConstraints": {
                    "MaxLength": "2048",
                    "MinLength": "0"
                }
            },
            {
                "AttributeDataType": "String",
                "DeveloperOnlyAttribute": false,
                "Mutable": true,
                "Name": "given_name",
                "Required": false,
                "StringAttributeConstraints": {
                    "MaxLength": "2048",
                    "MinLength": "0"
                }
            },
            {
                "AttributeDataType": "String",
                "DeveloperOnlyAttribute": false,
                "Mutable": true,
                "Name": "family_name",
                "Required": false,
                "StringAttributeConstraints": {
                    "MaxLength": "2048",
                    "MinLength": "0"
                }
            },
            {
                "AttributeDataType": "String",
                "DeveloperOnlyAttribute": false,
                "Mutable": true,
                "Name": "middle_name",
                "Required": false,
                "StringAttributeConstraints": {
                    "MaxLength": "2048",
                    "MinLength": "0"
                }
            },
            {
                "AttributeDataType": "String",
                "DeveloperOnlyAttribute": false,
                "Mutable": true,
                "Name": "nickname",
                "Required": false,
                "StringAttributeConstraints": {
                    "MaxLength": "2048",
                    "MinLength": "0"
                }
            },
            {
                "AttributeDataType": "String",
                "DeveloperOnlyAttribute": false,
                "Mutable": true,
                "Name": "preferred_username",
                "Required": false,
                "StringAttributeConstraints": {
                    "MaxLength": "2048",
                    "MinLength": "0"
                }
            },
            {
                "AttributeDataType": "String",
                "DeveloperOnlyAttribute": false,
                "Mutable": true,
                "Name": "profile",
                "Required": false,
                "StringAttributeConstraints": {
                    "MaxLength": "2048",
                    "MinLength": "0"
                }
            },
            {
                "AttributeDataType": "String",
                "DeveloperOnlyAttribute": false,
                "Mutable": true,
                "Name": "picture",
                "Required": false,
                "StringAttributeConstraints": {
                    "MaxLength": "2048",
                    "MinLength": "0"
                }
            },
            {
                "AttributeDataType": "String",
                "DeveloperOnlyAttribute": false,
                "Mutable": true,
                "Name": "website",
                "Required": false,
                "StringAttributeConstraints": {
                    "MaxLength": "2048",
                    "MinLength": "0"
                }
            },
            {
                "AttributeDataType": "String",
                "DeveloperOnlyAttribute": false,
                "Mutable": true,
                "Name": "email",
                "Required": false,
                "StringAttributeConstraints": {
                    "MaxLength": "2048",
                    "MinLength": "0"
                }
            },
            {
                "AttributeDataType": "Boolean",
                "DeveloperOnlyAttribute": false,
                "Mutable": true,
                "Name": "email_verified",
                "Required": false
            },
            {
                "AttributeDataType": "String",
                "DeveloperOnlyAttribute": false,
                "Mutable": true,
                "Name": "gender",
                "Required": false,
                "StringAttributeConstraints": {
                    "MaxLength": "2048",
                    "MinLength": "0"
                }
            },
            {
                "AttributeDataType": "String",
                "DeveloperOnlyAttribute": false,
                "Mutable": true,
                "Name": "birthdate",
                "Required": false,
                "StringAttributeConstraints": {
                    "MaxLength": "10",
                    "MinLength": "10"
                }
            },
            {
                "AttributeDataType": "String",
                "DeveloperOnlyAttribute": false,
                "Mutable": true,
                "Name": "zoneinfo",
                "Required": false,
                "StringAttributeConstraints": {
                    "MaxLength": "2048",
                    "MinLength": "0"
                }
            },
            {
                "AttributeDataType": "String",
                "DeveloperOnlyAttribute": false,
                "Mutable": true,
                "Name": "locale",
                "Required": false,
                "StringAttributeConstraints": {
                    "MaxLength": "2048",
                    "MinLength": "0"
                }
            },
            {
                "AttributeDataType": "String",
                "DeveloperOnlyAttribute": false,
                "Mutable": true,
                "Name": "phone_number",
                "Required": false,
                "StringAttributeConstraints": {
                    "MaxLength": "2048",
                    "MinLength": "0"
                }
            },
            {
                "AttributeDataType": "Boolean",
                "DeveloperOnlyAttribute": false,
                "Mutable": true,
                "Name": "phone_number_verifie",
                "Required": false
            },
            {
                "AttributeDataType": "String",
                "DeveloperOnlyAttribute": false,
                "Mutable": true,
                "Name": "address",
                "Required": false,
                "StringAttributeConstraints": {
                    "MaxLength": "2048",
                    "MinLength": "0"
                }
            },
            {
                "AttributeDataType": "Number",
                "DeveloperOnlyAttribute": false,
                "Mutable": true,
                "Name": "updated_at",
                "NumberAttributeConstraints": {
                    "MinValue": "0"
                },
                "Required": false
            },
            {
                "AttributeDataType": "Number",
                "DeveloperOnlyAttribute": true,
                "Mutable": true,
                "Name": "dev:custom:mydev",
                "NumberAttributeConstraints": {
                    "MaxValue": "99",
                    "MinValue": "1"
                },
                "Required": false
            }
        ],
        "SmsAuthenticationMessage": "Your verification code is {####}.",
        "SmsConfiguration": {
            "ExternalId": "my-role-external-id",
            "SnsCallerArn": "arn:aws:iam::123456789012:role/service-role/test-cognito-SMS-Role",
            "SnsRegion": "us-east-1"
        },
        "SmsVerificationMessage": "Your verification code is {####}.",
        "UserAttributeUpdateSettings": {
            "AttributesRequireVerificationBeforeUpdate": [
                "email"
            ]
        },
        "UserPoolAddOns": {
            "AdvancedSecurityMode": "OFF"
        },
        "UserPoolTags": {
            "my-test-tag-key": "my-test-tag-value"
        },
        "UserPoolTier": "ESSENTIALS",
        "UsernameConfiguration": {
            "CaseSensitive": true
        },
        "VerificationMessageTemplate": {
            "DefaultEmailOption": "CONFIRM_WITH_CODE",
            "EmailMessage": "Your confirmation code is {####}",
            "EmailMessageByLink": "Choose this link to {##verify your email##}",
            "EmailSubject": "Here is your confirmation code",
            "EmailSubjectByLink": "Here is your confirmation link",
            "SmsMessage": "Your confirmation code is {####}"
        }
    }
}
```

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cognito-idp-2016-04-18/DescribeUserPool) 
+  [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cognito-idp-2016-04-18/DescribeUserPool) 
+  [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/DescribeUserPool) 
+  [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cognito-idp-2016-04-18/DescribeUserPool) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/DescribeUserPool) 
+  [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cognito-idp-2016-04-18/DescribeUserPool) 
+  [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cognito-idp-2016-04-18/DescribeUserPool) 
+  [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cognito-idp-2016-04-18/DescribeUserPool) 
+  [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/DescribeUserPool) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cognito-idp-2016-04-18/DescribeUserPool) 

# DescribeUserPoolClient


Given an app client ID, returns configuration information. This operation is useful when you want to inspect an existing app client and programmatically replicate the configuration to another app client. For more information about app clients, see [App clients](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-client-apps.html).

**Note**  
Amazon Cognito evaluates AWS Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.  
 [Signing AWS API Requests](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html) 
 [Using the Amazon Cognito user pools API and user pool endpoints](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html) 

## Request Syntax


```
{
   "ClientId": "string",
   "UserPoolId": "string"
}
```

## Request Parameters


For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).

The request accepts the following data in JSON format.

 ** [ClientId](#API_DescribeUserPoolClient_RequestSyntax) **   <a name="CognitoUserPools-DescribeUserPoolClient-request-ClientId"></a>
The ID of the app client that you want to describe.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 128.  
Pattern: `[\w+]+`   
Required: Yes

 ** [UserPoolId](#API_DescribeUserPoolClient_RequestSyntax) **   <a name="CognitoUserPools-DescribeUserPoolClient-request-UserPoolId"></a>
The ID of the user pool that contains the app client you want to describe.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 55.  
Pattern: `[\w-]+_[0-9a-zA-Z]+`   
Required: Yes

## Response Syntax


```
{
   "UserPoolClient": { 
      "AccessTokenValidity": number,
      "AllowedOAuthFlows": [ "string" ],
      "AllowedOAuthFlowsUserPoolClient": boolean,
      "AllowedOAuthScopes": [ "string" ],
      "AnalyticsConfiguration": { 
         "ApplicationArn": "string",
         "ApplicationId": "string",
         "ExternalId": "string",
         "RoleArn": "string",
         "UserDataShared": boolean
      },
      "AuthSessionValidity": number,
      "CallbackURLs": [ "string" ],
      "ClientId": "string",
      "ClientName": "string",
      "ClientSecret": "string",
      "CreationDate": number,
      "DefaultRedirectURI": "string",
      "EnablePropagateAdditionalUserContextData": boolean,
      "EnableTokenRevocation": boolean,
      "ExplicitAuthFlows": [ "string" ],
      "IdTokenValidity": number,
      "LastModifiedDate": number,
      "LogoutURLs": [ "string" ],
      "PreventUserExistenceErrors": "string",
      "ReadAttributes": [ "string" ],
      "RefreshTokenRotation": { 
         "Feature": "string",
         "RetryGracePeriodSeconds": number
      },
      "RefreshTokenValidity": number,
      "SupportedIdentityProviders": [ "string" ],
      "TokenValidityUnits": { 
         "AccessToken": "string",
         "IdToken": "string",
         "RefreshToken": "string"
      },
      "UserPoolId": "string",
      "WriteAttributes": [ "string" ]
   }
}
```

## Response Elements


If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

 ** [UserPoolClient](#API_DescribeUserPoolClient_ResponseSyntax) **   <a name="CognitoUserPools-DescribeUserPoolClient-response-UserPoolClient"></a>
The details of the request app client.  
Type: [UserPoolClientType](API_UserPoolClientType.md) object

## Errors


For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).

 ** InternalErrorException **   
This exception is thrown when Amazon Cognito encounters an internal error.    
 ** message **   
The message returned when Amazon Cognito throws an internal error exception.
HTTP Status Code: 500

 ** InvalidParameterException **   
This exception is thrown when the Amazon Cognito service encounters an invalid parameter.    
 ** message **   
The message returned when the Amazon Cognito service throws an invalid parameter exception.  
 ** reasonCode **   
The reason code of the exception.
HTTP Status Code: 400

 ** NotAuthorizedException **   
This exception is thrown when a user isn't authorized.    
 ** message **   
The message returned when the Amazon Cognito service returns a not authorized exception.
HTTP Status Code: 400

 ** ResourceNotFoundException **   
This exception is thrown when the Amazon Cognito service can't find the requested resource.    
 ** message **   
The message returned when the Amazon Cognito service returns a resource not found exception.
HTTP Status Code: 400

 ** TooManyRequestsException **   
This exception is thrown when the user has made too many requests for a given operation.    
 ** message **   
The message returned when the Amazon Cognito service returns a too many requests exception.
HTTP Status Code: 400

## Examples


### Example


The following example request describes the app client with the ID `1example23456789`.

#### Sample Request


```
POST HTTP/1.1
Host: cognito-idp.us-east-1.amazonaws.com
X-Amz-Date: 20230613T200059Z
Accept-Encoding: gzip, deflate, br
X-Amz-Target: AWSCognitoIdentityProviderService.DescribeUserPoolClient
User-Agent: <UserAgentString>
Authorization: AWS4-HMAC-SHA256 Credential=<Credential>, SignedHeaders=<Headers>, Signature=<Signature>
Content-Length: <PayloadSizeBytes>
{
   "ClientId": "1example23456789",
   "UserPoolId": "us-east-1_EXAMPLE"
}
```

#### Sample Response


```
HTTP/1.1 200 OK
Date: Tue, 13 Jun 2023 20:00:59 GMT
Content-Type: application/x-amz-json-1.0
Content-Length: <PayloadSizeBytes>
x-amzn-requestid: a1b2c3d4-e5f6-a1b2-c3d4-EXAMPLE11111
Connection: keep-alive

{
      "UserPoolClient": {
        "AccessTokenValidity": 6,
        "AllowedOAuthFlows": [
          "code"
        ],
        "AllowedOAuthFlowsUserPoolClient": true,
        "AllowedOAuthScopes": [
          "aws.cognito.signin.user.admin",
          "openid"
        ],
        "AnalyticsConfiguration": {
          "ApplicationId": "d70b2ba36a8c4dc5a04a0451a31a1e12",
          "ExternalId": "my-external-id",
          "RoleArn": "arn:aws:iam::123456789012:role/test-cognitouserpool-role",
          "UserDataShared": true
        },
        "AuthSessionValidity": 3,
        "CallbackURLs": [
          "https://example.com",
          "http://localhost",
          "myapp://example"
        ],
        "ClientId": "1example23456789",
        "ClientName": "my-test-app-client",
        "ClientSecret": "13ka4h7u28d9oo44tqpq9djqsfvhvu8rk4d2ighvpu0k8fj1c2r9",
        "CreationDate": 1689885426.107,
        "DefaultRedirectURI": "https://example.com",
        "EnablePropagateAdditionalUserContextData": false,
        "EnableTokenRevocation": true,
        "ExplicitAuthFlows": [
          "ALLOW_USER_AUTH",
          "ALLOW_USER_PASSWORD_AUTH",
          "ALLOW_ADMIN_USER_PASSWORD_AUTH",
          "ALLOW_REFRESH_TOKEN_AUTH"
        ],
        "IdTokenValidity": 6,
        "LastModifiedDate": 1689885426.107,
        "LogoutURLs": [
          "https://example.com/logout"
        ],
        "PreventUserExistenceErrors": "ENABLED",
        "ReadAttributes": [
          "address",
          "preferred_username",
          "email"
        ],
        "RefreshTokenValidity": 6,
        "SupportedIdentityProviders": [
          "SignInWithApple",
          "MySSO"
        ],
        "TokenValidityUnits": {
          "AccessToken": "hours",
          "IdToken": "minutes",
          "RefreshToken": "days"
        },
        "UserPoolId": "us-east-1_EXAMPLE",
        "WriteAttributes": [
          "family_name",
          "email"
        ]
      }
}
```

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cognito-idp-2016-04-18/DescribeUserPoolClient) 
+  [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cognito-idp-2016-04-18/DescribeUserPoolClient) 
+  [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/DescribeUserPoolClient) 
+  [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cognito-idp-2016-04-18/DescribeUserPoolClient) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/DescribeUserPoolClient) 
+  [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cognito-idp-2016-04-18/DescribeUserPoolClient) 
+  [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cognito-idp-2016-04-18/DescribeUserPoolClient) 
+  [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cognito-idp-2016-04-18/DescribeUserPoolClient) 
+  [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/DescribeUserPoolClient) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cognito-idp-2016-04-18/DescribeUserPoolClient) 

# DescribeUserPoolDomain


Given a user pool domain name, returns information about the domain configuration.

**Note**  
Amazon Cognito evaluates AWS Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.  
 [Signing AWS API Requests](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html) 
 [Using the Amazon Cognito user pools API and user pool endpoints](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html) 

## Request Syntax


```
{
   "Domain": "string"
}
```

## Request Parameters


For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).

The request accepts the following data in JSON format.

 ** [Domain](#API_DescribeUserPoolDomain_RequestSyntax) **   <a name="CognitoUserPools-DescribeUserPoolDomain-request-Domain"></a>
The domain that you want to describe. For custom domains, this is the fully-qualified domain name, such as `auth.example.com`. For Amazon Cognito prefix domains, this is the prefix alone, such as `auth`.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 63.  
Pattern: `^[a-z0-9](?:[a-z0-9\-]{0,61}[a-z0-9])?$`   
Required: Yes

## Response Syntax


```
{
   "DomainDescription": { 
      "AWSAccountId": "string",
      "CloudFrontDistribution": "string",
      "CustomDomainConfig": { 
         "CertificateArn": "string"
      },
      "Domain": "string",
      "ManagedLoginVersion": number,
      "S3Bucket": "string",
      "Status": "string",
      "UserPoolId": "string",
      "Version": "string"
   }
}
```

## Response Elements


If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

 ** [DomainDescription](#API_DescribeUserPoolDomain_ResponseSyntax) **   <a name="CognitoUserPools-DescribeUserPoolDomain-response-DomainDescription"></a>
The details of the requested user pool domain.  
Type: [DomainDescriptionType](API_DomainDescriptionType.md) object

## Errors


For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).

 ** InternalErrorException **   
This exception is thrown when Amazon Cognito encounters an internal error.    
 ** message **   
The message returned when Amazon Cognito throws an internal error exception.
HTTP Status Code: 500

 ** InvalidParameterException **   
This exception is thrown when the Amazon Cognito service encounters an invalid parameter.    
 ** message **   
The message returned when the Amazon Cognito service throws an invalid parameter exception.  
 ** reasonCode **   
The reason code of the exception.
HTTP Status Code: 400

 ** NotAuthorizedException **   
This exception is thrown when a user isn't authorized.    
 ** message **   
The message returned when the Amazon Cognito service returns a not authorized exception.
HTTP Status Code: 400

 ** ResourceNotFoundException **   
This exception is thrown when the Amazon Cognito service can't find the requested resource.    
 ** message **   
The message returned when the Amazon Cognito service returns a resource not found exception.
HTTP Status Code: 400

## Examples


### Example


The following example request describes the custom domain `auth.example.com` for the user pool `us-west-2_EXAMPLE`.

#### Sample Request


```
POST HTTP/1.1
Host: cognito-idp.us-west-2.amazonaws.com
X-Amz-Date: 20230613T200059Z
Accept-Encoding: gzip, deflate, br
X-Amz-Target: AWSCognitoIdentityProviderService.DescribeUserPoolDomain
User-Agent: <UserAgentString>
Authorization: AWS4-HMAC-SHA256 Credential=<Credential>, SignedHeaders=<Headers>, Signature=<Signature>
Content-Length: <PayloadSizeBytes>
{
   "Domain": "auth.example.com"
}
```

#### Sample Response


```
HTTP/1.1 200 OK
Date: Tue, 13 Jun 2023 20:00:59 GMT
Content-Type: application/x-amz-json-1.0
Content-Length: <PayloadSizeBytes>
x-amzn-requestid: a1b2c3d4-e5f6-a1b2-c3d4-EXAMPLE11111
Connection: keep-alive
{
    "DomainDescription": {
        "AWSAccountId": "123456789012",
        "CloudFrontDistribution": "example.cloudfront.net",
        "CustomDomainConfig": {
            "CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
        },
        "Domain": "auth.example.com",
        "ManagedLoginVersion": 2,
        "S3Bucket": "aws-cognito-prod-pdx-assets",
        "Status": "ACTIVE",
        "UserPoolId": "us-west-2_EXAMPLE",
        "Version": "20241127003837"
    }
}
```

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cognito-idp-2016-04-18/DescribeUserPoolDomain) 
+  [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cognito-idp-2016-04-18/DescribeUserPoolDomain) 
+  [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/DescribeUserPoolDomain) 
+  [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cognito-idp-2016-04-18/DescribeUserPoolDomain) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/DescribeUserPoolDomain) 
+  [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cognito-idp-2016-04-18/DescribeUserPoolDomain) 
+  [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cognito-idp-2016-04-18/DescribeUserPoolDomain) 
+  [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cognito-idp-2016-04-18/DescribeUserPoolDomain) 
+  [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/DescribeUserPoolDomain) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cognito-idp-2016-04-18/DescribeUserPoolDomain) 

# ForgetDevice


Given a device key, deletes a remembered device as the currently signed-in user. For more information about device authentication, see [Working with user devices in your user pool](https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-device-tracking.html).

Authorize this action with a signed-in user's access token. It must include the scope `aws.cognito.signin.user.admin`.

**Note**  
Amazon Cognito doesn't evaluate AWS Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you can't use IAM credentials to authorize requests, and you can't grant IAM permissions in policies. For more information about authorization models in Amazon Cognito, see [Using the Amazon Cognito user pools API and user pool endpoints](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html).

## Request Syntax


```
{
   "AccessToken": "string",
   "DeviceKey": "string"
}
```

## Request Parameters


For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).

The request accepts the following data in JSON format.

 ** [AccessToken](#API_ForgetDevice_RequestSyntax) **   <a name="CognitoUserPools-ForgetDevice-request-AccessToken"></a>
A valid access token that Amazon Cognito issued to the currently signed-in user. Must include a scope claim for `aws.cognito.signin.user.admin`.  
Type: String  
Pattern: `[A-Za-z0-9-_=.]+`   
Required: No

 ** [DeviceKey](#API_ForgetDevice_RequestSyntax) **   <a name="CognitoUserPools-ForgetDevice-request-DeviceKey"></a>
The unique identifier, or device key, of the device that the user wants to forget.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 55.  
Pattern: `[\w-]+_[0-9a-f-]+`   
Required: Yes

## Response Elements


If the action is successful, the service sends back an HTTP 200 response with an empty HTTP body.

## Errors


For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).

 ** ForbiddenException **   
This exception is thrown when AWS WAF doesn't allow your request based on a web ACL that's associated with your user pool.    
 ** message **   
The message returned when AWS WAF doesn't allow your request based on a web ACL that's associated with your user pool.
HTTP Status Code: 400

 ** InternalErrorException **   
This exception is thrown when Amazon Cognito encounters an internal error.    
 ** message **   
The message returned when Amazon Cognito throws an internal error exception.
HTTP Status Code: 500

 ** InvalidParameterException **   
This exception is thrown when the Amazon Cognito service encounters an invalid parameter.    
 ** message **   
The message returned when the Amazon Cognito service throws an invalid parameter exception.  
 ** reasonCode **   
The reason code of the exception.
HTTP Status Code: 400

 ** InvalidUserPoolConfigurationException **   
This exception is thrown when the user pool configuration is not valid.    
 ** message **   
The message returned when the user pool configuration is not valid.
HTTP Status Code: 400

 ** NotAuthorizedException **   
This exception is thrown when a user isn't authorized.    
 ** message **   
The message returned when the Amazon Cognito service returns a not authorized exception.
HTTP Status Code: 400

 ** PasswordResetRequiredException **   
This exception is thrown when a password reset is required.    
 ** message **   
The message returned when a password reset is required.
HTTP Status Code: 400

 ** ResourceNotFoundException **   
This exception is thrown when the Amazon Cognito service can't find the requested resource.    
 ** message **   
The message returned when the Amazon Cognito service returns a resource not found exception.
HTTP Status Code: 400

 ** TooManyRequestsException **   
This exception is thrown when the user has made too many requests for a given operation.    
 ** message **   
The message returned when the Amazon Cognito service returns a too many requests exception.
HTTP Status Code: 400

 ** UserNotConfirmedException **   
This exception is thrown when a user isn't confirmed successfully.    
 ** message **   
The message returned when a user isn't confirmed successfully.
HTTP Status Code: 400

 ** UserNotFoundException **   
This exception is thrown when a user isn't found.    
 ** message **   
The message returned when a user isn't found.
HTTP Status Code: 400

## Examples


### Example


The following example request .

#### Sample Request


```
POST HTTP/1.1
Host: cognito-idp.us-west-2.amazonaws.com
X-Amz-Date: 20230613T200059Z
Accept-Encoding: gzip, deflate, br
X-Amz-Target: AWSCognitoIdentityProviderService.ForgetDevice
User-Agent: <UserAgentString>
Authorization: AWS4-HMAC-SHA256 Credential=<Credential>, SignedHeaders=<Headers>, Signature=<Signature>
Content-Length: <PayloadSizeBytes>
{
  "AccessToken": "eyJra456defEXAMPLE",
  "DeviceKey": "us-west-2_a1b2c3d4-5678-90ab-cdef-EXAMPLE22222"
}
```

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cognito-idp-2016-04-18/ForgetDevice) 
+  [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cognito-idp-2016-04-18/ForgetDevice) 
+  [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/ForgetDevice) 
+  [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cognito-idp-2016-04-18/ForgetDevice) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/ForgetDevice) 
+  [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cognito-idp-2016-04-18/ForgetDevice) 
+  [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cognito-idp-2016-04-18/ForgetDevice) 
+  [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cognito-idp-2016-04-18/ForgetDevice) 
+  [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/ForgetDevice) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cognito-idp-2016-04-18/ForgetDevice) 

# ForgotPassword


Sends a password-reset confirmation code to the email address or phone number of the requested username. The message delivery method is determined by the user's available attributes and the `AccountRecoverySetting` configuration of the user pool.

For the `Username` parameter, you can use the username or an email, phone, or preferred username alias.

Amazon Cognito sends the code with the delivery method specified by your user pool [CreateUserPool:AccountRecoverySetting](API_CreateUserPool.md#CognitoUserPools-CreateUserPool-request-AccountRecoverySetting) configuration. For more information, see [Recovering user accounts](https://docs.aws.amazon.com/cognito/latest/developerguide/how-to-recover-a-user-account.html) in the *Amazon Cognito Developer Guide*. Users must submit the code in a [ConfirmForgotPassword](API_ConfirmForgotPassword.md) request.

If neither a verified phone number nor a verified email exists, Amazon Cognito responds with an `InvalidParameterException` error . If your app client has a client secret and you don't provide a `SECRET_HASH` parameter, this API returns `NotAuthorizedException`.

To use this API operation, your user pool must have self-service account recovery options set in [AccountRecoverySettingType](API_AccountRecoverySettingType.md) and the requested user must be eligible for an available account recovery option. Use [AdminSetUserPassword](API_AdminSetUserPassword.md) if you manage passwords as an administrator.

**Note**  
Amazon Cognito doesn't evaluate AWS Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you can't use IAM credentials to authorize requests, and you can't grant IAM permissions in policies. For more information about authorization models in Amazon Cognito, see [Using the Amazon Cognito user pools API and user pool endpoints](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html).

**Note**  
This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers require you to register an origination phone number before you can send SMS messages to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a phone number with [Amazon Pinpoint](https://console.aws.amazon.com/pinpoint/home/). Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must receive SMS messages might not be able to sign up, activate their accounts, or sign in.  
If you have never used SMS text messages with Amazon Cognito or any other AWS service, Amazon Simple Notification Service might place your account in the SMS sandbox. In * [sandbox mode](https://docs.aws.amazon.com/sns/latest/dg/sns-sms-sandbox.html) *, you can send messages only to verified phone numbers. After you test your app while in the sandbox environment, you can move out of the sandbox and into production. For more information, see [ SMS message settings for Amazon Cognito user pools](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-sms-settings.html) in the *Amazon Cognito Developer Guide*.

## Request Syntax


```
{
   "AnalyticsMetadata": { 
      "AnalyticsEndpointId": "string"
   },
   "ClientId": "string",
   "ClientMetadata": { 
      "string" : "string" 
   },
   "SecretHash": "string",
   "UserContextData": { 
      "EncodedData": "string",
      "IpAddress": "string"
   },
   "Username": "string"
}
```

## Request Parameters


For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).

The request accepts the following data in JSON format.

 ** [AnalyticsMetadata](#API_ForgotPassword_RequestSyntax) **   <a name="CognitoUserPools-ForgotPassword-request-AnalyticsMetadata"></a>
Information that supports analytics outcomes with Amazon Pinpoint, including the user's endpoint ID. The endpoint ID is a destination for Amazon Pinpoint push notifications, for example a device identifier, email address, or phone number.  
Type: [AnalyticsMetadataType](API_AnalyticsMetadataType.md) object  
Required: No

 ** [ClientId](#API_ForgotPassword_RequestSyntax) **   <a name="CognitoUserPools-ForgotPassword-request-ClientId"></a>
The ID of the user pool app client associated with the current signed-in user.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 128.  
Pattern: `[\w+]+`   
Required: Yes

 ** [ClientMetadata](#API_ForgotPassword_RequestSyntax) **   <a name="CognitoUserPools-ForgotPassword-request-ClientMetadata"></a>
A map of custom key-value pairs that you can provide as input for any custom workflows that this action triggers. You create custom workflows by assigning AWS Lambda functions to user pool triggers.  
When Amazon Cognito invokes any of these functions, it passes a JSON payload, which the function receives as input. This payload contains a `clientMetadata` attribute that provides the data that you assigned to the ClientMetadata parameter in your request. In your function code, you can process the `clientMetadata` value to enhance your workflow for your specific needs.  
To review the Lambda trigger types that Amazon Cognito invokes at runtime with API requests, see [ Connecting API actions to Lambda triggers](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-working-with-lambda-triggers.html#lambda-triggers-by-event) in the *Amazon Cognito Developer Guide*.  
When you use the `ClientMetadata` parameter, note that Amazon Cognito won't do the following:  
+ Store the `ClientMetadata` value. This data is available only to AWS Lambda triggers that are assigned to a user pool to support custom workflows. If your user pool configuration doesn't include triggers, the `ClientMetadata` parameter serves no purpose.
+ Validate the `ClientMetadata` value.
+ Encrypt the `ClientMetadata` value. Don't send sensitive information in this parameter.
Type: String to string map  
Key Length Constraints: Minimum length of 0. Maximum length of 131072.  
Value Length Constraints: Minimum length of 0. Maximum length of 131072.  
Required: No

 ** [SecretHash](#API_ForgotPassword_RequestSyntax) **   <a name="CognitoUserPools-ForgotPassword-request-SecretHash"></a>
A keyed-hash message authentication code (HMAC) calculated using the secret key of a user pool client and username plus the client ID in the message. For more information about `SecretHash`, see [Computing secret hash values](https://docs.aws.amazon.com/cognito/latest/developerguide/signing-up-users-in-your-app.html#cognito-user-pools-computing-secret-hash).  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 128.  
Pattern: `[\w+=/]+`   
Required: No

 ** [UserContextData](#API_ForgotPassword_RequestSyntax) **   <a name="CognitoUserPools-ForgotPassword-request-UserContextData"></a>
Contextual data about your user session like the device fingerprint, IP address, or location. Amazon Cognito threat protection evaluates the risk of an authentication event based on the context that your app generates and passes to Amazon Cognito when it makes API requests.  
For more information, see [Collecting data for threat protection in applications](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-viewing-threat-protection-app.html).  
Type: [UserContextDataType](API_UserContextDataType.md) object  
Required: No

 ** [Username](#API_ForgotPassword_RequestSyntax) **   <a name="CognitoUserPools-ForgotPassword-request-Username"></a>
The name of the user that you want to query or modify. The value of this parameter is typically your user's username, but it can be any of their alias attributes. If `username` isn't an alias attribute in your user pool, this value must be the `sub` of a local user or the username of a user from a third-party IdP.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 128.  
Pattern: `[\p{L}\p{M}\p{S}\p{N}\p{P}]+`   
Required: Yes

## Response Syntax


```
{
   "CodeDeliveryDetails": { 
      "AttributeName": "string",
      "DeliveryMedium": "string",
      "Destination": "string"
   }
}
```

## Response Elements


If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

 ** [CodeDeliveryDetails](#API_ForgotPassword_ResponseSyntax) **   <a name="CognitoUserPools-ForgotPassword-response-CodeDeliveryDetails"></a>
Information about the phone number or email address that Amazon Cognito sent the password-recovery code to.  
Type: [CodeDeliveryDetailsType](API_CodeDeliveryDetailsType.md) object

## Errors


For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).

 ** CodeDeliveryFailureException **   
This exception is thrown when a verification code fails to deliver successfully.    
 ** message **   
The message sent when a verification code fails to deliver successfully.
HTTP Status Code: 400

 ** ForbiddenException **   
This exception is thrown when AWS WAF doesn't allow your request based on a web ACL that's associated with your user pool.    
 ** message **   
The message returned when AWS WAF doesn't allow your request based on a web ACL that's associated with your user pool.
HTTP Status Code: 400

 ** InternalErrorException **   
This exception is thrown when Amazon Cognito encounters an internal error.    
 ** message **   
The message returned when Amazon Cognito throws an internal error exception.
HTTP Status Code: 500

 ** InvalidEmailRoleAccessPolicyException **   
This exception is thrown when Amazon Cognito isn't allowed to use your email identity. HTTP status code: 400.    
 ** message **   
The message returned when you have an unverified email address or the identity policy isn't set on an email address that Amazon Cognito can access.
HTTP Status Code: 400

 ** InvalidLambdaResponseException **   
This exception is thrown when Amazon Cognito encounters an invalid AWS Lambda response.    
 ** message **   
The message returned when Amazon Cognito throws an invalid AWS Lambda response exception.
HTTP Status Code: 400

 ** InvalidParameterException **   
This exception is thrown when the Amazon Cognito service encounters an invalid parameter.    
 ** message **   
The message returned when the Amazon Cognito service throws an invalid parameter exception.  
 ** reasonCode **   
The reason code of the exception.
HTTP Status Code: 400

 ** InvalidSmsRoleAccessPolicyException **   
This exception is returned when the role provided for SMS configuration doesn't have permission to publish using Amazon SNS.    
 ** message **   
The message returned when the invalid SMS role access policy exception is thrown.
HTTP Status Code: 400

 ** InvalidSmsRoleTrustRelationshipException **   
This exception is thrown when the trust relationship is not valid for the role provided for SMS configuration. This can happen if you don't trust `cognito-idp.amazonaws.com` or the external ID provided in the role does not match what is provided in the SMS configuration for the user pool.    
 ** message **   
The message returned when the role trust relationship for the SMS message is not valid.
HTTP Status Code: 400

 ** LimitExceededException **   
This exception is thrown when a user exceeds the limit for a requested AWS resource.    
 ** message **   
The message returned when Amazon Cognito throws a limit exceeded exception.
HTTP Status Code: 400

 ** NotAuthorizedException **   
This exception is thrown when a user isn't authorized.    
 ** message **   
The message returned when the Amazon Cognito service returns a not authorized exception.
HTTP Status Code: 400

 ** ResourceNotFoundException **   
This exception is thrown when the Amazon Cognito service can't find the requested resource.    
 ** message **   
The message returned when the Amazon Cognito service returns a resource not found exception.
HTTP Status Code: 400

 ** TooManyRequestsException **   
This exception is thrown when the user has made too many requests for a given operation.    
 ** message **   
The message returned when the Amazon Cognito service returns a too many requests exception.
HTTP Status Code: 400

 ** UnexpectedLambdaException **   
This exception is thrown when Amazon Cognito encounters an unexpected exception with AWS Lambda.    
 ** message **   
The message returned when Amazon Cognito returns an unexpected Lambda exception.
HTTP Status Code: 400

 ** UserLambdaValidationException **   
This exception is thrown when the Amazon Cognito service encounters a user validation exception with the AWS Lambda service.    
 ** message **   
The message returned when the Amazon Cognito service returns a user validation exception with the Lambda service.
HTTP Status Code: 400

 ** UserNotFoundException **   
This exception is thrown when a user isn't found.    
 ** message **   
The message returned when a user isn't found.
HTTP Status Code: 400

## Examples


### Example


The following example request requests a forgot-password code for the user "testuser". Amazon Cognito responds with confirmation that it has delivered the code in an email message.

#### Sample Request


```
POST HTTP/1.1
Host: cognito-idp.us-west-2.amazonaws.com
X-Amz-Date: 20230613T200059Z
Accept-Encoding: gzip, deflate, br
X-Amz-Target: AWSCognitoIdentityProviderService.ForgotPassword
User-Agent: <UserAgentString>
Authorization: AWS4-HMAC-SHA256 Credential=<Credential>, SignedHeaders=<Headers>, Signature=<Signature>
Content-Length: <PayloadSizeBytes>
{
   "ClientId": "1example23456789",
   "Username": "testuser"
}
```

#### Sample Response


```
HTTP/1.1 200 OK
Date: Tue, 13 Jun 2023 20:00:59 GMT
Content-Type: application/x-amz-json-1.0
Content-Length: <PayloadSizeBytes>
x-amzn-requestid: a1b2c3d4-e5f6-a1b2-c3d4-EXAMPLE11111
Connection: keep-alive
{
   "CodeDeliveryDetails": {
        "AttributeName": "email",
        "DeliveryMedium": "EMAIL",
        "Destination": "a***@e***"
    }
}
```

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cognito-idp-2016-04-18/ForgotPassword) 
+  [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cognito-idp-2016-04-18/ForgotPassword) 
+  [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/ForgotPassword) 
+  [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cognito-idp-2016-04-18/ForgotPassword) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/ForgotPassword) 
+  [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cognito-idp-2016-04-18/ForgotPassword) 
+  [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cognito-idp-2016-04-18/ForgotPassword) 
+  [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cognito-idp-2016-04-18/ForgotPassword) 
+  [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/ForgotPassword) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cognito-idp-2016-04-18/ForgotPassword) 

# GetCSVHeader


Given a user pool ID, generates a comma-separated value (CSV) list populated with available user attributes in the user pool. This list is the header for the CSV file that determines the users in a user import job. Save the content of `CSVHeader` in the response as a `.csv` file and populate it with the usernames and attributes of users that you want to import. For more information about CSV user import, see [Importing users from a CSV file](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-using-import-tool.html).

**Note**  
Amazon Cognito evaluates AWS Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.  
 [Signing AWS API Requests](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html) 
 [Using the Amazon Cognito user pools API and user pool endpoints](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html) 

## Request Syntax


```
{
   "UserPoolId": "string"
}
```

## Request Parameters


For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).

The request accepts the following data in JSON format.

 ** [UserPoolId](#API_GetCSVHeader_RequestSyntax) **   <a name="CognitoUserPools-GetCSVHeader-request-UserPoolId"></a>
The ID of the user pool that you want to import users into.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 55.  
Pattern: `[\w-]+_[0-9a-zA-Z]+`   
Required: Yes

## Response Syntax


```
{
   "CSVHeader": [ "string" ],
   "UserPoolId": "string"
}
```

## Response Elements


If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

 ** [CSVHeader](#API_GetCSVHeader_ResponseSyntax) **   <a name="CognitoUserPools-GetCSVHeader-response-CSVHeader"></a>
A comma-separated list of attributes from your user pool. Save this output to a `.csv` file and populate it with the attributes of the users that you want to import.  
Type: Array of strings  
Length Constraints: Minimum length of 0. Maximum length of 131072.

 ** [UserPoolId](#API_GetCSVHeader_ResponseSyntax) **   <a name="CognitoUserPools-GetCSVHeader-response-UserPoolId"></a>
The ID of the requested user pool.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 55.  
Pattern: `[\w-]+_[0-9a-zA-Z]+` 

## Errors


For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).

 ** InternalErrorException **   
This exception is thrown when Amazon Cognito encounters an internal error.    
 ** message **   
The message returned when Amazon Cognito throws an internal error exception.
HTTP Status Code: 500

 ** InvalidParameterException **   
This exception is thrown when the Amazon Cognito service encounters an invalid parameter.    
 ** message **   
The message returned when the Amazon Cognito service throws an invalid parameter exception.  
 ** reasonCode **   
The reason code of the exception.
HTTP Status Code: 400

 ** NotAuthorizedException **   
This exception is thrown when a user isn't authorized.    
 ** message **   
The message returned when the Amazon Cognito service returns a not authorized exception.
HTTP Status Code: 400

 ** ResourceNotFoundException **   
This exception is thrown when the Amazon Cognito service can't find the requested resource.    
 ** message **   
The message returned when the Amazon Cognito service returns a resource not found exception.
HTTP Status Code: 400

 ** TooManyRequestsException **   
This exception is thrown when the user has made too many requests for a given operation.    
 ** message **   
The message returned when the Amazon Cognito service returns a too many requests exception.
HTTP Status Code: 400

## Examples


### Example


The following example request retrieves the attributes from a user pool in CSV format for an import job.

#### Sample Request


```
POST HTTP/1.1
Host: cognito-idp.us-west-2.amazonaws.com
X-Amz-Date: 20230613T200059Z
Accept-Encoding: gzip, deflate, br
X-Amz-Target: AWSCognitoIdentityProviderService.GetCSVHeader
User-Agent: <UserAgentString>
Authorization: AWS4-HMAC-SHA256 Credential=<Credential>, SignedHeaders=<Headers>, Signature=<Signature>
Content-Length: <PayloadSizeBytes>
{
   "UserPoolId": "us-west-2_EXAMPLE"
}
```

#### Sample Response


```
HTTP/1.1 200 OK
Date: Tue, 13 Jun 2023 20:00:59 GMT
Content-Type: application/x-amz-json-1.0
Content-Length: <PayloadSizeBytes>
x-amzn-requestid: a1b2c3d4-e5f6-a1b2-c3d4-EXAMPLE11111
Connection: keep-alive
{
   "CSVHeader": [
      "name",
      "given_name",
      "family_name",
      "middle_name",
      "nickname",
      "preferred_username",
      "profile",
      "picture",
      "website",
      "email",
      "email_verified",
      "gender",
      "birthdate",
      "zoneinfo",
      "locale",
      "phone_number",
      "phone_number_verified",
      "address",
      "updated_at",
      "custom:costcenter",
      "custom:accesstoken",
      "custom:idtoken",
      "dev:custom:bandwidth",
      "cognito:mfa_enabled",
      "cognito:username"
   ],
   "UserPoolId": "us-west-2_EXAMPLE"
}
```

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cognito-idp-2016-04-18/GetCSVHeader) 
+  [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cognito-idp-2016-04-18/GetCSVHeader) 
+  [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/GetCSVHeader) 
+  [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cognito-idp-2016-04-18/GetCSVHeader) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/GetCSVHeader) 
+  [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cognito-idp-2016-04-18/GetCSVHeader) 
+  [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cognito-idp-2016-04-18/GetCSVHeader) 
+  [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cognito-idp-2016-04-18/GetCSVHeader) 
+  [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/GetCSVHeader) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cognito-idp-2016-04-18/GetCSVHeader) 

# GetDevice


Given a device key, returns information about a remembered device for the current user. For more information about device authentication, see [Working with user devices in your user pool](https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-device-tracking.html).

Authorize this action with a signed-in user's access token. It must include the scope `aws.cognito.signin.user.admin`.

**Note**  
Amazon Cognito doesn't evaluate AWS Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you can't use IAM credentials to authorize requests, and you can't grant IAM permissions in policies. For more information about authorization models in Amazon Cognito, see [Using the Amazon Cognito user pools API and user pool endpoints](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html).

## Request Syntax


```
{
   "AccessToken": "string",
   "DeviceKey": "string"
}
```

## Request Parameters


For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).

The request accepts the following data in JSON format.

 ** [AccessToken](#API_GetDevice_RequestSyntax) **   <a name="CognitoUserPools-GetDevice-request-AccessToken"></a>
A valid access token that Amazon Cognito issued to the currently signed-in user. Must include a scope claim for `aws.cognito.signin.user.admin`.  
Type: String  
Pattern: `[A-Za-z0-9-_=.]+`   
Required: No

 ** [DeviceKey](#API_GetDevice_RequestSyntax) **   <a name="CognitoUserPools-GetDevice-request-DeviceKey"></a>
The key of the device that you want to get information about.  
You can get device IDs in the response to a [ListDevices](API_ListDevices.md) request.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 55.  
Pattern: `[\w-]+_[0-9a-f-]+`   
Required: Yes

## Response Syntax


```
{
   "Device": { 
      "DeviceAttributes": [ 
         { 
            "Name": "string",
            "Value": "string"
         }
      ],
      "DeviceCreateDate": number,
      "DeviceKey": "string",
      "DeviceLastAuthenticatedDate": number,
      "DeviceLastModifiedDate": number
   }
}
```

## Response Elements


If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

 ** [Device](#API_GetDevice_ResponseSyntax) **   <a name="CognitoUserPools-GetDevice-response-Device"></a>
Details of the requested device. Includes device information, last-accessed and created dates, and the device key.  
Type: [DeviceType](API_DeviceType.md) object

## Errors


For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).

 ** ForbiddenException **   
This exception is thrown when AWS WAF doesn't allow your request based on a web ACL that's associated with your user pool.    
 ** message **   
The message returned when AWS WAF doesn't allow your request based on a web ACL that's associated with your user pool.
HTTP Status Code: 400

 ** InternalErrorException **   
This exception is thrown when Amazon Cognito encounters an internal error.    
 ** message **   
The message returned when Amazon Cognito throws an internal error exception.
HTTP Status Code: 500

 ** InvalidParameterException **   
This exception is thrown when the Amazon Cognito service encounters an invalid parameter.    
 ** message **   
The message returned when the Amazon Cognito service throws an invalid parameter exception.  
 ** reasonCode **   
The reason code of the exception.
HTTP Status Code: 400

 ** InvalidUserPoolConfigurationException **   
This exception is thrown when the user pool configuration is not valid.    
 ** message **   
The message returned when the user pool configuration is not valid.
HTTP Status Code: 400

 ** NotAuthorizedException **   
This exception is thrown when a user isn't authorized.    
 ** message **   
The message returned when the Amazon Cognito service returns a not authorized exception.
HTTP Status Code: 400

 ** PasswordResetRequiredException **   
This exception is thrown when a password reset is required.    
 ** message **   
The message returned when a password reset is required.
HTTP Status Code: 400

 ** ResourceNotFoundException **   
This exception is thrown when the Amazon Cognito service can't find the requested resource.    
 ** message **   
The message returned when the Amazon Cognito service returns a resource not found exception.
HTTP Status Code: 400

 ** TooManyRequestsException **   
This exception is thrown when the user has made too many requests for a given operation.    
 ** message **   
The message returned when the Amazon Cognito service returns a too many requests exception.
HTTP Status Code: 400

 ** UserNotConfirmedException **   
This exception is thrown when a user isn't confirmed successfully.    
 ** message **   
The message returned when a user isn't confirmed successfully.
HTTP Status Code: 400

 ** UserNotFoundException **   
This exception is thrown when a user isn't found.    
 ** message **   
The message returned when a user isn't found.
HTTP Status Code: 400

## Examples


### Example


The following example request returns the details of the requested user device.

#### Sample Request


```
POST HTTP/1.1
Host: cognito-idp.us-west-2.amazonaws.com
X-Amz-Date: 20230613T200059Z
Accept-Encoding: gzip, deflate, br
X-Amz-Target: AWSCognitoIdentityProviderService.GetDevice
User-Agent: <UserAgentString>
Authorization: AWS4-HMAC-SHA256 Credential=<Credential>, SignedHeaders=<Headers>, Signature=<Signature>
Content-Length: <PayloadSizeBytes>
{
   "AccessToken": "eyJra456defEXAMPLE",
   "DeviceKey": "us-west-2_a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
}
```

#### Sample Response


```
HTTP/1.1 200 OK
Date: Tue, 13 Jun 2023 20:00:59 GMT
Content-Type: application/x-amz-json-1.0
Content-Length: <PayloadSizeBytes>
x-amzn-requestid: a1b2c3d4-e5f6-a1b2-c3d4-EXAMPLE11111
Connection: keep-alive
{
   "Device": {
      "DeviceAttributes": [
         {
            "Name": "device_status",
            "Value": "valid"
         },
         {
            "Name": "device_name",
            "Value": "Dart-device"
         },
         {
            "Name": "last_ip_used",
            "Value": "192.0.2.1"
         }
      ],
      "DeviceCreateDate": 1715100742.022,
      "DeviceKey": "us-west-2_a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
      "DeviceLastAuthenticatedDate": 1715100742.0,
      "DeviceLastModifiedDate": 1723233651.167
   }
}
```

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cognito-idp-2016-04-18/GetDevice) 
+  [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cognito-idp-2016-04-18/GetDevice) 
+  [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/GetDevice) 
+  [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cognito-idp-2016-04-18/GetDevice) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/GetDevice) 
+  [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cognito-idp-2016-04-18/GetDevice) 
+  [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cognito-idp-2016-04-18/GetDevice) 
+  [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cognito-idp-2016-04-18/GetDevice) 
+  [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/GetDevice) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cognito-idp-2016-04-18/GetDevice) 

# GetGroup


Given a user pool ID and a group name, returns information about the user group.

This operation doesn't return group membership. For group membership, see [ListUsersInGroup](API_ListUsersInGroup.md) and [AdminListGroupsForUser](API_AdminListGroupsForUser.md).

 For more information about user pool groups, see [Adding groups to a user pool](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-user-groups.html).

**Note**  
Amazon Cognito evaluates AWS Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.  
 [Signing AWS API Requests](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html) 
 [Using the Amazon Cognito user pools API and user pool endpoints](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html) 

## Request Syntax


```
{
   "GroupName": "string",
   "UserPoolId": "string"
}
```

## Request Parameters


For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).

The request accepts the following data in JSON format.

 ** [GroupName](#API_GetGroup_RequestSyntax) **   <a name="CognitoUserPools-GetGroup-request-GroupName"></a>
The name of the group that you want to get information about.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 128.  
Pattern: `[\p{L}\p{M}\p{S}\p{N}\p{P}]+`   
Required: Yes

 ** [UserPoolId](#API_GetGroup_RequestSyntax) **   <a name="CognitoUserPools-GetGroup-request-UserPoolId"></a>
The ID of the user pool that contains the group that you want to query.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 55.  
Pattern: `[\w-]+_[0-9a-zA-Z]+`   
Required: Yes

## Response Syntax


```
{
   "Group": { 
      "CreationDate": number,
      "Description": "string",
      "GroupName": "string",
      "LastModifiedDate": number,
      "Precedence": number,
      "RoleArn": "string",
      "UserPoolId": "string"
   }
}
```

## Response Elements


If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

 ** [Group](#API_GetGroup_ResponseSyntax) **   <a name="CognitoUserPools-GetGroup-response-Group"></a>
A container for the requested group. Includes description, precedence, and IAM role values.  
Type: [GroupType](API_GroupType.md) object

## Errors


For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).

 ** InternalErrorException **   
This exception is thrown when Amazon Cognito encounters an internal error.    
 ** message **   
The message returned when Amazon Cognito throws an internal error exception.
HTTP Status Code: 500

 ** InvalidParameterException **   
This exception is thrown when the Amazon Cognito service encounters an invalid parameter.    
 ** message **   
The message returned when the Amazon Cognito service throws an invalid parameter exception.  
 ** reasonCode **   
The reason code of the exception.
HTTP Status Code: 400

 ** NotAuthorizedException **   
This exception is thrown when a user isn't authorized.    
 ** message **   
The message returned when the Amazon Cognito service returns a not authorized exception.
HTTP Status Code: 400

 ** ResourceNotFoundException **   
This exception is thrown when the Amazon Cognito service can't find the requested resource.    
 ** message **   
The message returned when the Amazon Cognito service returns a resource not found exception.
HTTP Status Code: 400

 ** TooManyRequestsException **   
This exception is thrown when the user has made too many requests for a given operation.    
 ** message **   
The message returned when the Amazon Cognito service returns a too many requests exception.
HTTP Status Code: 400

## Examples


### Example


The following example request returns the details of the group `testgroup`.

#### Sample Request


```
POST HTTP/1.1
Host: cognito-idp.us-west-2.amazonaws.com
X-Amz-Date: 20230613T200059Z
Accept-Encoding: gzip, deflate, br
X-Amz-Target: AWSCognitoIdentityProviderService.GetGroup
User-Agent: <UserAgentString>
Authorization: AWS4-HMAC-SHA256 Credential=<Credential>, SignedHeaders=<Headers>, Signature=<Signature>
Content-Length: <PayloadSizeBytes>
{
   "GroupName": "testgroup",
   "UserPoolId": "us-west-2_EXAMPLE"
}
```

#### Sample Response


```
HTTP/1.1 200 OK
Date: Tue, 13 Jun 2023 20:00:59 GMT
Content-Type: application/x-amz-json-1.0
Content-Length: <PayloadSizeBytes>
x-amzn-requestid: a1b2c3d4-e5f6-a1b2-c3d4-EXAMPLE11111
Connection: keep-alive
{
    "Group": {
        "CreationDate": 1681422900.933,
        "Description": "This is a user group for testing",
        "GroupName": "testgroup",
        "LastModifiedDate": 1705447583.756,
        "Precedence": 9,
        "RoleArn": "arn:aws:iam::123456789012:role/service-role/my-SMS-Role",
        "UserPoolId": "us-west-2_EXAMPLE"
    }
}
```

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cognito-idp-2016-04-18/GetGroup) 
+  [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cognito-idp-2016-04-18/GetGroup) 
+  [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/GetGroup) 
+  [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cognito-idp-2016-04-18/GetGroup) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/GetGroup) 
+  [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cognito-idp-2016-04-18/GetGroup) 
+  [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cognito-idp-2016-04-18/GetGroup) 
+  [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cognito-idp-2016-04-18/GetGroup) 
+  [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/GetGroup) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cognito-idp-2016-04-18/GetGroup) 

# GetIdentityProviderByIdentifier


Given the identifier of an identity provider (IdP), for example `examplecorp`, returns information about the user pool configuration for that IdP. For more information about IdPs, see [Third-party IdP sign-in](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-identity-federation.html).

## Request Syntax


```
{
   "IdpIdentifier": "string",
   "UserPoolId": "string"
}
```

## Request Parameters


For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).

The request accepts the following data in JSON format.

 ** [IdpIdentifier](#API_GetIdentityProviderByIdentifier_RequestSyntax) **   <a name="CognitoUserPools-GetIdentityProviderByIdentifier-request-IdpIdentifier"></a>
The identifier that you assigned to your user pool. The identifier is an alternative name for an IdP that is distinct from the IdP name. For example, an IdP with a name of `MyIdP` might have an identifier of the email domain `example.com`.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 40.  
Pattern: `[\w\s+=.@-]+`   
Required: Yes

 ** [UserPoolId](#API_GetIdentityProviderByIdentifier_RequestSyntax) **   <a name="CognitoUserPools-GetIdentityProviderByIdentifier-request-UserPoolId"></a>
The ID of the user pool where you want to get information about the IdP.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 55.  
Pattern: `[\w-]+_[0-9a-zA-Z]+`   
Required: Yes

## Response Syntax


```
{
   "IdentityProvider": { 
      "AttributeMapping": { 
         "string" : "string" 
      },
      "CreationDate": number,
      "IdpIdentifiers": [ "string" ],
      "LastModifiedDate": number,
      "ProviderDetails": { 
         "string" : "string" 
      },
      "ProviderName": "string",
      "ProviderType": "string",
      "UserPoolId": "string"
   }
}
```

## Response Elements


If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

 ** [IdentityProvider](#API_GetIdentityProviderByIdentifier_ResponseSyntax) **   <a name="CognitoUserPools-GetIdentityProviderByIdentifier-response-IdentityProvider"></a>
The configuration of the IdP in your user pool. Includes additional identifiers, the IdP name and type, and trust-relationship details like the issuer URL.  
Type: [IdentityProviderType](API_IdentityProviderType.md) object

## Errors


For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).

 ** InternalErrorException **   
This exception is thrown when Amazon Cognito encounters an internal error.    
 ** message **   
The message returned when Amazon Cognito throws an internal error exception.
HTTP Status Code: 500

 ** InvalidParameterException **   
This exception is thrown when the Amazon Cognito service encounters an invalid parameter.    
 ** message **   
The message returned when the Amazon Cognito service throws an invalid parameter exception.  
 ** reasonCode **   
The reason code of the exception.
HTTP Status Code: 400

 ** NotAuthorizedException **   
This exception is thrown when a user isn't authorized.    
 ** message **   
The message returned when the Amazon Cognito service returns a not authorized exception.
HTTP Status Code: 400

 ** ResourceNotFoundException **   
This exception is thrown when the Amazon Cognito service can't find the requested resource.    
 ** message **   
The message returned when the Amazon Cognito service returns a resource not found exception.
HTTP Status Code: 400

 ** TooManyRequestsException **   
This exception is thrown when the user has made too many requests for a given operation.    
 ** message **   
The message returned when the Amazon Cognito service returns a too many requests exception.
HTTP Status Code: 400

## Examples


### Example


The following example request returns the details of the IdP with the identifier `MySSO`.

#### Sample Request


```
POST HTTP/1.1
Host: cognito-idp.us-west-2.amazonaws.com
X-Amz-Date: 20230613T200059Z
Accept-Encoding: gzip, deflate, br
X-Amz-Target: AWSCognitoIdentityProviderService.GetIdentityProviderByIdentifier
User-Agent: <UserAgentString>
Authorization: AWS4-HMAC-SHA256 Credential=<Credential>, SignedHeaders=<Headers>, Signature=<Signature>
Content-Length: <PayloadSizeBytes>
{
   "IdpIdentifier": "MySSO",
   "UserPoolId": "us-west-2_EXAMPLE"
}
```

#### Sample Response


```
HTTP/1.1 200 OK
Date: Tue, 13 Jun 2023 20:00:59 GMT
Content-Type: application/x-amz-json-1.0
Content-Length: <PayloadSizeBytes>
x-amzn-requestid: a1b2c3d4-e5f6-a1b2-c3d4-EXAMPLE11111
Connection: keep-alive
{
    "IdentityProvider": {
        "AttributeMapping": {
            "email": "idp_email"
        },
        "CreationDate": 1643741231.169,
        "IdpIdentifiers": [
            "MySSO"
        ],
        "LastModifiedDate": 1703798328.069,
        "ProviderDetails": {
            "ActiveEncryptionCertificate": "[Certificate text]",
            "IDPSignout": "false",
            "MetadataFile": "<md:EntityDescriptor xmlns:md=\"urn:oasis:names:tc:SAML:2.0:metadata\" entityID=\"http://www.example.com/saml\"><md:IDPSSODescriptor WantAuthnRequestsSigned=\"false\" protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\"><md:KeyDescriptor use=\"signing\"><ds:KeyInfo xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\"><ds:X509Data><ds:X509Certificate>CERTIFICATE_DATA</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor><md:SingleLogoutService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" Location=\"https://example.com/slo/saml\"/><md:SingleLogoutService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\" Location=\"https://example.com/slo/saml\"/><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat><md:SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\" Location=\"https://example.com/sso/saml\"/><md:SingleSignOnService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\" Location=\"https://example.com/sso/saml\"/></md:IDPSSODescriptor></md:EntityDescriptor>",
            "SLORedirectBindingURI": "https://example.com/slo/saml",
            "SSORedirectBindingURI": "https://example.com/sso/saml"
        },
        "ProviderName": "Corp-SSO",
        "ProviderType": "SAML",
        "UserPoolId": "us-west-2_EXAMPLE"
    }
}
```

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cognito-idp-2016-04-18/GetIdentityProviderByIdentifier) 
+  [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cognito-idp-2016-04-18/GetIdentityProviderByIdentifier) 
+  [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/GetIdentityProviderByIdentifier) 
+  [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cognito-idp-2016-04-18/GetIdentityProviderByIdentifier) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/GetIdentityProviderByIdentifier) 
+  [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cognito-idp-2016-04-18/GetIdentityProviderByIdentifier) 
+  [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cognito-idp-2016-04-18/GetIdentityProviderByIdentifier) 
+  [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cognito-idp-2016-04-18/GetIdentityProviderByIdentifier) 
+  [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/GetIdentityProviderByIdentifier) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cognito-idp-2016-04-18/GetIdentityProviderByIdentifier) 

# GetLogDeliveryConfiguration


Given a user pool ID, returns the logging configuration. User pools can export message-delivery error and threat-protection activity logs to external AWS services. For more information, see [Exporting user pool logs](https://docs.aws.amazon.com/cognito/latest/developerguide/exporting-quotas-and-usage.html).

**Note**  
Amazon Cognito evaluates AWS Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.  
 [Signing AWS API Requests](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html) 
 [Using the Amazon Cognito user pools API and user pool endpoints](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html) 

## Request Syntax


```
{
   "UserPoolId": "string"
}
```

## Request Parameters


For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).

The request accepts the following data in JSON format.

 ** [UserPoolId](#API_GetLogDeliveryConfiguration_RequestSyntax) **   <a name="CognitoUserPools-GetLogDeliveryConfiguration-request-UserPoolId"></a>
The ID of the user pool that has the logging configuration that you want to view.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 55.  
Pattern: `[\w-]+_[0-9a-zA-Z]+`   
Required: Yes

## Response Syntax


```
{
   "LogDeliveryConfiguration": { 
      "LogConfigurations": [ 
         { 
            "CloudWatchLogsConfiguration": { 
               "LogGroupArn": "string"
            },
            "EventSource": "string",
            "FirehoseConfiguration": { 
               "StreamArn": "string"
            },
            "LogLevel": "string",
            "S3Configuration": { 
               "BucketArn": "string"
            }
         }
      ],
      "UserPoolId": "string"
   }
}
```

## Response Elements


If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

 ** [LogDeliveryConfiguration](#API_GetLogDeliveryConfiguration_ResponseSyntax) **   <a name="CognitoUserPools-GetLogDeliveryConfiguration-response-LogDeliveryConfiguration"></a>
The logging configuration of the requested user pool. Includes types of logs configured and their destinations.  
Type: [LogDeliveryConfigurationType](API_LogDeliveryConfigurationType.md) object

## Errors


For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).

 ** InternalErrorException **   
This exception is thrown when Amazon Cognito encounters an internal error.    
 ** message **   
The message returned when Amazon Cognito throws an internal error exception.
HTTP Status Code: 500

 ** InvalidParameterException **   
This exception is thrown when the Amazon Cognito service encounters an invalid parameter.    
 ** message **   
The message returned when the Amazon Cognito service throws an invalid parameter exception.  
 ** reasonCode **   
The reason code of the exception.
HTTP Status Code: 400

 ** NotAuthorizedException **   
This exception is thrown when a user isn't authorized.    
 ** message **   
The message returned when the Amazon Cognito service returns a not authorized exception.
HTTP Status Code: 400

 ** ResourceNotFoundException **   
This exception is thrown when the Amazon Cognito service can't find the requested resource.    
 ** message **   
The message returned when the Amazon Cognito service returns a resource not found exception.
HTTP Status Code: 400

 ** TooManyRequestsException **   
This exception is thrown when the user has made too many requests for a given operation.    
 ** message **   
The message returned when the Amazon Cognito service returns a too many requests exception.
HTTP Status Code: 400

## Examples


### Example


The following example request returns the log delivery configuration for message-delivery errors to CloudWatch Logs and user activity to Amazon S3.

#### Sample Request


```
POST HTTP/1.1
Host: cognito-idp.us-west-2.amazonaws.com
X-Amz-Date: 20230613T200059Z
Accept-Encoding: gzip, deflate, br
X-Amz-Target: AWSCognitoIdentityProviderService.GetLogDeliveryConfiguration
User-Agent: <UserAgentString>
Authorization: AWS4-HMAC-SHA256 Credential=<Credential>, SignedHeaders=<Headers>, Signature=<Signature>
Content-Length: <PayloadSizeBytes>
{
   "UserPoolId": "us-west-2_EXAMPLE"
}
```

#### Sample Response


```
HTTP/1.1 200 OK
Date: Tue, 13 Jun 2023 20:00:59 GMT
Content-Type: application/x-amz-json-1.0
Content-Length: <PayloadSizeBytes>
x-amzn-requestid: a1b2c3d4-e5f6-a1b2-c3d4-EXAMPLE11111
Connection: keep-alive
{
    "LogDeliveryConfiguration": {
        "LogConfigurations": [
            {
                "CloudWatchLogsConfiguration": {
                    "LogGroupArn": "arn:aws:logs:us-west-2:123456789012:log-group:cognito-exported"
                },
                "EventSource": "userNotification",
                "LogLevel": "ERROR"
            },
            {
                "EventSource": "userAuthEvents",
                "LogLevel": "INFO",
                "S3Configuration": {
                    "BucketArn": "arn:aws:s3:::amzn-s3-demo-bucket1"
                }
            }
        ],
        "UserPoolId": "us-west-2_EXAMPLE"
    }
}
```

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cognito-idp-2016-04-18/GetLogDeliveryConfiguration) 
+  [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cognito-idp-2016-04-18/GetLogDeliveryConfiguration) 
+  [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/GetLogDeliveryConfiguration) 
+  [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cognito-idp-2016-04-18/GetLogDeliveryConfiguration) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/GetLogDeliveryConfiguration) 
+  [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cognito-idp-2016-04-18/GetLogDeliveryConfiguration) 
+  [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cognito-idp-2016-04-18/GetLogDeliveryConfiguration) 
+  [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cognito-idp-2016-04-18/GetLogDeliveryConfiguration) 
+  [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/GetLogDeliveryConfiguration) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cognito-idp-2016-04-18/GetLogDeliveryConfiguration) 

# GetSigningCertificate


Given a user pool ID, returns the signing certificate for SAML 2.0 federation.

Issued certificates are valid for 10 years from the date of issue. Amazon Cognito issues and assigns a new signing certificate annually. This renewal process returns a new value in the response to `GetSigningCertificate`, but doesn't invalidate the original certificate.

For more information, see [Signing SAML requests](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-SAML-signing-encryption.html#cognito-user-pools-SAML-signing).

**Note**  
Amazon Cognito evaluates AWS Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.  
 [Signing AWS API Requests](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html) 
 [Using the Amazon Cognito user pools API and user pool endpoints](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html) 

## Request Syntax


```
{
   "UserPoolId": "string"
}
```

## Request Parameters


For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).

The request accepts the following data in JSON format.

 ** [UserPoolId](#API_GetSigningCertificate_RequestSyntax) **   <a name="CognitoUserPools-GetSigningCertificate-request-UserPoolId"></a>
The ID of the user pool where you want to view the signing certificate.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 55.  
Pattern: `[\w-]+_[0-9a-zA-Z]+`   
Required: Yes

## Response Syntax


```
{
   "Certificate": "string"
}
```

## Response Elements


If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

 ** [Certificate](#API_GetSigningCertificate_ResponseSyntax) **   <a name="CognitoUserPools-GetSigningCertificate-response-Certificate"></a>
The x.509 certificate that signs SAML 2.0 authentication requests for your user pool.  
Type: String  
Length Constraints: Minimum length of 0. Maximum length of 131072.

## Errors


For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).

 ** InternalErrorException **   
This exception is thrown when Amazon Cognito encounters an internal error.    
 ** message **   
The message returned when Amazon Cognito throws an internal error exception.
HTTP Status Code: 500

 ** InvalidParameterException **   
This exception is thrown when the Amazon Cognito service encounters an invalid parameter.    
 ** message **   
The message returned when the Amazon Cognito service throws an invalid parameter exception.  
 ** reasonCode **   
The reason code of the exception.
HTTP Status Code: 400

 ** ResourceNotFoundException **   
This exception is thrown when the Amazon Cognito service can't find the requested resource.    
 ** message **   
The message returned when the Amazon Cognito service returns a resource not found exception.
HTTP Status Code: 400

## Examples


### Example


The following example request returns the SAML signing certificate for the requested user pool.

#### Sample Request


```
POST HTTP/1.1
Host: cognito-idp.us-west-2.amazonaws.com
X-Amz-Date: 20230613T200059Z
Accept-Encoding: gzip, deflate, br
X-Amz-Target: AWSCognitoIdentityProviderService.GetSigningCertificate
User-Agent: <UserAgentString>
Authorization: AWS4-HMAC-SHA256 Credential=<Credential>, SignedHeaders=<Headers>, Signature=<Signature>
Content-Length: <PayloadSizeBytes>
{
   "UserPoolId": "us-west-2_EXAMPLE"
}
```

#### Sample Response


```
HTTP/1.1 200 OK
Date: Tue, 13 Jun 2023 20:00:59 GMT
Content-Type: application/x-amz-json-1.0
Content-Length: <PayloadSizeBytes>
x-amzn-requestid: a1b2c3d4-e5f6-a1b2-c3d4-EXAMPLE11111
Connection: keep-alive
{
    "Certificate": "[Certificate text]"
}
```

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cognito-idp-2016-04-18/GetSigningCertificate) 
+  [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cognito-idp-2016-04-18/GetSigningCertificate) 
+  [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/GetSigningCertificate) 
+  [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cognito-idp-2016-04-18/GetSigningCertificate) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/GetSigningCertificate) 
+  [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cognito-idp-2016-04-18/GetSigningCertificate) 
+  [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cognito-idp-2016-04-18/GetSigningCertificate) 
+  [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cognito-idp-2016-04-18/GetSigningCertificate) 
+  [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/GetSigningCertificate) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cognito-idp-2016-04-18/GetSigningCertificate) 

# GetTokensFromRefreshToken


Given a refresh token, issues new ID, access, and optionally refresh tokens for the user who owns the submitted token. This operation issues a new refresh token and invalidates the original refresh token after an optional grace period when refresh token rotation is enabled. If refresh token rotation is disabled, issues new ID and access tokens only.

For information about enabling refresh token rotation and the retry grace period, see [RefreshTokenRotationType](API_RefreshTokenRotationType.md).

This data type is a request parameter of [CreateUserPoolClient](API_CreateUserPoolClient.md) and [UpdateUserPoolClient](API_UpdateUserPoolClient.md), and a response parameter of [DescribeUserPoolClient](API_DescribeUserPoolClient.md).

## Request Syntax


```
{
   "ClientId": "string",
   "ClientMetadata": { 
      "string" : "string" 
   },
   "ClientSecret": "string",
   "DeviceKey": "string",
   "RefreshToken": "string"
}
```

## Request Parameters


For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).

The request accepts the following data in JSON format.

 ** [ClientId](#API_GetTokensFromRefreshToken_RequestSyntax) **   <a name="CognitoUserPools-GetTokensFromRefreshToken-request-ClientId"></a>
The app client that issued the refresh token to the user who wants to request new tokens.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 128.  
Pattern: `[\w+]+`   
Required: Yes

 ** [ClientMetadata](#API_GetTokensFromRefreshToken_RequestSyntax) **   <a name="CognitoUserPools-GetTokensFromRefreshToken-request-ClientMetadata"></a>
A map of custom key-value pairs that you can provide as input for any custom workflows that this action triggers. You create custom workflows by assigning AWS Lambda functions to user pool triggers.  
When Amazon Cognito invokes any of these functions, it passes a JSON payload, which the function receives as input. This payload contains a `clientMetadata` attribute that provides the data that you assigned to the ClientMetadata parameter in your request. In your function code, you can process the `clientMetadata` value to enhance your workflow for your specific needs.  
To review the Lambda trigger types that Amazon Cognito invokes at runtime with API requests, see [ Connecting API actions to Lambda triggers](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-working-with-lambda-triggers.html#lambda-triggers-by-event) in the *Amazon Cognito Developer Guide*.  
When you use the `ClientMetadata` parameter, note that Amazon Cognito won't do the following:  
+ Store the `ClientMetadata` value. This data is available only to AWS Lambda triggers that are assigned to a user pool to support custom workflows. If your user pool configuration doesn't include triggers, the `ClientMetadata` parameter serves no purpose.
+ Validate the `ClientMetadata` value.
+ Encrypt the `ClientMetadata` value. Don't send sensitive information in this parameter.
Type: String to string map  
Key Length Constraints: Minimum length of 0. Maximum length of 131072.  
Value Length Constraints: Minimum length of 0. Maximum length of 131072.  
Required: No

 ** [ClientSecret](#API_GetTokensFromRefreshToken_RequestSyntax) **   <a name="CognitoUserPools-GetTokensFromRefreshToken-request-ClientSecret"></a>
The client secret of the requested app client, if the client has a secret.  
Type: String  
Length Constraints: Minimum length of 24. Maximum length of 64.  
Pattern: `[\w+]+`   
Required: No

 ** [DeviceKey](#API_GetTokensFromRefreshToken_RequestSyntax) **   <a name="CognitoUserPools-GetTokensFromRefreshToken-request-DeviceKey"></a>
When you enable device remembering, Amazon Cognito issues a device key that you can use for device authentication that bypasses multi-factor authentication (MFA). To implement `GetTokensFromRefreshToken` in a user pool with device remembering, you must capture the device key from the initial authentication request. If your application doesn't provide the key of a registered device, Amazon Cognito issues a new one. You must provide the confirmed device key in this request if device remembering is enabled in your user pool.  
For more information about device remembering, see [Working with devices](https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-device-tracking.html).  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 55.  
Pattern: `[\w-]+_[0-9a-f-]+`   
Required: No

 ** [RefreshToken](#API_GetTokensFromRefreshToken_RequestSyntax) **   <a name="CognitoUserPools-GetTokensFromRefreshToken-request-RefreshToken"></a>
A valid refresh token that can authorize the request for new tokens. When refresh token rotation is active in the requested app client, this token is invalidated after the request is complete and after an optional grace period.  
Type: String  
Pattern: `[A-Za-z0-9-_=.]+`   
Required: Yes

## Response Syntax


```
{
   "AuthenticationResult": { 
      "AccessToken": "string",
      "ExpiresIn": number,
      "IdToken": "string",
      "NewDeviceMetadata": { 
         "DeviceGroupKey": "string",
         "DeviceKey": "string"
      },
      "RefreshToken": "string",
      "TokenType": "string"
   }
}
```

## Response Elements


If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

 ** [AuthenticationResult](#API_GetTokensFromRefreshToken_ResponseSyntax) **   <a name="CognitoUserPools-GetTokensFromRefreshToken-response-AuthenticationResult"></a>
The object that your application receives after authentication. Contains tokens and information for device authentication.  
This data type is a response parameter of authentication operations like [InitiateAuth](API_InitiateAuth.md), [AdminInitiateAuth](API_AdminInitiateAuth.md), [RespondToAuthChallenge](API_RespondToAuthChallenge.md), [AdminRespondToAuthChallenge](API_AdminRespondToAuthChallenge.md), and [GetTokensFromRefreshToken](#API_GetTokensFromRefreshToken). `GetTokensFromRefreshToken` doesn't return `NewDeviceMetadata`.  
Type: [AuthenticationResultType](API_AuthenticationResultType.md) object

## Errors


For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).

 ** ForbiddenException **   
This exception is thrown when AWS WAF doesn't allow your request based on a web ACL that's associated with your user pool.    
 ** message **   
The message returned when AWS WAF doesn't allow your request based on a web ACL that's associated with your user pool.
HTTP Status Code: 400

 ** InternalErrorException **   
This exception is thrown when Amazon Cognito encounters an internal error.    
 ** message **   
The message returned when Amazon Cognito throws an internal error exception.
HTTP Status Code: 500

 ** InvalidLambdaResponseException **   
This exception is thrown when Amazon Cognito encounters an invalid AWS Lambda response.    
 ** message **   
The message returned when Amazon Cognito throws an invalid AWS Lambda response exception.
HTTP Status Code: 400

 ** InvalidParameterException **   
This exception is thrown when the Amazon Cognito service encounters an invalid parameter.    
 ** message **   
The message returned when the Amazon Cognito service throws an invalid parameter exception.  
 ** reasonCode **   
The reason code of the exception.
HTTP Status Code: 400

 ** NotAuthorizedException **   
This exception is thrown when a user isn't authorized.    
 ** message **   
The message returned when the Amazon Cognito service returns a not authorized exception.
HTTP Status Code: 400

 ** RefreshTokenReuseException **   
This exception is throw when your application requests token refresh with a refresh token that has been invalidated by refresh-token rotation.  
HTTP Status Code: 400

 ** ResourceNotFoundException **   
This exception is thrown when the Amazon Cognito service can't find the requested resource.    
 ** message **   
The message returned when the Amazon Cognito service returns a resource not found exception.
HTTP Status Code: 400

 ** TooManyRequestsException **   
This exception is thrown when the user has made too many requests for a given operation.    
 ** message **   
The message returned when the Amazon Cognito service returns a too many requests exception.
HTTP Status Code: 400

 ** UnexpectedLambdaException **   
This exception is thrown when Amazon Cognito encounters an unexpected exception with AWS Lambda.    
 ** message **   
The message returned when Amazon Cognito returns an unexpected Lambda exception.
HTTP Status Code: 400

 ** UserLambdaValidationException **   
This exception is thrown when the Amazon Cognito service encounters a user validation exception with the AWS Lambda service.    
 ** message **   
The message returned when the Amazon Cognito service returns a user validation exception with the Lambda service.
HTTP Status Code: 400

 ** UserNotFoundException **   
This exception is thrown when a user isn't found.    
 ** message **   
The message returned when a user isn't found.
HTTP Status Code: 400

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cognito-idp-2016-04-18/GetTokensFromRefreshToken) 
+  [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cognito-idp-2016-04-18/GetTokensFromRefreshToken) 
+  [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/GetTokensFromRefreshToken) 
+  [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cognito-idp-2016-04-18/GetTokensFromRefreshToken) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/GetTokensFromRefreshToken) 
+  [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cognito-idp-2016-04-18/GetTokensFromRefreshToken) 
+  [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cognito-idp-2016-04-18/GetTokensFromRefreshToken) 
+  [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cognito-idp-2016-04-18/GetTokensFromRefreshToken) 
+  [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/GetTokensFromRefreshToken) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cognito-idp-2016-04-18/GetTokensFromRefreshToken) 

# GetUICustomization


Given a user pool ID or app client, returns information about classic hosted UI branding that you applied, if any. Returns user-pool level branding information if no app client branding is applied, or if you don't specify an app client ID. Returns an empty object if you haven't applied hosted UI branding to either the client or the user pool. For more information, see [Hosted UI (classic) branding](https://docs.aws.amazon.com/cognito/latest/developerguide/hosted-ui-classic-branding.html).

## Request Syntax


```
{
   "ClientId": "string",
   "UserPoolId": "string"
}
```

## Request Parameters


For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).

The request accepts the following data in JSON format.

 ** [ClientId](#API_GetUICustomization_RequestSyntax) **   <a name="CognitoUserPools-GetUICustomization-request-ClientId"></a>
The ID of the app client that you want to query for branding settings.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 128.  
Pattern: `[\w+]+`   
Required: No

 ** [UserPoolId](#API_GetUICustomization_RequestSyntax) **   <a name="CognitoUserPools-GetUICustomization-request-UserPoolId"></a>
The ID of the user pool that you want to query for branding settings.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 55.  
Pattern: `[\w-]+_[0-9a-zA-Z]+`   
Required: Yes

## Response Syntax


```
{
   "UICustomization": { 
      "ClientId": "string",
      "CreationDate": number,
      "CSS": "string",
      "CSSVersion": "string",
      "ImageUrl": "string",
      "LastModifiedDate": number,
      "UserPoolId": "string"
   }
}
```

## Response Elements


If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

 ** [UICustomization](#API_GetUICustomization_ResponseSyntax) **   <a name="CognitoUserPools-GetUICustomization-response-UICustomization"></a>
Information about the classic hosted UI custom CSS and logo-image branding that you applied to the user pool or app client.  
Type: [UICustomizationType](API_UICustomizationType.md) object

## Errors


For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).

 ** InternalErrorException **   
This exception is thrown when Amazon Cognito encounters an internal error.    
 ** message **   
The message returned when Amazon Cognito throws an internal error exception.
HTTP Status Code: 500

 ** InvalidParameterException **   
This exception is thrown when the Amazon Cognito service encounters an invalid parameter.    
 ** message **   
The message returned when the Amazon Cognito service throws an invalid parameter exception.  
 ** reasonCode **   
The reason code of the exception.
HTTP Status Code: 400

 ** NotAuthorizedException **   
This exception is thrown when a user isn't authorized.    
 ** message **   
The message returned when the Amazon Cognito service returns a not authorized exception.
HTTP Status Code: 400

 ** ResourceNotFoundException **   
This exception is thrown when the Amazon Cognito service can't find the requested resource.    
 ** message **   
The message returned when the Amazon Cognito service returns a resource not found exception.
HTTP Status Code: 400

 ** TooManyRequestsException **   
This exception is thrown when the user has made too many requests for a given operation.    
 ** message **   
The message returned when the Amazon Cognito service returns a too many requests exception.
HTTP Status Code: 400

## Examples


### Example


The following example request is for an app client that doesn't have a specific hosted UI customization and inherits it from the user pool.

#### Sample Request


```
POST HTTP/1.1
Host: cognito-idp.us-west-2.amazonaws.com
X-Amz-Date: 20230613T200059Z
Accept-Encoding: gzip, deflate, br
X-Amz-Target: AWSCognitoIdentityProviderService.GetUICustomization
User-Agent: <UserAgentString>
Authorization: AWS4-HMAC-SHA256 Credential=<Credential>, SignedHeaders=<Headers>, Signature=<Signature>
Content-Length: <PayloadSizeBytes>
{
   "ClientId": "1example23456789",
   "UserPoolId": "us-west-2_EXAMPLE"
}
```

#### Sample Response


```
HTTP/1.1 200 OK
Date: Tue, 13 Jun 2023 20:00:59 GMT
Content-Type: application/x-amz-json-1.0
Content-Length: <PayloadSizeBytes>
x-amzn-requestid: a1b2c3d4-e5f6-a1b2-c3d4-EXAMPLE11111
Connection: keep-alive
{
    "UICustomization": {
        "ClientId": "ALL",
        "CSS": ".logo-customizable {\n\tmax-width: 60%;\n\tmax-height: 30%;\n}\n.banner-customizable {\n\tpadding: 25px 0px 25px 0px;\n\tbackground-color: lightgray;\n}\n.label-customizable {\n\tfont-weight: 400;\n}\n.textDescription-customizable {\n\tpadding-top: 10px;\n\tpadding-bottom: 10px;\n\tdisplay: block;\n\tfont-size: 16px;\n}\n.idpDescription-customizable {\n\tpadding-top: 10px;\n\tpadding-bottom: 10px;\n\tdisplay: block;\n\tfont-size: 16px;\n}\n.legalText-customizable {\n\tcolor: #747474;\n\tfont-size: 11px;\n}\n.submitButton-customizable {\n\tfont-size: 11px;\n\tfont-weight: normal;\n\tmargin: 20px -15px 10px -13px;\n\theight: 40px;\n\twidth: 108%;\n\tcolor: #fff;\n\tbackground-color: #337ab7;\n\ttext-align: center;\n}\n.submitButton-customizable:hover {\n\tcolor: #fff;\n\tbackground-color: #286090;\n}\n.errorMessage-customizable {\n\tpadding: 5px;\n\tfont-size: 14px;\n\twidth: 100%;\n\tbackground: #F5F5F5;\n\tborder: 2px solid #D64958;\n\tcolor: #D64958;\n}\n.inputField-customizable {\n\twidth: 100%;\n\theight: 34px;\n\tcolor: #555;\n\tbackground-color: #fff;\n\tborder: 1px solid #ccc;\n\tborder-radius: 0px;\n}\n.inputField-customizable:focus {\n\tborder-color: #66afe9;\n\toutline: 0;\n}\n.idpButton-customizable {\n\theight: 40px;\n\twidth: 100%;\n\twidth: 100%;\n\ttext-align: center;\n\tmargin-bottom: 15px;\n\tcolor: #fff;\n\tbackground-color: #5bc0de;\n\tborder-color: #46b8da;\n}\n.idpButton-customizable:hover {\n\tcolor: #fff;\n\tbackground-color: #31b0d5;\n}\n.socialButton-customizable {\n\tborder-radius: 2px;\n\theight: 40px;\n\tmargin-bottom: 15px;\n\tpadding: 1px;\n\ttext-align: left;\n\twidth: 100%;\n}\n.redirect-customizable {\n\ttext-align: center;\n}\n.passwordCheck-notValid-customizable {\n\tcolor: #DF3312;\n}\n.passwordCheck-valid-customizable {\n\tcolor: #19BF00;\n}\n.background-customizable {\n\tbackground-color: #fff;\n}\n",
        "CSSUrl": "https://auth.example.com/assets/CSS/custom-css.css",
        "CSSVersion": "20210630174334",
        "ImageUrl": "https://auth.example.com/assets/images/image.jpg",
        "UserPoolId": "us-west-2_EXAMPLE"
    }
}
```

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cognito-idp-2016-04-18/GetUICustomization) 
+  [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cognito-idp-2016-04-18/GetUICustomization) 
+  [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/GetUICustomization) 
+  [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cognito-idp-2016-04-18/GetUICustomization) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/GetUICustomization) 
+  [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cognito-idp-2016-04-18/GetUICustomization) 
+  [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cognito-idp-2016-04-18/GetUICustomization) 
+  [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cognito-idp-2016-04-18/GetUICustomization) 
+  [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/GetUICustomization) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cognito-idp-2016-04-18/GetUICustomization) 

# GetUser


Gets user attributes and and MFA settings for the currently signed-in user.

Authorize this action with a signed-in user's access token. It must include the scope `aws.cognito.signin.user.admin`.

**Note**  
Amazon Cognito doesn't evaluate AWS Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you can't use IAM credentials to authorize requests, and you can't grant IAM permissions in policies. For more information about authorization models in Amazon Cognito, see [Using the Amazon Cognito user pools API and user pool endpoints](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html).

## Request Syntax


```
{
   "AccessToken": "string"
}
```

## Request Parameters


For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).

The request accepts the following data in JSON format.

 ** [AccessToken](#API_GetUser_RequestSyntax) **   <a name="CognitoUserPools-GetUser-request-AccessToken"></a>
A valid access token that Amazon Cognito issued to the currently signed-in user. Must include a scope claim for `aws.cognito.signin.user.admin`.  
Type: String  
Pattern: `[A-Za-z0-9-_=.]+`   
Required: Yes

## Response Syntax


```
{
   "MFAOptions": [ 
      { 
         "AttributeName": "string",
         "DeliveryMedium": "string"
      }
   ],
   "PreferredMfaSetting": "string",
   "UserAttributes": [ 
      { 
         "Name": "string",
         "Value": "string"
      }
   ],
   "UserMFASettingList": [ "string" ],
   "Username": "string"
}
```

## Response Elements


If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

 ** [MFAOptions](#API_GetUser_ResponseSyntax) **   <a name="CognitoUserPools-GetUser-response-MFAOptions"></a>
 *This response parameter is no longer supported.* It provides information only about SMS MFA configurations. It doesn't provide information about time-based one-time password (TOTP) software token MFA configurations. To look up information about either type of MFA configuration, use UserMFASettingList instead.  
Type: Array of [MFAOptionType](API_MFAOptionType.md) objects

 ** [PreferredMfaSetting](#API_GetUser_ResponseSyntax) **   <a name="CognitoUserPools-GetUser-response-PreferredMfaSetting"></a>
The user's preferred MFA. Users can prefer SMS message, email message, or TOTP MFA.  
Type: String  
Length Constraints: Minimum length of 0. Maximum length of 131072.

 ** [UserAttributes](#API_GetUser_ResponseSyntax) **   <a name="CognitoUserPools-GetUser-response-UserAttributes"></a>
An array of name-value pairs representing user attributes.  
Custom attributes are prepended with the `custom:` prefix.  
Type: Array of [AttributeType](API_AttributeType.md) objects

 ** [UserMFASettingList](#API_GetUser_ResponseSyntax) **   <a name="CognitoUserPools-GetUser-response-UserMFASettingList"></a>
The MFA options that are activated for the user. The possible values in this list are `SMS_MFA`, `EMAIL_OTP`, and `SOFTWARE_TOKEN_MFA`.  
Type: Array of strings  
Length Constraints: Minimum length of 0. Maximum length of 131072.

 ** [Username](#API_GetUser_ResponseSyntax) **   <a name="CognitoUserPools-GetUser-response-Username"></a>
The name of the user that you requested.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 128.  
Pattern: `[\p{L}\p{M}\p{S}\p{N}\p{P}]+` 

## Errors


For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).

 ** ForbiddenException **   
This exception is thrown when AWS WAF doesn't allow your request based on a web ACL that's associated with your user pool.    
 ** message **   
The message returned when AWS WAF doesn't allow your request based on a web ACL that's associated with your user pool.
HTTP Status Code: 400

 ** InternalErrorException **   
This exception is thrown when Amazon Cognito encounters an internal error.    
 ** message **   
The message returned when Amazon Cognito throws an internal error exception.
HTTP Status Code: 500

 ** InvalidParameterException **   
This exception is thrown when the Amazon Cognito service encounters an invalid parameter.    
 ** message **   
The message returned when the Amazon Cognito service throws an invalid parameter exception.  
 ** reasonCode **   
The reason code of the exception.
HTTP Status Code: 400

 ** NotAuthorizedException **   
This exception is thrown when a user isn't authorized.    
 ** message **   
The message returned when the Amazon Cognito service returns a not authorized exception.
HTTP Status Code: 400

 ** PasswordResetRequiredException **   
This exception is thrown when a password reset is required.    
 ** message **   
The message returned when a password reset is required.
HTTP Status Code: 400

 ** ResourceNotFoundException **   
This exception is thrown when the Amazon Cognito service can't find the requested resource.    
 ** message **   
The message returned when the Amazon Cognito service returns a resource not found exception.
HTTP Status Code: 400

 ** TooManyRequestsException **   
This exception is thrown when the user has made too many requests for a given operation.    
 ** message **   
The message returned when the Amazon Cognito service returns a too many requests exception.
HTTP Status Code: 400

 ** UserNotConfirmedException **   
This exception is thrown when a user isn't confirmed successfully.    
 ** message **   
The message returned when a user isn't confirmed successfully.
HTTP Status Code: 400

 ** UserNotFoundException **   
This exception is thrown when a user isn't found.    
 ** message **   
The message returned when a user isn't found.
HTTP Status Code: 400

## Examples


### Example


The following example request returns the details of the current user.

#### Sample Request


```
POST HTTP/1.1
Host: cognito-idp.us-west-2.amazonaws.com
X-Amz-Date: 20230613T200059Z
Accept-Encoding: gzip, deflate, br
X-Amz-Target: AWSCognitoIdentityProviderService.GetUser
User-Agent: <UserAgentString>
Authorization: AWS4-HMAC-SHA256 Credential=<Credential>, SignedHeaders=<Headers>, Signature=<Signature>
Content-Length: <PayloadSizeBytes>
{
   "AccessToken": "eyJra456defEXAMPLE"
}
```

#### Sample Response


```
HTTP/1.1 200 OK
Date: Tue, 13 Jun 2023 20:00:59 GMT
Content-Type: application/x-amz-json-1.0
Content-Length: <PayloadSizeBytes>
x-amzn-requestid: a1b2c3d4-e5f6-a1b2-c3d4-EXAMPLE11111
Connection: keep-alive
{
    "UserAttributes": [
        {
            "Name": "sub",
            "Value": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
        },
        {
            "Name": "identities",
            "Value": "[{\"userId\":\"a1b2c3d4-5678-90ab-cdef-EXAMPLE22222\",\"providerName\":\"SignInWithApple\",\"providerType\":\"SignInWithApple\",\"issuer\":null,\"primary\":false,\"dateCreated\":1701125599632}]"
        },
        {
            "Name": "email_verified",
            "Value": "true"
        },
        {
            "Name": "custom:state",
            "Value": "Maine"
        },
        {
            "Name": "name",
            "Value": "John Doe"
        },
        {
            "Name": "phone_number_verified",
            "Value": "true"
        },
        {
            "Name": "phone_number",
            "Value": "+12065551212"
        },
        {
            "Name": "preferred_username",
            "Value": "jamesdoe"
        },
        {
            "Name": "locale",
            "Value": "EMEA"
        },
        {
            "Name": "email",
            "Value": "jamesdoe@example.com"
        }
    ],
    "Username": "johndoe"
}
```

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cognito-idp-2016-04-18/GetUser) 
+  [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cognito-idp-2016-04-18/GetUser) 
+  [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/GetUser) 
+  [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cognito-idp-2016-04-18/GetUser) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/GetUser) 
+  [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cognito-idp-2016-04-18/GetUser) 
+  [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cognito-idp-2016-04-18/GetUser) 
+  [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cognito-idp-2016-04-18/GetUser) 
+  [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/GetUser) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cognito-idp-2016-04-18/GetUser) 

# GetUserAttributeVerificationCode


Given an attribute name, sends a user attribute verification code for the specified attribute name to the currently signed-in user.

The user must return the code to Amazon Cognito in a [VerifyUserAttribute](API_VerifyUserAttribute.md) request.

Authorize this action with a signed-in user's access token. It must include the scope `aws.cognito.signin.user.admin`.

**Note**  
Amazon Cognito doesn't evaluate AWS Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you can't use IAM credentials to authorize requests, and you can't grant IAM permissions in policies. For more information about authorization models in Amazon Cognito, see [Using the Amazon Cognito user pools API and user pool endpoints](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html).

**Note**  
This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers require you to register an origination phone number before you can send SMS messages to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a phone number with [Amazon Pinpoint](https://console.aws.amazon.com/pinpoint/home/). Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must receive SMS messages might not be able to sign up, activate their accounts, or sign in.  
If you have never used SMS text messages with Amazon Cognito or any other AWS service, Amazon Simple Notification Service might place your account in the SMS sandbox. In * [sandbox mode](https://docs.aws.amazon.com/sns/latest/dg/sns-sms-sandbox.html) *, you can send messages only to verified phone numbers. After you test your app while in the sandbox environment, you can move out of the sandbox and into production. For more information, see [ SMS message settings for Amazon Cognito user pools](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-sms-settings.html) in the *Amazon Cognito Developer Guide*.

## Request Syntax


```
{
   "AccessToken": "string",
   "AttributeName": "string",
   "ClientMetadata": { 
      "string" : "string" 
   }
}
```

## Request Parameters


For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).

The request accepts the following data in JSON format.

 ** [AccessToken](#API_GetUserAttributeVerificationCode_RequestSyntax) **   <a name="CognitoUserPools-GetUserAttributeVerificationCode-request-AccessToken"></a>
A valid access token that Amazon Cognito issued to the currently signed-in user. Must include a scope claim for `aws.cognito.signin.user.admin`.  
Type: String  
Pattern: `[A-Za-z0-9-_=.]+`   
Required: Yes

 ** [AttributeName](#API_GetUserAttributeVerificationCode_RequestSyntax) **   <a name="CognitoUserPools-GetUserAttributeVerificationCode-request-AttributeName"></a>
The name of the attribute that the user wants to verify, for example `email`.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 32.  
Pattern: `[\p{L}\p{M}\p{S}\p{N}\p{P}\t\n\r ]+`   
Required: Yes

 ** [ClientMetadata](#API_GetUserAttributeVerificationCode_RequestSyntax) **   <a name="CognitoUserPools-GetUserAttributeVerificationCode-request-ClientMetadata"></a>
A map of custom key-value pairs that you can provide as input for any custom workflows that this action triggers. You create custom workflows by assigning AWS Lambda functions to user pool triggers.  
When Amazon Cognito invokes any of these functions, it passes a JSON payload, which the function receives as input. This payload contains a `clientMetadata` attribute that provides the data that you assigned to the ClientMetadata parameter in your request. In your function code, you can process the `clientMetadata` value to enhance your workflow for your specific needs.  
To review the Lambda trigger types that Amazon Cognito invokes at runtime with API requests, see [ Connecting API actions to Lambda triggers](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-working-with-lambda-triggers.html#lambda-triggers-by-event) in the *Amazon Cognito Developer Guide*.  
When you use the `ClientMetadata` parameter, note that Amazon Cognito won't do the following:  
+ Store the `ClientMetadata` value. This data is available only to AWS Lambda triggers that are assigned to a user pool to support custom workflows. If your user pool configuration doesn't include triggers, the `ClientMetadata` parameter serves no purpose.
+ Validate the `ClientMetadata` value.
+ Encrypt the `ClientMetadata` value. Don't send sensitive information in this parameter.
Type: String to string map  
Key Length Constraints: Minimum length of 0. Maximum length of 131072.  
Value Length Constraints: Minimum length of 0. Maximum length of 131072.  
Required: No

## Response Syntax


```
{
   "CodeDeliveryDetails": { 
      "AttributeName": "string",
      "DeliveryMedium": "string",
      "Destination": "string"
   }
}
```

## Response Elements


If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

 ** [CodeDeliveryDetails](#API_GetUserAttributeVerificationCode_ResponseSyntax) **   <a name="CognitoUserPools-GetUserAttributeVerificationCode-response-CodeDeliveryDetails"></a>
Information about the delivery destination of the user attribute verification code.  
Type: [CodeDeliveryDetailsType](API_CodeDeliveryDetailsType.md) object

## Errors


For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).

 ** CodeDeliveryFailureException **   
This exception is thrown when a verification code fails to deliver successfully.    
 ** message **   
The message sent when a verification code fails to deliver successfully.
HTTP Status Code: 400

 ** ForbiddenException **   
This exception is thrown when AWS WAF doesn't allow your request based on a web ACL that's associated with your user pool.    
 ** message **   
The message returned when AWS WAF doesn't allow your request based on a web ACL that's associated with your user pool.
HTTP Status Code: 400

 ** InternalErrorException **   
This exception is thrown when Amazon Cognito encounters an internal error.    
 ** message **   
The message returned when Amazon Cognito throws an internal error exception.
HTTP Status Code: 500

 ** InvalidEmailRoleAccessPolicyException **   
This exception is thrown when Amazon Cognito isn't allowed to use your email identity. HTTP status code: 400.    
 ** message **   
The message returned when you have an unverified email address or the identity policy isn't set on an email address that Amazon Cognito can access.
HTTP Status Code: 400

 ** InvalidLambdaResponseException **   
This exception is thrown when Amazon Cognito encounters an invalid AWS Lambda response.    
 ** message **   
The message returned when Amazon Cognito throws an invalid AWS Lambda response exception.
HTTP Status Code: 400

 ** InvalidParameterException **   
This exception is thrown when the Amazon Cognito service encounters an invalid parameter.    
 ** message **   
The message returned when the Amazon Cognito service throws an invalid parameter exception.  
 ** reasonCode **   
The reason code of the exception.
HTTP Status Code: 400

 ** InvalidSmsRoleAccessPolicyException **   
This exception is returned when the role provided for SMS configuration doesn't have permission to publish using Amazon SNS.    
 ** message **   
The message returned when the invalid SMS role access policy exception is thrown.
HTTP Status Code: 400

 ** InvalidSmsRoleTrustRelationshipException **   
This exception is thrown when the trust relationship is not valid for the role provided for SMS configuration. This can happen if you don't trust `cognito-idp.amazonaws.com` or the external ID provided in the role does not match what is provided in the SMS configuration for the user pool.    
 ** message **   
The message returned when the role trust relationship for the SMS message is not valid.
HTTP Status Code: 400

 ** LimitExceededException **   
This exception is thrown when a user exceeds the limit for a requested AWS resource.    
 ** message **   
The message returned when Amazon Cognito throws a limit exceeded exception.
HTTP Status Code: 400

 ** NotAuthorizedException **   
This exception is thrown when a user isn't authorized.    
 ** message **   
The message returned when the Amazon Cognito service returns a not authorized exception.
HTTP Status Code: 400

 ** PasswordResetRequiredException **   
This exception is thrown when a password reset is required.    
 ** message **   
The message returned when a password reset is required.
HTTP Status Code: 400

 ** ResourceNotFoundException **   
This exception is thrown when the Amazon Cognito service can't find the requested resource.    
 ** message **   
The message returned when the Amazon Cognito service returns a resource not found exception.
HTTP Status Code: 400

 ** TooManyRequestsException **   
This exception is thrown when the user has made too many requests for a given operation.    
 ** message **   
The message returned when the Amazon Cognito service returns a too many requests exception.
HTTP Status Code: 400

 ** UnexpectedLambdaException **   
This exception is thrown when Amazon Cognito encounters an unexpected exception with AWS Lambda.    
 ** message **   
The message returned when Amazon Cognito returns an unexpected Lambda exception.
HTTP Status Code: 400

 ** UserLambdaValidationException **   
This exception is thrown when the Amazon Cognito service encounters a user validation exception with the AWS Lambda service.    
 ** message **   
The message returned when the Amazon Cognito service returns a user validation exception with the Lambda service.
HTTP Status Code: 400

 ** UserNotConfirmedException **   
This exception is thrown when a user isn't confirmed successfully.    
 ** message **   
The message returned when a user isn't confirmed successfully.
HTTP Status Code: 400

 ** UserNotFoundException **   
This exception is thrown when a user isn't found.    
 ** message **   
The message returned when a user isn't found.
HTTP Status Code: 400

## Examples


### Example


The following example request sends a new confirmation code to the current user.

#### Sample Request


```
POST HTTP/1.1
Host: cognito-idp.us-west-2.amazonaws.com
X-Amz-Date: 20230613T200059Z
Accept-Encoding: gzip, deflate, br
X-Amz-Target: AWSCognitoIdentityProviderService.GetUserAttributeVerificationCode
User-Agent: <UserAgentString>
Authorization: AWS4-HMAC-SHA256 Credential=<Credential>, SignedHeaders=<Headers>, Signature=<Signature>
Content-Length: <PayloadSizeBytes>
{
   "AccessToken": "eyJra456defEXAMPLE",
   "AttributeName": "email"
}
```

#### Sample Response


```
HTTP/1.1 200 OK
Date: Tue, 13 Jun 2023 20:00:59 GMT
Content-Type: application/x-amz-json-1.0
Content-Length: <PayloadSizeBytes>
x-amzn-requestid: a1b2c3d4-e5f6-a1b2-c3d4-EXAMPLE11111
Connection: keep-alive
{
    "CodeDeliveryDetails": {
        "AttributeName": "email",
        "DeliveryMedium": "EMAIL",
        "Destination": "t***@e***"
    }
}
```

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cognito-idp-2016-04-18/GetUserAttributeVerificationCode) 
+  [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cognito-idp-2016-04-18/GetUserAttributeVerificationCode) 
+  [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/GetUserAttributeVerificationCode) 
+  [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cognito-idp-2016-04-18/GetUserAttributeVerificationCode) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/GetUserAttributeVerificationCode) 
+  [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cognito-idp-2016-04-18/GetUserAttributeVerificationCode) 
+  [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cognito-idp-2016-04-18/GetUserAttributeVerificationCode) 
+  [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cognito-idp-2016-04-18/GetUserAttributeVerificationCode) 
+  [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/GetUserAttributeVerificationCode) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cognito-idp-2016-04-18/GetUserAttributeVerificationCode) 

# GetUserAuthFactors


Lists the authentication options for the currently signed-in user. Returns the following:

1. The user's multi-factor authentication (MFA) preferences.

1. The user's options for choice-based authentication with the `USER_AUTH` flow.

   The list of options in the response to this query are eligible [RespondToAuthChallenge:ChallengeName](API_RespondToAuthChallenge.md#CognitoUserPools-RespondToAuthChallenge-request-ChallengeName) selections for `PREFERRED_CHALLENGE` and are returned in [InitiateAuth:AvailableChallenges](API_InitiateAuth.md#CognitoUserPools-InitiateAuth-response-AvailableChallenges) when you don't request a `PREFERRED_CHALLENGE`. The [InitiateAuth:AuthParameters](API_InitiateAuth.md#CognitoUserPools-InitiateAuth-request-AuthParameters) and [RespondToAuthChallenge:ChallengeResponses](API_RespondToAuthChallenge.md#CognitoUserPools-RespondToAuthChallenge-request-ChallengeResponses) are specific to each challenge.

Authorize this action with a signed-in user's access token. It must include the scope `aws.cognito.signin.user.admin`.

**Note**  
Amazon Cognito doesn't evaluate AWS Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you can't use IAM credentials to authorize requests, and you can't grant IAM permissions in policies. For more information about authorization models in Amazon Cognito, see [Using the Amazon Cognito user pools API and user pool endpoints](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html).

## Request Syntax


```
{
   "AccessToken": "string"
}
```

## Request Parameters


For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).

The request accepts the following data in JSON format.

 ** [AccessToken](#API_GetUserAuthFactors_RequestSyntax) **   <a name="CognitoUserPools-GetUserAuthFactors-request-AccessToken"></a>
A valid access token that Amazon Cognito issued to the currently signed-in user. Must include a scope claim for `aws.cognito.signin.user.admin`.  
Type: String  
Pattern: `[A-Za-z0-9-_=.]+`   
Required: Yes

## Response Syntax


```
{
   "ConfiguredUserAuthFactors": [ "string" ],
   "PreferredMfaSetting": "string",
   "UserMFASettingList": [ "string" ],
   "Username": "string"
}
```

## Response Elements


If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

 ** [ConfiguredUserAuthFactors](#API_GetUserAuthFactors_ResponseSyntax) **   <a name="CognitoUserPools-GetUserAuthFactors-response-ConfiguredUserAuthFactors"></a>
The authentication types that are available to the user with `USER_AUTH` sign-in, for example `["PASSWORD", "WEB_AUTHN"]`.  
Type: Array of strings  
Array Members: Minimum number of 0 items. Maximum number of 8 items.  
Valid Values: `PASSWORD | EMAIL_OTP | SMS_OTP | WEB_AUTHN` 

 ** [PreferredMfaSetting](#API_GetUserAuthFactors_ResponseSyntax) **   <a name="CognitoUserPools-GetUserAuthFactors-response-PreferredMfaSetting"></a>
The challenge method that Amazon Cognito returns to the user in response to sign-in requests. Users can prefer SMS message, email message, or TOTP MFA.  
Change preferred MFA methods for a user with [SetUserMFAPreference](API_SetUserMFAPreference.md) or [AdminSetUserMFAPreference](API_AdminSetUserMFAPreference.md).  
Type: String  
Length Constraints: Minimum length of 0. Maximum length of 131072.

 ** [UserMFASettingList](#API_GetUserAuthFactors_ResponseSyntax) **   <a name="CognitoUserPools-GetUserAuthFactors-response-UserMFASettingList"></a>
The MFA options that are activated for the user. The possible values in this list are `SMS_MFA`, `EMAIL_OTP`, and `SOFTWARE_TOKEN_MFA`.  
SMS and email message MFA are always available to users when your user pool is configured with [CreateUserPool:SmsConfiguration](API_CreateUserPool.md#CognitoUserPools-CreateUserPool-request-SmsConfiguration) or [CreateUserPool:EmailConfiguration](API_CreateUserPool.md#CognitoUserPools-CreateUserPool-request-EmailConfiguration) in `DEVELOPER` mode, respectively. Whether Amazon Cognito presents an MFA challenge and the format of the challenge are set by the `PreferredMfa` boolean of [SetUserMFAPreference](API_SetUserMFAPreference.md).  
Type: Array of strings  
Length Constraints: Minimum length of 0. Maximum length of 131072.

 ** [Username](#API_GetUserAuthFactors_ResponseSyntax) **   <a name="CognitoUserPools-GetUserAuthFactors-response-Username"></a>
The name of the user who is eligible for the authentication factors in the response.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 128.  
Pattern: `[\p{L}\p{M}\p{S}\p{N}\p{P}]+` 

## Errors


For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).

 ** ForbiddenException **   
This exception is thrown when AWS WAF doesn't allow your request based on a web ACL that's associated with your user pool.    
 ** message **   
The message returned when AWS WAF doesn't allow your request based on a web ACL that's associated with your user pool.
HTTP Status Code: 400

 ** InternalErrorException **   
This exception is thrown when Amazon Cognito encounters an internal error.    
 ** message **   
The message returned when Amazon Cognito throws an internal error exception.
HTTP Status Code: 500

 ** InvalidParameterException **   
This exception is thrown when the Amazon Cognito service encounters an invalid parameter.    
 ** message **   
The message returned when the Amazon Cognito service throws an invalid parameter exception.  
 ** reasonCode **   
The reason code of the exception.
HTTP Status Code: 400

 ** NotAuthorizedException **   
This exception is thrown when a user isn't authorized.    
 ** message **   
The message returned when the Amazon Cognito service returns a not authorized exception.
HTTP Status Code: 400

 ** PasswordResetRequiredException **   
This exception is thrown when a password reset is required.    
 ** message **   
The message returned when a password reset is required.
HTTP Status Code: 400

 ** ResourceNotFoundException **   
This exception is thrown when the Amazon Cognito service can't find the requested resource.    
 ** message **   
The message returned when the Amazon Cognito service returns a resource not found exception.
HTTP Status Code: 400

 ** TooManyRequestsException **   
This exception is thrown when the user has made too many requests for a given operation.    
 ** message **   
The message returned when the Amazon Cognito service returns a too many requests exception.
HTTP Status Code: 400

 ** UserNotConfirmedException **   
This exception is thrown when a user isn't confirmed successfully.    
 ** message **   
The message returned when a user isn't confirmed successfully.
HTTP Status Code: 400

 ** UserNotFoundException **   
This exception is thrown when a user isn't found.    
 ** message **   
The message returned when a user isn't found.
HTTP Status Code: 400

## Examples


### Example


The following example request returns the sign-in factors for the current user. They don't have MFA set up.

#### Sample Request


```
POST HTTP/1.1
Host: cognito-idp.us-west-2.amazonaws.com
X-Amz-Date: 20230613T200059Z
Accept-Encoding: gzip, deflate, br
X-Amz-Target: AWSCognitoIdentityProviderService.GetUserAuthFactors
User-Agent: <UserAgentString>
Authorization: AWS4-HMAC-SHA256 Credential=<Credential>, SignedHeaders=<Headers>, Signature=<Signature>
Content-Length: <PayloadSizeBytes>
{
   "AccessToken": "eyJra456defEXAMPLE"
}
```

#### Sample Response


```
HTTP/1.1 200 OK
Date: Tue, 13 Jun 2023 20:00:59 GMT
Content-Type: application/x-amz-json-1.0
Content-Length: <PayloadSizeBytes>
x-amzn-requestid: a1b2c3d4-e5f6-a1b2-c3d4-EXAMPLE11111
Connection: keep-alive
{
    "ConfiguredUserAuthFactors": [
        "PASSWORD",
        "EMAIL_OTP",
        "SMS_OTP",
        "WEB_AUTHN"
    ],
    "Username": "testuser"
}
```

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cognito-idp-2016-04-18/GetUserAuthFactors) 
+  [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cognito-idp-2016-04-18/GetUserAuthFactors) 
+  [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/GetUserAuthFactors) 
+  [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cognito-idp-2016-04-18/GetUserAuthFactors) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/GetUserAuthFactors) 
+  [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cognito-idp-2016-04-18/GetUserAuthFactors) 
+  [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cognito-idp-2016-04-18/GetUserAuthFactors) 
+  [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cognito-idp-2016-04-18/GetUserAuthFactors) 
+  [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/GetUserAuthFactors) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cognito-idp-2016-04-18/GetUserAuthFactors) 

# GetUserPoolMfaConfig


Given a user pool ID, returns configuration for sign-in with WebAuthn authenticators and for multi-factor authentication (MFA). This operation describes the following:
+ The WebAuthn relying party (RP) ID and user-verification settings.
+ The required, optional, or disabled state of MFA for all user pool users.
+ The message templates for email and SMS MFA.
+ The enabled or disabled state of time-based one-time password (TOTP) MFA.

**Note**  
Amazon Cognito evaluates AWS Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.  
 [Signing AWS API Requests](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html) 
 [Using the Amazon Cognito user pools API and user pool endpoints](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html) 

## Request Syntax


```
{
   "UserPoolId": "string"
}
```

## Request Parameters


For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).

The request accepts the following data in JSON format.

 ** [UserPoolId](#API_GetUserPoolMfaConfig_RequestSyntax) **   <a name="CognitoUserPools-GetUserPoolMfaConfig-request-UserPoolId"></a>
The ID of the user pool where you want to query WebAuthn and MFA configuration.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 55.  
Pattern: `[\w-]+_[0-9a-zA-Z]+`   
Required: Yes

## Response Syntax


```
{
   "EmailMfaConfiguration": { 
      "Message": "string",
      "Subject": "string"
   },
   "MfaConfiguration": "string",
   "SmsMfaConfiguration": { 
      "SmsAuthenticationMessage": "string",
      "SmsConfiguration": { 
         "ExternalId": "string",
         "SnsCallerArn": "string",
         "SnsRegion": "string"
      }
   },
   "SoftwareTokenMfaConfiguration": { 
      "Enabled": boolean
   },
   "WebAuthnConfiguration": { 
      "FactorConfiguration": "string",
      "RelyingPartyId": "string",
      "UserVerification": "string"
   }
}
```

## Response Elements


If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

 ** [EmailMfaConfiguration](#API_GetUserPoolMfaConfig_ResponseSyntax) **   <a name="CognitoUserPools-GetUserPoolMfaConfig-response-EmailMfaConfiguration"></a>
Shows configuration for user pool email message MFA and sign-in with one-time passwords (OTPs). Includes the subject and body of the email message template for sign-in and MFA messages. To activate this setting, your user pool must be in the [ Essentials tier](https://docs.aws.amazon.com/cognito/latest/developerguide/feature-plans-features-essentials.html) or higher.  
Type: [EmailMfaConfigType](API_EmailMfaConfigType.md) object

 ** [MfaConfiguration](#API_GetUserPoolMfaConfig_ResponseSyntax) **   <a name="CognitoUserPools-GetUserPoolMfaConfig-response-MfaConfiguration"></a>
Displays the state of multi-factor authentication (MFA) as on, off, or optional. When `ON`, all users must set up MFA before they can sign in. When `OPTIONAL`, your application must make a client-side determination of whether a user wants to register an MFA device. For user pools with adaptive authentication with threat protection, choose `OPTIONAL`.  
When `MfaConfiguration` is `OPTIONAL`, managed login doesn't automatically prompt users to set up MFA. Amazon Cognito generates MFA prompts in API responses and in managed login for users who have chosen and configured a preferred MFA factor.  
Type: String  
Valid Values: `OFF | ON | OPTIONAL` 

 ** [SmsMfaConfiguration](#API_GetUserPoolMfaConfig_ResponseSyntax) **   <a name="CognitoUserPools-GetUserPoolMfaConfig-response-SmsMfaConfiguration"></a>
Shows user pool configuration for SMS message MFA. Includes the message template and the SMS message sending configuration for Amazon SNS.  
Type: [SmsMfaConfigType](API_SmsMfaConfigType.md) object

 ** [SoftwareTokenMfaConfiguration](#API_GetUserPoolMfaConfig_ResponseSyntax) **   <a name="CognitoUserPools-GetUserPoolMfaConfig-response-SoftwareTokenMfaConfiguration"></a>
Shows user pool configuration for time-based one-time password (TOTP) MFA. Includes TOTP enabled or disabled state.  
Type: [SoftwareTokenMfaConfigType](API_SoftwareTokenMfaConfigType.md) object

 ** [WebAuthnConfiguration](#API_GetUserPoolMfaConfig_ResponseSyntax) **   <a name="CognitoUserPools-GetUserPoolMfaConfig-response-WebAuthnConfiguration"></a>
Shows user pool configuration for sign-in with passkey authenticators such as biometric devices and security keys. Includes relying-party configuration, user-verification requirements, and whether passkeys can satisfy MFA requirements.  
Type: [WebAuthnConfigurationType](API_WebAuthnConfigurationType.md) object

## Errors


For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).

 ** InternalErrorException **   
This exception is thrown when Amazon Cognito encounters an internal error.    
 ** message **   
The message returned when Amazon Cognito throws an internal error exception.
HTTP Status Code: 500

 ** InvalidParameterException **   
This exception is thrown when the Amazon Cognito service encounters an invalid parameter.    
 ** message **   
The message returned when the Amazon Cognito service throws an invalid parameter exception.  
 ** reasonCode **   
The reason code of the exception.
HTTP Status Code: 400

 ** NotAuthorizedException **   
This exception is thrown when a user isn't authorized.    
 ** message **   
The message returned when the Amazon Cognito service returns a not authorized exception.
HTTP Status Code: 400

 ** ResourceNotFoundException **   
This exception is thrown when the Amazon Cognito service can't find the requested resource.    
 ** message **   
The message returned when the Amazon Cognito service returns a resource not found exception.
HTTP Status Code: 400

 ** TooManyRequestsException **   
This exception is thrown when the user has made too many requests for a given operation.    
 ** message **   
The message returned when the Amazon Cognito service returns a too many requests exception.
HTTP Status Code: 400

## Examples


### Example


The following example request returns the MFA and WebAuthn configuration for the requested user pool.

#### Sample Request


```
POST HTTP/1.1
Host: cognito-idp.us-west-2.amazonaws.com
X-Amz-Date: 20230613T200059Z
Accept-Encoding: gzip, deflate, br
X-Amz-Target: AWSCognitoIdentityProviderService.GetUserPoolMfaConfig
User-Agent: <UserAgentString>
Authorization: AWS4-HMAC-SHA256 Credential=<Credential>, SignedHeaders=<Headers>, Signature=<Signature>
Content-Length: <PayloadSizeBytes>
{
   "UserPoolId": "us-west-2_EXAMPLE"
}
```

#### Sample Response


```
HTTP/1.1 200 OK
Date: Tue, 13 Jun 2023 20:00:59 GMT
Content-Type: application/x-amz-json-1.0
Content-Length: <PayloadSizeBytes>
x-amzn-requestid: a1b2c3d4-e5f6-a1b2-c3d4-EXAMPLE11111
Connection: keep-alive
{
    "EmailMfaConfiguration": {
        "Message": "Complete your sign-in: use {####}",
        "Subject": "Your sign-in code"
    },
    "MfaConfiguration": "OPTIONAL",
    "SmsMfaConfiguration": {
        "SmsAuthenticationMessage": "Do not share this code with anyone. Your code is {####}.",
        "SmsConfiguration": {
            "ExternalId": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
            "SnsCallerArn": "arn:aws:iam::123456789012:role/service-role/cognito-SMS-Role",
            "SnsRegion": "us-west-2"
        }
    },
    "SoftwareTokenMfaConfiguration": {
        "Enabled": true
    },
    "WebAuthnConfiguration": {
        "RelyingPartyId": "auth.example.com",
        "UserVerification": "preferred"
    }
}
```

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cognito-idp-2016-04-18/GetUserPoolMfaConfig) 
+  [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cognito-idp-2016-04-18/GetUserPoolMfaConfig) 
+  [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/GetUserPoolMfaConfig) 
+  [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cognito-idp-2016-04-18/GetUserPoolMfaConfig) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/GetUserPoolMfaConfig) 
+  [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cognito-idp-2016-04-18/GetUserPoolMfaConfig) 
+  [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cognito-idp-2016-04-18/GetUserPoolMfaConfig) 
+  [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cognito-idp-2016-04-18/GetUserPoolMfaConfig) 
+  [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/GetUserPoolMfaConfig) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cognito-idp-2016-04-18/GetUserPoolMfaConfig) 

# GlobalSignOut


Invalidates the identity, access, and refresh tokens that Amazon Cognito issued to a user. Call this operation when your user signs out of your app. This results in the following behavior. 
+ Amazon Cognito no longer accepts *token-authorized* user operations that you authorize with a signed-out user's access tokens. For more information, see [Using the Amazon Cognito user pools API and user pool endpoints](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html).

  Amazon Cognito returns an `Access Token has been revoked` error when your app attempts to authorize a user pools API request with a revoked access token that contains the scope `aws.cognito.signin.user.admin`.
+ Amazon Cognito no longer accepts a signed-out user's ID token in a [GetId ](https://docs.aws.amazon.com/cognitoidentity/latest/APIReference/API_GetId.html) request to an identity pool with `ServerSideTokenCheck` enabled for its user pool IdP configuration in [CognitoIdentityProvider](https://docs.aws.amazon.com/cognitoidentity/latest/APIReference/API_CognitoIdentityProvider.html).
+ Amazon Cognito no longer accepts a signed-out user's refresh tokens in refresh requests.

Other requests might be valid until your user's token expires. This operation doesn't clear the [managed login](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-managed-login.html) session cookie. To clear the session for a user who signed in with managed login or the classic hosted UI, direct their browser session to the [logout endpoint](https://docs.aws.amazon.com/cognito/latest/developerguide/logout-endpoint.html).

Authorize this action with a signed-in user's access token. It must include the scope `aws.cognito.signin.user.admin`.

**Note**  
Amazon Cognito doesn't evaluate AWS Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you can't use IAM credentials to authorize requests, and you can't grant IAM permissions in policies. For more information about authorization models in Amazon Cognito, see [Using the Amazon Cognito user pools API and user pool endpoints](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html).

## Request Syntax


```
{
   "AccessToken": "string"
}
```

## Request Parameters


For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).

The request accepts the following data in JSON format.

 ** [AccessToken](#API_GlobalSignOut_RequestSyntax) **   <a name="CognitoUserPools-GlobalSignOut-request-AccessToken"></a>
A valid access token that Amazon Cognito issued to the currently signed-in user. Must include a scope claim for `aws.cognito.signin.user.admin`.  
Type: String  
Pattern: `[A-Za-z0-9-_=.]+`   
Required: Yes

## Response Elements


If the action is successful, the service sends back an HTTP 200 response with an empty HTTP body.

## Errors


For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).

 ** ForbiddenException **   
This exception is thrown when AWS WAF doesn't allow your request based on a web ACL that's associated with your user pool.    
 ** message **   
The message returned when AWS WAF doesn't allow your request based on a web ACL that's associated with your user pool.
HTTP Status Code: 400

 ** InternalErrorException **   
This exception is thrown when Amazon Cognito encounters an internal error.    
 ** message **   
The message returned when Amazon Cognito throws an internal error exception.
HTTP Status Code: 500

 ** InvalidParameterException **   
This exception is thrown when the Amazon Cognito service encounters an invalid parameter.    
 ** message **   
The message returned when the Amazon Cognito service throws an invalid parameter exception.  
 ** reasonCode **   
The reason code of the exception.
HTTP Status Code: 400

 ** NotAuthorizedException **   
This exception is thrown when a user isn't authorized.    
 ** message **   
The message returned when the Amazon Cognito service returns a not authorized exception.
HTTP Status Code: 400

 ** PasswordResetRequiredException **   
This exception is thrown when a password reset is required.    
 ** message **   
The message returned when a password reset is required.
HTTP Status Code: 400

 ** ResourceNotFoundException **   
This exception is thrown when the Amazon Cognito service can't find the requested resource.    
 ** message **   
The message returned when the Amazon Cognito service returns a resource not found exception.
HTTP Status Code: 400

 ** TooManyRequestsException **   
This exception is thrown when the user has made too many requests for a given operation.    
 ** message **   
The message returned when the Amazon Cognito service returns a too many requests exception.
HTTP Status Code: 400

 ** UserNotConfirmedException **   
This exception is thrown when a user isn't confirmed successfully.    
 ** message **   
The message returned when a user isn't confirmed successfully.
HTTP Status Code: 400

## Examples


### Example


The following example request signs out the current user.

#### Sample Request


```
POST HTTP/1.1
Host: cognito-idp.us-west-2.amazonaws.com
X-Amz-Date: 20230613T200059Z
Accept-Encoding: gzip, deflate, br
X-Amz-Target: AWSCognitoIdentityProviderService.GlobalSignOut
User-Agent: <UserAgentString>
Authorization: AWS4-HMAC-SHA256 Credential=<Credential>, SignedHeaders=<Headers>, Signature=<Signature>
Content-Length: <PayloadSizeBytes>
{
   "AccessToken": "eyJra456defEXAMPLE"
}
```

#### Sample Response


```
HTTP/1.1 200 OK
Date: Tue, 13 Jun 2023 20:00:59 GMT
Content-Type: application/x-amz-json-1.0
Content-Length: <PayloadSizeBytes>
x-amzn-requestid: a1b2c3d4-e5f6-a1b2-c3d4-EXAMPLE11111
Connection: keep-alive
{}
```

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cognito-idp-2016-04-18/GlobalSignOut) 
+  [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cognito-idp-2016-04-18/GlobalSignOut) 
+  [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/GlobalSignOut) 
+  [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cognito-idp-2016-04-18/GlobalSignOut) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/GlobalSignOut) 
+  [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cognito-idp-2016-04-18/GlobalSignOut) 
+  [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cognito-idp-2016-04-18/GlobalSignOut) 
+  [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cognito-idp-2016-04-18/GlobalSignOut) 
+  [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/GlobalSignOut) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cognito-idp-2016-04-18/GlobalSignOut) 

# InitiateAuth


Declares an authentication flow and initiates sign-in for a user in the Amazon Cognito user directory. Amazon Cognito might respond with an additional challenge or an `AuthenticationResult` that contains the outcome of a successful authentication. You can't sign in a user with a federated IdP with `InitiateAuth`. For more information, see [Authentication](https://docs.aws.amazon.com/cognito/latest/developerguide/authentication.html).

**Note**  
Amazon Cognito doesn't evaluate AWS Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you can't use IAM credentials to authorize requests, and you can't grant IAM permissions in policies. For more information about authorization models in Amazon Cognito, see [Using the Amazon Cognito user pools API and user pool endpoints](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html).

**Note**  
This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers require you to register an origination phone number before you can send SMS messages to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a phone number with [Amazon Pinpoint](https://console.aws.amazon.com/pinpoint/home/). Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must receive SMS messages might not be able to sign up, activate their accounts, or sign in.  
If you have never used SMS text messages with Amazon Cognito or any other AWS service, Amazon Simple Notification Service might place your account in the SMS sandbox. In * [sandbox mode](https://docs.aws.amazon.com/sns/latest/dg/sns-sms-sandbox.html) *, you can send messages only to verified phone numbers. After you test your app while in the sandbox environment, you can move out of the sandbox and into production. For more information, see [ SMS message settings for Amazon Cognito user pools](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-sms-settings.html) in the *Amazon Cognito Developer Guide*.

## Request Syntax


```
{
   "AnalyticsMetadata": { 
      "AnalyticsEndpointId": "string"
   },
   "AuthFlow": "string",
   "AuthParameters": { 
      "string" : "string" 
   },
   "ClientId": "string",
   "ClientMetadata": { 
      "string" : "string" 
   },
   "Session": "string",
   "UserContextData": { 
      "EncodedData": "string",
      "IpAddress": "string"
   }
}
```

## Request Parameters


For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).

The request accepts the following data in JSON format.

 ** [AnalyticsMetadata](#API_InitiateAuth_RequestSyntax) **   <a name="CognitoUserPools-InitiateAuth-request-AnalyticsMetadata"></a>
Information that supports analytics outcomes with Amazon Pinpoint, including the user's endpoint ID. The endpoint ID is a destination for Amazon Pinpoint push notifications, for example a device identifier, email address, or phone number.  
Type: [AnalyticsMetadataType](API_AnalyticsMetadataType.md) object  
Required: No

 ** [AuthFlow](#API_InitiateAuth_RequestSyntax) **   <a name="CognitoUserPools-InitiateAuth-request-AuthFlow"></a>
The authentication flow that you want to initiate. Each `AuthFlow` has linked `AuthParameters` that you must submit. The following are some example flows.  
Include the required [InitiateAuth:AuthParameters](#CognitoUserPools-InitiateAuth-request-AuthParameters) for the flow that you choose.    
USER\$1AUTH  
The entry point for [choice-based authentication](https://docs.aws.amazon.com/cognito/latest/developerguide/authentication-flows-selection-sdk.html#authentication-flows-selection-choice) with passwords, one-time passwords, and WebAuthn authenticators. Request a preferred authentication type or review available authentication types. From the offered authentication types, select one in a challenge response and then authenticate with that method in an additional challenge response. To activate this setting, your user pool must be in the [ Essentials tier](https://docs.aws.amazon.com/cognito/latest/developerguide/feature-plans-features-essentials.html) or higher.  
USER\$1SRP\$1AUTH  
Username-password authentication with the Secure Remote Password (SRP) protocol. For more information, see [Use SRP password verification in custom authentication flow](https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-authentication-flow.html#Using-SRP-password-verification-in-custom-authentication-flow).  
REFRESH\$1TOKEN\$1AUTH and REFRESH\$1TOKEN  
Receive new ID and access tokens when you pass a `REFRESH_TOKEN` parameter with a valid refresh token as the value. For more information, see [Using the refresh token](https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-the-refresh-token.html).  
CUSTOM\$1AUTH  
Custom authentication with Lambda triggers. For more information, see [Custom authentication challenge Lambda triggers](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-challenge.html).  
USER\$1PASSWORD\$1AUTH  
Client-side username-password authentication with the password sent directly in the request. For more information about client-side and server-side authentication, see [SDK authorization models](https://docs.aws.amazon.com/cognito/latest/developerguide/authentication-flows-public-server-side.html).
 `ADMIN_USER_PASSWORD_AUTH` is a flow type of `AdminInitiateAuth` and isn't valid for InitiateAuth. `ADMIN_NO_SRP_AUTH` is a legacy server-side username-password flow and isn't valid for InitiateAuth.  
Type: String  
Valid Values: `USER_SRP_AUTH | REFRESH_TOKEN_AUTH | REFRESH_TOKEN | CUSTOM_AUTH | ADMIN_NO_SRP_AUTH | USER_PASSWORD_AUTH | ADMIN_USER_PASSWORD_AUTH | USER_AUTH`   
Required: Yes

 ** [AuthParameters](#API_InitiateAuth_RequestSyntax) **   <a name="CognitoUserPools-InitiateAuth-request-AuthParameters"></a>
The authentication parameters. These are inputs corresponding to the `AuthFlow` that you're invoking.  
The following are some authentication flows and their parameters. Add a `SECRET_HASH` parameter if your app client has a client secret. Add `DEVICE_KEY` if you want to bypass multi-factor authentication with a remembered device.     
USER\$1AUTH  
+  `USERNAME` (required)
+  `PREFERRED_CHALLENGE`. If you don't provide a value for `PREFERRED_CHALLENGE`, Amazon Cognito responds with the `AvailableChallenges` parameter that specifies the available sign-in methods.  
USER\$1SRP\$1AUTH  
+  `USERNAME` (required)
+  `SRP_A` (required)  
USER\$1PASSWORD\$1AUTH  
+  `USERNAME` (required)
+  `PASSWORD` (required)  
REFRESH\$1TOKEN\$1AUTH/REFRESH\$1TOKEN  
+  `REFRESH_TOKEN`(required)  
CUSTOM\$1AUTH  
+  `USERNAME` (required)
+  `ChallengeName: SRP_A` (when doing SRP authentication before custom challenges)
+  `SRP_A: (An SRP_A value)` (when doing SRP authentication before custom challenges)
For more information about `SECRET_HASH`, see [Computing secret hash values](https://docs.aws.amazon.com/cognito/latest/developerguide/signing-up-users-in-your-app.html#cognito-user-pools-computing-secret-hash). For information about `DEVICE_KEY`, see [Working with user devices in your user pool](https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-device-tracking.html).  
Type: String to string map  
Key Length Constraints: Minimum length of 0. Maximum length of 131072.  
Value Length Constraints: Minimum length of 0. Maximum length of 131072.  
Required: No

 ** [ClientId](#API_InitiateAuth_RequestSyntax) **   <a name="CognitoUserPools-InitiateAuth-request-ClientId"></a>
The ID of the app client that your user wants to sign in to.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 128.  
Pattern: `[\w+]+`   
Required: Yes

 ** [ClientMetadata](#API_InitiateAuth_RequestSyntax) **   <a name="CognitoUserPools-InitiateAuth-request-ClientMetadata"></a>
A map of custom key-value pairs that you can provide as input for any custom workflows that this action triggers. You create custom workflows by assigning AWS Lambda functions to user pool triggers.  
When Amazon Cognito invokes any of these functions, it passes a JSON payload, which the function receives as input. This payload contains a `clientMetadata` attribute that provides the data that you assigned to the ClientMetadata parameter in your request. In your function code, you can process the `clientMetadata` value to enhance your workflow for your specific needs.  
To review the Lambda trigger types that Amazon Cognito invokes at runtime with API requests, see [ Connecting API actions to Lambda triggers](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-working-with-lambda-triggers.html#lambda-triggers-by-event) in the *Amazon Cognito Developer Guide*.  
The `ClientMetadata` value is passed as input to the functions for only the following triggers:  
+ Pre signup
+ Pre authentication
+ User migration
This request also invokes the functions for the following triggers, but doesn't pass `ClientMetadata`:  
+ Post authentication
+ Custom message
+ Pre token generation
+ Create auth challenge
+ Define auth challenge
+ Custom email sender
+ Custom SMS sender
When you use the `ClientMetadata` parameter, note that Amazon Cognito won't do the following:  
+ Store the `ClientMetadata` value. This data is available only to AWS Lambda triggers that are assigned to a user pool to support custom workflows. If your user pool configuration doesn't include triggers, the `ClientMetadata` parameter serves no purpose.
+ Validate the `ClientMetadata` value.
+ Encrypt the `ClientMetadata` value. Don't send sensitive information in this parameter.
Type: String to string map  
Key Length Constraints: Minimum length of 0. Maximum length of 131072.  
Value Length Constraints: Minimum length of 0. Maximum length of 131072.  
Required: No

 ** [Session](#API_InitiateAuth_RequestSyntax) **   <a name="CognitoUserPools-InitiateAuth-request-Session"></a>
The optional session ID from a `ConfirmSignUp` API request. You can sign in a user directly from the sign-up process with the `USER_AUTH` authentication flow. When you pass the session ID to `InitiateAuth`, Amazon Cognito assumes the SMS or email message one-time verification password from `ConfirmSignUp` as the primary authentication factor. You're not required to submit this code a second time. This option is only valid for users who have confirmed their sign-up and are signing in for the first time within the authentication flow session duration of the session ID.  
Type: String  
Length Constraints: Minimum length of 20. Maximum length of 2048.  
Required: No

 ** [UserContextData](#API_InitiateAuth_RequestSyntax) **   <a name="CognitoUserPools-InitiateAuth-request-UserContextData"></a>
Contextual data about your user session like the device fingerprint, IP address, or location. Amazon Cognito threat protection evaluates the risk of an authentication event based on the context that your app generates and passes to Amazon Cognito when it makes API requests.  
For more information, see [Collecting data for threat protection in applications](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-viewing-threat-protection-app.html).  
Type: [UserContextDataType](API_UserContextDataType.md) object  
Required: No

## Response Syntax


```
{
   "AuthenticationResult": { 
      "AccessToken": "string",
      "ExpiresIn": number,
      "IdToken": "string",
      "NewDeviceMetadata": { 
         "DeviceGroupKey": "string",
         "DeviceKey": "string"
      },
      "RefreshToken": "string",
      "TokenType": "string"
   },
   "AvailableChallenges": [ "string" ],
   "ChallengeName": "string",
   "ChallengeParameters": { 
      "string" : "string" 
   },
   "Session": "string"
}
```

## Response Elements


If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

 ** [AuthenticationResult](#API_InitiateAuth_ResponseSyntax) **   <a name="CognitoUserPools-InitiateAuth-response-AuthenticationResult"></a>
The result of a successful and complete authentication request. This result is only returned if the user doesn't need to pass another challenge. If they must pass another challenge before they get tokens, Amazon Cognito returns a challenge in `ChallengeName`, `ChallengeParameters`, and `Session` response parameters.  
Type: [AuthenticationResultType](API_AuthenticationResultType.md) object

 ** [AvailableChallenges](#API_InitiateAuth_ResponseSyntax) **   <a name="CognitoUserPools-InitiateAuth-response-AvailableChallenges"></a>
This response parameter lists the available authentication challenges that users can select from in [choice-based authentication](https://docs.aws.amazon.com/cognito/latest/developerguide/authentication-flows-selection-sdk.html#authentication-flows-selection-choice). For example, they might be able to choose between passkey authentication, a one-time password from an SMS message, and a traditional password.  
Type: Array of strings  
Valid Values: `SMS_MFA | EMAIL_OTP | SOFTWARE_TOKEN_MFA | SELECT_MFA_TYPE | MFA_SETUP | PASSWORD_VERIFIER | CUSTOM_CHALLENGE | SELECT_CHALLENGE | DEVICE_SRP_AUTH | DEVICE_PASSWORD_VERIFIER | ADMIN_NO_SRP_AUTH | NEW_PASSWORD_REQUIRED | SMS_OTP | PASSWORD | WEB_AUTHN | PASSWORD_SRP` 

 ** [ChallengeName](#API_InitiateAuth_ResponseSyntax) **   <a name="CognitoUserPools-InitiateAuth-response-ChallengeName"></a>
The name of an additional authentication challenge that you must respond to.  
Collect the challenge response from the user and submit it in a [RespondToAuthChallenge](API_RespondToAuthChallenge.md) request. To link this response to the new request, include the `Session` response parameter in the next request.  
Possible challenges include the following:  
All of the following challenges require `USERNAME` and, when the app client has a client secret, `SECRET_HASH` in the parameters. Include a `DEVICE_KEY` for device authentication.
+  `WEB_AUTHN`: Respond to the challenge with the results of a successful authentication with a WebAuthn authenticator, or passkey, as `CREDENTIAL`. Examples of WebAuthn authenticators include biometric devices and security keys.
+  `PASSWORD`: Respond with the user's password as `PASSWORD`.
+  `PASSWORD_SRP`: Respond with the initial SRP secret as `SRP_A`.
+  `SELECT_CHALLENGE`: Respond with a challenge selection as `ANSWER`. It must be one of the challenge types in the `AvailableChallenges` response parameter. Add the parameters of the selected challenge, for example `USERNAME` and `SMS_OTP`.
+  `SMS_MFA`: Respond with the code that your user pool delivered in an SMS message, as `SMS_MFA_CODE` 
+  `EMAIL_MFA`: Respond with the code that your user pool delivered in an email message, as `EMAIL_MFA_CODE` 
+  `EMAIL_OTP`: Respond with the code that your user pool delivered in an email message, as `EMAIL_OTP_CODE` .
+  `SMS_OTP`: Respond with the code that your user pool delivered in an SMS message, as `SMS_OTP_CODE`.
+  `PASSWORD_VERIFIER`: Respond with the second stage of SRP secrets as `PASSWORD_CLAIM_SIGNATURE`, `PASSWORD_CLAIM_SECRET_BLOCK`, and `TIMESTAMP`.
+  `CUSTOM_CHALLENGE`: This is returned if your custom authentication flow determines that the user should pass another challenge before tokens are issued. The parameters of the challenge are determined by your Lambda function and issued in the `ChallengeParameters` of a challenge response.
+  `DEVICE_SRP_AUTH`: Respond with the initial parameters of device SRP authentication. For more information, see [Signing in with a device](https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-device-tracking.html#user-pools-remembered-devices-signing-in-with-a-device).
+  `DEVICE_PASSWORD_VERIFIER`: Respond with `PASSWORD_CLAIM_SIGNATURE`, `PASSWORD_CLAIM_SECRET_BLOCK`, and `TIMESTAMP` after client-side SRP calculations. For more information, see [Signing in with a device](https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-device-tracking.html#user-pools-remembered-devices-signing-in-with-a-device).
+  `NEW_PASSWORD_REQUIRED`: For users who are required to change their passwords after successful first login. Respond to this challenge with `NEW_PASSWORD` and any required attributes that Amazon Cognito returned in the `requiredAttributes` parameter. You can also set values for attributes that aren't required by your user pool and that your app client can write.

  Amazon Cognito only returns this challenge for users who have temporary passwords. When you create passwordless users, you must provide values for all required attributes.
**Note**  
In a `NEW_PASSWORD_REQUIRED` challenge response, you can't modify a required attribute that already has a value. In `AdminRespondToAuthChallenge` or `RespondToAuthChallenge`, set a value for any keys that Amazon Cognito returned in the `requiredAttributes` parameter, then use the `AdminUpdateUserAttributes` or `UpdateUserAttributes` API operation to modify the value of any additional attributes.
+  `MFA_SETUP`: For users who are required to setup an MFA factor before they can sign in. The MFA types activated for the user pool will be listed in the challenge parameters `MFAS_CAN_SETUP` value. 

  To set up time-based one-time password (TOTP) MFA, use the session returned in this challenge from `InitiateAuth` or `AdminInitiateAuth` as an input to `AssociateSoftwareToken`. Then, use the session returned by `VerifySoftwareToken` as an input to `RespondToAuthChallenge` or `AdminRespondToAuthChallenge` with challenge name `MFA_SETUP` to complete sign-in. 

  To set up SMS or email MFA, collect a `phone_number` or `email` attribute for the user. Then restart the authentication flow with an `InitiateAuth` or `AdminInitiateAuth` request. 
Type: String  
Valid Values: `SMS_MFA | EMAIL_OTP | SOFTWARE_TOKEN_MFA | SELECT_MFA_TYPE | MFA_SETUP | PASSWORD_VERIFIER | CUSTOM_CHALLENGE | SELECT_CHALLENGE | DEVICE_SRP_AUTH | DEVICE_PASSWORD_VERIFIER | ADMIN_NO_SRP_AUTH | NEW_PASSWORD_REQUIRED | SMS_OTP | PASSWORD | WEB_AUTHN | PASSWORD_SRP` 

 ** [ChallengeParameters](#API_InitiateAuth_ResponseSyntax) **   <a name="CognitoUserPools-InitiateAuth-response-ChallengeParameters"></a>
The required parameters of the `ChallengeName` challenge.  
Collect the challenge response from the user and submit it in a [RespondToAuthChallenge](API_RespondToAuthChallenge.md) request. To link this response to the new request, include the `Session` response parameter in the next request.  
All challenges require `USERNAME`. They also require `SECRET_HASH` if your app client has a client secret.  
Type: String to string map  
Key Length Constraints: Minimum length of 0. Maximum length of 131072.  
Value Length Constraints: Minimum length of 0. Maximum length of 131072.

 ** [Session](#API_InitiateAuth_ResponseSyntax) **   <a name="CognitoUserPools-InitiateAuth-response-Session"></a>
The session identifier that links a challenge response to the initial authentication request. If the user must pass another challenge, Amazon Cognito returns a session ID and challenge parameters.  
Include this session ID in a [RespondToAuthChallenge](API_RespondToAuthChallenge.md) API request.  
Type: String  
Length Constraints: Minimum length of 20. Maximum length of 2048.

## Errors


For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).

 ** ForbiddenException **   
This exception is thrown when AWS WAF doesn't allow your request based on a web ACL that's associated with your user pool.    
 ** message **   
The message returned when AWS WAF doesn't allow your request based on a web ACL that's associated with your user pool.
HTTP Status Code: 400

 ** InternalErrorException **   
This exception is thrown when Amazon Cognito encounters an internal error.    
 ** message **   
The message returned when Amazon Cognito throws an internal error exception.
HTTP Status Code: 500

 ** InvalidEmailRoleAccessPolicyException **   
This exception is thrown when Amazon Cognito isn't allowed to use your email identity. HTTP status code: 400.    
 ** message **   
The message returned when you have an unverified email address or the identity policy isn't set on an email address that Amazon Cognito can access.
HTTP Status Code: 400

 ** InvalidLambdaResponseException **   
This exception is thrown when Amazon Cognito encounters an invalid AWS Lambda response.    
 ** message **   
The message returned when Amazon Cognito throws an invalid AWS Lambda response exception.
HTTP Status Code: 400

 ** InvalidParameterException **   
This exception is thrown when the Amazon Cognito service encounters an invalid parameter.    
 ** message **   
The message returned when the Amazon Cognito service throws an invalid parameter exception.  
 ** reasonCode **   
The reason code of the exception.
HTTP Status Code: 400

 ** InvalidSmsRoleAccessPolicyException **   
This exception is returned when the role provided for SMS configuration doesn't have permission to publish using Amazon SNS.    
 ** message **   
The message returned when the invalid SMS role access policy exception is thrown.
HTTP Status Code: 400

 ** InvalidSmsRoleTrustRelationshipException **   
This exception is thrown when the trust relationship is not valid for the role provided for SMS configuration. This can happen if you don't trust `cognito-idp.amazonaws.com` or the external ID provided in the role does not match what is provided in the SMS configuration for the user pool.    
 ** message **   
The message returned when the role trust relationship for the SMS message is not valid.
HTTP Status Code: 400

 ** InvalidUserPoolConfigurationException **   
This exception is thrown when the user pool configuration is not valid.    
 ** message **   
The message returned when the user pool configuration is not valid.
HTTP Status Code: 400

 ** NotAuthorizedException **   
This exception is thrown when a user isn't authorized.    
 ** message **   
The message returned when the Amazon Cognito service returns a not authorized exception.
HTTP Status Code: 400

 ** PasswordResetRequiredException **   
This exception is thrown when a password reset is required.    
 ** message **   
The message returned when a password reset is required.
HTTP Status Code: 400

 ** ResourceNotFoundException **   
This exception is thrown when the Amazon Cognito service can't find the requested resource.    
 ** message **   
The message returned when the Amazon Cognito service returns a resource not found exception.
HTTP Status Code: 400

 ** TooManyRequestsException **   
This exception is thrown when the user has made too many requests for a given operation.    
 ** message **   
The message returned when the Amazon Cognito service returns a too many requests exception.
HTTP Status Code: 400

 ** UnexpectedLambdaException **   
This exception is thrown when Amazon Cognito encounters an unexpected exception with AWS Lambda.    
 ** message **   
The message returned when Amazon Cognito returns an unexpected Lambda exception.
HTTP Status Code: 400

 ** UnsupportedOperationException **   
Exception that is thrown when you attempt to perform an operation that isn't enabled for the user pool client.  
HTTP Status Code: 400

 ** UserLambdaValidationException **   
This exception is thrown when the Amazon Cognito service encounters a user validation exception with the AWS Lambda service.    
 ** message **   
The message returned when the Amazon Cognito service returns a user validation exception with the Lambda service.
HTTP Status Code: 400

 ** UserNotConfirmedException **   
This exception is thrown when a user isn't confirmed successfully.    
 ** message **   
The message returned when a user isn't confirmed successfully.
HTTP Status Code: 400

 ** UserNotFoundException **   
This exception is thrown when a user isn't found.    
 ** message **   
The message returned when a user isn't found.
HTTP Status Code: 400

## Examples


### Example


The following example starts the user `testuser` in the passkey authentication flow. The user pool and app client have password, passkey, and OTP options. User verification is set to `preferred` for the user pool, so the user isn't required to have a passkey with user-verification support.

#### Sample Request


```
POST HTTP/1.1
Host: cognito-idp.us-east-1.amazonaws.com
X-Amz-Date: 20230613T200059Z
Accept-Encoding: gzip, deflate, br
X-Amz-Target: AWSCognitoIdentityProviderService.InitiateAuth
User-Agent: <UserAgentString>
Authorization: AWS4-HMAC-SHA256 Credential=<Credential>, SignedHeaders=<Headers>, Signature=<Signature>
Content-Length: <PayloadSizeBytes>

{
    "AuthFlow": "USER_AUTH",
    "ClientId": "1example23456789",
    "AuthParameters": {
        "USERNAME": "testuser",
        "PREFERRED_CHALLENGE": "WEB_AUTHN"
    }
}
```

#### Sample Response


```
HTTP/1.1 200 OK
Date: Tue, 13 Jun 2023 20:00:59 GMT
Content-Type: application/x-amz-json-1.0
Content-Length: <PayloadSizeBytes>
x-amzn-requestid: a1b2c3d4-e5f6-a1b2-c3d4-EXAMPLE11111
Connection: keep-alive

{
    "AvailableChallenges": [
        "PASSWORD_SRP",
        "PASSWORD",
        "EMAIL_OTP",
        "WEB_AUTHN"
    ],
    "ChallengeName": "WEB_AUTHN",
    "ChallengeParameters": {
        "CREDENTIAL_REQUEST_OPTIONS": "{\"challenge\":\"[challenge string]\",\"timeout\":180000,\"rpId\":\"auth.example.com\",\"allowCredentials\":[{\"type\":\"public-key\",\"id\":\"[key ID]\",\"transports\":[]},{\"type\":\"public-key\",\"id\":\"[key ID]\",\"transports\":[\"internal\"]}],\"userVerification\":\"preferred\"}"
    },
    "Session": "AYABeC1-y8qooiuysEv0uM4wAqQAHQABAAdTZXJ2aWNlABBDb2duaXRvVXNlclBvb2xzAAEAB2F3cy1rbXMAS2Fybjphd3M6a21zOnVzLXd..."
}
```

### Example


The following example requests sign-in for the user `testuser` in a user pool where they're eligible for sign in with email OTP.

#### Sample Request


```
POST HTTP/1.1
Host: cognito-idp.us-east-1.amazonaws.com
X-Amz-Date: 20230613T200059Z
Accept-Encoding: gzip, deflate, br
X-Amz-Target: AWSCognitoIdentityProviderService.InitiateAuth
User-Agent: <UserAgentString>
Authorization: AWS4-HMAC-SHA256 Credential=<Credential>, SignedHeaders=<Headers>, Signature=<Signature>
Content-Length: <PayloadSizeBytes>

{
    "AuthFlow": "USER_AUTH",
    "ClientId": "1example23456789",
    "AuthParameters": {
        "USERNAME": "testuser",
        "PREFERRED_CHALLENGE": "EMAIL_OTP"
    }
}
```

#### Sample Response


```
HTTP/1.1 200 OK
Date: Tue, 13 Jun 2023 20:00:59 GMT
Content-Type: application/x-amz-json-1.0
Content-Length: <PayloadSizeBytes>
x-amzn-requestid: a1b2c3d4-e5f6-a1b2-c3d4-EXAMPLE11111
Connection: keep-alive

{
    "AvailableChallenges": [
        "PASSWORD_SRP",
        "PASSWORD",
        "EMAIL_OTP",
        "WEB_AUTHN"
    ],
    "ChallengeName": "EMAIL_OTP",
    "ChallengeParameters": {
        "CODE_DELIVERY_DELIVERY_MEDIUM": "EMAIL",
        "CODE_DELIVERY_DESTINATION": "t***@e***"
    },
    "Session": "AYABeC1-y8qooiuysEv0uM4wAqQAHQABAAdTZXJ2aWNlABBDb2duaXRvVXNlclBvb2xzAAEAB2F3cy1rbXMAS2Fybjphd3M6a21zOnVzLXd..."
}
```

### Example


The following example signs in the user `mytestuser` with analytics data, client metadata, and user context data for advanced security.

#### Sample Request


```
POST HTTP/1.1
Host: cognito-idp.us-west-2.amazonaws.com
X-Amz-Date: 20230613T200059Z
Accept-Encoding: gzip, deflate, br
X-Amz-Target: AWSCognitoIdentityProviderService.InitiateAuth
User-Agent: <UserAgentString>
Authorization: AWS4-HMAC-SHA256 Credential=<Credential>, SignedHeaders=<Headers>, Signature=<Signature>
Content-Length: <PayloadSizeBytes>
{
    "AuthFlow": "USER_PASSWORD_AUTH",
    "ClientId": "1example23456789",
    "AuthParameters": {
        "USERNAME": "mytestuser",
        "PASSWORD": "This-is-my-test-99!",
        "SECRET_HASH": "oT5ZkS8ctnrhYeeGsGTvOzPhoc/Jd1cO5fueBWFVmp8="
    },
    "AnalyticsMetadata": {
        "AnalyticsEndpointId": "d70b2ba36a8c4dc5a04a0451a31a1e12"
    },
    "UserContextData": {
        "EncodedData": "AmazonCognitoAdvancedSecurityData_object",
        "IpAddress": "192.0.2.1"
    },
    "ClientMetadata": {
        "MyTestKey": "MyTestValue"
    }
}
```

#### Sample Response


```
HTTP/1.1 200 OK
Date: Tue, 13 Jun 2023 20:00:59 GMT
Content-Type: application/x-amz-json-1.0
Content-Length: <PayloadSizeBytes>
x-amzn-requestid: a1b2c3d4-e5f6-a1b2-c3d4-EXAMPLE11111
Connection: keep-alive

{
    "ChallengeName": "SOFTWARE_TOKEN_MFA",
    "ChallengeParameters": {
        "USER_ID_FOR_SRP": "mytestuser",
        "FRIENDLY_DEVICE_NAME": "mytestauthenticator"
    },
    "Session": "AYABeC1-y8qooiuysEv0uM4wAqQAHQABAAdTZXJ2aWNlABBDb2duaXRvVXNlclBvb2xzAAEAB2F3cy1rbXMAS2Fybjphd3M6a21zOnVzLXd..."
}
```

### Example


The following example exchanges a refresh token for access and ID tokens.

#### Sample Request


```
POST HTTP/1.1
Host: cognito-idp.us-west-2.amazonaws.com
X-Amz-Date: 20230613T200059Z
Accept-Encoding: gzip, deflate, br
X-Amz-Target: AWSCognitoIdentityProviderService.InitiateAuth
User-Agent: <UserAgentString>
Authorization: AWS4-HMAC-SHA256 Credential=<Credential>, SignedHeaders=<Headers>, Signature=<Signature>
Content-Length: <PayloadSizeBytes>
{
    "AuthFlow": "REFRESH_TOKEN",
    "ClientId": "1example23456789",
    "AuthParameters": {
        "REFRESH_TOKEN": "eyJ123abcEXAMPLE",
        "SECRET_HASH": "7P85/EXAMPLE"
    }
}
```

#### Sample Response


```
HTTP/1.1 200 OK
Date: Tue, 13 Jun 2023 20:00:59 GMT
Content-Type: application/x-amz-json-1.0
Content-Length: <PayloadSizeBytes>
x-amzn-requestid: a1b2c3d4-e5f6-a1b2-c3d4-EXAMPLE11111
Connection: keep-alive

{
    "AuthenticationResult": {
        "AccessToken": "eyJra456defEXAMPLE",
        "ExpiresIn": 3600,
        "IdToken": "eyJra789ghiEXAMPLE",
        "TokenType": "Bearer"
    },
    "ChallengeParameters": {}
}
```

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cognito-idp-2016-04-18/InitiateAuth) 
+  [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cognito-idp-2016-04-18/InitiateAuth) 
+  [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/InitiateAuth) 
+  [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cognito-idp-2016-04-18/InitiateAuth) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/InitiateAuth) 
+  [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cognito-idp-2016-04-18/InitiateAuth) 
+  [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cognito-idp-2016-04-18/InitiateAuth) 
+  [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cognito-idp-2016-04-18/InitiateAuth) 
+  [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/InitiateAuth) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cognito-idp-2016-04-18/InitiateAuth) 

# ListDevices


Lists the devices that Amazon Cognito has registered to the currently signed-in user. For more information about device authentication, see [Working with user devices in your user pool](https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-device-tracking.html).

Authorize this action with a signed-in user's access token. It must include the scope `aws.cognito.signin.user.admin`.

**Note**  
Amazon Cognito doesn't evaluate AWS Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you can't use IAM credentials to authorize requests, and you can't grant IAM permissions in policies. For more information about authorization models in Amazon Cognito, see [Using the Amazon Cognito user pools API and user pool endpoints](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html).

## Request Syntax


```
{
   "AccessToken": "string",
   "Limit": number,
   "PaginationToken": "string"
}
```

## Request Parameters


For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).

The request accepts the following data in JSON format.

 ** [AccessToken](#API_ListDevices_RequestSyntax) **   <a name="CognitoUserPools-ListDevices-request-AccessToken"></a>
A valid access token that Amazon Cognito issued to the currently signed-in user. Must include a scope claim for `aws.cognito.signin.user.admin`.  
Type: String  
Pattern: `[A-Za-z0-9-_=.]+`   
Required: Yes

 ** [Limit](#API_ListDevices_RequestSyntax) **   <a name="CognitoUserPools-ListDevices-request-Limit"></a>
The maximum number of devices that you want Amazon Cognito to return in the response.  
Type: Integer  
Valid Range: Minimum value of 0. Maximum value of 60.  
Required: No

 ** [PaginationToken](#API_ListDevices_RequestSyntax) **   <a name="CognitoUserPools-ListDevices-request-PaginationToken"></a>
This API operation returns a limited number of results. The pagination token is an identifier that you can present in an additional API request with the same parameters. When you include the pagination token, Amazon Cognito returns the next set of items after the current list. Subsequent requests return a new pagination token. By use of this token, you can paginate through the full list of items.  
Type: String  
Length Constraints: Minimum length of 1.  
Pattern: `[\S]+`   
Required: No

## Response Syntax


```
{
   "Devices": [ 
      { 
         "DeviceAttributes": [ 
            { 
               "Name": "string",
               "Value": "string"
            }
         ],
         "DeviceCreateDate": number,
         "DeviceKey": "string",
         "DeviceLastAuthenticatedDate": number,
         "DeviceLastModifiedDate": number
      }
   ],
   "PaginationToken": "string"
}
```

## Response Elements


If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

 ** [Devices](#API_ListDevices_ResponseSyntax) **   <a name="CognitoUserPools-ListDevices-response-Devices"></a>
An array of devices and their details. Each entry that's returned includes device information, last-accessed and created dates, and the device key.  
Type: Array of [DeviceType](API_DeviceType.md) objects

 ** [PaginationToken](#API_ListDevices_ResponseSyntax) **   <a name="CognitoUserPools-ListDevices-response-PaginationToken"></a>
The identifier that Amazon Cognito returned with the previous request to this operation. When you include a pagination token in your request, Amazon Cognito returns the next set of items in the list. By use of this token, you can paginate through the full list of items.  
Type: String  
Length Constraints: Minimum length of 1.  
Pattern: `[\S]+` 

## Errors


For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).

 ** ForbiddenException **   
This exception is thrown when AWS WAF doesn't allow your request based on a web ACL that's associated with your user pool.    
 ** message **   
The message returned when AWS WAF doesn't allow your request based on a web ACL that's associated with your user pool.
HTTP Status Code: 400

 ** InternalErrorException **   
This exception is thrown when Amazon Cognito encounters an internal error.    
 ** message **   
The message returned when Amazon Cognito throws an internal error exception.
HTTP Status Code: 500

 ** InvalidParameterException **   
This exception is thrown when the Amazon Cognito service encounters an invalid parameter.    
 ** message **   
The message returned when the Amazon Cognito service throws an invalid parameter exception.  
 ** reasonCode **   
The reason code of the exception.
HTTP Status Code: 400

 ** InvalidUserPoolConfigurationException **   
This exception is thrown when the user pool configuration is not valid.    
 ** message **   
The message returned when the user pool configuration is not valid.
HTTP Status Code: 400

 ** NotAuthorizedException **   
This exception is thrown when a user isn't authorized.    
 ** message **   
The message returned when the Amazon Cognito service returns a not authorized exception.
HTTP Status Code: 400

 ** PasswordResetRequiredException **   
This exception is thrown when a password reset is required.    
 ** message **   
The message returned when a password reset is required.
HTTP Status Code: 400

 ** ResourceNotFoundException **   
This exception is thrown when the Amazon Cognito service can't find the requested resource.    
 ** message **   
The message returned when the Amazon Cognito service returns a resource not found exception.
HTTP Status Code: 400

 ** TooManyRequestsException **   
This exception is thrown when the user has made too many requests for a given operation.    
 ** message **   
The message returned when the Amazon Cognito service returns a too many requests exception.
HTTP Status Code: 400

 ** UserNotConfirmedException **   
This exception is thrown when a user isn't confirmed successfully.    
 ** message **   
The message returned when a user isn't confirmed successfully.
HTTP Status Code: 400

 ** UserNotFoundException **   
This exception is thrown when a user isn't found.    
 ** message **   
The message returned when a user isn't found.
HTTP Status Code: 400

## Examples


### Example


The following example request returns the two devices registered by the current user.

#### Sample Request


```
POST HTTP/1.1
Host: cognito-idp.us-west-2.amazonaws.com
X-Amz-Date: 20230613T200059Z
Accept-Encoding: gzip, deflate, br
X-Amz-Target: AWSCognitoIdentityProviderService.ListDevices
User-Agent: <UserAgentString>
Authorization: AWS4-HMAC-SHA256 Credential=<Credential>, SignedHeaders=<Headers>, Signature=<Signature>
Content-Length: <PayloadSizeBytes>
{
   "AccessToken": "eyJra456defEXAMPLE"
}
```

#### Sample Response


```
HTTP/1.1 200 OK
Date: Tue, 13 Jun 2023 20:00:59 GMT
Content-Type: application/x-amz-json-1.0
Content-Length: <PayloadSizeBytes>
x-amzn-requestid: a1b2c3d4-e5f6-a1b2-c3d4-EXAMPLE11111
Connection: keep-alive
{
    "Devices": [
        {
            "DeviceAttributes": [
                {
                    "Name": "device_status",
                    "Value": "valid"
                },
                {
                    "Name": "device_name",
                    "Value": "Dart-device"
                },
                {
                    "Name": "last_ip_used",
                    "Value": "192.0.2.1"
                }
            ],
            "DeviceCreateDate": 1715100742.022,
            "DeviceKey": "us-west-2_a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
            "DeviceLastAuthenticatedDate": 1715100742.0,
            "DeviceLastModifiedDate": 1723233651.167
        },
        {
            "DeviceAttributes": [
                {
                    "Name": "device_status",
                    "Value": "valid"
                },
                {
                    "Name": "last_ip_used",
                    "Value": "192.0.2.2"
                }
            ],
            "DeviceCreateDate": 1726856147.993,
            "DeviceKey": "us-west-2_a1b2c3d4-5678-90ab-cdef-EXAMPLE22222",
            "DeviceLastAuthenticatedDate": 1726856147.0,
            "DeviceLastModifiedDate": 1726856147.993
        }
    ]
}
```

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cognito-idp-2016-04-18/ListDevices) 
+  [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cognito-idp-2016-04-18/ListDevices) 
+  [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/ListDevices) 
+  [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cognito-idp-2016-04-18/ListDevices) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/ListDevices) 
+  [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cognito-idp-2016-04-18/ListDevices) 
+  [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cognito-idp-2016-04-18/ListDevices) 
+  [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cognito-idp-2016-04-18/ListDevices) 
+  [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/ListDevices) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cognito-idp-2016-04-18/ListDevices) 

# ListGroups


Given a user pool ID, returns user pool groups and their details.

This operation doesn't return group membership. For group membership, see [ListUsersInGroup](API_ListUsersInGroup.md) and [AdminListGroupsForUser](API_AdminListGroupsForUser.md). For more information about user pool groups, see [Adding groups to a user pool](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-user-groups.html).

**Note**  
Amazon Cognito evaluates AWS Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.  
 [Signing AWS API Requests](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html) 
 [Using the Amazon Cognito user pools API and user pool endpoints](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html) 

## Request Syntax


```
{
   "Limit": number,
   "NextToken": "string",
   "UserPoolId": "string"
}
```

## Request Parameters


For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).

The request accepts the following data in JSON format.

 ** [Limit](#API_ListGroups_RequestSyntax) **   <a name="CognitoUserPools-ListGroups-request-Limit"></a>
The maximum number of groups that you want Amazon Cognito to return in the response.  
Type: Integer  
Valid Range: Minimum value of 0. Maximum value of 60.  
Required: No

 ** [NextToken](#API_ListGroups_RequestSyntax) **   <a name="CognitoUserPools-ListGroups-request-NextToken"></a>
This API operation returns a limited number of results. The pagination token is an identifier that you can present in an additional API request with the same parameters. When you include the pagination token, Amazon Cognito returns the next set of items after the current list. Subsequent requests return a new pagination token. By use of this token, you can paginate through the full list of items.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 131072.  
Pattern: `[\S]+`   
Required: No

 ** [UserPoolId](#API_ListGroups_RequestSyntax) **   <a name="CognitoUserPools-ListGroups-request-UserPoolId"></a>
The ID of the user pool where you want to list user groups.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 55.  
Pattern: `[\w-]+_[0-9a-zA-Z]+`   
Required: Yes

## Response Syntax


```
{
   "Groups": [ 
      { 
         "CreationDate": number,
         "Description": "string",
         "GroupName": "string",
         "LastModifiedDate": number,
         "Precedence": number,
         "RoleArn": "string",
         "UserPoolId": "string"
      }
   ],
   "NextToken": "string"
}
```

## Response Elements


If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

 ** [Groups](#API_ListGroups_ResponseSyntax) **   <a name="CognitoUserPools-ListGroups-response-Groups"></a>
An array of groups and their details. Each entry that's returned includes description, precedence, and IAM role values.  
Type: Array of [GroupType](API_GroupType.md) objects

 ** [NextToken](#API_ListGroups_ResponseSyntax) **   <a name="CognitoUserPools-ListGroups-response-NextToken"></a>
The identifier that Amazon Cognito returned with the previous request to this operation. When you include a pagination token in your request, Amazon Cognito returns the next set of items in the list. By use of this token, you can paginate through the full list of items.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 131072.  
Pattern: `[\S]+` 

## Errors


For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).

 ** InternalErrorException **   
This exception is thrown when Amazon Cognito encounters an internal error.    
 ** message **   
The message returned when Amazon Cognito throws an internal error exception.
HTTP Status Code: 500

 ** InvalidParameterException **   
This exception is thrown when the Amazon Cognito service encounters an invalid parameter.    
 ** message **   
The message returned when the Amazon Cognito service throws an invalid parameter exception.  
 ** reasonCode **   
The reason code of the exception.
HTTP Status Code: 400

 ** NotAuthorizedException **   
This exception is thrown when a user isn't authorized.    
 ** message **   
The message returned when the Amazon Cognito service returns a not authorized exception.
HTTP Status Code: 400

 ** ResourceNotFoundException **   
This exception is thrown when the Amazon Cognito service can't find the requested resource.    
 ** message **   
The message returned when the Amazon Cognito service returns a resource not found exception.
HTTP Status Code: 400

 ** TooManyRequestsException **   
This exception is thrown when the user has made too many requests for a given operation.    
 ** message **   
The message returned when the Amazon Cognito service returns a too many requests exception.
HTTP Status Code: 400

## Examples


### Example


The following example request lists two groups in a user pool that has a Facebook identity provider.

#### Sample Request


```
POST HTTP/1.1
Host: cognito-idp.us-west-2.amazonaws.com
X-Amz-Date: 20230613T200059Z
Accept-Encoding: gzip, deflate, br
X-Amz-Target: AWSCognitoIdentityProviderService.ListGroups
User-Agent: <UserAgentString>
Authorization: AWS4-HMAC-SHA256 Credential=<Credential>, SignedHeaders=<Headers>, Signature=<Signature>
Content-Length: <PayloadSizeBytes>
{
   "UserPoolId": "us-west-2_EXAMPLE",
   "Limit": 2
}
```

#### Sample Response


```
HTTP/1.1 200 OK
Date: Tue, 13 Jun 2023 20:00:59 GMT
Content-Type: application/x-amz-json-1.0
Content-Length: <PayloadSizeBytes>
x-amzn-requestid: a1b2c3d4-e5f6-a1b2-c3d4-EXAMPLE11111
Connection: keep-alive
{
    "Groups": [
        {
            "CreationDate": 1681760899.633,
            "Description": "My test group",
            "GroupName": "testgroup",
            "LastModifiedDate": 1681760899.633,
            "Precedence": 1,
            "UserPoolId": "us-west-2_EXAMPLE"
        },
        {
            "CreationDate": 1642632749.051,
            "Description": "Autogenerated group for users who sign in using Facebook",
            "GroupName": "us-west-2_EXAMPLE_Facebook",
            "LastModifiedDate": 1642632749.051,
            "UserPoolId": "us-west-2_EXAMPLE"
        }
    ],
    "NextToken": "[Pagination token]"
}
```

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cognito-idp-2016-04-18/ListGroups) 
+  [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cognito-idp-2016-04-18/ListGroups) 
+  [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/ListGroups) 
+  [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cognito-idp-2016-04-18/ListGroups) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/ListGroups) 
+  [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cognito-idp-2016-04-18/ListGroups) 
+  [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cognito-idp-2016-04-18/ListGroups) 
+  [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cognito-idp-2016-04-18/ListGroups) 
+  [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/ListGroups) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cognito-idp-2016-04-18/ListGroups) 

# ListIdentityProviders


Given a user pool ID, returns information about configured identity providers (IdPs). For more information about IdPs, see [Third-party IdP sign-in](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-identity-federation.html).

**Note**  
Amazon Cognito evaluates AWS Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.  
 [Signing AWS API Requests](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html) 
 [Using the Amazon Cognito user pools API and user pool endpoints](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html) 

## Request Syntax


```
{
   "MaxResults": number,
   "NextToken": "string",
   "UserPoolId": "string"
}
```

## Request Parameters


For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).

The request accepts the following data in JSON format.

 ** [MaxResults](#API_ListIdentityProviders_RequestSyntax) **   <a name="CognitoUserPools-ListIdentityProviders-request-MaxResults"></a>
The maximum number of IdPs that you want Amazon Cognito to return in the response.  
Type: Integer  
Valid Range: Minimum value of 0. Maximum value of 60.  
Required: No

 ** [NextToken](#API_ListIdentityProviders_RequestSyntax) **   <a name="CognitoUserPools-ListIdentityProviders-request-NextToken"></a>
This API operation returns a limited number of results. The pagination token is an identifier that you can present in an additional API request with the same parameters. When you include the pagination token, Amazon Cognito returns the next set of items after the current list. Subsequent requests return a new pagination token. By use of this token, you can paginate through the full list of items.  
Type: String  
Length Constraints: Minimum length of 1.  
Pattern: `[\S]+`   
Required: No

 ** [UserPoolId](#API_ListIdentityProviders_RequestSyntax) **   <a name="CognitoUserPools-ListIdentityProviders-request-UserPoolId"></a>
The ID of the user pool where you want to list IdPs.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 55.  
Pattern: `[\w-]+_[0-9a-zA-Z]+`   
Required: Yes

## Response Syntax


```
{
   "NextToken": "string",
   "Providers": [ 
      { 
         "CreationDate": number,
         "LastModifiedDate": number,
         "ProviderName": "string",
         "ProviderType": "string"
      }
   ]
}
```

## Response Elements


If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

 ** [NextToken](#API_ListIdentityProviders_ResponseSyntax) **   <a name="CognitoUserPools-ListIdentityProviders-response-NextToken"></a>
The identifier that Amazon Cognito returned with the previous request to this operation. When you include a pagination token in your request, Amazon Cognito returns the next set of items in the list. By use of this token, you can paginate through the full list of items.  
Type: String  
Length Constraints: Minimum length of 1.  
Pattern: `[\S]+` 

 ** [Providers](#API_ListIdentityProviders_ResponseSyntax) **   <a name="CognitoUserPools-ListIdentityProviders-response-Providers"></a>
An array of the IdPs in your user pool. For each, the response includes identifiers, the IdP name and type, and trust-relationship details like the issuer URL.  
Type: Array of [ProviderDescription](API_ProviderDescription.md) objects  
Array Members: Minimum number of 0 items. Maximum number of 50 items.

## Errors


For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).

 ** InternalErrorException **   
This exception is thrown when Amazon Cognito encounters an internal error.    
 ** message **   
The message returned when Amazon Cognito throws an internal error exception.
HTTP Status Code: 500

 ** InvalidParameterException **   
This exception is thrown when the Amazon Cognito service encounters an invalid parameter.    
 ** message **   
The message returned when the Amazon Cognito service throws an invalid parameter exception.  
 ** reasonCode **   
The reason code of the exception.
HTTP Status Code: 400

 ** NotAuthorizedException **   
This exception is thrown when a user isn't authorized.    
 ** message **   
The message returned when the Amazon Cognito service returns a not authorized exception.
HTTP Status Code: 400

 ** ResourceNotFoundException **   
This exception is thrown when the Amazon Cognito service can't find the requested resource.    
 ** message **   
The message returned when the Amazon Cognito service returns a resource not found exception.
HTTP Status Code: 400

 ** TooManyRequestsException **   
This exception is thrown when the user has made too many requests for a given operation.    
 ** message **   
The message returned when the Amazon Cognito service returns a too many requests exception.
HTTP Status Code: 400

## Examples


### Example


The following example request returns the two configured IdPs in the requested user pool.

#### Sample Request


```
POST HTTP/1.1
Host: cognito-idp.us-west-2.amazonaws.com
X-Amz-Date: 20230613T200059Z
Accept-Encoding: gzip, deflate, br
X-Amz-Target: AWSCognitoIdentityProviderService.ListIdentityProviders
User-Agent: <UserAgentString>
Authorization: AWS4-HMAC-SHA256 Credential=<Credential>, SignedHeaders=<Headers>, Signature=<Signature>
Content-Length: <PayloadSizeBytes>
{
    "UserPoolId": "us-west-2_EXAMPLE"
}
```

#### Sample Response


```
HTTP/1.1 200 OK
Date: Tue, 13 Jun 2023 20:00:59 GMT
Content-Type: application/x-amz-json-1.0
Content-Length: <PayloadSizeBytes>
x-amzn-requestid: a1b2c3d4-e5f6-a1b2-c3d4-EXAMPLE11111
Connection: keep-alive
{
    "Providers": [
        {
            "CreationDate": 1619477386.504,
            "LastModifiedDate": 1703798328.142,
            "ProviderName": "Azure",
            "ProviderType": "SAML"
        },
        {
            "CreationDate": 1642698776.175,
            "LastModifiedDate": 1642699086.453,
            "ProviderName": "LoginWithAmazon",
            "ProviderType": "LoginWithAmazon"
        }
    ]
}
```

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cognito-idp-2016-04-18/ListIdentityProviders) 
+  [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cognito-idp-2016-04-18/ListIdentityProviders) 
+  [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/ListIdentityProviders) 
+  [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cognito-idp-2016-04-18/ListIdentityProviders) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/ListIdentityProviders) 
+  [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cognito-idp-2016-04-18/ListIdentityProviders) 
+  [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cognito-idp-2016-04-18/ListIdentityProviders) 
+  [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cognito-idp-2016-04-18/ListIdentityProviders) 
+  [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/ListIdentityProviders) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cognito-idp-2016-04-18/ListIdentityProviders) 

# ListResourceServers


Given a user pool ID, returns all resource servers and their details. For more information about resource servers, see [Access control with resource servers](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-define-resource-servers.html).

**Note**  
Amazon Cognito evaluates AWS Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.  
 [Signing AWS API Requests](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html) 
 [Using the Amazon Cognito user pools API and user pool endpoints](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html) 

## Request Syntax


```
{
   "MaxResults": number,
   "NextToken": "string",
   "UserPoolId": "string"
}
```

## Request Parameters


For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).

The request accepts the following data in JSON format.

 ** [MaxResults](#API_ListResourceServers_RequestSyntax) **   <a name="CognitoUserPools-ListResourceServers-request-MaxResults"></a>
The maximum number of resource servers that you want Amazon Cognito to return in the response.  
Type: Integer  
Valid Range: Minimum value of 1. Maximum value of 50.  
Required: No

 ** [NextToken](#API_ListResourceServers_RequestSyntax) **   <a name="CognitoUserPools-ListResourceServers-request-NextToken"></a>
This API operation returns a limited number of results. The pagination token is an identifier that you can present in an additional API request with the same parameters. When you include the pagination token, Amazon Cognito returns the next set of items after the current list. Subsequent requests return a new pagination token. By use of this token, you can paginate through the full list of items.  
Type: String  
Length Constraints: Minimum length of 1.  
Pattern: `[\S]+`   
Required: No

 ** [UserPoolId](#API_ListResourceServers_RequestSyntax) **   <a name="CognitoUserPools-ListResourceServers-request-UserPoolId"></a>
The ID of the user pool where you want to list resource servers.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 55.  
Pattern: `[\w-]+_[0-9a-zA-Z]+`   
Required: Yes

## Response Syntax


```
{
   "NextToken": "string",
   "ResourceServers": [ 
      { 
         "Identifier": "string",
         "Name": "string",
         "Scopes": [ 
            { 
               "ScopeDescription": "string",
               "ScopeName": "string"
            }
         ],
         "UserPoolId": "string"
      }
   ]
}
```

## Response Elements


If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

 ** [NextToken](#API_ListResourceServers_ResponseSyntax) **   <a name="CognitoUserPools-ListResourceServers-response-NextToken"></a>
The identifier that Amazon Cognito returned with the previous request to this operation. When you include a pagination token in your request, Amazon Cognito returns the next set of items in the list. By use of this token, you can paginate through the full list of items.  
Type: String  
Length Constraints: Minimum length of 1.  
Pattern: `[\S]+` 

 ** [ResourceServers](#API_ListResourceServers_ResponseSyntax) **   <a name="CognitoUserPools-ListResourceServers-response-ResourceServers"></a>
An array of resource servers and the details of their configuration. For each, the response includes names, identifiers, and custom scopes.  
Type: Array of [ResourceServerType](API_ResourceServerType.md) objects

## Errors


For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).

 ** InternalErrorException **   
This exception is thrown when Amazon Cognito encounters an internal error.    
 ** message **   
The message returned when Amazon Cognito throws an internal error exception.
HTTP Status Code: 500

 ** InvalidParameterException **   
This exception is thrown when the Amazon Cognito service encounters an invalid parameter.    
 ** message **   
The message returned when the Amazon Cognito service throws an invalid parameter exception.  
 ** reasonCode **   
The reason code of the exception.
HTTP Status Code: 400

 ** NotAuthorizedException **   
This exception is thrown when a user isn't authorized.    
 ** message **   
The message returned when the Amazon Cognito service returns a not authorized exception.
HTTP Status Code: 400

 ** ResourceNotFoundException **   
This exception is thrown when the Amazon Cognito service can't find the requested resource.    
 ** message **   
The message returned when the Amazon Cognito service returns a resource not found exception.
HTTP Status Code: 400

 ** TooManyRequestsException **   
This exception is thrown when the user has made too many requests for a given operation.    
 ** message **   
The message returned when the Amazon Cognito service returns a too many requests exception.
HTTP Status Code: 400

## Examples


### Example


The following example request returns the two configured resource servers in the requested user pool.

#### Sample Request


```
POST HTTP/1.1
Host: cognito-idp.us-west-2.amazonaws.com
X-Amz-Date: 20230613T200059Z
Accept-Encoding: gzip, deflate, br
X-Amz-Target: AWSCognitoIdentityProviderService.ListResourceServers
User-Agent: <UserAgentString>
Authorization: AWS4-HMAC-SHA256 Credential=<Credential>, SignedHeaders=<Headers>, Signature=<Signature>
Content-Length: <PayloadSizeBytes>
{
    "UserPoolId": "us-west-2_EXAMPLE"
}
```

#### Sample Response


```
HTTP/1.1 200 OK
Date: Tue, 13 Jun 2023 20:00:59 GMT
Content-Type: application/x-amz-json-1.0
Content-Length: <PayloadSizeBytes>
x-amzn-requestid: a1b2c3d4-e5f6-a1b2-c3d4-EXAMPLE11111
Connection: keep-alive
{
    "ResourceServers": [
        {
            "Identifier": "myapi.example.com",
            "Name": "Example API with custom access control scopes",
            "Scopes": [
                {
                    "ScopeDescription": "International customers",
                    "ScopeName": "international.read"
                },
                {
                    "ScopeDescription": "Domestic customers",
                    "ScopeName": "domestic.read"
                }
            ],
            "UserPoolId": "us-west-2_EXAMPLE"
        },
        {
            "Identifier": "myapi2.example.com",
            "Name": "Another example API for access control",
            "Scopes": [
                {
                    "ScopeDescription": "B2B customers",
                    "ScopeName": "b2b.read"
                }
            ],
            "UserPoolId": "us-west-2_EXAMPLE"
        }
    ]
}
```

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cognito-idp-2016-04-18/ListResourceServers) 
+  [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cognito-idp-2016-04-18/ListResourceServers) 
+  [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/ListResourceServers) 
+  [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cognito-idp-2016-04-18/ListResourceServers) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/ListResourceServers) 
+  [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cognito-idp-2016-04-18/ListResourceServers) 
+  [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cognito-idp-2016-04-18/ListResourceServers) 
+  [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cognito-idp-2016-04-18/ListResourceServers) 
+  [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/ListResourceServers) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cognito-idp-2016-04-18/ListResourceServers) 

# ListTagsForResource


Lists the tags that are assigned to an Amazon Cognito user pool. For more information, see [Tagging resources](https://docs.aws.amazon.com/cognito/latest/developerguide/tagging.html).

## Request Syntax


```
{
   "ResourceArn": "string"
}
```

## Request Parameters


For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).

The request accepts the following data in JSON format.

 ** [ResourceArn](#API_ListTagsForResource_RequestSyntax) **   <a name="CognitoUserPools-ListTagsForResource-request-ResourceArn"></a>
The Amazon Resource Name (ARN) of the user pool that the tags are assigned to.  
Type: String  
Length Constraints: Minimum length of 20. Maximum length of 2048.  
Pattern: `arn:[\w+=/,.@-]+:[\w+=/,.@-]+:([\w+=/,.@-]*)?:[0-9]+:[\w+=/,.@-]+(:[\w+=/,.@-]+)?(:[\w+=/,.@-]+)?`   
Required: Yes

## Response Syntax


```
{
   "Tags": { 
      "string" : "string" 
   }
}
```

## Response Elements


If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

 ** [Tags](#API_ListTagsForResource_ResponseSyntax) **   <a name="CognitoUserPools-ListTagsForResource-response-Tags"></a>
The tags that are assigned to the user pool.  
Type: String to string map  
Key Length Constraints: Minimum length of 1. Maximum length of 128.  
Value Length Constraints: Minimum length of 0. Maximum length of 256.

## Errors


For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).

 ** InternalErrorException **   
This exception is thrown when Amazon Cognito encounters an internal error.    
 ** message **   
The message returned when Amazon Cognito throws an internal error exception.
HTTP Status Code: 500

 ** InvalidParameterException **   
This exception is thrown when the Amazon Cognito service encounters an invalid parameter.    
 ** message **   
The message returned when the Amazon Cognito service throws an invalid parameter exception.  
 ** reasonCode **   
The reason code of the exception.
HTTP Status Code: 400

 ** NotAuthorizedException **   
This exception is thrown when a user isn't authorized.    
 ** message **   
The message returned when the Amazon Cognito service returns a not authorized exception.
HTTP Status Code: 400

 ** ResourceNotFoundException **   
This exception is thrown when the Amazon Cognito service can't find the requested resource.    
 ** message **   
The message returned when the Amazon Cognito service returns a resource not found exception.
HTTP Status Code: 400

 ** TooManyRequestsException **   
This exception is thrown when the user has made too many requests for a given operation.    
 ** message **   
The message returned when the Amazon Cognito service returns a too many requests exception.
HTTP Status Code: 400

## Examples


### Example


The following example request returns the tag keys and values for the requested user pool.

#### Sample Request


```
POST HTTP/1.1
Host: cognito-idp.us-west-2.amazonaws.com
X-Amz-Date: 20230613T200059Z
Accept-Encoding: gzip, deflate, br
X-Amz-Target: AWSCognitoIdentityProviderService.ListTagsForResource
User-Agent: <UserAgentString>
Authorization: AWS4-HMAC-SHA256 Credential=<Credential>, SignedHeaders=<Headers>, Signature=<Signature>
Content-Length: <PayloadSizeBytes>
{
   "ResourceArn": "arn:aws:cognito-idp:us-west-2:123456789012:userpool/us-west-2_EXAMPLE"
}
```

#### Sample Response


```
HTTP/1.1 200 OK
Date: Tue, 13 Jun 2023 20:00:59 GMT
Content-Type: application/x-amz-json-1.0
Content-Length: <PayloadSizeBytes>
x-amzn-requestid: a1b2c3d4-e5f6-a1b2-c3d4-EXAMPLE11111
Connection: keep-alive
{
    "Tags": {
        "administrator": "Jie",
        "tenant": "ExampleCorp"
    }
}
```

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cognito-idp-2016-04-18/ListTagsForResource) 
+  [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cognito-idp-2016-04-18/ListTagsForResource) 
+  [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/ListTagsForResource) 
+  [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cognito-idp-2016-04-18/ListTagsForResource) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/ListTagsForResource) 
+  [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cognito-idp-2016-04-18/ListTagsForResource) 
+  [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cognito-idp-2016-04-18/ListTagsForResource) 
+  [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cognito-idp-2016-04-18/ListTagsForResource) 
+  [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/ListTagsForResource) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cognito-idp-2016-04-18/ListTagsForResource) 

# ListTerms


Returns details about all terms documents for the requested user pool.

**Note**  
Amazon Cognito evaluates AWS Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.  
 [Signing AWS API Requests](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html) 
 [Using the Amazon Cognito user pools API and user pool endpoints](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html) 

## Request Syntax


```
{
   "MaxResults": number,
   "NextToken": "string",
   "UserPoolId": "string"
}
```

## Request Parameters


For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).

The request accepts the following data in JSON format.

 ** [MaxResults](#API_ListTerms_RequestSyntax) **   <a name="CognitoUserPools-ListTerms-request-MaxResults"></a>
The maximum number of terms documents that you want Amazon Cognito to return in the response.  
Type: Integer  
Valid Range: Minimum value of 1. Maximum value of 60.  
Required: No

 ** [NextToken](#API_ListTerms_RequestSyntax) **   <a name="CognitoUserPools-ListTerms-request-NextToken"></a>
This API operation returns a limited number of results. The pagination token is an identifier that you can present in an additional API request with the same parameters. When you include the pagination token, Amazon Cognito returns the next set of items after the current list. Subsequent requests return a new pagination token. By use of this token, you can paginate through the full list of items.  
Type: String  
Length Constraints: Minimum length of 0. Maximum length of 131072.  
Required: No

 ** [UserPoolId](#API_ListTerms_RequestSyntax) **   <a name="CognitoUserPools-ListTerms-request-UserPoolId"></a>
The ID of the user pool where you want to list terms documents.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 55.  
Pattern: `[\w-]+_[0-9a-zA-Z]+`   
Required: Yes

## Response Syntax


```
{
   "NextToken": "string",
   "Terms": [ 
      { 
         "CreationDate": number,
         "Enforcement": "string",
         "LastModifiedDate": number,
         "TermsId": "string",
         "TermsName": "string"
      }
   ]
}
```

## Response Elements


If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

 ** [NextToken](#API_ListTerms_ResponseSyntax) **   <a name="CognitoUserPools-ListTerms-response-NextToken"></a>
This API operation returns a limited number of results. The pagination token is an identifier that you can present in an additional API request with the same parameters. When you include the pagination token, Amazon Cognito returns the next set of items after the current list. Subsequent requests return a new pagination token. By use of this token, you can paginate through the full list of items.  
Type: String  
Length Constraints: Minimum length of 0. Maximum length of 131072.

 ** [Terms](#API_ListTerms_ResponseSyntax) **   <a name="CognitoUserPools-ListTerms-response-Terms"></a>
A summary of the requested terms documents. Includes unique identifiers for later changes to the terms documents.  
Type: Array of [TermsDescriptionType](API_TermsDescriptionType.md) objects

## Errors


For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).

 ** InternalErrorException **   
This exception is thrown when Amazon Cognito encounters an internal error.    
 ** message **   
The message returned when Amazon Cognito throws an internal error exception.
HTTP Status Code: 500

 ** InvalidParameterException **   
This exception is thrown when the Amazon Cognito service encounters an invalid parameter.    
 ** message **   
The message returned when the Amazon Cognito service throws an invalid parameter exception.  
 ** reasonCode **   
The reason code of the exception.
HTTP Status Code: 400

 ** NotAuthorizedException **   
This exception is thrown when a user isn't authorized.    
 ** message **   
The message returned when the Amazon Cognito service returns a not authorized exception.
HTTP Status Code: 400

 ** ResourceNotFoundException **   
This exception is thrown when the Amazon Cognito service can't find the requested resource.    
 ** message **   
The message returned when the Amazon Cognito service returns a resource not found exception.
HTTP Status Code: 400

 ** TooManyRequestsException **   
This exception is thrown when the user has made too many requests for a given operation.    
 ** message **   
The message returned when the Amazon Cognito service returns a too many requests exception.
HTTP Status Code: 400

## Examples


### Example


The following example operation lists all terms documents for a user pool.

#### Sample Request


```
POST HTTP/1.1
Host: cognito-idp.us-west-2.amazonaws.com
X-Amz-Date: 20230613T200059Z
Accept-Encoding: gzip, deflate, br
X-Amz-Target: AWSCognitoIdentityProviderService.ListTerms
User-Agent: <UserAgentString>
Authorization: AWS4-HMAC-SHA256 Credential=<Credential>, SignedHeaders=<Headers>, Signature=<Signature>
Content-Length: <PayloadSizeBytes>

{
   "UserPoolId": "us-east-1_EXAMPLE",
   "MaxResults": 10
}
```

#### Sample Response


```
HTTP/1.1 200 OK
Date: Tue, 13 Jun 2023 20:00:59 GMT
Content-Type: application/x-amz-json-1.0
Content-Length: <PayloadSizeBytes>
x-amzn-requestid: a1b2c3d4-e5f6-a1b2-c3d4-EXAMPLE11111
Connection: keep-alive

{
    "Terms": [
        {
            "CreationDate": 1755795432.101,
            "Enforcement": "NONE",
            "LastModifiedDate": 1755795478.934,
            "TermsId": "b2c3d4e5-6789-01bc-def0-EXAMPLE22222",
            "TermsName": "terms-of-use"
        },
        {
            "CreationDate": 1755796023.445,
            "Enforcement": "NONE",
            "LastModifiedDate": 1755796089.712,
            "TermsId": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
            "TermsName": "privacy-policy"
        }
    ]
}
```

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cognito-idp-2016-04-18/ListTerms) 
+  [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cognito-idp-2016-04-18/ListTerms) 
+  [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/ListTerms) 
+  [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cognito-idp-2016-04-18/ListTerms) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/ListTerms) 
+  [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cognito-idp-2016-04-18/ListTerms) 
+  [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cognito-idp-2016-04-18/ListTerms) 
+  [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cognito-idp-2016-04-18/ListTerms) 
+  [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/ListTerms) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cognito-idp-2016-04-18/ListTerms) 

# ListUserImportJobs


Given a user pool ID, returns user import jobs and their details. Import jobs are retained in user pool configuration so that you can stage, stop, start, review, and delete them. For more information about user import, see [Importing users from a CSV file](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-using-import-tool.html).

**Note**  
Amazon Cognito evaluates AWS Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.  
 [Signing AWS API Requests](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html) 
 [Using the Amazon Cognito user pools API and user pool endpoints](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html) 

## Request Syntax


```
{
   "MaxResults": number,
   "PaginationToken": "string",
   "UserPoolId": "string"
}
```

## Request Parameters


For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).

The request accepts the following data in JSON format.

 ** [MaxResults](#API_ListUserImportJobs_RequestSyntax) **   <a name="CognitoUserPools-ListUserImportJobs-request-MaxResults"></a>
The maximum number of import jobs that you want Amazon Cognito to return in the response.  
Type: Integer  
Valid Range: Minimum value of 1. Maximum value of 60.  
Required: Yes

 ** [PaginationToken](#API_ListUserImportJobs_RequestSyntax) **   <a name="CognitoUserPools-ListUserImportJobs-request-PaginationToken"></a>
This API operation returns a limited number of results. The pagination token is an identifier that you can present in an additional API request with the same parameters. When you include the pagination token, Amazon Cognito returns the next set of items after the current list. Subsequent requests return a new pagination token. By use of this token, you can paginate through the full list of items.  
Type: String  
Length Constraints: Minimum length of 1.  
Pattern: `[\S]+`   
Required: No

 ** [UserPoolId](#API_ListUserImportJobs_RequestSyntax) **   <a name="CognitoUserPools-ListUserImportJobs-request-UserPoolId"></a>
The ID of the user pool where you want to list import jobs.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 55.  
Pattern: `[\w-]+_[0-9a-zA-Z]+`   
Required: Yes

## Response Syntax


```
{
   "PaginationToken": "string",
   "UserImportJobs": [ 
      { 
         "CloudWatchLogsRoleArn": "string",
         "CompletionDate": number,
         "CompletionMessage": "string",
         "CreationDate": number,
         "FailedUsers": number,
         "ImportedUsers": number,
         "JobId": "string",
         "JobName": "string",
         "PreSignedUrl": "string",
         "SkippedUsers": number,
         "StartDate": number,
         "Status": "string",
         "UserPoolId": "string"
      }
   ]
}
```

## Response Elements


If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

 ** [PaginationToken](#API_ListUserImportJobs_ResponseSyntax) **   <a name="CognitoUserPools-ListUserImportJobs-response-PaginationToken"></a>
The identifier that Amazon Cognito returned with the previous request to this operation. When you include a pagination token in your request, Amazon Cognito returns the next set of items in the list. By use of this token, you can paginate through the full list of items.  
Type: String  
Length Constraints: Minimum length of 1.  
Pattern: `[\S]+` 

 ** [UserImportJobs](#API_ListUserImportJobs_ResponseSyntax) **   <a name="CognitoUserPools-ListUserImportJobs-response-UserImportJobs"></a>
An array of user import jobs from the requested user pool. For each, the response includes logging destination, status, and the Amazon S3 pre-signed URL for CSV upload.  
Type: Array of [UserImportJobType](API_UserImportJobType.md) objects  
Array Members: Minimum number of 1 item. Maximum number of 50 items.

## Errors


For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).

 ** InternalErrorException **   
This exception is thrown when Amazon Cognito encounters an internal error.    
 ** message **   
The message returned when Amazon Cognito throws an internal error exception.
HTTP Status Code: 500

 ** InvalidParameterException **   
This exception is thrown when the Amazon Cognito service encounters an invalid parameter.    
 ** message **   
The message returned when the Amazon Cognito service throws an invalid parameter exception.  
 ** reasonCode **   
The reason code of the exception.
HTTP Status Code: 400

 ** NotAuthorizedException **   
This exception is thrown when a user isn't authorized.    
 ** message **   
The message returned when the Amazon Cognito service returns a not authorized exception.
HTTP Status Code: 400

 ** ResourceNotFoundException **   
This exception is thrown when the Amazon Cognito service can't find the requested resource.    
 ** message **   
The message returned when the Amazon Cognito service returns a resource not found exception.
HTTP Status Code: 400

 ** TooManyRequestsException **   
This exception is thrown when the user has made too many requests for a given operation.    
 ** message **   
The message returned when the Amazon Cognito service returns a too many requests exception.
HTTP Status Code: 400

## Examples


### Example


The following example request returns the first three import jobs in the requested user pool.

#### Sample Request


```
POST HTTP/1.1
Host: cognito-idp.us-west-2.amazonaws.com
X-Amz-Date: 20230613T200059Z
Accept-Encoding: gzip, deflate, br
X-Amz-Target: AWSCognitoIdentityProviderService.ListUserImportJobs
User-Agent: <UserAgentString>
Authorization: AWS4-HMAC-SHA256 Credential=<Credential>, SignedHeaders=<Headers>, Signature=<Signature>
Content-Length: <PayloadSizeBytes>
{
    "UserPoolId": "us-west-2_EXAMPLE",
    "MaxResults": 3
}
```

#### Sample Response


```
HTTP/1.1 200 OK
Date: Tue, 13 Jun 2023 20:00:59 GMT
Content-Type: application/x-amz-json-1.0
Content-Length: <PayloadSizeBytes>
x-amzn-requestid: a1b2c3d4-e5f6-a1b2-c3d4-EXAMPLE11111
Connection: keep-alive
{
    "PaginationToken": "us-west-2_EXAMPLE#import-example3#1667948397084",
    "UserImportJobs": [
        {
            "CloudWatchLogsRoleArn": "arn:aws:iam::123456789012:role/service-role/Cognito-UserImport-Role",
            "CompletionDate": 1735329786.142,
            "CompletionMessage": "The user import job has expired.",
            "CreationDate": 1735241621.022,
            "FailedUsers": 0,
            "ImportedUsers": 0,
            "JobId": "import-example1",
            "JobName": "Test-import-job-1",
            "PreSignedUrl": "https://aws-cognito-idp-user-import-pdx.s3.us-west-2.amazonaws.com/123456789012/us-west-2_EXAMPLE/import-mAgUtd8PMm?X-Amz-Security-Token=[token]&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20241226T193341Z&X-Amz-SignedHeaders=host%3Bx-amz-server-side-encryption&X-Amz-Expires=899&X-Amz-Credential=[credential]&X-Amz-Signature=[signature]",
            "SkippedUsers": 0,
            "Status": "Expired",
            "UserPoolId": "us-west-2_EXAMPLE"
        },
        {
            "CloudWatchLogsRoleArn": "arn:aws:iam::123456789012:role/service-role/Cognito-UserImport-Role",
            "CompletionDate": 1681509058.408,
            "CompletionMessage": "Too many users have failed or been skipped during the import.",
            "CreationDate": 1681509001.477,
            "FailedUsers": 1,
            "ImportedUsers": 0,
            "JobId": "import-example2",
            "JobName": "Test-import-job-2",
            "PreSignedUrl": "https://aws-cognito-idp-user-import-pdx.s3.us-west-2.amazonaws.com/123456789012/us-west-2_EXAMPLE/import-mAgUtd8PMm?X-Amz-Security-Token=[token]&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20241226T193341Z&X-Amz-SignedHeaders=host%3Bx-amz-server-side-encryption&X-Amz-Expires=899&X-Amz-Credential=[credential]&X-Amz-Signature=[signature]",
            "SkippedUsers": 0,
            "StartDate": 1681509057.965,
            "Status": "Failed",
            "UserPoolId": "us-west-2_EXAMPLE"
        },
        {
            "CloudWatchLogsRoleArn": "arn:aws:iam::123456789012:role/service-role/Cognito-UserImport-Role",
            "CompletionDate": 1.667864578676E9,
            "CompletionMessage": "Import Job Completed Successfully.",
            "CreationDate": 1.667864480281E9,
            "FailedUsers": 0,
            "ImportedUsers": 6,
            "JobId": "import-example3",
            "JobName": "Test-import-job-3",
            "PreSignedUrl": "https://aws-cognito-idp-user-import-pdx.s3.us-west-2.amazonaws.com/123456789012/us-west-2_EXAMPLE/import-mAgUtd8PMm?X-Amz-Security-Token=[token]&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20241226T193341Z&X-Amz-SignedHeaders=host%3Bx-amz-server-side-encryption&X-Amz-Expires=899&X-Amz-Credential=[credential]&X-Amz-Signature=[signature]",
            "SkippedUsers": 0,
            "StartDate": 1.667864578167E9,
            "Status": "Succeeded",
            "UserPoolId": "us-west-2_EXAMPLE"
        }
    ]
}
```

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cognito-idp-2016-04-18/ListUserImportJobs) 
+  [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cognito-idp-2016-04-18/ListUserImportJobs) 
+  [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/ListUserImportJobs) 
+  [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cognito-idp-2016-04-18/ListUserImportJobs) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/ListUserImportJobs) 
+  [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cognito-idp-2016-04-18/ListUserImportJobs) 
+  [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cognito-idp-2016-04-18/ListUserImportJobs) 
+  [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cognito-idp-2016-04-18/ListUserImportJobs) 
+  [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/ListUserImportJobs) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cognito-idp-2016-04-18/ListUserImportJobs) 

# ListUserPoolClients


Given a user pool ID, lists app clients. App clients are sets of rules for the access that you want a user pool to grant to one application. For more information, see [App clients](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-client-apps.html).

**Note**  
Amazon Cognito evaluates AWS Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.  
 [Signing AWS API Requests](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html) 
 [Using the Amazon Cognito user pools API and user pool endpoints](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html) 

## Request Syntax


```
{
   "MaxResults": number,
   "NextToken": "string",
   "UserPoolId": "string"
}
```

## Request Parameters


For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).

The request accepts the following data in JSON format.

 ** [MaxResults](#API_ListUserPoolClients_RequestSyntax) **   <a name="CognitoUserPools-ListUserPoolClients-request-MaxResults"></a>
The maximum number of app clients that you want Amazon Cognito to return in the response.  
Type: Integer  
Valid Range: Minimum value of 1. Maximum value of 60.  
Required: No

 ** [NextToken](#API_ListUserPoolClients_RequestSyntax) **   <a name="CognitoUserPools-ListUserPoolClients-request-NextToken"></a>
This API operation returns a limited number of results. The pagination token is an identifier that you can present in an additional API request with the same parameters. When you include the pagination token, Amazon Cognito returns the next set of items after the current list. Subsequent requests return a new pagination token. By use of this token, you can paginate through the full list of items.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 131072.  
Pattern: `[\S]+`   
Required: No

 ** [UserPoolId](#API_ListUserPoolClients_RequestSyntax) **   <a name="CognitoUserPools-ListUserPoolClients-request-UserPoolId"></a>
The ID of the user pool where you want to list user pool clients.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 55.  
Pattern: `[\w-]+_[0-9a-zA-Z]+`   
Required: Yes

## Response Syntax


```
{
   "NextToken": "string",
   "UserPoolClients": [ 
      { 
         "ClientId": "string",
         "ClientName": "string",
         "UserPoolId": "string"
      }
   ]
}
```

## Response Elements


If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

 ** [NextToken](#API_ListUserPoolClients_ResponseSyntax) **   <a name="CognitoUserPools-ListUserPoolClients-response-NextToken"></a>
The identifier that Amazon Cognito returned with the previous request to this operation. When you include a pagination token in your request, Amazon Cognito returns the next set of items in the list. By use of this token, you can paginate through the full list of items.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 131072.  
Pattern: `[\S]+` 

 ** [UserPoolClients](#API_ListUserPoolClients_ResponseSyntax) **   <a name="CognitoUserPools-ListUserPoolClients-response-UserPoolClients"></a>
An array of app clients and their details. Includes app client ID and name.  
To get more information about one app client, retrieve an app client ID and add it to a [DescribeUserPoolClient](API_DescribeUserPoolClient.md) request.  
Type: Array of [UserPoolClientDescription](API_UserPoolClientDescription.md) objects

## Errors


For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).

 ** InternalErrorException **   
This exception is thrown when Amazon Cognito encounters an internal error.    
 ** message **   
The message returned when Amazon Cognito throws an internal error exception.
HTTP Status Code: 500

 ** InvalidParameterException **   
This exception is thrown when the Amazon Cognito service encounters an invalid parameter.    
 ** message **   
The message returned when the Amazon Cognito service throws an invalid parameter exception.  
 ** reasonCode **   
The reason code of the exception.
HTTP Status Code: 400

 ** NotAuthorizedException **   
This exception is thrown when a user isn't authorized.    
 ** message **   
The message returned when the Amazon Cognito service returns a not authorized exception.
HTTP Status Code: 400

 ** ResourceNotFoundException **   
This exception is thrown when the Amazon Cognito service can't find the requested resource.    
 ** message **   
The message returned when the Amazon Cognito service returns a resource not found exception.
HTTP Status Code: 400

 ** TooManyRequestsException **   
This exception is thrown when the user has made too many requests for a given operation.    
 ** message **   
The message returned when the Amazon Cognito service returns a too many requests exception.
HTTP Status Code: 400

## Examples


### Example


The following example request returns the first three app clients in the requested user pool.

#### Sample Request


```
POST HTTP/1.1
Host: cognito-idp.us-west-2.amazonaws.com
X-Amz-Date: 20230613T200059Z
Accept-Encoding: gzip, deflate, br
X-Amz-Target: AWSCognitoIdentityProviderService.ListUserPoolClients
User-Agent: <UserAgentString>
Authorization: AWS4-HMAC-SHA256 Credential=<Credential>, SignedHeaders=<Headers>, Signature=<Signature>
Content-Length: <PayloadSizeBytes>
{
   "MaxResults": 3,
   "UserPoolId": "us-west-2_EXAMPLE"
}
```

#### Sample Response


```
HTTP/1.1 200 OK
Date: Tue, 13 Jun 2023 20:00:59 GMT
Content-Type: application/x-amz-json-1.0
Content-Length: <PayloadSizeBytes>
x-amzn-requestid: a1b2c3d4-e5f6-a1b2-c3d4-EXAMPLE11111
Connection: keep-alive
{
    "NextToken": "[Pagination token]",
    "UserPoolClients": [
        {
            "ClientId": "1example23456789",
            "ClientName": "app-client-1",
            "UserPoolId": "us-west-2_EXAMPLE"
        },
        {
            "ClientId": "2example34567890",
            "ClientName": "app-client-2",
            "UserPoolId": "us-west-2_EXAMPLE"
        },
        {
            "ClientId": "3example45678901",
            "ClientName": "app-client-3",
            "UserPoolId": "us-west-2_EXAMPLE"
        }
    ]
}
```

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cognito-idp-2016-04-18/ListUserPoolClients) 
+  [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cognito-idp-2016-04-18/ListUserPoolClients) 
+  [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/ListUserPoolClients) 
+  [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cognito-idp-2016-04-18/ListUserPoolClients) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/ListUserPoolClients) 
+  [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cognito-idp-2016-04-18/ListUserPoolClients) 
+  [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cognito-idp-2016-04-18/ListUserPoolClients) 
+  [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cognito-idp-2016-04-18/ListUserPoolClients) 
+  [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/ListUserPoolClients) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cognito-idp-2016-04-18/ListUserPoolClients) 

# ListUserPoolClientSecrets


Lists all client secrets associated with a user pool app client. Returns metadata about the secrets. The response does not include pagination tokens as there are only 2 secrets at any given time and we return both with every ListUserPoolClientSecrets call. For security reasons, the response never reveals the actual secret value in ClientSecretValue.

## Request Syntax


```
{
   "ClientId": "string",
   "UserPoolId": "string"
}
```

## Request Parameters


For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).

The request accepts the following data in JSON format.

 ** [ClientId](#API_ListUserPoolClientSecrets_RequestSyntax) **   <a name="CognitoUserPools-ListUserPoolClientSecrets-request-ClientId"></a>
The ID of the app client whose secrets you want to list.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 128.  
Pattern: `[\w+]+`   
Required: Yes

 ** [UserPoolId](#API_ListUserPoolClientSecrets_RequestSyntax) **   <a name="CognitoUserPools-ListUserPoolClientSecrets-request-UserPoolId"></a>
The ID of the user pool that contains the app client.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 55.  
Pattern: `[\w-]+_[0-9a-zA-Z]+`   
Required: Yes

## Response Syntax


```
{
   "ClientSecrets": [ 
      { 
         "ClientSecretCreateDate": number,
         "ClientSecretId": "string"
      }
   ]
}
```

## Response Elements


If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

 ** [ClientSecrets](#API_ListUserPoolClientSecrets_ResponseSyntax) **   <a name="CognitoUserPools-ListUserPoolClientSecrets-response-ClientSecrets"></a>
A list of client secret descriptors containing the identifier and creation date for each secret. For security reasons, the response never reveals the actual secret value in ClientSecretValue.  
Type: Array of [ClientSecretListDescriptorType](API_ClientSecretListDescriptorType.md) objects

## Errors


For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).

 ** InternalServerException **   
This exception is thrown when Amazon Cognito encounters an internal server error.  
HTTP Status Code: 500

 ** InvalidParameterException **   
This exception is thrown when the Amazon Cognito service encounters an invalid parameter.    
 ** message **   
The message returned when the Amazon Cognito service throws an invalid parameter exception.  
 ** reasonCode **   
The reason code of the exception.
HTTP Status Code: 400

 ** LimitExceededException **   
This exception is thrown when a user exceeds the limit for a requested AWS resource.    
 ** message **   
The message returned when Amazon Cognito throws a limit exceeded exception.
HTTP Status Code: 400

 ** ResourceNotFoundException **   
This exception is thrown when the Amazon Cognito service can't find the requested resource.    
 ** message **   
The message returned when the Amazon Cognito service returns a resource not found exception.
HTTP Status Code: 400

 ** TooManyRequestsException **   
This exception is thrown when the user has made too many requests for a given operation.    
 ** message **   
The message returned when the Amazon Cognito service returns a too many requests exception.
HTTP Status Code: 400

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cognito-idp-2016-04-18/ListUserPoolClientSecrets) 
+  [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cognito-idp-2016-04-18/ListUserPoolClientSecrets) 
+  [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/ListUserPoolClientSecrets) 
+  [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cognito-idp-2016-04-18/ListUserPoolClientSecrets) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/ListUserPoolClientSecrets) 
+  [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cognito-idp-2016-04-18/ListUserPoolClientSecrets) 
+  [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cognito-idp-2016-04-18/ListUserPoolClientSecrets) 
+  [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cognito-idp-2016-04-18/ListUserPoolClientSecrets) 
+  [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/ListUserPoolClientSecrets) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cognito-idp-2016-04-18/ListUserPoolClientSecrets) 

# ListUserPools


Lists user pools and their details in the current AWS account.

**Note**  
Amazon Cognito evaluates AWS Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.  
 [Signing AWS API Requests](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html) 
 [Using the Amazon Cognito user pools API and user pool endpoints](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html) 

## Request Syntax


```
{
   "MaxResults": number,
   "NextToken": "string"
}
```

## Request Parameters


For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).

The request accepts the following data in JSON format.

 ** [MaxResults](#API_ListUserPools_RequestSyntax) **   <a name="CognitoUserPools-ListUserPools-request-MaxResults"></a>
The maximum number of user pools that you want Amazon Cognito to return in the response.  
Type: Integer  
Valid Range: Minimum value of 1. Maximum value of 60.  
Required: Yes

 ** [NextToken](#API_ListUserPools_RequestSyntax) **   <a name="CognitoUserPools-ListUserPools-request-NextToken"></a>
This API operation returns a limited number of results. The pagination token is an identifier that you can present in an additional API request with the same parameters. When you include the pagination token, Amazon Cognito returns the next set of items after the current list. Subsequent requests return a new pagination token. By use of this token, you can paginate through the full list of items.  
Type: String  
Length Constraints: Minimum length of 1.  
Pattern: `[\S]+`   
Required: No

## Response Syntax


```
{
   "NextToken": "string",
   "UserPools": [ 
      { 
         "CreationDate": number,
         "Id": "string",
         "LambdaConfig": { 
            "CreateAuthChallenge": "string",
            "CustomEmailSender": { 
               "LambdaArn": "string",
               "LambdaVersion": "string"
            },
            "CustomMessage": "string",
            "CustomSMSSender": { 
               "LambdaArn": "string",
               "LambdaVersion": "string"
            },
            "DefineAuthChallenge": "string",
            "InboundFederation": { 
               "LambdaArn": "string",
               "LambdaVersion": "string"
            },
            "KMSKeyID": "string",
            "PostAuthentication": "string",
            "PostConfirmation": "string",
            "PreAuthentication": "string",
            "PreSignUp": "string",
            "PreTokenGeneration": "string",
            "PreTokenGenerationConfig": { 
               "LambdaArn": "string",
               "LambdaVersion": "string"
            },
            "UserMigration": "string",
            "VerifyAuthChallengeResponse": "string"
         },
         "LastModifiedDate": number,
         "Name": "string",
         "Status": "string"
      }
   ]
}
```

## Response Elements


If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

 ** [NextToken](#API_ListUserPools_ResponseSyntax) **   <a name="CognitoUserPools-ListUserPools-response-NextToken"></a>
The identifier that Amazon Cognito returned with the previous request to this operation. When you include a pagination token in your request, Amazon Cognito returns the next set of items in the list. By use of this token, you can paginate through the full list of items.  
Type: String  
Length Constraints: Minimum length of 1.  
Pattern: `[\S]+` 

 ** [UserPools](#API_ListUserPools_ResponseSyntax) **   <a name="CognitoUserPools-ListUserPools-response-UserPools"></a>
An array of user pools and their configuration details.  
Type: Array of [UserPoolDescriptionType](API_UserPoolDescriptionType.md) objects

## Errors


For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).

 ** InternalErrorException **   
This exception is thrown when Amazon Cognito encounters an internal error.    
 ** message **   
The message returned when Amazon Cognito throws an internal error exception.
HTTP Status Code: 500

 ** InvalidParameterException **   
This exception is thrown when the Amazon Cognito service encounters an invalid parameter.    
 ** message **   
The message returned when the Amazon Cognito service throws an invalid parameter exception.  
 ** reasonCode **   
The reason code of the exception.
HTTP Status Code: 400

 ** NotAuthorizedException **   
This exception is thrown when a user isn't authorized.    
 ** message **   
The message returned when the Amazon Cognito service returns a not authorized exception.
HTTP Status Code: 400

 ** TooManyRequestsException **   
This exception is thrown when the user has made too many requests for a given operation.    
 ** message **   
The message returned when the Amazon Cognito service returns a too many requests exception.
HTTP Status Code: 400

## Examples


### Example


The following example request lists the first three user pools in the AWS account associated with the user that signed the request.

#### Sample Request


```
POST HTTP/1.1
Host: cognito-idp.us-west-2.amazonaws.com
X-Amz-Date: 20230613T200059Z
Accept-Encoding: gzip, deflate, br
X-Amz-Target: AWSCognitoIdentityProviderService.ListUserPools
User-Agent: <UserAgentString>
Authorization: AWS4-HMAC-SHA256 Credential=<Credential>, SignedHeaders=<Headers>, Signature=<Signature>
Content-Length: <PayloadSizeBytes>
{
   "MaxResults": 3
}
```

#### Sample Response


```
HTTP/1.1 200 OK
Date: Tue, 13 Jun 2023 20:00:59 GMT
Content-Type: application/x-amz-json-1.0
Content-Length: <PayloadSizeBytes>
x-amzn-requestid: a1b2c3d4-e5f6-a1b2-c3d4-EXAMPLE11111
Connection: keep-alive
{
    "NextToken": "[Pagination token]",
    "UserPools": [
        {
            "CreationDate": 1681502497.741,
            "Id": "us-west-2_EXAMPLE1",
            "LambdaConfig": {
                "CustomMessage": "arn:aws:lambda:us-east-1:123456789012:function:MyFunction",
                "PreSignUp": "arn:aws:lambda:us-east-1:123456789012:function:MyFunction",
                "PreTokenGeneration": "arn:aws:lambda:us-east-1:123456789012:function:MyFunction",
                "PreTokenGenerationConfig": {
                    "LambdaArn": "arn:aws:lambda:us-east-1:123456789012:function:MyFunction",
                    "LambdaVersion": "V1_0"
                }
            },
            "LastModifiedDate": 1681502497.741,
            "Name": "user pool 1"
        },
        {
            "CreationDate": 1686064178.717,
            "Id": "us-west-2_EXAMPLE2",
            "LambdaConfig": {
            },
            "LastModifiedDate": 1686064178.873,
            "Name": "user pool 2"
        },
        {
            "CreationDate": 1627681712.237,
            "Id": "us-west-2_EXAMPLE3",
            "LambdaConfig": {
                "UserMigration": "arn:aws:lambda:us-east-1:123456789012:function:MyFunction"
            },
            "LastModifiedDate": 1678486942.479,
            "Name": "user pool 3"
        }
    ]
}
```

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cognito-idp-2016-04-18/ListUserPools) 
+  [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cognito-idp-2016-04-18/ListUserPools) 
+  [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/ListUserPools) 
+  [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cognito-idp-2016-04-18/ListUserPools) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/ListUserPools) 
+  [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cognito-idp-2016-04-18/ListUserPools) 
+  [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cognito-idp-2016-04-18/ListUserPools) 
+  [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cognito-idp-2016-04-18/ListUserPools) 
+  [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/ListUserPools) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cognito-idp-2016-04-18/ListUserPools) 

# ListUsers


Given a user pool ID, returns a list of users and their basic details in a user pool.

This operation is eventually consistent. You might experience a delay before results are up-to-date. To validate the existence or configuration of an individual user, use `AdminGetUser`.

**Note**  
Amazon Cognito evaluates AWS Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.  
 [Signing AWS API Requests](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html) 
 [Using the Amazon Cognito user pools API and user pool endpoints](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html) 

## Request Syntax


```
{
   "AttributesToGet": [ "string" ],
   "Filter": "string",
   "Limit": number,
   "PaginationToken": "string",
   "UserPoolId": "string"
}
```

## Request Parameters


For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).

The request accepts the following data in JSON format.

 ** [AttributesToGet](#API_ListUsers_RequestSyntax) **   <a name="CognitoUserPools-ListUsers-request-AttributesToGet"></a>
A JSON array of user attribute names, for example `given_name`, that you want Amazon Cognito to include in the response for each user. When you don't provide an `AttributesToGet` parameter, Amazon Cognito returns all attributes for each user.  
Use `AttributesToGet` with required attributes in your user pool, or in conjunction with `Filter`. Amazon Cognito returns an error if not all users in the results have set a value for the attribute you request. Attributes that you can't filter on, including custom attributes, must have a value set in every user profile before an `AttributesToGet` parameter returns results.  
Type: Array of strings  
Length Constraints: Minimum length of 1. Maximum length of 32.  
Pattern: `[\p{L}\p{M}\p{S}\p{N}\p{P}\t\n\r ]+`   
Required: No

 ** [Filter](#API_ListUsers_RequestSyntax) **   <a name="CognitoUserPools-ListUsers-request-Filter"></a>
A filter string of the form `"AttributeName Filter-Type "AttributeValue"`. Quotation marks within the filter string must be escaped using the backslash (`\`) character. For example, `"family_name = \"Reddy\""`.  
+  *AttributeName*: The name of the attribute to search for. You can only search for one attribute at a time.
+  *Filter-Type*: For an exact match, use `=`, for example, "`given_name = \"Jon\"`". For a prefix ("starts with") match, use `^=`, for example, "`given_name ^= \"Jon\"`". 
+  *AttributeValue*: The attribute value that must be matched for each user.
If the filter string is empty, `ListUsers` returns all users in the user pool.  
You can only search for the following standard attributes:  
+  `username` (case-sensitive)
+  `email` 
+  `phone_number` 
+  `name` 
+  `given_name` 
+  `family_name` 
+  `preferred_username` 
+  `cognito:user_status` (called **Status** in the Console) (case-insensitive)
+  `status (called Enabled in the Console) (case-sensitive)` 
+  `sub` 
Custom attributes aren't searchable.  
You can also list users with a client-side filter. The server-side filter matches no more than one attribute. For an advanced search, use a client-side filter with the `--query` parameter of the `list-users` action in the AWS CLI. When you use a client-side filter, ListUsers returns a paginated list of zero or more users. You can receive multiple pages in a row with zero results. Repeat the query with each pagination token that is returned until you receive a null pagination token value, and then review the combined result.   
For more information about server-side and client-side filtering, see [FilteringAWS CLI output](https://docs.aws.amazon.com/cli/latest/userguide/cli-usage-filter.html) in the [AWS Command Line Interface User Guide](https://docs.aws.amazon.com/cli/latest/userguide/cli-usage-filter.html). 
For more information, see [Searching for Users Using the ListUsers API](https://docs.aws.amazon.com/cognito/latest/developerguide/how-to-manage-user-accounts.html#cognito-user-pools-searching-for-users-using-listusers-api) and [Examples of Using the ListUsers API](https://docs.aws.amazon.com/cognito/latest/developerguide/how-to-manage-user-accounts.html#cognito-user-pools-searching-for-users-listusers-api-examples) in the *Amazon Cognito Developer Guide*.  
Type: String  
Length Constraints: Maximum length of 256.  
Required: No

 ** [Limit](#API_ListUsers_RequestSyntax) **   <a name="CognitoUserPools-ListUsers-request-Limit"></a>
The maximum number of users that you want Amazon Cognito to return in the response. In some SDK contexts, this operation might return fewer items than you specify in the `Limit` parameter without having reached the end of the full list. If the response contains a `PaginationToken`, then there are more results.  
Type: Integer  
Valid Range: Minimum value of 0. Maximum value of 60.  
Required: No

 ** [PaginationToken](#API_ListUsers_RequestSyntax) **   <a name="CognitoUserPools-ListUsers-request-PaginationToken"></a>
This API operation returns a limited number of results. The pagination token is an identifier that you can present in an additional API request with the same parameters. When you include the pagination token, Amazon Cognito returns the next set of items after the current list. Subsequent requests return a new pagination token. By use of this token, you can paginate through the full list of items.  
Type: String  
Length Constraints: Minimum length of 1.  
Pattern: `[\S]+`   
Required: No

 ** [UserPoolId](#API_ListUsers_RequestSyntax) **   <a name="CognitoUserPools-ListUsers-request-UserPoolId"></a>
The ID of the user pool where you want to display or search for users.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 55.  
Pattern: `[\w-]+_[0-9a-zA-Z]+`   
Required: Yes

## Response Syntax


```
{
   "PaginationToken": "string",
   "Users": [ 
      { 
         "Attributes": [ 
            { 
               "Name": "string",
               "Value": "string"
            }
         ],
         "Enabled": boolean,
         "MFAOptions": [ 
            { 
               "AttributeName": "string",
               "DeliveryMedium": "string"
            }
         ],
         "UserCreateDate": number,
         "UserLastModifiedDate": number,
         "Username": "string",
         "UserStatus": "string"
      }
   ]
}
```

## Response Elements


If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

 ** [PaginationToken](#API_ListUsers_ResponseSyntax) **   <a name="CognitoUserPools-ListUsers-response-PaginationToken"></a>
The identifier that Amazon Cognito returned with the previous request to this operation. When you include a pagination token in your request, Amazon Cognito returns the next set of items in the list. By use of this token, you can paginate through the full list of items.  
Type: String  
Length Constraints: Minimum length of 1.  
Pattern: `[\S]+` 

 ** [Users](#API_ListUsers_ResponseSyntax) **   <a name="CognitoUserPools-ListUsers-response-Users"></a>
An array of user pool users who match your query, and their attributes. Between different requests, you might observe variations in the sequence that users in this response object are sorted into. The sort order of users isn't guaranteed to follow a single pattern, but the paginated list from a single chain of requests won't return duplicates.  
Amazon Cognito creates a profile in your user pool for each local user in your user pool and for each unique user ID from your third-party identity providers (IdPs). When you link users with the [AdminLinkProviderForUser](API_AdminLinkProviderForUser.md) API operation, the output of `ListUsers` displays both the IdP user and the local user that you linked. You can identify IdP users in the `Users` object of this API response by the IdP prefix that Amazon Cognito appends to `Username`.
Type: Array of [UserType](API_UserType.md) objects

## Errors


For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).

 ** InternalErrorException **   
This exception is thrown when Amazon Cognito encounters an internal error.    
 ** message **   
The message returned when Amazon Cognito throws an internal error exception.
HTTP Status Code: 500

 ** InvalidParameterException **   
This exception is thrown when the Amazon Cognito service encounters an invalid parameter.    
 ** message **   
The message returned when the Amazon Cognito service throws an invalid parameter exception.  
 ** reasonCode **   
The reason code of the exception.
HTTP Status Code: 400

 ** NotAuthorizedException **   
This exception is thrown when a user isn't authorized.    
 ** message **   
The message returned when the Amazon Cognito service returns a not authorized exception.
HTTP Status Code: 400

 ** ResourceNotFoundException **   
This exception is thrown when the Amazon Cognito service can't find the requested resource.    
 ** message **   
The message returned when the Amazon Cognito service returns a resource not found exception.
HTTP Status Code: 400

 ** TooManyRequestsException **   
This exception is thrown when the user has made too many requests for a given operation.    
 ** message **   
The message returned when the Amazon Cognito service returns a too many requests exception.
HTTP Status Code: 400

## Examples


### Example


This request submits a value for all possible parameters for ListUsers. By iterating the PaginationToken, you can page through and collect all users in a user pool.

#### Sample Request


```
POST HTTP/1.1
Host: cognito-idp.us-east-1.amazonaws.com
X-Amz-Date: 20230613T200059Z
Accept-Encoding: gzip, deflate, br
X-Amz-Target: AWSCognitoIdentityProviderService.ListUsers
User-Agent: <UserAgentString>
Authorization: AWS4-HMAC-SHA256 Credential=<Credential>, SignedHeaders=<Headers>, Signature=<Signature>
Content-Length: <PayloadSizeBytes>

{
    "AttributesToGet": [
        "email",
        "sub"
    ],
    "Filter": "\"email\"^=\"testuser\"",
    "Limit": 3,
    "PaginationToken": "abcd1234EXAMPLE",
    "UserPoolId": "us-east-1_EXAMPLE"
}
```

#### Sample Response


```
HTTP/1.1 200 OK
Date: Tue, 13 Jun 2023 20:00:59 GMT
Content-Type: application/x-amz-json-1.0
Content-Length: <PayloadSizeBytes>
x-amzn-requestid: a1b2c3d4-e5f6-a1b2-c3d4-EXAMPLE11111
Connection: keep-alive

{
    "PaginationToken": "efgh5678EXAMPLE",
    "Users": [
        {
            "Attributes": [
                {
                    "Name": "sub",
                    "Value": "eaad0219-2117-439f-8d46-4db20e59268f"
                },
                {
                    "Name": "email",
                    "Value": "testuser@example.com"
                }
            ],
            "Enabled": true,
            "UserCreateDate": 1682955829.578,
            "UserLastModifiedDate": 1689030181.63,
            "UserStatus": "CONFIRMED",
            "Username": "testuser"
        },
        {
            "Attributes": [
                {
                    "Name": "sub",
                    "Value": "3b994cfd-0b07-4581-be46-3c82f9a70c90"
                },
                {
                    "Name": "email",
                    "Value": "testuser2@example.com"
                }
            ],
            "Enabled": true,
            "UserCreateDate": 1684427979.201,
            "UserLastModifiedDate": 1684427979.201,
            "UserStatus": "UNCONFIRMED",
            "Username": "testuser2"
        },
        {
            "Attributes": [
                {
                    "Name": "sub",
                    "Value": "5929e0d1-4c34-42d1-9b79-a5ecacfe66f7"
                },
                {
                    "Name": "email",
                    "Value": "testuser3@example.com"
                }
            ],
            "Enabled": true,
            "UserCreateDate": 1684427823.641,
            "UserLastModifiedDate": 1684427823.641,
            "UserStatus": "UNCONFIRMED",
            "Username": "testuser3@example.com"
        }
    ]
}
```

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cognito-idp-2016-04-18/ListUsers) 
+  [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cognito-idp-2016-04-18/ListUsers) 
+  [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/ListUsers) 
+  [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cognito-idp-2016-04-18/ListUsers) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/ListUsers) 
+  [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cognito-idp-2016-04-18/ListUsers) 
+  [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cognito-idp-2016-04-18/ListUsers) 
+  [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cognito-idp-2016-04-18/ListUsers) 
+  [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/ListUsers) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cognito-idp-2016-04-18/ListUsers) 

# ListUsersInGroup


Given a user pool ID and a group name, returns a list of users in the group. For more information about user pool groups, see [Adding groups to a user pool](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-user-groups.html).

**Note**  
Amazon Cognito evaluates AWS Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.  
 [Signing AWS API Requests](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html) 
 [Using the Amazon Cognito user pools API and user pool endpoints](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html) 

## Request Syntax


```
{
   "GroupName": "string",
   "Limit": number,
   "NextToken": "string",
   "UserPoolId": "string"
}
```

## Request Parameters


For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).

The request accepts the following data in JSON format.

 ** [GroupName](#API_ListUsersInGroup_RequestSyntax) **   <a name="CognitoUserPools-ListUsersInGroup-request-GroupName"></a>
The name of the group that you want to query for user membership.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 128.  
Pattern: `[\p{L}\p{M}\p{S}\p{N}\p{P}]+`   
Required: Yes

 ** [Limit](#API_ListUsersInGroup_RequestSyntax) **   <a name="CognitoUserPools-ListUsersInGroup-request-Limit"></a>
The maximum number of groups that you want Amazon Cognito to return in the response. In some SDK contexts, this operation might return fewer items than you specify in the `Limit` parameter without having reached the end of the full list. If the response contains a `PaginationToken`, then there are more results.  
Type: Integer  
Valid Range: Minimum value of 0. Maximum value of 60.  
Required: No

 ** [NextToken](#API_ListUsersInGroup_RequestSyntax) **   <a name="CognitoUserPools-ListUsersInGroup-request-NextToken"></a>
This API operation returns a limited number of results. The pagination token is an identifier that you can present in an additional API request with the same parameters. When you include the pagination token, Amazon Cognito returns the next set of items after the current list. Subsequent requests return a new pagination token. By use of this token, you can paginate through the full list of items.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 131072.  
Pattern: `[\S]+`   
Required: No

 ** [UserPoolId](#API_ListUsersInGroup_RequestSyntax) **   <a name="CognitoUserPools-ListUsersInGroup-request-UserPoolId"></a>
The ID of the user pool where you want to view the membership of the requested group.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 55.  
Pattern: `[\w-]+_[0-9a-zA-Z]+`   
Required: Yes

## Response Syntax


```
{
   "NextToken": "string",
   "Users": [ 
      { 
         "Attributes": [ 
            { 
               "Name": "string",
               "Value": "string"
            }
         ],
         "Enabled": boolean,
         "MFAOptions": [ 
            { 
               "AttributeName": "string",
               "DeliveryMedium": "string"
            }
         ],
         "UserCreateDate": number,
         "UserLastModifiedDate": number,
         "Username": "string",
         "UserStatus": "string"
      }
   ]
}
```

## Response Elements


If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

 ** [NextToken](#API_ListUsersInGroup_ResponseSyntax) **   <a name="CognitoUserPools-ListUsersInGroup-response-NextToken"></a>
The identifier that Amazon Cognito returned with the previous request to this operation. When you include a pagination token in your request, Amazon Cognito returns the next set of items in the list. By use of this token, you can paginate through the full list of items.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 131072.  
Pattern: `[\S]+` 

 ** [Users](#API_ListUsersInGroup_ResponseSyntax) **   <a name="CognitoUserPools-ListUsersInGroup-response-Users"></a>
An array of users who are members in the group, and their attributes.  
Type: Array of [UserType](API_UserType.md) objects

## Errors


For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).

 ** InternalErrorException **   
This exception is thrown when Amazon Cognito encounters an internal error.    
 ** message **   
The message returned when Amazon Cognito throws an internal error exception.
HTTP Status Code: 500

 ** InvalidParameterException **   
This exception is thrown when the Amazon Cognito service encounters an invalid parameter.    
 ** message **   
The message returned when the Amazon Cognito service throws an invalid parameter exception.  
 ** reasonCode **   
The reason code of the exception.
HTTP Status Code: 400

 ** NotAuthorizedException **   
This exception is thrown when a user isn't authorized.    
 ** message **   
The message returned when the Amazon Cognito service returns a not authorized exception.
HTTP Status Code: 400

 ** ResourceNotFoundException **   
This exception is thrown when the Amazon Cognito service can't find the requested resource.    
 ** message **   
The message returned when the Amazon Cognito service returns a resource not found exception.
HTTP Status Code: 400

 ** TooManyRequestsException **   
This exception is thrown when the user has made too many requests for a given operation.    
 ** message **   
The message returned when the Amazon Cognito service returns a too many requests exception.
HTTP Status Code: 400

## Examples


### Example


The following example request lists the two users of the requested group.

#### Sample Request


```
POST HTTP/1.1
Host: cognito-idp.us-west-2.amazonaws.com
X-Amz-Date: 20230613T200059Z
Accept-Encoding: gzip, deflate, br
X-Amz-Target: AWSCognitoIdentityProviderService.ListUsersInGroup
User-Agent: <UserAgentString>
Authorization: AWS4-HMAC-SHA256 Credential=<Credential>, SignedHeaders=<Headers>, Signature=<Signature>
Content-Length: <PayloadSizeBytes>
{
    "GroupName": "testgroup",
    "UserPoolId": "us-west-2_EXAMPLE"
}
```

#### Sample Response


```
HTTP/1.1 200 OK
Date: Tue, 13 Jun 2023 20:00:59 GMT
Content-Type: application/x-amz-json-1.0
Content-Length: <PayloadSizeBytes>
x-amzn-requestid: a1b2c3d4-e5f6-a1b2-c3d4-EXAMPLE11111
Connection: keep-alive
{
    "Users": [
        {
            "Attributes": [
                {
                    "Name": "sub",
                    "Value": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
                },
                {
                    "Name": "identities",
                    "Value": "[{\"userId\":\"a1b2c3d4-5678-90ab-cdef-EXAMPLE22222\",\"providerName\":\"SignInWithApple\",\"providerType\":\"SignInWithApple\",\"issuer\":null,\"primary\":false,\"dateCreated\":1701125599632}]"
                },
                {
                    "Name": "email_verified",
                    "Value": "true"
                },
                {
                    "Name": "custom:state",
                    "Value": "Maine"
                },
                {
                    "Name": "name",
                    "Value": "John Doe"
                },
                {
                    "Name": "phone_number_verified",
                    "Value": "true"
                },
                {
                    "Name": "phone_number",
                    "Value": "+12065551212"
                },
                {
                    "Name": "preferred_username",
                    "Value": "jamesdoe"
                },
                {
                    "Name": "locale",
                    "Value": "EMEA"
                },
                {
                    "Name": "email",
                    "Value": "jamesdoe@example.com"
                }
            ],
            "Enabled": true,
            "UserCreateDate": 1682955829.578,
            "UserLastModifiedDate": 1736292876.446,
            "Username": "johndoe",
            "UserStatus": "CONFIRMED"
        },
        {
            "Attributes": [
                {
                    "Name": "sub",
                    "Value": "a1b2c3d4-5678-90ab-cdef-EXAMPLE33333"
                },
                {
                    "Name": "website",
                    "Value": "https://example.com"
                },
                {
                    "Name": "email_verified",
                    "Value": "true"
                },
                {
                    "Name": "custom:state",
                    "Value": "New York"
                },
                {
                    "Name": "phone_number_verified",
                    "Value": "true"
                },
                {
                    "Name": "given_name",
                    "Value": "Carlos"
                },
                {
                    "Name": "name",
                    "Value": "Carlos Salazar"
                },
                {
                    "Name": "phone_number",
                    "Value": "+12065551212"
                },
                {
                    "Name": "family_name",
                    "Value": "Salazar"
                },
                {
                    "Name": "email",
                    "Value": "carlos.salazar@example.com"
                }
            ],
            "Enabled": true,
            "UserCreateDate": 1701124862.116,
            "UserLastModifiedDate": 1726695472.107,
            "Username": "salazarc",
            "UserStatus": "CONFIRMED"
        }
    ]
}
```

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cognito-idp-2016-04-18/ListUsersInGroup) 
+  [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cognito-idp-2016-04-18/ListUsersInGroup) 
+  [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/ListUsersInGroup) 
+  [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cognito-idp-2016-04-18/ListUsersInGroup) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/ListUsersInGroup) 
+  [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cognito-idp-2016-04-18/ListUsersInGroup) 
+  [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cognito-idp-2016-04-18/ListUsersInGroup) 
+  [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cognito-idp-2016-04-18/ListUsersInGroup) 
+  [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/ListUsersInGroup) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cognito-idp-2016-04-18/ListUsersInGroup) 

# ListWebAuthnCredentials


Generates a list of the currently signed-in user's registered passkey, or WebAuthn, credentials.

Authorize this action with a signed-in user's access token. It must include the scope `aws.cognito.signin.user.admin`.

**Note**  
Amazon Cognito doesn't evaluate AWS Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you can't use IAM credentials to authorize requests, and you can't grant IAM permissions in policies. For more information about authorization models in Amazon Cognito, see [Using the Amazon Cognito user pools API and user pool endpoints](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html).

## Request Syntax


```
{
   "AccessToken": "string",
   "MaxResults": number,
   "NextToken": "string"
}
```

## Request Parameters


For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).

The request accepts the following data in JSON format.

 ** [AccessToken](#API_ListWebAuthnCredentials_RequestSyntax) **   <a name="CognitoUserPools-ListWebAuthnCredentials-request-AccessToken"></a>
A valid access token that Amazon Cognito issued to the currently signed-in user. Must include a scope claim for `aws.cognito.signin.user.admin`.  
Type: String  
Pattern: `[A-Za-z0-9-_=.]+`   
Required: Yes

 ** [MaxResults](#API_ListWebAuthnCredentials_RequestSyntax) **   <a name="CognitoUserPools-ListWebAuthnCredentials-request-MaxResults"></a>
The maximum number of the user's passkey credentials that you want to return.  
Type: Integer  
Valid Range: Minimum value of 0. Maximum value of 20.  
Required: No

 ** [NextToken](#API_ListWebAuthnCredentials_RequestSyntax) **   <a name="CognitoUserPools-ListWebAuthnCredentials-request-NextToken"></a>
This API operation returns a limited number of results. The pagination token is an identifier that you can present in an additional API request with the same parameters. When you include the pagination token, Amazon Cognito returns the next set of items after the current list. Subsequent requests return a new pagination token. By use of this token, you can paginate through the full list of items.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 131072.  
Pattern: `[\S]+`   
Required: No

## Response Syntax


```
{
   "Credentials": [ 
      { 
         "AuthenticatorAttachment": "string",
         "AuthenticatorTransports": [ "string" ],
         "CreatedAt": number,
         "CredentialId": "string",
         "FriendlyCredentialName": "string",
         "RelyingPartyId": "string"
      }
   ],
   "NextToken": "string"
}
```

## Response Elements


If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

 ** [Credentials](#API_ListWebAuthnCredentials_ResponseSyntax) **   <a name="CognitoUserPools-ListWebAuthnCredentials-response-Credentials"></a>
A list of registered passkeys for a user.  
Type: Array of [WebAuthnCredentialDescription](API_WebAuthnCredentialDescription.md) objects

 ** [NextToken](#API_ListWebAuthnCredentials_ResponseSyntax) **   <a name="CognitoUserPools-ListWebAuthnCredentials-response-NextToken"></a>
The identifier that Amazon Cognito returned with the previous request to this operation. When you include a pagination token in your request, Amazon Cognito returns the next set of items in the list. By use of this token, you can paginate through the full list of items.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 131072.  
Pattern: `[\S]+` 

## Errors


For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).

 ** ForbiddenException **   
This exception is thrown when AWS WAF doesn't allow your request based on a web ACL that's associated with your user pool.    
 ** message **   
The message returned when AWS WAF doesn't allow your request based on a web ACL that's associated with your user pool.
HTTP Status Code: 400

 ** InternalErrorException **   
This exception is thrown when Amazon Cognito encounters an internal error.    
 ** message **   
The message returned when Amazon Cognito throws an internal error exception.
HTTP Status Code: 500

 ** InvalidParameterException **   
This exception is thrown when the Amazon Cognito service encounters an invalid parameter.    
 ** message **   
The message returned when the Amazon Cognito service throws an invalid parameter exception.  
 ** reasonCode **   
The reason code of the exception.
HTTP Status Code: 400

 ** LimitExceededException **   
This exception is thrown when a user exceeds the limit for a requested AWS resource.    
 ** message **   
The message returned when Amazon Cognito throws a limit exceeded exception.
HTTP Status Code: 400

 ** NotAuthorizedException **   
This exception is thrown when a user isn't authorized.    
 ** message **   
The message returned when the Amazon Cognito service returns a not authorized exception.
HTTP Status Code: 400

 ** PasswordResetRequiredException **   
This exception is thrown when a password reset is required.    
 ** message **   
The message returned when a password reset is required.
HTTP Status Code: 400

 ** TooManyRequestsException **   
This exception is thrown when the user has made too many requests for a given operation.    
 ** message **   
The message returned when the Amazon Cognito service returns a too many requests exception.
HTTP Status Code: 400

## Examples


### Example


The following example request returns details about the one registered passkey for the current user.

#### Sample Request


```
POST HTTP/1.1
Host: cognito-idp.us-west-2.amazonaws.com
X-Amz-Date: 20230613T200059Z
Accept-Encoding: gzip, deflate, br
X-Amz-Target: AWSCognitoIdentityProviderService.ListWebAuthnCredentials
User-Agent: <UserAgentString>
Authorization: AWS4-HMAC-SHA256 Credential=<Credential>, SignedHeaders=<Headers>, Signature=<Signature>
Content-Length: <PayloadSizeBytes>
{
   "AccessToken": "eyJra456defEXAMPLE"
}
```

#### Sample Response


```
HTTP/1.1 200 OK
Date: Tue, 13 Jun 2023 20:00:59 GMT
Content-Type: application/x-amz-json-1.0
Content-Length: <PayloadSizeBytes>
x-amzn-requestid: a1b2c3d4-e5f6-a1b2-c3d4-EXAMPLE11111
Connection: keep-alive
{
    "Credentials": [
        {
            "AuthenticatorAttachment": "cross-platform",
            "CreatedAt": 1736293876.115,
            "CredentialId": "8LApgk4-lNUFHbhm2w6Und7-uxcc8coJGsPxiogvHoItc64xWQc3r4CEXAMPLE",
            "FriendlyCredentialName": "Roaming passkey",
            "RelyingPartyId": "auth.example.com"
        }
    ]
}
```

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cognito-idp-2016-04-18/ListWebAuthnCredentials) 
+  [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cognito-idp-2016-04-18/ListWebAuthnCredentials) 
+  [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/ListWebAuthnCredentials) 
+  [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cognito-idp-2016-04-18/ListWebAuthnCredentials) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/ListWebAuthnCredentials) 
+  [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cognito-idp-2016-04-18/ListWebAuthnCredentials) 
+  [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cognito-idp-2016-04-18/ListWebAuthnCredentials) 
+  [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cognito-idp-2016-04-18/ListWebAuthnCredentials) 
+  [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/ListWebAuthnCredentials) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cognito-idp-2016-04-18/ListWebAuthnCredentials) 

# ResendConfirmationCode


Resends the code that confirms a new account for a user who has signed up in your user pool. Amazon Cognito sends confirmation codes to the user attribute in the `AutoVerifiedAttributes` property of your user pool. When you prompt new users for the confirmation code, include a "Resend code" option that generates a call to this API operation.

When users submit their new confirmation code, send it to your user pool in a [ConfirmSignUp](API_ConfirmSignUp.md) request for account confirmation.

**Note**  
Amazon Cognito doesn't evaluate AWS Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you can't use IAM credentials to authorize requests, and you can't grant IAM permissions in policies. For more information about authorization models in Amazon Cognito, see [Using the Amazon Cognito user pools API and user pool endpoints](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html).

**Note**  
This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers require you to register an origination phone number before you can send SMS messages to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a phone number with [Amazon Pinpoint](https://console.aws.amazon.com/pinpoint/home/). Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must receive SMS messages might not be able to sign up, activate their accounts, or sign in.  
If you have never used SMS text messages with Amazon Cognito or any other AWS service, Amazon Simple Notification Service might place your account in the SMS sandbox. In * [sandbox mode](https://docs.aws.amazon.com/sns/latest/dg/sns-sms-sandbox.html) *, you can send messages only to verified phone numbers. After you test your app while in the sandbox environment, you can move out of the sandbox and into production. For more information, see [ SMS message settings for Amazon Cognito user pools](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-sms-settings.html) in the *Amazon Cognito Developer Guide*.

## Request Syntax


```
{
   "AnalyticsMetadata": { 
      "AnalyticsEndpointId": "string"
   },
   "ClientId": "string",
   "ClientMetadata": { 
      "string" : "string" 
   },
   "SecretHash": "string",
   "UserContextData": { 
      "EncodedData": "string",
      "IpAddress": "string"
   },
   "Username": "string"
}
```

## Request Parameters


For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).

The request accepts the following data in JSON format.

 ** [AnalyticsMetadata](#API_ResendConfirmationCode_RequestSyntax) **   <a name="CognitoUserPools-ResendConfirmationCode-request-AnalyticsMetadata"></a>
Information that supports analytics outcomes with Amazon Pinpoint, including the user's endpoint ID. The endpoint ID is a destination for Amazon Pinpoint push notifications, for example a device identifier, email address, or phone number.  
Type: [AnalyticsMetadataType](API_AnalyticsMetadataType.md) object  
Required: No

 ** [ClientId](#API_ResendConfirmationCode_RequestSyntax) **   <a name="CognitoUserPools-ResendConfirmationCode-request-ClientId"></a>
The ID of the user pool app client where the user signed up.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 128.  
Pattern: `[\w+]+`   
Required: Yes

 ** [ClientMetadata](#API_ResendConfirmationCode_RequestSyntax) **   <a name="CognitoUserPools-ResendConfirmationCode-request-ClientMetadata"></a>
A map of custom key-value pairs that you can provide as input for any custom workflows that this action triggers. You create custom workflows by assigning AWS Lambda functions to user pool triggers.  
When Amazon Cognito invokes any of these functions, it passes a JSON payload, which the function receives as input. This payload contains a `clientMetadata` attribute that provides the data that you assigned to the ClientMetadata parameter in your request. In your function code, you can process the `clientMetadata` value to enhance your workflow for your specific needs.  
To review the Lambda trigger types that Amazon Cognito invokes at runtime with API requests, see [ Connecting API actions to Lambda triggers](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-working-with-lambda-triggers.html#lambda-triggers-by-event) in the *Amazon Cognito Developer Guide*.  
When you use the `ClientMetadata` parameter, note that Amazon Cognito won't do the following:  
+ Store the `ClientMetadata` value. This data is available only to AWS Lambda triggers that are assigned to a user pool to support custom workflows. If your user pool configuration doesn't include triggers, the `ClientMetadata` parameter serves no purpose.
+ Validate the `ClientMetadata` value.
+ Encrypt the `ClientMetadata` value. Don't send sensitive information in this parameter.
Type: String to string map  
Key Length Constraints: Minimum length of 0. Maximum length of 131072.  
Value Length Constraints: Minimum length of 0. Maximum length of 131072.  
Required: No

 ** [SecretHash](#API_ResendConfirmationCode_RequestSyntax) **   <a name="CognitoUserPools-ResendConfirmationCode-request-SecretHash"></a>
A keyed-hash message authentication code (HMAC) calculated using the secret key of a user pool client and username plus the client ID in the message. For more information about `SecretHash`, see [Computing secret hash values](https://docs.aws.amazon.com/cognito/latest/developerguide/signing-up-users-in-your-app.html#cognito-user-pools-computing-secret-hash).  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 128.  
Pattern: `[\w+=/]+`   
Required: No

 ** [UserContextData](#API_ResendConfirmationCode_RequestSyntax) **   <a name="CognitoUserPools-ResendConfirmationCode-request-UserContextData"></a>
Contextual data about your user session like the device fingerprint, IP address, or location. Amazon Cognito threat protection evaluates the risk of an authentication event based on the context that your app generates and passes to Amazon Cognito when it makes API requests.  
For more information, see [Collecting data for threat protection in applications](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-viewing-threat-protection-app.html).  
Type: [UserContextDataType](API_UserContextDataType.md) object  
Required: No

 ** [Username](#API_ResendConfirmationCode_RequestSyntax) **   <a name="CognitoUserPools-ResendConfirmationCode-request-Username"></a>
The name of the user that you want to query or modify. The value of this parameter is typically your user's username, but it can be any of their alias attributes. If `username` isn't an alias attribute in your user pool, this value must be the `sub` of a local user or the username of a user from a third-party IdP.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 128.  
Pattern: `[\p{L}\p{M}\p{S}\p{N}\p{P}]+`   
Required: Yes

## Response Syntax


```
{
   "CodeDeliveryDetails": { 
      "AttributeName": "string",
      "DeliveryMedium": "string",
      "Destination": "string"
   }
}
```

## Response Elements


If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

 ** [CodeDeliveryDetails](#API_ResendConfirmationCode_ResponseSyntax) **   <a name="CognitoUserPools-ResendConfirmationCode-response-CodeDeliveryDetails"></a>
Information about the phone number or email address that Amazon Cognito sent the confirmation code to.  
Type: [CodeDeliveryDetailsType](API_CodeDeliveryDetailsType.md) object

## Errors


For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).

 ** CodeDeliveryFailureException **   
This exception is thrown when a verification code fails to deliver successfully.    
 ** message **   
The message sent when a verification code fails to deliver successfully.
HTTP Status Code: 400

 ** ForbiddenException **   
This exception is thrown when AWS WAF doesn't allow your request based on a web ACL that's associated with your user pool.    
 ** message **   
The message returned when AWS WAF doesn't allow your request based on a web ACL that's associated with your user pool.
HTTP Status Code: 400

 ** InternalErrorException **   
This exception is thrown when Amazon Cognito encounters an internal error.    
 ** message **   
The message returned when Amazon Cognito throws an internal error exception.
HTTP Status Code: 500

 ** InvalidEmailRoleAccessPolicyException **   
This exception is thrown when Amazon Cognito isn't allowed to use your email identity. HTTP status code: 400.    
 ** message **   
The message returned when you have an unverified email address or the identity policy isn't set on an email address that Amazon Cognito can access.
HTTP Status Code: 400

 ** InvalidLambdaResponseException **   
This exception is thrown when Amazon Cognito encounters an invalid AWS Lambda response.    
 ** message **   
The message returned when Amazon Cognito throws an invalid AWS Lambda response exception.
HTTP Status Code: 400

 ** InvalidParameterException **   
This exception is thrown when the Amazon Cognito service encounters an invalid parameter.    
 ** message **   
The message returned when the Amazon Cognito service throws an invalid parameter exception.  
 ** reasonCode **   
The reason code of the exception.
HTTP Status Code: 400

 ** InvalidSmsRoleAccessPolicyException **   
This exception is returned when the role provided for SMS configuration doesn't have permission to publish using Amazon SNS.    
 ** message **   
The message returned when the invalid SMS role access policy exception is thrown.
HTTP Status Code: 400

 ** InvalidSmsRoleTrustRelationshipException **   
This exception is thrown when the trust relationship is not valid for the role provided for SMS configuration. This can happen if you don't trust `cognito-idp.amazonaws.com` or the external ID provided in the role does not match what is provided in the SMS configuration for the user pool.    
 ** message **   
The message returned when the role trust relationship for the SMS message is not valid.
HTTP Status Code: 400

 ** LimitExceededException **   
This exception is thrown when a user exceeds the limit for a requested AWS resource.    
 ** message **   
The message returned when Amazon Cognito throws a limit exceeded exception.
HTTP Status Code: 400

 ** NotAuthorizedException **   
This exception is thrown when a user isn't authorized.    
 ** message **   
The message returned when the Amazon Cognito service returns a not authorized exception.
HTTP Status Code: 400

 ** ResourceNotFoundException **   
This exception is thrown when the Amazon Cognito service can't find the requested resource.    
 ** message **   
The message returned when the Amazon Cognito service returns a resource not found exception.
HTTP Status Code: 400

 ** TooManyRequestsException **   
This exception is thrown when the user has made too many requests for a given operation.    
 ** message **   
The message returned when the Amazon Cognito service returns a too many requests exception.
HTTP Status Code: 400

 ** UnexpectedLambdaException **   
This exception is thrown when Amazon Cognito encounters an unexpected exception with AWS Lambda.    
 ** message **   
The message returned when Amazon Cognito returns an unexpected Lambda exception.
HTTP Status Code: 400

 ** UserLambdaValidationException **   
This exception is thrown when the Amazon Cognito service encounters a user validation exception with the AWS Lambda service.    
 ** message **   
The message returned when the Amazon Cognito service returns a user validation exception with the Lambda service.
HTTP Status Code: 400

 ** UserNotFoundException **   
This exception is thrown when a user isn't found.    
 ** message **   
The message returned when a user isn't found.
HTTP Status Code: 400

## Examples


### Example


The following example request sends a new email confirmation code to the requested user.

#### Sample Request


```
POST HTTP/1.1
Host: cognito-idp.us-west-2.amazonaws.com
X-Amz-Date: 20230613T200059Z
Accept-Encoding: gzip, deflate, br
X-Amz-Target: AWSCognitoIdentityProviderService.ResendConfirmationCode
User-Agent: <UserAgentString>
Authorization: AWS4-HMAC-SHA256 Credential=<Credential>, SignedHeaders=<Headers>, Signature=<Signature>
Content-Length: <PayloadSizeBytes>
{
   "ClientId": "1example23456789",
   "Username": "akua_mansa"
}
```

#### Sample Response


```
HTTP/1.1 200 OK
Date: Tue, 13 Jun 2023 20:00:59 GMT
Content-Type: application/x-amz-json-1.0
Content-Length: <PayloadSizeBytes>
x-amzn-requestid: a1b2c3d4-e5f6-a1b2-c3d4-EXAMPLE11111
Connection: keep-alive
{
    "CodeDeliveryDetails": {
        "AttributeName": "email",
        "DeliveryMedium": "EMAIL",
        "Destination": "a***@e***"
    }
}
```

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cognito-idp-2016-04-18/ResendConfirmationCode) 
+  [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cognito-idp-2016-04-18/ResendConfirmationCode) 
+  [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/ResendConfirmationCode) 
+  [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cognito-idp-2016-04-18/ResendConfirmationCode) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/ResendConfirmationCode) 
+  [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cognito-idp-2016-04-18/ResendConfirmationCode) 
+  [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cognito-idp-2016-04-18/ResendConfirmationCode) 
+  [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cognito-idp-2016-04-18/ResendConfirmationCode) 
+  [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/ResendConfirmationCode) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cognito-idp-2016-04-18/ResendConfirmationCode) 

# RespondToAuthChallenge


Some API operations in a user pool generate a challenge, like a prompt for an MFA code, for device authentication that bypasses MFA, or for a custom authentication challenge. A `RespondToAuthChallenge` API request provides the answer to that challenge, like a code or a secure remote password (SRP). The parameters of a response to an authentication challenge vary with the type of challenge.

For more information about custom authentication challenges, see [Custom authentication challenge Lambda triggers](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-challenge.html).

**Note**  
Amazon Cognito doesn't evaluate AWS Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you can't use IAM credentials to authorize requests, and you can't grant IAM permissions in policies. For more information about authorization models in Amazon Cognito, see [Using the Amazon Cognito user pools API and user pool endpoints](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html).

**Note**  
This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers require you to register an origination phone number before you can send SMS messages to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a phone number with [Amazon Pinpoint](https://console.aws.amazon.com/pinpoint/home/). Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must receive SMS messages might not be able to sign up, activate their accounts, or sign in.  
If you have never used SMS text messages with Amazon Cognito or any other AWS service, Amazon Simple Notification Service might place your account in the SMS sandbox. In * [sandbox mode](https://docs.aws.amazon.com/sns/latest/dg/sns-sms-sandbox.html) *, you can send messages only to verified phone numbers. After you test your app while in the sandbox environment, you can move out of the sandbox and into production. For more information, see [ SMS message settings for Amazon Cognito user pools](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-sms-settings.html) in the *Amazon Cognito Developer Guide*.

## Request Syntax


```
{
   "AnalyticsMetadata": { 
      "AnalyticsEndpointId": "string"
   },
   "ChallengeName": "string",
   "ChallengeResponses": { 
      "string" : "string" 
   },
   "ClientId": "string",
   "ClientMetadata": { 
      "string" : "string" 
   },
   "Session": "string",
   "UserContextData": { 
      "EncodedData": "string",
      "IpAddress": "string"
   }
}
```

## Request Parameters


For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).

The request accepts the following data in JSON format.

 ** [AnalyticsMetadata](#API_RespondToAuthChallenge_RequestSyntax) **   <a name="CognitoUserPools-RespondToAuthChallenge-request-AnalyticsMetadata"></a>
Information that supports analytics outcomes with Amazon Pinpoint, including the user's endpoint ID. The endpoint ID is a destination for Amazon Pinpoint push notifications, for example a device identifier, email address, or phone number.  
Type: [AnalyticsMetadataType](API_AnalyticsMetadataType.md) object  
Required: No

 ** [ChallengeName](#API_RespondToAuthChallenge_RequestSyntax) **   <a name="CognitoUserPools-RespondToAuthChallenge-request-ChallengeName"></a>
The name of the challenge that you are responding to.  
You can't respond to an `ADMIN_NO_SRP_AUTH` challenge with this operation.
Possible challenges include the following:  
All of the following challenges require `USERNAME` and, when the app client has a client secret, `SECRET_HASH` in the parameters. Include a `DEVICE_KEY` for device authentication.
+  `WEB_AUTHN`: Respond to the challenge with the results of a successful authentication with a WebAuthn authenticator, or passkey, as `CREDENTIAL`. Examples of WebAuthn authenticators include biometric devices and security keys.
+  `PASSWORD`: Respond with the user's password as `PASSWORD`.
+  `PASSWORD_SRP`: Respond with the initial SRP secret as `SRP_A`.
+  `SELECT_CHALLENGE`: Respond with a challenge selection as `ANSWER`. It must be one of the challenge types in the `AvailableChallenges` response parameter. Add the parameters of the selected challenge, for example `USERNAME` and `SMS_OTP`.
+  `SMS_MFA`: Respond with the code that your user pool delivered in an SMS message, as `SMS_MFA_CODE` 
+  `EMAIL_MFA`: Respond with the code that your user pool delivered in an email message, as `EMAIL_MFA_CODE` 
+  `EMAIL_OTP`: Respond with the code that your user pool delivered in an email message, as `EMAIL_OTP_CODE` .
+  `SMS_OTP`: Respond with the code that your user pool delivered in an SMS message, as `SMS_OTP_CODE`.
+  `PASSWORD_VERIFIER`: Respond with the second stage of SRP secrets as `PASSWORD_CLAIM_SIGNATURE`, `PASSWORD_CLAIM_SECRET_BLOCK`, and `TIMESTAMP`.
+  `CUSTOM_CHALLENGE`: This is returned if your custom authentication flow determines that the user should pass another challenge before tokens are issued. The parameters of the challenge are determined by your Lambda function and issued in the `ChallengeParameters` of a challenge response.
+  `DEVICE_SRP_AUTH`: Respond with the initial parameters of device SRP authentication. For more information, see [Signing in with a device](https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-device-tracking.html#user-pools-remembered-devices-signing-in-with-a-device).
+  `DEVICE_PASSWORD_VERIFIER`: Respond with `PASSWORD_CLAIM_SIGNATURE`, `PASSWORD_CLAIM_SECRET_BLOCK`, and `TIMESTAMP` after client-side SRP calculations. For more information, see [Signing in with a device](https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-device-tracking.html#user-pools-remembered-devices-signing-in-with-a-device).
+  `NEW_PASSWORD_REQUIRED`: For users who are required to change their passwords after successful first login. Respond to this challenge with `NEW_PASSWORD` and any required attributes that Amazon Cognito returned in the `requiredAttributes` parameter. You can also set values for attributes that aren't required by your user pool and that your app client can write.

  Amazon Cognito only returns this challenge for users who have temporary passwords. When you create passwordless users, you must provide values for all required attributes.
**Note**  
In a `NEW_PASSWORD_REQUIRED` challenge response, you can't modify a required attribute that already has a value. In `AdminRespondToAuthChallenge` or `RespondToAuthChallenge`, set a value for any keys that Amazon Cognito returned in the `requiredAttributes` parameter, then use the `AdminUpdateUserAttributes` or `UpdateUserAttributes` API operation to modify the value of any additional attributes.
+  `MFA_SETUP`: For users who are required to setup an MFA factor before they can sign in. The MFA types activated for the user pool will be listed in the challenge parameters `MFAS_CAN_SETUP` value. 

  To set up time-based one-time password (TOTP) MFA, use the session returned in this challenge from `InitiateAuth` or `AdminInitiateAuth` as an input to `AssociateSoftwareToken`. Then, use the session returned by `VerifySoftwareToken` as an input to `RespondToAuthChallenge` or `AdminRespondToAuthChallenge` with challenge name `MFA_SETUP` to complete sign-in. 

  To set up SMS or email MFA, collect a `phone_number` or `email` attribute for the user. Then restart the authentication flow with an `InitiateAuth` or `AdminInitiateAuth` request. 
Type: String  
Valid Values: `SMS_MFA | EMAIL_OTP | SOFTWARE_TOKEN_MFA | SELECT_MFA_TYPE | MFA_SETUP | PASSWORD_VERIFIER | CUSTOM_CHALLENGE | SELECT_CHALLENGE | DEVICE_SRP_AUTH | DEVICE_PASSWORD_VERIFIER | ADMIN_NO_SRP_AUTH | NEW_PASSWORD_REQUIRED | SMS_OTP | PASSWORD | WEB_AUTHN | PASSWORD_SRP`   
Required: Yes

 ** [ChallengeResponses](#API_RespondToAuthChallenge_RequestSyntax) **   <a name="CognitoUserPools-RespondToAuthChallenge-request-ChallengeResponses"></a>
The responses to the challenge that you received in the previous request. Each challenge has its own required response parameters. The following examples are partial JSON request bodies that highlight challenge-response parameters.  
You must provide a SECRET\$1HASH parameter in all challenge responses to an app client that has a client secret. Include a `DEVICE_KEY` for device authentication.  
SELECT\$1CHALLENGE  
 `"ChallengeName": "SELECT_CHALLENGE", "ChallengeResponses": { "USERNAME": "[username]", "ANSWER": "[Challenge name]"}`   
Available challenges are `PASSWORD`, `PASSWORD_SRP`, `EMAIL_OTP`, `SMS_OTP`, and `WEB_AUTHN`.  
Complete authentication in the `SELECT_CHALLENGE` response for `PASSWORD`, `PASSWORD_SRP`, and `WEB_AUTHN`:  
+  `"ChallengeName": "SELECT_CHALLENGE", "ChallengeResponses": { "ANSWER": "WEB_AUTHN", "USERNAME": "[username]", "CREDENTIAL": "[AuthenticationResponseJSON]"}` 

  See [ AuthenticationResponseJSON](https://www.w3.org/TR/WebAuthn-3/#dictdef-authenticationresponsejson).
+  `"ChallengeName": "SELECT_CHALLENGE", "ChallengeResponses": { "ANSWER": "PASSWORD", "USERNAME": "[username]", "PASSWORD": "[password]"}` 
+  `"ChallengeName": "SELECT_CHALLENGE", "ChallengeResponses": { "ANSWER": "PASSWORD_SRP", "USERNAME": "[username]", "SRP_A": "[SRP_A]"}` 
For `SMS_OTP` and `EMAIL_OTP`, respond with the username and answer. Your user pool will send a code for the user to submit in the next challenge response.  
+  `"ChallengeName": "SELECT_CHALLENGE", "ChallengeResponses": { "ANSWER": "SMS_OTP", "USERNAME": "[username]"}` 
+  `"ChallengeName": "SELECT_CHALLENGE", "ChallengeResponses": { "ANSWER": "EMAIL_OTP", "USERNAME": "[username]"}`   
WEB\$1AUTHN  
 `"ChallengeName": "WEB_AUTHN", "ChallengeResponses": { "USERNAME": "[username]", "CREDENTIAL": "[AuthenticationResponseJSON]"}`   
See [ AuthenticationResponseJSON](https://www.w3.org/TR/WebAuthn-3/#dictdef-authenticationresponsejson).  
PASSWORD  
 `"ChallengeName": "PASSWORD", "ChallengeResponses": { "USERNAME": "[username]", "PASSWORD": "[password]"}`   
PASSWORD\$1SRP  
 `"ChallengeName": "PASSWORD_SRP", "ChallengeResponses": { "USERNAME": "[username]", "SRP_A": "[SRP_A]"}`   
SMS\$1OTP  
 `"ChallengeName": "SMS_OTP", "ChallengeResponses": {"SMS_OTP_CODE": "[code]", "USERNAME": "[username]"}`   
EMAIL\$1OTP  
 `"ChallengeName": "EMAIL_OTP", "ChallengeResponses": {"EMAIL_OTP_CODE": "[code]", "USERNAME": "[username]"}`   
SMS\$1MFA  
 `"ChallengeName": "SMS_MFA", "ChallengeResponses": {"SMS_MFA_CODE": "[code]", "USERNAME": "[username]"}`   
PASSWORD\$1VERIFIER  
This challenge response is part of the SRP flow. Amazon Cognito requires that your application respond to this challenge within a few seconds. When the response time exceeds this period, your user pool returns a `NotAuthorizedException` error.  
 `"ChallengeName": "PASSWORD_VERIFIER", "ChallengeResponses": {"PASSWORD_CLAIM_SIGNATURE": "[claim_signature]", "PASSWORD_CLAIM_SECRET_BLOCK": "[secret_block]", "TIMESTAMP": [timestamp], "USERNAME": "[username]"}`   
CUSTOM\$1CHALLENGE  
 `"ChallengeName": "CUSTOM_CHALLENGE", "ChallengeResponses": {"USERNAME": "[username]", "ANSWER": "[challenge_answer]"}`   
NEW\$1PASSWORD\$1REQUIRED  
 `"ChallengeName": "NEW_PASSWORD_REQUIRED", "ChallengeResponses": {"NEW_PASSWORD": "[new_password]", "USERNAME": "[username]"}`   
To set any required attributes that `InitiateAuth` returned in an `requiredAttributes` parameter, add `"userAttributes.[attribute_name]": "[attribute_value]"`. This parameter can also set values for writable attributes that aren't required by your user pool.  
In a `NEW_PASSWORD_REQUIRED` challenge response, you can't modify a required attribute that already has a value. In `AdminRespondToAuthChallenge` or `RespondToAuthChallenge`, set a value for any keys that Amazon Cognito returned in the `requiredAttributes` parameter, then use the `AdminUpdateUserAttributes` or `UpdateUserAttributes` API operation to modify the value of any additional attributes.  
SOFTWARE\$1TOKEN\$1MFA  
 `"ChallengeName": "SOFTWARE_TOKEN_MFA", "ChallengeResponses": {"USERNAME": "[username]", "SOFTWARE_TOKEN_MFA_CODE": [authenticator_code]}`   
DEVICE\$1SRP\$1AUTH  
 `"ChallengeName": "DEVICE_SRP_AUTH", "ChallengeResponses": {"USERNAME": "[username]", "DEVICE_KEY": "[device_key]", "SRP_A": "[srp_a]"}`   
DEVICE\$1PASSWORD\$1VERIFIER  
 `"ChallengeName": "DEVICE_PASSWORD_VERIFIER", "ChallengeResponses": {"DEVICE_KEY": "[device_key]", "PASSWORD_CLAIM_SIGNATURE": "[claim_signature]", "PASSWORD_CLAIM_SECRET_BLOCK": "[secret_block]", "TIMESTAMP": [timestamp], "USERNAME": "[username]"}`   
MFA\$1SETUP  
 `"ChallengeName": "MFA_SETUP", "ChallengeResponses": {"USERNAME": "[username]"}, "SESSION": "[Session ID from VerifySoftwareToken]"`   
SELECT\$1MFA\$1TYPE  
 `"ChallengeName": "SELECT_MFA_TYPE", "ChallengeResponses": {"USERNAME": "[username]", "ANSWER": "[SMS_MFA|EMAIL_MFA|SOFTWARE_TOKEN_MFA]"}` 
For more information about `SECRET_HASH`, see [Computing secret hash values](https://docs.aws.amazon.com/cognito/latest/developerguide/signing-up-users-in-your-app.html#cognito-user-pools-computing-secret-hash). For information about `DEVICE_KEY`, see [Working with user devices in your user pool](https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-device-tracking.html).  
Type: String to string map  
Key Length Constraints: Minimum length of 0. Maximum length of 131072.  
Value Length Constraints: Minimum length of 0. Maximum length of 131072.  
Required: No

 ** [ClientId](#API_RespondToAuthChallenge_RequestSyntax) **   <a name="CognitoUserPools-RespondToAuthChallenge-request-ClientId"></a>
The ID of the app client where the user is signing in.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 128.  
Pattern: `[\w+]+`   
Required: Yes

 ** [ClientMetadata](#API_RespondToAuthChallenge_RequestSyntax) **   <a name="CognitoUserPools-RespondToAuthChallenge-request-ClientMetadata"></a>
A map of custom key-value pairs that you can provide as input for any custom workflows that this action triggers. You create custom workflows by assigning AWS Lambda functions to user pool triggers.  
When Amazon Cognito invokes any of these functions, it passes a JSON payload, which the function receives as input. This payload contains a `clientMetadata` attribute that provides the data that you assigned to the ClientMetadata parameter in your request. In your function code, you can process the `clientMetadata` value to enhance your workflow for your specific needs.  
To review the Lambda trigger types that Amazon Cognito invokes at runtime with API requests, see [ Connecting API actions to Lambda triggers](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-working-with-lambda-triggers.html#lambda-triggers-by-event) in the *Amazon Cognito Developer Guide*.  
When you use the `ClientMetadata` parameter, note that Amazon Cognito won't do the following:  
+ Store the `ClientMetadata` value. This data is available only to AWS Lambda triggers that are assigned to a user pool to support custom workflows. If your user pool configuration doesn't include triggers, the `ClientMetadata` parameter serves no purpose.
+ Validate the `ClientMetadata` value.
+ Encrypt the `ClientMetadata` value. Don't send sensitive information in this parameter.
Type: String to string map  
Key Length Constraints: Minimum length of 0. Maximum length of 131072.  
Value Length Constraints: Minimum length of 0. Maximum length of 131072.  
Required: No

 ** [Session](#API_RespondToAuthChallenge_RequestSyntax) **   <a name="CognitoUserPools-RespondToAuthChallenge-request-Session"></a>
The session identifier that maintains the state of authentication requests and challenge responses. If an `AdminInitiateAuth` or `AdminRespondToAuthChallenge` API request results in a determination that your application must pass another challenge, Amazon Cognito returns a session with other challenge parameters. Send this session identifier, unmodified, to the next `AdminRespondToAuthChallenge` request.  
Type: String  
Length Constraints: Minimum length of 20. Maximum length of 2048.  
Required: No

 ** [UserContextData](#API_RespondToAuthChallenge_RequestSyntax) **   <a name="CognitoUserPools-RespondToAuthChallenge-request-UserContextData"></a>
Contextual data about your user session like the device fingerprint, IP address, or location. Amazon Cognito threat protection evaluates the risk of an authentication event based on the context that your app generates and passes to Amazon Cognito when it makes API requests.  
For more information, see [Collecting data for threat protection in applications](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-viewing-threat-protection-app.html).  
Type: [UserContextDataType](API_UserContextDataType.md) object  
Required: No

## Response Syntax


```
{
   "AuthenticationResult": { 
      "AccessToken": "string",
      "ExpiresIn": number,
      "IdToken": "string",
      "NewDeviceMetadata": { 
         "DeviceGroupKey": "string",
         "DeviceKey": "string"
      },
      "RefreshToken": "string",
      "TokenType": "string"
   },
   "ChallengeName": "string",
   "ChallengeParameters": { 
      "string" : "string" 
   },
   "Session": "string"
}
```

## Response Elements


If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

 ** [AuthenticationResult](#API_RespondToAuthChallenge_ResponseSyntax) **   <a name="CognitoUserPools-RespondToAuthChallenge-response-AuthenticationResult"></a>
The outcome of a successful authentication process. After your application has passed all challenges, Amazon Cognito returns an `AuthenticationResult` with the JSON web tokens (JWTs) that indicate successful sign-in.  
Type: [AuthenticationResultType](API_AuthenticationResultType.md) object

 ** [ChallengeName](#API_RespondToAuthChallenge_ResponseSyntax) **   <a name="CognitoUserPools-RespondToAuthChallenge-response-ChallengeName"></a>
The name of the next challenge that you must respond to.  
Possible challenges include the following:  
All of the following challenges require `USERNAME` and, when the app client has a client secret, `SECRET_HASH` in the parameters. Include a `DEVICE_KEY` for device authentication.
+  `WEB_AUTHN`: Respond to the challenge with the results of a successful authentication with a WebAuthn authenticator, or passkey, as `CREDENTIAL`. Examples of WebAuthn authenticators include biometric devices and security keys.
+  `PASSWORD`: Respond with the user's password as `PASSWORD`.
+  `PASSWORD_SRP`: Respond with the initial SRP secret as `SRP_A`.
+  `SELECT_CHALLENGE`: Respond with a challenge selection as `ANSWER`. It must be one of the challenge types in the `AvailableChallenges` response parameter. Add the parameters of the selected challenge, for example `USERNAME` and `SMS_OTP`.
+  `SMS_MFA`: Respond with the code that your user pool delivered in an SMS message, as `SMS_MFA_CODE` 
+  `EMAIL_MFA`: Respond with the code that your user pool delivered in an email message, as `EMAIL_MFA_CODE` 
+  `EMAIL_OTP`: Respond with the code that your user pool delivered in an email message, as `EMAIL_OTP_CODE` .
+  `SMS_OTP`: Respond with the code that your user pool delivered in an SMS message, as `SMS_OTP_CODE`.
+  `PASSWORD_VERIFIER`: Respond with the second stage of SRP secrets as `PASSWORD_CLAIM_SIGNATURE`, `PASSWORD_CLAIM_SECRET_BLOCK`, and `TIMESTAMP`.
+  `CUSTOM_CHALLENGE`: This is returned if your custom authentication flow determines that the user should pass another challenge before tokens are issued. The parameters of the challenge are determined by your Lambda function and issued in the `ChallengeParameters` of a challenge response.
+  `DEVICE_SRP_AUTH`: Respond with the initial parameters of device SRP authentication. For more information, see [Signing in with a device](https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-device-tracking.html#user-pools-remembered-devices-signing-in-with-a-device).
+  `DEVICE_PASSWORD_VERIFIER`: Respond with `PASSWORD_CLAIM_SIGNATURE`, `PASSWORD_CLAIM_SECRET_BLOCK`, and `TIMESTAMP` after client-side SRP calculations. For more information, see [Signing in with a device](https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-device-tracking.html#user-pools-remembered-devices-signing-in-with-a-device).
+  `NEW_PASSWORD_REQUIRED`: For users who are required to change their passwords after successful first login. Respond to this challenge with `NEW_PASSWORD` and any required attributes that Amazon Cognito returned in the `requiredAttributes` parameter. You can also set values for attributes that aren't required by your user pool and that your app client can write.

  Amazon Cognito only returns this challenge for users who have temporary passwords. When you create passwordless users, you must provide values for all required attributes.
**Note**  
In a `NEW_PASSWORD_REQUIRED` challenge response, you can't modify a required attribute that already has a value. In `AdminRespondToAuthChallenge` or `RespondToAuthChallenge`, set a value for any keys that Amazon Cognito returned in the `requiredAttributes` parameter, then use the `AdminUpdateUserAttributes` or `UpdateUserAttributes` API operation to modify the value of any additional attributes.
+  `MFA_SETUP`: For users who are required to setup an MFA factor before they can sign in. The MFA types activated for the user pool will be listed in the challenge parameters `MFAS_CAN_SETUP` value. 

  To set up time-based one-time password (TOTP) MFA, use the session returned in this challenge from `InitiateAuth` or `AdminInitiateAuth` as an input to `AssociateSoftwareToken`. Then, use the session returned by `VerifySoftwareToken` as an input to `RespondToAuthChallenge` or `AdminRespondToAuthChallenge` with challenge name `MFA_SETUP` to complete sign-in. 

  To set up SMS or email MFA, collect a `phone_number` or `email` attribute for the user. Then restart the authentication flow with an `InitiateAuth` or `AdminInitiateAuth` request. 
Type: String  
Valid Values: `SMS_MFA | EMAIL_OTP | SOFTWARE_TOKEN_MFA | SELECT_MFA_TYPE | MFA_SETUP | PASSWORD_VERIFIER | CUSTOM_CHALLENGE | SELECT_CHALLENGE | DEVICE_SRP_AUTH | DEVICE_PASSWORD_VERIFIER | ADMIN_NO_SRP_AUTH | NEW_PASSWORD_REQUIRED | SMS_OTP | PASSWORD | WEB_AUTHN | PASSWORD_SRP` 

 ** [ChallengeParameters](#API_RespondToAuthChallenge_ResponseSyntax) **   <a name="CognitoUserPools-RespondToAuthChallenge-response-ChallengeParameters"></a>
The parameters that define your response to the next challenge.  
Take the values in `ChallengeParameters` and provide values for them in the `ChallengeResponses` of the next [RespondToAuthChallenge](#API_RespondToAuthChallenge) request.  
Type: String to string map  
Key Length Constraints: Minimum length of 0. Maximum length of 131072.  
Value Length Constraints: Minimum length of 0. Maximum length of 131072.

 ** [Session](#API_RespondToAuthChallenge_ResponseSyntax) **   <a name="CognitoUserPools-RespondToAuthChallenge-response-Session"></a>
The session identifier that maintains the state of authentication requests and challenge responses. If an `InitiateAuth` or `RespondToAuthChallenge` API request results in a determination that your application must pass another challenge, Amazon Cognito returns a session with other challenge parameters. Send this session identifier, unmodified, to the next `RespondToAuthChallenge` request.  
Type: String  
Length Constraints: Minimum length of 20. Maximum length of 2048.

## Errors


For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).

 ** AliasExistsException **   
This exception is thrown when a user tries to confirm the account with an email address or phone number that has already been supplied as an alias for a different user profile. This exception indicates that an account with this email address or phone already exists in a user pool that you've configured to use email address or phone number as a sign-in alias.    
 ** message **   
The message that Amazon Cognito sends to the user when the value of an alias attribute is already linked to another user profile.
HTTP Status Code: 400

 ** CodeMismatchException **   
This exception is thrown if the provided code doesn't match what the server was expecting.    
 ** message **   
The message provided when the code mismatch exception is thrown.
HTTP Status Code: 400

 ** ExpiredCodeException **   
This exception is thrown if a code has expired.    
 ** message **   
The message returned when the expired code exception is thrown.
HTTP Status Code: 400

 ** ForbiddenException **   
This exception is thrown when AWS WAF doesn't allow your request based on a web ACL that's associated with your user pool.    
 ** message **   
The message returned when AWS WAF doesn't allow your request based on a web ACL that's associated with your user pool.
HTTP Status Code: 400

 ** InternalErrorException **   
This exception is thrown when Amazon Cognito encounters an internal error.    
 ** message **   
The message returned when Amazon Cognito throws an internal error exception.
HTTP Status Code: 500

 ** InvalidEmailRoleAccessPolicyException **   
This exception is thrown when Amazon Cognito isn't allowed to use your email identity. HTTP status code: 400.    
 ** message **   
The message returned when you have an unverified email address or the identity policy isn't set on an email address that Amazon Cognito can access.
HTTP Status Code: 400

 ** InvalidLambdaResponseException **   
This exception is thrown when Amazon Cognito encounters an invalid AWS Lambda response.    
 ** message **   
The message returned when Amazon Cognito throws an invalid AWS Lambda response exception.
HTTP Status Code: 400

 ** InvalidParameterException **   
This exception is thrown when the Amazon Cognito service encounters an invalid parameter.    
 ** message **   
The message returned when the Amazon Cognito service throws an invalid parameter exception.  
 ** reasonCode **   
The reason code of the exception.
HTTP Status Code: 400

 ** InvalidPasswordException **   
This exception is thrown when Amazon Cognito encounters an invalid password.    
 ** message **   
The message returned when Amazon Cognito throws an invalid user password exception.
HTTP Status Code: 400

 ** InvalidSmsRoleAccessPolicyException **   
This exception is returned when the role provided for SMS configuration doesn't have permission to publish using Amazon SNS.    
 ** message **   
The message returned when the invalid SMS role access policy exception is thrown.
HTTP Status Code: 400

 ** InvalidSmsRoleTrustRelationshipException **   
This exception is thrown when the trust relationship is not valid for the role provided for SMS configuration. This can happen if you don't trust `cognito-idp.amazonaws.com` or the external ID provided in the role does not match what is provided in the SMS configuration for the user pool.    
 ** message **   
The message returned when the role trust relationship for the SMS message is not valid.
HTTP Status Code: 400

 ** InvalidUserPoolConfigurationException **   
This exception is thrown when the user pool configuration is not valid.    
 ** message **   
The message returned when the user pool configuration is not valid.
HTTP Status Code: 400

 ** MFAMethodNotFoundException **   
This exception is thrown when Amazon Cognito can't find a multi-factor authentication (MFA) method.    
 ** message **   
The message returned when Amazon Cognito throws an MFA method not found exception.
HTTP Status Code: 400

 ** NotAuthorizedException **   
This exception is thrown when a user isn't authorized.    
 ** message **   
The message returned when the Amazon Cognito service returns a not authorized exception.
HTTP Status Code: 400

 ** PasswordHistoryPolicyViolationException **   
The message returned when a user's new password matches a previous password and doesn't comply with the password-history policy.  
HTTP Status Code: 400

 ** PasswordResetRequiredException **   
This exception is thrown when a password reset is required.    
 ** message **   
The message returned when a password reset is required.
HTTP Status Code: 400

 ** ResourceNotFoundException **   
This exception is thrown when the Amazon Cognito service can't find the requested resource.    
 ** message **   
The message returned when the Amazon Cognito service returns a resource not found exception.
HTTP Status Code: 400

 ** SoftwareTokenMFANotFoundException **   
This exception is thrown when the software token time-based one-time password (TOTP) multi-factor authentication (MFA) isn't activated for the user pool.  
HTTP Status Code: 400

 ** TooManyRequestsException **   
This exception is thrown when the user has made too many requests for a given operation.    
 ** message **   
The message returned when the Amazon Cognito service returns a too many requests exception.
HTTP Status Code: 400

 ** UnexpectedLambdaException **   
This exception is thrown when Amazon Cognito encounters an unexpected exception with AWS Lambda.    
 ** message **   
The message returned when Amazon Cognito returns an unexpected Lambda exception.
HTTP Status Code: 400

 ** UserLambdaValidationException **   
This exception is thrown when the Amazon Cognito service encounters a user validation exception with the AWS Lambda service.    
 ** message **   
The message returned when the Amazon Cognito service returns a user validation exception with the Lambda service.
HTTP Status Code: 400

 ** UserNotConfirmedException **   
This exception is thrown when a user isn't confirmed successfully.    
 ** message **   
The message returned when a user isn't confirmed successfully.
HTTP Status Code: 400

 ** UserNotFoundException **   
This exception is thrown when a user isn't found.    
 ** message **   
The message returned when a user isn't found.
HTTP Status Code: 400

## Examples


### Example


The following example completes sign-in for the user `testuser` with an email-message OTP. Because no additional challenges are required, the request returns an `AuthenticationResult` with ID, access, and refresh tokens.

#### Sample Request


```
POST HTTP/1.1
Host: cognito-idp.us-east-1.amazonaws.com
X-Amz-Date: 20230613T200059Z
Accept-Encoding: gzip, deflate, br
X-Amz-Target: AWSCognitoIdentityProviderService.RespondToAuthChallenge
User-Agent: <UserAgentString>
Authorization: AWS4-HMAC-SHA256 Credential=<Credential>, SignedHeaders=<Headers>, Signature=<Signature>
Content-Length: <PayloadSizeBytes>

{
  "ChallengeName": "EMAIL_OTP",
  "ClientId": "1example23456789",
  "UserPoolId": "us-west-2_EXAMPLE",
  "ChallengeResponses": {
    "USERNAME" : "testuser",
    "EMAIL_OTP_CODE": "12345678"
  },
  "Session": "AYABeC1-y8qooiuysEv0uM4wAqQAHQABAAdTZXJ2aWNlABBDb2duaXRvVXNlclBvb2xzAAEAB2F3cy1rbXMAS2Fybjphd3M6a21zOnVzLXd..."
}
```

#### Sample Response


```
HTTP/1.1 200 OK
Date: Tue, 13 Jun 2023 20:00:59 GMT
Content-Type: application/x-amz-json-1.0
Content-Length: <PayloadSizeBytes>
x-amzn-requestid: a1b2c3d4-e5f6-a1b2-c3d4-EXAMPLE11111
Connection: keep-alive

{
    "AuthenticationResult": {
        "AccessToken": "eyJra456defEXAMPLE",
        "ExpiresIn": 3600,
        "IdToken": "eyJra789ghiEXAMPLE",
        "RefreshToken": "eyJra123abcEXAMPLE",
        "TokenType": "Bearer"
    },
    "ChallengeParameters": {
    }
}
```

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cognito-idp-2016-04-18/RespondToAuthChallenge) 
+  [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cognito-idp-2016-04-18/RespondToAuthChallenge) 
+  [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/RespondToAuthChallenge) 
+  [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cognito-idp-2016-04-18/RespondToAuthChallenge) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/RespondToAuthChallenge) 
+  [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cognito-idp-2016-04-18/RespondToAuthChallenge) 
+  [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cognito-idp-2016-04-18/RespondToAuthChallenge) 
+  [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cognito-idp-2016-04-18/RespondToAuthChallenge) 
+  [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/RespondToAuthChallenge) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cognito-idp-2016-04-18/RespondToAuthChallenge) 

# RevokeToken


Revokes all of the access tokens generated by, and at the same time as, the specified refresh token. After a token is revoked, you can't use the revoked token to access Amazon Cognito user APIs, or to authorize access to your resource server.

**Note**  
Amazon Cognito doesn't evaluate AWS Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you can't use IAM credentials to authorize requests, and you can't grant IAM permissions in policies. For more information about authorization models in Amazon Cognito, see [Using the Amazon Cognito user pools API and user pool endpoints](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html).

## Request Syntax


```
{
   "ClientId": "string",
   "ClientSecret": "string",
   "Token": "string"
}
```

## Request Parameters


For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).

The request accepts the following data in JSON format.

 ** [ClientId](#API_RevokeToken_RequestSyntax) **   <a name="CognitoUserPools-RevokeToken-request-ClientId"></a>
The ID of the app client where the token that you want to revoke was issued.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 128.  
Pattern: `[\w+]+`   
Required: Yes

 ** [ClientSecret](#API_RevokeToken_RequestSyntax) **   <a name="CognitoUserPools-RevokeToken-request-ClientSecret"></a>
The client secret of the requested app client, if the client has a secret.  
Type: String  
Length Constraints: Minimum length of 24. Maximum length of 64.  
Pattern: `[\w+]+`   
Required: No

 ** [Token](#API_RevokeToken_RequestSyntax) **   <a name="CognitoUserPools-RevokeToken-request-Token"></a>
The refresh token that you want to revoke.  
Type: String  
Pattern: `[A-Za-z0-9-_=.]+`   
Required: Yes

## Response Elements


If the action is successful, the service sends back an HTTP 200 response with an empty HTTP body.

## Errors


For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).

 ** ForbiddenException **   
This exception is thrown when AWS WAF doesn't allow your request based on a web ACL that's associated with your user pool.    
 ** message **   
The message returned when AWS WAF doesn't allow your request based on a web ACL that's associated with your user pool.
HTTP Status Code: 400

 ** InternalErrorException **   
This exception is thrown when Amazon Cognito encounters an internal error.    
 ** message **   
The message returned when Amazon Cognito throws an internal error exception.
HTTP Status Code: 500

 ** InvalidParameterException **   
This exception is thrown when the Amazon Cognito service encounters an invalid parameter.    
 ** message **   
The message returned when the Amazon Cognito service throws an invalid parameter exception.  
 ** reasonCode **   
The reason code of the exception.
HTTP Status Code: 400

 ** TooManyRequestsException **   
This exception is thrown when the user has made too many requests for a given operation.    
 ** message **   
The message returned when the Amazon Cognito service returns a too many requests exception.
HTTP Status Code: 400

 ** UnauthorizedException **   
Exception that is thrown when the request isn't authorized. This can happen due to an invalid access token in the request.  
HTTP Status Code: 400

 ** UnsupportedOperationException **   
Exception that is thrown when you attempt to perform an operation that isn't enabled for the user pool client.  
HTTP Status Code: 400

 ** UnsupportedTokenTypeException **   
Exception that is thrown when an unsupported token is passed to an operation.  
HTTP Status Code: 400

## Examples


### Example


The following example request revokes the current user's refresh token and access tokens.

#### Sample Request


```
POST HTTP/1.1
Host: cognito-idp.us-west-2.amazonaws.com
X-Amz-Date: 20230613T200059Z
Accept-Encoding: gzip, deflate, br
X-Amz-Target: AWSCognitoIdentityProviderService.RevokeToken
User-Agent: <UserAgentString>
Authorization: AWS4-HMAC-SHA256 Credential=<Credential>, SignedHeaders=<Headers>, Signature=<Signature>
Content-Length: <PayloadSizeBytes>
{
   "ClientId": "1example23456789",
   "Token": "eyJj123abcEXAMPLE"
}
```

#### Sample Response


```
HTTP/1.1 200 OK
Date: Tue, 13 Jun 2023 20:00:59 GMT
Content-Type: application/x-amz-json-1.0
Content-Length: <PayloadSizeBytes>
x-amzn-requestid: a1b2c3d4-e5f6-a1b2-c3d4-EXAMPLE11111
Connection: keep-alive
{}
```

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cognito-idp-2016-04-18/RevokeToken) 
+  [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cognito-idp-2016-04-18/RevokeToken) 
+  [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/RevokeToken) 
+  [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cognito-idp-2016-04-18/RevokeToken) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/RevokeToken) 
+  [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cognito-idp-2016-04-18/RevokeToken) 
+  [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cognito-idp-2016-04-18/RevokeToken) 
+  [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cognito-idp-2016-04-18/RevokeToken) 
+  [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/RevokeToken) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cognito-idp-2016-04-18/RevokeToken) 

# SetLogDeliveryConfiguration


Sets up or modifies the logging configuration of a user pool. User pools can export user notification logs and, when threat protection is active, user-activity logs. For more information, see [Exporting user pool logs](https://docs.aws.amazon.com/cognito/latest/developerguide/exporting-quotas-and-usage.html).

## Request Syntax


```
{
   "LogConfigurations": [ 
      { 
         "CloudWatchLogsConfiguration": { 
            "LogGroupArn": "string"
         },
         "EventSource": "string",
         "FirehoseConfiguration": { 
            "StreamArn": "string"
         },
         "LogLevel": "string",
         "S3Configuration": { 
            "BucketArn": "string"
         }
      }
   ],
   "UserPoolId": "string"
}
```

## Request Parameters


For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).

The request accepts the following data in JSON format.

 ** [LogConfigurations](#API_SetLogDeliveryConfiguration_RequestSyntax) **   <a name="CognitoUserPools-SetLogDeliveryConfiguration-request-LogConfigurations"></a>
A collection of the logging configurations for a user pool.  
Type: Array of [LogConfigurationType](API_LogConfigurationType.md) objects  
Array Members: Minimum number of 0 items. Maximum number of 2 items.  
Required: Yes

 ** [UserPoolId](#API_SetLogDeliveryConfiguration_RequestSyntax) **   <a name="CognitoUserPools-SetLogDeliveryConfiguration-request-UserPoolId"></a>
The ID of the user pool where you want to configure logging.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 55.  
Pattern: `[\w-]+_[0-9a-zA-Z]+`   
Required: Yes

## Response Syntax


```
{
   "LogDeliveryConfiguration": { 
      "LogConfigurations": [ 
         { 
            "CloudWatchLogsConfiguration": { 
               "LogGroupArn": "string"
            },
            "EventSource": "string",
            "FirehoseConfiguration": { 
               "StreamArn": "string"
            },
            "LogLevel": "string",
            "S3Configuration": { 
               "BucketArn": "string"
            }
         }
      ],
      "UserPoolId": "string"
   }
}
```

## Response Elements


If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

 ** [LogDeliveryConfiguration](#API_SetLogDeliveryConfiguration_ResponseSyntax) **   <a name="CognitoUserPools-SetLogDeliveryConfiguration-response-LogDeliveryConfiguration"></a>
The logging configuration that you applied to the requested user pool.  
Type: [LogDeliveryConfigurationType](API_LogDeliveryConfigurationType.md) object

## Errors


For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).

 ** FeatureUnavailableInTierException **   
This exception is thrown when a feature you attempted to configure isn't available in your current feature plan.  
HTTP Status Code: 400

 ** InternalErrorException **   
This exception is thrown when Amazon Cognito encounters an internal error.    
 ** message **   
The message returned when Amazon Cognito throws an internal error exception.
HTTP Status Code: 500

 ** InvalidParameterException **   
This exception is thrown when the Amazon Cognito service encounters an invalid parameter.    
 ** message **   
The message returned when the Amazon Cognito service throws an invalid parameter exception.  
 ** reasonCode **   
The reason code of the exception.
HTTP Status Code: 400

 ** NotAuthorizedException **   
This exception is thrown when a user isn't authorized.    
 ** message **   
The message returned when the Amazon Cognito service returns a not authorized exception.
HTTP Status Code: 400

 ** ResourceNotFoundException **   
This exception is thrown when the Amazon Cognito service can't find the requested resource.    
 ** message **   
The message returned when the Amazon Cognito service returns a resource not found exception.
HTTP Status Code: 400

 ** TooManyRequestsException **   
This exception is thrown when the user has made too many requests for a given operation.    
 ** message **   
The message returned when the Amazon Cognito service returns a too many requests exception.
HTTP Status Code: 400

## Examples


### Example


A `SetLogDeliveryConfiguration` request that exports `userNotification` logs to a log group and `userAuthEvents` logs to an Amazon S3 bucket.

#### Sample Request


```
POST HTTP/1.1
Host: cognito-idp.us-east-1.amazonaws.com
X-Amz-Date: 20230613T200059Z
Accept-Encoding: gzip, deflate, br
X-Amz-Target: AWSCognitoIdentityProviderService.SetLogDeliveryConfiguration
User-Agent: <UserAgentString>
Authorization: AWS4-HMAC-SHA256 Credential=<Credential>, SignedHeaders=<Headers>, Signature=<Signature>
Content-Length: <PayloadSizeBytes>
{
    "LogConfigurations": [
        {
            "CloudWatchLogsConfiguration": {
                "LogGroupArn": "arn:aws:logs:us-west-2:123456789012:log-group:cognito-exported"
            },
            "EventSource": "userNotification",
            "LogLevel": "ERROR"
        },
        {
            "EventSource": "userAuthEvents",
            "LogLevel": "INFO",
            "S3Configuration": {
                "BucketArn": "arn:aws:s3:::amzn-s3-demo-bucket1"
            }
        }
    ],
    "UserPoolId": "us-west-2_EXAMPLE"
}
```

#### Sample Response


```
HTTP/1.1 200 OK
Date: Tue, 13 Jun 2023 20:00:59 GMT
Content-Type: application/x-amz-json-1.0
Content-Length: <PayloadSizeBytes>
x-amzn-requestid: a1b2c3d4-e5f6-a1b2-c3d4-EXAMPLE11111
Connection: keep-alive
{
   "LogDeliveryConfiguration": {
      "LogConfigurations": [
        {
            "CloudWatchLogsConfiguration": {
                "LogGroupArn": "arn:aws:logs:us-west-2:123456789012:log-group:cognito-exported"
            },
            "EventSource": "userNotification",
            "LogLevel": "ERROR"
        },
        {
            "EventSource": "userAuthEvents",
            "LogLevel": "INFO",
            "S3Configuration": {
                "BucketArn": "arn:aws:s3:::amzn-s3-demo-bucket1"
            }
        }
    ],
    "UserPoolId": "us-west-2_EXAMPLE"
   }
}
```

### Example


A `SetLogDeliveryConfiguration` request that exports `userAuthEvents` events to a Firehose stream and `userNotification` events to a CloudWatch log group.

#### Sample Request


```
POST HTTP/1.1
Host: cognito-idp.us-west-2.amazonaws.com
X-Amz-Date: 20230613T200059Z
Accept-Encoding: gzip, deflate, br
X-Amz-Target: AWSCognitoIdentityProviderService.SetLogDeliveryConfiguration
User-Agent: <UserAgentString>
Authorization: AWS4-HMAC-SHA256 Credential=<Credential>, SignedHeaders=<Headers>, Signature=<Signature>
Content-Length: <PayloadSizeBytes>
{
   "LogConfigurations": [
      {
         "EventSource": "userAuthEvents",
         "FirehoseConfiguration": {
            "StreamArn": "arn:aws:firehose:us-west-2:123456789012:deliverystream/example-user-pool-activity-exported"
         },
         "LogLevel": "INFO"
      }
   ],
   [
      {
         "CloudWatchLogsConfiguration": {
            "LogGroupArn": "arn:aws:logs:us-west-2:123456789012:log-group:example-user-pool-error-exported"
         },
         "EventSource": "userNotification",
         "LogLevel": "ERROR"
      }
   ],
   "UserPoolId": "us-west-2_EXAMPLE"
}
```

#### Sample Response


```
HTTP/1.1 200 OK
Date: Tue, 13 Jun 2023 20:00:59 GMT
Content-Type: application/x-amz-json-1.0
Content-Length: <PayloadSizeBytes>
x-amzn-requestid: a1b2c3d4-e5f6-a1b2-c3d4-EXAMPLE11111
Connection: keep-alive
{
    "LogDeliveryConfiguration": {
        "LogConfigurations": [
            {
                "CloudWatchLogsConfiguration": {
                    "LogGroupArn": "arn:aws:firehose:us-west-2:123456789012:deliverystream/example-user-pool-activity-exported"
                },
                "EventSource": "userNotification",
                "LogLevel": "ERROR"
            },
            {
                "EventSource": "userAuthEvents",
                "FirehoseConfiguration": {
                    "StreamArn": "arn:aws:logs:us-west-2:123456789012:log-group:example-user-pool-error-exported"
                },
                "LogLevel": "INFO"
            }
        ],
        "UserPoolId": "us-west-2_EXAMPLE"
    }
}
```

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cognito-idp-2016-04-18/SetLogDeliveryConfiguration) 
+  [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cognito-idp-2016-04-18/SetLogDeliveryConfiguration) 
+  [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/SetLogDeliveryConfiguration) 
+  [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cognito-idp-2016-04-18/SetLogDeliveryConfiguration) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/SetLogDeliveryConfiguration) 
+  [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cognito-idp-2016-04-18/SetLogDeliveryConfiguration) 
+  [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cognito-idp-2016-04-18/SetLogDeliveryConfiguration) 
+  [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cognito-idp-2016-04-18/SetLogDeliveryConfiguration) 
+  [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/SetLogDeliveryConfiguration) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cognito-idp-2016-04-18/SetLogDeliveryConfiguration) 

# SetRiskConfiguration


Configures threat protection for a user pool or app client. Sets configuration for the following.
+ Responses to risks with adaptive authentication
+ Responses to vulnerable passwords with compromised-credentials detection
+ Notifications to users who have had risky activity detected
+ IP-address denylist and allowlist

To set the risk configuration for the user pool to defaults, send this request with only the `UserPoolId` parameter. To reset the threat protection settings of an app client to be inherited from the user pool, send `UserPoolId` and `ClientId` parameters only. To change threat protection to audit-only or off, update the value of `UserPoolAddOns` in an `UpdateUserPool` request. To activate this setting, your user pool must be on the [ Plus tier](https://docs.aws.amazon.com/cognito/latest/developerguide/feature-plans-features-plus.html).

## Request Syntax


```
{
   "AccountTakeoverRiskConfiguration": { 
      "Actions": { 
         "HighAction": { 
            "EventAction": "string",
            "Notify": boolean
         },
         "LowAction": { 
            "EventAction": "string",
            "Notify": boolean
         },
         "MediumAction": { 
            "EventAction": "string",
            "Notify": boolean
         }
      },
      "NotifyConfiguration": { 
         "BlockEmail": { 
            "HtmlBody": "string",
            "Subject": "string",
            "TextBody": "string"
         },
         "From": "string",
         "MfaEmail": { 
            "HtmlBody": "string",
            "Subject": "string",
            "TextBody": "string"
         },
         "NoActionEmail": { 
            "HtmlBody": "string",
            "Subject": "string",
            "TextBody": "string"
         },
         "ReplyTo": "string",
         "SourceArn": "string"
      }
   },
   "ClientId": "string",
   "CompromisedCredentialsRiskConfiguration": { 
      "Actions": { 
         "EventAction": "string"
      },
      "EventFilter": [ "string" ]
   },
   "RiskExceptionConfiguration": { 
      "BlockedIPRangeList": [ "string" ],
      "SkippedIPRangeList": [ "string" ]
   },
   "UserPoolId": "string"
}
```

## Request Parameters


For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).

The request accepts the following data in JSON format.

 ** [AccountTakeoverRiskConfiguration](#API_SetRiskConfiguration_RequestSyntax) **   <a name="CognitoUserPools-SetRiskConfiguration-request-AccountTakeoverRiskConfiguration"></a>
The settings for automated responses and notification templates for adaptive authentication with threat protection.  
Type: [AccountTakeoverRiskConfigurationType](API_AccountTakeoverRiskConfigurationType.md) object  
Required: No

 ** [ClientId](#API_SetRiskConfiguration_RequestSyntax) **   <a name="CognitoUserPools-SetRiskConfiguration-request-ClientId"></a>
The ID of the app client where you want to set a risk configuration. If `ClientId` is null, then the risk configuration is mapped to `UserPoolId`. When the client ID is null, the same risk configuration is applied to all the clients in the userPool.  
When you include a `ClientId` parameter, Amazon Cognito maps the configuration to the app client. When you include both `ClientId` and `UserPoolId`, Amazon Cognito maps the configuration to the app client only.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 128.  
Pattern: `[\w+]+`   
Required: No

 ** [CompromisedCredentialsRiskConfiguration](#API_SetRiskConfiguration_RequestSyntax) **   <a name="CognitoUserPools-SetRiskConfiguration-request-CompromisedCredentialsRiskConfiguration"></a>
The configuration of automated reactions to detected compromised credentials. Includes settings for blocking future sign-in requests and for the types of password-submission events you want to monitor.  
Type: [CompromisedCredentialsRiskConfigurationType](API_CompromisedCredentialsRiskConfigurationType.md) object  
Required: No

 ** [RiskExceptionConfiguration](#API_SetRiskConfiguration_RequestSyntax) **   <a name="CognitoUserPools-SetRiskConfiguration-request-RiskExceptionConfiguration"></a>
A set of IP-address overrides to threat protection. You can set up IP-address always-block and always-allow lists.  
Type: [RiskExceptionConfigurationType](API_RiskExceptionConfigurationType.md) object  
Required: No

 ** [UserPoolId](#API_SetRiskConfiguration_RequestSyntax) **   <a name="CognitoUserPools-SetRiskConfiguration-request-UserPoolId"></a>
The ID of the user pool where you want to set a risk configuration. If you include `UserPoolId` in your request, don't include `ClientId`. When the client ID is null, the same risk configuration is applied to all the clients in the userPool. When you include both `ClientId` and `UserPoolId`, Amazon Cognito maps the configuration to the app client only.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 55.  
Pattern: `[\w-]+_[0-9a-zA-Z]+`   
Required: Yes

## Response Syntax


```
{
   "RiskConfiguration": { 
      "AccountTakeoverRiskConfiguration": { 
         "Actions": { 
            "HighAction": { 
               "EventAction": "string",
               "Notify": boolean
            },
            "LowAction": { 
               "EventAction": "string",
               "Notify": boolean
            },
            "MediumAction": { 
               "EventAction": "string",
               "Notify": boolean
            }
         },
         "NotifyConfiguration": { 
            "BlockEmail": { 
               "HtmlBody": "string",
               "Subject": "string",
               "TextBody": "string"
            },
            "From": "string",
            "MfaEmail": { 
               "HtmlBody": "string",
               "Subject": "string",
               "TextBody": "string"
            },
            "NoActionEmail": { 
               "HtmlBody": "string",
               "Subject": "string",
               "TextBody": "string"
            },
            "ReplyTo": "string",
            "SourceArn": "string"
         }
      },
      "ClientId": "string",
      "CompromisedCredentialsRiskConfiguration": { 
         "Actions": { 
            "EventAction": "string"
         },
         "EventFilter": [ "string" ]
      },
      "LastModifiedDate": number,
      "RiskExceptionConfiguration": { 
         "BlockedIPRangeList": [ "string" ],
         "SkippedIPRangeList": [ "string" ]
      },
      "UserPoolId": "string"
   }
}
```

## Response Elements


If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

 ** [RiskConfiguration](#API_SetRiskConfiguration_ResponseSyntax) **   <a name="CognitoUserPools-SetRiskConfiguration-response-RiskConfiguration"></a>
The API response that contains the risk configuration that you set and the timestamp of the most recent change.  
Type: [RiskConfigurationType](API_RiskConfigurationType.md) object

## Errors


For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).

 ** CodeDeliveryFailureException **   
This exception is thrown when a verification code fails to deliver successfully.    
 ** message **   
The message sent when a verification code fails to deliver successfully.
HTTP Status Code: 400

 ** InternalErrorException **   
This exception is thrown when Amazon Cognito encounters an internal error.    
 ** message **   
The message returned when Amazon Cognito throws an internal error exception.
HTTP Status Code: 500

 ** InvalidEmailRoleAccessPolicyException **   
This exception is thrown when Amazon Cognito isn't allowed to use your email identity. HTTP status code: 400.    
 ** message **   
The message returned when you have an unverified email address or the identity policy isn't set on an email address that Amazon Cognito can access.
HTTP Status Code: 400

 ** InvalidParameterException **   
This exception is thrown when the Amazon Cognito service encounters an invalid parameter.    
 ** message **   
The message returned when the Amazon Cognito service throws an invalid parameter exception.  
 ** reasonCode **   
The reason code of the exception.
HTTP Status Code: 400

 ** NotAuthorizedException **   
This exception is thrown when a user isn't authorized.    
 ** message **   
The message returned when the Amazon Cognito service returns a not authorized exception.
HTTP Status Code: 400

 ** ResourceNotFoundException **   
This exception is thrown when the Amazon Cognito service can't find the requested resource.    
 ** message **   
The message returned when the Amazon Cognito service returns a resource not found exception.
HTTP Status Code: 400

 ** TooManyRequestsException **   
This exception is thrown when the user has made too many requests for a given operation.    
 ** message **   
The message returned when the Amazon Cognito service returns a too many requests exception.
HTTP Status Code: 400

 ** UserPoolAddOnNotEnabledException **   
This exception is thrown when user pool add-ons aren't enabled.  
HTTP Status Code: 400

## Examples


### Example


The following example request configures the requested app client with adaptive authentication actions, compromised-credentials behavior, and IP-address exceptions. It also configures user notification templates.

#### Sample Request


```
POST HTTP/1.1
Host: cognito-idp.us-west-2.amazonaws.com
X-Amz-Date: 20230613T200059Z
Accept-Encoding: gzip, deflate, br
X-Amz-Target: AWSCognitoIdentityProviderService.SetRiskConfiguration
User-Agent: <UserAgentString>
Authorization: AWS4-HMAC-SHA256 Credential=<Credential>, SignedHeaders=<Headers>, Signature=<Signature>
Content-Length: <PayloadSizeBytes>
{
    "AccountTakeoverRiskConfiguration": {
        "Actions": {
            "HighAction": {
                "EventAction": "MFA_REQUIRED",
                "Notify": true
            },
            "LowAction": {
                "EventAction": "NO_ACTION",
                "Notify": true
            },
            "MediumAction": {
                "EventAction": "MFA_IF_CONFIGURED",
                "Notify": true
            }
        },
        "NotifyConfiguration": {
            "BlockEmail": {
                "HtmlBody": "<!DOCTYPE html>\n<html>\n<head>\n\t<title>HTML email context</title>\n\t<meta charset=\"utf-8\">\n</head>\n<body>\n<pre>We blocked an unrecognized sign-in to your account with this information:\n<ul>\n<li>Time: {login-time}</li>\n<li>Device: {device-name}</li>\n<li>Location: {city}, {country}</li>\n</ul>\nIf this sign-in was not by you, you should change your password and notify us by clicking on <a href={one-click-link-invalid}>this link</a>\nIf this sign-in was by you, you can follow <a href={one-click-link-valid}>this link</a> to let us know</pre>\n</body>\n</html>",
                "Subject": "Blocked sign-in attempt",
                "TextBody": "We blocked an unrecognized sign-in to your account with this information:\nTime: {login-time}\nDevice: {device-name}\nLocation: {city}, {country}\nIf this sign-in was not by you, you should change your password and notify us by clicking on {one-click-link-invalid}\nIf this sign-in was by you, you can follow {one-click-link-valid} to let us know"
            },
            "From": "admin@example.com",
            "MfaEmail": {
                "HtmlBody": "<!DOCTYPE html>\n<html>\n<head>\n\t<title>HTML email context</title>\n\t<meta charset=\"utf-8\">\n</head>\n<body>\n<pre>We required you to use multi-factor authentication for the following sign-in attempt:\n<ul>\n<li>Time: {login-time}</li>\n<li>Device: {device-name}</li>\n<li>Location: {city}, {country}</li>\n</ul>\nIf this sign-in was not by you, you should change your password and notify us by clicking on <a href={one-click-link-invalid}>this link</a>\nIf this sign-in was by you, you can follow <a href={one-click-link-valid}>this link</a> to let us know</pre>\n</body>\n</html>",
                "Subject": "New sign-in attempt",
                "TextBody": "We required you to use multi-factor authentication for the following sign-in attempt:\nTime: {login-time}\nDevice: {device-name}\nLocation: {city}, {country}\nIf this sign-in was not by you, you should change your password and notify us by clicking on {one-click-link-invalid}\nIf this sign-in was by you, you can follow {one-click-link-valid} to let us know"
            },
            "NoActionEmail": {
                "HtmlBody": "<!DOCTYPE html>\n<html>\n<head>\n\t<title>HTML email context</title>\n\t<meta charset=\"utf-8\">\n</head>\n<body>\n<pre>We observed an unrecognized sign-in to your account with this information:\n<ul>\n<li>Time: {login-time}</li>\n<li>Device: {device-name}</li>\n<li>Location: {city}, {country}</li>\n</ul>\nIf this sign-in was not by you, you should change your password and notify us by clicking on <a href={one-click-link-invalid}>this link</a>\nIf this sign-in was by you, you can follow <a href={one-click-link-valid}>this link</a> to let us know</pre>\n</body>\n</html>",
                "Subject": "New sign-in attempt",
                "TextBody": "We observed an unrecognized sign-in to your account with this information:\nTime: {login-time}\nDevice: {device-name}\nLocation: {city}, {country}\nIf this sign-in was not by you, you should change your password and notify us by clicking on {one-click-link-invalid}\nIf this sign-in was by you, you can follow {one-click-link-valid} to let us know"
            },
            "ReplyTo": "Administrator <admin@example.com>",
            "SourceArn": "arn:aws:ses:us-west-2:123456789012:identity/admin@example.com"
        }
    },
    "ClientId": "1example23456789",
    "CompromisedCredentialsRiskConfiguration": {
        "Actions": {
            "EventAction": "BLOCK"
        },
        "EventFilter": [
            "PASSWORD_CHANGE",
            "SIGN_UP",
            "SIGN_IN"
        ]
    },
    "RiskExceptionConfiguration": {
        "BlockedIPRangeList": [
            "192.0.2.1/32",
            "192.0.2.2/32"
        ],
        "SkippedIPRangeList": [
            "203.0.113.1/32",
            "203.0.113.2/32"
        ]
    },
    "UserPoolId": "us-west-2_EXAMPLE"
}
```

#### Sample Response


```
HTTP/1.1 200 OK
Date: Tue, 13 Jun 2023 20:00:59 GMT
Content-Type: application/x-amz-json-1.0
Content-Length: <PayloadSizeBytes>
x-amzn-requestid: a1b2c3d4-e5f6-a1b2-c3d4-EXAMPLE11111
Connection: keep-alive
{
    "RiskConfiguration": {
        "AccountTakeoverRiskConfiguration": {
            "Actions": {
                "HighAction": {
                    "EventAction": "MFA_REQUIRED",
                    "Notify": true
                },
                "LowAction": {
                    "EventAction": "NO_ACTION",
                    "Notify": true
                },
                "MediumAction": {
                    "EventAction": "MFA_IF_CONFIGURED",
                    "Notify": true
                }
            },
            "NotifyConfiguration": {
                "BlockEmail": {
                    "HtmlBody": "<!DOCTYPE html>\n<html>\n<head>\n\t<title>HTML email context</title>\n\t<meta charset=\"utf-8\">\n</head>\n<body>\n<pre>We blocked an unrecognized sign-in to your account with this information:\n<ul>\n<li>Time: {login-time}</li>\n<li>Device: {device-name}</li>\n<li>Location: {city}, {country}</li>\n</ul>\nIf this sign-in was not by you, you should change your password and notify us by clicking on <a href={one-click-link-invalid}>this link</a>\nIf this sign-in was by you, you can follow <a href={one-click-link-valid}>this link</a> to let us know</pre>\n</body>\n</html>",
                    "Subject": "Blocked sign-in attempt",
                    "TextBody": "We blocked an unrecognized sign-in to your account with this information:\nTime: {login-time}\nDevice: {device-name}\nLocation: {city}, {country}\nIf this sign-in was not by you, you should change your password and notify us by clicking on {one-click-link-invalid}\nIf this sign-in was by you, you can follow {one-click-link-valid} to let us know"
                },
                "From": "admin@example.com",
                "MfaEmail": {
                    "HtmlBody": "<!DOCTYPE html>\n<html>\n<head>\n\t<title>HTML email context</title>\n\t<meta charset=\"utf-8\">\n</head>\n<body>\n<pre>We required you to use multi-factor authentication for the following sign-in attempt:\n<ul>\n<li>Time: {login-time}</li>\n<li>Device: {device-name}</li>\n<li>Location: {city}, {country}</li>\n</ul>\nIf this sign-in was not by you, you should change your password and notify us by clicking on <a href={one-click-link-invalid}>this link</a>\nIf this sign-in was by you, you can follow <a href={one-click-link-valid}>this link</a> to let us know</pre>\n</body>\n</html>",
                    "Subject": "New sign-in attempt",
                    "TextBody": "We required you to use multi-factor authentication for the following sign-in attempt:\nTime: {login-time}\nDevice: {device-name}\nLocation: {city}, {country}\nIf this sign-in was not by you, you should change your password and notify us by clicking on {one-click-link-invalid}\nIf this sign-in was by you, you can follow {one-click-link-valid} to let us know"
                },
                "NoActionEmail": {
                    "HtmlBody": "<!DOCTYPE html>\n<html>\n<head>\n\t<title>HTML email context</title>\n\t<meta charset=\"utf-8\">\n</head>\n<body>\n<pre>We observed an unrecognized sign-in to your account with this information:\n<ul>\n<li>Time: {login-time}</li>\n<li>Device: {device-name}</li>\n<li>Location: {city}, {country}</li>\n</ul>\nIf this sign-in was not by you, you should change your password and notify us by clicking on <a href={one-click-link-invalid}>this link</a>\nIf this sign-in was by you, you can follow <a href={one-click-link-valid}>this link</a> to let us know</pre>\n</body>\n</html>",
                    "Subject": "New sign-in attempt",
                    "TextBody": "We observed an unrecognized sign-in to your account with this information:\nTime: {login-time}\nDevice: {device-name}\nLocation: {city}, {country}\nIf this sign-in was not by you, you should change your password and notify us by clicking on {one-click-link-invalid}\nIf this sign-in was by you, you can follow {one-click-link-valid} to let us know"
                },
                "ReplyTo": "admin@example.com",
                "SourceArn": "arn:aws:ses:us-west-2:123456789012:identity/admin@example.com"
            }
        },
        "ClientId": "1example23456789",
        "CompromisedCredentialsRiskConfiguration": {
            "Actions": {
                "EventAction": "BLOCK"
            },
            "EventFilter": [
                "PASSWORD_CHANGE",
                "SIGN_UP",
                "SIGN_IN"
            ]
        },
        "RiskExceptionConfiguration": {
            "BlockedIPRangeList": [
                "192.0.2.1/32",
                "192.0.2.2/32"
            ],
            "SkippedIPRangeList": [
                "203.0.113.1/32",
                "203.0.113.2/32"
            ]
        },
        "UserPoolId": "us-west-2_EXAMPLE"
    }
}
```

### Example


The following example request clears the threat protection settings of the requested app client.

#### Sample Request


```
POST HTTP/1.1
Host: cognito-idp.us-west-2.amazonaws.com
X-Amz-Date: 20230613T200059Z
Accept-Encoding: gzip, deflate, br
X-Amz-Target: AWSCognitoIdentityProviderService.SetRiskConfiguration
User-Agent: <UserAgentString>
Authorization: AWS4-HMAC-SHA256 Credential=<Credential>, SignedHeaders=<Headers>, Signature=<Signature>
Content-Length: <PayloadSizeBytes>
{
    "ClientId": "1example23456789",
    "UserPoolId": "us-west-2_EXAMPLE"
}
```

#### Sample Response


```
HTTP/1.1 200 OK
Date: Tue, 13 Jun 2023 20:00:59 GMT
Content-Type: application/x-amz-json-1.0
Content-Length: <PayloadSizeBytes>
x-amzn-requestid: a1b2c3d4-e5f6-a1b2-c3d4-EXAMPLE11111
Connection: keep-alive
{}
```

### Example


The following example request resets threat protection settings to default for the requested user pool.

#### Sample Request


```
POST HTTP/1.1
Host: cognito-idp.us-west-2.amazonaws.com
X-Amz-Date: 20230613T200059Z
Accept-Encoding: gzip, deflate, br
X-Amz-Target: AWSCognitoIdentityProviderService.SetRiskConfiguration
User-Agent: <UserAgentString>
Authorization: AWS4-HMAC-SHA256 Credential=<Credential>, SignedHeaders=<Headers>, Signature=<Signature>
Content-Length: <PayloadSizeBytes>
{
    "UserPoolId": "us-west-2_EXAMPLE"
}
```

#### Sample Response


```
HTTP/1.1 200 OK
Date: Tue, 13 Jun 2023 20:00:59 GMT
Content-Type: application/x-amz-json-1.0
Content-Length: <PayloadSizeBytes>
x-amzn-requestid: a1b2c3d4-e5f6-a1b2-c3d4-EXAMPLE11111
Connection: keep-alive
{}
```

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cognito-idp-2016-04-18/SetRiskConfiguration) 
+  [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cognito-idp-2016-04-18/SetRiskConfiguration) 
+  [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/SetRiskConfiguration) 
+  [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cognito-idp-2016-04-18/SetRiskConfiguration) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/SetRiskConfiguration) 
+  [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cognito-idp-2016-04-18/SetRiskConfiguration) 
+  [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cognito-idp-2016-04-18/SetRiskConfiguration) 
+  [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cognito-idp-2016-04-18/SetRiskConfiguration) 
+  [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/SetRiskConfiguration) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cognito-idp-2016-04-18/SetRiskConfiguration) 

# SetUICustomization


Configures UI branding settings for domains with the hosted UI (classic) branding version. Your user pool must have a domain. Configure a domain with [CreateUserPoolDomain](API_CreateUserPoolDomain.md).

Set the default configuration for all clients with a `ClientId` of `ALL`. When the `ClientId` value is an app client ID, the settings you pass in this request apply to that app client and override the default `ALL` configuration.

This operation has no effect on managed login pages. To configure branding for domains with the managed login branding version, see [CreateManagedLoginBranding](API_CreateManagedLoginBranding.md).

**Note**  
Amazon Cognito evaluates AWS Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.  
 [Signing AWS API Requests](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html) 
 [Using the Amazon Cognito user pools API and user pool endpoints](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html) 

## Request Syntax


```
{
   "ClientId": "string",
   "CSS": "string",
   "ImageFile": blob,
   "UserPoolId": "string"
}
```

## Request Parameters


For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).

The request accepts the following data in JSON format.

 ** [ClientId](#API_SetUICustomization_RequestSyntax) **   <a name="CognitoUserPools-SetUICustomization-request-ClientId"></a>
The ID of the app client that you want to customize. To apply a default style to all app clients not configured with client-level branding, set this parameter value to `ALL`.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 128.  
Pattern: `[\w+]+`   
Required: No

 ** [CSS](#API_SetUICustomization_RequestSyntax) **   <a name="CognitoUserPools-SetUICustomization-request-CSS"></a>
A plaintext CSS file that contains the custom fields that you want to apply to your user pool or app client. To download a template, go to the Amazon Cognito console. Navigate to your user pool *App clients* tab, select *Login pages*, edit *Hosted UI (classic) style*, and select the link to `CSS template.css`.  
Type: String  
Length Constraints: Minimum length of 0. Maximum length of 131072.  
Required: No

 ** [ImageFile](#API_SetUICustomization_RequestSyntax) **   <a name="CognitoUserPools-SetUICustomization-request-ImageFile"></a>
The image that you want to set as your login in the classic hosted UI, as a Base64-formatted binary object.  
Type: Base64-encoded binary data object  
Length Constraints: Minimum length of 0. Maximum length of 131072.  
Required: No

 ** [UserPoolId](#API_SetUICustomization_RequestSyntax) **   <a name="CognitoUserPools-SetUICustomization-request-UserPoolId"></a>
The ID of the user pool where you want to apply branding to the classic hosted UI.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 55.  
Pattern: `[\w-]+_[0-9a-zA-Z]+`   
Required: Yes

## Response Syntax


```
{
   "UICustomization": { 
      "ClientId": "string",
      "CreationDate": number,
      "CSS": "string",
      "CSSVersion": "string",
      "ImageUrl": "string",
      "LastModifiedDate": number,
      "UserPoolId": "string"
   }
}
```

## Response Elements


If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

 ** [UICustomization](#API_SetUICustomization_ResponseSyntax) **   <a name="CognitoUserPools-SetUICustomization-response-UICustomization"></a>
Information about the hosted UI branding that you applied.  
Type: [UICustomizationType](API_UICustomizationType.md) object

## Errors


For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).

 ** InternalErrorException **   
This exception is thrown when Amazon Cognito encounters an internal error.    
 ** message **   
The message returned when Amazon Cognito throws an internal error exception.
HTTP Status Code: 500

 ** InvalidParameterException **   
This exception is thrown when the Amazon Cognito service encounters an invalid parameter.    
 ** message **   
The message returned when the Amazon Cognito service throws an invalid parameter exception.  
 ** reasonCode **   
The reason code of the exception.
HTTP Status Code: 400

 ** NotAuthorizedException **   
This exception is thrown when a user isn't authorized.    
 ** message **   
The message returned when the Amazon Cognito service returns a not authorized exception.
HTTP Status Code: 400

 ** ResourceNotFoundException **   
This exception is thrown when the Amazon Cognito service can't find the requested resource.    
 ** message **   
The message returned when the Amazon Cognito service returns a resource not found exception.
HTTP Status Code: 400

 ** TooManyRequestsException **   
This exception is thrown when the user has made too many requests for a given operation.    
 ** message **   
The message returned when the Amazon Cognito service returns a too many requests exception.
HTTP Status Code: 400

## Examples


### Example


The following example request applies CSS customization and a logo image (the Amazon Cognito logo) to the requested app client.

#### Sample Request


```
POST HTTP/1.1
Host: cognito-idp.us-west-2.amazonaws.com
X-Amz-Date: 20230613T200059Z
Accept-Encoding: gzip, deflate, br
X-Amz-Target: AWSCognitoIdentityProviderService.SetUICustomization
User-Agent: <UserAgentString>
Authorization: AWS4-HMAC-SHA256 Credential=<Credential>, SignedHeaders=<Headers>, Signature=<Signature>
Content-Length: <PayloadSizeBytes>
{
   "ClientId": "1example23456789",
   "CSS": ".logo-customizable {\n\tmax-width: 60%;\n\tmax-height: 30%;\n}\n.banner-customizable {\n\tpadding: 25px 0px 25px 0px;\n\tbackground-color: lightgray;\n}\n.label-customizable {\n\tfont-weight: 400;\n}\n.textDescription-customizable {\n\tpadding-top: 10px;\n\tpadding-bottom: 10px;\n\tdisplay: block;\n\tfont-size: 16px;\n}\n.idpDescription-customizable {\n\tpadding-top: 10px;\n\tpadding-bottom: 10px;\n\tdisplay: block;\n\tfont-size: 16px;\n}\n.legalText-customizable {\n\tcolor: #747474;\n\tfont-size: 11px;\n}\n.submitButton-customizable {\n\tfont-size: 11px;\n\tfont-weight: normal;\n\tmargin: 20px -15px 10px -13px;\n\theight: 40px;\n\twidth: 108%;\n\tcolor: #fff;\n\tbackground-color: #337ab7;\n\ttext-align: center;\n}\n.submitButton-customizable:hover {\n\tcolor: #fff;\n\tbackground-color: #286090;\n}\n.errorMessage-customizable {\n\tpadding: 5px;\n\tfont-size: 14px;\n\twidth: 100%;\n\tbackground: #F5F5F5;\n\tborder: 2px solid #D64958;\n\tcolor: #D64958;\n}\n.inputField-customizable {\n\twidth: 100%;\n\theight: 34px;\n\tcolor: #555;\n\tbackground-color: #fff;\n\tborder: 1px solid #ccc;\n\tborder-radius: 0px;\n}\n.inputField-customizable:focus {\n\tborder-color: #66afe9;\n\toutline: 0;\n}\n.idpButton-customizable {\n\theight: 40px;\n\twidth: 100%;\n\twidth: 100%;\n\ttext-align: center;\n\tmargin-bottom: 15px;\n\tcolor: #fff;\n\tbackground-color: #5bc0de;\n\tborder-color: #46b8da;\n}\n.idpButton-customizable:hover {\n\tcolor: #fff;\n\tbackground-color: #31b0d5;\n}\n.socialButton-customizable {\n\tborder-radius: 2px;\n\theight: 40px;\n\tmargin-bottom: 15px;\n\tpadding: 1px;\n\ttext-align: left;\n\twidth: 100%;\n}\n.redirect-customizable {\n\ttext-align: center;\n}\n.passwordCheck-notValid-customizable {\n\tcolor: #DF3312;\n}\n.passwordCheck-valid-customizable {\n\tcolor: #19BF00;\n}\n.background-customizable {\n\tbackground-color: #fff;\n}\n",
   "ImageFile": "iVBORw0KGgoAAAANSUhEUgAAAFAAAABQCAMAAAC5zwKfAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAA2UExURd00TN9BV/Cmsfvm6f3y9P////fM0uqAj+yNmu6ZpvnZ3eNabuFNYuZneehzhPKzvPTAxwAAAOiMMlkAAAASdFJOU///////////////////////AOK/vxIAAAAJcEhZcwAADsMAAA7DAcdvqGQAAAKDSURBVFhH7ZfpkoMgEISDHKuEw/d/2u2BQWMiBrG29o+fVsKatdPMAeZxc3Nz8w+ISekzmB++sYIw/I/tjHzrPpO2Tx62EbR2PNxFac+jVuKxRaV50IzXkUe76NOCoUuwlvnQKei02gNF0ykotOLRBq/nboeWRxAISx2EbsHFoRhK6Igk2JJlwScfQjgt06dOaWWiTbEDAe/iq8N9kqCw2uCbHkHlYkaXEF8EYeL9RDqT4FhC6XMIIEifdcUwCc4leNyhabadWU6OlKYJE1Oac3NSPhB5rlaXlSgmr/1lww4nPaU/1ylfLGxX1r6Y66ZZkCqvnOlqKWws59ELj7fULc2CubwySYkdDuuiY0/F0L6Q5pZiSG0SfZTSTCOUhxOCH1AdIoCpTTIjtd+VpEjUDDytQH/0Fpc661Aisas/4qmyUItD557pSCOSQQzlx27J+meyDGc5zZgfhWuXE1lGgmVOMwmWdeGdzhjqZV14x5vSj7vsC5JDz/Cl0Vhp56n2NQt1wQIpury1EPbwyaYm+IhmAQKoajkH51wg4cMZ1wQ3QG9efKWWOaDhYWnU6jXjCMdRmm21PArI+Pb5DYoH93hq0ZCPlxeGJho/DI15C6sQc/L2sTC47UFBKZGHT6k+zlXg7WebA0Nr0HTcLMfk/Y4Rc65D3iG6WDd7YLSlVqk87bVhUwhnClrx11RsVQwlAA818Mn+QEs71BhSFU6orsUfKhHp72XMGYXi4q9c64RXRvzkWurRfG2vI2be/VaNcNgpX0Evb/vio7nPMmj5qujkpQgSaPd1UcVqciHFDNZpOcGlcOPyi+AamCbIL9fitxAGeFN2Dl+3vZubm5u/4fH4Bd14HhIPdwZPAAAAAElFTkSuQmCC",
   "UserPoolId": "us-west-2_EXAMPLE"
}
```

#### Sample Response


```
HTTP/1.1 200 OK
Date: Tue, 13 Jun 2023 20:00:59 GMT
Content-Type: application/x-amz-json-1.0
Content-Length: <PayloadSizeBytes>
x-amzn-requestid: a1b2c3d4-e5f6-a1b2-c3d4-EXAMPLE11111
Connection: keep-alive
{
    "UICustomization": {
        "ClientId": "1example23456789",
        "CSS": ".logo-customizable {\n\tmax-width: 60%;\n\tmax-height: 30%;\n}\n.banner-customizable {\n\tpadding: 25px 0px 25px 0px;\n\tbackground-color: lightgray;\n}\n.label-customizable {\n\tfont-weight: 400;\n}\n.textDescription-customizable {\n\tpadding-top: 10px;\n\tpadding-bottom: 10px;\n\tdisplay: block;\n\tfont-size: 16px;\n}\n.idpDescription-customizable {\n\tpadding-top: 10px;\n\tpadding-bottom: 10px;\n\tdisplay: block;\n\tfont-size: 16px;\n}\n.legalText-customizable {\n\tcolor: #747474;\n\tfont-size: 11px;\n}\n.submitButton-customizable {\n\tfont-size: 11px;\n\tfont-weight: normal;\n\tmargin: 20px -15px 10px -13px;\n\theight: 40px;\n\twidth: 108%;\n\tcolor: #fff;\n\tbackground-color: #337ab7;\n\ttext-align: center;\n}\n.submitButton-customizable:hover {\n\tcolor: #fff;\n\tbackground-color: #286090;\n}\n.errorMessage-customizable {\n\tpadding: 5px;\n\tfont-size: 14px;\n\twidth: 100%;\n\tbackground: #F5F5F5;\n\tborder: 2px solid #D64958;\n\tcolor: #D64958;\n}\n.inputField-customizable {\n\twidth: 100%;\n\theight: 34px;\n\tcolor: #555;\n\tbackground-color: #fff;\n\tborder: 1px solid #ccc;\n\tborder-radius: 0px;\n}\n.inputField-customizable:focus {\n\tborder-color: #66afe9;\n\toutline: 0;\n}\n.idpButton-customizable {\n\theight: 40px;\n\twidth: 100%;\n\twidth: 100%;\n\ttext-align: center;\n\tmargin-bottom: 15px;\n\tcolor: #fff;\n\tbackground-color: #5bc0de;\n\tborder-color: #46b8da;\n}\n.idpButton-customizable:hover {\n\tcolor: #fff;\n\tbackground-color: #31b0d5;\n}\n.socialButton-customizable {\n\tborder-radius: 2px;\n\theight: 40px;\n\tmargin-bottom: 15px;\n\tpadding: 1px;\n\ttext-align: left;\n\twidth: 100%;\n}\n.redirect-customizable {\n\ttext-align: center;\n}\n.passwordCheck-notValid-customizable {\n\tcolor: #DF3312;\n}\n.passwordCheck-valid-customizable {\n\tcolor: #19BF00;\n}\n.background-customizable {\n\tbackground-color: #fff;\n}\n",
        "CSSUrl": "https://auth.example.com/1example23456789/20250109170543/assets/CSS/custom-css.css",
        "CSSVersion": "20250109170543",
        "ImageUrl": "https://auth.example.com/1example23456789/20250109170543/assets/images/image.jpg",
        "UserPoolId": "us-west-2_EXAMPLE"
    }
}
```

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cognito-idp-2016-04-18/SetUICustomization) 
+  [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cognito-idp-2016-04-18/SetUICustomization) 
+  [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/SetUICustomization) 
+  [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cognito-idp-2016-04-18/SetUICustomization) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/SetUICustomization) 
+  [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cognito-idp-2016-04-18/SetUICustomization) 
+  [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cognito-idp-2016-04-18/SetUICustomization) 
+  [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cognito-idp-2016-04-18/SetUICustomization) 
+  [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/SetUICustomization) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cognito-idp-2016-04-18/SetUICustomization) 

# SetUserMFAPreference


Set the user's multi-factor authentication (MFA) method preference, including which MFA factors are activated and if any are preferred. Only one factor can be set as preferred. The preferred MFA factor will be used to authenticate a user if multiple factors are activated. If multiple options are activated and no preference is set, a challenge to choose an MFA option will be returned during sign-in. If an MFA type is activated for a user, the user will be prompted for MFA during all sign-in attempts unless device tracking is turned on and the device has been trusted. If you want MFA to be applied selectively based on the assessed risk level of sign-in attempts, deactivate MFA for users and turn on Adaptive Authentication for the user pool.

This operation doesn't reset an existing TOTP MFA for a user. To register a new TOTP factor for a user, make an [AssociateSoftwareToken](API_AssociateSoftwareToken.md) request. For more information, see [TOTP software token MFA](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-mfa-totp.html).

Authorize this action with a signed-in user's access token. It must include the scope `aws.cognito.signin.user.admin`.

**Note**  
Amazon Cognito doesn't evaluate AWS Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you can't use IAM credentials to authorize requests, and you can't grant IAM permissions in policies. For more information about authorization models in Amazon Cognito, see [Using the Amazon Cognito user pools API and user pool endpoints](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html).

## Request Syntax


```
{
   "AccessToken": "string",
   "EmailMfaSettings": { 
      "Enabled": boolean,
      "PreferredMfa": boolean
   },
   "SMSMfaSettings": { 
      "Enabled": boolean,
      "PreferredMfa": boolean
   },
   "SoftwareTokenMfaSettings": { 
      "Enabled": boolean,
      "PreferredMfa": boolean
   },
   "WebAuthnMfaSettings": { 
      "Enabled": boolean
   }
}
```

## Request Parameters


For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).

The request accepts the following data in JSON format.

 ** [AccessToken](#API_SetUserMFAPreference_RequestSyntax) **   <a name="CognitoUserPools-SetUserMFAPreference-request-AccessToken"></a>
A valid access token that Amazon Cognito issued to the currently signed-in user. Must include a scope claim for `aws.cognito.signin.user.admin`.  
Type: String  
Pattern: `[A-Za-z0-9-_=.]+`   
Required: Yes

 ** [EmailMfaSettings](#API_SetUserMFAPreference_RequestSyntax) **   <a name="CognitoUserPools-SetUserMFAPreference-request-EmailMfaSettings"></a>
User preferences for email message MFA. Activates or deactivates email MFA and sets it as the preferred MFA method when multiple methods are available. To activate this setting, your user pool must be in the [ Essentials tier](https://docs.aws.amazon.com/cognito/latest/developerguide/feature-plans-features-essentials.html) or higher.  
Type: [EmailMfaSettingsType](API_EmailMfaSettingsType.md) object  
Required: No

 ** [SMSMfaSettings](#API_SetUserMFAPreference_RequestSyntax) **   <a name="CognitoUserPools-SetUserMFAPreference-request-SMSMfaSettings"></a>
User preferences for SMS message MFA. Activates or deactivates SMS MFA and sets it as the preferred MFA method when multiple methods are available.  
Type: [SMSMfaSettingsType](API_SMSMfaSettingsType.md) object  
Required: No

 ** [SoftwareTokenMfaSettings](#API_SetUserMFAPreference_RequestSyntax) **   <a name="CognitoUserPools-SetUserMFAPreference-request-SoftwareTokenMfaSettings"></a>
User preferences for time-based one-time password (TOTP) MFA. Activates or deactivates TOTP MFA and sets it as the preferred MFA method when multiple methods are available. Users must register a TOTP authenticator before they set this as their preferred MFA method.  
Type: [SoftwareTokenMfaSettingsType](API_SoftwareTokenMfaSettingsType.md) object  
Required: No

 ** [WebAuthnMfaSettings](#API_SetUserMFAPreference_RequestSyntax) **   <a name="CognitoUserPools-SetUserMFAPreference-request-WebAuthnMfaSettings"></a>
User preferences for passkey MFA. Activates or deactivates passkey MFA for the user. When activated, passkey authentication requires user verification, and passkey sign-in is available when MFA is required. To activate this setting, the `FactorConfiguration` of your user pool `WebAuthnConfiguration` must be `MULTI_FACTOR_WITH_USER_VERIFICATION`. To activate this setting, your user pool must be in the [ Essentials tier](https://docs.aws.amazon.com/cognito/latest/developerguide/feature-plans-features-essentials.html) or higher.  
Type: [WebAuthnMfaSettingsType](API_WebAuthnMfaSettingsType.md) object  
Required: No

## Response Elements


If the action is successful, the service sends back an HTTP 200 response with an empty HTTP body.

## Errors


For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).

 ** ForbiddenException **   
This exception is thrown when AWS WAF doesn't allow your request based on a web ACL that's associated with your user pool.    
 ** message **   
The message returned when AWS WAF doesn't allow your request based on a web ACL that's associated with your user pool.
HTTP Status Code: 400

 ** InternalErrorException **   
This exception is thrown when Amazon Cognito encounters an internal error.    
 ** message **   
The message returned when Amazon Cognito throws an internal error exception.
HTTP Status Code: 500

 ** InvalidParameterException **   
This exception is thrown when the Amazon Cognito service encounters an invalid parameter.    
 ** message **   
The message returned when the Amazon Cognito service throws an invalid parameter exception.  
 ** reasonCode **   
The reason code of the exception.
HTTP Status Code: 400

 ** NotAuthorizedException **   
This exception is thrown when a user isn't authorized.    
 ** message **   
The message returned when the Amazon Cognito service returns a not authorized exception.
HTTP Status Code: 400

 ** PasswordResetRequiredException **   
This exception is thrown when a password reset is required.    
 ** message **   
The message returned when a password reset is required.
HTTP Status Code: 400

 ** ResourceNotFoundException **   
This exception is thrown when the Amazon Cognito service can't find the requested resource.    
 ** message **   
The message returned when the Amazon Cognito service returns a resource not found exception.
HTTP Status Code: 400

 ** UserNotConfirmedException **   
This exception is thrown when a user isn't confirmed successfully.    
 ** message **   
The message returned when a user isn't confirmed successfully.
HTTP Status Code: 400

 ** UserNotFoundException **   
This exception is thrown when a user isn't found.    
 ** message **   
The message returned when a user isn't found.
HTTP Status Code: 400

## Examples


### Example


The following example request sets TOTP, SMS, and email MFA active, and TOTP MFA as preferred for the current user.

#### Sample Request


```
POST HTTP/1.1
Host: cognito-idp.us-west-2.amazonaws.com
X-Amz-Date: 20230613T200059Z
Accept-Encoding: gzip, deflate, br
X-Amz-Target: AWSCognitoIdentityProviderService.SetUserMFAPreference
User-Agent: <UserAgentString>
Authorization: AWS4-HMAC-SHA256 Credential=<Credential>, SignedHeaders=<Headers>, Signature=<Signature>
Content-Length: <PayloadSizeBytes>
{
   "AccessToken": "eyJra456defEXAMPLE",
   "SMSMfaSettings": {
      "Enabled": true,
      "PreferredMfa": false
   },
   "EmailMfaSettings": {
      "Enabled": true,
      "PreferredMfa": false
   },
   "SoftwareTokenMfaSettings": {
      "Enabled": true,
      "PreferredMfa": true
   }
}
```

#### Sample Response


```
HTTP/1.1 200 OK
Date: Tue, 13 Jun 2023 20:00:59 GMT
Content-Type: application/x-amz-json-1.0
Content-Length: <PayloadSizeBytes>
x-amzn-requestid: a1b2c3d4-e5f6-a1b2-c3d4-EXAMPLE11111
Connection: keep-alive
{}
```

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cognito-idp-2016-04-18/SetUserMFAPreference) 
+  [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cognito-idp-2016-04-18/SetUserMFAPreference) 
+  [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/SetUserMFAPreference) 
+  [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cognito-idp-2016-04-18/SetUserMFAPreference) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/SetUserMFAPreference) 
+  [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cognito-idp-2016-04-18/SetUserMFAPreference) 
+  [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cognito-idp-2016-04-18/SetUserMFAPreference) 
+  [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cognito-idp-2016-04-18/SetUserMFAPreference) 
+  [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/SetUserMFAPreference) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cognito-idp-2016-04-18/SetUserMFAPreference) 

# SetUserPoolMfaConfig


Sets user pool multi-factor authentication (MFA) and passkey configuration. For more information about user pool MFA, see [Adding MFA](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-mfa.html). For more information about WebAuthn passkeys see [Authentication flows](https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-authentication-flow-methods.html#amazon-cognito-user-pools-authentication-flow-methods-passkey).

**Note**  
This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers require you to register an origination phone number before you can send SMS messages to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a phone number with [Amazon Pinpoint](https://console.aws.amazon.com/pinpoint/home/). Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must receive SMS messages might not be able to sign up, activate their accounts, or sign in.  
If you have never used SMS text messages with Amazon Cognito or any other AWS service, Amazon Simple Notification Service might place your account in the SMS sandbox. In * [sandbox mode](https://docs.aws.amazon.com/sns/latest/dg/sns-sms-sandbox.html) *, you can send messages only to verified phone numbers. After you test your app while in the sandbox environment, you can move out of the sandbox and into production. For more information, see [ SMS message settings for Amazon Cognito user pools](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-sms-settings.html) in the *Amazon Cognito Developer Guide*.

## Request Syntax


```
{
   "EmailMfaConfiguration": { 
      "Message": "string",
      "Subject": "string"
   },
   "MfaConfiguration": "string",
   "SmsMfaConfiguration": { 
      "SmsAuthenticationMessage": "string",
      "SmsConfiguration": { 
         "ExternalId": "string",
         "SnsCallerArn": "string",
         "SnsRegion": "string"
      }
   },
   "SoftwareTokenMfaConfiguration": { 
      "Enabled": boolean
   },
   "UserPoolId": "string",
   "WebAuthnConfiguration": { 
      "FactorConfiguration": "string",
      "RelyingPartyId": "string",
      "UserVerification": "string"
   }
}
```

## Request Parameters


For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).

The request accepts the following data in JSON format.

 ** [EmailMfaConfiguration](#API_SetUserPoolMfaConfig_RequestSyntax) **   <a name="CognitoUserPools-SetUserPoolMfaConfig-request-EmailMfaConfiguration"></a>
Sets configuration for user pool email message MFA and sign-in with one-time passwords (OTPs). Includes the subject and body of the email message template for sign-in and MFA messages. To activate this setting, your user pool must be in the [ Essentials tier](https://docs.aws.amazon.com/cognito/latest/developerguide/feature-plans-features-essentials.html) or higher.  
Type: [EmailMfaConfigType](API_EmailMfaConfigType.md) object  
Required: No

 ** [MfaConfiguration](#API_SetUserPoolMfaConfig_RequestSyntax) **   <a name="CognitoUserPools-SetUserPoolMfaConfig-request-MfaConfiguration"></a>
Sets multi-factor authentication (MFA) to be on, off, or optional. When `ON`, all users must set up MFA before they can sign in. When `OPTIONAL`, your application must make a client-side determination of whether a user wants to register an MFA device. For user pools with adaptive authentication with threat protection, choose `OPTIONAL`.  
When `MfaConfiguration` is `OPTIONAL`, managed login doesn't automatically prompt users to set up MFA. Amazon Cognito generates MFA prompts in API responses and in managed login for users who have chosen and configured a preferred MFA factor.  
Type: String  
Valid Values: `OFF | ON | OPTIONAL`   
Required: No

 ** [SmsMfaConfiguration](#API_SetUserPoolMfaConfig_RequestSyntax) **   <a name="CognitoUserPools-SetUserPoolMfaConfig-request-SmsMfaConfiguration"></a>
Configures user pool SMS messages for MFA. Sets the message template and the SMS message sending configuration for Amazon SNS.  
Type: [SmsMfaConfigType](API_SmsMfaConfigType.md) object  
Required: No

 ** [SoftwareTokenMfaConfiguration](#API_SetUserPoolMfaConfig_RequestSyntax) **   <a name="CognitoUserPools-SetUserPoolMfaConfig-request-SoftwareTokenMfaConfiguration"></a>
Configures a user pool for time-based one-time password (TOTP) MFA. Enables or disables TOTP.  
Type: [SoftwareTokenMfaConfigType](API_SoftwareTokenMfaConfigType.md) object  
Required: No

 ** [UserPoolId](#API_SetUserPoolMfaConfig_RequestSyntax) **   <a name="CognitoUserPools-SetUserPoolMfaConfig-request-UserPoolId"></a>
The user pool ID.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 55.  
Pattern: `[\w-]+_[0-9a-zA-Z]+`   
Required: Yes

 ** [WebAuthnConfiguration](#API_SetUserPoolMfaConfig_RequestSyntax) **   <a name="CognitoUserPools-SetUserPoolMfaConfig-request-WebAuthnConfiguration"></a>
The configuration of your user pool for passkey, or WebAuthn, authentication and registration. Includes relying-party configuration, user-verification requirements, and whether passkeys can satisfy MFA requirements.  
Type: [WebAuthnConfigurationType](API_WebAuthnConfigurationType.md) object  
Required: No

## Response Syntax


```
{
   "EmailMfaConfiguration": { 
      "Message": "string",
      "Subject": "string"
   },
   "MfaConfiguration": "string",
   "SmsMfaConfiguration": { 
      "SmsAuthenticationMessage": "string",
      "SmsConfiguration": { 
         "ExternalId": "string",
         "SnsCallerArn": "string",
         "SnsRegion": "string"
      }
   },
   "SoftwareTokenMfaConfiguration": { 
      "Enabled": boolean
   },
   "WebAuthnConfiguration": { 
      "FactorConfiguration": "string",
      "RelyingPartyId": "string",
      "UserVerification": "string"
   }
}
```

## Response Elements


If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

 ** [EmailMfaConfiguration](#API_SetUserPoolMfaConfig_ResponseSyntax) **   <a name="CognitoUserPools-SetUserPoolMfaConfig-response-EmailMfaConfiguration"></a>
Shows configuration for user pool email message MFA and sign-in with one-time passwords (OTPs). Includes the subject and body of the email message template for sign-in and MFA messages. To activate this setting, your user pool must be in the [ Essentials tier](https://docs.aws.amazon.com/cognito/latest/developerguide/feature-plans-features-essentials.html) or higher.  
Type: [EmailMfaConfigType](API_EmailMfaConfigType.md) object

 ** [MfaConfiguration](#API_SetUserPoolMfaConfig_ResponseSyntax) **   <a name="CognitoUserPools-SetUserPoolMfaConfig-response-MfaConfiguration"></a>
Displays multi-factor authentication (MFA) as on, off, or optional. When `ON`, all users must set up MFA before they can sign in. When `OPTIONAL`, your application must make a client-side determination of whether a user wants to register an MFA device. For user pools with adaptive authentication with threat protection, choose `OPTIONAL`.  
When `MfaConfiguration` is `OPTIONAL`, managed login doesn't automatically prompt users to set up MFA. Amazon Cognito generates MFA prompts in API responses and in managed login for users who have chosen and configured a preferred MFA factor.  
Type: String  
Valid Values: `OFF | ON | OPTIONAL` 

 ** [SmsMfaConfiguration](#API_SetUserPoolMfaConfig_ResponseSyntax) **   <a name="CognitoUserPools-SetUserPoolMfaConfig-response-SmsMfaConfiguration"></a>
Shows user pool SMS message configuration for MFA and sign-in with SMS-message OTPs. Includes the message template and the SMS message sending configuration for Amazon SNS.  
Type: [SmsMfaConfigType](API_SmsMfaConfigType.md) object

 ** [SoftwareTokenMfaConfiguration](#API_SetUserPoolMfaConfig_ResponseSyntax) **   <a name="CognitoUserPools-SetUserPoolMfaConfig-response-SoftwareTokenMfaConfiguration"></a>
Shows user pool configuration for time-based one-time password (TOTP) MFA. Includes TOTP enabled or disabled state.  
Type: [SoftwareTokenMfaConfigType](API_SoftwareTokenMfaConfigType.md) object

 ** [WebAuthnConfiguration](#API_SetUserPoolMfaConfig_ResponseSyntax) **   <a name="CognitoUserPools-SetUserPoolMfaConfig-response-WebAuthnConfiguration"></a>
The configuration of your user pool for passkey, or WebAuthn, sign-in with authenticators such as biometric and security-key devices. Includes relying-party configuration and settings for user-verification requirements.  
Type: [WebAuthnConfigurationType](API_WebAuthnConfigurationType.md) object

## Errors


For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).

 ** ConcurrentModificationException **   
This exception is thrown if two or more modifications are happening concurrently.    
 ** message **   
The message provided when the concurrent exception is thrown.
HTTP Status Code: 400

 ** FeatureUnavailableInTierException **   
This exception is thrown when a feature you attempted to configure isn't available in your current feature plan.  
HTTP Status Code: 400

 ** InternalErrorException **   
This exception is thrown when Amazon Cognito encounters an internal error.    
 ** message **   
The message returned when Amazon Cognito throws an internal error exception.
HTTP Status Code: 500

 ** InvalidParameterException **   
This exception is thrown when the Amazon Cognito service encounters an invalid parameter.    
 ** message **   
The message returned when the Amazon Cognito service throws an invalid parameter exception.  
 ** reasonCode **   
The reason code of the exception.
HTTP Status Code: 400

 ** InvalidSmsRoleAccessPolicyException **   
This exception is returned when the role provided for SMS configuration doesn't have permission to publish using Amazon SNS.    
 ** message **   
The message returned when the invalid SMS role access policy exception is thrown.
HTTP Status Code: 400

 ** InvalidSmsRoleTrustRelationshipException **   
This exception is thrown when the trust relationship is not valid for the role provided for SMS configuration. This can happen if you don't trust `cognito-idp.amazonaws.com` or the external ID provided in the role does not match what is provided in the SMS configuration for the user pool.    
 ** message **   
The message returned when the role trust relationship for the SMS message is not valid.
HTTP Status Code: 400

 ** NotAuthorizedException **   
This exception is thrown when a user isn't authorized.    
 ** message **   
The message returned when the Amazon Cognito service returns a not authorized exception.
HTTP Status Code: 400

 ** ResourceNotFoundException **   
This exception is thrown when the Amazon Cognito service can't find the requested resource.    
 ** message **   
The message returned when the Amazon Cognito service returns a resource not found exception.
HTTP Status Code: 400

 ** TooManyRequestsException **   
This exception is thrown when the user has made too many requests for a given operation.    
 ** message **   
The message returned when the Amazon Cognito service returns a too many requests exception.
HTTP Status Code: 400

## Examples


### Example


The following example request configures optional MFA in the user pool, message configuration and templates, and WebAuthn.

#### Sample Request


```
POST HTTP/1.1
Host: cognito-idp.us-west-2.amazonaws.com
X-Amz-Date: 20230613T200059Z
Accept-Encoding: gzip, deflate, br
X-Amz-Target: AWSCognitoIdentityProviderService.SetUserPoolMfaConfig
User-Agent: <UserAgentString>
Authorization: AWS4-HMAC-SHA256 Credential=<Credential>, SignedHeaders=<Headers>, Signature=<Signature>
Content-Length: <PayloadSizeBytes>
{
   "EmailMfaConfiguration": {
      "Message": "Your OTP for MFA or sign-in: use {####}",
      "Subject": "OTP test"
   },
   "MfaConfiguration": "OPTIONAL",
   "SmsMfaConfiguration": {
      "SmsAuthenticationMessage": "Your OTP for MFA or sign-in: use {####}.",
      "SmsConfiguration": {
         "ExternalId": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
         "SnsCallerArn": "arn:aws:iam::123456789012:role/service-role/test-SMS-Role",
         "SnsRegion": "us-west-2"
      }
   },
   "SoftwareTokenMfaConfiguration": {
      "Enabled": true
   },
   "UserPoolId": "us-west-2_EXAMPLE",
   "WebAuthnConfiguration": {
      "RelyingPartyId": "auth.example.com",
      "UserVerification": "preferred"
   }
}
```

#### Sample Response


```
HTTP/1.1 200 OK
Date: Tue, 13 Jun 2023 20:00:59 GMT
Content-Type: application/x-amz-json-1.0
Content-Length: <PayloadSizeBytes>
x-amzn-requestid: a1b2c3d4-e5f6-a1b2-c3d4-EXAMPLE11111
Connection: keep-alive
{
    "EmailMfaConfiguration": {
        "Message": "Your OTP for MFA or sign-in: use {####}",
        "Subject": "OTP test"
    },
    "MfaConfiguration": "OPTIONAL",
    "SmsMfaConfiguration": {
        "SmsAuthenticationMessage": "Your OTP for MFA or sign-in: use {####}.",
        "SmsConfiguration": {
            "ExternalId": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
            "SnsCallerArn": "arn:aws:iam::123456789012:role/service-role/test-SMS-Role",
            "SnsRegion": "us-west-2"
        }
    },
    "SoftwareTokenMfaConfiguration": {
        "Enabled": true
    },
    "WebAuthnConfiguration": {
        "RelyingPartyId": "auth.example.com",
        "UserVerification": "preferred"
    }
}
```

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cognito-idp-2016-04-18/SetUserPoolMfaConfig) 
+  [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cognito-idp-2016-04-18/SetUserPoolMfaConfig) 
+  [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/SetUserPoolMfaConfig) 
+  [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cognito-idp-2016-04-18/SetUserPoolMfaConfig) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/SetUserPoolMfaConfig) 
+  [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cognito-idp-2016-04-18/SetUserPoolMfaConfig) 
+  [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cognito-idp-2016-04-18/SetUserPoolMfaConfig) 
+  [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cognito-idp-2016-04-18/SetUserPoolMfaConfig) 
+  [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/SetUserPoolMfaConfig) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cognito-idp-2016-04-18/SetUserPoolMfaConfig) 

# SetUserSettings


 *This action is no longer supported.* You can use it to configure only SMS MFA. You can't use it to configure time-based one-time password (TOTP) software token or email MFA.

To configure any or all of the MFA methods, use [SetUserMFAPreference](API_SetUserMFAPreference.md) instead.

Authorize this action with a signed-in user's access token. It must include the scope `aws.cognito.signin.user.admin`.

**Note**  
Amazon Cognito doesn't evaluate AWS Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you can't use IAM credentials to authorize requests, and you can't grant IAM permissions in policies. For more information about authorization models in Amazon Cognito, see [Using the Amazon Cognito user pools API and user pool endpoints](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html).

## Request Syntax


```
{
   "AccessToken": "string",
   "MFAOptions": [ 
      { 
         "AttributeName": "string",
         "DeliveryMedium": "string"
      }
   ]
}
```

## Request Parameters


For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).

The request accepts the following data in JSON format.

 ** [AccessToken](#API_SetUserSettings_RequestSyntax) **   <a name="CognitoUserPools-SetUserSettings-request-AccessToken"></a>
A valid access token that Amazon Cognito issued to the currently signed-in user. Must include a scope claim for `aws.cognito.signin.user.admin`.  
Type: String  
Pattern: `[A-Za-z0-9-_=.]+`   
Required: Yes

 ** [MFAOptions](#API_SetUserSettings_RequestSyntax) **   <a name="CognitoUserPools-SetUserSettings-request-MFAOptions"></a>
You can use this parameter only to set an SMS configuration that uses SMS for delivery.  
Type: Array of [MFAOptionType](API_MFAOptionType.md) objects  
Required: Yes

## Response Elements


If the action is successful, the service sends back an HTTP 200 response with an empty HTTP body.

## Errors


For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).

 ** ForbiddenException **   
This exception is thrown when AWS WAF doesn't allow your request based on a web ACL that's associated with your user pool.    
 ** message **   
The message returned when AWS WAF doesn't allow your request based on a web ACL that's associated with your user pool.
HTTP Status Code: 400

 ** InternalErrorException **   
This exception is thrown when Amazon Cognito encounters an internal error.    
 ** message **   
The message returned when Amazon Cognito throws an internal error exception.
HTTP Status Code: 500

 ** InvalidParameterException **   
This exception is thrown when the Amazon Cognito service encounters an invalid parameter.    
 ** message **   
The message returned when the Amazon Cognito service throws an invalid parameter exception.  
 ** reasonCode **   
The reason code of the exception.
HTTP Status Code: 400

 ** NotAuthorizedException **   
This exception is thrown when a user isn't authorized.    
 ** message **   
The message returned when the Amazon Cognito service returns a not authorized exception.
HTTP Status Code: 400

 ** PasswordResetRequiredException **   
This exception is thrown when a password reset is required.    
 ** message **   
The message returned when a password reset is required.
HTTP Status Code: 400

 ** ResourceNotFoundException **   
This exception is thrown when the Amazon Cognito service can't find the requested resource.    
 ** message **   
The message returned when the Amazon Cognito service returns a resource not found exception.
HTTP Status Code: 400

 ** UserNotConfirmedException **   
This exception is thrown when a user isn't confirmed successfully.    
 ** message **   
The message returned when a user isn't confirmed successfully.
HTTP Status Code: 400

 ** UserNotFoundException **   
This exception is thrown when a user isn't found.    
 ** message **   
The message returned when a user isn't found.
HTTP Status Code: 400

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cognito-idp-2016-04-18/SetUserSettings) 
+  [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cognito-idp-2016-04-18/SetUserSettings) 
+  [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/SetUserSettings) 
+  [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cognito-idp-2016-04-18/SetUserSettings) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/SetUserSettings) 
+  [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cognito-idp-2016-04-18/SetUserSettings) 
+  [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cognito-idp-2016-04-18/SetUserSettings) 
+  [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cognito-idp-2016-04-18/SetUserSettings) 
+  [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/SetUserSettings) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cognito-idp-2016-04-18/SetUserSettings) 

# SignUp


Registers a user with an app client and requests a user name, password, and user attributes in the user pool.

**Note**  
Amazon Cognito doesn't evaluate AWS Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you can't use IAM credentials to authorize requests, and you can't grant IAM permissions in policies. For more information about authorization models in Amazon Cognito, see [Using the Amazon Cognito user pools API and user pool endpoints](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html).

**Note**  
This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers require you to register an origination phone number before you can send SMS messages to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a phone number with [Amazon Pinpoint](https://console.aws.amazon.com/pinpoint/home/). Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must receive SMS messages might not be able to sign up, activate their accounts, or sign in.  
If you have never used SMS text messages with Amazon Cognito or any other AWS service, Amazon Simple Notification Service might place your account in the SMS sandbox. In * [sandbox mode](https://docs.aws.amazon.com/sns/latest/dg/sns-sms-sandbox.html) *, you can send messages only to verified phone numbers. After you test your app while in the sandbox environment, you can move out of the sandbox and into production. For more information, see [ SMS message settings for Amazon Cognito user pools](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-sms-settings.html) in the *Amazon Cognito Developer Guide*.

You might receive a `LimitExceeded` exception in response to this request if you have exceeded a rate quota for email or SMS messages, and if your user pool automatically verifies email addresses or phone numbers. When you get this exception in the response, the user is successfully created and is in an `UNCONFIRMED` state.

You can send a new code with the [ResendConfirmationCode](API_ResendConfirmationCode.md) request, or confirm the user as an administrator with an [AdminConfirmSignUp](API_AdminConfirmSignUp.md) request.

## Request Syntax


```
{
   "AnalyticsMetadata": { 
      "AnalyticsEndpointId": "string"
   },
   "ClientId": "string",
   "ClientMetadata": { 
      "string" : "string" 
   },
   "Password": "string",
   "SecretHash": "string",
   "UserAttributes": [ 
      { 
         "Name": "string",
         "Value": "string"
      }
   ],
   "UserContextData": { 
      "EncodedData": "string",
      "IpAddress": "string"
   },
   "Username": "string",
   "ValidationData": [ 
      { 
         "Name": "string",
         "Value": "string"
      }
   ]
}
```

## Request Parameters


For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).

The request accepts the following data in JSON format.

 ** [AnalyticsMetadata](#API_SignUp_RequestSyntax) **   <a name="CognitoUserPools-SignUp-request-AnalyticsMetadata"></a>
Information that supports analytics outcomes with Amazon Pinpoint, including the user's endpoint ID. The endpoint ID is a destination for Amazon Pinpoint push notifications, for example a device identifier, email address, or phone number.  
Type: [AnalyticsMetadataType](API_AnalyticsMetadataType.md) object  
Required: No

 ** [ClientId](#API_SignUp_RequestSyntax) **   <a name="CognitoUserPools-SignUp-request-ClientId"></a>
The ID of the app client where the user wants to sign up.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 128.  
Pattern: `[\w+]+`   
Required: Yes

 ** [ClientMetadata](#API_SignUp_RequestSyntax) **   <a name="CognitoUserPools-SignUp-request-ClientMetadata"></a>
A map of custom key-value pairs that you can provide as input for any custom workflows that this action triggers. You create custom workflows by assigning AWS Lambda functions to user pool triggers.  
When Amazon Cognito invokes any of these functions, it passes a JSON payload, which the function receives as input. This payload contains a `clientMetadata` attribute that provides the data that you assigned to the ClientMetadata parameter in your request. In your function code, you can process the `clientMetadata` value to enhance your workflow for your specific needs.  
To review the Lambda trigger types that Amazon Cognito invokes at runtime with API requests, see [ Connecting API actions to Lambda triggers](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-working-with-lambda-triggers.html#lambda-triggers-by-event) in the *Amazon Cognito Developer Guide*.  
When you use the `ClientMetadata` parameter, note that Amazon Cognito won't do the following:  
+ Store the `ClientMetadata` value. This data is available only to AWS Lambda triggers that are assigned to a user pool to support custom workflows. If your user pool configuration doesn't include triggers, the `ClientMetadata` parameter serves no purpose.
+ Validate the `ClientMetadata` value.
+ Encrypt the `ClientMetadata` value. Don't send sensitive information in this parameter.
Type: String to string map  
Key Length Constraints: Minimum length of 0. Maximum length of 131072.  
Value Length Constraints: Minimum length of 0. Maximum length of 131072.  
Required: No

 ** [Password](#API_SignUp_RequestSyntax) **   <a name="CognitoUserPools-SignUp-request-Password"></a>
The user's proposed password. The password must comply with the [password requirements](https://docs.aws.amazon.com/cognito/latest/developerguide/managing-users-passwords.html) of your user pool.  
Users can sign up without a password when your user pool supports passwordless sign-in with email or SMS OTPs. To create a user with no password, omit this parameter or submit a blank value. You can only create a passwordless user when passwordless sign-in is available.  
For more information about passwordless options, see [SignInPolicyType](API_SignInPolicyType.md), a property of [CreateUserPool](API_CreateUserPool.md) and [UpdateUserPool](API_UpdateUserPool.md).  
Type: String  
Length Constraints: Maximum length of 256.  
Pattern: `[\S]+`   
Required: No

 ** [SecretHash](#API_SignUp_RequestSyntax) **   <a name="CognitoUserPools-SignUp-request-SecretHash"></a>
A keyed-hash message authentication code (HMAC) calculated using the secret key of a user pool client and username plus the client ID in the message. For more information about `SecretHash`, see [Computing secret hash values](https://docs.aws.amazon.com/cognito/latest/developerguide/signing-up-users-in-your-app.html#cognito-user-pools-computing-secret-hash).  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 128.  
Pattern: `[\w+=/]+`   
Required: No

 ** [UserAttributes](#API_SignUp_RequestSyntax) **   <a name="CognitoUserPools-SignUp-request-UserAttributes"></a>
An array of name-value pairs representing user attributes.  
For custom attributes, include a `custom:` prefix in the attribute name, for example `custom:department`.  
Type: Array of [AttributeType](API_AttributeType.md) objects  
Required: No

 ** [UserContextData](#API_SignUp_RequestSyntax) **   <a name="CognitoUserPools-SignUp-request-UserContextData"></a>
Contextual data about your user session like the device fingerprint, IP address, or location. Amazon Cognito threat protection evaluates the risk of an authentication event based on the context that your app generates and passes to Amazon Cognito when it makes API requests.  
For more information, see [Collecting data for threat protection in applications](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-viewing-threat-protection-app.html).  
Type: [UserContextDataType](API_UserContextDataType.md) object  
Required: No

 ** [Username](#API_SignUp_RequestSyntax) **   <a name="CognitoUserPools-SignUp-request-Username"></a>
The username of the user that you want to sign up. The value of this parameter is typically a username, but can be any alias attribute in your user pool.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 128.  
Pattern: `[\p{L}\p{M}\p{S}\p{N}\p{P}]+`   
Required: Yes

 ** [ValidationData](#API_SignUp_RequestSyntax) **   <a name="CognitoUserPools-SignUp-request-ValidationData"></a>
Temporary user attributes that contribute to the outcomes of your pre sign-up Lambda trigger. This set of key-value pairs are for custom validation of information that you collect from your users but don't need to retain.  
Your Lambda function can analyze this additional data and act on it. Your function can automatically confirm and verify select users or perform external API operations like logging user attributes and validation data to Amazon CloudWatch Logs.  
For more information about the pre sign-up Lambda trigger, see [Pre sign-up Lambda trigger](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-sign-up.html).  
Type: Array of [AttributeType](API_AttributeType.md) objects  
Required: No

## Response Syntax


```
{
   "CodeDeliveryDetails": { 
      "AttributeName": "string",
      "DeliveryMedium": "string",
      "Destination": "string"
   },
   "Session": "string",
   "UserConfirmed": boolean,
   "UserSub": "string"
}
```

## Response Elements


If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

 ** [CodeDeliveryDetails](#API_SignUp_ResponseSyntax) **   <a name="CognitoUserPools-SignUp-response-CodeDeliveryDetails"></a>
In user pools that automatically verify and confirm new users, Amazon Cognito sends users a message with a code or link that confirms ownership of the phone number or email address that they entered. The `CodeDeliveryDetails` object is information about the delivery destination for that link or code.  
Collect this code from the user and submit it in a [ConfirmSignUp](API_ConfirmSignUp.md) request.  
Type: [CodeDeliveryDetailsType](API_CodeDeliveryDetailsType.md) object

 ** [Session](#API_SignUp_ResponseSyntax) **   <a name="CognitoUserPools-SignUp-response-Session"></a>
A session Id that you can pass to `ConfirmSignUp` when you want to immediately sign in your user with the `USER_AUTH` flow after they complete sign-up.  
Type: String  
Length Constraints: Minimum length of 20. Maximum length of 2048.

 ** [UserConfirmed](#API_SignUp_ResponseSyntax) **   <a name="CognitoUserPools-SignUp-response-UserConfirmed"></a>
Indicates whether the user was automatically confirmed. You can auto-confirm users with a [pre sign-up Lambda trigger](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-sign-up.html).  
Type: Boolean

 ** [UserSub](#API_SignUp_ResponseSyntax) **   <a name="CognitoUserPools-SignUp-response-UserSub"></a>
The unique identifier of the new user, for example `a1b2c3d4-5678-90ab-cdef-EXAMPLE11111`.  
Type: String  
Length Constraints: Minimum length of 0. Maximum length of 131072.

## Errors


For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).

 ** CodeDeliveryFailureException **   
This exception is thrown when a verification code fails to deliver successfully.    
 ** message **   
The message sent when a verification code fails to deliver successfully.
HTTP Status Code: 400

 ** ForbiddenException **   
This exception is thrown when AWS WAF doesn't allow your request based on a web ACL that's associated with your user pool.    
 ** message **   
The message returned when AWS WAF doesn't allow your request based on a web ACL that's associated with your user pool.
HTTP Status Code: 400

 ** InternalErrorException **   
This exception is thrown when Amazon Cognito encounters an internal error.    
 ** message **   
The message returned when Amazon Cognito throws an internal error exception.
HTTP Status Code: 500

 ** InvalidEmailRoleAccessPolicyException **   
This exception is thrown when Amazon Cognito isn't allowed to use your email identity. HTTP status code: 400.    
 ** message **   
The message returned when you have an unverified email address or the identity policy isn't set on an email address that Amazon Cognito can access.
HTTP Status Code: 400

 ** InvalidLambdaResponseException **   
This exception is thrown when Amazon Cognito encounters an invalid AWS Lambda response.    
 ** message **   
The message returned when Amazon Cognito throws an invalid AWS Lambda response exception.
HTTP Status Code: 400

 ** InvalidParameterException **   
This exception is thrown when the Amazon Cognito service encounters an invalid parameter.    
 ** message **   
The message returned when the Amazon Cognito service throws an invalid parameter exception.  
 ** reasonCode **   
The reason code of the exception.
HTTP Status Code: 400

 ** InvalidPasswordException **   
This exception is thrown when Amazon Cognito encounters an invalid password.    
 ** message **   
The message returned when Amazon Cognito throws an invalid user password exception.
HTTP Status Code: 400

 ** InvalidSmsRoleAccessPolicyException **   
This exception is returned when the role provided for SMS configuration doesn't have permission to publish using Amazon SNS.    
 ** message **   
The message returned when the invalid SMS role access policy exception is thrown.
HTTP Status Code: 400

 ** InvalidSmsRoleTrustRelationshipException **   
This exception is thrown when the trust relationship is not valid for the role provided for SMS configuration. This can happen if you don't trust `cognito-idp.amazonaws.com` or the external ID provided in the role does not match what is provided in the SMS configuration for the user pool.    
 ** message **   
The message returned when the role trust relationship for the SMS message is not valid.
HTTP Status Code: 400

 ** LimitExceededException **   
This exception is thrown when a user exceeds the limit for a requested AWS resource.    
 ** message **   
The message returned when Amazon Cognito throws a limit exceeded exception.
HTTP Status Code: 400

 ** NotAuthorizedException **   
This exception is thrown when a user isn't authorized.    
 ** message **   
The message returned when the Amazon Cognito service returns a not authorized exception.
HTTP Status Code: 400

 ** ResourceNotFoundException **   
This exception is thrown when the Amazon Cognito service can't find the requested resource.    
 ** message **   
The message returned when the Amazon Cognito service returns a resource not found exception.
HTTP Status Code: 400

 ** TooManyRequestsException **   
This exception is thrown when the user has made too many requests for a given operation.    
 ** message **   
The message returned when the Amazon Cognito service returns a too many requests exception.
HTTP Status Code: 400

 ** UnexpectedLambdaException **   
This exception is thrown when Amazon Cognito encounters an unexpected exception with AWS Lambda.    
 ** message **   
The message returned when Amazon Cognito returns an unexpected Lambda exception.
HTTP Status Code: 400

 ** UserLambdaValidationException **   
This exception is thrown when the Amazon Cognito service encounters a user validation exception with the AWS Lambda service.    
 ** message **   
The message returned when the Amazon Cognito service returns a user validation exception with the Lambda service.
HTTP Status Code: 400

 ** UsernameExistsException **   
This exception is thrown when Amazon Cognito encounters a user name that already exists in the user pool.    
 ** message **   
The message returned when Amazon Cognito throws a user name exists exception.
HTTP Status Code: 400

## Examples


### Example


A sign-up request for the user `mary_major`.

#### Sample Request


```
POST HTTP/1.1
Host: cognito-idp.us-east-1.amazonaws.com
X-Amz-Date: 20230613T200059Z
Accept-Encoding: gzip, deflate, br
X-Amz-Target: AWSCognitoIdentityProviderService.SignUp
User-Agent: <UserAgentString>
Authorization: AWS4-HMAC-SHA256 Credential=<Credential>, SignedHeaders=<Headers>, Signature=<Signature>
Content-Length: <PayloadSizeBytes>

{
    "ClientId": "1example23456789",
    "Username": "mary_major",
    "Password": "<Password>",
    "SecretHash": "<Secret hash>",
    "UserAttributes": [
        {
            "Name": "name",
            "Value": "Mary"
        },
        {
            "Name": "email",
            "Value": "mary_major@example.com"
        },
        {
            "Name": "phone_number",
            "Value": "+12065551212"
        }
    ]
}
```

#### Sample Response


```
HTTP/1.1 200 OK
Date: Tue, 13 Jun 2023 20:00:59 GMT
Content-Type: application/x-amz-json-1.0
Content-Length: <PayloadSizeBytes>
x-amzn-requestid: a1b2c3d4-e5f6-a1b2-c3d4-EXAMPLE11111
Connection: keep-alive

{
	"CodeDeliveryDetails": {
		"AttributeName": "email",
		"DeliveryMedium": "EMAIL",
		"Destination": "m***@e***"
	},
	"UserConfirmed": false,
	"UserSub": "44284a5f-66af-4888-b582-fccc213c51fd"
}
```

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cognito-idp-2016-04-18/SignUp) 
+  [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cognito-idp-2016-04-18/SignUp) 
+  [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/SignUp) 
+  [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cognito-idp-2016-04-18/SignUp) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/SignUp) 
+  [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cognito-idp-2016-04-18/SignUp) 
+  [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cognito-idp-2016-04-18/SignUp) 
+  [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cognito-idp-2016-04-18/SignUp) 
+  [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/SignUp) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cognito-idp-2016-04-18/SignUp) 

# StartUserImportJob


Instructs your user pool to start importing users from a CSV file that contains their usernames and attributes. For more information about importing users from a CSV file, see [Importing users from a CSV file](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-using-import-tool.html).

To create a job that you can start with this request, see [CreateUserImportJob](API_CreateUserImportJob.md). To generate a template for your import, see [GetCSVHeader](API_GetCSVHeader.md).

## Request Syntax


```
{
   "JobId": "string",
   "UserPoolId": "string"
}
```

## Request Parameters


For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).

The request accepts the following data in JSON format.

 ** [JobId](#API_StartUserImportJob_RequestSyntax) **   <a name="CognitoUserPools-StartUserImportJob-request-JobId"></a>
The ID of a user import job that you previously created.  
To get information about jobs that you can start, see [ListUserImportJobs](API_ListUserImportJobs.md).  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 55.  
Pattern: `import-[0-9a-zA-Z-]+`   
Required: Yes

 ** [UserPoolId](#API_StartUserImportJob_RequestSyntax) **   <a name="CognitoUserPools-StartUserImportJob-request-UserPoolId"></a>
The ID of the user pool that you want to start importing users into.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 55.  
Pattern: `[\w-]+_[0-9a-zA-Z]+`   
Required: Yes

## Response Syntax


```
{
   "UserImportJob": { 
      "CloudWatchLogsRoleArn": "string",
      "CompletionDate": number,
      "CompletionMessage": "string",
      "CreationDate": number,
      "FailedUsers": number,
      "ImportedUsers": number,
      "JobId": "string",
      "JobName": "string",
      "PreSignedUrl": "string",
      "SkippedUsers": number,
      "StartDate": number,
      "Status": "string",
      "UserPoolId": "string"
   }
}
```

## Response Elements


If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

 ** [UserImportJob](#API_StartUserImportJob_ResponseSyntax) **   <a name="CognitoUserPools-StartUserImportJob-response-UserImportJob"></a>
The details of the user import job. Includes logging destination, status, and the Amazon S3 pre-signed URL for CSV upload.  
Type: [UserImportJobType](API_UserImportJobType.md) object

## Errors


For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).

 ** InternalErrorException **   
This exception is thrown when Amazon Cognito encounters an internal error.    
 ** message **   
The message returned when Amazon Cognito throws an internal error exception.
HTTP Status Code: 500

 ** InvalidParameterException **   
This exception is thrown when the Amazon Cognito service encounters an invalid parameter.    
 ** message **   
The message returned when the Amazon Cognito service throws an invalid parameter exception.  
 ** reasonCode **   
The reason code of the exception.
HTTP Status Code: 400

 ** NotAuthorizedException **   
This exception is thrown when a user isn't authorized.    
 ** message **   
The message returned when the Amazon Cognito service returns a not authorized exception.
HTTP Status Code: 400

 ** PreconditionNotMetException **   
This exception is thrown when a precondition is not met.    
 ** message **   
The message returned when a precondition is not met.
HTTP Status Code: 400

 ** ResourceNotFoundException **   
This exception is thrown when the Amazon Cognito service can't find the requested resource.    
 ** message **   
The message returned when the Amazon Cognito service returns a resource not found exception.
HTTP Status Code: 400

 ** TooManyRequestsException **   
This exception is thrown when the user has made too many requests for a given operation.    
 ** message **   
The message returned when the Amazon Cognito service returns a too many requests exception.
HTTP Status Code: 400

## Examples


### Example


The following example request starts the requested import job.

#### Sample Request


```
POST HTTP/1.1
Host: cognito-idp.us-west-2.amazonaws.com
X-Amz-Date: 20230613T200059Z
Accept-Encoding: gzip, deflate, br
X-Amz-Target: AWSCognitoIdentityProviderService.StartUserImportJob
User-Agent: <UserAgentString>
Authorization: AWS4-HMAC-SHA256 Credential=<Credential>, SignedHeaders=<Headers>, Signature=<Signature>
Content-Length: <PayloadSizeBytes>
{
   "JobId": "import-mAgUtd8PMm",
   "UserPoolId": "us-west-2_EXAMPLE"
}
```

#### Sample Response


```
HTTP/1.1 200 OK
Date: Tue, 13 Jun 2023 20:00:59 GMT
Content-Type: application/x-amz-json-1.0
Content-Length: <PayloadSizeBytes>
x-amzn-requestid: a1b2c3d4-e5f6-a1b2-c3d4-EXAMPLE11111
Connection: keep-alive
{
    "UserImportJob": {
        "CloudWatchLogsRoleArn": "arn:aws:iam::123456789012:role/example-cloudwatch-logs-role",
        "CreationDate": 1736442975.904,
        "FailedUsers": 0,
        "ImportedUsers": 0,
        "JobId": "import-mAgUtd8PMm",
        "JobName": "Customer import",
        "PreSignedUrl": "https://aws-cognito-idp-user-import-pdx.s3.us-west-2.amazonaws.com/123456789012/us-west-2_EXAMPLE/import-mAgUtd8PMm?X-Amz-Security-Token=[token]&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20241226T193341Z&X-Amz-SignedHeaders=host%3Bx-amz-server-side-encryption&X-Amz-Expires=899&X-Amz-Credential=[credential]&X-Amz-Signature=[signature]",
        "SkippedUsers": 0,
        "StartDate": 1736443020.081,
        "Status": "Pending",
        "UserPoolId": "us-west-2_EXAMPLE"
    }
}
```

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cognito-idp-2016-04-18/StartUserImportJob) 
+  [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cognito-idp-2016-04-18/StartUserImportJob) 
+  [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/StartUserImportJob) 
+  [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cognito-idp-2016-04-18/StartUserImportJob) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/StartUserImportJob) 
+  [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cognito-idp-2016-04-18/StartUserImportJob) 
+  [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cognito-idp-2016-04-18/StartUserImportJob) 
+  [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cognito-idp-2016-04-18/StartUserImportJob) 
+  [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/StartUserImportJob) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cognito-idp-2016-04-18/StartUserImportJob) 

# StartWebAuthnRegistration


Requests credential creation options from your user pool for the currently signed-in user. Returns information about the user pool, the user profile, and authentication requirements. Users must provide this information in their request to enroll your application with their passkey provider.

After users present this data and register with their passkey provider, return the response to your user pool in a [CompleteWebAuthnRegistration](API_CompleteWebAuthnRegistration.md) API request.

Authorize this action with a signed-in user's access token. It must include the scope `aws.cognito.signin.user.admin`.

## Request Syntax


```
{
   "AccessToken": "string"
}
```

## Request Parameters


For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).

The request accepts the following data in JSON format.

 ** [AccessToken](#API_StartWebAuthnRegistration_RequestSyntax) **   <a name="CognitoUserPools-StartWebAuthnRegistration-request-AccessToken"></a>
A valid access token that Amazon Cognito issued to the currently signed-in user. Must include a scope claim for `aws.cognito.signin.user.admin`.  
Type: String  
Pattern: `[A-Za-z0-9-_=.]+`   
Required: Yes

## Response Syntax


```
{
   "CredentialCreationOptions": JSON value
}
```

## Response Elements


If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

 ** [CredentialCreationOptions](#API_StartWebAuthnRegistration_ResponseSyntax) **   <a name="CognitoUserPools-StartWebAuthnRegistration-response-CredentialCreationOptions"></a>
The information that a user can provide in their request to register with their passkey provider.  
Type: JSON value

## Errors


For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).

 ** ForbiddenException **   
This exception is thrown when AWS WAF doesn't allow your request based on a web ACL that's associated with your user pool.    
 ** message **   
The message returned when AWS WAF doesn't allow your request based on a web ACL that's associated with your user pool.
HTTP Status Code: 400

 ** InternalErrorException **   
This exception is thrown when Amazon Cognito encounters an internal error.    
 ** message **   
The message returned when Amazon Cognito throws an internal error exception.
HTTP Status Code: 500

 ** InvalidParameterException **   
This exception is thrown when the Amazon Cognito service encounters an invalid parameter.    
 ** message **   
The message returned when the Amazon Cognito service throws an invalid parameter exception.  
 ** reasonCode **   
The reason code of the exception.
HTTP Status Code: 400

 ** LimitExceededException **   
This exception is thrown when a user exceeds the limit for a requested AWS resource.    
 ** message **   
The message returned when Amazon Cognito throws a limit exceeded exception.
HTTP Status Code: 400

 ** NotAuthorizedException **   
This exception is thrown when a user isn't authorized.    
 ** message **   
The message returned when the Amazon Cognito service returns a not authorized exception.
HTTP Status Code: 400

 ** PasswordResetRequiredException **   
This exception is thrown when a password reset is required.    
 ** message **   
The message returned when a password reset is required.
HTTP Status Code: 400

 ** TooManyRequestsException **   
This exception is thrown when the user has made too many requests for a given operation.    
 ** message **   
The message returned when the Amazon Cognito service returns a too many requests exception.
HTTP Status Code: 400

 ** WebAuthnConfigurationMissingException **   
This exception is thrown when a user pool doesn't have a configured relying party id or a user pool domain.  
HTTP Status Code: 400

 ** WebAuthnNotEnabledException **   
This exception is thrown when the passkey feature isn't enabled for the user pool.  
HTTP Status Code: 400

## Examples


### Example


The following example request gets passkey registration options for the current user.

#### Sample Request


```
POST HTTP/1.1
Host: cognito-idp.us-west-2.amazonaws.com
X-Amz-Date: 20230613T200059Z
Accept-Encoding: gzip, deflate, br
X-Amz-Target: AWSCognitoIdentityProviderService.StartWebAuthnRegistration
User-Agent: <UserAgentString>
Authorization: AWS4-HMAC-SHA256 Credential=<Credential>, SignedHeaders=<Headers>, Signature=<Signature>
Content-Length: <PayloadSizeBytes>
{
    "AccessToken":"eyJra456defEXAMPLE"
}
```

#### Sample Response


```
HTTP/1.1 200 OK
Date: Tue, 13 Jun 2023 20:00:59 GMT
Content-Type: application/x-amz-json-1.0
Content-Length: <PayloadSizeBytes>
x-amzn-requestid: a1b2c3d4-e5f6-a1b2-c3d4-EXAMPLE11111
Connection: keep-alive
{
    "CredentialCreationOptions": {
        "authenticatorSelection": {
            "requireResidentKey": true,
            "residentKey": "required",
            "userVerification": "preferred"
        },
        "challenge": "wxvbDicyqQqvF2EXAMPLE",
        "excludeCredentials": [
            {
                "id": "8LApgk4-lNUFHbhm2w6Und7-uxcc8coJGsPxiogvHoItc64xWQc3r4CEXAMPLE",
                "type": "public-key"
            }
        ],
        "pubKeyCredParams": [
            {
                "alg": -7,
                "type": "public-key"
            },
            {
                "alg": -257,
                "type": "public-key"
            }
        ],
        "rp": {
            "id": "auth.example.com",
            "name": "auth.example.com"
        },
        "timeout": 60000,
        "user": {
            "displayName": "testuser",
            "id": "ZWFhZDAyMTktMjExNy00MzlmLThkNDYtNGRiMjBlNEXAMPLE",
            "name": "testuser"
        }
    }
}
```

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cognito-idp-2016-04-18/StartWebAuthnRegistration) 
+  [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cognito-idp-2016-04-18/StartWebAuthnRegistration) 
+  [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/StartWebAuthnRegistration) 
+  [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cognito-idp-2016-04-18/StartWebAuthnRegistration) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/StartWebAuthnRegistration) 
+  [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cognito-idp-2016-04-18/StartWebAuthnRegistration) 
+  [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cognito-idp-2016-04-18/StartWebAuthnRegistration) 
+  [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cognito-idp-2016-04-18/StartWebAuthnRegistration) 
+  [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/StartWebAuthnRegistration) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cognito-idp-2016-04-18/StartWebAuthnRegistration) 

# StopUserImportJob


Instructs your user pool to stop a running job that's importing users from a CSV file that contains their usernames and attributes. For more information about importing users from a CSV file, see [Importing users from a CSV file](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-using-import-tool.html).

To create a new import job, see [CreateUserImportJob](API_CreateUserImportJob.md). To generate a template for your import, see [GetCSVHeader](API_GetCSVHeader.md).

## Request Syntax


```
{
   "JobId": "string",
   "UserPoolId": "string"
}
```

## Request Parameters


For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).

The request accepts the following data in JSON format.

 ** [JobId](#API_StopUserImportJob_RequestSyntax) **   <a name="CognitoUserPools-StopUserImportJob-request-JobId"></a>
The ID of a running user import job.  
To get information about import jobs, see [ListUserImportJobs](API_ListUserImportJobs.md).  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 55.  
Pattern: `import-[0-9a-zA-Z-]+`   
Required: Yes

 ** [UserPoolId](#API_StopUserImportJob_RequestSyntax) **   <a name="CognitoUserPools-StopUserImportJob-request-UserPoolId"></a>
The ID of the user pool that you want to stop.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 55.  
Pattern: `[\w-]+_[0-9a-zA-Z]+`   
Required: Yes

## Response Syntax


```
{
   "UserImportJob": { 
      "CloudWatchLogsRoleArn": "string",
      "CompletionDate": number,
      "CompletionMessage": "string",
      "CreationDate": number,
      "FailedUsers": number,
      "ImportedUsers": number,
      "JobId": "string",
      "JobName": "string",
      "PreSignedUrl": "string",
      "SkippedUsers": number,
      "StartDate": number,
      "Status": "string",
      "UserPoolId": "string"
   }
}
```

## Response Elements


If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

 ** [UserImportJob](#API_StopUserImportJob_ResponseSyntax) **   <a name="CognitoUserPools-StopUserImportJob-response-UserImportJob"></a>
The details of the user import job. Includes logging destination, status, and the Amazon S3 pre-signed URL for CSV upload.  
Type: [UserImportJobType](API_UserImportJobType.md) object

## Errors


For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).

 ** InternalErrorException **   
This exception is thrown when Amazon Cognito encounters an internal error.    
 ** message **   
The message returned when Amazon Cognito throws an internal error exception.
HTTP Status Code: 500

 ** InvalidParameterException **   
This exception is thrown when the Amazon Cognito service encounters an invalid parameter.    
 ** message **   
The message returned when the Amazon Cognito service throws an invalid parameter exception.  
 ** reasonCode **   
The reason code of the exception.
HTTP Status Code: 400

 ** NotAuthorizedException **   
This exception is thrown when a user isn't authorized.    
 ** message **   
The message returned when the Amazon Cognito service returns a not authorized exception.
HTTP Status Code: 400

 ** PreconditionNotMetException **   
This exception is thrown when a precondition is not met.    
 ** message **   
The message returned when a precondition is not met.
HTTP Status Code: 400

 ** ResourceNotFoundException **   
This exception is thrown when the Amazon Cognito service can't find the requested resource.    
 ** message **   
The message returned when the Amazon Cognito service returns a resource not found exception.
HTTP Status Code: 400

 ** TooManyRequestsException **   
This exception is thrown when the user has made too many requests for a given operation.    
 ** message **   
The message returned when the Amazon Cognito service returns a too many requests exception.
HTTP Status Code: 400

## Examples


### Example


The following example request stops the requested import job.

#### Sample Request


```
POST HTTP/1.1
Host: cognito-idp.us-west-2.amazonaws.com
X-Amz-Date: 20230613T200059Z
Accept-Encoding: gzip, deflate, br
X-Amz-Target: AWSCognitoIdentityProviderService.StopUserImportJob
User-Agent: <UserAgentString>
Authorization: AWS4-HMAC-SHA256 Credential=<Credential>, SignedHeaders=<Headers>, Signature=<Signature>
Content-Length: <PayloadSizeBytes>
{
   "JobId": "import-mAgUtd8PMm",
   "UserPoolId": "us-west-2_EXAMPLE"
}
```

#### Sample Response


```
HTTP/1.1 200 OK
Date: Tue, 13 Jun 2023 20:00:59 GMT
Content-Type: application/x-amz-json-1.0
Content-Length: <PayloadSizeBytes>
x-amzn-requestid: a1b2c3d4-e5f6-a1b2-c3d4-EXAMPLE11111
Connection: keep-alive
{
    "UserImportJob": {
        "CloudWatchLogsRoleArn": "arn:aws:iam::123456789012:role/example-cloudwatch-logs-role",
        "CompletionDate": 1736443496.379,
        "CompletionMessage": "The Import Job was stopped by the developer.",
        "CreationDate": 1736443471.781,
        "FailedUsers": 0,
        "ImportedUsers": 0,
        "JobId": "import-mAgUtd8PMm",
        "JobName": "Customer import",
        "PreSignedUrl": "https://aws-cognito-idp-user-import-pdx.s3.us-west-2.amazonaws.com/123456789012/us-west-2_EXAMPLE/import-mAgUtd8PMm?X-Amz-Security-Token=[token]&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20241226T193341Z&X-Amz-SignedHeaders=host%3Bx-amz-server-side-encryption&X-Amz-Expires=899&X-Amz-Credential=[credential]&X-Amz-Signature=[signature]",
        "SkippedUsers": 0,
        "StartDate": 1736443494.154,
        "Status": "Stopped",
        "UserPoolId": "us-west-2_EXAMPLE"
    }
}
```

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cognito-idp-2016-04-18/StopUserImportJob) 
+  [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cognito-idp-2016-04-18/StopUserImportJob) 
+  [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/StopUserImportJob) 
+  [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cognito-idp-2016-04-18/StopUserImportJob) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/StopUserImportJob) 
+  [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cognito-idp-2016-04-18/StopUserImportJob) 
+  [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cognito-idp-2016-04-18/StopUserImportJob) 
+  [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cognito-idp-2016-04-18/StopUserImportJob) 
+  [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/StopUserImportJob) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cognito-idp-2016-04-18/StopUserImportJob) 

# TagResource


Assigns a set of tags to an Amazon Cognito user pool. A tag is a label that you can use to categorize and manage user pools in different ways, such as by purpose, owner, environment, or other criteria.

Each tag consists of a key and value, both of which you define. A key is a general category for more specific values. For example, if you have two versions of a user pool, one for testing and another for production, you might assign an `Environment` tag key to both user pools. The value of this key might be `Test` for one user pool, and `Production` for the other.

Tags are useful for cost tracking and access control. You can activate your tags so that they appear on the Billing and Cost Management console, where you can track the costs associated with your user pools. In an AWS Identity and Access Management policy, you can constrain permissions for user pools based on specific tags or tag values.

You can use this action up to 5 times per second, per account. A user pool can have as many as 50 tags.

## Request Syntax


```
{
   "ResourceArn": "string",
   "Tags": { 
      "string" : "string" 
   }
}
```

## Request Parameters


For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).

The request accepts the following data in JSON format.

 ** [ResourceArn](#API_TagResource_RequestSyntax) **   <a name="CognitoUserPools-TagResource-request-ResourceArn"></a>
The Amazon Resource Name (ARN) of the user pool to assign the tags to.  
Type: String  
Length Constraints: Minimum length of 20. Maximum length of 2048.  
Pattern: `arn:[\w+=/,.@-]+:[\w+=/,.@-]+:([\w+=/,.@-]*)?:[0-9]+:[\w+=/,.@-]+(:[\w+=/,.@-]+)?(:[\w+=/,.@-]+)?`   
Required: Yes

 ** [Tags](#API_TagResource_RequestSyntax) **   <a name="CognitoUserPools-TagResource-request-Tags"></a>
An array of tag keys and values that you want to assign to the user pool.  
Type: String to string map  
Key Length Constraints: Minimum length of 1. Maximum length of 128.  
Value Length Constraints: Minimum length of 0. Maximum length of 256.  
Required: Yes

## Response Elements


If the action is successful, the service sends back an HTTP 200 response with an empty HTTP body.

## Errors


For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).

 ** InternalErrorException **   
This exception is thrown when Amazon Cognito encounters an internal error.    
 ** message **   
The message returned when Amazon Cognito throws an internal error exception.
HTTP Status Code: 500

 ** InvalidParameterException **   
This exception is thrown when the Amazon Cognito service encounters an invalid parameter.    
 ** message **   
The message returned when the Amazon Cognito service throws an invalid parameter exception.  
 ** reasonCode **   
The reason code of the exception.
HTTP Status Code: 400

 ** NotAuthorizedException **   
This exception is thrown when a user isn't authorized.    
 ** message **   
The message returned when the Amazon Cognito service returns a not authorized exception.
HTTP Status Code: 400

 ** ResourceNotFoundException **   
This exception is thrown when the Amazon Cognito service can't find the requested resource.    
 ** message **   
The message returned when the Amazon Cognito service returns a resource not found exception.
HTTP Status Code: 400

 ** TooManyRequestsException **   
This exception is thrown when the user has made too many requests for a given operation.    
 ** message **   
The message returned when the Amazon Cognito service returns a too many requests exception.
HTTP Status Code: 400

## Examples


### Example


The following example request adds `administrator` and `tenant` tags to the requested user pool.

#### Sample Request


```
POST HTTP/1.1
Host: cognito-idp.us-west-2.amazonaws.com
X-Amz-Date: 20230613T200059Z
Accept-Encoding: gzip, deflate, br
X-Amz-Target: AWSCognitoIdentityProviderService.CognitoOperation
User-Agent: <UserAgentString>
Authorization: AWS4-HMAC-SHA256 Credential=<Credential>, SignedHeaders=<Headers>, Signature=<Signature>
Content-Length: <PayloadSizeBytes>
{
   "ResourceArn": "arn:aws:cognito-idp:us-west-2:123456789012:userpool/us-west-2_EXAMPLE",
   "Tags": {
      "administrator": "Jie",
      "tenant": "ExampleCorp"
   }
}
```

#### Sample Response


```
HTTP/1.1 200 OK
Date: Tue, 13 Jun 2023 20:00:59 GMT
Content-Type: application/x-amz-json-1.0
Content-Length: <PayloadSizeBytes>
x-amzn-requestid: a1b2c3d4-e5f6-a1b2-c3d4-EXAMPLE11111
Connection: keep-alive
{}
```

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cognito-idp-2016-04-18/TagResource) 
+  [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cognito-idp-2016-04-18/TagResource) 
+  [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/TagResource) 
+  [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cognito-idp-2016-04-18/TagResource) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/TagResource) 
+  [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cognito-idp-2016-04-18/TagResource) 
+  [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cognito-idp-2016-04-18/TagResource) 
+  [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cognito-idp-2016-04-18/TagResource) 
+  [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/TagResource) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cognito-idp-2016-04-18/TagResource) 

# UntagResource


Given tag IDs that you previously assigned to a user pool, removes them.

## Request Syntax


```
{
   "ResourceArn": "string",
   "TagKeys": [ "string" ]
}
```

## Request Parameters


For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).

The request accepts the following data in JSON format.

 ** [ResourceArn](#API_UntagResource_RequestSyntax) **   <a name="CognitoUserPools-UntagResource-request-ResourceArn"></a>
The Amazon Resource Name (ARN) of the user pool that the tags are assigned to.  
Type: String  
Length Constraints: Minimum length of 20. Maximum length of 2048.  
Pattern: `arn:[\w+=/,.@-]+:[\w+=/,.@-]+:([\w+=/,.@-]*)?:[0-9]+:[\w+=/,.@-]+(:[\w+=/,.@-]+)?(:[\w+=/,.@-]+)?`   
Required: Yes

 ** [TagKeys](#API_UntagResource_RequestSyntax) **   <a name="CognitoUserPools-UntagResource-request-TagKeys"></a>
An array of tag keys that you want to remove from the user pool.  
Type: Array of strings  
Length Constraints: Minimum length of 1. Maximum length of 128.  
Required: Yes

## Response Elements


If the action is successful, the service sends back an HTTP 200 response with an empty HTTP body.

## Errors


For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).

 ** InternalErrorException **   
This exception is thrown when Amazon Cognito encounters an internal error.    
 ** message **   
The message returned when Amazon Cognito throws an internal error exception.
HTTP Status Code: 500

 ** InvalidParameterException **   
This exception is thrown when the Amazon Cognito service encounters an invalid parameter.    
 ** message **   
The message returned when the Amazon Cognito service throws an invalid parameter exception.  
 ** reasonCode **   
The reason code of the exception.
HTTP Status Code: 400

 ** NotAuthorizedException **   
This exception is thrown when a user isn't authorized.    
 ** message **   
The message returned when the Amazon Cognito service returns a not authorized exception.
HTTP Status Code: 400

 ** ResourceNotFoundException **   
This exception is thrown when the Amazon Cognito service can't find the requested resource.    
 ** message **   
The message returned when the Amazon Cognito service returns a resource not found exception.
HTTP Status Code: 400

 ** TooManyRequestsException **   
This exception is thrown when the user has made too many requests for a given operation.    
 ** message **   
The message returned when the Amazon Cognito service returns a too many requests exception.
HTTP Status Code: 400

## Examples


### Example


The following example request removes the `administrator` and `tenant` tags from the requested user pool.

#### Sample Request


```
POST HTTP/1.1
Host: cognito-idp.us-west-2.amazonaws.com
X-Amz-Date: 20230613T200059Z
Accept-Encoding: gzip, deflate, br
X-Amz-Target: AWSCognitoIdentityProviderService.UntagResource 
User-Agent: <UserAgentString>
Authorization: AWS4-HMAC-SHA256 Credential=<Credential>, SignedHeaders=<Headers>, Signature=<Signature>
Content-Length: <PayloadSizeBytes>
{
   "ResourceArn": "arn:aws:cognito-idp:us-west-2:123456789012:userpool/us-west-2_EXAMPLE",
   "TagKeys": [
       "administrator",
       "tenant"
    ]
}
```

#### Sample Response


```
HTTP/1.1 200 OK
Date: Tue, 13 Jun 2023 20:00:59 GMT
Content-Type: application/x-amz-json-1.0
Content-Length: <PayloadSizeBytes>
x-amzn-requestid: a1b2c3d4-e5f6-a1b2-c3d4-EXAMPLE11111
Connection: keep-alive
{}
```

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cognito-idp-2016-04-18/UntagResource) 
+  [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cognito-idp-2016-04-18/UntagResource) 
+  [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/UntagResource) 
+  [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cognito-idp-2016-04-18/UntagResource) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/UntagResource) 
+  [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cognito-idp-2016-04-18/UntagResource) 
+  [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cognito-idp-2016-04-18/UntagResource) 
+  [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cognito-idp-2016-04-18/UntagResource) 
+  [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/UntagResource) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cognito-idp-2016-04-18/UntagResource) 

# UpdateAuthEventFeedback


Provides the feedback for an authentication event generated by threat protection features. The user's response indicates that you think that the event either was from a valid user or was an unwanted authentication attempt. This feedback improves the risk evaluation decision for the user pool as part of Amazon Cognito threat protection. To activate this setting, your user pool must be on the [ Plus tier](https://docs.aws.amazon.com/cognito/latest/developerguide/feature-plans-features-plus.html).

This operation requires a `FeedbackToken` that Amazon Cognito generates and adds to notification emails when users have potentially suspicious authentication events. Users invoke this operation when they select the link that corresponds to `{one-click-link-valid}` or `{one-click-link-invalid}` in your notification template. Because `FeedbackToken` is a required parameter, you can't make requests to `UpdateAuthEventFeedback` without the contents of the notification email message.

**Note**  
Amazon Cognito doesn't evaluate AWS Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you can't use IAM credentials to authorize requests, and you can't grant IAM permissions in policies. For more information about authorization models in Amazon Cognito, see [Using the Amazon Cognito user pools API and user pool endpoints](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html).

## Request Syntax


```
{
   "EventId": "string",
   "FeedbackToken": "string",
   "FeedbackValue": "string",
   "Username": "string",
   "UserPoolId": "string"
}
```

## Request Parameters


For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).

The request accepts the following data in JSON format.

 ** [EventId](#API_UpdateAuthEventFeedback_RequestSyntax) **   <a name="CognitoUserPools-UpdateAuthEventFeedback-request-EventId"></a>
The ID of the authentication event that you want to submit feedback for.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 50.  
Pattern: `[\w+-]+`   
Required: Yes

 ** [FeedbackToken](#API_UpdateAuthEventFeedback_RequestSyntax) **   <a name="CognitoUserPools-UpdateAuthEventFeedback-request-FeedbackToken"></a>
The feedback token, an encrypted object generated by Amazon Cognito and passed to your user in the notification email message from the event.  
Type: String  
Pattern: `[A-Za-z0-9-_=.]+`   
Required: Yes

 ** [FeedbackValue](#API_UpdateAuthEventFeedback_RequestSyntax) **   <a name="CognitoUserPools-UpdateAuthEventFeedback-request-FeedbackValue"></a>
Your feedback to the authentication event. When you provide a `FeedbackValue` value of `valid`, you tell Amazon Cognito that you trust a user session where Amazon Cognito has evaluated some level of risk. When you provide a `FeedbackValue` value of `invalid`, you tell Amazon Cognito that you don't trust a user session, or you don't believe that Amazon Cognito evaluated a high-enough risk level.  
Type: String  
Valid Values: `Valid | Invalid`   
Required: Yes

 ** [Username](#API_UpdateAuthEventFeedback_RequestSyntax) **   <a name="CognitoUserPools-UpdateAuthEventFeedback-request-Username"></a>
The name of the user that you want to query or modify. The value of this parameter is typically your user's username, but it can be any of their alias attributes. If `username` isn't an alias attribute in your user pool, this value must be the `sub` of a local user or the username of a user from a third-party IdP.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 128.  
Pattern: `[\p{L}\p{M}\p{S}\p{N}\p{P}]+`   
Required: Yes

 ** [UserPoolId](#API_UpdateAuthEventFeedback_RequestSyntax) **   <a name="CognitoUserPools-UpdateAuthEventFeedback-request-UserPoolId"></a>
The ID of the user pool where you want to update auth event feedback.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 55.  
Pattern: `[\w-]+_[0-9a-zA-Z]+`   
Required: Yes

## Response Elements


If the action is successful, the service sends back an HTTP 200 response with an empty HTTP body.

## Errors


For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).

 ** InternalErrorException **   
This exception is thrown when Amazon Cognito encounters an internal error.    
 ** message **   
The message returned when Amazon Cognito throws an internal error exception.
HTTP Status Code: 500

 ** InvalidParameterException **   
This exception is thrown when the Amazon Cognito service encounters an invalid parameter.    
 ** message **   
The message returned when the Amazon Cognito service throws an invalid parameter exception.  
 ** reasonCode **   
The reason code of the exception.
HTTP Status Code: 400

 ** NotAuthorizedException **   
This exception is thrown when a user isn't authorized.    
 ** message **   
The message returned when the Amazon Cognito service returns a not authorized exception.
HTTP Status Code: 400

 ** ResourceNotFoundException **   
This exception is thrown when the Amazon Cognito service can't find the requested resource.    
 ** message **   
The message returned when the Amazon Cognito service returns a resource not found exception.
HTTP Status Code: 400

 ** TooManyRequestsException **   
This exception is thrown when the user has made too many requests for a given operation.    
 ** message **   
The message returned when the Amazon Cognito service returns a too many requests exception.
HTTP Status Code: 400

 ** UserNotFoundException **   
This exception is thrown when a user isn't found.    
 ** message **   
The message returned when a user isn't found.
HTTP Status Code: 400

 ** UserPoolAddOnNotEnabledException **   
This exception is thrown when user pool add-ons aren't enabled.  
HTTP Status Code: 400

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cognito-idp-2016-04-18/UpdateAuthEventFeedback) 
+  [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cognito-idp-2016-04-18/UpdateAuthEventFeedback) 
+  [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/UpdateAuthEventFeedback) 
+  [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cognito-idp-2016-04-18/UpdateAuthEventFeedback) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/UpdateAuthEventFeedback) 
+  [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cognito-idp-2016-04-18/UpdateAuthEventFeedback) 
+  [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cognito-idp-2016-04-18/UpdateAuthEventFeedback) 
+  [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cognito-idp-2016-04-18/UpdateAuthEventFeedback) 
+  [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/UpdateAuthEventFeedback) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cognito-idp-2016-04-18/UpdateAuthEventFeedback) 

# UpdateDeviceStatus


Updates the status of a the currently signed-in user's device so that it is marked as remembered or not remembered for the purpose of device authentication. Device authentication is a "remember me" mechanism that silently completes sign-in from trusted devices with a device key instead of a user-provided MFA code. This operation changes the status of a device without deleting it, so you can enable it again later. For more information about device authentication, see [Working with devices](https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-device-tracking.html).

Authorize this action with a signed-in user's access token. It must include the scope `aws.cognito.signin.user.admin`.

**Note**  
Amazon Cognito doesn't evaluate AWS Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you can't use IAM credentials to authorize requests, and you can't grant IAM permissions in policies. For more information about authorization models in Amazon Cognito, see [Using the Amazon Cognito user pools API and user pool endpoints](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html).

## Request Syntax


```
{
   "AccessToken": "string",
   "DeviceKey": "string",
   "DeviceRememberedStatus": "string"
}
```

## Request Parameters


For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).

The request accepts the following data in JSON format.

 ** [AccessToken](#API_UpdateDeviceStatus_RequestSyntax) **   <a name="CognitoUserPools-UpdateDeviceStatus-request-AccessToken"></a>
A valid access token that Amazon Cognito issued to the currently signed-in user. Must include a scope claim for `aws.cognito.signin.user.admin`.  
Type: String  
Pattern: `[A-Za-z0-9-_=.]+`   
Required: Yes

 ** [DeviceKey](#API_UpdateDeviceStatus_RequestSyntax) **   <a name="CognitoUserPools-UpdateDeviceStatus-request-DeviceKey"></a>
The device key of the device you want to update, for example `us-west-2_a1b2c3d4-5678-90ab-cdef-EXAMPLE11111`.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 55.  
Pattern: `[\w-]+_[0-9a-f-]+`   
Required: Yes

 ** [DeviceRememberedStatus](#API_UpdateDeviceStatus_RequestSyntax) **   <a name="CognitoUserPools-UpdateDeviceStatus-request-DeviceRememberedStatus"></a>
To enable device authentication with the specified device, set to `remembered`.To disable, set to `not_remembered`.  
Type: String  
Valid Values: `remembered | not_remembered`   
Required: No

## Response Elements


If the action is successful, the service sends back an HTTP 200 response with an empty HTTP body.

## Errors


For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).

 ** ForbiddenException **   
This exception is thrown when AWS WAF doesn't allow your request based on a web ACL that's associated with your user pool.    
 ** message **   
The message returned when AWS WAF doesn't allow your request based on a web ACL that's associated with your user pool.
HTTP Status Code: 400

 ** InternalErrorException **   
This exception is thrown when Amazon Cognito encounters an internal error.    
 ** message **   
The message returned when Amazon Cognito throws an internal error exception.
HTTP Status Code: 500

 ** InvalidParameterException **   
This exception is thrown when the Amazon Cognito service encounters an invalid parameter.    
 ** message **   
The message returned when the Amazon Cognito service throws an invalid parameter exception.  
 ** reasonCode **   
The reason code of the exception.
HTTP Status Code: 400

 ** InvalidUserPoolConfigurationException **   
This exception is thrown when the user pool configuration is not valid.    
 ** message **   
The message returned when the user pool configuration is not valid.
HTTP Status Code: 400

 ** NotAuthorizedException **   
This exception is thrown when a user isn't authorized.    
 ** message **   
The message returned when the Amazon Cognito service returns a not authorized exception.
HTTP Status Code: 400

 ** PasswordResetRequiredException **   
This exception is thrown when a password reset is required.    
 ** message **   
The message returned when a password reset is required.
HTTP Status Code: 400

 ** ResourceNotFoundException **   
This exception is thrown when the Amazon Cognito service can't find the requested resource.    
 ** message **   
The message returned when the Amazon Cognito service returns a resource not found exception.
HTTP Status Code: 400

 ** TooManyRequestsException **   
This exception is thrown when the user has made too many requests for a given operation.    
 ** message **   
The message returned when the Amazon Cognito service returns a too many requests exception.
HTTP Status Code: 400

 ** UserNotConfirmedException **   
This exception is thrown when a user isn't confirmed successfully.    
 ** message **   
The message returned when a user isn't confirmed successfully.
HTTP Status Code: 400

 ** UserNotFoundException **   
This exception is thrown when a user isn't found.    
 ** message **   
The message returned when a user isn't found.
HTTP Status Code: 400

## Examples


### Example


The following example request forgets a remembered device for the current user.

#### Sample Request


```
POST HTTP/1.1
Host: cognito-idp.us-west-2.amazonaws.com
X-Amz-Date: 20230613T200059Z
Accept-Encoding: gzip, deflate, br
X-Amz-Target: AWSCognitoIdentityProviderService.UpdateDeviceStatus
User-Agent: <UserAgentString>
Authorization: AWS4-HMAC-SHA256 Credential=<Credential>, SignedHeaders=<Headers>, Signature=<Signature>
Content-Length: <PayloadSizeBytes>
{
   "AccessToken": "eyJra456defEXAMPLE",
   "DeviceKey": "us-west-2_a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
   "DeviceRememberedStatus": "not_remembered"
}
```

#### Sample Response


```
HTTP/1.1 200 OK
Date: Tue, 13 Jun 2023 20:00:59 GMT
Content-Type: application/x-amz-json-1.0
Content-Length: <PayloadSizeBytes>
x-amzn-requestid: a1b2c3d4-e5f6-a1b2-c3d4-EXAMPLE11111
Connection: keep-alive
{}
```

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cognito-idp-2016-04-18/UpdateDeviceStatus) 
+  [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cognito-idp-2016-04-18/UpdateDeviceStatus) 
+  [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/UpdateDeviceStatus) 
+  [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cognito-idp-2016-04-18/UpdateDeviceStatus) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/UpdateDeviceStatus) 
+  [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cognito-idp-2016-04-18/UpdateDeviceStatus) 
+  [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cognito-idp-2016-04-18/UpdateDeviceStatus) 
+  [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cognito-idp-2016-04-18/UpdateDeviceStatus) 
+  [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/UpdateDeviceStatus) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cognito-idp-2016-04-18/UpdateDeviceStatus) 

# UpdateGroup


Given the name of a user pool group, updates any of the properties for precedence, IAM role, or description. For more information about user pool groups, see [Adding groups to a user pool](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-user-groups.html).

**Note**  
Amazon Cognito evaluates AWS Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.  
 [Signing AWS API Requests](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html) 
 [Using the Amazon Cognito user pools API and user pool endpoints](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html) 

## Request Syntax


```
{
   "Description": "string",
   "GroupName": "string",
   "Precedence": number,
   "RoleArn": "string",
   "UserPoolId": "string"
}
```

## Request Parameters


For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).

The request accepts the following data in JSON format.

 ** [Description](#API_UpdateGroup_RequestSyntax) **   <a name="CognitoUserPools-UpdateGroup-request-Description"></a>
A new description of the existing group.  
Type: String  
Length Constraints: Maximum length of 2048.  
Required: No

 ** [GroupName](#API_UpdateGroup_RequestSyntax) **   <a name="CognitoUserPools-UpdateGroup-request-GroupName"></a>
The name of the group that you want to update.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 128.  
Pattern: `[\p{L}\p{M}\p{S}\p{N}\p{P}]+`   
Required: Yes

 ** [Precedence](#API_UpdateGroup_RequestSyntax) **   <a name="CognitoUserPools-UpdateGroup-request-Precedence"></a>
A non-negative integer value that specifies the precedence of this group relative to the other groups that a user can belong to in the user pool. Zero is the highest precedence value. Groups with lower `Precedence` values take precedence over groups with higher or null `Precedence` values. If a user belongs to two or more groups, it is the group with the lowest precedence value whose role ARN is given in the user's tokens for the `cognito:roles` and `cognito:preferred_role` claims.  
Two groups can have the same `Precedence` value. If this happens, neither group takes precedence over the other. If two groups with the same `Precedence` have the same role ARN, that role is used in the `cognito:preferred_role` claim in tokens for users in each group. If the two groups have different role ARNs, the `cognito:preferred_role` claim isn't set in users' tokens.  
The default `Precedence` value is null. The maximum `Precedence` value is `2^31-1`.  
Type: Integer  
Valid Range: Minimum value of 0.  
Required: No

 ** [RoleArn](#API_UpdateGroup_RequestSyntax) **   <a name="CognitoUserPools-UpdateGroup-request-RoleArn"></a>
The Amazon Resource Name (ARN) of an IAM role that you want to associate with the group. The role assignment contributes to the `cognito:roles` and `cognito:preferred_role` claims in group members' tokens.  
Type: String  
Length Constraints: Minimum length of 20. Maximum length of 2048.  
Pattern: `arn:[\w+=/,.@-]+:[\w+=/,.@-]+:([\w+=/,.@-]*)?:[0-9]+:[\w+=/,.@-]+(:[\w+=/,.@-]+)?(:[\w+=/,.@-]+)?`   
Required: No

 ** [UserPoolId](#API_UpdateGroup_RequestSyntax) **   <a name="CognitoUserPools-UpdateGroup-request-UserPoolId"></a>
The ID of the user pool that contains the group you want to update.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 55.  
Pattern: `[\w-]+_[0-9a-zA-Z]+`   
Required: Yes

## Response Syntax


```
{
   "Group": { 
      "CreationDate": number,
      "Description": "string",
      "GroupName": "string",
      "LastModifiedDate": number,
      "Precedence": number,
      "RoleArn": "string",
      "UserPoolId": "string"
   }
}
```

## Response Elements


If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

 ** [Group](#API_UpdateGroup_ResponseSyntax) **   <a name="CognitoUserPools-UpdateGroup-response-Group"></a>
Contains the updated details of the group, including precedence, IAM role, and description.  
Type: [GroupType](API_GroupType.md) object

## Errors


For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).

 ** InternalErrorException **   
This exception is thrown when Amazon Cognito encounters an internal error.    
 ** message **   
The message returned when Amazon Cognito throws an internal error exception.
HTTP Status Code: 500

 ** InvalidParameterException **   
This exception is thrown when the Amazon Cognito service encounters an invalid parameter.    
 ** message **   
The message returned when the Amazon Cognito service throws an invalid parameter exception.  
 ** reasonCode **   
The reason code of the exception.
HTTP Status Code: 400

 ** NotAuthorizedException **   
This exception is thrown when a user isn't authorized.    
 ** message **   
The message returned when the Amazon Cognito service returns a not authorized exception.
HTTP Status Code: 400

 ** ResourceNotFoundException **   
This exception is thrown when the Amazon Cognito service can't find the requested resource.    
 ** message **   
The message returned when the Amazon Cognito service returns a resource not found exception.
HTTP Status Code: 400

 ** TooManyRequestsException **   
This exception is thrown when the user has made too many requests for a given operation.    
 ** message **   
The message returned when the Amazon Cognito service returns a too many requests exception.
HTTP Status Code: 400

## Examples


### Example


The following example request sets a description and IAM role for the requested group name.

#### Sample Request


```
POST HTTP/1.1
Host: cognito-idp.us-west-2.amazonaws.com
X-Amz-Date: 20230613T200059Z
Accept-Encoding: gzip, deflate, br
X-Amz-Target: AWSCognitoIdentityProviderService.UpdateGroup
User-Agent: <UserAgentString>
Authorization: AWS4-HMAC-SHA256 Credential=<Credential>, SignedHeaders=<Headers>, Signature=<Signature>
Content-Length: <PayloadSizeBytes>
{
   "Description": "My example group",
   "GroupName": "testgroup",
   "Precedence": 4,
   "RoleArn": "arn:aws:iam::123456789012:role/example-group-role",
   "UserPoolId": "us-west-2_EXAMPLE"
}
```

#### Sample Response


```
HTTP/1.1 200 OK
Date: Tue, 13 Jun 2023 20:00:59 GMT
Content-Type: application/x-amz-json-1.0
Content-Length: <PayloadSizeBytes>
x-amzn-requestid: a1b2c3d4-e5f6-a1b2-c3d4-EXAMPLE11111
Connection: keep-alive
{
    "Group": {
        "CreationDate": 1681422900.933,
        "Description": "My example group",
        "GroupName": "testgroup",
        "LastModifiedDate": 1736443988.896,
        "Precedence": 4,
        "RoleArn": "arn:aws:iam::123456789012:role/example-group-role",
        "UserPoolId": "us-west-2_EXAMPLE"
    }
}
```

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cognito-idp-2016-04-18/UpdateGroup) 
+  [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cognito-idp-2016-04-18/UpdateGroup) 
+  [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/UpdateGroup) 
+  [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cognito-idp-2016-04-18/UpdateGroup) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/UpdateGroup) 
+  [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cognito-idp-2016-04-18/UpdateGroup) 
+  [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cognito-idp-2016-04-18/UpdateGroup) 
+  [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cognito-idp-2016-04-18/UpdateGroup) 
+  [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/UpdateGroup) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cognito-idp-2016-04-18/UpdateGroup) 

# UpdateIdentityProvider


Modifies the configuration and trust relationship between a third-party identity provider (IdP) and a user pool. Amazon Cognito accepts sign-in with third-party identity providers through managed login and OIDC relying-party libraries. For more information, see [Third-party IdP sign-in](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-identity-federation.html).

**Note**  
Amazon Cognito evaluates AWS Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.  
 [Signing AWS API Requests](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html) 
 [Using the Amazon Cognito user pools API and user pool endpoints](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html) 

## Request Syntax


```
{
   "AttributeMapping": { 
      "string" : "string" 
   },
   "IdpIdentifiers": [ "string" ],
   "ProviderDetails": { 
      "string" : "string" 
   },
   "ProviderName": "string",
   "UserPoolId": "string"
}
```

## Request Parameters


For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).

The request accepts the following data in JSON format.

 ** [AttributeMapping](#API_UpdateIdentityProvider_RequestSyntax) **   <a name="CognitoUserPools-UpdateIdentityProvider-request-AttributeMapping"></a>
A mapping of IdP attributes to standard and custom user pool attributes. Specify a user pool attribute as the key of the key-value pair, and the IdP attribute claim name as the value.  
Type: String to string map  
Key Length Constraints: Minimum length of 1. Maximum length of 32.  
Value Length Constraints: Minimum length of 0. Maximum length of 131072.  
Required: No

 ** [IdpIdentifiers](#API_UpdateIdentityProvider_RequestSyntax) **   <a name="CognitoUserPools-UpdateIdentityProvider-request-IdpIdentifiers"></a>
An array of IdP identifiers, for example `"IdPIdentifiers": [ "MyIdP", "MyIdP2" ]`. Identifiers are friendly names that you can pass in the `idp_identifier` query parameter of requests to the [Authorize endpoint](https://docs.aws.amazon.com/cognito/latest/developerguide/authorization-endpoint.html) to silently redirect to sign-in with the associated IdP. Identifiers in a domain format also enable the use of [email-address matching with SAML providers](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-managing-saml-idp-naming.html).   
Type: Array of strings  
Array Members: Minimum number of 0 items. Maximum number of 50 items.  
Length Constraints: Minimum length of 1. Maximum length of 40.  
Pattern: `[\w\s+=.@-]+`   
Required: No

 ** [ProviderDetails](#API_UpdateIdentityProvider_RequestSyntax) **   <a name="CognitoUserPools-UpdateIdentityProvider-request-ProviderDetails"></a>
The scopes, URLs, and identifiers for your external identity provider. The following examples describe the provider detail keys for each IdP type. These values and their schema are subject to change. Social IdP `authorize_scopes` values must match the values listed here.    
OpenID Connect (OIDC)  
Amazon Cognito accepts the following elements when it can't discover endpoint URLs from `oidc_issuer`: `attributes_url`, `authorize_url`, `jwks_uri`, `token_url`.  
Create or update request: `"ProviderDetails": { "attributes_request_method": "GET", "attributes_url": "https://auth.example.com/userInfo", "authorize_scopes": "openid profile email", "authorize_url": "https://auth.example.com/authorize", "client_id": "1example23456789", "client_secret": "provider-app-client-secret", "jwks_uri": "https://auth.example.com/.well-known/jwks.json", "oidc_issuer": "https://auth.example.com", "token_url": "https://example.com/token" }`   
Describe response: `"ProviderDetails": { "attributes_request_method": "GET", "attributes_url": "https://auth.example.com/userInfo", "attributes_url_add_attributes": "false", "authorize_scopes": "openid profile email", "authorize_url": "https://auth.example.com/authorize", "client_id": "1example23456789", "client_secret": "provider-app-client-secret", "jwks_uri": "https://auth.example.com/.well-known/jwks.json", "oidc_issuer": "https://auth.example.com", "token_url": "https://example.com/token" }`   
SAML  
Create or update request with Metadata URL: `"ProviderDetails": { "IDPInit": "true", "IDPSignout": "true", "EncryptedResponses" : "true", "MetadataURL": "https://auth.example.com/sso/saml/metadata", "RequestSigningAlgorithm": "rsa-sha256" }`   
Create or update request with Metadata file: `"ProviderDetails": { "IDPInit": "true", "IDPSignout": "true", "EncryptedResponses" : "true", "MetadataFile": "[metadata XML]", "RequestSigningAlgorithm": "rsa-sha256" }`   
The value of `MetadataFile` must be the plaintext metadata document with all quote (") characters escaped by backslashes.  
Describe response: `"ProviderDetails": { "IDPInit": "true", "IDPSignout": "true", "EncryptedResponses" : "true", "ActiveEncryptionCertificate": "[certificate]", "MetadataURL": "https://auth.example.com/sso/saml/metadata", "RequestSigningAlgorithm": "rsa-sha256", "SLORedirectBindingURI": "https://auth.example.com/slo/saml", "SSORedirectBindingURI": "https://auth.example.com/sso/saml" }`   
LoginWithAmazon  
Create or update request: `"ProviderDetails": { "authorize_scopes": "profile postal_code", "client_id": "amzn1.application-oa2-client.1example23456789", "client_secret": "provider-app-client-secret"`   
Describe response: `"ProviderDetails": { "attributes_url": "https://api.amazon.com/user/profile", "attributes_url_add_attributes": "false", "authorize_scopes": "profile postal_code", "authorize_url": "https://www.amazon.com/ap/oa", "client_id": "amzn1.application-oa2-client.1example23456789", "client_secret": "provider-app-client-secret", "token_request_method": "POST", "token_url": "https://api.amazon.com/auth/o2/token" }`   
Google  
Create or update request: `"ProviderDetails": { "authorize_scopes": "email profile openid", "client_id": "1example23456789.apps.googleusercontent.com", "client_secret": "provider-app-client-secret" }`   
Describe response: `"ProviderDetails": { "attributes_url": "https://people.googleapis.com/v1/people/me?personFields=", "attributes_url_add_attributes": "true", "authorize_scopes": "email profile openid", "authorize_url": "https://accounts.google.com/o/oauth2/v2/auth", "client_id": "1example23456789.apps.googleusercontent.com", "client_secret": "provider-app-client-secret", "oidc_issuer": "https://accounts.google.com", "token_request_method": "POST", "token_url": "https://www.googleapis.com/oauth2/v4/token" }`   
SignInWithApple  
Create or update request: `"ProviderDetails": { "authorize_scopes": "email name", "client_id": "com.example.cognito", "private_key": "1EXAMPLE", "key_id": "2EXAMPLE", "team_id": "3EXAMPLE" }`   
Describe response: `"ProviderDetails": { "attributes_url_add_attributes": "false", "authorize_scopes": "email name", "authorize_url": "https://appleid.apple.com/auth/authorize", "client_id": "com.example.cognito", "key_id": "1EXAMPLE", "oidc_issuer": "https://appleid.apple.com", "team_id": "2EXAMPLE", "token_request_method": "POST", "token_url": "https://appleid.apple.com/auth/token" }`   
Facebook  
Create or update request: `"ProviderDetails": { "api_version": "v17.0", "authorize_scopes": "public_profile, email", "client_id": "1example23456789", "client_secret": "provider-app-client-secret" }`   
Describe response: `"ProviderDetails": { "api_version": "v17.0", "attributes_url": "https://graph.facebook.com/v17.0/me?fields=", "attributes_url_add_attributes": "true", "authorize_scopes": "public_profile, email", "authorize_url": "https://www.facebook.com/v17.0/dialog/oauth", "client_id": "1example23456789", "client_secret": "provider-app-client-secret", "token_request_method": "GET", "token_url": "https://graph.facebook.com/v17.0/oauth/access_token" }` 
Type: String to string map  
Key Length Constraints: Minimum length of 0. Maximum length of 131072.  
Value Length Constraints: Minimum length of 0. Maximum length of 131072.  
Required: No

 ** [ProviderName](#API_UpdateIdentityProvider_RequestSyntax) **   <a name="CognitoUserPools-UpdateIdentityProvider-request-ProviderName"></a>
The name of the IdP that you want to update. You can pass the identity provider name in the `identity_provider` query parameter of requests to the [Authorize endpoint](https://docs.aws.amazon.com/cognito/latest/developerguide/authorization-endpoint.html) to silently redirect to sign-in with the associated IdP.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 32.  
Pattern: `[\p{L}\p{M}\p{S}\p{N}\p{P}\p{Z}]+`   
Required: Yes

 ** [UserPoolId](#API_UpdateIdentityProvider_RequestSyntax) **   <a name="CognitoUserPools-UpdateIdentityProvider-request-UserPoolId"></a>
The Id of the user pool where you want to update your IdP.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 55.  
Pattern: `[\w-]+_[0-9a-zA-Z]+`   
Required: Yes

## Response Syntax


```
{
   "IdentityProvider": { 
      "AttributeMapping": { 
         "string" : "string" 
      },
      "CreationDate": number,
      "IdpIdentifiers": [ "string" ],
      "LastModifiedDate": number,
      "ProviderDetails": { 
         "string" : "string" 
      },
      "ProviderName": "string",
      "ProviderType": "string",
      "UserPoolId": "string"
   }
}
```

## Response Elements


If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

 ** [IdentityProvider](#API_UpdateIdentityProvider_ResponseSyntax) **   <a name="CognitoUserPools-UpdateIdentityProvider-response-IdentityProvider"></a>
The identity provider details.  
Type: [IdentityProviderType](API_IdentityProviderType.md) object

## Errors


For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).

 ** ConcurrentModificationException **   
This exception is thrown if two or more modifications are happening concurrently.    
 ** message **   
The message provided when the concurrent exception is thrown.
HTTP Status Code: 400

 ** InternalErrorException **   
This exception is thrown when Amazon Cognito encounters an internal error.    
 ** message **   
The message returned when Amazon Cognito throws an internal error exception.
HTTP Status Code: 500

 ** InvalidParameterException **   
This exception is thrown when the Amazon Cognito service encounters an invalid parameter.    
 ** message **   
The message returned when the Amazon Cognito service throws an invalid parameter exception.  
 ** reasonCode **   
The reason code of the exception.
HTTP Status Code: 400

 ** NotAuthorizedException **   
This exception is thrown when a user isn't authorized.    
 ** message **   
The message returned when the Amazon Cognito service returns a not authorized exception.
HTTP Status Code: 400

 ** ResourceNotFoundException **   
This exception is thrown when the Amazon Cognito service can't find the requested resource.    
 ** message **   
The message returned when the Amazon Cognito service returns a resource not found exception.
HTTP Status Code: 400

 ** TooManyRequestsException **   
This exception is thrown when the user has made too many requests for a given operation.    
 ** message **   
The message returned when the Amazon Cognito service returns a too many requests exception.
HTTP Status Code: 400

 ** UnsupportedIdentityProviderException **   
This exception is thrown when the specified identifier isn't supported.  
HTTP Status Code: 400

## Examples


### Example


The following example request updates an OIDC identity provider. Note that this request sets a manual configuration of the OIDC service endpoints. If the `oidc_issuer` URL has a `.well-known/openid-configuration` endpoint, you can specify `oidc_issuer` alone and auto-discover the remaining endpoints.

#### Sample Request


```
POST HTTP/1.1
Host: cognito-idp.us-west-2.amazonaws.com
X-Amz-Date: 20230613T200059Z
Accept-Encoding: gzip, deflate, br
X-Amz-Target: AWSCognitoIdentityProviderService.UpdateIdentityProvider
User-Agent: <UserAgentString>
Authorization: AWS4-HMAC-SHA256 Credential=<Credential>, SignedHeaders=<Headers>, Signature=<Signature>
Content-Length: <PayloadSizeBytes>
{
   "AttributeMapping": {
            "email": "idp_email",
            "email_verified": "idp_email_verified",
            "username": "sub"
        },
        "CreationDate": 1.701129701653E9,
        "IdpIdentifiers": [
            "corp",
            "dev"
        ],
        "LastModifiedDate": 1.701129701653E9,
        "ProviderDetails": {
            "attributes_request_method": "GET",
            "attributes_url": "https://example.com/userInfo",
            "attributes_url_add_attributes": "false",
            "authorize_scopes": "openid profile",
            "authorize_url": "https://example.com/authorize",
            "client_id": "idpexampleclient123",
            "client_secret": "idpexamplesecret456",
            "jwks_uri": "https://example.com/.well-known/jwks.json",
            "oidc_issuer": "https://example.com",
            "token_url": "https://example.com/token"
        },
        "ProviderName": "MyOIDCIdP",
        "UserPoolId": "us-west-2_EXAMPLE"
}
```

#### Sample Response


```
HTTP/1.1 200 OK
Date: Tue, 13 Jun 2023 20:00:59 GMT
Content-Type: application/x-amz-json-1.0
Content-Length: <PayloadSizeBytes>
x-amzn-requestid: a1b2c3d4-e5f6-a1b2-c3d4-EXAMPLE11111
Connection: keep-alive
{
    "IdentityProvider": {
        "AttributeMapping": {
            "email": "idp_email",
            "email_verified": "idp_email_verified",
            "username": "sub"
        },
        "CreationDate": 1701129701.653,
        "IdpIdentifiers": [
            "corp",
            "dev"
        ],
        "LastModifiedDate": 1736444278.211,
        "ProviderDetails": {
            "attributes_request_method": "GET",
            "attributes_url": "https://example.com/userInfo",
            "attributes_url_add_attributes": "false",
            "authorize_scopes": "openid profile",
            "authorize_url": "https://example.com/authorize",
            "client_id": "idpexampleclient123",
            "client_secret": "idpexamplesecret456",
            "jwks_uri": "https://example.com/.well-known/jwks.json",
            "oidc_issuer": "https://example.com",
            "token_url": "https://example.com/token"
        },
        "ProviderName": "MyOIDCIdP",
        "ProviderType": "OIDC",
        "UserPoolId": "us-west-2_EXAMPLE"
    }
}
```

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cognito-idp-2016-04-18/UpdateIdentityProvider) 
+  [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cognito-idp-2016-04-18/UpdateIdentityProvider) 
+  [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/UpdateIdentityProvider) 
+  [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cognito-idp-2016-04-18/UpdateIdentityProvider) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/UpdateIdentityProvider) 
+  [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cognito-idp-2016-04-18/UpdateIdentityProvider) 
+  [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cognito-idp-2016-04-18/UpdateIdentityProvider) 
+  [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cognito-idp-2016-04-18/UpdateIdentityProvider) 
+  [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/UpdateIdentityProvider) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cognito-idp-2016-04-18/UpdateIdentityProvider) 

# UpdateManagedLoginBranding


Configures the branding settings for a user pool style. This operation is the programmatic option for the configuration of a style in the branding editor.

Provides values for UI customization in a `Settings` JSON object and image files in an `Assets` array.

 This operation has a 2-megabyte request-size limit and include the CSS settings and image assets for your app client. Your branding settings might exceed 2MB in size. Amazon Cognito doesn't require that you pass all parameters in one request and preserves existing style settings that you don't specify. If your request is larger than 2MB, separate it into multiple requests, each with a size smaller than the limit.

As a best practice, modify the output of [DescribeManagedLoginBrandingByClient](API_DescribeManagedLoginBrandingByClient.md) into the request parameters for this operation. To get all settings, set `ReturnMergedResources` to `true`. For more information, see [API and SDK operations for managed login branding](https://docs.aws.amazon.com/cognito/latest/developerguide/managed-login-brandingeditor.html#branding-designer-api) 

**Note**  
Amazon Cognito evaluates AWS Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.  
 [Signing AWS API Requests](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html) 
 [Using the Amazon Cognito user pools API and user pool endpoints](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html) 

## Request Syntax


```
{
   "Assets": [ 
      { 
         "Bytes": blob,
         "Category": "string",
         "ColorMode": "string",
         "Extension": "string",
         "ResourceId": "string"
      }
   ],
   "ManagedLoginBrandingId": "string",
   "Settings": JSON value,
   "UseCognitoProvidedValues": boolean,
   "UserPoolId": "string"
}
```

## Request Parameters


For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).

The request accepts the following data in JSON format.

 ** [Assets](#API_UpdateManagedLoginBranding_RequestSyntax) **   <a name="CognitoUserPools-UpdateManagedLoginBranding-request-Assets"></a>
An array of image files that you want to apply to roles like backgrounds, logos, and icons. Each object must also indicate whether it is for dark mode, light mode, or browser-adaptive mode.  
Type: Array of [AssetType](API_AssetType.md) objects  
Array Members: Minimum number of 0 items. Maximum number of 40 items.  
Required: No

 ** [ManagedLoginBrandingId](#API_UpdateManagedLoginBranding_RequestSyntax) **   <a name="CognitoUserPools-UpdateManagedLoginBranding-request-ManagedLoginBrandingId"></a>
The ID of the managed login branding style that you want to update.  
Type: String  
Pattern: `^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[4][0-9a-fA-F]{3}-[89abAB][0-9a-fA-F]{3}-[0-9a-fA-F]{12}$`   
Required: No

 ** [Settings](#API_UpdateManagedLoginBranding_RequestSyntax) **   <a name="CognitoUserPools-UpdateManagedLoginBranding-request-Settings"></a>
A JSON file, encoded as a `Document` type, with the the settings that you want to apply to your style.  
The following components are not currently implemented and reserved for future use:  
+  `signUp` 
+  `instructions` 
+  `sessionTimerDisplay` 
+  `languageSelector` (for localization, see [Managed login localization)](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-managed-login.html#managed-login-localization) 
Type: JSON value  
Required: No

 ** [UseCognitoProvidedValues](#API_UpdateManagedLoginBranding_RequestSyntax) **   <a name="CognitoUserPools-UpdateManagedLoginBranding-request-UseCognitoProvidedValues"></a>
When `true`, applies the default branding style options. This option reverts to default style options that are managed by Amazon Cognito. You can modify them later in the branding editor.  
When you specify `true` for this option, you must also omit values for `Settings` and `Assets` in the request.  
Type: Boolean  
Required: No

 ** [UserPoolId](#API_UpdateManagedLoginBranding_RequestSyntax) **   <a name="CognitoUserPools-UpdateManagedLoginBranding-request-UserPoolId"></a>
The ID of the user pool that contains the managed login branding style that you want to update.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 55.  
Pattern: `[\w-]+_[0-9a-zA-Z]+`   
Required: No

## Response Syntax


```
{
   "ManagedLoginBranding": { 
      "Assets": [ 
         { 
            "Bytes": blob,
            "Category": "string",
            "ColorMode": "string",
            "Extension": "string",
            "ResourceId": "string"
         }
      ],
      "CreationDate": number,
      "LastModifiedDate": number,
      "ManagedLoginBrandingId": "string",
      "Settings": JSON value,
      "UseCognitoProvidedValues": boolean,
      "UserPoolId": "string"
   }
}
```

## Response Elements


If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

 ** [ManagedLoginBranding](#API_UpdateManagedLoginBranding_ResponseSyntax) **   <a name="CognitoUserPools-UpdateManagedLoginBranding-response-ManagedLoginBranding"></a>
The details of the branding style that you updated.  
Type: [ManagedLoginBrandingType](API_ManagedLoginBrandingType.md) object

## Errors


For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).

 ** ConcurrentModificationException **   
This exception is thrown if two or more modifications are happening concurrently.    
 ** message **   
The message provided when the concurrent exception is thrown.
HTTP Status Code: 400

 ** InternalErrorException **   
This exception is thrown when Amazon Cognito encounters an internal error.    
 ** message **   
The message returned when Amazon Cognito throws an internal error exception.
HTTP Status Code: 500

 ** InvalidParameterException **   
This exception is thrown when the Amazon Cognito service encounters an invalid parameter.    
 ** message **   
The message returned when the Amazon Cognito service throws an invalid parameter exception.  
 ** reasonCode **   
The reason code of the exception.
HTTP Status Code: 400

 ** NotAuthorizedException **   
This exception is thrown when a user isn't authorized.    
 ** message **   
The message returned when the Amazon Cognito service returns a not authorized exception.
HTTP Status Code: 400

 ** ResourceNotFoundException **   
This exception is thrown when the Amazon Cognito service can't find the requested resource.    
 ** message **   
The message returned when the Amazon Cognito service returns a resource not found exception.
HTTP Status Code: 400

 ** TooManyRequestsException **   
This exception is thrown when the user has made too many requests for a given operation.    
 ** message **   
The message returned when the Amazon Cognito service returns a too many requests exception.
HTTP Status Code: 400

## Examples


### Example


The following example updates the branding configuration of the branding style with ID `63f30090-6b1f-4278-b885-2bbb81f8e545`.

#### Sample Request


```
POST HTTP/1.1
Host: cognito-idp.ca-central-1.amazonaws.com
X-Amz-Date: 20230613T200059Z
Accept-Encoding: gzip, deflate, br
X-Amz-Target: AWSCognitoIdentityProviderService.CreateManagedLoginBranding
User-Agent: <UserAgentString>
Authorization: AWS4-HMAC-SHA256 Credential=<Credential>, SignedHeaders=<Headers>, Signature=<Signature>
Content-Length: <PayloadSizeBytes>


{
    "Assets": [
        {
            "Bytes": "PHN2ZyB3aWR0aD0iMjAwMDAiIGhlaWdodD0iNDAwIiB2aWV3Qm94PSIwIDAgMjAwMDAgNDAwIiBmaWxsPSJub25lIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPgo8ZyBjbGlwLXBhdGg9InVybCgjY2xpcDBfMTcyNTlfMjM2Njc0KSI+CjxyZWN0IHdpZHRoPSIyMDAwMCIgaGVpZ2h0PSI0MDAiIGZpbGw9InVybCgjcGFpbnQwX2xpbmVhcl8xNzI1OV8yMzY2NzQpIi8+CjxwYXRoIGQ9Ik0wIDBIMjAwMDBWNDAwSDBWMFoiIGZpbGw9IiMxMjIwMzciIGZpbGwtb3BhY2l0eT0iMC41Ii8+CjwvZz4KPGRlZnM+CjxsaW5lYXJHcmFkaWVudCBpZD0icGFpbnQwX2xpbmVhcl8xNzI1OV8yMzY2NzQiIHgxPSItODk0LjI0OSIgeTE9IjE5OS45MzEiIHgyPSIxODAzNC41IiB5Mj0iLTU4OTkuNTciIGdyYWRpZW50VW5pdHM9InVzZXJTcGFjZU9uVXNlIj4KPHN0b3Agc3RvcC1jb2xvcj0iI0JGODBGRiIvPgo8c3RvcCBvZmZzZXQ9IjEiIHN0b3AtY29sb3I9IiNGRjhGQUIiLz4KPC9saW5lYXJHcmFkaWVudD4KPGNsaXBQYXRoIGlkPSJjbGlwMF8xNzI1OV8yMzY2NzQiPgo8cmVjdCB3aWR0aD0iMjAwMDAiIGhlaWdodD0iNDAwIiBmaWxsPSJ3aGl0ZSIvPgo8L2NsaXBQYXRoPgo8L2RlZnM+Cjwvc3ZnPgo=",
            "Category": "PAGE_FOOTER_BACKGROUND",
            "ColorMode": "DARK",
            "Extension": "SVG"
        }
    ],
    "ManagedLoginBrandingId": "63f30090-6b1f-4278-b885-2bbb81f8e545",
    "Settings": {
        "categories": {
            "auth": {
                "authMethodOrder": [
                    [
                        {
                            "display": "BUTTON",
                            "type": "FEDERATED"
                        },
                        {
                            "display": "INPUT",
                            "type": "USERNAME_PASSWORD"
                        }
                    ]
                ],
                "federation": {
                    "interfaceStyle": "BUTTON_LIST",
                    "order": [
                    ]
                }
            },
            "form": {
                "displayGraphics": true,
                "instructions": {
                    "enabled": false
                },
                "languageSelector": {
                    "enabled": false
                },
                "location": {
                    "horizontal": "CENTER",
                    "vertical": "CENTER"
                },
                "sessionTimerDisplay": "NONE"
            },
            "global": {
                "colorSchemeMode": "LIGHT",
                "pageFooter": {
                    "enabled": false
                },
                "pageHeader": {
                    "enabled": false
                },
                "spacingDensity": "REGULAR"
            },
            "signUp": {
                "acceptanceElements": [
                    {
                        "enforcement": "NONE",
                        "textKey": "en"
                    }
                ]
            }
        },
        "componentClasses": {
            "buttons": {
                "borderRadius": 8.0
            },
            "divider": {
                "darkMode": {
                    "borderColor": "232b37ff"
                },
                "lightMode": {
                    "borderColor": "ebebf0ff"
                }
            },
            "dropDown": {
                "borderRadius": 8.0,
                "darkMode": {
                    "defaults": {
                        "itemBackgroundColor": "192534ff"
                    },
                    "hover": {
                        "itemBackgroundColor": "081120ff",
                        "itemBorderColor": "5f6b7aff",
                        "itemTextColor": "e9ebedff"
                    },
                    "match": {
                        "itemBackgroundColor": "d1d5dbff",
                        "itemTextColor": "89bdeeff"
                    }
                },
                "lightMode": {
                    "defaults": {
                        "itemBackgroundColor": "ffffffff"
                    },
                    "hover": {
                        "itemBackgroundColor": "f4f4f4ff",
                        "itemBorderColor": "7d8998ff",
                        "itemTextColor": "000716ff"
                    },
                    "match": {
                        "itemBackgroundColor": "414d5cff",
                        "itemTextColor": "0972d3ff"
                    }
                }
            },
            "focusState": {
                "darkMode": {
                    "borderColor": "539fe5ff"
                },
                "lightMode": {
                    "borderColor": "0972d3ff"
                }
            },
            "idpButtons": {
                "icons": {
                    "enabled": true
                }
            },
            "input": {
                "borderRadius": 8.0,
                "darkMode": {
                    "defaults": {
                        "backgroundColor": "0f1b2aff",
                        "borderColor": "5f6b7aff"
                    },
                    "placeholderColor": "8d99a8ff"
                },
                "lightMode": {
                    "defaults": {
                        "backgroundColor": "ffffffff",
                        "borderColor": "7d8998ff"
                    },
                    "placeholderColor": "5f6b7aff"
                }
            },
            "inputDescription": {
                "darkMode": {
                    "textColor": "8d99a8ff"
                },
                "lightMode": {
                    "textColor": "5f6b7aff"
                }
            },
            "inputLabel": {
                "darkMode": {
                    "textColor": "d1d5dbff"
                },
                "lightMode": {
                    "textColor": "000716ff"
                }
            },
            "link": {
                "darkMode": {
                    "defaults": {
                        "textColor": "539fe5ff"
                    },
                    "hover": {
                        "textColor": "89bdeeff"
                    }
                },
                "lightMode": {
                    "defaults": {
                        "textColor": "0972d3ff"
                    },
                    "hover": {
                        "textColor": "033160ff"
                    }
                }
            },
            "optionControls": {
                "darkMode": {
                    "defaults": {
                        "backgroundColor": "0f1b2aff",
                        "borderColor": "7d8998ff"
                    },
                    "selected": {
                        "backgroundColor": "539fe5ff",
                        "foregroundColor": "000716ff"
                    }
                },
                "lightMode": {
                    "defaults": {
                        "backgroundColor": "ffffffff",
                        "borderColor": "7d8998ff"
                    },
                    "selected": {
                        "backgroundColor": "0972d3ff",
                        "foregroundColor": "ffffffff"
                    }
                }
            },
            "statusIndicator": {
                "darkMode": {
                    "error": {
                        "backgroundColor": "1a0000ff",
                        "borderColor": "eb6f6fff",
                        "indicatorColor": "eb6f6fff"
                    },
                    "pending": {
                        "indicatorColor": "AAAAAAAA"
                    },
                    "success": {
                        "backgroundColor": "001a02ff",
                        "borderColor": "29ad32ff",
                        "indicatorColor": "29ad32ff"
                    },
                    "warning": {
                        "backgroundColor": "1d1906ff",
                        "borderColor": "e0ca57ff",
                        "indicatorColor": "e0ca57ff"
                    }
                },
                "lightMode": {
                    "error": {
                        "backgroundColor": "fff7f7ff",
                        "borderColor": "d91515ff",
                        "indicatorColor": "d91515ff"
                    },
                    "pending": {
                        "indicatorColor": "AAAAAAAA"
                    },
                    "success": {
                        "backgroundColor": "f2fcf3ff",
                        "borderColor": "037f0cff",
                        "indicatorColor": "037f0cff"
                    },
                    "warning": {
                        "backgroundColor": "fffce9ff",
                        "borderColor": "8d6605ff",
                        "indicatorColor": "8d6605ff"
                    }
                }
            }
        },
        "components": {
            "alert": {
                "borderRadius": 12.0,
                "darkMode": {
                    "error": {
                        "backgroundColor": "1a0000ff",
                        "borderColor": "eb6f6fff"
                    }
                },
                "lightMode": {
                    "error": {
                        "backgroundColor": "fff7f7ff",
                        "borderColor": "d91515ff"
                    }
                }
            },
            "favicon": {
                "enabledTypes": [
                    "ICO",
                    "SVG"
                ]
            },
            "form": {
                "backgroundImage": {
                    "enabled": false
                },
                "borderRadius": 8.0,
                "darkMode": {
                    "backgroundColor": "0f1b2aff",
                    "borderColor": "424650ff"
                },
                "lightMode": {
                    "backgroundColor": "ffffffff",
                    "borderColor": "c6c6cdff"
                },
                "logo": {
                    "enabled": false,
                    "formInclusion": "IN",
                    "location": "CENTER",
                    "position": "TOP"
                }
            },
            "idpButton": {
                "custom": {
                },
                "standard": {
                    "darkMode": {
                        "active": {
                            "backgroundColor": "354150ff",
                            "borderColor": "89bdeeff",
                            "textColor": "89bdeeff"
                        },
                        "defaults": {
                            "backgroundColor": "0f1b2aff",
                            "borderColor": "c6c6cdff",
                            "textColor": "c6c6cdff"
                        },
                        "hover": {
                            "backgroundColor": "192534ff",
                            "borderColor": "89bdeeff",
                            "textColor": "89bdeeff"
                        }
                    },
                    "lightMode": {
                        "active": {
                            "backgroundColor": "d3e7f9ff",
                            "borderColor": "033160ff",
                            "textColor": "033160ff"
                        },
                        "defaults": {
                            "backgroundColor": "ffffffff",
                            "borderColor": "424650ff",
                            "textColor": "424650ff"
                        },
                        "hover": {
                            "backgroundColor": "f2f8fdff",
                            "borderColor": "033160ff",
                            "textColor": "033160ff"
                        }
                    }
                }
            },
            "pageBackground": {
                "darkMode": {
                    "color": "0f1b2aff"
                },
                "image": {
                    "enabled": true
                },
                "lightMode": {
                    "color": "ffffffff"
                }
            },
            "pageFooter": {
                "backgroundImage": {
                    "enabled": false
                },
                "darkMode": {
                    "background": {
                        "color": "0f141aff"
                    },
                    "borderColor": "424650ff"
                },
                "lightMode": {
                    "background": {
                        "color": "fafafaff"
                    },
                    "borderColor": "d5dbdbff"
                },
                "logo": {
                    "enabled": false,
                    "location": "START"
                }
            },
            "pageHeader": {
                "backgroundImage": {
                    "enabled": false
                },
                "darkMode": {
                    "background": {
                        "color": "0f141aff"
                    },
                    "borderColor": "424650ff"
                },
                "lightMode": {
                    "background": {
                        "color": "fafafaff"
                    },
                    "borderColor": "d5dbdbff"
                },
                "logo": {
                    "enabled": false,
                    "location": "START"
                }
            },
            "pageText": {
                "darkMode": {
                    "bodyColor": "b6bec9ff",
                    "descriptionColor": "b6bec9ff",
                    "headingColor": "d1d5dbff"
                },
                "lightMode": {
                    "bodyColor": "414d5cff",
                    "descriptionColor": "414d5cff",
                    "headingColor": "000716ff"
                }
            },
            "phoneNumberSelector": {
                "displayType": "TEXT"
            },
            "primaryButton": {
                "darkMode": {
                    "active": {
                        "backgroundColor": "539fe5ff",
                        "textColor": "000716ff"
                    },
                    "defaults": {
                        "backgroundColor": "539fe5ff",
                        "textColor": "000716ff"
                    },
                    "disabled": {
                        "backgroundColor": "ffffffff",
                        "borderColor": "ffffffff"
                    },
                    "hover": {
                        "backgroundColor": "89bdeeff",
                        "textColor": "000716ff"
                    }
                },
                "lightMode": {
                    "active": {
                        "backgroundColor": "033160ff",
                        "textColor": "ffffffff"
                    },
                    "defaults": {
                        "backgroundColor": "0972d3ff",
                        "textColor": "ffffffff"
                    },
                    "disabled": {
                        "backgroundColor": "ffffffff",
                        "borderColor": "ffffffff"
                    },
                    "hover": {
                        "backgroundColor": "033160ff",
                        "textColor": "ffffffff"
                    }
                }
            },
            "secondaryButton": {
                "darkMode": {
                    "active": {
                        "backgroundColor": "354150ff",
                        "borderColor": "89bdeeff",
                        "textColor": "89bdeeff"
                    },
                    "defaults": {
                        "backgroundColor": "0f1b2aff",
                        "borderColor": "539fe5ff",
                        "textColor": "539fe5ff"
                    },
                    "hover": {
                        "backgroundColor": "192534ff",
                        "borderColor": "89bdeeff",
                        "textColor": "89bdeeff"
                    }
                },
                "lightMode": {
                    "active": {
                        "backgroundColor": "d3e7f9ff",
                        "borderColor": "033160ff",
                        "textColor": "033160ff"
                    },
                    "defaults": {
                        "backgroundColor": "ffffffff",
                        "borderColor": "0972d3ff",
                        "textColor": "0972d3ff"
                    },
                    "hover": {
                        "backgroundColor": "f2f8fdff",
                        "borderColor": "033160ff",
                        "textColor": "033160ff"
                    }
                }
            }
        }
    },
    "UseCognitoProvidedValues": false,
    "UserPoolId": "ca-central-1_EXAMPLE"
}
```

#### Sample Response


```
HTTP/1.1 200 OK
Date: Tue, 13 Jun 2023 20:00:59 GMT
Content-Type: application/x-amz-json-1.0
Content-Length: <PayloadSizeBytes>
x-amzn-requestid: a1b2c3d4-e5f6-a1b2-c3d4-EXAMPLE11111
Connection: keep-alive


{
    "ManagedLoginBranding": {
        "Assets": [
            {
                "Bytes": "PHN2ZyB3aWR0aD0iMjAwMDAiIGhlaWdodD0iNDAwIiB2aWV3Qm94PSIwIDAgMjAwMDAgNDAwIiBmaWxsPSJub25lIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPgo8ZyBjbGlwLXBhdGg9InVybCgjY2xpcDBfMTcyNTlfMjM2Njc0KSI+CjxyZWN0IHdpZHRoPSIyMDAwMCIgaGVpZ2h0PSI0MDAiIGZpbGw9InVybCgjcGFpbnQwX2xpbmVhcl8xNzI1OV8yMzY2NzQpIi8+CjxwYXRoIGQ9Ik0wIDBIMjAwMDBWNDAwSDBWMFoiIGZpbGw9IiMxMjIwMzciIGZpbGwtb3BhY2l0eT0iMC41Ii8+CjwvZz4KPGRlZnM+CjxsaW5lYXJHcmFkaWVudCBpZD0icGFpbnQwX2xpbmVhcl8xNzI1OV8yMzY2NzQiIHgxPSItODk0LjI0OSIgeTE9IjE5OS45MzEiIHgyPSIxODAzNC41IiB5Mj0iLTU4OTkuNTciIGdyYWRpZW50VW5pdHM9InVzZXJTcGFjZU9uVXNlIj4KPHN0b3Agc3RvcC1jb2xvcj0iI0JGODBGRiIvPgo8c3RvcCBvZmZzZXQ9IjEiIHN0b3AtY29sb3I9IiNGRjhGQUIiLz4KPC9saW5lYXJHcmFkaWVudD4KPGNsaXBQYXRoIGlkPSJjbGlwMF8xNzI1OV8yMzY2NzQiPgo8cmVjdCB3aWR0aD0iMjAwMDAiIGhlaWdodD0iNDAwIiBmaWxsPSJ3aGl0ZSIvPgo8L2NsaXBQYXRoPgo8L2RlZnM+Cjwvc3ZnPgo=",
                "Category": "PAGE_FOOTER_BACKGROUND",
                "ColorMode": "DARK",
                "Extension": "SVG"
            }
        ],
        "CreationDate": 1732138490.642,
        "LastModifiedDate": 1732140420.301,
        "ManagedLoginBrandingId": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
        "Settings": {
            "categories": {
                "auth": {
                    "authMethodOrder": [
                        [
                            {
                                "display": "BUTTON",
                                "type": "FEDERATED"
                            },
                            {
                                "display": "INPUT",
                                "type": "USERNAME_PASSWORD"
                            }
                        ]
                    ],
                    "federation": {
                        "interfaceStyle": "BUTTON_LIST",
                        "order": [
                        ]
                    }
                },
                "form": {
                    "displayGraphics": true,
                    "instructions": {
                        "enabled": false
                    },
                    "languageSelector": {
                        "enabled": false
                    },
                    "location": {
                        "horizontal": "CENTER",
                        "vertical": "CENTER"
                    },
                    "sessionTimerDisplay": "NONE"
                },
                "global": {
                    "colorSchemeMode": "LIGHT",
                    "pageFooter": {
                        "enabled": false
                    },
                    "pageHeader": {
                        "enabled": false
                    },
                    "spacingDensity": "REGULAR"
                },
                "signUp": {
                    "acceptanceElements": [
                        {
                            "enforcement": "NONE",
                            "textKey": "en"
                        }
                    ]
                }
            },
            "componentClasses": {
                "buttons": {
                    "borderRadius": 8.0
                },
                "divider": {
                    "darkMode": {
                        "borderColor": "232b37ff"
                    },
                    "lightMode": {
                        "borderColor": "ebebf0ff"
                    }
                },
                "dropDown": {
                    "borderRadius": 8.0,
                    "darkMode": {
                        "defaults": {
                            "itemBackgroundColor": "192534ff"
                        },
                        "hover": {
                            "itemBackgroundColor": "081120ff",
                            "itemBorderColor": "5f6b7aff",
                            "itemTextColor": "e9ebedff"
                        },
                        "match": {
                            "itemBackgroundColor": "d1d5dbff",
                            "itemTextColor": "89bdeeff"
                        }
                    },
                    "lightMode": {
                        "defaults": {
                            "itemBackgroundColor": "ffffffff"
                        },
                        "hover": {
                            "itemBackgroundColor": "f4f4f4ff",
                            "itemBorderColor": "7d8998ff",
                            "itemTextColor": "000716ff"
                        },
                        "match": {
                            "itemBackgroundColor": "414d5cff",
                            "itemTextColor": "0972d3ff"
                        }
                    }
                },
                "focusState": {
                    "darkMode": {
                        "borderColor": "539fe5ff"
                    },
                    "lightMode": {
                        "borderColor": "0972d3ff"
                    }
                },
                "idpButtons": {
                    "icons": {
                        "enabled": true
                    }
                },
                "input": {
                    "borderRadius": 8.0,
                    "darkMode": {
                        "defaults": {
                            "backgroundColor": "0f1b2aff",
                            "borderColor": "5f6b7aff"
                        },
                        "placeholderColor": "8d99a8ff"
                    },
                    "lightMode": {
                        "defaults": {
                            "backgroundColor": "ffffffff",
                            "borderColor": "7d8998ff"
                        },
                        "placeholderColor": "5f6b7aff"
                    }
                },
                "inputDescription": {
                    "darkMode": {
                        "textColor": "8d99a8ff"
                    },
                    "lightMode": {
                        "textColor": "5f6b7aff"
                    }
                },
                "inputLabel": {
                    "darkMode": {
                        "textColor": "d1d5dbff"
                    },
                    "lightMode": {
                        "textColor": "000716ff"
                    }
                },
                "link": {
                    "darkMode": {
                        "defaults": {
                            "textColor": "539fe5ff"
                        },
                        "hover": {
                            "textColor": "89bdeeff"
                        }
                    },
                    "lightMode": {
                        "defaults": {
                            "textColor": "0972d3ff"
                        },
                        "hover": {
                            "textColor": "033160ff"
                        }
                    }
                },
                "optionControls": {
                    "darkMode": {
                        "defaults": {
                            "backgroundColor": "0f1b2aff",
                            "borderColor": "7d8998ff"
                        },
                        "selected": {
                            "backgroundColor": "539fe5ff",
                            "foregroundColor": "000716ff"
                        }
                    },
                    "lightMode": {
                        "defaults": {
                            "backgroundColor": "ffffffff",
                            "borderColor": "7d8998ff"
                        },
                        "selected": {
                            "backgroundColor": "0972d3ff",
                            "foregroundColor": "ffffffff"
                        }
                    }
                },
                "statusIndicator": {
                    "darkMode": {
                        "error": {
                            "backgroundColor": "1a0000ff",
                            "borderColor": "eb6f6fff",
                            "indicatorColor": "eb6f6fff"
                        },
                        "pending": {
                            "indicatorColor": "AAAAAAAA"
                        },
                        "success": {
                            "backgroundColor": "001a02ff",
                            "borderColor": "29ad32ff",
                            "indicatorColor": "29ad32ff"
                        },
                        "warning": {
                            "backgroundColor": "1d1906ff",
                            "borderColor": "e0ca57ff",
                            "indicatorColor": "e0ca57ff"
                        }
                    },
                    "lightMode": {
                        "error": {
                            "backgroundColor": "fff7f7ff",
                            "borderColor": "d91515ff",
                            "indicatorColor": "d91515ff"
                        },
                        "pending": {
                            "indicatorColor": "AAAAAAAA"
                        },
                        "success": {
                            "backgroundColor": "f2fcf3ff",
                            "borderColor": "037f0cff",
                            "indicatorColor": "037f0cff"
                        },
                        "warning": {
                            "backgroundColor": "fffce9ff",
                            "borderColor": "8d6605ff",
                            "indicatorColor": "8d6605ff"
                        }
                    }
                }
            },
            "components": {
                "alert": {
                    "borderRadius": 12.0,
                    "darkMode": {
                        "error": {
                            "backgroundColor": "1a0000ff",
                            "borderColor": "eb6f6fff"
                        }
                    },
                    "lightMode": {
                        "error": {
                            "backgroundColor": "fff7f7ff",
                            "borderColor": "d91515ff"
                        }
                    }
                },
                "favicon": {
                    "enabledTypes": [
                        "ICO",
                        "SVG"
                    ]
                },
                "form": {
                    "backgroundImage": {
                        "enabled": false
                    },
                    "borderRadius": 8.0,
                    "darkMode": {
                        "backgroundColor": "0f1b2aff",
                        "borderColor": "424650ff"
                    },
                    "lightMode": {
                        "backgroundColor": "ffffffff",
                        "borderColor": "c6c6cdff"
                    },
                    "logo": {
                        "enabled": false,
                        "formInclusion": "IN",
                        "location": "CENTER",
                        "position": "TOP"
                    }
                },
                "idpButton": {
                    "custom": {
                    },
                    "standard": {
                        "darkMode": {
                            "active": {
                                "backgroundColor": "354150ff",
                                "borderColor": "89bdeeff",
                                "textColor": "89bdeeff"
                            },
                            "defaults": {
                                "backgroundColor": "0f1b2aff",
                                "borderColor": "c6c6cdff",
                                "textColor": "c6c6cdff"
                            },
                            "hover": {
                                "backgroundColor": "192534ff",
                                "borderColor": "89bdeeff",
                                "textColor": "89bdeeff"
                            }
                        },
                        "lightMode": {
                            "active": {
                                "backgroundColor": "d3e7f9ff",
                                "borderColor": "033160ff",
                                "textColor": "033160ff"
                            },
                            "defaults": {
                                "backgroundColor": "ffffffff",
                                "borderColor": "424650ff",
                                "textColor": "424650ff"
                            },
                            "hover": {
                                "backgroundColor": "f2f8fdff",
                                "borderColor": "033160ff",
                                "textColor": "033160ff"
                            }
                        }
                    }
                },
                "pageBackground": {
                    "darkMode": {
                        "color": "0f1b2aff"
                    },
                    "image": {
                        "enabled": true
                    },
                    "lightMode": {
                        "color": "ffffffff"
                    }
                },
                "pageFooter": {
                    "backgroundImage": {
                        "enabled": false
                    },
                    "darkMode": {
                        "background": {
                            "color": "0f141aff"
                        },
                        "borderColor": "424650ff"
                    },
                    "lightMode": {
                        "background": {
                            "color": "fafafaff"
                        },
                        "borderColor": "d5dbdbff"
                    },
                    "logo": {
                        "enabled": false,
                        "location": "START"
                    }
                },
                "pageHeader": {
                    "backgroundImage": {
                        "enabled": false
                    },
                    "darkMode": {
                        "background": {
                            "color": "0f141aff"
                        },
                        "borderColor": "424650ff"
                    },
                    "lightMode": {
                        "background": {
                            "color": "fafafaff"
                        },
                        "borderColor": "d5dbdbff"
                    },
                    "logo": {
                        "enabled": false,
                        "location": "START"
                    }
                },
                "pageText": {
                    "darkMode": {
                        "bodyColor": "b6bec9ff",
                        "descriptionColor": "b6bec9ff",
                        "headingColor": "d1d5dbff"
                    },
                    "lightMode": {
                        "bodyColor": "414d5cff",
                        "descriptionColor": "414d5cff",
                        "headingColor": "000716ff"
                    }
                },
                "phoneNumberSelector": {
                    "displayType": "TEXT"
                },
                "primaryButton": {
                    "darkMode": {
                        "active": {
                            "backgroundColor": "539fe5ff",
                            "textColor": "000716ff"
                        },
                        "defaults": {
                            "backgroundColor": "539fe5ff",
                            "textColor": "000716ff"
                        },
                        "disabled": {
                            "backgroundColor": "ffffffff",
                            "borderColor": "ffffffff"
                        },
                        "hover": {
                            "backgroundColor": "89bdeeff",
                            "textColor": "000716ff"
                        }
                    },
                    "lightMode": {
                        "active": {
                            "backgroundColor": "033160ff",
                            "textColor": "ffffffff"
                        },
                        "defaults": {
                            "backgroundColor": "0972d3ff",
                            "textColor": "ffffffff"
                        },
                        "disabled": {
                            "backgroundColor": "ffffffff",
                            "borderColor": "ffffffff"
                        },
                        "hover": {
                            "backgroundColor": "033160ff",
                            "textColor": "ffffffff"
                        }
                    }
                },
                "secondaryButton": {
                    "darkMode": {
                        "active": {
                            "backgroundColor": "354150ff",
                            "borderColor": "89bdeeff",
                            "textColor": "89bdeeff"
                        },
                        "defaults": {
                            "backgroundColor": "0f1b2aff",
                            "borderColor": "539fe5ff",
                            "textColor": "539fe5ff"
                        },
                        "hover": {
                            "backgroundColor": "192534ff",
                            "borderColor": "89bdeeff",
                            "textColor": "89bdeeff"
                        }
                    },
                    "lightMode": {
                        "active": {
                            "backgroundColor": "d3e7f9ff",
                            "borderColor": "033160ff",
                            "textColor": "033160ff"
                        },
                        "defaults": {
                            "backgroundColor": "ffffffff",
                            "borderColor": "0972d3ff",
                            "textColor": "0972d3ff"
                        },
                        "hover": {
                            "backgroundColor": "f2f8fdff",
                            "borderColor": "033160ff",
                            "textColor": "033160ff"
                        }
                    }
                }
            }
        },
        "UseCognitoProvidedValues": false,
        "UserPoolId": "ca-central-1_EXAMPLE"
    }
}
```

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cognito-idp-2016-04-18/UpdateManagedLoginBranding) 
+  [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cognito-idp-2016-04-18/UpdateManagedLoginBranding) 
+  [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/UpdateManagedLoginBranding) 
+  [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cognito-idp-2016-04-18/UpdateManagedLoginBranding) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/UpdateManagedLoginBranding) 
+  [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cognito-idp-2016-04-18/UpdateManagedLoginBranding) 
+  [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cognito-idp-2016-04-18/UpdateManagedLoginBranding) 
+  [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cognito-idp-2016-04-18/UpdateManagedLoginBranding) 
+  [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/UpdateManagedLoginBranding) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cognito-idp-2016-04-18/UpdateManagedLoginBranding) 

# UpdateResourceServer


Updates the name and scopes of a resource server. All other fields are read-only. For more information about resource servers, see [Access control with resource servers](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-define-resource-servers.html).

**Important**  
If you don't provide a value for an attribute, it is set to the default value.

**Note**  
Amazon Cognito evaluates AWS Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.  
 [Signing AWS API Requests](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html) 
 [Using the Amazon Cognito user pools API and user pool endpoints](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html) 

## Request Syntax


```
{
   "Identifier": "string",
   "Name": "string",
   "Scopes": [ 
      { 
         "ScopeDescription": "string",
         "ScopeName": "string"
      }
   ],
   "UserPoolId": "string"
}
```

## Request Parameters


For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).

The request accepts the following data in JSON format.

 ** [Identifier](#API_UpdateResourceServer_RequestSyntax) **   <a name="CognitoUserPools-UpdateResourceServer-request-Identifier"></a>
A unique resource server identifier for the resource server. The identifier can be an API friendly name like `solar-system-data`. You can also set an API URL like `https://solar-system-data-api.example.com` as your identifier.  
Amazon Cognito represents scopes in the access token in the format `$resource-server-identifier/$scope`. Longer scope-identifier strings increase the size of your access tokens.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 256.  
Pattern: `[\x21\x23-\x5B\x5D-\x7E]+`   
Required: Yes

 ** [Name](#API_UpdateResourceServer_RequestSyntax) **   <a name="CognitoUserPools-UpdateResourceServer-request-Name"></a>
The updated name of the resource server.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 256.  
Pattern: `[\w\s+=,.@-]+`   
Required: Yes

 ** [Scopes](#API_UpdateResourceServer_RequestSyntax) **   <a name="CognitoUserPools-UpdateResourceServer-request-Scopes"></a>
An array of updated custom scope names and descriptions that you want to associate with your resource server.  
Type: Array of [ResourceServerScopeType](API_ResourceServerScopeType.md) objects  
Array Members: Maximum number of 100 items.  
Required: No

 ** [UserPoolId](#API_UpdateResourceServer_RequestSyntax) **   <a name="CognitoUserPools-UpdateResourceServer-request-UserPoolId"></a>
The ID of the user pool that contains the resource server that you want to update.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 55.  
Pattern: `[\w-]+_[0-9a-zA-Z]+`   
Required: Yes

## Response Syntax


```
{
   "ResourceServer": { 
      "Identifier": "string",
      "Name": "string",
      "Scopes": [ 
         { 
            "ScopeDescription": "string",
            "ScopeName": "string"
         }
      ],
      "UserPoolId": "string"
   }
}
```

## Response Elements


If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

 ** [ResourceServer](#API_UpdateResourceServer_ResponseSyntax) **   <a name="CognitoUserPools-UpdateResourceServer-response-ResourceServer"></a>
The updated details of the requested resource server.  
Type: [ResourceServerType](API_ResourceServerType.md) object

## Errors


For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).

 ** InternalErrorException **   
This exception is thrown when Amazon Cognito encounters an internal error.    
 ** message **   
The message returned when Amazon Cognito throws an internal error exception.
HTTP Status Code: 500

 ** InvalidParameterException **   
This exception is thrown when the Amazon Cognito service encounters an invalid parameter.    
 ** message **   
The message returned when the Amazon Cognito service throws an invalid parameter exception.  
 ** reasonCode **   
The reason code of the exception.
HTTP Status Code: 400

 ** NotAuthorizedException **   
This exception is thrown when a user isn't authorized.    
 ** message **   
The message returned when the Amazon Cognito service returns a not authorized exception.
HTTP Status Code: 400

 ** ResourceNotFoundException **   
This exception is thrown when the Amazon Cognito service can't find the requested resource.    
 ** message **   
The message returned when the Amazon Cognito service returns a resource not found exception.
HTTP Status Code: 400

 ** TooManyRequestsException **   
This exception is thrown when the user has made too many requests for a given operation.    
 ** message **   
The message returned when the Amazon Cognito service returns a too many requests exception.
HTTP Status Code: 400

## Examples


### Example


The following example request adds two scopes to the requested resource server.

#### Sample Request


```
POST HTTP/1.1
Host: cognito-idp.us-west-2.amazonaws.com
X-Amz-Date: 20230613T200059Z
Accept-Encoding: gzip, deflate, br
X-Amz-Target: AWSCognitoIdentityProviderService.UpdateResourceServer
User-Agent: <UserAgentString>
Authorization: AWS4-HMAC-SHA256 Credential=<Credential>, SignedHeaders=<Headers>, Signature=<Signature>
Content-Length: <PayloadSizeBytes>
{
   "Identifier": "myapi.example.com",
   "Name": "Example API with custom access control scopes",
   "Scopes": [
      {
         "ScopeDescription": "International customers",
         "ScopeName": "international.read"
      },
      {
         "ScopeDescription": "Domestic customers",
         "ScopeName": "domestic.read"
      }
   ],
   "UserPoolId": "us-west-2_EXAMPLE"
}
```

#### Sample Response


```
HTTP/1.1 200 OK
Date: Tue, 13 Jun 2023 20:00:59 GMT
Content-Type: application/x-amz-json-1.0
Content-Length: <PayloadSizeBytes>
x-amzn-requestid: a1b2c3d4-e5f6-a1b2-c3d4-EXAMPLE11111
Connection: keep-alive
{
	"ResourceServer": {
		"Identifier": "myapi.example.com",
		"Name": "Example API with custom access control scopes",
		"Scopes": [
			{
				"ScopeDescription": "International customers",
				"ScopeName": "international.read"
			},
			{
				"ScopeDescription": "Domestic customers",
				"ScopeName": "domestic.read"
			}
		],
		"UserPoolId": "us-west-2_EXAMPLE"
	}
}
```

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cognito-idp-2016-04-18/UpdateResourceServer) 
+  [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cognito-idp-2016-04-18/UpdateResourceServer) 
+  [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/UpdateResourceServer) 
+  [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cognito-idp-2016-04-18/UpdateResourceServer) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/UpdateResourceServer) 
+  [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cognito-idp-2016-04-18/UpdateResourceServer) 
+  [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cognito-idp-2016-04-18/UpdateResourceServer) 
+  [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cognito-idp-2016-04-18/UpdateResourceServer) 
+  [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/UpdateResourceServer) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cognito-idp-2016-04-18/UpdateResourceServer) 

# UpdateTerms


Modifies existing terms documents for the requested app client. When Terms and conditions and Privacy policy documents are configured, the app client displays links to them in the sign-up page of managed login for the app client.

You can provide URLs for terms documents in the languages that are supported by [managed login localization](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-managed-login.html#managed-login-localization). Amazon Cognito directs users to the terms documents for their current language, with fallback to `default` if no document exists for the language.

Each request accepts one type of terms document and a map of language-to-link for that document type. You must provide both types of terms documents in at least one language before Amazon Cognito displays your terms documents. Supply each type in separate requests.

For more information, see [Terms documents](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-managed-login.html#managed-login-terms-documents).

**Note**  
Amazon Cognito evaluates AWS Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.  
 [Signing AWS API Requests](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html) 
 [Using the Amazon Cognito user pools API and user pool endpoints](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html) 

## Request Syntax


```
{
   "Enforcement": "string",
   "Links": { 
      "string" : "string" 
   },
   "TermsId": "string",
   "TermsName": "string",
   "TermsSource": "string",
   "UserPoolId": "string"
}
```

## Request Parameters


For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).

The request accepts the following data in JSON format.

 ** [Enforcement](#API_UpdateTerms_RequestSyntax) **   <a name="CognitoUserPools-UpdateTerms-request-Enforcement"></a>
This parameter is reserved for future use and currently accepts only one value.  
Type: String  
Valid Values: `NONE`   
Required: No

 ** [Links](#API_UpdateTerms_RequestSyntax) **   <a name="CognitoUserPools-UpdateTerms-request-Links"></a>
A map of URLs to languages. For each localized language that will view the requested `TermsName`, assign a URL. A selection of `cognito:default` displays for all languages that don't have a language-specific URL.  
For example, `"cognito:default": "https://terms.example.com", "cognito:spanish": "https://terms.example.com/es"`.  
Type: String to string map  
Map Entries: Maximum number of 12 items.  
Key Pattern: `^cognito:(default|english|french|spanish|german|bahasa-indonesia|italian|japanese|korean|portuguese-brazil|chinese-(simplified|traditional))$`   
Value Length Constraints: Minimum length of 1. Maximum length of 1024.  
Value Pattern: `^[\p{L}\p{M}\p{S}\p{N}\p{P}]+$`   
Required: No

 ** [TermsId](#API_UpdateTerms_RequestSyntax) **   <a name="CognitoUserPools-UpdateTerms-request-TermsId"></a>
The ID of the terms document that you want to update.  
Retrieve terms IDs with [DescribeTerms](API_DescribeTerms.md) or [ListTerms](API_ListTerms.md).  
Type: String  
Pattern: `^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[4][0-9a-fA-F]{3}-[89abAB][0-9a-fA-F]{3}-[0-9a-fA-F]{12}$`   
Required: Yes

 ** [TermsName](#API_UpdateTerms_RequestSyntax) **   <a name="CognitoUserPools-UpdateTerms-request-TermsName"></a>
The new name that you want to apply to the requested terms documents.  
Type: String  
Pattern: `^(terms-of-use|privacy-policy)$`   
Required: No

 ** [TermsSource](#API_UpdateTerms_RequestSyntax) **   <a name="CognitoUserPools-UpdateTerms-request-TermsSource"></a>
This parameter is reserved for future use and currently accepts only one value.  
Type: String  
Valid Values: `LINK`   
Required: No

 ** [UserPoolId](#API_UpdateTerms_RequestSyntax) **   <a name="CognitoUserPools-UpdateTerms-request-UserPoolId"></a>
The ID of the user pool that contains the terms that you want to update.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 55.  
Pattern: `[\w-]+_[0-9a-zA-Z]+`   
Required: Yes

## Response Syntax


```
{
   "Terms": { 
      "ClientId": "string",
      "CreationDate": number,
      "Enforcement": "string",
      "LastModifiedDate": number,
      "Links": { 
         "string" : "string" 
      },
      "TermsId": "string",
      "TermsName": "string",
      "TermsSource": "string",
      "UserPoolId": "string"
   }
}
```

## Response Elements


If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

 ** [Terms](#API_UpdateTerms_ResponseSyntax) **   <a name="CognitoUserPools-UpdateTerms-response-Terms"></a>
A summary of the updates to your terms documents.  
Type: [TermsType](API_TermsType.md) object

## Errors


For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).

 ** ConcurrentModificationException **   
This exception is thrown if two or more modifications are happening concurrently.    
 ** message **   
The message provided when the concurrent exception is thrown.
HTTP Status Code: 400

 ** InternalErrorException **   
This exception is thrown when Amazon Cognito encounters an internal error.    
 ** message **   
The message returned when Amazon Cognito throws an internal error exception.
HTTP Status Code: 500

 ** InvalidParameterException **   
This exception is thrown when the Amazon Cognito service encounters an invalid parameter.    
 ** message **   
The message returned when the Amazon Cognito service throws an invalid parameter exception.  
 ** reasonCode **   
The reason code of the exception.
HTTP Status Code: 400

 ** NotAuthorizedException **   
This exception is thrown when a user isn't authorized.    
 ** message **   
The message returned when the Amazon Cognito service returns a not authorized exception.
HTTP Status Code: 400

 ** ResourceNotFoundException **   
This exception is thrown when the Amazon Cognito service can't find the requested resource.    
 ** message **   
The message returned when the Amazon Cognito service returns a resource not found exception.
HTTP Status Code: 400

 ** TermsExistsException **   
Terms document names must be unique to the app client. This exception is thrown when you attempt to create terms documents with a duplicate `TermsName`.  
HTTP Status Code: 400

 ** TooManyRequestsException **   
This exception is thrown when the user has made too many requests for a given operation.    
 ** message **   
The message returned when the Amazon Cognito service returns a too many requests exception.
HTTP Status Code: 400

## Examples


### Example


The following example operation updates a privacy policy terms document to add a Japanese language URL.

#### Sample Request


```
POST HTTP/1.1
Host: cognito-idp.us-west-2.amazonaws.com
X-Amz-Date: 20230613T200059Z
Accept-Encoding: gzip, deflate, br
X-Amz-Target: AWSCognitoIdentityProviderService.UpdateTerms
User-Agent: <UserAgentString>
Authorization: AWS4-HMAC-SHA256 Credential=<Credential>, SignedHeaders=<Headers>, Signature=<Signature>
Content-Length: <PayloadSizeBytes>

{
    "TermsId": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
    "Enforcement": "NONE",
    "Links": {
        "cognito:default": "https://example.com/privacy/",
        "cognito:french": "https://example.com/fr/privacy/",
        "cognito:portuguese-brazil": "https://example.com/pt/privacy/",
        "cognito:japanese": "https://example.com/ja-JP/privacy"
    },
    "TermsName": "privacy-policy",
    "TermsSource": "LINK",
    "UserPoolId": "us-east-1_EXAMPLE"
}
```

#### Sample Response


```
HTTP/1.1 200 OK
Date: Tue, 13 Jun 2023 20:00:59 GMT
Content-Type: application/x-amz-json-1.0
Content-Length: <PayloadSizeBytes>
x-amzn-requestid: a1b2c3d4-e5f6-a1b2-c3d4-EXAMPLE11111
Connection: keep-alive

{
    "Terms": {
        "ClientId": "1example23456789",
        "CreationDate": 1755798239.324,
        "Enforcement": "NONE",
        "LastModifiedDate": 1755798384.223,
        "Links": {
            "cognito:default": "https://example.com/privacy/",
            "cognito:french": "https://example.com/fr/privacy",
            "cognito:portuguese-brazil": "https://example.com/pt/privacy/",
            "cognito:japanese": "https://example.com/ja-JP/privacy"
        },
        "TermsId": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
        "TermsName": "privacy-policy",
        "TermsSource": "LINK",
        "UserPoolId": "us-east-1_EXAMPLE"
    }
}
```

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cognito-idp-2016-04-18/UpdateTerms) 
+  [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cognito-idp-2016-04-18/UpdateTerms) 
+  [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/UpdateTerms) 
+  [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cognito-idp-2016-04-18/UpdateTerms) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/UpdateTerms) 
+  [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cognito-idp-2016-04-18/UpdateTerms) 
+  [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cognito-idp-2016-04-18/UpdateTerms) 
+  [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cognito-idp-2016-04-18/UpdateTerms) 
+  [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/UpdateTerms) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cognito-idp-2016-04-18/UpdateTerms) 

# UpdateUserAttributes


Updates the currently signed-in user's attributes. To delete an attribute from the user, submit the attribute in your API request with a blank value.

For custom attributes, you must add a `custom:` prefix to the attribute name, for example `custom:department`.

Authorize this action with a signed-in user's access token. It must include the scope `aws.cognito.signin.user.admin`.

**Note**  
Amazon Cognito doesn't evaluate AWS Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you can't use IAM credentials to authorize requests, and you can't grant IAM permissions in policies. For more information about authorization models in Amazon Cognito, see [Using the Amazon Cognito user pools API and user pool endpoints](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html).

**Note**  
This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers require you to register an origination phone number before you can send SMS messages to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a phone number with [Amazon Pinpoint](https://console.aws.amazon.com/pinpoint/home/). Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must receive SMS messages might not be able to sign up, activate their accounts, or sign in.  
If you have never used SMS text messages with Amazon Cognito or any other AWS service, Amazon Simple Notification Service might place your account in the SMS sandbox. In * [sandbox mode](https://docs.aws.amazon.com/sns/latest/dg/sns-sms-sandbox.html) *, you can send messages only to verified phone numbers. After you test your app while in the sandbox environment, you can move out of the sandbox and into production. For more information, see [ SMS message settings for Amazon Cognito user pools](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-sms-settings.html) in the *Amazon Cognito Developer Guide*.

## Request Syntax


```
{
   "AccessToken": "string",
   "ClientMetadata": { 
      "string" : "string" 
   },
   "UserAttributes": [ 
      { 
         "Name": "string",
         "Value": "string"
      }
   ]
}
```

## Request Parameters


For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).

The request accepts the following data in JSON format.

 ** [AccessToken](#API_UpdateUserAttributes_RequestSyntax) **   <a name="CognitoUserPools-UpdateUserAttributes-request-AccessToken"></a>
A valid access token that Amazon Cognito issued to the currently signed-in user. Must include a scope claim for `aws.cognito.signin.user.admin`.  
Type: String  
Pattern: `[A-Za-z0-9-_=.]+`   
Required: Yes

 ** [ClientMetadata](#API_UpdateUserAttributes_RequestSyntax) **   <a name="CognitoUserPools-UpdateUserAttributes-request-ClientMetadata"></a>
A map of custom key-value pairs that you can provide as input for any custom workflows that this action triggers. You create custom workflows by assigning AWS Lambda functions to user pool triggers.  
When Amazon Cognito invokes any of these functions, it passes a JSON payload, which the function receives as input. This payload contains a `clientMetadata` attribute that provides the data that you assigned to the ClientMetadata parameter in your request. In your function code, you can process the `clientMetadata` value to enhance your workflow for your specific needs.  
To review the Lambda trigger types that Amazon Cognito invokes at runtime with API requests, see [ Connecting API actions to Lambda triggers](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-working-with-lambda-triggers.html#lambda-triggers-by-event) in the *Amazon Cognito Developer Guide*.  
When you use the `ClientMetadata` parameter, note that Amazon Cognito won't do the following:  
+ Store the `ClientMetadata` value. This data is available only to AWS Lambda triggers that are assigned to a user pool to support custom workflows. If your user pool configuration doesn't include triggers, the `ClientMetadata` parameter serves no purpose.
+ Validate the `ClientMetadata` value.
+ Encrypt the `ClientMetadata` value. Don't send sensitive information in this parameter.
Type: String to string map  
Key Length Constraints: Minimum length of 0. Maximum length of 131072.  
Value Length Constraints: Minimum length of 0. Maximum length of 131072.  
Required: No

 ** [UserAttributes](#API_UpdateUserAttributes_RequestSyntax) **   <a name="CognitoUserPools-UpdateUserAttributes-request-UserAttributes"></a>
An array of name-value pairs representing user attributes.  
For custom attributes, you must add a `custom:` prefix to the attribute name.  
If you have set an attribute to require verification before Amazon Cognito updates its value, this request doesn’t immediately update the value of that attribute. After your user receives and responds to a verification message to verify the new value, Amazon Cognito updates the attribute value. Your user can sign in and receive messages with the original attribute value until they verify the new value.  
Type: Array of [AttributeType](API_AttributeType.md) objects  
Required: Yes

## Response Syntax


```
{
   "CodeDeliveryDetailsList": [ 
      { 
         "AttributeName": "string",
         "DeliveryMedium": "string",
         "Destination": "string"
      }
   ]
}
```

## Response Elements


If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

 ** [CodeDeliveryDetailsList](#API_UpdateUserAttributes_ResponseSyntax) **   <a name="CognitoUserPools-UpdateUserAttributes-response-CodeDeliveryDetailsList"></a>
When the attribute-update request includes an email address or phone number attribute, Amazon Cognito sends a message to users with a code that confirms ownership of the new value that they entered. The `CodeDeliveryDetails` object is information about the delivery destination for that link or code. This behavior happens in user pools configured to automatically verify changes to those attributes. For more information, see [Verifying when users change their email or phone number](https://docs.aws.amazon.com/cognito/latest/developerguide/signing-up-users-in-your-app.html#verifying-when-users-change-their-email-or-phone-number).  
Type: Array of [CodeDeliveryDetailsType](API_CodeDeliveryDetailsType.md) objects

## Errors


For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).

 ** AliasExistsException **   
This exception is thrown when a user tries to confirm the account with an email address or phone number that has already been supplied as an alias for a different user profile. This exception indicates that an account with this email address or phone already exists in a user pool that you've configured to use email address or phone number as a sign-in alias.    
 ** message **   
The message that Amazon Cognito sends to the user when the value of an alias attribute is already linked to another user profile.
HTTP Status Code: 400

 ** CodeDeliveryFailureException **   
This exception is thrown when a verification code fails to deliver successfully.    
 ** message **   
The message sent when a verification code fails to deliver successfully.
HTTP Status Code: 400

 ** CodeMismatchException **   
This exception is thrown if the provided code doesn't match what the server was expecting.    
 ** message **   
The message provided when the code mismatch exception is thrown.
HTTP Status Code: 400

 ** ExpiredCodeException **   
This exception is thrown if a code has expired.    
 ** message **   
The message returned when the expired code exception is thrown.
HTTP Status Code: 400

 ** ForbiddenException **   
This exception is thrown when AWS WAF doesn't allow your request based on a web ACL that's associated with your user pool.    
 ** message **   
The message returned when AWS WAF doesn't allow your request based on a web ACL that's associated with your user pool.
HTTP Status Code: 400

 ** InternalErrorException **   
This exception is thrown when Amazon Cognito encounters an internal error.    
 ** message **   
The message returned when Amazon Cognito throws an internal error exception.
HTTP Status Code: 500

 ** InvalidEmailRoleAccessPolicyException **   
This exception is thrown when Amazon Cognito isn't allowed to use your email identity. HTTP status code: 400.    
 ** message **   
The message returned when you have an unverified email address or the identity policy isn't set on an email address that Amazon Cognito can access.
HTTP Status Code: 400

 ** InvalidLambdaResponseException **   
This exception is thrown when Amazon Cognito encounters an invalid AWS Lambda response.    
 ** message **   
The message returned when Amazon Cognito throws an invalid AWS Lambda response exception.
HTTP Status Code: 400

 ** InvalidParameterException **   
This exception is thrown when the Amazon Cognito service encounters an invalid parameter.    
 ** message **   
The message returned when the Amazon Cognito service throws an invalid parameter exception.  
 ** reasonCode **   
The reason code of the exception.
HTTP Status Code: 400

 ** InvalidSmsRoleAccessPolicyException **   
This exception is returned when the role provided for SMS configuration doesn't have permission to publish using Amazon SNS.    
 ** message **   
The message returned when the invalid SMS role access policy exception is thrown.
HTTP Status Code: 400

 ** InvalidSmsRoleTrustRelationshipException **   
This exception is thrown when the trust relationship is not valid for the role provided for SMS configuration. This can happen if you don't trust `cognito-idp.amazonaws.com` or the external ID provided in the role does not match what is provided in the SMS configuration for the user pool.    
 ** message **   
The message returned when the role trust relationship for the SMS message is not valid.
HTTP Status Code: 400

 ** NotAuthorizedException **   
This exception is thrown when a user isn't authorized.    
 ** message **   
The message returned when the Amazon Cognito service returns a not authorized exception.
HTTP Status Code: 400

 ** PasswordResetRequiredException **   
This exception is thrown when a password reset is required.    
 ** message **   
The message returned when a password reset is required.
HTTP Status Code: 400

 ** ResourceNotFoundException **   
This exception is thrown when the Amazon Cognito service can't find the requested resource.    
 ** message **   
The message returned when the Amazon Cognito service returns a resource not found exception.
HTTP Status Code: 400

 ** TooManyRequestsException **   
This exception is thrown when the user has made too many requests for a given operation.    
 ** message **   
The message returned when the Amazon Cognito service returns a too many requests exception.
HTTP Status Code: 400

 ** UnexpectedLambdaException **   
This exception is thrown when Amazon Cognito encounters an unexpected exception with AWS Lambda.    
 ** message **   
The message returned when Amazon Cognito returns an unexpected Lambda exception.
HTTP Status Code: 400

 ** UserLambdaValidationException **   
This exception is thrown when the Amazon Cognito service encounters a user validation exception with the AWS Lambda service.    
 ** message **   
The message returned when the Amazon Cognito service returns a user validation exception with the Lambda service.
HTTP Status Code: 400

 ** UserNotConfirmedException **   
This exception is thrown when a user isn't confirmed successfully.    
 ** message **   
The message returned when a user isn't confirmed successfully.
HTTP Status Code: 400

 ** UserNotFoundException **   
This exception is thrown when a user isn't found.    
 ** message **   
The message returned when a user isn't found.
HTTP Status Code: 400

## Examples


### Example


The following example request updates several attributes for the current user. The change to the user's email address generates a verification code that the user can provide in a `VerifyUserAttributes` request.

#### Sample Request


```
POST HTTP/1.1
Host: cognito-idp.us-west-2.amazonaws.com
X-Amz-Date: 20230613T200059Z
Accept-Encoding: gzip, deflate, br
X-Amz-Target: AWSCognitoIdentityProviderService.UpdateUserAttributes
User-Agent: <UserAgentString>
Authorization: AWS4-HMAC-SHA256 Credential=<Credential>, SignedHeaders=<Headers>, Signature=<Signature>
Content-Length: <PayloadSizeBytes>
{
   "AccessToken": "eyJra456defEXAMPLE",
   "UserAttributes": [
      {
         "Name": "email",
         "Value": "johndoe@example.com"
      },
      {
         "Name": "birthdate",
         "Value": "01/01/2025"
      },
      {
         "Name": "custom:costcenter",
         "Value": "mycustomvalue"
      }
   ]
}
```

#### Sample Response


```
HTTP/1.1 200 OK
Date: Tue, 13 Jun 2023 20:00:59 GMT
Content-Type: application/x-amz-json-1.0
Content-Length: <PayloadSizeBytes>
x-amzn-requestid: a1b2c3d4-e5f6-a1b2-c3d4-EXAMPLE11111
Connection: keep-alive
{
    "CodeDeliveryDetailsList": [
        {
            "AttributeName": "email",
            "DeliveryMedium": "EMAIL",
            "Destination": "j***@e***"
        }
    ]
}
```

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cognito-idp-2016-04-18/UpdateUserAttributes) 
+  [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cognito-idp-2016-04-18/UpdateUserAttributes) 
+  [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/UpdateUserAttributes) 
+  [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cognito-idp-2016-04-18/UpdateUserAttributes) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/UpdateUserAttributes) 
+  [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cognito-idp-2016-04-18/UpdateUserAttributes) 
+  [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cognito-idp-2016-04-18/UpdateUserAttributes) 
+  [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cognito-idp-2016-04-18/UpdateUserAttributes) 
+  [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/UpdateUserAttributes) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cognito-idp-2016-04-18/UpdateUserAttributes) 

# UpdateUserPool


Updates the configuration of a user pool. To avoid setting parameters to Amazon Cognito defaults, construct this API request to pass the existing configuration of your user pool, modified to include the changes that you want to make.

**Important**  
With the exception of `UserPoolTier`, if you don't provide a value for an attribute, Amazon Cognito sets it to its default value.

You can get a list of the current user pool settings using [DescribeUserPool](API_DescribeUserPool.md).

**Note**  
This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers require you to register an origination phone number before you can send SMS messages to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a phone number with [Amazon Pinpoint](https://console.aws.amazon.com/pinpoint/home/). Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must receive SMS messages might not be able to sign up, activate their accounts, or sign in.  
If you have never used SMS text messages with Amazon Cognito or any other AWS service, Amazon Simple Notification Service might place your account in the SMS sandbox. In * [sandbox mode](https://docs.aws.amazon.com/sns/latest/dg/sns-sms-sandbox.html) *, you can send messages only to verified phone numbers. After you test your app while in the sandbox environment, you can move out of the sandbox and into production. For more information, see [ SMS message settings for Amazon Cognito user pools](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-sms-settings.html) in the *Amazon Cognito Developer Guide*.

**Note**  
Amazon Cognito evaluates AWS Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.  
 [Signing AWS API Requests](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html) 
 [Using the Amazon Cognito user pools API and user pool endpoints](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html) 

## Request Syntax


```
{
   "AccountRecoverySetting": { 
      "RecoveryMechanisms": [ 
         { 
            "Name": "string",
            "Priority": number
         }
      ]
   },
   "AdminCreateUserConfig": { 
      "AllowAdminCreateUserOnly": boolean,
      "InviteMessageTemplate": { 
         "EmailMessage": "string",
         "EmailSubject": "string",
         "SMSMessage": "string"
      },
      "UnusedAccountValidityDays": number
   },
   "AutoVerifiedAttributes": [ "string" ],
   "DeletionProtection": "string",
   "DeviceConfiguration": { 
      "ChallengeRequiredOnNewDevice": boolean,
      "DeviceOnlyRememberedOnUserPrompt": boolean
   },
   "EmailConfiguration": { 
      "ConfigurationSet": "string",
      "EmailSendingAccount": "string",
      "From": "string",
      "ReplyToEmailAddress": "string",
      "SourceArn": "string"
   },
   "EmailVerificationMessage": "string",
   "EmailVerificationSubject": "string",
   "LambdaConfig": { 
      "CreateAuthChallenge": "string",
      "CustomEmailSender": { 
         "LambdaArn": "string",
         "LambdaVersion": "string"
      },
      "CustomMessage": "string",
      "CustomSMSSender": { 
         "LambdaArn": "string",
         "LambdaVersion": "string"
      },
      "DefineAuthChallenge": "string",
      "InboundFederation": { 
         "LambdaArn": "string",
         "LambdaVersion": "string"
      },
      "KMSKeyID": "string",
      "PostAuthentication": "string",
      "PostConfirmation": "string",
      "PreAuthentication": "string",
      "PreSignUp": "string",
      "PreTokenGeneration": "string",
      "PreTokenGenerationConfig": { 
         "LambdaArn": "string",
         "LambdaVersion": "string"
      },
      "UserMigration": "string",
      "VerifyAuthChallengeResponse": "string"
   },
   "MfaConfiguration": "string",
   "Policies": { 
      "PasswordPolicy": { 
         "MinimumLength": number,
         "PasswordHistorySize": number,
         "RequireLowercase": boolean,
         "RequireNumbers": boolean,
         "RequireSymbols": boolean,
         "RequireUppercase": boolean,
         "TemporaryPasswordValidityDays": number
      },
      "SignInPolicy": { 
         "AllowedFirstAuthFactors": [ "string" ]
      }
   },
   "PoolName": "string",
   "SmsAuthenticationMessage": "string",
   "SmsConfiguration": { 
      "ExternalId": "string",
      "SnsCallerArn": "string",
      "SnsRegion": "string"
   },
   "SmsVerificationMessage": "string",
   "UserAttributeUpdateSettings": { 
      "AttributesRequireVerificationBeforeUpdate": [ "string" ]
   },
   "UserPoolAddOns": { 
      "AdvancedSecurityAdditionalFlows": { 
         "CustomAuthMode": "string"
      },
      "AdvancedSecurityMode": "string"
   },
   "UserPoolId": "string",
   "UserPoolTags": { 
      "string" : "string" 
   },
   "UserPoolTier": "string",
   "VerificationMessageTemplate": { 
      "DefaultEmailOption": "string",
      "EmailMessage": "string",
      "EmailMessageByLink": "string",
      "EmailSubject": "string",
      "EmailSubjectByLink": "string",
      "SmsMessage": "string"
   }
}
```

## Request Parameters


For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).

The request accepts the following data in JSON format.

 ** [AccountRecoverySetting](#API_UpdateUserPool_RequestSyntax) **   <a name="CognitoUserPools-UpdateUserPool-request-AccountRecoverySetting"></a>
The available verified method a user can use to recover their password when they call `ForgotPassword`. You can use this setting to define a preferred method when a user has more than one method available. With this setting, SMS doesn't qualify for a valid password recovery mechanism if the user also has SMS multi-factor authentication (MFA) activated. In the absence of this setting, Amazon Cognito uses the legacy behavior to determine the recovery method where SMS is preferred through email.  
Type: [AccountRecoverySettingType](API_AccountRecoverySettingType.md) object  
Required: No

 ** [AdminCreateUserConfig](#API_UpdateUserPool_RequestSyntax) **   <a name="CognitoUserPools-UpdateUserPool-request-AdminCreateUserConfig"></a>
The configuration for administrative creation of users. Includes the template for the invitation message for new users, the duration of temporary passwords, and permitting self-service sign-up.  
Type: [AdminCreateUserConfigType](API_AdminCreateUserConfigType.md) object  
Required: No

 ** [AutoVerifiedAttributes](#API_UpdateUserPool_RequestSyntax) **   <a name="CognitoUserPools-UpdateUserPool-request-AutoVerifiedAttributes"></a>
The attributes that you want your user pool to automatically verify. Possible values: **email**, **phone\$1number**. For more information see [Verifying contact information at sign-up](https://docs.aws.amazon.com/cognito/latest/developerguide/signing-up-users-in-your-app.html#allowing-users-to-sign-up-and-confirm-themselves).  
Type: Array of strings  
Valid Values: `phone_number | email`   
Required: No

 ** [DeletionProtection](#API_UpdateUserPool_RequestSyntax) **   <a name="CognitoUserPools-UpdateUserPool-request-DeletionProtection"></a>
When active, `DeletionProtection` prevents accidental deletion of your user pool. Before you can delete a user pool that you have protected against deletion, you must deactivate this feature.  
When you try to delete a protected user pool in a `DeleteUserPool` API request, Amazon Cognito returns an `InvalidParameterException` error. To delete a protected user pool, send a new `DeleteUserPool` request after you deactivate deletion protection in an `UpdateUserPool` API request.  
Type: String  
Valid Values: `ACTIVE | INACTIVE`   
Required: No

 ** [DeviceConfiguration](#API_UpdateUserPool_RequestSyntax) **   <a name="CognitoUserPools-UpdateUserPool-request-DeviceConfiguration"></a>
The device-remembering configuration for a user pool. Device remembering or device tracking is a "Remember me on this device" option for user pools that perform authentication with the device key of a trusted device in the back end, instead of a user-provided MFA code. For more information about device authentication, see [Working with user devices in your user pool](https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-device-tracking.html). A null value indicates that you have deactivated device remembering in your user pool.  
When you provide a value for any `DeviceConfiguration` field, you activate the Amazon Cognito device-remembering feature. For more information, see [Working with devices](https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-device-tracking.html).
Type: [DeviceConfigurationType](API_DeviceConfigurationType.md) object  
Required: No

 ** [EmailConfiguration](#API_UpdateUserPool_RequestSyntax) **   <a name="CognitoUserPools-UpdateUserPool-request-EmailConfiguration"></a>
The email configuration of your user pool. The email configuration type sets your preferred sending method, AWS Region, and sender for email invitation and verification messages from your user pool.  
Type: [EmailConfigurationType](API_EmailConfigurationType.md) object  
Required: No

 ** [EmailVerificationMessage](#API_UpdateUserPool_RequestSyntax) **   <a name="CognitoUserPools-UpdateUserPool-request-EmailVerificationMessage"></a>
This parameter is no longer used. See [VerificationMessageTemplateType](API_VerificationMessageTemplateType.md).  
This parameter is no longer used.  
Type: String  
Length Constraints: Minimum length of 6. Maximum length of 20000.  
Pattern: `[\p{L}\p{M}\p{S}\p{N}\p{P}\s*]*\{####\}[\p{L}\p{M}\p{S}\p{N}\p{P}\s*]*`   
Required: No

 ** [EmailVerificationSubject](#API_UpdateUserPool_RequestSyntax) **   <a name="CognitoUserPools-UpdateUserPool-request-EmailVerificationSubject"></a>
This parameter is no longer used. See [VerificationMessageTemplateType](API_VerificationMessageTemplateType.md).  
This parameter is no longer used.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 140.  
Pattern: `[\p{L}\p{M}\p{S}\p{N}\p{P}\s]+`   
Required: No

 ** [LambdaConfig](#API_UpdateUserPool_RequestSyntax) **   <a name="CognitoUserPools-UpdateUserPool-request-LambdaConfig"></a>
A collection of user pool Lambda triggers. Amazon Cognito invokes triggers at several possible stages of authentication operations. Triggers can modify the outcome of the operations that invoked them.  
Type: [LambdaConfigType](API_LambdaConfigType.md) object  
Required: No

 ** [MfaConfiguration](#API_UpdateUserPool_RequestSyntax) **   <a name="CognitoUserPools-UpdateUserPool-request-MfaConfiguration"></a>
Sets multi-factor authentication (MFA) to be on, off, or optional. When `ON`, all users must set up MFA before they can sign in. When `OPTIONAL`, your application must make a client-side determination of whether a user wants to register an MFA device. For user pools with adaptive authentication with threat protection, choose `OPTIONAL`.  
When `MfaConfiguration` is `OPTIONAL`, managed login doesn't automatically prompt users to set up MFA. Amazon Cognito generates MFA prompts in API responses and in managed login for users who have chosen and configured a preferred MFA factor.  
Type: String  
Valid Values: `OFF | ON | OPTIONAL`   
Required: No

 ** [Policies](#API_UpdateUserPool_RequestSyntax) **   <a name="CognitoUserPools-UpdateUserPool-request-Policies"></a>
The password policy and sign-in policy in the user pool. The password policy sets options like password complexity requirements and password history. The sign-in policy sets the options available to applications in [choice-based authentication](https://docs.aws.amazon.com/cognito/latest/developerguide/authentication-flows-selection-sdk.html#authentication-flows-selection-choice).  
Type: [UserPoolPolicyType](API_UserPoolPolicyType.md) object  
Required: No

 ** [PoolName](#API_UpdateUserPool_RequestSyntax) **   <a name="CognitoUserPools-UpdateUserPool-request-PoolName"></a>
The updated name of your user pool.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 128.  
Pattern: `[\w\s+=,.@-]+`   
Required: No

 ** [SmsAuthenticationMessage](#API_UpdateUserPool_RequestSyntax) **   <a name="CognitoUserPools-UpdateUserPool-request-SmsAuthenticationMessage"></a>
The contents of the SMS message that your user pool sends to users in SMS authentication.  
Type: String  
Length Constraints: Minimum length of 6. Maximum length of 140.  
Pattern: `.*\{####\}.*`   
Required: No

 ** [SmsConfiguration](#API_UpdateUserPool_RequestSyntax) **   <a name="CognitoUserPools-UpdateUserPool-request-SmsConfiguration"></a>
The SMS configuration with the settings for your Amazon Cognito user pool to send SMS message with Amazon Simple Notification Service. To send SMS messages with Amazon SNS in the AWS Region that you want, the Amazon Cognito user pool uses an AWS Identity and Access Management (IAM) role in your AWS account. For more information see [SMS message settings](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-sms-settings.html).  
Type: [SmsConfigurationType](API_SmsConfigurationType.md) object  
Required: No

 ** [SmsVerificationMessage](#API_UpdateUserPool_RequestSyntax) **   <a name="CognitoUserPools-UpdateUserPool-request-SmsVerificationMessage"></a>
This parameter is no longer used. See [VerificationMessageTemplateType](API_VerificationMessageTemplateType.md).  
This parameter is no longer used.  
Type: String  
Length Constraints: Minimum length of 6. Maximum length of 140.  
Pattern: `.*\{####\}.*`   
Required: No

 ** [UserAttributeUpdateSettings](#API_UpdateUserPool_RequestSyntax) **   <a name="CognitoUserPools-UpdateUserPool-request-UserAttributeUpdateSettings"></a>
The settings for updates to user attributes. These settings include the property `AttributesRequireVerificationBeforeUpdate`, a user-pool setting that tells Amazon Cognito how to handle changes to the value of your users' email address and phone number attributes. For more information, see [ Verifying updates to email addresses and phone numbers](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-email-phone-verification.html#user-pool-settings-verifications-verify-attribute-updates).  
Type: [UserAttributeUpdateSettingsType](API_UserAttributeUpdateSettingsType.md) object  
Required: No

 ** [UserPoolAddOns](#API_UpdateUserPool_RequestSyntax) **   <a name="CognitoUserPools-UpdateUserPool-request-UserPoolAddOns"></a>
Contains settings for activation of threat protection, including the operating mode and additional authentication types. To log user security information but take no action, set to `AUDIT`. To configure automatic security responses to potentially unwanted traffic to your user pool, set to `ENFORCED`.  
For more information, see [Adding advanced security to a user pool](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-advanced-security.html). To activate this setting, your user pool must be on the [ Plus tier](https://docs.aws.amazon.com/cognito/latest/developerguide/feature-plans-features-plus.html).  
Type: [UserPoolAddOnsType](API_UserPoolAddOnsType.md) object  
Required: No

 ** [UserPoolId](#API_UpdateUserPool_RequestSyntax) **   <a name="CognitoUserPools-UpdateUserPool-request-UserPoolId"></a>
The ID of the user pool you want to update.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 55.  
Pattern: `[\w-]+_[0-9a-zA-Z]+`   
Required: Yes

 ** [UserPoolTags](#API_UpdateUserPool_RequestSyntax) **   <a name="CognitoUserPools-UpdateUserPool-request-UserPoolTags"></a>
The tag keys and values to assign to the user pool. A tag is a label that you can use to categorize and manage user pools in different ways, such as by purpose, owner, environment, or other criteria.  
Type: String to string map  
Key Length Constraints: Minimum length of 1. Maximum length of 128.  
Value Length Constraints: Minimum length of 0. Maximum length of 256.  
Required: No

 ** [UserPoolTier](#API_UpdateUserPool_RequestSyntax) **   <a name="CognitoUserPools-UpdateUserPool-request-UserPoolTier"></a>
The user pool [feature plan](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-sign-in-feature-plans.html), or tier. This parameter determines the eligibility of the user pool for features like managed login, access-token customization, and threat protection. Defaults to `ESSENTIALS`.  
Type: String  
Valid Values: `LITE | ESSENTIALS | PLUS`   
Required: No

 ** [VerificationMessageTemplate](#API_UpdateUserPool_RequestSyntax) **   <a name="CognitoUserPools-UpdateUserPool-request-VerificationMessageTemplate"></a>
The template for the verification message that your user pool delivers to users who set an email address or phone number attribute.  
Set the email message type that corresponds to your `DefaultEmailOption` selection. For `CONFIRM_WITH_LINK`, specify an `EmailMessageByLink` and leave `EmailMessage` blank. For `CONFIRM_WITH_CODE`, specify an `EmailMessage` and leave `EmailMessageByLink` blank. When you supply both parameters with either choice, Amazon Cognito returns an error.  
Type: [VerificationMessageTemplateType](API_VerificationMessageTemplateType.md) object  
Required: No

## Response Elements


If the action is successful, the service sends back an HTTP 200 response with an empty HTTP body.

## Errors


For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).

 ** ConcurrentModificationException **   
This exception is thrown if two or more modifications are happening concurrently.    
 ** message **   
The message provided when the concurrent exception is thrown.
HTTP Status Code: 400

 ** FeatureUnavailableInTierException **   
This exception is thrown when a feature you attempted to configure isn't available in your current feature plan.  
HTTP Status Code: 400

 ** InternalErrorException **   
This exception is thrown when Amazon Cognito encounters an internal error.    
 ** message **   
The message returned when Amazon Cognito throws an internal error exception.
HTTP Status Code: 500

 ** InvalidEmailRoleAccessPolicyException **   
This exception is thrown when Amazon Cognito isn't allowed to use your email identity. HTTP status code: 400.    
 ** message **   
The message returned when you have an unverified email address or the identity policy isn't set on an email address that Amazon Cognito can access.
HTTP Status Code: 400

 ** InvalidParameterException **   
This exception is thrown when the Amazon Cognito service encounters an invalid parameter.    
 ** message **   
The message returned when the Amazon Cognito service throws an invalid parameter exception.  
 ** reasonCode **   
The reason code of the exception.
HTTP Status Code: 400

 ** InvalidSmsRoleAccessPolicyException **   
This exception is returned when the role provided for SMS configuration doesn't have permission to publish using Amazon SNS.    
 ** message **   
The message returned when the invalid SMS role access policy exception is thrown.
HTTP Status Code: 400

 ** InvalidSmsRoleTrustRelationshipException **   
This exception is thrown when the trust relationship is not valid for the role provided for SMS configuration. This can happen if you don't trust `cognito-idp.amazonaws.com` or the external ID provided in the role does not match what is provided in the SMS configuration for the user pool.    
 ** message **   
The message returned when the role trust relationship for the SMS message is not valid.
HTTP Status Code: 400

 ** NotAuthorizedException **   
This exception is thrown when a user isn't authorized.    
 ** message **   
The message returned when the Amazon Cognito service returns a not authorized exception.
HTTP Status Code: 400

 ** ResourceNotFoundException **   
This exception is thrown when the Amazon Cognito service can't find the requested resource.    
 ** message **   
The message returned when the Amazon Cognito service returns a resource not found exception.
HTTP Status Code: 400

 ** TierChangeNotAllowedException **   
This exception is thrown when you've attempted to change your feature plan but the operation isn't permitted.  
HTTP Status Code: 400

 ** TooManyRequestsException **   
This exception is thrown when the user has made too many requests for a given operation.    
 ** message **   
The message returned when the Amazon Cognito service returns a too many requests exception.
HTTP Status Code: 400

 ** UserImportInProgressException **   
This exception is thrown when you're trying to modify a user pool while a user import job is in progress for that pool.    
 ** message **   
The message returned when the user pool has an import job running.
HTTP Status Code: 400

 ** UserPoolTaggingException **   
This exception is thrown when a user pool tag can't be set or updated.  
HTTP Status Code: 400

## Examples


### Example


The following `UpdateUserPool` request updates some common features of the target user pool.

#### Sample Request


```
POST HTTP/1.1
Host: cognito-idp.ca-central-1.amazonaws.com
X-Amz-Date: 20230613T200059Z
Accept-Encoding: gzip, deflate, br
X-Amz-Target: AWSCognitoIdentityProviderService.UpdateUserPool
User-Agent: <UserAgentString>
Authorization: AWS4-HMAC-SHA256 Credential=<Credential>, SignedHeaders=<Headers>, Signature=<Signature>
Content-Length: <PayloadSizeBytes>


{
    "AccountRecoverySetting": {
        "RecoveryMechanisms": [
            {
                "Name": "verified_email",
                "Priority": 1
            },
            {
                "Name": "verified_phone_number",
                "Priority": 2
            }
        ]
    },
    "AdminCreateUserConfig": {
        "AllowAdminCreateUserOnly": false,
        "UnusedAccountValidityDays": 7
    },
    "AliasAttributes": [
        "email",
        "phone_number",
        "preferred_username"
    ],
    "Arn": "arn:aws:cognito-idp:ca-central-1:123456789012:userpool/ca-central-1_EXAMPLE",
    "AutoVerifiedAttributes": [
        "email"
    ],
    "DeletionProtection": "ACTIVE",
    "Domain": "cognitoexample",
    "EmailConfiguration": {
        "ConfigurationSet": "my-sesconfigset",
        "EmailSendingAccount": "DEVELOPER",
        "SourceArn": "arn:aws:ses:us-east-1:123456789012:identity/admin@example.com"
    },
    "LambdaConfig": {
        "PreSignUp": "arn:aws:lambda:ca-central-1:123456789012:function:my-function"
    },
    "MfaConfiguration": "OPTIONAL",
    "Name": "my-test-user-pool",
    "Policies": {
        "PasswordPolicy": {
            "MinimumLength": 8,
            "RequireLowercase": true,
            "RequireNumbers": true,
            "RequireSymbols": true,
            "RequireUppercase": true,
            "TemporaryPasswordValidityDays": 7
        },
        "SignInPolicy": {
            "AllowedFirstAuthFactors": [
                "PASSWORD",
                "EMAIL_OTP",
                "WEB_AUTHN"
            ]
        }
    },
    "SmsConfiguration": {
        "ExternalId": "ALPHA-BRAVO",
        "SnsCallerArn": "arn:aws:iam::123456789012:role/My-SMS-Role",
        "SnsRegion": "us-east-1"
    },
    "UserAttributeUpdateSettings": {
        "AttributesRequireVerificationBeforeUpdate": [
            "email"
        ]
    },
    "UsernameConfiguration": {
        "CaseSensitive": false
    },
    "UserPoolAddOns": {
        "AdvancedSecurityAdditionalFlows": {
        },
        "AdvancedSecurityMode": "OFF"
    },
    "UserPoolId": "ca-central-1_EXAMPLE",
    "UserPoolTags": {
    },
    "UserPoolTier": "PLUS",
    "VerificationMessageTemplate": {
        "DefaultEmailOption": "CONFIRM_WITH_CODE"
    }
}
```

#### Sample Response


```
HTTP/1.1 200 OK
Date: Tue, 13 Jun 2023 20:00:59 GMT
Content-Type: application/x-amz-json-1.0
Content-Length: <PayloadSizeBytes>
x-amzn-requestid: a1b2c3d4-e5f6-a1b2-c3d4-EXAMPLE11111
Connection: keep-alive
```

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cognito-idp-2016-04-18/UpdateUserPool) 
+  [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cognito-idp-2016-04-18/UpdateUserPool) 
+  [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/UpdateUserPool) 
+  [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cognito-idp-2016-04-18/UpdateUserPool) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/UpdateUserPool) 
+  [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cognito-idp-2016-04-18/UpdateUserPool) 
+  [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cognito-idp-2016-04-18/UpdateUserPool) 
+  [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cognito-idp-2016-04-18/UpdateUserPool) 
+  [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/UpdateUserPool) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cognito-idp-2016-04-18/UpdateUserPool) 

# UpdateUserPoolClient


Given a user pool app client ID, updates the configuration. To avoid setting parameters to Amazon Cognito defaults, construct this API request to pass the existing configuration of your app client, modified to include the changes that you want to make.

**Important**  
If you don't provide a value for an attribute, Amazon Cognito sets it to its default value.

You can get a list of the current app client settings with [DescribeUserPoolClient](API_DescribeUserPoolClient.md).

Unlike app clients created in the console, Amazon Cognito doesn't automatically assign a branding style to app clients that you configure with this API operation. Managed login and classic hosted UI pages aren't available for your client until after you apply a branding style.

Apply a branding style with the [CreateManagedLoginBranding](API_CreateManagedLoginBranding.md) operation. For more information, see [Managed login branding](https://docs.aws.amazon.com/cognito/latest/developerguide/managed-login-branding.html). 

You can also use this operation to enable token revocation for user pool clients. For more information about revoking tokens, see [RevokeToken](API_RevokeToken.md).

**Note**  
Amazon Cognito evaluates AWS Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.  
 [Signing AWS API Requests](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html) 
 [Using the Amazon Cognito user pools API and user pool endpoints](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html) 

## Request Syntax


```
{
   "AccessTokenValidity": number,
   "AllowedOAuthFlows": [ "string" ],
   "AllowedOAuthFlowsUserPoolClient": boolean,
   "AllowedOAuthScopes": [ "string" ],
   "AnalyticsConfiguration": { 
      "ApplicationArn": "string",
      "ApplicationId": "string",
      "ExternalId": "string",
      "RoleArn": "string",
      "UserDataShared": boolean
   },
   "AuthSessionValidity": number,
   "CallbackURLs": [ "string" ],
   "ClientId": "string",
   "ClientName": "string",
   "DefaultRedirectURI": "string",
   "EnablePropagateAdditionalUserContextData": boolean,
   "EnableTokenRevocation": boolean,
   "ExplicitAuthFlows": [ "string" ],
   "IdTokenValidity": number,
   "LogoutURLs": [ "string" ],
   "PreventUserExistenceErrors": "string",
   "ReadAttributes": [ "string" ],
   "RefreshTokenRotation": { 
      "Feature": "string",
      "RetryGracePeriodSeconds": number
   },
   "RefreshTokenValidity": number,
   "SupportedIdentityProviders": [ "string" ],
   "TokenValidityUnits": { 
      "AccessToken": "string",
      "IdToken": "string",
      "RefreshToken": "string"
   },
   "UserPoolId": "string",
   "WriteAttributes": [ "string" ]
}
```

## Request Parameters


For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).

The request accepts the following data in JSON format.

 ** [AccessTokenValidity](#API_UpdateUserPoolClient_RequestSyntax) **   <a name="CognitoUserPools-UpdateUserPoolClient-request-AccessTokenValidity"></a>
The access token time limit. After this limit expires, your user can't use their access token. To specify the time unit for `AccessTokenValidity` as `seconds`, `minutes`, `hours`, or `days`, set a `TokenValidityUnits` value in your API request.  
For example, when you set `AccessTokenValidity` to `10` and `TokenValidityUnits` to `hours`, your user can authorize access with their access token for 10 hours.  
The default time unit for `AccessTokenValidity` in an API request is hours. *Valid range* is displayed below in seconds.  
If you don't specify otherwise in the configuration of your app client, your access tokens are valid for one hour.  
Type: Integer  
Valid Range: Minimum value of 1. Maximum value of 86400.  
Required: No

 ** [AllowedOAuthFlows](#API_UpdateUserPoolClient_RequestSyntax) **   <a name="CognitoUserPools-UpdateUserPoolClient-request-AllowedOAuthFlows"></a>
The OAuth grant types that you want your app client to generate. To create an app client that generates client credentials grants, you must add `client_credentials` as the only allowed OAuth flow.    
code  
Use a code grant flow, which provides an authorization code as the response. This code can be exchanged for access tokens with the `/oauth2/token` endpoint.  
implicit  
Issue the access token (and, optionally, ID token, based on scopes) directly to your user.  
client\$1credentials  
Issue the access token from the `/oauth2/token` endpoint directly to a non-person user using a combination of the client ID and client secret.
Type: Array of strings  
Array Members: Minimum number of 0 items. Maximum number of 3 items.  
Valid Values: `code | implicit | client_credentials`   
Required: No

 ** [AllowedOAuthFlowsUserPoolClient](#API_UpdateUserPoolClient_RequestSyntax) **   <a name="CognitoUserPools-UpdateUserPoolClient-request-AllowedOAuthFlowsUserPoolClient"></a>
Set to `true` to use OAuth 2.0 authorization server features in your app client.  
This parameter must have a value of `true` before you can configure the following features in your app client.  
+  `CallBackURLs`: Callback URLs.
+  `LogoutURLs`: Sign-out redirect URLs.
+  `AllowedOAuthScopes`: OAuth 2.0 scopes.
+  `AllowedOAuthFlows`: Support for authorization code, implicit, and client credentials OAuth 2.0 grants.
To use authorization server features, configure one of these features in the Amazon Cognito console or set `AllowedOAuthFlowsUserPoolClient` to `true` in a `CreateUserPoolClient` or `UpdateUserPoolClient` API request. If you don't set a value for `AllowedOAuthFlowsUserPoolClient` in a request with the AWS CLI or SDKs, it defaults to `false`. When `false`, only SDK-based API sign-in is permitted.  
Type: Boolean  
Required: No

 ** [AllowedOAuthScopes](#API_UpdateUserPoolClient_RequestSyntax) **   <a name="CognitoUserPools-UpdateUserPoolClient-request-AllowedOAuthScopes"></a>
The OAuth, OpenID Connect (OIDC), and custom scopes that you want to permit your app client to authorize access with. Scopes govern access control to user pool self-service API operations, user data from the `userInfo` endpoint, and third-party APIs. Scope values include `phone`, `email`, `openid`, and `profile`. The `aws.cognito.signin.user.admin` scope authorizes user self-service operations. Custom scopes with resource servers authorize access to external APIs.  
Type: Array of strings  
Array Members: Maximum number of 50 items.  
Length Constraints: Minimum length of 1. Maximum length of 256.  
Pattern: `[\x21\x23-\x5B\x5D-\x7E]+`   
Required: No

 ** [AnalyticsConfiguration](#API_UpdateUserPoolClient_RequestSyntax) **   <a name="CognitoUserPools-UpdateUserPoolClient-request-AnalyticsConfiguration"></a>
The user pool analytics configuration for collecting metrics and sending them to your Amazon Pinpoint campaign.  
In AWS Regions where Amazon Pinpoint isn't available, user pools might not have access to analytics or might be configurable with campaigns in the US East (N. Virginia) Region. For more information, see [Using Amazon Pinpoint analytics](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-pinpoint-integration.html).  
Type: [AnalyticsConfigurationType](API_AnalyticsConfigurationType.md) object  
Required: No

 ** [AuthSessionValidity](#API_UpdateUserPoolClient_RequestSyntax) **   <a name="CognitoUserPools-UpdateUserPoolClient-request-AuthSessionValidity"></a>
Amazon Cognito creates a session token for each API request in an authentication flow. `AuthSessionValidity` is the duration, in minutes, of that session token. Your user pool native user must respond to each authentication challenge before the session expires.  
Type: Integer  
Valid Range: Minimum value of 3. Maximum value of 15.  
Required: No

 ** [CallbackURLs](#API_UpdateUserPoolClient_RequestSyntax) **   <a name="CognitoUserPools-UpdateUserPoolClient-request-CallbackURLs"></a>
A list of allowed redirect, or callback, URLs for managed login authentication. These URLs are the paths where you want to send your users' browsers after they complete authentication with managed login or a third-party IdP. Typically, callback URLs are the home of an application that uses OAuth or OIDC libraries to process authentication outcomes.  
A redirect URI must meet the following requirements:  
+ Be an absolute URI.
+ Be registered with the authorization server. Amazon Cognito doesn't accept authorization requests with `redirect_uri` values that aren't in the list of `CallbackURLs` that you provide in this parameter.
+ Not include a fragment component.
See [OAuth 2.0 - Redirection Endpoint](https://tools.ietf.org/html/rfc6749#section-3.1.2).  
Amazon Cognito requires HTTPS over HTTP except for http://localhost for testing purposes only.  
App callback URLs such as `myapp://example` are also supported.  
Type: Array of strings  
Array Members: Minimum number of 0 items. Maximum number of 100 items.  
Length Constraints: Minimum length of 1. Maximum length of 1024.  
Pattern: `[\p{L}\p{M}\p{S}\p{N}\p{P}]+`   
Required: No

 ** [ClientId](#API_UpdateUserPoolClient_RequestSyntax) **   <a name="CognitoUserPools-UpdateUserPoolClient-request-ClientId"></a>
The ID of the app client that you want to update.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 128.  
Pattern: `[\w+]+`   
Required: Yes

 ** [ClientName](#API_UpdateUserPoolClient_RequestSyntax) **   <a name="CognitoUserPools-UpdateUserPoolClient-request-ClientName"></a>
A friendly name for the app client.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 128.  
Pattern: `[\w\s+=,.@-]+`   
Required: No

 ** [DefaultRedirectURI](#API_UpdateUserPoolClient_RequestSyntax) **   <a name="CognitoUserPools-UpdateUserPoolClient-request-DefaultRedirectURI"></a>
The default redirect URI. In app clients with one assigned IdP, replaces `redirect_uri` in authentication requests. Must be in the `CallbackURLs` list.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 1024.  
Pattern: `[\p{L}\p{M}\p{S}\p{N}\p{P}]+`   
Required: No

 ** [EnablePropagateAdditionalUserContextData](#API_UpdateUserPoolClient_RequestSyntax) **   <a name="CognitoUserPools-UpdateUserPoolClient-request-EnablePropagateAdditionalUserContextData"></a>
When `true`, your application can include additional `UserContextData` in authentication requests. This data includes the IP address, and contributes to analysis by threat protection features. For more information about propagation of user context data, see [Adding session data to API requests](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-adaptive-authentication.html#user-pool-settings-adaptive-authentication-device-fingerprint). If you don’t include this parameter, you can't send the source IP address to Amazon Cognito threat protection features. You can only activate `EnablePropagateAdditionalUserContextData` in an app client that has a client secret.  
Type: Boolean  
Required: No

 ** [EnableTokenRevocation](#API_UpdateUserPoolClient_RequestSyntax) **   <a name="CognitoUserPools-UpdateUserPoolClient-request-EnableTokenRevocation"></a>
Activates or deactivates [token revocation](https://docs.aws.amazon.com/cognito/latest/developerguide/token-revocation.html) in the target app client.  
Revoke tokens with [RevokeToken](API_RevokeToken.md).  
Type: Boolean  
Required: No

 ** [ExplicitAuthFlows](#API_UpdateUserPoolClient_RequestSyntax) **   <a name="CognitoUserPools-UpdateUserPoolClient-request-ExplicitAuthFlows"></a>
The [authentication flows](https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-authentication-flow-methods.html) that you want your user pool client to support. For each app client in your user pool, you can sign in your users with any combination of one or more flows, including with a user name and Secure Remote Password (SRP), a user name and password, or a custom authentication process that you define with Lambda functions.  
If you don't specify a value for `ExplicitAuthFlows`, your app client supports `ALLOW_REFRESH_TOKEN_AUTH`, `ALLOW_USER_SRP_AUTH`, and `ALLOW_CUSTOM_AUTH`. 
The values for authentication flow options include the following.  
+  `ALLOW_USER_AUTH`: Enable selection-based sign-in with `USER_AUTH`. This setting covers username-password, secure remote password (SRP), passwordless, and passkey authentication. This authentiation flow can do username-password and SRP authentication without other `ExplicitAuthFlows` permitting them. For example users can complete an SRP challenge through `USER_AUTH` without the flow `USER_SRP_AUTH` being active for the app client. This flow doesn't include `CUSTOM_AUTH`. 

  To activate this setting, your user pool must be in the [ Essentials tier](https://docs.aws.amazon.com/cognito/latest/developerguide/feature-plans-features-essentials.html) or higher.
+  `ALLOW_ADMIN_USER_PASSWORD_AUTH`: Enable admin based user password authentication flow `ADMIN_USER_PASSWORD_AUTH`. This setting replaces the `ADMIN_NO_SRP_AUTH` setting. With this authentication flow, your app passes a user name and password to Amazon Cognito in the request, instead of using the Secure Remote Password (SRP) protocol to securely transmit the password.
+  `ALLOW_CUSTOM_AUTH`: Enable Lambda trigger based authentication.
+  `ALLOW_USER_PASSWORD_AUTH`: Enable user password-based authentication. In this flow, Amazon Cognito receives the password in the request instead of using the SRP protocol to verify passwords.
+  `ALLOW_USER_SRP_AUTH`: Enable SRP-based authentication.
+  `ALLOW_REFRESH_TOKEN_AUTH`: Enable authflow to refresh tokens.
In some environments, you will see the values `ADMIN_NO_SRP_AUTH`, `CUSTOM_AUTH_FLOW_ONLY`, or `USER_PASSWORD_AUTH`. You can't assign these legacy `ExplicitAuthFlows` values to user pool clients at the same time as values that begin with `ALLOW_`, like `ALLOW_USER_SRP_AUTH`.  
Type: Array of strings  
Valid Values: `ADMIN_NO_SRP_AUTH | CUSTOM_AUTH_FLOW_ONLY | USER_PASSWORD_AUTH | ALLOW_ADMIN_USER_PASSWORD_AUTH | ALLOW_CUSTOM_AUTH | ALLOW_USER_PASSWORD_AUTH | ALLOW_USER_SRP_AUTH | ALLOW_REFRESH_TOKEN_AUTH | ALLOW_USER_AUTH`   
Required: No

 ** [IdTokenValidity](#API_UpdateUserPoolClient_RequestSyntax) **   <a name="CognitoUserPools-UpdateUserPoolClient-request-IdTokenValidity"></a>
The ID token time limit. After this limit expires, your user can't use their ID token. To specify the time unit for `IdTokenValidity` as `seconds`, `minutes`, `hours`, or `days`, set a `TokenValidityUnits` value in your API request.  
For example, when you set `IdTokenValidity` as `10` and `TokenValidityUnits` as `hours`, your user can authenticate their session with their ID token for 10 hours.  
The default time unit for `IdTokenValidity` in an API request is hours. *Valid range* is displayed below in seconds.  
If you don't specify otherwise in the configuration of your app client, your ID tokens are valid for one hour.  
Type: Integer  
Valid Range: Minimum value of 1. Maximum value of 86400.  
Required: No

 ** [LogoutURLs](#API_UpdateUserPoolClient_RequestSyntax) **   <a name="CognitoUserPools-UpdateUserPoolClient-request-LogoutURLs"></a>
A list of allowed logout URLs for managed login authentication. When you pass `logout_uri` and `client_id` parameters to `/logout`, Amazon Cognito signs out your user and redirects them to the logout URL. This parameter describes the URLs that you want to be the permitted targets of `logout_uri`. A typical use of these URLs is when a user selects "Sign out" and you redirect them to your public homepage. For more information, see [Logout endpoint](https://docs.aws.amazon.com/cognito/latest/developerguide/logout-endpoint.html).  
Type: Array of strings  
Array Members: Minimum number of 0 items. Maximum number of 100 items.  
Length Constraints: Minimum length of 1. Maximum length of 1024.  
Pattern: `[\p{L}\p{M}\p{S}\p{N}\p{P}]+`   
Required: No

 ** [PreventUserExistenceErrors](#API_UpdateUserPoolClient_RequestSyntax) **   <a name="CognitoUserPools-UpdateUserPoolClient-request-PreventUserExistenceErrors"></a>
When `ENABLED`, suppresses messages that might indicate a valid user exists when someone attempts sign-in. This parameters sets your preference for the errors and responses that you want Amazon Cognito APIs to return during authentication, account confirmation, and password recovery when the user doesn't exist in the user pool. When set to `ENABLED` and the user doesn't exist, authentication returns an error indicating either the username or password was incorrect. Account confirmation and password recovery return a response indicating a code was sent to a simulated destination. When set to `LEGACY`, those APIs return a `UserNotFoundException` exception if the user doesn't exist in the user pool.  
Defaults to `LEGACY`.  
This setting affects the behavior of the following API operations.  
+  [AdminInitiateAuth](API_AdminInitiateAuth.md) 
+  [AdminRespondToAuthChallenge](API_AdminRespondToAuthChallenge.md) 
+  [InitiateAuth](API_InitiateAuth.md) 
+  [RespondToAuthChallenge](API_RespondToAuthChallenge.md) 
+  [ForgotPassword](API_ForgotPassword.md) 
+  [ConfirmForgotPassword](API_ConfirmForgotPassword.md) 
+  [ConfirmSignUp](API_ConfirmSignUp.md) 
+  [ResendConfirmationCode](API_ResendConfirmationCode.md) 
Type: String  
Valid Values: `LEGACY | ENABLED`   
Required: No

 ** [ReadAttributes](#API_UpdateUserPoolClient_RequestSyntax) **   <a name="CognitoUserPools-UpdateUserPoolClient-request-ReadAttributes"></a>
The list of user attributes that you want your app client to have read access to. After your user authenticates in your app, their access token authorizes them to read their own attribute value for any attribute in this list.  
An example of this kind of activity is when your user selects a link to view their profile information. Your app makes a [GetUser](API_GetUser.md) API request to retrieve and display your user's profile data.  
When you don't specify the `ReadAttributes` for your app client, your app can read the values of `email_verified`, `phone_number_verified`, and the standard attributes of your user pool. When your user pool app client has read access to these default attributes, `ReadAttributes` doesn't return any information. Amazon Cognito only populates `ReadAttributes` in the API response if you have specified your own custom set of read attributes.  
Type: Array of strings  
Length Constraints: Minimum length of 1. Maximum length of 2048.  
Required: No

 ** [RefreshTokenRotation](#API_UpdateUserPoolClient_RequestSyntax) **   <a name="CognitoUserPools-UpdateUserPoolClient-request-RefreshTokenRotation"></a>
The configuration of your app client for refresh token rotation. When enabled, your app client issues new ID, access, and refresh tokens when users renew their sessions with refresh tokens. When disabled, token refresh issues only ID and access tokens.  
Refresh token rotation must be completed with [GetTokensFromRefreshToken](API_GetTokensFromRefreshToken.md). With refresh token rotation disabled, you can complete token refresh with `GetTokensFromRefreshToken` and with `REFRESH_TOKEN_AUTH` in [InitiateAuth:AuthFlow](API_InitiateAuth.md#CognitoUserPools-InitiateAuth-request-AuthFlow) and [AdminInitiateAuth:AuthFlow](API_AdminInitiateAuth.md#CognitoUserPools-AdminInitiateAuth-request-AuthFlow).  
Type: [RefreshTokenRotationType](API_RefreshTokenRotationType.md) object  
Required: No

 ** [RefreshTokenValidity](#API_UpdateUserPoolClient_RequestSyntax) **   <a name="CognitoUserPools-UpdateUserPoolClient-request-RefreshTokenValidity"></a>
The refresh token time limit. After this limit expires, your user can't use their refresh token. To specify the time unit for `RefreshTokenValidity` as `seconds`, `minutes`, `hours`, or `days`, set a `TokenValidityUnits` value in your API request.  
For example, when you set `RefreshTokenValidity` as `10` and `TokenValidityUnits` as `days`, your user can refresh their session and retrieve new access and ID tokens for 10 days.  
The default time unit for `RefreshTokenValidity` in an API request is days. You can't set `RefreshTokenValidity` to 0. If you do, Amazon Cognito overrides the value with the default value of 30 days. *Valid range* is displayed below in seconds.  
If you don't specify otherwise in the configuration of your app client, your refresh tokens are valid for 30 days.  
Type: Integer  
Valid Range: Minimum value of 0. Maximum value of 315360000.  
Required: No

 ** [SupportedIdentityProviders](#API_UpdateUserPoolClient_RequestSyntax) **   <a name="CognitoUserPools-UpdateUserPoolClient-request-SupportedIdentityProviders"></a>
A list of provider names for the identity providers (IdPs) that are supported on this client. The following are supported: `COGNITO`, `Facebook`, `Google`, `SignInWithApple`, and `LoginWithAmazon`. You can also specify the names that you configured for the SAML and OIDC IdPs in your user pool, for example `MySAMLIdP` or `MyOIDCIdP`.  
This parameter sets the IdPs that [managed login](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-managed-login.html) will display on the login page for your app client. The removal of `COGNITO` from this list doesn't prevent authentication operations for local users with the user pools API in an AWS SDK. The only way to prevent SDK-based authentication is to block access with a [AWS WAF rule](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-waf.html).   
Type: Array of strings  
Length Constraints: Minimum length of 1. Maximum length of 32.  
Pattern: `[\p{L}\p{M}\p{S}\p{N}\p{P}\p{Z}]+`   
Required: No

 ** [TokenValidityUnits](#API_UpdateUserPoolClient_RequestSyntax) **   <a name="CognitoUserPools-UpdateUserPoolClient-request-TokenValidityUnits"></a>
The units that validity times are represented in. The default unit for refresh tokens is days, and the default for ID and access tokens are hours.  
Type: [TokenValidityUnitsType](API_TokenValidityUnitsType.md) object  
Required: No

 ** [UserPoolId](#API_UpdateUserPoolClient_RequestSyntax) **   <a name="CognitoUserPools-UpdateUserPoolClient-request-UserPoolId"></a>
The ID of the user pool where you want to update the app client.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 55.  
Pattern: `[\w-]+_[0-9a-zA-Z]+`   
Required: Yes

 ** [WriteAttributes](#API_UpdateUserPoolClient_RequestSyntax) **   <a name="CognitoUserPools-UpdateUserPoolClient-request-WriteAttributes"></a>
The list of user attributes that you want your app client to have write access to. After your user authenticates in your app, their access token authorizes them to set or modify their own attribute value for any attribute in this list.  
An example of this kind of activity is when you present your user with a form to update their profile information and they change their last name. Your app then makes an [UpdateUserAttributes](API_UpdateUserAttributes.md) API request and sets `family_name` to the new value.   
When you don't specify the `WriteAttributes` for your app client, your app can write the values of the Standard attributes of your user pool. When your user pool has write access to these default attributes, `WriteAttributes` doesn't return any information. Amazon Cognito only populates `WriteAttributes` in the API response if you have specified your own custom set of write attributes.  
If your app client allows users to sign in through an IdP, this array must include all attributes that you have mapped to IdP attributes. Amazon Cognito updates mapped attributes when users sign in to your application through an IdP. If your app client does not have write access to a mapped attribute, Amazon Cognito throws an error when it tries to update the attribute. For more information, see [Specifying IdP Attribute Mappings for Your user pool](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-specifying-attribute-mapping.html).  
Type: Array of strings  
Length Constraints: Minimum length of 1. Maximum length of 2048.  
Required: No

## Response Syntax


```
{
   "UserPoolClient": { 
      "AccessTokenValidity": number,
      "AllowedOAuthFlows": [ "string" ],
      "AllowedOAuthFlowsUserPoolClient": boolean,
      "AllowedOAuthScopes": [ "string" ],
      "AnalyticsConfiguration": { 
         "ApplicationArn": "string",
         "ApplicationId": "string",
         "ExternalId": "string",
         "RoleArn": "string",
         "UserDataShared": boolean
      },
      "AuthSessionValidity": number,
      "CallbackURLs": [ "string" ],
      "ClientId": "string",
      "ClientName": "string",
      "ClientSecret": "string",
      "CreationDate": number,
      "DefaultRedirectURI": "string",
      "EnablePropagateAdditionalUserContextData": boolean,
      "EnableTokenRevocation": boolean,
      "ExplicitAuthFlows": [ "string" ],
      "IdTokenValidity": number,
      "LastModifiedDate": number,
      "LogoutURLs": [ "string" ],
      "PreventUserExistenceErrors": "string",
      "ReadAttributes": [ "string" ],
      "RefreshTokenRotation": { 
         "Feature": "string",
         "RetryGracePeriodSeconds": number
      },
      "RefreshTokenValidity": number,
      "SupportedIdentityProviders": [ "string" ],
      "TokenValidityUnits": { 
         "AccessToken": "string",
         "IdToken": "string",
         "RefreshToken": "string"
      },
      "UserPoolId": "string",
      "WriteAttributes": [ "string" ]
   }
}
```

## Response Elements


If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

 ** [UserPoolClient](#API_UpdateUserPoolClient_ResponseSyntax) **   <a name="CognitoUserPools-UpdateUserPoolClient-response-UserPoolClient"></a>
The updated details of your app client.  
Type: [UserPoolClientType](API_UserPoolClientType.md) object

## Errors


For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).

 ** ConcurrentModificationException **   
This exception is thrown if two or more modifications are happening concurrently.    
 ** message **   
The message provided when the concurrent exception is thrown.
HTTP Status Code: 400

 ** FeatureUnavailableInTierException **   
This exception is thrown when a feature you attempted to configure isn't available in your current feature plan.  
HTTP Status Code: 400

 ** InternalErrorException **   
This exception is thrown when Amazon Cognito encounters an internal error.    
 ** message **   
The message returned when Amazon Cognito throws an internal error exception.
HTTP Status Code: 500

 ** InvalidOAuthFlowException **   
This exception is thrown when the specified OAuth flow is not valid.  
HTTP Status Code: 400

 ** InvalidParameterException **   
This exception is thrown when the Amazon Cognito service encounters an invalid parameter.    
 ** message **   
The message returned when the Amazon Cognito service throws an invalid parameter exception.  
 ** reasonCode **   
The reason code of the exception.
HTTP Status Code: 400

 ** NotAuthorizedException **   
This exception is thrown when a user isn't authorized.    
 ** message **   
The message returned when the Amazon Cognito service returns a not authorized exception.
HTTP Status Code: 400

 ** ResourceNotFoundException **   
This exception is thrown when the Amazon Cognito service can't find the requested resource.    
 ** message **   
The message returned when the Amazon Cognito service returns a resource not found exception.
HTTP Status Code: 400

 ** ScopeDoesNotExistException **   
This exception is thrown when the specified scope doesn't exist.  
HTTP Status Code: 400

 ** TooManyRequestsException **   
This exception is thrown when the user has made too many requests for a given operation.    
 ** message **   
The message returned when the Amazon Cognito service returns a too many requests exception.
HTTP Status Code: 400

## Examples


### Example


The following example request updates an app client.

#### Sample Request


```
POST HTTP/1.1
Host: cognito-idp.us-west-2.amazonaws.com
X-Amz-Date: 20230613T200059Z
Accept-Encoding: gzip, deflate, br
X-Amz-Target: AWSCognitoIdentityProviderService.UpdateUserPoolClient
User-Agent: <UserAgentString>
Authorization: AWS4-HMAC-SHA256 Credential=<Credential>, SignedHeaders=<Headers>, Signature=<Signature>
Content-Length: <PayloadSizeBytes>
{
        "UserPoolId": "us-west-2_EXAMPLE",
        "ClientName": "my-test-app",
        "ClientId": "1example23456789",
        "RefreshTokenValidity": 30,
        "AccessTokenValidity": 60,
        "IdTokenValidity": 60,
        "TokenValidityUnits": {
            "AccessToken": "minutes",
            "IdToken": "minutes",
            "RefreshToken": "days"
        },
        "ReadAttributes": [
            "address",
            "birthdate",
            "custom:state",
            "custom:accesstoken",
            "custom:idtoken",
            "email",
            "email_verified",
            "family_name",
            "gender",
            "locale",
            "middle_name",
            "name",
            "nickname",
            "phone_number",
            "phone_number_verified",
            "picture",
            "preferred_username",
            "profile",
            "updated_at",
            "website",
            "zoneinfo"
        ],
        "WriteAttributes": [
            "address",
            "birthdate",
            "custom:state",
            "custom:accesstoken",
            "custom:idtoken",
            "email",
            "family_name",
            "gender",
            "locale",
            "middle_name",
            "name",
            "nickname",
            "phone_number",
            "picture",
            "preferred_username",
            "profile",
            "updated_at",
            "website",
            "zoneinfo"
        ],
        "ExplicitAuthFlows": [
            "ALLOW_ADMIN_USER_PASSWORD_AUTH",
            "ALLOW_CUSTOM_AUTH",
            "ALLOW_REFRESH_TOKEN_AUTH",
            "ALLOW_USER_PASSWORD_AUTH",
            "ALLOW_USER_SRP_AUTH"
        ],
        "SupportedIdentityProviders": [
            "MYSSO",
            "COGNITO",
            "Google"
        ],
        "CallbackURLs": [
            "https://www.example.com",
            "https://app2.example.com"
        ],
        "LogoutURLs": [
            "https://auth.example.com/login?client_id=1example23456789&response_type=code&redirect_uri=https%3A%2F%2Fwww.example.com",
            "https://example.com/logout"
        ],
        "AllowedOAuthFlows": [
            "code",
            "implicit"
        ],
        "AllowedOAuthScopes": [
            "aws.cognito.signin.user.admin",
            "email",
            "openid",
            "phone",
            "profile"
        ],
        "AllowedOAuthFlowsUserPoolClient": true,
        "AnalyticsConfiguration": {
            "ApplicationArn": "arn:aws:mobiletargeting:us-west-2:123456789012:apps/555666example",
            "UserDataShared": true
        },
        "PreventUserExistenceErrors": "LEGACY",
        "EnableTokenRevocation": true,
        "EnablePropagateAdditionalUserContextData": false,
        "AuthSessionValidity": 3
}
```

#### Sample Response


```
HTTP/1.1 200 OK
Date: Tue, 13 Jun 2023 20:00:59 GMT
Content-Type: application/x-amz-json-1.0
Content-Length: <PayloadSizeBytes>
x-amzn-requestid: a1b2c3d4-e5f6-a1b2-c3d4-EXAMPLE11111
Connection: keep-alive
{
    "UserPoolClient": {
        "AccessTokenValidity": 60,
        "AllowedOAuthFlows": [
            "implicit",
            "code"
        ],
        "AllowedOAuthFlowsUserPoolClient": true,
        "AllowedOAuthScopes": [
            "aws.cognito.signin.user.admin",
            "phone",
            "openid",
            "profile",
            "email"
        ],
        "AnalyticsConfiguration": {
            "ApplicationArn": "arn:aws:mobiletargeting:us-west-2:123456789012:apps/555666example",
            "RoleArn": "arn:aws:iam::123456789012:role/aws-service-role/cognito-idp.amazonaws.com/AWSServiceRoleForAmazonCognitoIdp",
            "UserDataShared": true
        },
        "AuthSessionValidity": 3,
        "CallbackURLs": [
            "https://www.example.com",
            "https://app2.example.com"
        ],
        "ClientId": "1example23456789",
        "ClientName": "my-test-app",
        "CreationDate": 1603840085.621,
        "EnablePropagateAdditionalUserContextData": false,
        "EnableTokenRevocation": true,
        "ExplicitAuthFlows": [
            "ALLOW_CUSTOM_AUTH",
            "ALLOW_USER_PASSWORD_AUTH",
            "ALLOW_ADMIN_USER_PASSWORD_AUTH",
            "ALLOW_USER_SRP_AUTH",
            "ALLOW_REFRESH_TOKEN_AUTH"
        ],
        "IdTokenValidity": 60,
        "LastModifiedDate": 1736445292.513,
        "LogoutURLs": [
            "https://auth.example.com/login?client_id=1example23456789&response_type=code&redirect_uri=https%3A%2F%2Fwww.example.com",
            "https://example.com/logout"
        ],
        "PreventUserExistenceErrors": "LEGACY",
        "ReadAttributes": [
            "address",
            "birthdate",
            "custom:state",
            "custom:accesstoken",
            "custom:idtoken",
            "email",
            "email_verified",
            "family_name",
            "gender",
            "locale",
            "middle_name",
            "name",
            "nickname",
            "phone_number",
            "phone_number_verified",
            "picture",
            "preferred_username",
            "profile",
            "updated_at",
            "website",
            "zoneinfo"
        ],
        "RefreshTokenValidity": 30,
        "SupportedIdentityProviders": [
            "MYSSO",
            "COGNITO",
            "Google"
        ],
        "TokenValidityUnits": {
            "AccessToken": "minutes",
            "IdToken": "minutes",
            "RefreshToken": "days"
        },
        "UserPoolId": "us-west-2_EXAMPLE",
        "WriteAttributes": [
            "address",
            "birthdate",
            "custom:state",
            "custom:accesstoken",
            "custom:idtoken",
            "email",
            "family_name",
            "gender",
            "locale",
            "middle_name",
            "name",
            "nickname",
            "phone_number",
            "picture",
            "preferred_username",
            "profile",
            "updated_at",
            "website",
            "zoneinfo"
        ]
    }
}
```

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cognito-idp-2016-04-18/UpdateUserPoolClient) 
+  [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cognito-idp-2016-04-18/UpdateUserPoolClient) 
+  [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/UpdateUserPoolClient) 
+  [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cognito-idp-2016-04-18/UpdateUserPoolClient) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/UpdateUserPoolClient) 
+  [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cognito-idp-2016-04-18/UpdateUserPoolClient) 
+  [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cognito-idp-2016-04-18/UpdateUserPoolClient) 
+  [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cognito-idp-2016-04-18/UpdateUserPoolClient) 
+  [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/UpdateUserPoolClient) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cognito-idp-2016-04-18/UpdateUserPoolClient) 

# UpdateUserPoolDomain


A user pool domain hosts managed login, an authorization server and web server for authentication in your application. This operation updates the branding version for user pool domains between `1` for hosted UI (classic) and `2` for managed login. It also updates the SSL certificate for user pool custom domains.

Changes to the domain branding version take up to one minute to take effect for a prefix domain and up to five minutes for a custom domain.

This operation doesn't change the name of your user pool domain. To change your domain, delete it with `DeleteUserPoolDomain` and create a new domain with `CreateUserPoolDomain`.

You can pass the ARN of a new AWS Certificate Manager certificate in this request. Typically, ACM certificates automatically renew and you user pool can continue to use the same ARN. But if you generate a new certificate for your custom domain name, replace the original configuration with the new ARN in this request.

ACM certificates for custom domains must be in the US East (N. Virginia) AWS Region. After you submit your request, Amazon Cognito requires up to 1 hour to distribute your new certificate to your custom domain.

For more information about adding a custom domain to your user pool, see [Configuring a user pool domain](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-add-custom-domain.html).

**Note**  
Amazon Cognito evaluates AWS Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM permission in a policy.  
 [Signing AWS API Requests](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html) 
 [Using the Amazon Cognito user pools API and user pool endpoints](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html) 

## Request Syntax


```
{
   "CustomDomainConfig": { 
      "CertificateArn": "string"
   },
   "Domain": "string",
   "ManagedLoginVersion": number,
   "UserPoolId": "string"
}
```

## Request Parameters


For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).

The request accepts the following data in JSON format.

 ** [CustomDomainConfig](#API_UpdateUserPoolDomain_RequestSyntax) **   <a name="CognitoUserPools-UpdateUserPoolDomain-request-CustomDomainConfig"></a>
The configuration for a custom domain that hosts managed login for your application. In an `UpdateUserPoolDomain` request, this parameter specifies an SSL certificate for the managed login hosted webserver. The certificate must be an ACM ARN in `us-east-1`.  
When you create a custom domain, the passkey RP ID defaults to the custom domain. If you had a prefix domain active, this will cause passkey integration for your prefix domain to stop working due to a mismatch in RP ID. To keep the prefix domain passkey integration working, you can explicitly set RP ID to the prefix domain.  
Update the RP ID in a [SetUserPoolMfaConfig](API_SetUserPoolMfaConfig.md) request.  
Type: [CustomDomainConfigType](API_CustomDomainConfigType.md) object  
Required: No

 ** [Domain](#API_UpdateUserPoolDomain_RequestSyntax) **   <a name="CognitoUserPools-UpdateUserPoolDomain-request-Domain"></a>
The name of the domain that you want to update. For custom domains, this is the fully-qualified domain name, for example `auth.example.com`. For prefix domains, this is the prefix alone, such as `myprefix`.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 63.  
Pattern: `^[a-z0-9](?:[a-z0-9\-]{0,61}[a-z0-9])?$`   
Required: Yes

 ** [ManagedLoginVersion](#API_UpdateUserPoolDomain_RequestSyntax) **   <a name="CognitoUserPools-UpdateUserPoolDomain-request-ManagedLoginVersion"></a>
A version number that indicates the state of managed login for your domain. Version `1` is hosted UI (classic). Version `2` is the newer managed login with the branding editor. For more information, see [Managed login](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-managed-login.html).  
Type: Integer  
Required: No

 ** [UserPoolId](#API_UpdateUserPoolDomain_RequestSyntax) **   <a name="CognitoUserPools-UpdateUserPoolDomain-request-UserPoolId"></a>
The ID of the user pool that is associated with the domain you're updating.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 55.  
Pattern: `[\w-]+_[0-9a-zA-Z]+`   
Required: Yes

## Response Syntax


```
{
   "CloudFrontDomain": "string",
   "ManagedLoginVersion": number
}
```

## Response Elements


If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

 ** [CloudFrontDomain](#API_UpdateUserPoolDomain_ResponseSyntax) **   <a name="CognitoUserPools-UpdateUserPoolDomain-response-CloudFrontDomain"></a>
The fully-qualified domain name (FQDN) of the Amazon CloudFront distribution that hosts your managed login or classic hosted UI pages. You domain-name authority must have an alias record that points requests for your custom domain to this FQDN. Amazon Cognito returns this value if you set a custom domain with `CustomDomainConfig`. If you set an Amazon Cognito prefix domain, this operation returns a blank response.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 63.  
Pattern: `^[a-z0-9](?:[a-z0-9\-]{0,61}[a-z0-9])?$` 

 ** [ManagedLoginVersion](#API_UpdateUserPoolDomain_ResponseSyntax) **   <a name="CognitoUserPools-UpdateUserPoolDomain-response-ManagedLoginVersion"></a>
A version number that indicates the state of managed login for your domain. Version `1` is hosted UI (classic). Version `2` is the newer managed login with the branding editor. For more information, see [Managed login](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-managed-login.html).  
Type: Integer

## Errors


For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).

 ** ConcurrentModificationException **   
This exception is thrown if two or more modifications are happening concurrently.    
 ** message **   
The message provided when the concurrent exception is thrown.
HTTP Status Code: 400

 ** FeatureUnavailableInTierException **   
This exception is thrown when a feature you attempted to configure isn't available in your current feature plan.  
HTTP Status Code: 400

 ** InternalErrorException **   
This exception is thrown when Amazon Cognito encounters an internal error.    
 ** message **   
The message returned when Amazon Cognito throws an internal error exception.
HTTP Status Code: 500

 ** InvalidParameterException **   
This exception is thrown when the Amazon Cognito service encounters an invalid parameter.    
 ** message **   
The message returned when the Amazon Cognito service throws an invalid parameter exception.  
 ** reasonCode **   
The reason code of the exception.
HTTP Status Code: 400

 ** NotAuthorizedException **   
This exception is thrown when a user isn't authorized.    
 ** message **   
The message returned when the Amazon Cognito service returns a not authorized exception.
HTTP Status Code: 400

 ** ResourceNotFoundException **   
This exception is thrown when the Amazon Cognito service can't find the requested resource.    
 ** message **   
The message returned when the Amazon Cognito service returns a resource not found exception.
HTTP Status Code: 400

 ** TooManyRequestsException **   
This exception is thrown when the user has made too many requests for a given operation.    
 ** message **   
The message returned when the Amazon Cognito service returns a too many requests exception.
HTTP Status Code: 400

## Examples


### Example


The following example request configures an ACM certificate and sets the managed login branding version to 2 for a custom domain.

#### Sample Request


```
POST HTTP/1.1
Host: cognito-idp.ca-central-1.amazonaws.com
X-Amz-Date: 20230613T200059Z
Accept-Encoding: gzip, deflate, br
X-Amz-Target: AWSCognitoIdentityProviderService.UpdateUserPoolDomain
User-Agent: <UserAgentString>
Authorization: AWS4-HMAC-SHA256 Credential=<Credential>, SignedHeaders=<Headers>, Signature=<Signature>
Content-Length: <PayloadSizeBytes>
{
   "CustomDomainConfig": {
      "CertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
   },
   "Domain": "auth.example.com",
   "ManagedLoginVersion": 2,
   "UserPoolId": "ca-central-1_EXAMPLE"
}
```

#### Sample Response


```
HTTP/1.1 200 OK
Date: Tue, 13 Jun 2023 20:00:59 GMT
Content-Type: application/x-amz-json-1.0
Content-Length: <PayloadSizeBytes>
x-amzn-requestid: a1b2c3d4-e5f6-a1b2-c3d4-EXAMPLE11111
Connection: keep-alive
{
    "CloudFrontDomain": "example.cloudfront.net",
    "ManagedLoginVersion": 2
}
```

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cognito-idp-2016-04-18/UpdateUserPoolDomain) 
+  [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cognito-idp-2016-04-18/UpdateUserPoolDomain) 
+  [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/UpdateUserPoolDomain) 
+  [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cognito-idp-2016-04-18/UpdateUserPoolDomain) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/UpdateUserPoolDomain) 
+  [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cognito-idp-2016-04-18/UpdateUserPoolDomain) 
+  [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cognito-idp-2016-04-18/UpdateUserPoolDomain) 
+  [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cognito-idp-2016-04-18/UpdateUserPoolDomain) 
+  [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/UpdateUserPoolDomain) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cognito-idp-2016-04-18/UpdateUserPoolDomain) 

# VerifySoftwareToken


Registers the current user's time-based one-time password (TOTP) authenticator with a code generated in their authenticator app from a private key that's supplied by your user pool. Marks the user's software token MFA status as "verified" if successful. The request takes an access token or a session string, but not both.

**Note**  
Amazon Cognito doesn't evaluate AWS Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you can't use IAM credentials to authorize requests, and you can't grant IAM permissions in policies. For more information about authorization models in Amazon Cognito, see [Using the Amazon Cognito user pools API and user pool endpoints](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html).

## Request Syntax


```
{
   "AccessToken": "string",
   "FriendlyDeviceName": "string",
   "Session": "string",
   "UserCode": "string"
}
```

## Request Parameters


For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).

The request accepts the following data in JSON format.

 ** [AccessToken](#API_VerifySoftwareToken_RequestSyntax) **   <a name="CognitoUserPools-VerifySoftwareToken-request-AccessToken"></a>
A valid access token that Amazon Cognito issued to the currently signed-in user. Must include a scope claim for `aws.cognito.signin.user.admin`.  
Type: String  
Pattern: `[A-Za-z0-9-_=.]+`   
Required: No

 ** [FriendlyDeviceName](#API_VerifySoftwareToken_RequestSyntax) **   <a name="CognitoUserPools-VerifySoftwareToken-request-FriendlyDeviceName"></a>
A friendly name for the device that's running the TOTP authenticator.  
Type: String  
Length Constraints: Minimum length of 0. Maximum length of 131072.  
Required: No

 ** [Session](#API_VerifySoftwareToken_RequestSyntax) **   <a name="CognitoUserPools-VerifySoftwareToken-request-Session"></a>
The session ID from an `AssociateSoftwareToken` request.  
Type: String  
Length Constraints: Minimum length of 20. Maximum length of 2048.  
Required: No

 ** [UserCode](#API_VerifySoftwareToken_RequestSyntax) **   <a name="CognitoUserPools-VerifySoftwareToken-request-UserCode"></a>
A TOTP that the user generated in their configured authenticator app.  
Type: String  
Length Constraints: Fixed length of 6.  
Pattern: `[0-9]+`   
Required: Yes

## Response Syntax


```
{
   "Session": "string",
   "Status": "string"
}
```

## Response Elements


If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

 ** [Session](#API_VerifySoftwareToken_ResponseSyntax) **   <a name="CognitoUserPools-VerifySoftwareToken-response-Session"></a>
This session ID satisfies an `MFA_SETUP` challenge. Supply the session ID in your challenge response.  
Operations that can return an `MFA_SETUP` challenge include [InitiateAuth](API_InitiateAuth.md), [AdminInitiateAuth](API_AdminInitiateAuth.md), [RespondToAuthChallenge](API_RespondToAuthChallenge.md), and [AdminRespondToAuthChallenge](API_AdminRespondToAuthChallenge.md).  
Type: String  
Length Constraints: Minimum length of 20. Maximum length of 2048.

 ** [Status](#API_VerifySoftwareToken_ResponseSyntax) **   <a name="CognitoUserPools-VerifySoftwareToken-response-Status"></a>
Amazon Cognito can accept or reject the code that you provide. This response parameter indicates the success of TOTP verification. Some reasons that this operation might return an error are clock skew on the user's device and excessive retries.  
Type: String  
Valid Values: `SUCCESS | ERROR` 

## Errors


For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).

 ** CodeMismatchException **   
This exception is thrown if the provided code doesn't match what the server was expecting.    
 ** message **   
The message provided when the code mismatch exception is thrown.
HTTP Status Code: 400

 ** EnableSoftwareTokenMFAException **   
This exception is thrown when there is a code mismatch and the service fails to configure the software token TOTP multi-factor authentication (MFA).  
HTTP Status Code: 400

 ** ForbiddenException **   
This exception is thrown when AWS WAF doesn't allow your request based on a web ACL that's associated with your user pool.    
 ** message **   
The message returned when AWS WAF doesn't allow your request based on a web ACL that's associated with your user pool.
HTTP Status Code: 400

 ** InternalErrorException **   
This exception is thrown when Amazon Cognito encounters an internal error.    
 ** message **   
The message returned when Amazon Cognito throws an internal error exception.
HTTP Status Code: 500

 ** InvalidParameterException **   
This exception is thrown when the Amazon Cognito service encounters an invalid parameter.    
 ** message **   
The message returned when the Amazon Cognito service throws an invalid parameter exception.  
 ** reasonCode **   
The reason code of the exception.
HTTP Status Code: 400

 ** InvalidUserPoolConfigurationException **   
This exception is thrown when the user pool configuration is not valid.    
 ** message **   
The message returned when the user pool configuration is not valid.
HTTP Status Code: 400

 ** NotAuthorizedException **   
This exception is thrown when a user isn't authorized.    
 ** message **   
The message returned when the Amazon Cognito service returns a not authorized exception.
HTTP Status Code: 400

 ** NotAuthorizedException **   
This exception is thrown when a user isn't authorized.    
 ** message **   
The message returned when the Amazon Cognito service returns a not authorized exception.
HTTP Status Code: 400

 ** PasswordResetRequiredException **   
This exception is thrown when a password reset is required.    
 ** message **   
The message returned when a password reset is required.
HTTP Status Code: 400

 ** ResourceNotFoundException **   
This exception is thrown when the Amazon Cognito service can't find the requested resource.    
 ** message **   
The message returned when the Amazon Cognito service returns a resource not found exception.
HTTP Status Code: 400

 ** SoftwareTokenMFANotFoundException **   
This exception is thrown when the software token time-based one-time password (TOTP) multi-factor authentication (MFA) isn't activated for the user pool.  
HTTP Status Code: 400

 ** TooManyRequestsException **   
This exception is thrown when the user has made too many requests for a given operation.    
 ** message **   
The message returned when the Amazon Cognito service returns a too many requests exception.
HTTP Status Code: 400

 ** UserNotConfirmedException **   
This exception is thrown when a user isn't confirmed successfully.    
 ** message **   
The message returned when a user isn't confirmed successfully.
HTTP Status Code: 400

 ** UserNotFoundException **   
This exception is thrown when a user isn't found.    
 ** message **   
The message returned when a user isn't found.
HTTP Status Code: 400

## Examples


### Example


The following example request activates TOTP MFA for the current user.

#### Sample Request


```
POST HTTP/1.1
Host: cognito-idp.us-west-2.amazonaws.com
X-Amz-Date: 20230613T200059Z
Accept-Encoding: gzip, deflate, br
X-Amz-Target: AWSCognitoIdentityProviderService.VerifySoftwareToken
User-Agent: <UserAgentString>
Authorization: AWS4-HMAC-SHA256 Credential=<Credential>, SignedHeaders=<Headers>, Signature=<Signature>
Content-Length: <PayloadSizeBytes>
{
   "AccessToken": "eyJra456defEXAMPLE",
   "FriendlyDeviceName": "MyAuthenticatorApp",
   "UserCode": "123456"
}
```

#### Sample Response


```
HTTP/1.1 200 OK
Date: Tue, 13 Jun 2023 20:00:59 GMT
Content-Type: application/x-amz-json-1.0
Content-Length: <PayloadSizeBytes>
x-amzn-requestid: a1b2c3d4-e5f6-a1b2-c3d4-EXAMPLE11111
Connection: keep-alive
{
	"Status": "SUCCESS"
}
```

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cognito-idp-2016-04-18/VerifySoftwareToken) 
+  [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cognito-idp-2016-04-18/VerifySoftwareToken) 
+  [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/VerifySoftwareToken) 
+  [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cognito-idp-2016-04-18/VerifySoftwareToken) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/VerifySoftwareToken) 
+  [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cognito-idp-2016-04-18/VerifySoftwareToken) 
+  [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cognito-idp-2016-04-18/VerifySoftwareToken) 
+  [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cognito-idp-2016-04-18/VerifySoftwareToken) 
+  [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/VerifySoftwareToken) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cognito-idp-2016-04-18/VerifySoftwareToken) 

# VerifyUserAttribute


Submits a verification code for a signed-in user who has added or changed a value of an auto-verified attribute. When successful, the user's attribute becomes verified and the attribute `email_verified` or `phone_number_verified` becomes `true`.

 If your user pool requires verification before Amazon Cognito updates the attribute value, this operation updates the affected attribute to its pending value.

See also [UserAttributeUpdateSettingsType](API_UserAttributeUpdateSettingsType.md). 

Authorize this action with a signed-in user's access token. It must include the scope `aws.cognito.signin.user.admin`.

**Note**  
Amazon Cognito doesn't evaluate AWS Identity and Access Management (IAM) policies in requests for this API operation. For this operation, you can't use IAM credentials to authorize requests, and you can't grant IAM permissions in policies. For more information about authorization models in Amazon Cognito, see [Using the Amazon Cognito user pools API and user pool endpoints](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html).

## Request Syntax


```
{
   "AccessToken": "string",
   "AttributeName": "string",
   "Code": "string"
}
```

## Request Parameters


For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).

The request accepts the following data in JSON format.

 ** [AccessToken](#API_VerifyUserAttribute_RequestSyntax) **   <a name="CognitoUserPools-VerifyUserAttribute-request-AccessToken"></a>
A valid access token that Amazon Cognito issued to the currently signed-in user. Must include a scope claim for `aws.cognito.signin.user.admin`.  
Type: String  
Pattern: `[A-Za-z0-9-_=.]+`   
Required: Yes

 ** [AttributeName](#API_VerifyUserAttribute_RequestSyntax) **   <a name="CognitoUserPools-VerifyUserAttribute-request-AttributeName"></a>
The name of the attribute that you want to verify.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 32.  
Pattern: `[\p{L}\p{M}\p{S}\p{N}\p{P}\t\n\r ]+`   
Required: Yes

 ** [Code](#API_VerifyUserAttribute_RequestSyntax) **   <a name="CognitoUserPools-VerifyUserAttribute-request-Code"></a>
The verification code that your user pool sent to the added or changed attribute, for example the user's email address.  
Type: String  
Length Constraints: Minimum length of 1. Maximum length of 2048.  
Pattern: `[\S]+`   
Required: Yes

## Response Elements


If the action is successful, the service sends back an HTTP 200 response with an empty HTTP body.

## Errors


For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).

 ** AliasExistsException **   
This exception is thrown when a user tries to confirm the account with an email address or phone number that has already been supplied as an alias for a different user profile. This exception indicates that an account with this email address or phone already exists in a user pool that you've configured to use email address or phone number as a sign-in alias.    
 ** message **   
The message that Amazon Cognito sends to the user when the value of an alias attribute is already linked to another user profile.
HTTP Status Code: 400

 ** CodeMismatchException **   
This exception is thrown if the provided code doesn't match what the server was expecting.    
 ** message **   
The message provided when the code mismatch exception is thrown.
HTTP Status Code: 400

 ** ExpiredCodeException **   
This exception is thrown if a code has expired.    
 ** message **   
The message returned when the expired code exception is thrown.
HTTP Status Code: 400

 ** ForbiddenException **   
This exception is thrown when AWS WAF doesn't allow your request based on a web ACL that's associated with your user pool.    
 ** message **   
The message returned when AWS WAF doesn't allow your request based on a web ACL that's associated with your user pool.
HTTP Status Code: 400

 ** InternalErrorException **   
This exception is thrown when Amazon Cognito encounters an internal error.    
 ** message **   
The message returned when Amazon Cognito throws an internal error exception.
HTTP Status Code: 500

 ** InvalidParameterException **   
This exception is thrown when the Amazon Cognito service encounters an invalid parameter.    
 ** message **   
The message returned when the Amazon Cognito service throws an invalid parameter exception.  
 ** reasonCode **   
The reason code of the exception.
HTTP Status Code: 400

 ** LimitExceededException **   
This exception is thrown when a user exceeds the limit for a requested AWS resource.    
 ** message **   
The message returned when Amazon Cognito throws a limit exceeded exception.
HTTP Status Code: 400

 ** NotAuthorizedException **   
This exception is thrown when a user isn't authorized.    
 ** message **   
The message returned when the Amazon Cognito service returns a not authorized exception.
HTTP Status Code: 400

 ** PasswordResetRequiredException **   
This exception is thrown when a password reset is required.    
 ** message **   
The message returned when a password reset is required.
HTTP Status Code: 400

 ** ResourceNotFoundException **   
This exception is thrown when the Amazon Cognito service can't find the requested resource.    
 ** message **   
The message returned when the Amazon Cognito service returns a resource not found exception.
HTTP Status Code: 400

 ** TooManyRequestsException **   
This exception is thrown when the user has made too many requests for a given operation.    
 ** message **   
The message returned when the Amazon Cognito service returns a too many requests exception.
HTTP Status Code: 400

 ** UserNotConfirmedException **   
This exception is thrown when a user isn't confirmed successfully.    
 ** message **   
The message returned when a user isn't confirmed successfully.
HTTP Status Code: 400

 ** UserNotFoundException **   
This exception is thrown when a user isn't found.    
 ** message **   
The message returned when a user isn't found.
HTTP Status Code: 400

## Examples


### Example


The following example request verifies the email attribute for the current user with a code that was sent in an email message to them.

#### Sample Request


```
POST HTTP/1.1
Host: cognito-idp.us-west-2.amazonaws.com
X-Amz-Date: 20230613T200059Z
Accept-Encoding: gzip, deflate, br
X-Amz-Target: AWSCognitoIdentityProviderService.VerifyUserAttribute
User-Agent: <UserAgentString>
Authorization: AWS4-HMAC-SHA256 Credential=<Credential>, SignedHeaders=<Headers>, Signature=<Signature>
Content-Length: <PayloadSizeBytes>
{
   "AccessToken": "eyJra456defEXAMPLE",
   "AttributeName": "email",
   "Code": "123456"
}
```

#### Sample Response


```
HTTP/1.1 200 OK
Date: Tue, 13 Jun 2023 20:00:59 GMT
Content-Type: application/x-amz-json-1.0
Content-Length: <PayloadSizeBytes>
x-amzn-requestid: a1b2c3d4-e5f6-a1b2-c3d4-EXAMPLE11111
Connection: keep-alive
{}
```

## See Also


For more information about using this API in one of the language-specific AWS SDKs, see the following:
+  [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/cognito-idp-2016-04-18/VerifyUserAttribute) 
+  [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/cognito-idp-2016-04-18/VerifyUserAttribute) 
+  [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/VerifyUserAttribute) 
+  [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/cognito-idp-2016-04-18/VerifyUserAttribute) 
+  [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/VerifyUserAttribute) 
+  [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/cognito-idp-2016-04-18/VerifyUserAttribute) 
+  [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/cognito-idp-2016-04-18/VerifyUserAttribute) 
+  [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/cognito-idp-2016-04-18/VerifyUserAttribute) 
+  [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/VerifyUserAttribute) 
+  [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/cognito-idp-2016-04-18/VerifyUserAttribute)