Package-level declarations
Types
With the Amazon Cognito user pools API, you can configure user pools and authenticate users. To authenticate users from third-party identity providers (IdPs) in this API, you can link IdP users to native user profiles. Learn more about the authentication and authorization of federated users at Adding user pool sign-in through a third party and in the User pool federation endpoints and hosted UI reference.
Functions
Adds additional user attributes to the user pool schema.
Adds a user to a group. A user who is in a group can present a preferred-role claim to an identity pool, and populates a cognito:groups claim to their access and identity tokens.
This IAM-authenticated API operation provides a code that Amazon Cognito sent to your user when they signed up in your user pool. After your user enters their code, they confirm ownership of the email address or phone number that they provided, and their user account becomes active. Depending on your user pool configuration, your users will receive their confirmation code in an email or SMS message.
Creates a new user in the specified user pool.
Deletes a user as an administrator. Works on any user.
Deletes the user attributes in a user pool as an administrator. Works on any user.
Prevents the user from signing in with the specified external (SAML or social) identity provider (IdP). If the user that you want to deactivate is an Amazon Cognito user pools native username + password user, they can't use their password to sign in. If the user to deactivate is a linked external IdP user, any link between that user and an existing user is removed. When the external user signs in again, and the user is no longer attached to the previously linked DestinationUser, the user must create a new user account. See AdminLinkProviderForUser.
Deactivates a user and revokes all access tokens for the user. A deactivated user can't sign in, but still appears in the responses to GetUser and ListUsers API requests.
Enables the specified user as an administrator. Works on any user.
Forgets the device, as an administrator.
Gets the device, as an administrator.
Gets the specified user by user name in a user pool as an administrator. Works on any user.
Initiates the authentication flow, as an administrator.
Links an existing user account in a user pool (DestinationUser) to an identity from an external IdP (SourceUser) based on a specified attribute name and value from the external IdP. This allows you to create a link from the existing user account to an external federated user identity that has not yet been used to sign in. You can then use the federated user identity to sign in as the existing user account.
Lists devices, as an administrator.
Lists the groups that a user belongs to.
A history of user activity and any risks detected as part of Amazon Cognito advanced security.
Removes the specified user from the specified group.
Resets the specified user's password in a user pool as an administrator. Works on any user.
Some API operations in a user pool generate a challenge, like a prompt for an MFA code, for device authentication that bypasses MFA, or for a custom authentication challenge. An AdminRespondToAuthChallenge API request provides the answer to that challenge, like a code or a secure remote password (SRP). The parameters of a response to an authentication challenge vary with the type of challenge.
The user's multi-factor authentication (MFA) preference, including which MFA options are activated, and if any are preferred. Only one factor can be set as preferred. The preferred MFA factor will be used to authenticate a user if multiple factors are activated. If multiple options are activated and no preference is set, a challenge to choose an MFA option will be returned during sign-in.
Sets the specified user's password in a user pool as an administrator. Works on any user.
This action is no longer supported. You can use it to configure only SMS MFA. You can't use it to configure time-based one-time password (TOTP) software token MFA. To configure either type of MFA, use AdminSetUserMFAPreference instead.
Provides feedback for an authentication event indicating if it was from a valid user. This feedback is used for improving the risk evaluation decision for the user pool as part of Amazon Cognito advanced security.
Updates the device status as an administrator.
This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers require you to register an origination phone number before you can send SMS messages to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a phone number with Amazon Pinpoint. Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must receive SMS messages might not be able to sign up, activate their accounts, or sign in.
Invalidates the identity, access, and refresh tokens that Amazon Cognito issued to a user. Call this operation with your administrative credentials when your user signs out of your app. This results in the following behavior.
Begins setup of time-based one-time password (TOTP) multi-factor authentication (MFA) for a user, with a unique private key that Amazon Cognito generates and returns in the API response. You can authorize an AssociateSoftwareToken request with either the user's access token, or a session string from a challenge response that you received from Amazon Cognito.
Changes the password for a specified user in a user pool.
Confirms tracking of the device. This API call is the call that begins device tracking. For more information about device authentication, see Working with user devices in your user pool.
Allows a user to enter a confirmation code to reset a forgotten password.
This public API operation provides a code that Amazon Cognito sent to your user when they signed up in your user pool via the SignUp API operation. After your user enters their code, they confirm ownership of the email address or phone number that they provided, and their user account becomes active. Depending on your user pool configuration, your users will receive their confirmation code in an email or SMS message.
Creates a new group in the specified user pool.
Adds a configuration and trust relationship between a third-party identity provider (IdP) and a user pool.
Creates a new OAuth2.0 resource server and defines custom scopes within it.
Creates a user import job.
This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers require you to register an origination phone number before you can send SMS messages to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a phone number with Amazon Pinpoint. Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must receive SMS messages might not be able to sign up, activate their accounts, or sign in.
Creates the user pool client.
Creates a new domain for a user pool.
Deletes a group.
Deletes an IdP for a user pool.
Deletes a resource server.
Allows a user to delete their own user profile.
Deletes the attributes for a user.
Deletes the specified Amazon Cognito user pool.
Allows the developer to delete the user pool client.
Deletes a domain for a user pool.
Gets information about a specific IdP.
Describes a resource server.
Describes the risk configuration.
Describes the user import job.
Returns the configuration information and metadata of the specified user pool.
Client method for returning the configuration information and metadata of the specified user pool app client.
Gets information about a domain.
Forgets the specified device. For more information about device authentication, see Working with user devices in your user pool.
Calling this API causes a message to be sent to the end user with a confirmation code that is required to change the user's password. For the Username parameter, you can use the username or user alias. The confirmation code is sent according to the specified AccountRecoverySetting. For more information, see Recovering User Accounts in the Amazon Cognito Developer Guide. To use the confirmation code for resetting the password, call ConfirmForgotPassword.
Gets the header information for the comma-separated value (CSV) file to be used as input for the user import job.
Gets the device. For more information about device authentication, see Working with user devices in your user pool.
Gets a group.
Gets the specified IdP.
Gets the detailed activity logging configuration for a user pool.
This method takes a user pool ID, and returns the signing certificate. The issued certificate is valid for 10 years from the date of issue.
Gets the user interface (UI) Customization information for a particular app client's app UI, if any such information exists for the client. If nothing is set for the particular client, but there is an existing pool level customization (the app clientId is ALL), then that information is returned. If nothing is present, then an empty shape is returned.
Gets the user attributes and metadata for a user.
Generates a user attribute verification code for the specified attribute name. Sends a message to a user with a code that they must return in a VerifyUserAttribute request.
Gets the user pool multi-factor authentication (MFA) configuration.
Invalidates the identity, access, and refresh tokens that Amazon Cognito issued to a user. Call this operation when your user signs out of your app. This results in the following behavior.
Initiates sign-in for a user in the Amazon Cognito user directory. You can't sign in a user with a federated IdP with InitiateAuth. For more information, see Adding user pool sign-in through a third party.
Lists the sign-in devices that Amazon Cognito has registered to the current user. For more information about device authentication, see Working with user devices in your user pool.
Lists the groups associated with a user pool.
Lists information about all IdPs for a user pool.
Lists the resource servers for a user pool.
Lists the tags that are assigned to an Amazon Cognito user pool.
Lists user import jobs for a user pool.
Lists the clients that have been created for the specified user pool.
Lists the user pools associated with an Amazon Web Services account.
Lists users and their basic details in a user pool.
Lists the users in the specified group.
Resends the confirmation (for confirmation of registration) to a specific user in the user pool.
Some API operations in a user pool generate a challenge, like a prompt for an MFA code, for device authentication that bypasses MFA, or for a custom authentication challenge. A RespondToAuthChallenge API request provides the answer to that challenge, like a code or a secure remote password (SRP). The parameters of a response to an authentication challenge vary with the type of challenge.
Revokes all of the access tokens generated by, and at the same time as, the specified refresh token. After a token is revoked, you can't use the revoked token to access Amazon Cognito user APIs, or to authorize access to your resource server.
Sets up or modifies the detailed activity logging configuration of a user pool.
Configures actions on detected risks. To delete the risk configuration for UserPoolId or ClientId, pass null values for all four configuration types.
Sets the user interface (UI) customization information for a user pool's built-in app UI.
Set the user's multi-factor authentication (MFA) method preference, including which MFA factors are activated and if any are preferred. Only one factor can be set as preferred. The preferred MFA factor will be used to authenticate a user if multiple factors are activated. If multiple options are activated and no preference is set, a challenge to choose an MFA option will be returned during sign-in. If an MFA type is activated for a user, the user will be prompted for MFA during all sign-in attempts unless device tracking is turned on and the device has been trusted. If you want MFA to be applied selectively based on the assessed risk level of sign-in attempts, deactivate MFA for users and turn on Adaptive Authentication for the user pool.
Sets the user pool multi-factor authentication (MFA) configuration.
This action is no longer supported. You can use it to configure only SMS MFA. You can't use it to configure time-based one-time password (TOTP) software token MFA. To configure either type of MFA, use SetUserMFAPreference instead.
Registers the user in the specified user pool and creates a user name, password, and user attributes.
Starts the user import.
Stops the user import job.
Assigns a set of tags to an Amazon Cognito user pool. A tag is a label that you can use to categorize and manage user pools in different ways, such as by purpose, owner, environment, or other criteria.
Removes the specified tags from an Amazon Cognito user pool. You can use this action up to 5 times per second, per account.
Provides the feedback for an authentication event, whether it was from a valid user or not. This feedback is used for improving the risk evaluation decision for the user pool as part of Amazon Cognito advanced security.
Updates the device status. For more information about device authentication, see Working with user devices in your user pool.
Updates the specified group with the specified attributes.
Updates IdP information for a user pool.
Updates the name and scopes of a resource server. All other fields are read-only.
With this operation, your users can update one or more of their attributes with their own credentials. You authorize this API request with the user's access token. To delete an attribute from your user, submit the attribute in your API request with a blank value. Custom attribute values in this request must include the custom: prefix.
This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers require you to register an origination phone number before you can send SMS messages to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a phone number with Amazon Pinpoint. Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must receive SMS messages might not be able to sign up, activate their accounts, or sign in.
Updates the specified user pool app client with the specified attributes. You can get a list of the current user pool app client settings using DescribeUserPoolClient.
Updates the Secure Sockets Layer (SSL) certificate for the custom domain for your user pool.
Use this API to register a user's entered time-based one-time password (TOTP) code and mark the user's software token MFA status as "verified" if successful. The request takes an access token or a session string, but not both.
Verifies the specified user attributes in the user pool.
Create a copy of the client with one or more configuration values overridden. This method allows the caller to perform scoped config overrides for one or more client operations.