Package-level declarations
Types
The settings for user message delivery in forgot-password operations. Contains preference for email or SMS message delivery of password reset codes, or for admin-only password reset.
A list of account-takeover actions for each level of risk that Amazon Cognito might assess with threat protection features.
The automated response to a risk level for adaptive authentication in full-function, or ENFORCED, mode. You can assign an action to each risk level that threat protection evaluates.
The settings for automated responses and notification templates for adaptive authentication with threat protection features.
Represents the request to add custom attributes.
Represents the response from the server for the request to add custom attributes.
Confirm a user's registration as a user pool administrator.
Represents the response from the server for the request to confirm registration.
The settings for administrator creation of users in a user pool. Contains settings for allowing user sign-up, customizing invitation messages to new users, and the amount of time before temporary passwords expire.
Creates a new user in the specified user pool.
Represents the response from the server to the request to create the user.
Represents the request to delete user attributes as an administrator.
Represents the response received from the server for a request to delete user attributes.
Represents the request to delete a user as an administrator.
Represents the request to disable the user as an administrator.
Represents the response received from the server to disable the user as an administrator.
Represents the request that enables the user as an administrator.
Represents the response from the server for the request to enable a user as an administrator.
Sends the forgot device request, as an administrator.
Represents the request to get the device, as an administrator.
Gets the device response, as an administrator.
Represents the request to get the specified user as an administrator.
Represents the response from the server to the request to get the specified user as an administrator.
Initiates the authorization request, as an administrator.
Initiates the authentication response, as an administrator.
Represents the request to list devices, as an administrator.
Lists the device's response, as an administrator.
Represents the request to reset a user's password as an administrator.
Represents the response from the server to reset a user password as an administrator.
The request to respond to the authentication challenge, as an administrator.
Responds to the authentication challenge, as an administrator.
You can use this parameter to set an MFA configuration that uses the SMS delivery medium.
Represents the response from the server to set user settings as an administrator.
The request to update the device status, as an administrator.
The status response to the request to update the device, as an administrator.
Represents the request to update the user's attributes as an administrator.
Represents the response from the server for the request to update user attributes as an administrator.
The request to sign out of all devices, as an administrator.
The global sign-out response, as an administrator.
Threat protection configuration options for additional authentication types in your user pool, including custom authentication.
This exception is thrown when a user tries to confirm the account with an email address or phone number that has already been supplied as an alias for a different user profile. This exception indicates that an account with this email address or phone already exists in a user pool that you've configured to use email address or phone number as a sign-in alias.
The settings for Amazon Pinpoint analytics configuration. With an analytics configuration, your application can collect user-activity metrics for user notifications with an Amazon Pinpoint campaign.
Information that your application adds to authentication requests. Applies an endpoint ID to the analytics data that your user pool sends to Amazon Pinpoint.
The name and value of a user attribute.
The object that your application receives after authentication. Contains tokens and information for device authentication.
One authentication event that Amazon Cognito logged in a user pool with threat protection active. Contains user and device metadata and a risk assessment from your user pool.
The responses to the challenge that you received in the previous request. Each challenge has its own required response parameters. The following examples are partial JSON request bodies that highlight challenge-response parameters.
Represents the request to change a user password.
The response from the server to the change password request.
Configuration for the CloudWatch log group destination of user pool detailed activity logging, or of user activity log export with threat protection.
The delivery details for an email or SMS message that Amazon Cognito sent for authentication or verification.
This exception is thrown when a verification code fails to deliver successfully.
This exception is thrown if the provided code doesn't match what the server was expecting.
Base class for all service-related exceptions thrown by the CognitoIdentityProvider client.
Settings for user pool actions when Amazon Cognito detects compromised credentials with threat protection in full-function ENFORCED mode.
Settings for compromised-credentials actions and authentication-event sources with threat protection in full-function ENFORCED mode.
This exception is thrown if two or more modifications are happening concurrently.
The confirm-device request.
The confirm-device response.
The request representing the confirmation for a password reset.
The response from the server that results from a user's request to retrieve a forgotten password.
Represents the request to confirm registration of a user.
Represents the response from the server for the registration confirmation.
Contextual user data used for evaluating the risk of an authentication event by user pool threat protection.
Represents the request to create the user import job.
Represents the response from the server to the request to create the user import job.
Represents the request to create a user pool client.
Represents the response from the server to create a user pool client.
Represents the request to create a user pool.
Represents the response from the server for the request to create a user pool.
The configuration for a hosted UI custom domain.
The properties of a custom email sender Lambda trigger.
The properties of a custom SMS sender Lambda trigger.
Represents the request to delete user attributes.
Represents the response from the server to delete user attributes.
Represents the request to delete a user pool client.
Represents the request to delete a user pool.
Represents the request to delete a user.
Represents the request to describe the user import job.
Represents the response from the server to the request to describe the user import job.
Represents the request to describe a user pool client.
Represents the response from the server to a request to describe the user pool client.
Represents the request to describe the user pool.
Represents the response to describe the user pool.
The device-remembering configuration for a user pool.
This exception is thrown when a user attempts to confirm a device with a device key that already exists.
A Secure Remote Password (SRP) value that your application generates when you register a user's device. For more information, see Getting a device key.
Information about a user's device that they've registered for device SRP authentication in your application. For more information, see Working with user devices in your user pool.
A container for information about the user pool domain associated with the hosted UI and OAuth endpoints.
This exception is thrown when the provider is already supported by the user pool.
The email configuration of your user pool. The email configuration type sets your preferred sending method, Amazon Web Services Region, and sender for messages from your user pool.
Sets or shows configuration for user pool email message MFA and sign-in with one-time passwords (OTPs). Includes the subject and body of the email message template for sign-in and MFA messages. To activate this setting, your user pool must be in the Essentials tier or higher.
User preferences for multi-factor authentication with email messages. Activates or deactivates email MFA and sets it as the preferred MFA method when multiple methods are available. To activate this setting, your user pool must be in the Essentials tier or higher.
This exception is thrown when there is a code mismatch and the service fails to configure the software token TOTP multi-factor authentication (MFA).
The context data that your application submitted in an authentication request with threat protection, as displayed in an AdminListUserAuthEvents response.
The feedback that your application submitted to a threat protection event log, as displayed in an AdminListUserAuthEvents response.
The risk evaluation by adaptive authentication, as displayed in an AdminListUserAuthEvents response. Contains evaluations of compromised-credentials detection and assessed risk level and action taken by adaptive authentication.
This exception is thrown if a code has expired.
This exception is thrown when a feature you attempted to configure isn't available in your current feature plan.
Configuration for the Amazon Data Firehose stream destination of user activity log export with threat protection.
This exception is thrown when WAF doesn't allow your request based on a web ACL that's associated with your user pool.
Represents the request to forget the device.
Represents the request to reset a user's password.
The response from Amazon Cognito to a request to reset a password.
Represents the request to get the header information of the CSV file for the user import job.
Represents the response from the server to the request to get the header information of the CSV file for the user import job.
Represents the request to get the device.
Gets the device response.
Request to get a signing certificate from Amazon Cognito.
Response from Amazon Cognito for a signing certificate request.
Represents the request to get user attribute verification.
The response returned by the server to the request to get the user attribute verification code.
Represents the request to get information about the user.
Represents the response from the server to the request to get information about the user.
Represents the request to sign out all devices.
The response to the request to sign out all devices.
This exception is thrown when Amazon Cognito encounters a group that already exists in the user pool.
A user pool group. Contains details about the group and the way that it contributes to IAM role decisions with identity pools. Identity pools can make decisions about the IAM role to assign based on groups: users get credentials for the role associated with their highest-priority group.
The HTTP header in the ContextData parameter.
A user pool identity provider (IdP). Contains information about a third-party IdP to a user pool, the attributes that it populates to user profiles, and the trust relationship between the IdP and your user pool.
Initiates the authentication request.
Initiates the authentication response.
This exception is thrown when Amazon Cognito encounters an internal error.
This exception is thrown when Amazon Cognito isn't allowed to use your email identity. HTTP status code: 400.
This exception is thrown when Amazon Cognito encounters an invalid Lambda response.
This exception is thrown when the specified OAuth flow is not valid.
This exception is thrown when the Amazon Cognito service encounters an invalid parameter.
This exception is thrown when Amazon Cognito encounters an invalid password.
This exception is returned when the role provided for SMS configuration doesn't have permission to publish using Amazon SNS.
This exception is thrown when the trust relationship is not valid for the role provided for SMS configuration. This can happen if you don't trust cognito-idp.amazonaws.com or the external ID provided in the role does not match what is provided in the SMS configuration for the user pool.
This exception is thrown when the user pool configuration is not valid.
A collection of user pool Lambda triggers. Amazon Cognito invokes triggers at several possible stages of user pool operations. Triggers can modify the outcome of the operations that invoked them.
This exception is thrown when a user exceeds the limit for a requested Amazon Web Services resource.
Represents the request to list the devices.
Represents the response to list devices.
Represents the request to list the user import jobs.
Represents the response from the server to the request to list the user import jobs.
Represents the request to list the user pool clients.
Represents the response from the server that lists user pool clients.
Represents the request to list user pools.
Represents the response to list user pools.
Represents the request to list users.
The response from the request to list users.
The configuration of user event logs to an external Amazon Web Services service like Amazon Data Firehose, Amazon S3, or Amazon CloudWatch Logs.
The logging parameters of a user pool, as returned in the response to a GetLogDeliveryConfiguration request.
This exception is thrown when you attempt to apply a managed login branding style to an app client that already has an assigned style.
A managed login branding style that's assigned to a user pool app client.
The message template structure.
This exception is thrown when Amazon Cognito can't find a multi-factor authentication (MFA) method.
This data type is no longer supported. Applies only to SMS multi-factor authentication (MFA) configurations. Does not apply to time-based one-time password (TOTP) software token MFA configurations.
Information that your user pool responds with in AuthenticationResult when you configure it to remember devices and a user signs in with an unrecognized device. Amazon Cognito presents a new device key that you can use to set up device authentication in a "Remember me on this device" authentication model.
This exception is thrown when a user isn't authorized.
The configuration for Amazon SES email messages that threat protection sends to a user when your adaptive authentication automated response has a Notify action.
The template for email messages that threat protection sends to a user when your threat protection automated response has a Notify action.
The minimum and maximum values of an attribute that is of the number type, for example custom:age.
The message returned when a user's new password matches a previous password and doesn't comply with the password-history policy.
The password policy settings for a user pool, including complexity, history, and length requirements.
This exception is thrown when a password reset is required.
This exception is thrown when a precondition is not met.
The properties of a pre token generation Lambda trigger.
The details of a user pool identity provider (IdP), including name and type.
The characteristics of a source or destination user for linking a federated user profile to a local user profile.
A recovery option for a user. The AccountRecoverySettingType data type is an array of this object. Each RecoveryOptionType has a priority property that determines whether it is a primary or secondary option.
This exception is thrown when your application requests token refresh with a refresh token that has been invalidated by refresh-token rotation.
The configuration of your app client for refresh token rotation. When enabled, your app client issues new ID, access, and refresh tokens when users renew their sessions with refresh tokens. When disabled, token refresh issues only ID and access tokens.
Represents the request to resend the confirmation code.
The response from the server when Amazon Cognito makes the request to resend a confirmation code.
This exception is thrown when the Amazon Cognito service can't find the requested resource.
One custom scope associated with a user pool resource server. This data type is a member of ResourceServerScopeType. For more information, see Scopes, M2M, and API authorization with resource servers.
The details of a resource server configuration and associated custom scopes in a user pool.
The request to respond to an authentication challenge.
The response to the request to respond to the authentication challenge.
The risk configuration settings for threat protection in a user pool.
Exceptions to the risk evaluation configuration, including always-allow and always-block IP address ranges.
Configuration for the Amazon S3 bucket destination of user activity log export with threat protection.
A list of the user attributes and their properties in your user pool. The attribute schema contains standard attributes, custom attributes with a custom: prefix, and developer attributes with a dev: prefix. For more information, see User pool attributes.
This exception is thrown when the specified scope doesn't exist.
Represents the request to set user settings.
The response from the server for a set user settings request.
The policy for allowed types of authentication in a user pool. To activate this setting, your user pool must be in the Essentials tier or higher.
Represents the request to register a user.
The response from the server for a registration request.
User pool configuration for delivery of SMS messages with Amazon Simple Notification Service. To send SMS messages with Amazon SNS in the Amazon Web Services Region that you want, the Amazon Cognito user pool uses an Identity and Access Management (IAM) role in your Amazon Web Services account.
The configuration of multi-factor authentication (MFA) with SMS messages in a user pool.
A user's preference for using SMS message multi-factor authentication (MFA). Turns SMS MFA on and off, and can set SMS as preferred when other MFA options are available. You can't turn off SMS MFA for any of your users when MFA is required in your user pool; you can only set the type that your user prefers.
Settings for time-based one-time password (TOTP) multi-factor authentication (MFA) in a user pool. Enables and disables availability of this feature.
This exception is thrown when the software token time-based one-time password (TOTP) multi-factor authentication (MFA) isn't activated for the user pool.
A user's preference for using time-based one-time password (TOTP) multi-factor authentication (MFA). Turns TOTP MFA on and off, and can set TOTP as preferred when other MFA options are available. You can't turn off TOTP MFA for any of your users when MFA is required in your user pool; you can only set the type that your user prefers.
Represents the request to start the user import job.
Represents the response from the server to the request to start the user import job.
Represents the request to stop the user import job.
Represents the response from the server to the request to stop the user import job.
The minimum and maximum length values of an attribute that is of the string type, for example custom:department.
This exception is thrown when you've attempted to change your feature plan but the operation isn't permitted.
The time units that, with IdTokenValidity, AccessTokenValidity, and RefreshTokenValidity, set and display the duration of ID, access, and refresh tokens for an app client. You can assign a separate token validity unit to each type of token.
This exception is thrown when the user has made too many failed attempts for a given action, such as sign-in.
This exception is thrown when the user has made too many requests for a given operation.
A container for the UI customization information for the hosted UI in a user pool.
Exception that is thrown when the request isn't authorized. This can happen due to an invalid access token in the request.
This exception is thrown when Amazon Cognito encounters an unexpected exception with Lambda.
This exception is thrown when the specified identifier isn't supported.
Exception that is thrown when you attempt to perform an operation that isn't enabled for the user pool client.
Exception that is thrown when an unsupported token is passed to an operation.
The request failed because the user is in an unsupported state.
Represents the request to update the device status.
The response to the request to update the device status.
Represents the request to update user attributes.
Represents the response from the server for the request to update user attributes.
Represents the request to update the user pool client.
Represents the response from the server to the request to update the user pool client.
The UpdateUserPoolDomain request input.
The UpdateUserPoolDomain response output.
Represents the request to update the user pool.
Represents the response from the server when you make a request to update the user pool.
The settings for updates to user attributes. These settings include the property AttributesRequireVerificationBeforeUpdate, a user-pool setting that tells Amazon Cognito how to handle changes to the value of your users' email address and phone number attributes. For more information, see Verifying updates to email addresses and phone numbers.
Contextual data, such as the user's device fingerprint, IP address, or location, used for evaluating the risk of an unexpected event by Amazon Cognito threat protection.
This exception is thrown when you're trying to modify a user pool while a user import job is in progress for that pool.
A user import job in a user pool. Describes the status of user import with a CSV file. For more information, see Importing users into user pools from a CSV file.
This exception is thrown when the Amazon Cognito service encounters a user validation exception with the Lambda service.
The configuration of a user pool for username case sensitivity.
This exception is thrown when Amazon Cognito encounters a user name that already exists in the user pool.
This exception is thrown when a user isn't confirmed successfully.
This exception is thrown when a user isn't found.
This exception is thrown when user pool add-ons aren't enabled.
Contains settings for activation of threat protection, including the operating mode and additional authentication types. To log user security information but take no action, set to AUDIT. To configure automatic security responses to potentially unwanted traffic to your user pool, set to ENFORCED.
A short description of a user pool app client.
The configuration of a user pool client.
A short description of a user pool.
A list of user pool policies. Contains the policy that sets password-complexity requirements.
This exception is thrown when a user pool tag can't be set or updated.
The configuration of a user pool.
The template for the verification message that your user pool delivers to users who set an email address or phone number attribute.
Represents the request to verify user attributes.
A container representing the response from the server to the request to verify user attributes.
This exception is thrown when the challenge from StartWebAuthn registration has expired.
This exception is thrown when the access token is for a different client than the one in the original StartWebAuthnRegistration request.
This exception is thrown when a user pool doesn't have a configured relying party id or a user pool domain.
Settings for authentication (MFA) with passkey, or WebAuthn, biometric and security-key devices in a user pool. Configures the following:
The details of a passkey, or WebAuthn, biometric or security-key authentication factor for a user.
This exception is thrown when a user presents passkey credentials from an unsupported device or provider.
This exception is thrown when the passkey feature isn't enabled for the user pool.
This exception is thrown when the passkey credential's registration origin does not align with the user pool relying party id.
This exception is thrown when the given passkey credential is associated with a different relying party ID than the user pool relying party ID.