With the Amazon Cognito user pools API, you can configure user pools and authenticate users. To authenticate users from third-party identity providers (IdPs) in this API, you can link IdP users to native user profiles. Learn more about the authentication and authorization of federated users at Adding user pool sign-in through a third party and in the User pool federation endpoints and hosted UI reference.
This API reference provides detailed information about API operations and object types in Amazon Cognito.
Along with resource management operations, the Amazon Cognito user pools API includes classes of operations and authorization models for client-side and server-side authentication of users. You can interact with operations in the Amazon Cognito user pools API as any of the following subjects.
An administrator who wants to configure user pools, app clients, users, groups, or other user pool functions.
A server-side app, like a web application, that wants to use its Amazon Web Services privileges to manage, authenticate, or authorize a user.
A client-side app, like a mobile app, that wants to make unauthenticated requests to manage, authenticate, or authorize a user.
For more information, see Using the Amazon Cognito user pools API and user pool endpoints in the Amazon Cognito Developer Guide.
With your Amazon Web Services SDK, you can build the logic to support
operational flows in every use case for this API. You can also make
direct REST API requests to Amazon Cognito user pools service endpoints.
The following links can get you started with the
CognitoIdentityProvider
client in other supported Amazon Web Services
SDKs.
To get started with an Amazon Web Services SDK, see Tools to Build on Amazon Web Services. For example actions and scenarios, see Code examples for Amazon Cognito Identity Provider using Amazon Web Services SDKs.
cognitoidentityprovider(
config = list(),
credentials = list(),
endpoint = NULL,
region = NULL
)
A client for the service. You can call the service's operations using
syntax like svc$operation(...)
, where svc
is the name you've assigned
to the client. The available operations are listed in the
Operations section.
Optional configuration of credentials, endpoint, and/or region.
credentials:
creds:
access_key_id: AWS access key ID
secret_access_key: AWS secret access key
session_token: AWS temporary session token
profile: The name of a profile to use. If not given, then the default profile is used.
anonymous: Set anonymous credentials.
endpoint: The complete URL to use for the constructed client.
region: The AWS Region used in instantiating the client.
close_connection: Immediately close all HTTP connections.
timeout: The time in seconds till a timeout exception is thrown when attempting to make a connection. The default is 60 seconds.
s3_force_path_style: Set this to true
to force the request to use path-style addressing, i.e. http://s3.amazonaws.com/BUCKET/KEY
.
sts_regional_endpoint: Set sts regional endpoint resolver to regional or legacy https://docs.aws.amazon.com/sdkref/latest/guide/feature-sts-regionalized-endpoints.html
Optional credentials shorthand for the config parameter
creds:
access_key_id: AWS access key ID
secret_access_key: AWS secret access key
session_token: AWS temporary session token
profile: The name of a profile to use. If not given, then the default profile is used.
anonymous: Set anonymous credentials.
Optional shorthand for complete URL to use for the constructed client.
Optional shorthand for AWS Region used in instantiating the client.
svc <- cognitoidentityprovider(
config = list(
credentials = list(
creds = list(
access_key_id = "string",
secret_access_key = "string",
session_token = "string"
),
profile = "string",
anonymous = "logical"
),
endpoint = "string",
region = "string",
close_connection = "logical",
timeout = "numeric",
s3_force_path_style = "logical",
sts_regional_endpoint = "string"
),
credentials = list(
creds = list(
access_key_id = "string",
secret_access_key = "string",
session_token = "string"
),
profile = "string",
anonymous = "logical"
),
endpoint = "string",
region = "string"
)
add_custom_attributes | Adds additional user attributes to the user pool schema |
admin_add_user_to_group | Adds a user to a group |
admin_confirm_sign_up | This IAM-authenticated API operation confirms user sign-up as an administrator |
admin_create_user | Creates a new user in the specified user pool |
admin_delete_user | Deletes a user as an administrator |
admin_delete_user_attributes | Deletes the user attributes in a user pool as an administrator |
admin_disable_provider_for_user | Prevents the user from signing in with the specified external (SAML or social) identity provider (IdP) |
admin_disable_user | Deactivates a user and revokes all access tokens for the user |
admin_enable_user | Enables the specified user as an administrator |
admin_forget_device | Forgets the device, as an administrator |
admin_get_device | Gets the device, as an administrator |
admin_get_user | Gets the specified user by user name in a user pool as an administrator |
admin_initiate_auth | Initiates the authentication flow, as an administrator |
admin_link_provider_for_user | Links an existing user account in a user pool (DestinationUser) to an identity from an external IdP (SourceUser) based on a specified attribute name and value from the external IdP |
admin_list_devices | Lists devices, as an administrator |
admin_list_groups_for_user | Lists the groups that a user belongs to |
admin_list_user_auth_events | A history of user activity and any risks detected as part of Amazon Cognito advanced security |
admin_remove_user_from_group | Removes the specified user from the specified group |
admin_reset_user_password | Resets the specified user's password in a user pool as an administrator |
admin_respond_to_auth_challenge | Some API operations in a user pool generate a challenge, like a prompt for an MFA code, for device authentication that bypasses MFA, or for a custom authentication challenge |
admin_set_user_mfa_preference | The user's multi-factor authentication (MFA) preference, including which MFA options are activated, and if any are preferred |
admin_set_user_password | Sets the specified user's password in a user pool as an administrator |
admin_set_user_settings | This action is no longer supported |
admin_update_auth_event_feedback | Provides feedback for an authentication event indicating if it was from a valid user |
admin_update_device_status | Updates the device status as an administrator |
admin_update_user_attributes | This action might generate an SMS text message |
admin_user_global_sign_out | Invalidates the identity, access, and refresh tokens that Amazon Cognito issued to a user |
associate_software_token | Begins setup of time-based one-time password (TOTP) multi-factor authentication (MFA) for a user, with a unique private key that Amazon Cognito generates and returns in the API response |
change_password | Changes the password for a specified user in a user pool |
confirm_device | Confirms tracking of the device |
confirm_forgot_password | Allows a user to enter a confirmation code to reset a forgotten password |
confirm_sign_up | This public API operation provides a code that Amazon Cognito sent to your user when they signed up in your user pool via the SignUp API operation |
create_group | Creates a new group in the specified user pool |
create_identity_provider | Adds a configuration and trust relationship between a third-party identity provider (IdP) and a user pool |
create_resource_server | Creates a new OAuth2 |
create_user_import_job | Creates a user import job |
create_user_pool | This action might generate an SMS text message |
create_user_pool_client | Creates the user pool client |
create_user_pool_domain | Creates a new domain for a user pool |
delete_group | Deletes a group |
delete_identity_provider | Deletes an IdP for a user pool |
delete_resource_server | Deletes a resource server |
delete_user | Allows a user to delete their own user profile |
delete_user_attributes | Deletes the attributes for a user |
delete_user_pool | Deletes the specified Amazon Cognito user pool |
delete_user_pool_client | Allows the developer to delete the user pool client |
delete_user_pool_domain | Deletes a domain for a user pool |
describe_identity_provider | Gets information about a specific IdP |
describe_resource_server | Describes a resource server |
describe_risk_configuration | Describes the risk configuration |
describe_user_import_job | Describes the user import job |
describe_user_pool | Returns the configuration information and metadata of the specified user pool |
describe_user_pool_client | Client method for returning the configuration information and metadata of the specified user pool app client |
describe_user_pool_domain | Gets information about a domain |
forget_device | Forgets the specified device |
forgot_password | Calling this API causes a message to be sent to the end user with a confirmation code that is required to change the user's password |
get_csv_header | Gets the header information for the comma-separated value (CSV) file to be used as input for the user import job |
get_device | Gets the device |
get_group | Gets a group |
get_identity_provider_by_identifier | Gets the specified IdP |
get_log_delivery_configuration | Gets the logging configuration of a user pool |
get_signing_certificate | This method takes a user pool ID, and returns the signing certificate |
get_ui_customization | Gets the user interface (UI) Customization information for a particular app client's app UI, if any such information exists for the client |
get_user | Gets the user attributes and metadata for a user |
get_user_attribute_verification_code | Generates a user attribute verification code for the specified attribute name |
get_user_pool_mfa_config | Gets the user pool multi-factor authentication (MFA) configuration |
global_sign_out | Invalidates the identity, access, and refresh tokens that Amazon Cognito issued to a user |
initiate_auth | Initiates sign-in for a user in the Amazon Cognito user directory |
list_devices | Lists the sign-in devices that Amazon Cognito has registered to the current user |
list_groups | Lists the groups associated with a user pool |
list_identity_providers | Lists information about all IdPs for a user pool |
list_resource_servers | Lists the resource servers for a user pool |
list_tags_for_resource | Lists the tags that are assigned to an Amazon Cognito user pool |
list_user_import_jobs | Lists user import jobs for a user pool |
list_user_pool_clients | Lists the clients that have been created for the specified user pool |
list_user_pools | Lists the user pools associated with an Amazon Web Services account |
list_users | Lists users and their basic details in a user pool |
list_users_in_group | Lists the users in the specified group |
resend_confirmation_code | Resends the confirmation (for confirmation of registration) to a specific user in the user pool |
respond_to_auth_challenge | Some API operations in a user pool generate a challenge, like a prompt for an MFA code, for device authentication that bypasses MFA, or for a custom authentication challenge |
revoke_token | Revokes all of the access tokens generated by, and at the same time as, the specified refresh token |
set_log_delivery_configuration | Sets up or modifies the logging configuration of a user pool |
set_risk_configuration | Configures actions on detected risks |
set_ui_customization | Sets the user interface (UI) customization information for a user pool's built-in app UI |
set_user_mfa_preference | Set the user's multi-factor authentication (MFA) method preference, including which MFA factors are activated and if any are preferred |
set_user_pool_mfa_config | Sets the user pool multi-factor authentication (MFA) configuration |
set_user_settings | This action is no longer supported |
sign_up | Registers the user in the specified user pool and creates a user name, password, and user attributes |
start_user_import_job | Starts the user import |
stop_user_import_job | Stops the user import job |
tag_resource | Assigns a set of tags to an Amazon Cognito user pool |
untag_resource | Removes the specified tags from an Amazon Cognito user pool |
update_auth_event_feedback | Provides the feedback for an authentication event, whether it was from a valid user or not |
update_device_status | Updates the device status |
update_group | Updates the specified group with the specified attributes |
update_identity_provider | Updates IdP information for a user pool |
update_resource_server | Updates the name and scopes of resource server |
update_user_attributes | With this operation, your users can update one or more of their attributes with their own credentials |
update_user_pool | This action might generate an SMS text message |
update_user_pool_client | Updates the specified user pool app client with the specified attributes |
update_user_pool_domain | Updates the Secure Sockets Layer (SSL) certificate for the custom domain for your user pool |
verify_software_token | Use this API to register a user's entered time-based one-time password (TOTP) code and mark the user's software token MFA status as "verified" if successful |
verify_user_attribute | Verifies the specified user attributes in the user pool |
if (FALSE) {
svc <- cognitoidentityprovider()
# This request submits a value for all possible parameters for
# AdminCreateUser.
svc$admin_create_user(
DesiredDeliveryMediums = list(
"SMS"
),
MessageAction = "SUPPRESS",
TemporaryPassword = "This-is-my-test-99!",
UserAttributes = list(
list(
Name = "name",
Value = "John"
),
list(
Name = "phone_number",
Value = "+12065551212"
),
list(
Name = "email",
Value = "testuser@example.com"
)
),
UserPoolId = "us-east-1_EXAMPLE",
Username = "testuser"
)
}
Run the code above in your browser using DataLab