The following table describes important additions to the documentation for Amazon Cognito. We also make frequent minor updates to the documentation in response to the feedback that you send. To submit feedback, locate the Feedback link at the bottom of any page in Amazon Cognito documentation.
Change Description DateUpdates to requirements for IAM role trust policies for identity pools.
You can now make changes to role trust policies for the Amazon Cognito identity pools service principal only when a condition key scopes the audience for OIDC (web identity) federation to one or more identity pools.
August 1, 2025
Amazon Cognito is now available in the Mexico (Central) AWS Region.
You can now create Amazon Cognito resources in the Mexico (Central) Region.
July 24, 2025
Amazon Cognito is now available in the Asia Pacific (Thailand) AWS Region.
You can now create Amazon Cognito resources in the Asia Pacific (Thailand) Region.
July 24, 2025
AWS WAF web ACLs in managed login.
You can now apply AWS WAF web ACL rules to user pool app clients that have the managed login branding version.
June 24, 2025
Updated Lambda trigger examples.
Updated the example function for custom email and SMS sender Lambda triggers to be compatible with Node.js 22.x. The example is also now more accessible for testing.
May 19, 2025
You now have greater control over reauthentication of existing managed login sessions with the prompt parameter. You can also pass values for this parameter to third-party providers.
May 15, 2025
Client metadata for M2M requests.
You can now pass client metadata in client credentials, or machine-to-machine (M2M), requests. Amazon Cognito passes M2M client metadata to the pre token generation Lambda trigger.
April 29, 2025
You can now get new refresh tokens and invalidate the originals in refresh-token requests.
April 22, 2025
Amazon Cognito is now available in the Asia Pacific (Malaysia) AWS Region.
You can now create Amazon Cognito resources in the Asia Pacific (Malaysia) Region.
March 7, 2025
Access token customization for machine identities.
The pre token generation Lambda trigger now has a version three event that modifies access token claims and scopes in client-credentials grants for machine-to-machine (M2M) authorization.
March 3, 2025
Updated information about AmazonCognitoPowerUserAWS managed policy.
Added an AWS End User Messaging SMS operation in the AWS managed policy for Amazon Cognito user pools power users.
February 27, 2025
Updated overview of OpenID Connect (OIDC) integration.
Added a diagram that illustrates how Amazon Cognito authenticates with OIDC identity providers.
February 25, 2025
Added information about MFA logic.
Added a diagram that illustrates how Amazon Cognito applies your user pool multi-factor authentication (MFA) settings to users at runtime.
February 25, 2025
Added Amazon Cognito user pools security best practices.
Added a page about securing secrets and otherwise following security best practices in user pool configuration.
February 25, 2025
Updates to getting-started resources for user pools.
The getting started experience with Amazon Cognito user pools has a new console design and application options.
November 21, 2024
New pricing model with feature plans.
Updated the billing model for user pools. Advanced security features are now threat protection. Components in the advanced security features license are now in the Essentials and Plus feature plans.
November 21, 2024
Launched managed login, an update to the hosted UI.
November 21, 2024
A new authentication method and new authentication flows.
You can now sign in to Amazon Cognito user pools with passkeys and one-time passwords.
November 21, 2024
Updated information about AmazonCognitoUnAuthedIdentitiesSessionPolicy.
Moved AWS Key Management Service operations in the AWS managed policy for scope-down of unauthenticated identities from inline policy to AWS managed policy.
November 1, 2024
You can now add a username hint to authorization requests for the hosted UI, OIDC IdPs, and Google IdPs.
October 3, 2024
New advanced security features for email MFA.
You can now send multi-factor authentication (MFA) codes by email message with advanced security features.
September 12, 2024
Modified titles, removed unneeded content, added scenario-based intros, moved user pools OIDC & hosted UI endpoints reference to user pools section.
September 9, 2024
Updated information about AmazonCognitoUnAuthedIdentitiesSessionPolicy.
The AWS managed policy for scope-down of unauthenticated identities in identity pools now permits Amazon Location Service.
August 9, 2024
New threat prevention for custom authentication with Lambda triggers and enhanced threat detection.
You can now analyze custom authentication sign-in with threat protection and apply adaptive authentication responses. Threat protection also now analyzes sign-in traffic for impossible geographical distance between attempts.
August 8, 2024
New advanced security features for password reuse prevention and user-activity log export.
You can now export user activity logs and set a password-history policy with advanced security features in Amazon Cognito user pools.
August 6, 2024
You can now create Amazon Cognito resources in the Canada West (Calgary)and Asia Pacific (Hong Kong) Regions.
July 9, 2024
Improved description of application behavior for advanced security
Updated information about device context data for advanced security adaptive authentication.
June 10, 2024
Added support for complex objects in pre token Lambda trigger
You can now add arrays and JSON objects to ID and access token claims.
May 30, 2024
Updated information about Verified Permissions and Amazon Cognito.
Amazon Verified Permissions now has more direct integration with Amazon Cognito.
May 15, 2024
Multi-Region Amazon SES verified identities.
In some AWS Regions without Amazon SES, Amazon Cognito user pools load balance email between two remote Regions.
May 10, 2024
Added information about M2M authorization and managing costs.
Learn how to use client credentials grants for machine-to-machine (M2M) use cases with Amazon Cognito user pools.
May 9, 2024
Amazon Cognito is now available in the Europe (Spain) and Asia Pacific (Hyderabad) AWS Regions.
You can now create Amazon Cognito resources in the Europe (Spain) and Asia Pacific (Hyderabad) Regions.
April 15, 2024
Amazon Cognito is now available in the Asia Pacific (Melbourne) AWS Region.
You can now create Amazon Cognito resources in the Asia Pacific (Melbourne) Region.
April 4, 2024
Added an example Android app in Flutter for Amazon Cognito user pools.
You can build a starter mobile app for Amazon Cognito from an example Flutter application on GitHub.
April 4, 2024
Expanded content for getting started, common scenarios, multi-tenant best practices, and accessing resources after sign-in.
April 1, 2024
Amazon Cognito is now available in the Europe (Zurich) AWS Region.
You can now create Amazon Cognito resources in the Europe (Zurich) Region.
March 14, 2024
Amazon Cognito is now available in the Middle East (UAE) AWS Region.
You can now create Amazon Cognito resources in the Middle East (UAE) Region.
March 8, 2024
New SAML features and improved content.
You can now sign SAML requests, encrypt SAML responses, and set up IdP-initiated SAML SSO.
February 1, 2024
You can now purchase additional capacity for Amazon Cognito request-rate quotas.
January 25, 2024
Amazon Cognito identity pools support request rates in Service Quotas.
You can now monitor requests-per-second (RPS) quotas for Amazon Cognito identity pools and request increase in the Service Quotas console.
December 19, 2023
Added a new feature for customization of the contents of access tokens.
You can now add, modify, and remove claims and scopes in user pool access tokens.
December 12, 2023
Improved content about app clients and OAuth scopes.
Clarity edits and corrections to Application-specific settings with app clients and Scopes, M2M, and APIs with resource servers. Removed legacy console instructions.
November 14, 2023
Improved content about devices and device authentication.
New content about the use of device keys and device SRP authentication.
October 18, 2023
Updated AWS Management Console guidance.
Removed user pools console reference and redistributed topics within related subjects, and added guidance to tab-based organization in Amazon Cognito console.
August 30, 2023
De-emphasized direct access to LOGIN endpoint.
Added a visual overview of the user pool Login endpoint and emphasized starting authentication with Authorize endpoint.
August 30, 2023
Amazon Cognito is now available in the Asia Pacific (Osaka) and Israel (Tel Aviv) AWS Regions.
You can now create Amazon Cognito resources in the Asia Pacific (Osaka) and Israel (Tel Aviv) Regions.
August 30, 2023
Introduced information about authorization for Amazon Cognito with Amazon Verified Permissions.
In your app, you can invoke the Verified Permissions API to produce access decisions from a central authority.
August 1, 2023
Added a new feature for logging user pool detailed user activity to Amazon CloudWatch Logs.
You can now log email and SMS message delivery errors to CloudWatch log groups.
August 1, 2023
Updated information about AWS managed policy for identity pool guest users.
Permissions scope-down for identity pool guest users now includes both an inline session policy and an AWS managed session policy.
May 16, 2023
Content improvement and new console instructions for Amazon Cognito identity pools.
Added new console walkthroughs to reflect the new console experience, improved code integration details for identity pools.
May 16, 2023
Additions and improvements to service homepage and user pools homepage.
Updated overview pages for Amazon Cognito and user pools.
May 16, 2023
General improvements to user pool token documentation.
Updated example tokens, added new information about verifying tokens.
February 16, 2023
You can now log Amazon Cognito identity pools data events in AWS CloudTrail.
CloudTrail supports the selection of Amazon Cognito identity pools high-volume API operations in trails that log data events.
February 15, 2023
Updated Lambda trigger examples and descriptions.
Lambda trigger examples are updated to JavaScript version 3. You can now directly correlate Lambda triggers to API actions.
January 31, 2023
Amazon Cognito identity pools apply an AWS managed policy to unauthenticated sessions.
Identity pool users who authenticate using the enhanced flow now have an additional AWS managed policy applied to their session.
January 31, 2023
This guide now includes example code for your Amazon Cognito app in a variety of programming langages.
January 23, 2023
Added information about API models and authentication with Amazon Cognito user pools.
Amazon Cognito user pools have multiple API interfaces and formats for request authorization.
December 15, 2022
Amazon Cognito is now available in the Europe (Milan) AWS Region.
You can now create Amazon Cognito user pools in the Europe (Milan) Region.
December 6, 2022
Added information about user pool deletion protection.
When you create a new user pool with the AWS Management Console, it's now protected against deletion by default.
October 20, 2022
Added a user guide for the hosted UI, and information about TOTP MFA in the hosted UI.
Your users can now register a TOTP MFA device in the Amazon Cognito hosted UI. You can now preview the default hosted UI.
September 8, 2022
Added information about AWS WAF and Amazon Cognito.
You can now associate a AWS WAF web ACL with a Amazon Cognito user pool.
August 3, 2022
Added more example AWS CloudTrail events.
Amazon Cognito now logs federation and hosted UI requests to your trail.
June 15, 2022
Added information about two-step attribute verification.
You can now choose whether your user must verify a new email address or phone number before they can sign in with it.
June 9, 2022
Updated federation documentation. New IP address propagation feature.
Updated walkthroughs for setting up user pool social IdPs. Added information about federated user profiles and attribute mapping. Added new information about device fingerprints for advanced security.
May 31, 2022
Sign in federated users without interaction with the hosted UI
Added a new page about how to bookmark applications so that Amazon Cognito silently directs users to federated sign-in.
May 29, 2022
In-Region SMS and email messaging for Amazon Cognito user pools
You can now use Amazon Simple Notification Service for SMS messages and Amazon Simple Email Service for email messages in the same AWS Region as your user pool.
March 14, 2022
Added and clarified resource and request-rate quotas.
January 10, 2022
New Amazon Cognito user pools console experience
Updated instructions to create and manage user pools in the updated Amazon Cognito console.
November 18, 2021
RevokeToken API and Revocation Endpoint
You can use the RevokeToken operation to revoke a refresh token for a user.
June 10, 2021
Added best practices for multi-tenant applications.
March 4, 2021
Amazon Cognito Identity Pools provide attributes for access control (AFAC) as a way for customers to grant users access to AWS resources. Authorization can be done based on users' attributes from the identity provider which they used to federate with Amazon Cognito.
January 15, 2021
Custom SMS Sender Lambda Trigger and Custom Email Sender Lambda Trigger
The Custom SMS Sender Lambda Trigger and Custom Email Sender Lambda Trigger allow you to enable a third-party provider to send email and SMS notifications to your users from within your Lambda function code.
November 30, 2020
Updated expiration information was added to Access, ID, and Refresh tokens.
October 29, 2020
Service Quotas are available for Amazon Cognito category quotas. You can use the Service Quotas console to view quota usage, request a quota increase, and create CloudWatch alarms to monitor your quota usage. As part of this change the Available CloudWatch Metrics for Amazon Cognito User Pools section was updated to reflect the new information. The new section name is: Tracking quotas and usage in CloudWatch and Service Quotas
October 29, 2020
Amazon Cognito quota categorization
Quota categories are available to help you monitor quota usage and request an increase. The quotas are grouped into categories based on common use cases.
August 17, 2020
Amazon Cognito supported in US AWS GovCLoud
Amazon Cognito is now supported in the AWS GovCloud (US) Region.
May 13, 2020
Amazon Cognito Pinpoint document updates
New service-linked role was added. Instructions were updated on "Using Amazon Pinpoint Analytics with Amazon Cognito User Pools".
May 13, 2020
New Amazon Cognito dedicated security chapter
The Security chapter can help your organization get in-depth information about both the built-in and the configurable security of AWS services. Our new chapters provide information about the security of the cloud and in the cloud.
April 30, 2020
Amazon Cognito Identity Pools now supports Sign in with Apple
Sign in with Apple is available in all regions where Amazon Cognito operates, except cn-north-1 region.
April 7, 2020
Added version selection to Facebook API.
April 3, 2020
Username case insensitivity update
Added recommendation about enabling username case insensitivity before creating a user pool.
February 11, 2020
New information about AWS Amplify
Added information about integrating Amazon Cognito with your web or mobile app by using AWS Amplify SDKs and libraries. Removed information about using the Amazon Cognito SDKs that preceded AWS Amplify.
November 22, 2019
New attribute for user pool triggers
Amazon Cognito now includes a clientMetadata parameter in the event information that it passes to the AWS Lambda functions for most user pool triggers. You can use this parameter to enhance your custom authentication workflow with additional data.
October 4, 2019
The throttling limit for the ListUsers API action is updated.
June 25, 2019
The soft limits for user pools now include a limit for the number of users.
June 17, 2019
Amazon SES email settings for Amazon Cognito user pools
You can configure a user pool so that Amazon Cognito emails your users by using your Amazon SES configuration. This setting allows Amazon Cognito to send email with a higher delivery volume than is otherwise possible.
April 8, 2019
Added information about tagging Amazon Cognito resources.
March 26, 2019
Change the certificate for a custom domain
If you use a custom domain to host the Amazon Cognito hosted UI, you can change the SSL certificate for this domain as needed.
December 19, 2018
A new limit is added for the maximum number of groups that each user can belong to.
December 14, 2018
The soft limits for user pools are updated.
December 11, 2018
Documentation update for verifying email addresses and phone numbers
Added information about configuring your user pool to require email or phone verification when a user signs up in your app.
November 20, 2018
Documentation update for testing emails
Added guidance for initiating emails from Amazon Cognito while you test your app.
November 13, 2018
Amazon Cognito Advanced Security
Added new security features to enable developers to protect their apps and users from malicious bots, secure user accounts against compromised credentials, and automatically adjust the challenges required to sign in based on the calculated risk of the sign in attempt.
June 14, 2018
Custom Domains for Amazon Cognito Hosted UI
Allow developers to use their own fully custom domain for the hosted UI in Amazon Cognito User Pools.
June 4, 2018
Amazon Cognito User Pools OIDC Identity Provider
Added user pool sign-in through an OpenID Connect (OIDC) identity provider such as Salesforce or Ping Identity.
May 17, 2018
Amazon Cognito Lambda Migration Trigger
Added pages covering the Lambda Migration Trigger feature
April 8, 2018
Amazon Cognito Developer Guide Update
Added top level "What is Amazon Cognito" and "Getting Started with Amazon Cognito". Also added common scenarios and reorganized the user pools TOC. Added a new "Getting Started with Amazon Cognito user pools" section.
April 6, 2018
Amazon Cognito Advanced Security Beta
Added new security features to enable developers to protect their apps and users from malicious bots, secure user accounts against credentials in the wild that have been compromised elsewhere on the internet, and automatically adjust the challenges required to sign in based on the calculated risk of the sign in attempt.
November 28, 2017
Added the ability to use Amazon Pinpoint to provide analytics for your Amazon Cognito User Pools apps and to enrich the user data for Amazon Pinpoint campaigns.
September 26, 2017
Federation and built-in app UI features of Amazon Cognito user pools
Added the ability to allow your users to sign in to your user pool through Facebook, Google, Login with Amazon, or a SAML identity provider. Added a customizable built-in app UI and OAuth 2.0 support with custom claims.
August 10, 2017
HIPAA and PCI compliance-related feature changes
Added the ability to allow your users to use a phone number or email address as their user name.
July 6, 2017
User groups and role-based access control features
Added administrative capability to create and manage user groups. Administrators can assign IAM roles to users based on group membership and administrator-created rules.
December 15, 2016
Updated examples that show how to use AWS Lambda triggers with user pools.
November 27, 2016
Updated iOS code examples.
November 18, 2016
Added information about confirmation flow for user accounts.
November 9, 2016
Added administrative capability to create user accounts through the Amazon Cognito console and the API.
October 6, 2016
Added bulk import capability for Cognito User Pools. Use this feature to migrate users from your existing identity provider to an Amazon Cognito user pool.
September 1, 2016
General availability of Cognito User Pools
Added the Cognito User Pools feature. Use this feature to create and maintain a user directory and add sign-up and sign-in to your mobile app or web application using user pools.
July 28, 2016
Added support for authentication with identity providers through Security Assertion Markup Language 2.0 (SAML 2.0).
June 23, 2016
Added integration with AWS CloudTrail.
February 18, 2016
Integration of events with Lambda
Enables you to execute an AWS Lambda function in response to important events in Amazon Cognito.
April 9, 2015
Provides control and insight into your data streams.
March 4, 2015
Enables support for OpenID Connect providers.
November 23, 2014
Enables support for silent push synchronization.
November 6, 2014
Developer-authenticated identities support added
Enables developers who own their own authentication and identity management systems to be treated as an identity provider in Amazon Cognito.
September 29, 2014
Amazon Cognito general availability
July 10, 2014
RetroSearch is an open source project built by @garambo | Open a GitHub Issue
Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo
HTML:
3.2
| Encoding:
UTF-8
| Version:
0.7.4