My todos
+ +
+ Try creating a new todo.
+
+ + Review next step of this tutorial. + +
+ + + Review next step of this tutorial. + +
"
+)
+
+if case .done = finalSignInResult.nextStep {
+ print("Login successful")
+}
+```
+
+#### [Combine]
+
+```swift
+func signInWithUserAuth(username: String, getOTP: @escaping () async -> String) -> AnyCancellable {
+ Amplify.Publisher.create {
+ // Step 1: Initiate UserAuth Sign-In
+ let pluginOptions = AWSAuthSignInOptions(authFlowType: .userAuth)
+ let signInResult = try await Amplify.Auth.signIn(
+ username: username,
+ options: .init(pluginOptions: pluginOptions)
+ )
+
+ // Step 2: Handle factor selection
+ if case .continueSignInWithFirstFactorSelection(let availableFactors) = signInResult.nextStep {
+ print("Available factors to select: \(availableFactors)")
+
+ // For this example, we select emailOTP. You could prompt the user here.
+ let confirmSignInResult = try await Amplify.Auth.confirmSignIn(
+ challengeResponse: AuthFactorType.emailOTP.challengeResponse
+ )
+
+ // Step 3: Handle OTP delivery
+ if case .confirmSignInWithOTP(let deliveryDetails) = confirmSignInResult.nextStep {
+ print("Delivery details: \(deliveryDetails)")
+
+ // Prompt user for OTP code (async closure)
+ let code = await getOTP()
+
+ // Step 4: Complete sign-in with OTP code
+ let finalSignInResult = try await Amplify.Auth.confirmSignIn(
+ challengeResponse: code
+ )
+
+ return finalSignInResult
+ } else {
+ // Handle other next steps if needed
+ return confirmSignInResult
+ }
+ } else {
+ // Handle other next steps or immediate sign-in
+ return signInResult
+ }
+ }
+ .sink(
+ receiveCompletion: { completion in
+ if case let .failure(authError) = completion {
+ print("Sign in failed: \(authError)")
+ }
+ },
+ receiveValue: { result in
+ if result.isSignedIn || (result.nextStep == .done) {
+ print("Sign in succeeded")
+ } else {
+ print("Next step: \(result.nextStep)")
+ }
+ }
+ )
+}
+```
+
+
+
+---
+
+---
+title: "Switching authentication flows"
+section: "build-a-backend/auth/connect-your-frontend"
+platforms: ["angular", "javascript", "nextjs", "react", "react-native", "swift", "vue", "android"]
+gen: 2
+last-updated: "2024-12-09T19:54:14.000Z"
+url: "https://docs.amplify.aws/react/build-a-backend/auth/connect-your-frontend/switching-authentication-flows/"
+---
+
+
+`AWSCognitoAuthPlugin` allows you to switch between different auth flows while initiating signIn. You can configure the flow in the `amplify_outputs.json` file or pass the `authFlowType` as a runtime parameter to the `signIn` api call.
+
+For client side authentication there are four different flows that can be configured during runtime:
+
+1. `userSRP`: The `userSRP` flow uses the [SRP protocol (Secure Remote Password)](https://en.wikipedia.org/wiki/Secure_Remote_Password_protocol) where the password never leaves the client and is unknown to the server. This is the recommended flow and is used by default.
+
+2. `userPassword`: The `userPassword` flow will send user credentials unencrypted to the back-end. If you want to migrate users to Cognito using the "Migration" trigger and avoid forcing users to reset their passwords, you will need to use this authentication type because the Lambda function invoked by the trigger needs to verify the supplied credentials.
+
+3. `customWithSRP`: The `customWithSRP` flow is used to start with SRP authentication and then switch to custom authentication. This is useful if you want to use SRP for the initial authentication and then use custom authentication for subsequent authentication attempts.
+
+4. `customWithoutSRP`: The `customWithoutSRP` flow is used to start authentication flow **WITHOUT** SRP and then use a series of challenge and response cycles that can be customized to meet different requirements.
+
+5. `userAuth`: The `userAuth` flow is a choice-based authentication flow that allows the user to choose from the list of available authentication methods. This flow is useful when you want to provide the user with the option to choose the authentication method. The choices that may be available to the user are `emailOTP`, `smsOTP`, `webAuthn`, `password` or `passwordSRP`.
+
+`Auth` can be configured to use the different flows at runtime by calling `signIn` with `AuthSignInOptions`'s `authFlowType` as `AuthFlowType.userPassword`, `AuthFlowType.customAuthWithoutSrp` or `AuthFlowType.customAuthWithSrp`. If you do not specify the `AuthFlowType` in `AuthSignInOptions`, the default flow (`AuthFlowType.userSRP`) will be used.
+
+
+
+Runtime configuration will take precedence and will override any auth flow type configuration present in amplify_outputs.json
+
+
+
+> For more information about authentication flows, please visit [Amazon Cognito developer documentation](https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-authentication-flow.html#amazon-cognito-user-pools-custom-authentication-flow)
+
+## USER_AUTH (Choice-based authentication) flow
+
+A use case for the `USER_AUTH` authentication flow is to provide the user with the option to choose the authentication method. The choices that may be available to the user are `emailOTP`, `smsOTP`, `webAuthn`, `password` or `passwordSRP`.
+
+```swift
+let pluginOptions = AWSAuthSignInOptions(
+ authFlowType: .userAuth)
+let signInResult = try await Amplify.Auth.signIn(
+ username: username,
+ password: password,
+ options: .init(pluginOptions: pluginOptions))
+guard case .continueSignInWithFirstFactorSelection(let availableFactors) = signInResult.nextStep else {
+ return
+}
+print("Available factors: \(availableFactors)")
+```
+
+The selection of the authentication method is done by the user. The user can choose from the available factors and proceed with the selected factor. You should call the `confirmSignIn` API with the selected factor to continue the sign-in process. Following is an example if you want to proceed with the `emailOTP` factor selection:
+
+```swift
+// Select emailOTP as the factor
+var confirmSignInResult = try await Amplify.Auth.confirmSignIn(
+ challengeResponse: AuthFactorType.emailOTP.challengeResponse)
+```
+
+## USER_PASSWORD_AUTH flow
+
+A use case for the `USER_PASSWORD_AUTH` authentication flow is migrating users into Amazon Cognito
+
+A user migration Lambda trigger helps migrate users from a legacy user management system into your user pool. If you choose the USER_PASSWORD_AUTH authentication flow, users don't have to reset their passwords during user migration. This flow sends your user's password to the service over an encrypted SSL connection during authentication.
+
+When you have migrated all your users, switch flows to the more secure SRP flow. The SRP flow doesn't send any passwords over the network.
+
+```swift
+func signIn(username: String, password: String) async throws {
+
+ let option = AWSAuthSignInOptions(authFlowType: .userPassword)
+ do {
+ let result = try await Amplify.Auth.signIn(
+ username: username,
+ password: password,
+ options: AuthSignInRequest.Options(pluginOptions: option))
+ print("Sign in succeeded with result: \(result)")
+ } catch {
+ print("Failed to sign in with error: \(error)")
+ }
+}
+```
+
+### Migrate users with Amazon Cognito
+
+Amazon Cognito provides a trigger to migrate users from your existing user directory seamlessly into Cognito. You achieve this by configuring your User Pool's "Migration" trigger which invokes a Lambda function whenever a user that does not already exist in the user pool authenticates, or resets their password.
+
+In short, the Lambda function will validate the user credentials against your existing user directory and return a response object containing the user attributes and status on success. An error message will be returned if an error occurs. There's documentation around [how to set up this migration flow](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-import-using-lambda.html) and more detailed instructions on [how the lambda should handle request and response objects](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-migrate-user.html#cognito-user-pools-lambda-trigger-syntax-user-migration).
+
+## CUSTOM_AUTH flow
+
+Amazon Cognito User Pools supports customizing the authentication flow to enable custom challenge types, in addition to a password in order to verify the identity of users. The custom authentication flow is a series of challenge and response cycles that can be customized to meet different requirements. These challenge types may include CAPTCHAs or dynamic challenge questions.
+
+To define your challenges for custom authentication flow, you need to implement three Lambda triggers for Amazon Cognito.
+
+The flow is initiated by calling `signIn` with `AuthSignInOptions` configured with `AuthFlowType.customAuthWithSrp` OR `AuthFlowType.customAuthWithoutSrp`.
+
+Follow the instructions in [Custom Auth Sign In](/gen1/[platform]/build-a-backend/auth/sign-in-custom-flow/) to learn about how to integrate custom authentication flow in your application with the Auth APIs.
+
+
+
+For client side authentication there are four different flows:
+
+1. `USER_SRP_AUTH`: The `USER_SRP_AUTH` flow uses the [SRP protocol (Secure Remote Password)](https://en.wikipedia.org/wiki/Secure_Remote_Password_protocol) where the password never leaves the client and is unknown to the server. This is the recommended flow and is used by default.
+
+2. `USER_PASSWORD_AUTH`: The `USER_PASSWORD_AUTH` flow will send user credentials to the backend without applying SRP encryption. If you want to migrate users to Cognito using the "Migration" trigger and avoid forcing users to reset their passwords, you will need to use this authentication type because the Lambda function invoked by the trigger needs to verify the supplied credentials.
+
+3. `CUSTOM_WITH_SRP` & `CUSTOM_WITHOUT_SRP`: Allows for a series of challenge and response cycles that can be customized to meet different requirements.
+
+4. `USER_AUTH`: The `USER_AUTH` flow is a choice-based authentication flow that allows the user to choose from the list of available authentication methods. This flow is useful when you want to provide the user with the option to choose the authentication method. The choices that may be available to the user are `EMAIL_OTP`, `SMS_OTP`, `WEB_AUTHN`, `PASSWORD` or `PASSWORD_SRP`.
+
+The Auth flow can be customized when calling `signIn`, for example:
+
+```ts title="src/main.ts"
+await signIn({
+ username: "hello@mycompany.com",
+ password: "hunter2",
+ options: {
+ authFlowType: 'USER_AUTH'
+ }
+})
+```
+
+> For more information about authentication flows, please visit [AWS Cognito developer documentation](https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-authentication-flow.html#amazon-cognito-user-pools-custom-authentication-flow)
+
+## USER_AUTH flow
+
+The `USER_AUTH` sign in flow supports the following methods as first factors for authentication: `WEB_AUTHN`, `EMAIL_OTP`, `SMS_OTP`, `PASSWORD`, and `PASSWORD_SRP`.
+
+If the desired first factor is known when authentication is initiated, it can be passed to the `signIn` API as the `preferredChallenge` to initiate the corresponding authentication flow.
+
+```ts
+// PASSWORD_SRP / PASSWORD
+// sign in with preferred challenge as password
+// note password must be provided in same step
+const { nextStep } = await signIn({
+ username: "hello@mycompany.com",
+ password: "hunter2",
+ options: {
+ authFlowType: "USER_AUTH",
+ preferredChallenge: "PASSWORD_SRP" // or "PASSWORD"
+ },
+});
+
+// WEB_AUTHN / EMAIL_OTP / SMS_OTP
+// sign in with preferred passwordless challenge
+// no additional user input required at this step
+const { nextStep } = await signIn({
+ username: "hello@example.com",
+ options: {
+ authFlowType: "USER_AUTH",
+ preferredChallenge: "WEB_AUTHN" // or "EMAIL_OTP" or "SMS_OTP"
+ },
+});
+```
+
+If the desired first factor is not known or you would like to provide users with the available options, `preferredChallenge` can be omitted from the initial `signIn` API call.
+
+This allows you to discover which authentication first factors are available for a user via the `CONTINUE_SIGN_IN_WITH_FIRST_FACTOR_SELECTION` step. You can then present the available options to the user and use the `confirmSignIn` API to respond with the user's selection.
+
+```ts
+const { nextStep: signInNextStep } = await signIn({
+ username: '+15551234567',
+ options: {
+ authFlowType: 'USER_AUTH',
+ },
+});
+
+if (
+ signInNextStep.signInStep === 'CONTINUE_SIGN_IN_WITH_FIRST_FACTOR_SELECTION'
+) {
+ // present user with list of available challenges
+ console.log(`Available Challenges: ${signInNextStep.availableChallenges}`);
+
+ // respond with user selection using `confirmSignIn` API
+ const { nextStep: nextConfirmSignInStep } = await confirmSignIn({
+ challengeResponse: 'SMS_OTP', // or 'EMAIL_OTP', 'WEB_AUTHN', 'PASSWORD', 'PASSWORD_SRP'
+ });
+}
+
+```
+Also, note that if the `preferredChallenge` passed to the initial `signIn` API call is unavailable for the user, Amplify will also respond with the `CONTINUE_SIGN_IN_WITH_FIRST_FACTOR_SELECTION` next step.
+
+
+For more information about determining a first factor, and signing in with passwordless authentication factors, please visit the [Passwordless](/[platform]/build-a-backend/auth/concepts/passwordless/) concepts page.
+
+
+## USER_PASSWORD_AUTH flow
+
+A use case for the `USER_PASSWORD_AUTH` authentication flow is migrating users into Amazon Cognito
+
+### Set up auth backend
+
+In order to use the authentication flow `USER_PASSWORD_AUTH`, your Cognito app client has to be configured to allow it. In the AWS Console, this is done by ticking the checkbox at General settings > App clients > Show Details (for the affected client) > Enable username-password (non-SRP) flow. If you're using the AWS CLI or CloudFormation, update your app client by adding `USER_PASSWORD_AUTH` to the list of "Explicit Auth Flows".
+
+### Migrate users with Amazon Cognito
+
+Amazon Cognito provides a trigger to migrate users from your existing user directory seamlessly into Cognito. You achieve this by configuring your User Pool's "Migration" trigger which invokes a Lambda function whenever a user that does not already exist in the user pool authenticates, or resets their password.
+
+In short, the Lambda function will validate the user credentials against your existing user directory and return a response object containing the user attributes and status on success. An error message will be returned if an error occurs. Visit [Amazon Cognito user pools import guide](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-import-using-lambda.html) for migration flow and more detailed instruction, and [Amazon Cognito Lambda trigger guide](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-migrate-user.html#cognito-user-pools-lambda-trigger-syntax-user-migration) on how to set up lambda to handle request and response objects.
+
+## `CUSTOM_WITH_SRP` & `CUSTOM_WITHOUT_SRP` flows
+
+Amazon Cognito user pools supports customizing the authentication flow to enable custom challenge types,
+in addition to a password in order to verify the identity of users. These challenge types may include CAPTCHAs
+or dynamic challenge questions. The `CUSTOM_WITH_SRP` flow requires a password when calling `signIn`. Both of
+these flows map to the `CUSTOM_AUTH` flow in Cognito.
+
+
+
+To define your challenges for custom authentication flow, you need to implement three Lambda triggers for Amazon Cognito. Please visit [AWS Amplify Custom Auth Challenge example](/[platform]/build-a-backend/functions/examples/custom-auth-flows/) for set up instructions.
+
+
+
+
+
+For more information about working with Lambda Triggers for custom authentication challenges, please visit [Amazon Cognito Developer Documentation](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-challenge.html).
+
+
+
+### Custom authentication flow
+
+To initiate a custom authentication flow in your app, call `signIn` without a password. A custom challenge needs to be answered using the `confirmSignIn` API:
+
+```ts title="src/main.ts"
+import { signIn, confirmSignIn } from 'aws-amplify/auth';
+
+const challengeResponse = 'the answer for the challenge';
+
+const { nextStep } = await signIn({
+ username,
+ options: {
+ authFlowType: 'CUSTOM_WITHOUT_SRP',
+ },
+});
+
+if (nextStep.signInStep === 'CONFIRM_SIGN_IN_WITH_CUSTOM_CHALLENGE') {
+ // to send the answer of the custom challenge
+ await confirmSignIn({ challengeResponse });
+}
+```
+
+### CAPTCHA authentication
+
+To create a CAPTCHA challenge with a Lambda Trigger, please visit [AWS Amplify Google reCAPTCHA challenge example](/[platform]/build-a-backend/functions/examples/google-recaptcha-challenge/) for detailed examples.
+
+
+
+`AWSCognitoAuthPlugin` allows you to switch between different auth flows while initiating signIn. You can configure the flow in the `amplify_outputs.json` file or pass the `authFlowType` as a option to the `signIn` api call.
+
+For client side authentication there are four different flows that can be configured during runtime:
+
+1. `USER_SRP_AUTH`: The `USER_SRP_AUTH` flow uses the [SRP protocol (Secure Remote Password)](https://en.wikipedia.org/wiki/Secure_Remote_Password_protocol) where the password never leaves the client and is unknown to the server. This is the recommended flow and is used by default.
+
+2. `USER_PASSWORD_AUTH`: The `USER_PASSWORD_AUTH` flow will send user credentials unencrypted to the back-end. If you want to migrate users to Cognito using the "Migration" trigger and avoid forcing users to reset their passwords, you will need to use this authentication type because the Lambda function invoked by the trigger needs to verify the supplied credentials.
+
+3. `CUSTOM_AUTH_WITH_SRP`: The `CUSTOM_AUTH_WITH_SRP` flow is used to start with SRP authentication and then switch to custom authentication. This is useful if you want to use SRP for the initial authentication and then use custom authentication for subsequent authentication attempts.
+
+4. `CUSTOM_AUTH_WITHOUT_SRP`: The `CUSTOM_AUTH_WITHOUT_SRP` flow is used to start authentication flow **WITHOUT** SRP and then use a series of challenge and response cycles that can be customized to meet different requirements.
+
+5. `USER_AUTH`: The `USER_AUTH` flow is a choice-based authentication flow that allows the user to choose from the list of available authentication methods. This flow is useful when you want to provide the user with the option to choose the authentication method. The choices that may be available to the user are `EMAIL_OTP`, `SMS_OTP`, `WEB_AUTHN`, `PASSWORD` or `PASSWORD_SRP`.
+
+`Auth` can be configured to use the different flows at runtime by calling `signIn` with `AWSCognitoAuthSignInOptions`'s `authFlowType` as `AuthFlowType.USER_PASSWORD_AUTH`, `AuthFlowType.CUSTOM_AUTH_WITHOUT_SRP`, `AuthFlowType.CUSTOM_AUTH_WITH_SRP`, or `AuthFlowType.USER_AUTH`. If you do not specify the `AuthFlowType` in `AWSCognitoAuthSignInOptions`, the default flow specified in `amplify_outputs.json` will be used.
+
+
+
+Runtime configuration will take precedence and will override any auth flow type configuration present in `amplify_outputs.json`.
+
+
+
+For more information about authentication flows, please visit [Amazon Cognito developer documentation](https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-authentication-flow.html#amazon-cognito-user-pools-custom-authentication-flow)
+
+## USER_AUTH (Choice-based authentication) flow
+
+A use case for the `USER_AUTH` authentication flow is to provide the user with the option to choose the authentication method. The choices that may be available to the user are `EMAIL_OTP`, `SMS_OTP`, `WEB_AUTHN`, `PASSWORD` or `PASSWORD_SRP`.
+
+
+Amplify requires an `Activity` reference to attach the PassKey UI to your Application's [Task](https://developer.android.com/guide/components/activities/tasks-and-back-stack) when using WebAuthn - if an `Activity` is not supplied then the UI will appear in a separate Task. For this reason, we strongly recommend passing the `callingActivity` option to both the `signIn` and `confirmSignIn` APIs if your application uses the `USER_AUTH` flow.
+
+
+If the desired first factor is known before the sign in flow is initiated it can be passed to the initial sign in call.
+
+#### [Java]
+
+```java
+// PASSWORD_SRP / PASSWORD
+// Sign in with preferred challenge as password
+// NOTE: Password must be provided in the same step
+AuthSignInOptions options = AWSCognitoAuthSignInOptions.builder()
+ .callingActivity(activity)
+ .authFlowType(AuthFlowType.USER_AUTH)
+ .preferredFirstFactor(AuthFactorType.PASSWORD_SRP) // or "PASSWORD"
+ .build();
+Amplify.Auth.signIn(
+ username,
+ password,
+ options,
+ result -> Log.i("AuthQuickStart", "Next step for sign in is " + result.getNextStep()),
+ error -> Log.e("AuthQuickStart", "Failed to confirm sign in", error)
+);
+
+// WEB_AUTHN / EMAIL_OTP / SMS_OTP
+// Sign in with preferred passwordless challenge
+// No user input is required at this step
+AuthSignInOptions options = AWSCognitoAuthSignInOptions.builder()
+ .callingActivity(activity)
+ .authFlowType(AuthFlowType.USER_AUTH)
+ .preferredFirstFactor(AuthFactorType.WEB_AUTHN) // or "EMAIL_OTP" or "SMS_OTP"
+ .build();
+Amplify.Auth.signIn(
+ username,
+ null,
+ options,
+ result -> Log.i("AuthQuickStart", "Next step for sign in is " + result.getNextStep()),
+ error -> Log.e("AuthQuickStart", "Failed to confirm sign in", error)
+);
+```
+
+#### [Kotlin - Callbacks]
+
+```kotlin
+// PASSWORD_SRP / PASSWORD
+// Sign in with preferred challenge as password
+// NOTE: Password must be provided in the same step
+val options = AWSCognitoAuthSignInOptions.builder()
+ .callingActivity(activity)
+ .authFlowType(AuthFlowType.USER_AUTH)
+ .preferredFirstFactor(AuthFactorType.PASSWORD_SRP) // or "PASSWORD"
+ .build()
+Amplify.Auth.signIn(
+ username,
+ password,
+ options,
+ { result -> Log.i("AuthQuickStart", "Next step for sign in is ${result.nextStep}") },
+ { error -> Log.e("AuthQuickStart", "Failed to confirm sign in", error) }
+)
+
+// WEB_AUTHN / EMAIL_OTP / SMS_OTP
+// Sign in with preferred passwordless challenge
+// No user input is required at this step
+val options = AWSCognitoAuthSignInOptions.builder()
+ .callingActivity(activity)
+ .authFlowType(AuthFlowType.USER_AUTH)
+ .preferredFirstFactor(AuthFactorType.WEB_AUTHN) // or "EMAIL_OTP" or "SMS_OTP"
+ .build()
+Amplify.Auth.signIn(
+ username,
+ null,
+ options,
+ { result -> Log.i("AuthQuickStart", "Next step for sign in is ${result.nextStep}") },
+ { error -> Log.e("AuthQuickStart", "Failed to confirm sign in", error) }
+)
+```
+
+#### [Kotlin - Coroutines]
+
+```kotlin
+// PASSWORD_SRP / PASSWORD
+// Sign in with preferred challenge as password
+// NOTE: Password must be provided in the same step
+try {
+ val options = AWSCognitoAuthSignInOptions.builder()
+ .callingActivity(activity)
+ .authFlowType(AuthFlowType.USER_AUTH)
+ .preferredFirstFactor(AuthFactorType.PASSWORD_SRP) // or "PASSWORD"
+ .build()
+ val result = Amplify.Auth.signIn(
+ username = "hello@example.com",
+ password = "password",
+ options = options
+ )
+ Log.i("AuthQuickstart", "Next step for sign in is ${result.nextStep}")
+} catch (error: AuthException) {
+ Log.e("AuthQuickstart", "Sign in failed", error)
+}
+
+// WEB_AUTHN / EMAIL_OTP / SMS_OTP
+// Sign in with preferred passwordless challenge
+// No user input is required at this step
+try {
+ val options = AWSCognitoAuthSignInOptions.builder()
+ .callingActivity(activity)
+ .authFlowType(AuthFlowType.USER_AUTH)
+ .preferredFirstFactor(AuthFactorType.WEB_AUTHN) // or "EMAIL_OTP" or "SMS_OTP"
+ .build()
+ val result = Amplify.Auth.signIn(
+ username = "hello@example.com",
+ password = null,
+ options = options
+ )
+ Log.i("AuthQuickstart", "Next step for sign in is ${result.nextStep}")
+} catch (error: AuthException) {
+ Log.e("AuthQuickstart", "Sign in failed", error)
+}
+```
+
+#### [RxJava]
+
+```java
+// PASSWORD_SRP / PASSWORD
+// Sign in with preferred challenge as password
+// NOTE: Password must be provided in the same step
+AuthSignInOptions options = AWSCognitoAuthSignInOptions.builder()
+ .callingActivity(activity)
+ .authFlowType(AuthFlowType.USER_AUTH)
+ .preferredFirstFactor(AuthFactorType.PASSWORD_SRP) // or "PASSWORD"
+ .build();
+RxAmplify.Auth.signIn(username, password, options)
+ .subscribe(
+ result -> Log.i("AuthQuickstart", "Next step for sign in is " + result.getNextStep()),
+ error -> Log.e("AuthQuickstart", "Failed to confirm sign in", error))
+ );
+
+// WEB_AUTHN / EMAIL_OTP / SMS_OTP
+// Sign in with preferred passwordless challenge
+// No user input is required at this step
+AuthSignInOptions options = AWSCognitoAuthSignInOptions.builder()
+ .callingActivity(activity)
+ .authFlowType(AuthFlowType.USER_AUTH)
+ .preferredFirstFactor(AuthFactorType.WEB_AUTHN) // or "EMAIL_OTP" or "SMS_OTP"
+ .build();
+RxAmplify.Auth.signIn(username, null, options)
+ .subscribe(
+ result -> Log.i("AuthQuickstart", "Next step for sign in is " + result.getNextStep()),
+ error -> Log.e("AuthQuickstart", "Failed to confirm sign in", error))
+ );
+```
+
+If the preferred first factor is not supplied or is unavailable, and the user has multiple factors available, the flow will continue to select an available first factor by returning an `AuthNextSignInStep.signInStep` value of `CONTINUE_SIGN_IN_WITH_FIRST_FACTOR_SELECTION`, and a list of `AuthNextSignInStep.availableFactors`.
+
+The selection of the authentication method is done by the user. The user can choose from the available factors and proceed with the selected factor. You should call the `confirmSignIn` API with the selected factor to continue the sign-in process. Following is an example if you want to proceed with the `WEB_AUTHN` factor selection:
+
+#### [Java]
+
+```java
+AuthConfirmSignInOptions options = AWSCognitoAuthConfirmSignInOptions.builder()
+ .callingActivity(activity)
+ .build();
+Amplify.Auth.confirmSignIn(
+ AuthFactorType.WEB_AUTHN.getChallengeResponse(),
+ options,
+ result -> Log.i("AuthQuickStart", "Next step for sign in is " + result.getNextStep()),
+ error -> Log.e("AuthQuickStart", "Failed to confirm sign in", error)
+);
+```
+
+#### [Kotlin - Callbacks]
+
+```kotlin
+val options = AWSCognitoAuthConfirmSignInOptions.builder()
+ .callingActivity(activity)
+ .build()
+Amplify.Auth.confirmSignIn(
+ AuthFactorType.WEB_AUTHN.challengeResponse,
+ options,
+ { result -> Log.i("AuthQuickStart", "Next step for sign in is ${result.nextStep}") },
+ { error -> Log.e("AuthQuickStart", "Failed to confirm sign in", error) }
+)
+```
+
+#### [Kotlin - Coroutines]
+
+```kotlin
+try {
+ val options = AWSCognitoAuthConfirmSignInOptions.builder()
+ .callingActivity(activity)
+ .build()
+ val result = Amplify.Auth.confirmSignIn(
+ challengeResponse = AuthFactorType.WEB_AUTHN.challengeResponse,
+ options = options
+ )
+ Log.i("AuthQuickstart", "Next step for sign in is ${result.nextStep}")
+} catch (error: AuthException) {
+ Log.e("AuthQuickstart", "Sign in failed", error)
+}
+```
+
+#### [RxJava]
+
+```java
+AuthConfirmSignInOptions options = AWSCognitoAuthConfirmSignInOptions.builder()
+ .callingActivity(activity)
+ .build();
+RxAmplify.Auth.confirmSignIn(AuthFactorType.WEB_AUTHN.getChallengeResponse(), options)
+ .subscribe(
+ result -> Log.i("AuthQuickstart", "Next step for sign in is " + result.getNextStep()),
+ error -> Log.e("AuthQuickstart", "Failed to confirm sign in", error))
+ );
+```
+
+## USER_PASSWORD_AUTH flow
+
+A use case for the `USER_PASSWORD_AUTH` authentication flow is migrating users into Amazon Cognito
+
+A user migration Lambda trigger helps migrate users from a legacy user management system into your user pool. If you choose the USER_PASSWORD_AUTH authentication flow, users don't have to reset their passwords during user migration. This flow sends your user's password to the service over an encrypted SSL connection during authentication.
+
+When you have migrated all your users, switch flows to the more secure SRP flow. The SRP flow doesn't send any passwords over the network.
+
+#### [Java]
+
+```java
+AuthSignInOptions options = AWSCognitoAuthSignInOptions.builder()
+ .authFlowType(AuthFlowType.USER_PASSWORD_AUTH)
+ .build();
+Amplify.Auth.signIn(
+ "hello@example.com",
+ "password",
+ options,
+ result -> Log.i("AuthQuickStart", "Sign in succeeded with result " + result),
+ error -> Log.e("AuthQuickStart", "Failed to sign in", error)
+);
+```
+
+#### [Kotlin - Callbacks]
+
+```kotlin
+val options = AWSCognitoAuthSignInOptions.builder()
+ .authFlowType(AuthFlowType.USER_PASSWORD_AUTH)
+ .build()
+Amplify.Auth.signIn(
+ "hello@example.com",
+ "password",
+ options,
+ { result ->
+ Log.i("AuthQuickstart", "Next step for sign in is ${result.nextStep}")
+ },
+ { error ->
+ Log.e("AuthQuickstart", "Failed to sign in", error)
+ }
+)
+```
+
+#### [Kotlin - Coroutines]
+
+```kotlin
+try {
+ val options = AWSCognitoAuthSignInOptions.builder()
+ .authFlowType(AuthFlowType.USER_PASSWORD_AUTH)
+ .build()
+ val result = Amplify.Auth.signIn(
+ username = "hello@example.com",
+ password = "password",
+ options = options
+ )
+ Log.i("AuthQuickstart", "Next step for sign in is ${result.nextStep}")
+} catch (error: AuthException) {
+ Log.e("AuthQuickstart", "Sign in failed", error)
+}
+```
+
+#### [RxJava]
+
+```java
+AuthSignInOptions options = AWSCognitoAuthSignInOptions.builder()
+ .authFlowType(AuthFlowType.USER_PASSWORD_AUTH)
+ .build();
+RxAmplify.Auth.signIn("hello@example.com", "password", options)
+ .subscribe(
+ result -> Log.i("AuthQuickstart", "Next step for sign in is " + result.getNextStep()),
+ error -> Log.e("AuthQuickstart", error.toString())
+ );
+```
+
+### Set up auth backend
+
+In order to use the authentication flow `USER_PASSWORD_AUTH`, your Cognito app client has to be configured to allow it. Amplify Gen 2 enables SRP auth by default. To enable USER_PASSWORD_AUTH, you can update the `backend.ts` file with the following changes:
+
+```ts title="amplify/backend.ts"
+import { defineBackend } from '@aws-amplify/backend'
+import { auth } from './auth/resource'
+import { data } from './data/resource'
+
+const backend = defineBackend({
+ auth,
+ data,
+});
+
+// highlight-start
+backend.auth.resources.cfnResources.cfnUserPoolClient.explicitAuthFlows = [
+ "ALLOW_USER_PASSWORD_AUTH",
+ "ALLOW_USER_SRP_AUTH",
+ "ALLOW_USER_AUTH",
+ "ALLOW_REFRESH_TOKEN_AUTH"
+];
+// highlight-end
+```
+
+### Migrate users with Amazon Cognito
+
+Amazon Cognito provides a trigger to migrate users from your existing user directory seamlessly into Cognito. You achieve this by configuring your User Pool's "Migration" trigger which invokes a Lambda function whenever a user that does not already exist in the user pool authenticates, or resets their password.
+
+In short, the Lambda function will validate the user credentials against your existing user directory and return a response object containing the user attributes and status on success. An error message will be returned if an error occurs. There's documentation around [how to set up this migration flow](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-import-using-lambda.html) and more detailed instructions on [how the lambda should handle request and response objects](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-migrate-user.html#cognito-user-pools-lambda-trigger-syntax-user-migration).
+
+## CUSTOM_AUTH flow
+
+Amazon Cognito User Pools supports customizing the authentication flow to enable custom challenge types, in addition to a password in order to verify the identity of users. The custom authentication flow is a series of challenge and response cycles that can be customized to meet different requirements. These challenge types may include CAPTCHAs or dynamic challenge questions.
+
+To define your challenges for custom authentication flow, you need to implement three Lambda triggers for Amazon Cognito.
+
+The flow is initiated by calling `signIn` with `AWSCognitoAuthSignInOptions` configured with `AuthFlowType.CUSTOM_AUTH_WITH_SRP` OR `AuthFlowType.CUSTOM_AUTH_WITHOUT_SRP`.
+
+Follow the instructions in [Custom Auth Sign In](/gen1/[platform]/build-a-backend/auth/sign-in-custom-flow/) to learn about how to integrate custom authentication flow in your application with the Auth APIs.
+
+
+
+
+For more information about working with Lambda Triggers for custom authentication challenges, please visit [Amazon Cognito Developer Documentation](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-challenge.html).
+
+
+
+---
+
+---
+title: "Sign-out"
+section: "build-a-backend/auth/connect-your-frontend"
+platforms: ["android", "angular", "flutter", "javascript", "nextjs", "react", "react-native", "swift", "vue"]
+gen: 2
+last-updated: "2024-05-21T15:34:09.000Z"
+url: "https://docs.amplify.aws/react/build-a-backend/auth/connect-your-frontend/sign-out/"
+---
+
+Amplify provides a client library that enables you to interact with backend resources such as Amplify Auth.
+
+
+> **Info:** The quickest way to get started with Amplify Auth in your frontend application is with the [Authenticator component](https://ui.docs.amplify.aws/react/connected-components/authenticator), which provides a customizable UI and complete authentication flows.
+
+
+
+> **Info:** The quickest way to get started with Amplify Auth in your frontend application is with the [Authenticator component](https://ui.docs.amplify.aws/swift/connected-components/authenticator), which provides a customizable UI and complete authentication flows.
+
+
+
+> **Info:** The quickest way to get started with Amplify Auth in your frontend application is with the [Authenticator component](https://ui.docs.amplify.aws/flutter/connected-components/authenticator), which provides a customizable UI and complete authentication flows.
+
+
+
+> **Info:** The quickest way to get started with Amplify Auth in your frontend application is with the [Authenticator component](https://ui.docs.amplify.aws/android/connected-components/authenticator), which provides a customizable UI and complete authentication flows.
+
+
+To sign a user out of your application use the `signOut` API.
+
+
+```ts
+import { signOut } from 'aws-amplify/auth';
+
+await signOut();
+```
+
+
+```dart
+Future signOutCurrentUser() async {
+ final result = await Amplify.Auth.signOut();
+ if (result is CognitoCompleteSignOut) {
+ safePrint('Sign out completed successfully');
+ } else if (result is CognitoFailedSignOut) {
+ safePrint('Error signing user out: ${result.exception.message}');
+ }
+}
+```
+
+
+
+#### [Java]
+
+```java
+Amplify.Auth.signOut( signOutResult -> {
+ if (signOutResult instanceof AWSCognitoAuthSignOutResult.CompleteSignOut) {
+ // Sign Out completed fully and without errors.
+ Log.i("AuthQuickStart", "Signed out successfully");
+ } else if (signOutResult instanceof AWSCognitoAuthSignOutResult.PartialSignOut) {
+ // Sign Out completed with some errors. User is signed out of the device.
+ AWSCognitoAuthSignOutResult.PartialSignOut partialSignOutResult =
+ (AWSCognitoAuthSignOutResult.PartialSignOut) signOutResult;
+
+ HostedUIError hostedUIError = partialSignOutResult.getHostedUIError();
+ if (hostedUIError != null) {
+ Log.e("AuthQuickStart", "HostedUI Error", hostedUIError.getException());
+ // Optional: Re-launch hostedUIError.getUrl() in a Custom tab to clear Cognito web session.
+ }
+
+ GlobalSignOutError globalSignOutError = partialSignOutResult.getGlobalSignOutError();
+ if (globalSignOutError != null) {
+ Log.e("AuthQuickStart", "GlobalSignOut Error", globalSignOutError.getException());
+ // Optional: Use escape hatch to retry revocation of globalSignOutError.getAccessToken().
+ }
+
+ RevokeTokenError revokeTokenError = partialSignOutResult.getRevokeTokenError();
+ if (revokeTokenError != null) {
+ Log.e("AuthQuickStart", "RevokeToken Error", revokeTokenError.getException());
+ // Optional: Use escape hatch to retry revocation of revokeTokenError.getRefreshToken().
+ }
+ } else if (signOutResult instanceof AWSCognitoAuthSignOutResult.FailedSignOut) {
+ AWSCognitoAuthSignOutResult.FailedSignOut failedSignOutResult =
+ (AWSCognitoAuthSignOutResult.FailedSignOut) signOutResult;
+ // Sign Out failed with an exception, leaving the user signed in.
+ Log.e("AuthQuickStart", "Sign out Failed", failedSignOutResult.getException());
+ }
+});
+```
+
+#### [Kotlin - Callbacks]
+
+```kotlin
+Amplify.Auth.signOut { signOutResult ->
+ when(signOutResult) {
+ is AWSCognitoAuthSignOutResult.CompleteSignOut -> {
+ // Sign Out completed fully and without errors.
+ Log.i("AuthQuickStart", "Signed out successfully")
+ }
+ is AWSCognitoAuthSignOutResult.PartialSignOut -> {
+ // Sign Out completed with some errors. User is signed out of the device.
+ signOutResult.hostedUIError?.let {
+ Log.e("AuthQuickStart", "HostedUI Error", it.exception)
+ // Optional: Re-launch it.url in a Custom tab to clear Cognito web session.
+
+ }
+ signOutResult.globalSignOutError?.let {
+ Log.e("AuthQuickStart", "GlobalSignOut Error", it.exception)
+ // Optional: Use escape hatch to retry revocation of it.accessToken.
+ }
+ signOutResult.revokeTokenError?.let {
+ Log.e("AuthQuickStart", "RevokeToken Error", it.exception)
+ // Optional: Use escape hatch to retry revocation of it.refreshToken.
+ }
+ }
+ is AWSCognitoAuthSignOutResult.FailedSignOut -> {
+ // Sign Out failed with an exception, leaving the user signed in.
+ Log.e("AuthQuickStart", "Sign out Failed", signOutResult.exception)
+ }
+ }
+}
+```
+
+#### [Kotlin - Coroutines]
+
+```kotlin
+val signOutResult = Amplify.Auth.signOut()
+when(signOutResult) {
+ is AWSCognitoAuthSignOutResult.CompleteSignOut -> {
+ // Sign Out completed fully and without errors.
+ Log.i("AuthQuickStart", "Signed out successfully")
+ }
+ is AWSCognitoAuthSignOutResult.PartialSignOut -> {
+ // Sign Out completed with some errors. User is signed out of the device.
+ signOutResult.hostedUIError?.let {
+ Log.e("AuthQuickStart", "HostedUI Error", it.exception)
+ // Optional: Re-launch it.url in a Custom tab to clear Cognito web session.
+
+ }
+ signOutResult.globalSignOutError?.let {
+ Log.e("AuthQuickStart", "GlobalSignOut Error", it.exception)
+ // Optional: Use escape hatch to retry revocation of it.accessToken.
+ }
+ signOutResult.revokeTokenError?.let {
+ Log.e("AuthQuickStart", "RevokeToken Error", it.exception)
+ // Optional: Use escape hatch to retry revocation of it.refreshToken.
+ }
+ }
+ is AWSCognitoAuthSignOutResult.FailedSignOut -> {
+ // Sign Out failed with an exception, leaving the user signed in.
+ Log.e("AuthQuickStart", "Sign out Failed", signOutResult.exception)
+ }
+}
+```
+
+#### [RxJava]
+
+```java
+RxAmplify.Auth.signOut()
+ .subscribe(signOutResult -> {
+ if (signOutResult instanceof AWSCognitoAuthSignOutResult.CompleteSignOut) {
+ // Sign Out completed fully and without errors.
+ Log.i("AuthQuickStart", "Signed out successfully");
+ } else if (signOutResult instanceof AWSCognitoAuthSignOutResult.PartialSignOut) {
+ // Sign Out completed with some errors. User is signed out of the device.
+ AWSCognitoAuthSignOutResult.PartialSignOut partialSignOutResult =
+ (AWSCognitoAuthSignOutResult.PartialSignOut) signOutResult;
+
+ HostedUIError hostedUIError = partialSignOutResult.getHostedUIError();
+ if (hostedUIError != null) {
+ Log.e("AuthQuickStart", "HostedUI Error", hostedUIError.getException());
+ // Optional: Re-launch hostedUIError.getUrl() in a Custom tab to clear Cognito web session.
+ }
+
+ GlobalSignOutError globalSignOutError = partialSignOutResult.getGlobalSignOutError();
+ if (globalSignOutError != null) {
+ Log.e("AuthQuickStart", "GlobalSignOut Error", globalSignOutError.getException());
+ // Optional: Use escape hatch to retry revocation of globalSignOutError.getAccessToken().
+ }
+
+ RevokeTokenError revokeTokenError = partialSignOutResult.getRevokeTokenError();
+ if (revokeTokenError != null) {
+ Log.e("AuthQuickStart", "RevokeToken Error", revokeTokenError.getException());
+ // Optional: Use escape hatch to retry revocation of revokeTokenError.getRefreshToken().
+ }
+ } else if (signOutResult instanceof AWSCognitoAuthSignOutResult.FailedSignOut) {
+ AWSCognitoAuthSignOutResult.FailedSignOut failedSignOutResult =
+ (AWSCognitoAuthSignOutResult.FailedSignOut) signOutResult;
+ // Sign Out failed with an exception, leaving the user signed in.
+ Log.e("AuthQuickStart", "Sign out Failed", failedSignOutResult.getException());
+ }
+ });
+```
+
+
+
+
+#### [Async/Await]
+
+```swift
+func signOutLocally() async {
+ let result = await Amplify.Auth.signOut()
+ guard let signOutResult = result as? AWSCognitoSignOutResult
+ else {
+ print("Signout failed")
+ return
+ }
+
+ print("Local signout successful: \(signOutResult.signedOutLocally)")
+ switch signOutResult {
+ case .complete:
+ // Sign Out completed fully and without errors.
+ print("Signed out successfully")
+
+ case let .partial(revokeTokenError, globalSignOutError, hostedUIError):
+ // Sign Out completed with some errors. User is signed out of the device.
+
+ if let hostedUIError = hostedUIError {
+ print("HostedUI error \(String(describing: hostedUIError))")
+ }
+
+ if let globalSignOutError = globalSignOutError {
+ // Optional: Use escape hatch to retry revocation of globalSignOutError.accessToken.
+ print("GlobalSignOut error \(String(describing: globalSignOutError))")
+ }
+
+ if let revokeTokenError = revokeTokenError {
+ // Optional: Use escape hatch to retry revocation of revokeTokenError.accessToken.
+ print("Revoke token error \(String(describing: revokeTokenError))")
+ }
+
+ case .failed(let error):
+ // Sign Out failed with an exception, leaving the user signed in.
+ print("SignOut failed with \(error)")
+ }
+}
+```
+
+#### [Combine]
+
+```swift
+func signOutLocally() -> AnyCancellable {
+ Amplify.Publisher.create {
+ await Amplify.Auth.signOut()
+ }.sink(receiveValue: { result in
+ guard let signOutResult = result as? AWSCognitoSignOutResult
+ else {
+ print("Signout failed")
+ return
+ }
+ print("Local signout successful: \(signOutResult.signedOutLocally)")
+ switch signOutResult {
+ case .complete:
+ // Sign Out completed fully and without errors.
+ print("Signed out successfully")
+
+ case let .partial(revokeTokenError, globalSignOutError, hostedUIError):
+ // Sign Out completed with some errors. User is signed out of the device.
+ if let hostedUIError = hostedUIError {
+ print("HostedUI error \(String(describing: hostedUIError))")
+ }
+
+ if let globalSignOutError = globalSignOutError {
+ // Optional: Use escape hatch to retry revocation of globalSignOutError.accessToken.
+ print("GlobalSignOut error \(String(describing: globalSignOutError))")
+ }
+
+ if let revokeTokenError = revokeTokenError {
+ // Optional: Use escape hatch to retry revocation of revokeTokenError.accessToken.
+ print("Revoke token error \(String(describing: revokeTokenError))")
+ }
+
+ case .failed(let error):
+ // Sign Out failed with an exception, leaving the user signed in.
+ print("SignOut failed with \(error)")
+ }
+ })
+}
+```
+
+
+
+You can also sign out users from all devices by performing a global sign-out. This will also invalidate all refresh tokens issued to a user. The user's current access and ID tokens will remain valid on other devices until the refresh token expires (access and ID tokens expire one hour after they are issued).
+
+
+```ts
+import { signOut } from 'aws-amplify/auth';
+
+await signOut({ global: true });
+```
+
+
+```dart
+Future signOutGlobally() async {
+ final result = await Amplify.Auth.signOut(
+ options: const SignOutOptions(globalSignOut: true),
+ );
+ if (result is CognitoCompleteSignOut) {
+ safePrint('Sign out completed successfully');
+ } else if (result is CognitoPartialSignOut) {
+ final globalSignOutException = result.globalSignOutException!;
+ final accessToken = globalSignOutException.accessToken;
+ // Retry the global sign out using the access token, if desired
+ // ...
+ safePrint('Error signing user out: ${globalSignOutException.message}');
+ } else if (result is CognitoFailedSignOut) {
+ safePrint('Error signing user out: ${result.exception.message}');
+ }
+}
+```
+
+
+
+#### [Java]
+
+```java
+AuthSignOutOptions options = AuthSignOutOptions.builder()
+ .globalSignOut(true)
+ .build();
+
+Amplify.Auth.signOut(options, signOutResult -> {
+ if (signOutResult instanceof AWSCognitoAuthSignOutResult.CompleteSignOut) {
+ // handle successful sign out
+ } else if (signOutResult instanceof AWSCognitoAuthSignOutResult.PartialSignOut) {
+ // handle partial sign out
+ } else if (signOutResult instanceof AWSCognitoAuthSignOutResult.FailedSignOut) {
+ // handle failed sign out
+ }
+});
+```
+
+#### [Kotlin - Callbacks]
+
+```kotlin
+val options = AuthSignOutOptions.builder()
+ .globalSignOut(true)
+ .build()
+
+Amplify.Auth.signOut(options) { signOutResult ->
+ when(signOutResult) {
+ is AWSCognitoAuthSignOutResult.CompleteSignOut -> {
+ // handle successful sign out
+ }
+ is AWSCognitoAuthSignOutResult.PartialSignOut -> {
+ // handle partial sign out
+ }
+ is AWSCognitoAuthSignOutResult.FailedSignOut -> {
+ // handle failed sign out
+ }
+ }
+}
+```
+
+#### [Kotlin - Coroutines]
+
+```kotlin
+val options = AuthSignOutOptions.builder()
+ .globalSignOut(true)
+ .build()
+
+val signOutResult = Amplify.Auth.signOut(options)
+
+when(signOutResult) {
+ is AWSCognitoAuthSignOutResult.CompleteSignOut -> {
+ // handle successful sign out
+ }
+ is AWSCognitoAuthSignOutResult.PartialSignOut -> {
+ // handle partial sign out
+ }
+ is AWSCognitoAuthSignOutResult.FailedSignOut -> {
+ // handle failed sign out
+ }
+}
+```
+
+#### [RxJava]
+
+```java
+AuthSignOutOptions options = AuthSignOutOptions.builder()
+ .globalSignOut(true)
+ .build();
+
+RxAmplify.Auth.signOut(options)
+ .subscribe(signOutResult -> {
+ if (signOutResult instanceof AWSCognitoAuthSignOutResult.CompleteSignOut) {
+ // handle successful sign out
+ } else if (signOutResult instanceof AWSCognitoAuthSignOutResult.PartialSignOut) {
+ // handle partial sign out
+ } else if (signOutResult instanceof AWSCognitoAuthSignOutResult.FailedSignOut) {
+ // handle failed sign out
+ }
+ });
+```
+
+
+
+
+#### [Async/Await]
+
+```swift
+import AWSCognitoAuthPlugin
+
+func signOutGlobally() async {
+ let result = await Amplify.Auth.signOut(options: .init(globalSignOut: true))
+ guard let signOutResult = result as? AWSCognitoSignOutResult
+ else {
+ print("Signout failed")
+ return
+ }
+
+ print("Local signout successful: \(signOutResult.signedOutLocally)")
+ switch signOutResult {
+ case .complete:
+ // handle successful sign out
+ case .failed(let error):
+ // handle failed sign out
+ case let .partial(revokeTokenError, globalSignOutError, hostedUIError):
+ // handle partial sign out
+ }
+}
+```
+
+#### [Combine]
+
+```swift
+func signOutGlobally() -> AnyCancellable {
+ Amplify.Publisher.create {
+ await Amplify.Auth.signOut(options: .init(globalSignOut: true))
+ }.sink(receiveValue: { result in
+ guard let signOutResult = result as? AWSCognitoSignOutResult
+ else {
+ print("Signout failed")
+ return
+ }
+ print("Local signout successful: \(signOutResult.signedOutLocally)")
+ switch signOutResult {
+ case .complete:
+ // handle successful sign out
+ case .failed(let error):
+ // handle failed sign out
+ case let .partial(revokeTokenError, globalSignOutError, hostedUIError):
+ // handle partial sign out
+ }
+ })
+}
+```
+
+
+
+
+## Practical Example
+
+
+```tsx title="src/App.tsx"
+import { Amplify } from "aws-amplify"
+// highlight-next-line
+import { signOut } from "aws-amplify/auth"
+import outputs from "../amplify_outputs.json"
+
+Amplify.configure(outputs)
+
+export default function App() {
+ async function handleSignOut() {
+ // highlight-next-line
+ await signOut()
+ }
+
+ return (
+
+ )
+}
+```
+
+
+
+---
+
+---
+title: "Manage user sessions"
+section: "build-a-backend/auth/connect-your-frontend"
+platforms: ["android", "angular", "flutter", "javascript", "nextjs", "react", "react-native", "swift", "vue"]
+gen: 2
+last-updated: "2024-10-25T16:39:44.000Z"
+url: "https://docs.amplify.aws/react/build-a-backend/auth/connect-your-frontend/manage-user-sessions/"
+---
+
+Amplify Auth provides access to current user sessions and tokens to help you retrieve your user's information to determine if they are signed in with a valid session and control their access to your app.
+
+
+## Retrieve your current authenticated user
+
+You can use the `getCurrentUser` API to get information about the currently authenticated user including the `username`, `userId` and `signInDetails`.
+
+```ts
+import { getCurrentUser } from 'aws-amplify/auth';
+
+const { username, userId, signInDetails } = await getCurrentUser();
+
+console.log("username", username);
+console.log("user id", userId);
+console.log("sign-in details", signInDetails);
+```
+
+This method can be used to check if a user is signed in. It throws an error if the user is not authenticated.
+
+> **Info:** The user's `signInDetails` are not supported when using the `Hosted UI` or the `signInWithRedirect` API.
+
+## Retrieve a user session
+
+Your user's session is their signed-in state, which grants them access to your app. When your users sign in, their credentials are exchanged for temporary access tokens. You can get session details to access these tokens and use this information to validate user access or perform actions unique to that user.
+
+If you only need the session details, you can use the `fetchAuthSession` API which returns a `tokens` object containing the JSON Web Tokens (JWT).
+
+```ts
+import { fetchAuthSession } from 'aws-amplify/auth';
+
+const session = await fetchAuthSession();
+
+console.log("id token", session.tokens.idToken)
+console.log("access token", session.tokens.accessToken)
+```
+
+### Refreshing sessions
+
+The `fetchAuthSession` API automatically refreshes the user's session when the authentication tokens have expired and a valid `refreshToken` is present. Additionally, you can also refresh the session explicitly by calling the `fetchAuthSession` API with the `forceRefresh` flag enabled.
+
+```ts
+import { fetchAuthSession } from 'aws-amplify/auth';
+
+await fetchAuthSession({ forceRefresh: true });
+```
+
+> **Warning:** **Warning:** by default, sessions from external identity providers cannot be refreshed.
+
+
+An intentional decision with Amplify Auth was to avoid any public methods exposing credentials or manipulating them.
+
+With Auth, you simply sign in and it handles everything else needed to keep the credentials up to date and vend them to the other categories.
+
+However, if you need to access them in relation to working with an API outside Amplify or want access to AWS specific identifying information (e.g. IdentityId), you can access these implementation details by calling `fetchAuthSession` on the Cognito Auth Plugin. This will return a `CognitoAuthSession`, which has additional attributes compared to `AuthSession`, which is typically returned by `fetchAuthSession`. See the example below:
+
+```dart
+Future fetchAuthSession() async {
+ try {
+ final result = await Amplify.Auth.fetchAuthSession();
+ safePrint('User is signed in: ${result.isSignedIn}');
+ } on AuthException catch (e) {
+ safePrint('Error retrieving auth session: ${e.message}');
+ }
+}
+```
+
+## Retrieving AWS credentials
+
+Sometimes it can be helpful to retrieve the instance of the underlying plugin which has more specific typing. In case of Cognito, calling `fetchAuthSession` on the Cognito plugin returns AWS-specific values such as the identity ID, AWS credentials, and Cognito User Pool tokens.
+
+```dart
+Future fetchCognitoAuthSession() async {
+ try {
+ final cognitoPlugin = Amplify.Auth.getPlugin(AmplifyAuthCognito.pluginKey);
+ final result = await cognitoPlugin.fetchAuthSession();
+ final identityId = result.identityIdResult.value;
+ safePrint("Current user's identity ID: $identityId");
+ } on AuthException catch (e) {
+ safePrint('Error retrieving auth session: ${e.message}');
+ }
+}
+```
+
+
+An intentional decision with Amplify Auth was to avoid any public methods exposing credentials or manipulating them.
+
+With Auth, you simply sign in and it handles everything else needed to keep the credentials up to date and vend them to the other categories.
+
+However, if you need to access them in relation to working with an API outside Amplify or want access to AWS specific identifying information (e.g. IdentityId), you can access these implementation details by casting the result of `fetchAuthSession` as follows:
+
+#### [Java]
+
+```java
+Amplify.Auth.fetchAuthSession(
+ result -> {
+ AWSCognitoAuthSession cognitoAuthSession = (AWSCognitoAuthSession) result;
+ switch(cognitoAuthSession.getIdentityIdResult().getType()) {
+ case SUCCESS:
+ Log.i("AuthQuickStart", "IdentityId: " + cognitoAuthSession.getIdentityIdResult().getValue());
+ break;
+ case FAILURE:
+ Log.i("AuthQuickStart", "IdentityId not present because: " + cognitoAuthSession.getIdentityIdResult().getError().toString());
+ }
+ },
+ error -> Log.e("AuthQuickStart", error.toString())
+);
+```
+
+#### [Kotlin - Callbacks]
+
+```kotlin
+Amplify.Auth.fetchAuthSession(
+ {
+ val session = it as AWSCognitoAuthSession
+ when (session.identityIdResult.type) {
+ AuthSessionResult.Type.SUCCESS ->
+ Log.i("AuthQuickStart", "IdentityId = ${session.identityIdResult.value}")
+ AuthSessionResult.Type.FAILURE ->
+ Log.w("AuthQuickStart", "IdentityId not found", session.identityIdResult.error)
+ }
+ },
+ { Log.e("AuthQuickStart", "Failed to fetch session", it) }
+)
+```
+
+#### [Kotlin - Coroutines]
+
+```kotlin
+try {
+ val session = Amplify.Auth.fetchAuthSession() as AWSCognitoAuthSession
+ val id = session.identityIdResult
+ if (id.type == AuthSessionResult.Type.SUCCESS) {
+ Log.i("AuthQuickStart", "IdentityId: ${id.value}")
+ } else if (id.type == AuthSessionResult.Type.FAILURE) {
+ Log.i("AuthQuickStart", "IdentityId not present: ${id.error}")
+ }
+} catch (error: AuthException) {
+ Log.e("AuthQuickStart", "Failed to fetch session", error)
+}
+```
+
+#### [RxJava]
+
+```java
+RxAmplify.Auth.fetchAuthSession()
+ .subscribe(
+ result -> {
+ AWSCognitoAuthSession cognitoAuthSession = (AWSCognitoAuthSession) result;
+
+ switch (cognitoAuthSession.getIdentityIdResult().getType()) {
+ case SUCCESS:
+ Log.i("AuthQuickStart", "IdentityId: " + cognitoAuthSession.getIdentityIdResult().getValue());
+ break;
+ case FAILURE:
+ Log.i("AuthQuickStart", "IdentityId not present because: " + cognitoAuthSession.getIdentityIdResult().getError().toString());
+ }
+ },
+ error -> Log.e("AuthQuickStart", error.toString())
+ );
+```
+
+## Force refreshing session
+
+Through the plugin, you can force refresh the internal session by setting the `forceRefresh` option when calling the fetchAuthSession API.
+
+#### [Java]
+
+```java
+AuthFetchSessionOptions options = AuthFetchSessionOptions.builder().forceRefresh(true).build();
+```
+
+#### [Kotlin - Callbacks]
+
+```kotlin
+val option = AuthFetchSessionOptions.builder().forceRefresh(true).build()
+```
+
+#### [Kotlin - Coroutines]
+
+```kotlin
+val option = AuthFetchSessionOptions.builder().forceRefresh(true).build()
+```
+
+#### [RxJava]
+
+```java
+AuthFetchSessionOptions options = AuthFetchSessionOptions.builder().forceRefresh(true).build();
+```
+
+
+
+An intentional decision with Amplify Auth was to avoid any public methods exposing credentials or manipulating them.
+
+With Auth, you simply sign in and it handles everything else needed to keep the credentials up to date and vend them to the other categories.
+
+However, if you need to access them in relation to working with an API outside Amplify or want access to AWS specific identifying information (e.g. IdentityId), you can access these implementation details by casting the result of `fetchAuthSession` as follows:
+
+```swift
+import AWSPluginsCore
+
+do {
+ let session = try await Amplify.Auth.fetchAuthSession()
+
+ // Get user sub or identity id
+ if let identityProvider = session as? AuthCognitoIdentityProvider {
+ let usersub = try identityProvider.getUserSub().get()
+ let identityId = try identityProvider.getIdentityId().get()
+ print("User sub - \(usersub) and identity id \(identityId)")
+ }
+
+ // Get AWS credentials
+ if let awsCredentialsProvider = session as? AuthAWSCredentialsProvider {
+ let credentials = try awsCredentialsProvider.getAWSCredentials().get()
+ // Do something with the credentials
+ }
+
+ // Get cognito user pool token
+ if let cognitoTokenProvider = session as? AuthCognitoTokensProvider {
+ let tokens = try cognitoTokenProvider.getCognitoTokens().get()
+ // Do something with the JWT tokens
+ }
+} catch let error as AuthError {
+ print("Fetch auth session failed with error - \(error)")
+} catch {
+}
+```
+If you have enabled guest user in Cognito Identity Pool and no user is signed in, you will be able to access only identityId and AWS credentials. All other session details will give you an error.
+
+```swift
+import AWSPluginsCore
+
+do {
+ let session = try await Amplify.Auth.fetchAuthSession()
+
+ // Get identity id
+ if let identityProvider = session as? AuthCognitoIdentityProvider {
+ let identityId = try identityProvider.getIdentityId().get()
+ print("Identity id \(identityId)")
+ }
+
+ // Get AWS credentials
+ if let awsCredentialsProvider = session as? AuthAWSCredentialsProvider {
+ let credentials = try awsCredentialsProvider.getAWSCredentials().get()
+ // Do something with the credentials
+ }
+} catch let error as AuthError {
+ print("Fetch auth session failed with error - \(error)")
+} catch {
+ print("Unexpected error: \(error)")
+}
+```
+
+## Force refreshing session
+
+Through the plugin, you can force refresh the internal session by passing an api options `forceRefresh` while calling the fetchAuthSession api.
+
+```swift
+Amplify.Auth.fetchAuthSession(options: .forceRefresh())
+
+```
+
+
+---
+
+---
+title: "Manage user attributes"
+section: "build-a-backend/auth/connect-your-frontend"
+platforms: ["android", "angular", "flutter", "javascript", "nextjs", "react", "react-native", "swift", "vue"]
+gen: 2
+last-updated: "2024-11-14T19:12:03.000Z"
+url: "https://docs.amplify.aws/react/build-a-backend/auth/connect-your-frontend/manage-user-attributes/"
+---
+
+User attributes such as email address, phone number help you identify individual users. Defining the user attributes you include for your user profiles makes user data easy to manage at scale. This information will help you personalize user journeys, tailor content, provide intuitive account control, and more. You can capture information upfront during sign-up or enable customers to update their profile after sign-up. In this section we take a closer look at working with user attributes, how to set them up and manage them.
+
+
+## Pass user attributes during sign-up
+
+You can create user attributes during sign-up or when the user is authenticated. To do this as part of sign-up you can pass them in the `userAttributes` object of the `signUp` API:
+
+```ts
+import { signUp } from "aws-amplify/auth";
+
+await signUp({
+ username: "jdoe",
+ password: "mysecurerandompassword#123",
+ options: {
+ userAttributes: {
+ email: "me@domain.com",
+ phone_number: "+12128601234", // E.164 number convention
+ given_name: "Jane",
+ family_name: "Doe",
+ nickname: "Jane",
+ },
+ },
+});
+```
+
+
+
+## Configure custom user attributes during sign-up
+
+Custom attributes can be passed in with the `userAttributes` option of the `signUp` API:
+
+
+```ts
+import { signUp } from "aws-amplify/auth";
+
+await signUp({
+ username: 'john.doe@example.com',
+ password: 'hunter2',
+ options: {
+ userAttributes: {
+ 'custom:display_name': 'john_doe123',
+ }
+ }
+});
+```
+
+
+```dart
+Future _signUp({
+ required String username,
+ required String password,
+ required String email,
+ required String customValue,
+}) async {
+ final userAttributes = {
+ AuthUserAttributeKey.email: email,
+ // Create and pass a custom attribute
+ const CognitoUserAttributeKey.custom('my-custom-attribute'): customValue
+ };
+ await Amplify.Auth.signUp(
+ username: username,
+ password: password,
+ options: SignUpOptions(
+ userAttributes: userAttributes,
+ ),
+ );
+}
+```
+
+
+```swift
+func signUp(username: String, password: String, email: String) async {
+ do {
+ let signUpResult = try await Amplify.Auth.signUp(
+ username: username,
+ password: password,
+ options: .init(userAttributes: [
+ AuthUserAttribute(.email, value: email),
+ AuthUserAttribute(.custom("my-custom-attribute"), value: )
+ ])
+ )
+ if case let .confirmUser(deliveryDetails, _, userId) = signUpResult.nextStep {
+ print("Delivery details \(String(describing: deliveryDetails)) for userId: \(String(describing: userId)))")
+ } else {
+ print("SignUp Complete")
+ }
+ } catch let error as AuthError {
+ print("An error occurred while registering a user \(error)")
+ } catch {
+ print("Unexpected error: \(error)")
+ }
+}
+```
+
+
+
+## Retrieve user attributes
+
+You can retrieve user attributes for your users to read in their profile using the `fetchUserAttributes` API. This helps you personalize their frontend experience as well as control what they will see.
+
+
+```ts
+import { fetchUserAttributes } from 'aws-amplify/auth';
+
+await fetchUserAttributes();
+```
+
+
+
+#### [Async/Await]
+
+```swift
+func fetchAttributes() async {
+ do {
+ let attributes = try await Amplify.Auth.fetchUserAttributes()
+ print("User attributes - \(attributes)")
+ } catch let error as AuthError{
+ print("Fetching user attributes failed with error \(error)")
+ } catch {
+ print("Unexpected error: \(error)")
+ }
+}
+```
+
+#### [Combine]
+
+```swift
+func fetchAttributes() -> AnyCancellable {
+ Amplify.Publisher.create {
+ try await Amplify.Auth.fetchUserAttributes()
+ }.sink {
+ if case let .failure(authError) = $0 {
+ print("Fetch user attributes failed with error \(authError)")
+ }
+ }
+ receiveValue: { attributes in
+ print("User attributes - \(attributes)")
+ }
+}
+```
+
+
+
+
+#### [Java]
+
+```java
+Amplify.Auth.fetchUserAttributes(
+ attributes -> Log.i("AuthDemo", "User attributes = " + attributes.toString()),
+ error -> Log.e("AuthDemo", "Failed to fetch user attributes.", error)
+);
+```
+
+#### [Kotlin - Callbacks]
+
+```kotlin
+Amplify.Auth.fetchUserAttributes(
+ { Log.i("AuthDemo", "User attributes = $it") },
+ { Log.e("AuthDemo", "Failed to fetch user attributes", it) }
+)
+```
+
+#### [Kotlin - Coroutines]
+
+```kotlin
+try {
+ val attributes = Amplify.Auth.fetchUserAttributes()
+ Log.i("AuthDemo", "User attributes = $attributes")
+} catch (error: AuthException) {
+ Log.e("AuthDemo", "Failed to fetch user attributes", error)
+}
+```
+
+#### [RxJava]
+
+```java
+RxAmplify.Auth.fetchUserAttributes()
+ .doOnSubscribe(() -> Log.i("AuthDemo", "Attributes:"))
+ .flatMapObservable(Observable::fromIterable)
+ .subscribe(
+ eachAttribute -> Log.i("AuthDemo", eachAttribute.toString()),
+ error -> Log.e("AuthDemo", "Failed to fetch attributes.", error)
+ );
+```
+
+
+
+```dart
+Future fetchCurrentUserAttributes() async {
+ try {
+ final result = await Amplify.Auth.fetchUserAttributes();
+ for (final element in result) {
+ safePrint('key: ${element.userAttributeKey}; value: ${element.value}');
+ }
+ } on AuthException catch (e) {
+ safePrint('Error fetching user attributes: ${e.message}');
+ }
+}
+```
+
+
+## Update user attribute
+
+You can use the `updateUserAttribute` API to create or update existing user attributes.
+
+
+
+#### [TypeScript]
+
+```typescript
+import {
+ updateUserAttribute,
+ type UpdateUserAttributeOutput
+} from 'aws-amplify/auth';
+
+async function handleUpdateUserAttribute(attributeKey: string, value: string) {
+ try {
+ const output = await updateUserAttribute({
+ userAttribute: {
+ attributeKey,
+ value
+ }
+ });
+ handleUpdateUserAttributeNextSteps(output);
+ } catch (error) {
+ console.log(error);
+ }
+}
+
+function handleUpdateUserAttributeNextSteps(output: UpdateUserAttributeOutput) {
+ const { nextStep } = output;
+
+ switch (nextStep.updateAttributeStep) {
+ case 'CONFIRM_ATTRIBUTE_WITH_CODE':
+ const codeDeliveryDetails = nextStep.codeDeliveryDetails;
+ console.log(
+ `Confirmation code was sent to ${codeDeliveryDetails?.deliveryMedium}.`
+ );
+ // Collect the confirmation code from the user and pass to confirmUserAttribute.
+ break;
+ case 'DONE':
+ console.log(`attribute was successfully updated.`);
+ break;
+ }
+}
+```
+
+#### [JavaScript]
+
+```javascript
+import { updateUserAttribute } from 'aws-amplify/auth';
+
+async function handleUpdateUserAttribute(attributeKey, value) {
+ try {
+ const output = await updateUserAttribute({
+ userAttribute: {
+ attributeKey,
+ value
+ }
+ });
+ handleUpdateUserAttributeNextSteps(output);
+ } catch (error) {
+ console.log(error);
+ }
+}
+
+function handleUpdateUserAttributeNextSteps(output) {
+ const { nextStep } = output;
+
+ switch (nextStep.updateAttributeStep) {
+ case 'CONFIRM_ATTRIBUTE_WITH_CODE':
+ const codeDeliveryDetails = nextStep.codeDeliveryDetails;
+ console.log(
+ `Confirmation code was sent to ${codeDeliveryDetails?.deliveryMedium}.`
+ );
+ // Collect the confirmation code from the user and pass to confirmUserAttribute.
+ break;
+ case 'DONE':
+ console.log(`attribute was successfully updated.`);
+ break;
+ }
+}
+```
+
+
+ Note: If you change an attribute that requires confirmation (i.e. email or phone_number), the user will receive a confirmation code either to their email or cellphone. This code can be used with the confirmUserAttribute API to confirm the change.
+
+
+
+
+
+#### [Async/Await]
+
+```swift
+func updateAttribute() async {
+ do {
+ let updateResult = try await Amplify.Auth.update(
+ userAttribute: AuthUserAttribute(.phoneNumber, value: "+2223334444")
+ )
+
+ switch updateResult.nextStep {
+ case .confirmAttributeWithCode(let deliveryDetails, let info):
+ print("Confirm the attribute with details send to - \(deliveryDetails) \(String(describing: info))")
+ case .done:
+ print("Update completed")
+ }
+ } catch let error as AuthError {
+ print("Update attribute failed with error \(error)")
+ } catch {
+ print("Unexpected error: \(error)")
+ }
+}
+```
+
+#### [Combine]
+
+```swift
+func updateAttribute() -> AnyCancellable {
+ Amplify.Publisher.create {
+ try await Amplify.Auth.update(
+ userAttribute: AuthUserAttribute(.phoneNumber, value: "+2223334444")
+ )
+ }.sink {
+ if case let .failure(authError) = $0 {
+ print("Update attribute failed with error \(authError)")
+ }
+ }
+ receiveValue: { updateResult in
+ switch updateResult.nextStep {
+ case .confirmAttributeWithCode(let deliveryDetails, let info):
+ print("Confirm the attribute with details send to - \(deliveryDetails) \(info)")
+ case .done:
+ print("Update completed")
+ }
+ }
+}
+```
+
+
+
+
+
+#### [Java]
+
+```java
+AuthUserAttribute userEmail =
+ new AuthUserAttribute(AuthUserAttributeKey.email(), "email@email.com");
+Amplify.Auth.updateUserAttribute(userEmail,
+ result -> Log.i("AuthDemo", "Updated user attribute = " + result.toString()),
+ error -> Log.e("AuthDemo", "Failed to update user attribute.", error)
+);
+```
+
+#### [Kotlin - Callbacks]
+
+```kotlin
+Amplify.Auth.updateUserAttribute(
+ AuthUserAttribute(AuthUserAttributeKey.email(), "email@email.com"),
+ { Log.i("AuthDemo", "Updated user attribute = $it") },
+ { Log.e("AuthDemo", "Failed to update user attribute.", it) }
+)
+```
+
+#### [Kotlin - Coroutines]
+
+```kotlin
+val attribute =
+ AuthUserAttribute(AuthUserAttributeKey.email(), "email@email.com")
+try {
+ val result = Amplify.Auth.updateUserAttribute(attribute)
+ Log.i("AuthDemo", "Updated user attribute = $result")
+} catch (error: AuthException) {
+ Log.e("AuthDemo", "Failed to update user attribute.", error)
+}
+```
+
+#### [RxJava]
+
+```java
+AuthUserAttribute userEmail =
+ new AuthUserAttribute(AuthUserAttributeKey.email(), "email@email.com");
+RxAmplify.Auth.updateUserAttribute(userEmail)
+ .subscribe(
+ result -> Log.i("AuthDemo", "Updated user attribute = " + result.toString()),
+ error -> Log.e("AuthDemo", "Failed to update user attribute.", error)
+ );
+```
+
+
+
+
+```dart
+Future updateUserEmail({
+ required String newEmail,
+}) async {
+ try {
+ final result = await Amplify.Auth.updateUserAttribute(
+ userAttributeKey: AuthUserAttributeKey.email,
+ value: newEmail,
+ );
+ _handleUpdateUserAttributeResult(result);
+ } on AuthException catch (e) {
+ safePrint('Error updating user attribute: ${e.message}');
+ }
+}
+```
+
+User attribute updates may require additional verification before they're complete. Check the
+`UpdateUserAttributeResult` returned from `Amplify.Auth.updateUserAttribute` to see which next
+step, if any, is required. When the update is complete, the next step will be `done`.
+
+```dart
+void _handleUpdateUserAttributeResult(
+ UpdateUserAttributeResult result,
+) {
+ switch (result.nextStep.updateAttributeStep) {
+ case AuthUpdateAttributeStep.confirmAttributeWithCode:
+ final codeDeliveryDetails = result.nextStep.codeDeliveryDetails!;
+ _handleCodeDelivery(codeDeliveryDetails);
+ break;
+ case AuthUpdateAttributeStep.done:
+ safePrint('Successfully updated attribute');
+ break;
+ }
+}
+
+void _handleCodeDelivery(AuthCodeDeliveryDetails codeDeliveryDetails) {
+ safePrint(
+ 'A confirmation code has been sent to ${codeDeliveryDetails.destination}. '
+ 'Please check your ${codeDeliveryDetails.deliveryMedium.name} for the code.',
+ );
+}
+```
+
+To update multiple user attributes at a time, call `updateUserAttributes`:
+
+```dart
+Future updateUserAttributes() async {
+ const attributes = [
+ AuthUserAttribute(
+ userAttributeKey: AuthUserAttributeKey.email,
+ value: 'email@email.com',
+ ),
+ AuthUserAttribute(
+ userAttributeKey: AuthUserAttributeKey.familyName,
+ value: 'MyFamilyName',
+ ),
+ ];
+ try {
+ final result = await Amplify.Auth.updateUserAttributes(
+ attributes: attributes,
+ );
+ result.forEach((key, value) {
+ switch (value.nextStep.updateAttributeStep) {
+ case AuthUpdateAttributeStep.confirmAttributeWithCode:
+ final destination = value.nextStep.codeDeliveryDetails?.destination;
+ safePrint('Confirmation code sent to $destination for $key');
+ break;
+ case AuthUpdateAttributeStep.done:
+ safePrint('Update completed for $key');
+ break;
+ }
+ });
+ } on AuthException catch (e) {
+ safePrint('Error updating user attributes: ${e.message}');
+ }
+}
+```
+
+
+
+## Update user attributes
+
+You can use the `updateUserAttributes` API to create or update multiple existing user attributes.
+
+
+```typescript
+import { updateUserAttributes, type UpdateUserAttributesOutput } from "aws-amplify/auth";
+
+await updateUserAttributes({
+ userAttributes: {
+ email: "me@domain.com",
+ name: "Jon Doe",
+ },
+});
+```
+
+
+
+
+#### [Java]
+
+```java
+Amplify.Auth.updateUserAttributes(
+ attributes, // attributes is a list of AuthUserAttribute
+ result -> Log.i("AuthDemo", "Updated user attributes = " + result.toString()),
+ error -> Log.e("AuthDemo", "Failed to update user attributes.", error)
+);
+```
+
+#### [Kotlin - Callbacks]
+
+```kotlin
+Amplify.Auth.updateUserAttributes(
+ attributes, // attributes is a list of AuthUserAttribute
+ { Log.i("AuthDemo", "Updated user attributes = $it") },
+ { Log.e("AuthDemo", "Failed to update user attributes", it) }
+)
+```
+
+#### [Kotlin - Coroutines]
+
+```kotlin
+try {
+ val result = Amplify.Auth.updateUserAttributes(attributes)
+ Log.i("AuthDemo", "Updated user attributes = $result")
+} catch (error: AuthException) {
+ Log.e("AuthDemo", "Failed to update user attributes", error)
+}
+```
+
+#### [RxJava]
+
+```java
+// attributes is a list of AuthUserAttribute
+RxAmplify.Auth.updateUserAttributes(attributes)
+ .subscribe(
+ result -> Log.i("AuthDemo", "Updated user attributes = " + result.toString()),
+ error -> Log.e("AuthDemo", "Failed to update user attributes.", error)
+ );
+```
+
+
+
+
+## Verify user attribute
+
+
+Some attributes require confirmation for the attribute update to complete. If the attribute needs to be confirmed, part of the result of the `updateUserAttribute` or `updateUserAttributes` APIs will be `CONFIRM_ATTRIBUTE_WITH_CODE`. A confirmation code will be sent to the delivery medium mentioned in the delivery details. When the user gets the confirmation code, you can present a UI to the user to enter the code and invoke the `confirmUserAttribute` API with their input:
+
+
+
+Some attributes require confirmation for the attribute update to complete. If the attribute needs to be confirmed, part of the result of the `updateUserAttribute` or `updateUserAttributes` APIs will be `confirmAttributeWithCode`. A confirmation code will be sent to the delivery medium mentioned in the delivery details. When the user gets the confirmation code, you can present a UI to the user to enter the code and invoke the `confirmUserAttribute` API with their input:
+
+
+
+```typescript
+import {
+ confirmUserAttribute,
+ type ConfirmUserAttributeInput
+} from 'aws-amplify/auth';
+
+async function handleConfirmUserAttribute({
+ userAttributeKey,
+ confirmationCode
+}: ConfirmUserAttributeInput) {
+ try {
+ await confirmUserAttribute({ userAttributeKey, confirmationCode });
+ } catch (error) {
+ console.log(error);
+ }
+}
+```
+
+
+
+
+#### [Async/Await]
+
+```swift
+func confirmAttribute() async {
+ do {
+ try await Amplify.Auth.confirm(userAttribute: .email, confirmationCode: "390739")
+ print("Attribute verified")
+ } catch let error as AuthError {
+ print("Update attribute failed with error \(error)")
+ } catch {
+ print("Unexpected error: \(error)")
+ }
+}
+```
+
+#### [Combine]
+
+```swift
+func confirmAttribute() -> AnyCancellable {
+ Amplify.Publisher.create {
+ try await Amplify.Auth.confirm(userAttribute: .email, confirmationCode: "390739")
+ }.sink {
+ if case let .failure(authError) = $0 {
+ print("Update attribute failed with error \(authError)")
+ }
+ }
+ receiveValue: { _ in
+ print("Attribute verified")
+ }
+}
+```
+
+
+
+
+
+#### [Java]
+
+```java
+Amplify.Auth.confirmUserAttribute(AuthUserAttributeKey.email(), "344299",
+ () -> Log.i("AuthDemo", "Confirmed user attribute with correct code."),
+ error -> Log.e("AuthDemo", "Failed to confirm user attribute. Bad code?", error)
+);
+```
+
+#### [Kotlin - Callbacks]
+
+```kotlin
+Amplify.Auth.confirmUserAttribute(AuthUserAttributeKey.email(), "344299",
+ { Log.i("AuthDemo", "Confirmed user attribute with correct code.") },
+ { Log.e("AuthDemo", "Failed to confirm user attribute. Bad code?", it) }
+)
+```
+
+#### [Kotlin - Coroutines]
+
+```kotlin
+try {
+ Amplify.Auth.confirmUserAttribute(AuthUserAttributeKey.email(), "344299")
+ Log.i("AuthDemo", "Confirmed user attribute with correct code.")
+} catch (error: AuthException) {
+ Log.e("AuthDemo", "Failed to confirm user attribute. Bade code?", error)
+}
+```
+
+#### [RxJava]
+
+```java
+RxAmplify.Auth.confirmUserAttribute(AuthUserAttributeKey.email(), "344299")
+ .subscribe(
+ () -> Log.i("AuthDemo", "Confirmed user attribute using correct code."),
+ error -> Log.e("AuthDemo", "Failed to confirm user attribute. Bad code?", error)
+ );
+```
+
+
+
+
+```dart
+Future verifyAttributeUpdate() async {
+ try {
+ await Amplify.Auth.confirmUserAttribute(
+ userAttributeKey: AuthUserAttributeKey.email,
+ confirmationCode: '390739',
+ );
+ } on AuthException catch (e) {
+ safePrint('Error confirming attribute update: ${e.message}');
+ }
+}
+```
+
+
+## Send user attribute verification code
+
+If an attribute needs to be verified while the user is authenticated, invoke the `sendUserAttributeVerificationCode` API as shown below:
+
+
+```ts
+import {
+ sendUserAttributeVerificationCode,
+ type VerifiableUserAttributeKey
+} from 'aws-amplify/auth';
+
+async function handleSendUserAttributeVerificationCode(
+ key: VerifiableUserAttributeKey
+) {
+ try {
+ await sendUserAttributeVerificationCode({
+ userAttributeKey: key
+ });
+ } catch (error) {
+ console.log(error);
+ }
+}
+```
+
+
+
+
+#### [Async/Await]
+
+```swift
+func sendVerificationCode() async {
+ do {
+ let deliveryDetails = try await Amplify.Auth.sendVerificationCode(forUserAttributeKey: .email)
+ print("Resend code send to - \(deliveryDetails)")
+ } catch let error as AuthError {
+ print("Resend code failed with error \(error)")
+ } catch {
+ print("Unexpected error: \(error)")
+ }
+}
+```
+
+#### [Combine]
+
+```swift
+func sendVerificationCode() -> AnyCancellable {
+ Amplify.Publisher.create {
+ try await Amplify.Auth.sendVerificationCode(forUserAttributeKey: .email)
+ }.sink {
+ if case let .failure(authError) = $0 {
+ print("Resend code failed with error \(authError)")
+ }
+ }
+ receiveValue: { deliveryDetails in
+ print("Resend code sent to - \(deliveryDetails)")
+ }
+}
+```
+
+
+
+
+
+#### [Java]
+
+```java
+Amplify.Auth.resendUserAttributeConfirmationCode(AuthUserAttributeKey.email(),
+ result -> Log.i("AuthDemo", "Code was sent again: " + result.toString()),
+ error -> Log.e("AuthDemo", "Failed to resend code.", error)
+);
+```
+
+#### [Kotlin - Callbacks]
+
+```kotlin
+Amplify.Auth.resendUserAttributeConfirmationCode(
+ AuthUserAttributeKey.email(),
+ { Log.i("AuthDemo", "Code was sent again: $it") },
+ { Log.e("AuthDemo", "Failed to resend code", it) }
+)
+```
+
+#### [Kotlin - Coroutines]
+
+```kotlin
+try {
+ val attr = AuthUserAttributeKey.email()
+ val result = Amplify.Auth.resendUserAttributeConfirmationCode(attr)
+ Log.i("AuthDemo", "Code was sent again: $result."),
+} catch (error: AuthException) {
+ Log.e("AuthDemo", "Failed to resend code.", error)
+}
+```
+
+#### [RxJava]
+
+```java
+RxAmplify.Auth.resendUserAttributeConfirmationCode(AuthUserAttributeKey.email())
+ .subscribe(
+ result -> Log.i("AuthDemo", "Code was resent: " + result.toString()),
+ error -> Log.e("AuthDemo", "Failed to resend code.", error)
+ );
+```
+
+
+
+
+```dart
+Future resendVerificationCode() async {
+ try {
+ final result = await Amplify.Auth.resendUserAttributeConfirmationCode(
+ userAttributeKey: AuthUserAttributeKey.email,
+ );
+ _handleCodeDelivery(result.codeDeliveryDetails);
+ } on AuthException catch (e) {
+ safePrint('Error resending code: ${e.message}');
+ }
+}
+```
+
+
+
+## Delete user attributes
+
+The `deleteUserAttributes` API allows to delete one or more user attributes.
+
+```ts
+import {
+ deleteUserAttributes,
+ type DeleteUserAttributesInput
+} from 'aws-amplify/auth';
+
+async function handleDeleteUserAttributes(
+ keys: DeleteUserAttributesInput['userAttributeKeys']
+) {
+ try {
+ await deleteUserAttributes({
+ userAttributeKeys: ['custom:my_custom_attribute', ...keys]
+ });
+ } catch (error) {
+ console.log(error);
+ }
+}
+```
+
+
+## Next Steps
+
+- [Learn how to set up password change and recovery](/[platform]/build-a-backend/auth/manage-users/manage-passwords/)
+- [Learn how to set up custom attributes](/[platform]/build-a-backend/auth/concepts/user-attributes#custom-attributes)
+
+---
+
+---
+title: "Listen to auth events"
+section: "build-a-backend/auth/connect-your-frontend"
+platforms: ["android", "angular", "flutter", "javascript", "nextjs", "react", "react-native", "swift", "vue"]
+gen: 2
+last-updated: "2024-05-16T15:59:30.000Z"
+url: "https://docs.amplify.aws/react/build-a-backend/auth/connect-your-frontend/listen-to-auth-events/"
+---
+
+Amplify Auth emits events during authentication flows, which enables you to react to user flows in real time and trigger custom business logic. For example, you may want to capture data, synchronize your app's state, and personalize the user's experience. You can listen to and respond to events across the Auth lifecycle such as sign-in and sign-out.
+
+
+## Expose hub events triggered in response to auth actions
+
+You can use Amplify Hub with its built in Amplify Auth events to subscribe a listener using a publish-subscribe pattern and capture events between different parts of your application. The Amplify Auth category publishes in the `auth` channel when auth events such as `signedIn` or `signedOut` happen independent from your app code.
+
+You can review the Amplify Hub guide to [learn more](/gen1/react/build-a-backend/utilities/hub/).
+
+> **Warning:** Channels are logical group names that help you organize dispatching and listening. However, some channels are protected and cannot be used to publish custom events, and `auth` is one of these channels. Sending unexpected payloads to protected channels can have undesirable side effects such as impacting authentication flows. See the [Amplify Hub](/gen1/react/build-a-backend/utilities/hub/) guide for more protected channels.
+
+Here is a basic example of setting up a listener that logs an event emitted through the `auth` channel:
+
+```js
+import { Hub } from 'aws-amplify/utils';
+
+Hub.listen('auth', (data) => {
+ console.log(data)
+});
+```
+
+Once your app is set up to subscribe and listen to specific event types from the `auth` channel, the listeners will be notified asynchronously when an event occurs. This pattern allows for a one-to-many relationship where one auth event can be shared with many different listeners that have been subscribed. This lets your app react based on the event rather than proactively poll for information.
+
+Additionally, you can set up your listener to extract data from the event payload and execute a callback that you define. For example, you might update UI elements in your app to reflect your user's authenticated state after the `signedIn` or `signedOut` events.
+
+### Listen to and log auth events
+
+One of the most common workflows will be to log events. In this example you can see how you can listen and target specific `auth` events using a `switch` to log your own messages.
+
+```js
+import { Hub } from 'aws-amplify/utils';
+
+Hub.listen('auth', ({ payload }) => {
+ switch (payload.event) {
+ case 'signedIn':
+ console.log('user have been signedIn successfully.');
+ break;
+ case 'signedOut':
+ console.log('user have been signedOut successfully.');
+ break;
+ case 'tokenRefresh':
+ console.log('auth tokens have been refreshed.');
+ break;
+ case 'tokenRefresh_failure':
+ console.log('failure while refreshing auth tokens.');
+ break;
+ case 'signInWithRedirect':
+ console.log('signInWithRedirect API has successfully been resolved.');
+ break;
+ case 'signInWithRedirect_failure':
+ console.log('failure while trying to resolve signInWithRedirect API.');
+ break;
+ case 'customOAuthState':
+ logger.info('custom state returned from CognitoHosted UI');
+ break;
+ }
+});
+```
+
+### Stop listening to events
+
+You can also stop listening for messages by calling the result of the `Hub.listen()` function. This may be useful if you no longer need to receive messages in your application flow. This can also help you avoid any memory leaks on low powered devices when you are sending large amounts of data through Amplify Hub on multiple channels.
+
+To stop listening to a certain event, you need to wrap the listener function with a variable and call it once you no longer need it:
+
+```js
+/* start listening for messages */
+const hubListenerCancelToken = Hub.listen('auth', (data) => {
+ console.log('Listening for all auth events: ', data.payload.data);
+});
+
+/* later */
+hubListenerCancelToken(); // stop listening for messages
+```
+
+You now have a few use cases and examples for listening to and responding to auth events.
+
+
+AWS Cognito Auth Plugin sends important events through Amplify Hub. You can listen to these events like the following:
+
+```dart
+final subscription = Amplify.Hub.listen(HubChannel.Auth, (AuthHubEvent event) {
+ switch (event.type) {
+ case AuthHubEventType.signedIn:
+ safePrint('User is signed in.');
+ break;
+ case AuthHubEventType.signedOut:
+ safePrint('User is signed out.');
+ break;
+ case AuthHubEventType.sessionExpired:
+ safePrint('The session has expired.');
+ break;
+ case AuthHubEventType.userDeleted:
+ safePrint('The user has been deleted.');
+ break;
+ }
+});
+```
+
+
+AWS Cognito Auth Plugin sends important events through Amplify Hub. You can listen to these events like the following:
+
+#### [Java]
+
+```java
+Amplify.Hub.subscribe(HubChannel.AUTH,
+ hubEvent -> {
+ if (hubEvent.getName().equals(InitializationStatus.SUCCEEDED.name())) {
+ Log.i("AuthQuickstart", "Auth successfully initialized");
+ } else if (hubEvent.getName().equals(InitializationStatus.FAILED.name())){
+ Log.i("AuthQuickstart", "Auth failed to succeed");
+ } else {
+ String eventName = hubEvent.getName();
+ if (eventName.equals(SIGNED_IN.name())) {
+ Log.i("AuthQuickstart", "Auth just became signed in.");
+ }
+ else if (eventName.equals(SIGNED_OUT.name())) {
+ Log.i("AuthQuickstart", "Auth just became signed out.");
+ }
+ else if (eventName.equals(SESSION_EXPIRED.name())) {
+ Log.i("AuthQuickstart", "Auth session just expired.");
+ }
+ else if (eventName.equals(USER_DELETED.name())) {
+ Log.i("AuthQuickstart", "User has been deleted.");
+ }
+ else {
+ Log.w("AuthQuickstart", "Unhandled Auth Event: " + eventName);
+ }
+ }
+ }
+);
+
+```
+
+#### [Kotlin - Callbacks]
+
+```kotlin
+Amplify.Hub.subscribe(HubChannel.AUTH) { event ->
+ when (event.name) {
+ InitializationStatus.SUCCEEDED.name ->
+ Log.i("AuthQuickstart", "Auth successfully initialized")
+ InitializationStatus.FAILED.name ->
+ Log.i("AuthQuickstart", "Auth failed to succeed")
+ else -> when (event.name) {
+ AuthChannelEventName.SIGNED_IN.name ->
+ Log.i("AuthQuickstart", "Auth just became signed in")
+ AuthChannelEventName.SIGNED_OUT.name ->
+ Log.i("AuthQuickstart", "Auth just became signed out")
+ AuthChannelEventName.SESSION_EXPIRED.name ->
+ Log.i("AuthQuickstart", "Auth session just expired")
+ AuthChannelEventName.USER_DELETED.name ->
+ Log.i("AuthQuickstart", "User has been deleted")
+ else ->
+ Log.w("AuthQuickstart", "Unhandled Auth Event: ${event.name}")
+ }
+ }
+}
+```
+
+#### [Kotlin - Coroutines]
+
+```kotlin
+Amplify.Hub.subscribe(HubChannel.AUTH).collect {
+ when (it.name) {
+ InitializationStatus.SUCCEEDED.name ->
+ Log.i("AuthQuickstart", "Auth successfully initialized")
+ InitializationStatus.FAILED.name ->
+ Log.i("AuthQuickstart", "Auth failed to succeed")
+ else -> when (it.name) {
+ AuthChannelEventName.SIGNED_IN.name ->
+ Log.i("AuthQuickstart", "Auth just became signed in.")
+ AuthChannelEventName.SIGNED_OUT.name ->
+ Log.i("AuthQuickstart", "Auth just became signed out.")
+ AuthChannelEventName.SESSION_EXPIRED.name ->
+ Log.i("AuthQuickstart", "Auth session just expired.")
+ AuthChannelEventName.USER_DELETED.name ->
+ Log.i("AuthQuickstart", "User has been deleted.")
+ else ->
+ Log.w("AuthQuickstart", "Unhandled Auth Event: ${it.name}")
+ }
+ }
+}
+```
+
+#### [RxJava]
+
+```java
+RxAmplify.Hub.on(HubChannel.AUTH)
+ .map(HubEvent::getName)
+ .subscribe(name -> {
+ if (name.equals(InitializationStatus.SUCCEEDED.name())) {
+ Log.i("AuthQuickstart", "Auth successfully initialized");
+ return;
+ } else if (name.equals(InitializationStatus.FAILED.name())) {
+ Log.i("AuthQuickstart", "Auth failed to succeed");
+ return;
+ } else {
+ if (name.equals(SIGNED_IN.name())) {
+ Log.i("AuthQuickstart", "Auth just became signed in.");
+ }
+ else if (name.equals(SIGNED_OUT.name())) {
+ Log.i("AuthQuickstart", "Auth just became signed out.");
+ }
+ else if (name.equals(SESSION_EXPIRED.name())) {
+ Log.i("AuthQuickstart", "Auth session just expired.");
+ }
+ else if (name.equals(USER_DELETED.name())) {
+ Log.i("AuthQuickstart", "User has been deleted.");
+ }
+ else {
+ Log.w("AuthQuickstart", "Unhandled Auth Event: " + hubEvent.getName());
+ }
+ }
+ });
+```
+
+
+
+AWS Cognito Auth Plugin sends important events through Amplify Hub. You can listen to these events like the following:
+
+#### [Listener]
+
+```swift
+override func viewDidLoad() {
+ super.viewDidLoad()
+ // Do any additional setup after loading the view.
+
+ // Assumes `unsubscribeToken` is declared as an instance variable in your view
+ unsubscribeToken = Amplify.Hub.listen(to: .auth) { payload in
+ switch payload.eventName {
+ case HubPayload.EventName.Auth.signedIn:
+ print("User signed in")
+ // Update UI
+
+ case HubPayload.EventName.Auth.sessionExpired:
+ print("Session expired")
+ // Re-authenticate the user
+
+ case HubPayload.EventName.Auth.signedOut:
+ print("User signed out")
+ // Update UI
+
+ case HubPayload.EventName.Auth.userDeleted:
+ print("User deleted")
+ // Update UI
+
+ default:
+ break
+ }
+ }
+}
+```
+
+#### [Combine]
+
+```swift
+override func viewDidLoad() {
+ super.viewDidLoad()
+ // Do any additional setup after loading the view.
+
+ // Assumes `sink` is declared as an instance variable in your view controller
+ sink = Amplify.Hub
+ .publisher(for: .auth)
+ .sink { payload in
+ switch payload.eventName {
+ case HubPayload.EventName.Auth.signedIn:
+ print("User signed in")
+ // Update UI
+
+ case HubPayload.EventName.Auth.sessionExpired:
+ print("Session expired")
+ // Re-authenticate the user
+
+ case HubPayload.EventName.Auth.signedOut:
+ print("User signed out")
+ // Update UI
+
+ case HubPayload.EventName.Auth.userDeleted:
+ print("User deleted")
+ // Update UI
+
+ default:
+ break
+ }
+ }
+}
+```
+
+
+
+---
+
+---
+title: "Delete user account"
+section: "build-a-backend/auth/connect-your-frontend"
+platforms: ["android", "angular", "flutter", "javascript", "nextjs", "react", "react-native", "swift", "vue"]
+gen: 2
+last-updated: "2024-05-16T15:59:30.000Z"
+url: "https://docs.amplify.aws/react/build-a-backend/auth/connect-your-frontend/delete-user-account/"
+---
+
+export async function getStaticPaths() {
+ return getCustomStaticPath(meta.platforms);
+}
+
+Empowering users to delete their account can improve trust and transparency. You can programmatically enable self-service account deletion with Amplify Auth.
+
+If you have not yet created an Amplify Gen 2 app, visit the [quickstart](/[platform]/start/quickstart).
+
+## Allow users to delete their account
+
+You can quickly set up account deletion for your users with the Amplify Libraries. Invoking the `deleteUser` API to delete a user from the Auth category will also sign out your user.
+
+If your application uses a Cognito User Pool, which is the default configuration, this action will only delete the user from the Cognito User Pool. It will have no effect if you are federating with a Cognito Identity Pool alone.
+
+> **Warning:** Before invoking the `deleteUser` API, you may need to first delete associated user data that is not stored in Cognito. For example, if you are using Amplify Data to persist user data, you could follow [these instructions](https://gist.github.com/aws-amplify-ops/27954c421bd72930874d48c15c284807) to delete associated user data. This allows you to address any guidelines (such as GDPR) that require your app to delete data associated with a user who deletes their account.
+
+You can enable account deletion using the following method:
+
+
+```ts
+import { deleteUser } from 'aws-amplify/auth';
+
+async function handleDeleteUser() {
+ try {
+ await deleteUser();
+ } catch (error) {
+ console.log(error);
+ }
+}
+```
+
+
+```dart
+Future deleteUser() async {
+ try {
+ await Amplify.Auth.deleteUser();
+ safePrint('Delete user succeeded');
+ } on AuthException catch (e) {
+ safePrint('Delete user failed with error: $e');
+ }
+}
+```
+
+
+
+#### [Java]
+
+```java
+Amplify.Auth.deleteUser(
+ () -> Log.i("AuthQuickStart", "Delete user succeeded"),
+ error -> Log.e("AuthQuickStart", "Delete user failed with error " + error.toString())
+);
+```
+
+#### [Kotlin - Callbacks]
+
+```kotlin
+Amplify.Auth.deleteUser(
+ { Log.i("AuthQuickStart", "Delete user succeeded") },
+ { Log.e("AuthQuickStart", "Delete user failed with error", it) }
+)
+```
+
+#### [Kotlin - Coroutines]
+
+```kotlin
+try {
+ Amplify.Auth.deleteUser()
+ Log.i("AuthQuickStart", "Delete user succeeded")
+} catch (error: AuthException) {
+ Log.e("AuthQuickStart", "Delete user failed with error", error)
+}
+```
+
+#### [RxJava]
+
+```java
+RxAmplify.Auth.deleteUser()
+ .subscribe(
+ () -> Log.i("AuthQuickStart", "Delete user succeeded"),
+ error -> Log.e("AuthQuickStart", "Delete user failed with error " + error.toString())
+ );
+```
+
+
+
+
+#### [Async/Await]
+
+```swift
+func deleteUser() async {
+ do {
+ try await Amplify.Auth.deleteUser()
+ print("Successfully deleted user")
+ } catch let error as AuthError {
+ print("Delete user failed with error \(error)")
+ } catch {
+ print("Unexpected error: \(error)")
+ }
+}
+```
+
+#### [Combine]
+
+```swift
+func deleteUser() -> AnyCancellable {
+ Amplify.Publisher.create {
+ try await Amplify.Auth.deleteUser()
+ }.sink {
+ if case let .failure(authError) = $0 {
+ print("Delete user failed with error \(authError)")
+ }
+ }
+ receiveValue: {
+ print("Successfully deleted user")
+ }
+}
+```
+
+
+
+We recommend you update your UI to let your users know that their account is deleted and test the functionality with a test user. Note that your user will be signed out of your application when they delete their account.
+
+---
+
+---
+title: "Multi-step sign-in"
+section: "build-a-backend/auth/connect-your-frontend"
+platforms: ["android", "swift", "flutter", "react", "nextjs", "javascript", "react-native", "vue", "angular"]
+gen: 2
+last-updated: "2024-12-09T19:54:14.000Z"
+url: "https://docs.amplify.aws/react/build-a-backend/auth/connect-your-frontend/multi-step-sign-in/"
+---
+
+
+After a user has finished signup, they can proceed to sign in. Amplify Auth signin flows can be multi-step processes. The required steps are determined by the configuration provided when you define your auth resources. See the [multi-factor authentication](/[platform]/build-a-backend/auth/concepts/multi-factor-authentication/) page for more information.
+
+Depending on the configuration, you may need to call various APIs to finish authenticating a user's signin attempt. To identify the next step in a signin flow, inspect the `nextStep` parameter of the signin result.
+
+```typescript
+import {
+ confirmSignIn,
+ confirmSignUp,
+ resetPassword,
+ signIn,
+} from 'aws-amplify/auth';
+
+const { nextStep } = await signIn({
+ username: 'hello@mycompany.com',
+ password: 'hunter2',
+});
+
+if (
+ nextStep.signInStep === 'CONFIRM_SIGN_IN_WITH_SMS_CODE' ||
+ nextStep.signInStep === 'CONFIRM_SIGN_IN_WITH_EMAIL_CODE' ||
+ nextStep.signInStep === 'CONFIRM_SIGN_IN_WITH_TOTP_CODE'
+) {
+ // collect OTP from user
+ await confirmSignIn({
+ challengeResponse: '123456',
+ });
+}
+
+if (nextStep.signInStep === 'CONTINUE_SIGN_IN_WITH_MFA_SELECTION') {
+ // present nextStep.allowedMFATypes to user
+ // collect user selection
+ await confirmSignIn({
+ challengeResponse: 'EMAIL', // 'EMAIL', 'SMS', or 'TOTP'
+ });
+}
+
+if (nextStep.signInStep === 'CONTINUE_SIGN_IN_WITH_MFA_SETUP_SELECTION') {
+ // present nextStep.allowedMFATypes to user
+ // collect user selection
+ await confirmSignIn({
+ challengeResponse: 'EMAIL', // 'EMAIL' or 'TOTP'
+ });
+}
+
+if (nextStep.signInStep === 'CONTINUE_SIGN_IN_WITH_EMAIL_SETUP') {
+ // collect email address from user
+ await confirmSignIn({
+ challengeResponse: 'hello@mycompany.com',
+ });
+}
+
+if (nextStep.signInStep === 'CONTINUE_SIGN_IN_WITH_TOTP_SETUP') {
+ // present nextStep.totpSetupDetails.getSetupUri() to user
+ // collect OTP from user
+ await confirmSignIn({
+ challengeResponse: '123456',
+ });
+}
+
+if (nextStep.signInStep === 'CONFIRM_SIGN_IN_WITH_PASSWORD') {
+ // collect password from user
+ await confirmSignIn({
+ challengeResponse: 'hunter2',
+ });
+}
+
+if (nextStep.signInStep === 'CONTINUE_SIGN_IN_WITH_FIRST_FACTOR_SELECTION') {
+ // present nextStep.availableChallenges to user
+ // collect user selection
+ await confirmSignIn({
+ challengeResponse: 'SMS_OTP', // or 'EMAIL_OTP', 'WEB_AUTHN', 'PASSWORD', 'PASSWORD_SRP'
+ });
+}
+
+if (nextStep.signInStep === 'CONFIRM_SIGN_IN_WITH_CUSTOM_CHALLENGE') {
+ // collect custom challenge answer from user
+ await confirmSignIn({
+ challengeResponse: 'custom-challenge-answer',
+ });
+}
+
+if (nextStep.signInStep === 'CONFIRM_SIGN_IN_WITH_NEW_PASSWORD_REQUIRED') {
+ // collect new password from user
+ await confirmSignIn({
+ challengeResponse: 'new-password',
+ });
+}
+
+if (nextStep.signInStep === 'RESET_PASSWORD') {
+ // initiate reset password flow
+ await resetPassword({
+ username: 'username',
+ });
+}
+
+if (nextStep.signInStep === 'CONFIRM_SIGN_UP') {
+ // user was not confirmed during sign up process
+ // if user has confirmation code, invoke `confirmSignUp` api
+ // otherwise, invoke `resendSignUpCode` to resend the code
+ await confirmSignUp({
+ username: 'username',
+ confirmationCode: '123456',
+ });
+}
+
+if (nextStep.signInStep === 'DONE') {
+ // signin complete
+}
+```
+
+## Confirm sign-in with SMS MFA
+
+If the next step is `CONFIRM_SIGN_IN_WITH_SMS_CODE`, Amplify Auth has sent the user a random code over SMS and is waiting for the user to verify that code. To handle this step, your app's UI must prompt the user to enter the code. After the user enters the code, pass the value to the `confirmSignIn` API.
+
+
+
+The result includes an `AuthCodeDeliveryDetails` member. It includes additional information about the code delivery, such as the partial phone number of the SMS recipient, which can be used to prompt the user on where to look for the code.
+
+
+
+```ts
+import { type SignInOutput, confirmSignIn } from '@aws-amplify/auth';
+
+async function handleSignInResult(result: SignInOutput) {
+ switch (result.nextStep.signInStep) {
+ case 'CONFIRM_SIGN_IN_WITH_SMS_CODE': {
+ const { codeDeliveryDetails } = result.nextStep;
+ // OTP has been delivered to user via SMS
+ // Inspect codeDeliveryDetails for additional delivery information
+ console.log(
+ `A confirmation code has been sent to ${codeDeliveryDetails?.destination}`,
+ );
+ console.log(
+ `Please check your ${codeDeliveryDetails?.deliveryMedium} for the code.`,
+ );
+ break;
+ }
+ }
+}
+
+async function confirmMfaCode(mfaCode: string) {
+ const result = await confirmSignIn({ challengeResponse: mfaCode });
+
+ return handleSignInResult(result);
+}
+
+```
+
+## Confirm sign-in with TOTP MFA
+
+If the next step is `CONFIRM_SIGN_IN_WITH_TOTP_CODE`, you should prompt the user to enter the TOTP code from their associated authenticator app during set up. The code is a six-digit number that changes every 30 seconds. The user must enter the code before the 30-second window expires.
+
+After the user enters the code, your implementation must pass the value to Amplify Auth `confirmSignIn` API.
+
+```ts
+import { type SignInOutput, confirmSignIn } from '@aws-amplify/auth';
+
+async function handleSignInResult(result: SignInOutput) {
+ switch (result.nextStep.signInStep) {
+ case 'CONFIRM_SIGN_IN_WITH_TOTP_CODE': {
+ // Prompt user to open their authenticator app to retrieve the code
+ console.log(
+ `Enter a one-time code from your registered authenticator app`,
+ );
+ break;
+ }
+ }
+}
+// Then, pass the TOTP code to `confirmSignIn`
+async function confirmTotpCode(totpCode: string) {
+ const result = await confirmSignIn({ challengeResponse: totpCode });
+
+ return handleSignInResult(result);
+}
+
+```
+
+## Confirm sign-in with Email MFA
+
+If the next step is `CONFIRM_SIGN_IN_WITH_EMAIL_CODE`, Amplify Auth has sent the user a random code to their email address and is waiting for the user to verify that code. To handle this step, your app's UI must prompt the user to enter the code. After the user enters the code, pass the value to the `confirmSignIn` API.
+
+
+
+The result includes an `AuthCodeDeliveryDetails` member. It includes additional information about the code delivery, such as the partial email address of the recipient, which can be used to prompt the user on where to look for the code.
+
+
+
+```ts
+import { type SignInOutput, confirmSignIn } from '@aws-amplify/auth';
+
+async function handleSignInResult(result: SignInOutput) {
+ switch (result.nextStep.signInStep) {
+ case 'CONFIRM_SIGN_IN_WITH_EMAIL_CODE': {
+ const { codeDeliveryDetails } = result.nextStep;
+ // OTP has been delivered to user via Email
+ // Inspect codeDeliveryDetails for additional delivery information
+ console.log(
+ `A confirmation code has been sent to ${codeDeliveryDetails?.destination}`,
+ );
+ console.log(
+ `Please check your ${codeDeliveryDetails?.deliveryMedium} for the code.`,
+ );
+ break;
+ }
+ }
+}
+
+async function confirmMfaCode(mfaCode: string) {
+ const result = await confirmSignIn({ challengeResponse: mfaCode });
+
+ return handleSignInResult(result);
+}
+
+```
+
+## Continue sign-in with MFA Selection
+
+If the next step is `CONTINUE_SIGN_IN_WITH_MFA_SELECTION`, the user must select the MFA method to use. Amplify Auth currently supports SMS, TOTP, and EMAIL as MFA methods. After the user selects an MFA method, your implementation must pass the selected MFA method to Amplify Auth using `confirmSignIn` API.
+
+The MFA types which are currently supported by Amplify Auth are:
+
+- `SMS`
+- `TOTP`
+- `EMAIL`
+
+Once Amplify receives the users selection, you can expect to handle a follow up `nextStep` corresponding with the selected MFA type for setup:
+- If `SMS` is selected, `CONFIRM_SIGN_IN_WITH_SMS_CODE` will be the next step.
+- If `TOTP` is selected, `CONFIRM_SIGN_IN_WITH_TOTP_CODE` will be the next step.
+- If `EMAIL` is selected, `CONFIRM_SIGN_IN_WITH_EMAIL_CODE` will be the next step.
+
+```ts
+import { type SignInOutput, confirmSignIn } from '@aws-amplify/auth';
+
+async function handleSignInResult(result: SignInOutput) {
+ switch (result.nextStep.signInStep) {
+ case 'CONTINUE_SIGN_IN_WITH_MFA_SELECTION': {
+ const { allowedMFATypes } = result.nextStep;
+ // Present available MFA options to user
+ // Prompt for selection
+ console.log(`There are multiple MFA options available for sign in.`);
+ console.log(`Select an MFA type from the allowedMfaTypes list.`);
+ break;
+ }
+ }
+}
+
+type MfaType = 'SMS' | 'TOTP' | 'EMAIL';
+
+async function handleMfaSelection(mfaType: MfaType) {
+ const result = await confirmSignIn({ challengeResponse: mfaType });
+
+ return handleSignInResult(result);
+}
+
+```
+
+## Continue sign-in with Email Setup
+
+If the next step is `CONTINUE_SIGN_IN_WITH_EMAIL_SETUP`, then the user must provide an email address to complete the sign in process. Once this value has been collected from the user, call the `confirmSignIn` API to continue.
+
+```ts
+import { type SignInOutput, confirmSignIn } from '@aws-amplify/auth';
+
+async function handleSignInResult(result: SignInOutput) {
+ switch (result.nextStep.signInStep) {
+ case 'CONTINUE_SIGN_IN_WITH_EMAIL_SETUP': {
+ // Prompt the user to enter an email address they would like to use for MFA
+ break;
+ }
+ }
+}
+
+// Then, pass the email address to `confirmSignIn`
+async function confirmEmail(email: string) {
+ const result = await confirmSignIn({ challengeResponse: email });
+
+ return handleSignInResult(result);
+}
+
+```
+
+## Continue sign-in with TOTP Setup
+
+The `CONTINUE_SIGN_IN_WITH_TOTP_SETUP` step signifies that the user must set up TOTP before they can sign in. The step returns an associated value of type TOTPSetupDetails which must be used to configure an authenticator app like Microsoft Authenticator or Google Authenticator. TOTPSetupDetails provides a helper method called getSetupURI which generates a URI that can be used, for example, in a button to open the user's installed authenticator app. For more advanced use cases, TOTPSetupDetails also contains a sharedSecret which can be used to either generate a QR code or be manually entered into an authenticator app.
+
+Once the authenticator app is set up, the user can generate a TOTP code and provide it to the library to complete the sign in process.
+
+```ts
+import { type SignInOutput, confirmSignIn } from '@aws-amplify/auth';
+
+async function handleSignInResult(result: SignInOutput) {
+ switch (result.nextStep.signInStep) {
+ case 'CONTINUE_SIGN_IN_WITH_TOTP_SETUP': {
+ const { totpSetupDetails } = result.nextStep;
+ const appName = 'my_app_name';
+ const setupUri = totpSetupDetails.getSetupUri(appName);
+ // Open setupUri with an authenticator app
+ // Prompt user to enter OTP code to complete setup
+ break;
+ }
+ }
+}
+
+// Then, pass the collected OTP code to `confirmSignIn`
+async function confirmTotpCode(totpCode: string) {
+ const result = await confirmSignIn({ challengeResponse: totpCode });
+
+ return handleSignInResult(result);
+}
+
+```
+
+## Continue sign-in with MFA Setup Selection
+
+If the next step is `CONTINUE_SIGN_IN_WITH_MFA_SETUP_SELECTION`, then the user must indicate which of the available MFA methods they would like to setup. After the user selects an MFA method to setup, your implementation must pass the selected MFA method to the `confirmSignIn` API.
+
+The MFA types which are currently supported by Amplify Auth for setup are:
+
+- `TOTP`
+- `EMAIL`
+
+Once Amplify receives the users selection, you can expect to handle a follow up `nextStep` corresponding with the selected MFA type for setup:
+- If `EMAIL` is selected, `CONTINUE_SIGN_IN_WITH_EMAIL_SETUP` will be the next step.
+- If `TOTP` is selected, `CONTINUE_SIGN_IN_WITH_TOTP_SETUP` will be the next step.
+
+```ts
+import { type SignInOutput, confirmSignIn } from '@aws-amplify/auth';
+
+async function handleSignInResult(result: SignInOutput) {
+ switch (result.nextStep.signInStep) {
+ case 'CONTINUE_SIGN_IN_WITH_MFA_SETUP_SELECTION': {
+ const { allowedMFATypes } = result.nextStep;
+ // Present available MFA options to user
+ // Prompt for selection
+ console.log(`There are multiple MFA options available for setup.`);
+ console.log(`Select an MFA type from the allowedMFATypes list.`);
+ break;
+ }
+ }
+}
+
+type MfaType = 'SMS' | 'TOTP' | 'EMAIL';
+
+async function handleMfaSelection(mfaType: MfaType) {
+ const result = await confirmSignIn({ challengeResponse: mfaType });
+
+ return handleSignInResult(result);
+}
+
+```
+
+## Confirm sign-in with Password
+
+If the next step is `CONFIRM_SIGN_IN_WITH_PASSWORD`, the user must provide their password as the first factor authentication method. To handle this step, your implementation should prompt the user to enter their password. After the user enters the password, pass the value to the `confirmSignIn` API.
+
+```ts
+import { type SignInOutput, confirmSignIn } from '@aws-amplify/auth';
+
+async function handleSignInResult(result: SignInOutput) {
+ switch (result.nextStep.signInStep) {
+ case 'CONFIRM_SIGN_IN_WITH_PASSWORD': {
+ // Prompt user to enter their password
+ console.log(`Please enter your password.`);
+ break;
+ }
+ }
+}
+
+async function confirmWithPassword(password: string) {
+ const result = await confirmSignIn({ challengeResponse: password });
+
+ return handleSignInResult(result);
+}
+```
+
+## Continue sign-in with First Factor Selection
+
+If the next step is `CONTINUE_SIGN_IN_WITH_FIRST_FACTOR_SELECTION`, the user must select a first factor method for authentication. After the user selects an option, your implementation should pass the selected method to the `confirmSignIn` API.
+
+The first factor types which are currently supported by Amplify Auth are:
+- `SMS_OTP`
+- `EMAIL_OTP`
+- `WEB_AUTHN`
+- `PASSWORD`
+- `PASSWORD_SRP`
+
+Depending on your configuration and what factors the user has previously setup, not all options may be available. Only the available options will be presented in `availableChallenges` for selection.
+
+Once Amplify receives the user's selection via the `confirmSignIn` API, you can expect to handle a follow up `nextStep` corresponding with the first factor type selected:
+- If `SMS_OTP` is selected, `CONFIRM_SIGN_IN_WITH_SMS_CODE` will be the next step.
+- If `EMAIL_OTP` is selected, `CONFIRM_SIGN_IN_WITH_EMAIL_CODE` will be the next step.
+- If `PASSWORD` or `PASSWORD_SRP` is selected, `CONFIRM_SIGN_IN_WITH_PASSWORD` will be the next step.
+- If `WEB_AUTHN` is selected, Amplify Auth will initiate the authentication ceremony on the user's device. If successful, the next step will be `DONE`.
+
+```ts
+import { type SignInOutput, confirmSignIn } from '@aws-amplify/auth';
+
+async function handleSignInResult(result: SignInOutput) {
+ switch (result.nextStep.signInStep) {
+ case 'CONTINUE_SIGN_IN_WITH_FIRST_FACTOR_SELECTION': {
+ const { availableChallenges } = result.nextStep;
+ // Present available first factor options to user
+ // Prompt for selection
+ console.log(
+ `There are multiple first factor options available for sign in.`,
+ );
+ console.log(
+ `Select a first factor type from the availableChallenges list.`,
+ );
+ break;
+ }
+ }
+}
+
+async function handleFirstFactorSelection(firstFactorType: string) {
+ const result = await confirmSignIn({ challengeResponse: firstFactorType });
+
+ return handleSignInResult(result);
+}
+
+```
+
+## Confirm sign-in with custom challenge
+
+If the next step is `CONFIRM_SIGN_IN_WITH_CUSTOM_CHALLENGE`, Amplify Auth is awaiting completion of a custom authentication challenge. The challenge is based on the AWS Lambda trigger you configured as part of a custom sign in flow.
+
+For example, your custom challenge Lambda may pass a prompt to the frontend which requires the user to enter a secret code.
+
+```ts
+import { type SignInOutput, confirmSignIn } from '@aws-amplify/auth';
+
+async function handleSignInResult(result: SignInOutput) {
+ switch (result.nextStep.signInStep) {
+ case 'CONFIRM_SIGN_IN_WITH_CUSTOM_CHALLENGE': {
+ const params = result.nextStep.additionalInfo;
+ const hint = params.hint!;
+ // Prompt user to enter custom challenge response
+ console.log(hint); // `Enter the secret code`
+ break;
+ }
+ }
+}
+
+```
+
+To complete this step, you should prompt the user for the custom challenge answer, and pass the answer to the `confirmSignIn` API.
+
+```ts
+async function confirmCustomChallenge(answer: string) {
+ const result = await confirmSignIn({ challengeResponse: answer });
+
+ return handleSignInResult(result);
+}
+```
+
+> **Warning:** **Special Handling on `confirmSignIn`**
+>
+> If `failAuthentication=true` is returned by the Lambda, Cognito will invalidate the session of the request. This is represented by a `NotAuthorizedException` and requires restarting the sign-in flow by calling `signIn` again.
+
+## Confirm sign-in with new password
+
+If the next step is `CONFIRM_SIGN_IN_WITH_NEW_PASSWORD_REQUIRED`, Amplify Auth requires the user choose a new password they proceeding with the sign in.
+
+Prompt the user for a new password and pass it to the `confirmSignIn` API.
+
+See the [sign-in](/[platform]/build-a-backend/auth/connect-your-frontend/sign-in/) and [manage-password](/[platform]/build-a-backend/auth/manage-users/manage-passwords/) docs for more information.
+
+```ts
+import { type SignInOutput, confirmSignIn } from '@aws-amplify/auth';
+
+async function handleSignInResult(result: SignInOutput) {
+ switch (result.nextStep.signInStep) {
+ case 'CONFIRM_SIGN_IN_WITH_NEW_PASSWORD_REQUIRED': {
+ // Prompt user to enter a new password
+ console.log(`Please enter a new password.`);
+ break;
+ }
+ }
+}
+
+async function confirmNewPassword(newPassword: string) {
+ const result = await confirmSignIn({ challengeResponse: newPassword });
+
+ return handleSignInResult(result);
+}
+
+```
+
+## Reset password
+
+If the next step is `RESET_PASSWORD`, Amplify Auth requires that the user reset their password before proceeding.
+Use the `resetPassword` API to guide the user through resetting their password, then call `signIn` to restart the sign-in flow.
+
+See the [reset password](/[platform]/build-a-backend/auth/manage-users/manage-passwords/) docs for more information.
+
+```ts
+import {
+ type ResetPasswordOutput,
+ type SignInOutput,
+ resetPassword,
+} from '@aws-amplify/auth';
+
+async function handleSignInResult(result: SignInOutput) {
+ switch (result.nextStep.signInStep) {
+ case 'RESET_PASSWORD': {
+ const resetPasswordResult = await resetPassword({ username });
+ // initiate reset password flow
+ await handleResetPasswordResult(resetPasswordResult);
+ break;
+ }
+ }
+}
+
+async function handleResetPasswordResult(
+ resetPasswordResult: ResetPasswordOutput,
+) {
+ switch (resetPasswordResult.nextStep.resetPasswordStep) {
+ case 'CONFIRM_RESET_PASSWORD_WITH_CODE': {
+ const { codeDeliveryDetails } = resetPasswordResult.nextStep;
+ console.log(
+ `A confirmation code has been sent to ${codeDeliveryDetails.destination}.`,
+ );
+ console.log(
+ `Please check your ${codeDeliveryDetails.destination} for the code.`,
+ );
+ break;
+ }
+ case 'DONE': {
+ console.log(`Successfully reset password.`);
+ break;
+ }
+ }
+}
+
+```
+
+## Confirm Signup
+
+If the next step is `CONFIRM_SIGN_UP`, Amplify Auth requires that the user confirm their email or phone number before proceeding.
+Use the `resendSignUpCode` API to send a new sign up code to the registered email or phone number, followed by `confirmSignUp` to complete the sign up.
+
+See the [sign up](/[platform]/build-a-backend/auth/connect-your-frontend/sign-up/) docs for more information.
+
+
+
+The result includes an `AuthCodeDeliveryDetails` member. It includes additional information about the code delivery, such as the partial phone number of the SMS recipient, which can be used to prompt the user on where to look for the code.
+
+
+
+```ts
+import {
+ type SignInOutput,
+ confirmSignUp,
+ resendSignUpCode,
+} from '@aws-amplify/auth';
+
+async function handleSignInResult(result: SignInOutput) {
+ switch (result.nextStep.signInStep) {
+ case 'CONFIRM_SIGN_UP': {
+ // Resend sign up code to the registered user
+ const { destination, deliveryMedium } = await resendSignUpCode({
+ username,
+ });
+ console.log(`A confirmation code has been sent to ${destination}.`);
+ console.log(`Please check your ${deliveryMedium} for the code.`);
+ break;
+ }
+ }
+}
+
+async function handleConfirmSignUp(username: string, confirmationCode: string) {
+ await confirmSignUp({
+ username,
+ confirmationCode,
+ });
+}
+
+```
+
+Once the sign up is confirmed, call `signIn` again to restart the sign-in flow.
+
+## Done
+
+The sign-in flow is complete when the next step is `DONE`, which means the user is successfully authenticated.
+As a convenience, the `SignInResult` also provides the `isSignedIn` property, which will be true if the next step is `DONE`.
+
+```ts
+import { type SignInOutput } from '@aws-amplify/auth';
+
+async function handleSignInResult(result: SignInOutput) {
+ switch (result.nextStep.signInStep) {
+ case 'DONE': {
+ // `result.isSignedIn` is `true`
+ console.log(`Sign in is complete.`);
+ break;
+ }
+ }
+}
+
+```
+
+
+
+After a user has finished signup, they can proceed to sign in. Amplify Auth signin flows can be multi step processes. The required steps are determined by the configuration you provided when you define your auth resources like described on [Manage MFA Settings](/[platform]/build-a-backend/auth/concepts/multi-factor-authentication/) page.
+
+Depending on the configuration, you may need to call various APIs to finish authenticating a user's signin attempt. To identify the next step in a signin flow, inspect the `nextStep` parameter in the signin result.
+
+> **Warning:** *New enumeration values*
+>
+> When Amplify adds a new enumeration value (e.g., a new enum class entry or sealed class subtype in Kotlin, or a new enum value in Swift/Dart/Kotlin), it will publish a new minor version of the Amplify Library. Plugins that switch over enumeration values should include default handlers (an else branch in Kotlin or a default statement in Swift/Dart/Kotlin) to ensure that they are not impacted by new enumeration values.
+
+The `Amplify.Auth.signIn` API returns a `SignInResult` object which indicates whether the sign-in flow is
+complete or whether additional steps are required before the user is signed in.
+
+To see if additional signin steps are required, inspect the sign in result's `nextStep.signInStep` property.
+- If the sign-in step is `done`, the flow is complete and the user is signed in.
+- If the sign-in step is not `done`, one or more additional steps are required. These are explained in detail below.
+
+
+
+The `signInStep` property is an enum of type `AuthSignInStep`. Depending on its value, your code should take one of the actions mentioned on this page.
+
+
+
+```dart
+Future signInWithCognito(
+ String username,
+ String password,
+) async {
+ final SignInResult result = await Amplify.Auth.signIn(
+ username: username,
+ password: password,
+ );
+ return _handleSignInResult(result);
+}
+
+Future _handleSignInResult(SignInResult result) async {
+ switch (result.nextStep.signInStep) {
+ case AuthSignInStep.continueSignInWithMfaSelection:
+ // Handle select from MFA methods case
+ case AuthSignInStep.continueSignInWithMfaSetupSelection:
+ // Handle select from MFA methods available to setup
+ case AuthSignInStep.continueSignInWithEmailMfaSetup:
+ // Handle email setup case
+ case AuthSignInStep.confirmSignInWithOtpCode:
+ // Handle email MFA case
+ case AuthSignInStep.continueSignInWithTotpSetup:
+ // Handle TOTP setup case
+ case AuthSignInStep.confirmSignInWithTotpMfaCode:
+ // Handle TOTP MFA case
+ case AuthSignInStep.confirmSignInWithSmsMfaCode:
+ // Handle SMS MFA case
+ case AuthSignInStep.confirmSignInWithNewPassword:
+ // Handle new password case
+ case AuthSignInStep.confirmSignInWithCustomChallenge:
+ // Handle custom challenge case
+ case AuthSignInStep.resetPassword:
+ // Handle reset password case
+ case AuthSignInStep.confirmSignUp:
+ // Handle confirm sign up case
+ case AuthSignInStep.done:
+ safePrint('Sign in is complete');
+ }
+}
+```
+## Confirm sign-in with SMS MFA
+
+If the next step is `confirmSignInWithSmsMfaCode`, Amplify Auth has sent the user a random code over SMS and is waiting for the user to verify that code. To handle this step, your app's UI must prompt the user to enter the code. After the user enters the code, pass the value to the `confirmSignIn` API.
+
+
+
+The result includes an `AuthCodeDeliveryDetails` member. It includes additional information about the code delivery, such as the partial phone number of
+the SMS recipient, which can be used to prompt the user on where to look for the code.
+
+
+
+```dart
+Future _handleSignInResult(SignInResult result) async {
+ switch (result.nextStep.signInStep) {
+ case AuthSignInStep.confirmSignInWithSmsMfaCode:
+ final codeDeliveryDetails = result.nextStep.codeDeliveryDetails!;
+ _handleCodeDelivery(codeDeliveryDetails);
+ // ...
+ }
+}
+
+void _handleCodeDelivery(AuthCodeDeliveryDetails codeDeliveryDetails) {
+ safePrint(
+ 'A confirmation code has been sent to ${codeDeliveryDetails.destination}. '
+ 'Please check your ${codeDeliveryDetails.deliveryMedium.name} for the code.',
+ );
+}
+```
+
+```dart
+Future confirmMfaUser(String mfaCode) async {
+ try {
+ final result = await Amplify.Auth.confirmSignIn(
+ confirmationValue: mfaCode,
+ );
+ return _handleSignInResult(result);
+ } on AuthException catch (e) {
+ safePrint('Error confirming MFA code: ${e.message}');
+ }
+}
+```
+
+## Confirm sign-in with TOTP MFA
+
+If the next step is `confirmSignInWithTOTPCode`, you should prompt the user to enter the TOTP code from their associated authenticator app during set up. The code is a six-digit number that changes every 30 seconds. The user must enter the code before the 30-second window expires.
+
+After the user enters the code, your implementation must pass the value to Amplify Auth `confirmSignIn` API.
+
+```dart
+Future _handleSignInResult(SignInResult result) async {
+ switch (result.nextStep.signInStep) {
+ // Β·Β·Β·
+ case AuthSignInStep.confirmSignInWithTotpMfaCode:
+ safePrint('Enter a one-time code from your registered authenticator app');
+ // Β·Β·Β·
+ }
+}
+
+// Then, pass the TOTP code to `confirmSignIn`
+
+Future confirmTotpUser(String totpCode) async {
+ try {
+ final result = await Amplify.Auth.confirmSignIn(
+ confirmationValue: totpCode,
+ );
+ return _handleSignInResult(result);
+ } on AuthException catch (e) {
+ safePrint('Error confirming TOTP code: ${e.message}');
+ }
+}
+```
+
+## Confirm sign-in with Email MFA
+
+If the next step is `confirmSignInWithOtpCode`, Amplify Auth has sent the user a random code to their email address and is waiting for the user to verify that code. To handle this step, your app's UI must prompt the user to enter the code. After the user enters the code, pass the value to the `confirmSignIn` API.
+
+
+
+The result includes an `AuthCodeDeliveryDetails` member. It includes additional information about the code delivery, such as the partial email address of
+the recipient, which can be used to prompt the user on where to look for the code.
+
+
+
+```dart
+Future _handleSignInResult(SignInResult result) async {
+ switch (result.nextStep.signInStep) {
+ case AuthSignInStep.confirmSignInWithOtpCode:
+ final codeDeliveryDetails = result.nextStep.codeDeliveryDetails!;
+ _handleCodeDelivery(codeDeliveryDetails);
+ // ...
+ }
+}
+
+void _handleCodeDelivery(AuthCodeDeliveryDetails codeDeliveryDetails) {
+ safePrint(
+ 'A confirmation code has been sent to ${codeDeliveryDetails.destination}. '
+ 'Please check your ${codeDeliveryDetails.deliveryMedium.name} for the code.',
+ );
+}
+```
+
+```dart
+Future confirmMfaUser(String mfaCode) async {
+ try {
+ final result = await Amplify.Auth.confirmSignIn(
+ confirmationValue: mfaCode,
+ );
+ return _handleSignInResult(result);
+ } on AuthException catch (e) {
+ safePrint('Error confirming MFA code: ${e.message}');
+ }
+}
+```
+
+## Continue sign-in with MFA Selection
+
+If the next step is `continueSignInWithMFASelection`, the user must select the MFA method to use. Amplify Auth currently supports SMS, TOTP, and email as MFA methods. After the user selects an MFA method, your implementation must pass the selected MFA method to Amplify Auth using `confirmSignIn` API.
+
+The MFA types which are currently supported by Amplify Auth are:
+
+- `MfaType.sms`
+- `MfaType.totp`
+- `MfaType.email`
+
+```dart
+Future _handleSignInResult(SignInResult result) async {
+ switch (result.nextStep.signInStep) {
+ // Β·Β·Β·
+ case AuthSignInStep.continueSignInWithMfaSelection:
+ final allowedMfaTypes = result.nextStep.allowedMfaTypes!;
+ final selection = await _promptUserPreference(allowedMfaTypes);
+ return _handleMfaSelection(selection);
+ // Β·Β·Β·
+ }
+}
+
+Future _promptUserPreference(Set allowedTypes) async {
+ // Β·Β·Β·
+}
+
+Future _handleMfaSelection(MfaType selection) async {
+ try {
+ final result = await Amplify.Auth.confirmSignIn(
+ confirmationValue: selection.confirmationValue,
+ );
+ return _handleSignInResult(result);
+ } on AuthException catch (e) {
+ safePrint('Error resending code: ${e.message}');
+ }
+}
+```
+
+## Continue sign-in with Email Setup
+
+If the next step is `continueSignInWithEmailMfaSetup`, then the user must provide an email address to complete the sign in process. Once this value has been collected from the user, call the `confirmSignIn` API to continue.
+
+```dart
+Future _handleSignInResult(SignInResult result) async {
+ switch (result.nextStep.signInStep) {
+ // Β·Β·Β·
+ case AuthSignInStep.continueSignInWithEmailMfaSetup:
+ // Prompt user to enter an email address they would like to use for MFA
+ // Β·Β·Β·
+ }
+}
+
+// Then, pass the email address to `confirmSignIn`
+
+Future confirmEmailUser(String emailAddress) async {
+ try {
+ final result = await Amplify.Auth.confirmSignIn(
+ confirmationValue: emailAddress,
+ );
+ return _handleSignInResult(result);
+ } on AuthException catch (e) {
+ safePrint('Error confirming email address: ${e.message}');
+ }
+}
+```
+
+## Continue sign-in with TOTP Setup
+
+If the next step is `continueSignInWithTOTPSetup`, then the user must provide a TOTP code to complete the sign in process. The step returns an associated value of type `TOTPSetupDetails` which would be used for generating TOTP. `TOTPSetupDetails` provides a helper method called `getSetupURI` that can be used to generate a URI, which can be used by native password managers for TOTP association. For example. if the URI is used on Apple platforms, it will trigger the platform's native password manager to associate TOTP with the account. For more advanced use cases, `TOTPSetupDetails` also contains the `sharedSecret` that will be used to either generate a QR code or can be manually entered into an authenticator app.
+
+Once the authenticator app is set up, the user can generate a TOTP code and provide it to the library to complete the sign in process.
+
+```dart
+Future _handleSignInResult(SignInResult result) async {
+ switch (result.nextStep.signInStep) {
+ // Β·Β·Β·
+ case AuthSignInStep.continueSignInWithTotpSetup:
+ final totpSetupDetails = result.nextStep.totpSetupDetails!;
+ final setupUri = totpSetupDetails.getSetupUri(appName: 'MyApp');
+ safePrint('Open URI to complete setup: $setupUri');
+ // Β·Β·Β·
+ }
+}
+
+// Then, pass the TOTP code to `confirmSignIn`
+
+Future confirmTotpUser(String totpCode) async {
+ try {
+ final result = await Amplify.Auth.confirmSignIn(
+ confirmationValue: totpCode,
+ );
+ return _handleSignInResult(result);
+ } on AuthException catch (e) {
+ safePrint('Error confirming TOTP code: ${e.message}');
+ }
+}
+```
+
+## Continue sign-in with MFA Setup Selection
+If the next step is `continueSignInWithMfaSetupSelection`, then the user must indicate which of the available MFA methods they would like to setup. After the user selects an MFA method to setup, your implementation must pass the selected MFA method to the `confirmSignIn` API.
+
+The MFA types which are currently supported by Amplify Auth are:
+
+- `MfaType.sms`
+- `MfaType.totp`
+- `MfaType.email`
+
+```dart
+Future _handleSignInResult(SignInResult result) async {
+ switch (result.nextStep.signInStep) {
+ // Β·Β·Β·
+ case AuthSignInStep.continueSignInWithMfaSetupSelection:
+ final allowedMfaTypes = result.nextStep.allowedMfaTypes!;
+ final selection = await _promptUserPreference(allowedMfaTypes);
+ return _handleMfaSelection(selection);
+ // Β·Β·Β·
+ }
+}
+
+Future _promptUserPreference(Set allowedTypes) async {
+ // Β·Β·Β·
+}
+
+Future _handleMfaSelection(MfaType selection) async {
+ try {
+ final result = await Amplify.Auth.confirmSignIn(
+ confirmationValue: selection.confirmationValue,
+ );
+ return _handleSignInResult(result);
+ } on AuthException catch (e) {
+ safePrint('Error selecting MFA method: ${e.message}');
+ }
+}
+```
+
+## Confirm sign-in with custom challenge
+
+If the next step is `confirmSignInWithCustomChallenge`, Amplify Auth is awaiting completion of a custom authentication challenge. The challenge is based on the AWS Lambda trigger you configured as part of a [custom sign in flow](/[platform]/build-a-backend/auth/customize-auth-lifecycle/custom-auth-flows/#sign-in-a-user).
+
+For example, your custom challenge Lambda may pass a prompt to the frontend which requires the user to enter a secret code.
+
+```dart
+Future _handleSignInResult(SignInResult result) async {
+ switch (result.nextStep.signInStep) {
+ // ...
+ case AuthSignInStep.confirmSignInWithCustomChallenge:
+ final parameters = result.nextStep.additionalInfo;
+ final hint = parameters['hint']!;
+ safePrint(hint); // "Enter the secret code"
+ // ...
+ }
+}
+```
+
+To complete this step, you should prompt the user for the custom challenge answer, and pass the answer to the `confirmSignIn` API.
+
+```dart
+Future confirmCustomChallenge(String answer) async {
+ try {
+ final result = await Amplify.Auth.confirmSignIn(
+ confirmationValue: answer,
+ );
+ return _handleSignInResult(result);
+ } on AuthException catch (e) {
+ safePrint('Error confirming custom challenge: ${e.message}');
+ }
+}
+```
+
+> **Warning:** **Special Handling on `confirmSignIn`**
+>
+> If `failAuthentication=true` is returned by the Lambda, Cognito will invalidate the session of the request. This is represented by a `NotAuthorizedException` and requires restarting the sign-in flow by calling `Amplify.Auth.signIn` again.
+
+## Confirm sign-in with new password
+If the next step is `confirmSignInWithNewPassword`, Amplify Auth requires the user choose a new password they proceeding with the sign in.
+
+Prompt the user for a new password and pass it to the `confirmSignIn` API.
+
+```dart
+Future _handleSignInResult(SignInResult result) async {
+ switch (result.nextStep.signInStep) {
+ // ...
+ case AuthSignInStep.confirmSignInWithNewPassword:
+ safePrint('Please enter a new password');
+ // ...
+ }
+}
+```
+
+```dart
+Future confirmNewPassword(String newPassword) async {
+ try {
+ final result = await Amplify.Auth.confirmSignIn(
+ confirmationValue: newPassword,
+ );
+ return _handleSignInResult(result);
+ } on AuthException catch (e) {
+ safePrint('Error confirming new password: ${e.message}');
+ }
+}
+```
+
+## Reset password
+If the next step is `resetPassword`, Amplify Auth requires that the user reset their password before proceeding.
+Use the `resetPassword` API to guide the user through resetting their password, then call `Amplify.Auth.signIn`
+when that's complete to restart the sign-in flow.
+
+See the [reset password](/[platform]/build-a-backend/auth/manage-users/manage-passwords/) docs for more information.
+
+```dart
+Future _handleSignInResult(SignInResult result) async {
+ switch (result.nextStep.signInStep) {
+ // ...
+ case AuthSignInStep.resetPassword:
+ final resetResult = await Amplify.Auth.resetPassword(
+ username: username,
+ );
+ await _handleResetPasswordResult(resetResult);
+ // ...
+ }
+}
+
+Future _handleResetPasswordResult(ResetPasswordResult result) async {
+ switch (result.nextStep.updateStep) {
+ case AuthResetPasswordStep.confirmResetPasswordWithCode:
+ final codeDeliveryDetails = result.nextStep.codeDeliveryDetails!;
+ _handleCodeDelivery(codeDeliveryDetails);
+ case AuthResetPasswordStep.done:
+ safePrint('Successfully reset password');
+ }
+}
+
+void _handleCodeDelivery(AuthCodeDeliveryDetails codeDeliveryDetails) {
+ safePrint(
+ 'A confirmation code has been sent to ${codeDeliveryDetails.destination}. '
+ 'Please check your ${codeDeliveryDetails.deliveryMedium.name} for the code.',
+ );
+}
+```
+## Confirm Signup
+If the next step is `resetPassword`, Amplify Auth requires that the user confirm their email or phone number before proceeding.
+Use the `resendSignUpCode` API to send a new sign up code to the registered email or phone number, followed by `confirmSignUp`
+to complete the sign up.
+
+See the [confirm sign up](/[platform]/build-a-backend/auth/connect-your-frontend/sign-up/#confirm-sign-up) docs for more information.
+
+
+
+The result includes an `AuthCodeDeliveryDetails` member. It includes additional information about the code delivery, such as the partial phone number of
+the SMS recipient, which can be used to prompt the user on where to look for the code.
+
+
+
+```dart
+Future _handleSignInResult(SignInResult result) async {
+ switch (result.nextStep.signInStep) {
+ // ...
+ case AuthSignInStep.confirmSignUp:
+ // Resend the sign up code to the registered device.
+ final resendResult = await Amplify.Auth.resendSignUpCode(
+ username: username,
+ );
+ _handleCodeDelivery(resendResult.codeDeliveryDetails);
+ // ...
+ }
+}
+
+void _handleCodeDelivery(AuthCodeDeliveryDetails codeDeliveryDetails) {
+ safePrint(
+ 'A confirmation code has been sent to ${codeDeliveryDetails.destination}. '
+ 'Please check your ${codeDeliveryDetails.deliveryMedium.name} for the code.',
+ );
+}
+```
+
+```dart
+Future confirmSignUp({
+ required String username,
+ required String confirmationCode,
+}) async {
+ try {
+ await Amplify.Auth.confirmSignUp(
+ username: username,
+ confirmationCode: confirmationCode,
+ );
+ } on AuthException catch (e) {
+ safePrint('Error confirming sign up: ${e.message}');
+ }
+}
+```
+
+Once the sign up is confirmed, call `Amplify.Auth.signIn` again to restart the sign-in flow.
+
+## Done
+
+The sign-in flow is complete when the next step is `done`, which means the user is successfully authenticated.
+As a convenience, the `SignInResult` also provides the `isSignedIn` property, which will be true if the next step is `done`.
+
+```dart
+Future _handleSignInResult(SignInResult result) async {
+ switch (result.nextStep.signInStep) {
+ // ...
+ case AuthSignInStep.done:
+ // Could also check that `result.isSignedIn` is `true`
+ safePrint('Sign in is complete');
+ }
+}
+```
+
+
+
+After a user has finished signup, they can proceed to sign in. Amplify Auth signin flows can be multi step processes. The required steps are determined by the configuration you provided when you define your auth resources like described on [Manage MFA Settings](/[platform]/build-a-backend/auth/concepts/multi-factor-authentication/) page.
+
+Depending on the configuration, you may need to call various APIs to finish authenticating a user's signin attempt. To identify the next step in a signin flow, inspect the `nextStep` parameter in the signin result.
+
+> **Warning:** *New enumeration values*
+>
+> When Amplify adds a new enumeration value (e.g., a new enum class entry or sealed class subtype in Kotlin, or a new enum value in Swift/Dart/Kotlin), it will publish a new minor version of the Amplify Library. Plugins that switch over enumeration values should include default handlers (an else branch in Kotlin or a default statement in Swift/Dart/Kotlin) to ensure that they are not impacted by new enumeration values.
+
+When called successfully, the signin APIs will return an `AuthSignInResult`. Inspect the `nextStep` property in the result to see if additional signin steps are required.
+The `nextStep` property is of enum type `AuthSignInStep`. Depending on its value, your code should take one of the following actions:
+
+#### [Java]
+
+```java
+try {
+ Amplify.Auth.signIn(
+ "hello@example.com",
+ "password",
+ result ->
+ {
+ AuthNextSignInStep nextStep = result.getNextStep();
+ switch (nextStep.getSignInStep()) {
+ case CONFIRM_SIGN_IN_WITH_TOTP_CODE: {
+ Log.i("AuthQuickstart", "Received next step as confirm sign in with TOTP code");
+ // Prompt the user to enter the TOTP code generated in their authenticator app
+ // Then invoke `confirmSignIn` api with the code
+ break;
+ }
+ case CONTINUE_SIGN_IN_WITH_MFA_SETUP_SELECTION: {
+ Log.i("AuthQuickstart", "Received next step as continue sign in by selecting an MFA method to setup");
+ Log.i("AuthQuickstart", "Allowed MFA types for setup" + nextStep.getAllowedMFATypes());
+ // Prompt the user to select the MFA type they want to setup
+ // Then invoke `confirmSignIn` api with the MFA type
+ break;
+ }
+ case CONTINUE_SIGN_IN_WITH_EMAIL_MFA_SETUP: {
+ Log.i("AuthQuickstart", "Received next step as continue sign in by setting up email MFA");
+ // Prompt the user to enter the email address they would like to use to receive OTPs
+ // Then invoke `confirmSignIn` api with the email address
+ break;
+ }
+ case CONTINUE_SIGN_IN_WITH_TOTP_SETUP: {
+ Log.i("AuthQuickstart", "Received next step as continue sign in by setting up TOTP");
+ Log.i("AuthQuickstart", "Shared secret that will be used to set up TOTP in the authenticator app" + nextStep.getTotpSetupDetails().getSharedSecret());
+ // Prompt the user to enter the TOTP code generated in their authenticator app
+ // Then invoke `confirmSignIn` api with the code
+ break;
+ }
+ case CONTINUE_SIGN_IN_WITH_MFA_SELECTION: {
+ Log.i("AuthQuickstart", "Received next step as continue sign in by selecting MFA type");
+ Log.i("AuthQuickstart", "Allowed MFA type" + nextStep.getAllowedMFATypes());
+ // Prompt the user to select the MFA type they want to use
+ // Then invoke `confirmSignIn` api with the MFA type
+ break;
+ }
+ case CONTINUE_SIGN_IN_WITH_FIRST_FACTOR_SELECTION: {
+ Log.i("AuthQuickstart", "Available authentication factors for this user: " + result.getNextStep().getAvailableFactors());
+ // Prompt the user to select which authentication factor they want to use to sign-in
+ // Then invoke `confirmSignIn` api with that selection
+ break;
+ }
+ case CONFIRM_SIGN_IN_WITH_SMS_MFA_CODE: {
+ Log.i("AuthQuickstart", "SMS code sent to " + nextStep.getCodeDeliveryDetails().getDestination());
+ Log.i("AuthQuickstart", "Additional Info :" + nextStep.getAdditionalInfo());
+ // Prompt the user to enter the SMS MFA code they received
+ // Then invoke `confirmSignIn` api with the code
+ break;
+ }
+ case CONFIRM_SIGN_IN_WITH_OTP: {
+ Log.i("AuthQuickstart", "OTP code sent to " + nextStep.getCodeDeliveryDetails().getDestination());
+ Log.i("AuthQuickstart", "Additional Info :" + nextStep.getAdditionalInfo());
+ // Prompt the user to enter the OTP MFA code they received
+ // Then invoke `confirmSignIn` api with the code
+ break;
+ }
+ case CONFIRM_SIGN_IN_WITH_PASSWORD: {
+ Log.i("AuthQuickstart", "Received next step as confirm sign in with password");
+ // Prompt the user to enter their password
+ // Then invoke `confirmSignIn` api with that password
+ break;
+ }
+ case CONFIRM_SIGN_IN_WITH_CUSTOM_CHALLENGE: {
+ Log.i("AuthQuickstart", "Custom challenge, additional info: " + nextStep.getAdditionalInfo());
+ // Prompt the user to enter custom challenge answer
+ // Then invoke `confirmSignIn` api with the answer
+ break;
+ }
+ case CONFIRM_SIGN_IN_WITH_NEW_PASSWORD: {
+ Log.i("AuthQuickstart", "Sign in with new password, additional info: " + nextStep.getAdditionalInfo());
+ // Prompt the user to enter a new password
+ // Then invoke `confirmSignIn` api with new password
+ break;
+ }
+ case DONE: {
+ Log.i("AuthQuickstart", "SignIn complete");
+ // User has successfully signed in to the app
+ break;
+ }
+ }
+ },
+ error -> {
+ if (error instanceof UserNotConfirmedException) {
+ // User was not confirmed during the signup process.
+ // Invoke `confirmSignUp` api to confirm the user if
+ // they have the confirmation code. If they do not have the
+ // confirmation code, invoke `resendSignUpCode` to send the
+ // code again.
+ // After the user is confirmed, invoke the `signIn` api again.
+ Log.i("AuthQuickstart", "Signup confirmation required" + error);
+ } else if (error instanceof PasswordResetRequiredException) {
+ // User needs to reset their password.
+ // Invoke `resetPassword` api to start the reset password
+ // flow, and once reset password flow completes, invoke
+ // `signIn` api to trigger signIn flow again.
+ Log.i("AuthQuickstart", "Password reset required" + error);
+ } else {
+ Log.e("AuthQuickstart", "SignIn failed: " + error);
+ }
+ }
+ );
+} catch (Exception error) {
+ Log.e("AuthQuickstart", "Unexpected error occurred: " + error);
+}
+```
+
+#### [Kotlin - Callbacks]
+
+```kotlin
+try {
+ Amplify.Auth.signIn(
+ "hello@example.com",
+ "password",
+ { result ->
+ val nextStep = result.nextStep
+ when(nextStep.signInStep){
+ AuthSignInStep.CONFIRM_SIGN_IN_WITH_TOTP_CODE -> {
+ Log.i("AuthQuickstart", "Received next step as confirm sign in with TOTP code")
+ // Prompt the user to enter the TOTP code generated in their authenticator app
+ // Then invoke `confirmSignIn` api with the code
+ }
+ AuthSignInStep.CONTINUE_SIGN_IN_WITH_MFA_SETUP_SELECTION -> {
+ Log.i("AuthQuickstart", "Received next step as continue sign in by selecting an MFA method to setup")
+ Log.i("AuthQuickstart", "Allowed MFA types for setup ${nextStep.allowedMFATypes}")
+ // Prompt the user to select the MFA type they want to setup
+ // Then invoke `confirmSignIn` api with the MFA type
+ }
+ AuthSignInStep.CONTINUE_SIGN_IN_WITH_EMAIL_MFA_SETUP -> {
+ Log.i("AuthQuickstart", "Received next step as continue sign in by setting up email MFA")
+ // Prompt the user to enter the email address they would like to use to receive OTPs
+ // Then invoke `confirmSignIn` api with the email address
+ }
+ AuthSignInStep.CONTINUE_SIGN_IN_WITH_TOTP_SETUP -> {
+ Log.i("AuthQuickstart", "Received next step as continue sign in by setting up TOTP")
+ Log.i("AuthQuickstart", "Shared secret that will be used to set up TOTP in the authenticator app ${nextStep.totpSetupDetails?.sharedSecret}")
+ // Prompt the user to enter the TOTP code generated in their authenticator app
+ // Then invoke `confirmSignIn` api with the code
+ }
+ AuthSignInStep.CONTINUE_SIGN_IN_WITH_MFA_SELECTION -> {
+ Log.i("AuthQuickstart", "Received next step as continue sign in by selecting MFA type")
+ Log.i("AuthQuickstart", "Allowed MFA types ${nextStep.allowedMFATypes}")
+ // Prompt the user to select the MFA type they want to use
+ // Then invoke `confirmSignIn` api with the MFA type
+ }
+ AuthSignInStep.CONTINUE_SIGN_IN_WITH_FIRST_FACTOR_SELECTION -> {
+ Log.i("AuthQuickstart", "Available authentication factors for this user: ${result.nextStep.availableFactors}")
+ // Prompt the user to select which authentication factor they want to use to sign-in
+ // Then invoke `confirmSignIn` api with that selection
+ }
+ AuthSignInStep.CONFIRM_SIGN_IN_WITH_SMS_MFA_CODE -> {
+ Log.i("AuthQuickstart", "SMS code sent to ${nextStep.codeDeliveryDetails?.destination}")
+ Log.i("AuthQuickstart", "Additional Info ${nextStep.additionalInfo}")
+ // Prompt the user to enter the SMS MFA code they received
+ // Then invoke `confirmSignIn` api with the code
+ }
+ AuthSignInStep.CONFIRM_SIGN_IN_WITH_OTP -> {
+ Log.i("AuthQuickstart", "OTP code sent to ${nextStep.codeDeliveryDetails?.destination}")
+ Log.i("AuthQuickstart", "Additional Info ${nextStep.additionalInfo}")
+ // Prompt the user to enter the OTP MFA code they received
+ // Then invoke `confirmSignIn` api with the code
+ }
+ AuthSignInStep.CONFIRM_SIGN_IN_WITH_PASSWORD -> {
+ Log.i("AuthQuickstart", "Received next step as confirm sign in with password")
+ // Prompt the user to enter their password
+ // Then invoke `confirmSignIn` api with that password
+ }
+ AuthSignInStep.CONFIRM_SIGN_IN_WITH_CUSTOM_CHALLENGE -> {
+ Log.i("AuthQuickstart","Custom challenge, additional info: ${nextStep.additionalInfo}")
+ // Prompt the user to enter custom challenge answer
+ // Then invoke `confirmSignIn` api with the answer
+ }
+ AuthSignInStep.CONFIRM_SIGN_IN_WITH_NEW_PASSWORD -> {
+ Log.i("AuthQuickstart", "Sign in with new password, additional info: ${nextStep.additionalInfo}")
+ // Prompt the user to enter a new password
+ // Then invoke `confirmSignIn` api with new password
+ }
+ AuthSignInStep.DONE -> {
+ Log.i("AuthQuickstart", "SignIn complete")
+ // User has successfully signed in to the app
+ }
+ }
+
+ }
+ ) { error ->
+ when (error) {
+ is UserNotConfirmedException -> {
+ // User was not confirmed during the signup process.
+ // Invoke `confirmSignUp` api to confirm the user if
+ // they have the confirmation code. If they do not have the
+ // confirmation code, invoke `resendSignUpCode` to send the
+ // code again.
+ // After the user is confirmed, invoke the `signIn` api again.
+ Log.e("AuthQuickstart", "Signup confirmation required", error)
+ }
+ is PasswordResetRequiredException -> {
+ // User needs to reset their password.
+ // Invoke `resetPassword` api to start the reset password
+ // flow, and once reset password flow completes, invoke
+ // `signIn` api to trigger signIn flow again.
+ Log.e("AuthQuickstart", "Password reset required", error)
+ }
+ else -> {
+ Log.e("AuthQuickstart", "Unexpected error occurred: $error")
+ }
+ }
+ }
+} catch (error: Exception) {
+ Log.e("AuthQuickstart", "Unexpected error occurred: $error")
+}
+```
+
+#### [Kotlin - Coroutines]
+
+```kotlin
+try {
+ val result = Amplify.Auth.signIn(
+ "hello@example.com",
+ "password"
+ )
+ val nextStep = result.nextStep
+ when (nextStep.signInStep) {
+ AuthSignInStep.CONFIRM_SIGN_IN_WITH_TOTP_CODE -> {
+ Log.i("AuthQuickstart", "Received next step as confirm sign in with TOTP code")
+ // Prompt the user to enter the TOTP code generated in their authenticator app
+ // Then invoke `confirmSignIn` api with the code
+ }
+ AuthSignInStep.CONTINUE_SIGN_IN_WITH_MFA_SETUP_SELECTION -> {
+ Log.i("AuthQuickstart", "Received next step as continue sign in by selecting an MFA method to setup")
+ Log.i("AuthQuickstart", "Allowed MFA types for setup ${nextStep.allowedMFATypes}")
+ // Prompt the user to select the MFA type they want to setup
+ // Then invoke `confirmSignIn` api with the MFA type
+ }
+ AuthSignInStep.CONTINUE_SIGN_IN_WITH_EMAIL_MFA_SETUP -> {
+ Log.i("AuthQuickstart", "Received next step as continue sign in by setting up email MFA")
+ // Prompt the user to enter the email address they would like to use to receive OTPs
+ // Then invoke `confirmSignIn` api with the email address
+ }
+ AuthSignInStep.CONTINUE_SIGN_IN_WITH_TOTP_SETUP -> {
+ Log.i("AuthQuickstart", "Received next step as continue sign in by setting up TOTP")
+ Log.i("AuthQuickstart", "Shared secret that will be used to set up TOTP in the authenticator app ${nextStep.totpSetupDetails?.sharedSecret}")
+ // Prompt the user to enter the TOTP code generated in their authenticator app
+ // Then invoke `confirmSignIn` api with the code
+ }
+ AuthSignInStep.CONTINUE_SIGN_IN_WITH_MFA_SELECTION -> {
+ Log.i("AuthQuickstart", "Received next step as continue sign in by selecting MFA type")
+ Log.i("AuthQuickstart", "Allowed MFA types ${nextStep.allowedMFATypes}")
+ // Prompt the user to select the MFA type they want to use
+ // Then invoke `confirmSignIn` api with the MFA type
+ }
+ AuthSignInStep.CONTINUE_SIGN_IN_WITH_FIRST_FACTOR_SELECTION -> {
+ Log.i("AuthQuickstart", "Available authentication factors for this user: ${result.nextStep.availableFactors}")
+ // Prompt the user to select which authentication factor they want to use to sign-in
+ // Then invoke `confirmSignIn` api with that selection
+ }
+ AuthSignInStep.CONFIRM_SIGN_IN_WITH_SMS_MFA_CODE -> {
+ Log.i("AuthQuickstart", "SMS code sent to ${nextStep.codeDeliveryDetails?.destination}")
+ Log.i("AuthQuickstart", "Additional Info ${nextStep.additionalInfo}")
+ // Prompt the user to enter the SMS MFA code they received
+ // Then invoke `confirmSignIn` api with the code
+ }
+ AuthSignInStep.CONFIRM_SIGN_IN_WITH_OTP -> {
+ Log.i("AuthQuickstart", "OTP code sent to ${nextStep.codeDeliveryDetails?.destination}")
+ Log.i("AuthQuickstart", "Additional Info ${nextStep.additionalInfo}")
+ // Prompt the user to enter the OTP MFA code they received
+ // Then invoke `confirmSignIn` api with the code
+ }
+ AuthSignInStep.CONFIRM_SIGN_IN_WITH_PASSWORD -> {
+ Log.i("AuthQuickstart", "Received next step as confirm sign in with password")
+ // Prompt the user to enter their password
+ // Then invoke `confirmSignIn` api with that password
+ }
+ AuthSignInStep.CONFIRM_SIGN_IN_WITH_CUSTOM_CHALLENGE -> {
+ Log.i("AuthQuickstart","Custom challenge, additional info: ${nextStep.additionalInfo}")
+ // Prompt the user to enter custom challenge answer
+ // Then invoke `confirmSignIn` api with the answer
+ }
+ AuthSignInStep.CONFIRM_SIGN_IN_WITH_NEW_PASSWORD -> {
+ Log.i("AuthQuickstart", "Sign in with new password, additional info: ${nextStep.additionalInfo}")
+ // Prompt the user to enter a new password
+ // Then invoke `confirmSignIn` api with new password
+ }
+ AuthSignInStep.DONE -> {
+ Log.i("AuthQuickstart", "SignIn complete")
+ // User has successfully signed in to the app
+ }
+ }
+} catch (error: Exception) {
+ when (error) {
+ is UserNotConfirmedException -> {
+ // User was not confirmed during the signup process.
+ // Invoke `confirmSignUp` api to confirm the user if
+ // they have the confirmation code. If they do not have the
+ // confirmation code, invoke `resendSignUpCode` to send the
+ // code again.
+ // After the user is confirmed, invoke the `signIn` api again.
+ Log.e("AuthQuickstart", "Signup confirmation required", error)
+ }
+ is PasswordResetRequiredException -> {
+ // User needs to reset their password.
+ // Invoke `resetPassword` api to start the reset password
+ // flow, and once reset password flow completes, invoke
+ // `signIn` api to trigger signIn flow again.
+ Log.e("AuthQuickstart", "Password reset required", error)
+ }
+ else -> {
+ Log.e("AuthQuickstart", "Unexpected error occurred: $error")
+ }
+ }
+}
+```
+
+#### [RxJava]
+
+```java
+RxAmplify.Auth.signIn("hello@example.com", "password").subscribe(
+ result ->
+ {
+ AuthNextSignInStep nextStep = result.getNextStep();
+ switch (nextStep.getSignInStep()) {
+ case CONFIRM_SIGN_IN_WITH_TOTP_CODE: {
+ Log.i("AuthQuickstart", "Received next step as confirm sign in with TOTP code");
+ // Prompt the user to enter the TOTP code generated in their authenticator app
+ // Then invoke `confirmSignIn` api with the code
+ break;
+ }
+ case CONTINUE_SIGN_IN_WITH_MFA_SETUP_SELECTION: {
+ Log.i("AuthQuickstart", "Received next step as continue sign in by selecting an MFA method to setup");
+ Log.i("AuthQuickstart", "Allowed MFA types for setup" + nextStep.getAllowedMFATypes());
+ // Prompt the user to select the MFA type they want to setup
+ // Then invoke `confirmSignIn` api with the MFA type
+ break;
+ }
+ case CONTINUE_SIGN_IN_WITH_EMAIL_MFA_SETUP: {
+ Log.i("AuthQuickstart", "Received next step as continue sign in by setting up email MFA");
+ // Prompt the user to enter the email address they would like to use to receive OTPs
+ // Then invoke `confirmSignIn` api with the email address
+ break;
+ }
+ case CONTINUE_SIGN_IN_WITH_TOTP_SETUP: {
+ Log.i("AuthQuickstart", "Received next step as continue sign in by setting up TOTP");
+ Log.i("AuthQuickstart", "Shared secret that will be used to set up TOTP in the authenticator app" + nextStep.getTotpSetupDetails().getSharedSecret());
+ // Prompt the user to enter the TOTP code generated in their authenticator app
+ // Then invoke `confirmSignIn` api with the code
+ break;
+ }
+ case CONTINUE_SIGN_IN_WITH_MFA_SELECTION: {
+ Log.i("AuthQuickstart", "Received next step as continue sign in by selecting MFA type");
+ Log.i("AuthQuickstart", "Allowed MFA type" + nextStep.getAllowedMFATypes());
+ // Prompt the user to select the MFA type they want to use
+ // Then invoke `confirmSignIn` api with the MFA type
+ break;
+ }
+ case CONTINUE_SIGN_IN_WITH_FIRST_FACTOR_SELECTION: {
+ Log.i("AuthQuickstart", "Available authentication factors for this user: " + result.getNextStep().getAvailableFactors());
+ // Prompt the user to select which authentication factor they want to use to sign-in
+ // Then invoke `confirmSignIn` api with that selection
+ break;
+ }
+ case CONFIRM_SIGN_IN_WITH_SMS_MFA_CODE: {
+ Log.i("AuthQuickstart", "SMS code sent to " + nextStep.getCodeDeliveryDetails().getDestination());
+ Log.i("AuthQuickstart", "Additional Info :" + nextStep.getAdditionalInfo());
+ // Prompt the user to enter the SMS MFA code they received
+ // Then invoke `confirmSignIn` api with the code
+ break;
+ }
+ case CONFIRM_SIGN_IN_WITH_OTP: {
+ Log.i("AuthQuickstart", "OTP code sent to " + nextStep.getCodeDeliveryDetails().getDestination());
+ Log.i("AuthQuickstart", "Additional Info :" + nextStep.getAdditionalInfo());
+ // Prompt the user to enter the OTP MFA code they received
+ // Then invoke `confirmSignIn` api with the code
+ break;
+ }
+ case CONFIRM_SIGN_IN_WITH_PASSWORD: {
+ Log.i("AuthQuickstart", "Received next step as confirm sign in with password");
+ // Prompt the user to enter their password
+ // Then invoke `confirmSignIn` api with that password
+ break;
+ }
+ case CONFIRM_SIGN_IN_WITH_CUSTOM_CHALLENGE: {
+ Log.i("AuthQuickstart", "Custom challenge, additional info: " + nextStep.getAdditionalInfo());
+ // Prompt the user to enter custom challenge answer
+ // Then invoke `confirmSignIn` api with the answer
+ break;
+ }
+ case CONFIRM_SIGN_IN_WITH_NEW_PASSWORD: {
+ Log.i("AuthQuickstart", "Sign in with new password, additional info: " + nextStep.getAdditionalInfo());
+ // Prompt the user to enter a new password
+ // Then invoke `confirmSignIn` api with new password
+ break;
+ }
+ case DONE: {
+ Log.i("AuthQuickstart", "SignIn complete");
+ // User has successfully signed in to the app
+ break;
+ }
+ }
+ },
+ error -> {
+ if (error instanceof UserNotConfirmedException) {
+ // User was not confirmed during the signup process.
+ // Invoke `confirmSignUp` api to confirm the user if
+ // they have the confirmation code. If they do not have the
+ // confirmation code, invoke `resendSignUpCode` to send the
+ // code again.
+ // After the user is confirmed, invoke the `signIn` api again.
+ Log.i("AuthQuickstart", "Signup confirmation required" + error);
+ } else if (error instanceof PasswordResetRequiredException) {
+ // User needs to reset their password.
+ // Invoke `resetPassword` api to start the reset password
+ // flow, and once reset password flow completes, invoke
+ // `signIn` api to trigger signIn flow again.
+ Log.i("AuthQuickstart", "Password reset required" + error);
+ } else {
+ Log.e("AuthQuickstart", "SignIn failed: " + error);
+ }
+ }
+);
+```
+
+## Confirm sign-in with SMS MFA
+
+If the next step is `CONFIRM_SIGN_IN_WITH_SMS_MFA_CODE`, Amplify Auth has sent the user a random code over SMS, and is waiting to find out if the user successfully received it. To handle this step, your app's UI must prompt the user to enter the code. After the user enters the code, your implementation must pass the value to Amplify Auth `confirmSignIn` API.
+
+
+
+**Note:** The result also includes an `AuthCodeDeliveryDetails` member. It includes additional information about the code delivery such as the partial phone number of the SMS recipient.
+
+
+
+#### [Java]
+
+```java
+try {
+ Amplify.Auth.confirmSignIn(
+ "confirmation code",
+ result -> {
+ if (result.isSignedIn()) {
+ Log.i("AuthQuickstart", "Confirm signIn succeeded");
+ } else {
+ Log.i("AuthQuickstart", "Confirm sign in not complete. There might be additional steps: " + result.getNextStep());
+ // Switch on the next step to take appropriate actions.
+ // If `signInResult.isSignedIn` is true, the next step
+ // is 'done', and the user is now signed in.
+ }
+ },
+ error -> Log.e("AuthQuickstart", "Confirm sign in failed: " + error)
+ );
+} catch (Exception error) {
+ Log.e("AuthQuickstart", "Unexpected error: " + error);
+}
+```
+
+#### [Kotlin - Callbacks]
+
+```kotlin
+try {
+ Amplify.Auth.confirmSignIn(
+ "confirmation code",
+ { result ->
+ if (result.isSignedIn) {
+ Log.i("AuthQuickstart","Confirm signIn succeeded")
+ } else {
+ Log.i("AuthQuickstart", "Confirm sign in not complete. There might be additional steps: ${result.nextStep}")
+ // Switch on the next step to take appropriate actions.
+ // If `signInResult.isSignedIn` is true, the next step
+ // is 'done', and the user is now signed in.
+ }
+ }
+ ) { error -> Log.e("AuthQuickstart", "Confirm sign in failed: $error")}
+} catch (error: Exception) {
+ Log.e("AuthQuickstart", "Unexpected error: $error")
+}
+```
+
+#### [Kotlin - Coroutines]
+
+```kotlin
+try {
+ val result = Amplify.Auth.confirmSignIn(
+ "confirmation code"
+ )
+ if (result.isSignedIn) {
+ Log.i("AuthQuickstart", "Confirm signIn succeeded")
+ } else {
+ Log.i("AuthQuickstart", "Confirm sign in not complete. There might be additional steps: ${result.nextStep}"
+ )
+ // Switch on the next step to take appropriate actions.
+ // If `signInResult.isSignedIn` is true, the next step
+ // is 'done', and the user is now signed in.
+ }
+} catch (error: Exception) {
+ Log.e("AuthQuickstart", "Unexpected error: $error")
+}
+```
+
+#### [RxJava]
+
+```java
+
+RxAmplify.Auth.confirmSignIn(
+ "confirmation code").subscribe(
+ result -> {
+ if (result.isSignedIn()) {
+ Log.i("AuthQuickstart", "Confirm signIn succeeded");
+ } else {
+ Log.i("AuthQuickstart", "Confirm sign in not complete. There might be additional steps: " + result.getNextStep());
+ // Switch on the next step to take appropriate actions.
+ // If `signInResult.isSignedIn` is true, the next step
+ // is 'done', and the user is now signed in.
+ }
+ },
+ error -> Log.e("AuthQuickstart", "Confirm sign in failed: " + error)
+ );
+```
+
+## Confirm sign-in with TOTP MFA
+
+If the next step is `CONFIRM_SIGN_IN_WITH_TOTP_CODE`, you should prompt the user to enter the TOTP code from their associated authenticator app during set up. The code is a six-digit number that changes every 30 seconds. The user must enter the code before the 30-second window expires.
+
+After the user enters the code, your implementation must pass the value to Amplify Auth `confirmSignIn` API.
+
+## Confirm sign-in with Email MFA
+
+If the next step is `CONFIRM_SIGN_IN_WITH_EMAIL_MFA_CODE`, Amplify Auth has sent the user a random code to their email address and is waiting to find out if the user successfully received it. To handle this step, your app's UI must prompt the user to enter the code. After the user enters the code, your implementation must pass the value to Amplify Auth `confirmSignIn` API.
+
+
+
+**Note:** The result also includes an `AuthCodeDeliveryDetails` member. It includes additional information about the code delivery such as the partial email address of the recipient.
+
+
+
+## Confirm sign-in with OTP
+
+If the next step is `CONFIRM_SIGN_IN_WITH_OTP`, Amplify Auth has sent the user a random code to the medium of the user's choosing (e.g. SMS or email) and is waiting for the user to verify that code. To handle this step, your app's UI must prompt the user to enter the code. After the user enters the code, pass the value to the `confirmSignIn` API.
+
+
+
+**Note:** The result includes an `AuthCodeDeliveryDetails` member. It includes additional information about the code delivery, such as the partial email address of the recipient, which can be used to prompt the user on where to look for the code.
+
+
+
+## Continue sign-in with MFA Selection
+
+If the next step is `CONTINUE_SIGN_IN_WITH_MFA_SELECTION`, the user must select the MFA method to use. Amplify Auth currently supports SMS, TOTP, and email as MFA methods. After the user selects an MFA method, your implementation must pass the selected MFA method to Amplify Auth using `confirmSignIn` API.
+
+## Continue sign-in with Email Setup
+
+If the next step is `CONTINUE_SIGN_IN_WITH_EMAIL_MFA_SETUP`, then the user must provide an email address to complete the sign in process. Once this value has been collected from the user, call the `confirmSignIn` API to continue.
+
+## Continue sign-in with TOTP Setup
+
+If the next step is `CONTINUE_SIGN_IN_WITH_TOTP_SETUP`, then the user must provide a TOTP code to complete the sign in process. The step returns an associated value of type `TOTPSetupDetails` which would be used for generating TOTP. `TOTPSetupDetails` provides a helper method called `getSetupURI` that can be used to generate a URI, which can be used by native password managers for TOTP association. For example. if the URI is used on Apple platforms, it will trigger the platform's native password manager to associate TOTP with the account. For more advanced use cases, `TOTPSetupDetails` also contains the `sharedSecret` that will be used to either generate a QR code or can be manually entered into an authenticator app.
+
+Once the authenticator app is set up, the user can generate a TOTP code and provide it to the library to complete the sign in process.
+
+## Continue sign-in with MFA Setup Selection
+
+If the next step is `CONTINUE_SIGN_IN_WITH_MFA_SETUP_SELECTION`, the user must select the MFA method to setup. Amplify Auth currently supports SMS, TOTP, and email as MFA methods. After the user selects an MFA method, your implementation must pass the selected MFA method to Amplify Auth using `confirmSignIn` API.
+
+## Continue sign-in with First Factor Selection
+
+If the next step is `CONTINUE_SIGN_IN_WITH_FIRST_FACTOR_SELECTION`, the user must select an authentication factor to use either because they did not specify one or because the one they chose is not supported (e.g. selecting SMS when they don't have a phone number registered to their account). Amplify Auth currently supports SMS, email, password, and webauthn as authentication factors. After the user selects an authentication method, your implementation must pass the selected authentication method to Amplify Auth using `confirmSignIn` API.
+
+Visit the [sign-in documentation](/[platform]/build-a-backend/auth/connect-your-frontend/sign-in/#sign-in-with-passwordless-methods) to see examples on how to call the `confirmSignIn` API.
+
+## Confirm sign-in with custom challenge
+
+If the next step is `CONFIRM_SIGN_IN_WITH_CUSTOM_CHALLENGE`, Amplify Auth is awaiting completion of a custom authentication challenge. The challenge is based on the Lambda trigger you setup when you configured a [custom sign in flow](/[platform]/build-a-backend/auth/customize-auth-lifecycle/custom-auth-flows/#sign-in-a-user). To complete this step, you should prompt the user for the custom challenge answer, and pass the answer to the `confirmSignIn` API.
+
+#### [Java]
+
+```java
+try {
+ Amplify.Auth.confirmSignIn(
+ "challenge answer",
+ result -> {
+ if (result.isSignedIn()) {
+ Log.i("AuthQuickstart", "Confirm signIn succeeded");
+ } else {
+ Log.i("AuthQuickstart", "Confirm sign in not complete. There might be additional steps: " + result.getNextStep());
+ // Switch on the next step to take appropriate actions.
+ // If `signInResult.isSignedIn` is true, the next step
+ // is 'done', and the user is now signed in.
+ }
+ },
+ error -> Log.e("AuthQuickstart", "Confirm sign in failed: " + error)
+ );
+} catch (Exception error) {
+ Log.e("AuthQuickstart", "Unexpected error: " + error);
+}
+```
+
+#### [Kotlin - Callbacks]
+
+```kotlin
+try {
+ Amplify.Auth.confirmSignIn(
+ "challenge answer",
+ { result ->
+ if (result.isSignedIn) {
+ Log.i("AuthQuickstart","Confirm signIn succeeded")
+ } else {
+ Log.i("AuthQuickstart", "Confirm sign in not complete. There might be additional steps: ${result.nextStep}")
+ // Switch on the next step to take appropriate actions.
+ // If `signInResult.isSignedIn` is true, the next step
+ // is 'done', and the user is now signed in.
+ }
+ }
+ ) { error ->
+ Log.e("AuthQuickstart", "Confirm sign in failed: $error")
+ }
+} catch (error: Exception) {
+ Log.e("AuthQuickstart", "Unexpected error: $error")
+}
+```
+
+#### [Kotlin - Coroutines]
+
+```kotlin
+try {
+ val result = Amplify.Auth.confirmSignIn(
+ "challenge answer"
+ )
+ if (result.isSignedIn) {
+ Log.i("AuthQuickstart", "Confirm signIn succeeded")
+ } else {
+ Log.i("AuthQuickstart", "Confirm sign in not complete. There might be additional steps: ${result.nextStep}")
+ // Switch on the next step to take appropriate actions.
+ // If `signInResult.isSignedIn` is true, the next step
+ // is 'done', and the user is now signed in.
+ }
+} catch (error: Exception) {
+ Log.e("AuthQuickstart", "Unexpected error: $error")
+}
+```
+
+#### [RxJava]
+
+```java
+
+RxAmplify.Auth.confirmSignIn(
+ "challenge answer").subscribe(
+ result -> {
+ if (result.isSignedIn()) {
+ Log.i("AuthQuickstart", "Confirm signIn succeeded");
+ } else {
+ Log.i("AuthQuickstart", "Confirm sign in not complete. There might be additional steps: " + result.getNextStep());
+ // Switch on the next step to take appropriate actions.
+ // If `signInResult.isSignedIn` is true, the next step
+ // is 'done', and the user is now signed in.
+ }
+ },
+ error -> Log.e("AuthQuickstart", "Confirm sign in failed: " + error)
+);
+```
+
+> **Warning:** **Special Handling on `confirmSignIn`**
+>
+> During a confirmSignIn call if `failAuthentication=true` is returned by the Lambda the session of the request gets invalidated by cognito, a NotAuthorizedException is returned and a new signIn call is expected via Amplify.Auth.signIn
+>
+> ```java
+NotAuthorizedException{message=Failed since user is not authorized., cause=NotAuthorizedException(message=Invalid session for the user.), recoverySuggestion=Check whether the given values are correct and the user is authorized to perform the operation.}
+```
+
+## Confirm sign-in with new password
+If you receive a `UserNotConfirmedException` while signing in, Amplify Auth requires a new password for the user before they can proceed. Prompt the user for a new password and pass it to the `confirmSignIn` API.
+
+#### [Java]
+
+```java
+try {
+ Amplify.Auth.confirmSignIn(
+ "confirmation code",
+ result -> {
+ if (result.isSignedIn()) {
+ Log.i("AuthQuickstart", "Confirm signIn succeeded");
+ } else {
+ Log.i("AuthQuickstart", "Confirm sign in not complete. There might be additional steps: " + result.getNextStep());
+ // Switch on the next step to take appropriate actions.
+ // If `signInResult.isSignedIn` is true, the next step
+ // is 'done', and the user is now signed in.
+ }
+ },
+ error -> Log.e("AuthQuickstart", "Confirm sign in failed: " + error)
+ );
+} catch (Exception error) {
+ Log.e("AuthQuickstart", "Unexpected error: " + error);
+}
+```
+
+#### [Kotlin - Callbacks]
+
+```kotlin
+ try {
+ Amplify.Auth.confirmSignIn(
+ "confirmation code",
+ { result ->
+ if (result.isSignedIn) {
+ Log.i("AuthQuickstart","Confirm signIn succeeded")
+ } else {
+ Log.i("AuthQuickstart", "Confirm sign in not complete. There might be additional steps: ${result.nextStep}")
+ }
+ }
+ ) { error ->
+ Log.e("AuthQuickstart", "Confirm sign in failed: $error")
+ }
+} catch (error: Exception) {
+ Log.e("AuthQuickstart", "Unexpected error: $error")
+}
+}
+```
+
+#### [Kotlin - Coroutines]
+
+```kotlin
+try {
+ val result = Amplify.Auth.confirmSignIn(
+ "confirmation code"
+ )
+ if (result.isSignedIn) {
+ Log.i("AuthQuickstart", "Confirm signIn succeeded")
+ } else {
+ Log.i("AuthQuickstart", "Confirm sign in not complete. There might be additional steps: ${result.nextStep}")
+ }
+} catch (error: Exception) {
+ Log.e("AuthQuickstart", "Unexpected error: $error")
+}
+```
+
+#### [RxJava]
+
+```java
+
+RxAmplify.Auth.confirmSignIn(
+ "confirmation code").subscribe(
+ result -> {
+ if (result.isSignedIn()) {
+ Log.i("AuthQuickstart", "Confirm signIn succeeded");
+ } else {
+ Log.i("AuthQuickstart", "Confirm sign in not complete. There might be additional steps: " + result.getNextStep());
+ }
+ },
+ error -> Log.e("AuthQuickstart", "Confirm sign in failed: " + error)
+ );
+```
+
+## Reset password
+If you receive `PasswordResetRequiredException`, authentication flow could not proceed without resetting the password. The next step is to invoke `resetPassword` api and follow the reset password flow.
+
+#### [Java]
+
+```java
+try {
+ Amplify.Auth.resetPassword(
+ "username",
+ result -> Log.i("AuthQuickstart", "Reset password succeeded"),
+ error -> Log.e("AuthQuickstart", "Reset password failed : " + error)
+ );
+} catch (Exception error) {
+ Log.e("AuthQuickstart", "Unexpected error: " + error);
+}
+```
+
+#### [Kotlin - Callbacks]
+
+```kotlin
+try {
+ Amplify.Auth.resetPassword(
+ "username",
+ {
+ Log.i("AuthQuickstart", "Reset password succeeded")
+ }
+ ) { error ->
+ Log.e("AuthQuickstart", "Reset password failed : $error")
+ }
+} catch (error: Exception) {
+ Log.e("AuthQuickstart", "Unexpected error: $error")
+}
+```
+
+#### [Kotlin - Coroutines]
+
+```kotlin
+try {
+ Amplify.Auth.resetPassword("username")
+ Log.i("AuthQuickstart", "Reset password succeeded")
+} catch (error: Exception) {
+ Log.e("AuthQuickstart", "Unexpected error: $error")
+}
+```
+
+#### [RxJava]
+
+```java
+RxAmplify.Auth.resetPassword(
+ "username").subscribe(
+ result -> Log.i("AuthQuickstart", "Reset password succeeded"),
+ error -> Log.e("AuthQuickstart", "Reset password failed : " + error)
+);
+```
+
+## Confirm Signup
+
+If you receive `CONFIRM_SIGN_UP` as a next step, sign up could not proceed without confirming user information such as email or phone number. The next step is to invoke the `confirmSignUp` API and follow the confirm signup flow.
+
+#### [Java]
+
+```java
+ try {
+ Amplify.Auth.confirmSignUp(
+ "username",
+ "confirmation code",
+ result -> Log.i("AuthQuickstart", "Confirm signUp result completed: " + result.isSignUpComplete()),
+ error -> Log.e("AuthQuickstart", "An error occurred while confirming sign up: " + error)
+ );
+} catch (Exception error) {
+ Log.e("AuthQuickstart", "unexpected error: " + error);
+}
+```
+
+#### [Kotlin - Callbacks]
+
+```kotlin
+ try {
+ Amplify.Auth.confirmSignUp(
+ "username",
+ "confirmation code",
+ { result ->
+ Log.i("AuthQuickstart", "Confirm signUp result completed: ${result.isSignUpComplete}")
+ }
+ ) { error ->
+ Log.e("AuthQuickstart", "An error occurred while confirming sign up: $error")
+ }
+} catch (error: Exception) {
+ Log.e("AuthQuickstart", "unexpected error: $error")
+}
+```
+
+#### [Kotlin - Coroutines]
+
+```kotlin
+try {
+ val result = Amplify.Auth.confirmSignUp(
+ "username",
+ "confirmation code"
+ )
+ Log.i("AuthQuickstart", "Confirm signUp result completed: ${result.isSignUpComplete}")
+} catch (error: Exception) {
+ Log.e("AuthQuickstart", "unexpected error: $error")
+}
+```
+
+#### [RxJava]
+
+```java
+RxAmplify.Auth.confirmSignUp(
+ "username",
+ "confirmation code").subscribe(
+ result -> Log.i("AuthQuickstart", "Confirm signUp result completed: " + result.isSignUpComplete()),
+ error -> Log.e("AuthQuickstart", "An error occurred while confirming sign up: " + error)
+);
+```
+
+## Get Current User
+
+This call fetches the current logged in user and should be used after a user has been successfully signed in.
+If the user is signed in, it will return the current userId and username.
+
+
+**Note:** An empty string will be assigned to userId and/or username, if the values are not present in the accessToken.
+
+
+#### [Java]
+
+```java
+ try {
+ Amplify.Auth.getCurrentUser(
+ result -> Log.i("AuthQuickstart", "Current user details are:" + result.toString(),
+ error -> Log.e("AuthQuickstart", "getCurrentUser failed with an exception: " + error)
+ );
+ } catch (Exception error) {
+ Log.e("AuthQuickstart", "unexpected error: " + error);
+ }
+```
+
+#### [Kotlin - Callbacks]
+
+```kotlin
+Amplify.Auth.getCurrentUser({
+ Log.i("AuthQuickStart", "Current user details are: $it")},{
+ Log.e("AuthQuickStart", "getCurrentUser failed with an exception: $it")
+})
+```
+
+#### [Kotlin - Coroutines]
+
+```kotlin
+try {
+ val result = Amplify.Auth.getCurrentUser()
+ Log.i("AuthQuickstart", "Current user details are: $result")
+} catch (error: Exception) {
+ Log.e("AuthQuickstart", "getCurrentUser failed with an exception: $error")
+}
+```
+
+#### [RxJava]
+
+```java
+ RxAmplify.Auth.getCurrentUser().subscribe(
+ result -> Log.i("AuthQuickStart getCurrentUser: " + result.toString()),
+ error -> Log.e("AuthQuickStart", error.toString())
+ );
+```
+
+## Done
+
+Sign In flow is complete when you get `done`. This means the user is successfully authenticated. As a convenience, the SignInResult also provides the `isSignedIn` property, which will be true if the next step is `done`.
+
+
+
+After a user has finished signup, they can proceed to sign in. Amplify Auth signin flows can be multi step processes. The required steps are determined by the configuration you provided when you define your auth resources like described on [Manage MFA Settings](/[platform]/build-a-backend/auth/concepts/multi-factor-authentication/) page.
+
+Depending on the configuration, you may need to call various APIs to finish authenticating a user's signin attempt. To identify the next step in a signin flow, inspect the `nextStep` parameter in the signin result.
+
+> **Warning:** *New enumeration values*
+>
+> When Amplify adds a new enumeration value (e.g., a new enum class entry or sealed class subtype in Kotlin, or a new enum value in Swift/Dart/Kotlin), it will publish a new minor version of the Amplify Library. Plugins that switch over enumeration values should include default handlers (an else branch in Kotlin or a default statement in Swift/Dart/Kotlin) to ensure that they are not impacted by new enumeration values.
+
+When called successfully, the signin APIs will return an `AuthSignInResult`. Inspect the `nextStep` property in the result to see if additional signin steps are required.
+
+```swift
+func signIn(username: String, password: String) async {
+ do {
+ let signInResult = try await Amplify.Auth.signIn(username: username, password: password)
+ switch signInResult.nextStep {
+ case .confirmSignInWithSMSMFACode(let deliveryDetails, let info):
+ print("SMS code sent to \(deliveryDetails.destination)")
+ print("Additional info \(String(describing: info))")
+
+ // Prompt the user to enter the SMSMFA code they received
+ // Then invoke `confirmSignIn` api with the code
+
+ case .confirmSignInWithTOTPCode:
+ print("Received next step as confirm sign in with TOTP code")
+
+ // Prompt the user to enter the TOTP code generated in their authenticator app
+ // Then invoke `confirmSignIn` api with the code
+
+ case .confirmSignInWithOTP(let deliveryDetails):
+ print("Email code sent to \(deliveryDetails.destination)")
+
+ // Prompt the user to enter the Email MFA code they received
+ // Then invoke `confirmSignIn` api with the code
+
+ case .continueSignInWithFirstFactorSelection(let allowedFactors):
+ print("Received next step as continue sign in by selecting first factor")
+ print("Allowed factors \(allowedFactors)")
+
+ // Prompt the user to select the first factor they want to use
+ // Then invoke `confirmSignIn` api with the factor
+
+ case .confirmSignInWithPassword:
+ print("Received next step as confirm sign in with password")
+
+ // Prompt the user to enter the password
+ // Then invoke `confirmSignIn` api with the password
+
+ case .continueSignInWithTOTPSetup(let setUpDetails):
+ print("Received next step as continue sign in by setting up TOTP")
+ print("Shared secret that will be used to set up TOTP in the authenticator app \(setUpDetails.sharedSecret)")
+
+ // Prompt the user to enter the TOTP code generated in their authenticator app
+ // Then invoke `confirmSignIn` api with the code
+
+ case .continueSignInWithEmailMFASetup:
+ print("Received next step as continue sign in by setting up email MFA")
+
+ // Prompt the user to enter the email address they wish to use for MFA
+ // Then invoke `confirmSignIn` api with the email address
+
+ case .continueSignInWithMFASetupSelection(let allowedMFATypes):
+ print("Received next step as continue sign in by selecting MFA type to setup")
+ print("Allowed MFA types \(allowedMFATypes)")
+
+ // Prompt the user to select the MFA type they want to setup
+ // Then invoke `confirmSignIn` api with the MFA type
+
+ case .continueSignInWithMFASelection(let allowedMFATypes):
+ print("Received next step as continue sign in by selecting MFA type")
+ print("Allowed MFA types \(allowedMFATypes)")
+
+ // Prompt the user to select the MFA type they want to use
+ // Then invoke `confirmSignIn` api with the MFA type
+
+ case .confirmSignInWithCustomChallenge(let info):
+ print("Custom challenge, additional info \(String(describing: info))")
+
+ // Prompt the user to enter custom challenge answer
+ // Then invoke `confirmSignIn` api with the answer
+
+ case .confirmSignInWithNewPassword(let info):
+ print("New password additional info \(String(describing: info))")
+
+ // Prompt the user to enter a new password
+ // Then invoke `confirmSignIn` api with new password
+
+ case .resetPassword(let info):
+ print("Reset password additional info \(String(describing: info))")
+
+ // User needs to reset their password.
+ // Invoke `resetPassword` api to start the reset password
+ // flow, and once reset password flow completes, invoke
+ // `signIn` api to trigger signin flow again.
+
+ case .confirmSignUp(let info):
+ print("Confirm signup additional info \(String(describing: info))")
+
+ // User was not confirmed during the signup process.
+ // Invoke `confirmSignUp` api to confirm the user if
+ // they have the confirmation code. If they do not have the
+ // confirmation code, invoke `resendSignUpCode` to send the
+ // code again.
+ // After the user is confirmed, invoke the `signIn` api again.
+ case .done:
+
+ // Use has successfully signed in to the app
+ print("Signin complete")
+ }
+ } catch let error as AuthError{
+ print ("Sign in failed \(error)")
+ } catch {
+ print("Unexpected error: \(error)")
+ }
+}
+```
+
+The `nextStep` property is of enum type `AuthSignInStep`. Depending on its value, your code should take one of the following actions:
+
+## Confirm sign-in with SMS MFA
+If the next step is `confirmSignInWithSMSMFACode`, Amplify Auth has sent the user a random code over SMS, and is waiting to find out if the user successfully received it. To handle this step, your app's UI must prompt the user to enter the code. After the user enters the code, your implementation must pass the value to Amplify Auth `confirmSignIn` API.
+
+Note: the signin result also includes an `AuthCodeDeliveryDetails` member. It includes additional information about the code delivery such as the partial phone number of the SMS recipient.
+
+#### [Async/Await]
+
+```swift
+func confirmSignIn(confirmationCodeFromUser: String) async {
+ do {
+ let signInResult = try await Amplify.Auth.confirmSignIn(challengeResponse: confirmationCodeFromUser)
+ if signInResult.isSignedIn {
+ print("Confirm sign in succeeded. The user is signed in.")
+ } else {
+ print("Confirm sign in succeeded.")
+ print("Next step: \(signInResult.nextStep)")
+ // Switch on the next step to take appropriate actions.
+ // If `signInResult.isSignedIn` is true, the next step
+ // is 'done', and the user is now signed in.
+ }
+ } catch let error as AuthError {
+ print("Confirm sign in failed \(error)")
+ } catch {
+ print("Unexpected error: \(error)")
+ }
+}
+```
+
+#### [Combine]
+
+```swift
+func confirmSignIn(confirmationCodeFromUser: String) -> AnyCancellable {
+ Amplify.Publisher.create {
+ try await Amplify.Auth.confirmSignIn(challengeResponse: confirmationCodeFromUser)
+ }.sink {
+ if case let .failure(authError) = $0 {
+ print("Confirm sign in failed \(authError)")
+ }
+ }
+ receiveValue: { signInResult in
+ if signInResult.isSignedIn {
+ print("Confirm sign in succeeded. The user is signed in.")
+ } else {
+ print("Confirm sign in succeeded.")
+ print("Next step: \(signInResult.nextStep)")
+ // Switch on the next step to take appropriate actions.
+ // If `signInResult.isSignedIn` is true, the next step
+ // is 'done', and the user is now signed in.
+ }
+ }
+}
+```
+
+## Confirm sign-in with TOTP MFA
+
+If the next step is `confirmSignInWithTOTPCode`, you should prompt the user to enter the TOTP code from their associated authenticator app during set up. The code is a six-digit number that changes every 30 seconds. The user must enter the code before the 30-second window expires.
+
+After the user enters the code, your implementation must pass the value to Amplify Auth `confirmSignIn` API.
+
+#### [Async/Await]
+
+```swift
+func confirmSignIn(totpCode: String) async {
+ do {
+ let signInResult = try await Amplify.Auth.confirmSignIn(challengeResponse: totpCode)
+ if signInResult.isSignedIn {
+ print("Confirm sign in succeeded. The user is signed in.")
+ } else {
+ print("Confirm sign in succeeded.")
+ print("Next step: \(signInResult.nextStep)")
+ // Switch on the next step to take appropriate actions.
+ // If `signInResult.isSignedIn` is true, the next step
+ // is 'done', and the user is now signed in.
+ }
+ } catch {
+ print("Confirm sign in failed \(error)")
+ }
+}
+```
+
+#### [Combine]
+
+```swift
+func confirmSignIn(totpCode: String) -> AnyCancellable {
+ Amplify.Publisher.create {
+ try await Amplify.Auth.confirmSignIn(challengeResponse: totpCode)
+ }.sink {
+ if case let .failure(authError) = $0 {
+ print("Confirm sign in failed \(authError)")
+ }
+ }
+ receiveValue: { signInResult in
+ if signInResult.isSignedIn {
+ print("Confirm sign in succeeded. The user is signed in.")
+ } else {
+ print("Confirm sign in succeeded.")
+ print("Next step: \(signInResult.nextStep)")
+ // Switch on the next step to take appropriate actions.
+ // If `signInResult.isSignedIn` is true, the next step
+ // is 'done', and the user is now signed in.
+ }
+ }
+}
+```
+
+## Confirm sign-in with Email MFA
+If the next step is `confirmSignInWithOTP`, Amplify Auth has sent a random code to the user's email address, and is waiting to find out if the user successfully received it. To handle this step, your app's UI must prompt the user to enter the code. After the user enters the code, your implementation must pass the value to Amplify Auth `confirmSignIn` API.
+
+> **Info:** **Note:** the sign-in result also includes an `AuthCodeDeliveryDetails` member. It includes additional information about the code delivery such as the partial email address of the recipient.
+
+#### [Async/Await]
+
+```swift
+func confirmSignIn(confirmationCodeFromUser: String) async {
+ do {
+ let signInResult = try await Amplify.Auth.confirmSignIn(challengeResponse: confirmationCodeFromUser)
+ if signInResult.isSignedIn {
+ print("Confirm sign in succeeded. The user is signed in.")
+ } else {
+ print("Confirm sign in succeeded.")
+ print("Next step: \(signInResult.nextStep)")
+ // Switch on the next step to take appropriate actions.
+ // If `signInResult.isSignedIn` is true, the next step
+ // is 'done', and the user is now signed in.
+ }
+ } catch let error as AuthError {
+ print("Confirm sign in failed \(error)")
+ } catch {
+ print("Unexpected error: \(error)")
+ }
+}
+```
+
+#### [Combine]
+
+```swift
+func confirmSignIn(confirmationCodeFromUser: String) -> AnyCancellable {
+ Amplify.Publisher.create {
+ try await Amplify.Auth.confirmSignIn(challengeResponse: confirmationCodeFromUser)
+ }.sink {
+ if case let .failure(authError) = $0 {
+ print("Confirm sign in failed \(authError)")
+ }
+ }
+ receiveValue: { signInResult in
+ if signInResult.isSignedIn {
+ print("Confirm sign in succeeded. The user is signed in.")
+ } else {
+ print("Confirm sign in succeeded.")
+ print("Next step: \(signInResult.nextStep)")
+ // Switch on the next step to take appropriate actions.
+ // If `signInResult.isSignedIn` is true, the next step
+ // is 'done', and the user is now signed in.
+ }
+ }
+}
+```
+
+## Continue sign-in with MFA Selection
+
+If the next step is `continueSignInWithMFASelection`, the user must select the MFA method to use. Amplify Auth currently supports SMS, TOTP, and email as MFA methods. After the user selects an MFA method, your implementation must pass the selected MFA method to Amplify Auth using `confirmSignIn` API.
+
+#### [Async/Await]
+
+```swift
+func confirmSignInWithTOTPAsMFASelection() async {
+ do {
+ let signInResult = try await Amplify.Auth.confirmSignIn(
+ challengeResponse: MFAType.totp.challengeResponse)
+
+ if case .confirmSignInWithTOTPCode = signInResult.nextStep {
+ print("Received next step as confirm sign in with TOTP")
+ }
+
+ } catch {
+ print("Confirm sign in failed \(error)")
+ }
+}
+```
+
+#### [Combine]
+
+```swift
+func confirmSignInWithTOTPAsMFASelection() -> AnyCancellable {
+ Amplify.Publisher.create {
+ try await Amplify.Auth.confirmSignIn(
+ challengeResponse: MFAType.totp.challengeResponse)
+ }.sink {
+ if case let .failure(authError) = $0 {
+ print("Confirm sign in failed \(authError)")
+ }
+ }
+ receiveValue: { signInResult in
+ if case .confirmSignInWithTOTPCode = signInResult.nextStep {
+ print("Received next step as confirm sign in with TOTP")
+ }
+ }
+}
+```
+
+## Continue sign-in with Email Setup
+If the next step is `continueSignInWithEmailMFASetup`, then the user must provide an email address to complete the sign in process. Once this value has been collected from the user, call the `confirmSignIn` API to continue.
+
+```swift
+// Confirm sign in with Email Setup
+case .continueSignInWithEmailMFASetup:
+ print("Received next step as continue sign in by setting up email MFA")
+
+ // Prompt the user to enter the email address they wish to use for MFA
+ // Then invoke `confirmSignIn` api with the email address
+```
+
+## Continue sign-in with TOTP Setup
+
+If the next step is `continueSignInWithTOTPSetup`, then the user must provide a TOTP code to complete the sign in process. The step returns an associated value of type `TOTPSetupDetails` which would be used for generating TOTP. `TOTPSetupDetails` provides a helper method called `getSetupURI` that can be used to generate a URI, which can be used by native password managers for TOTP association. For example. if the URI is used on Apple platforms, it will trigger the platform's native password manager to associate TOTP with the account. For more advanced use cases, `TOTPSetupDetails` also contains the `sharedSecret` that will be used to either generate a QR code or can be manually entered into an authenticator app.
+
+Once the authenticator app is set up, the user can generate a TOTP code and provide it to the library to complete the sign in process.
+
+```swift
+// Confirm sign in with TOTP setup
+case .continueSignInWithTOTPSetup(let setUpDetails):
+
+ /// appName parameter will help distinguish the account in the Authenticator app
+ let setupURI = try setUpDetails.getSetupURI(appName: ">")
+
+ print("TOTP Setup URI: \(setupURI)")
+```
+
+#### [Async/Await]
+
+```swift
+func confirmSignInWithTOTPSetup(totpCodeFromAuthenticatorApp: String) async {
+ do {
+ let signInResult = try await Amplify.Auth.confirmSignIn(
+ challengeResponse: totpCodeFromAuthenticatorApp)
+
+ if signInResult.isSignedIn {
+ print("Confirm sign in succeeded. The user is signed in.")
+ } else {
+ print("Confirm sign in succeeded.")
+ print("Next step: \(signInResult.nextStep)")
+ // Switch on the next step to take appropriate actions.
+ // If `signInResult.isSignedIn` is true, the next step
+ // is 'done', and the user is now signed in.
+ }
+ } catch {
+ print("Confirm sign in failed \(error)")
+ }
+}
+```
+
+#### [Combine]
+
+```swift
+func confirmSignInWithTOTPSetup(totpCodeFromAuthenticatorApp: String) -> AnyCancellable {
+ Amplify.Publisher.create {
+ try await Amplify.Auth.confirmSignIn(
+ challengeResponse: totpCodeFromAuthenticatorApp)
+ }.sink {
+ if case let .failure(authError) = $0 {
+ print("Confirm sign in failed \(authError)")
+ }
+ }
+ receiveValue: { signInResult in
+ if signInResult.isSignedIn {
+ print("Confirm sign in succeeded. The user is signed in.")
+ } else {
+ print("Confirm sign in succeeded.")
+ print("Next step: \(signInResult.nextStep)")
+ // Switch on the next step to take appropriate actions.
+ // If `signInResult.isSignedIn` is true, the next step
+ // is 'done', and the user is now signed in.
+ }
+ }
+}
+```
+
+## Continue sign-in with MFA Setup Selection
+
+If the next step is `continueSignInWithMFASetupSelection`, the user must indicate which of the available MFA methods they would like to setup. After the user selects an MFA method to setup, your implementation must pass the selected MFA method to the `confirmSignIn` API.
+
+#### [Async/Await]
+
+```swift
+func continueSignInWithEmailMFASetupSelection() async {
+ do {
+ let signInResult = try await Amplify.Auth.confirmSignIn(
+ challengeResponse: MFAType.email.challengeResponse)
+
+ if case .confirmSignInWithTOTPCode = signInResult.nextStep {
+ print("Received next step as confirm sign in with TOTP")
+ }
+
+ } catch {
+ print("Confirm sign in failed \(error)")
+ }
+}
+```
+
+#### [Combine]
+
+```swift
+func continueSignInWithEmailMFASetupSelection() -> AnyCancellable {
+ Amplify.Publisher.create {
+ try await Amplify.Auth.confirmSignIn(
+ challengeResponse: MFAType.email.challengeResponse)
+ }.sink {
+ if case let .failure(authError) = $0 {
+ print("Confirm sign in failed \(authError)")
+ }
+ }
+ receiveValue: { signInResult in
+ if case .confirmSignInWithTOTPCode = signInResult.nextStep {
+ print("Received next step as confirm sign in with TOTP")
+ }
+ }
+}
+```
+
+## Confirm sign-in with custom challenge
+
+If the next step is `confirmSignInWithCustomChallenge`, Amplify Auth is awaiting completion of a custom authentication challenge. The challenge is based on the Lambda trigger you setup when you configured a [custom sign in flow](/[platform]/build-a-backend/auth/customize-auth-lifecycle/custom-auth-flows/#sign-in-a-user). To complete this step, you should prompt the user for the custom challenge answer, and pass the answer to the `confirmSignIn` API.
+
+#### [Async/Await]
+
+```swift
+func confirmSignIn(challengeAnswerFromUser: String) async {
+ do {
+ let signInResult = try await Amplify.Auth.confirmSignIn(challengeResponse: challengeAnswerFromUser)
+ if signInResult.isSignedIn {
+ print("Confirm sign in succeeded. The user is signed in.")
+ } else {
+ print("Confirm sign in succeeded.")
+ print("Next step: \(signInResult.nextStep)")
+ // Switch on the next step to take appropriate actions.
+ // If `signInResult.isSignedIn` is true, the next step
+ // is 'done', and the user is now signed in.
+ }
+ } catch let error as AuthError {
+ print("Confirm sign in failed \(error)")
+ } catch {
+ print("Unexpected error: \(error)")
+ }
+}
+```
+
+#### [Combine]
+
+```swift
+func confirmSignIn(challengeAnswerFromUser: String) -> AnyCancellable {
+ Amplify.Publisher.create {
+ try await Amplify.Auth.confirmSignIn(challengeResponse: challengeAnswerFromUser)
+ }.sink {
+ if case let .failure(authError) = $0 {
+ print("Confirm sign in failed \(authError)")
+ }
+ }
+ receiveValue: { signInResult in
+ if signInResult.isSignedIn {
+ print("Confirm sign in succeeded. The user is signed in.")
+ } else {
+ print("Confirm sign in succeeded.")
+ print("Next step: \(signInResult.nextStep)")
+ // Switch on the next step to take appropriate actions.
+ // If `signInResult.isSignedIn` is true, the next step
+ // is 'done', and the user is now signed in.
+ }
+ }
+}
+```
+
+> **Warning:** **Special Handling on `confirmSignIn`**
+>
+> During a confirmSignIn call if `failAuthentication=true` is returned by the Lambda function the session of the request gets invalidated by cognito, a NotAuthorizedException is returned and a new signIn call is expected via Amplify.Auth.signIn
+>
+> ```swift
+Exception: notAuthorized{message=Failed since user is not authorized., cause=NotAuthorizedException(message=Invalid session for the user.), recoverySuggestion=Check whether the given values are correct and the user is authorized to perform the operation.}
+```
+
+## Confirm sign-in with new password
+
+If the next step is `confirmSignInWithNewPassword`, Amplify Auth requires a new password for the user before they can proceed. Prompt the user for a new password and pass it to the `confirmSignIn` API.
+
+#### [Async/Await]
+
+```swift
+func confirmSignIn(newPasswordFromUser: String) async {
+ do {
+ let signInResult = try await Amplify.Auth.confirmSignIn(challengeResponse: newPasswordFromUser)
+ if signInResult.isSignedIn {
+ print("Confirm sign in succeeded. The user is signed in.")
+ } else {
+ print("Confirm sign in succeeded.")
+ print("Next step: \(signInResult.nextStep)")
+ // Switch on the next step to take appropriate actions.
+ // If `signInResult.isSignedIn` is true, the next step
+ // is 'done', and the user is now signed in.
+ }
+ } catch let error as AuthError {
+ print("Confirm sign in failed \(error)")
+ } catch {
+ print("Unexpected error: \(error)")
+ }
+}
+```
+
+#### [Combine]
+
+```swift
+func confirmSignIn(newPasswordFromUser: String) -> AnyCancellable {
+ Amplify.Publisher.create {
+ try await Amplify.Auth.confirmSignIn(challengeResponse: newPasswordFromUser)
+ }.sink {
+ if case let .failure(authError) = $0 {
+ print("Confirm sign in failed \(authError)")
+ }
+ }
+ receiveValue: { signInResult in
+ if signInResult.isSignedIn {
+ print("Confirm sign in succeeded. The user is signed in.")
+ } else {
+ print("Confirm sign in succeeded.")
+ print("Next step: \(signInResult.nextStep)")
+ // Switch on the next step to take appropriate actions.
+ // If `signInResult.isSignedIn` is true, the next step
+ // is 'done', and the user is now signed in.
+ }
+ }
+}
+```
+
+## Reset password
+
+If you receive `resetPassword`, authentication flow could not proceed without resetting the password. The next step is to invoke `resetPassword` api and follow the reset password flow.
+
+#### [Async/Await]
+
+```swift
+func resetPassword(username: String) async {
+ do {
+ let resetPasswordResult = try await Amplify.Auth.resetPassword(for: username)
+ print("Reset password succeeded.")
+ print("Next step: \(resetPasswordResult.nextStep)")
+ } catch let error as AuthError {
+ print("Reset password failed \(error)")
+ } catch {
+ print("Unexpected error: \(error)")
+ }
+}
+```
+
+#### [Combine]
+
+```swift
+func resetPassword(username: String) -> AnyCancellable {
+ Amplify.Publisher.create {
+ try await Amplify.Auth.resetPassword(for: username)
+ }.sink {
+ if case let .failure(authError) = $0 {
+ print("Reset password failed \(authError)")
+ }
+ }
+ receiveValue: { resetPasswordResult in
+ print("Reset password succeeded.")
+ print("Next step: \(resetPasswordResult.nextStep)")
+ }
+}
+```
+
+## Confirm Signup
+
+If you receive `confirmSignUp` as a next step, sign up could not proceed without confirming user information such as email or phone number. The next step is to invoke the `confirmSignUp` API and follow the confirm signup flow.
+
+#### [Async/Await]
+
+```swift
+func confirmSignUp(for username: String, with confirmationCode: String) async {
+ do {
+ let confirmSignUpResult = try await Amplify.Auth.confirmSignUp(
+ for: username,
+ confirmationCode: confirmationCode
+ )
+ print("Confirm sign up result completed: \(confirmSignUpResult.isSignUpComplete)")
+ } catch let error as AuthError {
+ print("An error occurred while confirming sign up \(error)")
+ } catch {
+ print("Unexpected error: \(error)")
+ }
+}
+```
+
+#### [Combine]
+
+```swift
+func confirmSignUp(for username: String, with confirmationCode: String) -> AnyCancellable {
+ Amplify.Publisher.create {
+ try await Amplify.Auth.confirmSignUp(for: username, confirmationCode: confirmationCode)
+ }.sink {
+ if case let .failure(authError) = $0 {
+ print("An error occurred while confirming sign up \(authError)")
+ }
+ }
+ receiveValue: { _ in
+ print("Confirm signUp succeeded")
+ }
+}
+```
+
+## Done
+
+Signin flow is complete when you get `done`. This means the user is successfully authenticated. As a convenience, the SignInResult also provides the `isSignedIn` property, which will be true if the next step is `done`.
+
+
+---
+
+---
+title: "Manage users"
+section: "build-a-backend/auth"
+platforms: ["android", "angular", "flutter", "javascript", "nextjs", "react", "react-native", "swift", "vue"]
+gen: 2
+last-updated: "2024-05-01T21:28:13.000Z"
+url: "https://docs.amplify.aws/react/build-a-backend/auth/manage-users/"
+---
+
+
+
+---
+
+---
+title: "With admin actions"
+section: "build-a-backend/auth/manage-users"
+platforms: ["android", "angular", "flutter", "javascript", "nextjs", "react", "react-native", "swift", "vue"]
+gen: 2
+last-updated: "2024-05-02T01:41:16.000Z"
+url: "https://docs.amplify.aws/react/build-a-backend/auth/manage-users/with-admin-actions/"
+---
+
+Amplify Auth can be managed with the [AWS SDK's `@aws-sdk/client-cognito-identity-provider` package](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/cognito-identity-provider/). This package is intended to use server-side, and can be used within a Function. This example focuses on the `addUserToGroup` action and will be defined as a [custom mutation](/[platform]/build-a-backend/data/custom-business-logic/#step-1---define-a-custom-query-or-mutation).
+
+To get started, create an "ADMINS" group that will be used to authorize the mutation:
+
+```ts title="amplify/auth/resource.ts"
+import { defineAuth } from "@aws-amplify/backend"
+
+export const auth = defineAuth({
+ loginWith: {
+ email: true,
+ },
+ // highlight-next-line
+ groups: ["ADMINS"]
+})
+```
+
+Next, create the Function resource:
+
+```ts title="amplify/data/add-user-to-group/resource.ts"
+import { defineFunction } from "@aws-amplify/backend"
+
+export const addUserToGroup = defineFunction({
+ name: "add-user-to-group",
+})
+```
+
+Then, in your auth resources, grant access for the function to perform the `addUserToGroup` action. [Learn more about granting access to auth resources](/[platform]/build-a-backend/auth/grant-access-to-auth-resources).
+
+```ts title="amplify/auth/resource.ts"
+import { defineAuth } from "@aws-amplify/backend"
+// highlight-next-line
+import { addUserToGroup } from "../data/add-user-to-group/resource"
+
+export const auth = defineAuth({
+ loginWith: {
+ email: true,
+ },
+ groups: ["ADMINS"],
+ // highlight-start
+ access: (allow) => [
+ allow.resource(addUserToGroup).to(["addUserToGroup"])
+ ],
+ // highlight-end
+})
+```
+
+You're now ready to define the custom mutation. Here you will use the newly-created `addUserToGroup` function resource to handle the `addUserToGroup` mutation. This mutation can only be called by a user in the "ADMINS" group.
+
+```ts title="amplify/data/resource.ts"
+import type { ClientSchema } from "@aws-amplify/backend"
+import { a, defineData } from "@aws-amplify/backend"
+import { addUserToGroup } from "./resource"
+
+const schema = a.schema({
+ addUserToGroup: a
+ .mutation()
+ .arguments({
+ userId: a.string().required(),
+ groupName: a.string().required(),
+ })
+ .authorization((allow) => [allow.group("ADMINS")])
+ .handler(a.handler.function(addUserToGroup))
+ .returns(a.json())
+})
+
+export type Schema = ClientSchema
+
+export const data = defineData({
+ schema,
+ authorizationModes: {
+ defaultAuthorizationMode: "iam",
+ },
+})
+```
+
+Lastly, create the function's handler using the exported client schema to type the handler function, and the generated `env` to specify the user pool ID you'd like to interact with:
+
+```ts title="amplify/data/add-user-to-group/handler.ts"
+import type { Schema } from "../resource"
+import { env } from "$amplify/env/add-user-to-group"
+import {
+ AdminAddUserToGroupCommand,
+ CognitoIdentityProviderClient,
+} from "@aws-sdk/client-cognito-identity-provider"
+
+type Handler = Schema["addUserToGroup"]["functionHandler"]
+const client = new CognitoIdentityProviderClient()
+
+export const handler: Handler = async (event) => {
+ const { userId, groupName } = event.arguments
+ const command = new AdminAddUserToGroupCommand({
+ Username: userId,
+ GroupName: groupName,
+ UserPoolId: env.AMPLIFY_AUTH_USERPOOL_ID,
+ })
+ const response = await client.send(command)
+ return response
+}
+```
+
+
+In your frontend, use the generated client to call your mutation using the group name and the user's ID.
+
+
+```ts title="src/client.ts"
+import type { Schema } from "../amplify/data/resource"
+import { generateClient } from "aws-amplify/data"
+
+const client = generateClient()
+
+await client.mutations.addUserToGroup({
+ groupName: "ADMINS",
+ userId: "5468d468-4061-70ed-8870-45c766d26225",
+})
+```
+
+
+
+
+
+
+
+
+
+
+
+
+---
+
+---
+title: "Manage passwords"
+section: "build-a-backend/auth/manage-users"
+platforms: ["android", "angular", "flutter", "javascript", "nextjs", "react", "react-native", "swift", "vue"]
+gen: 2
+last-updated: "2024-10-14T15:02:39.000Z"
+url: "https://docs.amplify.aws/react/build-a-backend/auth/manage-users/manage-passwords/"
+---
+
+Amplify Auth provides a secure way for your users to change their password or recover a forgotten password.
+
+## Understand password default settings
+
+By default, your users can retrieve access to their accounts if they forgot their password by using either their phone or email. The following are the default account recovery methods used when either `phone` or `email` are used as login options.
+
+| Login option | User account verification channel |
+| ------------------- | --------------------------------- |
+| `phone` | Phone Number |
+| `email` | Email |
+| `email` and `phone` | Email |
+
+## Reset Password
+
+To reset a user's password, use the `resetPassword` API which will send a reset code to the destination (e.g. email or SMS) based on the user's settings.
+
+
+```ts
+import { resetPassword } from 'aws-amplify/auth';
+
+const output = await resetPassword({
+ username: "hello@mycompany.com"
+});
+
+const { nextStep } = output;
+switch (nextStep.resetPasswordStep) {
+ case 'CONFIRM_RESET_PASSWORD_WITH_CODE':
+ const codeDeliveryDetails = nextStep.codeDeliveryDetails;
+ console.log(
+ `Confirmation code was sent to ${codeDeliveryDetails.deliveryMedium}`
+ );
+ // Collect the confirmation code from the user and pass to confirmResetPassword.
+ break;
+ case 'DONE':
+ console.log('Successfully reset password.');
+ break;
+}
+```
+
+
+```dart
+Future resetPassword(String username) async {
+ try {
+ final result = await Amplify.Auth.resetPassword(
+ username: username,
+ );
+ await _handleResetPasswordResult(result);
+ } on AuthException catch (e) {
+ safePrint('Error resetting password: ${e.message}');
+ }
+}
+```
+
+```dart
+Future _handleResetPasswordResult(ResetPasswordResult result) async {
+ switch (result.nextStep.updateStep) {
+ case AuthResetPasswordStep.confirmResetPasswordWithCode:
+ final codeDeliveryDetails = result.nextStep.codeDeliveryDetails!;
+ _handleCodeDelivery(codeDeliveryDetails);
+ break;
+ case AuthResetPasswordStep.done:
+ safePrint('Successfully reset password');
+ break;
+ }
+}
+```
+
+
+
+#### [Java]
+
+```java
+Amplify.Auth.resetPassword(
+ "username",
+ result -> Log.i("AuthQuickstart", result.toString()),
+ error -> Log.e("AuthQuickstart", error.toString())
+);
+```
+
+#### [Kotlin - Callbacks]
+
+```kotlin
+Amplify.Auth.resetPassword("username",
+ { Log.i("AuthQuickstart", "Password reset OK: $it") },
+ { Log.e("AuthQuickstart", "Password reset failed", it) }
+)
+```
+
+#### [Kotlin - Coroutines]
+
+```kotlin
+try {
+ val result = Amplify.Auth.resetPassword("username")
+ Log.i("AuthQuickstart", "Password reset OK: $result")
+} catch (error: AuthException) {
+ Log.e("AuthQuickstart", "Password reset failed", error)
+}
+```
+
+#### [RxJava]
+
+```java
+RxAmplify.Auth.resetPassword("username")
+ .subscribe(
+ result -> Log.i("AuthQuickstart", result.toString()),
+ error -> Log.e("AuthQuickstart", error.toString())
+ );
+```
+
+
+
+
+#### [Async/Await]
+
+```swift
+func resetPassword(username: String) async {
+ do {
+ let resetResult = try await Amplify.Auth.resetPassword(for: username)
+ switch resetResult.nextStep {
+ case .confirmResetPasswordWithCode(let deliveryDetails, let info):
+ print("Confirm reset password with code send to - \(deliveryDetails) \(String(describing: info))")
+ case .done:
+ print("Reset completed")
+ }
+ } catch let error as AuthError {
+ print("Reset password failed with error \(error)")
+ } catch {
+ print("Unexpected error: \(error)")
+ }
+}
+```
+
+#### [Combine]
+
+```swift
+func resetPassword(username: String) -> AnyCancellable {
+ Amplify.Publisher.create {
+ try await Amplify.Auth.resetPassword(for: username)
+ }.sink {
+ if case let .failure(authError) = $0 {
+ print("Reset password failed with error \(authError)")
+ }
+ }
+ receiveValue: { resetResult in
+ switch resetResult.nextStep {
+ case .confirmResetPasswordWithCode(let deliveryDetails, let info):
+ print("Confirm reset password with code send to - \(deliveryDetails) \(String(describing: info))")
+ case .done:
+ print("Reset completed")
+ }
+ }
+}
+```
+
+Usually, resetting the password require you to verify that it is the actual user that tried to reset the password. The next step above will be `.confirmResetPasswordWithCode`.
+
+If you would like to display a more specific view or messaging to your users based the error that occurred, you can handle this by downcasting the `underlyingError` to `AWSCognitoAuthError`.
+
+```swift
+if let authError = error as? AuthError,
+ let cognitoAuthError = authError.underlyingError as? AWSCognitoAuthError {
+ switch cognitoAuthError {
+ case .userNotFound:
+ print("User not found")
+ case .invalidParameter:
+ print("Invalid Parameter)
+ default:
+ break
+ }
+}
+```
+
+
+To complete the password reset process, invoke the `confirmResetPassword` API with the code your user received and the new password they want to set.
+
+
+```ts
+import { confirmResetPassword } from 'aws-amplify/auth';
+
+await confirmResetPassword({
+ username: "hello@mycompany.com",
+ confirmationCode: "123456",
+ newPassword: "hunter3",
+});
+```
+
+
+```dart
+Future confirmResetPassword({
+ required String username,
+ required String newPassword,
+ required String confirmationCode,
+}) async {
+ try {
+ final result = await Amplify.Auth.confirmResetPassword(
+ username: username,
+ newPassword: newPassword,
+ confirmationCode: confirmationCode,
+ );
+ safePrint('Password reset complete: ${result.isPasswordReset}');
+ } on AuthException catch (e) {
+ safePrint('Error resetting password: ${e.message}');
+ }
+}
+```
+
+
+
+#### [Java]
+
+```java
+Amplify.Auth.confirmResetPassword(
+ "Username",
+ "NewPassword123",
+ "confirmation code you received",
+ () -> Log.i("AuthQuickstart", "New password confirmed"),
+ error -> Log.e("AuthQuickstart", error.toString())
+);
+```
+
+#### [Kotlin - Callbacks]
+
+```kotlin
+Amplify.Auth.confirmResetPassword("Username", "NewPassword123", "confirmation code",
+ { Log.i("AuthQuickstart", "New password confirmed") },
+ { Log.e("AuthQuickstart", "Failed to confirm password reset", it) }
+)
+```
+
+#### [Kotlin - Coroutines]
+
+```kotlin
+try {
+ Amplify.Auth.confirmResetPassword("Username", "NewPassword123", "code you received")
+ Log.i("AuthQuickstart", "New password confirmed")
+} catch (error: AuthException) {
+ Log.e("AuthQuickstart", "Failed to confirm password reset", error)
+}
+```
+
+#### [RxJava]
+
+```java
+RxAmplify.Auth.confirmResetPassword("Username","NewPassword123", "confirmation code")
+ .subscribe(
+ () -> Log.i("AuthQuickstart", "New password confirmed"),
+ error -> Log.e("AuthQuickstart", error.toString())
+ );
+```
+
+
+
+
+#### [Async/Await]
+
+```swift
+func confirmResetPassword(
+ username: String,
+ newPassword: String,
+ confirmationCode: String
+) async {
+ do {
+ try await Amplify.Auth.confirmResetPassword(
+ for: username,
+ with: newPassword,
+ confirmationCode: confirmationCode
+ )
+ print("Password reset confirmed")
+ } catch let error as AuthError {
+ print("Reset password failed with error \(error)")
+ } catch {
+ print("Unexpected error: \(error)")
+ }
+}
+```
+
+#### [Combine]
+
+```swift
+func confirmResetPassword(
+ username: String,
+ newPassword: String,
+ confirmationCode: String
+) -> AnyCancellable {
+ Amplify.Publisher.create {
+ try await Amplify.Auth.confirmResetPassword(
+ for: username,
+ with: newPassword,
+ confirmationCode: confirmationCode
+ )
+ }.sink {
+ if case let .failure(authError) = $0 {
+ print("Reset password failed with error \(authError)")
+ }
+ }
+ receiveValue: {
+ print("Password reset confirmed")
+ }
+}
+```
+
+
+
+## Update password
+
+You can update a signed in user's password using the `updatePassword` API.
+
+
+```ts
+import { updatePassword } from 'aws-amplify/auth';
+
+await updatePassword({
+ oldPassword: "hunter2",
+ newPassword: "hunter3",
+});
+```
+
+
+```dart
+Future updatePassword({
+ required String oldPassword,
+ required String newPassword,
+}) async {
+ try {
+ await Amplify.Auth.updatePassword(
+ oldPassword: oldPassword,
+ newPassword: newPassword,
+ );
+ } on AuthException catch (e) {
+ safePrint('Error updating password: ${e.message}');
+ }
+}
+```
+
+
+
+#### [Java]
+
+```java
+Amplify.Auth.updatePassword(
+ "existingPassword",
+ "newPassword",
+ () -> Log.i("AuthQuickstart", "Updated password successfully"),
+ error -> Log.e("AuthQuickstart", error.toString())
+);
+```
+
+#### [Kotlin - Callbacks]
+
+```kotlin
+Amplify.Auth.updatePassword("existingPassword", "newPassword",
+ { Log.i("AuthQuickstart", "Updated password successfully") },
+ { Log.e("AuthQuickstart", "Password update failed", it) }
+)
+```
+
+#### [Kotlin - Coroutines]
+
+```kotlin
+try {
+ Amplify.Auth.updatePassword("existingPassword", "newPassword")
+ Log.i("AuthQuickstart", "Updated password successfully")
+} catch (error: AuthException) {
+ Log.e("AuthQuickstart", "Password update failed", error)
+}
+```
+
+#### [RxJava]
+
+```java
+RxAmplify.Auth.updatePassword("existingPassword", "newPassword")
+ .subscribe(
+ () -> Log.i("AuthQuickstart", "Updated password successfully"),
+ error -> Log.e("AuthQuickstart", error.toString())
+ );
+```
+
+
+
+
+#### [Async/Await]
+
+```swift
+func changePassword(oldPassword: String, newPassword: String) async {
+ do {
+ try await Amplify.Auth.update(oldPassword: oldPassword, to: newPassword)
+ print("Change password succeeded")
+ } catch let error as AuthError {
+ print("Change password failed with error \(error)")
+ } catch {
+ print("Unexpected error: \(error)")
+ }
+}
+```
+
+#### [Combine]
+
+```swift
+func changePassword(oldPassword: String, newPassword: String) -> AnyCancellable {
+ Amplify.Publisher.create {
+ try await Amplify.Auth.update(oldPassword: oldPassword, to: newPassword)
+ }.sink {
+ if case let .failure(authError) = $0 {
+ print("Change password failed with error \(authError)")
+ }
+ }
+ receiveValue: {
+ print("Change password succeeded")
+ }
+}
+```
+
+
+
+### Override default user account verification channel
+
+You can always change the channel used by your authentication resources by overriding the following setting.
+
+```ts title="amplify/auth/resource.ts"
+import { defineAuth } from '@aws-amplify/backend';
+
+export const auth = defineAuth({
+ loginWith: {
+ email: true
+ },
+// highlight-start
+ accountRecovery: 'EMAIL_ONLY'
+// highlight-end
+});
+```
+
+## Override default password policy
+
+By default your password policy is set to the following:
+
+- `MinLength`: 8 characters
+- `requireLowercase`: true
+- `requireUppercase`: true
+- `requireNumbers`: true
+- `requireSymbols`: true
+- `tempPasswordValidity`: 3 days
+
+You can customize the password format acceptable by your auth resource by modifying the underlying `cfnUserPool` resource:
+
+```ts title="amplify/backend.ts"
+import { defineBackend } from '@aws-amplify/backend';
+import { auth } from './auth/resource';
+
+const backend = defineBackend({
+ auth,
+});
+// extract L1 CfnUserPool resources
+const { cfnUserPool } = backend.auth.resources.cfnResources;
+// modify cfnUserPool policies directly
+cfnUserPool.policies = {
+ passwordPolicy: {
+ minimumLength: 32,
+ requireLowercase: true,
+ requireNumbers: true,
+ requireSymbols: true,
+ requireUppercase: true,
+ temporaryPasswordValidityDays: 20,
+ },
+};
+```
+
+---
+
+---
+title: "Manage WebAuthn credentials"
+section: "build-a-backend/auth/manage-users"
+platforms: ["android", "angular", "javascript", "nextjs", "react", "react-native", "swift", "vue"]
+gen: 2
+last-updated: "2025-06-24T13:29:28.000Z"
+url: "https://docs.amplify.aws/react/build-a-backend/auth/manage-users/manage-webauthn-credentials/"
+---
+
+
+> **Warning:** WebAuthn registration and authentication are not currently supported on React Native, other passwordless features are fully supported.
+
+
+Amplify Auth uses passkeys as the credential mechanism for WebAuthn. The following APIs allow users to register, keep track of, and delete the passkeys associated with their Cognito account.
+
+[Learn more about using passkeys with Amplify](/[platform]/build-a-backend/auth/concepts/passwordless/#webauthn-passkey).
+
+## Associate WebAuthn credentials
+
+
+> **Warning:** Registering a passkey is supported on Android 9 (API level 28) and above.
+
+
+Note that users must be authenticated to register a passkey. That also means users cannot create a passkey during sign up; consequently, they must have at least one other first factor authentication mechanism associated with their account to use WebAuthn.
+
+You can associate a passkey using the following API:
+
+
+```ts
+import { associateWebAuthnCredential} from 'aws-amplify/auth';
+
+await associateWebAuthnCredential();
+
+```
+
+
+
+#### [Java]
+
+```java
+Amplify.Auth.associateWebAuthnCredential(
+ activity,
+ () -> Log.i("AuthQuickstart", "Associated credential"),
+ error -> Log.e("AuthQuickstart", "Failed to associate credential", error)
+);
+```
+
+#### [Kotlin - Callbacks]
+
+```kotlin
+Amplify.Auth.associateWebAuthnCredential(
+ activity,
+ { Log.i("AuthQuickstart", "Associated credential") },
+ { Log.e("AuthQuickstart", "Failed to associate credential", error) }
+)
+```
+
+#### [Kotlin - Coroutines]
+
+```kotlin
+try {
+ val result = Amplify.Auth.associateWebAuthnCredential(activity)
+ Log.i("AuthQuickstart", "Associated credential")
+} catch (error: AuthException) {
+ Log.e("AuthQuickstart", "Failed to associate credential", error)
+}
+```
+
+#### [RxJava]
+
+```java
+RxAmplify.Auth.associateWebAuthnCredential(activity)
+ .subscribe(
+ result -> Log.i("AuthQuickstart", "Associated credential"),
+ error -> Log.e("AuthQuickstart", "Failed to associate credential", error)
+ );
+```
+
+You must supply an `Activity` instance so that Amplify can display the PassKey UI in your application's [Task](https://developer.android.com/guide/components/activities/tasks-and-back-stack).
+
+
+
+#### [Async/Await]
+
+```swift
+func associateWebAuthNCredentials() async {
+ do {
+ try await Amplify.Auth.associateWebAuthnCredential()
+ print("WebAuthn credential was associated")
+ } catch {
+ print("Associate WebAuthn Credential failed: \(error)")
+ }
+}
+```
+
+#### [Combine]
+
+```swift
+func associateWebAuthNCredentials() -> AnyCancellable {
+ Amplify.Publisher.create {
+ try await Amplify.Auth.associateWebAuthnCredential()
+ }.sink {
+ print("Associate WebAuthn Credential failed: \($0)")
+ }
+ receiveValue: { _ in
+ print("WebAuthn credential was associated")
+ }
+}
+```
+
+
+
+The user will be prompted to register a passkey using their local authenticator. Amplify will then associate that passkey with Cognito.
+
+## List WebAuthn credentials
+
+You can list registered passkeys using the following API:
+
+
+```ts
+import { listWebAuthnCredentials } from 'aws-amplify/auth';
+
+const result = await listWebAuthnCredentials();
+
+for (const credential of result.credentials) {
+ console.log(`Credential ID: ${credential.credentialId}`);
+ console.log(`Friendly Name: ${credential.friendlyCredentialName}`);
+ console.log(`Relying Party ID: ${credential.relyingPartyId}`);
+ console.log(`Created At: ${credential.createdAt}`);
+}
+
+```
+
+
+
+#### [Async/Await]
+
+```swift
+func listWebAuthNCredentials() async {
+ do {
+ let result = try await Amplify.Auth.listWebAuthnCredentials(
+ options: .init(pageSize: 5))
+
+ for credential in result.credentials {
+ print("Credential ID: \(credential.credentialId)")
+ print("Created At: \(credential.createdAt)")
+ print("Relying Party Id: \(credential.relyingPartyId)")
+ if let friendlyName = credential.friendlyName {
+ print("Friendly name: \(friendlyName)")
+ }
+ }
+
+ // Fetch the next page
+ if let nextToken = result.nextToken {
+ let nextResult = try await Amplify.Auth.listWebAuthnCredentials(
+ options: .init(
+ pageSize: 5,
+ nextToken: nextToken))
+ }
+ } catch {
+ print("Associate WebAuthn Credential failed: \(error)")
+ }
+}
+```
+
+#### [Combine]
+
+```swift
+func listWebAuthNCredentials() -> AnyCancellable {
+ Amplify.Publisher.create {
+ try await Amplify.Auth.listWebAuthnCredentials(
+ options: .init(pageSize: 5))
+ }.sink {
+ print("List WebAuthn Credential failed: \($0)")
+ }
+ receiveValue: { result in
+ for credential in result.credentials {
+ print("Credential ID: \(credential.credentialId)")
+ print("Created At: \(credential.createdAt)")
+ print("Relying Party Id: \(credential.relyingPartyId)")
+ if let friendlyName = credential.friendlyName {
+ print("Friendly name: \(friendlyName)")
+ }
+ }
+
+ if let nextToken = result.nextToken {
+ // Fetch the next page
+ }
+ }
+}
+```
+
+
+
+
+#### [Java]
+
+```java
+Amplify.Auth.listWebAuthnCredentials(
+ result -> result.getCredentials().forEach(credential -> {
+ Log.i("AuthQuickstart", "Credential ID: " + credential.getCredentialId());
+ Log.i("AuthQuickstart", "Friendly Name: " + credential.getFriendlyName());
+ Log.i("AuthQuickstart", "Relying Party ID: " + credential.getRelyingPartyId());
+ Log.i("AuthQuickstart", "Created At: " + credential.getCreatedAt());
+ }),
+ error -> Log.e("AuthQuickstart", "Failed to list credentials", error)
+);
+```
+
+#### [Kotlin - Callbacks]
+
+```kotlin
+Amplify.Auth.listWebAuthnCredentials(
+ { result ->
+ result.credentials.forEach { credential ->
+ Log.i("AuthQuickstart", "Credential ID: ${credential.credentialId}")
+ Log.i("AuthQuickstart", "Friendly Name: ${credential.friendlyName}")
+ Log.i("AuthQuickstart", "Relying Party ID: ${credential.relyingPartyId}")
+ Log.i("AuthQuickstart", "Created At: ${credential.createdAt}")
+ }
+ },
+ { error -> Log.e("AuthQuickstart", "Failed to list credentials", error) }
+)
+```
+
+#### [Kotlin - Coroutines]
+
+```kotlin
+try {
+ val result = Amplify.Auth.listWebAuthnCredentials()
+ result.credentials.forEach { credential ->
+ Log.i("AuthQuickstart", "Credential ID: ${credential.credentialId}")
+ Log.i("AuthQuickstart", "Friendly Name: ${credential.friendlyName}")
+ Log.i("AuthQuickstart", "Relying Party ID: ${credential.relyingPartyId}")
+ Log.i("AuthQuickstart", "Created At: ${credential.createdAt}")
+ }
+} catch (error: AuthException) {
+ Log.e("AuthQuickstart", "Failed to list credentials", error)
+}
+```
+
+#### [RxJava]
+
+```java
+RxAmplify.Auth.listWebAuthnCredentials()
+ .subscribe(
+ result -> result.getCredentials().forEach(credential -> {
+ Log.i("AuthQuickstart", "Credential ID: " + credential.getCredentialId());
+ Log.i("AuthQuickstart", "Friendly Name: " + credential.getFriendlyName());
+ Log.i("AuthQuickstart", "Relying Party ID: " + credential.getRelyingPartyId());
+ Log.i("AuthQuickstart", "Created At: " + credential.getCreatedAt());
+ }),
+ error -> Log.e("AuthQuickstart", "Failed to list credentials", error)
+ );
+```
+
+
+
+## Delete WebAuthn credentials
+
+You can delete a passkey with the following API:
+
+
+```ts
+import { deleteWebAuthnCredential } from 'aws-amplify/auth';
+
+const id = "credential-id-to-delete";
+
+await deleteWebAuthnCredential({
+ credentialId: id
+});
+```
+
+
+
+#### [Async/Await]
+
+```swift
+func deleteWebAuthNCredentials(credentialId: String) async {
+ do {
+ try await Amplify.Auth.deleteWebAuthnCredential(credentialId: credentialId)
+ print("WebAuthn credential was deleted")
+ } catch {
+ print("Delete WebAuthn Credential failed: \(error)")
+ }
+}
+```
+
+#### [Combine]
+
+```swift
+func deleteWebAuthNCredentials(credentialId: String) -> AnyCancellable {
+ Amplify.Publisher.create {
+ try await Amplify.Auth.deleteWebAuthnCredential(credentialId: credentialId)
+ }.sink {
+ print("Delete WebAuthn Credential failed: \($0)")
+ }
+ receiveValue: { _ in
+ print("WebAuthn credential was deleted")
+ }
+}
+```
+
+
+
+
+#### [Java]
+
+```java
+Amplify.Auth.deleteWebAuthnCredential(
+ credentialId,
+ (result) -> Log.i("AuthQuickstart", "Deleted credential"),
+ error -> Log.e("AuthQuickstart", "Failed to delete credential", error)
+);
+```
+
+#### [Kotlin - Callbacks]
+
+```kotlin
+Amplify.Auth.deleteWebAuthnCredential(
+ credentialId,
+ { Log.i("AuthQuickstart", "Deleted credential") },
+ { Log.e("AuthQuickstart", "Failed to delete credential", error) }
+)
+```
+
+#### [Kotlin - Coroutines]
+
+```kotlin
+try {
+ val result = Amplify.Auth.deleteWebAuthnCredential(credentialId)
+ Log.i("AuthQuickstart", "Deleted credential")
+} catch (error: AuthException) {
+ Log.e("AuthQuickstart", "Failed to delete credential", error)
+}
+```
+
+#### [RxJava]
+
+```java
+RxAmplify.Auth.deleteWebAuthnCredential(credentialId)
+ .subscribe(
+ result -> Log.i("AuthQuickstart", "Deleted credential"),
+ error -> Log.e("AuthQuickstart", "Failed to delete credential", error)
+ );
+```
+
+The delete passkey API has only the required `credentialId` as input, and it does not return a value.
+
+
+
+## Practical example
+
+Here is a code example that uses the list and delete APIs together. In this example, the user has 3 passkeys registered. They want to list all passkeys while using a `pageSize` of 2 as well as delete the first passkey in the list.
+
+```ts
+import {
+ listWebAuthnCredentials,
+ deleteWebAuthnCredential
+} from 'aws-amplify/auth';
+
+let passkeys = [];
+
+const result = await listWebAuthnCredentials({ pageSize: 2 });
+
+passkeys.push(...result.credentials);
+
+const nextPage = await listWebAuthnCredentials({
+ pageSize: 2,
+ nextToken: result.nextToken,
+});
+
+passkeys.push(...nextPage.credentials);
+
+const id = passkeys[0].credentialId;
+
+await deleteWebAuthnCredential({
+ credentialId: id
+});
+```
+
+
+---
+
+---
+title: "Manage devices"
+section: "build-a-backend/auth/manage-users"
+platforms: ["android", "angular", "flutter", "javascript", "nextjs", "react", "react-native", "swift", "vue"]
+gen: 2
+last-updated: "2024-08-20T18:34:28.000Z"
+url: "https://docs.amplify.aws/react/build-a-backend/auth/manage-users/manage-devices/"
+---
+
+Amplify Auth enables you to track devices your users use for auditing, MFA, and more. Before you begin it is important to understand the terminology for device statuses:
+
+- **Tracked:** Every time the user signs in with a new device, the client is given the device key at the end of a successful authentication event. We use this device key to generate a salt and password verifier which is used to call the ConfirmDevice API. At this point, the device is considered to be _tracked_. Once the device is in a tracked state, you can use the Amazon Cognito console to see the time it started to be tracked, last authentication time, and other information about that device.
+- **Remembered:** Remembered devices are also tracked. During user authentication, the device key and secret pair assigned to a remembered device is used to authenticate the device to verify that it is the same device that the user previously used to sign in.
+- **Not Remembered:** A not-remembered device is a tracked device where Cognito has been configured to require users to "Opt-in" to remember a device, but the user has not opt-ed in to having the device remembered. This use case is used for users signing into their application from a device that they don't own.
+- **Forgotten:** a forgotten device is one removed from being remembered
+
+> **Info:** **Note:** [device tracking and remembering](https://aws.amazon.com/blogs/mobile/tracking-and-remembering-devices-using-amazon-cognito-your-user-pools/) features are not available when using federating sign-in with external providers as devices are tracked on the upstream identity provider. These features are also not available when using Cognito's Hosted UI.
+
+## Remember devices
+
+You can remember devices using the following:
+
+
+```ts
+import { rememberDevice } from 'aws-amplify/auth';
+
+await rememberDevice();
+```
+
+
+```dart
+Future rememberCurrentDevice() async {
+ try {
+ await Amplify.Auth.rememberDevice();
+ safePrint('Remember device succeeded');
+ } on AuthException catch (e) {
+ safePrint('Remember device failed with error: $e');
+ }
+}
+```
+
+
+
+#### [Java]
+
+```java
+Amplify.Auth.rememberDevice(
+ () -> Log.i("AuthQuickStart", "Remember device succeeded"),
+ error -> Log.e("AuthQuickStart", "Remember device failed with error " + error.toString())
+);
+```
+
+#### [Kotlin - Callbacks]
+
+```kotlin
+Amplify.Auth.rememberDevice(
+ { Log.i("AuthQuickStart", "Remember device succeeded") },
+ { Log.e("AuthQuickStart", "Remember device failed with error", it) }
+)
+```
+
+#### [Kotlin - Coroutines]
+
+```kotlin
+try {
+ Amplify.Auth.rememberDevice()
+ Log.i("AuthQuickStart", "Remember device succeeded")
+} catch (error: AuthException) {
+ Log.e("AuthQuickStart", "Remember device failed with error", error)
+}
+```
+
+#### [RxJava]
+
+```java
+RxAmplify.Auth.rememberDevice()
+ .subscribe(
+ () -> Log.i("AuthQuickStart", "Remember device succeeded"),
+ error -> Log.e("AuthQuickStart", "Remember device failed with error " + error.toString())
+ );
+```
+
+
+
+
+#### [Async/Await]
+
+```swift
+func rememberDevice() async {
+ do {
+ try await Amplify.Auth.rememberDevice()
+ print("Remember device succeeded")
+ } catch let error as AuthError {
+ print("Remember device failed with error \(error)")
+ } catch {
+ print("Unexpected error: \(error)")
+ }
+}
+```
+
+#### [Combine]
+
+```swift
+func rememberDevice() -> AnyCancellable {
+ Amplify.Publisher.create {
+ try await Amplify.Auth.rememberDevice()
+ }.sink {
+ if case let .failure(authError) = $0 {
+ print("Remember device failed with error \(authError)")
+ }
+ }
+ receiveValue: {
+ print("Remember device succeeded")
+ }
+}
+```
+
+
+
+## Forget devices
+
+You can also forget devices but note that forgotten devices are neither remembered nor tracked.
+
+
+```ts
+import { forgetDevice } from 'aws-amplify/auth';
+
+await forgetDevice();
+```
+
+
+
+#### [Current Device]
+
+```dart
+Future forgetCurrentDevice() async {
+ try {
+ await Amplify.Auth.forgetDevice();
+ safePrint('Forget device succeeded');
+ } on AuthException catch (e) {
+ safePrint('Forget device failed with error: $e');
+ }
+}
+```
+
+#### [Specific Device]
+
+```dart
+// A device that was fetched via Amplify.Auth.fetchDevices()
+Future forgetSpecificDevice(AuthDevice myDevice) async {
+ try {
+ await Amplify.Auth.forgetDevice(myDevice);
+ safePrint('Forget device succeeded');
+ } on AuthException catch (e) {
+ safePrint('Forget device failed with error: $e');
+ }
+}
+```
+
+
+
+
+#### [Java]
+
+```java
+Amplify.Auth.forgetDevice(
+ () -> Log.i("AuthQuickStart", "Forget device succeeded"),
+ error -> Log.e("AuthQuickStart", "Forget device failed with error " + error.toString())
+);
+```
+
+#### [Kotlin - Callbacks]
+
+```kotlin
+Amplify.Auth.forgetDevice(
+ { Log.i("AuthQuickStart", "Forget device succeeded") },
+ { Log.e("AuthQuickStart", "Forget device failed with error", it) }
+)
+```
+
+#### [Kotlin - Coroutines]
+
+```kotlin
+try {
+ Amplify.Auth.forgetDevice()
+ Log.i("AuthQuickStart", "Forget device succeeded")
+} catch (error: AuthException) {
+ Log.e("AuthQuickStart", "Forget device failed with error", error)
+}
+```
+
+#### [RxJava]
+
+```java
+RxAmplify.Auth.forgetDevice()
+ .subscribe(
+ () -> Log.i("AuthQuickStart", "Forget device succeeded"),
+ error -> Log.e("AuthQuickStart", "Forget device failed with error " + error.toString())
+ );
+```
+
+
+
+
+#### [Async/Await]
+
+```swift
+func forgetDevice() async {
+ do {
+ try await Amplify.Auth.forgetDevice()
+ print("Forget device succeeded")
+ } catch let error as AuthError {
+ print("Forget device failed with error \(error)")
+ } catch {
+ print("Unexpected error: \(error)")
+ }
+}
+```
+
+#### [Combine]
+
+```swift
+func forgetDevice() -> AnyCancellable {
+ Amplify.Publisher.create {
+ try await Amplify.Auth.forgetDevice()
+ }.sink {
+ if case let .failure(authError) = $0 {
+ print("Forget device failed with error \(authError)")
+ }
+ }
+ receiveValue: {
+ print("Forget device succeeded")
+ }
+}
+```
+
+
+
+## Fetch devices
+
+You can fetch a list of remembered devices by using the following:
+
+
+```ts
+import { fetchDevices } from 'aws-amplify/auth';
+
+const output = await fetchDevices();
+```
+
+
+```dart
+Future fetchAllDevices() async {
+ try {
+ final devices = await Amplify.Auth.fetchDevices();
+ for (final device in devices) {
+ safePrint('Device: $device');
+ }
+ } on AuthException catch (e) {
+ safePrint('Fetch devices failed with error: $e');
+ }
+}
+```
+
+
+
+
+#### [Java]
+
+```java
+Amplify.Auth.fetchDevices(
+ devices -> {
+ for (AuthDevice device : devices) {
+ Log.i("AuthQuickStart", "Device: " + device);
+ }
+ },
+ error -> Log.e("AuthQuickStart", "Fetch devices failed with error: " + error.toString()));
+```
+
+#### [Kotlin - Callbacks]
+
+```kotlin
+Amplify.Auth.fetchDevices(
+ { devices ->
+ devices.forEach { Log.i("AuthQuickStart", "Device: " + it) }
+ },
+ { Log.e("AuthQuickStart", "Fetch devices failed with error", it) }
+)
+```
+
+#### [Kotlin - Coroutines]
+
+```kotlin
+try {
+ Amplify.Auth.fetchDevices().forEach { device ->
+ Log.i("AuthQuickStart", "Device: $device")
+ }
+} catch (error: AuthException) {
+ Log.e("AuthQuickStart", "Fetch devices failed with error", error)
+}
+```
+
+#### [RxJava]
+
+```java
+RxAmplify.Auth.fetchDevices()
+ .subscribe(
+ device -> Log.i("AuthQuickStart", "Device: " + device);
+ error -> Log.e("AuthQuickStart", "Fetch devices failed with error: " + error.toString())
+ );
+```
+
+
+
+
+#### [Async/Await]
+
+```swift
+func fetchDevices() async {
+ do {
+ let fetchDeviceResult = try await Amplify.Auth.fetchDevices()
+ for device in fetchDeviceResult {
+ print(device.id)
+ }
+ } catch let error as AuthError {
+ print("Fetch devices failed with error \(error)")
+ } catch {
+ print("Unexpected error: \(error)")
+ }
+}
+```
+
+#### [Combine]
+
+```swift
+func fetchDevices() -> AnyCancellable {
+ Amplify.Publisher.create {
+ try await Amplify.Auth.fetchDevices()
+ }.sink {
+ if case let .failure(authError) = $0 {
+ print("Fetch devices failed with error \(authError)")
+ }
+ }
+ receiveValue: { fetchDeviceResult in
+ for device in fetchDeviceResult {
+ print(device.id)
+ }
+ }
+}
+```
+
+
+
+
+## Fetch the current device
+
+You can fetch the current device by using the following:
+
+```dart
+Future fetchCurrentUserDevice() async {
+ try {
+ final device = await Amplify.Auth.fetchCurrentDevice();
+ safePrint('Device: $device');
+ } on AuthException catch (e) {
+ safePrint('Get current device failed with error: $e');
+ }
+}
+```
+
+
+You can now set up devices to be remembered, forgotten, and fetched.
+
+---
+
+---
+title: "Manage users with Amplify console"
+section: "build-a-backend/auth/manage-users"
+platforms: ["android", "angular", "flutter", "javascript", "nextjs", "react", "react-native", "swift", "vue"]
+gen: 2
+last-updated: "2024-08-06T19:20:15.000Z"
+url: "https://docs.amplify.aws/react/build-a-backend/auth/manage-users/with-amplify-console/"
+---
+
+The **User management** page in the Amplify console provides a user-friendly interface for managing your application's users. You can create and manage users and groups, edit user attributes, and suspend users.
+
+If you have not yet created an **auth** resource, visit the [Auth setup guide](/[platform]/build-a-backend/auth/set-up-auth/).
+
+## Access User management
+
+After you've deployed your auth resource, you can access the manager on Amplify Console.
+
+1. Log in to the [Amplify console](https://console.aws.amazon.com/amplify/home) and choose your app.
+2. Select the branch you would like to access.
+3. Select **Authentication** from the left navigation bar.
+4. Then, select **User management**.
+
+### To create a user
+
+1. On the **User management** page, select **Users** tab.
+2. Select **Create user**.
+3. In the **Create user** window, for Unique identifier enter a email address, username, or phone number. For Temporary password enter a password.
+4. Choose Create user.
+
+
+
+A user can be confirmed by using the [pre-built UI components](/[platform]/build-a-backend/auth/connect-your-frontend/using-the-authenticator/) and [Amplify libraries](/[platform]/build-a-backend/auth/connect-your-frontend/sign-up/).
+
+
+
+## To create a group
+
+1. On the **User management** page, choose the **Groups** tab and then choose **Create group**.
+2. In the **Create group** window, for **Title** enter a name for the group.
+3. Choose **Create group**.
+
+## To add a users to a group
+
+1. On the **User management** page, choose the **Groups** tab.
+2. Select the name of the group to add users to.
+3. Choose **Add users**.
+4. In the **Add users to group** window, choose how you want to search for users to add from the **Search** menu. You can choose _Email_, _Phone number_, or _Username_.
+5. Add one user or multiple users to add to the group and then choose **Add users**.
+
+## To delete a group
+
+1. On the **User management** page, choose the **Groups** tab.
+2. In the **Groups** section, select the name of the group to delete.
+3. Choose **Delete**.
+4. A confirmation window is displayed. Enter _Delete_ and choose, **Confirm deletion**.
+
+---
+
+---
+title: "Customize auth lifecycle"
+section: "build-a-backend/auth"
+platforms: ["android", "angular", "flutter", "javascript", "nextjs", "react", "react-native", "swift", "vue"]
+gen: 2
+last-updated: "2024-05-01T23:11:32.000Z"
+url: "https://docs.amplify.aws/react/build-a-backend/auth/customize-auth-lifecycle/"
+---
+
+
+
+---
+
+---
+title: "Custom auth flows"
+section: "build-a-backend/auth/customize-auth-lifecycle"
+platforms: ["android", "flutter", "swift"]
+gen: 2
+last-updated: "2024-10-31T15:49:20.000Z"
+url: "https://docs.amplify.aws/react/build-a-backend/auth/customize-auth-lifecycle/custom-auth-flows/"
+---
+
+
+The Auth category can be configured to perform a [custom authentication flow](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-challenge.html) defined by you. The following guide shows how to setup a simple passwordless authentication flow.
+
+## Prerequisites
+An application with Amplify libraries integrated and a minimum target of any of the following:
+- **iOS 13.0**, using **Xcode 14.1** or later.
+- **macOS 10.15**, using **Xcode 14.1** or later.
+- **tvOS 13.0**, using **Xcode 14.3** or later.
+- **watchOS 9.0**, using **Xcode 14.3** or later.
+- **visionOS 1.0**, using **Xcode 15** or later. (Preview support - see below for more details.)
+
+For a full example, please follow the [project setup walkthrough](/[platform]/start/quickstart/).
+
+
+
+visionOS support is currently in **preview** and can be used by using the latest [Amplify Release](https://github.com/aws-amplify/amplify-swift/releases).
+As new Xcode and visionOS versions are released, the support will be updated with any necessary fixes on a best effort basis.
+
+
+
+
+
+To use Auth in a macOS project, you'll need to enable the Keychain Sharing capability. In Xcode, navigate to **your application target** > **Signing & Capabilities** > **+ Capability**, then select **Keychain Sharing.**
+
+This capability is required because Auth uses the Data Protection Keychain on macOS as a platform best practice. See [TN3137: macOS keychain APIs and implementations](https://developer.apple.com/documentation/technotes/tn3137-on-mac-keychains) for more information on how Keychain works on macOS and the Keychain Sharing entitlement.
+
+For more information on adding capabilities to your application, see [Xcode Capabilities](https://developer.apple.com/documentation/xcode/capabilities).
+
+
+
+## Configure Auth
+
+The custom auth flow can be [configured manually](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-challenge.html).
+
+## Sign in a user
+
+Implement a UI to get the username from the user. After the user enters the username you can start the sign in flow by calling the following method:
+
+#### [Async/Await]
+
+```swift
+func signIn(username: String) async {
+ do {
+ let options = AWSAuthSignInOptions(authFlowType: .customWithoutSRP)
+ let signInResult = try await Amplify.Auth.signIn(username: username,
+ options: .init(pluginOptions: options))
+ if case .confirmSignInWithCustomChallenge(_) = signInResult.nextStep {
+ // Ask the user to enter the custom challenge.
+ } else {
+ print("Sign in succeeded")
+ }
+ } catch let error as AuthError {
+ print("Sign in failed \(error)")
+ } catch {
+ print("Unexpected error: \(error)")
+ }
+}
+```
+
+#### [Combine]
+
+```swift
+func signIn(username: String) -> AnyCancellable {
+ Amplify.Publisher.create {
+ let options = AWSAuthSignInOptions(authFlowType: .customWithoutSRP)
+ try await Amplify.Auth.signIn(username: username,
+ options: .init(pluginOptions: options))
+ }.sink {
+ if case let .failure(authError) = $0 {
+ print("Sign in failed \(authError)")
+ }
+ }
+ receiveValue: { result in
+ if case .confirmSignInWithCustomChallenge(_) = result.nextStep {
+ // Ask the user to enter the custom challenge.
+ } else {
+ print("Sign in succeeded")
+ }
+ }
+}
+```
+
+Since this is a custom authentication flow with a challenge, the result of the signin process has a next step `.confirmSignInWithCustomChallenge`. Implement a UI to allow the user to enter the custom challenge.
+
+## Confirm sign in with custom challenge
+
+To get a custom challenge from the user, create an appropriate UI for the user to submit the required value, and pass that value into the `confirmSignin()` API.
+
+#### [Async/Await]
+
+```swift
+func customChallenge(response: String) async {
+ do {
+ _ = try await Amplify.Auth.confirmSignIn(challengeResponse: response)
+ print("Confirm sign in succeeded")
+ } catch let error as AuthError {
+ print("Confirm sign in failed \(error)")
+ } catch {
+ print("Unexpected error: \(error)")
+ }
+}
+```
+
+#### [Combine]
+
+```swift
+func customChallenge(response: String) -> AnyCancellable {
+ Amplify.Publisher.create {
+ try await Amplify.Auth.confirmSignIn(challengeResponse: response)
+ }.sink {
+ if case let .failure(authError) = $0 {
+ print("Confirm sign in failed \(authError)")
+ }
+ }
+ receiveValue: { _ in
+ print("Confirm sign in succeeded")
+ }
+}
+```
+
+You will know the sign in flow is complete if you see the following in your console window:
+
+```console
+Confirm sign in succeeded
+```
+
+### Lambda Trigger Setup
+
+AWS Amplify now supports creating functions as part of its new backend experience. For more information on the Functions and how to start with them check out [Functions documentation](/[platform]/build-a-backend/functions/). In addition, more information on available triggers can be found in the [Cognito documentation](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html).
+
+### Custom Auth Flow with Secure Remote Password (SRP)
+
+Cognito User Pool allows to start the custom authentication flow with SRP as the first step. If you would like to use this flow, setup Define Auth Lambda trigger to handle SRP_A as the first challenge as shown below:
+
+```javascript
+exports.handler = (event, context) => {
+ if (event.request.session.length == 1 &&
+ event.request.session[0].challengeName == 'SRP_A') {
+ event.response.issueTokens = false;
+ event.response.failAuthentication = false;
+ event.response.challengeName = 'PASSWORD_VERIFIER';
+ } else if (event.request.session.length == 2 &&
+ event.request.session[1].challengeName == 'PASSWORD_VERIFIER' &&
+ event.request.session[1].challengeResult == true) {
+ event.response.issueTokens = false;
+ event.response.failAuthentication = false;
+ event.response.challengeName = 'CUSTOM_CHALLENGE';
+ } else if (event.request.session.length == 3 &&
+ event.request.session[2].challengeName == 'CUSTOM_CHALLENGE' &&
+ event.request.session[2].challengeResult == true) {
+ event.response.issueTokens = true;
+ event.response.failAuthentication = false;
+ } else {
+ event.response.issueTokens = false;
+ event.response.failAuthentication = true;
+ }
+ context.done(null, event);
+};
+```
+
+If your lambda is setup to start with `SRP` as the first step, make sure to initiate the signIn process with `customWithSRP` as the authentication flow:
+
+```swift
+let options = AWSAuthSignInOptions(
+ authFlowType: .customWithSRP)
+let signInResult = try await Amplify.Auth.signIn(
+ username: username,
+ password: password,
+ options: .init(pluginOptions: options))
+```
+
+
+The Auth category can be configured to perform a [custom authentication flow](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-challenge.html) defined by you. The following guide shows how to setup a simple passwordless authentication flow.
+
+## Prerequisites
+
+* An Android application targeting at least Android SDK API level 24 with Amplify libraries integrated
+ * For a full example of creating Android project, please follow the [project setup walkthrough](/[platform]/start/quickstart/)
+
+## Configure Auth
+
+The custom auth flow can be [configured manually](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-challenge.html).
+
+## Register a user
+
+The flow as mentioned above requires a username and a valid email id as parameters to register a user. Invoke the following api to initiate a sign up flow.
+
+#### [Java]
+
+```java
+AuthSignUpOptions options = AuthSignUpOptions.builder()
+ .userAttribute(AuthUserAttributeKey.email(), "my@email.com")
+ .build();
+Amplify.Auth.signUp("username", "Password123", options,
+ result -> Log.i("AuthQuickStart", "Result: " + result.toString()),
+ error -> Log.e("AuthQuickStart", "Sign up failed", error)
+);
+```
+
+#### [Kotlin - Callbacks]
+
+```kotlin
+val options = AuthSignUpOptions.builder()
+ .userAttribute(AuthUserAttributeKey.email(), "my@email.com")
+ .build()
+Amplify.Auth.signUp("username", "Password123", options,
+ { Log.i("AuthQuickStart", "Sign up succeeded: $it") },
+ { Log.e ("AuthQuickStart", "Sign up failed", it) }
+)
+```
+
+#### [Kotlin - Coroutines]
+
+```kotlin
+val options = AuthSignUpOptions.builder()
+ .userAttribute(AuthUserAttributeKey.email(), "my@email.com")
+ .build()
+try {
+ val result = Amplify.Auth.signUp("username", "Password123", options)
+ Log.i("AuthQuickStart", "Result: $result")
+} catch (error: AuthException) {
+ Log.e("AuthQuickStart", "Sign up failed", error)
+}
+```
+
+#### [RxJava]
+
+ ```java
+RxAmplify.Auth.signUp(
+ "username",
+ "Password123",
+ AuthSignUpOptions.builder().userAttribute(AuthUserAttributeKey.email(), "my@email.com").build())
+ .subscribe(
+ result -> Log.i("AuthQuickStart", "Result: " + result.toString()),
+ error -> Log.e("AuthQuickStart", "Sign up failed", error)
+ );
+```
+
+The next step in the sign up flow is to confirm the user. A confirmation code will be sent to the email id provided during sign up. Enter the confirmation code received via email in the `confirmSignUp` call.
+
+#### [Java]
+
+```java
+Amplify.Auth.confirmSignUp(
+ "username",
+ "the code you received via email",
+ result -> Log.i("AuthQuickstart", result.isSignUpComplete() ? "Confirm signUp succeeded" : "Confirm sign up not complete"),
+ error -> Log.e("AuthQuickstart", error.toString())
+);
+```
+
+#### [Kotlin - Callbacks]
+
+```kotlin
+Amplify.Auth.confirmSignUp(
+ "username", "the code you received via email",
+ { result ->
+ if (result.isSignUpComplete) {
+ Log.i("AuthQuickstart", "Confirm signUp succeeded")
+ } else {
+ Log.i("AuthQuickstart","Confirm sign up not complete")
+ }
+ },
+ { Log.e("AuthQuickstart", "Failed to confirm sign up", it) }
+)
+```
+
+#### [Kotlin - Coroutines]
+
+```kotlin
+try {
+ val code = "code you received via email"
+ val result = Amplify.Auth.confirmSignUp("username", code)
+ if (result.isSignUpComplete) {
+ Log.i("AuthQuickstart", "Signup confirmed")
+ } else {
+ Log.i("AuthQuickstart", "Signup confirmation not yet complete")
+ }
+} catch (error: AuthException) {
+ Log.e("AuthQuickstart", "Failed to confirm signup", error)
+}
+```
+
+#### [RxJava]
+
+```java
+RxAmplify.Auth.confirmSignUp("username", "the code you received via email")
+ .subscribe(
+ result -> Log.i("AuthQuickstart", result.isSignUpComplete() ? "Confirm signUp succeeded" : "Confirm sign up not complete"),
+ error -> Log.e("AuthQuickstart", error.toString())
+ );
+```
+
+You will know the sign up flow is complete if you see the following in your console window:
+
+```console
+Confirm signUp succeeded
+```
+
+## Sign in a user
+
+Implement a UI to get the username from the user. After the user enters the username you can start the sign in flow by calling the following method:
+
+#### [Java]
+
+```java
+AWSCognitoAuthSignInOptions options = AWSCognitoAuthSignInOptions.builder()
+ .authFlowType(AuthFlowType.CUSTOM_AUTH_WITHOUT_SRP)
+ .build();
+Amplify.Auth.signIn(
+ "username",
+ "password",
+ options,
+ result -> Log.i("AuthQuickstart", result.isSignedIn() ? "Sign in succeeded" : "Sign in not complete"),
+ error -> Log.e("AuthQuickstart", error.toString())
+);
+```
+
+#### [Kotlin - Callbacks]
+
+```kotlin
+val options = AWSCognitoAuthSignInOptions.builder()
+ .authFlowType(AuthFlowType.CUSTOM_AUTH_WITHOUT_SRP)
+ .build()
+Amplify.Auth.signIn(
+ "username",
+ "password",
+ options,
+ { result ->
+ if (result.isSignedIn) {
+ Log.i("AuthQuickstart", "Sign in succeeded")
+ } else {
+ Log.i("AuthQuickstart", "Sign in not complete")
+ }
+ },
+ { Log.e("AuthQuickstart", "Failed to sign in", it) }
+)
+```
+
+#### [Kotlin - Coroutines]
+
+```kotlin
+val options = AWSCognitoAuthSignInOptions.builder()
+ .authFlowType(AuthFlowType.CUSTOM_AUTH_WITHOUT_SRP)
+ .build()
+try {
+ val result = Amplify.Auth.signIn("username", "password", options)
+ if (result.isSignedIn) {
+ Log.i("AuthQuickstart", "Sign in succeeded")
+ } else {
+ Log.e("AuthQuickstart", "Sign in not complete")
+ }
+} catch (error: AuthException) {
+ Log.e("AuthQuickstart", "Sign in failed", error)
+}
+```
+
+#### [RxJava]
+
+```java
+AWSCognitoAuthSignInOptions options = AWSCognitoAuthSignInOptions.builder()
+ .authFlowType(AuthFlowType.CUSTOM_AUTH_WITHOUT_SRP)
+ .build();
+RxAmplify.Auth.signIn("username", "password", options)
+ .subscribe(
+ result -> Log.i("AuthQuickstart", result.isSignedIn() ? "Sign in succeeded" : "Sign in not complete"),
+ error -> Log.e("AuthQuickstart", error.toString())
+ );
+```
+
+Since this is a custom authentication flow with a challenge, the result of the signin process has a next step `.confirmSignInWithCustomChallenge`. Implement a UI to allow the user to enter the custom challenge.
+
+## Confirm sign in with custom challenge
+
+Get the custom challenge (`1234` in this case) from the user and pass it to the `confirmSignin()` api.
+
+#### [Java]
+
+```java
+Amplify.Auth.confirmSignIn(
+ "confirmation",
+ result -> Log.i("AuthQuickstart", "Confirm sign in succeeded: " + result.toString()),
+ error -> Log.e("AuthQuickstart", "Failed to confirm sign in", error)
+);
+```
+
+#### [Kotlin - Callbacks]
+
+```kotlin
+Amplify.Auth.confirmSignIn("confirmation",
+ { Log.i("AuthQuickstart", "Confirm sign in succeeded: $it") },
+ { Log.e("AuthQuickstart", "Failed to confirm sign in", it) }
+)
+```
+
+#### [Kotlin - Coroutines]
+
+```kotlin
+try {
+ val result = Amplify.Auth.confirmSignIn("confirmation")
+ Log.i("AuthQuickstart", "Confirm sign in succeeded: $result")
+} catch (error: AuthException) {
+ Log.e("AuthQuickstart", "Failed to confirm signin", error)
+}
+```
+
+#### [RxJava]
+
+```java
+RxAmplify.Auth.confirmSignIn("confirmation")
+ .subscribe(
+ result -> Log.i("AuthQuickstart", result.toString()),
+ error -> Log.e("AuthQuickstart", error.toString())
+ );
+```
+
+You will know the sign in flow is complete if you see the following in your console window:
+
+```console
+Confirm sign in succeeded
+```
+
+### Lambda Trigger Setup
+
+AWS Amplify now supports creating functions as part of the AWS Amplify. For more information on the Functions and how to start with them check out [Functions documentation](/[platform]/build-a-backend/functions/). In addition, more information on available triggers can be found in the [Cognito documentation](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html).
+
+### Custom Auth Flow with Secure Remote Password (SRP)
+
+Cognito User Pool allows to start the custom authentication flow with SRP as the first step. If you would like to use this flow, setup Define Auth Lambda trigger to handle SRP_A as the first challenge as shown below:
+
+```javascript
+exports.handler = (event, context) => {
+ if (event.request.session.length == 1 &&
+ event.request.session[0].challengeName == 'SRP_A') {
+ event.response.issueTokens = false;
+ event.response.failAuthentication = false;
+ event.response.challengeName = 'PASSWORD_VERIFIER';
+ } else if (event.request.session.length == 2 &&
+ event.request.session[1].challengeName == 'PASSWORD_VERIFIER' &&
+ event.request.session[1].challengeResult == true) {
+ event.response.issueTokens = false;
+ event.response.failAuthentication = false;
+ event.response.challengeName = 'CUSTOM_CHALLENGE';
+ } else if (event.request.session.length == 3 &&
+ event.request.session[2].challengeName == 'CUSTOM_CHALLENGE' &&
+ event.request.session[2].challengeResult == true) {
+ event.response.issueTokens = true;
+ event.response.failAuthentication = false;
+ } else {
+ event.response.issueTokens = false;
+ event.response.failAuthentication = true;
+ }
+ context.done(null, event);
+};
+```
+
+If your lambda is setup to start with `SRP` as the first step, make sure to initiate the signIn process with `customWithSRP` as the authentication flow:
+
+#### [Java]
+
+```java
+AWSCognitoAuthSignInOptions options = AWSCognitoAuthSignInOptions.builder()
+ .authFlowType(AuthFlowType.CUSTOM_AUTH_WITH_SRP)
+ .build();
+Amplify.Auth.signIn(
+ "username",
+ "password",
+ options,
+ result -> Log.i("AuthQuickstart", result.isSignedIn() ? "Sign in succeeded" : "Sign in not complete"),
+ error -> Log.e("AuthQuickstart", error.toString())
+);
+```
+
+#### [Kotlin - Callbacks]
+
+```kotlin
+val options = AWSCognitoAuthSignInOptions.builder()
+ .authFlowType(AuthFlowType.CUSTOM_AUTH_WITH_SRP)
+ .build()
+Amplify.Auth.signIn(
+ "username",
+ "password",
+ options,
+ { result ->
+ if (result.isSignedIn) {
+ Log.i("AuthQuickstart", "Sign in succeeded")
+ } else {
+ Log.i("AuthQuickstart", "Sign in not complete")
+ }
+ },
+ { Log.e("AuthQuickstart", "Failed to sign in", it) }
+)
+```
+
+#### [Kotlin - Coroutines]
+
+```kotlin
+val options = AWSCognitoAuthSignInOptions.builder()
+ .authFlowType(AuthFlowType.CUSTOM_AUTH_WITH_SRP)
+ .build()
+try {
+ val result = Amplify.Auth.signIn("username", "password", options)
+ if (result.isSignedIn) {
+ Log.i("AuthQuickstart", "Sign in succeeded")
+ } else {
+ Log.e("AuthQuickstart", "Sign in not complete")
+ }
+} catch (error: AuthException) {
+ Log.e("AuthQuickstart", "Sign in failed", error)
+}
+```
+
+#### [RxJava]
+
+```java
+AWSCognitoAuthSignInOptions options = AWSCognitoAuthSignInOptions.builder()
+ .authFlowType(AuthFlowType.CUSTOM_AUTH_WITH_SRP)
+ .build();
+RxAmplify.Auth.signIn("username", "password", options)
+ .subscribe(
+ result -> Log.i("AuthQuickstart", result.isSignedIn() ? "Sign in succeeded" : "Sign in not complete"),
+ error -> Log.e("AuthQuickstart", error.toString())
+ );
+```
+
+
+
+
+The Auth category can be configured to perform a [custom authentication flow](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-challenge.html) defined by you. The following guide shows how to setup a simple passwordless authentication flow.
+
+## Prerequisites
+
+Amplify requires a minimum target platform for iOS (13.0), Android (API level 24), and macOS (10.15). Refer to [Flutter's supported deployment platforms](https://docs.flutter.dev/reference/supported-platforms) when targeting Web, Windows, or Linux. Additional setup is required for some target platforms. Please see the [platform setup](/[platform]/build-a-backend/auth/connect-your-frontend/sign-in/#platform-setup) for more details on platform specific setup.
+
+## Configure Auth
+
+The custom auth flow can be [configured manually](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-challenge.html).
+
+## Register a user
+
+The flow as mentioned above requires a username and a valid email id as parameters to register a user. Invoke the following api to initiate a sign up flow.
+
+Because authentication flows in Cognito can be switched via your configuration, it is still required that users register with a password.
+
+```dart
+Future signUpCustomFlow() async {
+ try {
+ final userAttributes = {
+ AuthUserAttributeKey.email: 'email@domain.com',
+ AuthUserAttributeKey.phoneNumber: '+15559101234',
+ // additional attributes as needed
+ };
+ final result = await Amplify.Auth.signUp(
+ username: 'myusername',
+ password: 'mysupersecurepassword',
+ options: SignUpOptions(userAttributes: userAttributes),
+ );
+ safePrint('Sign up result: $result');
+ } on AuthException catch (e) {
+ safePrint('Error signing up: ${e.message}');
+ }
+}
+```
+
+The next step in the sign up flow is to confirm the user. A confirmation code will be sent to the email id provided during sign up. Enter the confirmation code received via email in the `confirmSignUp` call.
+
+```dart
+Future confirmUser({
+ required String username,
+ required String confirmationCode,
+}) async {
+ try {
+ final result = await Amplify.Auth.confirmSignUp(
+ username: username,
+ confirmationCode: confirmationCode,
+ );
+ // Check if further confirmations are needed or if
+ // the sign up is complete.
+ await _handleSignUpResult(result);
+ } on AuthException catch (e) {
+ safePrint('Error confirming user: ${e.message}');
+ }
+}
+```
+
+## Sign in a user
+
+Implement a UI to get the username from the user. After the user enters the username you can start the sign in flow by calling the following method:
+
+```dart
+// Create state variables for the sign in status
+var isSignedIn = false;
+String? challengeHint;
+
+Future signInCustomFlow(String username) async {
+ try {
+ final result = await Amplify.Auth.signIn(username: username);
+ setState(() {
+ isSignedIn = result.isSignedIn;
+ // Get the publicChallengeParameters from your Create Auth Challenge Lambda
+ challengeHint = result.nextStep.additionalInfo['hint'];
+ });
+ } on AuthException catch (e) {
+ safePrint('Error signing in: ${e.message}');
+ }
+}
+```
+
+
+
+Please note that you will be prevented from successfully calling `signIn` if a
+user has already signed in and a valid session is active. You must first call
+`signOut` to remove the original session.
+
+
+## Confirm sign in with custom challenge
+
+To get a custom challenge from the user, create an appropriate UI for the user to submit the required value, and pass that value into the `confirmSignin()` API.
+
+```dart
+Future confirmSignIn(String generatedNumber) async {
+ try {
+ final result = await Amplify.Auth.confirmSignIn(
+ /// Enter the random number generated by your Create Auth Challenge trigger
+ confirmationValue: generatedNumber,
+ );
+ safePrint('Sign in result: $result');
+ } on AuthException catch (e) {
+ safePrint('Error signing in: ${e.message}');
+ }
+}
+```
+
+Once the user provides the correct response, they should be authenticated in your application.
+
+> **Warning:** Special Handling on ConfirmSignIn
+>
+> During a `confirmSignIn` call, if `failAuthentication: true` is returned by the Lambda, the session of the request gets invalidated by Cognito, and a `NotAuthorizedException` is thrown. To recover, the user must initiate a new sign in by calling `Amplify.Auth.signIn`.
+>
+> Exception: `NotAuthorizedException` with a message `Invalid session for the user.`
+
+## Custom authentication flow with password verification
+
+The example in this documentation demonstrates the passwordless custom authentication flow. However, it is also possible to require that users supply a valid password as part of the custom authentication flow.
+
+To require a valid password, you can alter the [DefineAuthChallenge](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-define-auth-challenge.html) code to handle a `PASSWORD_VERIFIER` step:
+
+```js
+exports.handler = async (event) => {
+ if (
+ event.request.session.length === 1 &&
+ event.request.session[0].challengeName === 'SRP_A'
+ ) {
+ event.response.issueTokens = false;
+ event.response.failAuthentication = false;
+ event.response.challengeName = 'PASSWORD_VERIFIER';
+ } else if (
+ event.request.session.length === 2 &&
+ event.request.session[1].challengeName === 'PASSWORD_VERIFIER' &&
+ event.request.session[1].challengeResult === true
+ ) {
+ event.response.issueTokens = false;
+ event.response.failAuthentication = false;
+ event.response.challengeName = 'CUSTOM_CHALLENGE';
+ } else if (
+ event.request.session.length === 3 &&
+ event.request.session[2].challengeName === 'CUSTOM_CHALLENGE' &&
+ event.request.session[2].challengeResult === true
+ ) {
+ event.response.issueTokens = true;
+ event.response.failAuthentication = false;
+ } else {
+ event.response.issueTokens = false;
+ event.response.failAuthentication = true;
+ }
+
+ return event;
+};
+```
+
+
+---
+
+---
+title: "Email customization"
+section: "build-a-backend/auth/customize-auth-lifecycle"
+platforms: ["android", "angular", "flutter", "javascript", "nextjs", "react", "react-native", "swift", "vue"]
+gen: 2
+last-updated: "2024-08-15T17:57:11.000Z"
+url: "https://docs.amplify.aws/react/build-a-backend/auth/customize-auth-lifecycle/email-customization/"
+---
+
+## Customize the Verification Email
+
+By default, Amplify Auth resources are scaffolded with email as the default method for your users to sign in. When you users sign up they receive a verification email to confirm their ownership of the email they specified during sign-up. Emails such as the verification email can be customized with your app's brand identity.
+
+To get started, change the `email` attribute of `loginWith` from `true` to an object to begin customizing its default behavior:
+
+```diff title="amplify/auth/resource.ts"
+import { defineAuth } from "@aws-amplify/backend"
+
+export const auth = defineAuth({
+ loginWith: {
+- email: true,
++ email: {
++ verificationEmailStyle: "CODE",
++ verificationEmailSubject: "Welcome to my app!",
++ verificationEmailBody: (createCode) => `Use this code to confirm your account: ${createCode()}`,
++ },
+ },
+})
+```
+
+## Customize the Invitation Email
+
+In some cases, you may [set up a user account on behalf of a user in the Amplify console](/[platform]/build-a-backend/auth/manage-users/with-amplify-console/). In this case, Amplify Auth will send an invitation email to the user welcoming them to your application. This email includes a brief welcome message, along with the email address they can log in with and the temporary password you've set up for them.
+
+If you'd like to customize that email, you can override the `userInvitation` attribute of the `email` object:
+
+```diff title="amplify/auth/resource.ts"
+import { defineAuth } from "@aws-amplify/backend"
+
+export const auth = defineAuth({
+ loginWith: {
+- email: true,
++ email: {
++ // can be used in conjunction with a customized welcome email as well
++ verificationEmailStyle: "CODE",
++ verificationEmailSubject: "Welcome to my app!",
++ verificationEmailBody: (createCode) => `Use this code to confirm your account: ${createCode()}`,
++ userInvitation: {
++ emailSubject: "Welcome to my app!",
++ emailBody: (user, code) =>
++ `We're happy to have you! You can now login with username ${user()} and temporary password ${code()}`,
++ },
++ },
+ },
+})
+```
+
+Note that when using the `user` and `code` arguments of the `emailBody` function, `user` and `code` are **functions** which must be called. Failure to call them will result in an error when your sandbox deploys.
+
+---
+
+---
+title: "Triggers"
+section: "build-a-backend/auth/customize-auth-lifecycle"
+platforms: ["android", "angular", "flutter", "javascript", "nextjs", "react", "react-native", "swift", "vue"]
+gen: 2
+last-updated: "2024-05-03T17:21:51.000Z"
+url: "https://docs.amplify.aws/react/build-a-backend/auth/customize-auth-lifecycle/triggers/"
+---
+
+Amplify Auth's behavior can be customized through the use of triggers. A trigger is defined as a Function, and is a mechanism to slot some logic to execute during the authentication flow. For example, you can use triggers to [validate whether emails include an allowlisted domain](/[platform]/build-a-backend/functions/examples/email-domain-filtering), [add a user to a group upon confirmation](/[platform]/build-a-backend/functions/examples/add-user-to-group), or [create a "UserProfile" model upon account confirmation](/[platform]/build-a-backend/functions/examples/create-user-profile-record).
+
+Triggers translate to [Cognito user pool Lambda triggers](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html).
+
+> When you have a Lambda trigger assigned to your user pool, Amazon Cognito interrupts its default flow to request information from your function. Amazon Cognito generates a JSON event and passes it to your function. The event contains information about your user's request to create a user account, sign in, reset a password, or update an attribute. Your function then has an opportunity to take action, or to send the event back unmodified.
+
+To get started, define a function and specify the `triggers` property on your auth resource:
+
+```ts title="amplify/auth/resource.ts"
+import { defineAuth } from "@aws-amplify/backend"
+
+export const auth = defineAuth({
+ loginWith: {
+ email: true,
+ },
+ // highlight-next-line
+ triggers: {}
+})
+```
+
+To learn more about use cases for triggers, visit the [Functions examples](/[platform]/build-a-backend/functions/examples/).
+
+---
+
+---
+title: "Enable sign-in with web UI"
+section: "build-a-backend/auth"
+platforms: ["flutter", "swift", "android"]
+gen: 2
+last-updated: "2025-12-16T19:28:39.000Z"
+url: "https://docs.amplify.aws/react/build-a-backend/auth/sign-in-with-web-ui/"
+---
+
+
+## Prerequisites
+* An app set up according to the [getting started walkthrough](/[platform]/build-a-backend/auth/set-up-auth/)
+
+> **Warning:** When configuring social sign-in, it's important to exercise caution when designating attributes as "required." Different social identity providers have varied scopes in terms of the information they respond back to Cognito with. User pool attributes that are initially set up as "required" cannot be changed later, and may require you to migrate the users or create a new user pool.
+
+## Configure Auth Category
+
+
+
+This library's Cognito plugin currently supports the [Authorization Code Grant](https://docs.aws.amazon.com/cognito/latest/developerguide/authorization-endpoint.html) OAuth Flow.
+
+
+
+In your `auth/resource.ts` file, update the
+```ts
+export const auth = defineAuth({
+ loginWith: {
+ email: true,
+ externalProviders: {
+ callbackUrls: ["myapp://callback/"],
+ logoutUrls: ["myapp://signout/"],
+ },
+ },
+});
+```
+
+## Update AndroidManifest.xml
+
+Add the following activity and queries tag to your app's `AndroidManifest.xml` file, replacing `myapp` with
+your redirect URI prefix if necessary:
+
+```xml
+
+ ...
+
+
+
+
+ ...
+
+```
+
+## Launch Web UI Sign In
+
+Sweet! You're now ready to launch sign in with web UI. For now, just add this method to the `onCreate` method of MainActivity:
+
+#### [Java]
+
+```java
+Amplify.Auth.signInWithWebUI(
+ this,
+ result -> Log.i("AuthQuickStart", result.toString()),
+ error -> Log.e("AuthQuickStart", error.toString())
+);
+```
+
+#### [Kotlin - Callbacks]
+
+```kotlin
+Amplify.Auth.signInWithWebUI(
+ this,
+ { Log.i("AuthQuickStart", "Signin OK = $it") },
+ { Log.e("AuthQuickStart", "Signin failed", it) }
+)
+```
+
+#### [Kotlin - Coroutines]
+
+```kotlin
+try {
+ val result = Amplify.Auth.signInWithWebUI(this)
+ Log.i("AuthQuickStart", "Signin OK: $result")
+} catch (error: AuthException) {
+ Log.e("AuthQuickStart", "Signin failed", error)
+}
+```
+
+#### [RxJava]
+
+```java
+RxAmplify.Auth.signInWithWebUI(this)
+ .subscribe(
+ result -> Log.i("AuthQuickStart", result.toString()),
+ error -> Log.e("AuthQuickStart", error.toString())
+ );
+```
+
+### Additional options during signIn
+
+You may pass additional parameters to the `Amplify.Auth.signInWithWebUI` which are added as query parameters in the requests to [Cognito authorization endpoint](https://docs.aws.amazon.com/cognito/latest/developerguide/authorization-endpoint.html).
+
+```kotlin
+val options = AWSCognitoAuthWebUISignInOptions.builder()
+ .nonce("randomUUID")
+ .language("en")
+ .loginHint("username")
+ .prompt(AuthWebUIPrompt.LOGIN, AuthWebUIPrompt.CONSENT)
+ .resource("https://localhost")
+ .build()
+
+Amplify.Auth.signInWithWebUI(
+ this,
+ options,
+ result -> Log.i("AuthQuickStart", result.toString()),
+ error -> Log.e("AuthQuickStart", error.toString())
+);
+```
+
+
+## Prerequisites
+
+> **Warning:** **Note:** Social sign-in (OAuth) functionality is only available in **iOS**, **macOS** and **visionOS**.
+>
+> When configuring social sign-in, it's important to exercise caution when designating attributes as "required." Different social identity providers have varied scopes in terms of the information they respond back to Cognito with. User pool attributes that are initially set up as "required" cannot be changed later, and may require you to migrate the users or create a new user pool.
+
+For a full example, please follow the [project setup walkthrough](/[platform]/start/quickstart/).
+
+
+
+To use Auth in a macOS project, you'll need to enable the Keychain Sharing capability. In Xcode, navigate to **your application target** > **Signing & Capabilities** > **+ Capability**, then select **Keychain Sharing.**
+
+This capability is required because Auth uses the Data Protection Keychain on macOS as a platform best practice.
+See [TN3137: macOS keychain APIs and implementations](https://developer.apple.com/documentation/technotes/tn3137-on-mac-keychains) for more information on how Keychain works on macOS and the Keychain Sharing entitlement.
+
+For more information on adding capabilities to your application, see [Xcode Capabilities](https://developer.apple.com/documentation/xcode/capabilities).
+
+
+
+## Configure Auth Category
+
+
+
+This library's Cognito plugin currently supports the [Authorization Code Grant](https://docs.aws.amazon.com/cognito/latest/developerguide/authorization-endpoint.html) OAuth Flow.
+
+
+
+Update the `auth/resource.ts` file like the following to enable the sign-in and sign-out capabilities with a web ui.
+
+```ts
+export const auth = defineAuth({
+ loginWith: {
+ email: true,
+ externalProviders: {
+ callbackUrls: ["myapp://callback/"],
+ logoutUrls: ["myapp://signout/"],
+ },
+ },
+});
+```
+## Update Info.plist
+
+Signin with web UI require the Amplify plugin to show up the signin UI inside a webview. After the signin process is complete it will redirect back to your app.
+You have to enable this in your app's `Info.plist`. Right click Info.plist and then choose Open As > Source Code. Add the following entry in the URL scheme:
+
+```xml
+
+
+
+
+
+
+
+
+ CFBundleURLTypes
+
+
+ CFBundleURLSchemes
+
+ myapp
+
+
+
+
+
+
+```
+
+When creating a new SwiftUI app using Xcode 13 no longer require configuration files such as the Info.plist. If you are missing this file, click on the project target, under Info, Url Types, and click '+' to add a new URL Type. Add `myapp` to the URL Schemes. You should see the Info.plist file now with the entry for CFBundleURLSchemes.
+
+## Launch Web UI Sign In
+
+You're now ready to launch sign in with web UI. The `signInWithWebUI` api require a presentationAnchor and for an iOS app it will be the main UIWindow of the app. The example code below assume that you are in a UIViewController where you can fetch the UIWindow instance by `self.view.window`.
+
+#### [Async/Await]
+
+```swift
+func signInWithWebUI() async {
+ do {
+ let signInResult = try await Amplify.Auth.signInWithWebUI(presentationAnchor: self.view.window!)
+ if signInResult.isSignedIn {
+ print("Sign in succeeded")
+ }
+ } catch let error as AuthError {
+ print("Sign in failed \(error)")
+ } catch {
+ print("Unexpected error: \(error)")
+ }
+}
+```
+
+#### [Combine]
+
+```swift
+func signInWithWebUI() -> AnyCancellable {
+ Amplify.Publisher.create {
+ try await Amplify.Auth.signInWithWebUI(presentationAnchor: self.view.window!)
+ }.sink {
+ if case let .failure(authError) = $0 {
+ print("Sign in failed \(authError)")
+ }
+ }
+ receiveValue: { signInResult in
+ if signInResult.isSignedIn {
+ print("Sign in succeeded")
+ }
+ }
+}
+```
+
+### Prefer private session during signIn
+
+Starting Amplify 1.6.0, `Amplify.Auth.signInWithWebUI` automatically uses [ASWebAuthenticationSession](https://developer.apple.com/documentation/authenticationservices/aswebauthenticationsession) internally for iOS 13.0+. For older iOS versions, it will fall back to [SFAuthenticationSession](https://developer.apple.com/documentation/safariservices/sfauthenticationsession).
+This release also introduces a new `preferPrivateSession` flag to `AWSAuthWebUISignInOptions` during the sign in flow. If `preferPrivateSession` is set to `true` during sign in, the user will not see a web view displayed when they sign out. `preferPrivateSession` will set [ASWebAuthenticationSession.prefersEphemeralWebBrowserSession](https://developer.apple.com/documentation/authenticationservices/aswebauthenticationsession/3237231-prefersephemeralwebbrowsersessio) internally and the authentication session will be private if the user's preferred browser supports it.
+
+```swift
+try await Amplify.Auth.signInWithWebUI(
+ presentationAnchor: self.view.window!,
+ options: .preferPrivateSession()
+) {
+ ...
+}
+```
+
+### Additional options during signIn
+
+You may pass additional parameters to the `Amplify.Auth.signInWithWebUI` which are added as query parameters in the requests to [Cognito authorization endpoint](https://docs.aws.amazon.com/cognito/latest/developerguide/authorization-endpoint.html).
+
+```swift
+let options = AuthWebUISignInRequest.Options(
+ pluginOptions: AWSAuthWebUISignInOptions.init(
+ nonce: "randomUUID",
+ language: "en",
+ loginHint: "username",
+ prompt: [.login, .consent],
+ resource: "http://localhost"))
+
+let signInResult = try await Amplify.Auth.signInWithWebUI(
+ presentationAnchor: self.view.window!,
+ options: options)
+```
+
+
+## Prerequisites
+
+* An app set up according to the [getting started walkthrough](/[platform]/build-a-backend/auth/set-up-auth/)
+
+> **Warning:** When configuring Social sign-in, it's important to exercise caution when designating attributes as "required." Different social identity providers have varied scopes in terms of the information they respond back to Cognito with. User pool attributes that are initially set up as "required" cannot be changed later, and may require you to migrate the users or create a new user pool.
+
+## Configure Auth Category
+
+
+
+This library's Cognito plugin currently supports the [Authorization Code Grant](https://docs.aws.amazon.com/cognito/latest/developerguide/authorization-endpoint.html) OAuth Flow.
+
+
+
+Update the `auth/resource.ts` file like the following to enable the sign-in and sign-out capabilities with a web ui.
+
+```ts
+export const auth = defineAuth({
+ loginWith: {
+ email: true,
+ externalProviders: {
+ callbackUrls: ["myapp://callback/"],
+ logoutUrls: ["myapp://signout/"],
+ },
+ },
+});
+```
+
+## How It Works
+
+Sign-in with web UI will display the sign-in UI inside a webview. After the sign-in process is complete, the sign-in UI will redirect back to your app.
+
+## Platform Setup
+
+### Web
+
+To use Hosted UI in your Flutter web application locally, you must run the app with the `--web-port=3000` argument (with the value being whichever port you assigned to localhost host when configuring your redirect URIs).
+
+### Android
+
+Add the following `queries` element to the `AndroidManifest.xml` file in your app's `android/app/src/main` directory, as well as the following `intent-filter` to the `MainActivity` in the same file.
+
+Replace `myapp` with your redirect URI scheme as necessary:
+
+```xml
+
+
+
+
+
+ ...
+
+
+
+
+ ...
+
+```
+
+### macOS
+
+Open XCode and enable the App Sandbox capability and then select "Incoming Connections (Server)" under "Network".
+
+
+
+### iOS, Windows and Linux
+
+No specific platform configuration is required.
+
+## Launch Web UI Sign In
+
+You're now ready to launch sign in with web UI.
+
+```dart
+Future signInWithWebUI() async {
+ try {
+ final result = await Amplify.Auth.signInWithWebUI();
+ safePrint('Sign in result: $result');
+ } on AuthException catch (e) {
+ safePrint('Error signing in: ${e.message}');
+ }
+}
+```
+
+You can also specify a provider with the `provider` attribute:
+
+```dart
+Future signInWithWebUIProvider() async {
+ try {
+ final result = await Amplify.Auth.signInWithWebUI(
+ provider: AuthProvider.google,
+ );
+ safePrint('Result: $result');
+ } on AuthException catch (e) {
+ safePrint('Error signing in: ${e.message}');
+ }
+}
+```
+
+Amplify Flutter currently supports the following social sign-in providers:
+ * Google
+ * Facebook
+ * Login With Amazon
+ * Apple
+
+### Prefer private session during signIn on iOS.
+
+Amplify.Auth.signInWithWebUI uses [ASWebAuthenticationSession](https://developer.apple.com/documentation/authenticationservices/aswebauthenticationsession) internally for iOS. ASWebAuthenticationSession has a property, [prefersEphemeralWebBrowserSession](https://developer.apple.com/documentation/authenticationservices/aswebauthenticationsession/3237231-prefersephemeralwebbrowsersessio) which can be used to indicate whether the session should ask the browser for a private authentication session. To set this flag to true, set `preferPrivateSession` to true using `CognitoSignInWithWebUIPluginOptions`.
+
+This will bypass the permissions dialog that is displayed to the end user during sign in and sign out. However, it will also prevent reuse of existing sessions from the user's browser. For example, if the user is logged into Google in their browser and try to sign in using Google in your app, they would now need to re-enter their credentials.
+
+```dart
+Future signInWithWebUIAndPrivateSession() async {
+ await Amplify.Auth.signInWithWebUI(
+ options: const SignInWithWebUIOptions(
+ pluginOptions: CognitoSignInWithWebUIPluginOptions(
+ isPreferPrivateSession: true,
+ ),
+ ),
+ );
+}
+```
+
+### Additional options during signIn
+
+You may pass additional parameters to the `Amplify.Auth.signInWithWebUI` which are added as query parameters in the requests to [Cognito authorization endpoint](https://docs.aws.amazon.com/cognito/latest/developerguide/authorization-endpoint.html).
+
+```dart
+Future signInWithWebUIAndOptions() async {
+ try {
+ final result = await Amplify.Auth.Amplify.Auth.signInWithWebUI(
+ options: SignInWithWebUIOptions(pluginOptions: CognitoSignInWithWebUIPluginOptions(
+ nonce: 'randomUUID',
+ language: 'en',
+ loginHint: 'username',
+ prompt: List.from([CognitoSignInWithWebUIPrompt.login, CognitoSignInWithWebUIPrompt.consent]),
+ resource: 'http://localhost'
+ )
+ )
+ );
+ safePrint('Sign in result: $result');
+ } on AuthException catch (e) {
+ safePrint('Error signing in: ${e.message}');
+ }
+}
+```
+
+
+---
+
+---
+title: "Uninstalling the app"
+section: "build-a-backend/auth"
+platforms: ["swift", "android"]
+gen: 2
+last-updated: "2024-05-02T22:35:36.000Z"
+url: "https://docs.amplify.aws/react/build-a-backend/auth/app-uninstall/"
+---
+
+
+Some Amplify categories such as Analytics and Auth persist data to the local device. This application data is removed when a user uninstalls the application from the device.
+
+If the [Android Auto Backup for Apps](https://developer.android.com/guide/topics/data/autobackup) service was enabled, this service will attempt to restore application data.
+
+Amplify Auth uses [EncryptedSharedPreferences](https://developer.android.com/reference/androidx/security/crypto/EncryptedSharedPreferences) when persisting auth data. When an application is uninstalled, the [Android Keystore](https://developer.android.com/training/articles/keystore) keys used to create our EncryptedSharedPreferences files are deleted. Upon an application re-install, these restored files are no longer readable due to the key removal from the Android Keystore.
+
+Due to this limitation with EncryptedSharedPreferences, Auth information canβt be restored on an application re-install. The user will have to re-authenticate.
+
+
+
+Some Amplify categories such as Analytics and Auth persist data to the local device. Some of that data is automatically removed when a user uninstalls the app from the device.
+
+Amplify stores Auth information in the local [system keychain](https://developer.apple.com/documentation/security/keychain_services), which does not guarantee any particular behavior around whether data is removed when an app is uninstalled.
+
+Deciding on when to clear this auth information is not something that the SDK can do in a generic way, so App developers should decide when to clear the data by signing out. One strategy for accomplishing this would be to use [UserDefaults](https://developer.apple.com/documentation/foundation/userdefaults) to detect whether or not the app is launching for the first time, and invoking [`Auth.signOut()`](/[platform]/build-a-backend/auth/connect-your-frontend/sign-out/) if the app has not been launched before.
+
+
+---
+
+---
+title: "Data usage policy information"
+section: "build-a-backend/auth"
+platforms: ["swift"]
+gen: 2
+last-updated: "2024-05-02T22:35:36.000Z"
+url: "https://docs.amplify.aws/react/build-a-backend/auth/data-usage-policy/"
+---
+
+
+Apple requires app developers to provide the data usage policy of the app when they submit their app to the App Store. See Apple's [User privacy and data use](https://developer.apple.com/app-store/user-privacy-and-data-use/) for more details. The Amplify Library is used to interact with AWS resources under the developerβs ownership and management. The library cannot predict the usage of its APIs and it is up to the developer to provide the privacy manifest that accurately reflects the data collected by the app. Below are the different categories identified by Apple and the corresponding data type used by the Amplify Library.
+
+By utilizing the library, Amplify gathers API usage metrics from the AWS services accessed. This process involves adding a user agent to the request made to your AWS service. The user-agent header is included with information about the Amplify Library version, operating system name, and version. AWS collects this data to generate metrics related to our library usage. This information is not linked to the userβs identity and not used for tracking purposes as described in Apple's privacy and data use guidelines.
+
+Should you have any specific concerns or require additional information for the enhancement of your privacy manifest, please don't hesitate to reach out.
+
+## Contact info
+
+| Data Type | Amplify Category | Purpose | Linked To Identity | Tracking | Provided by developer |
+| ------------------------------ | ------------------ | ------------------- | :------------------: | :--------: | :---------------------: |
+| **Name** | | | | | |
+| | Auth | App Functionality | β
| β | β
|
+| **Email Address** | | | | | |
+| | Auth | App Functionality | β
| β | β
|
+| **Phone Number** | | | | | |
+| | Auth | App Functionality | β
| β | β
|
+
+## User Content
+
+| Data Type | Amplify Category | Purpose | Linked To Identity | Tracking | Provided by developer |
+| ------------------------------ | ------------------ | ------------------- | :------------------: | :--------: | :---------------------: |
+| **Photos or Videos** | | | | | |
+| | Storage | App Functionality | β | β | β
|
+| | Predictions | App Functionality | β | β | β
|
+| **Audio Data** | | | | | |
+| | Predictions | App Functionality | β | β | β
|
+
+## Identifiers
+
+| Data Type | Amplify Category | Purpose | Linked To Identity | Tracking | Provided by developer |
+| ------------------------------ | ------------------ | ------------------- | :------------------: | :--------: | :---------------------: |
+| **User ID** | | | | | |
+| | Auth | App Functionality | β
| β | β |
+| | Analytics | Analytics | β
| β | β |
+| **Device ID** | | | | | |
+| | Auth | App Functionality | β
| β | β |
+| | Analytics | Analytics | β
| β | β |
+
+## Other Data
+
+| Data Type | Amplify Category | Purpose | Linked To Identity | Tracking | Provided by developer |
+| ------------------------------ | ------------------ | ------------------- | :------------------: | :--------: | :---------------------: |
+| **OS Version** | | | | | |
+| | All categories | Analytics | β | β | β |
+| **OS Name** | | | | | |
+| | All categories | Analytics | β | β | β |
+| **Locale Info** | | | | | |
+| | All categories | Analytics | β | β | β |
+| **App Version** | | | | | |
+| | Auth | App Functionality | β
| β | β |
+| **Min OS target of the app** | | | | | |
+| | Auth | App Functionality | β
| β | β |
+| **Timezone information** | | | | | |
+| | Auth | App Functionality | β
| β | β |
+| **Network information** | | | | | |
+| | Auth | App Functionality | β
| β | β |
+| **Has SIM card** | | | | | |
+| | Auth | App Functionality | β
| β | β |
+| **Cellular Carrier Name** | | | | | |
+| | Auth | App Functionality | β
| β | β |
+| **Device Model** | | | | | |
+| | Auth | App Functionality | β
| β | β |
+| **Device Name** | | | | | |
+| | Auth | App Functionality | β
| β | β |
+| **Device OS Version** | | | | | |
+| | Auth | App Functionality | β
| β | β |
+| **Device Height and Width** | | | | | |
+| | Auth | App Functionality | β
| β | β |
+| **Device Language** | | | | | |
+| | Auth | App Functionality | β
| β | β |
+| **identifierForVendor** | | | | | |
+| | Auth | App Functionality | β
| β | β |
+
+## Health and Fitness
+No data is collected
+
+## Financial Info
+No data is collected
+
+## Location
+No data is collected
+
+## Sensitive Info
+No data is collected
+
+## Contacts
+No data is collected
+
+## Browsing History
+No data is collected
+
+## Search History
+No data is collected
+
+## Diagnostics
+No data is collected
+
+
+Some Amplify categories such as Analytics and Auth persist data to the local device. Some of that data is automatically removed when a user uninstalls the app from the device.
+
+Amplify stores Auth information in the local [system keychain](https://developer.apple.com/documentation/security/keychain_services), which does not guarantee any particular behavior around whether data is removed when an app is uninstalled.
+
+Deciding on when to clear this auth information is not something that the SDK can do in a generic way, so App developers should decide when to clear the data by signing out. One strategy for accomplishing this would be to use [UserDefaults](https://developer.apple.com/documentation/foundation/userdefaults) to detect whether or not the app is launching for the first time, and invoking [`Auth.signOut()`](/[platform]/build-a-backend/auth/connect-your-frontend/sign-out/) if the app has not been launched before.
+
+---
+
+---
+title: "Examples"
+section: "build-a-backend/auth"
+platforms: ["android", "angular", "flutter", "javascript", "nextjs", "react", "react-native", "swift", "vue"]
+gen: 2
+last-updated: "2024-10-18T22:15:30.000Z"
+url: "https://docs.amplify.aws/react/build-a-backend/auth/examples/"
+---
+
+
+
+---
+
+---
+title: "Microsoft Entra ID (SAML)"
+section: "build-a-backend/auth/examples"
+platforms: ["android", "angular", "flutter", "javascript", "nextjs", "react", "react-native", "swift", "vue"]
+gen: 2
+last-updated: "2025-02-28T16:21:52.000Z"
+url: "https://docs.amplify.aws/react/build-a-backend/auth/examples/microsoft-entra-id-saml/"
+---
+
+Microsoft Entra ID can be configured as a SAML provider for use with Amazon Cognito. Integrating Entra ID enables you to sign in with your existing enterprise users, and maintain profiles unique to the Amplify Auth resource for use within your Amplify app. To learn more, visit the [Azure documentation for SAML authentication with Microsoft Entra ID](https://learn.microsoft.com/en-us/entra/architecture/auth-saml).
+
+> **Info:** **Note:** the following guidance showcases configuration with your [personal cloud sandbox](/[platform]/deploy-and-host/sandbox-environments/setup/). You will need to repeat the configuration steps for branch deployments after confirming functionality against your sandbox.
+
+## Start your personal cloud sandbox
+
+To get started, define your auth resource with the appropriate redirect URIs:
+
+```ts title="amplify/auth/resource.ts"
+import { defineAuth } from "@aws-amplify/backend"
+
+/**
+ * Define and configure your auth resource
+ * @see https://docs.amplify.aws/gen2/build-a-backend/auth
+ */
+export const auth = defineAuth({
+ loginWith: {
+ email: true,
+ externalProviders: {
+ logoutUrls: ["http://localhost:3000/come-back-soon"],
+ callbackUrls: ["http://localhost:3000/profile"],
+ },
+ },
+})
+```
+
+Deploy to your personal cloud sandbox with `npx ampx sandbox`. This will generate a domain you can use to configure your new Entra ID App. After deploying your changes successfully, copy the generated `domain` value from `amplify_outputs.json`
+
+```json title="amplify_outputs.json"
+{
+ "auth": {
+ "aws_region": "us-east-1",
+ "user_pool_id": "",
+ "user_pool_client_id": "",
+ "identity_pool_id": "",
+ "mfa_methods": [],
+ "standard_required_attributes": [
+ "email"
+ ],
+ "username_attributes": [
+ "email"
+ ],
+ "user_verification_types": [
+ "email"
+ ],
+ "mfa_configuration": "OFF",
+ "password_policy": {
+ "min_length": 8,
+ "require_numbers": true,
+ "require_lowercase": true,
+ "require_uppercase": true,
+ "require_symbols": true
+ },
+ "oauth": {
+ "identity_providers": [],
+ "redirect_sign_in_uri": [
+ "http://localhost:3000/profile"
+ ],
+ "redirect_sign_out_uri": [
+ "http://localhost:3000/come-back-soon"
+ ],
+ "response_type": "code",
+ "scopes": [
+ "phone",
+ "email",
+ "openid",
+ "profile",
+ "aws.cognito.signin.user.admin"
+ ],
+ // highlight-next-line
+ "domain": ".auth.us-east-1.amazoncognito.com"
+ },
+ },
+ "version": "1"
+}
+```
+
+## Set up Microsoft Entra ID
+
+Next, navigate to [portal.azure.com](https://portal.azure.com/), select **Entra ID**. In your default directory, or company's existing directory, under **Manage**, select **Enterprise Applications**
+
+
+
+Afterwards, select **New application**, then select **Create your own application**. Specify a name for the application and choose **Integrate any other application you don't find in the gallery (Non-gallery)**
+
+
+
+Now that you have created the new enterprise application you can begin to configure Single Sign-on with SAML. Select **Single sign-on**
+
+
+
+Then select **SAML**
+
+
+
+You will be directed to a page to set up single sign-on with SAML, which needs a few pieces of information from your Amplify Auth resource.
+
+
+
+In the **Basic SAML Configuration** step, select **Edit** and populate with the appropriate values.
+
+| Label | Value |
+|-------|-------|
+| Identifier (Entity ID) | `urn:amazon:cognito:sp:` |
+| Reply URL (Assertion Consumer Service URL) | `https:///saml2/idpresponse` |
+| Logout Url (Optional) | `https:///saml2/logout` |
+
+> **Info:** **Note:** Amazon Cognito redirect URIs for SAML providers follow the convention:
+>
+> ```text showLineNumbers={false}
+https://.auth..amazoncognito.com/saml2/
+```
+>
+> If you are using a custom domain the route remains the same: `/saml2/`. [Learn more about configuring Amazon Cognito with SAML identity providers](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-saml-idp.html)
+
+> **Warning:** **Warning:** there is a known limitation where upstream sign-out functionality successfully signs out of Entra ID, but fails to redirect back to the user app. This behavior is disabled by default with SAML integrations in Amplify Auth.
+
+Save the configuration and proceed to Step 3's **SAML Certificates** section. Copy the **App Federation Metadata Url**
+
+
+
+## Configure your backend with Entra ID
+
+Now that you've configured your SAML provider with Microsoft Entra ID and copied the **App Federation Metadata Url**, configure your auth resource with the new SAML provider and paste the URL value into the `metadataContent` property:
+
+```ts title="amplify/auth/resource.ts"
+import { defineAuth } from "@aws-amplify/backend"
+
+/**
+ * Define and configure your auth resource
+ * @see https://docs.amplify.aws/gen2/build-a-backend/auth
+ */
+export const auth = defineAuth({
+ loginWith: {
+ email: true,
+ externalProviders: {
+ saml: {
+ name: "MicrosoftEntraIDSAML",
+ metadata: {
+ metadataType: "URL",
+ metadataContent: "",
+ },
+ attributeMapping: {
+ email: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
+ },
+ },
+ logoutUrls: ["http://localhost:3000/come-back-soon"],
+ callbackUrls: ["http://localhost:3000/profile"],
+ },
+ },
+})
+```
+
+User attributes can be found in Step 2's **Attributes & Claims** section, and are prefixed with a namespace by default. The example above shows mapping the default claim for the SAML user's email address, however additional attributes can be mapped.
+
+## Optionally upload the Cognito Signing Certificate
+
+In the AWS Console, navigate to your Cognito User Pool. Select the identity provider, **MicrosoftEntraIDSAML**, created after configuring Amplify Auth with the Entra ID SAML provider. Select **View signing certificate** and **download as .crt**
+
+
+
+Rename the file extension to `.cer` in order to upload to Azure. On the **Single sign-on** page, scroll down to **Step 3** (**SAML Certificates**), and under **Verification Certificates (optional)**, select **Edit**.
+
+
+
+Select **Require verification certificates** and upload the certificate.
+
+
+
+Save your changes, and now requests to Entra ID from your Cognito User Pool will be verified.
+
+## Connect your frontend
+
+Now your users are ready to sign in with Microsoft Entra ID. To sign in with this custom provider, specify the provider name as the name specified in your auth resource definition: `MicrosoftEntraIDSAML`
+
+
+```ts title="main.ts"
+import { signInWithRedirect } from "aws-amplify/auth"
+
+signInWithRedirect({
+ provider: { custom: "MicrosoftEntraIDSAML" }
+})
+```
+
+
+
+#### [Java]
+
+```java
+Amplify.Auth.signInWithSocialWebUI(
+ AuthProvider.custom("MicrosoftEntraIDSAML")
+ this,
+ result -> Log.i("AuthQuickStart", result.toString()),
+ error -> Log.e("AuthQuickStart", error.toString())
+);
+```
+
+#### [Kotlin - Callbacks]
+
+```kotlin
+Amplify.Auth.signInWithSocialWebUI(
+ AuthProvider.custom("MicrosoftEntraIDSAML"),
+ this,
+ { Log.i("AuthQuickstart", "Sign in OK: $it") },
+ { Log.e("AuthQuickstart", "Sign in failed", it) }
+)
+```
+
+#### [Kotlin - Coroutines]
+
+```kotlin
+try {
+ val result = Amplify.Auth.signInWithSocialWebUI(AuthProvider.custom("MicrosoftEntraIDSAML"), this)
+ Log.i("AuthQuickstart", "Sign in OK: $result")
+} catch (error: AuthException) {
+ Log.e("AuthQuickstart", "Sign in failed", error)
+}
+```
+
+#### [RxJava]
+
+```java
+RxAmplify.Auth.signInWithSocialWebUI(AuthProvider.custom("MicrosoftEntraIDSAML"), this)
+ .subscribe(
+ result -> Log.i("AuthQuickstart", result.toString()),
+ error -> Log.e("AuthQuickstart", error.toString())
+ );
+```
+
+
+
+```dart
+Future signInWithMicrosoftEntraID() async {
+ try {
+ final result = await Amplify.Auth.signInWithWebUI(
+ provider: AuthProvider.custom("MicrosoftEntraIDSAML"),
+ );
+ safePrint('Sign in result: $result');
+ } on AuthException catch (e) {
+ safePrint('Error signing in: ${e.message}');
+ }
+}
+```
+
+
+
+#### [Async/Await]
+
+```swift
+func signInWithMicrosoftEntraID() async {
+ do {
+ let signInResult = try await Amplify.Auth.signInWithWebUI(
+ for: AuthProvider.custom("MicrosoftEntraIDSAML"),
+ presentationAnchor: self.view.window!
+ )
+ if signInResult.isSignedIn {
+ print("Sign in succeeded")
+ }
+ } catch let error as AuthError {
+ print("Sign in failed \(error)")
+ } catch {
+ print("Unexpected error: \(error)")
+ }
+}
+```
+
+#### [Combine]
+
+```swift
+func signInWithMicrosoftEntraID() -> AnyCancellable {
+ Amplify.Publisher.create {
+ try await Amplify.Auth.signInWithWebUI(
+ for: AuthProvider.custom("MicrosoftEntraIDSAML"),
+ presentationAnchor: self.view.window!
+ )
+ }
+ .sink { completion in
+ if case let .failure(authError) = completion {
+ print("Sign in failed \(authError)")
+ }
+ } receiveValue: { signInResult in
+ if signInResult.isSignedIn {
+ print("Sign in succeeded")
+ }
+ }
+}
+```
+
+
+
+---
+
+---
+title: "Grant access to auth resources"
+section: "build-a-backend/auth"
+platforms: ["android", "angular", "flutter", "javascript", "nextjs", "react", "react-native", "swift", "vue"]
+gen: 2
+last-updated: "2024-07-12T17:36:34.000Z"
+url: "https://docs.amplify.aws/react/build-a-backend/auth/grant-access-to-auth-resources/"
+---
+
+Amplify Auth can be defined with an `access` property, which allows other resources to interact with auth by specifying actions.
+
+```ts title="amplify/auth/resource.ts"
+import { defineAuth } from "@aws-amplify/backend"
+import { addUserToGroup } from "../functions/add-user-to-group/resource"
+
+/**
+ * Define and configure your auth resource
+ * @see https://docs.amplify.aws/gen2/build-a-backend/auth
+ */
+export const auth = defineAuth({
+ loginWith: {
+ email: true,
+ },
+ access: (allow) => [
+ allow.resource(addUserToGroup).to(["addUserToGroup"])
+ ],
+})
+```
+
+
+
+When you grant a function access to another resource in your Amplify backend it will configure environment variables for that function to make SDK calls to the AWS services it has access to. Those environment variables are typed and available as part of the `env` object.
+
+
+
+## List of actions
+
+|Action Name|Description|Cognito IAM Actions|
+|-|-|-|
+|manageUsers | Grants CRUD access to users in the UserPool | - cognito-idp:AdminConfirmSignUp
- cognito-idp:AdminCreateUser
- cognito-idp:AdminDeleteUser
- cognito-idp:AdminDeleteUserAttributes
- cognito-idp:AdminDisableUser
- cognito-idp:AdminEnableUser
- cognito-idp:AdminGetUser
- cognito-idp:AdminListGroupsForUser
- cognito-idp:AdminRespondToAuthChallenge
- cognito-idp:AdminSetUserMFAPreference
- cognito-idp:AdminSetUserSettings
- cognito-idp:AdminUpdateUserAttributes
- cognito-idp:AdminUserGlobalSignOut
|
+|manageGroupMembership | Grants permission to add and remove users from groups | - cognito-idp:AdminAddUserToGroup
- cognito-idp:AdminRemoveUserFromGroup
|
+|manageGroups | Grants CRUD access to groups in the UserPool | - cognito-idp:GetGroup
- cognito-idp:ListGroups
- cognito-idp:CreateGroup
- cognito-idp:DeleteGroup
- cognito-idp:UpdateGroup
|
+|manageUserDevices | Manages devices registered to users| - cognito-idp:AdminForgetDevice
- cognito-idp:AdminGetDevice
- cognito-idp:AdminListDevices
- cognito-idp:AdminUpdateDeviceStatus
|
+|managePasswordRecovery | Grants permission to reset user passwords | - cognito-idp:AdminResetUserPassword
- cognito-idp:AdminSetUserPassword
|
+|addUserToGroup | Grants permission to add any user to any group. | - cognito-idp:AdminAddUserToGroup
+|createUser | Grants permission to create new users and send welcome messages via email or SMS. | - cognito-idp:AdminCreateUser
+|deleteUser | Grants permission to delete any user | - cognito-idp:AdminDeleteUser
+|deleteUserAttributes | Grants permission to delete attributes from any user | - cognito-idp:AdminDeleteUserAttributes
+|disableUser | Grants permission to deactivate any user | - cognito-idp:AdminDisableUser
+|enableUser | Grants permission to activate any user | - cognito-idp:AdminEnableUser
+|forgetDevice | Grants permission to deregister any user's devices | - cognito-idp:AdminForgetDevice
+|getDevice | Grants permission to get information about any user's devices | - cognito-idp:AdminGetDevice
+|getUser | Grants permission to look up any user by user name | - cognito-idp:AdminGetUser
+|listUsers | Grants permission to list users and their basic details in the UserPool | - cognito-idp:ListUsers
+|listDevices | Grants permission to list any user's remembered devices | - cognito-idp:AdminListDevices
+|listGroupsForUser | Grants permission to list the groups that any user belongs to | - cognito-idp:AdminListGroupsForUser
+|listUsersInGroup | Grants permission to list users in the specified group | - cognito-idp:ListUsersInGroup
+|removeUserFromGroup | Grants permission to remove any user from any group | - cognito-idp:AdminRemoveUserFromGroup
+|resetUserPassword | Grants permission to reset any user's password | - cognito-idp:AdminResetUserPassword
+|setUserMfaPreference | Grants permission to set any user's preferred MFA method | - cognito-idp:AdminSetUserMFAPreference
+|setUserPassword | Grants permission to set any user's password | - cognito-idp:AdminSetUserPassword
+|setUserSettings | Grants permission to set user settings for any user | - cognito-idp:AdminSetUserSettings
+|updateDeviceStatus | Grants permission to update the status of any user's remembered devices | - cognito-idp:AdminUpdateDeviceStatus
+|updateUserAttributes | Grants permission to updates any user's standard or custom attributes | - cognito-idp:AdminUpdateUserAttributes
+
+---
+
+---
+title: "Modify Amplify-generated Cognito resources with CDK"
+section: "build-a-backend/auth"
+platforms: ["android", "angular", "flutter", "javascript", "nextjs", "react", "react-native", "swift", "vue"]
+gen: 2
+last-updated: "2025-12-03T11:13:25.000Z"
+url: "https://docs.amplify.aws/react/build-a-backend/auth/modify-resources-with-cdk/"
+---
+
+Amplify Auth provides sensible defaults for the underlying Amazon Cognito resource definitions. You can customize your authentication resource to enable it to behave exactly as needed for your use cases by modifying it directly using [AWS Cloud Development Kit (CDK)](https://aws.amazon.com/cdk/)
+
+## Override Cognito UserPool password policies
+
+You can override the password policy by using the L1 `cfnUserPool` construct and adding a `addPropertyOverride`.
+
+```ts title="amplify/backend.ts"
+import { defineBackend } from '@aws-amplify/backend';
+import { auth } from './auth/resource';
+
+const backend = defineBackend({
+ auth,
+});
+// extract L1 CfnUserPool resources
+const { cfnUserPool } = backend.auth.resources.cfnResources;
+// modify cfnUserPool policies directly
+cfnUserPool.policies = {
+ passwordPolicy: {
+ minimumLength: 10,
+ requireLowercase: true,
+ requireNumbers: true,
+ requireSymbols: true,
+ requireUppercase: true,
+ temporaryPasswordValidityDays: 20,
+ },
+};
+```
+
+
+## Override Cognito UserPool to enable passwordless sign-in methods
+
+> **Info:** **Recommended approach:** Passwordless authentication can now be configured directly in `defineAuth` without requiring CDK overrides. [Learn how to configure passwordless authentication](/[platform]/build-a-backend/auth/concepts/passwordless/).
+
+For advanced use cases, you can still modify the underlying Cognito user pool resource to enable sign in with passwordless methods using CDK overrides. [Learn more about passwordless sign-in methods](/[platform]/build-a-backend/auth/concepts/passwordless/).
+
+You can also read more about how passwordless authentication flows are implemented in the [Cognito documentation](https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-authentication-flow-methods.html).
+
+```ts title="amplify/backend.ts"
+import { defineBackend } from "@aws-amplify/backend"
+import { auth } from "./auth/resource"
+
+const backend = defineBackend({
+ auth,
+})
+
+const { cfnResources } = backend.auth.resources;
+const { cfnUserPool, cfnUserPoolClient } = cfnResources;
+
+// Specify which authentication factors you want to allow with USER_AUTH
+cfnUserPool.addPropertyOverride(
+ 'Policies.SignInPolicy.AllowedFirstAuthFactors',
+ ['PASSWORD', 'WEB_AUTHN', 'EMAIL_OTP', 'SMS_OTP']
+);
+
+// The USER_AUTH flow is used for passwordless sign in
+cfnUserPoolClient.explicitAuthFlows = [
+ 'ALLOW_REFRESH_TOKEN_AUTH',
+ 'ALLOW_USER_AUTH'
+];
+
+/* Needed for WebAuthn */
+// The WebAuthnRelyingPartyID is the domain of your relying party, e.g. "example.domain.com"
+cfnUserPool.addPropertyOverride('WebAuthnRelyingPartyID', '');
+cfnUserPool.addPropertyOverride('WebAuthnUserVerification', 'preferred');
+```
+
+
+---
+
+---
+title: "Moving to production"
+section: "build-a-backend/auth"
+platforms: ["android", "angular", "flutter", "javascript", "nextjs", "react", "react-native", "swift", "vue"]
+gen: 2
+last-updated: "2024-10-10T22:55:38.000Z"
+url: "https://docs.amplify.aws/react/build-a-backend/auth/moving-to-production/"
+---
+
+Amplify Auth provisions [Amazon Cognito](https://aws.amazon.com/cognito/) resources that are provisioned with limited capabilities for sending email and SMS messages. In its default state, it is not intended to handle production workloads, but is sufficient for developing your application and associated business logic.
+
+## Email
+
+Cognito provides a [default email functionality](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-email.html#user-pool-email-default) that limits how many emails can be sent in one day. When considering production workloads, Cognito can be configured to send emails using [Amazon Simple Email Service (Amazon SES)](https://aws.amazon.com/ses/).
+
+> **Warning:** All new AWS accounts default to a "sandbox" status with Amazon SES. This comes with the primary caveat that you can only send mail **to** verified email addresses and domains
+
+To get started with Amazon SES in production, you must first [request production access](https://docs.aws.amazon.com/ses/latest/dg/request-production-access.html). Once you submit your request the submission cannot be modified, however you will receive a response from AWS within 24 hours.
+
+After you have configured your account for production access and have verified your _sender_ email, you can configure your Cognito user pool to send emails using the verified sender:
+
+```ts title="amplify/auth/resource.ts"
+import { defineAuth } from "@aws-amplify/backend"
+
+/**
+ * Define and configure your auth resource
+ * @see https://docs.amplify.aws/react/build-a-backend/auth
+ */
+export const auth = defineAuth({
+ loginWith: {
+ email: true,
+ },
+ senders: {
+ email: {
+ // configure using the email registered and verified in Amazon SES
+ fromEmail: "registrations@example.com",
+ },
+ },
+})
+```
+
+Now when emails are sent on new user sign-ups, password resets, etc., the sending account will be your verified email! To customize further, you can change the display name of the sender, or optionally apply a custom address for your users to reply.
+
+```ts title="amplify/auth/resource.ts"
+import { defineAuth } from "@aws-amplify/backend"
+
+/**
+ * Define and configure your auth resource
+ * @see https://docs.amplify.aws/react/build-a-backend/auth
+ */
+export const auth = defineAuth({
+ loginWith: {
+ email: true,
+ },
+ senders: {
+ email: {
+ fromEmail: "registrations@example.com",
+ // highlight-start
+ fromName: "MyApp",
+ replyTo: "inquiries@example.com"
+ // highlight-end
+ },
+ },
+})
+```
+
+## SMS
+
+In order to send SMS authentication codes, you must [request an origination number](https://docs.aws.amazon.com/pinpoint/latest/userguide/settings-request-number.html). Authentication codes will be sent from the origination number. If your AWS account is in the SMS sandbox, you must also add a destination phone number, which can be done by going to the [Amazon Pinpoint Console](https://console.aws.amazon.com/pinpoint/), selecting SMS and voice in the navigation pane, and selecting Add phone number in the Destination phone numbers tab. To check if your AWS account is in the SMS sandbox, go to the [SNS console](https://console.aws.amazon.com/sns/), select the Text messaging (SMS) tab from the navigation pane, and check the status under the Account information section.
+
+---
+
+---
+title: "Advanced workflows"
+section: "build-a-backend/auth"
+platforms: ["javascript", "react-native", "flutter", "swift", "android", "angular", "nextjs", "react", "vue"]
+gen: 2
+last-updated: "2025-11-19T19:55:05.000Z"
+url: "https://docs.amplify.aws/react/build-a-backend/auth/advanced-workflows/"
+---
+
+
+## Identity Pool Federation
+
+With identity federation, you don't need to create custom sign-in code or manage your own user identities. Instead, users of your app can sign in using a well-known external identity
+provider (IdP), such as Login with Amazon, Facebook, Google, or any other OpenID Connect (OIDC)-compatible IdP. They can receive an authentication token, and then exchange that token for
+temporary security credentials in AWS that map to an IAM role with permissions to use the resources in your AWS account. Using an IdP helps you keep your AWS account secure because you
+don't have to embed and distribute long-term security credentials with your application.
+
+Imagine that you are creating a mobile app that accesses AWS resources, such as a game that runs on a mobile device and stores player and score information using Amazon S3 and DynamoDB.
+
+When you write such an app, you make requests to AWS services that must be signed with an AWS access key. However, we strongly recommend that you do not embed or distribute long-term
+AWS credentials with apps that a user downloads to a device, even in an encrypted store. Instead, build your app so that it requests temporary AWS security credentials dynamically when
+needed using identity federation. The supplied temporary credentials map to an AWS role that has only the permissions needed to perform the tasks required by the mobile app.
+
+You can use `federateToIdentityPool` to get AWS credentials directly from Cognito Federated Identities and not use User Pool federation. If you logged in with `Auth.signIn` you **cannot**
+call `federateToIdentityPool` as Amplify will perform this federation automatically for you in the background. In general, you should only call `Auth.federatedSignIn()` when using OAuth flows.
+
+You can use the escape hatch API `federateToIdentityPool` with a valid token from other social providers.
+
+```dart
+final cognitoPlugin =
+ Amplify.Auth.getPlugin(AmplifyAuthCognito.pluginKey);
+const googleIdToken = 'idToken';
+final session = await cognitoPlugin.federateToIdentityPool(
+ token: googleIdToken,
+ provider: AuthProvider.google,
+);
+```
+
+
+
+Note that when federated, APIs such as `Auth.getCurrentUser` will throw an error as the user is not authenticated with User Pools.
+
+
+
+### Retrieve Session
+
+After federated login, you can retrieve the session using the `Auth.fetchAuthSession` API.
+
+### Token Refresh
+
+
+
+Automatic authentication token refresh is NOT supported when federated.
+
+
+
+By default, Amplify will **NOT** automatically refresh the tokens from the federated providers. You will need to handle the token refresh logic and provide the new token to the `federateToIdentityPool` API.
+
+### Clear Session
+
+You can clear the federated session using the `clearFederationToIdentityPool` API.
+
+```dart
+final cognitoPlugin =
+ Amplify.Auth.getPlugin(AmplifyAuthCognito.pluginKey);
+await cognitoPlugin.clearFederationToIdentityPool();
+```
+
+
+
+`clearFederationToIdentityPool` will only clear the session from the local cache; the developer needs to handle signing out from the federated identity provider.
+
+
+
+### Provide Custom Identity ID
+
+You can provide a custom identity ID to the `federateToIdentityPool` API. This is useful when you want to use the same identity ID across multiple sessions.
+
+```dart
+final cognitoPlugin =
+ Amplify.Auth.getPlugin(AmplifyAuthCognito.pluginKey);
+const googleIdToken = 'idToken';
+const identityId = 'us-west-2:b4cd4809-7ab1-42e1-b044-07dab9eaa768';
+final session = await cognitoPlugin.federateToIdentityPool(
+ token: googleIdToken,
+ provider: AuthProvider.google,
+ options: FederateToIdentityPoolOptions(
+ developerProvidedIdentityId: identityId,
+ ),
+);
+```
+
+
+## Subscribing Events
+
+You can take specific actions when users sign-in or sign-out by subscribing to authentication events in your app. Please see our [Hub Module Developer Guide](/[platform]/build-a-backend/auth/connect-your-frontend/listen-to-auth-events/) for more information.
+
+## Identity Pool Federation
+
+Imagine that you are creating a mobile app that accesses AWS resources, such as a game that runs on a mobile device and stores player and score information using Amazon S3 and DynamoDB.
+
+When you write such an app, you make requests to AWS services that must be signed with an AWS access key. However, we strongly recommend that you do not embed or distribute long-term AWS credentials with apps that a user downloads to a device, even in an encrypted store. Instead, build your app so that it requests temporary AWS security credentials dynamically when needed using web identity federation. The supplied temporary credentials map to an AWS role that has only the permissions needed to perform the tasks required by the mobile app.
+
+With web identity federation, you don't need to create custom sign-in code or manage your own user identities. Instead, users of your app can sign in using a well-known external identity provider (IdP), such as Login with Amazon, Facebook, Google, or any other OpenID Connect (OIDC)-compatible IdP. They can receive an authentication token, and then exchange that token for temporary security credentials in AWS that map to an IAM role with permissions to use the resources in your AWS account. Using an IdP helps you keep your AWS account secure because you don't have to embed and distribute long-term security credentials with your application.
+
+You can use `federateToIdentityPool` to get AWS credentials directly from Cognito Federated Identities and not use User Pool federation. If you logged in with `Auth.signIn` you **cannot** call `federateToIdentityPool` as Amplify will perform this federation automatically for you in the background. In general, you should only call `Auth.federatedSignIn()` when using OAuth flows.
+
+You can use the escape hatch API `federateToIdentityPool` with a valid token from other social providers.
+
+#### [Java]
+
+```java
+if (Amplify.Auth.getPlugin("awsCognitoAuthPlugin") instanceof AWSCognitoAuthPlugin) {
+ AWSCognitoAuthPlugin plugin = (AWSCognitoAuthPlugin) Amplify.Auth.getPlugin("awsCognitoAuthPlugin");
+ plugin.federateToIdentityPool(
+ "YOUR_TOKEN",
+ AuthProvider.facebook(),
+ result -> {
+ Log.i("AuthQuickstart", "Successful federation to Identity Pool.");
+ // use result.getCredentials()
+ },
+ e -> {
+ Log.e("AuthQuickstart", "Failed to federate to Identity Pool.", e)
+ }
+ );
+}
+```
+
+#### [Kotlin - Callbacks]
+
+```kotlin
+(Amplify.Auth.getPlugin("awsCognitoAuthPlugin") as? AWSCognitoAuthPlugin)?.let { plugin ->
+ plugin.federateToIdentityPool(
+ "YOUR_TOKEN",
+ AuthProvider.facebook(),
+ {
+ Log.i("AuthQuickstart", "Successful federation to Identity Pool.")
+ // use "it.credentials"
+ },
+ {
+ Log.e("AuthQuickstart", "Failed to federate to Identity Pool.", it)
+ }
+ )
+}
+```
+
+
+Note that when federated, APIs such as Auth.getCurrentUser will throw an error as the user is not authenticated with User Pools.
+
+
+### Retrieve Session
+
+After federated login, you can retrieve the session using the `Auth.fetchAuthSession` API.
+
+### Token Refresh
+
+
+Automatic authentication token refresh is NOT supported when federated.
+
+
+By default, Amplify will **NOT** automatically refresh the tokens from the federated providers. You will need to handle the token refresh logic and provide the new token to the `federateToIdentityPool` API.
+
+### Clear Session
+
+You can clear the federated session using the `clearFederationToIdentityPool` API.
+
+#### [Java]
+
+```java
+if (Amplify.Auth.getPlugin("awsCognitoAuthPlugin") instanceof AWSCognitoAuthPlugin) {
+ AWSCognitoAuthPlugin plugin = (AWSCognitoAuthPlugin) Amplify.Auth.getPlugin("awsCognitoAuthPlugin");
+ plugin.clearFederationToIdentityPool(
+ () -> Log.i("AuthQuickstart", "Federation cleared successfully."),
+ e -> Log.e("AuthQuickstart", "Failed to clear federation.", e)
+ );
+}
+```
+
+#### [Kotlin - Callbacks]
+
+```kotlin
+(Amplify.Auth.getPlugin("awsCognitoAuthPlugin") as? AWSCognitoAuthPlugin)?.let { plugin ->
+ plugin.clearFederationToIdentityPool(
+ { Log.i("AuthQuickstart", "Federation cleared successfully.") },
+ { Log.e("AuthQuickstart", "Failed to clear federation.", it) }
+ )
+}
+```
+
+
+`clearFederationToIdentityPool` will only clear the session from the local cache, the developer needs to handle signing out from the federated provider.
+
+
+### Provide Custom Identity Id
+
+You can provide a custom identity id to the `federateToIdentityPool` API. This is useful when you want to use the same identity id across multiple devices.
+
+#### [Java]
+
+```java
+FederateToIdentityPoolOptions options = FederateToIdentityPoolOptions.builder()
+ .developerProvidedIdentityId("YOUR_CUSTOM_IDENTITY_ID")
+ .build();
+
+if (Amplify.Auth.getPlugin("awsCognitoAuthPlugin") instanceof AWSCognitoAuthPlugin) {
+ AWSCognitoAuthPlugin plugin = (AWSCognitoAuthPlugin) Amplify.Auth.getPlugin("awsCognitoAuthPlugin");
+ plugin.federateToIdentityPool(
+ "YOUR_TOKEN",
+ AuthProvider.facebook(),
+ options,
+ result -> {
+ Log.i("AuthQuickstart", "Successful federation to Identity Pool.");
+ // use result.getCredentials()
+ },
+ e -> {
+ Log.e("AuthQuickstart", "Failed to federate to Identity Pool.", e)
+ }
+ );
+}
+```
+
+#### [Kotlin - Callbacks]
+
+```kotlin
+val options = FederateToIdentityPoolOptions.builder()
+ .developerProvidedIdentityId("YOUR_CUSTOM_IDENTITY_ID")
+ .build()
+
+(Amplify.Auth.getPlugin("awsCognitoAuthPlugin") as? AWSCognitoAuthPlugin)?.let { plugin ->
+ plugin.federateToIdentityPool(
+ "YOUR_TOKEN",
+ AuthProvider.facebook(),
+ options,
+ {
+ Log.i("AuthQuickstart", "Successful federation to Identity Pool.")
+ // use "it.credentials"
+ },
+ {
+ Log.e("AuthQuickstart", "Failed to federate to Identity Pool.", it)
+ }
+ )
+}
+```
+
+
+
+## Subscribing Events
+
+You can take specific actions when users sign-in or sign-out by subscribing authentication events in your app. Please see our [Hub Module Developer Guide](/[platform]/build-a-backend/auth/connect-your-frontend/listen-to-auth-events/) for more information.
+
+## Identity Pool Federation
+
+Imagine that you are creating a mobile app that accesses AWS resources, such as a game that runs on a mobile device and stores player and score information using Amazon S3 and DynamoDB.
+
+When you write such an app, you make requests to AWS services that must be signed with an AWS access key. However, we strongly recommend that you do not embed or distribute long-term AWS credentials with apps that a user downloads to a device, even in an encrypted store. Instead, build your app so that it requests temporary AWS security credentials dynamically when needed using web identity federation. The supplied temporary credentials map to an AWS role that has only the permissions needed to perform the tasks required by the mobile app.
+
+With web identity federation, you don't need to create custom sign-in code or manage your own user identities. Instead, users of your app can sign in using a well-known external identity provider (IdP), such as Login with Amazon, Facebook, Google, or any other OpenID Connect (OIDC)-compatible IdP. They can receive an authentication token, and then exchange that token for temporary security credentials in AWS that map to an IAM role with permissions to use the resources in your AWS account. Using an IdP helps you keep your AWS account secure, because you don't have to embed and distribute long-term security credentials with your application.
+
+You can use `federateToIdentityPool` to get AWS credentials directly from Cognito Federated Identities and not use User Pool federation. If you have logged in with `Auth.signIn` you **can not** call `federateToIdentityPool` as Amplify will perform this federation automatically for you in the background. In general, you should only call `Auth.federateToIdentityPool` when using OAuth flows.
+
+You can use the escape hatch API `federateToIdentityPool` with a valid token from other social providers.
+
+```swift
+func federateToIdentityPools() async throws {
+ guard let authCognitoPlugin = try Amplify.Auth.getPlugin(
+ for: "awsCognitoAuthPlugin") as? AWSCognitoAuthPlugin else {
+ fatalError("Unable to get the Auth plugin")
+ }
+ do {
+ let result = try await authCognitoPlugin.federateToIdentityPool(
+ withProviderToken: "YOUR_TOKEN", for: .facebook)
+ print("Federation successful with result: \(result)")
+ } catch {
+ print("Failed to federate to identity pools with error: \(error)")
+ }
+}
+```
+
+
+Note that when federated, API's such as Auth.getCurrentUser() will throw an error as the user is not authenticated with User Pools.
+
+
+### Retrieve Session
+
+After federated login, you can retrieve session using the `Auth.fetchAuthSession` API.
+
+### Token Refresh
+
+
+NOTE: Automatic authentication token refresh is NOT supported when federated.
+
+
+By default, Amplify will **NOT** automatically refresh the tokens from the federated providers. You will need to handle the token refresh logic and provide the new token to the `federateToIdentityPool` API.
+
+### Clear Session
+
+You can clear the federated session using the `clearFederationToIdentityPool` API.
+
+```swift
+func clearFederationToIdentityPools() async throws {
+ guard let authCognitoPlugin = try Amplify.Auth.getPlugin(
+ for: "awsCognitoAuthPlugin") as? AWSCognitoAuthPlugin else {
+ fatalError("Unable to get the Auth plugin")
+ }
+ do {
+ try await authCognitoPlugin.clearFederationToIdentityPool()
+ print("Federation cleared successfully")
+ } catch {
+ print("Clear federation failed with error: \(error)")
+ }
+}
+```
+
+
+clearFederationToIdentityPool will only clear the session from local cache, developer need to handle signing out from the federated provider.
+
+
+### Provide Custom Identity Id
+
+You can provide a custom identity id to the `federateToIdentityPool` API. This is useful when you want to use the same identity id across multiple devices.
+
+```swift
+func federateToIdentityPoolsUsingCustomIdentityId() async throws {
+ guard let authCognitoPlugin = try Amplify.Auth.getPlugin(
+ for: "awsCognitoAuthPlugin") as? AWSCognitoAuthPlugin else {
+ fatalError("Unable to get the Auth plugin")
+ }
+ do {
+ let identityId = "YOUR_CUSTOM_IDENTITY_ID"
+ let result = try await authCognitoPlugin.federateToIdentityPool(
+ withProviderToken: "YOUR_TOKEN",
+ for: .facebook,
+ options: .init(developerProvidedIdentityID: identityId))
+ print("Federation successful with result: \(result)")
+ } catch {
+ print("Failed to federate to identity pools with error: \(error)")
+ }
+}
+```
+
+## Keychain Sharing
+
+### Migrating to a Shared Keychain
+
+To use a shared keychain:
+
+1. In Xcode, go to Project Settings β Your Target β Signing & Capabilities
+2. Select +Capability
+3. Add Keychain Sharing capability
+4. Add a keychain group
+5. Repeat for all apps for which you want to share auth state, adding the same keychain group for all of them
+
+To move to the shared keychain using this new keychain access group, specify the `accessGroup` parameter when instantiating the `AWSCognitoAuthPlugin`. If a user is currently signed in, they will be signed out when first using the access group:
+
+```swift
+let accessGroup = AccessGroup(name: "\(teamID)com.example.sharedItems")
+let secureStoragePreferences = AWSCognitoSecureStoragePreferences(
+ accessGroup: accessGroup)
+try Amplify.add(
+ plugin: AWSCognitoAuthPlugin(
+ secureStoragePreferences: secureStoragePreferences))
+try Amplify.configure()
+```
+
+If you would prefer the user session to be migrated (which will allow the user to continue to be signed in), then specify the `migrateKeychainItemsOfUserSession` boolean in the AccessGroup to be true like so:
+
+```swift
+let accessGroup = AccessGroup(
+ name: "\(teamID)com.example.sharedItems",
+ migrateKeychainItemsOfUserSession: true)
+let secureStoragePreferences = AWSCognitoSecureStoragePreferences(
+ accessGroup: accessGroup)
+try Amplify.add(
+ plugin: AWSCognitoAuthPlugin(
+ secureStoragePreferences: secureStoragePreferences))
+try Amplify.configure()
+```
+
+Sign in a user with any sign-in method within one app that uses this access group. After reloading another app that uses this access group, the user will be signed in. Likewise, signing out of one app will sign out the other app after reloading it.
+
+### Migrating to another Shared Keychain
+
+To move to a different access group, update the name parameter of the AccessGroup to be the new access group. Set `migrateKeychainItemsOfUserSession` to `true` to migrate an existing user session under the previously used access group.
+
+### Migrating from a Shared Keychain
+
+If you'd like to stop sharing state between this app and other apps, you can set the access group to be `AccessGroup.none` or `AccessGroup.none(migrateKeychainItemsOfUserSession: true)` if you'd like the session to be migrated.
+
+### Retrieving Team ID
+
+First, ensure your Info.plist has the `AppIdentifierPrefix` key:
+
+```xml title="Info.plist"
+
+
+
+
+ AppIdentifierPrefix
+ $(AppIdentifierPrefix)
+
+
+```
+
+Then, you can retrieve the team ID from your Info.plist:
+
+```swift
+guard let teamID = Bundle.main.infoDictionary?["AppIdentifierPrefix"] as? String else {
+ fatalError("AppIdentifierPrefix key not found in Info.plist")
+}
+```
+
+
+## Subscribing to Events
+
+You can take specific actions when users sign-in or sign-out by subscribing to authentication events in your app. Please see our [Hub Module Developer Guide](/[platform]/build-a-backend/auth/connect-your-frontend/listen-to-auth-events/) for more information.
+
+## Identity Pool Federation
+
+You can alternatively create your own custom credentials provider to get AWS credentials directly from Cognito Federated Identities and not use User Pool federation. You must supply the custom credentials provider to Amplify via the `Amplify.configure` method call. Below, you can see sample code of how such a custom provider can be built to achieve the use case.
+
+```js
+import { Amplify } from 'aws-amplify';
+import {
+ fetchAuthSession,
+ CredentialsAndIdentityIdProvider,
+ CredentialsAndIdentityId,
+ GetCredentialsOptions,
+ AuthTokens,
+} from 'aws-amplify/auth';
+
+// Note: This example requires installing `@aws-sdk/client-cognito-identity` to obtain Cognito credentials
+// npm add @aws-sdk/client-cognito-identity
+import { CognitoIdentity } from '@aws-sdk/client-cognito-identity';
+
+// You can make use of the sdk to get identityId and credentials
+const cognitoidentity = new CognitoIdentity({
+ region: '',
+});
+
+// Note: The custom provider class must implement CredentialsAndIdentityIdProvider
+class CustomCredentialsProvider implements CredentialsAndIdentityIdProvider {
+
+ // Example class member that holds the login information
+ federatedLogin?: {
+ domain: string,
+ token: string
+ };
+
+ // Custom method to load the federated login information
+ loadFederatedLogin(login?: typeof this.federatedLogin) {
+ // You may also persist this by caching if needed
+ this.federatedLogin = login;
+ }
+
+ async getCredentialsAndIdentityId(
+ getCredentialsOptions: GetCredentialsOptions
+ ): Promise {
+ try {
+
+ // You can add in some validation to check if the token is available before proceeding
+ // You can also refresh the token if it's expired before proceeding
+
+ const getIdResult = await cognitoidentity.getId({
+ // Get the identityPoolId from config
+ IdentityPoolId: '',
+ Logins: { [this.federatedLogin.domain]: this.federatedLogin.token },
+ });
+
+ const cognitoCredentialsResult = await cognitoidentity.getCredentialsForIdentity({
+ IdentityId: getIdResult.IdentityId,
+ Logins: { [this.federatedLogin.domain]: this.federatedLogin.token },
+ });
+
+ const credentials: CredentialsAndIdentityId = {
+ credentials: {
+ accessKeyId: cognitoCredentialsResult.Credentials?.AccessKeyId,
+ secretAccessKey: cognitoCredentialsResult.Credentials?.SecretKey,
+ sessionToken: cognitoCredentialsResult.Credentials?.SessionToken,
+ expiration: cognitoCredentialsResult.Credentials?.Expiration,
+ },
+ identityId: getIdResult.IdentityId,
+ };
+ return credentials;
+ } catch (e) {
+ console.log('Error getting credentials: ', e);
+ }
+ }
+ // Implement this to clear any cached credentials and identityId. This can be called when signing out of the federation service.
+ clearCredentialsAndIdentityId(): void {}
+}
+
+// Create an instance of your custom provider
+const customCredentialsProvider = new CustomCredentialsProvider();
+Amplify.configure(awsconfig, {
+ Auth: {
+ // Supply the custom credentials provider to Amplify
+ credentialsProvider: customCredentialsProvider
+ },
+});
+
+```
+
+Now that the custom credentials provider is built and supplied to `Amplify.configure`, let's look at how you can use the custom credentials provider to finish federation into Cognito identity pool.
+
+
+### Facebook Sign-in (React Native - Expo)
+
+```javascript
+import Expo from 'expo';
+import React from 'react';
+import { fetchAuthSession } from 'aws-amplify/auth';
+
+const App = () => {
+ const signIn = async () => {
+ const { type, token, expires } =
+ await Expo.Facebook.logInWithReadPermissionsAsync(
+ 'YOUR_FACEBOOK_APP_ID',
+ {
+ permissions: ['public_profile']
+ }
+ );
+ if (type === 'success') {
+ // sign in with federated identity
+ try {
+ customCredentialsProvider.loadFederatedLogin({
+ domain: 'graph.facebook.com',
+ token: token
+ });
+ const fetchSessionResult = await fetchAuthSession(); // will return the credentials
+ console.log('fetchSessionResult: ', fetchSessionResult);
+ } catch (err) {
+ console.log(err);
+ }
+ }
+ };
+
+ // ...
+
+ return (
+
+
+
+ );
+};
+```
+
+
+
+### Facebook sign-in (React)
+
+```js
+import React, { useEffect } from 'react';
+import {
+ fetchAuthSession,
+} from 'aws-amplify/auth';
+
+// To federated sign in from Facebook
+const SignInWithFacebook = () => {
+
+ useEffect(() => {
+ if (!window.FB) createScript();
+ }, [])
+
+ const signIn = () => {
+ const fb = window.FB;
+ fb.getLoginStatus(response => {
+ if (response.status === 'connected') {
+ getAWSCredentials(response.authResponse);
+ } else {
+ fb.login(
+ response => {
+ if (!response || !response.authResponse) {
+ return;
+ }
+ customCredentialsProvider.loadFederatedLogin({
+ domain: 'graph.facebook.com',
+ token: response.authResponse.accessToken,
+ });
+ const fetchSessionResult = await fetchAuthSession(); // will return the credentials
+ console.log('fetchSessionResult: ', fetchSessionResult);
+ },
+ {
+ // the authorized scopes
+ scope: 'public_profile,email'
+ }
+ );
+ }
+ });
+ }
+
+ const createScript = () => {
+ // load the sdk
+ window.fbAsyncInit = fbAsyncInit;
+ const script = document.createElement('script');
+ script.src = 'https://connect.facebook.net/en_US/sdk.js';
+ script.async = true;
+ script.onload = initFB;
+ document.body.appendChild(script);
+ }
+
+ const initFB = () => {
+ const fb = window.FB;
+ console.log('FB SDK initialized');
+ }
+
+ const fbAsyncInit = () => {
+ // init the fb sdk client
+ const fb = window.FB;
+ fb.init({
+ appId : 'your_facebook_app_id',
+ cookie : true,
+ xfbml : true,
+ version : 'v2.11'
+ });
+ }
+
+ return (
+
+
+
+ );
+}
+```
+
+### Google sign-in (React)
+
+```jsx
+import React, { useEffect } from 'react';
+import jwt from 'jwt-decode';
+import {
+ fetchAuthSession,
+} from 'aws-amplify/auth';
+
+const SignInWithGoogle = () => {
+ useEffect(() => {
+ // Check for an existing Google client initialization
+ if (!window.google?.accounts) createScript();
+ }, []);
+
+ // Load the Google client
+ const createScript = () => {
+ const script = document.createElement('script');
+ script.src = 'https://accounts.google.com/gsi/client';
+ script.async = true;
+ script.defer = true;
+ script.onload = initGsi;
+ document.body.appendChild(script);
+ }
+
+ // Initialize Google client and render Google button
+ const initGsi = () => {
+ if (window.google?.accounts) {
+ window.google.accounts.id.initialize({
+ client_id: process.env.GOOGLE_CLIENT_ID,
+ callback: (response: any) => {
+ customCredentialsProvider.loadFederatedLogin({
+ domain: 'accounts.google.com',
+ token: response.credential,
+ });
+ const fetchSessionResult = await fetchAuthSession(); // will return the credentials
+ console.log('fetchSessionResult: ', fetchSessionResult);
+ },
+ });
+ window.google.accounts.id.renderButton(
+ document.getElementById('googleSignInButton'),
+ { theme: 'outline', size: 'large' }
+ );
+ }
+ }
+
+ return (
+
+
+
+ );
+}
+```
+
+### Federate with Auth0
+
+You can use `Auth0` as one of the providers of your Cognito Identity Pool. This will allow users authenticated via Auth0 have access to your AWS resources.
+
+Step 1. [Follow Auth0 integration instructions for Cognito Federated Identity Pools](https://auth0.com/docs/customize/integrations/aws/amazon-cognito)
+
+Step 2. Login with `Auth0`, then use the id token returned to get AWS credentials from `Cognito Federated Identity Pools` using custom credentials provider you created at the start:
+
+```js
+import { fetchAuthSession } from 'aws-amplify/auth';
+
+const { idToken, domain, name, email, phoneNumber } = getFromAuth0(); // get the user credentials and info from auth0
+
+async function getCognitoCredentials() {
+ try {
+ customCredentialsProvider.loadFederatedLogin({
+ domain,
+ token: idToken
+ });
+ const fetchSessionResult = await fetchAuthSession(); // will return the credentials
+ console.log('fetchSessionResult: ', fetchSessionResult);
+ } catch (err) {
+ console.log(err);
+ }
+}
+```
+
+
+## Lambda Triggers
+
+With the triggers property of defineAuth and defineFunction from the new Functions implementation, you can define [Lambda Triggers](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html) for your Cognito User Pool. These enable you to add custom functionality to your registration and authentication flows. [Check out a preSignUp hook example here.](/[platform]/build-a-backend/functions/examples/email-domain-filtering/)
+
+### Pre Authentication and Pre Sign-up Lambda triggers
+
+If you have a Pre Authentication Lambda trigger enabled, you can pass `clientMetadata` as an option for `signIn`. This metadata can be used to implement additional validations around authentication.
+
+```ts
+import { signIn } from 'aws-amplify/auth';
+
+async function handleSignIn(username: string, password: string) {
+ try {
+ await signIn({
+ username,
+ password,
+ options: {
+ clientMetadata: {} // Optional, an object of key-value pairs which can contain any key and will be passed to your Lambda trigger as-is.
+ }
+ });
+ } catch (err) {
+ console.log(err);
+ }
+}
+```
+
+### Passing metadata to other Lambda triggers
+
+Many Cognito Lambda Triggers also accept unsanitized key/value pairs in the form of a `clientMetadata` attribute. This attribute can be specified for various Auth APIs which result in Cognito Lambda Trigger execution.
+
+These APIs include:
+
+- `signIn`
+- `signUp`
+- `confirmSignIn`
+- `confirmSignUp`
+- `resetPassword`
+- `confirmResetPassword`
+- `resendSignUpCode`
+- `updateUserAttributes`
+- `fetchAuthSession`
+
+Additionally, you can configure a `ClientMetadataProvider` which passes the `clientMetadata` to internal `fetchAuthSession` calls:
+
+```javascript
+// Set global clientMetadata (affects all token refreshes)
+import { cognitoUserPoolsTokenProvider } from 'aws-amplify/auth/cognito';
+
+const clientMetadataProvider = () => Promise.resolve({
+ 'app-version': '1.0.0',
+ 'device-type': 'mobile'
+});
+
+cognitoUserPoolsTokenProvider.setClientMetadataProvider(clientMetadataProvider);
+```
+
+Please note that some of triggers which accept a `validationData` attribute will use `clientMetadata` as the value for `validationData`. Exercise caution with using `clientMetadata` when you are relying on `validationData`.
+
+## Working with AWS service objects
+
+You can use AWS _Service Interface Objects_ to work with AWS Services in authenticated State. You can call methods on any AWS Service interface object by passing your credentials from Amplify `fetchAuthSession` to the service call constructor:
+
+```javascript
+import { fetchAuthSession } from 'aws-amplify/auth';
+import Route53 from 'aws-sdk/clients/route53';
+
+async function changeResourceRecordSets() {
+ try {
+ const { credentials } = await fetchAuthSession();
+
+ const route53 = new Route53({
+ apiVersion: '2013-04-01',
+ credentials
+ });
+
+ // more code working with route53 object
+ //route53.changeResourceRecordSets();
+ } catch (err) {
+ console.log(err);
+ }
+}
+```
+
+> **Warning:** Note: To work with Service Interface Objects, your Amazon Cognito users' [IAM role](https://docs.aws.amazon.com/cognito/latest/developerguide/iam-roles.html) must have the appropriate permissions to call the requested services.
+
+## Custom Token providers
+
+Create a custom Auth token provider for situations where you would like provide your own tokens for a service. For example, using OIDC Auth with AppSync. You must supply the token provider to Amplify via the `Amplify.configure` method call. Below, you can see sample code of how such a custom provider can be built to achieve the use case.
+
+```javascript
+import { Amplify } from 'aws-amplify';
+import { TokenProvider, decodeJWT } from 'aws-amplify/auth';
+
+// ...
+
+const myTokenProvider: TokenProvider = {
+ async getTokens({ forceRefresh } = {}) {
+ if (forceRefresh) {
+ // try to obtain new tokens if possible
+ }
+
+ const accessTokenString = '';
+ const idTokenString = '';
+
+ return {
+ accessToken: decodeJWT(accessTokenString),
+ idToken: decodeJWT(idTokenString),
+ };
+ },
+};
+
+Amplify.configure(awsconfig, {
+ Auth: {
+ tokenProvider: myTokenProvider
+ }
+});
+
+```
+## API reference
+
+For the complete API documentation for Authentication module, visit our [API Reference](https://aws-amplify.github.io/amplify-js/api/modules/aws_amplify.auth.html)
+
+
+---
+
+---
+title: "Use existing Cognito resources"
+section: "build-a-backend/auth"
+platforms: ["android", "angular", "flutter", "javascript", "nextjs", "react", "react-native", "swift", "vue"]
+gen: 2
+last-updated: "2025-02-19T23:36:30.000Z"
+url: "https://docs.amplify.aws/react/build-a-backend/auth/use-existing-cognito-resources/"
+---
+
+Amplify Auth can be configured to use an existing Amazon Cognito user pool and identity pool. If you are in a team setting or part of a company that has previously created auth resources, you can [configure the client library directly](#use-auth-resources-without-an-amplify-backend), or maintain references with [AWS Cloud Development Kit (AWS CDK)](https://aws.amazon.com/cdk/) in your Amplify backend.
+
+> **Info:** **Note:** when using existing auth resources, it may be necessary to add additional policies or permissions for your authenticated and unauthenticated IAM roles. These changes must be performed manually.
+
+## Use auth resources without an Amplify backend
+
+
+You can use existing resources without an Amplify backend by configuring the client library directly.
+
+```ts title="src/main.ts"
+import { Amplify } from "aws-amplify"
+
+Amplify.configure({
+ Auth: {
+ Cognito: {
+ userPoolId: "",
+ userPoolClientId: "",
+ identityPoolId: "",
+ loginWith: {
+ email: true,
+ },
+ signUpVerificationMethod: "code",
+ userAttributes: {
+ email: {
+ required: true,
+ },
+ },
+ allowGuestAccess: true,
+ passwordFormat: {
+ minLength: 8,
+ requireLowercase: true,
+ requireUppercase: true,
+ requireNumbers: true,
+ requireSpecialCharacters: true,
+ },
+ },
+ },
+})
+```
+
+
+Configuring the mobile client libraries directly is not supported, however you can manually create `amplify_outputs.json` with the following schema:
+
+> **Info:** **Note:** it is strongly recommended to use backend outputs to generate this file for each sandbox or branch deployment
+
+```json title="amplify_outputs.json"
+{
+ "version": "1",
+ "auth": {
+ "aws_region": "",
+ "user_pool_id": "",
+ "user_pool_client_id": "",
+ "identity_pool_id": "",
+ "username_attributes": ["email"],
+ "standard_required_attributes": ["email"],
+ "user_verification_types": ["email"],
+ "unauthenticated_identities_enabled": true,
+ "password_policy": {
+ "min_length": 8,
+ "require_lowercase": true,
+ "require_uppercase": true,
+ "require_numbers": true,
+ "require_symbols": true
+ }
+ }
+}
+```
+
+
+## Use auth resources with an Amplify backend
+
+> **Warning:** Amplify cannot modify the configuration of your referenced resources and only captures the resource configuration at the time of reference, any subsequent changes made to the referenced resources will not be automatically reflected in your Amplify backend.
+
+If you have created Amazon Cognito resources outside of the context of your Amplify app such as creating resources through the AWS Console or consuming resources created by a separate team, you can use `referenceAuth` to reference the existing resources. It requires a user pool, a user pool client, identity pool, and an authenticated & unauthenticated IAM role configured on your identity pool.
+
+```ts title="amplify/auth/resource.ts"
+import { referenceAuth } from '@aws-amplify/backend';
+
+export const auth = referenceAuth({
+ userPoolId: 'us-east-1_xxxx',
+ identityPoolId: 'us-east-1:b57b7c3b-9c95-43e4-9266-xxxx',
+ authRoleArn: 'arn:aws:iam::xxxx:role/amplify-xxxx-mai-amplifyAuthauthenticatedU-xxxx',
+ unauthRoleArn: 'arn:aws:iam::xxxx:role/amplify-xxxx-mai-amplifyAuthunauthenticate-xxxx',
+ userPoolClientId: 'xxxx',
+});
+```
+
+> **Info:** IAM policies specific to your Amplify application will be appended to your authenticated and unauthenticated roles, and applications using the referenced resource will be able to create users in the Cognito user pool and identities in the Cognito identity pool.
+
+You can also use the [`access` property](/[platform]/build-a-backend/auth/grant-access-to-auth-resources/) to grant permissions to your auth resource from other Amplify backend resources. For example, if you have a function that needs to retrieve details about a user:
+
+```ts title="amplify/auth/resource.ts"
+import { referenceAuth } from '@aws-amplify/backend';
+import { getUser } from "../functions/get-user/resource";
+
+export const auth = referenceAuth({
+ userPoolId: 'us-east-1_xxxx',
+ identityPoolId: 'us-east-1:b57b7c3b-9c95-43e4-9266-xxxx',
+ authRoleArn: 'arn:aws:iam::xxxx:role/amplify-xxxx-mai-amplifyAuthauthenticatedU-xxxx',
+ unauthRoleArn: 'arn:aws:iam::xxxx:role/amplify-xxxx-mai-amplifyAuthunauthenticate-xxxx',
+ userPoolClientId: 'xxxx',
+ access: (allow) => [
+ allow.resource(getUser).to(["getUser"]),
+ ],
+});
+```
+
+Additionally, you can also use the `groups` property to reference groups in your user pool. This is useful if you want to work with groups in your application and provide access to resources such as storage based on group membership.
+
+```ts title="amplify/auth/resource.ts"
+import { referenceAuth } from '@aws-amplify/backend';
+import { getUser } from "../functions/get-user/resource";
+
+export const auth = referenceAuth({
+ userPoolId: 'us-east-1_xxxx',
+ identityPoolId: 'us-east-1:b57b7c3b-9c95-43e4-9266-xxxx',
+ authRoleArn: 'arn:aws:iam::xxxx:role/amplify-xxxx-mai-amplifyAuthauthenticatedU-xxxx',
+ unauthRoleArn: 'arn:aws:iam::xxxx:role/amplify-xxxx-mai-amplifyAuthunauthenticate-xxxx',
+ userPoolClientId: 'xxxx',
+ groups: {
+ admin: "arn:aws:iam::xxxx:role/amplify-xxxx-mai-amplifyAuthadminGroupRole-xxxx",
+ },
+});
+```
+
+In a team setting you may want to reference a different set of auth resources depending on the deployment context. For instance if you have a `staging` branch that should reuse resources from a separate "staging" environment compared to a `production` branch that should reuse resources from the separate "production" environment. In this case we recommend using environment variables.
+
+```ts title="amplify/auth/resource.ts"
+import { referenceAuth } from '@aws-amplify/backend';
+
+export const auth = referenceAuth({
+ userPoolId: process.env.MY_USER_POOL_ID,
+ identityPoolId: process.env.MY_IDENTITY_POOL_ID,
+ authRoleArn: process.env.MY_AUTH_ROLE_ARN,
+ unauthRoleArn: process.env.MY_UNAUTH_ROLE_ARN,
+ userPoolClientId: process.env.MY_USER_POOL_CLIENT_ID,
+});
+```
+
+Environment variables must be configured separately on your machine for sandbox deployments and Amplify console for branch deployments.
+
+## Next steps
+
+- [Learn how to connect your frontend](/[platform]/build-a-backend/auth/connect-your-frontend/)
+
+---
+
+---
+title: "Use AWS SDK"
+section: "build-a-backend/auth"
+platforms: ["swift", "android"]
+gen: 2
+last-updated: "2024-09-24T23:57:23.000Z"
+url: "https://docs.amplify.aws/react/build-a-backend/auth/use-aws-sdk/"
+---
+
+For advanced use cases where Amplify does not provide the functionality, you can retrieve an escape hatch to access the underlying Amazon Cognito client.
+
+
+The escape hatch provides access to the underlying `AWSCognitoIdentityProvider` instance. Import the necessary types:
+
+```swift
+import AWSCognitoAuthPlugin
+import AWSCognitoIdentityProvider
+```
+
+Then retrieve the escape hatch with this code:
+
+```swift
+func getEscapeHatch() {
+ let client: CognitoIdentityProviderClient
+
+ // Get the instance of AWSCognitoAuthPlugin
+ let plugin = try? Amplify.Auth.getPlugin(for: "awsCognitoAuthPlugin") as? AWSCognitoAuthPlugin
+
+ // Get the instance of CognitoIdentityProviderClient
+ if case .userPoolAndIdentityPool(let userPoolClient, _) = plugin?.getEscapeHatch() {
+ client = userPoolClient
+ } else if case .userPool(let userPoolClient) = plugin?.getEscapeHatch() {
+ client = userPoolClient
+ } else {
+ fatalError("No user pool configuration found")
+ }
+ print("Fetched escape hatch - \(String(describing: client))")
+}
+```
+
+
+
+You can access the underlying `CognitoIdentityProviderClient` and `CognitoIdentityClient` as shown below
+
+```kotlin
+implementation "aws.sdk.kotlin:cognitoidentityprovider:1.0.44"
+implementation "aws.sdk.kotlin:cognitoidentity:1.0.44"
+```
+
+#### [Kotlin]
+
+```kotlin
+suspend fun resendCodeUsingEscapeHatch() {
+ // Get the instance of AWSCognitoAuthPlugin
+ val cognitoAuthPlugin = Amplify.Auth.getPlugin("awsCognitoAuthPlugin")
+ val cognitoAuthService = cognitoAuthPlugin.escapeHatch as AWSCognitoAuthService
+
+ // Get the instance of CognitoIdentityProviderClient
+ val cognitoIdentityProviderClient = cognitoAuthService.cognitoIdentityProviderClient
+ val request = ResendConfirmationCodeRequest {
+ clientId = "xxxxxxxxxxxxxxxx"
+ username = "user1"
+ }
+ val response = cognitoIdentityProviderClient?.resendConfirmationCode(request)
+}
+```
+
+#### [Java]
+
+
+
+[Learn more about consuming Kotlin clients from Java using either a blocking interface or an equivalent async interface based on futures](https://github.com/awslabs/smithy-kotlin/blob/main/docs/design/kotlin-smithy-sdk.md#java-interop).
+
+
+
+```java
+// Get the instance of AWSCognitoAuthPlugin
+AWSCognitoAuthPlugin cognitoAuthPlugin = (AWSCognitoAuthPlugin) Amplify.Auth.getPlugin("awsCognitoAuthPlugin");
+
+// Get the instance of CognitoIdentityProviderClient
+CognitoIdentityProviderClient client = cognitoAuthPlugin.getEscapeHatch().getCognitoIdentityProviderClient();
+ResendConfirmationCodeRequest request = ResendConfirmationCodeRequest.Companion.invoke(dslBuilder -> {
+ dslBuilder.setClientId("xxxxxxxxxxxxxxxx");
+ dslBuilder.setUsername("user1");
+ return null;
+});
+
+assert client != null;
+client.resendConfirmationCode(request, new Continuation() {
+ @NonNull
+ @Override
+ public CoroutineContext getContext() {
+ return GlobalScope.INSTANCE.getCoroutineContext();
+ }
+
+ @Override
+ public void resumeWith(@NonNull Object resultOrException) {
+ Log.i(TAG, "Result: " + resultOrException);
+ }
+});
+```
+
+
+
+---
+
+---
+title: "API References"
+section: "build-a-backend/auth"
+platforms: ["angular", "javascript", "nextjs", "react", "react-native", "vue"]
+gen: 2
+last-updated: ""
+url: "https://docs.amplify.aws/react/build-a-backend/auth/reference/"
+---
+
+
+
+---
+
+---
+title: "Data"
+section: "build-a-backend"
+platforms: ["android", "angular", "flutter", "javascript", "nextjs", "react", "react-native", "swift", "vue"]
+gen: 2
+last-updated: "2024-02-21T20:06:17.000Z"
+url: "https://docs.amplify.aws/react/build-a-backend/data/"
+---
+
+
+
+---
+
+---
+title: "Set up Amplify Data"
+section: "build-a-backend/data"
+platforms: ["android", "angular", "flutter", "javascript", "nextjs", "react", "react-native", "swift", "vue"]
+gen: 2
+last-updated: "2025-11-13T16:29:27.000Z"
+url: "https://docs.amplify.aws/react/build-a-backend/data/set-up-data/"
+---
+
+In this guide, you will learn how to set up Amplify Data. This includes building a real-time API and database using TypeScript to define your data model, and securing your API with authorization rules. We will also explore using AWS Lambda to scale to custom use cases.
+
+Before you begin, you will need:
+
+- [Node.js](https://nodejs.org/) v18.16.0 or later
+- [npm](https://www.npmjs.com/) v6.14.4 or later
+- [git](https://git-scm.com/) v2.14.1 or later
+
+With Amplify Data, you can build a secure, real-time API backed by a database in minutes. After you define your data model using TypeScript, Amplify will deploy a real-time API for you. This API is powered by AWS AppSync and connected to an Amazon DynamoDB database. You can secure your API with authorization rules and scale to custom use cases with AWS Lambda.
+
+## Building your data backend
+
+If you've run `npm create amplify@latest` already, you should see an `amplify/data/resource.ts` file, which is the central location to configure your data backend. The most important element is the `schema` object, which defines your backend data models (`a.model()`) and custom queries (`a.query()`), mutations (`a.mutation()`), and subscriptions (`a.subscription()`).
+
+```ts title="amplify/data/resource.ts"
+import { a, defineData, type ClientSchema } from '@aws-amplify/backend';
+
+const schema = a.schema({
+ Todo: a.model({
+ content: a.string(),
+ isDone: a.boolean()
+ })
+ .authorization(allow => [allow.publicApiKey()])
+});
+
+// Used for code completion / highlighting when making requests from frontend
+export type Schema = ClientSchema;
+
+// defines the data resource to be deployed
+export const data = defineData({
+ schema,
+ authorizationModes: {
+ defaultAuthorizationMode: 'apiKey',
+ apiKeyAuthorizationMode: { expiresInDays: 30 }
+ }
+});
+```
+
+Every `a.model()` automatically creates the following resources in the cloud:
+
+- a DynamoDB database table to store records
+- query and mutation APIs to create, read (list/get), update, and delete records
+- `createdAt` and `updatedAt` fields that help you keep track of when each record was initially created or when it was last updated
+- real-time APIs to subscribe for create, update, and delete events of records
+
+The `allow.publicApiKey()` rule designates that anyone authenticated using an API key can create, read, update, and delete todos.
+
+To deploy these resources to your cloud sandbox, run the following CLI command in your terminal:
+
+
+```bash title="Terminal" showLineNumbers={false}
+npx ampx sandbox
+```
+
+
+
+```bash title="Terminal" showLineNumbers={false}
+npx ampx sandbox --outputs-out-dir
+```
+
+
+```bash title="Terminal" showLineNumbers={false}
+npx ampx sandbox --outputs-format dart --outputs-out-dir lib
+```
+
+
+## Connect your application code to the data backend
+
+Once the cloud sandbox is up and running, it will also create an `amplify_outputs.json` file, which includes the relevant connection information to your data backend, like your API endpoint URL and API key.
+
+To connect your frontend code to your backend, you need to:
+
+1. Configure the Amplify library with the Amplify client configuration file (`amplify_outputs.json`)
+2. Generate a new API client from the Amplify library
+3. Make an API request with end-to-end type-safety
+
+
+First, install the Amplify client library to your project:
+
+```bash title="Terminal" showLineNumbers={false}
+npm add aws-amplify
+```
+
+
+
+In your app's entry point, typically **main.tsx** for React apps created using Vite, make the following edits:
+
+```tsx title="src/main.tsx"
+import { Amplify } from 'aws-amplify';
+import outputs from '../amplify_outputs.json';
+
+Amplify.configure(outputs);
+```
+
+
+
+In your app's entry point, typically **main.ts** for Vue apps created using Vite, make the following edits:
+
+```tsx title="src/main.ts"
+import { Amplify } from 'aws-amplify';
+import outputs from '../amplify_outputs.json';
+
+Amplify.configure(outputs);
+```
+
+
+
+Under Gradle Scripts, open build.gradle (Module :app), add the following lines:
+
+```kotlin title="app/build.gradle.kts"
+android {
+ compileOptions {
+ // Support for modern Java features
+ isCoreLibraryDesugaringEnabled = true
+ }
+}
+
+dependencies {
+ // Amplify API dependencies
+ // highlight-start
+ implementation("com.amplifyframework:aws-api:ANDROID_VERSION")
+ // highlight-end
+ // ... other dependencies
+ coreLibraryDesugaring("com.android.tools:desugar_jdk_libs:ANDROID_DESUGAR_VERSION")
+}
+```
+
+Click **Sync Now** in the notification bar above the file editor to sync these dependencies.
+
+Next, configure the Amplify client library with the generated `amplify_outputs.json` file to make it aware of the backend API endpoint. *Note: verify that the **amplify_outputs.json** file is present in your **res/raw/** folder.
+
+Create a new `MyAmplifyApp` class that inherits from `Application` with the following code:
+
+> **Warning:** Before calling the `Amplify.configure` function, make sure to either download the `amplify_outputs.json` file from the console, or generate it with the following command:
+>
+> ```bash title="Terminal" showLineNumbers={false}
+npx ampx generate outputs --app-id