@aws-sdk/client-cognito-identity-provider

import { ExceptionOptionType as __ExceptionOptionType } from "@smithy/smithy-client"; import { DocumentType as __DocumentType } from "@smithy/types"; import { CognitoIdentityProviderServiceException as __BaseException } from "./CognitoIdentityProviderServiceException"; /** * @public * @enum */ export declare const RecoveryOptionNameType: { readonly ADMIN_ONLY: "admin_only"; readonly VERIFIED_EMAIL: "verified_email"; readonly VERIFIED_PHONE_NUMBER: "verified_phone_number"; }; /** * @public */ export type RecoveryOptionNameType = (typeof RecoveryOptionNameType)[keyof typeof RecoveryOptionNameType]; /** * A recovery option for a user. The <code>AccountRecoverySettingType</code> data type is * an array of this object. Each <code>RecoveryOptionType</code> has a priority property * that determines whether it is a primary or secondary option. * For example, if <code>verified_email</code> has a priority of <code>1</code> and * <code>verified_phone_number</code> has a priority of <code>2</code>, your user pool * sends account-recovery messages to a verified email address but falls back to an SMS * message if the user has a verified phone number. The <code>admin_only</code> option * prevents self-service account recovery. * This data type is a request and response parameter of <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html">CreateUserPool</a> and <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html">UpdateUserPool</a>, and a response parameter of <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html">DescribeUserPool</a>. * @public */ export interface RecoveryOptionType { /** * Your priority preference for using the specified attribute in account recovery. The * highest priority is <code>1</code>. * @public */ Priority: number | undefined; /** * The recovery method that this object sets a recovery option for. * @public */ Name: RecoveryOptionNameType | undefined; } /** * The settings for user message delivery in forgot-password operations. Contains * preference for email or SMS message delivery of password reset codes, or for admin-only * password reset. * This data type is a request and response parameter of <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html">CreateUserPool</a> and <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html">UpdateUserPool</a>, and a response parameter of <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html">DescribeUserPool</a>. * @public */ export interface AccountRecoverySettingType { /** * The list of options and priorities for user message delivery in forgot-password * operations. Sets or displays user pool preferences for email or SMS message priority, * whether users should fall back to a second delivery method, and whether passwords should * only be reset by administrators. * @public */ RecoveryMechanisms?: RecoveryOptionType[] | undefined; } /** * @public * @enum */ export declare const AccountTakeoverEventActionType: { readonly BLOCK: "BLOCK"; readonly MFA_IF_CONFIGURED: "MFA_IF_CONFIGURED"; readonly MFA_REQUIRED: "MFA_REQUIRED"; readonly NO_ACTION: "NO_ACTION"; }; /** * @public */ export type AccountTakeoverEventActionType = (typeof AccountTakeoverEventActionType)[keyof typeof AccountTakeoverEventActionType]; /** * The automated response to a risk level for adaptive authentication in full-function, * or <code>ENFORCED</code>, mode. You can assign an action to each risk level that * advanced security features evaluates. * This data type is a request parameter of <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SetRiskConfiguration.html">SetRiskConfiguration</a> and a response parameter of <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeRiskConfiguration.html">DescribeRiskConfiguration</a>. * @public */ export interface AccountTakeoverActionType { /** * Determines whether Amazon Cognito sends a user a notification message when your user pools * assesses a user's session at the associated risk level. * @public */ Notify: boolean | undefined; /** * The action to take for the attempted account takeover action for the associated risk * level. Valid values are as follows: * <ul> * <li> * * <code>BLOCK</code>: Block the request. * </li> * <li> * * <code>MFA_IF_CONFIGURED</code>: Present an MFA challenge if possible. MFA is * possible if the user pool has active MFA methods that the user can set up. For * example, if the user pool only supports SMS message MFA but the user * doesn't have a phone number attribute, MFA setup isn't possible. If MFA * setup isn't possible, allow the request. * </li> * <li> * * <code>MFA_REQUIRED</code>: Present an MFA challenge if possible. Block the * request if a user hasn't set up MFA. To sign in with required MFA, users must * have an email address or phone number attribute, or a registered TOTP * factor. * </li> * <li> * * <code>NO_ACTION</code>: Take no action. Permit sign-in. * </li> * </ul> * @public */ EventAction: AccountTakeoverEventActionType | undefined; } /** * A list of account-takeover actions for each level of risk that Amazon Cognito might assess with * advanced security features. * This data type is a request parameter of <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SetRiskConfiguration.html">SetRiskConfiguration</a> and a response parameter of <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeRiskConfiguration.html">DescribeRiskConfiguration</a>. * @public */ export interface AccountTakeoverActionsType { /** * The action that you assign to a low-risk assessment by advanced security * features. * @public */ LowAction?: AccountTakeoverActionType | undefined; /** * The action that you assign to a medium-risk assessment by advanced security * features. * @public */ MediumAction?: AccountTakeoverActionType | undefined; /** * The action that you assign to a high-risk assessment by advanced security * features. * @public */ HighAction?: AccountTakeoverActionType | undefined; } /** * The template for email messages that advanced security features sends to a user when * your threat protection automated response has a Notify * action. * This data type is a request parameter of <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SetRiskConfiguration.html">SetRiskConfiguration</a> and a response parameter of <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeRiskConfiguration.html">DescribeRiskConfiguration</a>. * @public */ export interface NotifyEmailType { /** * The subject of the threat protection email notification. * @public */ Subject: string | undefined; /** * The body of an email notification formatted in HTML. Choose an <code>HtmlBody</code> * or a <code>TextBody</code> to send an HTML-formatted or plaintext message, * respectively. * @public */ HtmlBody?: string | undefined; /** * The body of an email notification formatted in plaintext. Choose an * <code>HtmlBody</code> or a <code>TextBody</code> to send an HTML-formatted or * plaintext message, respectively. * @public */ TextBody?: string | undefined; } /** * The configuration for Amazon SES email messages that advanced security features sends to a * user when your adaptive authentication automated response has a * Notify action. * This data type is a request parameter of <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SetRiskConfiguration.html">SetRiskConfiguration</a> and a response parameter of <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeRiskConfiguration.html">DescribeRiskConfiguration</a>. * @public */ export interface NotifyConfigurationType { /** * The email address that sends the email message. The address must be either * individually verified with Amazon Simple Email Service, or from a domain that has been verified with * Amazon SES. * @public */ From?: string | undefined; /** * The reply-to email address of an email template. * @public */ ReplyTo?: string | undefined; /** * The Amazon Resource Name (ARN) of the identity that is associated with the sending * authorization policy. This identity permits Amazon Cognito to send for the email address * specified in the <code>From</code> parameter. * @public */ SourceArn: string | undefined; /** * The template for the email message that your user pool sends when a detected risk * event is blocked. * @public */ BlockEmail?: NotifyEmailType | undefined; /** * The template for the email message that your user pool sends when no action is taken * in response to a detected risk. * @public */ NoActionEmail?: NotifyEmailType | undefined; /** * The template for the email message that your user pool sends when MFA is challenged in * response to a detected risk. * @public */ MfaEmail?: NotifyEmailType | undefined; } /** * The settings for automated responses and notification templates for adaptive * authentication with advanced security features. * This data type is a request parameter of <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SetRiskConfiguration.html">SetRiskConfiguration</a> and a response parameter of <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeRiskConfiguration.html">DescribeRiskConfiguration</a>. * @public */ export interface AccountTakeoverRiskConfigurationType { /** * The settings for composing and sending an email message when advanced security * features assesses a risk level with adaptive authentication. When you choose to notify * users in <code>AccountTakeoverRiskConfiguration</code>, Amazon Cognito sends an email message * using the method and template that you set with this data type. * @public */ NotifyConfiguration?: NotifyConfigurationType | undefined; /** * A list of account-takeover actions for each level of risk that Amazon Cognito might assess with * advanced security features. * @public */ Actions: AccountTakeoverActionsType | undefined; } /** * @public * @enum */ export declare const AttributeDataType: { readonly BOOLEAN: "Boolean"; readonly DATETIME: "DateTime"; readonly NUMBER: "Number"; readonly STRING: "String"; }; /** * @public */ export type AttributeDataType = (typeof AttributeDataType)[keyof typeof AttributeDataType]; /** * The minimum and maximum values of an attribute that is of the number type, for example * <code>custom:age</code>. * This data type is part of <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SchemaAttributeType.html">SchemaAttributeType</a>. It defines the length constraints * on number-type attributes that you configure in <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html">CreateUserPool</a> and <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html">UpdateUserPool</a>, and displays the length constraints of * all number-type attributes in the response to <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html">DescribeUserPool</a> * * @public */ export interface NumberAttributeConstraintsType { /** * The minimum value of an attribute that is of the number data type. * @public */ MinValue?: string | undefined; /** * The maximum length of a number attribute value. Must be a number less than or equal to * <code>2^1023</code>, represented as a string with a length of 131072 characters or * fewer. * @public */ MaxValue?: string | undefined; } /** * The minimum and maximum length values of an attribute that is of the string type, for * example <code>custom:department</code>. * This data type is part of <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SchemaAttributeType.html">SchemaAttributeType</a>. It defines the length constraints * on string-type attributes that you configure in <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html">CreateUserPool</a> and <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html">UpdateUserPool</a>, and displays the length constraints of * all string-type attributes in the response to <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html">DescribeUserPool</a> * * @public */ export interface StringAttributeConstraintsType { /** * The minimum length of a string attribute value. * @public */ MinLength?: string | undefined; /** * The maximum length of a string attribute value. Must be a number less than or equal to * <code>2^1023</code>, represented as a string with a length of 131072 characters or * fewer. * @public */ MaxLength?: string | undefined; } /** * A list of the user attributes and their properties in your user pool. The attribute * schema contains standard attributes, custom attributes with a <code>custom:</code> * prefix, and developer attributes with a <code>dev:</code> prefix. For more information, * see <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html">User pool * attributes</a>. * Developer-only <code>dev:</code> attributes are a legacy feature of user pools, and * are read-only to all app clients. You can create and update developer-only attributes * only with IAM-authenticated API operations. Use app client read/write permissions * instead. * This data type is a request and response parameter of <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html">CreateUserPool</a> and <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html">UpdateUserPool</a>, and a response parameter of <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html">DescribeUserPool</a>. * @public */ export interface SchemaAttributeType { /** * The name of your user pool attribute. When you create or update a user pool, adding a * schema attribute creates a custom or developer-only attribute. When you add an attribute * with a <code>Name</code> value of <code>MyAttribute</code>, Amazon Cognito creates the custom * attribute <code>custom:MyAttribute</code>. When <code>DeveloperOnlyAttribute</code> is * <code>true</code>, Amazon Cognito creates your attribute as <code>dev:MyAttribute</code>. In * an operation that describes a user pool, Amazon Cognito returns this value as <code>value</code> * for standard attributes, <code>custom:value</code> for custom attributes, and * <code>dev:value</code> for developer-only attributes.. * @public */ Name?: string | undefined; /** * The data format of the values for your attribute. When you choose an * <code>AttributeDataType</code>, Amazon Cognito validates the input against the data type. A * custom attribute value in your user's ID token is always a string, for example * <code>"custom:isMember" : "true"</code> or <code>"custom:YearsAsMember" : * "12"</code>. * @public */ AttributeDataType?: AttributeDataType | undefined; /** * <note> * You should use <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UserPoolClientType.html#CognitoUserPools-Type-UserPoolClientType-WriteAttributes">WriteAttributes</a> in the user pool client to control how attributes can * be mutated for new use cases instead of using * <code>DeveloperOnlyAttribute</code>. * </note> * Specifies whether the attribute type is developer only. This attribute can only be * modified by an administrator. Users won't be able to modify this attribute using their * access token. For example, <code>DeveloperOnlyAttribute</code> can be modified using * AdminUpdateUserAttributes but can't be updated using UpdateUserAttributes. * @public */ DeveloperOnlyAttribute?: boolean | undefined; /** * Specifies whether the value of the attribute can be changed. * Any user pool attribute whose value you map from an IdP attribute must be mutable, * with a parameter value of <code>true</code>. Amazon Cognito updates mapped attributes when users * sign in to your application through an IdP. If an attribute is immutable, Amazon Cognito throws * an error when it attempts to update the attribute. For more information, see <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-specifying-attribute-mapping.html">Specifying Identity Provider Attribute Mappings for Your User * Pool</a>. * @public */ Mutable?: boolean | undefined; /** * Specifies whether a user pool attribute is required. If the attribute is required and * the user doesn't provide a value, registration or sign-in will fail. * @public */ Required?: boolean | undefined; /** * Specifies the constraints for an attribute of the number type. * @public */ NumberAttributeConstraints?: NumberAttributeConstraintsType | undefined; /** * Specifies the constraints for an attribute of the string type. * @public */ StringAttributeConstraints?: StringAttributeConstraintsType | undefined; } /** * Represents the request to add custom attributes. * @public */ export interface AddCustomAttributesRequest { /** * The user pool ID for the user pool where you want to add custom attributes. * @public */ UserPoolId: string | undefined; /** * An array of custom attributes, such as Mutable and Name. * @public */ CustomAttributes: SchemaAttributeType[] | undefined; } /** * Represents the response from the server for the request to add custom * attributes. * @public */ export interface AddCustomAttributesResponse { } /** * This exception is thrown when Amazon Cognito encounters an internal error. * @public */ export declare class InternalErrorException extends __BaseException { readonly name: "InternalErrorException"; readonly $fault: "server"; /** * @internal */ constructor(opts: __ExceptionOptionType<InternalErrorException, __BaseException>); } /** * This exception is thrown when the Amazon Cognito service encounters an invalid * parameter. * @public */ export declare class InvalidParameterException extends __BaseException { readonly name: "InvalidParameterException"; readonly $fault: "client"; /** * The reason code of the exception. * @public */ reasonCode?: string | undefined; /** * @internal */ constructor(opts: __ExceptionOptionType<InvalidParameterException, __BaseException>); } /** * This exception is thrown when a user isn't authorized. * @public */ export declare class NotAuthorizedException extends __BaseException { readonly name: "NotAuthorizedException"; readonly $fault: "client"; /** * @internal */ constructor(opts: __ExceptionOptionType<NotAuthorizedException, __BaseException>); } /** * This exception is thrown when the Amazon Cognito service can't find the requested * resource. * @public */ export declare class ResourceNotFoundException extends __BaseException { readonly name: "ResourceNotFoundException"; readonly $fault: "client"; /** * @internal */ constructor(opts: __ExceptionOptionType<ResourceNotFoundException, __BaseException>); } /** * This exception is thrown when the user has made too many requests for a given * operation. * @public */ export declare class TooManyRequestsException extends __BaseException { readonly name: "TooManyRequestsException"; readonly $fault: "client"; /** * @internal */ constructor(opts: __ExceptionOptionType<TooManyRequestsException, __BaseException>); } /** * This exception is thrown when you're trying to modify a user pool while a user import * job is in progress for that pool. * @public */ export declare class UserImportInProgressException extends __BaseException { readonly name: "UserImportInProgressException"; readonly $fault: "client"; /** * @internal */ constructor(opts: __ExceptionOptionType<UserImportInProgressException, __BaseException>); } /** * @public */ export interface AdminAddUserToGroupRequest { /** * The user pool ID for the user pool. * @public */ UserPoolId: string | undefined; /** * The username of the user that you want to query or modify. The value of this parameter * is typically your user's username, but it can be any of their alias attributes. If * <code>username</code> isn't an alias attribute in your user pool, this value * must be the <code>sub</code> of a local user or the username of a user from a * third-party IdP. * @public */ Username: string | undefined; /** * The name of the group that you want to add your user to. * @public */ GroupName: string | undefined; } /** * This exception is thrown when a user isn't found. * @public */ export declare class UserNotFoundException extends __BaseException { readonly name: "UserNotFoundException"; readonly $fault: "client"; /** * @internal */ constructor(opts: __ExceptionOptionType<UserNotFoundException, __BaseException>); } /** * Confirm a user's registration as a user pool administrator. * @public */ export interface AdminConfirmSignUpRequest { /** * The user pool ID for which you want to confirm user registration. * @public */ UserPoolId: string | undefined; /** * The username of the user that you want to query or modify. The value of this parameter * is typically your user's username, but it can be any of their alias attributes. If * <code>username</code> isn't an alias attribute in your user pool, this value * must be the <code>sub</code> of a local user or the username of a user from a * third-party IdP. * @public */ Username: string | undefined; /** * A map of custom key-value pairs that you can provide as input for any custom workflows * that this action triggers. * If your user pool configuration includes triggers, the AdminConfirmSignUp API action * invokes the Lambda function that is specified for the post * confirmation trigger. When Amazon Cognito invokes this function, it passes a JSON * payload, which the function receives as input. In this payload, the * <code>clientMetadata</code> attribute provides the data that you assigned to the * ClientMetadata parameter in your AdminConfirmSignUp request. In your function code in * Lambda, you can process the ClientMetadata value to enhance your workflow for your * specific needs. * For more information, see <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html"> * Customizing user pool Workflows with Lambda Triggers</a> in the Amazon Cognito Developer Guide. * <note> * When you use the ClientMetadata parameter, remember that Amazon Cognito won't do the * following: * <ul> * <li> * Store the ClientMetadata value. This data is available only to Lambda * triggers that are assigned to a user pool to support custom workflows. If * your user pool configuration doesn't include triggers, the ClientMetadata * parameter serves no purpose. * </li> * <li> * Validate the ClientMetadata value. * </li> * <li> * Encrypt the ClientMetadata value. Don't use Amazon Cognito to provide sensitive * information. * </li> * </ul> * </note> * @public */ ClientMetadata?: Record<string, string> | undefined; } /** * Represents the response from the server for the request to confirm * registration. * @public */ export interface AdminConfirmSignUpResponse { } /** * This exception is thrown when Amazon Cognito encounters an invalid Lambda response. * @public */ export declare class InvalidLambdaResponseException extends __BaseException { readonly name: "InvalidLambdaResponseException"; readonly $fault: "client"; /** * @internal */ constructor(opts: __ExceptionOptionType<InvalidLambdaResponseException, __BaseException>); } /** * This exception is thrown when a user exceeds the limit for a requested Amazon Web Services * resource. * @public */ export declare class LimitExceededException extends __BaseException { readonly name: "LimitExceededException"; readonly $fault: "client"; /** * @internal */ constructor(opts: __ExceptionOptionType<LimitExceededException, __BaseException>); } /** * This exception is thrown when the user has made too many failed attempts for a given * action, such as sign-in. * @public */ export declare class TooManyFailedAttemptsException extends __BaseException { readonly name: "TooManyFailedAttemptsException"; readonly $fault: "client"; /** * @internal */ constructor(opts: __ExceptionOptionType<TooManyFailedAttemptsException, __BaseException>); } /** * This exception is thrown when Amazon Cognito encounters an unexpected exception with * Lambda. * @public */ export declare class UnexpectedLambdaException extends __BaseException { readonly name: "UnexpectedLambdaException"; readonly $fault: "client"; /** * @internal */ constructor(opts: __ExceptionOptionType<UnexpectedLambdaException, __BaseException>); } /** * This exception is thrown when the Amazon Cognito service encounters a user validation exception * with the Lambda service. * @public */ export declare class UserLambdaValidationException extends __BaseException { readonly name: "UserLambdaValidationException"; readonly $fault: "client"; /** * @internal */ constructor(opts: __ExceptionOptionType<UserLambdaValidationException, __BaseException>); } /** * @public * @enum */ export declare const DeliveryMediumType: { readonly EMAIL: "EMAIL"; readonly SMS: "SMS"; }; /** * @public */ export type DeliveryMediumType = (typeof DeliveryMediumType)[keyof typeof DeliveryMediumType]; /** * @public * @enum */ export declare const MessageActionType: { readonly RESEND: "RESEND"; readonly SUPPRESS: "SUPPRESS"; }; /** * @public */ export type MessageActionType = (typeof MessageActionType)[keyof typeof MessageActionType]; /** * The name and value of a user attribute. * This data type is a request parameter of <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminUpdateUserAttributes.html">AdminUpdateUserAttributes</a> and <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserAttributes.html">UpdateUserAttributes</a>. * @public */ export interface AttributeType { /** * The name of the attribute. * @public */ Name: string | undefined; /** * The value of the attribute. * @public */ Value?: string | undefined; } /** * Creates a new user in the specified user pool. * @public */ export interface AdminCreateUserRequest { /** * The user pool ID for the user pool where the user will be created. * @public */ UserPoolId: string | undefined; /** * The value that you want to set as the username sign-in attribute. The following * conditions apply to the username parameter. * <ul> * <li> * The username can't be a duplicate of another username in the same user * pool. * </li> * <li> * You can't change the value of a username after you create it. * </li> * <li> * You can only provide a value if usernames are a valid sign-in attribute for * your user pool. If your user pool only supports phone numbers or email addresses * as sign-in attributes, Amazon Cognito automatically generates a username value. For more * information, see <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html#user-pool-settings-aliases">Customizing sign-in attributes</a>. * </li> * </ul> * @public */ Username: string | undefined; /** * An array of name-value pairs that contain user attributes and attribute values to be * set for the user to be created. You can create a user without specifying any attributes * other than <code>Username</code>. However, any attributes that you specify as required * (when creating a user pool or in the Attributes tab of * the console) either you should supply (in your call to <code>AdminCreateUser</code>) or * the user should supply (when they sign up in response to your welcome message). * For custom attributes, you must prepend the <code>custom:</code> prefix to the * attribute name. * To send a message inviting the user to sign up, you must specify the user's email * address or phone number. You can do this in your call to AdminCreateUser or in the * Users tab of the Amazon Cognito console for managing your * user pools. * You must also provide an email address or phone number when you expect the user to do * passwordless sign-in with an email or SMS OTP. These attributes must be provided when * passwordless options are the only available, or when you don't submit a * <code>TemporaryPassword</code>. * In your call to <code>AdminCreateUser</code>, you can set the * <code>email_verified</code> attribute to <code>True</code>, and you can set the * <code>phone_number_verified</code> attribute to <code>True</code>. You can also do * this by calling <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminUpdateUserAttributes.html">AdminUpdateUserAttributes</a>. * <ul> * <li> * * email: The email address of the user to whom * the message that contains the code and username will be sent. Required if the * <code>email_verified</code> attribute is set to <code>True</code>, or if * <code>"EMAIL"</code> is specified in the <code>DesiredDeliveryMediums</code> * parameter. * </li> * <li> * * phone_number: The phone number of the user to * whom the message that contains the code and username will be sent. Required if * the <code>phone_number_verified</code> attribute is set to <code>True</code>, or * if <code>"SMS"</code> is specified in the <code>DesiredDeliveryMediums</code> * parameter. * </li> * </ul> * @public */ UserAttributes?: AttributeType[] | undefined; /** * Temporary user attributes that contribute to the outcomes of your pre sign-up Lambda * trigger. This set of key-value pairs are for custom validation of information that you * collect from your users but don't need to retain. * Your Lambda function can analyze this additional data and act on it. Your function * might perform external API operations like logging user attributes and validation data * to Amazon CloudWatch Logs. Validation data might also affect the response that your function returns * to Amazon Cognito, like automatically confirming the user if they sign up from within your * network. * For more information about the pre sign-up Lambda trigger, see <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-sign-up.html">Pre sign-up Lambda trigger</a>. * @public */ ValidationData?: AttributeType[] | undefined; /** * The user's temporary password. This password must conform to the password policy that * you specified when you created the user pool. * The exception to the requirement for a password is when your user pool supports * passwordless sign-in with email or SMS OTPs. To create a user with no password, omit * this parameter or submit a blank value. You can only create a passwordless user when * passwordless sign-in is available. See <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SignInPolicyType.html">the SignInPolicyType</a> property of <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html">CreateUserPool</a> and <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html">UpdateUserPool</a>. * The temporary password is valid only once. To complete the Admin Create User flow, the * user must enter the temporary password in the sign-in page, along with a new password to * be used in all future sign-ins. * If you don't specify a value, Amazon Cognito generates one for you unless you have passwordless * options active for your user pool. * The temporary password can only be used until the user account expiration limit that * you set for your user pool. To reset the account after that time limit, you must call * <code>AdminCreateUser</code> again and specify <code>RESEND</code> for the * <code>MessageAction</code> parameter. * @public */ TemporaryPassword?: string | undefined; /** * This parameter is used only if the <code>phone_number_verified</code> or * <code>email_verified</code> attribute is set to <code>True</code>. Otherwise, it is * ignored. * If this parameter is set to <code>True</code> and the phone number or email address * specified in the UserAttributes parameter already exists as an alias with a different * user, the API call will migrate the alias from the previous user to the newly created * user. The previous user will no longer be able to log in using that alias. * If this parameter is set to <code>False</code>, the API throws an * <code>AliasExistsException</code> error if the alias already exists. The default * value is <code>False</code>. * @public */ ForceAliasCreation?: boolean | undefined; /** * Set to <code>RESEND</code> to resend the invitation message to a user that already * exists and reset the expiration limit on the user's account. Set to * <code>SUPPRESS</code> to suppress sending the message. You can specify only one * value. * @public */ MessageAction?: MessageActionType | undefined; /** * Specify <code>"EMAIL"</code> if email will be used to send the welcome message. * Specify <code>"SMS"</code> if the phone number will be used. The default value is * <code>"SMS"</code>. You can specify more than one value. * @public */ DesiredDeliveryMediums?: DeliveryMediumType[] | undefined; /** * A map of custom key-value pairs that you can provide as input for any custom workflows * that this action triggers. * You create custom workflows by assigning Lambda functions to user pool triggers. * When you use the AdminCreateUser API action, Amazon Cognito invokes the function that is assigned * to the pre sign-up trigger. When Amazon Cognito invokes this function, it * passes a JSON payload, which the function receives as input. This payload contains a * <code>clientMetadata</code> attribute, which provides the data that you assigned to * the ClientMetadata parameter in your AdminCreateUser request. In your function code in * Lambda, you can process the <code>clientMetadata</code> value to enhance your * workflow for your specific needs. * For more information, see <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html"> * Customizing user pool Workflows with Lambda Triggers</a> in the Amazon Cognito Developer Guide. * <note> * When you use the ClientMetadata parameter, remember that Amazon Cognito won't do the * following: * <ul> * <li> * Store the ClientMetadata value. This data is available only to Lambda * triggers that are assigned to a user pool to support custom workflows. If * your user pool configuration doesn't include triggers, the ClientMetadata * parameter serves no purpose. * </li> * <li> * Validate the ClientMetadata value. * </li> * <li> * Encrypt the ClientMetadata value. Don't use Amazon Cognito to provide sensitive * information. * </li> * </ul> * </note> * @public */ ClientMetadata?: Record<string, string> | undefined; } /** * * This data type is no longer supported. Applies only to SMS * multi-factor authentication (MFA) configurations. Does not apply to time-based one-time * password (TOTP) software token MFA configurations. * @public */ export interface MFAOptionType { /** * The delivery medium to send the MFA code. You can use this parameter to set only the * <code>SMS</code> delivery medium value. * @public */ DeliveryMedium?: DeliveryMediumType | undefined; /** * The attribute name of the MFA option type. The only valid value is * <code>phone_number</code>. * @public */ AttributeName?: string | undefined; } /** * @public * @enum */ export declare const UserStatusType: { readonly ARCHIVED: "ARCHIVED"; readonly COMPROMISED: "COMPROMISED"; readonly CONFIRMED: "CONFIRMED"; readonly EXTERNAL_PROVIDER: "EXTERNAL_PROVIDER"; readonly FORCE_CHANGE_PASSWORD: "FORCE_CHANGE_PASSWORD"; readonly RESET_REQUIRED: "RESET_REQUIRED"; readonly UNCONFIRMED: "UNCONFIRMED"; readonly UNKNOWN: "UNKNOWN"; }; /** * @public */ export type UserStatusType = (typeof UserStatusType)[keyof typeof UserStatusType]; /** * A user profile in a Amazon Cognito user pool. * This data type is a response parameter to <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminCreateUser.html">AdminCreateUser</a> and <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_ListUsers.html">ListUsers</a>. * @public */ export interface UserType { /** * The user's username. * @public */ Username?: string | undefined; /** * Names and values of a user's attributes, for example <code>email</code>. * @public */ Attributes?: AttributeType[] | undefined; /** * The date and time when the item was created. Amazon Cognito returns this timestamp in UNIX epoch time format. Your SDK might render the output in a * human-readable format like ISO 8601 or a Java <code>Date</code> object. * @public */ UserCreateDate?: Date | undefined; /** * The date and time when the item was modified. Amazon Cognito returns this timestamp in UNIX epoch time format. Your SDK might render the output in a * human-readable format like ISO 8601 or a Java <code>Date</code> object. * @public */ UserLastModifiedDate?: Date | undefined; /** * Indicates whether the user's account is enabled or disabled. * @public */ Enabled?: boolean | undefined; /** * The user status. This can be one of the following: * <ul> * <li> * UNCONFIRMED - User has been created but not confirmed. * </li> * <li> * CONFIRMED - User has been confirmed. * </li> * <li> * EXTERNAL_PROVIDER - User signed in with a third-party IdP. * </li> * <li> * UNKNOWN - User status isn't known. * </li> * <li> * RESET_REQUIRED - User is confirmed, but the user must request a code and reset * their password before they can sign in. * </li> * <li> * FORCE_CHANGE_PASSWORD - The user is confirmed and the user can sign in using a * temporary password, but on first sign-in, the user must change their password to * a new value before doing anything else. * </li> * </ul> * @public */ UserStatus?: UserStatusType | undefined; /** * The user's MFA configuration. * @public */ MFAOptions?: MFAOptionType[] | undefined; } /** * Represents the response from the server to the request to create the user. * @public */ export interface AdminCreateUserResponse { /** * The newly created user. * @public */ User?: UserType | undefined; } /** * This exception is thrown when a verification code fails to deliver * successfully. * @public */ export declare class CodeDeliveryFailureException extends __BaseException { readonly name: "CodeDeliveryFailureException"; readonly $fault: "client"; /** * @internal */ constructor(opts: __ExceptionOptionType<CodeDeliveryFailureException, __BaseException>); } /** * This exception is thrown when Amazon Cognito encounters an invalid password. * @public */ export declare class InvalidPasswordException extends __BaseException { readonly name: "InvalidPasswordException"; readonly $fault: "client"; /** * @internal */ constructor(opts: __ExceptionOptionType<InvalidPasswordException, __BaseException>); } /** * This exception is returned when the role provided for SMS configuration doesn't have * permission to publish using Amazon SNS. * @public */ export declare class InvalidSmsRoleAccessPolicyException extends __BaseException { readonly name: "InvalidSmsRoleAccessPolicyException"; readonly $fault: "client"; /** * @internal */ constructor(opts: __ExceptionOptionType<InvalidSmsRoleAccessPolicyException, __BaseException>); } /** * This exception is thrown when the trust relationship is not valid for the role * provided for SMS configuration. This can happen if you don't trust * <code>cognito-idp.amazonaws.com</code> or the external ID provided in the role does * not match what is provided in the SMS configuration for the user pool. * @public */ export declare class InvalidSmsRoleTrustRelationshipException extends __BaseException { readonly name: "InvalidSmsRoleTrustRelationshipException"; readonly $fault: "client"; /** * @internal */ constructor(opts: __ExceptionOptionType<InvalidSmsRoleTrustRelationshipException, __BaseException>); } /** * This exception is thrown when a precondition is not met. * @public */ export declare class PreconditionNotMetException extends __BaseException { readonly name: "PreconditionNotMetException"; readonly $fault: "client"; /** * @internal */ constructor(opts: __ExceptionOptionType<PreconditionNotMetException, __BaseException>); } /** * The request failed because the user is in an unsupported state. * @public */ export declare class UnsupportedUserStateException extends __BaseException { readonly name: "UnsupportedUserStateException"; readonly $fault: "client"; /** * @internal */ constructor(opts: __ExceptionOptionType<UnsupportedUserStateException, __BaseException>); } /** * This e