## Sign-up
Create a new user in the Amazon Cognito UserPool by passing the new user's email address, password, and other attributes to `Auth.signUp`.
```ts
import { Auth } from 'aws-amplify';
type SignUpParameters = {
username: string;
password: string;
email: string;
phoneNumber: string;
};
export async function signUp({ username, password, email, phoneNumber }: SignUpParameters) {
try {
const { user } = await Auth.signUp({
username,
password,
attributes: {
email, // optional
phoneNumber, // optional - E.164 number convention
// other custom attributes
},
autoSignIn: {
// optional - enables auto sign in after user is confirmed
enabled: true,
},
});
console.log(user);
} catch (error) {
console.log('error signing up:', error);
}
}
```
```javascript
import { Auth } from 'aws-amplify';
async function signUp() {
try {
const { user } = await Auth.signUp({
username,
password,
attributes: {
email, // optional
phone_number, // optional - E.164 number convention
// other custom attributes
},
autoSignIn: { // optional - enables auto sign in after user is confirmed
enabled: true,
}
});
console.log(user);
} catch (error) {
console.log('error signing up:', error);
}
}
```
The `Auth.signUp` promise returns a data object of type [`ISignUpResult`](https://github.com/aws-amplify/amplify-js/blob/4644b4322ee260165dd756ca9faeb235445000e3/packages/amazon-cognito-identity-js/index.d.ts#L136-L139) with a [`CognitoUser`](https://github.com/aws-amplify/amplify-js/blob/4644b4322ee260165dd756ca9faeb235445000e3/packages/amazon-cognito-identity-js/index.d.ts#L48). `CognitoUser` contains a `userSub` which is a unique identifier of the authenticated user; the `userSub` is not the same as the `username`.
```js
{
user: CognitoUser;
userConfirmed: boolean;
userSub: string;
}
```
### Re-send sign up confirmation code
If user didn't get a confirmation code, you can use `resendSignUp` function to send a new one.
```ts
import { Auth } from 'aws-amplify';
type ResendConfCodeParameters = {
username: string;
};
export async function resendConfirmationCode({ username }: ResendConfCodeParameters) {
try {
await Auth.resendSignUp(username);
console.log('code resent successfully');
} catch (err) {
console.log('error resending code: ', err);
}
}
```
```js
import { Auth } from 'aws-amplify';
async function resendConfirmationCode() {
try {
await Auth.resendSignUp(username);
console.log('code resent successfully');
} catch (err) {
console.log('error resending code: ', err);
}
}
```
### Confirm sign up
If you enabled multi-factor auth, confirm the sign-up after retrieving a confirmation code from the user.
```ts
import { Auth } from 'aws-amplify';
type ConfirmSignUpParameters = {
username: string;
code: string;
};
export async function confirmSignUp({ username, code }: ConfirmSignUpParameters) {
try {
await Auth.confirmSignUp(username, code);
} catch (error) {
console.log('error confirming sign up', error);
}
}
```
```js
import { Auth } from 'aws-amplify';
async function confirmSignUp() {
try {
await Auth.confirmSignUp(username, code);
} catch (error) {
console.log('error confirming sign up', error);
}
}
```
As part of the options parameter, you can specify the `forceAliasCreation` boolean. By default
set to `True`. If set to `False` and the email or phone number used for sign up confirmation
already exists as an alias for a different user, the API will throw an `AliasExistsException`
error. If set to `True`, the API call will migrate the alias from the previous user to
a newly created user.
```ts
import { Auth } from 'aws-amplify';
type ConfirmSignUpParameters = {
username: string;
code: string;
};
export async function confirmSignUp({ username, code }: ConfirmSignUpParameters) {
try {
await Auth.confirmSignUp(username, code, {
forceAliasCreation: false,
});
} catch (error) {
console.log('error confirming sign up', error);
}
}
```
```js
import { Auth } from 'aws-amplify';
async function confirmSignUp() {
try {
await Auth.confirmSignUp(username, code, { forceAliasCreation: false });
} catch (error) {
console.log('error confirming sign up', error);
}
}
```
### Auto sign in after sign up
If you enabled `autoSignIn`, the `sign up` function will dispatch `autoSignIn` hub event after successful confirmation.
If authentication was successful, the event will contain `CognitoUser` in data object. If auto sign in failed, it will dispatch `autoSignIn_failure` event.
```js
import { Hub } from 'aws-amplify';
function listenToAutoSignInEvent() {
Hub.listen('auth', ({ payload }) => {
const { event } = payload;
if (event === 'autoSignIn') {
const user = payload.data;
// assign user
} else if (event === 'autoSignIn_failure') {
// redirect to sign in page
}
})
}
```
### Custom Attributes
To create a custom attribute during your sign-up process, add it to the attributes field of the signUp method prepended with `custom:`.
```js
Auth.signUp({
username,
password,
attributes: {
email,
'custom:favorite_flavor': 'Cookie Dough' // custom attribute, not standard
}
})
```
> Amazon Cognito does not dynamically create custom attributes on sign up. In order to use a custom attribute, the attribute must be first [created in the user pool](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html). To open the User Pool to create custom attributes using the Amplify ClI, run `amplify console auth`. If you are not using the Amplify CLI, you can view the user pool by visiting the AWS console and opening the Amazon Cognito dashboard.
## Sign-in
After a user has finished signing up, they can proceed to sign in. When signing in with user name and password, you will pass in the username and the password to the `signIn()` method of the Auth class.
```ts
import { Auth } from 'aws-amplify';
type SignInParameters = {
username: string;
password: string;
};
export async function signIn({ username, password }: SignInParameters) {
try {
const user = await Auth.signIn(username, password);
} catch (error) {
console.log('error signing in', error);
}
}
```
```js
import { Auth } from 'aws-amplify';
async function signIn() {
try {
const user = await Auth.signIn(username, password);
} catch (error) {
console.log('error signing in', error);
}
}
```
The sign in flows can be as simple as just a user name and password as shown above, or multi-step process based on how Auth was configured. Amazon Cognito will return a user object when `Auth.signIn` is called that contains `challengeName` and `challengeParam`. Depending on what is enabled for each user, they may need to pass additional challenges such as multi-factor authentication (MFA), time-based one time password (TOTP), or a custom challenge such as CAPTCHA.
Based on the two parameters returned in the user object, you can then call the corresponding functions below:
### Confirm sign in with SMS MFA
If the user has SMS Multi-Factor Authentication (MFA) enabled, Cognito responds with a challenge that requires the user to provide an SMS verification code. This is where you can trigger `Auth.confirmSignIn()` and pass in the code provided by the user. Amplify will then verify with Cognito that the SMS code is valid and complete the sign in process via Cognito returning access, ID, and refresh tokens that are all handled by Amplify internally.
```javascript
import { Auth } from 'aws-amplify';
async function signInWithMFA() {
try {
const user = await Auth.signIn(username, password);
if (
user.challengeName === 'SMS_MFA' ||
user.challengeName === 'SOFTWARE_TOKEN_MFA'
) {
// You need to get the code from the UI inputs
// and then trigger the following function with a button click.
const code = getCodeFromUserInput();
const mfaType = getMFATypeFromUserInput();
// If MFA is enabled, sign-in should be confirmed with the confirmation code
const loggedUser = await Auth.confirmSignIn(
user, // Return object from Auth.signIn()
code, // Confirmation code
mfaType // MFA Type e.g. SMS_MFA, SOFTWARE_TOKEN_MFA
);
console.log(loggedUser)
} else {
// The user directly signs in
console.log(user)
}
} catch (error) {
console.log(`error signing in`, error);
}
};
```
### Confirm sign in with custom challenge
If you have implemented custom challenges within your authentication flow, Cognito will respond to a sign in attempt with a `challengeName` and `challengeParam`. Once again, Cognito will validate the the user's response and provide the necessary tokens if successful and resolves the `Auth.signIn()` promise.
```javascript
import { Auth } from 'aws-amplify';
async function signInWithCustomChallenge() {
try {
const user = await Auth.signIn(username, password)
if (user.challengeName === 'CUSTOM_CHALLENGE') {
const challengeResponse = getChallengeResponseFromUserInput();
// to send the answer of the custom challenge
const loggedUser = await Auth.sendCustomChallengeAnswer(user, challengeResponse)
console.log(loggedUser)
} else {
console.log(user);
}
} catch(err => console.log(err));
}
```
### Confirm sign in with new password
New users can be created from the [Cognito console](https://console.aws.amazon.com/cognito/home) for your app, which then forces the user to input a new password and any "required attributes" that may have been optionally configured to complete the sign in flow. If the user object returned by `Auth.signIn()` contains the `NEW_PASSWORD_REQUIRED` for the `challengeName`, you can submit the data using the `Auth.completeNewPassword()` method as well.
```javascript
import { Auth } from 'aws-amplify';
async function signInWithNewPassword() {
try {
const user = await Auth.signIn(username, password);
if (user.challengeName === 'NEW_PASSWORD_REQUIRED`) {
// Required attributes are OPTIONAL, but if they were configured
// you need to get these in addition to new password from UI inputs
const { requiredAttributes } = user.challengeParam;
// Example if email and phone_number were required attributes
const { username, email, phone_number } = getInfoFromUserInput();
const loggedUser = await Auth.completeNewPassword(
user, // the Cognito User Object
newPassword, // the new password
// OPTIONAL, the required attributes
{
email,
phone_number
}
);
console.log(loggedUser)
}
} catch (error) {
console.log('Error confirming sign in with new password', error);
}
}
```
For further examples of Authentication using MFA, custom challenges, or custom validation data for AWS Lambda Triggers, refer to the [advanced use cases](/lib/auth/mfa/q/platform/js/#advanced-use-cases).
## Sign-out
```ts
import { Auth } from 'aws-amplify';
export async function signOut() {
try {
await Auth.signOut();
} catch (error) {
console.log('error signing out: ', error);
}
}
```
```js
import { Auth } from 'aws-amplify';
async function signOut() {
try {
await Auth.signOut();
} catch (error) {
console.log('error signing out: ', error);
}
}
```
[Amazon Cognito now supports token revocation](https://aws.amazon.com/about-aws/whats-new/2021/06/amazon-cognito-now-supports-targeted-sign-out-through-refresh-token-revocation/) and Amplify (from version 4.1.0) will revoke Amazon Cognito tokens if the application is online. This means Cognito refresh token cannot be used anymore to generate new Access and Id Tokens.
Access and Id Tokens are short-lived (60 minutes by default but can be set from 5 minutes to 1 day). After revocation these tokens cannot be used with Cognito User Pools anymore, however they are still valid when used with other services like AppSync or API Gateway.
For limiting subsequent calls to these other services after invalidating tokens, we recommend lowering token expiration time for your app client in the Cognito User Pools console. If you are using the Amplify CLI this can be accessed by running `amplify console auth`.
Token revocation is enabled automatically on new Amazon Cognito User Pools, however existing User Pools must enable this feature, [using the Cognito Console or AWS CLI](https://docs.aws.amazon.com/cognito/latest/developerguide/token-revocation.html)
### Global sign-out
By doing this, you sign out users from all devices. It also invalidates all refresh tokens issued to a user. The user's current access and Id tokens remain valid until their expiry. Access and Id tokens expire one hour after they are issued.
```ts
import { Auth } from 'aws-amplify';
export async function signOut() {
try {
await Auth.signOut({ global: true });
} catch (error) {
console.log('error signing out: ', error);
}
}
```
```js
import { Auth } from 'aws-amplify';
async function signOut() {
try {
await Auth.signOut({ global: true });
} catch (error) {
console.log('error signing out: ', error);
}
}
```