User-interactive managed login and classic hosted UI endpoints - Amazon Cognito
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

User-interactive managed login and classic hosted UI endpoints

Amazon Cognito activates the managed login endpoints in this section when you add a domain to your user pool. They are webpages where your users can complete the core authentication operations of a user pool. They include pages for password management, multi-factor authentication (MFA), and attribute verification.

The webpages that make up managed login are a front-end web application for interactive user sessions with your customers. Your app must invoke managed login in your users' browsers. Amazon Cognito doesn't support programmatic access to the webpages in this chapter. Those federation endpoints in the Identity provider and relying party endpoints that return a JSON response can be queried directly in your app code. The Authorize endpoint redirects either to managed login or to an IdP sign-in page and also must be opened in users' browsers.

All user pool endpoints accept traffic from IPv4 and IPv6 source IP addresses.

The topics in this guide describe frequently-used managed login and classic hosted UI endpoints in detail. The difference between managed login and the hosted UI is visible, not functional. Except for /passkeys/add, all paths are shared between the two versions of managed login branding.

Amazon Cognito makes the webpages that follow available when you assign a domain to your user pool.

Managed login endpoints
Endpoint URL Description How it's accessed
https://Your user pool domain/login Signs in user pool local and federated users.

Redirect from endpoints like Authorize endpoint, /logout, and /confirmforgotPassword. See Login endpoint.

https://Your user pool domain/logout Signs out user pool users.

Direct link. See Logout endpoint.

https://Your user pool domain/confirmUser Confirms users who have selected an email link to verify their user account.

User selected link in an email message.

https://Your user pool domain/signup Signs up a new user. The /login page directs your user to /signup when they select Sign up.

Direct link with same parameters as /oauth2/authorize.

https://Your user pool domain/confirm After your user pool sends a confirmation code to a user who signed up, prompts your user for the code.

Redirect-only from /signup.

https://Your user pool domain/forgotPassword Prompts your user for their user name and sends a password-reset code. The /login page directs your user to /forgotPassword when they select Forgot your password?.
  1. From Forgot password link at /login.

  2. Direct link with same parameters as /oauth2/authorize.

https://Your user pool domain/confirmforgotPassword Prompts your user for their password-reset code and a new password. The /forgotPassword page directs your user to /confirmforgotPassword when they select Reset your password. Redirect-only from /forgotPassword.
https://Your user pool domain/resendcode Sends a new confirmation code to a user who has signed up in your user pool.

Redirect-only from Send a new code link at /confirm.

https://Your user pool domain/passkeys/add Registers a new passkey. Only available in managed login.
  • In the sign-up flow after confirmation in app clients that support passkey authentication.

  • Direct link with same parameters as /oauth2/authorize.