How do I recover a user password in Amazon Cognito?

3 minute read

I want to recover a user password in Amazon Cognito.


There are two ways to recover a user password in Amazon Cognito:

  • Through a verified email or phone number.
  • Through a user password through the administrator.

Email or phone number verification

You can use the ForgotPassword API command to recover a user password. The ForgotPassword API command sends a recovery code to a verified email or a verified phone number. The recovery code is valid for one hour. Then, use the ConfirmForgotPassword API command to enter a confirmation code that resets the password.

Note: If you receive errors when running AWS Command Line Interface (AWS CLI) commands, make sure that you’re using the most recent AWS CLI version.

AWS CLI commands:


aws cognito-idp forgot-password --client-id 38fjsnc484p94kpqsnet7mpld0 --username


  "CodeDeliveryDetails": {
    "Destination": "j***@e***.com",
    "DeliveryMedium": "EMAIL",
    "AttributeName": "email"


aws cognito-idp confirm-forgot-password --client-id 3n4b5urk1ft4fl3mg5e62d9ado --password PASSWORD --confirmation-code CONF_CODE

Note: You must pass --secret-hash in the CLI command if you meet both of the following requirements:

  • Your AWS CLI commands have --client-id as a parameter.
  • The app client is configured with a secret.

To calculate the secret hash of an app client, see [How do I troubleshoot "Unable to verify secret hash for client

" errors from my Amazon Cognito user pools API?](

Administrator reset

Note: If you're not an administrator, then contact your administrator to complete the following actions.

When you call the AdminResetUserPassword API command, the current password is invalidated, and you must change it. If a user tries to sign in after the API command is called, the app will do the following:

  • Get PasswordResetRequiredException back.
  • Direct the user to reset the password with the forgot password flow.

Additionally, calling the API results in sending a message to the user with a code to change their password if:

  • The user pool has phone verification set up, and
  • A verified phone number or email exists for the user.

AWS CLI commands:


aws cognito-idp admin-reset-user-password --user-pool-id us-west-2_aaaaaaaaa --username


aws cognito-idp confirm-forgot-password --client-id 3n4b5urk1ft4fl3mg5e62d9ado --username --password PASSWORD --confirmation-code CONF_CODE


As the administrator you can also use the AdminSetUserPassword API command to call the user's password in a user pool. The password can be temporary or permanent. If it's temporary, then the user status enters the FORCE_CHANGE_PASSWORD state. When you sign in, the InitiateAuth/AdminInitiateAuth response contains the NEW_PASSWORD_REQUIRED challenge. If you don't sign in before it expires, then you can't sign in, and you must reset the password. After you set a new password, or if the password is permanent, then the user status is set to CONFIRMED.

aws cognito-idp admin-set-user-password --user-pool-id us-west-2_aaaaaaaaa --username --password Hello@123 --permanent

AWS OFFICIALUpdated a year ago