@aws-sdk/client-cognito-identity-provider 3.865.0 → 3.873.0

package/dist-types/models/models_1.d.ts

@@ -1,7 +1,222 @@
 import { ExceptionOptionType as __ExceptionOptionType } from "@smithy/smithy-client";
 import { DocumentType as __DocumentType } from "@smithy/types";
 import { CognitoIdentityProviderServiceException as __BaseException } from "./CognitoIdentityProviderServiceException";
-import { AccountRecoverySettingType, AccountTakeoverRiskConfigurationType, AdminCreateUserConfigType, AnalyticsConfigurationType, AnalyticsMetadataType, AssetType, AttributeType, AuthenticationResultType, AuthFactorType, AuthFlowType, ChallengeNameType, CodeDeliveryDetailsType, CompromisedCredentialsRiskConfigurationType, CustomDomainConfigType, DeletionProtectionType, DeviceConfigurationType, DeviceRememberedStatusType, DeviceType, EmailConfigurationType, EmailMfaSettingsType, ExplicitAuthFlowsType, FeedbackValueType, GroupType, IdentityProviderType, IdentityProviderTypeType, LambdaConfigType, LogConfigurationType, LogDeliveryConfigurationType, ManagedLoginBrandingType, MFAOptionType, OAuthFlowType, PreventUserExistenceErrorTypes, RefreshTokenRotationType, ResourceServerScopeType, ResourceServerType, RiskConfigurationType, RiskExceptionConfigurationType, SmsConfigurationType, SMSMfaSettingsType, SoftwareTokenMfaSettingsType, StatusType, TokenValidityUnitsType, UICustomizationType, UserAttributeUpdateSettingsType, UserContextDataType, UserImportJobType, UserPoolAddOnsType, UserPoolClientType, UserPoolMfaType, UserPoolPolicyType, UserPoolTierType, UserType, VerificationMessageTemplateType, VerifiedAttributeType } from "./models_0";
+import { AccountRecoverySettingType, AccountTakeoverRiskConfigurationType, AdminCreateUserConfigType, AnalyticsConfigurationType, AnalyticsMetadataType, AssetType, AttributeType, AuthenticationResultType, AuthFactorType, AuthFlowType, ChallengeNameType, CodeDeliveryDetailsType, CompromisedCredentialsRiskConfigurationType, CustomDomainConfigType, DeletionProtectionType, DeviceConfigurationType, DeviceRememberedStatusType, DeviceType, EmailConfigurationType, EmailMfaSettingsType, ExplicitAuthFlowsType, FeedbackValueType, GroupType, IdentityProviderType, IdentityProviderTypeType, LambdaConfigType, LogConfigurationType, LogDeliveryConfigurationType, ManagedLoginBrandingType, MFAOptionType, OAuthFlowType, PreventUserExistenceErrorTypes, RefreshTokenRotationType, ResourceServerScopeType, ResourceServerType, RiskConfigurationType, RiskExceptionConfigurationType, SmsConfigurationType, SMSMfaSettingsType, SoftwareTokenMfaSettingsType, StatusType, TermsEnforcementType, TermsSourceType, TermsType, TokenValidityUnitsType, UserAttributeUpdateSettingsType, UserContextDataType, UserImportJobType, UserPoolAddOnsType, UserPoolClientType, UserPoolMfaType, UserPoolPolicyType, UserPoolTierType, UserType, VerificationMessageTemplateType, VerifiedAttributeType } from "./models_0";
+/**
+ * @public
+ */
+export interface GetTokensFromRefreshTokenResponse {
+    /**
+     * <p>The object that your application receives after authentication. Contains tokens and
+     *             information for device authentication.</p>
+     * @public
+     */
+    AuthenticationResult?: AuthenticationResultType | undefined;
+}
+/**
+ * <p>This exception is throw when your application requests token refresh with a refresh
+ *             token that has been invalidated by refresh-token rotation.</p>
+ * @public
+ */
+export declare class RefreshTokenReuseException extends __BaseException {
+    readonly name: "RefreshTokenReuseException";
+    readonly $fault: "client";
+    /**
+     * @internal
+     */
+    constructor(opts: __ExceptionOptionType<RefreshTokenReuseException, __BaseException>);
+}
+/**
+ * @public
+ */
+export interface GetUICustomizationRequest {
+    /**
+     * <p>The ID of the user pool that you want to query for branding settings.</p>
+     * @public
+     */
+    UserPoolId: string | undefined;
+    /**
+     * <p>The ID of the app client that you want to query for branding settings.</p>
+     * @public
+     */
+    ClientId?: string | undefined;
+}
+/**
+ * <p>A container for the UI customization information for the hosted UI in a user
+ *             pool.</p>
+ * @public
+ */
+export interface UICustomizationType {
+    /**
+     * <p>The ID of the user pool with hosted UI customizations.</p>
+     * @public
+     */
+    UserPoolId?: string | undefined;
+    /**
+     * <p>The app client ID for your UI customization. When this value isn't present, the
+     *             customization applies to all user pool app clients that don't have client-level
+     *             settings..</p>
+     * @public
+     */
+    ClientId?: string | undefined;
+    /**
+     * <p>A URL path to the hosted logo image of your UI customization.</p>
+     * @public
+     */
+    ImageUrl?: string | undefined;
+    /**
+     * <p>The CSS values in the UI customization.</p>
+     * @public
+     */
+    CSS?: string | undefined;
+    /**
+     * <p>The CSS version number.</p>
+     * @public
+     */
+    CSSVersion?: string | undefined;
+    /**
+     * <p>The date and time when the item was modified. Amazon Cognito returns this timestamp in UNIX epoch time format. Your SDK might render the output in a
+     * human-readable format like ISO 8601 or a Java <code>Date</code> object.</p>
+     * @public
+     */
+    LastModifiedDate?: Date | undefined;
+    /**
+     * <p>The date and time when the item was created. Amazon Cognito returns this timestamp in UNIX epoch time format. Your SDK might render the output in a
+     * human-readable format like ISO 8601 or a Java <code>Date</code> object.</p>
+     * @public
+     */
+    CreationDate?: Date | undefined;
+}
+/**
+ * @public
+ */
+export interface GetUICustomizationResponse {
+    /**
+     * <p>Information about the classic hosted UI custom CSS and logo-image branding that you
+     *             applied to the user pool or app client.</p>
+     * @public
+     */
+    UICustomization: UICustomizationType | undefined;
+}
+/**
+ * <p>Represents the request to get information about the user.</p>
+ * @public
+ */
+export interface GetUserRequest {
+    /**
+     * <p>A valid access token that Amazon Cognito issued to the currently signed-in user. Must include a scope claim for
+     * <code>aws.cognito.signin.user.admin</code>.</p>
+     * @public
+     */
+    AccessToken: string | undefined;
+}
+/**
+ * <p>Represents the response from the server from the request to get information about the
+ *             user.</p>
+ * @public
+ */
+export interface GetUserResponse {
+    /**
+     * <p>The name of the user that you requested.</p>
+     * @public
+     */
+    Username: string | undefined;
+    /**
+     * <p>An array of name-value pairs representing user attributes.</p>
+     *          <p>Custom attributes are prepended with the <code>custom:</code> prefix.</p>
+     * @public
+     */
+    UserAttributes: AttributeType[] | undefined;
+    /**
+     * <p>
+     *             <i>This response parameter is no longer supported.</i> It provides
+     *             information only about SMS MFA configurations. It doesn't provide information about
+     *             time-based one-time password (TOTP) software token MFA configurations. To look up
+     *             information about either type of MFA configuration, use UserMFASettingList
+     *             instead.</p>
+     * @public
+     */
+    MFAOptions?: MFAOptionType[] | undefined;
+    /**
+     * <p>The user's preferred MFA. Users can prefer SMS message, email message, or TOTP
+     *             MFA.</p>
+     * @public
+     */
+    PreferredMfaSetting?: string | undefined;
+    /**
+     * <p>The MFA options that are activated for the user. The possible values in this list are
+     *                 <code>SMS_MFA</code>, <code>EMAIL_OTP</code>, and
+     *             <code>SOFTWARE_TOKEN_MFA</code>.</p>
+     * @public
+     */
+    UserMFASettingList?: string[] | undefined;
+}
+/**
+ * <p>Represents the request to get user attribute verification.</p>
+ * @public
+ */
+export interface GetUserAttributeVerificationCodeRequest {
+    /**
+     * <p>A valid access token that Amazon Cognito issued to the currently signed-in user. Must include a scope claim for
+     * <code>aws.cognito.signin.user.admin</code>.</p>
+     * @public
+     */
+    AccessToken: string | undefined;
+    /**
+     * <p>The name of the attribute that the user wants to verify, for example
+     *                 <code>email</code>.</p>
+     * @public
+     */
+    AttributeName: string | undefined;
+    /**
+     * <p>A map of custom key-value pairs that you can provide as input for any custom workflows
+     *             that this action triggers.</p>
+     *          <p>You create custom workflows by assigning Lambda functions to user pool
+     *             triggers. When you use the GetUserAttributeVerificationCode API action, Amazon Cognito invokes
+     *             the function that is assigned to the <i>custom message</i> trigger. When
+     *             Amazon Cognito invokes this function, it passes a JSON payload, which the function receives as
+     *             input. This payload contains a <code>clientMetadata</code> attribute, which provides the
+     *             data that you assigned to the ClientMetadata parameter in your
+     *             GetUserAttributeVerificationCode request. In your function code in Lambda, you can process the <code>clientMetadata</code> value to enhance your workflow for
+     *             your specific needs.</p>
+     *          <p>For more information, see <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html">
+     * Using Lambda triggers</a> in the <i>Amazon Cognito Developer Guide</i>.</p>
+     *          <note>
+     *             <p>When you use the <code>ClientMetadata</code> parameter, note that Amazon Cognito won't do the
+     *                 following:</p>
+     *             <ul>
+     *                <li>
+     *                   <p>Store the <code>ClientMetadata</code> value. This data is available only
+     *                         to Lambda triggers that are assigned to a user pool to support custom
+     *                         workflows. If your user pool configuration doesn't include triggers, the
+     *                         <code>ClientMetadata</code> parameter serves no purpose.</p>
+     *                </li>
+     *                <li>
+     *                   <p>Validate the <code>ClientMetadata</code> value.</p>
+     *                </li>
+     *                <li>
+     *                   <p>Encrypt the <code>ClientMetadata</code> value. Don't send sensitive
+     *                         information in this parameter.</p>
+     *                </li>
+     *             </ul>
+     *          </note>
+     * @public
+     */
+    ClientMetadata?: Record<string, string> | undefined;
+}
+/**
+ * <p>The verification code response returned by the server response to get the user
+ *             attribute verification code.</p>
+ * @public
+ */
+export interface GetUserAttributeVerificationCodeResponse {
+    /**
+     * <p>Information about the delivery destination of the user attribute verification
+     *             code.</p>
+     * @public
+     */
+    CodeDeliveryDetails?: CodeDeliveryDetailsType | undefined;
+}
 /**
  * @public
  */
@@ -293,42 +508,82 @@ export interface InitiateAuthRequest {
     /**
      * <p>The authentication parameters. These are inputs corresponding to the
      *                 <code>AuthFlow</code> that you're invoking.</p>
-     *          <p>The required values are specific to the <a>InitiateAuthRequest$AuthFlow</a>.</p>
      *          <p>The following are some authentication flows and their parameters. Add a
-     *                 <code>SECRET_HASH</code> parameter if your app client has a client secret.</p>
-     *          <ul>
-     *             <li>
-     *                <p>
-     *                   <code>USER_AUTH</code>: <code>USERNAME</code> (required),
-     *                         <code>PREFERRED_CHALLENGE</code>. If you don't provide a value for
-     *                         <code>PREFERRED_CHALLENGE</code>, Amazon Cognito responds with the
-     *                         <code>AvailableChallenges</code> parameter that specifies the available
-     *                     sign-in methods.</p>
-     *             </li>
-     *             <li>
-     *                <p>
-     *                   <code>USER_SRP_AUTH</code>: <code>USERNAME</code> (required),
-     *                         <code>SRP_A</code> (required), <code>DEVICE_KEY</code>.</p>
-     *             </li>
-     *             <li>
-     *                <p>
-     *                   <code>USER_PASSWORD_AUTH</code>: <code>USERNAME</code> (required),
-     *                         <code>PASSWORD</code> (required), <code>DEVICE_KEY</code>.</p>
-     *             </li>
-     *             <li>
-     *                <p>
-     *                   <code>REFRESH_TOKEN_AUTH/REFRESH_TOKEN</code>: <code>REFRESH_TOKEN</code>
-     *                     (required), <code>DEVICE_KEY</code>.</p>
-     *             </li>
-     *             <li>
-     *                <p>
-     *                   <code>CUSTOM_AUTH</code>: <code>USERNAME</code> (required),
-     *                         <code>SECRET_HASH</code> (if app client is configured with client secret),
-     *                         <code>DEVICE_KEY</code>. To start the authentication flow with password
-     *                     verification, include <code>ChallengeName: SRP_A</code> and <code>SRP_A: (The
-     *                         SRP_A Value)</code>.</p>
-     *             </li>
-     *          </ul>
+     *                 <code>SECRET_HASH</code> parameter if your app client has a client secret. Add
+     *                 <code>DEVICE_KEY</code> if you want to bypass multi-factor authentication with a
+     *             remembered device. </p>
+     *          <dl>
+     *             <dt>USER_AUTH</dt>
+     *             <dd>
+     *                <ul>
+     *                   <li>
+     *                      <p>
+     *                         <code>USERNAME</code> (required)</p>
+     *                   </li>
+     *                   <li>
+     *                      <p>
+     *                         <code>PREFERRED_CHALLENGE</code>. If you don't provide a
+     *                                 value for <code>PREFERRED_CHALLENGE</code>, Amazon Cognito responds with the
+     *                                     <code>AvailableChallenges</code> parameter that specifies the
+     *                                 available sign-in methods.</p>
+     *                   </li>
+     *                </ul>
+     *             </dd>
+     *             <dt>USER_SRP_AUTH</dt>
+     *             <dd>
+     *                <ul>
+     *                   <li>
+     *                      <p>
+     *                         <code>USERNAME</code> (required)</p>
+     *                   </li>
+     *                   <li>
+     *                      <p>
+     *                         <code>SRP_A</code> (required)</p>
+     *                   </li>
+     *                </ul>
+     *             </dd>
+     *             <dt>USER_PASSWORD_AUTH</dt>
+     *             <dd>
+     *                <ul>
+     *                   <li>
+     *                      <p>
+     *                         <code>USERNAME</code> (required)</p>
+     *                   </li>
+     *                   <li>
+     *                      <p>
+     *                         <code>PASSWORD</code> (required)</p>
+     *                   </li>
+     *                </ul>
+     *             </dd>
+     *             <dt>REFRESH_TOKEN_AUTH/REFRESH_TOKEN</dt>
+     *             <dd>
+     *                <ul>
+     *                   <li>
+     *                      <p>
+     *                         <code>REFRESH_TOKEN</code>(required)</p>
+     *                   </li>
+     *                </ul>
+     *             </dd>
+     *             <dt>CUSTOM_AUTH</dt>
+     *             <dd>
+     *                <ul>
+     *                   <li>
+     *                      <p>
+     *                         <code>USERNAME</code> (required)</p>
+     *                   </li>
+     *                   <li>
+     *                      <p>
+     *                         <code>ChallengeName: SRP_A</code> (when doing SRP authentication
+     *                                 before custom challenges)</p>
+     *                   </li>
+     *                   <li>
+     *                      <p>
+     *                         <code>SRP_A: (An SRP_A value)</code> (when doing SRP
+     *                                 authentication before custom challenges)</p>
+     *                   </li>
+     *                </ul>
+     *             </dd>
+     *          </dl>
      *          <p>For more information about <code>SECRET_HASH</code>, see <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/signing-up-users-in-your-app.html#cognito-user-pools-computing-secret-hash">Computing secret hash values</a>. For information about
      *             <code>DEVICE_KEY</code>, see <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-device-tracking.html">Working with user devices in your user pool</a>.</p>
      * @public
@@ -452,59 +707,66 @@ export interface InitiateAuthResponse {
      *          <p>Possible challenges include the following:</p>
      *          <note>
      *             <p>All of the following challenges require <code>USERNAME</code> and, when the app
-     *                 client has a client secret, <code>SECRET_HASH</code> in the parameters.</p>
+     *                 client has a client secret, <code>SECRET_HASH</code> in the parameters. Include a
+     *                 <code>DEVICE_KEY</code> for device authentication.</p>
      *          </note>
      *          <ul>
      *             <li>
      *                <p>
      *                   <code>WEB_AUTHN</code>: Respond to the challenge with the results of a
-     *                     successful authentication with a WebAuthn authenticator, or passkey. Examples
-     *                     of WebAuthn authenticators include biometric devices and security keys.</p>
+     *                     successful authentication with a WebAuthn authenticator, or passkey, as
+     *                     <code>CREDENTIAL</code>. Examples of WebAuthn authenticators include
+     *                     biometric devices and security keys.</p>
+     *             </li>
+     *             <li>
+     *                <p>
+     *                   <code>PASSWORD</code>: Respond with the user's password as <code>PASSWORD</code>.</p>
      *             </li>
      *             <li>
      *                <p>
-     *                   <code>PASSWORD</code>: Respond with <code>USER_PASSWORD_AUTH</code>
-     *                     parameters: <code>USERNAME</code> (required), <code>PASSWORD</code> (required),
-     *                         <code>SECRET_HASH</code> (required if the app client is configured with a
-     *                     client secret), <code>DEVICE_KEY</code>.</p>
+     *                   <code>PASSWORD_SRP</code>: Respond with the initial SRP secret as <code>SRP_A</code>.</p>
      *             </li>
      *             <li>
      *                <p>
-     *                   <code>PASSWORD_SRP</code>: Respond with <code>USER_SRP_AUTH</code> parameters:
-     *                         <code>USERNAME</code> (required), <code>SRP_A</code> (required),
-     *                         <code>SECRET_HASH</code> (required if the app client is configured with a
-     *                     client secret), <code>DEVICE_KEY</code>.</p>
+     *                   <code>SELECT_CHALLENGE</code>: Respond with a challenge selection as <code>ANSWER</code>.
+     *                 It must be one of the challenge types in the <code>AvailableChallenges</code> response
+     *                 parameter. Add the parameters of the selected challenge, for example <code>USERNAME</code>
+     *                 and <code>SMS_OTP</code>.</p>
      *             </li>
      *             <li>
      *                <p>
-     *                   <code>SELECT_CHALLENGE</code>: Respond to the challenge with
-     *                         <code>USERNAME</code> and an <code>ANSWER</code> that matches one of the
-     *                     challenge types in the <code>AvailableChallenges</code> response
-     *                     parameter.</p>
+     *                   <code>SMS_MFA</code>: Respond with the code that your user pool delivered in an SMS
+     *                     message, as <code>SMS_MFA_CODE</code>
+     *                </p>
      *             </li>
      *             <li>
      *                <p>
-     *                   <code>SMS_MFA</code>: Respond with an
-     *                     <code>SMS_MFA_CODE</code> that your user pool delivered in an SMS message.</p>
+     *                   <code>EMAIL_MFA</code>: Respond with the code that your user pool delivered in an email
+     *                     message, as <code>EMAIL_MFA_CODE</code>
+     *                </p>
      *             </li>
      *             <li>
      *                <p>
-     *                   <code>EMAIL_OTP</code>: Respond with an
-     *                         <code>EMAIL_OTP_CODE</code> that your user pool delivered in an email
-     *                     message.</p>
+     *                   <code>EMAIL_OTP</code>: Respond with the code that your user pool delivered in an email
+     *                     message, as <code>EMAIL_OTP_CODE</code> .</p>
      *             </li>
      *             <li>
      *                <p>
-     *                   <code>PASSWORD_VERIFIER</code>: Respond with
-     *                         <code>PASSWORD_CLAIM_SIGNATURE</code>,
-     *                         <code>PASSWORD_CLAIM_SECRET_BLOCK</code>, and <code>TIMESTAMP</code> after
-     *                     client-side SRP calculations.</p>
+     *                   <code>SMS_OTP</code>: Respond with the code that your user pool delivered in an SMS
+     *                     message, as <code>SMS_OTP_CODE</code>.</p>
+     *             </li>
+     *             <li>
+     *                <p>
+     *                   <code>PASSWORD_VERIFIER</code>: Respond with the second stage of SRP secrets as
+     *                         <code>PASSWORD_CLAIM_SIGNATURE</code>, <code>PASSWORD_CLAIM_SECRET_BLOCK</code>,
+     *                         and <code>TIMESTAMP</code>.</p>
      *             </li>
      *             <li>
      *                <p>
      *                   <code>CUSTOM_CHALLENGE</code>: This is returned if your custom authentication
      *                     flow determines that the user should pass another challenge before tokens are
-     *                     issued. The parameters of the challenge are determined by your Lambda function.</p>
+     *                     issued. The parameters of the challenge are determined by your Lambda function
+     *                     and issued in the <code>ChallengeParameters</code> of a challenge response.</p>
      *             </li>
      *             <li>
      *                <p>
@@ -811,6 +1073,84 @@ export interface ListTagsForResourceResponse {
      */
     Tags?: Record<string, string> | undefined;
 }
+/**
+ * @public
+ */
+export interface ListTermsRequest {
+    /**
+     * <p>The ID of the user pool where you want to list terms documents.</p>
+     * @public
+     */
+    UserPoolId: string | undefined;
+    /**
+     * <p>The maximum number of terms documents that you want Amazon Cognito to return in the
+     *             response.</p>
+     * @public
+     */
+    MaxResults?: number | undefined;
+    /**
+     * <p>This API operation returns a limited number of results. The pagination token is
+     * an identifier that you can present in an additional API request with the same parameters. When
+     * you include the pagination token, Amazon Cognito returns the next set of items after the current list.
+     * Subsequent requests return a new pagination token. By use of this token, you can paginate
+     * through the full list of items.</p>
+     * @public
+     */
+    NextToken?: string | undefined;
+}
+/**
+ * <p>The details of a set of terms documents. For more information, see <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-managed-login.html#managed-login-terms-documents">Terms documents</a>.</p>
+ * @public
+ */
+export interface TermsDescriptionType {
+    /**
+     * <p>The ID of the requested terms documents.</p>
+     * @public
+     */
+    TermsId: string | undefined;
+    /**
+     * <p>The type and friendly name of the requested terms documents.</p>
+     * @public
+     */
+    TermsName: string | undefined;
+    /**
+     * <p>This parameter is reserved for future use and currently accepts one value.</p>
+     * @public
+     */
+    Enforcement: TermsEnforcementType | undefined;
+    /**
+     * <p>The date and time when the item was created. Amazon Cognito returns this timestamp in UNIX epoch time format. Your SDK might render the output in a
+     * human-readable format like ISO 8601 or a Java <code>Date</code> object.</p>
+     * @public
+     */
+    CreationDate: Date | undefined;
+    /**
+     * <p>The date and time when the item was modified. Amazon Cognito returns this timestamp in UNIX epoch time format. Your SDK might render the output in a
+     * human-readable format like ISO 8601 or a Java <code>Date</code> object.</p>
+     * @public
+     */
+    LastModifiedDate: Date | undefined;
+}
+/**
+ * @public
+ */
+export interface ListTermsResponse {
+    /**
+     * <p>A summary of the requested terms documents. Includes unique identifiers for later
+     *             changes to the terms documents.</p>
+     * @public
+     */
+    Terms: TermsDescriptionType[] | undefined;
+    /**
+     * <p>This API operation returns a limited number of results. The pagination token is
+     * an identifier that you can present in an additional API request with the same parameters. When
+     * you include the pagination token, Amazon Cognito returns the next set of items after the current list.
+     * Subsequent requests return a new pagination token. By use of this token, you can paginate
+     * through the full list of items.</p>
+     * @public
+     */
+    NextToken?: string | undefined;
+}
 /**
  * <p>Represents the request to list the user import jobs.</p>
  * @public
@@ -1394,59 +1734,66 @@ export interface RespondToAuthChallengeRequest {
      *          <p>Possible challenges include the following:</p>
      *          <note>
      *             <p>All of the following challenges require <code>USERNAME</code> and, when the app
-     *                 client has a client secret, <code>SECRET_HASH</code> in the parameters.</p>
+     *                 client has a client secret, <code>SECRET_HASH</code> in the parameters. Include a
+     *                 <code>DEVICE_KEY</code> for device authentication.</p>
      *          </note>
      *          <ul>
      *             <li>
      *                <p>
      *                   <code>WEB_AUTHN</code>: Respond to the challenge with the results of a
-     *                     successful authentication with a WebAuthn authenticator, or passkey. Examples
-     *                     of WebAuthn authenticators include biometric devices and security keys.</p>
+     *                     successful authentication with a WebAuthn authenticator, or passkey, as
+     *                     <code>CREDENTIAL</code>. Examples of WebAuthn authenticators include
+     *                     biometric devices and security keys.</p>
      *             </li>
      *             <li>
      *                <p>
-     *                   <code>PASSWORD</code>: Respond with <code>USER_PASSWORD_AUTH</code>
-     *                     parameters: <code>USERNAME</code> (required), <code>PASSWORD</code> (required),
-     *                         <code>SECRET_HASH</code> (required if the app client is configured with a
-     *                     client secret), <code>DEVICE_KEY</code>.</p>
+     *                   <code>PASSWORD</code>: Respond with the user's password as <code>PASSWORD</code>.</p>
      *             </li>
      *             <li>
      *                <p>
-     *                   <code>PASSWORD_SRP</code>: Respond with <code>USER_SRP_AUTH</code> parameters:
-     *                         <code>USERNAME</code> (required), <code>SRP_A</code> (required),
-     *                         <code>SECRET_HASH</code> (required if the app client is configured with a
-     *                     client secret), <code>DEVICE_KEY</code>.</p>
+     *                   <code>PASSWORD_SRP</code>: Respond with the initial SRP secret as <code>SRP_A</code>.</p>
      *             </li>
      *             <li>
      *                <p>
-     *                   <code>SELECT_CHALLENGE</code>: Respond to the challenge with
-     *                         <code>USERNAME</code> and an <code>ANSWER</code> that matches one of the
-     *                     challenge types in the <code>AvailableChallenges</code> response
-     *                     parameter.</p>
+     *                   <code>SELECT_CHALLENGE</code>: Respond with a challenge selection as <code>ANSWER</code>.
+     *                 It must be one of the challenge types in the <code>AvailableChallenges</code> response
+     *                 parameter. Add the parameters of the selected challenge, for example <code>USERNAME</code>
+     *                 and <code>SMS_OTP</code>.</p>
      *             </li>
      *             <li>
      *                <p>
-     *                   <code>SMS_MFA</code>: Respond with an
-     *                     <code>SMS_MFA_CODE</code> that your user pool delivered in an SMS message.</p>
+     *                   <code>SMS_MFA</code>: Respond with the code that your user pool delivered in an SMS
+     *                     message, as <code>SMS_MFA_CODE</code>
+     *                </p>
      *             </li>
      *             <li>
      *                <p>
-     *                   <code>EMAIL_OTP</code>: Respond with an
-     *                         <code>EMAIL_OTP_CODE</code> that your user pool delivered in an email
-     *                     message.</p>
+     *                   <code>EMAIL_MFA</code>: Respond with the code that your user pool delivered in an email
+     *                     message, as <code>EMAIL_MFA_CODE</code>
+     *                </p>
      *             </li>
      *             <li>
      *                <p>
-     *                   <code>PASSWORD_VERIFIER</code>: Respond with
-     *                         <code>PASSWORD_CLAIM_SIGNATURE</code>,
-     *                         <code>PASSWORD_CLAIM_SECRET_BLOCK</code>, and <code>TIMESTAMP</code> after
-     *                     client-side SRP calculations.</p>
+     *                   <code>EMAIL_OTP</code>: Respond with the code that your user pool delivered in an email
+     *                     message, as <code>EMAIL_OTP_CODE</code> .</p>
+     *             </li>
+     *             <li>
+     *                <p>
+     *                   <code>SMS_OTP</code>: Respond with the code that your user pool delivered in an SMS
+     *                     message, as <code>SMS_OTP_CODE</code>.</p>
+     *             </li>
+     *             <li>
+     *                <p>
+     *                   <code>PASSWORD_VERIFIER</code>: Respond with the second stage of SRP secrets as
+     *                         <code>PASSWORD_CLAIM_SIGNATURE</code>, <code>PASSWORD_CLAIM_SECRET_BLOCK</code>,
+     *                         and <code>TIMESTAMP</code>.</p>
      *             </li>
      *             <li>
      *                <p>
      *                   <code>CUSTOM_CHALLENGE</code>: This is returned if your custom authentication
      *                     flow determines that the user should pass another challenge before tokens are
-     *                     issued. The parameters of the challenge are determined by your Lambda function.</p>
+     *                     issued. The parameters of the challenge are determined by your Lambda function
+     *                     and issued in the <code>ChallengeParameters</code> of a challenge response.</p>
      *             </li>
      *             <li>
      *                <p>
@@ -1578,6 +1925,32 @@ export interface RespondToAuthChallengeRequest {
      *                   </li>
      *                </ul>
      *             </dd>
+     *             <dt>WEB_AUTHN</dt>
+     *             <dd>
+     *                <p>
+     *                   <code>"ChallengeName": "WEB_AUTHN", "ChallengeResponses": \{
+     *                   "USERNAME": "[username]",
+     *                   "CREDENTIAL": "[AuthenticationResponseJSON]"\}</code>
+     *                </p>
+     *                <p>See <a href="https://www.w3.org/TR/WebAuthn-3/#dictdef-authenticationresponsejson">
+     *                   AuthenticationResponseJSON</a>.</p>
+     *             </dd>
+     *             <dt>PASSWORD</dt>
+     *             <dd>
+     *                <p>
+     *                   <code>"ChallengeName": "PASSWORD", "ChallengeResponses": \{
+     *                   "USERNAME": "[username]",
+     *                   "PASSWORD": "[password]"\}</code>
+     *                </p>
+     *             </dd>
+     *             <dt>PASSWORD_SRP</dt>
+     *             <dd>
+     *                <p>
+     *                   <code>"ChallengeName": "PASSWORD_SRP", "ChallengeResponses": \{
+     *                   "USERNAME": "[username]",
+     *                   "SRP_A": "[SRP_A]"\}</code>
+     *                </p>
+     *             </dd>
      *             <dt>SMS_OTP</dt>
      *             <dd>
      *                <p>
@@ -1611,8 +1984,6 @@ export interface RespondToAuthChallengeRequest {
      *                     "PASSWORD_CLAIM_SECRET_BLOCK": "[secret_block]", "TIMESTAMP":
      *                     [timestamp], "USERNAME": "[username]"\}</code>
      *                </p>
-     *                <p>Add <code>"DEVICE_KEY"</code> when you sign in with a remembered
-     *                 device.</p>
      *             </dd>
      *             <dt>CUSTOM_CHALLENGE</dt>
      *             <dd>
@@ -1620,8 +1991,6 @@ export interface RespondToAuthChallengeRequest {
      *                   <code>"ChallengeName": "CUSTOM_CHALLENGE", "ChallengeResponses":
      *                     \{"USERNAME": "[username]", "ANSWER": "[challenge_answer]"\}</code>
      *                </p>
-     *                <p>Add <code>"DEVICE_KEY"</code> when you sign in with a remembered
-     *                 device.</p>
      *             </dd>
      *             <dt>NEW_PASSWORD_REQUIRED</dt>
      *             <dd>
@@ -1679,7 +2048,7 @@ export interface RespondToAuthChallengeRequest {
      *             <dd>
      *                <p>
      *                   <code>"ChallengeName": "SELECT_MFA_TYPE", "ChallengeResponses": \{"USERNAME":
-     *                 "[username]", "ANSWER": "[SMS_MFA or SOFTWARE_TOKEN_MFA]"\}</code>
+     *                 "[username]", "ANSWER": "[SMS_MFA|EMAIL_MFA|SOFTWARE_TOKEN_MFA]"\}</code>
      *                </p>
      *             </dd>
      *          </dl>
@@ -1754,59 +2123,66 @@ export interface RespondToAuthChallengeResponse {
      *          <p>Possible challenges include the following:</p>
      *          <note>
      *             <p>All of the following challenges require <code>USERNAME</code> and, when the app
-     *                 client has a client secret, <code>SECRET_HASH</code> in the parameters.</p>
+     *                 client has a client secret, <code>SECRET_HASH</code> in the parameters. Include a
+     *                 <code>DEVICE_KEY</code> for device authentication.</p>
      *          </note>
      *          <ul>
      *             <li>
      *                <p>
      *                   <code>WEB_AUTHN</code>: Respond to the challenge with the results of a
-     *                     successful authentication with a WebAuthn authenticator, or passkey. Examples
-     *                     of WebAuthn authenticators include biometric devices and security keys.</p>
+     *                     successful authentication with a WebAuthn authenticator, or passkey, as
+     *                     <code>CREDENTIAL</code>. Examples of WebAuthn authenticators include
+     *                     biometric devices and security keys.</p>
      *             </li>
      *             <li>
      *                <p>
-     *                   <code>PASSWORD</code>: Respond with <code>USER_PASSWORD_AUTH</code>
-     *                     parameters: <code>USERNAME</code> (required), <code>PASSWORD</code> (required),
-     *                         <code>SECRET_HASH</code> (required if the app client is configured with a
-     *                     client secret), <code>DEVICE_KEY</code>.</p>
+     *                   <code>PASSWORD</code>: Respond with the user's password as <code>PASSWORD</code>.</p>
      *             </li>
      *             <li>
      *                <p>
-     *                   <code>PASSWORD_SRP</code>: Respond with <code>USER_SRP_AUTH</code> parameters:
-     *                         <code>USERNAME</code> (required), <code>SRP_A</code> (required),
-     *                         <code>SECRET_HASH</code> (required if the app client is configured with a
-     *                     client secret), <code>DEVICE_KEY</code>.</p>
+     *                   <code>PASSWORD_SRP</code>: Respond with the initial SRP secret as <code>SRP_A</code>.</p>
      *             </li>
      *             <li>
      *                <p>
-     *                   <code>SELECT_CHALLENGE</code>: Respond to the challenge with
-     *                         <code>USERNAME</code> and an <code>ANSWER</code> that matches one of the
-     *                     challenge types in the <code>AvailableChallenges</code> response
-     *                     parameter.</p>
+     *                   <code>SELECT_CHALLENGE</code>: Respond with a challenge selection as <code>ANSWER</code>.
+     *                 It must be one of the challenge types in the <code>AvailableChallenges</code> response
+     *                 parameter. Add the parameters of the selected challenge, for example <code>USERNAME</code>
+     *                 and <code>SMS_OTP</code>.</p>
      *             </li>
      *             <li>
      *                <p>
-     *                   <code>SMS_MFA</code>: Respond with an
-     *                     <code>SMS_MFA_CODE</code> that your user pool delivered in an SMS message.</p>
+     *                   <code>SMS_MFA</code>: Respond with the code that your user pool delivered in an SMS
+     *                     message, as <code>SMS_MFA_CODE</code>
+     *                </p>
      *             </li>
      *             <li>
      *                <p>
-     *                   <code>EMAIL_OTP</code>: Respond with an
-     *                         <code>EMAIL_OTP_CODE</code> that your user pool delivered in an email
-     *                     message.</p>
+     *                   <code>EMAIL_MFA</code>: Respond with the code that your user pool delivered in an email
+     *                     message, as <code>EMAIL_MFA_CODE</code>
+     *                </p>
      *             </li>
      *             <li>
      *                <p>
-     *                   <code>PASSWORD_VERIFIER</code>: Respond with
-     *                         <code>PASSWORD_CLAIM_SIGNATURE</code>,
-     *                         <code>PASSWORD_CLAIM_SECRET_BLOCK</code>, and <code>TIMESTAMP</code> after
-     *                     client-side SRP calculations.</p>
+     *                   <code>EMAIL_OTP</code>: Respond with the code that your user pool delivered in an email
+     *                     message, as <code>EMAIL_OTP_CODE</code> .</p>
+     *             </li>
+     *             <li>
+     *                <p>
+     *                   <code>SMS_OTP</code>: Respond with the code that your user pool delivered in an SMS
+     *                     message, as <code>SMS_OTP_CODE</code>.</p>
+     *             </li>
+     *             <li>
+     *                <p>
+     *                   <code>PASSWORD_VERIFIER</code>: Respond with the second stage of SRP secrets as
+     *                         <code>PASSWORD_CLAIM_SIGNATURE</code>, <code>PASSWORD_CLAIM_SECRET_BLOCK</code>,
+     *                         and <code>TIMESTAMP</code>.</p>
      *             </li>
      *             <li>
      *                <p>
      *                   <code>CUSTOM_CHALLENGE</code>: This is returned if your custom authentication
      *                     flow determines that the user should pass another challenge before tokens are
-     *                     issued. The parameters of the challenge are determined by your Lambda function.</p>
+     *                     issued. The parameters of the challenge are determined by your Lambda function
+     *                     and issued in the <code>ChallengeParameters</code> of a challenge response.</p>
      *             </li>
      *             <li>
      *                <p>
@@ -2796,7 +3172,7 @@ export interface UpdateManagedLoginBrandingRequest {
     /**
      * <p>When <code>true</code>, applies the default branding style options. This option
      *             reverts to default style options that are managed by Amazon Cognito. You can modify them later in
-     *             the branding designer.</p>
+     *             the branding editor.</p>
      *          <p>When you specify <code>true</code> for this option, you must also omit values for
      *                 <code>Settings</code> and <code>Assets</code> in the request.</p>
      * @public
@@ -2805,6 +3181,30 @@ export interface UpdateManagedLoginBrandingRequest {
     /**
      * <p>A JSON file, encoded as a <code>Document</code> type, with the the settings that you
      *             want to apply to your style.</p>
+     *          <p>The following components are not currently implemented and reserved for future
+     *             use:</p>
+     *          <ul>
+     *             <li>
+     *                <p>
+     *                   <code>signUp</code>
+     *                </p>
+     *             </li>
+     *             <li>
+     *                <p>
+     *                   <code>instructions</code>
+     *                </p>
+     *             </li>
+     *             <li>
+     *                <p>
+     *                   <code>sessionTimerDisplay</code>
+     *                </p>
+     *             </li>
+     *             <li>
+     *                <p>
+     *                   <code>languageSelector</code> (for localization, see <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-managed-login.html#managed-login-localization">Managed login localization)</a>
+     *                </p>
+     *             </li>
+     *          </ul>
      * @public
      */
     Settings?: __DocumentType | undefined;
@@ -2868,6 +3268,55 @@ export interface UpdateResourceServerResponse {
      */
     ResourceServer: ResourceServerType | undefined;
 }
+/**
+ * @public
+ */
+export interface UpdateTermsRequest {
+    /**
+     * <p>The ID of the terms document that you want to update.</p>
+     * @public
+     */
+    TermsId: string | undefined;
+    /**
+     * <p>The ID of the user pool that contains the terms that you want to update.</p>
+     * @public
+     */
+    UserPoolId: string | undefined;
+    /**
+     * <p>The new name that you want to apply to the requested terms documents.</p>
+     * @public
+     */
+    TermsName?: string | undefined;
+    /**
+     * <p>This parameter is reserved for future use and currently accepts only one value.</p>
+     * @public
+     */
+    TermsSource?: TermsSourceType | undefined;
+    /**
+     * <p>This parameter is reserved for future use and currently accepts only one value.</p>
+     * @public
+     */
+    Enforcement?: TermsEnforcementType | undefined;
+    /**
+     * <p>A map of URLs to languages. For each localized language that will view the requested
+     *             <code>TermsName</code>, assign a URL. A selection of <code>cognito:default</code>
+     *             displays for all languages that don't have a language-specific URL.</p>
+     *          <p>For example, <code>"cognito:default": "https://terms.example.com", "cognito:spanish":
+     *                 "https://terms.example.com/es"</code>.</p>
+     * @public
+     */
+    Links?: Record<string, string> | undefined;
+}
+/**
+ * @public
+ */
+export interface UpdateTermsResponse {
+    /**
+     * <p>A summary of the updates to your terms documents.</p>
+     * @public
+     */
+    Terms?: TermsType | undefined;
+}
 /**
  * <p>Represents the request to update user attributes.</p>
  * @public
@@ -3505,7 +3954,7 @@ export interface UpdateUserPoolDomainRequest {
     /**
      * <p>A version number that indicates the state of managed login for your domain. Version
      *             <code>1</code> is hosted UI (classic). Version <code>2</code> is the newer managed
-     *             login with the branding designer. For more information, see <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-managed-login.html">Managed login</a>.</p>
+     *             login with the branding editor. For more information, see <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-managed-login.html">Managed login</a>.</p>
      * @public
      */
     ManagedLoginVersion?: number | undefined;
@@ -3530,7 +3979,7 @@ export interface UpdateUserPoolDomainResponse {
     /**
      * <p>A version number that indicates the state of managed login for your domain. Version
      *             <code>1</code> is hosted UI (classic). Version <code>2</code> is the newer managed
-     *             login with the branding designer. For more information, see <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-managed-login.html">Managed login</a>.</p>
+     *             login with the branding editor. For more information, see <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-managed-login.html">Managed login</a>.</p>
      * @public
      */
     ManagedLoginVersion?: number | undefined;
@@ -3643,6 +4092,34 @@ export interface VerifyUserAttributeRequest {
  */
 export interface VerifyUserAttributeResponse {
 }
+/**
+ * @internal
+ */
+export declare const GetTokensFromRefreshTokenResponseFilterSensitiveLog: (obj: GetTokensFromRefreshTokenResponse) => any;
+/**
+ * @internal
+ */
+export declare const GetUICustomizationRequestFilterSensitiveLog: (obj: GetUICustomizationRequest) => any;
+/**
+ * @internal
+ */
+export declare const UICustomizationTypeFilterSensitiveLog: (obj: UICustomizationType) => any;
+/**
+ * @internal
+ */
+export declare const GetUICustomizationResponseFilterSensitiveLog: (obj: GetUICustomizationResponse) => any;
+/**
+ * @internal
+ */
+export declare const GetUserRequestFilterSensitiveLog: (obj: GetUserRequest) => any;
+/**
+ * @internal
+ */
+export declare const GetUserResponseFilterSensitiveLog: (obj: GetUserResponse) => any;
+/**
+ * @internal
+ */
+export declare const GetUserAttributeVerificationCodeRequestFilterSensitiveLog: (obj: GetUserAttributeVerificationCodeRequest) => any;
 /**
  * @internal
  */
@@ -3751,6 +4228,10 @@ export declare const UpdateAuthEventFeedbackRequestFilterSensitiveLog: (obj: Upd
  * @internal
  */
 export declare const UpdateDeviceStatusRequestFilterSensitiveLog: (obj: UpdateDeviceStatusRequest) => any;
+/**
+ * @internal
+ */
+export declare const UpdateTermsResponseFilterSensitiveLog: (obj: UpdateTermsResponse) => any;
 /**
  * @internal
  */