Why is Amazon Cognito not sending the verification code email or SMS text message with the ForgotPassword API?
Last updated: 2022-02-10
Amazon Cognito didn't send the verification code email or SMS text message for the ForgotPassword API call.
Follow these best practices to troubleshoot the Amazon Cognito user pool configuration.
Check the spam and junk folder
Make sure that the verification email didn't go to the user's spam or junk folders.
Confirm that the user exists in the user pool
Verify that the user exists in the Amazon Cognito user pool. To search for users in the user pool using the Amazon Cognito console, see Managing and searching for user accounts.
Search for the user in the user pool using the AdminGetUser API.
The user isn't in a CONFIRMED status
Users created by administrators are in a FORCE_CHANGE_PASSWORD status by default until they sign in with the password provided. Then, users are prompted to change the password.
If the user status is FORCE_CHANGE_PASSWORD, then the ForgotPassword API call can't be used and the verification code isn't sent.
Check how the user is able to recover the account
Verify how the user account is configured to recover the account. For example, email, phone, email only, phone only, phone if available, or none.
1. Open the Amazon Cognito console, choose manage user pools, and then choose the user pool.
2. In General settings, choose MFA and verifications.
3. In the How will a user be able to recover their account? section, note the recovery method selection.
Users in the CONFIRMED status may not have their email or phone verified for password recovery. User accounts created by administrators must be verified when the accounts are created using the verification check box. Administrators can also use the API call AdminUpdateUserAttributes to mark phone and email as verified similar to the following:
aws cognito-idp admin-update-user-attributes --user-pool-id <userpool id> --username <user name> --user-attributes Name=email_verified,Value=true --region <region name>
Phone number verified
aws cognito-idp admin-update-user-attributes --user-pool-id <userpool id> --username <user name> --user-attributes Name=phone_number_verified,Value=true --region <region name>
Check the Amazon SNS quota limit
Amazon Cognito uses Amazon Simple Notification Service (Amazon SNS) to deliver SMS text messages. The default Amazon SNS spending quota for accounts is $1.00 (USD) per month. To check or change the account spend limit, see Setting SMS messaging preferences using the AWS Management Console.
Important: If the account spend limit set in the AWS Management Console exceeds your service quota, then Amazon SNS stops publishing SMS messages.
For quota increases, see Requesting increases to your monthly SMS spending quota for Amazon SNS.
Check the Amazon SES limit
Amazon Cognito uses Amazon Simple Email Service (Amazon SES) to deliver emails. By default, Amazon Cognito allows a limited number of emails a day for your user pool. for more information, see Amazon Cognito user pools resource quotas.
You can set a higher email delivery by configuring your user pool to use your Amazon SES email configuration. For instructions, see Email settings for Amazon Cognito user pools.
Reset the user password using the AdminSetUserPassword API
Administrators can set a user's password in an Amazon Cognito user pool as temporary or permanent using the AdminSetUserPassword API. Users with temporary passwords must sign in and change it before expiry. After a user resets the temporary password or if the password is permanent, the status is set to CONFIRMED.