InitiateAuth and RespondToAuthChallenge to confirm user password and authenticate in AWS Cognito using plain HTTP calls


I have a newly created user in AWS Cognito and want to start making calls as that user, including creating a new password.


For such a newly created user, the first call to the InitiateAuth API, like this:

POST https://cognito-idp.[YOUR-REGION-GOES-HERE]
Content-Type: application/x-amz-json-1.1
X-Amz-Target: AWSCognitoIdentityProviderService.InitiateAuth

{
    "AuthFlow" : "USER_PASSWORD_AUTH",
    "ClientId" : "[CLIENT_ID_GOES_HERE]",
    "AuthParameters" : {
        "USERNAME" : "pnowicki",
        "PASSWORD" : "[PASSWORD_GOES_HERE]"
    }
}


will return a response similar to this:

  "ChallengeName": "NEW_PASSWORD_REQUIRED",
  "ChallengeParameters": {
      "USER_ID_FOR_SRP": "pnowicki", 
      "requiredAttributes": "[\"\"]",

That is a sample response for the user with username pnowicki that has an email configured as a required attribute.

Now you need to invoke RespondToAuthChallenge in order to configure the new password:

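POST https://cognito-idp.[YOUR-REGION-GOES-HERE]
Content-Type: application/x-amz-json-1.1
X-Amz-Target: AWSCognitoIdentityProviderService.RespondToAuthChallenge

{
  "ClientId": "[CLIENT_ID_GOES_HERE]",
  "ChallengeName": "NEW_PASSWORD_REQUIRED",
  "Session": "[SESSION_FROM_INITIATEAUTH_RESPONSE]",
  "ChallengeResponses": {
      "USERNAME": "pnowicki",
      "NEW_PASSWORD": "[NEW_PASSWORD_GOES_HERE]",
      "userAttributes.email": "[EMAIL_GOES_HERE]"
  }
}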

In response, you should now get the AccessToken, which you can use as an Authorization Bearer token in subsequent calls.
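
The two calls above chained in Python, as an added example that is not part of the original post: it builds the InitiateAuth request and derives the RespondToAuthChallenge body from the challenge response, refusing to proceed if a required attribute is missing. Assumptions: an app client without a client secret, the regional endpoint form `cognito-idp.<region>.amazonaws.com`, required attributes named as `userAttributes.<name>`, and placeholder values for the client ID, session and passwords.

```python
import json
import urllib.request

def build_request(region, action, body):
    """Return (url, headers, data) for a plain-HTTP Cognito user pool call."""
    url = f"https://cognito-idp.{region}.amazonaws.com/"
    headers = {"Content-Type": "application/x-amz-json-1.1",
               "X-Amz-Target": "AWSCognitoIdentityProviderService." + action}
    return url, headers, json.dumps(body).encode()

def initiate_auth_body(client_id, username, password):
    return {"AuthFlow": "USER_PASSWORD_AUTH", "ClientId": client_id,
            "AuthParameters": {"USERNAME": username, "PASSWORD": password}}

def new_password_body(client_id, challenge, new_password, attributes):
    """Turn an InitiateAuth challenge response into a RespondToAuthChallenge body."""
    if challenge.get("ChallengeName") != "NEW_PASSWORD_REQUIRED":
        raise ValueError(f"unexpected challenge: {challenge.get('ChallengeName')!r}")
    params = challenge["ChallengeParameters"]
    # requiredAttributes arrives as a JSON array encoded inside a string.
    required = [a for a in json.loads(params.get("requiredAttributes", "[]")) if a]
    missing = [a for a in required if a not in attributes]
    if missing:
        raise ValueError(f"missing required attributes: {missing}")
    responses = {"USERNAME": params["USER_ID_FOR_SRP"], "NEW_PASSWORD": new_password}
    responses.update({a: attributes[a] for a in required})
    # Session must be echoed back unchanged from the InitiateAuth response.
    return {"ClientId": client_id, "ChallengeName": "NEW_PASSWORD_REQUIRED",
            "Session": challenge["Session"], "ChallengeResponses": responses}

def call(region, action, body):
    """POST the request and decode the JSON reply (needs network access)."""
    url, headers, data = build_request(region, action, body)
    req = urllib.request.Request(url, data=data, headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

# Constructed sample InitiateAuth response; Session is a placeholder value.
SAMPLE_CHALLENGE = {
    "ChallengeName": "NEW_PASSWORD_REQUIRED",
    "Session": "SESSION-PLACEHOLDER",
    "ChallengeParameters": {"USER_ID_FOR_SRP": "pnowicki",
                            "requiredAttributes": "[\"userAttributes.email\"]"},
}

if __name__ == "__main__":
    body = new_password_body("CLIENT-ID-PLACEHOLDER", SAMPLE_CHALLENGE,
                             "NEW-PASSWORD-PLACEHOLDER",
                             {"userAttributes.email": "user@example.com"})
    print(json.dumps(body, indent=2))
```

Both request bodies carry the password in clear inside the TLS session, so keep them and the returned tokens out of application and proxy logs.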