# User-interactive managed login and classic hosted UI endpoints
<a name="managed-login-endpoints"></a>

Amazon Cognito activates the managed login endpoints in this section when you add a domain to your user pool. They are webpages where your users can complete the core authentication operations of a user pool. They include pages for password management, multi-factor authentication (MFA), and attribute verification.

The webpages that make up managed login are a front-end web application for interactive user sessions with your customers. Your app must invoke managed login in your users' browsers. Amazon Cognito doesn't support programmatic access to the webpages in this chapter. Those federation endpoints in the [Identity provider and relying party endpoints](federation-endpoints.md) that return a JSON response can be queried directly in your app code. The [Authorize endpoint](authorization-endpoint.md) redirects either to managed login or to an IdP sign-in page and also must be opened in users' browsers.

All user pool endpoints accept traffic from IPv4 and IPv6 source IP addresses.

The topics in this guide describe frequently-used managed login and classic hosted UI endpoints in detail. The difference between managed login and the hosted UI is visible, not functional. Except for `/passkeys/add`, all paths are shared between the two versions of managed login branding.

Amazon Cognito makes the webpages that follow available when you assign a domain to your user pool.


**Managed login endpoints**  

| Endpoint URL | Description | How it's accessed | 
| --- | --- | --- | 
| https://Your user pool domain/login | Signs in user pool local and federated users. |  Redirect from endpoints like [Authorize endpoint](authorization-endpoint.md), `/logout`, and `/confirmforgotPassword`. See [Login endpoint](login-endpoint.md).  | 
| https://Your user pool domain/logout | Signs out user pool users. |  Direct link. See [Logout endpoint](logout-endpoint.md).  | 
| https://Your user pool domain/confirmUser | Confirms users who have selected an email link to verify their user account. |  User selected link in an email message.  | 
| https://Your user pool domain/signup | Signs up a new user. The /login page directs your user to /signup when they select Sign up. |  Direct link with same parameters as `/oauth2/authorize`.  | 
| https://Your user pool domain/confirm | After your user pool sends a confirmation code to a user who signed up, prompts your user for the code. |  Redirect-only from `/signup`.  | 
| https://Your user pool domain/forgotPassword | Prompts your user for their user name and sends a password-reset code. The /login page directs your user to /forgotPassword when they select Forgot your password?. |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/cognito/latest/developerguide/managed-login-endpoints.html)  | 
| https://Your user pool domain/confirmforgotPassword | Prompts your user for their password-reset code and a new password. The /forgotPassword page directs your user to /confirmforgotPassword when they select Reset your password. | Redirect-only from /forgotPassword. | 
| https://Your user pool domain/resendcode | Sends a new confirmation code to a user who has signed up in your user pool. |  Redirect-only from **Send a new code** link at `/confirm`.  | 
| https://Your user pool domain/passkeys/add | Registers a new [passkey](amazon-cognito-user-pools-authentication-flow-methods.md#amazon-cognito-user-pools-authentication-flow-methods-passkey). Only available in managed login. |  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/cognito/latest/developerguide/managed-login-endpoints.html)  | 

**Topics**
+ [The managed login sign-in endpoint: `/login`](login-endpoint.md)
+ [The managed login sign-out endpoint: `/logout`](logout-endpoint.md)

# The managed login sign-in endpoint: `/login`
<a name="login-endpoint"></a>

The login endpoint is an authentication server and a redirect destination from [Authorize endpoint](authorization-endpoint.md). It's the entry point to managed login when you don't specify an identity provider. When you generate a redirect to the login endpoint, it loads the login page and presents the authentication options configured for the client to the user.

**Note**  
The login endpoint is a component of managed login. In your app, invoke federation and managed login pages that redirect to the login endpoint. Direct access by users to the login endpoint isn't a best practice.

## GET /login
<a name="get-login"></a>

The `/login` endpoint only supports `HTTPS GET` for your user's initial request. Your app invokes the page in a browser like Chrome or Firefox. When you redirect to `/login` from the [Authorize endpoint](authorization-endpoint.md), it passes along all the parameters that you provided in your initial request. The login endpoint supports all the request parameters of the authorize endpoint. You can also access the login endpoint directly. As a best practice, originate all your users' sessions at `/oauth2/authorize`.

**Example – prompt the user to sign in**

This example displays the login screen.

```
GET https://mydomain.auth.us-east-1.amazoncognito.com/login?
                response_type=code&
                client_id=ad398u21ijw3s9w3939&
                redirect_uri=https://YOUR_APP/redirect_uri&
                state=STATE&
                scope=openid+profile+aws.cognito.signin.user.admin
```

**Example – response**  
The authentication server redirects to your app with the authorization code and state. The server must return the code and state in the query string parameters and not in the fragment.

```
HTTP/1.1 302 Found
                    Location: https://YOUR_APP/redirect_uri?code=AUTHORIZATION_CODE&state=STATE
```

## User-initiated sign-in request
<a name="post-login"></a>

After your user loads the `/login` endpoint, they can enter a user name and password and choose **Sign in**. When they do this, they generate an `HTTPS POST` request with the same header request parameters as the `GET` request, and a request body with their username, password, and a device fingerprint.

# The managed login sign-out endpoint: `/logout`
<a name="logout-endpoint"></a>

The `/logout` endpoint is a redirection endpoint. It signs out the user and redirects either to an authorized sign-out URL for your app client, or to the `/login` endpoint. The available parameters in a GET request to the `/logout` endpoint are tailored to Amazon Cognito managed login use cases.

The logout endpoint is a front-end web application for interactive user sessions with your customers. Your app must invoke this and other managed login endpoints in your users' browsers.

To redirect your user to managed login to sign in again, add a `redirect_uri` parameter to your request. A `logout` request with a `redirect_uri` parameter must also include parameters for your subsequent request to the [Login endpoint](login-endpoint.md), like `client_id`, `response_type`, and `scope`.

To redirect your user to a page that you choose, add **Allowed sign-out URLs** to your app client. In your users' requests to the `logout` endpoint, add `logout_uri` and `client_id` parameters. If the value of `logout_uri` is one of the **Allowed sign-out URLs** for your app client, Amazon Cognito redirects users to that URL.

With single logout (SLO) for SAML 2.0 IdPs, Amazon Cognito first redirects your user to the SLO endpoint you defined in your IdP configuration. After your IdP redirects your user back to `saml2/logout`, Amazon Cognito responds with one more redirect to the `redirect_uri` or `logout_uri` from your request. For more information, see [Signing out SAML users with single sign-out](cognito-user-pools-saml-idp-sign-out.md).

The logout endpoint doesn't sign users out of OIDC or social identity providers (IdPs). To sign users out from their session with an external IdP, direct them to the sign-out page for that provider.

## GET /logout
<a name="get-logout"></a>

The `/logout` endpoint only supports `HTTPS GET`. The user pool client typically makes this request through the system browser. The browser is typically Custom Chrome Tab in Android or Safari View Control in iOS.

### Request parameters
<a name="get-logout-request-parameters"></a>

*client\$1id*  
The app client ID for your app. To get an app client ID, you must register the app in the user pool. For more information, see [Application-specific settings with app clients](user-pool-settings-client-apps.md).  
Required.

*logout\$1uri*  
Redirect your user to a custom sign-out page with a *logout\$1uri* parameter. Set its value to the app client **sign-out URL** where you want to redirect your user after they sign out. Use *logout\$1uri* only with a *client\$1id* parameter. For more information, see [Application-specific settings with app clients](user-pool-settings-client-apps.md).  
You can also use the *logout\$1uri* parameter to redirect your user to the sign-in page for another app client. Set the sign-in page for the other app client as an **Allowed callback URL** in your app client. In your request to the `/logout` endpoint, set the value of the *logout\$1uri* parameter to the URL-encoded sign-in page.  
Amazon Cognito requires either a *logout\$1uri* or a *redirect\$1uri* parameter in your request to the `/logout` endpoint. A *logout\$1uri* parameter redirects your user to another website. If both *logout\$1uri* and *redirect\$1uri* parameters are included in your request to the `/logout` endpoint, Amazon Cognito will utilize the *logout\$1uri* parameter exclusively, overriding the *redirect\$1uri* parameter.

*`nonce`*  
(Optional) A random value that you can add to the request. The nonce value that you provide is included in the ID token that Amazon Cognito issues. To guard against replay attacks, your app can inspect the `nonce` claim in the ID token and compare it to the one you generated. For more information about the `nonce` claim, see [ID token validation](https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation) in the *OpenID Connect standard*.

**redirect\$1uri**  
Redirect your user to your sign-in page to authenticate with a *redirect\$1uri* parameter. Set its value to the app client **Allowed callback URL** where you want to redirect your user after they sign in again. Add *client\$1id*, *scope*, *state*, and *response\$1type* parameters that you want to pass to your `/login` endpoint.  
Amazon Cognito requires either a *logout\$1uri* or a *redirect\$1uri* parameter in your request to the `/logout` endpoint. To redirect your user to your `/login` endpoint to reauthenticate and pass tokens to your app, add a *redirect\$1uri* parameter. If both *logout\$1uri* and *redirect\$1uri* parameters are included in your request to the `/logout` endpoint, Amazon Cognito overrides the *redirect\$1uri* parameter and processes the *logout\$1uri* parameter exclusively.

*response\$1type*  
The OAuth 2.0 response that you want to receive from Amazon Cognito after your user signs in. `code` and `token` are the valid values for the *response\$1type* parameter.  
Required if you use a *redirect\$1uri* parameter.

*state*  
When your application adds a *state* parameter to a request, Amazon Cognito returns its value to your app when the `/oauth2/logout` endpoint redirects your user.  
Add this value to your requests to guard against [CSRF](https://en.wikipedia.org/wiki/Cross-site_request_forgery) attacks.  
You can't set the value of a `state` parameter to a URL-encoded JSON string. To pass a string that matches this format in a `state` parameter, encode the string to base64, then decode it in your application.  
Strongly recommended if you use a *redirect\$1uri* parameter.

*scope*  
The OAuth 2.0 scopes that you want to request from Amazon Cognito after you sign them out with a *redirect\$1uri* parameter. Amazon Cognito redirects your user to the `/login` endpoint with the *scope* parameter in your request to the `/logout` endpoint.  
Optional if you use a *redirect\$1uri* parameter. If you don't include a *scope* parameter, Amazon Cognito redirects your user to the `/login` endpoint with a *scope* parameter. When Amazon Cognito redirects your user and automatically populates `scope`, the parameter includes all authorized scopes for your app client.

### Example requests
<a name="get-logout-request-sample"></a>

**Example – log out and redirect user to client**

Amazon Cognito redirects user sessions to the URL in the value of `logout_uri`, ignoring all other request parameters, when requests include `logout_uri` and `client_id`. This URL must be an authorized sign-out URL for the app client.

The following is an example request for sign-out and redirect to `https://www.example.com/welcome`.

```
GET https://mydomain.auth.us-east-1.amazoncognito.com/logout?
  client_id=1example23456789&
  logout_uri=https%3A%2F%2Fwww.example.com%2Fwelcome
```

**Example – log out and prompt the user to sign in as another user**

When requests omit `logout_uri` but otherwise provide the parameters that make up a well-formed request to the authorize endpoint, Amazon Cognito redirects users to managed login sign-in. The logout endpoint appends the parameters in your original request to the redirect destination.

The additional parameters that you add to the logout request must be in the list at [Request parameters](#get-logout-request-parameters). For example, the logout endpoint doesn't support automatic IdP redirect with `identity_provider` or `idp_identifier` parameters. The parameter `redirect_uri` in a request to the logout endpoint is not a sign-out URL, but a post-sign-in URL that you want to pass through to the authorize endpoint.

The following is an example request that signs a user out, redirects to the sign-in page, and provides an authorization code to `https://www.example.com` after sign-in.

```
GET https://mydomain.auth.us-east-1.amazoncognito.com/logout?
  response_type=code&
  client_id=1example23456789&
  redirect_uri=https%3A%2F%2Fwww.example.com&
  state=example-state-value&
  nonce=example-nonce-value&
  scope=openid+profile+aws.cognito.signin.user.admin
```