Amplify has re-imagined the way frontend developers build fullstack applications. Develop and deploy without the hassle.

Fullstack TypeScript

Write your app's data model, auth, storage, and functions in TypeScript; Amplify will do the rest.

Built with the AWS CDK

Use any cloud resource your app needs. Never worry about scale.

Back to Gen 1 DocsLearn more

Choose your framework/language

Edit on GitHub

Page updated May 1, 2024

Manage passwords

Amplify Auth provides a secure way for your users to change their password or recover a forgotten password.

Understand password default settings

By default, your users can retrieve access to their accounts if they forgot their password by using either their phone or email. The following are the default account recovery methods used when either phone or email are used as login options.

Login optionUser account verification channel
phonePhone Number
emailEmail
email and phoneEmail

Reset Password

To reset a user's password, use the resetPassword API which will send a reset code to the destination (e.g. email or SMS) based on the user's settings.

import { resetPassword } from 'aws-amplify/auth';


const output = await resetPassword({
  username: "hello@mycompany.com"
});


const { nextStep } = output;
switch (nextStep.resetPasswordStep) {
  case 'CONFIRM_RESET_PASSWORD_WITH_CODE':
    const codeDeliveryDetails = nextStep.codeDeliveryDetails;
    console.log(
      `Confirmation code was sent to ${codeDeliveryDetails.deliveryMedium}`
    );
    // Collect the confirmation code from the user and pass to confirmResetPassword.
    break;
  case 'DONE':
    console.log('Successfully reset password.');
    break;
}

To complete the password reset process, invoke the confirmResetPassword API with the code your user received and the new password they want to set.

import { confirmResetPassword } from 'aws-amplify/auth';


await confirmResetPassword({
  username: "hello@mycompany.com",
  confirmationCode: "123456",
  newPassword: "hunter3",
});

Update password

You can update a signed in user's password using the updatePassword API.

import { updatePassword } from 'aws-amplify/auth';


await updatePassword({
  oldPassword: "hunter2",
  newPassword: "hunter3",
});

Override default user account verification channel

You can always change the channel used by your authentication resources by overriding the following setting.

amplify/auth/resource.ts
import { defineAuth } from '@aws-amplify/backend';


export const auth = defineAuth({
  loginWith: {
    email: true
  },
  accountRecovery: 'EMAIL_ONLY'
});

Override default password policy

You can customize the password format acceptable by your auth backend. By default your password policy is set to the following:

  • MinLength: 8 characters
  • requireLowercase: true
  • requireUppercase: true
  • requireDigits: true
  • tempPasswordValidity: 3 days
amplify/backend.ts
// amplify/backend.ts
import { defineBackend } from '@aws-amplify/backend';
import { auth } from './auth/resource';
import { data } from './data/resource';


const backend = defineBackend({
  auth,
  data
});


// extract L1 UserPool construct
const { cfnUserPool } = backend.auth.resources.cfnResources;
// from the CDK use `addPropertyOverride` to modify properties directly
cfnUserPool.addPropertyOverride('Policies.PasswordPolicy.MinimumLength', 32);
PREVIOUS
With admin actions
NEXT
Manage devices
Site color mode

Amplify open source software, documentation and community are supported by Amazon Web Services.

© 2024, Amazon Web Services, Inc. and its affiliates.

All rights reserved. View the site terms and privacy policy.

Flutter and the related logo are trademarks of Google LLC. We are not endorsed by or affiliated with Google LLC.