From 3ef966f648e52ce2abdfc99f06af0f8e49a60e08 Mon Sep 17 00:00:00 2001
From: awstools <awstools@amazon.com>
Date: Fri, 22 Nov 2024 19:18:07 +0000
Subject: [PATCH] feat(client-cognito-identity-provider): Add support for users
 to sign up and sign in without passwords, using email and SMS OTPs and
 Passkeys. Add support for Passkeys based on WebAuthn. Add support for
 enhanced branding customization for hosted authentication pages with Amazon
 Cognito Managed Login. Add feature tiers with new pricing.

---
 .../README.md                                 |   80 +
 .../src/CognitoIdentityProvider.ts            |  231 ++
 .../src/CognitoIdentityProviderClient.ts      |   57 +
 .../src/auth/httpAuthSchemeProvider.ts        |   20 +
 .../src/commands/AdminCreateUserCommand.ts    |   13 +-
 .../src/commands/AdminGetUserCommand.ts       |    3 +-
 .../src/commands/AdminInitiateAuthCommand.ts  |    9 +-
 .../src/commands/AdminListDevicesCommand.ts   |    2 +-
 .../commands/AdminResetUserPasswordCommand.ts |    4 +-
 .../AdminRespondToAuthChallengeCommand.ts     |    8 +-
 .../AdminUpdateUserAttributesCommand.ts       |    4 +-
 .../src/commands/ChangePasswordCommand.ts     |    2 +-
 .../CompleteWebAuthnRegistrationCommand.ts    |  153 +
 .../src/commands/ConfirmSignUpCommand.ts      |   10 +-
 .../CreateManagedLoginBrandingCommand.ts      |  191 +
 .../commands/CreateUserPoolClientCommand.ts   |    4 +-
 .../src/commands/CreateUserPoolCommand.ts     |   24 +-
 .../commands/CreateUserPoolDomainCommand.ts   |    9 +-
 .../DeleteManagedLoginBrandingCommand.ts      |  138 +
 .../DeleteWebAuthnCredentialCommand.ts        |  119 +
 ...ribeManagedLoginBrandingByClientCommand.ts |  142 +
 .../DescribeManagedLoginBrandingCommand.ts    |  138 +
 .../commands/DescribeUserPoolClientCommand.ts |    2 +-
 .../src/commands/DescribeUserPoolCommand.ts   |    6 +
 .../commands/DescribeUserPoolDomainCommand.ts |    1 +
 .../src/commands/ForgotPasswordCommand.ts     |    4 +-
 ...GetUserAttributeVerificationCodeCommand.ts |    4 +-
 .../src/commands/GetUserAuthFactorsCommand.ts |  150 +
 .../commands/GetUserPoolMfaConfigCommand.ts   |    7 +-
 .../src/commands/GlobalSignOutCommand.ts      |    2 +-
 .../src/commands/InitiateAuthCommand.ts       |   14 +-
 .../src/commands/ListDevicesCommand.ts        |    2 +-
 .../src/commands/ListGroupsCommand.ts         |    2 +-
 .../commands/ListIdentityProvidersCommand.ts  |    2 +-
 .../commands/ListResourceServersCommand.ts    |    2 +-
 .../commands/ListTagsForResourceCommand.ts    |    2 +-
 .../src/commands/ListUserImportJobsCommand.ts |    2 +-
 .../commands/ListUserPoolClientsCommand.ts    |    2 +-
 .../src/commands/ListUserPoolsCommand.ts      |    2 +-
 .../src/commands/ListUsersCommand.ts          |    2 +-
 .../src/commands/ListUsersInGroupCommand.ts   |    2 +-
 .../ListWebAuthnCredentialsCommand.ts         |  129 +
 .../commands/ResendConfirmationCodeCommand.ts |    6 +-
 .../commands/RespondToAuthChallengeCommand.ts |   16 +-
 .../SetLogDeliveryConfigurationCommand.ts     |    4 +
 .../commands/SetUserPoolMfaConfigCommand.ts   |   18 +-
 .../src/commands/SignUpCommand.ts             |   23 +-
 .../StartWebAuthnRegistrationCommand.ts       |  136 +
 .../UpdateManagedLoginBrandingCommand.ts      |  175 +
 .../commands/UpdateUserAttributesCommand.ts   |    4 +-
 .../commands/UpdateUserPoolClientCommand.ts   |    4 +-
 .../src/commands/UpdateUserPoolCommand.ts     |   19 +-
 .../commands/UpdateUserPoolDomainCommand.ts   |    6 +
 .../src/commands/index.ts                     |   10 +
 .../src/models/models_0.ts                    | 3638 ++++++++---------
 .../src/models/models_1.ts                    | 1926 ++++++++-
 .../src/protocols/Aws_json1_1.ts              |  928 ++++-
 .../aws-models/cognito-identity-provider.json | 2296 +++++++++--
 58 files changed, 8633 insertions(+), 2276 deletions(-)
 create mode 100644 clients/client-cognito-identity-provider/src/commands/CompleteWebAuthnRegistrationCommand.ts
 create mode 100644 clients/client-cognito-identity-provider/src/commands/CreateManagedLoginBrandingCommand.ts
 create mode 100644 clients/client-cognito-identity-provider/src/commands/DeleteManagedLoginBrandingCommand.ts
 create mode 100644 clients/client-cognito-identity-provider/src/commands/DeleteWebAuthnCredentialCommand.ts
 create mode 100644 clients/client-cognito-identity-provider/src/commands/DescribeManagedLoginBrandingByClientCommand.ts
 create mode 100644 clients/client-cognito-identity-provider/src/commands/DescribeManagedLoginBrandingCommand.ts
 create mode 100644 clients/client-cognito-identity-provider/src/commands/GetUserAuthFactorsCommand.ts
 create mode 100644 clients/client-cognito-identity-provider/src/commands/ListWebAuthnCredentialsCommand.ts
 create mode 100644 clients/client-cognito-identity-provider/src/commands/StartWebAuthnRegistrationCommand.ts
 create mode 100644 clients/client-cognito-identity-provider/src/commands/UpdateManagedLoginBrandingCommand.ts

diff --git a/clients/client-cognito-identity-provider/README.md b/clients/client-cognito-identity-provider/README.md
index 251f60f38f65..53c82abf55e0 100644
--- a/clients/client-cognito-identity-provider/README.md
+++ b/clients/client-cognito-identity-provider/README.md
@@ -516,6 +516,14 @@ ChangePassword
 
 [Command API Reference](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/cognito-identity-provider/command/ChangePasswordCommand/) / [Input](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/Package/-aws-sdk-client-cognito-identity-provider/Interface/ChangePasswordCommandInput/) / [Output](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/Package/-aws-sdk-client-cognito-identity-provider/Interface/ChangePasswordCommandOutput/)
 
+</details>
+<details>
+<summary>
+CompleteWebAuthnRegistration
+</summary>
+
+[Command API Reference](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/cognito-identity-provider/command/CompleteWebAuthnRegistrationCommand/) / [Input](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/Package/-aws-sdk-client-cognito-identity-provider/Interface/CompleteWebAuthnRegistrationCommandInput/) / [Output](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/Package/-aws-sdk-client-cognito-identity-provider/Interface/CompleteWebAuthnRegistrationCommandOutput/)
+
 </details>
 <details>
 <summary>
@@ -556,6 +564,14 @@ CreateIdentityProvider
 
 [Command API Reference](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/cognito-identity-provider/command/CreateIdentityProviderCommand/) / [Input](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/Package/-aws-sdk-client-cognito-identity-provider/Interface/CreateIdentityProviderCommandInput/) / [Output](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/Package/-aws-sdk-client-cognito-identity-provider/Interface/CreateIdentityProviderCommandOutput/)
 
+</details>
+<details>
+<summary>
+CreateManagedLoginBranding
+</summary>
+
+[Command API Reference](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/cognito-identity-provider/command/CreateManagedLoginBrandingCommand/) / [Input](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/Package/-aws-sdk-client-cognito-identity-provider/Interface/CreateManagedLoginBrandingCommandInput/) / [Output](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/Package/-aws-sdk-client-cognito-identity-provider/Interface/CreateManagedLoginBrandingCommandOutput/)
+
 </details>
 <details>
 <summary>
@@ -612,6 +628,14 @@ DeleteIdentityProvider
 
 [Command API Reference](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/cognito-identity-provider/command/DeleteIdentityProviderCommand/) / [Input](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/Package/-aws-sdk-client-cognito-identity-provider/Interface/DeleteIdentityProviderCommandInput/) / [Output](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/Package/-aws-sdk-client-cognito-identity-provider/Interface/DeleteIdentityProviderCommandOutput/)
 
+</details>
+<details>
+<summary>
+DeleteManagedLoginBranding
+</summary>
+
+[Command API Reference](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/cognito-identity-provider/command/DeleteManagedLoginBrandingCommand/) / [Input](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/Package/-aws-sdk-client-cognito-identity-provider/Interface/DeleteManagedLoginBrandingCommandInput/) / [Output](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/Package/-aws-sdk-client-cognito-identity-provider/Interface/DeleteManagedLoginBrandingCommandOutput/)
+
 </details>
 <details>
 <summary>
@@ -660,6 +684,14 @@ DeleteUserPoolDomain
 
 [Command API Reference](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/cognito-identity-provider/command/DeleteUserPoolDomainCommand/) / [Input](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/Package/-aws-sdk-client-cognito-identity-provider/Interface/DeleteUserPoolDomainCommandInput/) / [Output](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/Package/-aws-sdk-client-cognito-identity-provider/Interface/DeleteUserPoolDomainCommandOutput/)
 
+</details>
+<details>
+<summary>
+DeleteWebAuthnCredential
+</summary>
+
+[Command API Reference](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/cognito-identity-provider/command/DeleteWebAuthnCredentialCommand/) / [Input](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/Package/-aws-sdk-client-cognito-identity-provider/Interface/DeleteWebAuthnCredentialCommandInput/) / [Output](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/Package/-aws-sdk-client-cognito-identity-provider/Interface/DeleteWebAuthnCredentialCommandOutput/)
+
 </details>
 <details>
 <summary>
@@ -668,6 +700,22 @@ DescribeIdentityProvider
 
 [Command API Reference](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/cognito-identity-provider/command/DescribeIdentityProviderCommand/) / [Input](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/Package/-aws-sdk-client-cognito-identity-provider/Interface/DescribeIdentityProviderCommandInput/) / [Output](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/Package/-aws-sdk-client-cognito-identity-provider/Interface/DescribeIdentityProviderCommandOutput/)
 
+</details>
+<details>
+<summary>
+DescribeManagedLoginBranding
+</summary>
+
+[Command API Reference](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/cognito-identity-provider/command/DescribeManagedLoginBrandingCommand/) / [Input](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/Package/-aws-sdk-client-cognito-identity-provider/Interface/DescribeManagedLoginBrandingCommandInput/) / [Output](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/Package/-aws-sdk-client-cognito-identity-provider/Interface/DescribeManagedLoginBrandingCommandOutput/)
+
+</details>
+<details>
+<summary>
+DescribeManagedLoginBrandingByClient
+</summary>
+
+[Command API Reference](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/cognito-identity-provider/command/DescribeManagedLoginBrandingByClientCommand/) / [Input](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/Package/-aws-sdk-client-cognito-identity-provider/Interface/DescribeManagedLoginBrandingByClientCommandInput/) / [Output](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/Package/-aws-sdk-client-cognito-identity-provider/Interface/DescribeManagedLoginBrandingByClientCommandOutput/)
+
 </details>
 <details>
 <summary>
@@ -804,6 +852,14 @@ GetUserAttributeVerificationCode
 
 [Command API Reference](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/cognito-identity-provider/command/GetUserAttributeVerificationCodeCommand/) / [Input](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/Package/-aws-sdk-client-cognito-identity-provider/Interface/GetUserAttributeVerificationCodeCommandInput/) / [Output](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/Package/-aws-sdk-client-cognito-identity-provider/Interface/GetUserAttributeVerificationCodeCommandOutput/)
 
+</details>
+<details>
+<summary>
+GetUserAuthFactors
+</summary>
+
+[Command API Reference](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/cognito-identity-provider/command/GetUserAuthFactorsCommand/) / [Input](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/Package/-aws-sdk-client-cognito-identity-provider/Interface/GetUserAuthFactorsCommandInput/) / [Output](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/Package/-aws-sdk-client-cognito-identity-provider/Interface/GetUserAuthFactorsCommandOutput/)
+
 </details>
 <details>
 <summary>
@@ -908,6 +964,14 @@ ListUsersInGroup
 
 [Command API Reference](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/cognito-identity-provider/command/ListUsersInGroupCommand/) / [Input](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/Package/-aws-sdk-client-cognito-identity-provider/Interface/ListUsersInGroupCommandInput/) / [Output](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/Package/-aws-sdk-client-cognito-identity-provider/Interface/ListUsersInGroupCommandOutput/)
 
+</details>
+<details>
+<summary>
+ListWebAuthnCredentials
+</summary>
+
+[Command API Reference](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/cognito-identity-provider/command/ListWebAuthnCredentialsCommand/) / [Input](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/Package/-aws-sdk-client-cognito-identity-provider/Interface/ListWebAuthnCredentialsCommandInput/) / [Output](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/Package/-aws-sdk-client-cognito-identity-provider/Interface/ListWebAuthnCredentialsCommandOutput/)
+
 </details>
 <details>
 <summary>
@@ -996,6 +1060,14 @@ StartUserImportJob
 
 [Command API Reference](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/cognito-identity-provider/command/StartUserImportJobCommand/) / [Input](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/Package/-aws-sdk-client-cognito-identity-provider/Interface/StartUserImportJobCommandInput/) / [Output](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/Package/-aws-sdk-client-cognito-identity-provider/Interface/StartUserImportJobCommandOutput/)
 
+</details>
+<details>
+<summary>
+StartWebAuthnRegistration
+</summary>
+
+[Command API Reference](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/cognito-identity-provider/command/StartWebAuthnRegistrationCommand/) / [Input](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/Package/-aws-sdk-client-cognito-identity-provider/Interface/StartWebAuthnRegistrationCommandInput/) / [Output](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/Package/-aws-sdk-client-cognito-identity-provider/Interface/StartWebAuthnRegistrationCommandOutput/)
+
 </details>
 <details>
 <summary>
@@ -1052,6 +1124,14 @@ UpdateIdentityProvider
 
 [Command API Reference](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/cognito-identity-provider/command/UpdateIdentityProviderCommand/) / [Input](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/Package/-aws-sdk-client-cognito-identity-provider/Interface/UpdateIdentityProviderCommandInput/) / [Output](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/Package/-aws-sdk-client-cognito-identity-provider/Interface/UpdateIdentityProviderCommandOutput/)
 
+</details>
+<details>
+<summary>
+UpdateManagedLoginBranding
+</summary>
+
+[Command API Reference](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/cognito-identity-provider/command/UpdateManagedLoginBrandingCommand/) / [Input](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/Package/-aws-sdk-client-cognito-identity-provider/Interface/UpdateManagedLoginBrandingCommandInput/) / [Output](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/Package/-aws-sdk-client-cognito-identity-provider/Interface/UpdateManagedLoginBrandingCommandOutput/)
+
 </details>
 <details>
 <summary>
diff --git a/clients/client-cognito-identity-provider/src/CognitoIdentityProvider.ts b/clients/client-cognito-identity-provider/src/CognitoIdentityProvider.ts
index 3f91c3766a35..f41a64e93eb2 100644
--- a/clients/client-cognito-identity-provider/src/CognitoIdentityProvider.ts
+++ b/clients/client-cognito-identity-provider/src/CognitoIdentityProvider.ts
@@ -148,6 +148,11 @@ import {
   ChangePasswordCommandInput,
   ChangePasswordCommandOutput,
 } from "./commands/ChangePasswordCommand";
+import {
+  CompleteWebAuthnRegistrationCommand,
+  CompleteWebAuthnRegistrationCommandInput,
+  CompleteWebAuthnRegistrationCommandOutput,
+} from "./commands/CompleteWebAuthnRegistrationCommand";
 import {
   ConfirmDeviceCommand,
   ConfirmDeviceCommandInput,
@@ -169,6 +174,11 @@ import {
   CreateIdentityProviderCommandInput,
   CreateIdentityProviderCommandOutput,
 } from "./commands/CreateIdentityProviderCommand";
+import {
+  CreateManagedLoginBrandingCommand,
+  CreateManagedLoginBrandingCommandInput,
+  CreateManagedLoginBrandingCommandOutput,
+} from "./commands/CreateManagedLoginBrandingCommand";
 import {
   CreateResourceServerCommand,
   CreateResourceServerCommandInput,
@@ -200,6 +210,11 @@ import {
   DeleteIdentityProviderCommandInput,
   DeleteIdentityProviderCommandOutput,
 } from "./commands/DeleteIdentityProviderCommand";
+import {
+  DeleteManagedLoginBrandingCommand,
+  DeleteManagedLoginBrandingCommandInput,
+  DeleteManagedLoginBrandingCommandOutput,
+} from "./commands/DeleteManagedLoginBrandingCommand";
 import {
   DeleteResourceServerCommand,
   DeleteResourceServerCommandInput,
@@ -226,11 +241,26 @@ import {
   DeleteUserPoolDomainCommandInput,
   DeleteUserPoolDomainCommandOutput,
 } from "./commands/DeleteUserPoolDomainCommand";
+import {
+  DeleteWebAuthnCredentialCommand,
+  DeleteWebAuthnCredentialCommandInput,
+  DeleteWebAuthnCredentialCommandOutput,
+} from "./commands/DeleteWebAuthnCredentialCommand";
 import {
   DescribeIdentityProviderCommand,
   DescribeIdentityProviderCommandInput,
   DescribeIdentityProviderCommandOutput,
 } from "./commands/DescribeIdentityProviderCommand";
+import {
+  DescribeManagedLoginBrandingByClientCommand,
+  DescribeManagedLoginBrandingByClientCommandInput,
+  DescribeManagedLoginBrandingByClientCommandOutput,
+} from "./commands/DescribeManagedLoginBrandingByClientCommand";
+import {
+  DescribeManagedLoginBrandingCommand,
+  DescribeManagedLoginBrandingCommandInput,
+  DescribeManagedLoginBrandingCommandOutput,
+} from "./commands/DescribeManagedLoginBrandingCommand";
 import {
   DescribeResourceServerCommand,
   DescribeResourceServerCommandInput,
@@ -303,6 +333,11 @@ import {
   GetUserAttributeVerificationCodeCommandInput,
   GetUserAttributeVerificationCodeCommandOutput,
 } from "./commands/GetUserAttributeVerificationCodeCommand";
+import {
+  GetUserAuthFactorsCommand,
+  GetUserAuthFactorsCommandInput,
+  GetUserAuthFactorsCommandOutput,
+} from "./commands/GetUserAuthFactorsCommand";
 import { GetUserCommand, GetUserCommandInput, GetUserCommandOutput } from "./commands/GetUserCommand";
 import {
   GetUserPoolMfaConfigCommand,
@@ -357,6 +392,11 @@ import {
   ListUsersInGroupCommandInput,
   ListUsersInGroupCommandOutput,
 } from "./commands/ListUsersInGroupCommand";
+import {
+  ListWebAuthnCredentialsCommand,
+  ListWebAuthnCredentialsCommandInput,
+  ListWebAuthnCredentialsCommandOutput,
+} from "./commands/ListWebAuthnCredentialsCommand";
 import {
   ResendConfirmationCodeCommand,
   ResendConfirmationCodeCommandInput,
@@ -404,6 +444,11 @@ import {
   StartUserImportJobCommandInput,
   StartUserImportJobCommandOutput,
 } from "./commands/StartUserImportJobCommand";
+import {
+  StartWebAuthnRegistrationCommand,
+  StartWebAuthnRegistrationCommandInput,
+  StartWebAuthnRegistrationCommandOutput,
+} from "./commands/StartWebAuthnRegistrationCommand";
 import {
   StopUserImportJobCommand,
   StopUserImportJobCommandInput,
@@ -431,6 +476,11 @@ import {
   UpdateIdentityProviderCommandInput,
   UpdateIdentityProviderCommandOutput,
 } from "./commands/UpdateIdentityProviderCommand";
+import {
+  UpdateManagedLoginBrandingCommand,
+  UpdateManagedLoginBrandingCommandInput,
+  UpdateManagedLoginBrandingCommandOutput,
+} from "./commands/UpdateManagedLoginBrandingCommand";
 import {
   UpdateResourceServerCommand,
   UpdateResourceServerCommandInput,
@@ -497,11 +547,13 @@ const commands = {
   AdminUserGlobalSignOutCommand,
   AssociateSoftwareTokenCommand,
   ChangePasswordCommand,
+  CompleteWebAuthnRegistrationCommand,
   ConfirmDeviceCommand,
   ConfirmForgotPasswordCommand,
   ConfirmSignUpCommand,
   CreateGroupCommand,
   CreateIdentityProviderCommand,
+  CreateManagedLoginBrandingCommand,
   CreateResourceServerCommand,
   CreateUserImportJobCommand,
   CreateUserPoolCommand,
@@ -509,13 +561,17 @@ const commands = {
   CreateUserPoolDomainCommand,
   DeleteGroupCommand,
   DeleteIdentityProviderCommand,
+  DeleteManagedLoginBrandingCommand,
   DeleteResourceServerCommand,
   DeleteUserCommand,
   DeleteUserAttributesCommand,
   DeleteUserPoolCommand,
   DeleteUserPoolClientCommand,
   DeleteUserPoolDomainCommand,
+  DeleteWebAuthnCredentialCommand,
   DescribeIdentityProviderCommand,
+  DescribeManagedLoginBrandingCommand,
+  DescribeManagedLoginBrandingByClientCommand,
   DescribeResourceServerCommand,
   DescribeRiskConfigurationCommand,
   DescribeUserImportJobCommand,
@@ -533,6 +589,7 @@ const commands = {
   GetUICustomizationCommand,
   GetUserCommand,
   GetUserAttributeVerificationCodeCommand,
+  GetUserAuthFactorsCommand,
   GetUserPoolMfaConfigCommand,
   GlobalSignOutCommand,
   InitiateAuthCommand,
@@ -546,6 +603,7 @@ const commands = {
   ListUserPoolsCommand,
   ListUsersCommand,
   ListUsersInGroupCommand,
+  ListWebAuthnCredentialsCommand,
   ResendConfirmationCodeCommand,
   RespondToAuthChallengeCommand,
   RevokeTokenCommand,
@@ -557,6 +615,7 @@ const commands = {
   SetUserSettingsCommand,
   SignUpCommand,
   StartUserImportJobCommand,
+  StartWebAuthnRegistrationCommand,
   StopUserImportJobCommand,
   TagResourceCommand,
   UntagResourceCommand,
@@ -564,6 +623,7 @@ const commands = {
   UpdateDeviceStatusCommand,
   UpdateGroupCommand,
   UpdateIdentityProviderCommand,
+  UpdateManagedLoginBrandingCommand,
   UpdateResourceServerCommand,
   UpdateUserAttributesCommand,
   UpdateUserPoolCommand,
@@ -1047,6 +1107,23 @@ export interface CognitoIdentityProvider {
     cb: (err: any, data?: ChangePasswordCommandOutput) => void
   ): void;
 
+  /**
+   * @see {@link CompleteWebAuthnRegistrationCommand}
+   */
+  completeWebAuthnRegistration(
+    args: CompleteWebAuthnRegistrationCommandInput,
+    options?: __HttpHandlerOptions
+  ): Promise<CompleteWebAuthnRegistrationCommandOutput>;
+  completeWebAuthnRegistration(
+    args: CompleteWebAuthnRegistrationCommandInput,
+    cb: (err: any, data?: CompleteWebAuthnRegistrationCommandOutput) => void
+  ): void;
+  completeWebAuthnRegistration(
+    args: CompleteWebAuthnRegistrationCommandInput,
+    options: __HttpHandlerOptions,
+    cb: (err: any, data?: CompleteWebAuthnRegistrationCommandOutput) => void
+  ): void;
+
   /**
    * @see {@link ConfirmDeviceCommand}
    */
@@ -1114,6 +1191,23 @@ export interface CognitoIdentityProvider {
     cb: (err: any, data?: CreateIdentityProviderCommandOutput) => void
   ): void;
 
+  /**
+   * @see {@link CreateManagedLoginBrandingCommand}
+   */
+  createManagedLoginBranding(
+    args: CreateManagedLoginBrandingCommandInput,
+    options?: __HttpHandlerOptions
+  ): Promise<CreateManagedLoginBrandingCommandOutput>;
+  createManagedLoginBranding(
+    args: CreateManagedLoginBrandingCommandInput,
+    cb: (err: any, data?: CreateManagedLoginBrandingCommandOutput) => void
+  ): void;
+  createManagedLoginBranding(
+    args: CreateManagedLoginBrandingCommandInput,
+    options: __HttpHandlerOptions,
+    cb: (err: any, data?: CreateManagedLoginBrandingCommandOutput) => void
+  ): void;
+
   /**
    * @see {@link CreateResourceServerCommand}
    */
@@ -1224,6 +1318,23 @@ export interface CognitoIdentityProvider {
     cb: (err: any, data?: DeleteIdentityProviderCommandOutput) => void
   ): void;
 
+  /**
+   * @see {@link DeleteManagedLoginBrandingCommand}
+   */
+  deleteManagedLoginBranding(
+    args: DeleteManagedLoginBrandingCommandInput,
+    options?: __HttpHandlerOptions
+  ): Promise<DeleteManagedLoginBrandingCommandOutput>;
+  deleteManagedLoginBranding(
+    args: DeleteManagedLoginBrandingCommandInput,
+    cb: (err: any, data?: DeleteManagedLoginBrandingCommandOutput) => void
+  ): void;
+  deleteManagedLoginBranding(
+    args: DeleteManagedLoginBrandingCommandInput,
+    options: __HttpHandlerOptions,
+    cb: (err: any, data?: DeleteManagedLoginBrandingCommandOutput) => void
+  ): void;
+
   /**
    * @see {@link DeleteResourceServerCommand}
    */
@@ -1317,6 +1428,23 @@ export interface CognitoIdentityProvider {
     cb: (err: any, data?: DeleteUserPoolDomainCommandOutput) => void
   ): void;
 
+  /**
+   * @see {@link DeleteWebAuthnCredentialCommand}
+   */
+  deleteWebAuthnCredential(
+    args: DeleteWebAuthnCredentialCommandInput,
+    options?: __HttpHandlerOptions
+  ): Promise<DeleteWebAuthnCredentialCommandOutput>;
+  deleteWebAuthnCredential(
+    args: DeleteWebAuthnCredentialCommandInput,
+    cb: (err: any, data?: DeleteWebAuthnCredentialCommandOutput) => void
+  ): void;
+  deleteWebAuthnCredential(
+    args: DeleteWebAuthnCredentialCommandInput,
+    options: __HttpHandlerOptions,
+    cb: (err: any, data?: DeleteWebAuthnCredentialCommandOutput) => void
+  ): void;
+
   /**
    * @see {@link DescribeIdentityProviderCommand}
    */
@@ -1334,6 +1462,40 @@ export interface CognitoIdentityProvider {
     cb: (err: any, data?: DescribeIdentityProviderCommandOutput) => void
   ): void;
 
+  /**
+   * @see {@link DescribeManagedLoginBrandingCommand}
+   */
+  describeManagedLoginBranding(
+    args: DescribeManagedLoginBrandingCommandInput,
+    options?: __HttpHandlerOptions
+  ): Promise<DescribeManagedLoginBrandingCommandOutput>;
+  describeManagedLoginBranding(
+    args: DescribeManagedLoginBrandingCommandInput,
+    cb: (err: any, data?: DescribeManagedLoginBrandingCommandOutput) => void
+  ): void;
+  describeManagedLoginBranding(
+    args: DescribeManagedLoginBrandingCommandInput,
+    options: __HttpHandlerOptions,
+    cb: (err: any, data?: DescribeManagedLoginBrandingCommandOutput) => void
+  ): void;
+
+  /**
+   * @see {@link DescribeManagedLoginBrandingByClientCommand}
+   */
+  describeManagedLoginBrandingByClient(
+    args: DescribeManagedLoginBrandingByClientCommandInput,
+    options?: __HttpHandlerOptions
+  ): Promise<DescribeManagedLoginBrandingByClientCommandOutput>;
+  describeManagedLoginBrandingByClient(
+    args: DescribeManagedLoginBrandingByClientCommandInput,
+    cb: (err: any, data?: DescribeManagedLoginBrandingByClientCommandOutput) => void
+  ): void;
+  describeManagedLoginBrandingByClient(
+    args: DescribeManagedLoginBrandingByClientCommandInput,
+    options: __HttpHandlerOptions,
+    cb: (err: any, data?: DescribeManagedLoginBrandingByClientCommandOutput) => void
+  ): void;
+
   /**
    * @see {@link DescribeResourceServerCommand}
    */
@@ -1590,6 +1752,23 @@ export interface CognitoIdentityProvider {
     cb: (err: any, data?: GetUserAttributeVerificationCodeCommandOutput) => void
   ): void;
 
+  /**
+   * @see {@link GetUserAuthFactorsCommand}
+   */
+  getUserAuthFactors(
+    args: GetUserAuthFactorsCommandInput,
+    options?: __HttpHandlerOptions
+  ): Promise<GetUserAuthFactorsCommandOutput>;
+  getUserAuthFactors(
+    args: GetUserAuthFactorsCommandInput,
+    cb: (err: any, data?: GetUserAuthFactorsCommandOutput) => void
+  ): void;
+  getUserAuthFactors(
+    args: GetUserAuthFactorsCommandInput,
+    options: __HttpHandlerOptions,
+    cb: (err: any, data?: GetUserAuthFactorsCommandOutput) => void
+  ): void;
+
   /**
    * @see {@link GetUserPoolMfaConfigCommand}
    */
@@ -1775,6 +1954,23 @@ export interface CognitoIdentityProvider {
     cb: (err: any, data?: ListUsersInGroupCommandOutput) => void
   ): void;
 
+  /**
+   * @see {@link ListWebAuthnCredentialsCommand}
+   */
+  listWebAuthnCredentials(
+    args: ListWebAuthnCredentialsCommandInput,
+    options?: __HttpHandlerOptions
+  ): Promise<ListWebAuthnCredentialsCommandOutput>;
+  listWebAuthnCredentials(
+    args: ListWebAuthnCredentialsCommandInput,
+    cb: (err: any, data?: ListWebAuthnCredentialsCommandOutput) => void
+  ): void;
+  listWebAuthnCredentials(
+    args: ListWebAuthnCredentialsCommandInput,
+    options: __HttpHandlerOptions,
+    cb: (err: any, data?: ListWebAuthnCredentialsCommandOutput) => void
+  ): void;
+
   /**
    * @see {@link ResendConfirmationCodeCommand}
    */
@@ -1947,6 +2143,23 @@ export interface CognitoIdentityProvider {
     cb: (err: any, data?: StartUserImportJobCommandOutput) => void
   ): void;
 
+  /**
+   * @see {@link StartWebAuthnRegistrationCommand}
+   */
+  startWebAuthnRegistration(
+    args: StartWebAuthnRegistrationCommandInput,
+    options?: __HttpHandlerOptions
+  ): Promise<StartWebAuthnRegistrationCommandOutput>;
+  startWebAuthnRegistration(
+    args: StartWebAuthnRegistrationCommandInput,
+    cb: (err: any, data?: StartWebAuthnRegistrationCommandOutput) => void
+  ): void;
+  startWebAuthnRegistration(
+    args: StartWebAuthnRegistrationCommandInput,
+    options: __HttpHandlerOptions,
+    cb: (err: any, data?: StartWebAuthnRegistrationCommandOutput) => void
+  ): void;
+
   /**
    * @see {@link StopUserImportJobCommand}
    */
@@ -2048,6 +2261,24 @@ export interface CognitoIdentityProvider {
     cb: (err: any, data?: UpdateIdentityProviderCommandOutput) => void
   ): void;
 
+  /**
+   * @see {@link UpdateManagedLoginBrandingCommand}
+   */
+  updateManagedLoginBranding(): Promise<UpdateManagedLoginBrandingCommandOutput>;
+  updateManagedLoginBranding(
+    args: UpdateManagedLoginBrandingCommandInput,
+    options?: __HttpHandlerOptions
+  ): Promise<UpdateManagedLoginBrandingCommandOutput>;
+  updateManagedLoginBranding(
+    args: UpdateManagedLoginBrandingCommandInput,
+    cb: (err: any, data?: UpdateManagedLoginBrandingCommandOutput) => void
+  ): void;
+  updateManagedLoginBranding(
+    args: UpdateManagedLoginBrandingCommandInput,
+    options: __HttpHandlerOptions,
+    cb: (err: any, data?: UpdateManagedLoginBrandingCommandOutput) => void
+  ): void;
+
   /**
    * @see {@link UpdateResourceServerCommand}
    */
diff --git a/clients/client-cognito-identity-provider/src/CognitoIdentityProviderClient.ts b/clients/client-cognito-identity-provider/src/CognitoIdentityProviderClient.ts
index aadd6087b22a..f36925f0313e 100644
--- a/clients/client-cognito-identity-provider/src/CognitoIdentityProviderClient.ts
+++ b/clients/client-cognito-identity-provider/src/CognitoIdentityProviderClient.ts
@@ -136,6 +136,10 @@ import {
   AssociateSoftwareTokenCommandOutput,
 } from "./commands/AssociateSoftwareTokenCommand";
 import { ChangePasswordCommandInput, ChangePasswordCommandOutput } from "./commands/ChangePasswordCommand";
+import {
+  CompleteWebAuthnRegistrationCommandInput,
+  CompleteWebAuthnRegistrationCommandOutput,
+} from "./commands/CompleteWebAuthnRegistrationCommand";
 import { ConfirmDeviceCommandInput, ConfirmDeviceCommandOutput } from "./commands/ConfirmDeviceCommand";
 import {
   ConfirmForgotPasswordCommandInput,
@@ -147,6 +151,10 @@ import {
   CreateIdentityProviderCommandInput,
   CreateIdentityProviderCommandOutput,
 } from "./commands/CreateIdentityProviderCommand";
+import {
+  CreateManagedLoginBrandingCommandInput,
+  CreateManagedLoginBrandingCommandOutput,
+} from "./commands/CreateManagedLoginBrandingCommand";
 import {
   CreateResourceServerCommandInput,
   CreateResourceServerCommandOutput,
@@ -169,6 +177,10 @@ import {
   DeleteIdentityProviderCommandInput,
   DeleteIdentityProviderCommandOutput,
 } from "./commands/DeleteIdentityProviderCommand";
+import {
+  DeleteManagedLoginBrandingCommandInput,
+  DeleteManagedLoginBrandingCommandOutput,
+} from "./commands/DeleteManagedLoginBrandingCommand";
 import {
   DeleteResourceServerCommandInput,
   DeleteResourceServerCommandOutput,
@@ -187,10 +199,22 @@ import {
   DeleteUserPoolDomainCommandInput,
   DeleteUserPoolDomainCommandOutput,
 } from "./commands/DeleteUserPoolDomainCommand";
+import {
+  DeleteWebAuthnCredentialCommandInput,
+  DeleteWebAuthnCredentialCommandOutput,
+} from "./commands/DeleteWebAuthnCredentialCommand";
 import {
   DescribeIdentityProviderCommandInput,
   DescribeIdentityProviderCommandOutput,
 } from "./commands/DescribeIdentityProviderCommand";
+import {
+  DescribeManagedLoginBrandingByClientCommandInput,
+  DescribeManagedLoginBrandingByClientCommandOutput,
+} from "./commands/DescribeManagedLoginBrandingByClientCommand";
+import {
+  DescribeManagedLoginBrandingCommandInput,
+  DescribeManagedLoginBrandingCommandOutput,
+} from "./commands/DescribeManagedLoginBrandingCommand";
 import {
   DescribeResourceServerCommandInput,
   DescribeResourceServerCommandOutput,
@@ -234,6 +258,7 @@ import {
   GetUserAttributeVerificationCodeCommandInput,
   GetUserAttributeVerificationCodeCommandOutput,
 } from "./commands/GetUserAttributeVerificationCodeCommand";
+import { GetUserAuthFactorsCommandInput, GetUserAuthFactorsCommandOutput } from "./commands/GetUserAuthFactorsCommand";
 import { GetUserCommandInput, GetUserCommandOutput } from "./commands/GetUserCommand";
 import {
   GetUserPoolMfaConfigCommandInput,
@@ -263,6 +288,10 @@ import {
 import { ListUserPoolsCommandInput, ListUserPoolsCommandOutput } from "./commands/ListUserPoolsCommand";
 import { ListUsersCommandInput, ListUsersCommandOutput } from "./commands/ListUsersCommand";
 import { ListUsersInGroupCommandInput, ListUsersInGroupCommandOutput } from "./commands/ListUsersInGroupCommand";
+import {
+  ListWebAuthnCredentialsCommandInput,
+  ListWebAuthnCredentialsCommandOutput,
+} from "./commands/ListWebAuthnCredentialsCommand";
 import {
   ResendConfirmationCodeCommandInput,
   ResendConfirmationCodeCommandOutput,
@@ -292,6 +321,10 @@ import {
 import { SetUserSettingsCommandInput, SetUserSettingsCommandOutput } from "./commands/SetUserSettingsCommand";
 import { SignUpCommandInput, SignUpCommandOutput } from "./commands/SignUpCommand";
 import { StartUserImportJobCommandInput, StartUserImportJobCommandOutput } from "./commands/StartUserImportJobCommand";
+import {
+  StartWebAuthnRegistrationCommandInput,
+  StartWebAuthnRegistrationCommandOutput,
+} from "./commands/StartWebAuthnRegistrationCommand";
 import { StopUserImportJobCommandInput, StopUserImportJobCommandOutput } from "./commands/StopUserImportJobCommand";
 import { TagResourceCommandInput, TagResourceCommandOutput } from "./commands/TagResourceCommand";
 import { UntagResourceCommandInput, UntagResourceCommandOutput } from "./commands/UntagResourceCommand";
@@ -305,6 +338,10 @@ import {
   UpdateIdentityProviderCommandInput,
   UpdateIdentityProviderCommandOutput,
 } from "./commands/UpdateIdentityProviderCommand";
+import {
+  UpdateManagedLoginBrandingCommandInput,
+  UpdateManagedLoginBrandingCommandOutput,
+} from "./commands/UpdateManagedLoginBrandingCommand";
 import {
   UpdateResourceServerCommandInput,
   UpdateResourceServerCommandOutput,
@@ -374,11 +411,13 @@ export type ServiceInputTypes =
   | AdminUserGlobalSignOutCommandInput
   | AssociateSoftwareTokenCommandInput
   | ChangePasswordCommandInput
+  | CompleteWebAuthnRegistrationCommandInput
   | ConfirmDeviceCommandInput
   | ConfirmForgotPasswordCommandInput
   | ConfirmSignUpCommandInput
   | CreateGroupCommandInput
   | CreateIdentityProviderCommandInput
+  | CreateManagedLoginBrandingCommandInput
   | CreateResourceServerCommandInput
   | CreateUserImportJobCommandInput
   | CreateUserPoolClientCommandInput
@@ -386,13 +425,17 @@ export type ServiceInputTypes =
   | CreateUserPoolDomainCommandInput
   | DeleteGroupCommandInput
   | DeleteIdentityProviderCommandInput
+  | DeleteManagedLoginBrandingCommandInput
   | DeleteResourceServerCommandInput
   | DeleteUserAttributesCommandInput
   | DeleteUserCommandInput
   | DeleteUserPoolClientCommandInput
   | DeleteUserPoolCommandInput
   | DeleteUserPoolDomainCommandInput
+  | DeleteWebAuthnCredentialCommandInput
   | DescribeIdentityProviderCommandInput
+  | DescribeManagedLoginBrandingByClientCommandInput
+  | DescribeManagedLoginBrandingCommandInput
   | DescribeResourceServerCommandInput
   | DescribeRiskConfigurationCommandInput
   | DescribeUserImportJobCommandInput
@@ -409,6 +452,7 @@ export type ServiceInputTypes =
   | GetSigningCertificateCommandInput
   | GetUICustomizationCommandInput
   | GetUserAttributeVerificationCodeCommandInput
+  | GetUserAuthFactorsCommandInput
   | GetUserCommandInput
   | GetUserPoolMfaConfigCommandInput
   | GlobalSignOutCommandInput
@@ -423,6 +467,7 @@ export type ServiceInputTypes =
   | ListUserPoolsCommandInput
   | ListUsersCommandInput
   | ListUsersInGroupCommandInput
+  | ListWebAuthnCredentialsCommandInput
   | ResendConfirmationCodeCommandInput
   | RespondToAuthChallengeCommandInput
   | RevokeTokenCommandInput
@@ -434,6 +479,7 @@ export type ServiceInputTypes =
   | SetUserSettingsCommandInput
   | SignUpCommandInput
   | StartUserImportJobCommandInput
+  | StartWebAuthnRegistrationCommandInput
   | StopUserImportJobCommandInput
   | TagResourceCommandInput
   | UntagResourceCommandInput
@@ -441,6 +487,7 @@ export type ServiceInputTypes =
   | UpdateDeviceStatusCommandInput
   | UpdateGroupCommandInput
   | UpdateIdentityProviderCommandInput
+  | UpdateManagedLoginBrandingCommandInput
   | UpdateResourceServerCommandInput
   | UpdateUserAttributesCommandInput
   | UpdateUserPoolClientCommandInput
@@ -482,11 +529,13 @@ export type ServiceOutputTypes =
   | AdminUserGlobalSignOutCommandOutput
   | AssociateSoftwareTokenCommandOutput
   | ChangePasswordCommandOutput
+  | CompleteWebAuthnRegistrationCommandOutput
   | ConfirmDeviceCommandOutput
   | ConfirmForgotPasswordCommandOutput
   | ConfirmSignUpCommandOutput
   | CreateGroupCommandOutput
   | CreateIdentityProviderCommandOutput
+  | CreateManagedLoginBrandingCommandOutput
   | CreateResourceServerCommandOutput
   | CreateUserImportJobCommandOutput
   | CreateUserPoolClientCommandOutput
@@ -494,13 +543,17 @@ export type ServiceOutputTypes =
   | CreateUserPoolDomainCommandOutput
   | DeleteGroupCommandOutput
   | DeleteIdentityProviderCommandOutput
+  | DeleteManagedLoginBrandingCommandOutput
   | DeleteResourceServerCommandOutput
   | DeleteUserAttributesCommandOutput
   | DeleteUserCommandOutput
   | DeleteUserPoolClientCommandOutput
   | DeleteUserPoolCommandOutput
   | DeleteUserPoolDomainCommandOutput
+  | DeleteWebAuthnCredentialCommandOutput
   | DescribeIdentityProviderCommandOutput
+  | DescribeManagedLoginBrandingByClientCommandOutput
+  | DescribeManagedLoginBrandingCommandOutput
   | DescribeResourceServerCommandOutput
   | DescribeRiskConfigurationCommandOutput
   | DescribeUserImportJobCommandOutput
@@ -517,6 +570,7 @@ export type ServiceOutputTypes =
   | GetSigningCertificateCommandOutput
   | GetUICustomizationCommandOutput
   | GetUserAttributeVerificationCodeCommandOutput
+  | GetUserAuthFactorsCommandOutput
   | GetUserCommandOutput
   | GetUserPoolMfaConfigCommandOutput
   | GlobalSignOutCommandOutput
@@ -531,6 +585,7 @@ export type ServiceOutputTypes =
   | ListUserPoolsCommandOutput
   | ListUsersCommandOutput
   | ListUsersInGroupCommandOutput
+  | ListWebAuthnCredentialsCommandOutput
   | ResendConfirmationCodeCommandOutput
   | RespondToAuthChallengeCommandOutput
   | RevokeTokenCommandOutput
@@ -542,6 +597,7 @@ export type ServiceOutputTypes =
   | SetUserSettingsCommandOutput
   | SignUpCommandOutput
   | StartUserImportJobCommandOutput
+  | StartWebAuthnRegistrationCommandOutput
   | StopUserImportJobCommandOutput
   | TagResourceCommandOutput
   | UntagResourceCommandOutput
@@ -549,6 +605,7 @@ export type ServiceOutputTypes =
   | UpdateDeviceStatusCommandOutput
   | UpdateGroupCommandOutput
   | UpdateIdentityProviderCommandOutput
+  | UpdateManagedLoginBrandingCommandOutput
   | UpdateResourceServerCommandOutput
   | UpdateUserAttributesCommandOutput
   | UpdateUserPoolClientCommandOutput
diff --git a/clients/client-cognito-identity-provider/src/auth/httpAuthSchemeProvider.ts b/clients/client-cognito-identity-provider/src/auth/httpAuthSchemeProvider.ts
index b1754f1389a0..232ede813427 100644
--- a/clients/client-cognito-identity-provider/src/auth/httpAuthSchemeProvider.ts
+++ b/clients/client-cognito-identity-provider/src/auth/httpAuthSchemeProvider.ts
@@ -107,6 +107,10 @@ export const defaultCognitoIdentityProviderHttpAuthSchemeProvider: CognitoIdenti
       options.push(createSmithyApiNoAuthHttpAuthOption(authParameters));
       break;
     }
+    case "CompleteWebAuthnRegistration": {
+      options.push(createSmithyApiNoAuthHttpAuthOption(authParameters));
+      break;
+    }
     case "ConfirmDevice": {
       options.push(createSmithyApiNoAuthHttpAuthOption(authParameters));
       break;
@@ -127,6 +131,10 @@ export const defaultCognitoIdentityProviderHttpAuthSchemeProvider: CognitoIdenti
       options.push(createSmithyApiNoAuthHttpAuthOption(authParameters));
       break;
     }
+    case "DeleteWebAuthnCredential": {
+      options.push(createSmithyApiNoAuthHttpAuthOption(authParameters));
+      break;
+    }
     case "ForgetDevice": {
       options.push(createSmithyApiNoAuthHttpAuthOption(authParameters));
       break;
@@ -147,6 +155,10 @@ export const defaultCognitoIdentityProviderHttpAuthSchemeProvider: CognitoIdenti
       options.push(createSmithyApiNoAuthHttpAuthOption(authParameters));
       break;
     }
+    case "GetUserAuthFactors": {
+      options.push(createSmithyApiNoAuthHttpAuthOption(authParameters));
+      break;
+    }
     case "GlobalSignOut": {
       options.push(createSmithyApiNoAuthHttpAuthOption(authParameters));
       break;
@@ -159,6 +171,10 @@ export const defaultCognitoIdentityProviderHttpAuthSchemeProvider: CognitoIdenti
       options.push(createSmithyApiNoAuthHttpAuthOption(authParameters));
       break;
     }
+    case "ListWebAuthnCredentials": {
+      options.push(createSmithyApiNoAuthHttpAuthOption(authParameters));
+      break;
+    }
     case "ResendConfirmationCode": {
       options.push(createSmithyApiNoAuthHttpAuthOption(authParameters));
       break;
@@ -183,6 +199,10 @@ export const defaultCognitoIdentityProviderHttpAuthSchemeProvider: CognitoIdenti
       options.push(createSmithyApiNoAuthHttpAuthOption(authParameters));
       break;
     }
+    case "StartWebAuthnRegistration": {
+      options.push(createSmithyApiNoAuthHttpAuthOption(authParameters));
+      break;
+    }
     case "UpdateAuthEventFeedback": {
       options.push(createSmithyApiNoAuthHttpAuthOption(authParameters));
       break;
diff --git a/clients/client-cognito-identity-provider/src/commands/AdminCreateUserCommand.ts b/clients/client-cognito-identity-provider/src/commands/AdminCreateUserCommand.ts
index d9479780a715..fa93c848a0c8 100644
--- a/clients/client-cognito-identity-provider/src/commands/AdminCreateUserCommand.ts
+++ b/clients/client-cognito-identity-provider/src/commands/AdminCreateUserCommand.ts
@@ -48,7 +48,7 @@ export interface AdminCreateUserCommandOutput extends AdminCreateUserResponse, _
  *             Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must
  *             receive SMS messages might not be able to sign up, activate their accounts, or sign
  *             in.</p>
- *             <p>If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Servicesservice,
+ *             <p>If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Services service,
  *             Amazon Simple Notification Service might place your account in the SMS sandbox. In <i>
  *                   <a href="https://docs.aws.amazon.com/sns/latest/dg/sns-sms-sandbox.html">sandbox
  *                     mode</a>
@@ -62,8 +62,13 @@ export interface AdminCreateUserCommandOutput extends AdminCreateUserResponse, _
  *             placeholders for user name and temporary password.</p>
  *          <p>Alternatively, you can call <code>AdminCreateUser</code> with <code>SUPPRESS</code>
  *             for the <code>MessageAction</code> parameter, and Amazon Cognito won't send any email. </p>
- *          <p>In either case, the user will be in the <code>FORCE_CHANGE_PASSWORD</code> state until
- *             they sign in and change their password.</p>
+ *          <p>In either case, if the user has a password, they will be in the
+ *                 <code>FORCE_CHANGE_PASSWORD</code> state until they sign in and set their password.
+ *             Your invitation message template must have the <code>\{####\}</code> password placeholder
+ *             if your users have passwords. If your template doesn't have this placeholder, Amazon Cognito
+ *             doesn't deliver the invitation message. In this case, you must update your message
+ *             template and resend the password with a new <code>AdminCreateUser</code> request with a
+ *                 <code>MessageAction</code> value of <code>RESEND</code>.</p>
  *          <note>
  *             <p>Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For
  *     this operation, you must use IAM credentials to authorize requests, and you must
@@ -171,7 +176,7 @@ export interface AdminCreateUserCommandOutput extends AdminCreateUserResponse, _
  * @throws {@link InvalidSmsRoleTrustRelationshipException} (client fault)
  *  <p>This exception is thrown when the trust relationship is not valid for the role
  *             provided for SMS configuration. This can happen if you don't trust
- *             <code>cognito-idp.amazonaws.com</code> or the external ID provided in the role does
+ *                 <code>cognito-idp.amazonaws.com</code> or the external ID provided in the role does
  *             not match what is provided in the SMS configuration for the user pool.</p>
  *
  * @throws {@link NotAuthorizedException} (client fault)
diff --git a/clients/client-cognito-identity-provider/src/commands/AdminGetUserCommand.ts b/clients/client-cognito-identity-provider/src/commands/AdminGetUserCommand.ts
index 66f3f6fef715..dfa3206c8c6b 100644
--- a/clients/client-cognito-identity-provider/src/commands/AdminGetUserCommand.ts
+++ b/clients/client-cognito-identity-provider/src/commands/AdminGetUserCommand.ts
@@ -38,7 +38,8 @@ export interface AdminGetUserCommandOutput extends AdminGetUserResponse, __Metad
 
 /**
  * <p>Gets the specified user by user name in a user pool as an administrator. Works on any
- *             user.</p>
+ *             user. This operation contributes to your monthly active user (MAU) count for the purpose
+ *             of billing.</p>
  *          <note>
  *             <p>Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For
  *     this operation, you must use IAM credentials to authorize requests, and you must
diff --git a/clients/client-cognito-identity-provider/src/commands/AdminInitiateAuthCommand.ts b/clients/client-cognito-identity-provider/src/commands/AdminInitiateAuthCommand.ts
index 58b3f6b788e4..31691d63725e 100644
--- a/clients/client-cognito-identity-provider/src/commands/AdminInitiateAuthCommand.ts
+++ b/clients/client-cognito-identity-provider/src/commands/AdminInitiateAuthCommand.ts
@@ -46,7 +46,7 @@ export interface AdminInitiateAuthCommandOutput extends AdminInitiateAuthRespons
  *             Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must
  *             receive SMS messages might not be able to sign up, activate their accounts, or sign
  *             in.</p>
- *             <p>If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Servicesservice,
+ *             <p>If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Services service,
  *             Amazon Simple Notification Service might place your account in the SMS sandbox. In <i>
  *                   <a href="https://docs.aws.amazon.com/sns/latest/dg/sns-sms-sandbox.html">sandbox
  *                     mode</a>
@@ -84,7 +84,7 @@ export interface AdminInitiateAuthCommandOutput extends AdminInitiateAuthRespons
  * const input = { // AdminInitiateAuthRequest
  *   UserPoolId: "STRING_VALUE", // required
  *   ClientId: "STRING_VALUE", // required
- *   AuthFlow: "USER_SRP_AUTH" || "REFRESH_TOKEN_AUTH" || "REFRESH_TOKEN" || "CUSTOM_AUTH" || "ADMIN_NO_SRP_AUTH" || "USER_PASSWORD_AUTH" || "ADMIN_USER_PASSWORD_AUTH", // required
+ *   AuthFlow: "USER_SRP_AUTH" || "REFRESH_TOKEN_AUTH" || "REFRESH_TOKEN" || "CUSTOM_AUTH" || "ADMIN_NO_SRP_AUTH" || "USER_PASSWORD_AUTH" || "ADMIN_USER_PASSWORD_AUTH" || "USER_AUTH", // required
  *   AuthParameters: { // AuthParametersType
  *     "<keys>": "STRING_VALUE",
  *   },
@@ -106,11 +106,12 @@ export interface AdminInitiateAuthCommandOutput extends AdminInitiateAuthRespons
  *     ],
  *     EncodedData: "STRING_VALUE",
  *   },
+ *   Session: "STRING_VALUE",
  * };
  * const command = new AdminInitiateAuthCommand(input);
  * const response = await client.send(command);
  * // { // AdminInitiateAuthResponse
- * //   ChallengeName: "SMS_MFA" || "EMAIL_OTP" || "SOFTWARE_TOKEN_MFA" || "SELECT_MFA_TYPE" || "MFA_SETUP" || "PASSWORD_VERIFIER" || "CUSTOM_CHALLENGE" || "DEVICE_SRP_AUTH" || "DEVICE_PASSWORD_VERIFIER" || "ADMIN_NO_SRP_AUTH" || "NEW_PASSWORD_REQUIRED",
+ * //   ChallengeName: "SMS_MFA" || "EMAIL_OTP" || "SOFTWARE_TOKEN_MFA" || "SELECT_MFA_TYPE" || "MFA_SETUP" || "PASSWORD_VERIFIER" || "CUSTOM_CHALLENGE" || "SELECT_CHALLENGE" || "DEVICE_SRP_AUTH" || "DEVICE_PASSWORD_VERIFIER" || "ADMIN_NO_SRP_AUTH" || "NEW_PASSWORD_REQUIRED" || "SMS_OTP" || "PASSWORD" || "WEB_AUTHN" || "PASSWORD_SRP",
  * //   Session: "STRING_VALUE",
  * //   ChallengeParameters: { // ChallengeParametersType
  * //     "<keys>": "STRING_VALUE",
@@ -157,7 +158,7 @@ export interface AdminInitiateAuthCommandOutput extends AdminInitiateAuthRespons
  * @throws {@link InvalidSmsRoleTrustRelationshipException} (client fault)
  *  <p>This exception is thrown when the trust relationship is not valid for the role
  *             provided for SMS configuration. This can happen if you don't trust
- *             <code>cognito-idp.amazonaws.com</code> or the external ID provided in the role does
+ *                 <code>cognito-idp.amazonaws.com</code> or the external ID provided in the role does
  *             not match what is provided in the SMS configuration for the user pool.</p>
  *
  * @throws {@link InvalidUserPoolConfigurationException} (client fault)
diff --git a/clients/client-cognito-identity-provider/src/commands/AdminListDevicesCommand.ts b/clients/client-cognito-identity-provider/src/commands/AdminListDevicesCommand.ts
index 41e8cc8d0064..fc5a23111b62 100644
--- a/clients/client-cognito-identity-provider/src/commands/AdminListDevicesCommand.ts
+++ b/clients/client-cognito-identity-provider/src/commands/AdminListDevicesCommand.ts
@@ -37,7 +37,7 @@ export interface AdminListDevicesCommandInput extends AdminListDevicesRequest {}
 export interface AdminListDevicesCommandOutput extends AdminListDevicesResponse, __MetadataBearer {}
 
 /**
- * <p>Lists devices, as an administrator.</p>
+ * <p>Lists a user's registered devices.</p>
  *          <note>
  *             <p>Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For
  *     this operation, you must use IAM credentials to authorize requests, and you must
diff --git a/clients/client-cognito-identity-provider/src/commands/AdminResetUserPasswordCommand.ts b/clients/client-cognito-identity-provider/src/commands/AdminResetUserPasswordCommand.ts
index 3b2b3b183fd9..46422675b737 100644
--- a/clients/client-cognito-identity-provider/src/commands/AdminResetUserPasswordCommand.ts
+++ b/clients/client-cognito-identity-provider/src/commands/AdminResetUserPasswordCommand.ts
@@ -48,7 +48,7 @@ export interface AdminResetUserPasswordCommandOutput extends AdminResetUserPassw
  *             Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must
  *             receive SMS messages might not be able to sign up, activate their accounts, or sign
  *             in.</p>
- *             <p>If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Servicesservice,
+ *             <p>If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Services service,
  *             Amazon Simple Notification Service might place your account in the SMS sandbox. In <i>
  *                   <a href="https://docs.aws.amazon.com/sns/latest/dg/sns-sms-sandbox.html">sandbox
  *                     mode</a>
@@ -131,7 +131,7 @@ export interface AdminResetUserPasswordCommandOutput extends AdminResetUserPassw
  * @throws {@link InvalidSmsRoleTrustRelationshipException} (client fault)
  *  <p>This exception is thrown when the trust relationship is not valid for the role
  *             provided for SMS configuration. This can happen if you don't trust
- *             <code>cognito-idp.amazonaws.com</code> or the external ID provided in the role does
+ *                 <code>cognito-idp.amazonaws.com</code> or the external ID provided in the role does
  *             not match what is provided in the SMS configuration for the user pool.</p>
  *
  * @throws {@link LimitExceededException} (client fault)
diff --git a/clients/client-cognito-identity-provider/src/commands/AdminRespondToAuthChallengeCommand.ts b/clients/client-cognito-identity-provider/src/commands/AdminRespondToAuthChallengeCommand.ts
index eba9b83da479..cbb68792c6cf 100644
--- a/clients/client-cognito-identity-provider/src/commands/AdminRespondToAuthChallengeCommand.ts
+++ b/clients/client-cognito-identity-provider/src/commands/AdminRespondToAuthChallengeCommand.ts
@@ -54,7 +54,7 @@ export interface AdminRespondToAuthChallengeCommandOutput
  *             Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must
  *             receive SMS messages might not be able to sign up, activate their accounts, or sign
  *             in.</p>
- *             <p>If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Servicesservice,
+ *             <p>If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Services service,
  *             Amazon Simple Notification Service might place your account in the SMS sandbox. In <i>
  *                   <a href="https://docs.aws.amazon.com/sns/latest/dg/sns-sms-sandbox.html">sandbox
  *                     mode</a>
@@ -92,7 +92,7 @@ export interface AdminRespondToAuthChallengeCommandOutput
  * const input = { // AdminRespondToAuthChallengeRequest
  *   UserPoolId: "STRING_VALUE", // required
  *   ClientId: "STRING_VALUE", // required
- *   ChallengeName: "SMS_MFA" || "EMAIL_OTP" || "SOFTWARE_TOKEN_MFA" || "SELECT_MFA_TYPE" || "MFA_SETUP" || "PASSWORD_VERIFIER" || "CUSTOM_CHALLENGE" || "DEVICE_SRP_AUTH" || "DEVICE_PASSWORD_VERIFIER" || "ADMIN_NO_SRP_AUTH" || "NEW_PASSWORD_REQUIRED", // required
+ *   ChallengeName: "SMS_MFA" || "EMAIL_OTP" || "SOFTWARE_TOKEN_MFA" || "SELECT_MFA_TYPE" || "MFA_SETUP" || "PASSWORD_VERIFIER" || "CUSTOM_CHALLENGE" || "SELECT_CHALLENGE" || "DEVICE_SRP_AUTH" || "DEVICE_PASSWORD_VERIFIER" || "ADMIN_NO_SRP_AUTH" || "NEW_PASSWORD_REQUIRED" || "SMS_OTP" || "PASSWORD" || "WEB_AUTHN" || "PASSWORD_SRP", // required
  *   ChallengeResponses: { // ChallengeResponsesType
  *     "<keys>": "STRING_VALUE",
  *   },
@@ -119,7 +119,7 @@ export interface AdminRespondToAuthChallengeCommandOutput
  * const command = new AdminRespondToAuthChallengeCommand(input);
  * const response = await client.send(command);
  * // { // AdminRespondToAuthChallengeResponse
- * //   ChallengeName: "SMS_MFA" || "EMAIL_OTP" || "SOFTWARE_TOKEN_MFA" || "SELECT_MFA_TYPE" || "MFA_SETUP" || "PASSWORD_VERIFIER" || "CUSTOM_CHALLENGE" || "DEVICE_SRP_AUTH" || "DEVICE_PASSWORD_VERIFIER" || "ADMIN_NO_SRP_AUTH" || "NEW_PASSWORD_REQUIRED",
+ * //   ChallengeName: "SMS_MFA" || "EMAIL_OTP" || "SOFTWARE_TOKEN_MFA" || "SELECT_MFA_TYPE" || "MFA_SETUP" || "PASSWORD_VERIFIER" || "CUSTOM_CHALLENGE" || "SELECT_CHALLENGE" || "DEVICE_SRP_AUTH" || "DEVICE_PASSWORD_VERIFIER" || "ADMIN_NO_SRP_AUTH" || "NEW_PASSWORD_REQUIRED" || "SMS_OTP" || "PASSWORD" || "WEB_AUTHN" || "PASSWORD_SRP",
  * //   Session: "STRING_VALUE",
  * //   ChallengeParameters: { // ChallengeParametersType
  * //     "<keys>": "STRING_VALUE",
@@ -183,7 +183,7 @@ export interface AdminRespondToAuthChallengeCommandOutput
  * @throws {@link InvalidSmsRoleTrustRelationshipException} (client fault)
  *  <p>This exception is thrown when the trust relationship is not valid for the role
  *             provided for SMS configuration. This can happen if you don't trust
- *             <code>cognito-idp.amazonaws.com</code> or the external ID provided in the role does
+ *                 <code>cognito-idp.amazonaws.com</code> or the external ID provided in the role does
  *             not match what is provided in the SMS configuration for the user pool.</p>
  *
  * @throws {@link InvalidUserPoolConfigurationException} (client fault)
diff --git a/clients/client-cognito-identity-provider/src/commands/AdminUpdateUserAttributesCommand.ts b/clients/client-cognito-identity-provider/src/commands/AdminUpdateUserAttributesCommand.ts
index 94fbd0ee83f0..1e802778ca71 100644
--- a/clients/client-cognito-identity-provider/src/commands/AdminUpdateUserAttributesCommand.ts
+++ b/clients/client-cognito-identity-provider/src/commands/AdminUpdateUserAttributesCommand.ts
@@ -44,7 +44,7 @@ export interface AdminUpdateUserAttributesCommandOutput extends AdminUpdateUserA
  *             Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must
  *             receive SMS messages might not be able to sign up, activate their accounts, or sign
  *             in.</p>
- *             <p>If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Servicesservice,
+ *             <p>If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Services service,
  *             Amazon Simple Notification Service might place your account in the SMS sandbox. In <i>
  *                   <a href="https://docs.aws.amazon.com/sns/latest/dg/sns-sms-sandbox.html">sandbox
  *                     mode</a>
@@ -139,7 +139,7 @@ export interface AdminUpdateUserAttributesCommandOutput extends AdminUpdateUserA
  * @throws {@link InvalidSmsRoleTrustRelationshipException} (client fault)
  *  <p>This exception is thrown when the trust relationship is not valid for the role
  *             provided for SMS configuration. This can happen if you don't trust
- *             <code>cognito-idp.amazonaws.com</code> or the external ID provided in the role does
+ *                 <code>cognito-idp.amazonaws.com</code> or the external ID provided in the role does
  *             not match what is provided in the SMS configuration for the user pool.</p>
  *
  * @throws {@link NotAuthorizedException} (client fault)
diff --git a/clients/client-cognito-identity-provider/src/commands/ChangePasswordCommand.ts b/clients/client-cognito-identity-provider/src/commands/ChangePasswordCommand.ts
index 53c59c3afa35..24fb1b9ad7c6 100644
--- a/clients/client-cognito-identity-provider/src/commands/ChangePasswordCommand.ts
+++ b/clients/client-cognito-identity-provider/src/commands/ChangePasswordCommand.ts
@@ -51,7 +51,7 @@ export interface ChangePasswordCommandOutput extends ChangePasswordResponse, __M
  * // const { CognitoIdentityProviderClient, ChangePasswordCommand } = require("@aws-sdk/client-cognito-identity-provider"); // CommonJS import
  * const client = new CognitoIdentityProviderClient(config);
  * const input = { // ChangePasswordRequest
- *   PreviousPassword: "STRING_VALUE", // required
+ *   PreviousPassword: "STRING_VALUE",
  *   ProposedPassword: "STRING_VALUE", // required
  *   AccessToken: "STRING_VALUE", // required
  * };
diff --git a/clients/client-cognito-identity-provider/src/commands/CompleteWebAuthnRegistrationCommand.ts b/clients/client-cognito-identity-provider/src/commands/CompleteWebAuthnRegistrationCommand.ts
new file mode 100644
index 000000000000..9b586196e7f0
--- /dev/null
+++ b/clients/client-cognito-identity-provider/src/commands/CompleteWebAuthnRegistrationCommand.ts
@@ -0,0 +1,153 @@
+// smithy-typescript generated code
+import { getEndpointPlugin } from "@smithy/middleware-endpoint";
+import { getSerdePlugin } from "@smithy/middleware-serde";
+import { Command as $Command } from "@smithy/smithy-client";
+import { MetadataBearer as __MetadataBearer } from "@smithy/types";
+
+import {
+  CognitoIdentityProviderClientResolvedConfig,
+  ServiceInputTypes,
+  ServiceOutputTypes,
+} from "../CognitoIdentityProviderClient";
+import { commonParams } from "../endpoint/EndpointParameters";
+import {
+  CompleteWebAuthnRegistrationRequest,
+  CompleteWebAuthnRegistrationRequestFilterSensitiveLog,
+  CompleteWebAuthnRegistrationResponse,
+} from "../models/models_0";
+import {
+  de_CompleteWebAuthnRegistrationCommand,
+  se_CompleteWebAuthnRegistrationCommand,
+} from "../protocols/Aws_json1_1";
+
+/**
+ * @public
+ */
+export type { __MetadataBearer };
+export { $Command };
+/**
+ * @public
+ *
+ * The input for {@link CompleteWebAuthnRegistrationCommand}.
+ */
+export interface CompleteWebAuthnRegistrationCommandInput extends CompleteWebAuthnRegistrationRequest {}
+/**
+ * @public
+ *
+ * The output of {@link CompleteWebAuthnRegistrationCommand}.
+ */
+export interface CompleteWebAuthnRegistrationCommandOutput
+  extends CompleteWebAuthnRegistrationResponse,
+    __MetadataBearer {}
+
+/**
+ * <p>Completes registration of a passkey authenticator for the current user. Your
+ *             application provides data from a successful registration request with the data from the
+ *             output of a <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_StartWebAuthnRegistration.html"> StartWebAuthnRegistration</a>.</p>
+ *          <p>Authorize this action with a signed-in user's access token. It must include the scope <code>aws.cognito.signin.user.admin</code>.</p>
+ * @example
+ * Use a bare-bones client and the command you need to make an API call.
+ * ```javascript
+ * import { CognitoIdentityProviderClient, CompleteWebAuthnRegistrationCommand } from "@aws-sdk/client-cognito-identity-provider"; // ES Modules import
+ * // const { CognitoIdentityProviderClient, CompleteWebAuthnRegistrationCommand } = require("@aws-sdk/client-cognito-identity-provider"); // CommonJS import
+ * const client = new CognitoIdentityProviderClient(config);
+ * const input = { // CompleteWebAuthnRegistrationRequest
+ *   AccessToken: "STRING_VALUE", // required
+ *   Credential: "DOCUMENT_VALUE", // required
+ * };
+ * const command = new CompleteWebAuthnRegistrationCommand(input);
+ * const response = await client.send(command);
+ * // {};
+ *
+ * ```
+ *
+ * @param CompleteWebAuthnRegistrationCommandInput - {@link CompleteWebAuthnRegistrationCommandInput}
+ * @returns {@link CompleteWebAuthnRegistrationCommandOutput}
+ * @see {@link CompleteWebAuthnRegistrationCommandInput} for command's `input` shape.
+ * @see {@link CompleteWebAuthnRegistrationCommandOutput} for command's `response` shape.
+ * @see {@link CognitoIdentityProviderClientResolvedConfig | config} for CognitoIdentityProviderClient's `config` shape.
+ *
+ * @throws {@link ForbiddenException} (client fault)
+ *  <p>This exception is thrown when WAF doesn't allow your request based on a web
+ *             ACL that's associated with your user pool.</p>
+ *
+ * @throws {@link InternalErrorException} (server fault)
+ *  <p>This exception is thrown when Amazon Cognito encounters an internal error.</p>
+ *
+ * @throws {@link InvalidParameterException} (client fault)
+ *  <p>This exception is thrown when the Amazon Cognito service encounters an invalid
+ *             parameter.</p>
+ *
+ * @throws {@link LimitExceededException} (client fault)
+ *  <p>This exception is thrown when a user exceeds the limit for a requested Amazon Web Services
+ *             resource.</p>
+ *
+ * @throws {@link NotAuthorizedException} (client fault)
+ *  <p>This exception is thrown when a user isn't authorized.</p>
+ *
+ * @throws {@link TooManyRequestsException} (client fault)
+ *  <p>This exception is thrown when the user has made too many requests for a given
+ *             operation.</p>
+ *
+ * @throws {@link WebAuthnChallengeNotFoundException} (client fault)
+ *  <p>This exception is thrown when the challenge from <code>StartWebAuthn</code>
+ *             registration has expired.</p>
+ *
+ * @throws {@link WebAuthnClientMismatchException} (client fault)
+ *  <p>This exception is thrown when the access token is for a different client than the one
+ *             in the original <code>StartWebAuthnRegistration</code> request.</p>
+ *
+ * @throws {@link WebAuthnCredentialNotSupportedException} (client fault)
+ *  <p>This exception is thrown when a user presents passkey credentials from an unsupported
+ *             device or provider.</p>
+ *
+ * @throws {@link WebAuthnNotEnabledException} (client fault)
+ *  <p>This exception is thrown when the passkey feature isn't enabled for the user
+ *             pool.</p>
+ *
+ * @throws {@link WebAuthnOriginNotAllowedException} (client fault)
+ *  <p>This exception is thrown when the passkey credential's registration origin does not
+ *             align with the user pool relying party id.</p>
+ *
+ * @throws {@link WebAuthnRelyingPartyMismatchException} (client fault)
+ *  <p>This exception is thrown when the given passkey credential is associated with a
+ *             different relying party ID than the user pool relying party ID.</p>
+ *
+ * @throws {@link CognitoIdentityProviderServiceException}
+ * <p>Base exception class for all service exceptions from CognitoIdentityProvider service.</p>
+ *
+ * @public
+ */
+export class CompleteWebAuthnRegistrationCommand extends $Command
+  .classBuilder<
+    CompleteWebAuthnRegistrationCommandInput,
+    CompleteWebAuthnRegistrationCommandOutput,
+    CognitoIdentityProviderClientResolvedConfig,
+    ServiceInputTypes,
+    ServiceOutputTypes
+  >()
+  .ep(commonParams)
+  .m(function (this: any, Command: any, cs: any, config: CognitoIdentityProviderClientResolvedConfig, o: any) {
+    return [
+      getSerdePlugin(config, this.serialize, this.deserialize),
+      getEndpointPlugin(config, Command.getEndpointParameterInstructions()),
+    ];
+  })
+  .s("AWSCognitoIdentityProviderService", "CompleteWebAuthnRegistration", {})
+  .n("CognitoIdentityProviderClient", "CompleteWebAuthnRegistrationCommand")
+  .f(CompleteWebAuthnRegistrationRequestFilterSensitiveLog, void 0)
+  .ser(se_CompleteWebAuthnRegistrationCommand)
+  .de(de_CompleteWebAuthnRegistrationCommand)
+  .build() {
+  /** @internal type navigation helper, not in runtime. */
+  protected declare static __types: {
+    api: {
+      input: CompleteWebAuthnRegistrationRequest;
+      output: {};
+    };
+    sdk: {
+      input: CompleteWebAuthnRegistrationCommandInput;
+      output: CompleteWebAuthnRegistrationCommandOutput;
+    };
+  };
+}
diff --git a/clients/client-cognito-identity-provider/src/commands/ConfirmSignUpCommand.ts b/clients/client-cognito-identity-provider/src/commands/ConfirmSignUpCommand.ts
index 005570f9fe69..a06ff99befd5 100644
--- a/clients/client-cognito-identity-provider/src/commands/ConfirmSignUpCommand.ts
+++ b/clients/client-cognito-identity-provider/src/commands/ConfirmSignUpCommand.ts
@@ -14,6 +14,7 @@ import {
   ConfirmSignUpRequest,
   ConfirmSignUpRequestFilterSensitiveLog,
   ConfirmSignUpResponse,
+  ConfirmSignUpResponseFilterSensitiveLog,
 } from "../models/models_0";
 import { de_ConfirmSignUpCommand, se_ConfirmSignUpCommand } from "../protocols/Aws_json1_1";
 
@@ -76,10 +77,13 @@ export interface ConfirmSignUpCommandOutput extends ConfirmSignUpResponse, __Met
  *   ClientMetadata: { // ClientMetadataType
  *     "<keys>": "STRING_VALUE",
  *   },
+ *   Session: "STRING_VALUE",
  * };
  * const command = new ConfirmSignUpCommand(input);
  * const response = await client.send(command);
- * // {};
+ * // { // ConfirmSignUpResponse
+ * //   Session: "STRING_VALUE",
+ * // };
  *
  * ```
  *
@@ -169,7 +173,7 @@ export class ConfirmSignUpCommand extends $Command
   })
   .s("AWSCognitoIdentityProviderService", "ConfirmSignUp", {})
   .n("CognitoIdentityProviderClient", "ConfirmSignUpCommand")
-  .f(ConfirmSignUpRequestFilterSensitiveLog, void 0)
+  .f(ConfirmSignUpRequestFilterSensitiveLog, ConfirmSignUpResponseFilterSensitiveLog)
   .ser(se_ConfirmSignUpCommand)
   .de(de_ConfirmSignUpCommand)
   .build() {
@@ -177,7 +181,7 @@ export class ConfirmSignUpCommand extends $Command
   protected declare static __types: {
     api: {
       input: ConfirmSignUpRequest;
-      output: {};
+      output: ConfirmSignUpResponse;
     };
     sdk: {
       input: ConfirmSignUpCommandInput;
diff --git a/clients/client-cognito-identity-provider/src/commands/CreateManagedLoginBrandingCommand.ts b/clients/client-cognito-identity-provider/src/commands/CreateManagedLoginBrandingCommand.ts
new file mode 100644
index 000000000000..e80d6ad287b1
--- /dev/null
+++ b/clients/client-cognito-identity-provider/src/commands/CreateManagedLoginBrandingCommand.ts
@@ -0,0 +1,191 @@
+// smithy-typescript generated code
+import { getEndpointPlugin } from "@smithy/middleware-endpoint";
+import { getSerdePlugin } from "@smithy/middleware-serde";
+import { Command as $Command } from "@smithy/smithy-client";
+import { MetadataBearer as __MetadataBearer } from "@smithy/types";
+
+import {
+  CognitoIdentityProviderClientResolvedConfig,
+  ServiceInputTypes,
+  ServiceOutputTypes,
+} from "../CognitoIdentityProviderClient";
+import { commonParams } from "../endpoint/EndpointParameters";
+import {
+  CreateManagedLoginBrandingRequest,
+  CreateManagedLoginBrandingRequestFilterSensitiveLog,
+  CreateManagedLoginBrandingResponse,
+} from "../models/models_0";
+import { de_CreateManagedLoginBrandingCommand, se_CreateManagedLoginBrandingCommand } from "../protocols/Aws_json1_1";
+
+/**
+ * @public
+ */
+export type { __MetadataBearer };
+export { $Command };
+/**
+ * @public
+ *
+ * The input for {@link CreateManagedLoginBrandingCommand}.
+ */
+export interface CreateManagedLoginBrandingCommandInput extends CreateManagedLoginBrandingRequest {}
+/**
+ * @public
+ *
+ * The output of {@link CreateManagedLoginBrandingCommand}.
+ */
+export interface CreateManagedLoginBrandingCommandOutput extends CreateManagedLoginBrandingResponse, __MetadataBearer {}
+
+/**
+ * <p>Creates a new set of branding settings for a user pool style and associates it with an
+ *             app client. This operation is the programmatic option for the creation of a new style in
+ *             the branding designer.</p>
+ *          <p>Provides values for UI customization in a <code>Settings</code> JSON object and image
+ *             files in an <code>Assets</code> array. To send the JSON object <code>Document</code>
+ *             type parameter in <code>Settings</code>, you might need to update to the most recent
+ *             version of your Amazon Web Services SDK. </p>
+ *          <p> This operation has a 2-megabyte request-size limit and include the CSS settings and
+ *             image assets for your app client. Your branding settings might exceed 2MB in size. Amazon Cognito
+ *             doesn't require that you pass all parameters in one request and preserves existing
+ *             style settings that you don't specify. If your request is larger than 2MB, separate it
+ *             into multiple requests, each with a size smaller than the limit. </p>
+ *          <p>For more information, see <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/managed-login-brandingdesigner.html#branding-designer-api">API and SDK operations for managed login branding</a>
+ *          </p>
+ *          <note>
+ *             <p>Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For
+ *     this operation, you must use IAM credentials to authorize requests, and you must
+ *     grant yourself the corresponding IAM permission in a policy.</p>
+ *             <p class="title">
+ *                <b>Learn more</b>
+ *             </p>
+ *             <ul>
+ *                <li>
+ *                   <p>
+ *                      <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html">Signing Amazon Web Services API Requests</a>
+ *                   </p>
+ *                </li>
+ *                <li>
+ *                   <p>
+ *                      <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html">Using the Amazon Cognito user pools API and user pool endpoints</a>
+ *                   </p>
+ *                </li>
+ *             </ul>
+ *          </note>
+ * @example
+ * Use a bare-bones client and the command you need to make an API call.
+ * ```javascript
+ * import { CognitoIdentityProviderClient, CreateManagedLoginBrandingCommand } from "@aws-sdk/client-cognito-identity-provider"; // ES Modules import
+ * // const { CognitoIdentityProviderClient, CreateManagedLoginBrandingCommand } = require("@aws-sdk/client-cognito-identity-provider"); // CommonJS import
+ * const client = new CognitoIdentityProviderClient(config);
+ * const input = { // CreateManagedLoginBrandingRequest
+ *   UserPoolId: "STRING_VALUE", // required
+ *   ClientId: "STRING_VALUE", // required
+ *   UseCognitoProvidedValues: true || false,
+ *   Settings: "DOCUMENT_VALUE",
+ *   Assets: [ // AssetListType
+ *     { // AssetType
+ *       Category: "FAVICON_ICO" || "FAVICON_SVG" || "EMAIL_GRAPHIC" || "SMS_GRAPHIC" || "AUTH_APP_GRAPHIC" || "PASSWORD_GRAPHIC" || "PASSKEY_GRAPHIC" || "PAGE_HEADER_LOGO" || "PAGE_HEADER_BACKGROUND" || "PAGE_FOOTER_LOGO" || "PAGE_FOOTER_BACKGROUND" || "PAGE_BACKGROUND" || "FORM_BACKGROUND" || "FORM_LOGO" || "IDP_BUTTON_ICON", // required
+ *       ColorMode: "LIGHT" || "DARK" || "DYNAMIC", // required
+ *       Extension: "ICO" || "JPEG" || "PNG" || "SVG" || "WEBP", // required
+ *       Bytes: new Uint8Array(), // e.g. Buffer.from("") or new TextEncoder().encode("")
+ *       ResourceId: "STRING_VALUE",
+ *     },
+ *   ],
+ * };
+ * const command = new CreateManagedLoginBrandingCommand(input);
+ * const response = await client.send(command);
+ * // { // CreateManagedLoginBrandingResponse
+ * //   ManagedLoginBranding: { // ManagedLoginBrandingType
+ * //     ManagedLoginBrandingId: "STRING_VALUE",
+ * //     UserPoolId: "STRING_VALUE",
+ * //     UseCognitoProvidedValues: true || false,
+ * //     Settings: "DOCUMENT_VALUE",
+ * //     Assets: [ // AssetListType
+ * //       { // AssetType
+ * //         Category: "FAVICON_ICO" || "FAVICON_SVG" || "EMAIL_GRAPHIC" || "SMS_GRAPHIC" || "AUTH_APP_GRAPHIC" || "PASSWORD_GRAPHIC" || "PASSKEY_GRAPHIC" || "PAGE_HEADER_LOGO" || "PAGE_HEADER_BACKGROUND" || "PAGE_FOOTER_LOGO" || "PAGE_FOOTER_BACKGROUND" || "PAGE_BACKGROUND" || "FORM_BACKGROUND" || "FORM_LOGO" || "IDP_BUTTON_ICON", // required
+ * //         ColorMode: "LIGHT" || "DARK" || "DYNAMIC", // required
+ * //         Extension: "ICO" || "JPEG" || "PNG" || "SVG" || "WEBP", // required
+ * //         Bytes: new Uint8Array(),
+ * //         ResourceId: "STRING_VALUE",
+ * //       },
+ * //     ],
+ * //     CreationDate: new Date("TIMESTAMP"),
+ * //     LastModifiedDate: new Date("TIMESTAMP"),
+ * //   },
+ * // };
+ *
+ * ```
+ *
+ * @param CreateManagedLoginBrandingCommandInput - {@link CreateManagedLoginBrandingCommandInput}
+ * @returns {@link CreateManagedLoginBrandingCommandOutput}
+ * @see {@link CreateManagedLoginBrandingCommandInput} for command's `input` shape.
+ * @see {@link CreateManagedLoginBrandingCommandOutput} for command's `response` shape.
+ * @see {@link CognitoIdentityProviderClientResolvedConfig | config} for CognitoIdentityProviderClient's `config` shape.
+ *
+ * @throws {@link ConcurrentModificationException} (client fault)
+ *  <p>This exception is thrown if two or more modifications are happening
+ *             concurrently.</p>
+ *
+ * @throws {@link InternalErrorException} (server fault)
+ *  <p>This exception is thrown when Amazon Cognito encounters an internal error.</p>
+ *
+ * @throws {@link InvalidParameterException} (client fault)
+ *  <p>This exception is thrown when the Amazon Cognito service encounters an invalid
+ *             parameter.</p>
+ *
+ * @throws {@link LimitExceededException} (client fault)
+ *  <p>This exception is thrown when a user exceeds the limit for a requested Amazon Web Services
+ *             resource.</p>
+ *
+ * @throws {@link ManagedLoginBrandingExistsException} (client fault)
+ *  <p>This exception is thrown when you attempt to apply a managed login branding style to
+ *             an app client that already has an assigned style.</p>
+ *
+ * @throws {@link NotAuthorizedException} (client fault)
+ *  <p>This exception is thrown when a user isn't authorized.</p>
+ *
+ * @throws {@link ResourceNotFoundException} (client fault)
+ *  <p>This exception is thrown when the Amazon Cognito service can't find the requested
+ *             resource.</p>
+ *
+ * @throws {@link TooManyRequestsException} (client fault)
+ *  <p>This exception is thrown when the user has made too many requests for a given
+ *             operation.</p>
+ *
+ * @throws {@link CognitoIdentityProviderServiceException}
+ * <p>Base exception class for all service exceptions from CognitoIdentityProvider service.</p>
+ *
+ * @public
+ */
+export class CreateManagedLoginBrandingCommand extends $Command
+  .classBuilder<
+    CreateManagedLoginBrandingCommandInput,
+    CreateManagedLoginBrandingCommandOutput,
+    CognitoIdentityProviderClientResolvedConfig,
+    ServiceInputTypes,
+    ServiceOutputTypes
+  >()
+  .ep(commonParams)
+  .m(function (this: any, Command: any, cs: any, config: CognitoIdentityProviderClientResolvedConfig, o: any) {
+    return [
+      getSerdePlugin(config, this.serialize, this.deserialize),
+      getEndpointPlugin(config, Command.getEndpointParameterInstructions()),
+    ];
+  })
+  .s("AWSCognitoIdentityProviderService", "CreateManagedLoginBranding", {})
+  .n("CognitoIdentityProviderClient", "CreateManagedLoginBrandingCommand")
+  .f(CreateManagedLoginBrandingRequestFilterSensitiveLog, void 0)
+  .ser(se_CreateManagedLoginBrandingCommand)
+  .de(de_CreateManagedLoginBrandingCommand)
+  .build() {
+  /** @internal type navigation helper, not in runtime. */
+  protected declare static __types: {
+    api: {
+      input: CreateManagedLoginBrandingRequest;
+      output: CreateManagedLoginBrandingResponse;
+    };
+    sdk: {
+      input: CreateManagedLoginBrandingCommandInput;
+      output: CreateManagedLoginBrandingCommandOutput;
+    };
+  };
+}
diff --git a/clients/client-cognito-identity-provider/src/commands/CreateUserPoolClientCommand.ts b/clients/client-cognito-identity-provider/src/commands/CreateUserPoolClientCommand.ts
index 6233eec1002b..b8d92ff15c1e 100644
--- a/clients/client-cognito-identity-provider/src/commands/CreateUserPoolClientCommand.ts
+++ b/clients/client-cognito-identity-provider/src/commands/CreateUserPoolClientCommand.ts
@@ -87,7 +87,7 @@ export interface CreateUserPoolClientCommandOutput extends CreateUserPoolClientR
  *     "STRING_VALUE",
  *   ],
  *   ExplicitAuthFlows: [ // ExplicitAuthFlowsListType
- *     "ADMIN_NO_SRP_AUTH" || "CUSTOM_AUTH_FLOW_ONLY" || "USER_PASSWORD_AUTH" || "ALLOW_ADMIN_USER_PASSWORD_AUTH" || "ALLOW_CUSTOM_AUTH" || "ALLOW_USER_PASSWORD_AUTH" || "ALLOW_USER_SRP_AUTH" || "ALLOW_REFRESH_TOKEN_AUTH",
+ *     "ADMIN_NO_SRP_AUTH" || "CUSTOM_AUTH_FLOW_ONLY" || "USER_PASSWORD_AUTH" || "ALLOW_ADMIN_USER_PASSWORD_AUTH" || "ALLOW_CUSTOM_AUTH" || "ALLOW_USER_PASSWORD_AUTH" || "ALLOW_USER_SRP_AUTH" || "ALLOW_REFRESH_TOKEN_AUTH" || "ALLOW_USER_AUTH",
  *   ],
  *   SupportedIdentityProviders: [ // SupportedIdentityProvidersListType
  *     "STRING_VALUE",
@@ -143,7 +143,7 @@ export interface CreateUserPoolClientCommandOutput extends CreateUserPoolClientR
  * //       "STRING_VALUE",
  * //     ],
  * //     ExplicitAuthFlows: [ // ExplicitAuthFlowsListType
- * //       "ADMIN_NO_SRP_AUTH" || "CUSTOM_AUTH_FLOW_ONLY" || "USER_PASSWORD_AUTH" || "ALLOW_ADMIN_USER_PASSWORD_AUTH" || "ALLOW_CUSTOM_AUTH" || "ALLOW_USER_PASSWORD_AUTH" || "ALLOW_USER_SRP_AUTH" || "ALLOW_REFRESH_TOKEN_AUTH",
+ * //       "ADMIN_NO_SRP_AUTH" || "CUSTOM_AUTH_FLOW_ONLY" || "USER_PASSWORD_AUTH" || "ALLOW_ADMIN_USER_PASSWORD_AUTH" || "ALLOW_CUSTOM_AUTH" || "ALLOW_USER_PASSWORD_AUTH" || "ALLOW_USER_SRP_AUTH" || "ALLOW_REFRESH_TOKEN_AUTH" || "ALLOW_USER_AUTH",
  * //     ],
  * //     SupportedIdentityProviders: [ // SupportedIdentityProvidersListType
  * //       "STRING_VALUE",
diff --git a/clients/client-cognito-identity-provider/src/commands/CreateUserPoolCommand.ts b/clients/client-cognito-identity-provider/src/commands/CreateUserPoolCommand.ts
index b692a7c42340..de67982aaae7 100644
--- a/clients/client-cognito-identity-provider/src/commands/CreateUserPoolCommand.ts
+++ b/clients/client-cognito-identity-provider/src/commands/CreateUserPoolCommand.ts
@@ -40,7 +40,7 @@ export interface CreateUserPoolCommandOutput extends CreateUserPoolResponse, __M
  *             Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must
  *             receive SMS messages might not be able to sign up, activate their accounts, or sign
  *             in.</p>
- *             <p>If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Servicesservice,
+ *             <p>If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Services service,
  *             Amazon Simple Notification Service might place your account in the SMS sandbox. In <i>
  *                   <a href="https://docs.aws.amazon.com/sns/latest/dg/sns-sms-sandbox.html">sandbox
  *                     mode</a>
@@ -92,6 +92,11 @@ export interface CreateUserPoolCommandOutput extends CreateUserPoolResponse, __M
  *       PasswordHistorySize: Number("int"),
  *       TemporaryPasswordValidityDays: Number("int"),
  *     },
+ *     SignInPolicy: { // SignInPolicyType
+ *       AllowedFirstAuthFactors: [ // AllowedFirstAuthFactorsListType
+ *         "PASSWORD" || "EMAIL_OTP" || "SMS_OTP" || "WEB_AUTHN",
+ *       ],
+ *     },
  *   },
  *   DeletionProtection: "ACTIVE" || "INACTIVE",
  *   LambdaConfig: { // LambdaConfigType
@@ -208,6 +213,7 @@ export interface CreateUserPoolCommandOutput extends CreateUserPoolResponse, __M
  *       },
  *     ],
  *   },
+ *   UserPoolTier: "LITE" || "ESSENTIALS" || "PLUS",
  * };
  * const command = new CreateUserPoolCommand(input);
  * const response = await client.send(command);
@@ -225,6 +231,11 @@ export interface CreateUserPoolCommandOutput extends CreateUserPoolResponse, __M
  * //         PasswordHistorySize: Number("int"),
  * //         TemporaryPasswordValidityDays: Number("int"),
  * //       },
+ * //       SignInPolicy: { // SignInPolicyType
+ * //         AllowedFirstAuthFactors: [ // AllowedFirstAuthFactorsListType
+ * //           "PASSWORD" || "EMAIL_OTP" || "SMS_OTP" || "WEB_AUTHN",
+ * //         ],
+ * //       },
  * //     },
  * //     DeletionProtection: "ACTIVE" || "INACTIVE",
  * //     LambdaConfig: { // LambdaConfigType
@@ -350,6 +361,7 @@ export interface CreateUserPoolCommandOutput extends CreateUserPoolResponse, __M
  * //         },
  * //       ],
  * //     },
+ * //     UserPoolTier: "LITE" || "ESSENTIALS" || "PLUS",
  * //   },
  * // };
  *
@@ -361,6 +373,10 @@ export interface CreateUserPoolCommandOutput extends CreateUserPoolResponse, __M
  * @see {@link CreateUserPoolCommandOutput} for command's `response` shape.
  * @see {@link CognitoIdentityProviderClientResolvedConfig | config} for CognitoIdentityProviderClient's `config` shape.
  *
+ * @throws {@link FeatureUnavailableInTierException} (client fault)
+ *  <p>This exception is thrown when a feature you attempted to configure isn't
+ *             available in your current feature plan.</p>
+ *
  * @throws {@link InternalErrorException} (server fault)
  *  <p>This exception is thrown when Amazon Cognito encounters an internal error.</p>
  *
@@ -379,7 +395,7 @@ export interface CreateUserPoolCommandOutput extends CreateUserPoolResponse, __M
  * @throws {@link InvalidSmsRoleTrustRelationshipException} (client fault)
  *  <p>This exception is thrown when the trust relationship is not valid for the role
  *             provided for SMS configuration. This can happen if you don't trust
- *             <code>cognito-idp.amazonaws.com</code> or the external ID provided in the role does
+ *                 <code>cognito-idp.amazonaws.com</code> or the external ID provided in the role does
  *             not match what is provided in the SMS configuration for the user pool.</p>
  *
  * @throws {@link LimitExceededException} (client fault)
@@ -389,6 +405,10 @@ export interface CreateUserPoolCommandOutput extends CreateUserPoolResponse, __M
  * @throws {@link NotAuthorizedException} (client fault)
  *  <p>This exception is thrown when a user isn't authorized.</p>
  *
+ * @throws {@link TierChangeNotAllowedException} (client fault)
+ *  <p>This exception is thrown when you've attempted to change your feature plan but
+ *             the operation isn't permitted.</p>
+ *
  * @throws {@link TooManyRequestsException} (client fault)
  *  <p>This exception is thrown when the user has made too many requests for a given
  *             operation.</p>
diff --git a/clients/client-cognito-identity-provider/src/commands/CreateUserPoolDomainCommand.ts b/clients/client-cognito-identity-provider/src/commands/CreateUserPoolDomainCommand.ts
index 99b9d5aee225..16276e6abc34 100644
--- a/clients/client-cognito-identity-provider/src/commands/CreateUserPoolDomainCommand.ts
+++ b/clients/client-cognito-identity-provider/src/commands/CreateUserPoolDomainCommand.ts
@@ -32,7 +32,8 @@ export interface CreateUserPoolDomainCommandInput extends CreateUserPoolDomainRe
 export interface CreateUserPoolDomainCommandOutput extends CreateUserPoolDomainResponse, __MetadataBearer {}
 
 /**
- * <p>Creates a new domain for a user pool.</p>
+ * <p>Creates a new domain for a user pool. The domain hosts user pool domain services like
+ *             managed login, the hosted UI (classic), and the user pool authorization server.</p>
  *          <note>
  *             <p>Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For
  *     this operation, you must use IAM credentials to authorize requests, and you must
@@ -62,6 +63,7 @@ export interface CreateUserPoolDomainCommandOutput extends CreateUserPoolDomainR
  * const input = { // CreateUserPoolDomainRequest
  *   Domain: "STRING_VALUE", // required
  *   UserPoolId: "STRING_VALUE", // required
+ *   ManagedLoginVersion: Number("int"),
  *   CustomDomainConfig: { // CustomDomainConfigType
  *     CertificateArn: "STRING_VALUE", // required
  *   },
@@ -69,6 +71,7 @@ export interface CreateUserPoolDomainCommandOutput extends CreateUserPoolDomainR
  * const command = new CreateUserPoolDomainCommand(input);
  * const response = await client.send(command);
  * // { // CreateUserPoolDomainResponse
+ * //   ManagedLoginVersion: Number("int"),
  * //   CloudFrontDomain: "STRING_VALUE",
  * // };
  *
@@ -80,6 +83,10 @@ export interface CreateUserPoolDomainCommandOutput extends CreateUserPoolDomainR
  * @see {@link CreateUserPoolDomainCommandOutput} for command's `response` shape.
  * @see {@link CognitoIdentityProviderClientResolvedConfig | config} for CognitoIdentityProviderClient's `config` shape.
  *
+ * @throws {@link FeatureUnavailableInTierException} (client fault)
+ *  <p>This exception is thrown when a feature you attempted to configure isn't
+ *             available in your current feature plan.</p>
+ *
  * @throws {@link InternalErrorException} (server fault)
  *  <p>This exception is thrown when Amazon Cognito encounters an internal error.</p>
  *
diff --git a/clients/client-cognito-identity-provider/src/commands/DeleteManagedLoginBrandingCommand.ts b/clients/client-cognito-identity-provider/src/commands/DeleteManagedLoginBrandingCommand.ts
new file mode 100644
index 000000000000..bde924e88598
--- /dev/null
+++ b/clients/client-cognito-identity-provider/src/commands/DeleteManagedLoginBrandingCommand.ts
@@ -0,0 +1,138 @@
+// smithy-typescript generated code
+import { getEndpointPlugin } from "@smithy/middleware-endpoint";
+import { getSerdePlugin } from "@smithy/middleware-serde";
+import { Command as $Command } from "@smithy/smithy-client";
+import { MetadataBearer as __MetadataBearer } from "@smithy/types";
+
+import {
+  CognitoIdentityProviderClientResolvedConfig,
+  ServiceInputTypes,
+  ServiceOutputTypes,
+} from "../CognitoIdentityProviderClient";
+import { commonParams } from "../endpoint/EndpointParameters";
+import { DeleteManagedLoginBrandingRequest } from "../models/models_0";
+import { de_DeleteManagedLoginBrandingCommand, se_DeleteManagedLoginBrandingCommand } from "../protocols/Aws_json1_1";
+
+/**
+ * @public
+ */
+export type { __MetadataBearer };
+export { $Command };
+/**
+ * @public
+ *
+ * The input for {@link DeleteManagedLoginBrandingCommand}.
+ */
+export interface DeleteManagedLoginBrandingCommandInput extends DeleteManagedLoginBrandingRequest {}
+/**
+ * @public
+ *
+ * The output of {@link DeleteManagedLoginBrandingCommand}.
+ */
+export interface DeleteManagedLoginBrandingCommandOutput extends __MetadataBearer {}
+
+/**
+ * <p>Deletes a managed login branding style. When you delete a style, you delete the
+ *             branding association for an app client and restore it to default settings.</p>
+ *          <note>
+ *             <p>Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For
+ *     this operation, you must use IAM credentials to authorize requests, and you must
+ *     grant yourself the corresponding IAM permission in a policy.</p>
+ *             <p class="title">
+ *                <b>Learn more</b>
+ *             </p>
+ *             <ul>
+ *                <li>
+ *                   <p>
+ *                      <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html">Signing Amazon Web Services API Requests</a>
+ *                   </p>
+ *                </li>
+ *                <li>
+ *                   <p>
+ *                      <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html">Using the Amazon Cognito user pools API and user pool endpoints</a>
+ *                   </p>
+ *                </li>
+ *             </ul>
+ *          </note>
+ * @example
+ * Use a bare-bones client and the command you need to make an API call.
+ * ```javascript
+ * import { CognitoIdentityProviderClient, DeleteManagedLoginBrandingCommand } from "@aws-sdk/client-cognito-identity-provider"; // ES Modules import
+ * // const { CognitoIdentityProviderClient, DeleteManagedLoginBrandingCommand } = require("@aws-sdk/client-cognito-identity-provider"); // CommonJS import
+ * const client = new CognitoIdentityProviderClient(config);
+ * const input = { // DeleteManagedLoginBrandingRequest
+ *   ManagedLoginBrandingId: "STRING_VALUE", // required
+ *   UserPoolId: "STRING_VALUE", // required
+ * };
+ * const command = new DeleteManagedLoginBrandingCommand(input);
+ * const response = await client.send(command);
+ * // {};
+ *
+ * ```
+ *
+ * @param DeleteManagedLoginBrandingCommandInput - {@link DeleteManagedLoginBrandingCommandInput}
+ * @returns {@link DeleteManagedLoginBrandingCommandOutput}
+ * @see {@link DeleteManagedLoginBrandingCommandInput} for command's `input` shape.
+ * @see {@link DeleteManagedLoginBrandingCommandOutput} for command's `response` shape.
+ * @see {@link CognitoIdentityProviderClientResolvedConfig | config} for CognitoIdentityProviderClient's `config` shape.
+ *
+ * @throws {@link ConcurrentModificationException} (client fault)
+ *  <p>This exception is thrown if two or more modifications are happening
+ *             concurrently.</p>
+ *
+ * @throws {@link InternalErrorException} (server fault)
+ *  <p>This exception is thrown when Amazon Cognito encounters an internal error.</p>
+ *
+ * @throws {@link InvalidParameterException} (client fault)
+ *  <p>This exception is thrown when the Amazon Cognito service encounters an invalid
+ *             parameter.</p>
+ *
+ * @throws {@link NotAuthorizedException} (client fault)
+ *  <p>This exception is thrown when a user isn't authorized.</p>
+ *
+ * @throws {@link ResourceNotFoundException} (client fault)
+ *  <p>This exception is thrown when the Amazon Cognito service can't find the requested
+ *             resource.</p>
+ *
+ * @throws {@link TooManyRequestsException} (client fault)
+ *  <p>This exception is thrown when the user has made too many requests for a given
+ *             operation.</p>
+ *
+ * @throws {@link CognitoIdentityProviderServiceException}
+ * <p>Base exception class for all service exceptions from CognitoIdentityProvider service.</p>
+ *
+ * @public
+ */
+export class DeleteManagedLoginBrandingCommand extends $Command
+  .classBuilder<
+    DeleteManagedLoginBrandingCommandInput,
+    DeleteManagedLoginBrandingCommandOutput,
+    CognitoIdentityProviderClientResolvedConfig,
+    ServiceInputTypes,
+    ServiceOutputTypes
+  >()
+  .ep(commonParams)
+  .m(function (this: any, Command: any, cs: any, config: CognitoIdentityProviderClientResolvedConfig, o: any) {
+    return [
+      getSerdePlugin(config, this.serialize, this.deserialize),
+      getEndpointPlugin(config, Command.getEndpointParameterInstructions()),
+    ];
+  })
+  .s("AWSCognitoIdentityProviderService", "DeleteManagedLoginBranding", {})
+  .n("CognitoIdentityProviderClient", "DeleteManagedLoginBrandingCommand")
+  .f(void 0, void 0)
+  .ser(se_DeleteManagedLoginBrandingCommand)
+  .de(de_DeleteManagedLoginBrandingCommand)
+  .build() {
+  /** @internal type navigation helper, not in runtime. */
+  protected declare static __types: {
+    api: {
+      input: DeleteManagedLoginBrandingRequest;
+      output: {};
+    };
+    sdk: {
+      input: DeleteManagedLoginBrandingCommandInput;
+      output: DeleteManagedLoginBrandingCommandOutput;
+    };
+  };
+}
diff --git a/clients/client-cognito-identity-provider/src/commands/DeleteWebAuthnCredentialCommand.ts b/clients/client-cognito-identity-provider/src/commands/DeleteWebAuthnCredentialCommand.ts
new file mode 100644
index 000000000000..ccca388c1521
--- /dev/null
+++ b/clients/client-cognito-identity-provider/src/commands/DeleteWebAuthnCredentialCommand.ts
@@ -0,0 +1,119 @@
+// smithy-typescript generated code
+import { getEndpointPlugin } from "@smithy/middleware-endpoint";
+import { getSerdePlugin } from "@smithy/middleware-serde";
+import { Command as $Command } from "@smithy/smithy-client";
+import { MetadataBearer as __MetadataBearer } from "@smithy/types";
+
+import {
+  CognitoIdentityProviderClientResolvedConfig,
+  ServiceInputTypes,
+  ServiceOutputTypes,
+} from "../CognitoIdentityProviderClient";
+import { commonParams } from "../endpoint/EndpointParameters";
+import {
+  DeleteWebAuthnCredentialRequest,
+  DeleteWebAuthnCredentialRequestFilterSensitiveLog,
+  DeleteWebAuthnCredentialResponse,
+} from "../models/models_0";
+import { de_DeleteWebAuthnCredentialCommand, se_DeleteWebAuthnCredentialCommand } from "../protocols/Aws_json1_1";
+
+/**
+ * @public
+ */
+export type { __MetadataBearer };
+export { $Command };
+/**
+ * @public
+ *
+ * The input for {@link DeleteWebAuthnCredentialCommand}.
+ */
+export interface DeleteWebAuthnCredentialCommandInput extends DeleteWebAuthnCredentialRequest {}
+/**
+ * @public
+ *
+ * The output of {@link DeleteWebAuthnCredentialCommand}.
+ */
+export interface DeleteWebAuthnCredentialCommandOutput extends DeleteWebAuthnCredentialResponse, __MetadataBearer {}
+
+/**
+ * <p>Deletes a registered passkey, or webauthN, device for the currently signed-in
+ *             user.</p>
+ *          <p>Authorize this action with a signed-in user's access token. It must include the scope <code>aws.cognito.signin.user.admin</code>.</p>
+ * @example
+ * Use a bare-bones client and the command you need to make an API call.
+ * ```javascript
+ * import { CognitoIdentityProviderClient, DeleteWebAuthnCredentialCommand } from "@aws-sdk/client-cognito-identity-provider"; // ES Modules import
+ * // const { CognitoIdentityProviderClient, DeleteWebAuthnCredentialCommand } = require("@aws-sdk/client-cognito-identity-provider"); // CommonJS import
+ * const client = new CognitoIdentityProviderClient(config);
+ * const input = { // DeleteWebAuthnCredentialRequest
+ *   AccessToken: "STRING_VALUE", // required
+ *   CredentialId: "STRING_VALUE", // required
+ * };
+ * const command = new DeleteWebAuthnCredentialCommand(input);
+ * const response = await client.send(command);
+ * // {};
+ *
+ * ```
+ *
+ * @param DeleteWebAuthnCredentialCommandInput - {@link DeleteWebAuthnCredentialCommandInput}
+ * @returns {@link DeleteWebAuthnCredentialCommandOutput}
+ * @see {@link DeleteWebAuthnCredentialCommandInput} for command's `input` shape.
+ * @see {@link DeleteWebAuthnCredentialCommandOutput} for command's `response` shape.
+ * @see {@link CognitoIdentityProviderClientResolvedConfig | config} for CognitoIdentityProviderClient's `config` shape.
+ *
+ * @throws {@link ForbiddenException} (client fault)
+ *  <p>This exception is thrown when WAF doesn't allow your request based on a web
+ *             ACL that's associated with your user pool.</p>
+ *
+ * @throws {@link InternalErrorException} (server fault)
+ *  <p>This exception is thrown when Amazon Cognito encounters an internal error.</p>
+ *
+ * @throws {@link InvalidParameterException} (client fault)
+ *  <p>This exception is thrown when the Amazon Cognito service encounters an invalid
+ *             parameter.</p>
+ *
+ * @throws {@link NotAuthorizedException} (client fault)
+ *  <p>This exception is thrown when a user isn't authorized.</p>
+ *
+ * @throws {@link ResourceNotFoundException} (client fault)
+ *  <p>This exception is thrown when the Amazon Cognito service can't find the requested
+ *             resource.</p>
+ *
+ * @throws {@link CognitoIdentityProviderServiceException}
+ * <p>Base exception class for all service exceptions from CognitoIdentityProvider service.</p>
+ *
+ * @public
+ */
+export class DeleteWebAuthnCredentialCommand extends $Command
+  .classBuilder<
+    DeleteWebAuthnCredentialCommandInput,
+    DeleteWebAuthnCredentialCommandOutput,
+    CognitoIdentityProviderClientResolvedConfig,
+    ServiceInputTypes,
+    ServiceOutputTypes
+  >()
+  .ep(commonParams)
+  .m(function (this: any, Command: any, cs: any, config: CognitoIdentityProviderClientResolvedConfig, o: any) {
+    return [
+      getSerdePlugin(config, this.serialize, this.deserialize),
+      getEndpointPlugin(config, Command.getEndpointParameterInstructions()),
+    ];
+  })
+  .s("AWSCognitoIdentityProviderService", "DeleteWebAuthnCredential", {})
+  .n("CognitoIdentityProviderClient", "DeleteWebAuthnCredentialCommand")
+  .f(DeleteWebAuthnCredentialRequestFilterSensitiveLog, void 0)
+  .ser(se_DeleteWebAuthnCredentialCommand)
+  .de(de_DeleteWebAuthnCredentialCommand)
+  .build() {
+  /** @internal type navigation helper, not in runtime. */
+  protected declare static __types: {
+    api: {
+      input: DeleteWebAuthnCredentialRequest;
+      output: {};
+    };
+    sdk: {
+      input: DeleteWebAuthnCredentialCommandInput;
+      output: DeleteWebAuthnCredentialCommandOutput;
+    };
+  };
+}
diff --git a/clients/client-cognito-identity-provider/src/commands/DescribeManagedLoginBrandingByClientCommand.ts b/clients/client-cognito-identity-provider/src/commands/DescribeManagedLoginBrandingByClientCommand.ts
new file mode 100644
index 000000000000..9012db91f0e8
--- /dev/null
+++ b/clients/client-cognito-identity-provider/src/commands/DescribeManagedLoginBrandingByClientCommand.ts
@@ -0,0 +1,142 @@
+// smithy-typescript generated code
+import { getEndpointPlugin } from "@smithy/middleware-endpoint";
+import { getSerdePlugin } from "@smithy/middleware-serde";
+import { Command as $Command } from "@smithy/smithy-client";
+import { MetadataBearer as __MetadataBearer } from "@smithy/types";
+
+import {
+  CognitoIdentityProviderClientResolvedConfig,
+  ServiceInputTypes,
+  ServiceOutputTypes,
+} from "../CognitoIdentityProviderClient";
+import { commonParams } from "../endpoint/EndpointParameters";
+import {
+  DescribeManagedLoginBrandingByClientRequest,
+  DescribeManagedLoginBrandingByClientRequestFilterSensitiveLog,
+  DescribeManagedLoginBrandingByClientResponse,
+} from "../models/models_0";
+import {
+  de_DescribeManagedLoginBrandingByClientCommand,
+  se_DescribeManagedLoginBrandingByClientCommand,
+} from "../protocols/Aws_json1_1";
+
+/**
+ * @public
+ */
+export type { __MetadataBearer };
+export { $Command };
+/**
+ * @public
+ *
+ * The input for {@link DescribeManagedLoginBrandingByClientCommand}.
+ */
+export interface DescribeManagedLoginBrandingByClientCommandInput extends DescribeManagedLoginBrandingByClientRequest {}
+/**
+ * @public
+ *
+ * The output of {@link DescribeManagedLoginBrandingByClientCommand}.
+ */
+export interface DescribeManagedLoginBrandingByClientCommandOutput
+  extends DescribeManagedLoginBrandingByClientResponse,
+    __MetadataBearer {}
+
+/**
+ * <p>When given the ID of a user pool app client, returns detailed information about the
+ *             style assigned to the app client.</p>
+ * @example
+ * Use a bare-bones client and the command you need to make an API call.
+ * ```javascript
+ * import { CognitoIdentityProviderClient, DescribeManagedLoginBrandingByClientCommand } from "@aws-sdk/client-cognito-identity-provider"; // ES Modules import
+ * // const { CognitoIdentityProviderClient, DescribeManagedLoginBrandingByClientCommand } = require("@aws-sdk/client-cognito-identity-provider"); // CommonJS import
+ * const client = new CognitoIdentityProviderClient(config);
+ * const input = { // DescribeManagedLoginBrandingByClientRequest
+ *   UserPoolId: "STRING_VALUE", // required
+ *   ClientId: "STRING_VALUE", // required
+ *   ReturnMergedResources: true || false,
+ * };
+ * const command = new DescribeManagedLoginBrandingByClientCommand(input);
+ * const response = await client.send(command);
+ * // { // DescribeManagedLoginBrandingByClientResponse
+ * //   ManagedLoginBranding: { // ManagedLoginBrandingType
+ * //     ManagedLoginBrandingId: "STRING_VALUE",
+ * //     UserPoolId: "STRING_VALUE",
+ * //     UseCognitoProvidedValues: true || false,
+ * //     Settings: "DOCUMENT_VALUE",
+ * //     Assets: [ // AssetListType
+ * //       { // AssetType
+ * //         Category: "FAVICON_ICO" || "FAVICON_SVG" || "EMAIL_GRAPHIC" || "SMS_GRAPHIC" || "AUTH_APP_GRAPHIC" || "PASSWORD_GRAPHIC" || "PASSKEY_GRAPHIC" || "PAGE_HEADER_LOGO" || "PAGE_HEADER_BACKGROUND" || "PAGE_FOOTER_LOGO" || "PAGE_FOOTER_BACKGROUND" || "PAGE_BACKGROUND" || "FORM_BACKGROUND" || "FORM_LOGO" || "IDP_BUTTON_ICON", // required
+ * //         ColorMode: "LIGHT" || "DARK" || "DYNAMIC", // required
+ * //         Extension: "ICO" || "JPEG" || "PNG" || "SVG" || "WEBP", // required
+ * //         Bytes: new Uint8Array(),
+ * //         ResourceId: "STRING_VALUE",
+ * //       },
+ * //     ],
+ * //     CreationDate: new Date("TIMESTAMP"),
+ * //     LastModifiedDate: new Date("TIMESTAMP"),
+ * //   },
+ * // };
+ *
+ * ```
+ *
+ * @param DescribeManagedLoginBrandingByClientCommandInput - {@link DescribeManagedLoginBrandingByClientCommandInput}
+ * @returns {@link DescribeManagedLoginBrandingByClientCommandOutput}
+ * @see {@link DescribeManagedLoginBrandingByClientCommandInput} for command's `input` shape.
+ * @see {@link DescribeManagedLoginBrandingByClientCommandOutput} for command's `response` shape.
+ * @see {@link CognitoIdentityProviderClientResolvedConfig | config} for CognitoIdentityProviderClient's `config` shape.
+ *
+ * @throws {@link InternalErrorException} (server fault)
+ *  <p>This exception is thrown when Amazon Cognito encounters an internal error.</p>
+ *
+ * @throws {@link InvalidParameterException} (client fault)
+ *  <p>This exception is thrown when the Amazon Cognito service encounters an invalid
+ *             parameter.</p>
+ *
+ * @throws {@link NotAuthorizedException} (client fault)
+ *  <p>This exception is thrown when a user isn't authorized.</p>
+ *
+ * @throws {@link ResourceNotFoundException} (client fault)
+ *  <p>This exception is thrown when the Amazon Cognito service can't find the requested
+ *             resource.</p>
+ *
+ * @throws {@link TooManyRequestsException} (client fault)
+ *  <p>This exception is thrown when the user has made too many requests for a given
+ *             operation.</p>
+ *
+ * @throws {@link CognitoIdentityProviderServiceException}
+ * <p>Base exception class for all service exceptions from CognitoIdentityProvider service.</p>
+ *
+ * @public
+ */
+export class DescribeManagedLoginBrandingByClientCommand extends $Command
+  .classBuilder<
+    DescribeManagedLoginBrandingByClientCommandInput,
+    DescribeManagedLoginBrandingByClientCommandOutput,
+    CognitoIdentityProviderClientResolvedConfig,
+    ServiceInputTypes,
+    ServiceOutputTypes
+  >()
+  .ep(commonParams)
+  .m(function (this: any, Command: any, cs: any, config: CognitoIdentityProviderClientResolvedConfig, o: any) {
+    return [
+      getSerdePlugin(config, this.serialize, this.deserialize),
+      getEndpointPlugin(config, Command.getEndpointParameterInstructions()),
+    ];
+  })
+  .s("AWSCognitoIdentityProviderService", "DescribeManagedLoginBrandingByClient", {})
+  .n("CognitoIdentityProviderClient", "DescribeManagedLoginBrandingByClientCommand")
+  .f(DescribeManagedLoginBrandingByClientRequestFilterSensitiveLog, void 0)
+  .ser(se_DescribeManagedLoginBrandingByClientCommand)
+  .de(de_DescribeManagedLoginBrandingByClientCommand)
+  .build() {
+  /** @internal type navigation helper, not in runtime. */
+  protected declare static __types: {
+    api: {
+      input: DescribeManagedLoginBrandingByClientRequest;
+      output: DescribeManagedLoginBrandingByClientResponse;
+    };
+    sdk: {
+      input: DescribeManagedLoginBrandingByClientCommandInput;
+      output: DescribeManagedLoginBrandingByClientCommandOutput;
+    };
+  };
+}
diff --git a/clients/client-cognito-identity-provider/src/commands/DescribeManagedLoginBrandingCommand.ts b/clients/client-cognito-identity-provider/src/commands/DescribeManagedLoginBrandingCommand.ts
new file mode 100644
index 000000000000..3a671042aba5
--- /dev/null
+++ b/clients/client-cognito-identity-provider/src/commands/DescribeManagedLoginBrandingCommand.ts
@@ -0,0 +1,138 @@
+// smithy-typescript generated code
+import { getEndpointPlugin } from "@smithy/middleware-endpoint";
+import { getSerdePlugin } from "@smithy/middleware-serde";
+import { Command as $Command } from "@smithy/smithy-client";
+import { MetadataBearer as __MetadataBearer } from "@smithy/types";
+
+import {
+  CognitoIdentityProviderClientResolvedConfig,
+  ServiceInputTypes,
+  ServiceOutputTypes,
+} from "../CognitoIdentityProviderClient";
+import { commonParams } from "../endpoint/EndpointParameters";
+import { DescribeManagedLoginBrandingRequest, DescribeManagedLoginBrandingResponse } from "../models/models_0";
+import {
+  de_DescribeManagedLoginBrandingCommand,
+  se_DescribeManagedLoginBrandingCommand,
+} from "../protocols/Aws_json1_1";
+
+/**
+ * @public
+ */
+export type { __MetadataBearer };
+export { $Command };
+/**
+ * @public
+ *
+ * The input for {@link DescribeManagedLoginBrandingCommand}.
+ */
+export interface DescribeManagedLoginBrandingCommandInput extends DescribeManagedLoginBrandingRequest {}
+/**
+ * @public
+ *
+ * The output of {@link DescribeManagedLoginBrandingCommand}.
+ */
+export interface DescribeManagedLoginBrandingCommandOutput
+  extends DescribeManagedLoginBrandingResponse,
+    __MetadataBearer {}
+
+/**
+ * <p>When given the ID of a managed login branding style, returns detailed information
+ *             about the style.</p>
+ * @example
+ * Use a bare-bones client and the command you need to make an API call.
+ * ```javascript
+ * import { CognitoIdentityProviderClient, DescribeManagedLoginBrandingCommand } from "@aws-sdk/client-cognito-identity-provider"; // ES Modules import
+ * // const { CognitoIdentityProviderClient, DescribeManagedLoginBrandingCommand } = require("@aws-sdk/client-cognito-identity-provider"); // CommonJS import
+ * const client = new CognitoIdentityProviderClient(config);
+ * const input = { // DescribeManagedLoginBrandingRequest
+ *   UserPoolId: "STRING_VALUE", // required
+ *   ManagedLoginBrandingId: "STRING_VALUE", // required
+ *   ReturnMergedResources: true || false,
+ * };
+ * const command = new DescribeManagedLoginBrandingCommand(input);
+ * const response = await client.send(command);
+ * // { // DescribeManagedLoginBrandingResponse
+ * //   ManagedLoginBranding: { // ManagedLoginBrandingType
+ * //     ManagedLoginBrandingId: "STRING_VALUE",
+ * //     UserPoolId: "STRING_VALUE",
+ * //     UseCognitoProvidedValues: true || false,
+ * //     Settings: "DOCUMENT_VALUE",
+ * //     Assets: [ // AssetListType
+ * //       { // AssetType
+ * //         Category: "FAVICON_ICO" || "FAVICON_SVG" || "EMAIL_GRAPHIC" || "SMS_GRAPHIC" || "AUTH_APP_GRAPHIC" || "PASSWORD_GRAPHIC" || "PASSKEY_GRAPHIC" || "PAGE_HEADER_LOGO" || "PAGE_HEADER_BACKGROUND" || "PAGE_FOOTER_LOGO" || "PAGE_FOOTER_BACKGROUND" || "PAGE_BACKGROUND" || "FORM_BACKGROUND" || "FORM_LOGO" || "IDP_BUTTON_ICON", // required
+ * //         ColorMode: "LIGHT" || "DARK" || "DYNAMIC", // required
+ * //         Extension: "ICO" || "JPEG" || "PNG" || "SVG" || "WEBP", // required
+ * //         Bytes: new Uint8Array(),
+ * //         ResourceId: "STRING_VALUE",
+ * //       },
+ * //     ],
+ * //     CreationDate: new Date("TIMESTAMP"),
+ * //     LastModifiedDate: new Date("TIMESTAMP"),
+ * //   },
+ * // };
+ *
+ * ```
+ *
+ * @param DescribeManagedLoginBrandingCommandInput - {@link DescribeManagedLoginBrandingCommandInput}
+ * @returns {@link DescribeManagedLoginBrandingCommandOutput}
+ * @see {@link DescribeManagedLoginBrandingCommandInput} for command's `input` shape.
+ * @see {@link DescribeManagedLoginBrandingCommandOutput} for command's `response` shape.
+ * @see {@link CognitoIdentityProviderClientResolvedConfig | config} for CognitoIdentityProviderClient's `config` shape.
+ *
+ * @throws {@link InternalErrorException} (server fault)
+ *  <p>This exception is thrown when Amazon Cognito encounters an internal error.</p>
+ *
+ * @throws {@link InvalidParameterException} (client fault)
+ *  <p>This exception is thrown when the Amazon Cognito service encounters an invalid
+ *             parameter.</p>
+ *
+ * @throws {@link NotAuthorizedException} (client fault)
+ *  <p>This exception is thrown when a user isn't authorized.</p>
+ *
+ * @throws {@link ResourceNotFoundException} (client fault)
+ *  <p>This exception is thrown when the Amazon Cognito service can't find the requested
+ *             resource.</p>
+ *
+ * @throws {@link TooManyRequestsException} (client fault)
+ *  <p>This exception is thrown when the user has made too many requests for a given
+ *             operation.</p>
+ *
+ * @throws {@link CognitoIdentityProviderServiceException}
+ * <p>Base exception class for all service exceptions from CognitoIdentityProvider service.</p>
+ *
+ * @public
+ */
+export class DescribeManagedLoginBrandingCommand extends $Command
+  .classBuilder<
+    DescribeManagedLoginBrandingCommandInput,
+    DescribeManagedLoginBrandingCommandOutput,
+    CognitoIdentityProviderClientResolvedConfig,
+    ServiceInputTypes,
+    ServiceOutputTypes
+  >()
+  .ep(commonParams)
+  .m(function (this: any, Command: any, cs: any, config: CognitoIdentityProviderClientResolvedConfig, o: any) {
+    return [
+      getSerdePlugin(config, this.serialize, this.deserialize),
+      getEndpointPlugin(config, Command.getEndpointParameterInstructions()),
+    ];
+  })
+  .s("AWSCognitoIdentityProviderService", "DescribeManagedLoginBranding", {})
+  .n("CognitoIdentityProviderClient", "DescribeManagedLoginBrandingCommand")
+  .f(void 0, void 0)
+  .ser(se_DescribeManagedLoginBrandingCommand)
+  .de(de_DescribeManagedLoginBrandingCommand)
+  .build() {
+  /** @internal type navigation helper, not in runtime. */
+  protected declare static __types: {
+    api: {
+      input: DescribeManagedLoginBrandingRequest;
+      output: DescribeManagedLoginBrandingResponse;
+    };
+    sdk: {
+      input: DescribeManagedLoginBrandingCommandInput;
+      output: DescribeManagedLoginBrandingCommandOutput;
+    };
+  };
+}
diff --git a/clients/client-cognito-identity-provider/src/commands/DescribeUserPoolClientCommand.ts b/clients/client-cognito-identity-provider/src/commands/DescribeUserPoolClientCommand.ts
index b68bdb4530b7..fa8966c152c8 100644
--- a/clients/client-cognito-identity-provider/src/commands/DescribeUserPoolClientCommand.ts
+++ b/clients/client-cognito-identity-provider/src/commands/DescribeUserPoolClientCommand.ts
@@ -94,7 +94,7 @@ export interface DescribeUserPoolClientCommandOutput extends DescribeUserPoolCli
  * //       "STRING_VALUE",
  * //     ],
  * //     ExplicitAuthFlows: [ // ExplicitAuthFlowsListType
- * //       "ADMIN_NO_SRP_AUTH" || "CUSTOM_AUTH_FLOW_ONLY" || "USER_PASSWORD_AUTH" || "ALLOW_ADMIN_USER_PASSWORD_AUTH" || "ALLOW_CUSTOM_AUTH" || "ALLOW_USER_PASSWORD_AUTH" || "ALLOW_USER_SRP_AUTH" || "ALLOW_REFRESH_TOKEN_AUTH",
+ * //       "ADMIN_NO_SRP_AUTH" || "CUSTOM_AUTH_FLOW_ONLY" || "USER_PASSWORD_AUTH" || "ALLOW_ADMIN_USER_PASSWORD_AUTH" || "ALLOW_CUSTOM_AUTH" || "ALLOW_USER_PASSWORD_AUTH" || "ALLOW_USER_SRP_AUTH" || "ALLOW_REFRESH_TOKEN_AUTH" || "ALLOW_USER_AUTH",
  * //     ],
  * //     SupportedIdentityProviders: [ // SupportedIdentityProvidersListType
  * //       "STRING_VALUE",
diff --git a/clients/client-cognito-identity-provider/src/commands/DescribeUserPoolCommand.ts b/clients/client-cognito-identity-provider/src/commands/DescribeUserPoolCommand.ts
index b9ff553e5f2d..b3b5b7378a13 100644
--- a/clients/client-cognito-identity-provider/src/commands/DescribeUserPoolCommand.ts
+++ b/clients/client-cognito-identity-provider/src/commands/DescribeUserPoolCommand.ts
@@ -78,6 +78,11 @@ export interface DescribeUserPoolCommandOutput extends DescribeUserPoolResponse,
  * //         PasswordHistorySize: Number("int"),
  * //         TemporaryPasswordValidityDays: Number("int"),
  * //       },
+ * //       SignInPolicy: { // SignInPolicyType
+ * //         AllowedFirstAuthFactors: [ // AllowedFirstAuthFactorsListType
+ * //           "PASSWORD" || "EMAIL_OTP" || "SMS_OTP" || "WEB_AUTHN",
+ * //         ],
+ * //       },
  * //     },
  * //     DeletionProtection: "ACTIVE" || "INACTIVE",
  * //     LambdaConfig: { // LambdaConfigType
@@ -203,6 +208,7 @@ export interface DescribeUserPoolCommandOutput extends DescribeUserPoolResponse,
  * //         },
  * //       ],
  * //     },
+ * //     UserPoolTier: "LITE" || "ESSENTIALS" || "PLUS",
  * //   },
  * // };
  *
diff --git a/clients/client-cognito-identity-provider/src/commands/DescribeUserPoolDomainCommand.ts b/clients/client-cognito-identity-provider/src/commands/DescribeUserPoolDomainCommand.ts
index 993c4a4409fd..2d4fa1a3ae17 100644
--- a/clients/client-cognito-identity-provider/src/commands/DescribeUserPoolDomainCommand.ts
+++ b/clients/client-cognito-identity-provider/src/commands/DescribeUserPoolDomainCommand.ts
@@ -56,6 +56,7 @@ export interface DescribeUserPoolDomainCommandOutput extends DescribeUserPoolDom
  * //     CustomDomainConfig: { // CustomDomainConfigType
  * //       CertificateArn: "STRING_VALUE", // required
  * //     },
+ * //     ManagedLoginVersion: Number("int"),
  * //   },
  * // };
  *
diff --git a/clients/client-cognito-identity-provider/src/commands/ForgotPasswordCommand.ts b/clients/client-cognito-identity-provider/src/commands/ForgotPasswordCommand.ts
index be5e30841fa0..54f84918c1a4 100644
--- a/clients/client-cognito-identity-provider/src/commands/ForgotPasswordCommand.ts
+++ b/clients/client-cognito-identity-provider/src/commands/ForgotPasswordCommand.ts
@@ -62,7 +62,7 @@ export interface ForgotPasswordCommandOutput extends ForgotPasswordResponse, __M
  *             Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must
  *             receive SMS messages might not be able to sign up, activate their accounts, or sign
  *             in.</p>
- *             <p>If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Servicesservice,
+ *             <p>If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Services service,
  *             Amazon Simple Notification Service might place your account in the SMS sandbox. In <i>
  *                   <a href="https://docs.aws.amazon.com/sns/latest/dg/sns-sms-sandbox.html">sandbox
  *                     mode</a>
@@ -139,7 +139,7 @@ export interface ForgotPasswordCommandOutput extends ForgotPasswordResponse, __M
  * @throws {@link InvalidSmsRoleTrustRelationshipException} (client fault)
  *  <p>This exception is thrown when the trust relationship is not valid for the role
  *             provided for SMS configuration. This can happen if you don't trust
- *             <code>cognito-idp.amazonaws.com</code> or the external ID provided in the role does
+ *                 <code>cognito-idp.amazonaws.com</code> or the external ID provided in the role does
  *             not match what is provided in the SMS configuration for the user pool.</p>
  *
  * @throws {@link LimitExceededException} (client fault)
diff --git a/clients/client-cognito-identity-provider/src/commands/GetUserAttributeVerificationCodeCommand.ts b/clients/client-cognito-identity-provider/src/commands/GetUserAttributeVerificationCodeCommand.ts
index acf352f458b1..91cb3270c9f1 100644
--- a/clients/client-cognito-identity-provider/src/commands/GetUserAttributeVerificationCodeCommand.ts
+++ b/clients/client-cognito-identity-provider/src/commands/GetUserAttributeVerificationCodeCommand.ts
@@ -59,7 +59,7 @@ export interface GetUserAttributeVerificationCodeCommandOutput
  *             Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must
  *             receive SMS messages might not be able to sign up, activate their accounts, or sign
  *             in.</p>
- *             <p>If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Servicesservice,
+ *             <p>If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Services service,
  *             Amazon Simple Notification Service might place your account in the SMS sandbox. In <i>
  *                   <a href="https://docs.aws.amazon.com/sns/latest/dg/sns-sms-sandbox.html">sandbox
  *                     mode</a>
@@ -128,7 +128,7 @@ export interface GetUserAttributeVerificationCodeCommandOutput
  * @throws {@link InvalidSmsRoleTrustRelationshipException} (client fault)
  *  <p>This exception is thrown when the trust relationship is not valid for the role
  *             provided for SMS configuration. This can happen if you don't trust
- *             <code>cognito-idp.amazonaws.com</code> or the external ID provided in the role does
+ *                 <code>cognito-idp.amazonaws.com</code> or the external ID provided in the role does
  *             not match what is provided in the SMS configuration for the user pool.</p>
  *
  * @throws {@link LimitExceededException} (client fault)
diff --git a/clients/client-cognito-identity-provider/src/commands/GetUserAuthFactorsCommand.ts b/clients/client-cognito-identity-provider/src/commands/GetUserAuthFactorsCommand.ts
new file mode 100644
index 000000000000..8770abffead4
--- /dev/null
+++ b/clients/client-cognito-identity-provider/src/commands/GetUserAuthFactorsCommand.ts
@@ -0,0 +1,150 @@
+// smithy-typescript generated code
+import { getEndpointPlugin } from "@smithy/middleware-endpoint";
+import { getSerdePlugin } from "@smithy/middleware-serde";
+import { Command as $Command } from "@smithy/smithy-client";
+import { MetadataBearer as __MetadataBearer } from "@smithy/types";
+
+import {
+  CognitoIdentityProviderClientResolvedConfig,
+  ServiceInputTypes,
+  ServiceOutputTypes,
+} from "../CognitoIdentityProviderClient";
+import { commonParams } from "../endpoint/EndpointParameters";
+import {
+  GetUserAuthFactorsRequest,
+  GetUserAuthFactorsRequestFilterSensitiveLog,
+  GetUserAuthFactorsResponse,
+  GetUserAuthFactorsResponseFilterSensitiveLog,
+} from "../models/models_0";
+import { de_GetUserAuthFactorsCommand, se_GetUserAuthFactorsCommand } from "../protocols/Aws_json1_1";
+
+/**
+ * @public
+ */
+export type { __MetadataBearer };
+export { $Command };
+/**
+ * @public
+ *
+ * The input for {@link GetUserAuthFactorsCommand}.
+ */
+export interface GetUserAuthFactorsCommandInput extends GetUserAuthFactorsRequest {}
+/**
+ * @public
+ *
+ * The output of {@link GetUserAuthFactorsCommand}.
+ */
+export interface GetUserAuthFactorsCommandOutput extends GetUserAuthFactorsResponse, __MetadataBearer {}
+
+/**
+ * <p>Lists the authentication options for the currently signed-in user. Returns the
+ *             following:</p>
+ *          <ol>
+ *             <li>
+ *                <p>The user's multi-factor authentication (MFA) preferences.</p>
+ *             </li>
+ *             <li>
+ *                <p>The user's options in the <code>USER_AUTH</code> flow that they can
+ *                     select in a <code>SELECT_CHALLENGE</code> response or request in a
+ *                         <code>PREFERRED_CHALLENGE</code>request.</p>
+ *             </li>
+ *          </ol>
+ * @example
+ * Use a bare-bones client and the command you need to make an API call.
+ * ```javascript
+ * import { CognitoIdentityProviderClient, GetUserAuthFactorsCommand } from "@aws-sdk/client-cognito-identity-provider"; // ES Modules import
+ * // const { CognitoIdentityProviderClient, GetUserAuthFactorsCommand } = require("@aws-sdk/client-cognito-identity-provider"); // CommonJS import
+ * const client = new CognitoIdentityProviderClient(config);
+ * const input = { // GetUserAuthFactorsRequest
+ *   AccessToken: "STRING_VALUE", // required
+ * };
+ * const command = new GetUserAuthFactorsCommand(input);
+ * const response = await client.send(command);
+ * // { // GetUserAuthFactorsResponse
+ * //   Username: "STRING_VALUE", // required
+ * //   PreferredMfaSetting: "STRING_VALUE",
+ * //   UserMFASettingList: [ // UserMFASettingListType
+ * //     "STRING_VALUE",
+ * //   ],
+ * //   ConfiguredUserAuthFactors: [ // ConfiguredUserAuthFactorsListType
+ * //     "PASSWORD" || "EMAIL_OTP" || "SMS_OTP" || "WEB_AUTHN",
+ * //   ],
+ * // };
+ *
+ * ```
+ *
+ * @param GetUserAuthFactorsCommandInput - {@link GetUserAuthFactorsCommandInput}
+ * @returns {@link GetUserAuthFactorsCommandOutput}
+ * @see {@link GetUserAuthFactorsCommandInput} for command's `input` shape.
+ * @see {@link GetUserAuthFactorsCommandOutput} for command's `response` shape.
+ * @see {@link CognitoIdentityProviderClientResolvedConfig | config} for CognitoIdentityProviderClient's `config` shape.
+ *
+ * @throws {@link ForbiddenException} (client fault)
+ *  <p>This exception is thrown when WAF doesn't allow your request based on a web
+ *             ACL that's associated with your user pool.</p>
+ *
+ * @throws {@link InternalErrorException} (server fault)
+ *  <p>This exception is thrown when Amazon Cognito encounters an internal error.</p>
+ *
+ * @throws {@link InvalidParameterException} (client fault)
+ *  <p>This exception is thrown when the Amazon Cognito service encounters an invalid
+ *             parameter.</p>
+ *
+ * @throws {@link NotAuthorizedException} (client fault)
+ *  <p>This exception is thrown when a user isn't authorized.</p>
+ *
+ * @throws {@link PasswordResetRequiredException} (client fault)
+ *  <p>This exception is thrown when a password reset is required.</p>
+ *
+ * @throws {@link ResourceNotFoundException} (client fault)
+ *  <p>This exception is thrown when the Amazon Cognito service can't find the requested
+ *             resource.</p>
+ *
+ * @throws {@link TooManyRequestsException} (client fault)
+ *  <p>This exception is thrown when the user has made too many requests for a given
+ *             operation.</p>
+ *
+ * @throws {@link UserNotConfirmedException} (client fault)
+ *  <p>This exception is thrown when a user isn't confirmed successfully.</p>
+ *
+ * @throws {@link UserNotFoundException} (client fault)
+ *  <p>This exception is thrown when a user isn't found.</p>
+ *
+ * @throws {@link CognitoIdentityProviderServiceException}
+ * <p>Base exception class for all service exceptions from CognitoIdentityProvider service.</p>
+ *
+ * @public
+ */
+export class GetUserAuthFactorsCommand extends $Command
+  .classBuilder<
+    GetUserAuthFactorsCommandInput,
+    GetUserAuthFactorsCommandOutput,
+    CognitoIdentityProviderClientResolvedConfig,
+    ServiceInputTypes,
+    ServiceOutputTypes
+  >()
+  .ep(commonParams)
+  .m(function (this: any, Command: any, cs: any, config: CognitoIdentityProviderClientResolvedConfig, o: any) {
+    return [
+      getSerdePlugin(config, this.serialize, this.deserialize),
+      getEndpointPlugin(config, Command.getEndpointParameterInstructions()),
+    ];
+  })
+  .s("AWSCognitoIdentityProviderService", "GetUserAuthFactors", {})
+  .n("CognitoIdentityProviderClient", "GetUserAuthFactorsCommand")
+  .f(GetUserAuthFactorsRequestFilterSensitiveLog, GetUserAuthFactorsResponseFilterSensitiveLog)
+  .ser(se_GetUserAuthFactorsCommand)
+  .de(de_GetUserAuthFactorsCommand)
+  .build() {
+  /** @internal type navigation helper, not in runtime. */
+  protected declare static __types: {
+    api: {
+      input: GetUserAuthFactorsRequest;
+      output: GetUserAuthFactorsResponse;
+    };
+    sdk: {
+      input: GetUserAuthFactorsCommandInput;
+      output: GetUserAuthFactorsCommandOutput;
+    };
+  };
+}
diff --git a/clients/client-cognito-identity-provider/src/commands/GetUserPoolMfaConfigCommand.ts b/clients/client-cognito-identity-provider/src/commands/GetUserPoolMfaConfigCommand.ts
index 9f944e455c39..f409045e13be 100644
--- a/clients/client-cognito-identity-provider/src/commands/GetUserPoolMfaConfigCommand.ts
+++ b/clients/client-cognito-identity-provider/src/commands/GetUserPoolMfaConfigCommand.ts
@@ -10,7 +10,8 @@ import {
   ServiceOutputTypes,
 } from "../CognitoIdentityProviderClient";
 import { commonParams } from "../endpoint/EndpointParameters";
-import { GetUserPoolMfaConfigRequest, GetUserPoolMfaConfigResponse } from "../models/models_0";
+import { GetUserPoolMfaConfigRequest } from "../models/models_0";
+import { GetUserPoolMfaConfigResponse } from "../models/models_1";
 import { de_GetUserPoolMfaConfigCommand, se_GetUserPoolMfaConfigCommand } from "../protocols/Aws_json1_1";
 
 /**
@@ -61,6 +62,10 @@ export interface GetUserPoolMfaConfigCommandOutput extends GetUserPoolMfaConfigR
  * //     Subject: "STRING_VALUE",
  * //   },
  * //   MfaConfiguration: "OFF" || "ON" || "OPTIONAL",
+ * //   WebAuthnConfiguration: { // WebAuthnConfigurationType
+ * //     RelyingPartyId: "STRING_VALUE",
+ * //     UserVerification: "required" || "preferred",
+ * //   },
  * // };
  *
  * ```
diff --git a/clients/client-cognito-identity-provider/src/commands/GlobalSignOutCommand.ts b/clients/client-cognito-identity-provider/src/commands/GlobalSignOutCommand.ts
index 8d31f1c1b12e..42a0d6238067 100644
--- a/clients/client-cognito-identity-provider/src/commands/GlobalSignOutCommand.ts
+++ b/clients/client-cognito-identity-provider/src/commands/GlobalSignOutCommand.ts
@@ -14,7 +14,7 @@ import {
   GlobalSignOutRequest,
   GlobalSignOutRequestFilterSensitiveLog,
   GlobalSignOutResponse,
-} from "../models/models_0";
+} from "../models/models_1";
 import { de_GlobalSignOutCommand, se_GlobalSignOutCommand } from "../protocols/Aws_json1_1";
 
 /**
diff --git a/clients/client-cognito-identity-provider/src/commands/InitiateAuthCommand.ts b/clients/client-cognito-identity-provider/src/commands/InitiateAuthCommand.ts
index 99e39ffc6321..667e3ba19a67 100644
--- a/clients/client-cognito-identity-provider/src/commands/InitiateAuthCommand.ts
+++ b/clients/client-cognito-identity-provider/src/commands/InitiateAuthCommand.ts
@@ -15,7 +15,7 @@ import {
   InitiateAuthRequestFilterSensitiveLog,
   InitiateAuthResponse,
   InitiateAuthResponseFilterSensitiveLog,
-} from "../models/models_0";
+} from "../models/models_1";
 import { de_InitiateAuthCommand, se_InitiateAuthCommand } from "../protocols/Aws_json1_1";
 
 /**
@@ -53,7 +53,7 @@ export interface InitiateAuthCommandOutput extends InitiateAuthResponse, __Metad
  *             Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must
  *             receive SMS messages might not be able to sign up, activate their accounts, or sign
  *             in.</p>
- *             <p>If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Servicesservice,
+ *             <p>If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Services service,
  *             Amazon Simple Notification Service might place your account in the SMS sandbox. In <i>
  *                   <a href="https://docs.aws.amazon.com/sns/latest/dg/sns-sms-sandbox.html">sandbox
  *                     mode</a>
@@ -69,7 +69,7 @@ export interface InitiateAuthCommandOutput extends InitiateAuthResponse, __Metad
  * // const { CognitoIdentityProviderClient, InitiateAuthCommand } = require("@aws-sdk/client-cognito-identity-provider"); // CommonJS import
  * const client = new CognitoIdentityProviderClient(config);
  * const input = { // InitiateAuthRequest
- *   AuthFlow: "USER_SRP_AUTH" || "REFRESH_TOKEN_AUTH" || "REFRESH_TOKEN" || "CUSTOM_AUTH" || "ADMIN_NO_SRP_AUTH" || "USER_PASSWORD_AUTH" || "ADMIN_USER_PASSWORD_AUTH", // required
+ *   AuthFlow: "USER_SRP_AUTH" || "REFRESH_TOKEN_AUTH" || "REFRESH_TOKEN" || "CUSTOM_AUTH" || "ADMIN_NO_SRP_AUTH" || "USER_PASSWORD_AUTH" || "ADMIN_USER_PASSWORD_AUTH" || "USER_AUTH", // required
  *   AuthParameters: { // AuthParametersType
  *     "<keys>": "STRING_VALUE",
  *   },
@@ -84,11 +84,12 @@ export interface InitiateAuthCommandOutput extends InitiateAuthResponse, __Metad
  *     IpAddress: "STRING_VALUE",
  *     EncodedData: "STRING_VALUE",
  *   },
+ *   Session: "STRING_VALUE",
  * };
  * const command = new InitiateAuthCommand(input);
  * const response = await client.send(command);
  * // { // InitiateAuthResponse
- * //   ChallengeName: "SMS_MFA" || "EMAIL_OTP" || "SOFTWARE_TOKEN_MFA" || "SELECT_MFA_TYPE" || "MFA_SETUP" || "PASSWORD_VERIFIER" || "CUSTOM_CHALLENGE" || "DEVICE_SRP_AUTH" || "DEVICE_PASSWORD_VERIFIER" || "ADMIN_NO_SRP_AUTH" || "NEW_PASSWORD_REQUIRED",
+ * //   ChallengeName: "SMS_MFA" || "EMAIL_OTP" || "SOFTWARE_TOKEN_MFA" || "SELECT_MFA_TYPE" || "MFA_SETUP" || "PASSWORD_VERIFIER" || "CUSTOM_CHALLENGE" || "SELECT_CHALLENGE" || "DEVICE_SRP_AUTH" || "DEVICE_PASSWORD_VERIFIER" || "ADMIN_NO_SRP_AUTH" || "NEW_PASSWORD_REQUIRED" || "SMS_OTP" || "PASSWORD" || "WEB_AUTHN" || "PASSWORD_SRP",
  * //   Session: "STRING_VALUE",
  * //   ChallengeParameters: { // ChallengeParametersType
  * //     "<keys>": "STRING_VALUE",
@@ -104,6 +105,9 @@ export interface InitiateAuthCommandOutput extends InitiateAuthResponse, __Metad
  * //       DeviceGroupKey: "STRING_VALUE",
  * //     },
  * //   },
+ * //   AvailableChallenges: [ // AvailableChallengeListType
+ * //     "SMS_MFA" || "EMAIL_OTP" || "SOFTWARE_TOKEN_MFA" || "SELECT_MFA_TYPE" || "MFA_SETUP" || "PASSWORD_VERIFIER" || "CUSTOM_CHALLENGE" || "SELECT_CHALLENGE" || "DEVICE_SRP_AUTH" || "DEVICE_PASSWORD_VERIFIER" || "ADMIN_NO_SRP_AUTH" || "NEW_PASSWORD_REQUIRED" || "SMS_OTP" || "PASSWORD" || "WEB_AUTHN" || "PASSWORD_SRP",
+ * //   ],
  * // };
  *
  * ```
@@ -139,7 +143,7 @@ export interface InitiateAuthCommandOutput extends InitiateAuthResponse, __Metad
  * @throws {@link InvalidSmsRoleTrustRelationshipException} (client fault)
  *  <p>This exception is thrown when the trust relationship is not valid for the role
  *             provided for SMS configuration. This can happen if you don't trust
- *             <code>cognito-idp.amazonaws.com</code> or the external ID provided in the role does
+ *                 <code>cognito-idp.amazonaws.com</code> or the external ID provided in the role does
  *             not match what is provided in the SMS configuration for the user pool.</p>
  *
  * @throws {@link InvalidUserPoolConfigurationException} (client fault)
diff --git a/clients/client-cognito-identity-provider/src/commands/ListDevicesCommand.ts b/clients/client-cognito-identity-provider/src/commands/ListDevicesCommand.ts
index fc2e49bfda02..4a241d35cb0f 100644
--- a/clients/client-cognito-identity-provider/src/commands/ListDevicesCommand.ts
+++ b/clients/client-cognito-identity-provider/src/commands/ListDevicesCommand.ts
@@ -15,7 +15,7 @@ import {
   ListDevicesRequestFilterSensitiveLog,
   ListDevicesResponse,
   ListDevicesResponseFilterSensitiveLog,
-} from "../models/models_0";
+} from "../models/models_1";
 import { de_ListDevicesCommand, se_ListDevicesCommand } from "../protocols/Aws_json1_1";
 
 /**
diff --git a/clients/client-cognito-identity-provider/src/commands/ListGroupsCommand.ts b/clients/client-cognito-identity-provider/src/commands/ListGroupsCommand.ts
index cddcf95c6faa..b26d8fbe1631 100644
--- a/clients/client-cognito-identity-provider/src/commands/ListGroupsCommand.ts
+++ b/clients/client-cognito-identity-provider/src/commands/ListGroupsCommand.ts
@@ -10,7 +10,7 @@ import {
   ServiceOutputTypes,
 } from "../CognitoIdentityProviderClient";
 import { commonParams } from "../endpoint/EndpointParameters";
-import { ListGroupsRequest, ListGroupsResponse } from "../models/models_0";
+import { ListGroupsRequest, ListGroupsResponse } from "../models/models_1";
 import { de_ListGroupsCommand, se_ListGroupsCommand } from "../protocols/Aws_json1_1";
 
 /**
diff --git a/clients/client-cognito-identity-provider/src/commands/ListIdentityProvidersCommand.ts b/clients/client-cognito-identity-provider/src/commands/ListIdentityProvidersCommand.ts
index 041a2f468ac8..e286d582b6f1 100644
--- a/clients/client-cognito-identity-provider/src/commands/ListIdentityProvidersCommand.ts
+++ b/clients/client-cognito-identity-provider/src/commands/ListIdentityProvidersCommand.ts
@@ -10,7 +10,7 @@ import {
   ServiceOutputTypes,
 } from "../CognitoIdentityProviderClient";
 import { commonParams } from "../endpoint/EndpointParameters";
-import { ListIdentityProvidersRequest, ListIdentityProvidersResponse } from "../models/models_0";
+import { ListIdentityProvidersRequest, ListIdentityProvidersResponse } from "../models/models_1";
 import { de_ListIdentityProvidersCommand, se_ListIdentityProvidersCommand } from "../protocols/Aws_json1_1";
 
 /**
diff --git a/clients/client-cognito-identity-provider/src/commands/ListResourceServersCommand.ts b/clients/client-cognito-identity-provider/src/commands/ListResourceServersCommand.ts
index f4c2d2029e27..8c789cf804fb 100644
--- a/clients/client-cognito-identity-provider/src/commands/ListResourceServersCommand.ts
+++ b/clients/client-cognito-identity-provider/src/commands/ListResourceServersCommand.ts
@@ -10,7 +10,7 @@ import {
   ServiceOutputTypes,
 } from "../CognitoIdentityProviderClient";
 import { commonParams } from "../endpoint/EndpointParameters";
-import { ListResourceServersRequest, ListResourceServersResponse } from "../models/models_0";
+import { ListResourceServersRequest, ListResourceServersResponse } from "../models/models_1";
 import { de_ListResourceServersCommand, se_ListResourceServersCommand } from "../protocols/Aws_json1_1";
 
 /**
diff --git a/clients/client-cognito-identity-provider/src/commands/ListTagsForResourceCommand.ts b/clients/client-cognito-identity-provider/src/commands/ListTagsForResourceCommand.ts
index 17f6bcafd5db..e6e9bb2305db 100644
--- a/clients/client-cognito-identity-provider/src/commands/ListTagsForResourceCommand.ts
+++ b/clients/client-cognito-identity-provider/src/commands/ListTagsForResourceCommand.ts
@@ -10,7 +10,7 @@ import {
   ServiceOutputTypes,
 } from "../CognitoIdentityProviderClient";
 import { commonParams } from "../endpoint/EndpointParameters";
-import { ListTagsForResourceRequest, ListTagsForResourceResponse } from "../models/models_0";
+import { ListTagsForResourceRequest, ListTagsForResourceResponse } from "../models/models_1";
 import { de_ListTagsForResourceCommand, se_ListTagsForResourceCommand } from "../protocols/Aws_json1_1";
 
 /**
diff --git a/clients/client-cognito-identity-provider/src/commands/ListUserImportJobsCommand.ts b/clients/client-cognito-identity-provider/src/commands/ListUserImportJobsCommand.ts
index add38d4e8568..4ecf06af5b98 100644
--- a/clients/client-cognito-identity-provider/src/commands/ListUserImportJobsCommand.ts
+++ b/clients/client-cognito-identity-provider/src/commands/ListUserImportJobsCommand.ts
@@ -10,7 +10,7 @@ import {
   ServiceOutputTypes,
 } from "../CognitoIdentityProviderClient";
 import { commonParams } from "../endpoint/EndpointParameters";
-import { ListUserImportJobsRequest, ListUserImportJobsResponse } from "../models/models_0";
+import { ListUserImportJobsRequest, ListUserImportJobsResponse } from "../models/models_1";
 import { de_ListUserImportJobsCommand, se_ListUserImportJobsCommand } from "../protocols/Aws_json1_1";
 
 /**
diff --git a/clients/client-cognito-identity-provider/src/commands/ListUserPoolClientsCommand.ts b/clients/client-cognito-identity-provider/src/commands/ListUserPoolClientsCommand.ts
index a8f74e22e155..f4bb2a857bc4 100644
--- a/clients/client-cognito-identity-provider/src/commands/ListUserPoolClientsCommand.ts
+++ b/clients/client-cognito-identity-provider/src/commands/ListUserPoolClientsCommand.ts
@@ -14,7 +14,7 @@ import {
   ListUserPoolClientsRequest,
   ListUserPoolClientsResponse,
   ListUserPoolClientsResponseFilterSensitiveLog,
-} from "../models/models_0";
+} from "../models/models_1";
 import { de_ListUserPoolClientsCommand, se_ListUserPoolClientsCommand } from "../protocols/Aws_json1_1";
 
 /**
diff --git a/clients/client-cognito-identity-provider/src/commands/ListUserPoolsCommand.ts b/clients/client-cognito-identity-provider/src/commands/ListUserPoolsCommand.ts
index d4d10d93581a..ff4d6c515f4e 100644
--- a/clients/client-cognito-identity-provider/src/commands/ListUserPoolsCommand.ts
+++ b/clients/client-cognito-identity-provider/src/commands/ListUserPoolsCommand.ts
@@ -10,7 +10,7 @@ import {
   ServiceOutputTypes,
 } from "../CognitoIdentityProviderClient";
 import { commonParams } from "../endpoint/EndpointParameters";
-import { ListUserPoolsRequest, ListUserPoolsResponse } from "../models/models_0";
+import { ListUserPoolsRequest, ListUserPoolsResponse } from "../models/models_1";
 import { de_ListUserPoolsCommand, se_ListUserPoolsCommand } from "../protocols/Aws_json1_1";
 
 /**
diff --git a/clients/client-cognito-identity-provider/src/commands/ListUsersCommand.ts b/clients/client-cognito-identity-provider/src/commands/ListUsersCommand.ts
index 103abba18d71..24a8b5c02864 100644
--- a/clients/client-cognito-identity-provider/src/commands/ListUsersCommand.ts
+++ b/clients/client-cognito-identity-provider/src/commands/ListUsersCommand.ts
@@ -10,7 +10,7 @@ import {
   ServiceOutputTypes,
 } from "../CognitoIdentityProviderClient";
 import { commonParams } from "../endpoint/EndpointParameters";
-import { ListUsersRequest, ListUsersResponse, ListUsersResponseFilterSensitiveLog } from "../models/models_0";
+import { ListUsersRequest, ListUsersResponse, ListUsersResponseFilterSensitiveLog } from "../models/models_1";
 import { de_ListUsersCommand, se_ListUsersCommand } from "../protocols/Aws_json1_1";
 
 /**
diff --git a/clients/client-cognito-identity-provider/src/commands/ListUsersInGroupCommand.ts b/clients/client-cognito-identity-provider/src/commands/ListUsersInGroupCommand.ts
index f5b9415a2f3a..8ebce7420211 100644
--- a/clients/client-cognito-identity-provider/src/commands/ListUsersInGroupCommand.ts
+++ b/clients/client-cognito-identity-provider/src/commands/ListUsersInGroupCommand.ts
@@ -14,7 +14,7 @@ import {
   ListUsersInGroupRequest,
   ListUsersInGroupResponse,
   ListUsersInGroupResponseFilterSensitiveLog,
-} from "../models/models_0";
+} from "../models/models_1";
 import { de_ListUsersInGroupCommand, se_ListUsersInGroupCommand } from "../protocols/Aws_json1_1";
 
 /**
diff --git a/clients/client-cognito-identity-provider/src/commands/ListWebAuthnCredentialsCommand.ts b/clients/client-cognito-identity-provider/src/commands/ListWebAuthnCredentialsCommand.ts
new file mode 100644
index 000000000000..c3458e496d50
--- /dev/null
+++ b/clients/client-cognito-identity-provider/src/commands/ListWebAuthnCredentialsCommand.ts
@@ -0,0 +1,129 @@
+// smithy-typescript generated code
+import { getEndpointPlugin } from "@smithy/middleware-endpoint";
+import { getSerdePlugin } from "@smithy/middleware-serde";
+import { Command as $Command } from "@smithy/smithy-client";
+import { MetadataBearer as __MetadataBearer } from "@smithy/types";
+
+import {
+  CognitoIdentityProviderClientResolvedConfig,
+  ServiceInputTypes,
+  ServiceOutputTypes,
+} from "../CognitoIdentityProviderClient";
+import { commonParams } from "../endpoint/EndpointParameters";
+import {
+  ListWebAuthnCredentialsRequest,
+  ListWebAuthnCredentialsRequestFilterSensitiveLog,
+  ListWebAuthnCredentialsResponse,
+} from "../models/models_1";
+import { de_ListWebAuthnCredentialsCommand, se_ListWebAuthnCredentialsCommand } from "../protocols/Aws_json1_1";
+
+/**
+ * @public
+ */
+export type { __MetadataBearer };
+export { $Command };
+/**
+ * @public
+ *
+ * The input for {@link ListWebAuthnCredentialsCommand}.
+ */
+export interface ListWebAuthnCredentialsCommandInput extends ListWebAuthnCredentialsRequest {}
+/**
+ * @public
+ *
+ * The output of {@link ListWebAuthnCredentialsCommand}.
+ */
+export interface ListWebAuthnCredentialsCommandOutput extends ListWebAuthnCredentialsResponse, __MetadataBearer {}
+
+/**
+ * <p>Generates a list of the current user's registered passkey, or webauthN,
+ *             credentials.</p>
+ * @example
+ * Use a bare-bones client and the command you need to make an API call.
+ * ```javascript
+ * import { CognitoIdentityProviderClient, ListWebAuthnCredentialsCommand } from "@aws-sdk/client-cognito-identity-provider"; // ES Modules import
+ * // const { CognitoIdentityProviderClient, ListWebAuthnCredentialsCommand } = require("@aws-sdk/client-cognito-identity-provider"); // CommonJS import
+ * const client = new CognitoIdentityProviderClient(config);
+ * const input = { // ListWebAuthnCredentialsRequest
+ *   AccessToken: "STRING_VALUE", // required
+ *   NextToken: "STRING_VALUE",
+ *   MaxResults: Number("int"),
+ * };
+ * const command = new ListWebAuthnCredentialsCommand(input);
+ * const response = await client.send(command);
+ * // { // ListWebAuthnCredentialsResponse
+ * //   Credentials: [ // WebAuthnCredentialDescriptionListType // required
+ * //     { // WebAuthnCredentialDescription
+ * //       CredentialId: "STRING_VALUE", // required
+ * //       FriendlyCredentialName: "STRING_VALUE", // required
+ * //       RelyingPartyId: "STRING_VALUE", // required
+ * //       AuthenticatorAttachment: "STRING_VALUE",
+ * //       AuthenticatorTransports: [ // WebAuthnAuthenticatorTransportsList // required
+ * //         "STRING_VALUE",
+ * //       ],
+ * //       CreatedAt: new Date("TIMESTAMP"), // required
+ * //     },
+ * //   ],
+ * //   NextToken: "STRING_VALUE",
+ * // };
+ *
+ * ```
+ *
+ * @param ListWebAuthnCredentialsCommandInput - {@link ListWebAuthnCredentialsCommandInput}
+ * @returns {@link ListWebAuthnCredentialsCommandOutput}
+ * @see {@link ListWebAuthnCredentialsCommandInput} for command's `input` shape.
+ * @see {@link ListWebAuthnCredentialsCommandOutput} for command's `response` shape.
+ * @see {@link CognitoIdentityProviderClientResolvedConfig | config} for CognitoIdentityProviderClient's `config` shape.
+ *
+ * @throws {@link ForbiddenException} (client fault)
+ *  <p>This exception is thrown when WAF doesn't allow your request based on a web
+ *             ACL that's associated with your user pool.</p>
+ *
+ * @throws {@link InternalErrorException} (server fault)
+ *  <p>This exception is thrown when Amazon Cognito encounters an internal error.</p>
+ *
+ * @throws {@link InvalidParameterException} (client fault)
+ *  <p>This exception is thrown when the Amazon Cognito service encounters an invalid
+ *             parameter.</p>
+ *
+ * @throws {@link NotAuthorizedException} (client fault)
+ *  <p>This exception is thrown when a user isn't authorized.</p>
+ *
+ * @throws {@link CognitoIdentityProviderServiceException}
+ * <p>Base exception class for all service exceptions from CognitoIdentityProvider service.</p>
+ *
+ * @public
+ */
+export class ListWebAuthnCredentialsCommand extends $Command
+  .classBuilder<
+    ListWebAuthnCredentialsCommandInput,
+    ListWebAuthnCredentialsCommandOutput,
+    CognitoIdentityProviderClientResolvedConfig,
+    ServiceInputTypes,
+    ServiceOutputTypes
+  >()
+  .ep(commonParams)
+  .m(function (this: any, Command: any, cs: any, config: CognitoIdentityProviderClientResolvedConfig, o: any) {
+    return [
+      getSerdePlugin(config, this.serialize, this.deserialize),
+      getEndpointPlugin(config, Command.getEndpointParameterInstructions()),
+    ];
+  })
+  .s("AWSCognitoIdentityProviderService", "ListWebAuthnCredentials", {})
+  .n("CognitoIdentityProviderClient", "ListWebAuthnCredentialsCommand")
+  .f(ListWebAuthnCredentialsRequestFilterSensitiveLog, void 0)
+  .ser(se_ListWebAuthnCredentialsCommand)
+  .de(de_ListWebAuthnCredentialsCommand)
+  .build() {
+  /** @internal type navigation helper, not in runtime. */
+  protected declare static __types: {
+    api: {
+      input: ListWebAuthnCredentialsRequest;
+      output: ListWebAuthnCredentialsResponse;
+    };
+    sdk: {
+      input: ListWebAuthnCredentialsCommandInput;
+      output: ListWebAuthnCredentialsCommandOutput;
+    };
+  };
+}
diff --git a/clients/client-cognito-identity-provider/src/commands/ResendConfirmationCodeCommand.ts b/clients/client-cognito-identity-provider/src/commands/ResendConfirmationCodeCommand.ts
index 8879356dcf41..5d6e0d013f24 100644
--- a/clients/client-cognito-identity-provider/src/commands/ResendConfirmationCodeCommand.ts
+++ b/clients/client-cognito-identity-provider/src/commands/ResendConfirmationCodeCommand.ts
@@ -14,7 +14,7 @@ import {
   ResendConfirmationCodeRequest,
   ResendConfirmationCodeRequestFilterSensitiveLog,
   ResendConfirmationCodeResponse,
-} from "../models/models_0";
+} from "../models/models_1";
 import { de_ResendConfirmationCodeCommand, se_ResendConfirmationCodeCommand } from "../protocols/Aws_json1_1";
 
 /**
@@ -52,7 +52,7 @@ export interface ResendConfirmationCodeCommandOutput extends ResendConfirmationC
  *             Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must
  *             receive SMS messages might not be able to sign up, activate their accounts, or sign
  *             in.</p>
- *             <p>If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Servicesservice,
+ *             <p>If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Services service,
  *             Amazon Simple Notification Service might place your account in the SMS sandbox. In <i>
  *                   <a href="https://docs.aws.amazon.com/sns/latest/dg/sns-sms-sandbox.html">sandbox
  *                     mode</a>
@@ -129,7 +129,7 @@ export interface ResendConfirmationCodeCommandOutput extends ResendConfirmationC
  * @throws {@link InvalidSmsRoleTrustRelationshipException} (client fault)
  *  <p>This exception is thrown when the trust relationship is not valid for the role
  *             provided for SMS configuration. This can happen if you don't trust
- *             <code>cognito-idp.amazonaws.com</code> or the external ID provided in the role does
+ *                 <code>cognito-idp.amazonaws.com</code> or the external ID provided in the role does
  *             not match what is provided in the SMS configuration for the user pool.</p>
  *
  * @throws {@link LimitExceededException} (client fault)
diff --git a/clients/client-cognito-identity-provider/src/commands/RespondToAuthChallengeCommand.ts b/clients/client-cognito-identity-provider/src/commands/RespondToAuthChallengeCommand.ts
index a20e2e65cfa2..bea71336555c 100644
--- a/clients/client-cognito-identity-provider/src/commands/RespondToAuthChallengeCommand.ts
+++ b/clients/client-cognito-identity-provider/src/commands/RespondToAuthChallengeCommand.ts
@@ -10,8 +10,12 @@ import {
   ServiceOutputTypes,
 } from "../CognitoIdentityProviderClient";
 import { commonParams } from "../endpoint/EndpointParameters";
-import { RespondToAuthChallengeRequest, RespondToAuthChallengeRequestFilterSensitiveLog } from "../models/models_0";
-import { RespondToAuthChallengeResponse, RespondToAuthChallengeResponseFilterSensitiveLog } from "../models/models_1";
+import {
+  RespondToAuthChallengeRequest,
+  RespondToAuthChallengeRequestFilterSensitiveLog,
+  RespondToAuthChallengeResponse,
+  RespondToAuthChallengeResponseFilterSensitiveLog,
+} from "../models/models_1";
 import { de_RespondToAuthChallengeCommand, se_RespondToAuthChallengeCommand } from "../protocols/Aws_json1_1";
 
 /**
@@ -54,7 +58,7 @@ export interface RespondToAuthChallengeCommandOutput extends RespondToAuthChalle
  *             Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must
  *             receive SMS messages might not be able to sign up, activate their accounts, or sign
  *             in.</p>
- *             <p>If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Servicesservice,
+ *             <p>If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Services service,
  *             Amazon Simple Notification Service might place your account in the SMS sandbox. In <i>
  *                   <a href="https://docs.aws.amazon.com/sns/latest/dg/sns-sms-sandbox.html">sandbox
  *                     mode</a>
@@ -71,7 +75,7 @@ export interface RespondToAuthChallengeCommandOutput extends RespondToAuthChalle
  * const client = new CognitoIdentityProviderClient(config);
  * const input = { // RespondToAuthChallengeRequest
  *   ClientId: "STRING_VALUE", // required
- *   ChallengeName: "SMS_MFA" || "EMAIL_OTP" || "SOFTWARE_TOKEN_MFA" || "SELECT_MFA_TYPE" || "MFA_SETUP" || "PASSWORD_VERIFIER" || "CUSTOM_CHALLENGE" || "DEVICE_SRP_AUTH" || "DEVICE_PASSWORD_VERIFIER" || "ADMIN_NO_SRP_AUTH" || "NEW_PASSWORD_REQUIRED", // required
+ *   ChallengeName: "SMS_MFA" || "EMAIL_OTP" || "SOFTWARE_TOKEN_MFA" || "SELECT_MFA_TYPE" || "MFA_SETUP" || "PASSWORD_VERIFIER" || "CUSTOM_CHALLENGE" || "SELECT_CHALLENGE" || "DEVICE_SRP_AUTH" || "DEVICE_PASSWORD_VERIFIER" || "ADMIN_NO_SRP_AUTH" || "NEW_PASSWORD_REQUIRED" || "SMS_OTP" || "PASSWORD" || "WEB_AUTHN" || "PASSWORD_SRP", // required
  *   Session: "STRING_VALUE",
  *   ChallengeResponses: { // ChallengeResponsesType
  *     "<keys>": "STRING_VALUE",
@@ -90,7 +94,7 @@ export interface RespondToAuthChallengeCommandOutput extends RespondToAuthChalle
  * const command = new RespondToAuthChallengeCommand(input);
  * const response = await client.send(command);
  * // { // RespondToAuthChallengeResponse
- * //   ChallengeName: "SMS_MFA" || "EMAIL_OTP" || "SOFTWARE_TOKEN_MFA" || "SELECT_MFA_TYPE" || "MFA_SETUP" || "PASSWORD_VERIFIER" || "CUSTOM_CHALLENGE" || "DEVICE_SRP_AUTH" || "DEVICE_PASSWORD_VERIFIER" || "ADMIN_NO_SRP_AUTH" || "NEW_PASSWORD_REQUIRED",
+ * //   ChallengeName: "SMS_MFA" || "EMAIL_OTP" || "SOFTWARE_TOKEN_MFA" || "SELECT_MFA_TYPE" || "MFA_SETUP" || "PASSWORD_VERIFIER" || "CUSTOM_CHALLENGE" || "SELECT_CHALLENGE" || "DEVICE_SRP_AUTH" || "DEVICE_PASSWORD_VERIFIER" || "ADMIN_NO_SRP_AUTH" || "NEW_PASSWORD_REQUIRED" || "SMS_OTP" || "PASSWORD" || "WEB_AUTHN" || "PASSWORD_SRP",
  * //   Session: "STRING_VALUE",
  * //   ChallengeParameters: { // ChallengeParametersType
  * //     "<keys>": "STRING_VALUE",
@@ -158,7 +162,7 @@ export interface RespondToAuthChallengeCommandOutput extends RespondToAuthChalle
  * @throws {@link InvalidSmsRoleTrustRelationshipException} (client fault)
  *  <p>This exception is thrown when the trust relationship is not valid for the role
  *             provided for SMS configuration. This can happen if you don't trust
- *             <code>cognito-idp.amazonaws.com</code> or the external ID provided in the role does
+ *                 <code>cognito-idp.amazonaws.com</code> or the external ID provided in the role does
  *             not match what is provided in the SMS configuration for the user pool.</p>
  *
  * @throws {@link InvalidUserPoolConfigurationException} (client fault)
diff --git a/clients/client-cognito-identity-provider/src/commands/SetLogDeliveryConfigurationCommand.ts b/clients/client-cognito-identity-provider/src/commands/SetLogDeliveryConfigurationCommand.ts
index c2a585397e13..40f6d9d4e245 100644
--- a/clients/client-cognito-identity-provider/src/commands/SetLogDeliveryConfigurationCommand.ts
+++ b/clients/client-cognito-identity-provider/src/commands/SetLogDeliveryConfigurationCommand.ts
@@ -91,6 +91,10 @@ export interface SetLogDeliveryConfigurationCommandOutput
  * @see {@link SetLogDeliveryConfigurationCommandOutput} for command's `response` shape.
  * @see {@link CognitoIdentityProviderClientResolvedConfig | config} for CognitoIdentityProviderClient's `config` shape.
  *
+ * @throws {@link FeatureUnavailableInTierException} (client fault)
+ *  <p>This exception is thrown when a feature you attempted to configure isn't
+ *             available in your current feature plan.</p>
+ *
  * @throws {@link InternalErrorException} (server fault)
  *  <p>This exception is thrown when Amazon Cognito encounters an internal error.</p>
  *
diff --git a/clients/client-cognito-identity-provider/src/commands/SetUserPoolMfaConfigCommand.ts b/clients/client-cognito-identity-provider/src/commands/SetUserPoolMfaConfigCommand.ts
index f63dab15dee1..2254a0304ff8 100644
--- a/clients/client-cognito-identity-provider/src/commands/SetUserPoolMfaConfigCommand.ts
+++ b/clients/client-cognito-identity-provider/src/commands/SetUserPoolMfaConfigCommand.ts
@@ -32,7 +32,7 @@ export interface SetUserPoolMfaConfigCommandInput extends SetUserPoolMfaConfigRe
 export interface SetUserPoolMfaConfigCommandOutput extends SetUserPoolMfaConfigResponse, __MetadataBearer {}
 
 /**
- * <p>Sets the user pool multi-factor authentication (MFA) configuration.</p>
+ * <p>Sets the user pool multi-factor authentication (MFA) and passkey configuration.</p>
  *          <note>
  *             <p>This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers
  *             require you to register an origination phone number before you can send SMS messages
@@ -41,7 +41,7 @@ export interface SetUserPoolMfaConfigCommandOutput extends SetUserPoolMfaConfigR
  *             Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must
  *             receive SMS messages might not be able to sign up, activate their accounts, or sign
  *             in.</p>
- *             <p>If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Servicesservice,
+ *             <p>If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Services service,
  *             Amazon Simple Notification Service might place your account in the SMS sandbox. In <i>
  *                   <a href="https://docs.aws.amazon.com/sns/latest/dg/sns-sms-sandbox.html">sandbox
  *                     mode</a>
@@ -74,6 +74,10 @@ export interface SetUserPoolMfaConfigCommandOutput extends SetUserPoolMfaConfigR
  *     Subject: "STRING_VALUE",
  *   },
  *   MfaConfiguration: "OFF" || "ON" || "OPTIONAL",
+ *   WebAuthnConfiguration: { // WebAuthnConfigurationType
+ *     RelyingPartyId: "STRING_VALUE",
+ *     UserVerification: "required" || "preferred",
+ *   },
  * };
  * const command = new SetUserPoolMfaConfigCommand(input);
  * const response = await client.send(command);
@@ -94,6 +98,10 @@ export interface SetUserPoolMfaConfigCommandOutput extends SetUserPoolMfaConfigR
  * //     Subject: "STRING_VALUE",
  * //   },
  * //   MfaConfiguration: "OFF" || "ON" || "OPTIONAL",
+ * //   WebAuthnConfiguration: { // WebAuthnConfigurationType
+ * //     RelyingPartyId: "STRING_VALUE",
+ * //     UserVerification: "required" || "preferred",
+ * //   },
  * // };
  *
  * ```
@@ -108,6 +116,10 @@ export interface SetUserPoolMfaConfigCommandOutput extends SetUserPoolMfaConfigR
  *  <p>This exception is thrown if two or more modifications are happening
  *             concurrently.</p>
  *
+ * @throws {@link FeatureUnavailableInTierException} (client fault)
+ *  <p>This exception is thrown when a feature you attempted to configure isn't
+ *             available in your current feature plan.</p>
+ *
  * @throws {@link InternalErrorException} (server fault)
  *  <p>This exception is thrown when Amazon Cognito encounters an internal error.</p>
  *
@@ -122,7 +134,7 @@ export interface SetUserPoolMfaConfigCommandOutput extends SetUserPoolMfaConfigR
  * @throws {@link InvalidSmsRoleTrustRelationshipException} (client fault)
  *  <p>This exception is thrown when the trust relationship is not valid for the role
  *             provided for SMS configuration. This can happen if you don't trust
- *             <code>cognito-idp.amazonaws.com</code> or the external ID provided in the role does
+ *                 <code>cognito-idp.amazonaws.com</code> or the external ID provided in the role does
  *             not match what is provided in the SMS configuration for the user pool.</p>
  *
  * @throws {@link NotAuthorizedException} (client fault)
diff --git a/clients/client-cognito-identity-provider/src/commands/SignUpCommand.ts b/clients/client-cognito-identity-provider/src/commands/SignUpCommand.ts
index e528f4960bdb..b31ef0f7451d 100644
--- a/clients/client-cognito-identity-provider/src/commands/SignUpCommand.ts
+++ b/clients/client-cognito-identity-provider/src/commands/SignUpCommand.ts
@@ -10,7 +10,12 @@ import {
   ServiceOutputTypes,
 } from "../CognitoIdentityProviderClient";
 import { commonParams } from "../endpoint/EndpointParameters";
-import { SignUpRequest, SignUpRequestFilterSensitiveLog, SignUpResponse } from "../models/models_1";
+import {
+  SignUpRequest,
+  SignUpRequestFilterSensitiveLog,
+  SignUpResponse,
+  SignUpResponseFilterSensitiveLog,
+} from "../models/models_1";
 import { de_SignUpCommand, se_SignUpCommand } from "../protocols/Aws_json1_1";
 
 /**
@@ -48,7 +53,7 @@ export interface SignUpCommandOutput extends SignUpResponse, __MetadataBearer {}
  *             Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must
  *             receive SMS messages might not be able to sign up, activate their accounts, or sign
  *             in.</p>
- *             <p>If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Servicesservice,
+ *             <p>If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Services service,
  *             Amazon Simple Notification Service might place your account in the SMS sandbox. In <i>
  *                   <a href="https://docs.aws.amazon.com/sns/latest/dg/sns-sms-sandbox.html">sandbox
  *                     mode</a>
@@ -57,6 +62,13 @@ export interface SignUpCommandOutput extends SignUpResponse, __MetadataBearer {}
  *             of the sandbox and into production. For more information, see <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-sms-settings.html"> SMS message settings for Amazon Cognito user pools</a> in the <i>Amazon Cognito
  *                 Developer Guide</i>.</p>
  *          </note>
+ *          <p>You might receive a <code>LimitExceeded</code> exception in response to this request
+ *             if you have exceeded a rate quota for email or SMS messages, and if your user pool
+ *             automatically verifies email addresses or phone numbers. When you get this exception in
+ *             the response, the user is successfully created and is in an <code>UNCONFIRMED</code>
+ *             state. You can send a new code with the <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_ResendConfirmationCode.html"> ResendConfirmationCode</a> request, or confirm the user as an administrator
+ *             with an <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminConfirmSignUp.html">
+ *                 AdminConfirmSignUp</a> request.</p>
  * @example
  * Use a bare-bones client and the command you need to make an API call.
  * ```javascript
@@ -67,7 +79,7 @@ export interface SignUpCommandOutput extends SignUpResponse, __MetadataBearer {}
  *   ClientId: "STRING_VALUE", // required
  *   SecretHash: "STRING_VALUE",
  *   Username: "STRING_VALUE", // required
- *   Password: "STRING_VALUE", // required
+ *   Password: "STRING_VALUE",
  *   UserAttributes: [ // AttributeListType
  *     { // AttributeType
  *       Name: "STRING_VALUE", // required
@@ -101,6 +113,7 @@ export interface SignUpCommandOutput extends SignUpResponse, __MetadataBearer {}
  * //     AttributeName: "STRING_VALUE",
  * //   },
  * //   UserSub: "STRING_VALUE", // required
+ * //   Session: "STRING_VALUE",
  * // };
  *
  * ```
@@ -143,7 +156,7 @@ export interface SignUpCommandOutput extends SignUpResponse, __MetadataBearer {}
  * @throws {@link InvalidSmsRoleTrustRelationshipException} (client fault)
  *  <p>This exception is thrown when the trust relationship is not valid for the role
  *             provided for SMS configuration. This can happen if you don't trust
- *             <code>cognito-idp.amazonaws.com</code> or the external ID provided in the role does
+ *                 <code>cognito-idp.amazonaws.com</code> or the external ID provided in the role does
  *             not match what is provided in the SMS configuration for the user pool.</p>
  *
  * @throws {@link LimitExceededException} (client fault)
@@ -195,7 +208,7 @@ export class SignUpCommand extends $Command
   })
   .s("AWSCognitoIdentityProviderService", "SignUp", {})
   .n("CognitoIdentityProviderClient", "SignUpCommand")
-  .f(SignUpRequestFilterSensitiveLog, void 0)
+  .f(SignUpRequestFilterSensitiveLog, SignUpResponseFilterSensitiveLog)
   .ser(se_SignUpCommand)
   .de(de_SignUpCommand)
   .build() {
diff --git a/clients/client-cognito-identity-provider/src/commands/StartWebAuthnRegistrationCommand.ts b/clients/client-cognito-identity-provider/src/commands/StartWebAuthnRegistrationCommand.ts
new file mode 100644
index 000000000000..a97f2d6e0f46
--- /dev/null
+++ b/clients/client-cognito-identity-provider/src/commands/StartWebAuthnRegistrationCommand.ts
@@ -0,0 +1,136 @@
+// smithy-typescript generated code
+import { getEndpointPlugin } from "@smithy/middleware-endpoint";
+import { getSerdePlugin } from "@smithy/middleware-serde";
+import { Command as $Command } from "@smithy/smithy-client";
+import { MetadataBearer as __MetadataBearer } from "@smithy/types";
+
+import {
+  CognitoIdentityProviderClientResolvedConfig,
+  ServiceInputTypes,
+  ServiceOutputTypes,
+} from "../CognitoIdentityProviderClient";
+import { commonParams } from "../endpoint/EndpointParameters";
+import {
+  StartWebAuthnRegistrationRequest,
+  StartWebAuthnRegistrationRequestFilterSensitiveLog,
+  StartWebAuthnRegistrationResponse,
+} from "../models/models_1";
+import { de_StartWebAuthnRegistrationCommand, se_StartWebAuthnRegistrationCommand } from "../protocols/Aws_json1_1";
+
+/**
+ * @public
+ */
+export type { __MetadataBearer };
+export { $Command };
+/**
+ * @public
+ *
+ * The input for {@link StartWebAuthnRegistrationCommand}.
+ */
+export interface StartWebAuthnRegistrationCommandInput extends StartWebAuthnRegistrationRequest {}
+/**
+ * @public
+ *
+ * The output of {@link StartWebAuthnRegistrationCommand}.
+ */
+export interface StartWebAuthnRegistrationCommandOutput extends StartWebAuthnRegistrationResponse, __MetadataBearer {}
+
+/**
+ * <p>Requests credential creation options from your user pool for registration of a passkey
+ *             authenticator. Returns information about the user pool, the user profile, and
+ *             authentication requirements. Users must provide this information in their request to
+ *             enroll your application with their passkey provider.</p>
+ *          <p>After users present this data and register with their passkey provider, return the
+ *             response to your user pool in a <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CompleteWebAuthnRegistration.html"> CompleteWebAuthnRegistration</a> API request.</p>
+ *          <p>Authorize this action with a signed-in user's access token. It must include the scope <code>aws.cognito.signin.user.admin</code>.</p>
+ * @example
+ * Use a bare-bones client and the command you need to make an API call.
+ * ```javascript
+ * import { CognitoIdentityProviderClient, StartWebAuthnRegistrationCommand } from "@aws-sdk/client-cognito-identity-provider"; // ES Modules import
+ * // const { CognitoIdentityProviderClient, StartWebAuthnRegistrationCommand } = require("@aws-sdk/client-cognito-identity-provider"); // CommonJS import
+ * const client = new CognitoIdentityProviderClient(config);
+ * const input = { // StartWebAuthnRegistrationRequest
+ *   AccessToken: "STRING_VALUE", // required
+ * };
+ * const command = new StartWebAuthnRegistrationCommand(input);
+ * const response = await client.send(command);
+ * // { // StartWebAuthnRegistrationResponse
+ * //   CredentialCreationOptions: "DOCUMENT_VALUE", // required
+ * // };
+ *
+ * ```
+ *
+ * @param StartWebAuthnRegistrationCommandInput - {@link StartWebAuthnRegistrationCommandInput}
+ * @returns {@link StartWebAuthnRegistrationCommandOutput}
+ * @see {@link StartWebAuthnRegistrationCommandInput} for command's `input` shape.
+ * @see {@link StartWebAuthnRegistrationCommandOutput} for command's `response` shape.
+ * @see {@link CognitoIdentityProviderClientResolvedConfig | config} for CognitoIdentityProviderClient's `config` shape.
+ *
+ * @throws {@link ForbiddenException} (client fault)
+ *  <p>This exception is thrown when WAF doesn't allow your request based on a web
+ *             ACL that's associated with your user pool.</p>
+ *
+ * @throws {@link InternalErrorException} (server fault)
+ *  <p>This exception is thrown when Amazon Cognito encounters an internal error.</p>
+ *
+ * @throws {@link InvalidParameterException} (client fault)
+ *  <p>This exception is thrown when the Amazon Cognito service encounters an invalid
+ *             parameter.</p>
+ *
+ * @throws {@link LimitExceededException} (client fault)
+ *  <p>This exception is thrown when a user exceeds the limit for a requested Amazon Web Services
+ *             resource.</p>
+ *
+ * @throws {@link NotAuthorizedException} (client fault)
+ *  <p>This exception is thrown when a user isn't authorized.</p>
+ *
+ * @throws {@link TooManyRequestsException} (client fault)
+ *  <p>This exception is thrown when the user has made too many requests for a given
+ *             operation.</p>
+ *
+ * @throws {@link WebAuthnConfigurationMissingException} (client fault)
+ *  <p>This exception is thrown when a user pool doesn't have a configured relying party
+ *             id or a user pool domain.</p>
+ *
+ * @throws {@link WebAuthnNotEnabledException} (client fault)
+ *  <p>This exception is thrown when the passkey feature isn't enabled for the user
+ *             pool.</p>
+ *
+ * @throws {@link CognitoIdentityProviderServiceException}
+ * <p>Base exception class for all service exceptions from CognitoIdentityProvider service.</p>
+ *
+ * @public
+ */
+export class StartWebAuthnRegistrationCommand extends $Command
+  .classBuilder<
+    StartWebAuthnRegistrationCommandInput,
+    StartWebAuthnRegistrationCommandOutput,
+    CognitoIdentityProviderClientResolvedConfig,
+    ServiceInputTypes,
+    ServiceOutputTypes
+  >()
+  .ep(commonParams)
+  .m(function (this: any, Command: any, cs: any, config: CognitoIdentityProviderClientResolvedConfig, o: any) {
+    return [
+      getSerdePlugin(config, this.serialize, this.deserialize),
+      getEndpointPlugin(config, Command.getEndpointParameterInstructions()),
+    ];
+  })
+  .s("AWSCognitoIdentityProviderService", "StartWebAuthnRegistration", {})
+  .n("CognitoIdentityProviderClient", "StartWebAuthnRegistrationCommand")
+  .f(StartWebAuthnRegistrationRequestFilterSensitiveLog, void 0)
+  .ser(se_StartWebAuthnRegistrationCommand)
+  .de(de_StartWebAuthnRegistrationCommand)
+  .build() {
+  /** @internal type navigation helper, not in runtime. */
+  protected declare static __types: {
+    api: {
+      input: StartWebAuthnRegistrationRequest;
+      output: StartWebAuthnRegistrationResponse;
+    };
+    sdk: {
+      input: StartWebAuthnRegistrationCommandInput;
+      output: StartWebAuthnRegistrationCommandOutput;
+    };
+  };
+}
diff --git a/clients/client-cognito-identity-provider/src/commands/UpdateManagedLoginBrandingCommand.ts b/clients/client-cognito-identity-provider/src/commands/UpdateManagedLoginBrandingCommand.ts
new file mode 100644
index 000000000000..3889bdaab388
--- /dev/null
+++ b/clients/client-cognito-identity-provider/src/commands/UpdateManagedLoginBrandingCommand.ts
@@ -0,0 +1,175 @@
+// smithy-typescript generated code
+import { getEndpointPlugin } from "@smithy/middleware-endpoint";
+import { getSerdePlugin } from "@smithy/middleware-serde";
+import { Command as $Command } from "@smithy/smithy-client";
+import { MetadataBearer as __MetadataBearer } from "@smithy/types";
+
+import {
+  CognitoIdentityProviderClientResolvedConfig,
+  ServiceInputTypes,
+  ServiceOutputTypes,
+} from "../CognitoIdentityProviderClient";
+import { commonParams } from "../endpoint/EndpointParameters";
+import { UpdateManagedLoginBrandingRequest, UpdateManagedLoginBrandingResponse } from "../models/models_1";
+import { de_UpdateManagedLoginBrandingCommand, se_UpdateManagedLoginBrandingCommand } from "../protocols/Aws_json1_1";
+
+/**
+ * @public
+ */
+export type { __MetadataBearer };
+export { $Command };
+/**
+ * @public
+ *
+ * The input for {@link UpdateManagedLoginBrandingCommand}.
+ */
+export interface UpdateManagedLoginBrandingCommandInput extends UpdateManagedLoginBrandingRequest {}
+/**
+ * @public
+ *
+ * The output of {@link UpdateManagedLoginBrandingCommand}.
+ */
+export interface UpdateManagedLoginBrandingCommandOutput extends UpdateManagedLoginBrandingResponse, __MetadataBearer {}
+
+/**
+ * <p>Configures the branding settings for a user pool style. This operation is the
+ *             programmatic option for the configuration of a style in the branding designer.</p>
+ *          <p>Provides values for UI customization in a <code>Settings</code> JSON object and image
+ *             files in an <code>Assets</code> array.</p>
+ *          <p> This operation has a 2-megabyte request-size limit and include the CSS settings and
+ *             image assets for your app client. Your branding settings might exceed 2MB in size. Amazon Cognito
+ *             doesn't require that you pass all parameters in one request and preserves existing
+ *             style settings that you don't specify. If your request is larger than 2MB, separate it
+ *             into multiple requests, each with a size smaller than the limit. </p>
+ *          <p>For more information, see <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/managed-login-brandingdesigner.html#branding-designer-api">API and SDK operations for managed login branding</a>.</p>
+ *          <note>
+ *             <p>Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For
+ *     this operation, you must use IAM credentials to authorize requests, and you must
+ *     grant yourself the corresponding IAM permission in a policy.</p>
+ *             <p class="title">
+ *                <b>Learn more</b>
+ *             </p>
+ *             <ul>
+ *                <li>
+ *                   <p>
+ *                      <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html">Signing Amazon Web Services API Requests</a>
+ *                   </p>
+ *                </li>
+ *                <li>
+ *                   <p>
+ *                      <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html">Using the Amazon Cognito user pools API and user pool endpoints</a>
+ *                   </p>
+ *                </li>
+ *             </ul>
+ *          </note>
+ * @example
+ * Use a bare-bones client and the command you need to make an API call.
+ * ```javascript
+ * import { CognitoIdentityProviderClient, UpdateManagedLoginBrandingCommand } from "@aws-sdk/client-cognito-identity-provider"; // ES Modules import
+ * // const { CognitoIdentityProviderClient, UpdateManagedLoginBrandingCommand } = require("@aws-sdk/client-cognito-identity-provider"); // CommonJS import
+ * const client = new CognitoIdentityProviderClient(config);
+ * const input = { // UpdateManagedLoginBrandingRequest
+ *   UserPoolId: "STRING_VALUE",
+ *   ManagedLoginBrandingId: "STRING_VALUE",
+ *   UseCognitoProvidedValues: true || false,
+ *   Settings: "DOCUMENT_VALUE",
+ *   Assets: [ // AssetListType
+ *     { // AssetType
+ *       Category: "FAVICON_ICO" || "FAVICON_SVG" || "EMAIL_GRAPHIC" || "SMS_GRAPHIC" || "AUTH_APP_GRAPHIC" || "PASSWORD_GRAPHIC" || "PASSKEY_GRAPHIC" || "PAGE_HEADER_LOGO" || "PAGE_HEADER_BACKGROUND" || "PAGE_FOOTER_LOGO" || "PAGE_FOOTER_BACKGROUND" || "PAGE_BACKGROUND" || "FORM_BACKGROUND" || "FORM_LOGO" || "IDP_BUTTON_ICON", // required
+ *       ColorMode: "LIGHT" || "DARK" || "DYNAMIC", // required
+ *       Extension: "ICO" || "JPEG" || "PNG" || "SVG" || "WEBP", // required
+ *       Bytes: new Uint8Array(), // e.g. Buffer.from("") or new TextEncoder().encode("")
+ *       ResourceId: "STRING_VALUE",
+ *     },
+ *   ],
+ * };
+ * const command = new UpdateManagedLoginBrandingCommand(input);
+ * const response = await client.send(command);
+ * // { // UpdateManagedLoginBrandingResponse
+ * //   ManagedLoginBranding: { // ManagedLoginBrandingType
+ * //     ManagedLoginBrandingId: "STRING_VALUE",
+ * //     UserPoolId: "STRING_VALUE",
+ * //     UseCognitoProvidedValues: true || false,
+ * //     Settings: "DOCUMENT_VALUE",
+ * //     Assets: [ // AssetListType
+ * //       { // AssetType
+ * //         Category: "FAVICON_ICO" || "FAVICON_SVG" || "EMAIL_GRAPHIC" || "SMS_GRAPHIC" || "AUTH_APP_GRAPHIC" || "PASSWORD_GRAPHIC" || "PASSKEY_GRAPHIC" || "PAGE_HEADER_LOGO" || "PAGE_HEADER_BACKGROUND" || "PAGE_FOOTER_LOGO" || "PAGE_FOOTER_BACKGROUND" || "PAGE_BACKGROUND" || "FORM_BACKGROUND" || "FORM_LOGO" || "IDP_BUTTON_ICON", // required
+ * //         ColorMode: "LIGHT" || "DARK" || "DYNAMIC", // required
+ * //         Extension: "ICO" || "JPEG" || "PNG" || "SVG" || "WEBP", // required
+ * //         Bytes: new Uint8Array(),
+ * //         ResourceId: "STRING_VALUE",
+ * //       },
+ * //     ],
+ * //     CreationDate: new Date("TIMESTAMP"),
+ * //     LastModifiedDate: new Date("TIMESTAMP"),
+ * //   },
+ * // };
+ *
+ * ```
+ *
+ * @param UpdateManagedLoginBrandingCommandInput - {@link UpdateManagedLoginBrandingCommandInput}
+ * @returns {@link UpdateManagedLoginBrandingCommandOutput}
+ * @see {@link UpdateManagedLoginBrandingCommandInput} for command's `input` shape.
+ * @see {@link UpdateManagedLoginBrandingCommandOutput} for command's `response` shape.
+ * @see {@link CognitoIdentityProviderClientResolvedConfig | config} for CognitoIdentityProviderClient's `config` shape.
+ *
+ * @throws {@link ConcurrentModificationException} (client fault)
+ *  <p>This exception is thrown if two or more modifications are happening
+ *             concurrently.</p>
+ *
+ * @throws {@link InternalErrorException} (server fault)
+ *  <p>This exception is thrown when Amazon Cognito encounters an internal error.</p>
+ *
+ * @throws {@link InvalidParameterException} (client fault)
+ *  <p>This exception is thrown when the Amazon Cognito service encounters an invalid
+ *             parameter.</p>
+ *
+ * @throws {@link NotAuthorizedException} (client fault)
+ *  <p>This exception is thrown when a user isn't authorized.</p>
+ *
+ * @throws {@link ResourceNotFoundException} (client fault)
+ *  <p>This exception is thrown when the Amazon Cognito service can't find the requested
+ *             resource.</p>
+ *
+ * @throws {@link TooManyRequestsException} (client fault)
+ *  <p>This exception is thrown when the user has made too many requests for a given
+ *             operation.</p>
+ *
+ * @throws {@link CognitoIdentityProviderServiceException}
+ * <p>Base exception class for all service exceptions from CognitoIdentityProvider service.</p>
+ *
+ * @public
+ */
+export class UpdateManagedLoginBrandingCommand extends $Command
+  .classBuilder<
+    UpdateManagedLoginBrandingCommandInput,
+    UpdateManagedLoginBrandingCommandOutput,
+    CognitoIdentityProviderClientResolvedConfig,
+    ServiceInputTypes,
+    ServiceOutputTypes
+  >()
+  .ep(commonParams)
+  .m(function (this: any, Command: any, cs: any, config: CognitoIdentityProviderClientResolvedConfig, o: any) {
+    return [
+      getSerdePlugin(config, this.serialize, this.deserialize),
+      getEndpointPlugin(config, Command.getEndpointParameterInstructions()),
+    ];
+  })
+  .s("AWSCognitoIdentityProviderService", "UpdateManagedLoginBranding", {})
+  .n("CognitoIdentityProviderClient", "UpdateManagedLoginBrandingCommand")
+  .f(void 0, void 0)
+  .ser(se_UpdateManagedLoginBrandingCommand)
+  .de(de_UpdateManagedLoginBrandingCommand)
+  .build() {
+  /** @internal type navigation helper, not in runtime. */
+  protected declare static __types: {
+    api: {
+      input: UpdateManagedLoginBrandingRequest;
+      output: UpdateManagedLoginBrandingResponse;
+    };
+    sdk: {
+      input: UpdateManagedLoginBrandingCommandInput;
+      output: UpdateManagedLoginBrandingCommandOutput;
+    };
+  };
+}
diff --git a/clients/client-cognito-identity-provider/src/commands/UpdateUserAttributesCommand.ts b/clients/client-cognito-identity-provider/src/commands/UpdateUserAttributesCommand.ts
index e9423589c40a..b12f6f02d379 100644
--- a/clients/client-cognito-identity-provider/src/commands/UpdateUserAttributesCommand.ts
+++ b/clients/client-cognito-identity-provider/src/commands/UpdateUserAttributesCommand.ts
@@ -56,7 +56,7 @@ export interface UpdateUserAttributesCommandOutput extends UpdateUserAttributesR
  *             Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must
  *             receive SMS messages might not be able to sign up, activate their accounts, or sign
  *             in.</p>
- *             <p>If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Servicesservice,
+ *             <p>If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Services service,
  *             Amazon Simple Notification Service might place your account in the SMS sandbox. In <i>
  *                   <a href="https://docs.aws.amazon.com/sns/latest/dg/sns-sms-sandbox.html">sandbox
  *                     mode</a>
@@ -146,7 +146,7 @@ export interface UpdateUserAttributesCommandOutput extends UpdateUserAttributesR
  * @throws {@link InvalidSmsRoleTrustRelationshipException} (client fault)
  *  <p>This exception is thrown when the trust relationship is not valid for the role
  *             provided for SMS configuration. This can happen if you don't trust
- *             <code>cognito-idp.amazonaws.com</code> or the external ID provided in the role does
+ *                 <code>cognito-idp.amazonaws.com</code> or the external ID provided in the role does
  *             not match what is provided in the SMS configuration for the user pool.</p>
  *
  * @throws {@link NotAuthorizedException} (client fault)
diff --git a/clients/client-cognito-identity-provider/src/commands/UpdateUserPoolClientCommand.ts b/clients/client-cognito-identity-provider/src/commands/UpdateUserPoolClientCommand.ts
index f6986ee80b56..426267267247 100644
--- a/clients/client-cognito-identity-provider/src/commands/UpdateUserPoolClientCommand.ts
+++ b/clients/client-cognito-identity-provider/src/commands/UpdateUserPoolClientCommand.ts
@@ -89,7 +89,7 @@ export interface UpdateUserPoolClientCommandOutput extends UpdateUserPoolClientR
  *     "STRING_VALUE",
  *   ],
  *   ExplicitAuthFlows: [ // ExplicitAuthFlowsListType
- *     "ADMIN_NO_SRP_AUTH" || "CUSTOM_AUTH_FLOW_ONLY" || "USER_PASSWORD_AUTH" || "ALLOW_ADMIN_USER_PASSWORD_AUTH" || "ALLOW_CUSTOM_AUTH" || "ALLOW_USER_PASSWORD_AUTH" || "ALLOW_USER_SRP_AUTH" || "ALLOW_REFRESH_TOKEN_AUTH",
+ *     "ADMIN_NO_SRP_AUTH" || "CUSTOM_AUTH_FLOW_ONLY" || "USER_PASSWORD_AUTH" || "ALLOW_ADMIN_USER_PASSWORD_AUTH" || "ALLOW_CUSTOM_AUTH" || "ALLOW_USER_PASSWORD_AUTH" || "ALLOW_USER_SRP_AUTH" || "ALLOW_REFRESH_TOKEN_AUTH" || "ALLOW_USER_AUTH",
  *   ],
  *   SupportedIdentityProviders: [ // SupportedIdentityProvidersListType
  *     "STRING_VALUE",
@@ -145,7 +145,7 @@ export interface UpdateUserPoolClientCommandOutput extends UpdateUserPoolClientR
  * //       "STRING_VALUE",
  * //     ],
  * //     ExplicitAuthFlows: [ // ExplicitAuthFlowsListType
- * //       "ADMIN_NO_SRP_AUTH" || "CUSTOM_AUTH_FLOW_ONLY" || "USER_PASSWORD_AUTH" || "ALLOW_ADMIN_USER_PASSWORD_AUTH" || "ALLOW_CUSTOM_AUTH" || "ALLOW_USER_PASSWORD_AUTH" || "ALLOW_USER_SRP_AUTH" || "ALLOW_REFRESH_TOKEN_AUTH",
+ * //       "ADMIN_NO_SRP_AUTH" || "CUSTOM_AUTH_FLOW_ONLY" || "USER_PASSWORD_AUTH" || "ALLOW_ADMIN_USER_PASSWORD_AUTH" || "ALLOW_CUSTOM_AUTH" || "ALLOW_USER_PASSWORD_AUTH" || "ALLOW_USER_SRP_AUTH" || "ALLOW_REFRESH_TOKEN_AUTH" || "ALLOW_USER_AUTH",
  * //     ],
  * //     SupportedIdentityProviders: [ // SupportedIdentityProvidersListType
  * //       "STRING_VALUE",
diff --git a/clients/client-cognito-identity-provider/src/commands/UpdateUserPoolCommand.ts b/clients/client-cognito-identity-provider/src/commands/UpdateUserPoolCommand.ts
index 80d391d10a11..33040f967413 100644
--- a/clients/client-cognito-identity-provider/src/commands/UpdateUserPoolCommand.ts
+++ b/clients/client-cognito-identity-provider/src/commands/UpdateUserPoolCommand.ts
@@ -40,7 +40,7 @@ export interface UpdateUserPoolCommandOutput extends UpdateUserPoolResponse, __M
  *             Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must
  *             receive SMS messages might not be able to sign up, activate their accounts, or sign
  *             in.</p>
- *             <p>If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Servicesservice,
+ *             <p>If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Services service,
  *             Amazon Simple Notification Service might place your account in the SMS sandbox. In <i>
  *                   <a href="https://docs.aws.amazon.com/sns/latest/dg/sns-sms-sandbox.html">sandbox
  *                     mode</a>
@@ -92,6 +92,11 @@ export interface UpdateUserPoolCommandOutput extends UpdateUserPoolResponse, __M
  *       PasswordHistorySize: Number("int"),
  *       TemporaryPasswordValidityDays: Number("int"),
  *     },
+ *     SignInPolicy: { // SignInPolicyType
+ *       AllowedFirstAuthFactors: [ // AllowedFirstAuthFactorsListType
+ *         "PASSWORD" || "EMAIL_OTP" || "SMS_OTP" || "WEB_AUTHN",
+ *       ],
+ *     },
  *   },
  *   DeletionProtection: "ACTIVE" || "INACTIVE",
  *   LambdaConfig: { // LambdaConfigType
@@ -182,6 +187,8 @@ export interface UpdateUserPoolCommandOutput extends UpdateUserPoolResponse, __M
  *       },
  *     ],
  *   },
+ *   PoolName: "STRING_VALUE",
+ *   UserPoolTier: "LITE" || "ESSENTIALS" || "PLUS",
  * };
  * const command = new UpdateUserPoolCommand(input);
  * const response = await client.send(command);
@@ -199,6 +206,10 @@ export interface UpdateUserPoolCommandOutput extends UpdateUserPoolResponse, __M
  *  <p>This exception is thrown if two or more modifications are happening
  *             concurrently.</p>
  *
+ * @throws {@link FeatureUnavailableInTierException} (client fault)
+ *  <p>This exception is thrown when a feature you attempted to configure isn't
+ *             available in your current feature plan.</p>
+ *
  * @throws {@link InternalErrorException} (server fault)
  *  <p>This exception is thrown when Amazon Cognito encounters an internal error.</p>
  *
@@ -217,7 +228,7 @@ export interface UpdateUserPoolCommandOutput extends UpdateUserPoolResponse, __M
  * @throws {@link InvalidSmsRoleTrustRelationshipException} (client fault)
  *  <p>This exception is thrown when the trust relationship is not valid for the role
  *             provided for SMS configuration. This can happen if you don't trust
- *             <code>cognito-idp.amazonaws.com</code> or the external ID provided in the role does
+ *                 <code>cognito-idp.amazonaws.com</code> or the external ID provided in the role does
  *             not match what is provided in the SMS configuration for the user pool.</p>
  *
  * @throws {@link NotAuthorizedException} (client fault)
@@ -227,6 +238,10 @@ export interface UpdateUserPoolCommandOutput extends UpdateUserPoolResponse, __M
  *  <p>This exception is thrown when the Amazon Cognito service can't find the requested
  *             resource.</p>
  *
+ * @throws {@link TierChangeNotAllowedException} (client fault)
+ *  <p>This exception is thrown when you've attempted to change your feature plan but
+ *             the operation isn't permitted.</p>
+ *
  * @throws {@link TooManyRequestsException} (client fault)
  *  <p>This exception is thrown when the user has made too many requests for a given
  *             operation.</p>
diff --git a/clients/client-cognito-identity-provider/src/commands/UpdateUserPoolDomainCommand.ts b/clients/client-cognito-identity-provider/src/commands/UpdateUserPoolDomainCommand.ts
index 3f753adf200d..f0e0452be9bb 100644
--- a/clients/client-cognito-identity-provider/src/commands/UpdateUserPoolDomainCommand.ts
+++ b/clients/client-cognito-identity-provider/src/commands/UpdateUserPoolDomainCommand.ts
@@ -80,6 +80,7 @@ export interface UpdateUserPoolDomainCommandOutput extends UpdateUserPoolDomainR
  * const input = { // UpdateUserPoolDomainRequest
  *   Domain: "STRING_VALUE", // required
  *   UserPoolId: "STRING_VALUE", // required
+ *   ManagedLoginVersion: Number("int"),
  *   CustomDomainConfig: { // CustomDomainConfigType
  *     CertificateArn: "STRING_VALUE", // required
  *   },
@@ -87,6 +88,7 @@ export interface UpdateUserPoolDomainCommandOutput extends UpdateUserPoolDomainR
  * const command = new UpdateUserPoolDomainCommand(input);
  * const response = await client.send(command);
  * // { // UpdateUserPoolDomainResponse
+ * //   ManagedLoginVersion: Number("int"),
  * //   CloudFrontDomain: "STRING_VALUE",
  * // };
  *
@@ -98,6 +100,10 @@ export interface UpdateUserPoolDomainCommandOutput extends UpdateUserPoolDomainR
  * @see {@link UpdateUserPoolDomainCommandOutput} for command's `response` shape.
  * @see {@link CognitoIdentityProviderClientResolvedConfig | config} for CognitoIdentityProviderClient's `config` shape.
  *
+ * @throws {@link FeatureUnavailableInTierException} (client fault)
+ *  <p>This exception is thrown when a feature you attempted to configure isn't
+ *             available in your current feature plan.</p>
+ *
  * @throws {@link InternalErrorException} (server fault)
  *  <p>This exception is thrown when Amazon Cognito encounters an internal error.</p>
  *
diff --git a/clients/client-cognito-identity-provider/src/commands/index.ts b/clients/client-cognito-identity-provider/src/commands/index.ts
index fa54dc3f6a53..ed0343f57db2 100644
--- a/clients/client-cognito-identity-provider/src/commands/index.ts
+++ b/clients/client-cognito-identity-provider/src/commands/index.ts
@@ -28,11 +28,13 @@ export * from "./AdminUpdateUserAttributesCommand";
 export * from "./AdminUserGlobalSignOutCommand";
 export * from "./AssociateSoftwareTokenCommand";
 export * from "./ChangePasswordCommand";
+export * from "./CompleteWebAuthnRegistrationCommand";
 export * from "./ConfirmDeviceCommand";
 export * from "./ConfirmForgotPasswordCommand";
 export * from "./ConfirmSignUpCommand";
 export * from "./CreateGroupCommand";
 export * from "./CreateIdentityProviderCommand";
+export * from "./CreateManagedLoginBrandingCommand";
 export * from "./CreateResourceServerCommand";
 export * from "./CreateUserImportJobCommand";
 export * from "./CreateUserPoolClientCommand";
@@ -40,13 +42,17 @@ export * from "./CreateUserPoolCommand";
 export * from "./CreateUserPoolDomainCommand";
 export * from "./DeleteGroupCommand";
 export * from "./DeleteIdentityProviderCommand";
+export * from "./DeleteManagedLoginBrandingCommand";
 export * from "./DeleteResourceServerCommand";
 export * from "./DeleteUserAttributesCommand";
 export * from "./DeleteUserCommand";
 export * from "./DeleteUserPoolClientCommand";
 export * from "./DeleteUserPoolCommand";
 export * from "./DeleteUserPoolDomainCommand";
+export * from "./DeleteWebAuthnCredentialCommand";
 export * from "./DescribeIdentityProviderCommand";
+export * from "./DescribeManagedLoginBrandingByClientCommand";
+export * from "./DescribeManagedLoginBrandingCommand";
 export * from "./DescribeResourceServerCommand";
 export * from "./DescribeRiskConfigurationCommand";
 export * from "./DescribeUserImportJobCommand";
@@ -63,6 +69,7 @@ export * from "./GetLogDeliveryConfigurationCommand";
 export * from "./GetSigningCertificateCommand";
 export * from "./GetUICustomizationCommand";
 export * from "./GetUserAttributeVerificationCodeCommand";
+export * from "./GetUserAuthFactorsCommand";
 export * from "./GetUserCommand";
 export * from "./GetUserPoolMfaConfigCommand";
 export * from "./GlobalSignOutCommand";
@@ -77,6 +84,7 @@ export * from "./ListUserPoolClientsCommand";
 export * from "./ListUserPoolsCommand";
 export * from "./ListUsersCommand";
 export * from "./ListUsersInGroupCommand";
+export * from "./ListWebAuthnCredentialsCommand";
 export * from "./ResendConfirmationCodeCommand";
 export * from "./RespondToAuthChallengeCommand";
 export * from "./RevokeTokenCommand";
@@ -88,6 +96,7 @@ export * from "./SetUserPoolMfaConfigCommand";
 export * from "./SetUserSettingsCommand";
 export * from "./SignUpCommand";
 export * from "./StartUserImportJobCommand";
+export * from "./StartWebAuthnRegistrationCommand";
 export * from "./StopUserImportJobCommand";
 export * from "./TagResourceCommand";
 export * from "./UntagResourceCommand";
@@ -95,6 +104,7 @@ export * from "./UpdateAuthEventFeedbackCommand";
 export * from "./UpdateDeviceStatusCommand";
 export * from "./UpdateGroupCommand";
 export * from "./UpdateIdentityProviderCommand";
+export * from "./UpdateManagedLoginBrandingCommand";
 export * from "./UpdateResourceServerCommand";
 export * from "./UpdateUserAttributesCommand";
 export * from "./UpdateUserPoolClientCommand";
diff --git a/clients/client-cognito-identity-provider/src/models/models_0.ts b/clients/client-cognito-identity-provider/src/models/models_0.ts
index 63ab14a5dac8..78f9f1d7864f 100644
--- a/clients/client-cognito-identity-provider/src/models/models_0.ts
+++ b/clients/client-cognito-identity-provider/src/models/models_0.ts
@@ -1,6 +1,8 @@
 // smithy-typescript generated code
 import { ExceptionOptionType as __ExceptionOptionType, SENSITIVE_STRING } from "@smithy/smithy-client";
 
+import { DocumentType as __DocumentType } from "@smithy/types";
+
 import { CognitoIdentityProviderServiceException as __BaseException } from "./CognitoIdentityProviderServiceException";
 
 /**
@@ -19,31 +21,45 @@ export const RecoveryOptionNameType = {
 export type RecoveryOptionNameType = (typeof RecoveryOptionNameType)[keyof typeof RecoveryOptionNameType];
 
 /**
- * <p>A map containing a priority as a key, and recovery method name as a value.</p>
+ * <p>A recovery option for a user. The <code>AccountRecoverySettingType</code> data type is
+ *             an array of this object. Each <code>RecoveryOptionType</code> has a priority property
+ *             that determines whether it is a primary or secondary option.</p>
+ *          <p>For example, if <code>verified_email</code> has a priority of <code>1</code> and
+ *                 <code>verified_phone_number</code> has a priority of <code>2</code>, your user pool
+ *             sends account-recovery messages to a verified email address but falls back to an SMS
+ *             message if the user has a verified phone number. The <code>admin_only</code> option
+ *             prevents self-service account recovery.</p>
+ *          <p>This data type is a request and response parameter of <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html">CreateUserPool</a> and <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html">UpdateUserPool</a>, and a response parameter of <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html">DescribeUserPool</a>.</p>
  * @public
  */
 export interface RecoveryOptionType {
   /**
-   * <p>A positive integer specifying priority of a method with 1 being the highest
-   *             priority.</p>
+   * <p>Your priority preference for using the specified attribute in account recovery. The
+   *             highest priority is <code>1</code>.</p>
    * @public
    */
   Priority: number | undefined;
 
   /**
-   * <p>The recovery method for a user.</p>
+   * <p>The recovery method that this object sets a recovery option for.</p>
    * @public
    */
   Name: RecoveryOptionNameType | undefined;
 }
 
 /**
- * <p>The data type for <code>AccountRecoverySetting</code>.</p>
+ * <p>The settings for user message delivery in forgot-password operations. Contains
+ *             preference for email or SMS message delivery of password reset codes, or for admin-only
+ *             password reset.</p>
+ *          <p>This data type is a request and response parameter of <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html">CreateUserPool</a> and <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html">UpdateUserPool</a>, and a response parameter of <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html">DescribeUserPool</a>.</p>
  * @public
  */
 export interface AccountRecoverySettingType {
   /**
-   * <p>The list of <code>RecoveryOptionTypes</code>.</p>
+   * <p>The list of options and priorities for user message delivery in forgot-password
+   *             operations. Sets or displays user pool preferences for email or SMS message priority,
+   *             whether users should fall back to a second delivery method, and whether passwords should
+   *             only be reset by administrators.</p>
    * @public
    */
   RecoveryMechanisms?: RecoveryOptionType[] | undefined;
@@ -67,37 +83,46 @@ export type AccountTakeoverEventActionType =
   (typeof AccountTakeoverEventActionType)[keyof typeof AccountTakeoverEventActionType];
 
 /**
- * <p>Account takeover action type.</p>
+ * <p>The automated response to a risk level for adaptive authentication in full-function,
+ *             or <code>ENFORCED</code>, mode. You can assign an action to each risk level that
+ *             advanced security features evaluates.</p>
+ *          <p>This data type is a request parameter of <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SetRiskConfiguration.html">SetRiskConfiguration</a> and a response parameter of <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeRiskConfiguration.html">DescribeRiskConfiguration</a>.</p>
  * @public
  */
 export interface AccountTakeoverActionType {
   /**
-   * <p>Flag specifying whether to send a notification.</p>
+   * <p>Determines whether Amazon Cognito sends a user a notification message when your user pools
+   *             assesses a user's session at the associated risk level.</p>
    * @public
    */
   Notify: boolean | undefined;
 
   /**
-   * <p>The action to take in response to the account takeover action. Valid values are as
-   *             follows:</p>
+   * <p>The action to take for the attempted account takeover action for the associated risk
+   *             level. Valid values are as follows:</p>
    *          <ul>
    *             <li>
    *                <p>
-   *                   <code>BLOCK</code> Choosing this action will block the request.</p>
+   *                   <code>BLOCK</code>: Block the request.</p>
    *             </li>
    *             <li>
    *                <p>
-   *                   <code>MFA_IF_CONFIGURED</code> Present an MFA challenge if user has configured
-   *                     it, else allow the request.</p>
+   *                   <code>MFA_IF_CONFIGURED</code>: Present an MFA challenge if possible. MFA is
+   *                     possible if the user pool has active MFA methods that the user can set up. For
+   *                     example, if the user pool only supports SMS message MFA but the user
+   *                     doesn't have a phone number attribute, MFA setup isn't possible. If MFA
+   *                     setup isn't possible, allow the request.</p>
    *             </li>
    *             <li>
    *                <p>
-   *                   <code>MFA_REQUIRED</code> Present an MFA challenge if user has configured it,
-   *                     else block the request.</p>
+   *                   <code>MFA_REQUIRED</code>: Present an MFA challenge if possible. Block the
+   *                     request if a user hasn't set up MFA. To sign in with required MFA, users must
+   *                     have an email address or phone number attribute, or a registered TOTP
+   *                     factor.</p>
    *             </li>
    *             <li>
    *                <p>
-   *                   <code>NO_ACTION</code> Allow the user to sign in.</p>
+   *                   <code>NO_ACTION</code>: Take no action. Permit sign-in.</p>
    *             </li>
    *          </ul>
    * @public
@@ -106,67 +131,83 @@ export interface AccountTakeoverActionType {
 }
 
 /**
- * <p>Account takeover actions type.</p>
+ * <p>A list of account-takeover actions for each level of risk that Amazon Cognito might assess with
+ *             advanced security features.</p>
+ *          <p>This data type is a request parameter of <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SetRiskConfiguration.html">SetRiskConfiguration</a> and a response parameter of <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeRiskConfiguration.html">DescribeRiskConfiguration</a>.</p>
  * @public
  */
 export interface AccountTakeoverActionsType {
   /**
-   * <p>Action to take for a low risk.</p>
+   * <p>The action that you assign to a low-risk assessment by advanced security
+   *             features.</p>
    * @public
    */
   LowAction?: AccountTakeoverActionType | undefined;
 
   /**
-   * <p>Action to take for a medium risk.</p>
+   * <p>The action that you assign to a medium-risk assessment by advanced security
+   *             features.</p>
    * @public
    */
   MediumAction?: AccountTakeoverActionType | undefined;
 
   /**
-   * <p>Action to take for a high risk.</p>
+   * <p>The action that you assign to a high-risk assessment by advanced security
+   *             features.</p>
    * @public
    */
   HighAction?: AccountTakeoverActionType | undefined;
 }
 
 /**
- * <p>The notify email type.</p>
+ * <p>The template for email messages that advanced security features sends to a user when
+ *             your threat protection automated response has a <i>Notify</i>
+ *             action.</p>
+ *          <p>This data type is a request parameter of <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SetRiskConfiguration.html">SetRiskConfiguration</a> and a response parameter of <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeRiskConfiguration.html">DescribeRiskConfiguration</a>.</p>
  * @public
  */
 export interface NotifyEmailType {
   /**
-   * <p>The email subject.</p>
+   * <p>The subject of the threat protection email notification.</p>
    * @public
    */
   Subject: string | undefined;
 
   /**
-   * <p>The email HTML body.</p>
+   * <p>The body of an email notification formatted in HTML. Choose an <code>HtmlBody</code>
+   *             or a <code>TextBody</code> to send an HTML-formatted or plaintext message,
+   *             respectively.</p>
    * @public
    */
   HtmlBody?: string | undefined;
 
   /**
-   * <p>The email text body.</p>
+   * <p>The body of an email notification formatted in plaintext. Choose an
+   *                 <code>HtmlBody</code> or a <code>TextBody</code> to send an HTML-formatted or
+   *             plaintext message, respectively.</p>
    * @public
    */
   TextBody?: string | undefined;
 }
 
 /**
- * <p>The notify configuration type.</p>
+ * <p>The configuration for Amazon SES email messages that advanced security features sends to a
+ *             user when your adaptive authentication automated response has a
+ *                 <i>Notify</i> action.</p>
+ *          <p>This data type is a request parameter of <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SetRiskConfiguration.html">SetRiskConfiguration</a> and a response parameter of <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeRiskConfiguration.html">DescribeRiskConfiguration</a>.</p>
  * @public
  */
 export interface NotifyConfigurationType {
   /**
-   * <p>The email address that is sending the email. The address must be either individually
-   *             verified with Amazon Simple Email Service, or from a domain that has been verified with Amazon SES.</p>
+   * <p>The email address that sends the email message. The address must be either
+   *             individually verified with Amazon Simple Email Service, or from a domain that has been verified with
+   *             Amazon SES.</p>
    * @public
    */
   From?: string | undefined;
 
   /**
-   * <p>The destination to which the receiver of an email should reply to.</p>
+   * <p>The reply-to email address of an email template.</p>
    * @public
    */
   ReplyTo?: string | undefined;
@@ -180,39 +221,46 @@ export interface NotifyConfigurationType {
   SourceArn: string | undefined;
 
   /**
-   * <p>Email template used when a detected risk event is blocked.</p>
+   * <p>The template for the email message that your user pool sends when a detected risk
+   *             event is blocked.</p>
    * @public
    */
   BlockEmail?: NotifyEmailType | undefined;
 
   /**
-   * <p>The email template used when a detected risk event is allowed.</p>
+   * <p>The template for the email message that your user pool sends when no action is taken
+   *             in response to a detected risk.</p>
    * @public
    */
   NoActionEmail?: NotifyEmailType | undefined;
 
   /**
-   * <p>The multi-factor authentication (MFA) email template used when MFA is challenged as
-   *             part of a detected risk.</p>
+   * <p>The template for the email message that your user pool sends when MFA is challenged in
+   *             response to a detected risk.</p>
    * @public
    */
   MfaEmail?: NotifyEmailType | undefined;
 }
 
 /**
- * <p>Configuration for mitigation actions and notification for different levels of risk
- *             detected for a potential account takeover.</p>
+ * <p>The settings for automated responses and notification templates for adaptive
+ *             authentication with advanced security features.</p>
+ *          <p>This data type is a request parameter of <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SetRiskConfiguration.html">SetRiskConfiguration</a> and a response parameter of <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeRiskConfiguration.html">DescribeRiskConfiguration</a>.</p>
  * @public
  */
 export interface AccountTakeoverRiskConfigurationType {
   /**
-   * <p>The notify configuration used to construct email notifications.</p>
+   * <p>The settings for composing and sending an email message when advanced security
+   *             features assesses a risk level with adaptive authentication. When you choose to notify
+   *             users in <code>AccountTakeoverRiskConfiguration</code>, Amazon Cognito sends an email message
+   *             using the method and template that you set with this data type.</p>
    * @public
    */
   NotifyConfiguration?: NotifyConfigurationType | undefined;
 
   /**
-   * <p>Account takeover risk configuration actions.</p>
+   * <p>A list of account-takeover actions for each level of risk that Amazon Cognito might assess with
+   *             advanced security features.</p>
    * @public
    */
   Actions: AccountTakeoverActionsType | undefined;
@@ -235,7 +283,12 @@ export const AttributeDataType = {
 export type AttributeDataType = (typeof AttributeDataType)[keyof typeof AttributeDataType];
 
 /**
- * <p>The minimum and maximum values of an attribute that is of the number data type.</p>
+ * <p>The minimum and maximum values of an attribute that is of the number type, for example
+ *                 <code>custom:age</code>.</p>
+ *          <p>This data type is part of <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SchemaAttributeType.html">SchemaAttributeType</a>. It defines the length constraints
+ *             on number-type attributes that you configure in <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html">CreateUserPool</a> and <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html">UpdateUserPool</a>, and displays the length constraints of
+ *             all number-type attributes in the response to <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html">DescribeUserPool</a>
+ *          </p>
  * @public
  */
 export interface NumberAttributeConstraintsType {
@@ -255,12 +308,17 @@ export interface NumberAttributeConstraintsType {
 }
 
 /**
- * <p>The constraints associated with a string attribute.</p>
+ * <p>The minimum and maximum length values of an attribute that is of the string type, for
+ *             example <code>custom:department</code>.</p>
+ *          <p>This data type is part of <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SchemaAttributeType.html">SchemaAttributeType</a>. It defines the length constraints
+ *             on string-type attributes that you configure in <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html">CreateUserPool</a> and <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html">UpdateUserPool</a>, and displays the length constraints of
+ *             all string-type attributes in the response to <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html">DescribeUserPool</a>
+ *          </p>
  * @public
  */
 export interface StringAttributeConstraintsType {
   /**
-   * <p>The minimum length.</p>
+   * <p>The minimum length of a string attribute value.</p>
    * @public
    */
   MinLength?: string | undefined;
@@ -280,9 +338,11 @@ export interface StringAttributeConstraintsType {
  *             prefix, and developer attributes with a <code>dev:</code> prefix. For more information,
  *             see <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html">User pool
  *                 attributes</a>.</p>
- *          <p>Developer-only attributes are a legacy feature of user pools, are read-only to all app
- *             clients. You can create and update developer-only attributes only with IAM-authenticated
- *             API operations. Use app client read/write permissions instead.</p>
+ *          <p>Developer-only <code>dev:</code> attributes are a legacy feature of user pools, and
+ *             are read-only to all app clients. You can create and update developer-only attributes
+ *             only with IAM-authenticated API operations. Use app client read/write permissions
+ *             instead.</p>
+ *          <p>This data type is a request and response parameter of <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html">CreateUserPool</a> and <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html">UpdateUserPool</a>, and a response parameter of <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html">DescribeUserPool</a>.</p>
  * @public
  */
 export interface SchemaAttributeType {
@@ -407,6 +467,12 @@ export class InternalErrorException extends __BaseException {
 export class InvalidParameterException extends __BaseException {
   readonly name: "InvalidParameterException" = "InvalidParameterException";
   readonly $fault: "client" = "client";
+  /**
+   * <p>The reason code of the exception.</p>
+   * @public
+   */
+  reasonCode?: string | undefined;
+
   /**
    * @internal
    */
@@ -417,6 +483,7 @@ export class InvalidParameterException extends __BaseException {
       ...opts,
     });
     Object.setPrototypeOf(this, InvalidParameterException.prototype);
+    this.reasonCode = opts.reasonCode;
   }
 }
 
@@ -748,7 +815,8 @@ export const MessageActionType = {
 export type MessageActionType = (typeof MessageActionType)[keyof typeof MessageActionType];
 
 /**
- * <p>Specifies whether the attribute is standard or custom.</p>
+ * <p>The name and value of a user attribute.</p>
+ *          <p>This data type is a request parameter of <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminUpdateUserAttributes.html">AdminUpdateUserAttributes</a> and <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserAttributes.html">UpdateUserAttributes</a>.</p>
  * @public
  */
 export interface AttributeType {
@@ -766,7 +834,7 @@ export interface AttributeType {
 }
 
 /**
- * <p>Represents the request to create a user in the specified user pool.</p>
+ * <p>Creates a new user in the specified user pool.</p>
  * @public
  */
 export interface AdminCreateUserRequest {
@@ -811,6 +879,10 @@ export interface AdminCreateUserRequest {
    *             address or phone number. You can do this in your call to AdminCreateUser or in the
    *                 <b>Users</b> tab of the Amazon Cognito console for managing your
    *             user pools.</p>
+   *          <p>You must also provide an email address or phone number when you expect the user to do
+   *             passwordless sign-in with an email or SMS OTP. These attributes must be provided when
+   *             passwordless options are the only available, or when you don't submit a
+   *                 <code>TemporaryPassword</code>.</p>
    *          <p>In your call to <code>AdminCreateUser</code>, you can set the
    *                 <code>email_verified</code> attribute to <code>True</code>, and you can set the
    *                 <code>phone_number_verified</code> attribute to <code>True</code>. You can also do
@@ -854,11 +926,15 @@ export interface AdminCreateUserRequest {
   /**
    * <p>The user's temporary password. This password must conform to the password policy that
    *             you specified when you created the user pool.</p>
+   *          <p>The exception to the requirement for a password is when your user pool supports
+   *             passwordless sign-in with email or SMS OTPs. To create a user with no password, omit
+   *             this parameter or submit a blank value. You can only create a passwordless user when
+   *             passwordless sign-in is available. See <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SignInPolicyType.html">the SignInPolicyType</a> property of <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html">CreateUserPool</a> and <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html">UpdateUserPool</a>.</p>
    *          <p>The temporary password is valid only once. To complete the Admin Create User flow, the
    *             user must enter the temporary password in the sign-in page, along with a new password to
    *             be used in all future sign-ins.</p>
-   *          <p>This parameter isn't required. If you don't specify a value, Amazon Cognito generates one for
-   *             you.</p>
+   *          <p>If you don't specify a value, Amazon Cognito generates one for you unless you have passwordless
+   *             options active for your user pool.</p>
    *          <p>The temporary password can only be used until the user account expiration limit that
    *             you set for your user pool. To reset the account after that time limit, you must call
    *                 <code>AdminCreateUser</code> again and specify <code>RESEND</code> for the
@@ -981,23 +1057,25 @@ export type UserStatusType = (typeof UserStatusType)[keyof typeof UserStatusType
 
 /**
  * <p>A user profile in a Amazon Cognito user pool.</p>
+ *          <p>This data type is a response parameter to <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminCreateUser.html">AdminCreateUser</a> and <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_ListUsers.html">ListUsers</a>. </p>
  * @public
  */
 export interface UserType {
   /**
-   * <p>The user name of the user you want to describe.</p>
+   * <p>The user's username.</p>
    * @public
    */
   Username?: string | undefined;
 
   /**
-   * <p>A container with information about the user type attributes.</p>
+   * <p>Names and values of a user's attributes, for example <code>email</code>.</p>
    * @public
    */
   Attributes?: AttributeType[] | undefined;
 
   /**
-   * <p>The creation date of the user.</p>
+   * <p>The date and time when the item was created. Amazon Cognito returns this timestamp in UNIX epoch time format. Your SDK might render the output in a
+   * human-readable format like ISO 8601 or a Java <code>Date</code> object.</p>
    * @public
    */
   UserCreateDate?: Date | undefined;
@@ -1010,7 +1088,7 @@ export interface UserType {
   UserLastModifiedDate?: Date | undefined;
 
   /**
-   * <p>Specifies whether the user is enabled.</p>
+   * <p>Indicates whether the user's account is enabled or disabled.</p>
    * @public
    */
   Enabled?: boolean | undefined;
@@ -1045,7 +1123,7 @@ export interface UserType {
   UserStatus?: UserStatusType | undefined;
 
   /**
-   * <p>The MFA options for the user.</p>
+   * <p>The user's MFA configuration.</p>
    * @public
    */
   MFAOptions?: MFAOptionType[] | undefined;
@@ -1128,7 +1206,7 @@ export class InvalidSmsRoleAccessPolicyException extends __BaseException {
 /**
  * <p>This exception is thrown when the trust relationship is not valid for the role
  *             provided for SMS configuration. This can happen if you don't trust
- *             <code>cognito-idp.amazonaws.com</code> or the external ID provided in the role does
+ *                 <code>cognito-idp.amazonaws.com</code> or the external ID provided in the role does
  *             not match what is provided in the SMS configuration for the user pool.</p>
  * @public
  */
@@ -1234,35 +1312,39 @@ export interface MessageTemplateType {
 }
 
 /**
- * <p>The configuration for creating a new user profile.</p>
+ * <p>The settings for administrator creation of users in a user pool. Contains settings for
+ *             allowing user sign-up, customizing invitation messages to new users, and the amount of
+ *             time before temporary passwords expire.</p>
+ *          <p>This data type is a request and response parameter of <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html">CreateUserPool</a> and <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html">UpdateUserPool</a>, and a response parameter of <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html">DescribeUserPool</a>.</p>
  * @public
  */
 export interface AdminCreateUserConfigType {
   /**
-   * <p>Set to <code>True</code> if only the administrator is allowed to create user profiles.
-   *             Set to <code>False</code> if users can sign themselves up via an app.</p>
+   * <p>The setting for allowing self-service sign-up. When <code>true</code>, only
+   *             administrators can create new user profiles. When <code>false</code>, users can register
+   *             themselves and create a new user profile with the <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SignUp.html">SignUp</a> operation.</p>
    * @public
    */
   AllowAdminCreateUserOnly?: boolean | undefined;
 
   /**
-   * <p>The user account expiration limit, in days, after which a new account that hasn't
-   *             signed in is no longer usable. To reset the account after that time limit, you must call
-   *                 <code>AdminCreateUser</code> again, specifying <code>"RESEND"</code> for the
-   *                 <code>MessageAction</code> parameter. The default value for this parameter is
-   *             7.</p>
-   *          <note>
-   *             <p>If you set a value for <code>TemporaryPasswordValidityDays</code> in
-   *                     <code>PasswordPolicy</code>, that value will be used, and
-   *                     <code>UnusedAccountValidityDays</code> will be no longer be an available
-   *                 parameter for that user pool.</p>
-   *          </note>
+   * <p>This parameter is no longer in use. Configure the duration of temporary passwords with
+   *             the <code>TemporaryPasswordValidityDays</code> parameter of <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_PasswordPolicyType.html">PasswordPolicyType</a>. For older user pools that have a
+   *                 <code>UnusedAccountValidityDays</code> configuration, that value is effective until
+   *             you set a value for <code>TemporaryPasswordValidityDays</code>.</p>
+   *          <p>The password expiration limit in days for administrator-created users. When this time
+   *             expires, the user can't sign in with their temporary password. To reset the account
+   *             after that time limit, you must call <code>AdminCreateUser</code> again, specifying
+   *                 <code>RESEND</code> for the <code>MessageAction</code> parameter. </p>
+   *          <p>The default value for this parameter is 7.</p>
    * @public
    */
   UnusedAccountValidityDays?: number | undefined;
 
   /**
-   * <p>The message template to be used for the welcome message to new users.</p>
+   * <p>The template for the welcome message to new users. This template must include the
+   *                 <code>\{####\}</code> temporary password placeholder if you are creating users with
+   *             passwords. If your users don't have passwords, you can omit the placeholder.</p>
    *          <p>See also <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-message-customizations.html#cognito-user-pool-settings-user-invitation-message-customization">Customizing User Invitation Messages</a>.</p>
    * @public
    */
@@ -1329,7 +1411,9 @@ export interface AdminDeleteUserAttributesRequest {
 export interface AdminDeleteUserAttributesResponse {}
 
 /**
- * <p>A container for information about an IdP for a user pool.</p>
+ * <p>The characteristics of a source or destination user for linking a federated user
+ *             profile to a local user profile.</p>
+ *          <p>This data type is a request parameter of <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminLinkProviderForUser.html">AdminLinkProviderForUser</a> and <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminDisableProviderForUser.html">AdminDisableProviderForUser</a>.</p>
  * @public
  */
 export interface ProviderUserIdentifierType {
@@ -1534,24 +1618,28 @@ export interface AdminGetDeviceRequest {
 }
 
 /**
- * <p>The device type.</p>
+ * <p>Information about a user's device that they've registered for device SRP
+ *             authentication in your application. For more information, see <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-device-tracking.html">Working with user devices in your user pool</a>.</p>
+ *          <p>The data type is a response parameter of <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminGetDevice.html">AdminGetDevice</a>, <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminListDevices.html">AdminListDevices</a>, and <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_GetDevice.html">GetDevice</a>.</p>
  * @public
  */
 export interface DeviceType {
   /**
-   * <p>The device key.</p>
+   * <p>The device key, for example
+   *                 <code>us-west-2_EXAMPLE-a1b2c3d4-5678-90ab-cdef-EXAMPLE22222</code>.</p>
    * @public
    */
   DeviceKey?: string | undefined;
 
   /**
-   * <p>The device attributes.</p>
+   * <p>Metadata about a user's device, like name and last-access source IP.</p>
    * @public
    */
   DeviceAttributes?: AttributeType[] | undefined;
 
   /**
-   * <p>The creation date of the device.</p>
+   * <p>The date and time when the item was created. Amazon Cognito returns this timestamp in UNIX epoch time format. Your SDK might render the output in a
+   * human-readable format like ISO 8601 or a Java <code>Date</code> object.</p>
    * @public
    */
   DeviceCreateDate?: Date | undefined;
@@ -1564,7 +1652,7 @@ export interface DeviceType {
   DeviceLastModifiedDate?: Date | undefined;
 
   /**
-   * <p>The date when the device was last authenticated.</p>
+   * <p>The date when the user last signed in with the device.</p>
    * @public
    */
   DeviceLastAuthenticatedDate?: Date | undefined;
@@ -1687,22 +1775,26 @@ export interface AdminGetUserResponse {
 
   /**
    * <p>The MFA options that are activated for the user. The possible values in this list are
-   *             <code>SMS_MFA</code>, <code>EMAIL_OTP</code>, and <code>SOFTWARE_TOKEN_MFA</code>.</p>
+   *                 <code>SMS_MFA</code>, <code>EMAIL_OTP</code>, and
+   *             <code>SOFTWARE_TOKEN_MFA</code>.</p>
    * @public
    */
   UserMFASettingList?: string[] | undefined;
 }
 
 /**
- * <p>An Amazon Pinpoint analytics endpoint.</p>
- *          <p>An endpoint uniquely identifies a mobile device, email address, or phone number that
+ * <p>Information that your application adds to authentication requests. Applies an endpoint
+ *             ID to the analytics data that your user pool sends to Amazon Pinpoint.</p>
+ *          <p>An endpoint ID uniquely identifies a mobile device, email address or phone number that
  *             can receive messages from Amazon Pinpoint analytics. For more information about Amazon Web Services Regions that
  *             can contain Amazon Pinpoint resources for use with Amazon Cognito user pools, see <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-pinpoint-integration.html">Using Amazon Pinpoint analytics with Amazon Cognito user pools</a>.</p>
+ *          <p>This data type is a request parameter of authentication operations like <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_InitiateAuth.html">InitiateAuth</a>, <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminInitiateAuth.html">AdminInitiateAuth</a>, <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_RespondToAuthChallenge.html">RespondToAuthChallenge</a>, and <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminRespondToAuthChallenge.html">AdminRespondToAuthChallenge</a>.</p>
  * @public
  */
 export interface AnalyticsMetadataType {
   /**
-   * <p>The endpoint ID.</p>
+   * <p>The endpoint ID. Information that you want to pass to Amazon Pinpoint about where to send
+   *             notifications.</p>
    * @public
    */
   AnalyticsEndpointId?: string | undefined;
@@ -1718,6 +1810,7 @@ export const AuthFlowType = {
   CUSTOM_AUTH: "CUSTOM_AUTH",
   REFRESH_TOKEN: "REFRESH_TOKEN",
   REFRESH_TOKEN_AUTH: "REFRESH_TOKEN_AUTH",
+  USER_AUTH: "USER_AUTH",
   USER_PASSWORD_AUTH: "USER_PASSWORD_AUTH",
   USER_SRP_AUTH: "USER_SRP_AUTH",
 } as const;
@@ -1728,7 +1821,9 @@ export const AuthFlowType = {
 export type AuthFlowType = (typeof AuthFlowType)[keyof typeof AuthFlowType];
 
 /**
- * <p>The HTTP header.</p>
+ * <p>The HTTP header in the <code>ContextData</code> parameter.</p>
+ *          <p>This data type is a request parameter of server-side authentication operations like
+ *                 <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminInitiateAuth.html">AdminInitiateAuth</a> and <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminRespondToAuthChallenge.html">AdminRespondToAuthChallenge</a>.</p>
  * @public
  */
 export interface HttpHeader {
@@ -1746,8 +1841,10 @@ export interface HttpHeader {
 }
 
 /**
- * <p>Contextual user data type used for evaluating the risk of an unexpected event by Amazon Cognito
- *             advanced security.</p>
+ * <p>Contextual user data used for evaluating the risk of an authentication event by user
+ *             pool threat protection.</p>
+ *          <p>This data type is a request parameter of server-side authentication operations like
+ *                 <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminInitiateAuth.html">AdminInitiateAuth</a> and <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminRespondToAuthChallenge.html">AdminRespondToAuthChallenge</a>.</p>
  * @public
  */
 export interface ContextDataType {
@@ -1758,19 +1855,19 @@ export interface ContextDataType {
   IpAddress: string | undefined;
 
   /**
-   * <p>Your server endpoint where this API is invoked.</p>
+   * <p>The name of your application's service endpoint.</p>
    * @public
    */
   ServerName: string | undefined;
 
   /**
-   * <p>Your server path where this API is invoked.</p>
+   * <p>The path of your application's service endpoint.</p>
    * @public
    */
   ServerPath: string | undefined;
 
   /**
-   * <p>HttpHeaders received on your server in same order.</p>
+   * <p>The HTTP headers from your user's authentication request.</p>
    * @public
    */
   HttpHeaders: HttpHeader[] | undefined;
@@ -1801,57 +1898,68 @@ export interface AdminInitiateAuthRequest {
   ClientId: string | undefined;
 
   /**
-   * <p>The authentication flow for this call to run. The API action will depend on this
-   *             value. For example:</p>
-   *          <ul>
-   *             <li>
-   *                <p>
-   *                   <code>REFRESH_TOKEN_AUTH</code> will take in a valid refresh token and return
-   *                     new tokens.</p>
-   *             </li>
-   *             <li>
-   *                <p>
-   *                   <code>USER_SRP_AUTH</code> will take in <code>USERNAME</code> and
-   *                         <code>SRP_A</code> and return the Secure Remote Password (SRP) protocol
-   *                     variables to be used for next challenge execution.</p>
-   *             </li>
-   *             <li>
-   *                <p>
-   *                   <code>ADMIN_USER_PASSWORD_AUTH</code> will take in <code>USERNAME</code> and
-   *                         <code>PASSWORD</code> and return the next challenge or tokens.</p>
-   *             </li>
-   *          </ul>
-   *          <p>Valid values include:</p>
+   * <p>The authentication flow that you want to initiate. The <code>AuthParameters</code>
+   *             that you must submit are linked to the flow that you submit. For example:</p>
    *          <ul>
    *             <li>
    *                <p>
-   *                   <code>USER_SRP_AUTH</code>: Authentication flow for the Secure Remote Password
-   *                     (SRP) protocol.</p>
-   *             </li>
-   *             <li>
-   *                <p>
-   *                   <code>REFRESH_TOKEN_AUTH</code>/<code>REFRESH_TOKEN</code>: Authentication
-   *                     flow for refreshing the access token and ID token by supplying a valid refresh
-   *                     token.</p>
+   *                   <code>USER_AUTH</code>: Request a preferred authentication type or review
+   *                     available authentication types. From the offered authentication types, select
+   *                     one in a challenge response and then authenticate with that method in an
+   *                     additional challenge response.</p>
    *             </li>
    *             <li>
    *                <p>
-   *                   <code>CUSTOM_AUTH</code>: Custom authentication flow.</p>
+   *                   <code>REFRESH_TOKEN_AUTH</code>: Receive new ID and access tokens when you
+   *                     pass a <code>REFRESH_TOKEN</code> parameter with a valid refresh token as the
+   *                     value.</p>
    *             </li>
    *             <li>
    *                <p>
-   *                   <code>ADMIN_NO_SRP_AUTH</code>: Non-SRP authentication flow; you can pass in
-   *                     the USERNAME and PASSWORD directly if the flow is enabled for calling the app
-   *                     client.</p>
+   *                   <code>USER_SRP_AUTH</code>: Receive secure remote password (SRP) variables for
+   *                     the next challenge, <code>PASSWORD_VERIFIER</code>, when you pass
+   *                         <code>USERNAME</code> and <code>SRP_A</code> parameters..</p>
    *             </li>
    *             <li>
    *                <p>
-   *                   <code>ADMIN_USER_PASSWORD_AUTH</code>: Admin-based user password
-   *                     authentication. This replaces the <code>ADMIN_NO_SRP_AUTH</code> authentication
-   *                     flow. In this flow, Amazon Cognito receives the password in the request instead of using
-   *                     the SRP process to verify passwords.</p>
+   *                   <code>ADMIN_USER_PASSWORD_AUTH</code>: Receive new tokens or the next
+   *                     challenge, for example <code>SOFTWARE_TOKEN_MFA</code>, when you pass
+   *                         <code>USERNAME</code> and <code>PASSWORD</code> parameters.</p>
    *             </li>
    *          </ul>
+   *          <p>Valid values include the following:</p>
+   *          <dl>
+   *             <dt>USER_AUTH</dt>
+   *             <dd>
+   *                <p>The entry point for sign-in with passwords, one-time passwords, biometric
+   *                         devices, and security keys.</p>
+   *             </dd>
+   *             <dt>USER_SRP_AUTH</dt>
+   *             <dd>
+   *                <p>Username-password authentication with the Secure Remote Password (SRP)
+   *                         protocol. For more information, see <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-authentication-flow.html#Using-SRP-password-verification-in-custom-authentication-flow">Use SRP password verification in custom
+   *                             authentication flow</a>.</p>
+   *             </dd>
+   *             <dt>REFRESH_TOKEN_AUTH and REFRESH_TOKEN</dt>
+   *             <dd>
+   *                <p>Provide a valid refresh token and receive new ID and access tokens. For
+   *                         more information, see <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-the-refresh-token.html">Using the refresh token</a>.</p>
+   *             </dd>
+   *             <dt>CUSTOM_AUTH</dt>
+   *             <dd>
+   *                <p>Custom authentication with Lambda triggers. For more information, see
+   *                             <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-challenge.html">Custom authentication challenge Lambda
+   *                             triggers</a>.</p>
+   *             </dd>
+   *             <dt>ADMIN_USER_PASSWORD_AUTH</dt>
+   *             <dd>
+   *                <p>Username-password authentication with the password sent directly in the
+   *                         request. For more information, see <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-authentication-flow.html#Built-in-authentication-flow-and-challenges">Admin authentication flow</a>.</p>
+   *             </dd>
+   *          </dl>
+   *          <p>
+   *             <code>USER_PASSWORD_AUTH</code> is a flow type of <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_InitiateAuth.html">InitiateAuth</a> and isn't valid for
+   *             AdminInitiateAuth.</p>
    * @public
    */
   AuthFlow: AuthFlowType | undefined;
@@ -1862,6 +1970,13 @@ export interface AdminInitiateAuthRequest {
    *             of <code>AuthFlow</code>:</p>
    *          <ul>
    *             <li>
+   *                <p>For <code>USER_AUTH</code>: <code>USERNAME</code> (required),
+   *                         <code>PREFERRED_CHALLENGE</code>. If you don't provide a value for
+   *                         <code>PREFERRED_CHALLENGE</code>, Amazon Cognito responds with the
+   *                         <code>AvailableChallenges</code> parameter that specifies the available
+   *                     sign-in methods.</p>
+   *             </li>
+   *             <li>
    *                <p>For <code>USER_SRP_AUTH</code>: <code>USERNAME</code> (required),
    *                         <code>SRP_A</code> (required), <code>SECRET_HASH</code> (required if the app
    *                     client is configured with a client secret), <code>DEVICE_KEY</code>.</p>
@@ -1932,6 +2047,12 @@ export interface AdminInitiateAuthRequest {
    *             <li>
    *                <p>Define auth challenge</p>
    *             </li>
+   *             <li>
+   *                <p>Custom email sender</p>
+   *             </li>
+   *             <li>
+   *                <p>Custom SMS sender</p>
+   *             </li>
    *          </ul>
    *          <p>For more information, see <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html">
    * Customizing user pool Workflows with Lambda Triggers</a> in the <i>Amazon Cognito Developer Guide</i>.</p>
@@ -1972,34 +2093,49 @@ export interface AdminInitiateAuthRequest {
    * @public
    */
   ContextData?: ContextDataType | undefined;
+
+  /**
+   * <p>The optional session ID from a <code>ConfirmSignUp</code> API request. You can sign in
+   *             a user directly from the sign-up process with the <code>USER_AUTH</code> authentication
+   *             flow.</p>
+   * @public
+   */
+  Session?: string | undefined;
 }
 
 /**
- * <p>The new device metadata type.</p>
+ * <p>Information that your user pool responds with in <code>AuthenticationResult</code>when
+ *             you configure it to remember devices and a user signs in with an unrecognized device.
+ *             Amazon Cognito presents a new device key that you can use to set up <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-device-tracking.html">device authentication</a> in a "Remember me on this device"
+ *             authentication model.</p>
+ *          <p>This data type is a response parameter of authentication operations like <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_InitiateAuth.html">InitiateAuth</a>, <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminInitiateAuth.html">AdminInitiateAuth</a>, <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_RespondToAuthChallenge.html">RespondToAuthChallenge</a>, and <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminRespondToAuthChallenge.html">AdminRespondToAuthChallenge</a>.</p>
  * @public
  */
 export interface NewDeviceMetadataType {
   /**
-   * <p>The device key.</p>
+   * <p>The device key, an identifier used in generating the
+   *                 <code>DEVICE_PASSWORD_VERIFIER</code> for device SRP authentication.</p>
    * @public
    */
   DeviceKey?: string | undefined;
 
   /**
-   * <p>The device group key.</p>
+   * <p>The device group key, an identifier used in generating the
+   *                 <code>DEVICE_PASSWORD_VERIFIER</code> for device SRP authentication.</p>
    * @public
    */
   DeviceGroupKey?: string | undefined;
 }
 
 /**
- * <p>The authentication result.</p>
+ * <p>The object that your application receives after authentication. Contains tokens and
+ *             information for device authentication.</p>
+ *          <p>This data type is a response parameter of authentication operations like <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_InitiateAuth.html">InitiateAuth</a>, <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminInitiateAuth.html">AdminInitiateAuth</a>, <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_RespondToAuthChallenge.html">RespondToAuthChallenge</a>, and <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminRespondToAuthChallenge.html">AdminRespondToAuthChallenge</a>.</p>
  * @public
  */
 export interface AuthenticationResultType {
   /**
-   * <p>A valid access token that Amazon Cognito issued to the user who you want to
-   *             authenticate.</p>
+   * <p>Your user's access token.</p>
    * @public
    */
   AccessToken?: string | undefined;
@@ -2011,19 +2147,19 @@ export interface AuthenticationResultType {
   ExpiresIn?: number | undefined;
 
   /**
-   * <p>The token type.</p>
+   * <p>The intended use of the token, for example <code>Bearer</code>.</p>
    * @public
    */
   TokenType?: string | undefined;
 
   /**
-   * <p>The refresh token.</p>
+   * <p>Your user's refresh token.</p>
    * @public
    */
   RefreshToken?: string | undefined;
 
   /**
-   * <p>The ID token.</p>
+   * <p>Your user's ID token.</p>
    * @public
    */
   IdToken?: string | undefined;
@@ -2047,10 +2183,15 @@ export const ChallengeNameType = {
   EMAIL_OTP: "EMAIL_OTP",
   MFA_SETUP: "MFA_SETUP",
   NEW_PASSWORD_REQUIRED: "NEW_PASSWORD_REQUIRED",
+  PASSWORD: "PASSWORD",
+  PASSWORD_SRP: "PASSWORD_SRP",
   PASSWORD_VERIFIER: "PASSWORD_VERIFIER",
+  SELECT_CHALLENGE: "SELECT_CHALLENGE",
   SELECT_MFA_TYPE: "SELECT_MFA_TYPE",
   SMS_MFA: "SMS_MFA",
+  SMS_OTP: "SMS_OTP",
   SOFTWARE_TOKEN_MFA: "SOFTWARE_TOKEN_MFA",
+  WEB_AUTHN: "WEB_AUTHN",
 } as const;
 
 /**
@@ -2070,6 +2211,33 @@ export interface AdminInitiateAuthResponse {
    *          <ul>
    *             <li>
    *                <p>
+   *                   <code>WEB_AUTHN</code>: Respond to the challenge with the results of a
+   *                     successful authentication with a passkey, or webauthN, factor. These are
+   *                     typically biometric devices or security keys.</p>
+   *             </li>
+   *             <li>
+   *                <p>
+   *                   <code>PASSWORD</code>: Respond with <code>USER_PASSWORD_AUTH</code>
+   *                     parameters: <code>USERNAME</code> (required), <code>PASSWORD</code> (required),
+   *                         <code>SECRET_HASH</code> (required if the app client is configured with a
+   *                     client secret), <code>DEVICE_KEY</code>.</p>
+   *             </li>
+   *             <li>
+   *                <p>
+   *                   <code>PASSWORD_SRP</code>: Respond with <code>USER_SRP_AUTH</code> parameters:
+   *                         <code>USERNAME</code> (required), <code>SRP_A</code> (required),
+   *                         <code>SECRET_HASH</code> (required if the app client is configured with a
+   *                     client secret), <code>DEVICE_KEY</code>.</p>
+   *             </li>
+   *             <li>
+   *                <p>
+   *                   <code>SELECT_CHALLENGE</code>: Respond to the challenge with
+   *                         <code>USERNAME</code> and an <code>ANSWER</code> that matches one of the
+   *                     challenge types in the <code>AvailableChallenges</code> response
+   *                     parameter.</p>
+   *             </li>
+   *             <li>
+   *                <p>
    *                   <code>MFA_SETUP</code>: If MFA is required, users who don't have at least one
    *                     of the MFA methods set up are presented with an <code>MFA_SETUP</code>
    *                     challenge. The user must set up at least one MFA type to continue to
@@ -2078,21 +2246,20 @@ export interface AdminInitiateAuthResponse {
    *             <li>
    *                <p>
    *                   <code>SELECT_MFA_TYPE</code>: Selects the MFA type. Valid MFA options are
-   *                     <code>SMS_MFA</code> for SMS message MFA, <code>EMAIL_OTP</code> for email
+   *                         <code>SMS_MFA</code> for SMS message MFA, <code>EMAIL_OTP</code> for email
    *                     message MFA, and <code>SOFTWARE_TOKEN_MFA</code> for time-based one-time
    *                     password (TOTP) software token MFA.</p>
    *             </li>
    *             <li>
    *                <p>
    *                   <code>SMS_MFA</code>: Next challenge is to supply an
-   *                     <code>SMS_MFA_CODE</code>that your user pool delivered
-   *                     in an SMS message.</p>
+   *                     <code>SMS_MFA_CODE</code>that your user pool delivered in an SMS message.</p>
    *             </li>
    *             <li>
    *                <p>
    *                   <code>EMAIL_OTP</code>: Next challenge is to supply an
-   *                     <code>EMAIL_OTP_CODE</code> that your user pool delivered
-   *                     in an email message.</p>
+   *                         <code>EMAIL_OTP_CODE</code> that your user pool delivered in an email
+   *                     message.</p>
    *             </li>
    *             <li>
    *                <p>
@@ -2132,6 +2299,13 @@ export interface AdminInitiateAuthResponse {
    *                     the <code>requiredAttributes</code> parameter. You can also set values for
    *                     attributes that aren't required by your user pool and that your app client can
    *                     write. For more information, see <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminRespondToAuthChallenge.html">AdminRespondToAuthChallenge</a>.</p>
+   *                <p>Amazon Cognito only returns this challenge for users who have temporary passwords.
+   *                     Because of this, and because in some cases you can create users who don't have
+   *                     values for required attributes, take care to collect and submit
+   *                     required-attribute values for all users who don't have passwords. You can create
+   *                     a user in the Amazon Cognito console without, for example, a required
+   *                         <code>birthdate</code> attribute. The API response from Amazon Cognito won't prompt
+   *                     you to submit a birthdate for the user if they don't have a password.</p>
    *                <note>
    *                   <p>In a <code>NEW_PASSWORD_REQUIRED</code> challenge response, you can't modify a required attribute that already has a value.
    * In <code>AdminRespondToAuthChallenge</code>, set a value for any keys that Amazon Cognito returned in the <code>requiredAttributes</code> parameter,
@@ -2320,20 +2494,26 @@ export interface AdminLinkProviderForUserRequest {
    *                 <code>ProviderAttributeValue</code> for the user must be the same value as the
    *                 <code>id</code>, <code>sub</code>, or <code>user_id</code> value found in the social
    *             IdP token.</p>
-   *          <p></p>
-   *          <p>For OIDC, the <code>ProviderAttributeName</code> can be any value that matches a claim
-   *             in the ID token, or that your app retrieves from the <code>userInfo</code> endpoint. You
-   *             must map the claim to a user pool attribute in your IdP configuration, and set the user
-   *             pool attribute name as the value of <code>ProviderAttributeName</code> in your
-   *                 <code>AdminLinkProviderForUser</code> request.</p>
-   *          <p>For SAML, the <code>ProviderAttributeName</code> can be any value that matches a claim
-   *             in the SAML assertion. To link SAML users based on the subject of the SAML assertion,
-   *             map the subject to a claim through the SAML IdP and set that claim name as the value of
-   *                 <code>ProviderAttributeName</code> in your <code>AdminLinkProviderForUser</code>
-   *             request.</p>
-   *          <p>For both OIDC and SAML users, when you set <code>ProviderAttributeName</code> to
-   *                 <code>Cognito_Subject</code>, Amazon Cognito will automatically parse the default unique
-   *             identifier found in the subject from the IdP token.</p>
+   *          <p>For OIDC, the <code>ProviderAttributeName</code> can be any mapped value from a claim
+   *             in the ID token, or that your app retrieves from the <code>userInfo</code> endpoint. For
+   *             SAML, the <code>ProviderAttributeName</code> can be any mapped value from a claim in the
+   *             SAML assertion.</p>
+   *          <p>The following additional considerations apply to <code>SourceUser</code> for OIDC and
+   *             SAML providers.</p>
+   *          <ul>
+   *             <li>
+   *                <p>You must map the claim to a user pool attribute in your IdP configuration, and
+   *                     set the user pool attribute name as the value of
+   *                         <code>ProviderAttributeName</code> in your
+   *                         <code>AdminLinkProviderForUser</code> request. For example,
+   *                         <code>email</code>.</p>
+   *             </li>
+   *             <li>
+   *                <p>When you set <code>ProviderAttributeName</code> to
+   *                         <code>Cognito_Subject</code>, Amazon Cognito will automatically parse the default
+   *                     unique identifier found in the subject from the IdP token.</p>
+   *             </li>
+   *          </ul>
    * @public
    */
   SourceUser: ProviderUserIdentifierType | undefined;
@@ -2437,7 +2617,11 @@ export interface AdminListGroupsForUserRequest {
 }
 
 /**
- * <p>The group type.</p>
+ * <p>A user pool group. Contains details about the group and the way that it contributes to
+ *             IAM role decisions with identity pools. Identity pools can make decisions about the
+ *             IAM role to assign based on groups: users get credentials for the role associated with
+ *             their highest-priority group.</p>
+ *          <p>This data type is a response parameter of <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminListGroupsForUser.html">AdminListGroupsForUser</a>, <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateGroup.html">CreateGroup</a>, <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_GetGroup.html">GetGroup</a>, <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_ListGroups.html">ListGroups</a>, and <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateGroup.html">UpdateGroup</a>.</p>
  * @public
  */
 export interface GroupType {
@@ -2448,19 +2632,21 @@ export interface GroupType {
   GroupName?: string | undefined;
 
   /**
-   * <p>The user pool ID for the user pool.</p>
+   * <p>The ID of the user pool that contains the group.</p>
    * @public
    */
   UserPoolId?: string | undefined;
 
   /**
-   * <p>A string containing the description of the group.</p>
+   * <p>A friendly description of the group.</p>
    * @public
    */
   Description?: string | undefined;
 
   /**
-   * <p>The role Amazon Resource Name (ARN) for the group.</p>
+   * <p>The ARN of the IAM role associated with the group. If a group has the highest
+   *             priority of a user's groups, users who authenticate with an identity pool get
+   *             credentials for the <code>RoleArn</code> that's associated with the group.</p>
    * @public
    */
   RoleArn?: string | undefined;
@@ -2479,7 +2665,7 @@ export interface GroupType {
    *                 <code>cognito:preferred_role</code> claim in tokens for users in each group. If the
    *             two groups have different role ARNs, the <code>cognito:preferred_role</code> claim isn't
    *             set in users' tokens.</p>
-   *          <p>The default <code>Precedence</code> value is null.</p>
+   *          <p>The default <code>Precedence</code> value is <code>null</code>.</p>
    * @public
    */
   Precedence?: number | undefined;
@@ -2581,25 +2767,201 @@ export const ChallengeResponse = {
 export type ChallengeResponse = (typeof ChallengeResponse)[keyof typeof ChallengeResponse];
 
 /**
- * <p>The challenge response type.</p>
+ * <p>The responses to the challenge that you received in the previous request. Each
+ *     challenge has its own required response parameters. The following examples are partial
+ *     JSON request bodies that highlight challenge-response parameters.</p>
+ *          <important>
+ *             <p>You must provide a SECRET_HASH parameter in all challenge responses to an app
+ *         client that has a client secret. Include a <code>DEVICE_KEY</code> for device
+ *         authentication.</p>
+ *          </important>
+ *          <dl>
+ *             <dt>SELECT_CHALLENGE</dt>
+ *             <dd>
+ *                <p>
+ *                   <code>"ChallengeName": "SELECT_CHALLENGE", "ChallengeResponses": \{
+ *             "USERNAME": "[username]",
+ *             "ANSWER": "[Challenge name]"\}</code>
+ *                </p>
+ *                <p>Available challenges are <code>PASSWORD</code>, <code>PASSWORD_SRP</code>,
+ *             <code>EMAIL_OTP</code>, <code>SMS_OTP</code>, and <code>WEB_AUTHN</code>.</p>
+ *                <p>Complete authentication in the <code>SELECT_CHALLENGE</code> response for
+ *             <code>PASSWORD</code>, <code>PASSWORD_SRP</code>, and <code>WEB_AUTHN</code>:</p>
+ *                <ul>
+ *                   <li>
+ *                      <p>
+ *                         <code>"ChallengeName": "SELECT_CHALLENGE", "ChallengeResponses": \{
+ *                   "ANSWER": "WEB_AUTHN",
+ *                   "USERNAME": "[username]",
+ *                   "CREDENTIAL": "[AuthenticationResponseJSON]"\}</code>
+ *                      </p>
+ *                      <p>See <a href="https://www.w3.org/TR/webauthn-3/#dictdef-authenticationresponsejson">
+ *                   AuthenticationResponseJSON</a>.</p>
+ *                   </li>
+ *                   <li>
+ *                      <p>
+ *                         <code>"ChallengeName": "SELECT_CHALLENGE", "ChallengeResponses": \{
+ *                   "ANSWER": "PASSWORD",
+ *                   "USERNAME": "[username]",
+ *                   "PASSWORD": "[password]"\}</code>
+ *                      </p>
+ *                   </li>
+ *                   <li>
+ *                      <p>
+ *                         <code>"ChallengeName": "SELECT_CHALLENGE", "ChallengeResponses": \{
+ *                   "ANSWER": "PASSWORD_SRP",
+ *                   "USERNAME": "[username]",
+ *                   "SRP_A": "[SRP_A]"\}</code>
+ *                      </p>
+ *                   </li>
+ *                </ul>
+ *                <p>For <code>SMS_OTP</code> and <code>EMAIL_OTP</code>, respond with the
+ *             username and answer. Your user pool will send a code for the user to submit in
+ *             the next challenge response.</p>
+ *                <ul>
+ *                   <li>
+ *                      <p>
+ *                         <code>"ChallengeName": "SELECT_CHALLENGE", "ChallengeResponses": \{
+ *                   "ANSWER": "SMS_OTP",
+ *                   "USERNAME": "[username]"\}</code>
+ *                      </p>
+ *                   </li>
+ *                   <li>
+ *                      <p>
+ *                         <code>"ChallengeName": "SELECT_CHALLENGE", "ChallengeResponses": \{
+ *                   "ANSWER": "EMAIL_OTP",
+ *                   "USERNAME": "[username]"\}</code>
+ *                      </p>
+ *                   </li>
+ *                </ul>
+ *             </dd>
+ *             <dt>SMS_OTP</dt>
+ *             <dd>
+ *                <p>
+ *                   <code>"ChallengeName": "SMS_OTP", "ChallengeResponses":
+ *             \{"SMS_OTP_CODE": "[code]", "USERNAME": "[username]"\}</code>
+ *                </p>
+ *             </dd>
+ *             <dt>EMAIL_OTP</dt>
+ *             <dd>
+ *                <p>
+ *                   <code>"ChallengeName": "EMAIL_OTP", "ChallengeResponses": \{"EMAIL_OTP_CODE":
+ *                     "[code]", "USERNAME": "[username]"\}</code>
+ *                </p>
+ *             </dd>
+ *             <dt>SMS_MFA</dt>
+ *             <dd>
+ *                <p>
+ *                   <code>"ChallengeName": "SMS_MFA", "ChallengeResponses": \{"SMS_MFA_CODE":
+ *                     "[code]", "USERNAME": "[username]"\}</code>
+ *                </p>
+ *             </dd>
+ *             <dt>PASSWORD_VERIFIER</dt>
+ *             <dd>
+ *                <p>This challenge response is part of the SRP flow. Amazon Cognito requires
+ *             that your application respond to this challenge within a few seconds. When
+ *             the response time exceeds this period, your user pool returns a
+ *             <code>NotAuthorizedException</code> error.</p>
+ *                <p>
+ *                   <code>"ChallengeName": "PASSWORD_VERIFIER", "ChallengeResponses":
+ *                     \{"PASSWORD_CLAIM_SIGNATURE": "[claim_signature]",
+ *                     "PASSWORD_CLAIM_SECRET_BLOCK": "[secret_block]", "TIMESTAMP":
+ *                     [timestamp], "USERNAME": "[username]"\}</code>
+ *                </p>
+ *                <p>Add <code>"DEVICE_KEY"</code> when you sign in with a remembered
+ *                 device.</p>
+ *             </dd>
+ *             <dt>CUSTOM_CHALLENGE</dt>
+ *             <dd>
+ *                <p>
+ *                   <code>"ChallengeName": "CUSTOM_CHALLENGE", "ChallengeResponses":
+ *                     \{"USERNAME": "[username]", "ANSWER": "[challenge_answer]"\}</code>
+ *                </p>
+ *                <p>Add <code>"DEVICE_KEY"</code> when you sign in with a remembered
+ *                 device.</p>
+ *             </dd>
+ *             <dt>NEW_PASSWORD_REQUIRED</dt>
+ *             <dd>
+ *                <p>
+ *                   <code>"ChallengeName": "NEW_PASSWORD_REQUIRED", "ChallengeResponses":
+ *                     \{"NEW_PASSWORD": "[new_password]", "USERNAME":
+ *                 "[username]"\}</code>
+ *                </p>
+ *                <p>To set any required attributes that <code>InitiateAuth</code> returned in
+ *                 an <code>requiredAttributes</code> parameter, add
+ *                     <code>"userAttributes.[attribute_name]": "[attribute_value]"</code>.
+ *                 This parameter can also set values for writable attributes that aren't
+ *                 required by your user pool.</p>
+ *                <note>
+ *                   <p>In a <code>NEW_PASSWORD_REQUIRED</code> challenge response, you can't modify a required attribute that already has a value.
+ * In <code>RespondToAuthChallenge</code>, set a value for any keys that Amazon Cognito returned in the <code>requiredAttributes</code> parameter,
+ * then use the <code>UpdateUserAttributes</code> API operation to modify the value of any additional attributes.</p>
+ *                </note>
+ *             </dd>
+ *             <dt>SOFTWARE_TOKEN_MFA</dt>
+ *             <dd>
+ *                <p>
+ *                   <code>"ChallengeName": "SOFTWARE_TOKEN_MFA", "ChallengeResponses":
+ *                     \{"USERNAME": "[username]", "SOFTWARE_TOKEN_MFA_CODE":
+ *                     [authenticator_code]\}</code>
+ *                </p>
+ *             </dd>
+ *             <dt>DEVICE_SRP_AUTH</dt>
+ *             <dd>
+ *                <p>
+ *                   <code>"ChallengeName": "DEVICE_SRP_AUTH", "ChallengeResponses": \{"USERNAME":
+ *                 "[username]", "DEVICE_KEY": "[device_key]", "SRP_A":
+ *                 "[srp_a]"\}</code>
+ *                </p>
+ *             </dd>
+ *             <dt>DEVICE_PASSWORD_VERIFIER</dt>
+ *             <dd>
+ *                <p>
+ *                   <code>"ChallengeName": "DEVICE_PASSWORD_VERIFIER", "ChallengeResponses":
+ *                 \{"DEVICE_KEY": "[device_key]", "PASSWORD_CLAIM_SIGNATURE":
+ *                 "[claim_signature]", "PASSWORD_CLAIM_SECRET_BLOCK": "[secret_block]",
+ *                 "TIMESTAMP": [timestamp], "USERNAME": "[username]"\}</code>
+ *                </p>
+ *             </dd>
+ *             <dt>MFA_SETUP</dt>
+ *             <dd>
+ *                <p>
+ *                   <code>"ChallengeName": "MFA_SETUP", "ChallengeResponses": \{"USERNAME":
+ *                 "[username]"\}, "SESSION": "[Session ID from
+ *                 VerifySoftwareToken]"</code>
+ *                </p>
+ *             </dd>
+ *             <dt>SELECT_MFA_TYPE</dt>
+ *             <dd>
+ *                <p>
+ *                   <code>"ChallengeName": "SELECT_MFA_TYPE", "ChallengeResponses": \{"USERNAME":
+ *                 "[username]", "ANSWER": "[SMS_MFA or SOFTWARE_TOKEN_MFA]"\}</code>
+ *                </p>
+ *             </dd>
+ *          </dl>
+ *          <p>For more information about <code>SECRET_HASH</code>, see <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/signing-up-users-in-your-app.html#cognito-user-pools-computing-secret-hash">Computing secret hash values</a>. For information about
+ *     <code>DEVICE_KEY</code>, see <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-device-tracking.html">Working with user devices in your user pool</a>.</p>
+ *          <p>This data type is a request parameter of <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_RespondToAuthChallenge.html">RespondToAuthChallenge</a> and <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminRespondToAuthChallenge.html">AdminRespondToAuthChallenge</a>.</p>
  * @public
  */
 export interface ChallengeResponseType {
   /**
-   * <p>The challenge name.</p>
+   * <p>The type of challenge that your previous authentication request returned in the
+   *             parameter <code>ChallengeName</code>, for example <code>SMS_MFA</code>.</p>
    * @public
    */
   ChallengeName?: ChallengeName | undefined;
 
   /**
-   * <p>The challenge response.</p>
+   * <p>The set of key-value pairs that provides a response to the requested challenge.</p>
    * @public
    */
   ChallengeResponse?: ChallengeResponse | undefined;
 }
 
 /**
- * <p>Specifies the user context data captured at the time of an event request.</p>
+ * <p>The context data that your application submitted in an authentication request with
+ *             advanced security features, as displayed in an <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminListUserAuthEvents.html">AdminListUserAuthEvents</a> response.</p>
  * @public
  */
 export interface EventContextDataType {
@@ -2649,7 +3011,8 @@ export const FeedbackValueType = {
 export type FeedbackValueType = (typeof FeedbackValueType)[keyof typeof FeedbackValueType];
 
 /**
- * <p>Specifies the event feedback type.</p>
+ * <p>The feedback that your application submitted to an advanced security features event
+ *             log, as displayed in an <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminListUserAuthEvents.html">AdminListUserAuthEvents</a> response.</p>
  * @public
  */
 export interface EventFeedbackType {
@@ -2664,13 +3027,14 @@ export interface EventFeedbackType {
   FeedbackValue: FeedbackValueType | undefined;
 
   /**
-   * <p>The provider.</p>
+   * <p>The submitter of the event feedback. For example, if you submit event feedback in the
+   *             Amazon Cognito console, this value is <code>Admin</code>.</p>
    * @public
    */
   Provider: string | undefined;
 
   /**
-   * <p>The event feedback date.</p>
+   * <p>The date that you or your user submitted the feedback.</p>
    * @public
    */
   FeedbackDate?: Date | undefined;
@@ -2722,18 +3086,24 @@ export const RiskLevelType = {
 export type RiskLevelType = (typeof RiskLevelType)[keyof typeof RiskLevelType];
 
 /**
- * <p>The event risk type.</p>
+ * <p>The risk evaluation by adaptive authentication, as displayed in an <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminListUserAuthEvents.html">AdminListUserAuthEvents</a> response. Contains evaluations
+ *             of compromised-credentials detection and assessed risk level and action taken by
+ *             adaptive authentication.</p>
  * @public
  */
 export interface EventRiskType {
   /**
-   * <p>The risk decision.</p>
+   * <p>The action taken by adaptive authentication. If <code>NoRisk</code>, your user pool
+   *             took no action. If <code>AccountTakeover</code>, your user pool applied the adaptive
+   *             authentication automated response that you configured. If <code>Block</code>, your user
+   *             pool prevented the attempt.</p>
    * @public
    */
   RiskDecision?: RiskDecisionType | undefined;
 
   /**
-   * <p>The risk level.</p>
+   * <p>The risk level that adaptive authentication assessed for the authentication
+   *             event.</p>
    * @public
    */
   RiskLevel?: RiskLevelType | undefined;
@@ -2764,7 +3134,10 @@ export const EventType = {
 export type EventType = (typeof EventType)[keyof typeof EventType];
 
 /**
- * <p>The authentication event type.</p>
+ * <p>One authentication event that Amazon Cognito logged in a user pool with advanced security
+ *             features active. Contains user and device metadata and a risk assessment from your user
+ *             pool.</p>
+ *          <p>This data type is a request parameter of <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminListUserAuthEvents.html">AdminListUserAuthEvents</a>.</p>
  * @public
  */
 export interface AuthEventType {
@@ -2775,7 +3148,7 @@ export interface AuthEventType {
   EventId?: string | undefined;
 
   /**
-   * <p>The event type.</p>
+   * <p>The type of authentication event.</p>
    * @public
    */
   EventType?: EventType | undefined;
@@ -2794,13 +3167,16 @@ export interface AuthEventType {
   EventResponse?: EventResponseType | undefined;
 
   /**
-   * <p>The event risk.</p>
+   * <p>The threat evaluation from your user pool about an event. Contains information about
+   *             whether your user pool detected compromised credentials, whether the event triggered an
+   *             automated response, and the level of risk.</p>
    * @public
    */
   EventRisk?: EventRiskType | undefined;
 
   /**
-   * <p>The challenge responses.</p>
+   * <p>A list of the challenges that the user was requested to answer, for example
+   *                 <code>Password</code>, and the result, for example <code>Success</code>.</p>
    * @public
    */
   ChallengeResponses?: ChallengeResponseType[] | undefined;
@@ -2813,8 +3189,12 @@ export interface AuthEventType {
   EventContextData?: EventContextDataType | undefined;
 
   /**
-   * <p>A flag specifying the user feedback captured at the time of an event request is good
-   *             or bad. </p>
+   * <p>The <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateAuthEventFeedback.html">UpdateAuthEventFeedback</a> or <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminUpdateAuthEventFeedback.html">AdminUpdateAuthEventFeedback</a> feedback that you or your
+   *             user provided in response to the event. A value of <code>Valid</code> indicates that you
+   *             disagreed with the level of risk that your user pool assigned, and evaluated a session
+   *             to be valid, or likely safe. A value of <code>Invalid</code> indicates that you agreed
+   *             with the user pool risk level and evaluated a session to be invalid, or likely
+   *             malicious.</p>
    * @public
    */
   EventFeedback?: EventFeedbackType | undefined;
@@ -2980,14 +3360,74 @@ export interface AdminRespondToAuthChallengeRequest {
    *     JSON request bodies that highlight challenge-response parameters.</p>
    *          <important>
    *             <p>You must provide a SECRET_HASH parameter in all challenge responses to an app
-   *         client that has a client secret.</p>
+   *         client that has a client secret. Include a <code>DEVICE_KEY</code> for device
+   *         authentication.</p>
    *          </important>
    *          <dl>
-   *             <dt>SMS_MFA</dt>
+   *             <dt>SELECT_CHALLENGE</dt>
    *             <dd>
    *                <p>
-   *                   <code>"ChallengeName": "SMS_MFA", "ChallengeResponses": \{"SMS_MFA_CODE":
-   *                     "[code]", "USERNAME": "[username]"\}</code>
+   *                   <code>"ChallengeName": "SELECT_CHALLENGE", "ChallengeResponses": \{
+   *             "USERNAME": "[username]",
+   *             "ANSWER": "[Challenge name]"\}</code>
+   *                </p>
+   *                <p>Available challenges are <code>PASSWORD</code>, <code>PASSWORD_SRP</code>,
+   *             <code>EMAIL_OTP</code>, <code>SMS_OTP</code>, and <code>WEB_AUTHN</code>.</p>
+   *                <p>Complete authentication in the <code>SELECT_CHALLENGE</code> response for
+   *             <code>PASSWORD</code>, <code>PASSWORD_SRP</code>, and <code>WEB_AUTHN</code>:</p>
+   *                <ul>
+   *                   <li>
+   *                      <p>
+   *                         <code>"ChallengeName": "SELECT_CHALLENGE", "ChallengeResponses": \{
+   *                   "ANSWER": "WEB_AUTHN",
+   *                   "USERNAME": "[username]",
+   *                   "CREDENTIAL": "[AuthenticationResponseJSON]"\}</code>
+   *                      </p>
+   *                      <p>See <a href="https://www.w3.org/TR/webauthn-3/#dictdef-authenticationresponsejson">
+   *                   AuthenticationResponseJSON</a>.</p>
+   *                   </li>
+   *                   <li>
+   *                      <p>
+   *                         <code>"ChallengeName": "SELECT_CHALLENGE", "ChallengeResponses": \{
+   *                   "ANSWER": "PASSWORD",
+   *                   "USERNAME": "[username]",
+   *                   "PASSWORD": "[password]"\}</code>
+   *                      </p>
+   *                   </li>
+   *                   <li>
+   *                      <p>
+   *                         <code>"ChallengeName": "SELECT_CHALLENGE", "ChallengeResponses": \{
+   *                   "ANSWER": "PASSWORD_SRP",
+   *                   "USERNAME": "[username]",
+   *                   "SRP_A": "[SRP_A]"\}</code>
+   *                      </p>
+   *                   </li>
+   *                </ul>
+   *                <p>For <code>SMS_OTP</code> and <code>EMAIL_OTP</code>, respond with the
+   *             username and answer. Your user pool will send a code for the user to submit in
+   *             the next challenge response.</p>
+   *                <ul>
+   *                   <li>
+   *                      <p>
+   *                         <code>"ChallengeName": "SELECT_CHALLENGE", "ChallengeResponses": \{
+   *                   "ANSWER": "SMS_OTP",
+   *                   "USERNAME": "[username]"\}</code>
+   *                      </p>
+   *                   </li>
+   *                   <li>
+   *                      <p>
+   *                         <code>"ChallengeName": "SELECT_CHALLENGE", "ChallengeResponses": \{
+   *                   "ANSWER": "EMAIL_OTP",
+   *                   "USERNAME": "[username]"\}</code>
+   *                      </p>
+   *                   </li>
+   *                </ul>
+   *             </dd>
+   *             <dt>SMS_OTP</dt>
+   *             <dd>
+   *                <p>
+   *                   <code>"ChallengeName": "SMS_OTP", "ChallengeResponses":
+   *             \{"SMS_OTP_CODE": "[code]", "USERNAME": "[username]"\}</code>
    *                </p>
    *             </dd>
    *             <dt>EMAIL_OTP</dt>
@@ -2997,6 +3437,13 @@ export interface AdminRespondToAuthChallengeRequest {
    *                     "[code]", "USERNAME": "[username]"\}</code>
    *                </p>
    *             </dd>
+   *             <dt>SMS_MFA</dt>
+   *             <dd>
+   *                <p>
+   *                   <code>"ChallengeName": "SMS_MFA", "ChallengeResponses": \{"SMS_MFA_CODE":
+   *                     "[code]", "USERNAME": "[username]"\}</code>
+   *                </p>
+   *             </dd>
    *             <dt>PASSWORD_VERIFIER</dt>
    *             <dd>
    *                <p>This challenge response is part of the SRP flow. Amazon Cognito requires
@@ -3296,6 +3743,7 @@ export class SoftwareTokenMFANotFoundException extends __BaseException {
  *             deactivates email MFA and sets it as the preferred MFA method when multiple methods are
  *             available. To activate this setting, <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-advanced-security.html">
  *                      advanced security features</a> must be active in your user pool.</p>
+ *          <p>This data type is a request parameter of <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SetUserMFAPreference.html">SetUserMFAPreference</a> and <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminSetUserMFAPreference.html">AdminSetUserMFAPreference</a>. </p>
  * @public
  */
 export interface EmailMfaSettingsType {
@@ -3315,12 +3763,11 @@ export interface EmailMfaSettingsType {
 }
 
 /**
- * <p>The type used for enabling SMS multi-factor authentication (MFA) at the user level.
- *             Phone numbers don't need to be verified to be used for SMS MFA. If an MFA type is
- *             activated for a user, the user will be prompted for MFA during all sign-in attempts,
- *             unless device tracking is turned on and the device has been trusted. If you would like
- *             MFA to be applied selectively based on the assessed risk level of sign-in attempts,
- *             deactivate MFA for users and turn on Adaptive Authentication for the user pool.</p>
+ * <p>A user's preference for using SMS message multi-factor authentication (MFA). Turns SMS
+ *             MFA on and off, and can set SMS as preferred when other MFA options are available. You
+ *             can't turn off SMS MFA for any of your users when MFA is required in your user pool; you
+ *             can only set the type that your user prefers. </p>
+ *          <p>This data type is a request parameter of <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SetUserMFAPreference.html">SetUserMFAPreference</a> and <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminSetUserMFAPreference.html">AdminSetUserMFAPreference</a>. </p>
  * @public
  */
 export interface SMSMfaSettingsType {
@@ -3333,18 +3780,20 @@ export interface SMSMfaSettingsType {
   Enabled?: boolean | undefined;
 
   /**
-   * <p>Specifies whether SMS is the preferred MFA method.</p>
+   * <p>Specifies whether SMS is the preferred MFA method. If true, your user pool prompts the
+   *             specified user for a code delivered by SMS message after username-password sign-in
+   *             succeeds. </p>
    * @public
    */
   PreferredMfa?: boolean | undefined;
 }
 
 /**
- * <p>The type used for enabling software token MFA at the user level. If an MFA type is
- *             activated for a user, the user will be prompted for MFA during all sign-in attempts,
- *             unless device tracking is turned on and the device has been trusted. If you want MFA to
- *             be applied selectively based on the assessed risk level of sign-in attempts, deactivate
- *             MFA for users and turn on Adaptive Authentication for the user pool.</p>
+ * <p>A user's preference for using time-based one-time password (TOTP) multi-factor
+ *             authentication (MFA). Turns TOTP MFA on and off, and can set TOTP as preferred when
+ *             other MFA options are available. You can't turn off TOTP MFA for any of your users when
+ *             MFA is required in your user pool; you can only set the type that your user prefers. </p>
+ *          <p>This data type is a request parameter of <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SetUserMFAPreference.html">SetUserMFAPreference</a> and <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminSetUserMFAPreference.html">AdminSetUserMFAPreference</a>. </p>
  * @public
  */
 export interface SoftwareTokenMfaSettingsType {
@@ -3615,12 +4064,12 @@ export interface AdminUpdateUserAttributesRequest {
    *             attribute. After your user receives and responds to a verification message to verify the
    *             new value, Amazon Cognito updates the attribute value. Your user can sign in and receive messages
    *             with the original attribute value until they verify the new value.</p>
-   *          <p>To update the value of an attribute that requires verification in the same API
-   *             request, include the <code>email_verified</code> or <code>phone_number_verified</code>
-   *             attribute, with a value of <code>true</code>. If you set the <code>email_verified</code>
-   *             or <code>phone_number_verified</code> value for an <code>email</code> or
-   *                 <code>phone_number</code> attribute that requires verification to <code>true</code>,
-   *             Amazon Cognito doesn’t send a verification message to your user.</p>
+   *          <p>To skip the verification message and update the value of an attribute that requires
+   *             verification in the same API request, include the <code>email_verified</code> or
+   *                 <code>phone_number_verified</code> attribute, with a value of <code>true</code>. If
+   *             you set the <code>email_verified</code> or <code>phone_number_verified</code> value for
+   *             an <code>email</code> or <code>phone_number</code> attribute that requires verification
+   *             to <code>true</code>, Amazon Cognito doesn’t send a verification message to your user.</p>
    * @public
    */
   UserAttributes: AttributeType[] | undefined;
@@ -3721,10 +4170,8 @@ export type AdvancedSecurityEnabledModeType =
  */
 export interface AdvancedSecurityAdditionalFlowsType {
   /**
-   * <p>The operating mode of advanced security features in custom authentication with
-   *             <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-challenge.html">
-   *                 Custom authentication challenge Lambda triggers</a>.
-   *         </p>
+   * <p>The operating mode of advanced security features in custom authentication with <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-challenge.html"> Custom
+   *                 authentication challenge Lambda triggers</a>. </p>
    * @public
    */
   CustomAuthMode?: AdvancedSecurityEnabledModeType | undefined;
@@ -3761,39 +4208,59 @@ export const AliasAttributeType = {
 export type AliasAttributeType = (typeof AliasAttributeType)[keyof typeof AliasAttributeType];
 
 /**
- * <p>The Amazon Pinpoint analytics configuration necessary to collect metrics for a user
- *             pool.</p>
- *          <note>
- *             <p>In Regions where Amazon Pinpoint isn't available, user pools only support sending
- *                 events to Amazon Pinpoint projects in us-east-1. In Regions where Amazon Pinpoint is available, user
- *                 pools support sending events to Amazon Pinpoint projects within that same Region.</p>
- *          </note>
+ * @public
+ * @enum
+ */
+export const AuthFactorType = {
+  EMAIL_OTP: "EMAIL_OTP",
+  PASSWORD: "PASSWORD",
+  SMS_OTP: "SMS_OTP",
+  WEB_AUTHN: "WEB_AUTHN",
+} as const;
+
+/**
+ * @public
+ */
+export type AuthFactorType = (typeof AuthFactorType)[keyof typeof AuthFactorType];
+
+/**
+ * <p>The settings for Amazon Pinpoint analytics configuration. With an analytics configuration,
+ *             your application can collect user-activity metrics for user notifications with a Amazon Pinpoint
+ *             campaign.</p>
+ *          <p>Amazon Pinpoint isn't available in all Amazon Web Services Regions. For a list of available Regions, see
+ *                 <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-pinpoint-integration.html#cognito-user-pools-find-region-mappings">Amazon Cognito and Amazon Pinpoint Region availability</a>.</p>
+ *          <p>This data type is a request parameter of <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPoolClient.html">CreateUserPoolClient</a> and <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPoolClient.html">UpdateUserPoolClient</a>, and a response parameter of
+ *                 <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPoolClient.html">DescribeUserPoolClient</a>.</p>
  * @public
  */
 export interface AnalyticsConfigurationType {
   /**
-   * <p>The application ID for an Amazon Pinpoint application.</p>
+   * <p>Your Amazon Pinpoint project ID.</p>
    * @public
    */
   ApplicationId?: string | undefined;
 
   /**
-   * <p>The Amazon Resource Name (ARN) of an Amazon Pinpoint project. You can use the Amazon Pinpoint project
-   *             to integrate with the chosen user pool Client. Amazon Cognito publishes events to the Amazon Pinpoint
-   *             project that the app ARN declares.</p>
+   * <p>The Amazon Resource Name (ARN) of an Amazon Pinpoint project that you want to connect to
+   *             your user pool app client. Amazon Cognito publishes events to the Amazon Pinpoint project that
+   *                 <code>ApplicationArn</code> declares. You can also configure your application to
+   *             pass an endpoint ID in the <code>AnalyticsMetadata</code> parameter of sign-in
+   *             operations. The endpoint ID is information about the destination for push
+   *             notifications</p>
    * @public
    */
   ApplicationArn?: string | undefined;
 
   /**
-   * <p>The ARN of an Identity and Access Management role that authorizes Amazon Cognito to publish events to Amazon Pinpoint
-   *             analytics.</p>
+   * <p>The ARN of an Identity and Access Management role that has the permissions required for Amazon Cognito to publish
+   *             events to Amazon Pinpoint analytics.</p>
    * @public
    */
   RoleArn?: string | undefined;
 
   /**
-   * <p>The external ID.</p>
+   * <p>The <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html">external ID</a> of the role that Amazon Cognito assumes to send
+   *             analytics data to Amazon Pinpoint.</p>
    * @public
    */
   ExternalId?: string | undefined;
@@ -3806,6 +4273,107 @@ export interface AnalyticsConfigurationType {
   UserDataShared?: boolean | undefined;
 }
 
+/**
+ * @public
+ * @enum
+ */
+export const AssetCategoryType = {
+  AUTH_APP_GRAPHIC: "AUTH_APP_GRAPHIC",
+  EMAIL_GRAPHIC: "EMAIL_GRAPHIC",
+  FAVICON_ICO: "FAVICON_ICO",
+  FAVICON_SVG: "FAVICON_SVG",
+  FORM_BACKGROUND: "FORM_BACKGROUND",
+  FORM_LOGO: "FORM_LOGO",
+  IDP_BUTTON_ICON: "IDP_BUTTON_ICON",
+  PAGE_BACKGROUND: "PAGE_BACKGROUND",
+  PAGE_FOOTER_BACKGROUND: "PAGE_FOOTER_BACKGROUND",
+  PAGE_FOOTER_LOGO: "PAGE_FOOTER_LOGO",
+  PAGE_HEADER_BACKGROUND: "PAGE_HEADER_BACKGROUND",
+  PAGE_HEADER_LOGO: "PAGE_HEADER_LOGO",
+  PASSKEY_GRAPHIC: "PASSKEY_GRAPHIC",
+  PASSWORD_GRAPHIC: "PASSWORD_GRAPHIC",
+  SMS_GRAPHIC: "SMS_GRAPHIC",
+} as const;
+
+/**
+ * @public
+ */
+export type AssetCategoryType = (typeof AssetCategoryType)[keyof typeof AssetCategoryType];
+
+/**
+ * @public
+ * @enum
+ */
+export const AssetExtensionType = {
+  ICO: "ICO",
+  JPEG: "JPEG",
+  PNG: "PNG",
+  SVG: "SVG",
+  WEBP: "WEBP",
+} as const;
+
+/**
+ * @public
+ */
+export type AssetExtensionType = (typeof AssetExtensionType)[keyof typeof AssetExtensionType];
+
+/**
+ * @public
+ * @enum
+ */
+export const ColorSchemeModeType = {
+  DARK: "DARK",
+  DYNAMIC: "DYNAMIC",
+  LIGHT: "LIGHT",
+} as const;
+
+/**
+ * @public
+ */
+export type ColorSchemeModeType = (typeof ColorSchemeModeType)[keyof typeof ColorSchemeModeType];
+
+/**
+ * <p>An image file from a managed login branding style in a user pool.</p>
+ *          <p>This data type is a request parameter of <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateManagedLoginBranding.html">CreateManagedLoginBranding</a> and <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateManagedLoginBranding.html">UpdateManagedLoginBranding</a>, and a response parameter of
+ *                 <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeManagedLoginBranding.html">DescribeManagedLoginBranding</a>.</p>
+ * @public
+ */
+export interface AssetType {
+  /**
+   * <p>The category that the image corresponds to in your managed login configuration.
+   *             Managed login has asset categories for different types of logos, backgrounds, and
+   *             icons.</p>
+   * @public
+   */
+  Category: AssetCategoryType | undefined;
+
+  /**
+   * <p>The display-mode target of the asset: light, dark, or browser-adaptive. For example,
+   *             Amazon Cognito displays a dark-mode image only when the browser or application is in dark mode,
+   *             but displays a browser-adaptive file in all contexts.</p>
+   * @public
+   */
+  ColorMode: ColorSchemeModeType | undefined;
+
+  /**
+   * <p>The file type of the image file.</p>
+   * @public
+   */
+  Extension: AssetExtensionType | undefined;
+
+  /**
+   * <p>The image file, in Base64-encoded binary.</p>
+   * @public
+   */
+  Bytes?: Uint8Array | undefined;
+
+  /**
+   * <p>The ID of the asset.</p>
+   * @public
+   */
+  ResourceId?: string | undefined;
+}
+
 /**
  * @public
  */
@@ -3906,10 +4474,12 @@ export type VerifiedAttributeType = (typeof VerifiedAttributeType)[keyof typeof
  */
 export interface ChangePasswordRequest {
   /**
-   * <p>The old password.</p>
+   * <p>The user's previous password. Required if the user has a password. If the user
+   *             has no password and only signs in with passwordless authentication options, you can omit
+   *             this parameter.</p>
    * @public
    */
-  PreviousPassword: string | undefined;
+  PreviousPassword?: string | undefined;
 
   /**
    * <p>The new password.</p>
@@ -3932,98 +4502,251 @@ export interface ChangePasswordRequest {
 export interface ChangePasswordResponse {}
 
 /**
- * <p>The device verifier against which it is authenticated.</p>
  * @public
  */
-export interface DeviceSecretVerifierConfigType {
+export interface CompleteWebAuthnRegistrationRequest {
   /**
-   * <p>The password verifier.</p>
+   * <p>A valid access token that Amazon Cognito issued to the user whose passkey registration you want
+   *             to verify.</p>
    * @public
    */
-  PasswordVerifier?: string | undefined;
+  AccessToken: string | undefined;
 
   /**
-   * <p>The <a href="https://en.wikipedia.org/wiki/Salt_(cryptography)">salt</a>
-   *          </p>
+   * <p>A <a href="https://www.w3.org/TR/webauthn-3/#dictdef-registrationresponsejson">RegistrationResponseJSON</a> public-key credential response from the
+   *             user's passkey provider.</p>
    * @public
    */
-  Salt?: string | undefined;
+  Credential: __DocumentType | undefined;
 }
 
 /**
- * <p>Confirms the device request.</p>
  * @public
  */
-export interface ConfirmDeviceRequest {
-  /**
-   * <p>A valid access token that Amazon Cognito issued to the user whose device you want to
-   *             confirm.</p>
-   * @public
-   */
-  AccessToken: string | undefined;
-
-  /**
-   * <p>The device key.</p>
-   * @public
-   */
-  DeviceKey: string | undefined;
+export interface CompleteWebAuthnRegistrationResponse {}
 
+/**
+ * <p>This exception is thrown when the challenge from <code>StartWebAuthn</code>
+ *             registration has expired.</p>
+ * @public
+ */
+export class WebAuthnChallengeNotFoundException extends __BaseException {
+  readonly name: "WebAuthnChallengeNotFoundException" = "WebAuthnChallengeNotFoundException";
+  readonly $fault: "client" = "client";
   /**
-   * <p>The configuration of the device secret verifier.</p>
-   * @public
+   * @internal
    */
-  DeviceSecretVerifierConfig?: DeviceSecretVerifierConfigType | undefined;
+  constructor(opts: __ExceptionOptionType<WebAuthnChallengeNotFoundException, __BaseException>) {
+    super({
+      name: "WebAuthnChallengeNotFoundException",
+      $fault: "client",
+      ...opts,
+    });
+    Object.setPrototypeOf(this, WebAuthnChallengeNotFoundException.prototype);
+  }
+}
 
+/**
+ * <p>This exception is thrown when the access token is for a different client than the one
+ *             in the original <code>StartWebAuthnRegistration</code> request.</p>
+ * @public
+ */
+export class WebAuthnClientMismatchException extends __BaseException {
+  readonly name: "WebAuthnClientMismatchException" = "WebAuthnClientMismatchException";
+  readonly $fault: "client" = "client";
   /**
-   * <p>The device name.</p>
-   * @public
+   * @internal
    */
-  DeviceName?: string | undefined;
+  constructor(opts: __ExceptionOptionType<WebAuthnClientMismatchException, __BaseException>) {
+    super({
+      name: "WebAuthnClientMismatchException",
+      $fault: "client",
+      ...opts,
+    });
+    Object.setPrototypeOf(this, WebAuthnClientMismatchException.prototype);
+  }
 }
 
 /**
- * <p>Confirms the device response.</p>
+ * <p>This exception is thrown when a user presents passkey credentials from an unsupported
+ *             device or provider.</p>
  * @public
  */
-export interface ConfirmDeviceResponse {
+export class WebAuthnCredentialNotSupportedException extends __BaseException {
+  readonly name: "WebAuthnCredentialNotSupportedException" = "WebAuthnCredentialNotSupportedException";
+  readonly $fault: "client" = "client";
   /**
-   * <p>Indicates whether the user confirmation must confirm the device response.</p>
-   * @public
+   * @internal
    */
-  UserConfirmationNecessary?: boolean | undefined;
+  constructor(opts: __ExceptionOptionType<WebAuthnCredentialNotSupportedException, __BaseException>) {
+    super({
+      name: "WebAuthnCredentialNotSupportedException",
+      $fault: "client",
+      ...opts,
+    });
+    Object.setPrototypeOf(this, WebAuthnCredentialNotSupportedException.prototype);
+  }
 }
 
 /**
- * <p>Contextual data, such as the user's device fingerprint, IP address, or location, used
- *             for evaluating the risk of an unexpected event by Amazon Cognito advanced security.</p>
+ * <p>This exception is thrown when the passkey feature isn't enabled for the user
+ *             pool.</p>
  * @public
  */
-export interface UserContextDataType {
+export class WebAuthnNotEnabledException extends __BaseException {
+  readonly name: "WebAuthnNotEnabledException" = "WebAuthnNotEnabledException";
+  readonly $fault: "client" = "client";
   /**
-   * <p>The source IP address of your user's device.</p>
-   * @public
+   * @internal
    */
-  IpAddress?: string | undefined;
+  constructor(opts: __ExceptionOptionType<WebAuthnNotEnabledException, __BaseException>) {
+    super({
+      name: "WebAuthnNotEnabledException",
+      $fault: "client",
+      ...opts,
+    });
+    Object.setPrototypeOf(this, WebAuthnNotEnabledException.prototype);
+  }
+}
 
+/**
+ * <p>This exception is thrown when the passkey credential's registration origin does not
+ *             align with the user pool relying party id.</p>
+ * @public
+ */
+export class WebAuthnOriginNotAllowedException extends __BaseException {
+  readonly name: "WebAuthnOriginNotAllowedException" = "WebAuthnOriginNotAllowedException";
+  readonly $fault: "client" = "client";
   /**
-   * <p>Encoded device-fingerprint details that your app collected with the Amazon Cognito
-   *             context data collection library. For more information, see <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-adaptive-authentication.html#user-pool-settings-adaptive-authentication-device-fingerprint">Adding user device and session data to API requests</a>.</p>
-   * @public
+   * @internal
    */
-  EncodedData?: string | undefined;
+  constructor(opts: __ExceptionOptionType<WebAuthnOriginNotAllowedException, __BaseException>) {
+    super({
+      name: "WebAuthnOriginNotAllowedException",
+      $fault: "client",
+      ...opts,
+    });
+    Object.setPrototypeOf(this, WebAuthnOriginNotAllowedException.prototype);
+  }
 }
 
 /**
- * <p>The request representing the confirmation for a password reset.</p>
+ * <p>This exception is thrown when the given passkey credential is associated with a
+ *             different relying party ID than the user pool relying party ID.</p>
  * @public
  */
-export interface ConfirmForgotPasswordRequest {
+export class WebAuthnRelyingPartyMismatchException extends __BaseException {
+  readonly name: "WebAuthnRelyingPartyMismatchException" = "WebAuthnRelyingPartyMismatchException";
+  readonly $fault: "client" = "client";
   /**
-   * <p>The app client ID of the app associated with the user pool.</p>
-   * @public
+   * @internal
    */
-  ClientId: string | undefined;
-
+  constructor(opts: __ExceptionOptionType<WebAuthnRelyingPartyMismatchException, __BaseException>) {
+    super({
+      name: "WebAuthnRelyingPartyMismatchException",
+      $fault: "client",
+      ...opts,
+    });
+    Object.setPrototypeOf(this, WebAuthnRelyingPartyMismatchException.prototype);
+  }
+}
+
+/**
+ * <p>A Secure Remote Password (SRP) value that your application generates when you register
+ *             a user's device. For more information, see <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-device-tracking.html#user-pools-remembered-devices-getting-a-device-key">Getting a device key</a>.</p>
+ *          <p>This data type is a request parameter of <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_ConfirmDevice.html">ConfirmDevice</a>.</p>
+ * @public
+ */
+export interface DeviceSecretVerifierConfigType {
+  /**
+   * <p>A password verifier for a user's device. Used in SRP authentication.</p>
+   * @public
+   */
+  PasswordVerifier?: string | undefined;
+
+  /**
+   * <p>The salt that you want to use in SRP authentication with the user's device.</p>
+   * @public
+   */
+  Salt?: string | undefined;
+}
+
+/**
+ * <p>Confirms the device request.</p>
+ * @public
+ */
+export interface ConfirmDeviceRequest {
+  /**
+   * <p>A valid access token that Amazon Cognito issued to the user whose device you want to
+   *             confirm.</p>
+   * @public
+   */
+  AccessToken: string | undefined;
+
+  /**
+   * <p>The device key.</p>
+   * @public
+   */
+  DeviceKey: string | undefined;
+
+  /**
+   * <p>The configuration of the device secret verifier.</p>
+   * @public
+   */
+  DeviceSecretVerifierConfig?: DeviceSecretVerifierConfigType | undefined;
+
+  /**
+   * <p>The device name.</p>
+   * @public
+   */
+  DeviceName?: string | undefined;
+}
+
+/**
+ * <p>Confirms the device response.</p>
+ * @public
+ */
+export interface ConfirmDeviceResponse {
+  /**
+   * <p>Indicates whether the user confirmation must confirm the device response.</p>
+   * @public
+   */
+  UserConfirmationNecessary?: boolean | undefined;
+}
+
+/**
+ * <p>Contextual data, such as the user's device fingerprint, IP address, or location, used
+ *             for evaluating the risk of an unexpected event by Amazon Cognito advanced security.</p>
+ *          <p>This data type is a request parameter of public-client authentication operations like
+ *                 <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_InitiateAuth.html">InitiateAuth</a> and <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_RespondToAuthChallenge.html">RespondToAuthChallenge</a>.</p>
+ * @public
+ */
+export interface UserContextDataType {
+  /**
+   * <p>The source IP address of your user's device.</p>
+   * @public
+   */
+  IpAddress?: string | undefined;
+
+  /**
+   * <p>Encoded device-fingerprint details that your app collected with the Amazon Cognito
+   *             context data collection library. For more information, see <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-adaptive-authentication.html#user-pool-settings-adaptive-authentication-device-fingerprint">Adding user device and session data to API requests</a>.</p>
+   * @public
+   */
+  EncodedData?: string | undefined;
+}
+
+/**
+ * <p>The request representing the confirmation for a password reset.</p>
+ * @public
+ */
+export interface ConfirmForgotPasswordRequest {
+  /**
+   * <p>The app client ID of the app associated with the user pool.</p>
+   * @public
+   */
+  ClientId: string | undefined;
+
   /**
    * <p>A keyed-hash message authentication code (HMAC) calculated using the secret key of a
    *             user pool client and username plus the client ID in the message. For more information
@@ -4209,13 +4932,30 @@ export interface ConfirmSignUpRequest {
    * @public
    */
   ClientMetadata?: Record<string, string> | undefined;
+
+  /**
+   * <p>The optional session ID from a <code>SignUp</code> API request. You can sign in a user
+   *             directly from the sign-up process with the <code>USER_AUTH</code> authentication
+   *             flow.</p>
+   * @public
+   */
+  Session?: string | undefined;
 }
 
 /**
  * <p>Represents the response from the server for the registration confirmation.</p>
  * @public
  */
-export interface ConfirmSignUpResponse {}
+export interface ConfirmSignUpResponse {
+  /**
+   * <p>You can automatically sign users in with the one-time password that they provided in a
+   *             successful <code>ConfirmSignUp</code> request. To do this, pass the <code>Session</code>
+   *             parameter from the <code>ConfirmSignUp</code> response in the <code>Session</code>
+   *             parameter of an <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_InitiateAuth.html">InitiateAuth</a> or <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminInitiateAuth.html">AdminInitiateAuth</a> request.</p>
+   * @public
+   */
+  Session?: string | undefined;
+}
 
 /**
  * @public
@@ -4476,24 +5216,27 @@ export interface CreateIdentityProviderRequest {
 }
 
 /**
- * <p>A container for information about an IdP.</p>
+ * <p>A user pool identity provider (IdP). Contains information about a third-party IdP to a
+ *             user pool, the attributes that it populates to user profiles, and the trust relationship
+ *             between the IdP and your user pool.</p>
+ *          <p>This data type is a response parameter of <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateIdentityProvider.html">CreateIdentityProvider</a>, <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeIdentityProvider.html">DescribeIdentityProvider</a>, <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_GetIdentityProviderByIdentifier.html">GetIdentityProviderByIdentifier</a>, and <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateIdentityProvider.html">UpdateIdentityProvider</a>.</p>
  * @public
  */
 export interface IdentityProviderType {
   /**
-   * <p>The user pool ID.</p>
+   * <p>The ID of the user pool associated with the IdP.</p>
    * @public
    */
   UserPoolId?: string | undefined;
 
   /**
-   * <p>The IdP name.</p>
+   * <p>A friendly name for the IdP.</p>
    * @public
    */
   ProviderName?: string | undefined;
 
   /**
-   * <p>The IdP type.</p>
+   * <p>The type of IdP. Either SAML, OIDC, or a named social identity provider.</p>
    * @public
    */
   ProviderType?: IdentityProviderTypeType | undefined;
@@ -4629,7 +5372,11 @@ export interface IdentityProviderType {
   AttributeMapping?: Record<string, string> | undefined;
 
   /**
-   * <p>A list of IdP identifiers.</p>
+   * <p>A list of IdP identifiers. IdP identifiers are strings that represent friendly names
+   *             or domain names of IdPs, for example <code>MyIdP</code> or
+   *             <code>auth.example.com</code>. You can choose to route user authorization requests to
+   *             the right IdP with either IdP identifiers or IdP names. For more information, see
+   *                 <code>identity_provider</code> and <code>idp_identifier</code> at <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/authorization-endpoint.html#get-authorize-request-parameters">Authorize endpoint</a>.</p>
    * @public
    */
   IdpIdentifiers?: string[] | undefined;
@@ -4682,18 +5429,156 @@ export class DuplicateProviderException extends __BaseException {
 }
 
 /**
- * <p>A resource server scope.</p>
+ * @public
+ */
+export interface CreateManagedLoginBrandingRequest {
+  /**
+   * <p>The ID of the user pool where you want to create a new branding style.</p>
+   * @public
+   */
+  UserPoolId: string | undefined;
+
+  /**
+   * <p>The app client that you want to create the branding style for. Each style is
+   *             permanently linked to an app client. To change the style for an app client, delete the
+   *             existing style with <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DeleteManagedLoginBranding.html">DeleteManagedLoginBranding</a> and create a new one.</p>
+   * @public
+   */
+  ClientId: string | undefined;
+
+  /**
+   * <p>When true, applies the default branding style options. This option reverts to default
+   *             style options that are managed by Amazon Cognito. You can modify them later in the branding
+   *             designer.</p>
+   *          <p>When you specify <code>true</code> for this option, you must also omit values for
+   *                 <code>Settings</code> and <code>Assets</code> in the request.</p>
+   * @public
+   */
+  UseCognitoProvidedValues?: boolean | undefined;
+
+  /**
+   * <p>A JSON file, encoded as a <code>Document</code> type, with the the settings that you
+   *             want to apply to your style.</p>
+   * @public
+   */
+  Settings?: __DocumentType | undefined;
+
+  /**
+   * <p>An array of image files that you want to apply to roles like backgrounds, logos, and
+   *             icons. Each object must also indicate whether it is for dark mode, light mode, or
+   *             browser-adaptive mode.</p>
+   * @public
+   */
+  Assets?: AssetType[] | undefined;
+}
+
+/**
+ * <p>A managed login branding style that's assigned to a user pool app client.</p>
+ *          <p>This data type is a response parameter of <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateManagedLoginBranding.html">CreateManagedLoginBranding</a>, <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateManagedLoginBranding.html">UpdateManagedLoginBranding</a>, <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeManagedLoginBranding.html">DescribeManagedLoginBranding</a>, and <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeManagedLoginBrandingByClient.html">DescribeManagedLoginBrandingByClient</a>.</p>
+ * @public
+ */
+export interface ManagedLoginBrandingType {
+  /**
+   * <p>The ID of the managed login branding style.</p>
+   * @public
+   */
+  ManagedLoginBrandingId?: string | undefined;
+
+  /**
+   * <p>The user pool where the branding style is assigned.</p>
+   * @public
+   */
+  UserPoolId?: string | undefined;
+
+  /**
+   * <p>When true, applies the default branding style options. This option reverts to a
+   *             "blank" style that you can modify later in the branding designer.</p>
+   * @public
+   */
+  UseCognitoProvidedValues?: boolean | undefined;
+
+  /**
+   * <p>A JSON file, encoded as a <code>Document</code> type, with the the settings that you
+   *             want to apply to your style.</p>
+   * @public
+   */
+  Settings?: __DocumentType | undefined;
+
+  /**
+   * <p>An array of image files that you want to apply to roles like backgrounds, logos, and
+   *             icons. Each object must also indicate whether it is for dark mode, light mode, or
+   *             browser-adaptive mode.</p>
+   * @public
+   */
+  Assets?: AssetType[] | undefined;
+
+  /**
+   * <p>The date and time when the item was created. Amazon Cognito returns this timestamp in UNIX epoch time format. Your SDK might render the output in a
+   * human-readable format like ISO 8601 or a Java <code>Date</code> object.</p>
+   * @public
+   */
+  CreationDate?: Date | undefined;
+
+  /**
+   * <p>The date and time when the item was modified. Amazon Cognito returns this timestamp in UNIX epoch time format. Your SDK might render the output in a
+   * human-readable format like ISO 8601 or a Java <code>Date</code> object.</p>
+   * @public
+   */
+  LastModifiedDate?: Date | undefined;
+}
+
+/**
+ * @public
+ */
+export interface CreateManagedLoginBrandingResponse {
+  /**
+   * <p>The details of the branding style that you created.</p>
+   * @public
+   */
+  ManagedLoginBranding?: ManagedLoginBrandingType | undefined;
+}
+
+/**
+ * <p>This exception is thrown when you attempt to apply a managed login branding style to
+ *             an app client that already has an assigned style.</p>
+ * @public
+ */
+export class ManagedLoginBrandingExistsException extends __BaseException {
+  readonly name: "ManagedLoginBrandingExistsException" = "ManagedLoginBrandingExistsException";
+  readonly $fault: "client" = "client";
+  /**
+   * @internal
+   */
+  constructor(opts: __ExceptionOptionType<ManagedLoginBrandingExistsException, __BaseException>) {
+    super({
+      name: "ManagedLoginBrandingExistsException",
+      $fault: "client",
+      ...opts,
+    });
+    Object.setPrototypeOf(this, ManagedLoginBrandingExistsException.prototype);
+  }
+}
+
+/**
+ * <p>One custom scope associated with a user pool resource server. This data type is a
+ *             member of <code>ResourceServerScopeType</code>. For more information, see <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-define-resource-servers.html">
+ *                 Scopes, M2M, and API authorization with resource servers</a>. </p>
+ *          <p>This data type is a request parameter of <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateResourceServer.html">CreateResourceServer</a> and a response parameter of <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeResourceServer.html">DescribeResourceServer</a>. </p>
  * @public
  */
 export interface ResourceServerScopeType {
   /**
-   * <p>The name of the scope.</p>
+   * <p>The name of the scope. Amazon Cognito renders custom scopes in the format
+   *                 <code>resourceServerIdentifier/ScopeName</code>. For example, if this parameter is
+   *                 <code>exampleScope</code> in the resource server with the identifier
+   *                 <code>exampleResourceServer</code>, you request and receive the scope
+   *                 <code>exampleResourceServer/exampleScope</code>.</p>
    * @public
    */
   ScopeName: string | undefined;
 
   /**
-   * <p>A description of the scope.</p>
+   * <p>A friendly description of a custom scope.</p>
    * @public
    */
   ScopeDescription: string | undefined;
@@ -4735,12 +5620,14 @@ export interface CreateResourceServerRequest {
 }
 
 /**
- * <p>A container for information about a resource server for a user pool.</p>
+ * <p>The details of a resource server configuration and associated custom scopes in a user
+ *             pool.</p>
+ *          <p>This data type is a request parameter of <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateResourceServer.html">CreateResourceServer</a> and a response parameter of <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeResourceServer.html">DescribeResourceServer</a>. </p>
  * @public
  */
 export interface ResourceServerType {
   /**
-   * <p>The user pool ID for the user pool that hosts the resource server.</p>
+   * <p>The ID of the user pool that contains the resource server configuration.</p>
    * @public
    */
   UserPoolId?: string | undefined;
@@ -4825,30 +5712,32 @@ export const UserImportJobStatusType = {
 export type UserImportJobStatusType = (typeof UserImportJobStatusType)[keyof typeof UserImportJobStatusType];
 
 /**
- * <p>The user import job type.</p>
+ * <p>A user import job in a user pool. Describes the status of user import with a CSV file.
+ *             For more information, see <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-using-import-tool.html">Importing users into user pools from a CSV file</a>.</p>
+ *          <p>This data type is a request parameter of <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserImportJob.html">CreateUserImportJob</a>, <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserImportJob.html">DescribeUserImportJob</a>, <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_ListUserImportJobs.html">ListUserImportJobs</a>, <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_StartUserImportJob.html">StartUserImportJob</a>, and <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_StopUserImportJob.html">StopUserImportJob</a>.</p>
  * @public
  */
 export interface UserImportJobType {
   /**
-   * <p>The job name for the user import job.</p>
+   * <p>The friendly name of the user import job.</p>
    * @public
    */
   JobName?: string | undefined;
 
   /**
-   * <p>The job ID for the user import job.</p>
+   * <p>The ID of the user import job.</p>
    * @public
    */
   JobId?: string | undefined;
 
   /**
-   * <p>The user pool ID for the user pool that the users are being imported into.</p>
+   * <p>The ID of the user pool that the users are being imported into.</p>
    * @public
    */
   UserPoolId?: string | undefined;
 
   /**
-   * <p>The pre-signed URL to be used to upload the <code>.csv</code> file.</p>
+   * <p>The pre-signed URL target for uploading the CSV file.</p>
    * @public
    */
   PreSignedUrl?: string | undefined;
@@ -4995,6 +5884,7 @@ export type DeletionProtectionType = (typeof DeletionProtectionType)[keyof typeo
  *          <note>
  *             <p>When you provide a value for any property of <code>DeviceConfiguration</code>, you
  *                 activate the device remembering for the user pool.</p>
+ *             <p>This data type is a request and response parameter of <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html">CreateUserPool</a> and <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html">UpdateUserPool</a>, and a response parameter of <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html">DescribeUserPool</a>.</p>
  *          </note>
  * @public
  */
@@ -5049,6 +5939,8 @@ export type EmailSendingAccountType = (typeof EmailSendingAccountType)[keyof typ
  *                 you created your user pool, and in alternate Regions in some cases. For more
  *                 information on the supported Regions, see <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-email.html">Email settings for Amazon Cognito user pools</a>.</p>
  *          </note>
+ *          <p>This data type is a request parameter of <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html">CreateUserPool</a>, <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html">UpdateUserPool</a>, and <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SetUserPoolMfaConfig.html">SetUserPoolMfaConfig</a>, and a response parameter of
+ *                 <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html">CreateUserPool</a>, <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html">UpdateUserPool</a>, and <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_GetUserPoolMfaConfig.html">GetUserPoolMfaConfig</a>.</p>
  * @public
  */
 export interface EmailConfigurationType {
@@ -5177,6 +6069,7 @@ export type CustomEmailSenderLambdaVersionType =
 
 /**
  * <p>The properties of a custom email sender Lambda trigger.</p>
+ *          <p>This data type is a request and response parameter of <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html">CreateUserPool</a> and <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html">UpdateUserPool</a>, and a response parameter of <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html">DescribeUserPool</a>.</p>
  * @public
  */
 export interface CustomEmailLambdaVersionConfigType {
@@ -5211,6 +6104,7 @@ export type CustomSMSSenderLambdaVersionType =
 
 /**
  * <p>The properties of a custom SMS sender Lambda trigger.</p>
+ *          <p>This data type is a request and response parameter of <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html">CreateUserPool</a> and <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html">UpdateUserPool</a>, and a response parameter of <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html">DescribeUserPool</a>.</p>
  * @public
  */
 export interface CustomSMSLambdaVersionConfigType {
@@ -5246,6 +6140,7 @@ export type PreTokenGenerationLambdaVersionType =
 
 /**
  * <p>The properties of a pre token generation Lambda trigger.</p>
+ *          <p>This data type is a request and response parameter of <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html">CreateUserPool</a> and <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html">UpdateUserPool</a>, and a response parameter of <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html">DescribeUserPool</a>.</p>
  * @public
  */
 export interface PreTokenGenerationVersionConfigType {
@@ -5266,100 +6161,119 @@ export interface PreTokenGenerationVersionConfigType {
 }
 
 /**
- * <p>Specifies the configuration for Lambda triggers.</p>
+ * <p>A collection of user pool Lambda triggers. Amazon Cognito invokes triggers at several possible
+ *             stages of user pool operations. Triggers can modify the outcome of the operations that
+ *             invoked them.</p>
+ *          <p>This data type is a request and response parameter of <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html">CreateUserPool</a> and <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html">UpdateUserPool</a>, and a response parameter of <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html">DescribeUserPool</a>.</p>
  * @public
  */
 export interface LambdaConfigType {
   /**
-   * <p>A pre-registration Lambda trigger.</p>
+   * <p>The configuration of a <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-sign-up.html">pre sign-up Lambda trigger</a> in a user pool. This trigger
+   *             evaluates new users and can bypass confirmation, <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-identity-federation-consolidate-users.html">link a federated user profile</a>, or block sign-up
+   *             requests.</p>
    * @public
    */
   PreSignUp?: string | undefined;
 
   /**
-   * <p>A custom Message Lambda trigger.</p>
+   * <p>A custom message Lambda trigger. This trigger is an opportunity to customize all SMS
+   *             and email messages from your user pool. When a custom message trigger is active, your
+   *             user pool routes all messages to a Lambda function that returns a runtime-customized
+   *             message subject and body for your user pool to deliver to a user.</p>
    * @public
    */
   CustomMessage?: string | undefined;
 
   /**
-   * <p>A post-confirmation Lambda trigger.</p>
+   * <p>The configuration of a <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-post-confirmation.html">post confirmation Lambda trigger</a> in a user pool. This
+   *             trigger can take custom actions after a user confirms their user account and their email
+   *             address or phone number.</p>
    * @public
    */
   PostConfirmation?: string | undefined;
 
   /**
-   * <p>A pre-authentication Lambda trigger.</p>
+   * <p>The configuration of a <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-authentication.html">pre authentication trigger</a> in a user pool. This trigger
+   *             can evaluate and modify user sign-in events.</p>
    * @public
    */
   PreAuthentication?: string | undefined;
 
   /**
-   * <p>A post-authentication Lambda trigger.</p>
+   * <p>The configuration of a <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-post-authentication.html">post authentication Lambda trigger</a> in a user pool. This
+   *             trigger can take custom actions after a user signs in.</p>
    * @public
    */
   PostAuthentication?: string | undefined;
 
   /**
-   * <p>Defines the authentication challenge.</p>
+   * <p>The configuration of a define auth challenge Lambda trigger, one of three triggers in
+   *             the sequence of the <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-challenge.html">custom authentication challenge triggers</a>.</p>
    * @public
    */
   DefineAuthChallenge?: string | undefined;
 
   /**
-   * <p>Creates an authentication challenge.</p>
+   * <p>The configuration of a create auth challenge Lambda trigger, one of three triggers in
+   *             the sequence of the <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-challenge.html">custom authentication challenge triggers</a>.</p>
    * @public
    */
   CreateAuthChallenge?: string | undefined;
 
   /**
-   * <p>Verifies the authentication challenge response.</p>
+   * <p>The configuration of a verify auth challenge Lambda trigger, one of three triggers in
+   *             the sequence of the <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-challenge.html">custom authentication challenge triggers</a>.</p>
    * @public
    */
   VerifyAuthChallengeResponse?: string | undefined;
 
   /**
-   * <p>The Amazon Resource Name (ARN) of the function that you want to assign to your Lambda trigger.</p>
+   * <p>The legacy configuration of a <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-token-generation.html">pre token generation Lambda trigger</a> in a user
+   *             pool.</p>
    *          <p>Set this parameter for legacy purposes. If you also set an ARN in
    *                 <code>PreTokenGenerationConfig</code>, its value must be identical to
    *                 <code>PreTokenGeneration</code>. For new instances of pre token generation triggers,
    *             set the <code>LambdaArn</code> of <code>PreTokenGenerationConfig</code>.</p>
-   *          <p>You can set <code></code>
-   *          </p>
    * @public
    */
   PreTokenGeneration?: string | undefined;
 
   /**
-   * <p>The user migration Lambda config type.</p>
+   * <p>The configuration of a <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-migrate-user.html">migrate user Lambda trigger</a> in a user pool. This trigger
+   *             can create user profiles when users sign in or attempt to reset their password with
+   *             credentials that don't exist yet.</p>
    * @public
    */
   UserMigration?: string | undefined;
 
   /**
-   * <p>The detailed configuration of a pre token generation trigger. If you also set an ARN
-   *             in <code>PreTokenGeneration</code>, its value must be identical to
+   * <p>The detailed configuration of a <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-token-generation.html">pre token generation Lambda trigger</a> in a user pool. If
+   *             you also set an ARN in <code>PreTokenGeneration</code>, its value must be identical to
    *                 <code>PreTokenGenerationConfig</code>.</p>
    * @public
    */
   PreTokenGenerationConfig?: PreTokenGenerationVersionConfigType | undefined;
 
   /**
-   * <p>A custom SMS sender Lambda trigger.</p>
+   * <p>The configuration of a custom SMS sender Lambda trigger. This trigger routes all SMS
+   *             notifications from a user pool to a Lambda function that delivers the message using
+   *             custom logic.</p>
    * @public
    */
   CustomSMSSender?: CustomSMSLambdaVersionConfigType | undefined;
 
   /**
-   * <p>A custom email sender Lambda trigger.</p>
+   * <p>The configuration of a custom email sender Lambda trigger. This trigger routes all
+   *             email notifications from a user pool to a Lambda function that delivers the message using
+   *             custom logic.</p>
    * @public
    */
   CustomEmailSender?: CustomEmailLambdaVersionConfigType | undefined;
 
   /**
-   * <p>The Amazon Resource Name (ARN) of an <a href="/kms/latest/developerguide/concepts.html#master_keys">KMS key</a>. Amazon Cognito
-   *             uses the key to encrypt codes and temporary passwords sent to
-   *                 <code>CustomEmailSender</code> and <code>CustomSMSSender</code>.</p>
+   * <p>The ARN of an <a href="https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#master_keys">KMS key</a>. Amazon Cognito uses the key to encrypt codes and temporary passwords sent to
+   *             custom sender Lambda triggers.</p>
    * @public
    */
   KMSKeyID?: string | undefined;
@@ -5381,7 +6295,9 @@ export const UserPoolMfaType = {
 export type UserPoolMfaType = (typeof UserPoolMfaType)[keyof typeof UserPoolMfaType];
 
 /**
- * <p>The password policy type.</p>
+ * <p>The password policy settings for a user pool, including complexity, history, and
+ *             length requirements.</p>
+ *          <p>This data type is a request and response parameter of <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html">CreateUserPool</a> and <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html">UpdateUserPool</a>, and a response parameter of <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html">DescribeUserPool</a>.</p>
  * @public
  */
 export interface PasswordPolicyType {
@@ -5393,29 +6309,29 @@ export interface PasswordPolicyType {
   MinimumLength?: number | undefined;
 
   /**
-   * <p>In the password policy that you have set, refers to whether you have required users to
-   *             use at least one uppercase letter in their password.</p>
+   * <p>The requirement in a password policy that users must include at least one uppercase
+   *             letter in their password.</p>
    * @public
    */
   RequireUppercase?: boolean | undefined;
 
   /**
-   * <p>In the password policy that you have set, refers to whether you have required users to
-   *             use at least one lowercase letter in their password.</p>
+   * <p>The requirement in a password policy that users must include at least one lowercase
+   *             letter in their password.</p>
    * @public
    */
   RequireLowercase?: boolean | undefined;
 
   /**
-   * <p>In the password policy that you have set, refers to whether you have required users to
-   *             use at least one number in their password.</p>
+   * <p>The requirement in a password policy that users must include at least one number in
+   *             their password.</p>
    * @public
    */
   RequireNumbers?: boolean | undefined;
 
   /**
-   * <p>In the password policy that you have set, refers to whether you have required users to
-   *             use at least one symbol in their password.</p>
+   * <p>The requirement in a password policy that users must include at least one symbol in
+   *             their password.</p>
    * @public
    */
   RequireSymbols?: boolean | undefined;
@@ -5447,22 +6363,47 @@ export interface PasswordPolicyType {
 }
 
 /**
- * <p>The policy associated with a user pool.</p>
+ * <p>The policy for allowed types of authentication in a user pool.</p>
+ *          <p>This data type is a request and response parameter of <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html">CreateUserPool</a> and <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html">UpdateUserPool</a>, and a response parameter of <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html">DescribeUserPool</a>.</p>
+ * @public
+ */
+export interface SignInPolicyType {
+  /**
+   * <p>The sign-in methods that a user pool supports as the first factor. You can permit
+   *             users to start authentication with a standard username and password, or with other
+   *             one-time password and hardware factors.</p>
+   * @public
+   */
+  AllowedFirstAuthFactors?: AuthFactorType[] | undefined;
+}
+
+/**
+ * <p>A list of user pool policies. Contains the policy that sets password-complexity
+ *             requirements.</p>
+ *          <p>This data type is a request and response parameter of <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html">CreateUserPool</a> and <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html">UpdateUserPool</a>, and a response parameter of <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html">DescribeUserPool</a>.</p>
  * @public
  */
 export interface UserPoolPolicyType {
   /**
-   * <p>The password policy.</p>
+   * <p>The password policy settings for a user pool, including complexity, history, and
+   *             length requirements.</p>
    * @public
    */
   PasswordPolicy?: PasswordPolicyType | undefined;
+
+  /**
+   * <p>The policy for allowed types of authentication in a user pool.</p>
+   * @public
+   */
+  SignInPolicy?: SignInPolicyType | undefined;
 }
 
 /**
- * <p>The SMS configuration type is the settings that your Amazon Cognito user pool must use to send
- *             an SMS message from your Amazon Web Services account through Amazon Simple Notification Service. To send SMS
+ * <p>User pool configuration for delivery of SMS messages with Amazon Simple Notification Service. To send SMS
  *             messages with Amazon SNS in the Amazon Web Services Region that you want, the Amazon Cognito user pool uses an
  *             Identity and Access Management (IAM) role in your Amazon Web Services account.</p>
+ *          <p>This data type is a request parameter of <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html">CreateUserPool</a>, <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html">UpdateUserPool</a>, and <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SetUserPoolMfaConfig.html">SetUserPoolMfaConfig</a>, and a response parameter of
+ *                 <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html">CreateUserPool</a>, <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html">UpdateUserPool</a>, and <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_GetUserPoolMfaConfig.html">GetUserPoolMfaConfig</a>.</p>
  * @public
  */
 export interface SmsConfigurationType {
@@ -5486,8 +6427,7 @@ export interface SmsConfigurationType {
    *             <code>ExternalId</code>.</p>
    *          <p>For more information about the <code>ExternalId</code> of a role, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html">How to use an
    *                 external ID when granting access to your Amazon Web Services resources to a third
-   *                 party</a>
-   *          </p>
+   *                 party</a>.</p>
    * @public
    */
   ExternalId?: string | undefined;
@@ -5509,6 +6449,7 @@ export interface SmsConfigurationType {
  * a user-pool setting that tells Amazon Cognito how to handle changes to the value of your users' email address and phone number attributes. For
  * more information, see <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-email-phone-verification.html#user-pool-settings-verifications-verify-attribute-updates">
  * Verifying updates to email addresses and phone numbers</a>.</p>
+ *          <p>This data type is a request and response parameter of <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html">CreateUserPool</a> and <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html">UpdateUserPool</a>, and a response parameter of <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html">DescribeUserPool</a>.</p>
  * @public
  */
 export interface UserAttributeUpdateSettingsType {
@@ -5545,7 +6486,8 @@ export const UsernameAttributeType = {
 export type UsernameAttributeType = (typeof UsernameAttributeType)[keyof typeof UsernameAttributeType];
 
 /**
- * <p>The username configuration type. </p>
+ * <p>The configuration of a user pool for username case sensitivity.</p>
+ *          <p>This data type is a request and response parameter of <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html">CreateUserPool</a> and <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html">UpdateUserPool</a>, and a response parameter of <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html">DescribeUserPool</a>.</p>
  * @public
  */
 export interface UsernameConfigurationType {
@@ -5557,16 +6499,16 @@ export interface UsernameConfigurationType {
    *             capitalization of their user name.</p>
    *          <p>Valid values include:</p>
    *          <dl>
-   *             <dt>True</dt>
+   *             <dt>true</dt>
    *             <dd>
    *                <p>Enables case sensitivity for all username input. When this option is set
-   *                         to <code>True</code>, users must sign in using the exact capitalization of
+   *                         to <code>true</code>, users must sign in using the exact capitalization of
    *                         their given username, such as “UserName”. This is the default value.</p>
    *             </dd>
-   *             <dt>False</dt>
+   *             <dt>false</dt>
    *             <dd>
    *                <p>Enables case insensitivity for all username input. For example, when this
-   *                         option is set to <code>False</code>, users can sign in using
+   *                         option is set to <code>false</code>, users can sign in using
    *                             <code>username</code>, <code>USERNAME</code>, or <code>UserName</code>.
    *                         This option also enables both <code>preferred_username</code> and
    *                             <code>email</code> alias to be case insensitive, in addition to the
@@ -5584,14 +6526,14 @@ export interface UsernameConfigurationType {
  *     configure automatic security responses to risky traffic to your user pool, set to
  *         <code>ENFORCED</code>.</p>
  *          <p>For more information, see <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-advanced-security.html">Adding advanced security to a user pool</a>.</p>
+ *          <p>This data type is a request and response parameter of <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html">CreateUserPool</a> and <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html">UpdateUserPool</a>, and a response parameter of <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html">DescribeUserPool</a>.</p>
  * @public
  */
 export interface UserPoolAddOnsType {
   /**
-   * <p>The operating mode of advanced security features for standard authentication types
-   *             in your user pool, including username-password and secure remote password (SRP)
-   *             authentication.
-   *         </p>
+   * <p>The operating mode of advanced security features for standard authentication types in
+   *             your user pool, including username-password and secure remote password (SRP)
+   *             authentication. </p>
    * @public
    */
   AdvancedSecurityMode: AdvancedSecurityModeType | undefined;
@@ -5605,6 +6547,21 @@ export interface UserPoolAddOnsType {
   AdvancedSecurityAdditionalFlows?: AdvancedSecurityAdditionalFlowsType | undefined;
 }
 
+/**
+ * @public
+ * @enum
+ */
+export const UserPoolTierType = {
+  ESSENTIALS: "ESSENTIALS",
+  LITE: "LITE",
+  PLUS: "PLUS",
+} as const;
+
+/**
+ * @public
+ */
+export type UserPoolTierType = (typeof UserPoolTierType)[keyof typeof UserPoolTierType];
+
 /**
  * @public
  * @enum
@@ -5620,7 +6577,9 @@ export const DefaultEmailOptionType = {
 export type DefaultEmailOptionType = (typeof DefaultEmailOptionType)[keyof typeof DefaultEmailOptionType];
 
 /**
- * <p>The template for verification messages.</p>
+ * <p>The template for the verification message that your user pool delivers to users who
+ *             set an email address or phone number attribute.</p>
+ *          <p>This data type is a request and response parameter of <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html">CreateUserPool</a> and <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html">UpdateUserPool</a>, and a response parameter of <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html">DescribeUserPool</a>.</p>
  * @public
  */
 export interface VerificationMessageTemplateType {
@@ -5664,7 +6623,11 @@ export interface VerificationMessageTemplateType {
   EmailSubjectByLink?: string | undefined;
 
   /**
-   * <p>The default email option.</p>
+   * <p>The configuration of verification emails to contain a clickable link or a verification
+   *             code.</p>
+   *          <p>For link, your template body must contain link text in the format <code>\{##Click
+   *                 here##\}</code>. "Click here" in the example is a customizable string. For code, your
+   *             template body must contain a code placeholder in the format <code>\{####\}</code>.</p>
    * @public
    */
   DefaultEmailOption?: DefaultEmailOptionType | undefined;
@@ -5700,17 +6663,9 @@ export interface CreateUserPoolRequest {
   DeletionProtection?: DeletionProtectionType | undefined;
 
   /**
-   * <p>The Lambda trigger configuration information for the new user pool.</p>
-   *          <note>
-   *             <p>In a push model, event sources (such as Amazon S3 and custom applications) need
-   *                 permission to invoke a function. So you must make an extra call to add permission
-   *                 for these event sources to invoke your Lambda function.</p>
-   *             <p></p>
-   *             <p>For more information on using the Lambda API to add permission, see<a href="https://docs.aws.amazon.com/lambda/latest/dg/API_AddPermission.html">
-   *                     AddPermission </a>. </p>
-   *             <p>For adding permission using the CLI, see<a href="https://docs.aws.amazon.com/cli/latest/reference/lambda/add-permission.html"> add-permission
-   *                 </a>.</p>
-   *          </note>
+   * <p>A collection of user pool Lambda triggers. Amazon Cognito invokes triggers at several possible
+   *             stages of authentication operations. Triggers can modify the outcome of the operations
+   *             that invoked them.</p>
    * @public
    */
   LambdaConfig?: LambdaConfigType | undefined;
@@ -5754,8 +6709,14 @@ export interface CreateUserPoolRequest {
   EmailVerificationSubject?: string | undefined;
 
   /**
-   * <p>The template for the verification message that the user sees when the app requests
-   *             permission to access the user's information.</p>
+   * <p>The template for the verification message that your user pool delivers to users who
+   *             set an email address or phone number attribute.</p>
+   *          <p>Set the email message type that corresponds to your <code>DefaultEmailOption</code>
+   *             selection. For <code>CONFIRM_WITH_LINK</code>, specify an
+   *                 <code>EmailMessageByLink</code> and leave <code>EmailMessage</code> blank. For
+   *                 <code>CONFIRM_WITH_CODE</code>, specify an <code>EmailMessage</code> and leave
+   *                 <code>EmailMessageByLink</code> blank. When you supply both parameters with either
+   *             choice, Amazon Cognito returns an error.</p>
    * @public
    */
   VerificationMessageTemplate?: VerificationMessageTemplateType | undefined;
@@ -5865,6 +6826,14 @@ export interface CreateUserPoolRequest {
    * @public
    */
   AccountRecoverySetting?: AccountRecoverySettingType | undefined;
+
+  /**
+   * <p>The user pool <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-sign-in-feature-plans.html">feature plan</a>, or tier. This parameter determines the
+   *             eligibility of the user pool for features like managed login, access-token
+   *             customization, and threat protection. Defaults to <code>ESSENTIALS</code>.</p>
+   * @public
+   */
+  UserPoolTier?: UserPoolTierType | undefined;
 }
 
 /**
@@ -5882,7 +6851,8 @@ export const StatusType = {
 export type StatusType = (typeof StatusType)[keyof typeof StatusType];
 
 /**
- * <p>A container for information about the user pool.</p>
+ * <p>The configuration of a user pool.</p>
+ *          <p>This data type is a response parameter of <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html">CreateUserPool</a>, <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html">UpdateUserPool</a>, and <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html">DescribeUserPool</a>.</p>
  * @public
  */
 export interface UserPoolType {
@@ -5899,7 +6869,8 @@ export interface UserPoolType {
   Name?: string | undefined;
 
   /**
-   * <p>The policies associated with the user pool.</p>
+   * <p>A list of user pool policies. Contains the policy that sets password-complexity
+   *             requirements.</p>
    * @public
    */
   Policies?: UserPoolPolicyType | undefined;
@@ -5917,7 +6888,9 @@ export interface UserPoolType {
   DeletionProtection?: DeletionProtectionType | undefined;
 
   /**
-   * <p>The Lambda triggers associated with the user pool.</p>
+   * <p>A collection of user pool Lambda triggers. Amazon Cognito invokes triggers at several possible
+   *             stages of user pool operations. Triggers can modify the outcome of the operations that
+   *             invoked them.</p>
    * @public
    */
   LambdaConfig?: LambdaConfigType | undefined;
@@ -5950,9 +6923,9 @@ export interface UserPoolType {
    *             prefix, and developer attributes with a <code>dev:</code> prefix. For more information,
    *             see <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html">User pool
    *                 attributes</a>.</p>
-   *          <p>Developer-only attributes are a legacy feature of user pools, are read-only to all app
-   *             clients. You can create and update developer-only attributes only with IAM-authenticated
-   *             API operations. Use app client read/write permissions instead.</p>
+   *          <p>Developer-only attributes are a legacy feature of user pools, and are read-only to all
+   *             app clients. You can create and update developer-only attributes only with
+   *             IAM-authenticated API operations. Use app client read/write permissions instead.</p>
    * @public
    */
   SchemaAttributes?: SchemaAttributeType[] | undefined;
@@ -5964,7 +6937,8 @@ export interface UserPoolType {
   AutoVerifiedAttributes?: VerifiedAttributeType[] | undefined;
 
   /**
-   * <p>The attributes that are aliased in a user pool.</p>
+   * <p>Attributes supported as an alias for this user pool. An alias is an attribute that
+   *             users can enter as an alternative username. Possible values: <b>phone_number</b>, <b>email</b>, or <b>preferred_username</b>.</p>
    * @public
    */
   AliasAttributes?: AliasAttributeType[] | undefined;
@@ -5995,7 +6969,8 @@ export interface UserPoolType {
   EmailVerificationSubject?: string | undefined;
 
   /**
-   * <p>The template for verification messages.</p>
+   * <p>The template for the verification message that your user pool delivers to users who
+   *             set an email address or phone number attribute.</p>
    * @public
    */
   VerificationMessageTemplate?: VerificationMessageTemplateType | undefined;
@@ -6064,10 +7039,9 @@ export interface UserPoolType {
   EmailConfiguration?: EmailConfigurationType | undefined;
 
   /**
-   * <p>The SMS configuration with the settings that your Amazon Cognito user pool must use to send an
-   *             SMS message from your Amazon Web Services account through Amazon Simple Notification Service. To send SMS messages
-   *             with Amazon SNS in the Amazon Web Services Region that you want, the Amazon Cognito user pool uses an Identity and Access Management
-   *             (IAM) role in your Amazon Web Services account.</p>
+   * <p>User pool configuration for delivery of SMS messages with Amazon Simple Notification Service. To send SMS
+   *             messages with Amazon SNS in the Amazon Web Services Region that you want, the Amazon Cognito user pool uses an
+   *             Identity and Access Management (IAM) role in your Amazon Web Services account.</p>
    * @public
    */
   SmsConfiguration?: SmsConfigurationType | undefined;
@@ -6144,16 +7118,22 @@ export interface UserPoolType {
   UserPoolAddOns?: UserPoolAddOnsType | undefined;
 
   /**
-   * <p>Case sensitivity of the username input for the selected sign-in option. For example,
-   *             when case sensitivity is set to <code>False</code>, users can sign in using either
-   *             "username" or "Username". This configuration is immutable once it has been set. For more
-   *             information, see <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UsernameConfigurationType.html">UsernameConfigurationType</a>.</p>
+   * <p>Case sensitivity of the username input for the selected sign-in option. When case
+   *             sensitivity is set to <code>False</code> (case insensitive), users can sign in with any
+   *             combination of capital and lowercase letters. For example, <code>username</code>,
+   *                 <code>USERNAME</code>, or <code>UserName</code>, or for email,
+   *                 <code>email@example.com</code> or <code>EMaiL@eXamplE.Com</code>. For most use
+   *             cases, set case sensitivity to <code>False</code> (case insensitive) as a best practice.
+   *             When usernames and email addresses are case insensitive, Amazon Cognito treats any variation in
+   *             case as the same user, and prevents a case variation from being assigned to the same
+   *             attribute for a different user.</p>
+   *          <p>This configuration is immutable after you set it. For more information, see <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UsernameConfigurationType.html">UsernameConfigurationType</a>.</p>
    * @public
    */
   UsernameConfiguration?: UsernameConfigurationType | undefined;
 
   /**
-   * <p>The Amazon Resource Name (ARN) for the user pool.</p>
+   * <p>The Amazon Resource Name (ARN) of the user pool.</p>
    * @public
    */
   Arn?: string | undefined;
@@ -6168,6 +7148,14 @@ export interface UserPoolType {
    * @public
    */
   AccountRecoverySetting?: AccountRecoverySettingType | undefined;
+
+  /**
+   * <p>The user pool <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-sign-in-feature-plans.html">feature plan</a>, or tier. This parameter determines the
+   *             eligibility of the user pool for features like managed login, access-token
+   *             customization, and threat protection. Defaults to <code>ESSENTIALS</code>.</p>
+   * @public
+   */
+  UserPoolTier?: UserPoolTierType | undefined;
 }
 
 /**
@@ -6183,16 +7171,58 @@ export interface CreateUserPoolResponse {
 }
 
 /**
- * <p>This exception is thrown when a user pool tag can't be set or updated.</p>
+ * <p>This exception is thrown when a feature you attempted to configure isn't
+ *             available in your current feature plan.</p>
  * @public
  */
-export class UserPoolTaggingException extends __BaseException {
-  readonly name: "UserPoolTaggingException" = "UserPoolTaggingException";
+export class FeatureUnavailableInTierException extends __BaseException {
+  readonly name: "FeatureUnavailableInTierException" = "FeatureUnavailableInTierException";
   readonly $fault: "client" = "client";
   /**
    * @internal
    */
-  constructor(opts: __ExceptionOptionType<UserPoolTaggingException, __BaseException>) {
+  constructor(opts: __ExceptionOptionType<FeatureUnavailableInTierException, __BaseException>) {
+    super({
+      name: "FeatureUnavailableInTierException",
+      $fault: "client",
+      ...opts,
+    });
+    Object.setPrototypeOf(this, FeatureUnavailableInTierException.prototype);
+  }
+}
+
+/**
+ * <p>This exception is thrown when you've attempted to change your feature plan but
+ *             the operation isn't permitted.</p>
+ * @public
+ */
+export class TierChangeNotAllowedException extends __BaseException {
+  readonly name: "TierChangeNotAllowedException" = "TierChangeNotAllowedException";
+  readonly $fault: "client" = "client";
+  /**
+   * @internal
+   */
+  constructor(opts: __ExceptionOptionType<TierChangeNotAllowedException, __BaseException>) {
+    super({
+      name: "TierChangeNotAllowedException",
+      $fault: "client",
+      ...opts,
+    });
+    Object.setPrototypeOf(this, TierChangeNotAllowedException.prototype);
+  }
+}
+
+/**
+ * <p>This exception is thrown when a user pool tag can't be set or updated.</p>
+ * @public
+ */
+export class UserPoolTaggingException extends __BaseException {
+  readonly name: "UserPoolTaggingException" = "UserPoolTaggingException";
+  readonly $fault: "client" = "client";
+  /**
+   * @internal
+   */
+  constructor(opts: __ExceptionOptionType<UserPoolTaggingException, __BaseException>) {
     super({
       name: "UserPoolTaggingException",
       $fault: "client",
@@ -6226,6 +7256,7 @@ export const ExplicitAuthFlowsType = {
   ALLOW_ADMIN_USER_PASSWORD_AUTH: "ALLOW_ADMIN_USER_PASSWORD_AUTH",
   ALLOW_CUSTOM_AUTH: "ALLOW_CUSTOM_AUTH",
   ALLOW_REFRESH_TOKEN_AUTH: "ALLOW_REFRESH_TOKEN_AUTH",
+  ALLOW_USER_AUTH: "ALLOW_USER_AUTH",
   ALLOW_USER_PASSWORD_AUTH: "ALLOW_USER_PASSWORD_AUTH",
   ALLOW_USER_SRP_AUTH: "ALLOW_USER_SRP_AUTH",
   CUSTOM_AUTH_FLOW_ONLY: "CUSTOM_AUTH_FLOW_ONLY",
@@ -6269,15 +7300,18 @@ export const TimeUnitsType = {
 export type TimeUnitsType = (typeof TimeUnitsType)[keyof typeof TimeUnitsType];
 
 /**
- * <p>The data type TokenValidityUnits specifies the time units you use when you set the
- *             duration of ID, access, and refresh tokens.</p>
+ * <p>The time units that, with <code>IdTokenValidity</code>,
+ *                 <code>AccessTokenValidity</code>, and <code>RefreshTokenValidity</code>, set and
+ *             display the duration of ID, access, and refresh tokens for an app client. You can assign
+ *             a separate token validity unit to each type of token. </p>
+ *          <p>This data type is a request parameter of <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPoolClient.html">CreateUserPoolClient</a> and <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPoolClient.html">UpdateUserPoolClient</a>, and a response parameter of
+ *                 <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPoolClient.html">DescribeUserPoolClient</a>.</p>
  * @public
  */
 export interface TokenValidityUnitsType {
   /**
-   * <p> A time unit of <code>seconds</code>, <code>minutes</code>, <code>hours</code>, or
-   *                 <code>days</code> for the value that you set in the <code>AccessTokenValidity</code>
-   *             parameter. The default <code>AccessTokenValidity</code> time unit is hours.
+   * <p> A time unit for the value that you set in the <code>AccessTokenValidity</code>
+   *             parameter. The default <code>AccessTokenValidity</code> time unit is <code>hours</code>.
    *                 <code>AccessTokenValidity</code> duration can range from five minutes to one
    *             day.</p>
    * @public
@@ -6285,19 +7319,16 @@ export interface TokenValidityUnitsType {
   AccessToken?: TimeUnitsType | undefined;
 
   /**
-   * <p>A time unit of <code>seconds</code>, <code>minutes</code>, <code>hours</code>, or
-   *                 <code>days</code> for the value that you set in the <code>IdTokenValidity</code>
-   *             parameter. The default <code>IdTokenValidity</code> time unit is hours.
+   * <p>A time unit for the value that you set in the <code>IdTokenValidity</code> parameter.
+   *             The default <code>IdTokenValidity</code> time unit is <code>hours</code>.
    *                 <code>IdTokenValidity</code> duration can range from five minutes to one day.</p>
    * @public
    */
   IdToken?: TimeUnitsType | undefined;
 
   /**
-   * <p>A time unit of <code>seconds</code>, <code>minutes</code>, <code>hours</code>, or
-   *                 <code>days</code> for the value that you set in the
-   *                 <code>RefreshTokenValidity</code> parameter. The default
-   *                 <code>RefreshTokenValidity</code> time unit is days.
+   * <p>A time unit for the value that you set in the <code>RefreshTokenValidity</code>
+   *             parameter. The default <code>RefreshTokenValidity</code> time unit is <code>days</code>.
    *                 <code>RefreshTokenValidity</code> duration can range from 60 minutes to 10
    *             years.</p>
    * @public
@@ -6438,6 +7469,18 @@ export interface CreateUserPoolClientRequest {
    *          <ul>
    *             <li>
    *                <p>
+   *                   <code>ALLOW_USER_AUTH</code>: Enable selection-based sign-in
+   *             with <code>USER_AUTH</code>. This setting covers username-password,
+   *             secure remote password (SRP), passwordless, and passkey authentication.
+   *             This authentiation flow can do username-password and SRP authentication
+   *             without other <code>ExplicitAuthFlows</code> permitting them. For example
+   *             users can complete an SRP challenge through <code>USER_AUTH</code>
+   *             without the flow <code>USER_SRP_AUTH</code> being active for the app
+   *             client. This flow doesn't include <code>CUSTOM_AUTH</code>.
+   *         </p>
+   *             </li>
+   *             <li>
+   *                <p>
    *                   <code>ALLOW_ADMIN_USER_PASSWORD_AUTH</code>: Enable admin based user password
    *             authentication flow <code>ADMIN_USER_PASSWORD_AUTH</code>. This setting replaces
    *             the <code>ADMIN_NO_SRP_AUTH</code> setting. With this authentication flow, your app
@@ -6478,6 +7521,11 @@ export interface CreateUserPoolClientRequest {
    *                 <code>Google</code>, <code>SignInWithApple</code>, and <code>LoginWithAmazon</code>.
    *             You can also specify the names that you configured for the SAML and OIDC IdPs in your
    *             user pool, for example <code>MySAMLIdP</code> or <code>MyOIDCIdP</code>.</p>
+   *          <p>This setting applies to providers that you can access with the <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-app-integration.html">hosted
+   *                 UI and OAuth 2.0 authorization server</a>. The removal of <code>COGNITO</code>
+   *             from this list doesn't prevent authentication operations for local users with the
+   *             user pools API in an Amazon Web Services SDK. The only way to prevent API-based authentication is to
+   *             block access with a <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-waf.html">WAF rule</a>.</p>
    * @public
    */
   SupportedIdentityProviders?: string[] | undefined;
@@ -6653,7 +7701,7 @@ export interface CreateUserPoolClientRequest {
 
   /**
    * <p>Activates the propagation of additional user context data. For more information about
-   *             propagation of user context data, see <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-advanced-security.html"> Adding advanced security to a user pool</a>. If you don’t include this
+   *             propagation of user context data, see <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-threat-protection.html"> Adding advanced security to a user pool</a>. If you don’t include this
    *             parameter, you can't send device fingerprint information, including source IP address,
    *             to Amazon Cognito advanced security. You can only activate
    *                 <code>EnablePropagateAdditionalUserContextData</code> in an app client that has a
@@ -6671,30 +7719,32 @@ export interface CreateUserPoolClientRequest {
 }
 
 /**
- * <p>Contains information about a user pool client.</p>
+ * <p>The configuration of a user pool client.</p>
+ *          <p>This data type is a request parameter of <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPoolClient.html">CreateUserPoolClient</a> and <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPoolClient.html">UpdateUserPoolClient</a>, and a response parameter of
+ *                 <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPoolClient.html">DescribeUserPoolClient</a>.</p>
  * @public
  */
 export interface UserPoolClientType {
   /**
-   * <p>The user pool ID for the user pool client.</p>
+   * <p>The ID of the user pool associated with the app client.</p>
    * @public
    */
   UserPoolId?: string | undefined;
 
   /**
-   * <p>The client name from the user pool request of the client type.</p>
+   * <p>The name of the app client.</p>
    * @public
    */
   ClientName?: string | undefined;
 
   /**
-   * <p>The ID of the client associated with the user pool.</p>
+   * <p>The ID of the app client.</p>
    * @public
    */
   ClientId?: string | undefined;
 
   /**
-   * <p>The client secret from the user pool request of the client type.</p>
+   * <p>The app client secret.</p>
    * @public
    */
   ClientSecret?: string | undefined;
@@ -6764,8 +7814,10 @@ export interface UserPoolClientType {
   IdTokenValidity?: number | undefined;
 
   /**
-   * <p>The time units used to specify the token validity times of each token type: ID,
-   *             access, and refresh.</p>
+   * <p>The time units that, with <code>IdTokenValidity</code>,
+   *                 <code>AccessTokenValidity</code>, and <code>RefreshTokenValidity</code>, set and
+   *             display the duration of ID, access, and refresh tokens for an app client. You can assign
+   *             a separate token validity unit to each type of token. </p>
    * @public
    */
   TokenValidityUnits?: TokenValidityUnitsType | undefined;
@@ -6822,6 +7874,18 @@ export interface UserPoolClientType {
    *          <ul>
    *             <li>
    *                <p>
+   *                   <code>ALLOW_USER_AUTH</code>: Enable selection-based sign-in
+   *             with <code>USER_AUTH</code>. This setting covers username-password,
+   *             secure remote password (SRP), passwordless, and passkey authentication.
+   *             This authentiation flow can do username-password and SRP authentication
+   *             without other <code>ExplicitAuthFlows</code> permitting them. For example
+   *             users can complete an SRP challenge through <code>USER_AUTH</code>
+   *             without the flow <code>USER_SRP_AUTH</code> being active for the app
+   *             client. This flow doesn't include <code>CUSTOM_AUTH</code>.
+   *         </p>
+   *             </li>
+   *             <li>
+   *                <p>
    *                   <code>ALLOW_ADMIN_USER_PASSWORD_AUTH</code>: Enable admin based user password
    *             authentication flow <code>ADMIN_USER_PASSWORD_AUTH</code>. This setting replaces
    *             the <code>ADMIN_NO_SRP_AUTH</code> setting. With this authentication flow, your app
@@ -6857,10 +7921,16 @@ export interface UserPoolClientType {
   ExplicitAuthFlows?: ExplicitAuthFlowsType[] | undefined;
 
   /**
-   * <p>A list of provider names for the IdPs that this client supports. The following are
-   *             supported: <code>COGNITO</code>, <code>Facebook</code>, <code>Google</code>,
-   *                 <code>SignInWithApple</code>, <code>LoginWithAmazon</code>, and the names of your
-   *             own SAML and OIDC providers.</p>
+   * <p>A list of provider names for the identity providers (IdPs) that are supported on this
+   *             client. The following are supported: <code>COGNITO</code>, <code>Facebook</code>,
+   *                 <code>Google</code>, <code>SignInWithApple</code>, and <code>LoginWithAmazon</code>.
+   *             You can also specify the names that you configured for the SAML and OIDC IdPs in your
+   *             user pool, for example <code>MySAMLIdP</code> or <code>MyOIDCIdP</code>.</p>
+   *          <p>This setting applies to providers that you can access with the <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-app-integration.html">hosted
+   *                 UI and OAuth 2.0 authorization server</a>. The removal of <code>COGNITO</code>
+   *             from this list doesn't prevent authentication operations for local users with the
+   *             user pools API in an Amazon Web Services SDK. The only way to prevent API-based authentication is to
+   *             block access with a <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-waf.html">WAF rule</a>.</p>
    * @public
    */
   SupportedIdentityProviders?: string[] | undefined;
@@ -6918,7 +7988,9 @@ export interface UserPoolClientType {
   DefaultRedirectURI?: string | undefined;
 
   /**
-   * <p>The allowed OAuth flows.</p>
+   * <p>The OAuth grant types that you want your app client to generate. To create an app
+   *             client that generates client credentials grants, you must add
+   *                 <code>client_credentials</code> as the only allowed OAuth flow.</p>
    *          <dl>
    *             <dt>code</dt>
    *             <dd>
@@ -6943,11 +8015,11 @@ export interface UserPoolClientType {
   AllowedOAuthFlows?: OAuthFlowType[] | undefined;
 
   /**
-   * <p>The OAuth scopes that your app client supports. Possible values that OAuth provides
-   *             are <code>phone</code>, <code>email</code>, <code>openid</code>, and
-   *                 <code>profile</code>. Possible values that Amazon Web Services provides are
-   *                 <code>aws.cognito.signin.user.admin</code>. Amazon Cognito also supports custom scopes that
-   *             you create in Resource Servers.</p>
+   * <p>The OAuth 2.0 scopes that you want your app client to support. Can include standard
+   *             OAuth scopes like <code>phone</code>, <code>email</code>, <code>openid</code>, and
+   *                 <code>profile</code>. Can also include the
+   *                 <code>aws.cognito.signin.user.admin</code> scope that authorizes user profile
+   *             self-service operations and custom scopes from resource servers.</p>
    * @public
    */
   AllowedOAuthScopes?: string[] | undefined;
@@ -6985,11 +8057,13 @@ export interface UserPoolClientType {
   AllowedOAuthFlowsUserPoolClient?: boolean | undefined;
 
   /**
-   * <p>The Amazon Pinpoint analytics configuration for the user pool client.</p>
+   * <p>The user pool analytics configuration for collecting metrics and sending them to your
+   *             Amazon Pinpoint campaign.</p>
    *          <note>
-   *             <p>Amazon Cognito user pools only support sending events to Amazon Pinpoint projects in the US East
-   *                 (N. Virginia) us-east-1 Region, regardless of the Region where the user pool
-   *                 resides.</p>
+   *             <p>In Amazon Web Services Regions where Amazon Pinpoint isn't available, user pools only support sending
+   *                 events to Amazon Pinpoint projects in Amazon Web Services Region us-east-1. In Regions where Amazon Pinpoint is
+   *                 available, user pools support sending events to Amazon Pinpoint projects within that same
+   *                 Region.</p>
    *          </note>
    * @public
    */
@@ -7110,8 +8184,8 @@ export class ScopeDoesNotExistException extends __BaseException {
 }
 
 /**
- * <p>The configuration for a custom domain that hosts the sign-up and sign-in webpages for
- *             your application.</p>
+ * <p>The configuration for a hosted UI custom domain.</p>
+ *          <p>This data type is a request parameter of <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPoolDomain.html">CreateUserPoolDomain</a> and <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPoolDomain.html">UpdateUserPoolDomain</a>.</p>
  * @public
  */
 export interface CustomDomainConfigType {
@@ -7136,11 +8210,20 @@ export interface CreateUserPoolDomainRequest {
   Domain: string | undefined;
 
   /**
-   * <p>The user pool ID.</p>
+   * <p>The ID of the user pool where you want to add a domain.</p>
    * @public
    */
   UserPoolId: string | undefined;
 
+  /**
+   * <p>The version of managed login branding that you want to apply to your domain. A value
+   *             of <code>1</code> indicates hosted UI (classic) branding and a version of <code>2</code>
+   *             indicates managed login branding.</p>
+   *          <p>Managed login requires that your user pool be configured for any <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-sign-in-feature-plans.html">feature plan</a> other than <code>Lite</code>.</p>
+   * @public
+   */
+  ManagedLoginVersion?: number | undefined;
+
   /**
    * <p>The configuration for a custom domain that hosts the sign-up and sign-in webpages for
    *             your application.</p>
@@ -7157,6 +8240,14 @@ export interface CreateUserPoolDomainRequest {
  * @public
  */
 export interface CreateUserPoolDomainResponse {
+  /**
+   * <p>The version of managed login branding applied your domain. A value of <code>1</code>
+   *             indicates hosted UI (classic) branding and a version of <code>2</code> indicates managed
+   *             login branding.</p>
+   * @public
+   */
+  ManagedLoginVersion?: number | undefined;
+
   /**
    * <p>The Amazon CloudFront endpoint that you use as the target of the alias that you set up with
    *             your Domain Name Service (DNS) provider. Amazon Cognito returns this value if you set a custom
@@ -7221,6 +8312,24 @@ export class UnsupportedIdentityProviderException extends __BaseException {
   }
 }
 
+/**
+ * @public
+ */
+export interface DeleteManagedLoginBrandingRequest {
+  /**
+   * <p>The ID of the managed login branding style that you want to delete.</p>
+   * @public
+   */
+  ManagedLoginBrandingId: string | undefined;
+
+  /**
+   * <p>The ID of the user pool that contains the managed login branding style that you want
+   *             to delete.</p>
+   * @public
+   */
+  UserPoolId: string | undefined;
+}
+
 /**
  * @public
  */
@@ -7332,6 +8441,30 @@ export interface DeleteUserPoolDomainRequest {
  */
 export interface DeleteUserPoolDomainResponse {}
 
+/**
+ * @public
+ */
+export interface DeleteWebAuthnCredentialRequest {
+  /**
+   * <p>A valid access token that Amazon Cognito issued to the user whose passkey you want to
+   *             delete.</p>
+   * @public
+   */
+  AccessToken: string | undefined;
+
+  /**
+   * <p>The unique identifier of the passkey that you want to delete. Look up registered
+   *             devices with <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_ListWebAuthnCredentials.html"> ListWebAuthnCredentials</a>.</p>
+   * @public
+   */
+  CredentialId: string | undefined;
+}
+
+/**
+ * @public
+ */
+export interface DeleteWebAuthnCredentialResponse {}
+
 /**
  * @public
  */
@@ -7360,6 +8493,82 @@ export interface DescribeIdentityProviderResponse {
   IdentityProvider: IdentityProviderType | undefined;
 }
 
+/**
+ * @public
+ */
+export interface DescribeManagedLoginBrandingRequest {
+  /**
+   * <p>The ID of the user pool that contains the managed login branding style that you want
+   *             to get information about.</p>
+   * @public
+   */
+  UserPoolId: string | undefined;
+
+  /**
+   * <p>The ID of the managed login branding style that you want to get more information
+   *             about.</p>
+   * @public
+   */
+  ManagedLoginBrandingId: string | undefined;
+
+  /**
+   * <p>When <code>true</code>, returns values for branding options that are unchanged from
+   *             Amazon Cognito defaults. When <code>false</code> or when you omit this parameter, returns only
+   *             values that you customized in your branding style.</p>
+   * @public
+   */
+  ReturnMergedResources?: boolean | undefined;
+}
+
+/**
+ * @public
+ */
+export interface DescribeManagedLoginBrandingResponse {
+  /**
+   * <p>The details of the requested branding style.</p>
+   * @public
+   */
+  ManagedLoginBranding?: ManagedLoginBrandingType | undefined;
+}
+
+/**
+ * @public
+ */
+export interface DescribeManagedLoginBrandingByClientRequest {
+  /**
+   * <p>The ID of the user pool that contains the app client where you want more information
+   *             about the managed login branding style.</p>
+   * @public
+   */
+  UserPoolId: string | undefined;
+
+  /**
+   * <p>The app client that's assigned to the branding style that you want more information
+   *             about.</p>
+   * @public
+   */
+  ClientId: string | undefined;
+
+  /**
+   * <p>When <code>true</code>, returns values for branding options that are unchanged from
+   *             Amazon Cognito defaults. When <code>false</code> or when you omit this parameter, returns only
+   *             values that you customized in your branding style.</p>
+   * @public
+   */
+  ReturnMergedResources?: boolean | undefined;
+}
+
+/**
+ * @public
+ */
+export interface DescribeManagedLoginBrandingByClientResponse {
+  /**
+   * <p>The details of the requested branding style.</p>
+   * @public
+   */
+  ManagedLoginBranding?: ManagedLoginBrandingType | undefined;
+}
+
 /**
  * @public
  */
@@ -7426,12 +8635,14 @@ export type CompromisedCredentialsEventActionType =
   (typeof CompromisedCredentialsEventActionType)[keyof typeof CompromisedCredentialsEventActionType];
 
 /**
- * <p>The compromised credentials actions type.</p>
+ * <p>Settings for user pool actions when Amazon Cognito detects compromised credentials with
+ *             advanced security features in full-function <code>ENFORCED</code> mode.</p>
+ *          <p>This data type is a request parameter of <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SetRiskConfiguration.html">SetRiskConfiguration</a> and a response parameter of <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeRiskConfiguration.html">DescribeRiskConfiguration</a>.</p>
  * @public
  */
 export interface CompromisedCredentialsActionsType {
   /**
-   * <p>The event action.</p>
+   * <p>The action that Amazon Cognito takes when it detects compromised credentials.</p>
    * @public
    */
   EventAction: CompromisedCredentialsEventActionType | undefined;
@@ -7453,79 +8664,87 @@ export const EventFilterType = {
 export type EventFilterType = (typeof EventFilterType)[keyof typeof EventFilterType];
 
 /**
- * <p>The compromised credentials risk configuration type.</p>
+ * <p>Settings for compromised-credentials actions and authentication-event sources with
+ *             advanced security features in full-function <code>ENFORCED</code> mode.</p>
+ *          <p>This data type is a request parameter of <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SetRiskConfiguration.html">SetRiskConfiguration</a> and a response parameter of <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeRiskConfiguration.html">DescribeRiskConfiguration</a>.</p>
  * @public
  */
 export interface CompromisedCredentialsRiskConfigurationType {
   /**
-   * <p>Perform the action for these events. The default is to perform all events if no event
-   *             filter is specified.</p>
+   * <p>Settings for the sign-in activity where you want to configure compromised-credentials
+   *             actions. Defaults to all events.</p>
    * @public
    */
   EventFilter?: EventFilterType[] | undefined;
 
   /**
-   * <p>The compromised credentials risk configuration actions.</p>
+   * <p>Settings for the actions that you want your user pool to take when Amazon Cognito detects
+   *             compromised credentials.</p>
    * @public
    */
   Actions: CompromisedCredentialsActionsType | undefined;
 }
 
 /**
- * <p>The type of the configuration to override the risk decision.</p>
+ * <p>Exceptions to the risk evaluation configuration, including always-allow and
+ *             always-block IP address ranges. </p>
+ *          <p>This data type is a request parameter of <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SetRiskConfiguration.html">SetRiskConfiguration</a> and a response parameter of <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeRiskConfiguration.html">DescribeRiskConfiguration</a>.</p>
  * @public
  */
 export interface RiskExceptionConfigurationType {
   /**
-   * <p>Overrides the risk decision to always block the pre-authentication requests. The IP
-   *             range is in CIDR notation, a compact representation of an IP address and its routing
-   *             prefix.</p>
+   * <p>An always-block IP address list. Overrides the risk decision and always blocks
+   *             authentication requests. This parameter is displayed and set in CIDR notation.</p>
    * @public
    */
   BlockedIPRangeList?: string[] | undefined;
 
   /**
-   * <p>Risk detection isn't performed on the IP addresses in this range list. The IP range is
-   *             in CIDR notation.</p>
+   * <p>An always-allow IP address list. Risk detection isn't performed on the IP addresses in
+   *             this range list. This parameter is displayed and set in CIDR notation.</p>
    * @public
    */
   SkippedIPRangeList?: string[] | undefined;
 }
 
 /**
- * <p>The risk configuration type.</p>
+ * <p>The settings of risk configuration for threat protection with advanced security
+ *             features in a user pool.</p>
+ *          <p>This data type is a response parameter of <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeRiskConfiguration.html">DescribeRiskConfiguration</a> and <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SetRiskConfiguration.html">SetRiskConfiguration</a>.</p>
  * @public
  */
 export interface RiskConfigurationType {
   /**
-   * <p>The user pool ID.</p>
+   * <p>The ID of the user pool that has the risk configuration applied.</p>
    * @public
    */
   UserPoolId?: string | undefined;
 
   /**
-   * <p>The app client ID.</p>
+   * <p>The app client where this configuration is applied. When this parameter isn't present,
+   *             the risk configuration applies to all user pool app clients that don't have
+   *             client-level settings.</p>
    * @public
    */
   ClientId?: string | undefined;
 
   /**
-   * <p>The compromised credentials risk configuration object, including the
-   *                 <code>EventFilter</code> and the <code>EventAction</code>.</p>
+   * <p>Settings for compromised-credentials actions and authentication types with advanced
+   *             security features in full-function <code>ENFORCED</code> mode.</p>
    * @public
    */
   CompromisedCredentialsRiskConfiguration?: CompromisedCredentialsRiskConfigurationType | undefined;
 
   /**
-   * <p>The account takeover risk configuration object, including the
-   *                 <code>NotifyConfiguration</code> object and <code>Actions</code> to take if there is
-   *             an account takeover.</p>
+   * <p>The settings for automated responses and notification templates for adaptive
+   *             authentication with advanced security features.</p>
    * @public
    */
   AccountTakeoverRiskConfiguration?: AccountTakeoverRiskConfigurationType | undefined;
 
   /**
-   * <p>The configuration to override the risk decision.</p>
+   * <p>Exceptions to the risk evaluation configuration, including always-allow and
+   *             always-block IP address ranges. </p>
    * @public
    */
   RiskExceptionConfiguration?: RiskExceptionConfigurationType | undefined;
@@ -7666,18 +8885,20 @@ export const DomainStatusType = {
 export type DomainStatusType = (typeof DomainStatusType)[keyof typeof DomainStatusType];
 
 /**
- * <p>A container for information about a domain.</p>
+ * <p>A container for information about the user pool domain associated with the hosted UI
+ *             and OAuth endpoints.</p>
+ *          <p>This data type is a response parameter of <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPoolDomain.html">DescribeUserPoolDomain</a>.</p>
  * @public
  */
 export interface DomainDescriptionType {
   /**
-   * <p>The user pool ID.</p>
+   * <p>The ID of the user pool that the domain is attached to.</p>
    * @public
    */
   UserPoolId?: string | undefined;
 
   /**
-   * <p>The Amazon Web Services ID for the user pool owner.</p>
+   * <p>The Amazon Web Services account that you created the user pool in.</p>
    * @public
    */
   AWSAccountId?: string | undefined;
@@ -7697,8 +8918,7 @@ export interface DomainDescriptionType {
   S3Bucket?: string | undefined;
 
   /**
-   * <p>The Amazon CloudFront endpoint that you use as the target of the alias that you set up with
-   *             your Domain Name Service (DNS) provider.</p>
+   * <p>The Amazon CloudFront endpoint that hosts your custom domain.</p>
    * @public
    */
   CloudFrontDistribution?: string | undefined;
@@ -7721,6 +8941,15 @@ export interface DomainDescriptionType {
    * @public
    */
   CustomDomainConfig?: CustomDomainConfigType | undefined;
+
+  /**
+   * <p>The version of managed login branding that you want to apply to your domain. A value
+   *             of <code>1</code> indicates hosted UI (classic) branding and a version of <code>2</code>
+   *             indicates managed login branding.</p>
+   *          <p>Managed login requires that your user pool be configured for any <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-sign-in-feature-plans.html">feature plan</a> other than <code>Lite</code>.</p>
+   * @public
+   */
+  ManagedLoginVersion?: number | undefined;
 }
 
 /**
@@ -7838,6 +9067,8 @@ export interface ForgotPasswordRequest {
 /**
  * <p>The delivery details for an email or SMS message that Amazon Cognito sent for authentication or
  *             verification.</p>
+ *          <p>This data type is a response parameter of operations that send a code for user profile
+ *             confirmation, verification, or management, for example <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_ForgotPassword.html">ForgotPassword</a> and <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SignUp.html">SignUp</a>.</p>
  * @public
  */
 export interface CodeDeliveryDetailsType {
@@ -8007,6 +9238,8 @@ export interface GetLogDeliveryConfigurationRequest {
 /**
  * <p>Configuration for the CloudWatch log group destination of user pool detailed activity
  *             logging, or of user activity log export with advanced security features.</p>
+ *          <p>This data type is a request parameter of <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SetLogDeliveryConfiguration.html">SetLogDeliveryConfiguration</a> and a response parameter of
+ *                 <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_GetLogDeliveryConfiguration.html">GetLogDeliveryConfiguration</a>.</p>
  * @public
  */
 export interface CloudWatchLogsConfigurationType {
@@ -8080,7 +9313,10 @@ export interface S3ConfigurationType {
 }
 
 /**
- * <p>The logging parameters of a user pool.</p>
+ * <p>The configuration of user event logs to an external Amazon Web Services service like
+ *                 Amazon Data Firehose, Amazon S3, or Amazon CloudWatch Logs.</p>
+ *          <p>This data type is a request parameter of <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SetLogDeliveryConfiguration.html">SetLogDeliveryConfiguration</a> and a response parameter of
+ *                 <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_GetLogDeliveryConfiguration.html">GetLogDeliveryConfiguration</a>.</p>
  * @public
  */
 export interface LogConfigurationType {
@@ -8129,8 +9365,7 @@ export interface LogConfigurationType {
 }
 
 /**
- * <p>The logging parameters of a user pool returned in response to
- *                 <code>GetLogDeliveryConfiguration</code>.</p>
+ * <p>The logging parameters of a user pool, as returned in the response to a <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_GetLogDeliveryConfiguration.html">GetLogDeliveryConfiguration</a> request.</p>
  * @public
  */
 export interface LogDeliveryConfigurationType {
@@ -8201,31 +9436,35 @@ export interface GetUICustomizationRequest {
 }
 
 /**
- * <p>A container for the UI customization information for a user pool's built-in app
- *             UI.</p>
+ * <p>A container for the UI customization information for the hosted UI in a user
+ *             pool.</p>
+ *          <p>This data type is a response parameter of <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPoolClient.html">GetUICustomization</a>.</p>
  * @public
  */
 export interface UICustomizationType {
   /**
-   * <p>The user pool ID for the user pool.</p>
+   * <p>The ID of the user pool with hosted UI customizations.</p>
    * @public
    */
   UserPoolId?: string | undefined;
 
   /**
-   * <p>The client ID for the client app.</p>
+   * <p>The app client ID for your UI customization. When this value isn't present, the
+   *             customization applies to all user pool app clients that don't have client-level
+   *             settings..</p>
    * @public
    */
   ClientId?: string | undefined;
 
   /**
-   * <p>The logo image for the UI customization.</p>
+   * <p>A URL path to the hosted logo image of your UI customization.</p>
    * @public
    */
   ImageUrl?: string | undefined;
 
   /**
-   * <p>The CSS values in the UI customization.</p>
+   * <p>The CSS values in the UI customization. To get a template with your UI customization
+   *             options, make a <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_GetUiCustomization.html">GetUiCustomization</a> request.</p>
    * @public
    */
   CSS?: string | undefined;
@@ -8313,7 +9552,8 @@ export interface GetUserResponse {
 
   /**
    * <p>The MFA options that are activated for the user. The possible values in this list are
-   *             <code>SMS_MFA</code>, <code>EMAIL_OTP</code>, and <code>SOFTWARE_TOKEN_MFA</code>.</p>
+   *                 <code>SMS_MFA</code>, <code>EMAIL_OTP</code>, and
+   *             <code>SOFTWARE_TOKEN_MFA</code>.</p>
    * @public
    */
   UserMFASettingList?: string[] | undefined;
@@ -8389,6 +9629,50 @@ export interface GetUserAttributeVerificationCodeResponse {
   CodeDeliveryDetails?: CodeDeliveryDetailsType | undefined;
 }
 
+/**
+ * @public
+ */
+export interface GetUserAuthFactorsRequest {
+  /**
+   * <p>A valid access token that Amazon Cognito issued to the user whose authentication factors you
+   *             want to view.</p>
+   * @public
+   */
+  AccessToken: string | undefined;
+}
+
+/**
+ * @public
+ */
+export interface GetUserAuthFactorsResponse {
+  /**
+   * <p>The username of the currently sign-in user.</p>
+   * @public
+   */
+  Username: string | undefined;
+
+  /**
+   * <p>The user's preferred MFA setting.</p>
+   * @public
+   */
+  PreferredMfaSetting?: string | undefined;
+
+  /**
+   * <p>The MFA options that are activated for the user. The possible values in this list are
+   *                 <code>SMS_MFA</code>, <code>EMAIL_OTP</code>, and
+   *             <code>SOFTWARE_TOKEN_MFA</code>.</p>
+   * @public
+   */
+  UserMFASettingList?: string[] | undefined;
+
+  /**
+   * <p>The authentication types that are available to the user with <code>USER_AUTH</code>
+   *             sign-in. </p>
+   * @public
+   */
+  ConfiguredUserAuthFactors?: AuthFactorType[] | undefined;
+}
+
 /**
  * @public
  */
@@ -8404,6 +9688,7 @@ export interface GetUserPoolMfaConfigRequest {
  * <p>Sets or shows user pool email message configuration for MFA. Includes the subject and
  *             body of the email message template for MFA messages. To activate this setting, <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-advanced-security.html">
  *                      advanced security features</a> must be active in your user pool.</p>
+ *          <p>This data type is a request parameter of <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SetUserPoolMfaConfig.html">SetUserPoolMfaConfig</a> and a response parameter of <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_GetUserPoolMfaConfig.html">GetUserPoolMfaConfig</a>.</p>
  * @public
  */
 export interface EmailMfaConfigType {
@@ -8425,38 +9710,41 @@ export interface EmailMfaConfigType {
 }
 
 /**
- * <p>Configures user pool SMS messages for multi-factor authentication (MFA). Sets the
- *             message template and the SMS message sending configuration for Amazon SNS.</p>
+ * <p>The configuration of multi-factor authentication (MFA) with SMS messages in a user
+ *             pool.</p>
+ *          <p>This data type is a request parameter of <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SetUserPoolMfaConfig.html">SetUserPoolMfaConfig</a> and a response parameter of <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_GetUserPoolMfaConfig.html">GetUserPoolMfaConfig</a>.</p>
  * @public
  */
 export interface SmsMfaConfigType {
   /**
-   * <p>The SMS message that your user pool sends to users with an MFA code. The message must
-   *             contain the <code>\{####\}</code> placeholder. In the message, Amazon Cognito replaces this
-   *             placeholder with the code. If you don't provide this parameter, Amazon Cognito sends
-   *             messages in the default format.</p>
+   * <p>The SMS authentication message that will be sent to users with the code they must sign
+   *             in with. The message must contain the <code>\{####\}</code> placeholder. Your user pool
+   *             replaces the placeholder with the MFA code. If this parameter isn't provided, your user
+   *             pool sends a default message.</p>
    * @public
    */
   SmsAuthenticationMessage?: string | undefined;
 
   /**
-   * <p>The SMS configuration with the settings that your Amazon Cognito user pool must use to send an
-   *             SMS message from your Amazon Web Services account through Amazon Simple Notification Service. To request Amazon SNS in
-   *             the Amazon Web Services Region that you want, the Amazon Cognito user pool uses an Identity and Access Management (IAM) role that
-   *             you provide for your Amazon Web Services account.</p>
+   * <p>User pool configuration for delivery of SMS messages with Amazon Simple Notification Service. To send SMS
+   *             messages with Amazon SNS in the Amazon Web Services Region that you want, the Amazon Cognito user pool uses an
+   *             Identity and Access Management (IAM) role in your Amazon Web Services account.</p>
+   *          <p>You can set <code>SmsConfiguration</code> in <code>CreateUserPool</code> and <code>
+   *                 UpdateUserPool</code>, or in <code>SetUserPoolMfaConfig</code>.</p>
    * @public
    */
   SmsConfiguration?: SmsConfigurationType | undefined;
 }
 
 /**
- * <p>Configures a user pool for time-based one-time password (TOTP) multi-factor
- *             authentication (MFA). Enables or disables TOTP.</p>
+ * <p>Settings for time-based one-time password (TOTP) multi-factor authentication (MFA) in
+ *             a user pool. Enables and disables availability of this feature.</p>
+ *          <p>This data type is a request parameter of <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SetUserPoolMfaConfig.html">SetUserPoolMfaConfig</a> and a response parameter of <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_GetUserPoolMfaConfig.html">GetUserPoolMfaConfig</a>. </p>
  * @public
  */
 export interface SoftwareTokenMfaConfigType {
   /**
-   * <p>Specifies whether software token MFA is activated.</p>
+   * <p>The activation state of TOTP MFA.</p>
    * @public
    */
   Enabled?: boolean | undefined;
@@ -8464,1324 +9752,44 @@ export interface SoftwareTokenMfaConfigType {
 
 /**
  * @public
+ * @enum
  */
-export interface GetUserPoolMfaConfigResponse {
-  /**
-   * <p>Shows user pool SMS message configuration for MFA. Includes the message template and
-   *             the SMS message sending configuration for Amazon SNS.</p>
-   * @public
-   */
-  SmsMfaConfiguration?: SmsMfaConfigType | undefined;
-
-  /**
-   * <p>Shows user pool configuration for time-based one-time password (TOTP) MFA. Includes
-   *             TOTP enabled or disabled state.</p>
-   * @public
-   */
-  SoftwareTokenMfaConfiguration?: SoftwareTokenMfaConfigType | undefined;
+export const UserVerificationType = {
+  PREFERRED: "preferred",
+  REQUIRED: "required",
+} as const;
 
-  /**
-   * <p>Shows user pool email message configuration for MFA. Includes the subject and body of
-   *             the email message template for MFA messages. To activate this setting, <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-advanced-security.html">
-   *                      advanced security features</a> must be active in your user pool.</p>
-   * @public
-   */
-  EmailMfaConfiguration?: EmailMfaConfigType | undefined;
+/**
+ * @public
+ */
+export type UserVerificationType = (typeof UserVerificationType)[keyof typeof UserVerificationType];
 
-  /**
-   * <p>The multi-factor authentication (MFA) configuration. Valid values include:</p>
-   *          <ul>
-   *             <li>
-   *                <p>
-   *                   <code>OFF</code> MFA won't be used for any users.</p>
-   *             </li>
-   *             <li>
-   *                <p>
-   *                   <code>ON</code> MFA is required for all users to sign in.</p>
-   *             </li>
-   *             <li>
-   *                <p>
-   *                   <code>OPTIONAL</code> MFA will be required only for individual users who have
-   *                     an MFA factor activated.</p>
-   *             </li>
-   *          </ul>
-   * @public
-   */
-  MfaConfiguration?: UserPoolMfaType | undefined;
-}
+/**
+ * @internal
+ */
+export const AdminAddUserToGroupRequestFilterSensitiveLog = (obj: AdminAddUserToGroupRequest): any => ({
+  ...obj,
+  ...(obj.Username && { Username: SENSITIVE_STRING }),
+});
 
 /**
- * <p>Represents the request to sign out all devices.</p>
- * @public
+ * @internal
  */
-export interface GlobalSignOutRequest {
-  /**
-   * <p>A valid access token that Amazon Cognito issued to the user who you want to sign out.</p>
-   * @public
-   */
-  AccessToken: string | undefined;
-}
+export const AdminConfirmSignUpRequestFilterSensitiveLog = (obj: AdminConfirmSignUpRequest): any => ({
+  ...obj,
+  ...(obj.Username && { Username: SENSITIVE_STRING }),
+});
 
 /**
- * <p>The response to the request to sign out all devices.</p>
- * @public
+ * @internal
  */
-export interface GlobalSignOutResponse {}
+export const AttributeTypeFilterSensitiveLog = (obj: AttributeType): any => ({
+  ...obj,
+  ...(obj.Value && { Value: SENSITIVE_STRING }),
+});
 
 /**
- * <p>Initiates the authentication request.</p>
- * @public
- */
-export interface InitiateAuthRequest {
-  /**
-   * <p>The authentication flow for this call to run. The API action will depend on this
-   *             value. For example:</p>
-   *          <ul>
-   *             <li>
-   *                <p>
-   *                   <code>REFRESH_TOKEN_AUTH</code> takes in a valid refresh token and returns new
-   *                     tokens.</p>
-   *             </li>
-   *             <li>
-   *                <p>
-   *                   <code>USER_SRP_AUTH</code> takes in <code>USERNAME</code> and
-   *                         <code>SRP_A</code> and returns the SRP variables to be used for next
-   *                     challenge execution.</p>
-   *             </li>
-   *             <li>
-   *                <p>
-   *                   <code>USER_PASSWORD_AUTH</code> takes in <code>USERNAME</code> and
-   *                         <code>PASSWORD</code> and returns the next challenge or tokens.</p>
-   *             </li>
-   *          </ul>
-   *          <p>Valid values include:</p>
-   *          <ul>
-   *             <li>
-   *                <p>
-   *                   <code>USER_SRP_AUTH</code>: Authentication flow for the Secure Remote Password
-   *                     (SRP) protocol.</p>
-   *             </li>
-   *             <li>
-   *                <p>
-   *                   <code>REFRESH_TOKEN_AUTH</code>/<code>REFRESH_TOKEN</code>: Authentication
-   *                     flow for refreshing the access token and ID token by supplying a valid refresh
-   *                     token.</p>
-   *             </li>
-   *             <li>
-   *                <p>
-   *                   <code>CUSTOM_AUTH</code>: Custom authentication flow.</p>
-   *             </li>
-   *             <li>
-   *                <p>
-   *                   <code>USER_PASSWORD_AUTH</code>: Non-SRP authentication flow; user name and
-   *                     password are passed directly. If a user migration Lambda trigger is set, this
-   *                     flow will invoke the user migration Lambda if it doesn't find the user name in
-   *                     the user pool. </p>
-   *             </li>
-   *          </ul>
-   *          <p>
-   *             <code>ADMIN_NO_SRP_AUTH</code> isn't a valid value.</p>
-   * @public
-   */
-  AuthFlow: AuthFlowType | undefined;
-
-  /**
-   * <p>The authentication parameters. These are inputs corresponding to the
-   *                 <code>AuthFlow</code> that you're invoking. The required values depend on the value
-   *             of <code>AuthFlow</code>:</p>
-   *          <ul>
-   *             <li>
-   *                <p>For <code>USER_SRP_AUTH</code>: <code>USERNAME</code> (required),
-   *                         <code>SRP_A</code> (required), <code>SECRET_HASH</code> (required if the app
-   *                     client is configured with a client secret), <code>DEVICE_KEY</code>.</p>
-   *             </li>
-   *             <li>
-   *                <p>For <code>USER_PASSWORD_AUTH</code>: <code>USERNAME</code> (required),
-   *                         <code>PASSWORD</code> (required), <code>SECRET_HASH</code> (required if the
-   *                     app client is configured with a client secret), <code>DEVICE_KEY</code>.</p>
-   *             </li>
-   *             <li>
-   *                <p>For <code>REFRESH_TOKEN_AUTH/REFRESH_TOKEN</code>: <code>REFRESH_TOKEN</code>
-   *                     (required), <code>SECRET_HASH</code> (required if the app client is configured
-   *                     with a client secret), <code>DEVICE_KEY</code>.</p>
-   *             </li>
-   *             <li>
-   *                <p>For <code>CUSTOM_AUTH</code>: <code>USERNAME</code> (required),
-   *                         <code>SECRET_HASH</code> (if app client is configured with client secret),
-   *                         <code>DEVICE_KEY</code>. To start the authentication flow with password
-   *                     verification, include <code>ChallengeName: SRP_A</code> and <code>SRP_A: (The
-   *                         SRP_A Value)</code>.</p>
-   *             </li>
-   *          </ul>
-   *          <p>For more information about <code>SECRET_HASH</code>, see <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/signing-up-users-in-your-app.html#cognito-user-pools-computing-secret-hash">Computing secret hash values</a>. For information about
-   *             <code>DEVICE_KEY</code>, see <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-device-tracking.html">Working with user devices in your user pool</a>.</p>
-   * @public
-   */
-  AuthParameters?: Record<string, string> | undefined;
-
-  /**
-   * <p>A map of custom key-value pairs that you can provide as input for certain custom
-   *             workflows that this action triggers.</p>
-   *          <p>You create custom workflows by assigning Lambda functions to user pool triggers.
-   *             When you use the InitiateAuth API action, Amazon Cognito invokes the Lambda functions that are
-   *             specified for various triggers. The ClientMetadata value is passed as input to the
-   *             functions for only the following triggers:</p>
-   *          <ul>
-   *             <li>
-   *                <p>Pre signup</p>
-   *             </li>
-   *             <li>
-   *                <p>Pre authentication</p>
-   *             </li>
-   *             <li>
-   *                <p>User migration</p>
-   *             </li>
-   *          </ul>
-   *          <p>When Amazon Cognito invokes the functions for these triggers, it passes a JSON payload, which
-   *             the function receives as input. This payload contains a <code>validationData</code>
-   *             attribute, which provides the data that you assigned to the ClientMetadata parameter in
-   *             your InitiateAuth request. In your function code in Lambda, you can process the
-   *                 <code>validationData</code> value to enhance your workflow for your specific
-   *             needs.</p>
-   *          <p>When you use the InitiateAuth API action, Amazon Cognito also invokes the functions for the
-   *             following triggers, but it doesn't provide the ClientMetadata value as input:</p>
-   *          <ul>
-   *             <li>
-   *                <p>Post authentication</p>
-   *             </li>
-   *             <li>
-   *                <p>Custom message</p>
-   *             </li>
-   *             <li>
-   *                <p>Pre token generation</p>
-   *             </li>
-   *             <li>
-   *                <p>Create auth challenge</p>
-   *             </li>
-   *             <li>
-   *                <p>Define auth challenge</p>
-   *             </li>
-   *          </ul>
-   *          <p>For more information, see <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html">
-   * Customizing user pool Workflows with Lambda Triggers</a> in the <i>Amazon Cognito Developer Guide</i>.</p>
-   *          <note>
-   *             <p>When you use the ClientMetadata parameter, remember that Amazon Cognito won't do the
-   *                 following:</p>
-   *             <ul>
-   *                <li>
-   *                   <p>Store the ClientMetadata value. This data is available only to Lambda
-   *                         triggers that are assigned to a user pool to support custom workflows. If
-   *                         your user pool configuration doesn't include triggers, the ClientMetadata
-   *                         parameter serves no purpose.</p>
-   *                </li>
-   *                <li>
-   *                   <p>Validate the ClientMetadata value.</p>
-   *                </li>
-   *                <li>
-   *                   <p>Encrypt the ClientMetadata value. Don't use Amazon Cognito to provide sensitive
-   *                         information.</p>
-   *                </li>
-   *             </ul>
-   *          </note>
-   * @public
-   */
-  ClientMetadata?: Record<string, string> | undefined;
-
-  /**
-   * <p>The app client ID.</p>
-   * @public
-   */
-  ClientId: string | undefined;
-
-  /**
-   * <p>The Amazon Pinpoint analytics metadata that contributes to your metrics for
-   *                 <code>InitiateAuth</code> calls.</p>
-   * @public
-   */
-  AnalyticsMetadata?: AnalyticsMetadataType | undefined;
-
-  /**
-   * <p>Contextual data about your user session, such as the device fingerprint, IP address, or location. Amazon Cognito advanced
-   * security evaluates the risk of an authentication event based on the context that your app generates and passes to Amazon Cognito
-   * when it makes API requests.</p>
-   * @public
-   */
-  UserContextData?: UserContextDataType | undefined;
-}
-
-/**
- * <p>Initiates the authentication response.</p>
- * @public
- */
-export interface InitiateAuthResponse {
-  /**
-   * <p>The name of the challenge that you're responding to with this call. This name is
-   *             returned in the <code>InitiateAuth</code> response if you must pass another
-   *             challenge.</p>
-   *          <p>Valid values include the following:</p>
-   *          <note>
-   *             <p>All of the following challenges require <code>USERNAME</code> and
-   *                     <code>SECRET_HASH</code> (if applicable) in the parameters.</p>
-   *          </note>
-   *          <ul>
-   *             <li>
-   *                <p>
-   *                   <code>SMS_MFA</code>: Next challenge is to supply an
-   *                     <code>SMS_MFA_CODE</code>that your user pool delivered
-   *                     in an SMS message.</p>
-   *             </li>
-   *             <li>
-   *                <p>
-   *                   <code>EMAIL_OTP</code>: Next challenge is to supply an
-   *                     <code>EMAIL_OTP_CODE</code> that your user pool delivered
-   *                     in an email message.</p>
-   *             </li>
-   *             <li>
-   *                <p>
-   *                   <code>PASSWORD_VERIFIER</code>: Next challenge is to supply
-   *                         <code>PASSWORD_CLAIM_SIGNATURE</code>,
-   *                         <code>PASSWORD_CLAIM_SECRET_BLOCK</code>, and <code>TIMESTAMP</code> after
-   *                     the client-side SRP calculations.</p>
-   *             </li>
-   *             <li>
-   *                <p>
-   *                   <code>CUSTOM_CHALLENGE</code>: This is returned if your custom authentication
-   *                     flow determines that the user should pass another challenge before tokens are
-   *                     issued.</p>
-   *             </li>
-   *             <li>
-   *                <p>
-   *                   <code>DEVICE_SRP_AUTH</code>: If device tracking was activated on your user
-   *                     pool and the previous challenges were passed, this challenge is returned so that
-   *                     Amazon Cognito can start tracking this device.</p>
-   *             </li>
-   *             <li>
-   *                <p>
-   *                   <code>DEVICE_PASSWORD_VERIFIER</code>: Similar to
-   *                         <code>PASSWORD_VERIFIER</code>, but for devices only.</p>
-   *             </li>
-   *             <li>
-   *                <p>
-   *                   <code>NEW_PASSWORD_REQUIRED</code>: For users who are required to change their
-   *                     passwords after successful first login. </p>
-   *                <p>Respond to this challenge with <code>NEW_PASSWORD</code> and any required
-   *                     attributes that Amazon Cognito returned in the <code>requiredAttributes</code> parameter.
-   *                     You can also set values for attributes that aren't required by your user pool
-   *                     and that your app client can write. For more information, see <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_RespondToAuthChallenge.html">RespondToAuthChallenge</a>.</p>
-   *                <note>
-   *                   <p>In a <code>NEW_PASSWORD_REQUIRED</code> challenge response, you can't modify a required attribute that already has a value.
-   * In <code>RespondToAuthChallenge</code>, set a value for any keys that Amazon Cognito returned in the <code>requiredAttributes</code> parameter,
-   * then use the <code>UpdateUserAttributes</code> API operation to modify the value of any additional attributes.</p>
-   *                </note>
-   *             </li>
-   *             <li>
-   *                <p>
-   *                   <code>MFA_SETUP</code>: For users who are required to setup an MFA factor
-   *                     before they can sign in. The MFA types activated for the user pool will be
-   *                     listed in the challenge parameters <code>MFAS_CAN_SETUP</code> value. </p>
-   *                <p> To set up software token MFA, use the session returned here from
-   *                         <code>InitiateAuth</code> as an input to
-   *                     <code>AssociateSoftwareToken</code>. Use the session returned by
-   *                         <code>VerifySoftwareToken</code> as an input to
-   *                         <code>RespondToAuthChallenge</code> with challenge name
-   *                         <code>MFA_SETUP</code> to complete sign-in. To set up SMS MFA, an
-   *                     administrator should help the user to add a phone number to their account, and
-   *                     then the user should call <code>InitiateAuth</code> again to restart
-   *                     sign-in.</p>
-   *             </li>
-   *          </ul>
-   * @public
-   */
-  ChallengeName?: ChallengeNameType | undefined;
-
-  /**
-   * <p>The session that should pass both ways in challenge-response calls to the service. If
-   *             the caller must pass another challenge, they return a session with other challenge
-   *             parameters. This session should be passed as it is to the next
-   *                 <code>RespondToAuthChallenge</code> API call.</p>
-   * @public
-   */
-  Session?: string | undefined;
-
-  /**
-   * <p>The challenge parameters. These are returned in the <code>InitiateAuth</code> response
-   *             if you must pass another challenge. The responses in this parameter should be used to
-   *             compute inputs to the next call (<code>RespondToAuthChallenge</code>). </p>
-   *          <p>All challenges require <code>USERNAME</code> and <code>SECRET_HASH</code> (if
-   *             applicable).</p>
-   * @public
-   */
-  ChallengeParameters?: Record<string, string> | undefined;
-
-  /**
-   * <p>The result of the authentication response. This result is only returned if the caller
-   *             doesn't need to pass another challenge. If the caller does need to pass another
-   *             challenge before it gets tokens, <code>ChallengeName</code>,
-   *                 <code>ChallengeParameters</code>, and <code>Session</code> are returned.</p>
-   * @public
-   */
-  AuthenticationResult?: AuthenticationResultType | undefined;
-}
-
-/**
- * <p>Represents the request to list the devices.</p>
- * @public
- */
-export interface ListDevicesRequest {
-  /**
-   * <p>A valid access token that Amazon Cognito issued to the user whose list of devices you want to
-   *             view.</p>
-   * @public
-   */
-  AccessToken: string | undefined;
-
-  /**
-   * <p>The limit of the device request.</p>
-   * @public
-   */
-  Limit?: number | undefined;
-
-  /**
-   * <p>This API operation returns a limited number of results. The pagination token is
-   * an identifier that you can present in an additional API request with the same parameters. When
-   * you include the pagination token, Amazon Cognito returns the next set of items after the current list.
-   * Subsequent requests return a new pagination token. By use of this token, you can paginate
-   * through the full list of items.</p>
-   * @public
-   */
-  PaginationToken?: string | undefined;
-}
-
-/**
- * <p>Represents the response to list devices.</p>
- * @public
- */
-export interface ListDevicesResponse {
-  /**
-   * <p>The devices returned in the list devices response.</p>
-   * @public
-   */
-  Devices?: DeviceType[] | undefined;
-
-  /**
-   * <p>The identifier that Amazon Cognito returned with the previous request to this operation. When
-   * you include a pagination token in your request, Amazon Cognito returns the next set of items in
-   * the list. By use of this token, you can paginate through the full list of items.</p>
-   * @public
-   */
-  PaginationToken?: string | undefined;
-}
-
-/**
- * @public
- */
-export interface ListGroupsRequest {
-  /**
-   * <p>The user pool ID for the user pool.</p>
-   * @public
-   */
-  UserPoolId: string | undefined;
-
-  /**
-   * <p>The limit of the request to list groups.</p>
-   * @public
-   */
-  Limit?: number | undefined;
-
-  /**
-   * <p>An identifier that was returned from the previous call to this operation, which can be
-   *             used to return the next set of items in the list.</p>
-   * @public
-   */
-  NextToken?: string | undefined;
-}
-
-/**
- * @public
- */
-export interface ListGroupsResponse {
-  /**
-   * <p>The group objects for the groups.</p>
-   * @public
-   */
-  Groups?: GroupType[] | undefined;
-
-  /**
-   * <p>An identifier that was returned from the previous call to this operation, which can be
-   *             used to return the next set of items in the list.</p>
-   * @public
-   */
-  NextToken?: string | undefined;
-}
-
-/**
- * @public
- */
-export interface ListIdentityProvidersRequest {
-  /**
-   * <p>The user pool ID.</p>
-   * @public
-   */
-  UserPoolId: string | undefined;
-
-  /**
-   * <p>The maximum number of IdPs to return.</p>
-   * @public
-   */
-  MaxResults?: number | undefined;
-
-  /**
-   * <p>A pagination token.</p>
-   * @public
-   */
-  NextToken?: string | undefined;
-}
-
-/**
- * <p>A container for IdP details.</p>
- * @public
- */
-export interface ProviderDescription {
-  /**
-   * <p>The IdP name.</p>
-   * @public
-   */
-  ProviderName?: string | undefined;
-
-  /**
-   * <p>The IdP type.</p>
-   * @public
-   */
-  ProviderType?: IdentityProviderTypeType | undefined;
-
-  /**
-   * <p>The date the provider was last modified.</p>
-   * @public
-   */
-  LastModifiedDate?: Date | undefined;
-
-  /**
-   * <p>The date and time when the item was created. Amazon Cognito returns this timestamp in UNIX epoch time format. Your SDK might render the output in a
-   * human-readable format like ISO 8601 or a Java <code>Date</code> object.</p>
-   * @public
-   */
-  CreationDate?: Date | undefined;
-}
-
-/**
- * @public
- */
-export interface ListIdentityProvidersResponse {
-  /**
-   * <p>A list of IdP objects.</p>
-   * @public
-   */
-  Providers: ProviderDescription[] | undefined;
-
-  /**
-   * <p>A pagination token.</p>
-   * @public
-   */
-  NextToken?: string | undefined;
-}
-
-/**
- * @public
- */
-export interface ListResourceServersRequest {
-  /**
-   * <p>The user pool ID for the user pool.</p>
-   * @public
-   */
-  UserPoolId: string | undefined;
-
-  /**
-   * <p>The maximum number of resource servers to return.</p>
-   * @public
-   */
-  MaxResults?: number | undefined;
-
-  /**
-   * <p>A pagination token.</p>
-   * @public
-   */
-  NextToken?: string | undefined;
-}
-
-/**
- * @public
- */
-export interface ListResourceServersResponse {
-  /**
-   * <p>The resource servers.</p>
-   * @public
-   */
-  ResourceServers: ResourceServerType[] | undefined;
-
-  /**
-   * <p>A pagination token.</p>
-   * @public
-   */
-  NextToken?: string | undefined;
-}
-
-/**
- * @public
- */
-export interface ListTagsForResourceRequest {
-  /**
-   * <p>The Amazon Resource Name (ARN) of the user pool that the tags are assigned to.</p>
-   * @public
-   */
-  ResourceArn: string | undefined;
-}
-
-/**
- * @public
- */
-export interface ListTagsForResourceResponse {
-  /**
-   * <p>The tags that are assigned to the user pool.</p>
-   * @public
-   */
-  Tags?: Record<string, string> | undefined;
-}
-
-/**
- * <p>Represents the request to list the user import jobs.</p>
- * @public
- */
-export interface ListUserImportJobsRequest {
-  /**
-   * <p>The user pool ID for the user pool that the users are being imported into.</p>
-   * @public
-   */
-  UserPoolId: string | undefined;
-
-  /**
-   * <p>The maximum number of import jobs you want the request to return.</p>
-   * @public
-   */
-  MaxResults: number | undefined;
-
-  /**
-   * <p>This API operation returns a limited number of results. The pagination token is
-   * an identifier that you can present in an additional API request with the same parameters. When
-   * you include the pagination token, Amazon Cognito returns the next set of items after the current list.
-   * Subsequent requests return a new pagination token. By use of this token, you can paginate
-   * through the full list of items.</p>
-   * @public
-   */
-  PaginationToken?: string | undefined;
-}
-
-/**
- * <p>Represents the response from the server to the request to list the user import
- *             jobs.</p>
- * @public
- */
-export interface ListUserImportJobsResponse {
-  /**
-   * <p>The user import jobs.</p>
-   * @public
-   */
-  UserImportJobs?: UserImportJobType[] | undefined;
-
-  /**
-   * <p>The identifier that Amazon Cognito returned with the previous request to this operation. When
-   * you include a pagination token in your request, Amazon Cognito returns the next set of items in
-   * the list. By use of this token, you can paginate through the full list of items.</p>
-   * @public
-   */
-  PaginationToken?: string | undefined;
-}
-
-/**
- * <p>Represents the request to list the user pool clients.</p>
- * @public
- */
-export interface ListUserPoolClientsRequest {
-  /**
-   * <p>The user pool ID for the user pool where you want to list user pool clients.</p>
-   * @public
-   */
-  UserPoolId: string | undefined;
-
-  /**
-   * <p>The maximum number of results you want the request to return when listing the user
-   *             pool clients.</p>
-   * @public
-   */
-  MaxResults?: number | undefined;
-
-  /**
-   * <p>An identifier that was returned from the previous call to this operation, which can be
-   *             used to return the next set of items in the list.</p>
-   * @public
-   */
-  NextToken?: string | undefined;
-}
-
-/**
- * <p>The description of the user pool client.</p>
- * @public
- */
-export interface UserPoolClientDescription {
-  /**
-   * <p>The ID of the client associated with the user pool.</p>
-   * @public
-   */
-  ClientId?: string | undefined;
-
-  /**
-   * <p>The user pool ID for the user pool where you want to describe the user pool
-   *             client.</p>
-   * @public
-   */
-  UserPoolId?: string | undefined;
-
-  /**
-   * <p>The client name from the user pool client description.</p>
-   * @public
-   */
-  ClientName?: string | undefined;
-}
-
-/**
- * <p>Represents the response from the server that lists user pool clients.</p>
- * @public
- */
-export interface ListUserPoolClientsResponse {
-  /**
-   * <p>The user pool clients in the response that lists user pool clients.</p>
-   * @public
-   */
-  UserPoolClients?: UserPoolClientDescription[] | undefined;
-
-  /**
-   * <p>An identifier that was returned from the previous call to this operation, which can be
-   *             used to return the next set of items in the list.</p>
-   * @public
-   */
-  NextToken?: string | undefined;
-}
-
-/**
- * <p>Represents the request to list user pools.</p>
- * @public
- */
-export interface ListUserPoolsRequest {
-  /**
-   * <p>An identifier that was returned from the previous call to this operation, which can be
-   *             used to return the next set of items in the list.</p>
-   * @public
-   */
-  NextToken?: string | undefined;
-
-  /**
-   * <p>The maximum number of results you want the request to return when listing the user
-   *             pools.</p>
-   * @public
-   */
-  MaxResults: number | undefined;
-}
-
-/**
- * <p>A user pool description.</p>
- * @public
- */
-export interface UserPoolDescriptionType {
-  /**
-   * <p>The ID in a user pool description.</p>
-   * @public
-   */
-  Id?: string | undefined;
-
-  /**
-   * <p>The name in a user pool description.</p>
-   * @public
-   */
-  Name?: string | undefined;
-
-  /**
-   * <p>The Lambda configuration information in a user pool description.</p>
-   * @public
-   */
-  LambdaConfig?: LambdaConfigType | undefined;
-
-  /**
-   * @deprecated
-   *
-   * <p>The user pool status in a user pool description.</p>
-   * @public
-   */
-  Status?: StatusType | undefined;
-
-  /**
-   * <p>The date and time when the item was modified. Amazon Cognito returns this timestamp in UNIX epoch time format. Your SDK might render the output in a
-   * human-readable format like ISO 8601 or a Java <code>Date</code> object.</p>
-   * @public
-   */
-  LastModifiedDate?: Date | undefined;
-
-  /**
-   * <p>The date and time when the item was created. Amazon Cognito returns this timestamp in UNIX epoch time format. Your SDK might render the output in a
-   * human-readable format like ISO 8601 or a Java <code>Date</code> object.</p>
-   * @public
-   */
-  CreationDate?: Date | undefined;
-}
-
-/**
- * <p>Represents the response to list user pools.</p>
- * @public
- */
-export interface ListUserPoolsResponse {
-  /**
-   * <p>The user pools from the response to list users.</p>
-   * @public
-   */
-  UserPools?: UserPoolDescriptionType[] | undefined;
-
-  /**
-   * <p>An identifier that was returned from the previous call to this operation, which can be
-   *             used to return the next set of items in the list.</p>
-   * @public
-   */
-  NextToken?: string | undefined;
-}
-
-/**
- * <p>Represents the request to list users.</p>
- * @public
- */
-export interface ListUsersRequest {
-  /**
-   * <p>The user pool ID for the user pool on which the search should be performed.</p>
-   * @public
-   */
-  UserPoolId: string | undefined;
-
-  /**
-   * <p>A JSON array of user attribute names, for example <code>given_name</code>, that you
-   *             want Amazon Cognito to include in the response for each user. When you don't provide an
-   *                 <code>AttributesToGet</code> parameter, Amazon Cognito returns all attributes for each
-   *             user.</p>
-   *          <p>Use <code>AttributesToGet</code> with required attributes in your user pool, or in
-   *             conjunction with <code>Filter</code>. Amazon Cognito returns an error if not all users in the
-   *             results have set a value for the attribute you request. Attributes that you can't
-   *             filter on, including custom attributes, must have a value set in every user profile
-   *             before an <code>AttributesToGet</code> parameter returns results.</p>
-   * @public
-   */
-  AttributesToGet?: string[] | undefined;
-
-  /**
-   * <p>Maximum number of users to be returned.</p>
-   * @public
-   */
-  Limit?: number | undefined;
-
-  /**
-   * <p>This API operation returns a limited number of results. The pagination token is
-   * an identifier that you can present in an additional API request with the same parameters. When
-   * you include the pagination token, Amazon Cognito returns the next set of items after the current list.
-   * Subsequent requests return a new pagination token. By use of this token, you can paginate
-   * through the full list of items.</p>
-   * @public
-   */
-  PaginationToken?: string | undefined;
-
-  /**
-   * <p>A filter string of the form "<i>AttributeName</i>
-   *             <i>Filter-Type</i> "<i>AttributeValue</i>"". Quotation marks
-   *             within the filter string must be escaped using the backslash (<code>\</code>) character.
-   *             For example, <code>"family_name = \"Reddy\""</code>.</p>
-   *          <ul>
-   *             <li>
-   *                <p>
-   *                   <i>AttributeName</i>: The name of the attribute to search for.
-   *                     You can only search for one attribute at a time.</p>
-   *             </li>
-   *             <li>
-   *                <p>
-   *                   <i>Filter-Type</i>: For an exact match, use <code>=</code>, for
-   *                     example, "<code>given_name = \"Jon\"</code>". For a prefix ("starts with")
-   *                     match, use <code>^=</code>, for example, "<code>given_name ^= \"Jon\"</code>".
-   *                 </p>
-   *             </li>
-   *             <li>
-   *                <p>
-   *                   <i>AttributeValue</i>: The attribute value that must be matched
-   *                     for each user.</p>
-   *             </li>
-   *          </ul>
-   *          <p>If the filter string is empty, <code>ListUsers</code> returns all users in the user
-   *             pool.</p>
-   *          <p>You can only search for the following standard attributes:</p>
-   *          <ul>
-   *             <li>
-   *                <p>
-   *                   <code>username</code> (case-sensitive)</p>
-   *             </li>
-   *             <li>
-   *                <p>
-   *                   <code>email</code>
-   *                </p>
-   *             </li>
-   *             <li>
-   *                <p>
-   *                   <code>phone_number</code>
-   *                </p>
-   *             </li>
-   *             <li>
-   *                <p>
-   *                   <code>name</code>
-   *                </p>
-   *             </li>
-   *             <li>
-   *                <p>
-   *                   <code>given_name</code>
-   *                </p>
-   *             </li>
-   *             <li>
-   *                <p>
-   *                   <code>family_name</code>
-   *                </p>
-   *             </li>
-   *             <li>
-   *                <p>
-   *                   <code>preferred_username</code>
-   *                </p>
-   *             </li>
-   *             <li>
-   *                <p>
-   *                   <code>cognito:user_status</code> (called <b>Status</b> in the Console) (case-insensitive)</p>
-   *             </li>
-   *             <li>
-   *                <p>
-   *                   <code>status (called <b>Enabled</b> in the Console)
-   *                         (case-sensitive)</code>
-   *                </p>
-   *             </li>
-   *             <li>
-   *                <p>
-   *                   <code>sub</code>
-   *                </p>
-   *             </li>
-   *          </ul>
-   *          <p>Custom attributes aren't searchable.</p>
-   *          <note>
-   *             <p>You can also list users with a client-side filter. The server-side filter matches
-   *                 no more than one attribute. For an advanced search, use a client-side filter with
-   *                 the <code>--query</code> parameter of the <code>list-users</code> action in the
-   *                 CLI. When you use a client-side filter, ListUsers returns a paginated list of zero
-   *                 or more users. You can receive multiple pages in a row with zero results. Repeat the
-   *                 query with each pagination token that is returned until you receive a null
-   *                 pagination token value, and then review the combined result. </p>
-   *             <p>For more information about server-side and client-side filtering, see <a href="https://docs.aws.amazon.com/cli/latest/userguide/cli-usage-filter.html">FilteringCLI output</a> in the <a href="https://docs.aws.amazon.com/cli/latest/userguide/cli-usage-filter.html">Command Line Interface
-   *                     User Guide</a>. </p>
-   *          </note>
-   *          <p>For more information, see <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/how-to-manage-user-accounts.html#cognito-user-pools-searching-for-users-using-listusers-api">Searching for Users Using the ListUsers API</a> and <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/how-to-manage-user-accounts.html#cognito-user-pools-searching-for-users-listusers-api-examples">Examples of Using the ListUsers API</a> in the <i>Amazon Cognito Developer
-   *                 Guide</i>.</p>
-   * @public
-   */
-  Filter?: string | undefined;
-}
-
-/**
- * <p>The response from the request to list users.</p>
- * @public
- */
-export interface ListUsersResponse {
-  /**
-   * <p>A list of the user pool users, and their attributes, that match your query.</p>
-   *          <note>
-   *             <p>Amazon Cognito creates a profile in your user pool for each native user in your user pool,
-   *                 and each unique user ID from your third-party identity providers (IdPs). When you
-   *                 link users with the <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminLinkProviderForUser.html">AdminLinkProviderForUser</a> API operation, the output of
-   *                     <code>ListUsers</code> displays both the IdP user and the native user that you
-   *                 linked. You can identify IdP users in the <code>Users</code> object of this API
-   *                 response by the IdP prefix that Amazon Cognito appends to <code>Username</code>.</p>
-   *          </note>
-   * @public
-   */
-  Users?: UserType[] | undefined;
-
-  /**
-   * <p>The identifier that Amazon Cognito returned with the previous request to this operation. When
-   * you include a pagination token in your request, Amazon Cognito returns the next set of items in
-   * the list. By use of this token, you can paginate through the full list of items.</p>
-   * @public
-   */
-  PaginationToken?: string | undefined;
-}
-
-/**
- * @public
- */
-export interface ListUsersInGroupRequest {
-  /**
-   * <p>The user pool ID for the user pool.</p>
-   * @public
-   */
-  UserPoolId: string | undefined;
-
-  /**
-   * <p>The name of the group.</p>
-   * @public
-   */
-  GroupName: string | undefined;
-
-  /**
-   * <p>The maximum number of users that you want to retrieve before pagination.</p>
-   * @public
-   */
-  Limit?: number | undefined;
-
-  /**
-   * <p>An identifier that was returned from the previous call to this operation, which can be
-   *             used to return the next set of items in the list.</p>
-   * @public
-   */
-  NextToken?: string | undefined;
-}
-
-/**
- * @public
- */
-export interface ListUsersInGroupResponse {
-  /**
-   * <p>A list of users in the group, and their attributes.</p>
-   * @public
-   */
-  Users?: UserType[] | undefined;
-
-  /**
-   * <p>An identifier that you can use in a later request to return the next set of items in
-   *             the list.</p>
-   * @public
-   */
-  NextToken?: string | undefined;
-}
-
-/**
- * <p>Represents the request to resend the confirmation code.</p>
- * @public
- */
-export interface ResendConfirmationCodeRequest {
-  /**
-   * <p>The ID of the client associated with the user pool.</p>
-   * @public
-   */
-  ClientId: string | undefined;
-
-  /**
-   * <p>A keyed-hash message authentication code (HMAC) calculated using the secret key of a
-   *             user pool client and username plus the client ID in the message.</p>
-   * @public
-   */
-  SecretHash?: string | undefined;
-
-  /**
-   * <p>Contextual data about your user session, such as the device fingerprint, IP address, or location. Amazon Cognito advanced
-   * security evaluates the risk of an authentication event based on the context that your app generates and passes to Amazon Cognito
-   * when it makes API requests.</p>
-   * @public
-   */
-  UserContextData?: UserContextDataType | undefined;
-
-  /**
-   * <p>The username of the user that you want to query or modify. The value of this parameter
-   *             is typically your user's username, but it can be any of their alias attributes. If
-   *                 <code>username</code> isn't an alias attribute in your user pool, this value
-   *             must be the <code>sub</code> of a local user or the username of a user from a
-   *             third-party IdP.</p>
-   * @public
-   */
-  Username: string | undefined;
-
-  /**
-   * <p>The Amazon Pinpoint analytics metadata that contributes to your metrics for
-   *                 <code>ResendConfirmationCode</code> calls.</p>
-   * @public
-   */
-  AnalyticsMetadata?: AnalyticsMetadataType | undefined;
-
-  /**
-   * <p>A map of custom key-value pairs that you can provide as input for any custom workflows
-   *             that this action triggers.</p>
-   *          <p>You create custom workflows by assigning Lambda functions to user pool triggers.
-   *             When you use the ResendConfirmationCode API action, Amazon Cognito invokes the function that is
-   *             assigned to the <i>custom message</i> trigger. When Amazon Cognito invokes this
-   *             function, it passes a JSON payload, which the function receives as input. This payload
-   *             contains a <code>clientMetadata</code> attribute, which provides the data that you
-   *             assigned to the ClientMetadata parameter in your ResendConfirmationCode request. In your
-   *             function code in Lambda, you can process the <code>clientMetadata</code> value to enhance
-   *             your workflow for your specific needs.</p>
-   *          <p>For more information, see <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html">
-   * Customizing user pool Workflows with Lambda Triggers</a> in the <i>Amazon Cognito Developer Guide</i>.</p>
-   *          <note>
-   *             <p>When you use the ClientMetadata parameter, remember that Amazon Cognito won't do the
-   *                 following:</p>
-   *             <ul>
-   *                <li>
-   *                   <p>Store the ClientMetadata value. This data is available only to Lambda
-   *                         triggers that are assigned to a user pool to support custom workflows. If
-   *                         your user pool configuration doesn't include triggers, the ClientMetadata
-   *                         parameter serves no purpose.</p>
-   *                </li>
-   *                <li>
-   *                   <p>Validate the ClientMetadata value.</p>
-   *                </li>
-   *                <li>
-   *                   <p>Encrypt the ClientMetadata value. Don't use Amazon Cognito to provide sensitive
-   *                         information.</p>
-   *                </li>
-   *             </ul>
-   *          </note>
-   * @public
-   */
-  ClientMetadata?: Record<string, string> | undefined;
-}
-
-/**
- * <p>The response from the server when Amazon Cognito makes the request to resend a confirmation
- *             code.</p>
- * @public
- */
-export interface ResendConfirmationCodeResponse {
-  /**
-   * <p>The code delivery details returned by the server in response to the request to resend
-   *             the confirmation code.</p>
-   * @public
-   */
-  CodeDeliveryDetails?: CodeDeliveryDetailsType | undefined;
-}
-
-/**
- * <p>The request to respond to an authentication challenge.</p>
- * @public
- */
-export interface RespondToAuthChallengeRequest {
-  /**
-   * <p>The app client ID.</p>
-   * @public
-   */
-  ClientId: string | undefined;
-
-  /**
-   * <p>The challenge name. For more information, see <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_InitiateAuth.html">InitiateAuth</a>.</p>
-   *          <p>
-   *             <code>ADMIN_NO_SRP_AUTH</code> isn't a valid value.</p>
-   * @public
-   */
-  ChallengeName: ChallengeNameType | undefined;
-
-  /**
-   * <p>The session that should be passed both ways in challenge-response calls to the
-   *             service. If <code>InitiateAuth</code> or <code>RespondToAuthChallenge</code> API call
-   *             determines that the caller must pass another challenge, they return a session with other
-   *             challenge parameters. This session should be passed as it is to the next
-   *                 <code>RespondToAuthChallenge</code> API call.</p>
-   * @public
-   */
-  Session?: string | undefined;
-
-  /**
-   * <p>The responses to the challenge that you received in the previous request. Each
-   *     challenge has its own required response parameters. The following examples are partial
-   *     JSON request bodies that highlight challenge-response parameters.</p>
-   *          <important>
-   *             <p>You must provide a SECRET_HASH parameter in all challenge responses to an app
-   *         client that has a client secret.</p>
-   *          </important>
-   *          <dl>
-   *             <dt>SMS_MFA</dt>
-   *             <dd>
-   *                <p>
-   *                   <code>"ChallengeName": "SMS_MFA", "ChallengeResponses": \{"SMS_MFA_CODE":
-   *                     "[code]", "USERNAME": "[username]"\}</code>
-   *                </p>
-   *             </dd>
-   *             <dt>EMAIL_OTP</dt>
-   *             <dd>
-   *                <p>
-   *                   <code>"ChallengeName": "EMAIL_OTP", "ChallengeResponses": \{"EMAIL_OTP_CODE":
-   *                     "[code]", "USERNAME": "[username]"\}</code>
-   *                </p>
-   *             </dd>
-   *             <dt>PASSWORD_VERIFIER</dt>
-   *             <dd>
-   *                <p>This challenge response is part of the SRP flow. Amazon Cognito requires
-   *             that your application respond to this challenge within a few seconds. When
-   *             the response time exceeds this period, your user pool returns a
-   *             <code>NotAuthorizedException</code> error.</p>
-   *                <p>
-   *                   <code>"ChallengeName": "PASSWORD_VERIFIER", "ChallengeResponses":
-   *                     \{"PASSWORD_CLAIM_SIGNATURE": "[claim_signature]",
-   *                     "PASSWORD_CLAIM_SECRET_BLOCK": "[secret_block]", "TIMESTAMP":
-   *                     [timestamp], "USERNAME": "[username]"\}</code>
-   *                </p>
-   *                <p>Add <code>"DEVICE_KEY"</code> when you sign in with a remembered
-   *                 device.</p>
-   *             </dd>
-   *             <dt>CUSTOM_CHALLENGE</dt>
-   *             <dd>
-   *                <p>
-   *                   <code>"ChallengeName": "CUSTOM_CHALLENGE", "ChallengeResponses":
-   *                     \{"USERNAME": "[username]", "ANSWER": "[challenge_answer]"\}</code>
-   *                </p>
-   *                <p>Add <code>"DEVICE_KEY"</code> when you sign in with a remembered
-   *                 device.</p>
-   *             </dd>
-   *             <dt>NEW_PASSWORD_REQUIRED</dt>
-   *             <dd>
-   *                <p>
-   *                   <code>"ChallengeName": "NEW_PASSWORD_REQUIRED", "ChallengeResponses":
-   *                     \{"NEW_PASSWORD": "[new_password]", "USERNAME":
-   *                 "[username]"\}</code>
-   *                </p>
-   *                <p>To set any required attributes that <code>InitiateAuth</code> returned in
-   *                 an <code>requiredAttributes</code> parameter, add
-   *                     <code>"userAttributes.[attribute_name]": "[attribute_value]"</code>.
-   *                 This parameter can also set values for writable attributes that aren't
-   *                 required by your user pool.</p>
-   *                <note>
-   *                   <p>In a <code>NEW_PASSWORD_REQUIRED</code> challenge response, you can't modify a required attribute that already has a value.
-   * In <code>RespondToAuthChallenge</code>, set a value for any keys that Amazon Cognito returned in the <code>requiredAttributes</code> parameter,
-   * then use the <code>UpdateUserAttributes</code> API operation to modify the value of any additional attributes.</p>
-   *                </note>
-   *             </dd>
-   *             <dt>SOFTWARE_TOKEN_MFA</dt>
-   *             <dd>
-   *                <p>
-   *                   <code>"ChallengeName": "SOFTWARE_TOKEN_MFA", "ChallengeResponses":
-   *                     \{"USERNAME": "[username]", "SOFTWARE_TOKEN_MFA_CODE":
-   *                     [authenticator_code]\}</code>
-   *                </p>
-   *             </dd>
-   *             <dt>DEVICE_SRP_AUTH</dt>
-   *             <dd>
-   *                <p>
-   *                   <code>"ChallengeName": "DEVICE_SRP_AUTH", "ChallengeResponses": \{"USERNAME":
-   *                 "[username]", "DEVICE_KEY": "[device_key]", "SRP_A":
-   *                 "[srp_a]"\}</code>
-   *                </p>
-   *             </dd>
-   *             <dt>DEVICE_PASSWORD_VERIFIER</dt>
-   *             <dd>
-   *                <p>
-   *                   <code>"ChallengeName": "DEVICE_PASSWORD_VERIFIER", "ChallengeResponses":
-   *                 \{"DEVICE_KEY": "[device_key]", "PASSWORD_CLAIM_SIGNATURE":
-   *                 "[claim_signature]", "PASSWORD_CLAIM_SECRET_BLOCK": "[secret_block]",
-   *                 "TIMESTAMP": [timestamp], "USERNAME": "[username]"\}</code>
-   *                </p>
-   *             </dd>
-   *             <dt>MFA_SETUP</dt>
-   *             <dd>
-   *                <p>
-   *                   <code>"ChallengeName": "MFA_SETUP", "ChallengeResponses": \{"USERNAME":
-   *                 "[username]"\}, "SESSION": "[Session ID from
-   *                 VerifySoftwareToken]"</code>
-   *                </p>
-   *             </dd>
-   *             <dt>SELECT_MFA_TYPE</dt>
-   *             <dd>
-   *                <p>
-   *                   <code>"ChallengeName": "SELECT_MFA_TYPE", "ChallengeResponses": \{"USERNAME":
-   *                 "[username]", "ANSWER": "[SMS_MFA or SOFTWARE_TOKEN_MFA]"\}</code>
-   *                </p>
-   *             </dd>
-   *          </dl>
-   *          <p>For more information about <code>SECRET_HASH</code>, see <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/signing-up-users-in-your-app.html#cognito-user-pools-computing-secret-hash">Computing secret hash values</a>. For information about
-   *     <code>DEVICE_KEY</code>, see <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-device-tracking.html">Working with user devices in your user pool</a>.</p>
-   * @public
-   */
-  ChallengeResponses?: Record<string, string> | undefined;
-
-  /**
-   * <p>The Amazon Pinpoint analytics metadata that contributes to your metrics for
-   *                 <code>RespondToAuthChallenge</code> calls.</p>
-   * @public
-   */
-  AnalyticsMetadata?: AnalyticsMetadataType | undefined;
-
-  /**
-   * <p>Contextual data about your user session, such as the device fingerprint, IP address, or location. Amazon Cognito advanced
-   * security evaluates the risk of an authentication event based on the context that your app generates and passes to Amazon Cognito
-   * when it makes API requests.</p>
-   * @public
-   */
-  UserContextData?: UserContextDataType | undefined;
-
-  /**
-   * <p>A map of custom key-value pairs that you can provide as input for any custom workflows
-   *             that this action triggers.</p>
-   *          <p>You create custom workflows by assigning Lambda functions to user pool
-   *             triggers. When you use the RespondToAuthChallenge API action, Amazon Cognito invokes any
-   *             functions that are assigned to the following triggers: <i>post
-   *                 authentication</i>, <i>pre token generation</i>,
-   *                 <i>define auth challenge</i>, <i>create auth
-   *                 challenge</i>, and <i>verify auth challenge</i>. When Amazon Cognito
-   *             invokes any of these functions, it passes a JSON payload, which the function receives as
-   *             input. This payload contains a <code>clientMetadata</code> attribute, which provides the
-   *             data that you assigned to the ClientMetadata parameter in your RespondToAuthChallenge
-   *             request. In your function code in Lambda, you can process the
-   *                 <code>clientMetadata</code> value to enhance your workflow for your specific
-   *             needs.</p>
-   *          <p>For more information, see <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html">
-   * Customizing user pool Workflows with Lambda Triggers</a> in the <i>Amazon Cognito Developer Guide</i>.</p>
-   *          <note>
-   *             <p>When you use the ClientMetadata parameter, remember that Amazon Cognito won't do the
-   *                 following:</p>
-   *             <ul>
-   *                <li>
-   *                   <p>Store the ClientMetadata value. This data is available only to Lambda
-   *                         triggers that are assigned to a user pool to support custom workflows. If
-   *                         your user pool configuration doesn't include triggers, the ClientMetadata
-   *                         parameter serves no purpose.</p>
-   *                </li>
-   *                <li>
-   *                   <p>Validate the ClientMetadata value.</p>
-   *                </li>
-   *                <li>
-   *                   <p>Encrypt the ClientMetadata value. Don't use Amazon Cognito to provide sensitive
-   *                         information.</p>
-   *                </li>
-   *             </ul>
-   *          </note>
-   * @public
-   */
-  ClientMetadata?: Record<string, string> | undefined;
-}
-
-/**
- * @internal
- */
-export const AdminAddUserToGroupRequestFilterSensitiveLog = (obj: AdminAddUserToGroupRequest): any => ({
-  ...obj,
-  ...(obj.Username && { Username: SENSITIVE_STRING }),
-});
-
-/**
- * @internal
- */
-export const AdminConfirmSignUpRequestFilterSensitiveLog = (obj: AdminConfirmSignUpRequest): any => ({
-  ...obj,
-  ...(obj.Username && { Username: SENSITIVE_STRING }),
-});
-
-/**
- * @internal
- */
-export const AttributeTypeFilterSensitiveLog = (obj: AttributeType): any => ({
-  ...obj,
-  ...(obj.Value && { Value: SENSITIVE_STRING }),
-});
-
-/**
- * @internal
+ * @internal
  */
 export const AdminCreateUserRequestFilterSensitiveLog = (obj: AdminCreateUserRequest): any => ({
   ...obj,
@@ -9904,6 +9912,7 @@ export const AdminInitiateAuthRequestFilterSensitiveLog = (obj: AdminInitiateAut
   ...obj,
   ...(obj.ClientId && { ClientId: SENSITIVE_STRING }),
   ...(obj.AuthParameters && { AuthParameters: SENSITIVE_STRING }),
+  ...(obj.Session && { Session: SENSITIVE_STRING }),
 });
 
 /**
@@ -10087,6 +10096,16 @@ export const ChangePasswordRequestFilterSensitiveLog = (obj: ChangePasswordReque
   ...(obj.AccessToken && { AccessToken: SENSITIVE_STRING }),
 });
 
+/**
+ * @internal
+ */
+export const CompleteWebAuthnRegistrationRequestFilterSensitiveLog = (
+  obj: CompleteWebAuthnRegistrationRequest
+): any => ({
+  ...obj,
+  ...(obj.AccessToken && { AccessToken: SENSITIVE_STRING }),
+});
+
 /**
  * @internal
  */
@@ -10123,6 +10142,23 @@ export const ConfirmSignUpRequestFilterSensitiveLog = (obj: ConfirmSignUpRequest
   ...(obj.SecretHash && { SecretHash: SENSITIVE_STRING }),
   ...(obj.Username && { Username: SENSITIVE_STRING }),
   ...(obj.UserContextData && { UserContextData: SENSITIVE_STRING }),
+  ...(obj.Session && { Session: SENSITIVE_STRING }),
+});
+
+/**
+ * @internal
+ */
+export const ConfirmSignUpResponseFilterSensitiveLog = (obj: ConfirmSignUpResponse): any => ({
+  ...obj,
+  ...(obj.Session && { Session: SENSITIVE_STRING }),
+});
+
+/**
+ * @internal
+ */
+export const CreateManagedLoginBrandingRequestFilterSensitiveLog = (obj: CreateManagedLoginBrandingRequest): any => ({
+  ...obj,
+  ...(obj.ClientId && { ClientId: SENSITIVE_STRING }),
 });
 
 /**
@@ -10166,6 +10202,24 @@ export const DeleteUserPoolClientRequestFilterSensitiveLog = (obj: DeleteUserPoo
   ...(obj.ClientId && { ClientId: SENSITIVE_STRING }),
 });
 
+/**
+ * @internal
+ */
+export const DeleteWebAuthnCredentialRequestFilterSensitiveLog = (obj: DeleteWebAuthnCredentialRequest): any => ({
+  ...obj,
+  ...(obj.AccessToken && { AccessToken: SENSITIVE_STRING }),
+});
+
+/**
+ * @internal
+ */
+export const DescribeManagedLoginBrandingByClientRequestFilterSensitiveLog = (
+  obj: DescribeManagedLoginBrandingByClientRequest
+): any => ({
+  ...obj,
+  ...(obj.ClientId && { ClientId: SENSITIVE_STRING }),
+});
+
 /**
  * @internal
  */
@@ -10297,36 +10351,7 @@ export const GetUserAttributeVerificationCodeRequestFilterSensitiveLog = (
 /**
  * @internal
  */
-export const GlobalSignOutRequestFilterSensitiveLog = (obj: GlobalSignOutRequest): any => ({
-  ...obj,
-  ...(obj.AccessToken && { AccessToken: SENSITIVE_STRING }),
-});
-
-/**
- * @internal
- */
-export const InitiateAuthRequestFilterSensitiveLog = (obj: InitiateAuthRequest): any => ({
-  ...obj,
-  ...(obj.AuthParameters && { AuthParameters: SENSITIVE_STRING }),
-  ...(obj.ClientId && { ClientId: SENSITIVE_STRING }),
-  ...(obj.UserContextData && { UserContextData: SENSITIVE_STRING }),
-});
-
-/**
- * @internal
- */
-export const InitiateAuthResponseFilterSensitiveLog = (obj: InitiateAuthResponse): any => ({
-  ...obj,
-  ...(obj.Session && { Session: SENSITIVE_STRING }),
-  ...(obj.AuthenticationResult && {
-    AuthenticationResult: AuthenticationResultTypeFilterSensitiveLog(obj.AuthenticationResult),
-  }),
-});
-
-/**
- * @internal
- */
-export const ListDevicesRequestFilterSensitiveLog = (obj: ListDevicesRequest): any => ({
+export const GetUserAuthFactorsRequestFilterSensitiveLog = (obj: GetUserAuthFactorsRequest): any => ({
   ...obj,
   ...(obj.AccessToken && { AccessToken: SENSITIVE_STRING }),
 });
@@ -10334,62 +10359,7 @@ export const ListDevicesRequestFilterSensitiveLog = (obj: ListDevicesRequest): a
 /**
  * @internal
  */
-export const ListDevicesResponseFilterSensitiveLog = (obj: ListDevicesResponse): any => ({
-  ...obj,
-});
-
-/**
- * @internal
- */
-export const UserPoolClientDescriptionFilterSensitiveLog = (obj: UserPoolClientDescription): any => ({
-  ...obj,
-  ...(obj.ClientId && { ClientId: SENSITIVE_STRING }),
-});
-
-/**
- * @internal
- */
-export const ListUserPoolClientsResponseFilterSensitiveLog = (obj: ListUserPoolClientsResponse): any => ({
+export const GetUserAuthFactorsResponseFilterSensitiveLog = (obj: GetUserAuthFactorsResponse): any => ({
   ...obj,
-  ...(obj.UserPoolClients && {
-    UserPoolClients: obj.UserPoolClients.map((item) => UserPoolClientDescriptionFilterSensitiveLog(item)),
-  }),
-});
-
-/**
- * @internal
- */
-export const ListUsersResponseFilterSensitiveLog = (obj: ListUsersResponse): any => ({
-  ...obj,
-  ...(obj.Users && { Users: obj.Users.map((item) => UserTypeFilterSensitiveLog(item)) }),
-});
-
-/**
- * @internal
- */
-export const ListUsersInGroupResponseFilterSensitiveLog = (obj: ListUsersInGroupResponse): any => ({
-  ...obj,
-  ...(obj.Users && { Users: obj.Users.map((item) => UserTypeFilterSensitiveLog(item)) }),
-});
-
-/**
- * @internal
- */
-export const ResendConfirmationCodeRequestFilterSensitiveLog = (obj: ResendConfirmationCodeRequest): any => ({
-  ...obj,
-  ...(obj.ClientId && { ClientId: SENSITIVE_STRING }),
-  ...(obj.SecretHash && { SecretHash: SENSITIVE_STRING }),
-  ...(obj.UserContextData && { UserContextData: SENSITIVE_STRING }),
   ...(obj.Username && { Username: SENSITIVE_STRING }),
 });
-
-/**
- * @internal
- */
-export const RespondToAuthChallengeRequestFilterSensitiveLog = (obj: RespondToAuthChallengeRequest): any => ({
-  ...obj,
-  ...(obj.ClientId && { ClientId: SENSITIVE_STRING }),
-  ...(obj.Session && { Session: SENSITIVE_STRING }),
-  ...(obj.ChallengeResponses && { ChallengeResponses: SENSITIVE_STRING }),
-  ...(obj.UserContextData && { UserContextData: SENSITIVE_STRING }),
-});
diff --git a/clients/client-cognito-identity-provider/src/models/models_1.ts b/clients/client-cognito-identity-provider/src/models/models_1.ts
index b0f2f82cb743..4976311fbb69 100644
--- a/clients/client-cognito-identity-provider/src/models/models_1.ts
+++ b/clients/client-cognito-identity-provider/src/models/models_1.ts
@@ -1,6 +1,8 @@
 // smithy-typescript generated code
 import { ExceptionOptionType as __ExceptionOptionType, SENSITIVE_STRING } from "@smithy/smithy-client";
 
+import { DocumentType as __DocumentType } from "@smithy/types";
+
 import { CognitoIdentityProviderServiceException as __BaseException } from "./CognitoIdentityProviderServiceException";
 
 import {
@@ -9,10 +11,12 @@ import {
   AdminCreateUserConfigType,
   AnalyticsConfigurationType,
   AnalyticsMetadataType,
+  AssetType,
   AttributeType,
   AttributeTypeFilterSensitiveLog,
   AuthenticationResultType,
   AuthenticationResultTypeFilterSensitiveLog,
+  AuthFlowType,
   ChallengeNameType,
   CodeDeliveryDetailsType,
   CompromisedCredentialsRiskConfigurationType,
@@ -20,6 +24,7 @@ import {
   DeletionProtectionType,
   DeviceConfigurationType,
   DeviceRememberedStatusType,
+  DeviceType,
   EmailConfigurationType,
   EmailMfaConfigType,
   EmailMfaSettingsType,
@@ -27,9 +32,11 @@ import {
   FeedbackValueType,
   GroupType,
   IdentityProviderType,
+  IdentityProviderTypeType,
   LambdaConfigType,
   LogConfigurationType,
   LogDeliveryConfigurationType,
+  ManagedLoginBrandingType,
   MFAOptionType,
   OAuthFlowType,
   PreventUserExistenceErrorTypes,
@@ -43,6 +50,7 @@ import {
   SMSMfaSettingsType,
   SoftwareTokenMfaConfigType,
   SoftwareTokenMfaSettingsType,
+  StatusType,
   TokenValidityUnitsType,
   UICustomizationType,
   UICustomizationTypeFilterSensitiveLog,
@@ -54,10 +62,1612 @@ import {
   UserPoolClientTypeFilterSensitiveLog,
   UserPoolMfaType,
   UserPoolPolicyType,
+  UserPoolTierType,
+  UserType,
+  UserTypeFilterSensitiveLog,
+  UserVerificationType,
   VerificationMessageTemplateType,
   VerifiedAttributeType,
 } from "./models_0";
 
+/**
+ * <p>Settings for multi-factor authentication (MFA) with passkey, or webauthN, biometric
+ *             and security-key devices in a user pool. Configures the following:</p>
+ *          <ul>
+ *             <li>
+ *                <p>Configuration at the user-pool level for whether you want to require passkey
+ *                     configuration as an MFA factor, or include it as a choice.</p>
+ *             </li>
+ *             <li>
+ *                <p>The user pool relying-party ID. This is the user pool domain that user's
+ *                     passkey providers should trust as a receiver of passkey authentication.</p>
+ *             </li>
+ *             <li>
+ *                <p>The providers that you want to allow as origins for passkey
+ *                     authentication.</p>
+ *             </li>
+ *          </ul>
+ *          <p>This data type is a request parameter of <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SetUserPoolMfaConfig.html">SetUserPoolMfaConfig</a> and a response parameter of <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_GetUserPoolMfaConfig.html">GetUserPoolMfaConfig</a>. </p>
+ * @public
+ */
+export interface WebAuthnConfigurationType {
+  /**
+   * <p>Sets or displays the authentication domain, typically your user pool domain, that
+   *             passkey providers must use as a relying party (RP) in their configuration.</p>
+   *          <p>Under the following conditions, the passkey relying party ID must be the
+   *             fully-qualified domain name of your custom domain:</p>
+   *          <ul>
+   *             <li>
+   *                <p>The user pool is configured for passkey authentication.</p>
+   *             </li>
+   *             <li>
+   *                <p>The user pool has a custom domain, whether or not it also has a prefix
+   *                     domain.</p>
+   *             </li>
+   *             <li>
+   *                <p>Your application performs authentication with managed login or the classic
+   *                     hosted UI.</p>
+   *             </li>
+   *          </ul>
+   * @public
+   */
+  RelyingPartyId?: string | undefined;
+
+  /**
+   * <p>Sets or displays your user-pool treatment for MFA with a passkey. You can override
+   *             other MFA options and require passkey MFA, or you can set it as preferred. When passkey
+   *             MFA is preferred, the hosted UI encourages users to register a passkey at
+   *             sign-in.</p>
+   * @public
+   */
+  UserVerification?: UserVerificationType | undefined;
+}
+
+/**
+ * @public
+ */
+export interface GetUserPoolMfaConfigResponse {
+  /**
+   * <p>Shows user pool SMS message configuration for MFA. Includes the message template and
+   *             the SMS message sending configuration for Amazon SNS.</p>
+   * @public
+   */
+  SmsMfaConfiguration?: SmsMfaConfigType | undefined;
+
+  /**
+   * <p>Shows user pool configuration for time-based one-time password (TOTP) MFA. Includes
+   *             TOTP enabled or disabled state.</p>
+   * @public
+   */
+  SoftwareTokenMfaConfiguration?: SoftwareTokenMfaConfigType | undefined;
+
+  /**
+   * <p>Shows user pool email message configuration for MFA. Includes the subject and body of
+   *             the email message template for MFA messages. To activate this setting, <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-advanced-security.html">
+   *                      advanced security features</a> must be active in your user pool.</p>
+   * @public
+   */
+  EmailMfaConfiguration?: EmailMfaConfigType | undefined;
+
+  /**
+   * <p>The multi-factor authentication (MFA) configuration. Valid values include:</p>
+   *          <ul>
+   *             <li>
+   *                <p>
+   *                   <code>OFF</code> MFA won't be used for any users.</p>
+   *             </li>
+   *             <li>
+   *                <p>
+   *                   <code>ON</code> MFA is required for all users to sign in.</p>
+   *             </li>
+   *             <li>
+   *                <p>
+   *                   <code>OPTIONAL</code> MFA will be required only for individual users who have
+   *                     an MFA factor activated.</p>
+   *             </li>
+   *          </ul>
+   * @public
+   */
+  MfaConfiguration?: UserPoolMfaType | undefined;
+
+  /**
+   * <p>Shows user pool configuration for MFA with passkeys from biometric devices and
+   *             security keys.</p>
+   * @public
+   */
+  WebAuthnConfiguration?: WebAuthnConfigurationType | undefined;
+}
+
+/**
+ * <p>Represents the request to sign out all devices.</p>
+ * @public
+ */
+export interface GlobalSignOutRequest {
+  /**
+   * <p>A valid access token that Amazon Cognito issued to the user who you want to sign out.</p>
+   * @public
+   */
+  AccessToken: string | undefined;
+}
+
+/**
+ * <p>The response to the request to sign out all devices.</p>
+ * @public
+ */
+export interface GlobalSignOutResponse {}
+
+/**
+ * <p>Initiates the authentication request.</p>
+ * @public
+ */
+export interface InitiateAuthRequest {
+  /**
+   * <p>The authentication flow that you want to initiate. The <code>AuthParameters</code>
+   *             that you must submit are linked to the flow that you submit. For example:</p>
+   *          <ul>
+   *             <li>
+   *                <p>
+   *                   <code>USER_AUTH</code>: Request a preferred authentication type or review
+   *                     available authentication types. From the offered authentication types, select
+   *                     one in a challenge response and then authenticate with that method in an
+   *                     additional challenge response.</p>
+   *             </li>
+   *             <li>
+   *                <p>
+   *                   <code>REFRESH_TOKEN_AUTH</code>: Receive new ID and access tokens when you
+   *                     pass a <code>REFRESH_TOKEN</code> parameter with a valid refresh token as the
+   *                     value.</p>
+   *             </li>
+   *             <li>
+   *                <p>
+   *                   <code>USER_SRP_AUTH</code>: Receive secure remote password (SRP) variables for
+   *                     the next challenge, <code>PASSWORD_VERIFIER</code>, when you pass
+   *                         <code>USERNAME</code> and <code>SRP_A</code> parameters.</p>
+   *             </li>
+   *             <li>
+   *                <p>
+   *                   <code>USER_PASSWORD_AUTH</code>: Receive new tokens or the next challenge, for
+   *                     example <code>SOFTWARE_TOKEN_MFA</code>, when you pass <code>USERNAME</code> and
+   *                         <code>PASSWORD</code> parameters.</p>
+   *             </li>
+   *          </ul>
+   *          <p>Valid values include the following:</p>
+   *          <dl>
+   *             <dt>USER_AUTH</dt>
+   *             <dd>
+   *                <p>The entry point for sign-in with passwords, one-time passwords, biometric
+   *                         devices, and security keys.</p>
+   *             </dd>
+   *             <dt>USER_SRP_AUTH</dt>
+   *             <dd>
+   *                <p>Username-password authentication with the Secure Remote Password (SRP)
+   *                         protocol. For more information, see <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-authentication-flow.html#Using-SRP-password-verification-in-custom-authentication-flow">Use SRP password verification in custom
+   *                             authentication flow</a>.</p>
+   *             </dd>
+   *             <dt>REFRESH_TOKEN_AUTH and REFRESH_TOKEN</dt>
+   *             <dd>
+   *                <p>Provide a valid refresh token and receive new ID and access tokens. For
+   *                         more information, see <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-the-refresh-token.html">Using the refresh token</a>.</p>
+   *             </dd>
+   *             <dt>CUSTOM_AUTH</dt>
+   *             <dd>
+   *                <p>Custom authentication with Lambda triggers. For more information, see
+   *                             <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-challenge.html">Custom authentication challenge Lambda
+   *                             triggers</a>.</p>
+   *             </dd>
+   *             <dt>USER_PASSWORD_AUTH</dt>
+   *             <dd>
+   *                <p>Username-password authentication with the password sent directly in the
+   *                         request. For more information, see <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-authentication-flow.html#Built-in-authentication-flow-and-challenges">Admin authentication flow</a>.</p>
+   *             </dd>
+   *          </dl>
+   *          <p>
+   *             <code>ADMIN_USER_PASSWORD_AUTH</code> is a flow type of <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminInitiateAuth.html">AdminInitiateAuth</a> and isn't valid for InitiateAuth.
+   *                 <code>ADMIN_NO_SRP_AUTH</code> is a legacy server-side username-password flow and
+   *             isn't valid for InitiateAuth.</p>
+   * @public
+   */
+  AuthFlow: AuthFlowType | undefined;
+
+  /**
+   * <p>The authentication parameters. These are inputs corresponding to the
+   *                 <code>AuthFlow</code> that you're invoking. The required values depend on the value
+   *             of <code>AuthFlow</code>:</p>
+   *          <ul>
+   *             <li>
+   *                <p>For <code>USER_AUTH</code>: <code>USERNAME</code> (required),
+   *                         <code>PREFERRED_CHALLENGE</code>. If you don't provide a value for
+   *                         <code>PREFERRED_CHALLENGE</code>, Amazon Cognito responds with the
+   *                         <code>AvailableChallenges</code> parameter that specifies the available
+   *                     sign-in methods.</p>
+   *             </li>
+   *             <li>
+   *                <p>For <code>USER_SRP_AUTH</code>: <code>USERNAME</code> (required),
+   *                         <code>SRP_A</code> (required), <code>SECRET_HASH</code> (required if the app
+   *                     client is configured with a client secret), <code>DEVICE_KEY</code>.</p>
+   *             </li>
+   *             <li>
+   *                <p>For <code>USER_PASSWORD_AUTH</code>: <code>USERNAME</code> (required),
+   *                         <code>PASSWORD</code> (required), <code>SECRET_HASH</code> (required if the
+   *                     app client is configured with a client secret), <code>DEVICE_KEY</code>.</p>
+   *             </li>
+   *             <li>
+   *                <p>For <code>REFRESH_TOKEN_AUTH/REFRESH_TOKEN</code>: <code>REFRESH_TOKEN</code>
+   *                     (required), <code>SECRET_HASH</code> (required if the app client is configured
+   *                     with a client secret), <code>DEVICE_KEY</code>.</p>
+   *             </li>
+   *             <li>
+   *                <p>For <code>CUSTOM_AUTH</code>: <code>USERNAME</code> (required),
+   *                         <code>SECRET_HASH</code> (if app client is configured with client secret),
+   *                         <code>DEVICE_KEY</code>. To start the authentication flow with password
+   *                     verification, include <code>ChallengeName: SRP_A</code> and <code>SRP_A: (The
+   *                         SRP_A Value)</code>.</p>
+   *             </li>
+   *          </ul>
+   *          <p>For more information about <code>SECRET_HASH</code>, see <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/signing-up-users-in-your-app.html#cognito-user-pools-computing-secret-hash">Computing secret hash values</a>. For information about
+   *             <code>DEVICE_KEY</code>, see <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-device-tracking.html">Working with user devices in your user pool</a>.</p>
+   * @public
+   */
+  AuthParameters?: Record<string, string> | undefined;
+
+  /**
+   * <p>A map of custom key-value pairs that you can provide as input for certain custom
+   *             workflows that this action triggers.</p>
+   *          <p>You create custom workflows by assigning Lambda functions to user pool triggers.
+   *             When you use the InitiateAuth API action, Amazon Cognito invokes the Lambda functions that are
+   *             specified for various triggers. The ClientMetadata value is passed as input to the
+   *             functions for only the following triggers:</p>
+   *          <ul>
+   *             <li>
+   *                <p>Pre signup</p>
+   *             </li>
+   *             <li>
+   *                <p>Pre authentication</p>
+   *             </li>
+   *             <li>
+   *                <p>User migration</p>
+   *             </li>
+   *          </ul>
+   *          <p>When Amazon Cognito invokes the functions for these triggers, it passes a JSON payload, which
+   *             the function receives as input. This payload contains a <code>validationData</code>
+   *             attribute, which provides the data that you assigned to the ClientMetadata parameter in
+   *             your InitiateAuth request. In your function code in Lambda, you can process the
+   *                 <code>validationData</code> value to enhance your workflow for your specific
+   *             needs.</p>
+   *          <p>When you use the InitiateAuth API action, Amazon Cognito also invokes the functions for the
+   *             following triggers, but it doesn't provide the ClientMetadata value as input:</p>
+   *          <ul>
+   *             <li>
+   *                <p>Post authentication</p>
+   *             </li>
+   *             <li>
+   *                <p>Custom message</p>
+   *             </li>
+   *             <li>
+   *                <p>Pre token generation</p>
+   *             </li>
+   *             <li>
+   *                <p>Create auth challenge</p>
+   *             </li>
+   *             <li>
+   *                <p>Define auth challenge</p>
+   *             </li>
+   *             <li>
+   *                <p>Custom email sender</p>
+   *             </li>
+   *             <li>
+   *                <p>Custom SMS sender</p>
+   *             </li>
+   *          </ul>
+   *          <p>For more information, see <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html">
+   * Customizing user pool Workflows with Lambda Triggers</a> in the <i>Amazon Cognito Developer Guide</i>.</p>
+   *          <note>
+   *             <p>When you use the ClientMetadata parameter, remember that Amazon Cognito won't do the
+   *                 following:</p>
+   *             <ul>
+   *                <li>
+   *                   <p>Store the ClientMetadata value. This data is available only to Lambda
+   *                         triggers that are assigned to a user pool to support custom workflows. If
+   *                         your user pool configuration doesn't include triggers, the ClientMetadata
+   *                         parameter serves no purpose.</p>
+   *                </li>
+   *                <li>
+   *                   <p>Validate the ClientMetadata value.</p>
+   *                </li>
+   *                <li>
+   *                   <p>Encrypt the ClientMetadata value. Don't use Amazon Cognito to provide sensitive
+   *                         information.</p>
+   *                </li>
+   *             </ul>
+   *          </note>
+   * @public
+   */
+  ClientMetadata?: Record<string, string> | undefined;
+
+  /**
+   * <p>The app client ID.</p>
+   * @public
+   */
+  ClientId: string | undefined;
+
+  /**
+   * <p>The Amazon Pinpoint analytics metadata that contributes to your metrics for
+   *                 <code>InitiateAuth</code> calls.</p>
+   * @public
+   */
+  AnalyticsMetadata?: AnalyticsMetadataType | undefined;
+
+  /**
+   * <p>Contextual data about your user session, such as the device fingerprint, IP address, or location. Amazon Cognito advanced
+   * security evaluates the risk of an authentication event based on the context that your app generates and passes to Amazon Cognito
+   * when it makes API requests.</p>
+   * @public
+   */
+  UserContextData?: UserContextDataType | undefined;
+
+  /**
+   * <p>The optional session ID from a <code>ConfirmSignUp</code> API request. You can sign in
+   *             a user directly from the sign-up process with the <code>USER_AUTH</code> authentication
+   *             flow.</p>
+   * @public
+   */
+  Session?: string | undefined;
+}
+
+/**
+ * <p>Initiates the authentication response.</p>
+ * @public
+ */
+export interface InitiateAuthResponse {
+  /**
+   * <p>The name of the challenge that you're responding to with this call. This name is
+   *             returned in the <code>InitiateAuth</code> response if you must pass another
+   *             challenge.</p>
+   *          <p>Valid values include the following:</p>
+   *          <note>
+   *             <p>All of the following challenges require <code>USERNAME</code> and
+   *                     <code>SECRET_HASH</code> (if applicable) in the parameters.</p>
+   *          </note>
+   *          <ul>
+   *             <li>
+   *                <p>
+   *                   <code>WEB_AUTHN</code>: Respond to the challenge with the results of a
+   *                     successful authentication with a passkey, or webauthN, factor. These are
+   *                     typically biometric devices or security keys.</p>
+   *             </li>
+   *             <li>
+   *                <p>
+   *                   <code>PASSWORD</code>: Respond with <code>USER_PASSWORD_AUTH</code>
+   *                     parameters: <code>USERNAME</code> (required), <code>PASSWORD</code> (required),
+   *                         <code>SECRET_HASH</code> (required if the app client is configured with a
+   *                     client secret), <code>DEVICE_KEY</code>.</p>
+   *             </li>
+   *             <li>
+   *                <p>
+   *                   <code>PASSWORD_SRP</code>: Respond with <code>USER_SRP_AUTH</code> parameters:
+   *                         <code>USERNAME</code> (required), <code>SRP_A</code> (required),
+   *                         <code>SECRET_HASH</code> (required if the app client is configured with a
+   *                     client secret), <code>DEVICE_KEY</code>.</p>
+   *             </li>
+   *             <li>
+   *                <p>
+   *                   <code>SELECT_CHALLENGE</code>: Respond to the challenge with
+   *                         <code>USERNAME</code> and an <code>ANSWER</code> that matches one of the
+   *                     challenge types in the <code>AvailableChallenges</code> response
+   *                     parameter.</p>
+   *             </li>
+   *             <li>
+   *                <p>
+   *                   <code>SMS_MFA</code>: Next challenge is to supply an
+   *                     <code>SMS_MFA_CODE</code>that your user pool delivered in an SMS message.</p>
+   *             </li>
+   *             <li>
+   *                <p>
+   *                   <code>EMAIL_OTP</code>: Next challenge is to supply an
+   *                         <code>EMAIL_OTP_CODE</code> that your user pool delivered in an email
+   *                     message.</p>
+   *             </li>
+   *             <li>
+   *                <p>
+   *                   <code>PASSWORD_VERIFIER</code>: Next challenge is to supply
+   *                         <code>PASSWORD_CLAIM_SIGNATURE</code>,
+   *                         <code>PASSWORD_CLAIM_SECRET_BLOCK</code>, and <code>TIMESTAMP</code> after
+   *                     the client-side SRP calculations.</p>
+   *             </li>
+   *             <li>
+   *                <p>
+   *                   <code>CUSTOM_CHALLENGE</code>: This is returned if your custom authentication
+   *                     flow determines that the user should pass another challenge before tokens are
+   *                     issued.</p>
+   *             </li>
+   *             <li>
+   *                <p>
+   *                   <code>DEVICE_SRP_AUTH</code>: If device tracking was activated on your user
+   *                     pool and the previous challenges were passed, this challenge is returned so that
+   *                     Amazon Cognito can start tracking this device.</p>
+   *             </li>
+   *             <li>
+   *                <p>
+   *                   <code>DEVICE_PASSWORD_VERIFIER</code>: Similar to
+   *                         <code>PASSWORD_VERIFIER</code>, but for devices only.</p>
+   *             </li>
+   *             <li>
+   *                <p>
+   *                   <code>NEW_PASSWORD_REQUIRED</code>: For users who are required to change their
+   *                     passwords after successful first login.</p>
+   *                <p>Respond to this challenge with <code>NEW_PASSWORD</code> and any required
+   *                     attributes that Amazon Cognito returned in the <code>requiredAttributes</code> parameter.
+   *                     You can also set values for attributes that aren't required by your user pool
+   *                     and that your app client can write. For more information, see <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_RespondToAuthChallenge.html">RespondToAuthChallenge</a>.</p>
+   *                <p>Amazon Cognito only returns this challenge for users who have temporary passwords.
+   *                     Because of this, and because in some cases you can create users who don't have
+   *                     values for required attributes, take care to collect and submit
+   *                     required-attribute values for all users who don't have passwords. You can create
+   *                     a user in the Amazon Cognito console without, for example, a required
+   *                         <code>birthdate</code> attribute. The API response from Amazon Cognito won't prompt
+   *                     you to submit a birthdate for the user if they don't have a password.</p>
+   *                <note>
+   *                   <p>In a <code>NEW_PASSWORD_REQUIRED</code> challenge response, you can't modify a required attribute that already has a value.
+   * In <code>RespondToAuthChallenge</code>, set a value for any keys that Amazon Cognito returned in the <code>requiredAttributes</code> parameter,
+   * then use the <code>UpdateUserAttributes</code> API operation to modify the value of any additional attributes.</p>
+   *                </note>
+   *             </li>
+   *             <li>
+   *                <p>
+   *                   <code>MFA_SETUP</code>: For users who are required to setup an MFA factor
+   *                     before they can sign in. The MFA types activated for the user pool will be
+   *                     listed in the challenge parameters <code>MFAS_CAN_SETUP</code> value. </p>
+   *                <p> To set up software token MFA, use the session returned here from
+   *                         <code>InitiateAuth</code> as an input to
+   *                     <code>AssociateSoftwareToken</code>. Use the session returned by
+   *                         <code>VerifySoftwareToken</code> as an input to
+   *                         <code>RespondToAuthChallenge</code> with challenge name
+   *                         <code>MFA_SETUP</code> to complete sign-in. To set up SMS MFA, an
+   *                     administrator should help the user to add a phone number to their account, and
+   *                     then the user should call <code>InitiateAuth</code> again to restart
+   *                     sign-in.</p>
+   *             </li>
+   *          </ul>
+   * @public
+   */
+  ChallengeName?: ChallengeNameType | undefined;
+
+  /**
+   * <p>The session that should pass both ways in challenge-response calls to the service. If
+   *             the caller must pass another challenge, they return a session with other challenge
+   *             parameters. Include this session identifier in a <code>RespondToAuthChallenge</code> API
+   *             request.</p>
+   * @public
+   */
+  Session?: string | undefined;
+
+  /**
+   * <p>The challenge parameters. These are returned in the <code>InitiateAuth</code> response
+   *             if you must pass another challenge. The responses in this parameter should be used to
+   *             compute inputs to the next call (<code>RespondToAuthChallenge</code>). </p>
+   *          <p>All challenges require <code>USERNAME</code>. They also require
+   *                 <code>SECRET_HASH</code> if your app client has a client secret.</p>
+   * @public
+   */
+  ChallengeParameters?: Record<string, string> | undefined;
+
+  /**
+   * <p>The result of the authentication response. This result is only returned if the caller
+   *             doesn't need to pass another challenge. If the caller does need to pass another
+   *             challenge before it gets tokens, <code>ChallengeName</code>,
+   *                 <code>ChallengeParameters</code>, and <code>Session</code> are returned.</p>
+   * @public
+   */
+  AuthenticationResult?: AuthenticationResultType | undefined;
+
+  /**
+   * <p>This response parameter prompts a user to select from multiple available challenges
+   *             that they can complete authentication with. For example, they might be able to continue
+   *             with passwordless authentication or with a one-time password from an SMS message.</p>
+   * @public
+   */
+  AvailableChallenges?: ChallengeNameType[] | undefined;
+}
+
+/**
+ * <p>Represents the request to list the devices.</p>
+ * @public
+ */
+export interface ListDevicesRequest {
+  /**
+   * <p>A valid access token that Amazon Cognito issued to the user whose list of devices you want to
+   *             view.</p>
+   * @public
+   */
+  AccessToken: string | undefined;
+
+  /**
+   * <p>The limit of the device request.</p>
+   * @public
+   */
+  Limit?: number | undefined;
+
+  /**
+   * <p>This API operation returns a limited number of results. The pagination token is
+   * an identifier that you can present in an additional API request with the same parameters. When
+   * you include the pagination token, Amazon Cognito returns the next set of items after the current list.
+   * Subsequent requests return a new pagination token. By use of this token, you can paginate
+   * through the full list of items.</p>
+   * @public
+   */
+  PaginationToken?: string | undefined;
+}
+
+/**
+ * <p>Represents the response to list devices.</p>
+ * @public
+ */
+export interface ListDevicesResponse {
+  /**
+   * <p>The devices returned in the list devices response.</p>
+   * @public
+   */
+  Devices?: DeviceType[] | undefined;
+
+  /**
+   * <p>The identifier that Amazon Cognito returned with the previous request to this operation. When
+   * you include a pagination token in your request, Amazon Cognito returns the next set of items in
+   * the list. By use of this token, you can paginate through the full list of items.</p>
+   * @public
+   */
+  PaginationToken?: string | undefined;
+}
+
+/**
+ * @public
+ */
+export interface ListGroupsRequest {
+  /**
+   * <p>The user pool ID for the user pool.</p>
+   * @public
+   */
+  UserPoolId: string | undefined;
+
+  /**
+   * <p>The limit of the request to list groups.</p>
+   * @public
+   */
+  Limit?: number | undefined;
+
+  /**
+   * <p>An identifier that was returned from the previous call to this operation, which can be
+   *             used to return the next set of items in the list.</p>
+   * @public
+   */
+  NextToken?: string | undefined;
+}
+
+/**
+ * @public
+ */
+export interface ListGroupsResponse {
+  /**
+   * <p>The group objects for the groups.</p>
+   * @public
+   */
+  Groups?: GroupType[] | undefined;
+
+  /**
+   * <p>An identifier that was returned from the previous call to this operation, which can be
+   *             used to return the next set of items in the list.</p>
+   * @public
+   */
+  NextToken?: string | undefined;
+}
+
+/**
+ * @public
+ */
+export interface ListIdentityProvidersRequest {
+  /**
+   * <p>The user pool ID.</p>
+   * @public
+   */
+  UserPoolId: string | undefined;
+
+  /**
+   * <p>The maximum number of IdPs to return.</p>
+   * @public
+   */
+  MaxResults?: number | undefined;
+
+  /**
+   * <p>A pagination token.</p>
+   * @public
+   */
+  NextToken?: string | undefined;
+}
+
+/**
+ * <p>The details of a user pool identity provider (IdP), including name and type.</p>
+ *          <p>This data type is a response parameter of <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_ListIdentityProviders.html">ListIdentityProviders</a>.</p>
+ * @public
+ */
+export interface ProviderDescription {
+  /**
+   * <p>The name of the IdP, for example <code>MySAMLProvider</code>.</p>
+   * @public
+   */
+  ProviderName?: string | undefined;
+
+  /**
+   * <p>The type of the provider, for example <code>SAML</code>. Amazon Cognito supports SAML 2.0,
+   *             OIDC, and social IdPs. User pools list supported social IdPs by name in this response
+   *             parameter: Facebook, Google, Login with Amazon, and Sign in with Apple.</p>
+   * @public
+   */
+  ProviderType?: IdentityProviderTypeType | undefined;
+
+  /**
+   * <p>The date and time when the item was modified. Amazon Cognito returns this timestamp in UNIX epoch time format. Your SDK might render the output in a
+   * human-readable format like ISO 8601 or a Java <code>Date</code> object.</p>
+   * @public
+   */
+  LastModifiedDate?: Date | undefined;
+
+  /**
+   * <p>The date and time when the item was created. Amazon Cognito returns this timestamp in UNIX epoch time format. Your SDK might render the output in a
+   * human-readable format like ISO 8601 or a Java <code>Date</code> object.</p>
+   * @public
+   */
+  CreationDate?: Date | undefined;
+}
+
+/**
+ * @public
+ */
+export interface ListIdentityProvidersResponse {
+  /**
+   * <p>A list of IdP objects.</p>
+   * @public
+   */
+  Providers: ProviderDescription[] | undefined;
+
+  /**
+   * <p>A pagination token.</p>
+   * @public
+   */
+  NextToken?: string | undefined;
+}
+
+/**
+ * @public
+ */
+export interface ListResourceServersRequest {
+  /**
+   * <p>The user pool ID for the user pool.</p>
+   * @public
+   */
+  UserPoolId: string | undefined;
+
+  /**
+   * <p>The maximum number of resource servers to return.</p>
+   * @public
+   */
+  MaxResults?: number | undefined;
+
+  /**
+   * <p>A pagination token.</p>
+   * @public
+   */
+  NextToken?: string | undefined;
+}
+
+/**
+ * @public
+ */
+export interface ListResourceServersResponse {
+  /**
+   * <p>The resource servers.</p>
+   * @public
+   */
+  ResourceServers: ResourceServerType[] | undefined;
+
+  /**
+   * <p>A pagination token.</p>
+   * @public
+   */
+  NextToken?: string | undefined;
+}
+
+/**
+ * @public
+ */
+export interface ListTagsForResourceRequest {
+  /**
+   * <p>The Amazon Resource Name (ARN) of the user pool that the tags are assigned to.</p>
+   * @public
+   */
+  ResourceArn: string | undefined;
+}
+
+/**
+ * @public
+ */
+export interface ListTagsForResourceResponse {
+  /**
+   * <p>The tags that are assigned to the user pool.</p>
+   * @public
+   */
+  Tags?: Record<string, string> | undefined;
+}
+
+/**
+ * <p>Represents the request to list the user import jobs.</p>
+ * @public
+ */
+export interface ListUserImportJobsRequest {
+  /**
+   * <p>The user pool ID for the user pool that the users are being imported into.</p>
+   * @public
+   */
+  UserPoolId: string | undefined;
+
+  /**
+   * <p>The maximum number of import jobs you want the request to return.</p>
+   * @public
+   */
+  MaxResults: number | undefined;
+
+  /**
+   * <p>This API operation returns a limited number of results. The pagination token is
+   * an identifier that you can present in an additional API request with the same parameters. When
+   * you include the pagination token, Amazon Cognito returns the next set of items after the current list.
+   * Subsequent requests return a new pagination token. By use of this token, you can paginate
+   * through the full list of items.</p>
+   * @public
+   */
+  PaginationToken?: string | undefined;
+}
+
+/**
+ * <p>Represents the response from the server to the request to list the user import
+ *             jobs.</p>
+ * @public
+ */
+export interface ListUserImportJobsResponse {
+  /**
+   * <p>The user import jobs.</p>
+   * @public
+   */
+  UserImportJobs?: UserImportJobType[] | undefined;
+
+  /**
+   * <p>The identifier that Amazon Cognito returned with the previous request to this operation. When
+   * you include a pagination token in your request, Amazon Cognito returns the next set of items in
+   * the list. By use of this token, you can paginate through the full list of items.</p>
+   * @public
+   */
+  PaginationToken?: string | undefined;
+}
+
+/**
+ * <p>Represents the request to list the user pool clients.</p>
+ * @public
+ */
+export interface ListUserPoolClientsRequest {
+  /**
+   * <p>The user pool ID for the user pool where you want to list user pool clients.</p>
+   * @public
+   */
+  UserPoolId: string | undefined;
+
+  /**
+   * <p>The maximum number of results you want the request to return when listing the user
+   *             pool clients.</p>
+   * @public
+   */
+  MaxResults?: number | undefined;
+
+  /**
+   * <p>An identifier that was returned from the previous call to this operation, which can be
+   *             used to return the next set of items in the list.</p>
+   * @public
+   */
+  NextToken?: string | undefined;
+}
+
+/**
+ * <p>A short description of a user pool app client.</p>
+ *          <p>This data type is a response parameter of <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_ListUserPoolClients.html">ListUserPoolClients</a>. </p>
+ * @public
+ */
+export interface UserPoolClientDescription {
+  /**
+   * <p>The app client ID.</p>
+   * @public
+   */
+  ClientId?: string | undefined;
+
+  /**
+   * <p>The ID of the user pool that's associated with the app client.</p>
+   * @public
+   */
+  UserPoolId?: string | undefined;
+
+  /**
+   * <p>The app client name.</p>
+   * @public
+   */
+  ClientName?: string | undefined;
+}
+
+/**
+ * <p>Represents the response from the server that lists user pool clients.</p>
+ * @public
+ */
+export interface ListUserPoolClientsResponse {
+  /**
+   * <p>The user pool clients in the response that lists user pool clients.</p>
+   * @public
+   */
+  UserPoolClients?: UserPoolClientDescription[] | undefined;
+
+  /**
+   * <p>An identifier that was returned from the previous call to this operation, which can be
+   *             used to return the next set of items in the list.</p>
+   * @public
+   */
+  NextToken?: string | undefined;
+}
+
+/**
+ * <p>Represents the request to list user pools.</p>
+ * @public
+ */
+export interface ListUserPoolsRequest {
+  /**
+   * <p>An identifier that was returned from the previous call to this operation, which can be
+   *             used to return the next set of items in the list.</p>
+   * @public
+   */
+  NextToken?: string | undefined;
+
+  /**
+   * <p>The maximum number of results you want the request to return when listing the user
+   *             pools.</p>
+   * @public
+   */
+  MaxResults: number | undefined;
+}
+
+/**
+ * <p>A short description of a user pool.</p>
+ *          <p>This data type is a response parameter of <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_ListUserPools.html">ListUserPools</a>. </p>
+ * @public
+ */
+export interface UserPoolDescriptionType {
+  /**
+   * <p>The user pool ID.</p>
+   * @public
+   */
+  Id?: string | undefined;
+
+  /**
+   * <p>The user pool name.</p>
+   * @public
+   */
+  Name?: string | undefined;
+
+  /**
+   * <p>A collection of user pool Lambda triggers. Amazon Cognito invokes triggers at several possible
+   *             stages of user pool operations. Triggers can modify the outcome of the operations that
+   *             invoked them.</p>
+   * @public
+   */
+  LambdaConfig?: LambdaConfigType | undefined;
+
+  /**
+   * @deprecated
+   *
+   * <p>The user pool status.</p>
+   * @public
+   */
+  Status?: StatusType | undefined;
+
+  /**
+   * <p>The date and time when the item was modified. Amazon Cognito returns this timestamp in UNIX epoch time format. Your SDK might render the output in a
+   * human-readable format like ISO 8601 or a Java <code>Date</code> object.</p>
+   * @public
+   */
+  LastModifiedDate?: Date | undefined;
+
+  /**
+   * <p>The date and time when the item was created. Amazon Cognito returns this timestamp in UNIX epoch time format. Your SDK might render the output in a
+   * human-readable format like ISO 8601 or a Java <code>Date</code> object.</p>
+   * @public
+   */
+  CreationDate?: Date | undefined;
+}
+
+/**
+ * <p>Represents the response to list user pools.</p>
+ * @public
+ */
+export interface ListUserPoolsResponse {
+  /**
+   * <p>The user pools from the response to list users.</p>
+   * @public
+   */
+  UserPools?: UserPoolDescriptionType[] | undefined;
+
+  /**
+   * <p>An identifier that was returned from the previous call to this operation, which can be
+   *             used to return the next set of items in the list.</p>
+   * @public
+   */
+  NextToken?: string | undefined;
+}
+
+/**
+ * <p>Represents the request to list users.</p>
+ * @public
+ */
+export interface ListUsersRequest {
+  /**
+   * <p>The user pool ID for the user pool on which the search should be performed.</p>
+   * @public
+   */
+  UserPoolId: string | undefined;
+
+  /**
+   * <p>A JSON array of user attribute names, for example <code>given_name</code>, that you
+   *             want Amazon Cognito to include in the response for each user. When you don't provide an
+   *                 <code>AttributesToGet</code> parameter, Amazon Cognito returns all attributes for each
+   *             user.</p>
+   *          <p>Use <code>AttributesToGet</code> with required attributes in your user pool, or in
+   *             conjunction with <code>Filter</code>. Amazon Cognito returns an error if not all users in the
+   *             results have set a value for the attribute you request. Attributes that you can't
+   *             filter on, including custom attributes, must have a value set in every user profile
+   *             before an <code>AttributesToGet</code> parameter returns results.</p>
+   * @public
+   */
+  AttributesToGet?: string[] | undefined;
+
+  /**
+   * <p>Maximum number of users to be returned.</p>
+   * @public
+   */
+  Limit?: number | undefined;
+
+  /**
+   * <p>This API operation returns a limited number of results. The pagination token is
+   * an identifier that you can present in an additional API request with the same parameters. When
+   * you include the pagination token, Amazon Cognito returns the next set of items after the current list.
+   * Subsequent requests return a new pagination token. By use of this token, you can paginate
+   * through the full list of items.</p>
+   * @public
+   */
+  PaginationToken?: string | undefined;
+
+  /**
+   * <p>A filter string of the form <code>"AttributeName Filter-Type "AttributeValue"</code>.
+   *             Quotation marks within the filter string must be escaped using the backslash
+   *                 (<code>\</code>) character. For example, <code>"family_name =
+   *             \"Reddy\""</code>.</p>
+   *          <ul>
+   *             <li>
+   *                <p>
+   *                   <i>AttributeName</i>: The name of the attribute to search for.
+   *                     You can only search for one attribute at a time.</p>
+   *             </li>
+   *             <li>
+   *                <p>
+   *                   <i>Filter-Type</i>: For an exact match, use <code>=</code>, for
+   *                     example, "<code>given_name = \"Jon\"</code>". For a prefix ("starts with")
+   *                     match, use <code>^=</code>, for example, "<code>given_name ^= \"Jon\"</code>".
+   *                 </p>
+   *             </li>
+   *             <li>
+   *                <p>
+   *                   <i>AttributeValue</i>: The attribute value that must be matched
+   *                     for each user.</p>
+   *             </li>
+   *          </ul>
+   *          <p>If the filter string is empty, <code>ListUsers</code> returns all users in the user
+   *             pool.</p>
+   *          <p>You can only search for the following standard attributes:</p>
+   *          <ul>
+   *             <li>
+   *                <p>
+   *                   <code>username</code> (case-sensitive)</p>
+   *             </li>
+   *             <li>
+   *                <p>
+   *                   <code>email</code>
+   *                </p>
+   *             </li>
+   *             <li>
+   *                <p>
+   *                   <code>phone_number</code>
+   *                </p>
+   *             </li>
+   *             <li>
+   *                <p>
+   *                   <code>name</code>
+   *                </p>
+   *             </li>
+   *             <li>
+   *                <p>
+   *                   <code>given_name</code>
+   *                </p>
+   *             </li>
+   *             <li>
+   *                <p>
+   *                   <code>family_name</code>
+   *                </p>
+   *             </li>
+   *             <li>
+   *                <p>
+   *                   <code>preferred_username</code>
+   *                </p>
+   *             </li>
+   *             <li>
+   *                <p>
+   *                   <code>cognito:user_status</code> (called <b>Status</b> in the Console) (case-insensitive)</p>
+   *             </li>
+   *             <li>
+   *                <p>
+   *                   <code>status (called <b>Enabled</b> in the Console)
+   *                         (case-sensitive)</code>
+   *                </p>
+   *             </li>
+   *             <li>
+   *                <p>
+   *                   <code>sub</code>
+   *                </p>
+   *             </li>
+   *          </ul>
+   *          <p>Custom attributes aren't searchable.</p>
+   *          <note>
+   *             <p>You can also list users with a client-side filter. The server-side filter matches
+   *                 no more than one attribute. For an advanced search, use a client-side filter with
+   *                 the <code>--query</code> parameter of the <code>list-users</code> action in the
+   *                 CLI. When you use a client-side filter, ListUsers returns a paginated list of zero
+   *                 or more users. You can receive multiple pages in a row with zero results. Repeat the
+   *                 query with each pagination token that is returned until you receive a null
+   *                 pagination token value, and then review the combined result. </p>
+   *             <p>For more information about server-side and client-side filtering, see <a href="https://docs.aws.amazon.com/cli/latest/userguide/cli-usage-filter.html">FilteringCLI output</a> in the <a href="https://docs.aws.amazon.com/cli/latest/userguide/cli-usage-filter.html">Command Line Interface
+   *                     User Guide</a>. </p>
+   *          </note>
+   *          <p>For more information, see <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/how-to-manage-user-accounts.html#cognito-user-pools-searching-for-users-using-listusers-api">Searching for Users Using the ListUsers API</a> and <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/how-to-manage-user-accounts.html#cognito-user-pools-searching-for-users-listusers-api-examples">Examples of Using the ListUsers API</a> in the <i>Amazon Cognito Developer
+   *                 Guide</i>.</p>
+   * @public
+   */
+  Filter?: string | undefined;
+}
+
+/**
+ * <p>The response from the request to list users.</p>
+ * @public
+ */
+export interface ListUsersResponse {
+  /**
+   * <p>A list of the user pool users, and their attributes, that match your query.</p>
+   *          <note>
+   *             <p>Amazon Cognito creates a profile in your user pool for each native user in your user pool,
+   *                 and each unique user ID from your third-party identity providers (IdPs). When you
+   *                 link users with the <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminLinkProviderForUser.html">AdminLinkProviderForUser</a> API operation, the output of
+   *                     <code>ListUsers</code> displays both the IdP user and the native user that you
+   *                 linked. You can identify IdP users in the <code>Users</code> object of this API
+   *                 response by the IdP prefix that Amazon Cognito appends to <code>Username</code>.</p>
+   *          </note>
+   * @public
+   */
+  Users?: UserType[] | undefined;
+
+  /**
+   * <p>The identifier that Amazon Cognito returned with the previous request to this operation. When
+   * you include a pagination token in your request, Amazon Cognito returns the next set of items in
+   * the list. By use of this token, you can paginate through the full list of items.</p>
+   * @public
+   */
+  PaginationToken?: string | undefined;
+}
+
+/**
+ * @public
+ */
+export interface ListUsersInGroupRequest {
+  /**
+   * <p>The user pool ID for the user pool.</p>
+   * @public
+   */
+  UserPoolId: string | undefined;
+
+  /**
+   * <p>The name of the group.</p>
+   * @public
+   */
+  GroupName: string | undefined;
+
+  /**
+   * <p>The maximum number of users that you want to retrieve before pagination.</p>
+   * @public
+   */
+  Limit?: number | undefined;
+
+  /**
+   * <p>An identifier that was returned from the previous call to this operation, which can be
+   *             used to return the next set of items in the list.</p>
+   * @public
+   */
+  NextToken?: string | undefined;
+}
+
+/**
+ * @public
+ */
+export interface ListUsersInGroupResponse {
+  /**
+   * <p>A list of users in the group, and their attributes.</p>
+   * @public
+   */
+  Users?: UserType[] | undefined;
+
+  /**
+   * <p>An identifier that you can use in a later request to return the next set of items in
+   *             the list.</p>
+   * @public
+   */
+  NextToken?: string | undefined;
+}
+
+/**
+ * @public
+ */
+export interface ListWebAuthnCredentialsRequest {
+  /**
+   * <p>A valid access token that Amazon Cognito issued to the user whose registered passkeys you want
+   *             to list.</p>
+   * @public
+   */
+  AccessToken: string | undefined;
+
+  /**
+   * <p>An identifier that was returned from the previous call to this operation, which can be
+   *             used to return the next set of items in the list.</p>
+   * @public
+   */
+  NextToken?: string | undefined;
+
+  /**
+   * <p>The maximum number of the user's passkey credentials that you want to
+   *             return.</p>
+   * @public
+   */
+  MaxResults?: number | undefined;
+}
+
+/**
+ * <p>The details of a passkey, or webauthN, biometric or security-key authentication factor
+ *             for a user.</p>
+ *          <p>This data type is a response parameter of <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_ListWebAuthnCredentials.html">ListWebAuthnCredentials</a>.</p>
+ * @public
+ */
+export interface WebAuthnCredentialDescription {
+  /**
+   * <p>The unique identifier of the passkey credential.</p>
+   * @public
+   */
+  CredentialId: string | undefined;
+
+  /**
+   * <p>An automatically-generated friendly name for the passkey credential.</p>
+   * @public
+   */
+  FriendlyCredentialName: string | undefined;
+
+  /**
+   * <p>The relying-party ID of the provider for the passkey credential.</p>
+   * @public
+   */
+  RelyingPartyId: string | undefined;
+
+  /**
+   * <p>The general category of the passkey authenticator. Can be a platform, or on-device
+   *             authenticator like a built-in fingerprint scanner, or a cross-platform device that's not
+   *             attached to the device like a Bluetooth security key.</p>
+   * @public
+   */
+  AuthenticatorAttachment?: string | undefined;
+
+  /**
+   * <p>Information about the transport methods of the passkey credential, for example USB or
+   *             Bluetooth Low Energy.</p>
+   * @public
+   */
+  AuthenticatorTransports: string[] | undefined;
+
+  /**
+   * <p>The date and time when the item was created. Amazon Cognito returns this timestamp in UNIX epoch time format. Your SDK might render the output in a
+   * human-readable format like ISO 8601 or a Java <code>Date</code> object.</p>
+   * @public
+   */
+  CreatedAt: Date | undefined;
+}
+
+/**
+ * @public
+ */
+export interface ListWebAuthnCredentialsResponse {
+  /**
+   * <p>A list of registered passkeys for a user.</p>
+   * @public
+   */
+  Credentials: WebAuthnCredentialDescription[] | undefined;
+
+  /**
+   * <p>An identifier that you can use in a later request to return the next set of items in
+   *             the list.</p>
+   * @public
+   */
+  NextToken?: string | undefined;
+}
+
+/**
+ * <p>Represents the request to resend the confirmation code.</p>
+ * @public
+ */
+export interface ResendConfirmationCodeRequest {
+  /**
+   * <p>The ID of the client associated with the user pool.</p>
+   * @public
+   */
+  ClientId: string | undefined;
+
+  /**
+   * <p>A keyed-hash message authentication code (HMAC) calculated using the secret key of a
+   *             user pool client and username plus the client ID in the message.</p>
+   * @public
+   */
+  SecretHash?: string | undefined;
+
+  /**
+   * <p>Contextual data about your user session, such as the device fingerprint, IP address, or location. Amazon Cognito advanced
+   * security evaluates the risk of an authentication event based on the context that your app generates and passes to Amazon Cognito
+   * when it makes API requests.</p>
+   * @public
+   */
+  UserContextData?: UserContextDataType | undefined;
+
+  /**
+   * <p>The username of the user that you want to query or modify. The value of this parameter
+   *             is typically your user's username, but it can be any of their alias attributes. If
+   *                 <code>username</code> isn't an alias attribute in your user pool, this value
+   *             must be the <code>sub</code> of a local user or the username of a user from a
+   *             third-party IdP.</p>
+   * @public
+   */
+  Username: string | undefined;
+
+  /**
+   * <p>The Amazon Pinpoint analytics metadata that contributes to your metrics for
+   *                 <code>ResendConfirmationCode</code> calls.</p>
+   * @public
+   */
+  AnalyticsMetadata?: AnalyticsMetadataType | undefined;
+
+  /**
+   * <p>A map of custom key-value pairs that you can provide as input for any custom workflows
+   *             that this action triggers.</p>
+   *          <p>You create custom workflows by assigning Lambda functions to user pool triggers.
+   *             When you use the ResendConfirmationCode API action, Amazon Cognito invokes the function that is
+   *             assigned to the <i>custom message</i> trigger. When Amazon Cognito invokes this
+   *             function, it passes a JSON payload, which the function receives as input. This payload
+   *             contains a <code>clientMetadata</code> attribute, which provides the data that you
+   *             assigned to the ClientMetadata parameter in your ResendConfirmationCode request. In your
+   *             function code in Lambda, you can process the <code>clientMetadata</code> value to enhance
+   *             your workflow for your specific needs.</p>
+   *          <p>For more information, see <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html">
+   * Customizing user pool Workflows with Lambda Triggers</a> in the <i>Amazon Cognito Developer Guide</i>.</p>
+   *          <note>
+   *             <p>When you use the ClientMetadata parameter, remember that Amazon Cognito won't do the
+   *                 following:</p>
+   *             <ul>
+   *                <li>
+   *                   <p>Store the ClientMetadata value. This data is available only to Lambda
+   *                         triggers that are assigned to a user pool to support custom workflows. If
+   *                         your user pool configuration doesn't include triggers, the ClientMetadata
+   *                         parameter serves no purpose.</p>
+   *                </li>
+   *                <li>
+   *                   <p>Validate the ClientMetadata value.</p>
+   *                </li>
+   *                <li>
+   *                   <p>Encrypt the ClientMetadata value. Don't use Amazon Cognito to provide sensitive
+   *                         information.</p>
+   *                </li>
+   *             </ul>
+   *          </note>
+   * @public
+   */
+  ClientMetadata?: Record<string, string> | undefined;
+}
+
+/**
+ * <p>The response from the server when Amazon Cognito makes the request to resend a confirmation
+ *             code.</p>
+ * @public
+ */
+export interface ResendConfirmationCodeResponse {
+  /**
+   * <p>The code delivery details returned by the server in response to the request to resend
+   *             the confirmation code.</p>
+   * @public
+   */
+  CodeDeliveryDetails?: CodeDeliveryDetailsType | undefined;
+}
+
+/**
+ * <p>The request to respond to an authentication challenge.</p>
+ * @public
+ */
+export interface RespondToAuthChallengeRequest {
+  /**
+   * <p>The app client ID.</p>
+   * @public
+   */
+  ClientId: string | undefined;
+
+  /**
+   * <p>The challenge name. For more information, see <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_InitiateAuth.html">InitiateAuth</a>.</p>
+   *          <p>
+   *             <code>ADMIN_NO_SRP_AUTH</code> isn't a valid value.</p>
+   * @public
+   */
+  ChallengeName: ChallengeNameType | undefined;
+
+  /**
+   * <p>The session that should be passed both ways in challenge-response calls to the
+   *             service. If <code>InitiateAuth</code> or <code>RespondToAuthChallenge</code> API call
+   *             determines that the caller must pass another challenge, they return a session with other
+   *             challenge parameters. This session should be passed as it is to the next
+   *                 <code>RespondToAuthChallenge</code> API call.</p>
+   * @public
+   */
+  Session?: string | undefined;
+
+  /**
+   * <p>The responses to the challenge that you received in the previous request. Each
+   *     challenge has its own required response parameters. The following examples are partial
+   *     JSON request bodies that highlight challenge-response parameters.</p>
+   *          <important>
+   *             <p>You must provide a SECRET_HASH parameter in all challenge responses to an app
+   *         client that has a client secret. Include a <code>DEVICE_KEY</code> for device
+   *         authentication.</p>
+   *          </important>
+   *          <dl>
+   *             <dt>SELECT_CHALLENGE</dt>
+   *             <dd>
+   *                <p>
+   *                   <code>"ChallengeName": "SELECT_CHALLENGE", "ChallengeResponses": \{
+   *             "USERNAME": "[username]",
+   *             "ANSWER": "[Challenge name]"\}</code>
+   *                </p>
+   *                <p>Available challenges are <code>PASSWORD</code>, <code>PASSWORD_SRP</code>,
+   *             <code>EMAIL_OTP</code>, <code>SMS_OTP</code>, and <code>WEB_AUTHN</code>.</p>
+   *                <p>Complete authentication in the <code>SELECT_CHALLENGE</code> response for
+   *             <code>PASSWORD</code>, <code>PASSWORD_SRP</code>, and <code>WEB_AUTHN</code>:</p>
+   *                <ul>
+   *                   <li>
+   *                      <p>
+   *                         <code>"ChallengeName": "SELECT_CHALLENGE", "ChallengeResponses": \{
+   *                   "ANSWER": "WEB_AUTHN",
+   *                   "USERNAME": "[username]",
+   *                   "CREDENTIAL": "[AuthenticationResponseJSON]"\}</code>
+   *                      </p>
+   *                      <p>See <a href="https://www.w3.org/TR/webauthn-3/#dictdef-authenticationresponsejson">
+   *                   AuthenticationResponseJSON</a>.</p>
+   *                   </li>
+   *                   <li>
+   *                      <p>
+   *                         <code>"ChallengeName": "SELECT_CHALLENGE", "ChallengeResponses": \{
+   *                   "ANSWER": "PASSWORD",
+   *                   "USERNAME": "[username]",
+   *                   "PASSWORD": "[password]"\}</code>
+   *                      </p>
+   *                   </li>
+   *                   <li>
+   *                      <p>
+   *                         <code>"ChallengeName": "SELECT_CHALLENGE", "ChallengeResponses": \{
+   *                   "ANSWER": "PASSWORD_SRP",
+   *                   "USERNAME": "[username]",
+   *                   "SRP_A": "[SRP_A]"\}</code>
+   *                      </p>
+   *                   </li>
+   *                </ul>
+   *                <p>For <code>SMS_OTP</code> and <code>EMAIL_OTP</code>, respond with the
+   *             username and answer. Your user pool will send a code for the user to submit in
+   *             the next challenge response.</p>
+   *                <ul>
+   *                   <li>
+   *                      <p>
+   *                         <code>"ChallengeName": "SELECT_CHALLENGE", "ChallengeResponses": \{
+   *                   "ANSWER": "SMS_OTP",
+   *                   "USERNAME": "[username]"\}</code>
+   *                      </p>
+   *                   </li>
+   *                   <li>
+   *                      <p>
+   *                         <code>"ChallengeName": "SELECT_CHALLENGE", "ChallengeResponses": \{
+   *                   "ANSWER": "EMAIL_OTP",
+   *                   "USERNAME": "[username]"\}</code>
+   *                      </p>
+   *                   </li>
+   *                </ul>
+   *             </dd>
+   *             <dt>SMS_OTP</dt>
+   *             <dd>
+   *                <p>
+   *                   <code>"ChallengeName": "SMS_OTP", "ChallengeResponses":
+   *             \{"SMS_OTP_CODE": "[code]", "USERNAME": "[username]"\}</code>
+   *                </p>
+   *             </dd>
+   *             <dt>EMAIL_OTP</dt>
+   *             <dd>
+   *                <p>
+   *                   <code>"ChallengeName": "EMAIL_OTP", "ChallengeResponses": \{"EMAIL_OTP_CODE":
+   *                     "[code]", "USERNAME": "[username]"\}</code>
+   *                </p>
+   *             </dd>
+   *             <dt>SMS_MFA</dt>
+   *             <dd>
+   *                <p>
+   *                   <code>"ChallengeName": "SMS_MFA", "ChallengeResponses": \{"SMS_MFA_CODE":
+   *                     "[code]", "USERNAME": "[username]"\}</code>
+   *                </p>
+   *             </dd>
+   *             <dt>PASSWORD_VERIFIER</dt>
+   *             <dd>
+   *                <p>This challenge response is part of the SRP flow. Amazon Cognito requires
+   *             that your application respond to this challenge within a few seconds. When
+   *             the response time exceeds this period, your user pool returns a
+   *             <code>NotAuthorizedException</code> error.</p>
+   *                <p>
+   *                   <code>"ChallengeName": "PASSWORD_VERIFIER", "ChallengeResponses":
+   *                     \{"PASSWORD_CLAIM_SIGNATURE": "[claim_signature]",
+   *                     "PASSWORD_CLAIM_SECRET_BLOCK": "[secret_block]", "TIMESTAMP":
+   *                     [timestamp], "USERNAME": "[username]"\}</code>
+   *                </p>
+   *                <p>Add <code>"DEVICE_KEY"</code> when you sign in with a remembered
+   *                 device.</p>
+   *             </dd>
+   *             <dt>CUSTOM_CHALLENGE</dt>
+   *             <dd>
+   *                <p>
+   *                   <code>"ChallengeName": "CUSTOM_CHALLENGE", "ChallengeResponses":
+   *                     \{"USERNAME": "[username]", "ANSWER": "[challenge_answer]"\}</code>
+   *                </p>
+   *                <p>Add <code>"DEVICE_KEY"</code> when you sign in with a remembered
+   *                 device.</p>
+   *             </dd>
+   *             <dt>NEW_PASSWORD_REQUIRED</dt>
+   *             <dd>
+   *                <p>
+   *                   <code>"ChallengeName": "NEW_PASSWORD_REQUIRED", "ChallengeResponses":
+   *                     \{"NEW_PASSWORD": "[new_password]", "USERNAME":
+   *                 "[username]"\}</code>
+   *                </p>
+   *                <p>To set any required attributes that <code>InitiateAuth</code> returned in
+   *                 an <code>requiredAttributes</code> parameter, add
+   *                     <code>"userAttributes.[attribute_name]": "[attribute_value]"</code>.
+   *                 This parameter can also set values for writable attributes that aren't
+   *                 required by your user pool.</p>
+   *                <note>
+   *                   <p>In a <code>NEW_PASSWORD_REQUIRED</code> challenge response, you can't modify a required attribute that already has a value.
+   * In <code>RespondToAuthChallenge</code>, set a value for any keys that Amazon Cognito returned in the <code>requiredAttributes</code> parameter,
+   * then use the <code>UpdateUserAttributes</code> API operation to modify the value of any additional attributes.</p>
+   *                </note>
+   *             </dd>
+   *             <dt>SOFTWARE_TOKEN_MFA</dt>
+   *             <dd>
+   *                <p>
+   *                   <code>"ChallengeName": "SOFTWARE_TOKEN_MFA", "ChallengeResponses":
+   *                     \{"USERNAME": "[username]", "SOFTWARE_TOKEN_MFA_CODE":
+   *                     [authenticator_code]\}</code>
+   *                </p>
+   *             </dd>
+   *             <dt>DEVICE_SRP_AUTH</dt>
+   *             <dd>
+   *                <p>
+   *                   <code>"ChallengeName": "DEVICE_SRP_AUTH", "ChallengeResponses": \{"USERNAME":
+   *                 "[username]", "DEVICE_KEY": "[device_key]", "SRP_A":
+   *                 "[srp_a]"\}</code>
+   *                </p>
+   *             </dd>
+   *             <dt>DEVICE_PASSWORD_VERIFIER</dt>
+   *             <dd>
+   *                <p>
+   *                   <code>"ChallengeName": "DEVICE_PASSWORD_VERIFIER", "ChallengeResponses":
+   *                 \{"DEVICE_KEY": "[device_key]", "PASSWORD_CLAIM_SIGNATURE":
+   *                 "[claim_signature]", "PASSWORD_CLAIM_SECRET_BLOCK": "[secret_block]",
+   *                 "TIMESTAMP": [timestamp], "USERNAME": "[username]"\}</code>
+   *                </p>
+   *             </dd>
+   *             <dt>MFA_SETUP</dt>
+   *             <dd>
+   *                <p>
+   *                   <code>"ChallengeName": "MFA_SETUP", "ChallengeResponses": \{"USERNAME":
+   *                 "[username]"\}, "SESSION": "[Session ID from
+   *                 VerifySoftwareToken]"</code>
+   *                </p>
+   *             </dd>
+   *             <dt>SELECT_MFA_TYPE</dt>
+   *             <dd>
+   *                <p>
+   *                   <code>"ChallengeName": "SELECT_MFA_TYPE", "ChallengeResponses": \{"USERNAME":
+   *                 "[username]", "ANSWER": "[SMS_MFA or SOFTWARE_TOKEN_MFA]"\}</code>
+   *                </p>
+   *             </dd>
+   *          </dl>
+   *          <p>For more information about <code>SECRET_HASH</code>, see <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/signing-up-users-in-your-app.html#cognito-user-pools-computing-secret-hash">Computing secret hash values</a>. For information about
+   *     <code>DEVICE_KEY</code>, see <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-device-tracking.html">Working with user devices in your user pool</a>.</p>
+   * @public
+   */
+  ChallengeResponses?: Record<string, string> | undefined;
+
+  /**
+   * <p>The Amazon Pinpoint analytics metadata that contributes to your metrics for
+   *                 <code>RespondToAuthChallenge</code> calls.</p>
+   * @public
+   */
+  AnalyticsMetadata?: AnalyticsMetadataType | undefined;
+
+  /**
+   * <p>Contextual data about your user session, such as the device fingerprint, IP address, or location. Amazon Cognito advanced
+   * security evaluates the risk of an authentication event based on the context that your app generates and passes to Amazon Cognito
+   * when it makes API requests.</p>
+   * @public
+   */
+  UserContextData?: UserContextDataType | undefined;
+
+  /**
+   * <p>A map of custom key-value pairs that you can provide as input for any custom workflows
+   *             that this action triggers.</p>
+   *          <p>You create custom workflows by assigning Lambda functions to user pool
+   *             triggers. When you use the RespondToAuthChallenge API action, Amazon Cognito invokes any
+   *             functions that are assigned to the following triggers: <i>post
+   *                 authentication</i>, <i>pre token generation</i>,
+   *                 <i>define auth challenge</i>, <i>create auth
+   *                 challenge</i>, and <i>verify auth challenge</i>. When Amazon Cognito
+   *             invokes any of these functions, it passes a JSON payload, which the function receives as
+   *             input. This payload contains a <code>clientMetadata</code> attribute, which provides the
+   *             data that you assigned to the ClientMetadata parameter in your RespondToAuthChallenge
+   *             request. In your function code in Lambda, you can process the
+   *                 <code>clientMetadata</code> value to enhance your workflow for your specific
+   *             needs.</p>
+   *          <p>For more information, see <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html">
+   * Customizing user pool Workflows with Lambda Triggers</a> in the <i>Amazon Cognito Developer Guide</i>.</p>
+   *          <note>
+   *             <p>When you use the ClientMetadata parameter, remember that Amazon Cognito won't do the
+   *                 following:</p>
+   *             <ul>
+   *                <li>
+   *                   <p>Store the ClientMetadata value. This data is available only to Lambda
+   *                         triggers that are assigned to a user pool to support custom workflows. If
+   *                         your user pool configuration doesn't include triggers, the ClientMetadata
+   *                         parameter serves no purpose.</p>
+   *                </li>
+   *                <li>
+   *                   <p>Validate the ClientMetadata value.</p>
+   *                </li>
+   *                <li>
+   *                   <p>Encrypt the ClientMetadata value. Don't use Amazon Cognito to provide sensitive
+   *                         information.</p>
+   *                </li>
+   *             </ul>
+   *          </note>
+   * @public
+   */
+  ClientMetadata?: Record<string, string> | undefined;
+}
+
 /**
  * <p>The response to respond to the authentication challenge.</p>
  * @public
@@ -397,6 +2007,14 @@ export interface SetUserPoolMfaConfigRequest {
    * @public
    */
   MfaConfiguration?: UserPoolMfaType | undefined;
+
+  /**
+   * <p>The configuration of your user pool for passkey, or webauthN, authentication and
+   *             registration. You can set this configuration independent of the MFA configuration
+   *             options in this operation.</p>
+   * @public
+   */
+  WebAuthnConfiguration?: WebAuthnConfigurationType | undefined;
 }
 
 /**
@@ -445,6 +2063,13 @@ export interface SetUserPoolMfaConfigResponse {
    * @public
    */
   MfaConfiguration?: UserPoolMfaType | undefined;
+
+  /**
+   * <p>The configuration of your user pool for passkey, or webauthN, biometric and
+   *             security-key devices.</p>
+   * @public
+   */
+  WebAuthnConfiguration?: WebAuthnConfigurationType | undefined;
 }
 
 /**
@@ -500,9 +2125,13 @@ export interface SignUpRequest {
 
   /**
    * <p>The password of the user you want to register.</p>
+   *          <p>Users can sign up without a password when your user pool supports passwordless sign-in
+   *             with email or SMS OTPs. To create a user with no password, omit this parameter or submit
+   *             a blank value. You can only create a passwordless user when passwordless sign-in is
+   *             available. See <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SignInPolicyType.html">the SignInPolicyType</a> property of <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html">CreateUserPool</a> and <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html">UpdateUserPool</a>.</p>
    * @public
    */
-  Password: string | undefined;
+  Password?: string | undefined;
 
   /**
    * <p>An array of name-value pairs representing user attributes.</p>
@@ -604,6 +2233,14 @@ export interface SignUpResponse {
    * @public
    */
   UserSub: string | undefined;
+
+  /**
+   * <p>A session Id that you can pass to <code>ConfirmSignUp</code> when you want to
+   *             immediately sign in your user with the <code>USER_AUTH</code> flow after they complete
+   *             sign-up.</p>
+   * @public
+   */
+  Session?: string | undefined;
 }
 
 /**
@@ -637,6 +2274,51 @@ export interface StartUserImportJobResponse {
   UserImportJob?: UserImportJobType | undefined;
 }
 
+/**
+ * @public
+ */
+export interface StartWebAuthnRegistrationRequest {
+  /**
+   * <p>A valid access token that Amazon Cognito issued to the user whose passkey metadata you want to
+   *             generate.</p>
+   * @public
+   */
+  AccessToken: string | undefined;
+}
+
+/**
+ * @public
+ */
+export interface StartWebAuthnRegistrationResponse {
+  /**
+   * <p>The information that a user can provide in their request to register with their
+   *             passkey provider.</p>
+   * @public
+   */
+  CredentialCreationOptions: __DocumentType | undefined;
+}
+
+/**
+ * <p>This exception is thrown when a user pool doesn't have a configured relying party
+ *             id or a user pool domain.</p>
+ * @public
+ */
+export class WebAuthnConfigurationMissingException extends __BaseException {
+  readonly name: "WebAuthnConfigurationMissingException" = "WebAuthnConfigurationMissingException";
+  readonly $fault: "client" = "client";
+  /**
+   * @internal
+   */
+  constructor(opts: __ExceptionOptionType<WebAuthnConfigurationMissingException, __BaseException>) {
+    super({
+      name: "WebAuthnConfigurationMissingException",
+      $fault: "client",
+      ...opts,
+    });
+    Object.setPrototypeOf(this, WebAuthnConfigurationMissingException.prototype);
+  }
+}
+
 /**
  * <p>Represents the request to stop the user import job.</p>
  * @public
@@ -1004,6 +2686,60 @@ export interface UpdateIdentityProviderResponse {
   IdentityProvider: IdentityProviderType | undefined;
 }
 
+/**
+ * @public
+ */
+export interface UpdateManagedLoginBrandingRequest {
+  /**
+   * <p>The ID of the user pool that contains the managed login branding style that you want
+   *             to update.</p>
+   * @public
+   */
+  UserPoolId?: string | undefined;
+
+  /**
+   * <p>The ID of the managed login branding style that you want to update.</p>
+   * @public
+   */
+  ManagedLoginBrandingId?: string | undefined;
+
+  /**
+   * <p>When true, applies the default branding style options. This option reverts to default
+   *             style options that are managed by Amazon Cognito. You can modify them later in the branding
+   *             designer.</p>
+   *          <p>When you specify <code>true</code> for this option, you must also omit values for
+   *                 <code>Settings</code> and <code>Assets</code> in the request.</p>
+   * @public
+   */
+  UseCognitoProvidedValues?: boolean | undefined;
+
+  /**
+   * <p>A JSON file, encoded as a <code>Document</code> type, with the the settings that you
+   *             want to apply to your style.</p>
+   * @public
+   */
+  Settings?: __DocumentType | undefined;
+
+  /**
+   * <p>An array of image files that you want to apply to roles like backgrounds, logos, and
+   *             icons. Each object must also indicate whether it is for dark mode, light mode, or
+   *             browser-adaptive mode.</p>
+   * @public
+   */
+  Assets?: AssetType[] | undefined;
+}
+
+/**
+ * @public
+ */
+export interface UpdateManagedLoginBrandingResponse {
+  /**
+   * <p>The details of the branding style that you updated.</p>
+   * @public
+   */
+  ManagedLoginBranding?: ManagedLoginBrandingType | undefined;
+}
+
 /**
  * @public
  */
@@ -1293,6 +3029,20 @@ export interface UpdateUserPoolRequest {
    * @public
    */
   AccountRecoverySetting?: AccountRecoverySettingType | undefined;
+
+  /**
+   * <p>The updated name of your user pool.</p>
+   * @public
+   */
+  PoolName?: string | undefined;
+
+  /**
+   * <p>The user pool <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-sign-in-feature-plans.html">feature plan</a>, or tier. This parameter determines the
+   *             eligibility of the user pool for features like managed login, access-token
+   *             customization, and threat protection. Defaults to <code>ESSENTIALS</code>.</p>
+   * @public
+   */
+  UserPoolTier?: UserPoolTierType | undefined;
 }
 
 /**
@@ -1436,6 +3186,18 @@ export interface UpdateUserPoolClientRequest {
    *          <ul>
    *             <li>
    *                <p>
+   *                   <code>ALLOW_USER_AUTH</code>: Enable selection-based sign-in
+   *             with <code>USER_AUTH</code>. This setting covers username-password,
+   *             secure remote password (SRP), passwordless, and passkey authentication.
+   *             This authentiation flow can do username-password and SRP authentication
+   *             without other <code>ExplicitAuthFlows</code> permitting them. For example
+   *             users can complete an SRP challenge through <code>USER_AUTH</code>
+   *             without the flow <code>USER_SRP_AUTH</code> being active for the app
+   *             client. This flow doesn't include <code>CUSTOM_AUTH</code>.
+   *         </p>
+   *             </li>
+   *             <li>
+   *                <p>
    *                   <code>ALLOW_ADMIN_USER_PASSWORD_AUTH</code>: Enable admin based user password
    *             authentication flow <code>ADMIN_USER_PASSWORD_AUTH</code>. This setting replaces
    *             the <code>ADMIN_NO_SRP_AUTH</code> setting. With this authentication flow, your app
@@ -1471,10 +3233,16 @@ export interface UpdateUserPoolClientRequest {
   ExplicitAuthFlows?: ExplicitAuthFlowsType[] | undefined;
 
   /**
-   * <p>A list of provider names for the IdPs that this client supports. The following are
-   *             supported: <code>COGNITO</code>, <code>Facebook</code>, <code>Google</code>,
-   *                 <code>SignInWithApple</code>, <code>LoginWithAmazon</code>, and the names of your
-   *             own SAML and OIDC providers.</p>
+   * <p>A list of provider names for the identity providers (IdPs) that are supported on this
+   *             client. The following are supported: <code>COGNITO</code>, <code>Facebook</code>,
+   *                 <code>Google</code>, <code>SignInWithApple</code>, and <code>LoginWithAmazon</code>.
+   *             You can also specify the names that you configured for the SAML and OIDC IdPs in your
+   *             user pool, for example <code>MySAMLIdP</code> or <code>MyOIDCIdP</code>.</p>
+   *          <p>This setting applies to providers that you can access with the <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-app-integration.html">hosted
+   *                 UI and OAuth 2.0 authorization server</a>. The removal of <code>COGNITO</code>
+   *             from this list doesn't prevent authentication operations for local users with the
+   *             user pools API in an Amazon Web Services SDK. The only way to prevent API-based authentication is to
+   *             block access with a <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-waf.html">WAF rule</a>.</p>
    * @public
    */
   SupportedIdentityProviders?: string[] | undefined;
@@ -1644,7 +3412,7 @@ export interface UpdateUserPoolClientRequest {
 
   /**
    * <p>Activates the propagation of additional user context data. For more information about
-   *             propagation of user context data, see <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-advanced-security.html"> Adding advanced security to a user pool</a>. If you don’t include this
+   *             propagation of user context data, see <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-threat-protection.html"> Adding advanced security to a user pool</a>. If you don’t include this
    *             parameter, you can't send device fingerprint information, including source IP address,
    *             to Amazon Cognito advanced security. You can only activate
    *                 <code>EnablePropagateAdditionalUserContextData</code> in an app client that has a
@@ -1696,10 +3464,23 @@ export interface UpdateUserPoolDomainRequest {
    */
   UserPoolId: string | undefined;
 
+  /**
+   * <p>A version number that indicates the state of managed login for your domain. Version
+   *                 <code>1</code> is hosted UI (classic). Version <code>2</code> is the newer managed
+   *             login with the branding designer. For more information, see <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-managed-login.html">Managed login</a>.</p>
+   * @public
+   */
+  ManagedLoginVersion?: number | undefined;
+
   /**
    * <p>The configuration for a custom domain that hosts the sign-up and sign-in pages for
    *             your application. Use this object to specify an SSL certificate that is managed by
    *             ACM.</p>
+   *          <p>When you create a custom domain, the passkey RP ID defaults to the custom domain. If
+   *             you had a prefix domain active, this will cause passkey integration for your prefix
+   *             domain to stop working due to a mismatch in RP ID. To keep the prefix domain passkey
+   *             integration working, you can explicitly set RP ID to the prefix domain. Update the RP ID
+   *             in a <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SetUserPoolMfaConfig.html">SetUserPoolMfaConfig</a> request.</p>
    * @public
    */
   CustomDomainConfig: CustomDomainConfigType | undefined;
@@ -1710,6 +3491,14 @@ export interface UpdateUserPoolDomainRequest {
  * @public
  */
 export interface UpdateUserPoolDomainResponse {
+  /**
+   * <p>A version number that indicates the state of managed login for your domain. Version
+   *                 <code>1</code> is hosted UI (classic). Version <code>2</code> is the newer managed
+   *             login with the branding designer. For more information, see <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-managed-login.html">Managed login</a>.</p>
+   * @public
+   */
+  ManagedLoginVersion?: number | undefined;
+
   /**
    * <p>The Amazon CloudFront endpoint that Amazon Cognito set up when you added the custom domain to your user
    *             pool.</p>
@@ -1835,6 +3624,115 @@ export interface VerifyUserAttributeRequest {
  */
 export interface VerifyUserAttributeResponse {}
 
+/**
+ * @internal
+ */
+export const GlobalSignOutRequestFilterSensitiveLog = (obj: GlobalSignOutRequest): any => ({
+  ...obj,
+  ...(obj.AccessToken && { AccessToken: SENSITIVE_STRING }),
+});
+
+/**
+ * @internal
+ */
+export const InitiateAuthRequestFilterSensitiveLog = (obj: InitiateAuthRequest): any => ({
+  ...obj,
+  ...(obj.AuthParameters && { AuthParameters: SENSITIVE_STRING }),
+  ...(obj.ClientId && { ClientId: SENSITIVE_STRING }),
+  ...(obj.UserContextData && { UserContextData: SENSITIVE_STRING }),
+  ...(obj.Session && { Session: SENSITIVE_STRING }),
+});
+
+/**
+ * @internal
+ */
+export const InitiateAuthResponseFilterSensitiveLog = (obj: InitiateAuthResponse): any => ({
+  ...obj,
+  ...(obj.Session && { Session: SENSITIVE_STRING }),
+  ...(obj.AuthenticationResult && {
+    AuthenticationResult: AuthenticationResultTypeFilterSensitiveLog(obj.AuthenticationResult),
+  }),
+});
+
+/**
+ * @internal
+ */
+export const ListDevicesRequestFilterSensitiveLog = (obj: ListDevicesRequest): any => ({
+  ...obj,
+  ...(obj.AccessToken && { AccessToken: SENSITIVE_STRING }),
+});
+
+/**
+ * @internal
+ */
+export const ListDevicesResponseFilterSensitiveLog = (obj: ListDevicesResponse): any => ({
+  ...obj,
+});
+
+/**
+ * @internal
+ */
+export const UserPoolClientDescriptionFilterSensitiveLog = (obj: UserPoolClientDescription): any => ({
+  ...obj,
+  ...(obj.ClientId && { ClientId: SENSITIVE_STRING }),
+});
+
+/**
+ * @internal
+ */
+export const ListUserPoolClientsResponseFilterSensitiveLog = (obj: ListUserPoolClientsResponse): any => ({
+  ...obj,
+  ...(obj.UserPoolClients && {
+    UserPoolClients: obj.UserPoolClients.map((item) => UserPoolClientDescriptionFilterSensitiveLog(item)),
+  }),
+});
+
+/**
+ * @internal
+ */
+export const ListUsersResponseFilterSensitiveLog = (obj: ListUsersResponse): any => ({
+  ...obj,
+  ...(obj.Users && { Users: obj.Users.map((item) => UserTypeFilterSensitiveLog(item)) }),
+});
+
+/**
+ * @internal
+ */
+export const ListUsersInGroupResponseFilterSensitiveLog = (obj: ListUsersInGroupResponse): any => ({
+  ...obj,
+  ...(obj.Users && { Users: obj.Users.map((item) => UserTypeFilterSensitiveLog(item)) }),
+});
+
+/**
+ * @internal
+ */
+export const ListWebAuthnCredentialsRequestFilterSensitiveLog = (obj: ListWebAuthnCredentialsRequest): any => ({
+  ...obj,
+  ...(obj.AccessToken && { AccessToken: SENSITIVE_STRING }),
+});
+
+/**
+ * @internal
+ */
+export const ResendConfirmationCodeRequestFilterSensitiveLog = (obj: ResendConfirmationCodeRequest): any => ({
+  ...obj,
+  ...(obj.ClientId && { ClientId: SENSITIVE_STRING }),
+  ...(obj.SecretHash && { SecretHash: SENSITIVE_STRING }),
+  ...(obj.UserContextData && { UserContextData: SENSITIVE_STRING }),
+  ...(obj.Username && { Username: SENSITIVE_STRING }),
+});
+
+/**
+ * @internal
+ */
+export const RespondToAuthChallengeRequestFilterSensitiveLog = (obj: RespondToAuthChallengeRequest): any => ({
+  ...obj,
+  ...(obj.ClientId && { ClientId: SENSITIVE_STRING }),
+  ...(obj.Session && { Session: SENSITIVE_STRING }),
+  ...(obj.ChallengeResponses && { ChallengeResponses: SENSITIVE_STRING }),
+  ...(obj.UserContextData && { UserContextData: SENSITIVE_STRING }),
+});
+
 /**
  * @internal
  */
@@ -1922,6 +3820,22 @@ export const SignUpRequestFilterSensitiveLog = (obj: SignUpRequest): any => ({
   ...(obj.UserContextData && { UserContextData: SENSITIVE_STRING }),
 });
 
+/**
+ * @internal
+ */
+export const SignUpResponseFilterSensitiveLog = (obj: SignUpResponse): any => ({
+  ...obj,
+  ...(obj.Session && { Session: SENSITIVE_STRING }),
+});
+
+/**
+ * @internal
+ */
+export const StartWebAuthnRegistrationRequestFilterSensitiveLog = (obj: StartWebAuthnRegistrationRequest): any => ({
+  ...obj,
+  ...(obj.AccessToken && { AccessToken: SENSITIVE_STRING }),
+});
+
 /**
  * @internal
  */
diff --git a/clients/client-cognito-identity-provider/src/protocols/Aws_json1_1.ts b/clients/client-cognito-identity-provider/src/protocols/Aws_json1_1.ts
index e21e011a7ebe..2245407413ef 100644
--- a/clients/client-cognito-identity-provider/src/protocols/Aws_json1_1.ts
+++ b/clients/client-cognito-identity-provider/src/protocols/Aws_json1_1.ts
@@ -16,6 +16,7 @@ import {
   withBaseException,
 } from "@smithy/smithy-client";
 import {
+  DocumentType as __DocumentType,
   Endpoint as __Endpoint,
   HeaderBag as __HeaderBag,
   ResponseMetadata as __ResponseMetadata,
@@ -105,6 +106,10 @@ import {
   AssociateSoftwareTokenCommandOutput,
 } from "../commands/AssociateSoftwareTokenCommand";
 import { ChangePasswordCommandInput, ChangePasswordCommandOutput } from "../commands/ChangePasswordCommand";
+import {
+  CompleteWebAuthnRegistrationCommandInput,
+  CompleteWebAuthnRegistrationCommandOutput,
+} from "../commands/CompleteWebAuthnRegistrationCommand";
 import { ConfirmDeviceCommandInput, ConfirmDeviceCommandOutput } from "../commands/ConfirmDeviceCommand";
 import {
   ConfirmForgotPasswordCommandInput,
@@ -116,6 +121,10 @@ import {
   CreateIdentityProviderCommandInput,
   CreateIdentityProviderCommandOutput,
 } from "../commands/CreateIdentityProviderCommand";
+import {
+  CreateManagedLoginBrandingCommandInput,
+  CreateManagedLoginBrandingCommandOutput,
+} from "../commands/CreateManagedLoginBrandingCommand";
 import {
   CreateResourceServerCommandInput,
   CreateResourceServerCommandOutput,
@@ -138,6 +147,10 @@ import {
   DeleteIdentityProviderCommandInput,
   DeleteIdentityProviderCommandOutput,
 } from "../commands/DeleteIdentityProviderCommand";
+import {
+  DeleteManagedLoginBrandingCommandInput,
+  DeleteManagedLoginBrandingCommandOutput,
+} from "../commands/DeleteManagedLoginBrandingCommand";
 import {
   DeleteResourceServerCommandInput,
   DeleteResourceServerCommandOutput,
@@ -156,10 +169,22 @@ import {
   DeleteUserPoolDomainCommandInput,
   DeleteUserPoolDomainCommandOutput,
 } from "../commands/DeleteUserPoolDomainCommand";
+import {
+  DeleteWebAuthnCredentialCommandInput,
+  DeleteWebAuthnCredentialCommandOutput,
+} from "../commands/DeleteWebAuthnCredentialCommand";
 import {
   DescribeIdentityProviderCommandInput,
   DescribeIdentityProviderCommandOutput,
 } from "../commands/DescribeIdentityProviderCommand";
+import {
+  DescribeManagedLoginBrandingByClientCommandInput,
+  DescribeManagedLoginBrandingByClientCommandOutput,
+} from "../commands/DescribeManagedLoginBrandingByClientCommand";
+import {
+  DescribeManagedLoginBrandingCommandInput,
+  DescribeManagedLoginBrandingCommandOutput,
+} from "../commands/DescribeManagedLoginBrandingCommand";
 import {
   DescribeResourceServerCommandInput,
   DescribeResourceServerCommandOutput,
@@ -203,6 +228,7 @@ import {
   GetUserAttributeVerificationCodeCommandInput,
   GetUserAttributeVerificationCodeCommandOutput,
 } from "../commands/GetUserAttributeVerificationCodeCommand";
+import { GetUserAuthFactorsCommandInput, GetUserAuthFactorsCommandOutput } from "../commands/GetUserAuthFactorsCommand";
 import { GetUserCommandInput, GetUserCommandOutput } from "../commands/GetUserCommand";
 import {
   GetUserPoolMfaConfigCommandInput,
@@ -232,6 +258,10 @@ import {
 import { ListUserPoolsCommandInput, ListUserPoolsCommandOutput } from "../commands/ListUserPoolsCommand";
 import { ListUsersCommandInput, ListUsersCommandOutput } from "../commands/ListUsersCommand";
 import { ListUsersInGroupCommandInput, ListUsersInGroupCommandOutput } from "../commands/ListUsersInGroupCommand";
+import {
+  ListWebAuthnCredentialsCommandInput,
+  ListWebAuthnCredentialsCommandOutput,
+} from "../commands/ListWebAuthnCredentialsCommand";
 import {
   ResendConfirmationCodeCommandInput,
   ResendConfirmationCodeCommandOutput,
@@ -261,6 +291,10 @@ import {
 import { SetUserSettingsCommandInput, SetUserSettingsCommandOutput } from "../commands/SetUserSettingsCommand";
 import { SignUpCommandInput, SignUpCommandOutput } from "../commands/SignUpCommand";
 import { StartUserImportJobCommandInput, StartUserImportJobCommandOutput } from "../commands/StartUserImportJobCommand";
+import {
+  StartWebAuthnRegistrationCommandInput,
+  StartWebAuthnRegistrationCommandOutput,
+} from "../commands/StartWebAuthnRegistrationCommand";
 import { StopUserImportJobCommandInput, StopUserImportJobCommandOutput } from "../commands/StopUserImportJobCommand";
 import { TagResourceCommandInput, TagResourceCommandOutput } from "../commands/TagResourceCommand";
 import { UntagResourceCommandInput, UntagResourceCommandOutput } from "../commands/UntagResourceCommand";
@@ -274,6 +308,10 @@ import {
   UpdateIdentityProviderCommandInput,
   UpdateIdentityProviderCommandOutput,
 } from "../commands/UpdateIdentityProviderCommand";
+import {
+  UpdateManagedLoginBrandingCommandInput,
+  UpdateManagedLoginBrandingCommandOutput,
+} from "../commands/UpdateManagedLoginBrandingCommand";
 import {
   UpdateResourceServerCommandInput,
   UpdateResourceServerCommandOutput,
@@ -344,13 +382,16 @@ import {
   AliasExistsException,
   AnalyticsConfigurationType,
   AnalyticsMetadataType,
+  AssetType,
   AssociateSoftwareTokenRequest,
   AttributeType,
   AuthEventType,
+  AuthFactorType,
   ChangePasswordRequest,
   CloudWatchLogsConfigurationType,
   CodeDeliveryFailureException,
   CodeMismatchException,
+  CompleteWebAuthnRegistrationRequest,
   CompromisedCredentialsActionsType,
   CompromisedCredentialsRiskConfigurationType,
   ConcurrentModificationException,
@@ -362,6 +403,8 @@ import {
   CreateGroupResponse,
   CreateIdentityProviderRequest,
   CreateIdentityProviderResponse,
+  CreateManagedLoginBrandingRequest,
+  CreateManagedLoginBrandingResponse,
   CreateResourceServerRequest,
   CreateUserImportJobRequest,
   CreateUserImportJobResponse,
@@ -375,15 +418,21 @@ import {
   CustomSMSLambdaVersionConfigType,
   DeleteGroupRequest,
   DeleteIdentityProviderRequest,
+  DeleteManagedLoginBrandingRequest,
   DeleteResourceServerRequest,
   DeleteUserAttributesRequest,
   DeleteUserPoolClientRequest,
   DeleteUserPoolDomainRequest,
   DeleteUserPoolRequest,
   DeleteUserRequest,
+  DeleteWebAuthnCredentialRequest,
   DeliveryMediumType,
   DescribeIdentityProviderRequest,
   DescribeIdentityProviderResponse,
+  DescribeManagedLoginBrandingByClientRequest,
+  DescribeManagedLoginBrandingByClientResponse,
+  DescribeManagedLoginBrandingRequest,
+  DescribeManagedLoginBrandingResponse,
   DescribeResourceServerRequest,
   DescribeRiskConfigurationRequest,
   DescribeRiskConfigurationResponse,
@@ -405,6 +454,7 @@ import {
   EventFilterType,
   ExpiredCodeException,
   ExplicitAuthFlowsType,
+  FeatureUnavailableInTierException,
   FirehoseConfigurationType,
   ForbiddenException,
   ForgetDeviceRequest,
@@ -421,14 +471,13 @@ import {
   GetUICustomizationRequest,
   GetUICustomizationResponse,
   GetUserAttributeVerificationCodeRequest,
+  GetUserAuthFactorsRequest,
   GetUserPoolMfaConfigRequest,
   GetUserRequest,
-  GlobalSignOutRequest,
   GroupExistsException,
   GroupType,
   HttpHeader,
   IdentityProviderType,
-  InitiateAuthRequest,
   InternalErrorException,
   InvalidEmailRoleAccessPolicyException,
   InvalidLambdaResponseException,
@@ -440,24 +489,9 @@ import {
   InvalidUserPoolConfigurationException,
   LambdaConfigType,
   LimitExceededException,
-  ListDevicesRequest,
-  ListDevicesResponse,
-  ListGroupsRequest,
-  ListGroupsResponse,
-  ListIdentityProvidersRequest,
-  ListIdentityProvidersResponse,
-  ListResourceServersRequest,
-  ListTagsForResourceRequest,
-  ListUserImportJobsRequest,
-  ListUserImportJobsResponse,
-  ListUserPoolClientsRequest,
-  ListUserPoolsRequest,
-  ListUserPoolsResponse,
-  ListUsersInGroupRequest,
-  ListUsersInGroupResponse,
-  ListUsersRequest,
-  ListUsersResponse,
   LogConfigurationType,
+  ManagedLoginBrandingExistsException,
+  ManagedLoginBrandingType,
   MessageTemplateType,
   MFAMethodNotFoundException,
   MFAOptionType,
@@ -471,18 +505,16 @@ import {
   PasswordResetRequiredException,
   PreconditionNotMetException,
   PreTokenGenerationVersionConfigType,
-  ProviderDescription,
   ProviderUserIdentifierType,
   RecoveryOptionType,
-  ResendConfirmationCodeRequest,
   ResourceNotFoundException,
   ResourceServerScopeType,
-  RespondToAuthChallengeRequest,
   RiskConfigurationType,
   RiskExceptionConfigurationType,
   S3ConfigurationType,
   SchemaAttributeType,
   ScopeDoesNotExistException,
+  SignInPolicyType,
   SmsConfigurationType,
   SmsMfaConfigType,
   SMSMfaSettingsType,
@@ -490,6 +522,7 @@ import {
   SoftwareTokenMFANotFoundException,
   SoftwareTokenMfaSettingsType,
   StringAttributeConstraintsType,
+  TierChangeNotAllowedException,
   TokenValidityUnitsType,
   TooManyFailedAttemptsException,
   TooManyRequestsException,
@@ -510,16 +543,45 @@ import {
   UserPoolAddOnNotEnabledException,
   UserPoolAddOnsType,
   UserPoolClientType,
-  UserPoolDescriptionType,
   UserPoolPolicyType,
   UserPoolTaggingException,
   UserPoolType,
   UserType,
   VerificationMessageTemplateType,
   VerifiedAttributeType,
+  WebAuthnChallengeNotFoundException,
+  WebAuthnClientMismatchException,
+  WebAuthnCredentialNotSupportedException,
+  WebAuthnNotEnabledException,
+  WebAuthnOriginNotAllowedException,
+  WebAuthnRelyingPartyMismatchException,
 } from "../models/models_0";
 import {
   EnableSoftwareTokenMFAException,
+  GlobalSignOutRequest,
+  InitiateAuthRequest,
+  ListDevicesRequest,
+  ListDevicesResponse,
+  ListGroupsRequest,
+  ListGroupsResponse,
+  ListIdentityProvidersRequest,
+  ListIdentityProvidersResponse,
+  ListResourceServersRequest,
+  ListTagsForResourceRequest,
+  ListUserImportJobsRequest,
+  ListUserImportJobsResponse,
+  ListUserPoolClientsRequest,
+  ListUserPoolsRequest,
+  ListUserPoolsResponse,
+  ListUsersInGroupRequest,
+  ListUsersInGroupResponse,
+  ListUsersRequest,
+  ListUsersResponse,
+  ListWebAuthnCredentialsRequest,
+  ListWebAuthnCredentialsResponse,
+  ProviderDescription,
+  ResendConfirmationCodeRequest,
+  RespondToAuthChallengeRequest,
   RevokeTokenRequest,
   SetLogDeliveryConfigurationRequest,
   SetRiskConfigurationRequest,
@@ -532,6 +594,8 @@ import {
   SignUpRequest,
   StartUserImportJobRequest,
   StartUserImportJobResponse,
+  StartWebAuthnRegistrationRequest,
+  StartWebAuthnRegistrationResponse,
   StopUserImportJobRequest,
   StopUserImportJobResponse,
   TagResourceRequest,
@@ -545,14 +609,20 @@ import {
   UpdateGroupResponse,
   UpdateIdentityProviderRequest,
   UpdateIdentityProviderResponse,
+  UpdateManagedLoginBrandingRequest,
+  UpdateManagedLoginBrandingResponse,
   UpdateResourceServerRequest,
   UpdateUserAttributesRequest,
   UpdateUserPoolClientRequest,
   UpdateUserPoolClientResponse,
   UpdateUserPoolDomainRequest,
   UpdateUserPoolRequest,
+  UserPoolDescriptionType,
   VerifySoftwareTokenRequest,
   VerifyUserAttributeRequest,
+  WebAuthnConfigurationMissingException,
+  WebAuthnConfigurationType,
+  WebAuthnCredentialDescription,
 } from "../models/models_1";
 
 /**
@@ -932,6 +1002,19 @@ export const se_ChangePasswordCommand = async (
   return buildHttpRpcRequest(context, headers, "/", undefined, body);
 };
 
+/**
+ * serializeAws_json1_1CompleteWebAuthnRegistrationCommand
+ */
+export const se_CompleteWebAuthnRegistrationCommand = async (
+  input: CompleteWebAuthnRegistrationCommandInput,
+  context: __SerdeContext
+): Promise<__HttpRequest> => {
+  const headers: __HeaderBag = sharedHeaders("CompleteWebAuthnRegistration");
+  let body: any;
+  body = JSON.stringify(se_CompleteWebAuthnRegistrationRequest(input, context));
+  return buildHttpRpcRequest(context, headers, "/", undefined, body);
+};
+
 /**
  * serializeAws_json1_1ConfirmDeviceCommand
  */
@@ -997,6 +1080,19 @@ export const se_CreateIdentityProviderCommand = async (
   return buildHttpRpcRequest(context, headers, "/", undefined, body);
 };
 
+/**
+ * serializeAws_json1_1CreateManagedLoginBrandingCommand
+ */
+export const se_CreateManagedLoginBrandingCommand = async (
+  input: CreateManagedLoginBrandingCommandInput,
+  context: __SerdeContext
+): Promise<__HttpRequest> => {
+  const headers: __HeaderBag = sharedHeaders("CreateManagedLoginBranding");
+  let body: any;
+  body = JSON.stringify(se_CreateManagedLoginBrandingRequest(input, context));
+  return buildHttpRpcRequest(context, headers, "/", undefined, body);
+};
+
 /**
  * serializeAws_json1_1CreateResourceServerCommand
  */
@@ -1088,6 +1184,19 @@ export const se_DeleteIdentityProviderCommand = async (
   return buildHttpRpcRequest(context, headers, "/", undefined, body);
 };
 
+/**
+ * serializeAws_json1_1DeleteManagedLoginBrandingCommand
+ */
+export const se_DeleteManagedLoginBrandingCommand = async (
+  input: DeleteManagedLoginBrandingCommandInput,
+  context: __SerdeContext
+): Promise<__HttpRequest> => {
+  const headers: __HeaderBag = sharedHeaders("DeleteManagedLoginBranding");
+  let body: any;
+  body = JSON.stringify(_json(input));
+  return buildHttpRpcRequest(context, headers, "/", undefined, body);
+};
+
 /**
  * serializeAws_json1_1DeleteResourceServerCommand
  */
@@ -1166,6 +1275,19 @@ export const se_DeleteUserPoolDomainCommand = async (
   return buildHttpRpcRequest(context, headers, "/", undefined, body);
 };
 
+/**
+ * serializeAws_json1_1DeleteWebAuthnCredentialCommand
+ */
+export const se_DeleteWebAuthnCredentialCommand = async (
+  input: DeleteWebAuthnCredentialCommandInput,
+  context: __SerdeContext
+): Promise<__HttpRequest> => {
+  const headers: __HeaderBag = sharedHeaders("DeleteWebAuthnCredential");
+  let body: any;
+  body = JSON.stringify(_json(input));
+  return buildHttpRpcRequest(context, headers, "/", undefined, body);
+};
+
 /**
  * serializeAws_json1_1DescribeIdentityProviderCommand
  */
@@ -1179,6 +1301,32 @@ export const se_DescribeIdentityProviderCommand = async (
   return buildHttpRpcRequest(context, headers, "/", undefined, body);
 };
 
+/**
+ * serializeAws_json1_1DescribeManagedLoginBrandingCommand
+ */
+export const se_DescribeManagedLoginBrandingCommand = async (
+  input: DescribeManagedLoginBrandingCommandInput,
+  context: __SerdeContext
+): Promise<__HttpRequest> => {
+  const headers: __HeaderBag = sharedHeaders("DescribeManagedLoginBranding");
+  let body: any;
+  body = JSON.stringify(_json(input));
+  return buildHttpRpcRequest(context, headers, "/", undefined, body);
+};
+
+/**
+ * serializeAws_json1_1DescribeManagedLoginBrandingByClientCommand
+ */
+export const se_DescribeManagedLoginBrandingByClientCommand = async (
+  input: DescribeManagedLoginBrandingByClientCommandInput,
+  context: __SerdeContext
+): Promise<__HttpRequest> => {
+  const headers: __HeaderBag = sharedHeaders("DescribeManagedLoginBrandingByClient");
+  let body: any;
+  body = JSON.stringify(_json(input));
+  return buildHttpRpcRequest(context, headers, "/", undefined, body);
+};
+
 /**
  * serializeAws_json1_1DescribeResourceServerCommand
  */
@@ -1400,6 +1548,19 @@ export const se_GetUserAttributeVerificationCodeCommand = async (
   return buildHttpRpcRequest(context, headers, "/", undefined, body);
 };
 
+/**
+ * serializeAws_json1_1GetUserAuthFactorsCommand
+ */
+export const se_GetUserAuthFactorsCommand = async (
+  input: GetUserAuthFactorsCommandInput,
+  context: __SerdeContext
+): Promise<__HttpRequest> => {
+  const headers: __HeaderBag = sharedHeaders("GetUserAuthFactors");
+  let body: any;
+  body = JSON.stringify(_json(input));
+  return buildHttpRpcRequest(context, headers, "/", undefined, body);
+};
+
 /**
  * serializeAws_json1_1GetUserPoolMfaConfigCommand
  */
@@ -1569,6 +1730,19 @@ export const se_ListUsersInGroupCommand = async (
   return buildHttpRpcRequest(context, headers, "/", undefined, body);
 };
 
+/**
+ * serializeAws_json1_1ListWebAuthnCredentialsCommand
+ */
+export const se_ListWebAuthnCredentialsCommand = async (
+  input: ListWebAuthnCredentialsCommandInput,
+  context: __SerdeContext
+): Promise<__HttpRequest> => {
+  const headers: __HeaderBag = sharedHeaders("ListWebAuthnCredentials");
+  let body: any;
+  body = JSON.stringify(_json(input));
+  return buildHttpRpcRequest(context, headers, "/", undefined, body);
+};
+
 /**
  * serializeAws_json1_1ResendConfirmationCodeCommand
  */
@@ -1709,6 +1883,19 @@ export const se_StartUserImportJobCommand = async (
   return buildHttpRpcRequest(context, headers, "/", undefined, body);
 };
 
+/**
+ * serializeAws_json1_1StartWebAuthnRegistrationCommand
+ */
+export const se_StartWebAuthnRegistrationCommand = async (
+  input: StartWebAuthnRegistrationCommandInput,
+  context: __SerdeContext
+): Promise<__HttpRequest> => {
+  const headers: __HeaderBag = sharedHeaders("StartWebAuthnRegistration");
+  let body: any;
+  body = JSON.stringify(_json(input));
+  return buildHttpRpcRequest(context, headers, "/", undefined, body);
+};
+
 /**
  * serializeAws_json1_1StopUserImportJobCommand
  */
@@ -1800,6 +1987,19 @@ export const se_UpdateIdentityProviderCommand = async (
   return buildHttpRpcRequest(context, headers, "/", undefined, body);
 };
 
+/**
+ * serializeAws_json1_1UpdateManagedLoginBrandingCommand
+ */
+export const se_UpdateManagedLoginBrandingCommand = async (
+  input: UpdateManagedLoginBrandingCommandInput,
+  context: __SerdeContext
+): Promise<__HttpRequest> => {
+  const headers: __HeaderBag = sharedHeaders("UpdateManagedLoginBranding");
+  let body: any;
+  body = JSON.stringify(se_UpdateManagedLoginBrandingRequest(input, context));
+  return buildHttpRpcRequest(context, headers, "/", undefined, body);
+};
+
 /**
  * serializeAws_json1_1UpdateResourceServerCommand
  */
@@ -2459,6 +2659,26 @@ export const de_ChangePasswordCommand = async (
   return response;
 };
 
+/**
+ * deserializeAws_json1_1CompleteWebAuthnRegistrationCommand
+ */
+export const de_CompleteWebAuthnRegistrationCommand = async (
+  output: __HttpResponse,
+  context: __SerdeContext
+): Promise<CompleteWebAuthnRegistrationCommandOutput> => {
+  if (output.statusCode >= 300) {
+    return de_CommandError(output, context);
+  }
+  const data: any = await parseBody(output.body, context);
+  let contents: any = {};
+  contents = _json(data);
+  const response: CompleteWebAuthnRegistrationCommandOutput = {
+    $metadata: deserializeMetadata(output),
+    ...contents,
+  };
+  return response;
+};
+
 /**
  * deserializeAws_json1_1ConfirmDeviceCommand
  */
@@ -2559,6 +2779,26 @@ export const de_CreateIdentityProviderCommand = async (
   return response;
 };
 
+/**
+ * deserializeAws_json1_1CreateManagedLoginBrandingCommand
+ */
+export const de_CreateManagedLoginBrandingCommand = async (
+  output: __HttpResponse,
+  context: __SerdeContext
+): Promise<CreateManagedLoginBrandingCommandOutput> => {
+  if (output.statusCode >= 300) {
+    return de_CommandError(output, context);
+  }
+  const data: any = await parseBody(output.body, context);
+  let contents: any = {};
+  contents = de_CreateManagedLoginBrandingResponse(data, context);
+  const response: CreateManagedLoginBrandingCommandOutput = {
+    $metadata: deserializeMetadata(output),
+    ...contents,
+  };
+  return response;
+};
+
 /**
  * deserializeAws_json1_1CreateResourceServerCommand
  */
@@ -2693,6 +2933,23 @@ export const de_DeleteIdentityProviderCommand = async (
   return response;
 };
 
+/**
+ * deserializeAws_json1_1DeleteManagedLoginBrandingCommand
+ */
+export const de_DeleteManagedLoginBrandingCommand = async (
+  output: __HttpResponse,
+  context: __SerdeContext
+): Promise<DeleteManagedLoginBrandingCommandOutput> => {
+  if (output.statusCode >= 300) {
+    return de_CommandError(output, context);
+  }
+  await collectBody(output.body, context);
+  const response: DeleteManagedLoginBrandingCommandOutput = {
+    $metadata: deserializeMetadata(output),
+  };
+  return response;
+};
+
 /**
  * deserializeAws_json1_1DeleteResourceServerCommand
  */
@@ -2801,6 +3058,26 @@ export const de_DeleteUserPoolDomainCommand = async (
   return response;
 };
 
+/**
+ * deserializeAws_json1_1DeleteWebAuthnCredentialCommand
+ */
+export const de_DeleteWebAuthnCredentialCommand = async (
+  output: __HttpResponse,
+  context: __SerdeContext
+): Promise<DeleteWebAuthnCredentialCommandOutput> => {
+  if (output.statusCode >= 300) {
+    return de_CommandError(output, context);
+  }
+  const data: any = await parseBody(output.body, context);
+  let contents: any = {};
+  contents = _json(data);
+  const response: DeleteWebAuthnCredentialCommandOutput = {
+    $metadata: deserializeMetadata(output),
+    ...contents,
+  };
+  return response;
+};
+
 /**
  * deserializeAws_json1_1DescribeIdentityProviderCommand
  */
@@ -2821,6 +3098,46 @@ export const de_DescribeIdentityProviderCommand = async (
   return response;
 };
 
+/**
+ * deserializeAws_json1_1DescribeManagedLoginBrandingCommand
+ */
+export const de_DescribeManagedLoginBrandingCommand = async (
+  output: __HttpResponse,
+  context: __SerdeContext
+): Promise<DescribeManagedLoginBrandingCommandOutput> => {
+  if (output.statusCode >= 300) {
+    return de_CommandError(output, context);
+  }
+  const data: any = await parseBody(output.body, context);
+  let contents: any = {};
+  contents = de_DescribeManagedLoginBrandingResponse(data, context);
+  const response: DescribeManagedLoginBrandingCommandOutput = {
+    $metadata: deserializeMetadata(output),
+    ...contents,
+  };
+  return response;
+};
+
+/**
+ * deserializeAws_json1_1DescribeManagedLoginBrandingByClientCommand
+ */
+export const de_DescribeManagedLoginBrandingByClientCommand = async (
+  output: __HttpResponse,
+  context: __SerdeContext
+): Promise<DescribeManagedLoginBrandingByClientCommandOutput> => {
+  if (output.statusCode >= 300) {
+    return de_CommandError(output, context);
+  }
+  const data: any = await parseBody(output.body, context);
+  let contents: any = {};
+  contents = de_DescribeManagedLoginBrandingByClientResponse(data, context);
+  const response: DescribeManagedLoginBrandingByClientCommandOutput = {
+    $metadata: deserializeMetadata(output),
+    ...contents,
+  };
+  return response;
+};
+
 /**
  * deserializeAws_json1_1DescribeResourceServerCommand
  */
@@ -3158,6 +3475,26 @@ export const de_GetUserAttributeVerificationCodeCommand = async (
   return response;
 };
 
+/**
+ * deserializeAws_json1_1GetUserAuthFactorsCommand
+ */
+export const de_GetUserAuthFactorsCommand = async (
+  output: __HttpResponse,
+  context: __SerdeContext
+): Promise<GetUserAuthFactorsCommandOutput> => {
+  if (output.statusCode >= 300) {
+    return de_CommandError(output, context);
+  }
+  const data: any = await parseBody(output.body, context);
+  let contents: any = {};
+  contents = _json(data);
+  const response: GetUserAuthFactorsCommandOutput = {
+    $metadata: deserializeMetadata(output),
+    ...contents,
+  };
+  return response;
+};
+
 /**
  * deserializeAws_json1_1GetUserPoolMfaConfigCommand
  */
@@ -3419,19 +3756,19 @@ export const de_ListUsersInGroupCommand = async (
 };
 
 /**
- * deserializeAws_json1_1ResendConfirmationCodeCommand
+ * deserializeAws_json1_1ListWebAuthnCredentialsCommand
  */
-export const de_ResendConfirmationCodeCommand = async (
+export const de_ListWebAuthnCredentialsCommand = async (
   output: __HttpResponse,
   context: __SerdeContext
-): Promise<ResendConfirmationCodeCommandOutput> => {
+): Promise<ListWebAuthnCredentialsCommandOutput> => {
   if (output.statusCode >= 300) {
     return de_CommandError(output, context);
   }
   const data: any = await parseBody(output.body, context);
   let contents: any = {};
-  contents = _json(data);
-  const response: ResendConfirmationCodeCommandOutput = {
+  contents = de_ListWebAuthnCredentialsResponse(data, context);
+  const response: ListWebAuthnCredentialsCommandOutput = {
     $metadata: deserializeMetadata(output),
     ...contents,
   };
@@ -3439,9 +3776,29 @@ export const de_ResendConfirmationCodeCommand = async (
 };
 
 /**
- * deserializeAws_json1_1RespondToAuthChallengeCommand
+ * deserializeAws_json1_1ResendConfirmationCodeCommand
  */
-export const de_RespondToAuthChallengeCommand = async (
+export const de_ResendConfirmationCodeCommand = async (
+  output: __HttpResponse,
+  context: __SerdeContext
+): Promise<ResendConfirmationCodeCommandOutput> => {
+  if (output.statusCode >= 300) {
+    return de_CommandError(output, context);
+  }
+  const data: any = await parseBody(output.body, context);
+  let contents: any = {};
+  contents = _json(data);
+  const response: ResendConfirmationCodeCommandOutput = {
+    $metadata: deserializeMetadata(output),
+    ...contents,
+  };
+  return response;
+};
+
+/**
+ * deserializeAws_json1_1RespondToAuthChallengeCommand
+ */
+export const de_RespondToAuthChallengeCommand = async (
   output: __HttpResponse,
   context: __SerdeContext
 ): Promise<RespondToAuthChallengeCommandOutput> => {
@@ -3638,6 +3995,26 @@ export const de_StartUserImportJobCommand = async (
   return response;
 };
 
+/**
+ * deserializeAws_json1_1StartWebAuthnRegistrationCommand
+ */
+export const de_StartWebAuthnRegistrationCommand = async (
+  output: __HttpResponse,
+  context: __SerdeContext
+): Promise<StartWebAuthnRegistrationCommandOutput> => {
+  if (output.statusCode >= 300) {
+    return de_CommandError(output, context);
+  }
+  const data: any = await parseBody(output.body, context);
+  let contents: any = {};
+  contents = de_StartWebAuthnRegistrationResponse(data, context);
+  const response: StartWebAuthnRegistrationCommandOutput = {
+    $metadata: deserializeMetadata(output),
+    ...contents,
+  };
+  return response;
+};
+
 /**
  * deserializeAws_json1_1StopUserImportJobCommand
  */
@@ -3778,6 +4155,26 @@ export const de_UpdateIdentityProviderCommand = async (
   return response;
 };
 
+/**
+ * deserializeAws_json1_1UpdateManagedLoginBrandingCommand
+ */
+export const de_UpdateManagedLoginBrandingCommand = async (
+  output: __HttpResponse,
+  context: __SerdeContext
+): Promise<UpdateManagedLoginBrandingCommandOutput> => {
+  if (output.statusCode >= 300) {
+    return de_CommandError(output, context);
+  }
+  const data: any = await parseBody(output.body, context);
+  let contents: any = {};
+  contents = de_UpdateManagedLoginBrandingResponse(data, context);
+  const response: UpdateManagedLoginBrandingCommandOutput = {
+    $metadata: deserializeMetadata(output),
+    ...contents,
+  };
+  return response;
+};
+
 /**
  * deserializeAws_json1_1UpdateResourceServerCommand
  */
@@ -4024,12 +4421,39 @@ const de_CommandError = async (output: __HttpResponse, context: __SerdeContext):
     case "ForbiddenException":
     case "com.amazonaws.cognitoidentityprovider#ForbiddenException":
       throw await de_ForbiddenExceptionRes(parsedOutput, context);
+    case "WebAuthnChallengeNotFoundException":
+    case "com.amazonaws.cognitoidentityprovider#WebAuthnChallengeNotFoundException":
+      throw await de_WebAuthnChallengeNotFoundExceptionRes(parsedOutput, context);
+    case "WebAuthnClientMismatchException":
+    case "com.amazonaws.cognitoidentityprovider#WebAuthnClientMismatchException":
+      throw await de_WebAuthnClientMismatchExceptionRes(parsedOutput, context);
+    case "WebAuthnCredentialNotSupportedException":
+    case "com.amazonaws.cognitoidentityprovider#WebAuthnCredentialNotSupportedException":
+      throw await de_WebAuthnCredentialNotSupportedExceptionRes(parsedOutput, context);
+    case "WebAuthnNotEnabledException":
+    case "com.amazonaws.cognitoidentityprovider#WebAuthnNotEnabledException":
+      throw await de_WebAuthnNotEnabledExceptionRes(parsedOutput, context);
+    case "WebAuthnOriginNotAllowedException":
+    case "com.amazonaws.cognitoidentityprovider#WebAuthnOriginNotAllowedException":
+      throw await de_WebAuthnOriginNotAllowedExceptionRes(parsedOutput, context);
+    case "WebAuthnRelyingPartyMismatchException":
+    case "com.amazonaws.cognitoidentityprovider#WebAuthnRelyingPartyMismatchException":
+      throw await de_WebAuthnRelyingPartyMismatchExceptionRes(parsedOutput, context);
     case "GroupExistsException":
     case "com.amazonaws.cognitoidentityprovider#GroupExistsException":
       throw await de_GroupExistsExceptionRes(parsedOutput, context);
     case "DuplicateProviderException":
     case "com.amazonaws.cognitoidentityprovider#DuplicateProviderException":
       throw await de_DuplicateProviderExceptionRes(parsedOutput, context);
+    case "ManagedLoginBrandingExistsException":
+    case "com.amazonaws.cognitoidentityprovider#ManagedLoginBrandingExistsException":
+      throw await de_ManagedLoginBrandingExistsExceptionRes(parsedOutput, context);
+    case "FeatureUnavailableInTierException":
+    case "com.amazonaws.cognitoidentityprovider#FeatureUnavailableInTierException":
+      throw await de_FeatureUnavailableInTierExceptionRes(parsedOutput, context);
+    case "TierChangeNotAllowedException":
+    case "com.amazonaws.cognitoidentityprovider#TierChangeNotAllowedException":
+      throw await de_TierChangeNotAllowedExceptionRes(parsedOutput, context);
     case "UserPoolTaggingException":
     case "com.amazonaws.cognitoidentityprovider#UserPoolTaggingException":
       throw await de_UserPoolTaggingExceptionRes(parsedOutput, context);
@@ -4051,6 +4475,9 @@ const de_CommandError = async (output: __HttpResponse, context: __SerdeContext):
     case "UnsupportedTokenTypeException":
     case "com.amazonaws.cognitoidentityprovider#UnsupportedTokenTypeException":
       throw await de_UnsupportedTokenTypeExceptionRes(parsedOutput, context);
+    case "WebAuthnConfigurationMissingException":
+    case "com.amazonaws.cognitoidentityprovider#WebAuthnConfigurationMissingException":
+      throw await de_WebAuthnConfigurationMissingExceptionRes(parsedOutput, context);
     case "EnableSoftwareTokenMFAException":
     case "com.amazonaws.cognitoidentityprovider#EnableSoftwareTokenMFAException":
       throw await de_EnableSoftwareTokenMFAExceptionRes(parsedOutput, context);
@@ -4176,6 +4603,22 @@ const de_ExpiredCodeExceptionRes = async (
   return __decorateServiceException(exception, body);
 };
 
+/**
+ * deserializeAws_json1_1FeatureUnavailableInTierExceptionRes
+ */
+const de_FeatureUnavailableInTierExceptionRes = async (
+  parsedOutput: any,
+  context: __SerdeContext
+): Promise<FeatureUnavailableInTierException> => {
+  const body = parsedOutput.body;
+  const deserialized: any = _json(body);
+  const exception = new FeatureUnavailableInTierException({
+    $metadata: deserializeMetadata(parsedOutput),
+    ...deserialized,
+  });
+  return __decorateServiceException(exception, body);
+};
+
 /**
  * deserializeAws_json1_1ForbiddenExceptionRes
  */
@@ -4365,6 +4808,22 @@ const de_LimitExceededExceptionRes = async (
   return __decorateServiceException(exception, body);
 };
 
+/**
+ * deserializeAws_json1_1ManagedLoginBrandingExistsExceptionRes
+ */
+const de_ManagedLoginBrandingExistsExceptionRes = async (
+  parsedOutput: any,
+  context: __SerdeContext
+): Promise<ManagedLoginBrandingExistsException> => {
+  const body = parsedOutput.body;
+  const deserialized: any = _json(body);
+  const exception = new ManagedLoginBrandingExistsException({
+    $metadata: deserializeMetadata(parsedOutput),
+    ...deserialized,
+  });
+  return __decorateServiceException(exception, body);
+};
+
 /**
  * deserializeAws_json1_1MFAMethodNotFoundExceptionRes
  */
@@ -4493,6 +4952,22 @@ const de_SoftwareTokenMFANotFoundExceptionRes = async (
   return __decorateServiceException(exception, body);
 };
 
+/**
+ * deserializeAws_json1_1TierChangeNotAllowedExceptionRes
+ */
+const de_TierChangeNotAllowedExceptionRes = async (
+  parsedOutput: any,
+  context: __SerdeContext
+): Promise<TierChangeNotAllowedException> => {
+  const body = parsedOutput.body;
+  const deserialized: any = _json(body);
+  const exception = new TierChangeNotAllowedException({
+    $metadata: deserializeMetadata(parsedOutput),
+    ...deserialized,
+  });
+  return __decorateServiceException(exception, body);
+};
+
 /**
  * deserializeAws_json1_1TooManyFailedAttemptsExceptionRes
  */
@@ -4733,6 +5208,118 @@ const de_UserPoolTaggingExceptionRes = async (
   return __decorateServiceException(exception, body);
 };
 
+/**
+ * deserializeAws_json1_1WebAuthnChallengeNotFoundExceptionRes
+ */
+const de_WebAuthnChallengeNotFoundExceptionRes = async (
+  parsedOutput: any,
+  context: __SerdeContext
+): Promise<WebAuthnChallengeNotFoundException> => {
+  const body = parsedOutput.body;
+  const deserialized: any = _json(body);
+  const exception = new WebAuthnChallengeNotFoundException({
+    $metadata: deserializeMetadata(parsedOutput),
+    ...deserialized,
+  });
+  return __decorateServiceException(exception, body);
+};
+
+/**
+ * deserializeAws_json1_1WebAuthnClientMismatchExceptionRes
+ */
+const de_WebAuthnClientMismatchExceptionRes = async (
+  parsedOutput: any,
+  context: __SerdeContext
+): Promise<WebAuthnClientMismatchException> => {
+  const body = parsedOutput.body;
+  const deserialized: any = _json(body);
+  const exception = new WebAuthnClientMismatchException({
+    $metadata: deserializeMetadata(parsedOutput),
+    ...deserialized,
+  });
+  return __decorateServiceException(exception, body);
+};
+
+/**
+ * deserializeAws_json1_1WebAuthnConfigurationMissingExceptionRes
+ */
+const de_WebAuthnConfigurationMissingExceptionRes = async (
+  parsedOutput: any,
+  context: __SerdeContext
+): Promise<WebAuthnConfigurationMissingException> => {
+  const body = parsedOutput.body;
+  const deserialized: any = _json(body);
+  const exception = new WebAuthnConfigurationMissingException({
+    $metadata: deserializeMetadata(parsedOutput),
+    ...deserialized,
+  });
+  return __decorateServiceException(exception, body);
+};
+
+/**
+ * deserializeAws_json1_1WebAuthnCredentialNotSupportedExceptionRes
+ */
+const de_WebAuthnCredentialNotSupportedExceptionRes = async (
+  parsedOutput: any,
+  context: __SerdeContext
+): Promise<WebAuthnCredentialNotSupportedException> => {
+  const body = parsedOutput.body;
+  const deserialized: any = _json(body);
+  const exception = new WebAuthnCredentialNotSupportedException({
+    $metadata: deserializeMetadata(parsedOutput),
+    ...deserialized,
+  });
+  return __decorateServiceException(exception, body);
+};
+
+/**
+ * deserializeAws_json1_1WebAuthnNotEnabledExceptionRes
+ */
+const de_WebAuthnNotEnabledExceptionRes = async (
+  parsedOutput: any,
+  context: __SerdeContext
+): Promise<WebAuthnNotEnabledException> => {
+  const body = parsedOutput.body;
+  const deserialized: any = _json(body);
+  const exception = new WebAuthnNotEnabledException({
+    $metadata: deserializeMetadata(parsedOutput),
+    ...deserialized,
+  });
+  return __decorateServiceException(exception, body);
+};
+
+/**
+ * deserializeAws_json1_1WebAuthnOriginNotAllowedExceptionRes
+ */
+const de_WebAuthnOriginNotAllowedExceptionRes = async (
+  parsedOutput: any,
+  context: __SerdeContext
+): Promise<WebAuthnOriginNotAllowedException> => {
+  const body = parsedOutput.body;
+  const deserialized: any = _json(body);
+  const exception = new WebAuthnOriginNotAllowedException({
+    $metadata: deserializeMetadata(parsedOutput),
+    ...deserialized,
+  });
+  return __decorateServiceException(exception, body);
+};
+
+/**
+ * deserializeAws_json1_1WebAuthnRelyingPartyMismatchExceptionRes
+ */
+const de_WebAuthnRelyingPartyMismatchExceptionRes = async (
+  parsedOutput: any,
+  context: __SerdeContext
+): Promise<WebAuthnRelyingPartyMismatchException> => {
+  const body = parsedOutput.body;
+  const deserialized: any = _json(body);
+  const exception = new WebAuthnRelyingPartyMismatchException({
+    $metadata: deserializeMetadata(parsedOutput),
+    ...deserialized,
+  });
+  return __decorateServiceException(exception, body);
+};
+
 // se_AccountRecoverySettingType omitted.
 
 // se_AccountTakeoverActionsType omitted.
@@ -4801,10 +5388,36 @@ const de_UserPoolTaggingExceptionRes = async (
 
 // se_AliasAttributesListType omitted.
 
+// se_AllowedFirstAuthFactorsListType omitted.
+
 // se_AnalyticsConfigurationType omitted.
 
 // se_AnalyticsMetadataType omitted.
 
+/**
+ * serializeAws_json1_1AssetListType
+ */
+const se_AssetListType = (input: AssetType[], context: __SerdeContext): any => {
+  return input
+    .filter((e: any) => e != null)
+    .map((entry) => {
+      return se_AssetType(entry, context);
+    });
+};
+
+/**
+ * serializeAws_json1_1AssetType
+ */
+const se_AssetType = (input: AssetType, context: __SerdeContext): any => {
+  return take(input, {
+    Bytes: context.base64Encoder,
+    Category: [],
+    ColorMode: [],
+    Extension: [],
+    ResourceId: [],
+  });
+};
+
 // se_AssociateSoftwareTokenRequest omitted.
 
 // se_AttributeListType omitted.
@@ -4833,6 +5446,19 @@ const de_UserPoolTaggingExceptionRes = async (
 
 // se_CloudWatchLogsConfigurationType omitted.
 
+/**
+ * serializeAws_json1_1CompleteWebAuthnRegistrationRequest
+ */
+const se_CompleteWebAuthnRegistrationRequest = (
+  input: CompleteWebAuthnRegistrationRequest,
+  context: __SerdeContext
+): any => {
+  return take(input, {
+    AccessToken: [],
+    Credential: (_) => se_Document(_, context),
+  });
+};
+
 // se_CompromisedCredentialsActionsType omitted.
 
 // se_CompromisedCredentialsRiskConfigurationType omitted.
@@ -4849,6 +5475,22 @@ const de_UserPoolTaggingExceptionRes = async (
 
 // se_CreateIdentityProviderRequest omitted.
 
+/**
+ * serializeAws_json1_1CreateManagedLoginBrandingRequest
+ */
+const se_CreateManagedLoginBrandingRequest = (
+  input: CreateManagedLoginBrandingRequest,
+  context: __SerdeContext
+): any => {
+  return take(input, {
+    Assets: (_) => se_AssetListType(_, context),
+    ClientId: [],
+    Settings: (_) => se_Document(_, context),
+    UseCognitoProvidedValues: [],
+    UserPoolId: [],
+  });
+};
+
 // se_CreateResourceServerRequest omitted.
 
 // se_CreateUserImportJobRequest omitted.
@@ -4871,6 +5513,8 @@ const de_UserPoolTaggingExceptionRes = async (
 
 // se_DeleteIdentityProviderRequest omitted.
 
+// se_DeleteManagedLoginBrandingRequest omitted.
+
 // se_DeleteResourceServerRequest omitted.
 
 // se_DeleteUserAttributesRequest omitted.
@@ -4883,10 +5527,16 @@ const de_UserPoolTaggingExceptionRes = async (
 
 // se_DeleteUserRequest omitted.
 
+// se_DeleteWebAuthnCredentialRequest omitted.
+
 // se_DeliveryMediumListType omitted.
 
 // se_DescribeIdentityProviderRequest omitted.
 
+// se_DescribeManagedLoginBrandingByClientRequest omitted.
+
+// se_DescribeManagedLoginBrandingRequest omitted.
+
 // se_DescribeResourceServerRequest omitted.
 
 // se_DescribeRiskConfigurationRequest omitted.
@@ -4903,6 +5553,13 @@ const de_UserPoolTaggingExceptionRes = async (
 
 // se_DeviceSecretVerifierConfigType omitted.
 
+/**
+ * serializeAws_json1_1Document
+ */
+const se_Document = (input: __DocumentType, context: __SerdeContext): any => {
+  return input;
+};
+
 // se_EmailConfigurationType omitted.
 
 // se_EmailMfaConfigType omitted.
@@ -4935,6 +5592,8 @@ const de_UserPoolTaggingExceptionRes = async (
 
 // se_GetUserAttributeVerificationCodeRequest omitted.
 
+// se_GetUserAuthFactorsRequest omitted.
+
 // se_GetUserPoolMfaConfigRequest omitted.
 
 // se_GetUserRequest omitted.
@@ -4971,6 +5630,8 @@ const de_UserPoolTaggingExceptionRes = async (
 
 // se_ListUsersRequest omitted.
 
+// se_ListWebAuthnCredentialsRequest omitted.
+
 // se_LogConfigurationListType omitted.
 
 // se_LogConfigurationType omitted.
@@ -5047,6 +5708,8 @@ const se_SetUICustomizationRequest = (input: SetUICustomizationRequest, context:
 
 // se_SetUserSettingsRequest omitted.
 
+// se_SignInPolicyType omitted.
+
 // se_SignUpRequest omitted.
 
 // se_SkippedIPRangeListType omitted.
@@ -5063,6 +5726,8 @@ const se_SetUICustomizationRequest = (input: SetUICustomizationRequest, context:
 
 // se_StartUserImportJobRequest omitted.
 
+// se_StartWebAuthnRegistrationRequest omitted.
+
 // se_StopUserImportJobRequest omitted.
 
 // se_StringAttributeConstraintsType omitted.
@@ -5083,6 +5748,22 @@ const se_SetUICustomizationRequest = (input: SetUICustomizationRequest, context:
 
 // se_UpdateIdentityProviderRequest omitted.
 
+/**
+ * serializeAws_json1_1UpdateManagedLoginBrandingRequest
+ */
+const se_UpdateManagedLoginBrandingRequest = (
+  input: UpdateManagedLoginBrandingRequest,
+  context: __SerdeContext
+): any => {
+  return take(input, {
+    Assets: (_) => se_AssetListType(_, context),
+    ManagedLoginBrandingId: [],
+    Settings: (_) => se_Document(_, context),
+    UseCognitoProvidedValues: [],
+    UserPoolId: [],
+  });
+};
+
 // se_UpdateResourceServerRequest omitted.
 
 // se_UpdateUserAttributesRequest omitted.
@@ -5117,6 +5798,8 @@ const se_SetUICustomizationRequest = (input: SetUICustomizationRequest, context:
 
 // se_VerifyUserAttributeRequest omitted.
 
+// se_WebAuthnConfigurationType omitted.
+
 // de_AccountRecoverySettingType omitted.
 
 // de_AccountTakeoverActionsType omitted.
@@ -5232,8 +5915,35 @@ const de_AdminListUserAuthEventsResponse = (output: any, context: __SerdeContext
 
 // de_AliasExistsException omitted.
 
+// de_AllowedFirstAuthFactorsListType omitted.
+
 // de_AnalyticsConfigurationType omitted.
 
+/**
+ * deserializeAws_json1_1AssetListType
+ */
+const de_AssetListType = (output: any, context: __SerdeContext): AssetType[] => {
+  const retVal = (output || [])
+    .filter((e: any) => e != null)
+    .map((entry: any) => {
+      return de_AssetType(entry, context);
+    });
+  return retVal;
+};
+
+/**
+ * deserializeAws_json1_1AssetType
+ */
+const de_AssetType = (output: any, context: __SerdeContext): AssetType => {
+  return take(output, {
+    Bytes: context.base64Decoder,
+    Category: __expectString,
+    ColorMode: __expectString,
+    Extension: __expectString,
+    ResourceId: __expectString,
+  }) as any;
+};
+
 // de_AssociateSoftwareTokenResponse omitted.
 
 // de_AttributeListType omitted.
@@ -5274,6 +5984,8 @@ const de_AuthEventType = (output: any, context: __SerdeContext): AuthEventType =
   }) as any;
 };
 
+// de_AvailableChallengeListType omitted.
+
 // de_BlockedIPRangeListType omitted.
 
 // de_CallbackURLsListType omitted.
@@ -5298,12 +6010,16 @@ const de_AuthEventType = (output: any, context: __SerdeContext): AuthEventType =
 
 // de_CodeMismatchException omitted.
 
+// de_CompleteWebAuthnRegistrationResponse omitted.
+
 // de_CompromisedCredentialsActionsType omitted.
 
 // de_CompromisedCredentialsRiskConfigurationType omitted.
 
 // de_ConcurrentModificationException omitted.
 
+// de_ConfiguredUserAuthFactorsListType omitted.
+
 // de_ConfirmDeviceResponse omitted.
 
 // de_ConfirmForgotPasswordResponse omitted.
@@ -5328,6 +6044,18 @@ const de_CreateIdentityProviderResponse = (output: any, context: __SerdeContext)
   }) as any;
 };
 
+/**
+ * deserializeAws_json1_1CreateManagedLoginBrandingResponse
+ */
+const de_CreateManagedLoginBrandingResponse = (
+  output: any,
+  context: __SerdeContext
+): CreateManagedLoginBrandingResponse => {
+  return take(output, {
+    ManagedLoginBranding: (_: any) => de_ManagedLoginBrandingType(_, context),
+  }) as any;
+};
+
 // de_CreateResourceServerResponse omitted.
 
 /**
@@ -5369,6 +6097,8 @@ const de_CreateUserPoolResponse = (output: any, context: __SerdeContext): Create
 
 // de_DeleteUserPoolDomainResponse omitted.
 
+// de_DeleteWebAuthnCredentialResponse omitted.
+
 /**
  * deserializeAws_json1_1DescribeIdentityProviderResponse
  */
@@ -5381,6 +6111,30 @@ const de_DescribeIdentityProviderResponse = (
   }) as any;
 };
 
+/**
+ * deserializeAws_json1_1DescribeManagedLoginBrandingByClientResponse
+ */
+const de_DescribeManagedLoginBrandingByClientResponse = (
+  output: any,
+  context: __SerdeContext
+): DescribeManagedLoginBrandingByClientResponse => {
+  return take(output, {
+    ManagedLoginBranding: (_: any) => de_ManagedLoginBrandingType(_, context),
+  }) as any;
+};
+
+/**
+ * deserializeAws_json1_1DescribeManagedLoginBrandingResponse
+ */
+const de_DescribeManagedLoginBrandingResponse = (
+  output: any,
+  context: __SerdeContext
+): DescribeManagedLoginBrandingResponse => {
+  return take(output, {
+    ManagedLoginBranding: (_: any) => de_ManagedLoginBrandingType(_, context),
+  }) as any;
+};
+
 // de_DescribeResourceServerResponse omitted.
 
 /**
@@ -5451,6 +6205,13 @@ const de_DeviceType = (output: any, context: __SerdeContext): DeviceType => {
   }) as any;
 };
 
+/**
+ * deserializeAws_json1_1Document
+ */
+const de_Document = (output: any, context: __SerdeContext): __DocumentType => {
+  return output;
+};
+
 // de_DomainDescriptionType omitted.
 
 // de_DuplicateProviderException omitted.
@@ -5482,6 +6243,8 @@ const de_EventFeedbackType = (output: any, context: __SerdeContext): EventFeedba
 
 // de_ExplicitAuthFlowsListType omitted.
 
+// de_FeatureUnavailableInTierException omitted.
+
 // de_FirehoseConfigurationType omitted.
 
 // de_ForbiddenException omitted.
@@ -5535,6 +6298,8 @@ const de_GetUICustomizationResponse = (output: any, context: __SerdeContext): Ge
 
 // de_GetUserAttributeVerificationCodeResponse omitted.
 
+// de_GetUserAuthFactorsResponse omitted.
+
 // de_GetUserPoolMfaConfigResponse omitted.
 
 // de_GetUserResponse omitted.
@@ -5690,6 +6455,16 @@ const de_ListUsersResponse = (output: any, context: __SerdeContext): ListUsersRe
   }) as any;
 };
 
+/**
+ * deserializeAws_json1_1ListWebAuthnCredentialsResponse
+ */
+const de_ListWebAuthnCredentialsResponse = (output: any, context: __SerdeContext): ListWebAuthnCredentialsResponse => {
+  return take(output, {
+    Credentials: (_: any) => de_WebAuthnCredentialDescriptionListType(_, context),
+    NextToken: __expectString,
+  }) as any;
+};
+
 // de_LogConfigurationListType omitted.
 
 // de_LogConfigurationType omitted.
@@ -5698,6 +6473,23 @@ const de_ListUsersResponse = (output: any, context: __SerdeContext): ListUsersRe
 
 // de_LogoutURLsListType omitted.
 
+// de_ManagedLoginBrandingExistsException omitted.
+
+/**
+ * deserializeAws_json1_1ManagedLoginBrandingType
+ */
+const de_ManagedLoginBrandingType = (output: any, context: __SerdeContext): ManagedLoginBrandingType => {
+  return take(output, {
+    Assets: (_: any) => de_AssetListType(_, context),
+    CreationDate: (_: any) => __expectNonNull(__parseEpochTimestamp(__expectNumber(_))),
+    LastModifiedDate: (_: any) => __expectNonNull(__parseEpochTimestamp(__expectNumber(_))),
+    ManagedLoginBrandingId: __expectString,
+    Settings: (_: any) => de_Document(_, context),
+    UseCognitoProvidedValues: __expectBoolean,
+    UserPoolId: __expectString,
+  }) as any;
+};
+
 // de_MessageTemplateType omitted.
 
 // de_MFAMethodNotFoundException omitted.
@@ -5826,6 +6618,8 @@ const de_SetUICustomizationResponse = (output: any, context: __SerdeContext): Se
 
 // de_SetUserSettingsResponse omitted.
 
+// de_SignInPolicyType omitted.
+
 // de_SignUpResponse omitted.
 
 // de_SkippedIPRangeListType omitted.
@@ -5847,6 +6641,18 @@ const de_StartUserImportJobResponse = (output: any, context: __SerdeContext): St
   }) as any;
 };
 
+/**
+ * deserializeAws_json1_1StartWebAuthnRegistrationResponse
+ */
+const de_StartWebAuthnRegistrationResponse = (
+  output: any,
+  context: __SerdeContext
+): StartWebAuthnRegistrationResponse => {
+  return take(output, {
+    CredentialCreationOptions: (_: any) => de_Document(_, context),
+  }) as any;
+};
+
 /**
  * deserializeAws_json1_1StopUserImportJobResponse
  */
@@ -5862,6 +6668,8 @@ const de_StopUserImportJobResponse = (output: any, context: __SerdeContext): Sto
 
 // de_TagResourceResponse omitted.
 
+// de_TierChangeNotAllowedException omitted.
+
 // de_TokenValidityUnitsType omitted.
 
 // de_TooManyFailedAttemptsException omitted.
@@ -5919,6 +6727,18 @@ const de_UpdateIdentityProviderResponse = (output: any, context: __SerdeContext)
   }) as any;
 };
 
+/**
+ * deserializeAws_json1_1UpdateManagedLoginBrandingResponse
+ */
+const de_UpdateManagedLoginBrandingResponse = (
+  output: any,
+  context: __SerdeContext
+): UpdateManagedLoginBrandingResponse => {
+  return take(output, {
+    ManagedLoginBranding: (_: any) => de_ManagedLoginBrandingType(_, context),
+  }) as any;
+};
+
 // de_UpdateResourceServerResponse omitted.
 
 // de_UpdateUserAttributesResponse omitted.
@@ -6095,6 +6915,7 @@ const de_UserPoolType = (output: any, context: __SerdeContext): UserPoolType =>
     UserAttributeUpdateSettings: _json,
     UserPoolAddOns: _json,
     UserPoolTags: _json,
+    UserPoolTier: __expectString,
     UsernameAttributes: _json,
     UsernameConfiguration: _json,
     VerificationMessageTemplate: _json,
@@ -6136,6 +6957,53 @@ const de_UserType = (output: any, context: __SerdeContext): UserType => {
 
 // de_VerifyUserAttributeResponse omitted.
 
+// de_WebAuthnAuthenticatorTransportsList omitted.
+
+// de_WebAuthnChallengeNotFoundException omitted.
+
+// de_WebAuthnClientMismatchException omitted.
+
+// de_WebAuthnConfigurationMissingException omitted.
+
+// de_WebAuthnConfigurationType omitted.
+
+/**
+ * deserializeAws_json1_1WebAuthnCredentialDescription
+ */
+const de_WebAuthnCredentialDescription = (output: any, context: __SerdeContext): WebAuthnCredentialDescription => {
+  return take(output, {
+    AuthenticatorAttachment: __expectString,
+    AuthenticatorTransports: _json,
+    CreatedAt: (_: any) => __expectNonNull(__parseEpochTimestamp(__expectNumber(_))),
+    CredentialId: __expectString,
+    FriendlyCredentialName: __expectString,
+    RelyingPartyId: __expectString,
+  }) as any;
+};
+
+/**
+ * deserializeAws_json1_1WebAuthnCredentialDescriptionListType
+ */
+const de_WebAuthnCredentialDescriptionListType = (
+  output: any,
+  context: __SerdeContext
+): WebAuthnCredentialDescription[] => {
+  const retVal = (output || [])
+    .filter((e: any) => e != null)
+    .map((entry: any) => {
+      return de_WebAuthnCredentialDescription(entry, context);
+    });
+  return retVal;
+};
+
+// de_WebAuthnCredentialNotSupportedException omitted.
+
+// de_WebAuthnNotEnabledException omitted.
+
+// de_WebAuthnOriginNotAllowedException omitted.
+
+// de_WebAuthnRelyingPartyMismatchException omitted.
+
 const deserializeMetadata = (output: __HttpResponse): __ResponseMetadata => ({
   httpStatusCode: output.statusCode,
   requestId:
diff --git a/codegen/sdk-codegen/aws-models/cognito-identity-provider.json b/codegen/sdk-codegen/aws-models/cognito-identity-provider.json
index a7802bf3f966..e753dd8ce89f 100644
--- a/codegen/sdk-codegen/aws-models/cognito-identity-provider.json
+++ b/codegen/sdk-codegen/aws-models/cognito-identity-provider.json
@@ -130,6 +130,9 @@
         {
           "target": "com.amazonaws.cognitoidentityprovider#ChangePassword"
         },
+        {
+          "target": "com.amazonaws.cognitoidentityprovider#CompleteWebAuthnRegistration"
+        },
         {
           "target": "com.amazonaws.cognitoidentityprovider#ConfirmDevice"
         },
@@ -145,6 +148,9 @@
         {
           "target": "com.amazonaws.cognitoidentityprovider#CreateIdentityProvider"
         },
+        {
+          "target": "com.amazonaws.cognitoidentityprovider#CreateManagedLoginBranding"
+        },
         {
           "target": "com.amazonaws.cognitoidentityprovider#CreateResourceServer"
         },
@@ -166,6 +172,9 @@
         {
           "target": "com.amazonaws.cognitoidentityprovider#DeleteIdentityProvider"
         },
+        {
+          "target": "com.amazonaws.cognitoidentityprovider#DeleteManagedLoginBranding"
+        },
         {
           "target": "com.amazonaws.cognitoidentityprovider#DeleteResourceServer"
         },
@@ -184,9 +193,18 @@
         {
           "target": "com.amazonaws.cognitoidentityprovider#DeleteUserPoolDomain"
         },
+        {
+          "target": "com.amazonaws.cognitoidentityprovider#DeleteWebAuthnCredential"
+        },
         {
           "target": "com.amazonaws.cognitoidentityprovider#DescribeIdentityProvider"
         },
+        {
+          "target": "com.amazonaws.cognitoidentityprovider#DescribeManagedLoginBranding"
+        },
+        {
+          "target": "com.amazonaws.cognitoidentityprovider#DescribeManagedLoginBrandingByClient"
+        },
         {
           "target": "com.amazonaws.cognitoidentityprovider#DescribeResourceServer"
         },
@@ -238,6 +256,9 @@
         {
           "target": "com.amazonaws.cognitoidentityprovider#GetUserAttributeVerificationCode"
         },
+        {
+          "target": "com.amazonaws.cognitoidentityprovider#GetUserAuthFactors"
+        },
         {
           "target": "com.amazonaws.cognitoidentityprovider#GetUserPoolMfaConfig"
         },
@@ -277,6 +298,9 @@
         {
           "target": "com.amazonaws.cognitoidentityprovider#ListUsersInGroup"
         },
+        {
+          "target": "com.amazonaws.cognitoidentityprovider#ListWebAuthnCredentials"
+        },
         {
           "target": "com.amazonaws.cognitoidentityprovider#ResendConfirmationCode"
         },
@@ -310,6 +334,9 @@
         {
           "target": "com.amazonaws.cognitoidentityprovider#StartUserImportJob"
         },
+        {
+          "target": "com.amazonaws.cognitoidentityprovider#StartWebAuthnRegistration"
+        },
         {
           "target": "com.amazonaws.cognitoidentityprovider#StopUserImportJob"
         },
@@ -331,6 +358,9 @@
         {
           "target": "com.amazonaws.cognitoidentityprovider#UpdateIdentityProvider"
         },
+        {
+          "target": "com.amazonaws.cognitoidentityprovider#UpdateManagedLoginBranding"
+        },
         {
           "target": "com.amazonaws.cognitoidentityprovider#UpdateResourceServer"
         },
@@ -1289,12 +1319,12 @@
         "RecoveryMechanisms": {
           "target": "com.amazonaws.cognitoidentityprovider#RecoveryMechanismsType",
           "traits": {
-            "smithy.api#documentation": "<p>The list of <code>RecoveryOptionTypes</code>.</p>"
+            "smithy.api#documentation": "<p>The list of options and priorities for user message delivery in forgot-password\n            operations. Sets or displays user pool preferences for email or SMS message priority,\n            whether users should fall back to a second delivery method, and whether passwords should\n            only be reset by administrators.</p>"
           }
         }
       },
       "traits": {
-        "smithy.api#documentation": "<p>The data type for <code>AccountRecoverySetting</code>.</p>"
+        "smithy.api#documentation": "<p>The settings for user message delivery in forgot-password operations. Contains\n            preference for email or SMS message delivery of password reset codes, or for admin-only\n            password reset.</p>\n         <p>This data type is a request and response parameter of <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html\">CreateUserPool</a> and <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html\">UpdateUserPool</a>, and a response parameter of <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html\">DescribeUserPool</a>.</p>"
       }
     },
     "com.amazonaws.cognitoidentityprovider#AccountTakeoverActionNotifyType": {
@@ -1310,20 +1340,20 @@
           "target": "com.amazonaws.cognitoidentityprovider#AccountTakeoverActionNotifyType",
           "traits": {
             "smithy.api#default": false,
-            "smithy.api#documentation": "<p>Flag specifying whether to send a notification.</p>",
+            "smithy.api#documentation": "<p>Determines whether Amazon Cognito sends a user a notification message when your user pools\n            assesses a user's session at the associated risk level.</p>",
             "smithy.api#required": {}
           }
         },
         "EventAction": {
           "target": "com.amazonaws.cognitoidentityprovider#AccountTakeoverEventActionType",
           "traits": {
-            "smithy.api#documentation": "<p>The action to take in response to the account takeover action. Valid values are as\n            follows:</p>\n         <ul>\n            <li>\n               <p>\n                  <code>BLOCK</code> Choosing this action will block the request.</p>\n            </li>\n            <li>\n               <p>\n                  <code>MFA_IF_CONFIGURED</code> Present an MFA challenge if user has configured\n                    it, else allow the request.</p>\n            </li>\n            <li>\n               <p>\n                  <code>MFA_REQUIRED</code> Present an MFA challenge if user has configured it,\n                    else block the request.</p>\n            </li>\n            <li>\n               <p>\n                  <code>NO_ACTION</code> Allow the user to sign in.</p>\n            </li>\n         </ul>",
+            "smithy.api#documentation": "<p>The action to take for the attempted account takeover action for the associated risk\n            level. Valid values are as follows:</p>\n         <ul>\n            <li>\n               <p>\n                  <code>BLOCK</code>: Block the request.</p>\n            </li>\n            <li>\n               <p>\n                  <code>MFA_IF_CONFIGURED</code>: Present an MFA challenge if possible. MFA is\n                    possible if the user pool has active MFA methods that the user can set up. For\n                    example, if the user pool only supports SMS message MFA but the user\n                    doesn't have a phone number attribute, MFA setup isn't possible. If MFA\n                    setup isn't possible, allow the request.</p>\n            </li>\n            <li>\n               <p>\n                  <code>MFA_REQUIRED</code>: Present an MFA challenge if possible. Block the\n                    request if a user hasn't set up MFA. To sign in with required MFA, users must\n                    have an email address or phone number attribute, or a registered TOTP\n                    factor.</p>\n            </li>\n            <li>\n               <p>\n                  <code>NO_ACTION</code>: Take no action. Permit sign-in.</p>\n            </li>\n         </ul>",
             "smithy.api#required": {}
           }
         }
       },
       "traits": {
-        "smithy.api#documentation": "<p>Account takeover action type.</p>"
+        "smithy.api#documentation": "<p>The automated response to a risk level for adaptive authentication in full-function,\n            or <code>ENFORCED</code>, mode. You can assign an action to each risk level that\n            advanced security features evaluates.</p>\n         <p>This data type is a request parameter of <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SetRiskConfiguration.html\">SetRiskConfiguration</a> and a response parameter of <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeRiskConfiguration.html\">DescribeRiskConfiguration</a>.</p>"
       }
     },
     "com.amazonaws.cognitoidentityprovider#AccountTakeoverActionsType": {
@@ -1332,24 +1362,24 @@
         "LowAction": {
           "target": "com.amazonaws.cognitoidentityprovider#AccountTakeoverActionType",
           "traits": {
-            "smithy.api#documentation": "<p>Action to take for a low risk.</p>"
+            "smithy.api#documentation": "<p>The action that you assign to a low-risk assessment by advanced security\n            features.</p>"
           }
         },
         "MediumAction": {
           "target": "com.amazonaws.cognitoidentityprovider#AccountTakeoverActionType",
           "traits": {
-            "smithy.api#documentation": "<p>Action to take for a medium risk.</p>"
+            "smithy.api#documentation": "<p>The action that you assign to a medium-risk assessment by advanced security\n            features.</p>"
           }
         },
         "HighAction": {
           "target": "com.amazonaws.cognitoidentityprovider#AccountTakeoverActionType",
           "traits": {
-            "smithy.api#documentation": "<p>Action to take for a high risk.</p>"
+            "smithy.api#documentation": "<p>The action that you assign to a high-risk assessment by advanced security\n            features.</p>"
           }
         }
       },
       "traits": {
-        "smithy.api#documentation": "<p>Account takeover actions type.</p>"
+        "smithy.api#documentation": "<p>A list of account-takeover actions for each level of risk that Amazon Cognito might assess with\n            advanced security features.</p>\n         <p>This data type is a request parameter of <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SetRiskConfiguration.html\">SetRiskConfiguration</a> and a response parameter of <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeRiskConfiguration.html\">DescribeRiskConfiguration</a>.</p>"
       }
     },
     "com.amazonaws.cognitoidentityprovider#AccountTakeoverEventActionType": {
@@ -1387,19 +1417,19 @@
         "NotifyConfiguration": {
           "target": "com.amazonaws.cognitoidentityprovider#NotifyConfigurationType",
           "traits": {
-            "smithy.api#documentation": "<p>The notify configuration used to construct email notifications.</p>"
+            "smithy.api#documentation": "<p>The settings for composing and sending an email message when advanced security\n            features assesses a risk level with adaptive authentication. When you choose to notify\n            users in <code>AccountTakeoverRiskConfiguration</code>, Amazon Cognito sends an email message\n            using the method and template that you set with this data type.</p>"
           }
         },
         "Actions": {
           "target": "com.amazonaws.cognitoidentityprovider#AccountTakeoverActionsType",
           "traits": {
-            "smithy.api#documentation": "<p>Account takeover risk configuration actions.</p>",
+            "smithy.api#documentation": "<p>A list of account-takeover actions for each level of risk that Amazon Cognito might assess with\n            advanced security features.</p>",
             "smithy.api#required": {}
           }
         }
       },
       "traits": {
-        "smithy.api#documentation": "<p>Configuration for mitigation actions and notification for different levels of risk\n            detected for a potential account takeover.</p>"
+        "smithy.api#documentation": "<p>The settings for automated responses and notification templates for adaptive\n            authentication with advanced security features.</p>\n         <p>This data type is a request parameter of <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SetRiskConfiguration.html\">SetRiskConfiguration</a> and a response parameter of <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeRiskConfiguration.html\">DescribeRiskConfiguration</a>.</p>"
       }
     },
     "com.amazonaws.cognitoidentityprovider#AddCustomAttributes": {
@@ -1669,7 +1699,7 @@
         }
       ],
       "traits": {
-        "smithy.api#documentation": "<p>Creates a new user in the specified user pool.</p>\n         <p>If <code>MessageAction</code> isn't set, the default is to send a welcome message via\n            email or phone (SMS).</p>\n         <note>\n            <p>This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers\n            require you to register an origination phone number before you can send SMS messages\n            to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a\n            phone number with <a href=\"https://console.aws.amazon.com/pinpoint/home/\">Amazon Pinpoint</a>.\n            Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must\n            receive SMS messages might not be able to sign up, activate their accounts, or sign\n            in.</p>\n            <p>If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Servicesservice,\n            Amazon Simple Notification Service might place your account in the SMS sandbox. In <i>\n                  <a href=\"https://docs.aws.amazon.com/sns/latest/dg/sns-sms-sandbox.html\">sandbox\n                    mode</a>\n               </i>, you can send messages only to verified phone\n            numbers. After you test your app while in the sandbox environment, you can move out\n            of the sandbox and into production. For more information, see <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-sms-settings.html\"> SMS message settings for Amazon Cognito user pools</a> in the <i>Amazon Cognito\n                Developer Guide</i>.</p>\n         </note>\n         <p>This message is based on a template that you configured in your call to create or\n            update a user pool. This template includes your custom sign-up instructions and\n            placeholders for user name and temporary password.</p>\n         <p>Alternatively, you can call <code>AdminCreateUser</code> with <code>SUPPRESS</code>\n            for the <code>MessageAction</code> parameter, and Amazon Cognito won't send any email. </p>\n         <p>In either case, the user will be in the <code>FORCE_CHANGE_PASSWORD</code> state until\n            they sign in and change their password.</p>\n         <note>\n            <p>Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For\n    this operation, you must use IAM credentials to authorize requests, and you must\n    grant yourself the corresponding IAM permission in a policy.</p>\n            <p class=\"title\">\n               <b>Learn more</b>\n            </p>\n            <ul>\n               <li>\n                  <p>\n                     <a href=\"https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html\">Signing Amazon Web Services API Requests</a>\n                  </p>\n               </li>\n               <li>\n                  <p>\n                     <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html\">Using the Amazon Cognito user pools API and user pool endpoints</a>\n                  </p>\n               </li>\n            </ul>\n         </note>",
+        "smithy.api#documentation": "<p>Creates a new user in the specified user pool.</p>\n         <p>If <code>MessageAction</code> isn't set, the default is to send a welcome message via\n            email or phone (SMS).</p>\n         <note>\n            <p>This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers\n            require you to register an origination phone number before you can send SMS messages\n            to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a\n            phone number with <a href=\"https://console.aws.amazon.com/pinpoint/home/\">Amazon Pinpoint</a>.\n            Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must\n            receive SMS messages might not be able to sign up, activate their accounts, or sign\n            in.</p>\n            <p>If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Services service,\n            Amazon Simple Notification Service might place your account in the SMS sandbox. In <i>\n                  <a href=\"https://docs.aws.amazon.com/sns/latest/dg/sns-sms-sandbox.html\">sandbox\n                    mode</a>\n               </i>, you can send messages only to verified phone\n            numbers. After you test your app while in the sandbox environment, you can move out\n            of the sandbox and into production. For more information, see <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-sms-settings.html\"> SMS message settings for Amazon Cognito user pools</a> in the <i>Amazon Cognito\n                Developer Guide</i>.</p>\n         </note>\n         <p>This message is based on a template that you configured in your call to create or\n            update a user pool. This template includes your custom sign-up instructions and\n            placeholders for user name and temporary password.</p>\n         <p>Alternatively, you can call <code>AdminCreateUser</code> with <code>SUPPRESS</code>\n            for the <code>MessageAction</code> parameter, and Amazon Cognito won't send any email. </p>\n         <p>In either case, if the user has a password, they will be in the\n                <code>FORCE_CHANGE_PASSWORD</code> state until they sign in and set their password.\n            Your invitation message template must have the <code>{####}</code> password placeholder\n            if your users have passwords. If your template doesn't have this placeholder, Amazon Cognito\n            doesn't deliver the invitation message. In this case, you must update your message\n            template and resend the password with a new <code>AdminCreateUser</code> request with a\n                <code>MessageAction</code> value of <code>RESEND</code>.</p>\n         <note>\n            <p>Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For\n    this operation, you must use IAM credentials to authorize requests, and you must\n    grant yourself the corresponding IAM permission in a policy.</p>\n            <p class=\"title\">\n               <b>Learn more</b>\n            </p>\n            <ul>\n               <li>\n                  <p>\n                     <a href=\"https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html\">Signing Amazon Web Services API Requests</a>\n                  </p>\n               </li>\n               <li>\n                  <p>\n                     <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html\">Using the Amazon Cognito user pools API and user pool endpoints</a>\n                  </p>\n               </li>\n            </ul>\n         </note>",
         "smithy.api#examples": [
           {
             "title": "An AdminCreateUser request for for a test user named John.",
@@ -1733,25 +1763,25 @@
           "target": "com.amazonaws.cognitoidentityprovider#BooleanType",
           "traits": {
             "smithy.api#default": false,
-            "smithy.api#documentation": "<p>Set to <code>True</code> if only the administrator is allowed to create user profiles.\n            Set to <code>False</code> if users can sign themselves up via an app.</p>"
+            "smithy.api#documentation": "<p>The setting for allowing self-service sign-up. When <code>true</code>, only\n            administrators can create new user profiles. When <code>false</code>, users can register\n            themselves and create a new user profile with the <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SignUp.html\">SignUp</a> operation.</p>"
           }
         },
         "UnusedAccountValidityDays": {
           "target": "com.amazonaws.cognitoidentityprovider#AdminCreateUserUnusedAccountValidityDaysType",
           "traits": {
             "smithy.api#default": 0,
-            "smithy.api#documentation": "<p>The user account expiration limit, in days, after which a new account that hasn't\n            signed in is no longer usable. To reset the account after that time limit, you must call\n                <code>AdminCreateUser</code> again, specifying <code>\"RESEND\"</code> for the\n                <code>MessageAction</code> parameter. The default value for this parameter is\n            7.</p>\n         <note>\n            <p>If you set a value for <code>TemporaryPasswordValidityDays</code> in\n                    <code>PasswordPolicy</code>, that value will be used, and\n                    <code>UnusedAccountValidityDays</code> will be no longer be an available\n                parameter for that user pool.</p>\n         </note>"
+            "smithy.api#documentation": "<p>This parameter is no longer in use. Configure the duration of temporary passwords with\n            the <code>TemporaryPasswordValidityDays</code> parameter of <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_PasswordPolicyType.html\">PasswordPolicyType</a>. For older user pools that have a\n                <code>UnusedAccountValidityDays</code> configuration, that value is effective until\n            you set a value for <code>TemporaryPasswordValidityDays</code>.</p>\n         <p>The password expiration limit in days for administrator-created users. When this time\n            expires, the user can't sign in with their temporary password. To reset the account\n            after that time limit, you must call <code>AdminCreateUser</code> again, specifying\n                <code>RESEND</code> for the <code>MessageAction</code> parameter. </p>\n         <p>The default value for this parameter is 7.</p>"
           }
         },
         "InviteMessageTemplate": {
           "target": "com.amazonaws.cognitoidentityprovider#MessageTemplateType",
           "traits": {
-            "smithy.api#documentation": "<p>The message template to be used for the welcome message to new users.</p>\n         <p>See also <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-message-customizations.html#cognito-user-pool-settings-user-invitation-message-customization\">Customizing User Invitation Messages</a>.</p>"
+            "smithy.api#documentation": "<p>The template for the welcome message to new users. This template must include the\n                <code>{####}</code> temporary password placeholder if you are creating users with\n            passwords. If your users don't have passwords, you can omit the placeholder.</p>\n         <p>See also <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-message-customizations.html#cognito-user-pool-settings-user-invitation-message-customization\">Customizing User Invitation Messages</a>.</p>"
           }
         }
       },
       "traits": {
-        "smithy.api#documentation": "<p>The configuration for creating a new user profile.</p>"
+        "smithy.api#documentation": "<p>The settings for administrator creation of users in a user pool. Contains settings for\n            allowing user sign-up, customizing invitation messages to new users, and the amount of\n            time before temporary passwords expire.</p>\n         <p>This data type is a request and response parameter of <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html\">CreateUserPool</a> and <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html\">UpdateUserPool</a>, and a response parameter of <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html\">DescribeUserPool</a>.</p>"
       }
     },
     "com.amazonaws.cognitoidentityprovider#AdminCreateUserRequest": {
@@ -1774,7 +1804,7 @@
         "UserAttributes": {
           "target": "com.amazonaws.cognitoidentityprovider#AttributeListType",
           "traits": {
-            "smithy.api#documentation": "<p>An array of name-value pairs that contain user attributes and attribute values to be\n            set for the user to be created. You can create a user without specifying any attributes\n            other than <code>Username</code>. However, any attributes that you specify as required\n            (when creating a user pool or in the <b>Attributes</b> tab of\n            the console) either you should supply (in your call to <code>AdminCreateUser</code>) or\n            the user should supply (when they sign up in response to your welcome message).</p>\n         <p>For custom attributes, you must prepend the <code>custom:</code> prefix to the\n            attribute name.</p>\n         <p>To send a message inviting the user to sign up, you must specify the user's email\n            address or phone number. You can do this in your call to AdminCreateUser or in the\n                <b>Users</b> tab of the Amazon Cognito console for managing your\n            user pools.</p>\n         <p>In your call to <code>AdminCreateUser</code>, you can set the\n                <code>email_verified</code> attribute to <code>True</code>, and you can set the\n                <code>phone_number_verified</code> attribute to <code>True</code>. You can also do\n            this by calling <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminUpdateUserAttributes.html\">AdminUpdateUserAttributes</a>.</p>\n         <ul>\n            <li>\n               <p>\n                  <b>email</b>: The email address of the user to whom\n                    the message that contains the code and username will be sent. Required if the\n                        <code>email_verified</code> attribute is set to <code>True</code>, or if\n                        <code>\"EMAIL\"</code> is specified in the <code>DesiredDeliveryMediums</code>\n                    parameter.</p>\n            </li>\n            <li>\n               <p>\n                  <b>phone_number</b>: The phone number of the user to\n                    whom the message that contains the code and username will be sent. Required if\n                    the <code>phone_number_verified</code> attribute is set to <code>True</code>, or\n                    if <code>\"SMS\"</code> is specified in the <code>DesiredDeliveryMediums</code>\n                    parameter.</p>\n            </li>\n         </ul>"
+            "smithy.api#documentation": "<p>An array of name-value pairs that contain user attributes and attribute values to be\n            set for the user to be created. You can create a user without specifying any attributes\n            other than <code>Username</code>. However, any attributes that you specify as required\n            (when creating a user pool or in the <b>Attributes</b> tab of\n            the console) either you should supply (in your call to <code>AdminCreateUser</code>) or\n            the user should supply (when they sign up in response to your welcome message).</p>\n         <p>For custom attributes, you must prepend the <code>custom:</code> prefix to the\n            attribute name.</p>\n         <p>To send a message inviting the user to sign up, you must specify the user's email\n            address or phone number. You can do this in your call to AdminCreateUser or in the\n                <b>Users</b> tab of the Amazon Cognito console for managing your\n            user pools.</p>\n         <p>You must also provide an email address or phone number when you expect the user to do\n            passwordless sign-in with an email or SMS OTP. These attributes must be provided when\n            passwordless options are the only available, or when you don't submit a\n                <code>TemporaryPassword</code>.</p>\n         <p>In your call to <code>AdminCreateUser</code>, you can set the\n                <code>email_verified</code> attribute to <code>True</code>, and you can set the\n                <code>phone_number_verified</code> attribute to <code>True</code>. You can also do\n            this by calling <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminUpdateUserAttributes.html\">AdminUpdateUserAttributes</a>.</p>\n         <ul>\n            <li>\n               <p>\n                  <b>email</b>: The email address of the user to whom\n                    the message that contains the code and username will be sent. Required if the\n                        <code>email_verified</code> attribute is set to <code>True</code>, or if\n                        <code>\"EMAIL\"</code> is specified in the <code>DesiredDeliveryMediums</code>\n                    parameter.</p>\n            </li>\n            <li>\n               <p>\n                  <b>phone_number</b>: The phone number of the user to\n                    whom the message that contains the code and username will be sent. Required if\n                    the <code>phone_number_verified</code> attribute is set to <code>True</code>, or\n                    if <code>\"SMS\"</code> is specified in the <code>DesiredDeliveryMediums</code>\n                    parameter.</p>\n            </li>\n         </ul>"
           }
         },
         "ValidationData": {
@@ -1786,7 +1816,7 @@
         "TemporaryPassword": {
           "target": "com.amazonaws.cognitoidentityprovider#PasswordType",
           "traits": {
-            "smithy.api#documentation": "<p>The user's temporary password. This password must conform to the password policy that\n            you specified when you created the user pool.</p>\n         <p>The temporary password is valid only once. To complete the Admin Create User flow, the\n            user must enter the temporary password in the sign-in page, along with a new password to\n            be used in all future sign-ins.</p>\n         <p>This parameter isn't required. If you don't specify a value, Amazon Cognito generates one for\n            you.</p>\n         <p>The temporary password can only be used until the user account expiration limit that\n            you set for your user pool. To reset the account after that time limit, you must call\n                <code>AdminCreateUser</code> again and specify <code>RESEND</code> for the\n                <code>MessageAction</code> parameter.</p>"
+            "smithy.api#documentation": "<p>The user's temporary password. This password must conform to the password policy that\n            you specified when you created the user pool.</p>\n         <p>The exception to the requirement for a password is when your user pool supports\n            passwordless sign-in with email or SMS OTPs. To create a user with no password, omit\n            this parameter or submit a blank value. You can only create a passwordless user when\n            passwordless sign-in is available. See <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SignInPolicyType.html\">the SignInPolicyType</a> property of <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html\">CreateUserPool</a> and <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html\">UpdateUserPool</a>.</p>\n         <p>The temporary password is valid only once. To complete the Admin Create User flow, the\n            user must enter the temporary password in the sign-in page, along with a new password to\n            be used in all future sign-ins.</p>\n         <p>If you don't specify a value, Amazon Cognito generates one for you unless you have passwordless\n            options active for your user pool.</p>\n         <p>The temporary password can only be used until the user account expiration limit that\n            you set for your user pool. To reset the account after that time limit, you must call\n                <code>AdminCreateUser</code> again and specify <code>RESEND</code> for the\n                <code>MessageAction</code> parameter.</p>"
           }
         },
         "ForceAliasCreation": {
@@ -1816,7 +1846,7 @@
         }
       },
       "traits": {
-        "smithy.api#documentation": "<p>Represents the request to create a user in the specified user pool.</p>",
+        "smithy.api#documentation": "<p>Creates a new user in the specified user pool.</p>",
         "smithy.api#input": {}
       }
     },
@@ -2332,7 +2362,7 @@
         }
       ],
       "traits": {
-        "smithy.api#documentation": "<p>Gets the specified user by user name in a user pool as an administrator. Works on any\n            user.</p>\n         <note>\n            <p>Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For\n    this operation, you must use IAM credentials to authorize requests, and you must\n    grant yourself the corresponding IAM permission in a policy.</p>\n            <p class=\"title\">\n               <b>Learn more</b>\n            </p>\n            <ul>\n               <li>\n                  <p>\n                     <a href=\"https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html\">Signing Amazon Web Services API Requests</a>\n                  </p>\n               </li>\n               <li>\n                  <p>\n                     <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html\">Using the Amazon Cognito user pools API and user pool endpoints</a>\n                  </p>\n               </li>\n            </ul>\n         </note>"
+        "smithy.api#documentation": "<p>Gets the specified user by user name in a user pool as an administrator. Works on any\n            user. This operation contributes to your monthly active user (MAU) count for the purpose\n            of billing.</p>\n         <note>\n            <p>Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For\n    this operation, you must use IAM credentials to authorize requests, and you must\n    grant yourself the corresponding IAM permission in a policy.</p>\n            <p class=\"title\">\n               <b>Learn more</b>\n            </p>\n            <ul>\n               <li>\n                  <p>\n                     <a href=\"https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html\">Signing Amazon Web Services API Requests</a>\n                  </p>\n               </li>\n               <li>\n                  <p>\n                     <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html\">Using the Amazon Cognito user pools API and user pool endpoints</a>\n                  </p>\n               </li>\n            </ul>\n         </note>"
       }
     },
     "com.amazonaws.cognitoidentityprovider#AdminGetUserRequest": {
@@ -2414,7 +2444,7 @@
         "UserMFASettingList": {
           "target": "com.amazonaws.cognitoidentityprovider#UserMFASettingListType",
           "traits": {
-            "smithy.api#documentation": "<p>The MFA options that are activated for the user. The possible values in this list are\n            <code>SMS_MFA</code>, <code>EMAIL_OTP</code>, and <code>SOFTWARE_TOKEN_MFA</code>.</p>"
+            "smithy.api#documentation": "<p>The MFA options that are activated for the user. The possible values in this list are\n                <code>SMS_MFA</code>, <code>EMAIL_OTP</code>, and\n            <code>SOFTWARE_TOKEN_MFA</code>.</p>"
           }
         }
       },
@@ -2482,7 +2512,7 @@
         }
       ],
       "traits": {
-        "smithy.api#documentation": "<p>Initiates the authentication flow, as an administrator.</p>\n         <note>\n            <p>This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers\n            require you to register an origination phone number before you can send SMS messages\n            to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a\n            phone number with <a href=\"https://console.aws.amazon.com/pinpoint/home/\">Amazon Pinpoint</a>.\n            Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must\n            receive SMS messages might not be able to sign up, activate their accounts, or sign\n            in.</p>\n            <p>If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Servicesservice,\n            Amazon Simple Notification Service might place your account in the SMS sandbox. In <i>\n                  <a href=\"https://docs.aws.amazon.com/sns/latest/dg/sns-sms-sandbox.html\">sandbox\n                    mode</a>\n               </i>, you can send messages only to verified phone\n            numbers. After you test your app while in the sandbox environment, you can move out\n            of the sandbox and into production. For more information, see <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-sms-settings.html\"> SMS message settings for Amazon Cognito user pools</a> in the <i>Amazon Cognito\n                Developer Guide</i>.</p>\n         </note>\n         <note>\n            <p>Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For\n    this operation, you must use IAM credentials to authorize requests, and you must\n    grant yourself the corresponding IAM permission in a policy.</p>\n            <p class=\"title\">\n               <b>Learn more</b>\n            </p>\n            <ul>\n               <li>\n                  <p>\n                     <a href=\"https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html\">Signing Amazon Web Services API Requests</a>\n                  </p>\n               </li>\n               <li>\n                  <p>\n                     <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html\">Using the Amazon Cognito user pools API and user pool endpoints</a>\n                  </p>\n               </li>\n            </ul>\n         </note>"
+        "smithy.api#documentation": "<p>Initiates the authentication flow, as an administrator.</p>\n         <note>\n            <p>This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers\n            require you to register an origination phone number before you can send SMS messages\n            to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a\n            phone number with <a href=\"https://console.aws.amazon.com/pinpoint/home/\">Amazon Pinpoint</a>.\n            Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must\n            receive SMS messages might not be able to sign up, activate their accounts, or sign\n            in.</p>\n            <p>If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Services service,\n            Amazon Simple Notification Service might place your account in the SMS sandbox. In <i>\n                  <a href=\"https://docs.aws.amazon.com/sns/latest/dg/sns-sms-sandbox.html\">sandbox\n                    mode</a>\n               </i>, you can send messages only to verified phone\n            numbers. After you test your app while in the sandbox environment, you can move out\n            of the sandbox and into production. For more information, see <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-sms-settings.html\"> SMS message settings for Amazon Cognito user pools</a> in the <i>Amazon Cognito\n                Developer Guide</i>.</p>\n         </note>\n         <note>\n            <p>Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For\n    this operation, you must use IAM credentials to authorize requests, and you must\n    grant yourself the corresponding IAM permission in a policy.</p>\n            <p class=\"title\">\n               <b>Learn more</b>\n            </p>\n            <ul>\n               <li>\n                  <p>\n                     <a href=\"https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html\">Signing Amazon Web Services API Requests</a>\n                  </p>\n               </li>\n               <li>\n                  <p>\n                     <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html\">Using the Amazon Cognito user pools API and user pool endpoints</a>\n                  </p>\n               </li>\n            </ul>\n         </note>"
       }
     },
     "com.amazonaws.cognitoidentityprovider#AdminInitiateAuthRequest": {
@@ -2505,20 +2535,20 @@
         "AuthFlow": {
           "target": "com.amazonaws.cognitoidentityprovider#AuthFlowType",
           "traits": {
-            "smithy.api#documentation": "<p>The authentication flow for this call to run. The API action will depend on this\n            value. For example:</p>\n         <ul>\n            <li>\n               <p>\n                  <code>REFRESH_TOKEN_AUTH</code> will take in a valid refresh token and return\n                    new tokens.</p>\n            </li>\n            <li>\n               <p>\n                  <code>USER_SRP_AUTH</code> will take in <code>USERNAME</code> and\n                        <code>SRP_A</code> and return the Secure Remote Password (SRP) protocol\n                    variables to be used for next challenge execution.</p>\n            </li>\n            <li>\n               <p>\n                  <code>ADMIN_USER_PASSWORD_AUTH</code> will take in <code>USERNAME</code> and\n                        <code>PASSWORD</code> and return the next challenge or tokens.</p>\n            </li>\n         </ul>\n         <p>Valid values include:</p>\n         <ul>\n            <li>\n               <p>\n                  <code>USER_SRP_AUTH</code>: Authentication flow for the Secure Remote Password\n                    (SRP) protocol.</p>\n            </li>\n            <li>\n               <p>\n                  <code>REFRESH_TOKEN_AUTH</code>/<code>REFRESH_TOKEN</code>: Authentication\n                    flow for refreshing the access token and ID token by supplying a valid refresh\n                    token.</p>\n            </li>\n            <li>\n               <p>\n                  <code>CUSTOM_AUTH</code>: Custom authentication flow.</p>\n            </li>\n            <li>\n               <p>\n                  <code>ADMIN_NO_SRP_AUTH</code>: Non-SRP authentication flow; you can pass in\n                    the USERNAME and PASSWORD directly if the flow is enabled for calling the app\n                    client.</p>\n            </li>\n            <li>\n               <p>\n                  <code>ADMIN_USER_PASSWORD_AUTH</code>: Admin-based user password\n                    authentication. This replaces the <code>ADMIN_NO_SRP_AUTH</code> authentication\n                    flow. In this flow, Amazon Cognito receives the password in the request instead of using\n                    the SRP process to verify passwords.</p>\n            </li>\n         </ul>",
+            "smithy.api#documentation": "<p>The authentication flow that you want to initiate. The <code>AuthParameters</code>\n            that you must submit are linked to the flow that you submit. For example:</p>\n         <ul>\n            <li>\n               <p>\n                  <code>USER_AUTH</code>: Request a preferred authentication type or review\n                    available authentication types. From the offered authentication types, select\n                    one in a challenge response and then authenticate with that method in an\n                    additional challenge response.</p>\n            </li>\n            <li>\n               <p>\n                  <code>REFRESH_TOKEN_AUTH</code>: Receive new ID and access tokens when you\n                    pass a <code>REFRESH_TOKEN</code> parameter with a valid refresh token as the\n                    value.</p>\n            </li>\n            <li>\n               <p>\n                  <code>USER_SRP_AUTH</code>: Receive secure remote password (SRP) variables for\n                    the next challenge, <code>PASSWORD_VERIFIER</code>, when you pass\n                        <code>USERNAME</code> and <code>SRP_A</code> parameters..</p>\n            </li>\n            <li>\n               <p>\n                  <code>ADMIN_USER_PASSWORD_AUTH</code>: Receive new tokens or the next\n                    challenge, for example <code>SOFTWARE_TOKEN_MFA</code>, when you pass\n                        <code>USERNAME</code> and <code>PASSWORD</code> parameters.</p>\n            </li>\n         </ul>\n         <p>Valid values include the following:</p>\n         <dl>\n            <dt>USER_AUTH</dt>\n            <dd>\n               <p>The entry point for sign-in with passwords, one-time passwords, biometric\n                        devices, and security keys.</p>\n            </dd>\n            <dt>USER_SRP_AUTH</dt>\n            <dd>\n               <p>Username-password authentication with the Secure Remote Password (SRP)\n                        protocol. For more information, see <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-authentication-flow.html#Using-SRP-password-verification-in-custom-authentication-flow\">Use SRP password verification in custom\n                            authentication flow</a>.</p>\n            </dd>\n            <dt>REFRESH_TOKEN_AUTH and REFRESH_TOKEN</dt>\n            <dd>\n               <p>Provide a valid refresh token and receive new ID and access tokens. For\n                        more information, see <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-the-refresh-token.html\">Using the refresh token</a>.</p>\n            </dd>\n            <dt>CUSTOM_AUTH</dt>\n            <dd>\n               <p>Custom authentication with Lambda triggers. For more information, see\n                            <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-challenge.html\">Custom authentication challenge Lambda\n                            triggers</a>.</p>\n            </dd>\n            <dt>ADMIN_USER_PASSWORD_AUTH</dt>\n            <dd>\n               <p>Username-password authentication with the password sent directly in the\n                        request. For more information, see <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-authentication-flow.html#Built-in-authentication-flow-and-challenges\">Admin authentication flow</a>.</p>\n            </dd>\n         </dl>\n         <p>\n            <code>USER_PASSWORD_AUTH</code> is a flow type of <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_InitiateAuth.html\">InitiateAuth</a> and isn't valid for\n            AdminInitiateAuth.</p>",
             "smithy.api#required": {}
           }
         },
         "AuthParameters": {
           "target": "com.amazonaws.cognitoidentityprovider#AuthParametersType",
           "traits": {
-            "smithy.api#documentation": "<p>The authentication parameters. These are inputs corresponding to the\n                <code>AuthFlow</code> that you're invoking. The required values depend on the value\n            of <code>AuthFlow</code>:</p>\n         <ul>\n            <li>\n               <p>For <code>USER_SRP_AUTH</code>: <code>USERNAME</code> (required),\n                        <code>SRP_A</code> (required), <code>SECRET_HASH</code> (required if the app\n                    client is configured with a client secret), <code>DEVICE_KEY</code>.</p>\n            </li>\n            <li>\n               <p>For <code>ADMIN_USER_PASSWORD_AUTH</code>: <code>USERNAME</code> (required),\n                        <code>PASSWORD</code> (required), <code>SECRET_HASH</code> (required if the\n                    app client is configured with a client secret), <code>DEVICE_KEY</code>.</p>\n            </li>\n            <li>\n               <p>For <code>REFRESH_TOKEN_AUTH/REFRESH_TOKEN</code>: <code>REFRESH_TOKEN</code>\n                    (required), <code>SECRET_HASH</code> (required if the app client is configured\n                    with a client secret), <code>DEVICE_KEY</code>.</p>\n            </li>\n            <li>\n               <p>For <code>CUSTOM_AUTH</code>: <code>USERNAME</code> (required),\n                        <code>SECRET_HASH</code> (if app client is configured with client secret),\n                        <code>DEVICE_KEY</code>. To start the authentication flow with password\n                    verification, include <code>ChallengeName: SRP_A</code> and <code>SRP_A: (The\n                        SRP_A Value)</code>.</p>\n            </li>\n         </ul>\n         <p>For more information about <code>SECRET_HASH</code>, see <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/signing-up-users-in-your-app.html#cognito-user-pools-computing-secret-hash\">Computing secret hash values</a>. For information about\n            <code>DEVICE_KEY</code>, see <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-device-tracking.html\">Working with user devices in your user pool</a>.</p>"
+            "smithy.api#documentation": "<p>The authentication parameters. These are inputs corresponding to the\n                <code>AuthFlow</code> that you're invoking. The required values depend on the value\n            of <code>AuthFlow</code>:</p>\n         <ul>\n            <li>\n               <p>For <code>USER_AUTH</code>: <code>USERNAME</code> (required),\n                        <code>PREFERRED_CHALLENGE</code>. If you don't provide a value for\n                        <code>PREFERRED_CHALLENGE</code>, Amazon Cognito responds with the\n                        <code>AvailableChallenges</code> parameter that specifies the available\n                    sign-in methods.</p>\n            </li>\n            <li>\n               <p>For <code>USER_SRP_AUTH</code>: <code>USERNAME</code> (required),\n                        <code>SRP_A</code> (required), <code>SECRET_HASH</code> (required if the app\n                    client is configured with a client secret), <code>DEVICE_KEY</code>.</p>\n            </li>\n            <li>\n               <p>For <code>ADMIN_USER_PASSWORD_AUTH</code>: <code>USERNAME</code> (required),\n                        <code>PASSWORD</code> (required), <code>SECRET_HASH</code> (required if the\n                    app client is configured with a client secret), <code>DEVICE_KEY</code>.</p>\n            </li>\n            <li>\n               <p>For <code>REFRESH_TOKEN_AUTH/REFRESH_TOKEN</code>: <code>REFRESH_TOKEN</code>\n                    (required), <code>SECRET_HASH</code> (required if the app client is configured\n                    with a client secret), <code>DEVICE_KEY</code>.</p>\n            </li>\n            <li>\n               <p>For <code>CUSTOM_AUTH</code>: <code>USERNAME</code> (required),\n                        <code>SECRET_HASH</code> (if app client is configured with client secret),\n                        <code>DEVICE_KEY</code>. To start the authentication flow with password\n                    verification, include <code>ChallengeName: SRP_A</code> and <code>SRP_A: (The\n                        SRP_A Value)</code>.</p>\n            </li>\n         </ul>\n         <p>For more information about <code>SECRET_HASH</code>, see <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/signing-up-users-in-your-app.html#cognito-user-pools-computing-secret-hash\">Computing secret hash values</a>. For information about\n            <code>DEVICE_KEY</code>, see <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-device-tracking.html\">Working with user devices in your user pool</a>.</p>"
           }
         },
         "ClientMetadata": {
           "target": "com.amazonaws.cognitoidentityprovider#ClientMetadataType",
           "traits": {
-            "smithy.api#documentation": "<p>A map of custom key-value pairs that you can provide as input for certain custom\n            workflows that this action triggers.</p>\n         <p>You create custom workflows by assigning Lambda functions to user pool triggers.\n            When you use the AdminInitiateAuth API action, Amazon Cognito invokes the Lambda functions that\n            are specified for various triggers. The ClientMetadata value is passed as input to the\n            functions for only the following triggers:</p>\n         <ul>\n            <li>\n               <p>Pre signup</p>\n            </li>\n            <li>\n               <p>Pre authentication</p>\n            </li>\n            <li>\n               <p>User migration</p>\n            </li>\n         </ul>\n         <p>When Amazon Cognito invokes the functions for these triggers, it passes a JSON payload, which\n            the function receives as input. This payload contains a <code>validationData</code>\n            attribute, which provides the data that you assigned to the ClientMetadata parameter in\n            your AdminInitiateAuth request. In your function code in Lambda, you can process the\n                <code>validationData</code> value to enhance your workflow for your specific\n            needs.</p>\n         <p>When you use the AdminInitiateAuth API action, Amazon Cognito also invokes the functions for\n            the following triggers, but it doesn't provide the ClientMetadata value as input:</p>\n         <ul>\n            <li>\n               <p>Post authentication</p>\n            </li>\n            <li>\n               <p>Custom message</p>\n            </li>\n            <li>\n               <p>Pre token generation</p>\n            </li>\n            <li>\n               <p>Create auth challenge</p>\n            </li>\n            <li>\n               <p>Define auth challenge</p>\n            </li>\n         </ul>\n         <p>For more information, see <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html\">\nCustomizing user pool Workflows with Lambda Triggers</a> in the <i>Amazon Cognito Developer Guide</i>.</p>\n         <note>\n            <p>When you use the ClientMetadata parameter, remember that Amazon Cognito won't do the\n                following:</p>\n            <ul>\n               <li>\n                  <p>Store the ClientMetadata value. This data is available only to Lambda\n                        triggers that are assigned to a user pool to support custom workflows. If\n                        your user pool configuration doesn't include triggers, the ClientMetadata\n                        parameter serves no purpose.</p>\n               </li>\n               <li>\n                  <p>Validate the ClientMetadata value.</p>\n               </li>\n               <li>\n                  <p>Encrypt the ClientMetadata value. Don't use Amazon Cognito to provide sensitive\n                        information.</p>\n               </li>\n            </ul>\n         </note>"
+            "smithy.api#documentation": "<p>A map of custom key-value pairs that you can provide as input for certain custom\n            workflows that this action triggers.</p>\n         <p>You create custom workflows by assigning Lambda functions to user pool triggers.\n            When you use the AdminInitiateAuth API action, Amazon Cognito invokes the Lambda functions that\n            are specified for various triggers. The ClientMetadata value is passed as input to the\n            functions for only the following triggers:</p>\n         <ul>\n            <li>\n               <p>Pre signup</p>\n            </li>\n            <li>\n               <p>Pre authentication</p>\n            </li>\n            <li>\n               <p>User migration</p>\n            </li>\n         </ul>\n         <p>When Amazon Cognito invokes the functions for these triggers, it passes a JSON payload, which\n            the function receives as input. This payload contains a <code>validationData</code>\n            attribute, which provides the data that you assigned to the ClientMetadata parameter in\n            your AdminInitiateAuth request. In your function code in Lambda, you can process the\n                <code>validationData</code> value to enhance your workflow for your specific\n            needs.</p>\n         <p>When you use the AdminInitiateAuth API action, Amazon Cognito also invokes the functions for\n            the following triggers, but it doesn't provide the ClientMetadata value as input:</p>\n         <ul>\n            <li>\n               <p>Post authentication</p>\n            </li>\n            <li>\n               <p>Custom message</p>\n            </li>\n            <li>\n               <p>Pre token generation</p>\n            </li>\n            <li>\n               <p>Create auth challenge</p>\n            </li>\n            <li>\n               <p>Define auth challenge</p>\n            </li>\n            <li>\n               <p>Custom email sender</p>\n            </li>\n            <li>\n               <p>Custom SMS sender</p>\n            </li>\n         </ul>\n         <p>For more information, see <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html\">\nCustomizing user pool Workflows with Lambda Triggers</a> in the <i>Amazon Cognito Developer Guide</i>.</p>\n         <note>\n            <p>When you use the ClientMetadata parameter, remember that Amazon Cognito won't do the\n                following:</p>\n            <ul>\n               <li>\n                  <p>Store the ClientMetadata value. This data is available only to Lambda\n                        triggers that are assigned to a user pool to support custom workflows. If\n                        your user pool configuration doesn't include triggers, the ClientMetadata\n                        parameter serves no purpose.</p>\n               </li>\n               <li>\n                  <p>Validate the ClientMetadata value.</p>\n               </li>\n               <li>\n                  <p>Encrypt the ClientMetadata value. Don't use Amazon Cognito to provide sensitive\n                        information.</p>\n               </li>\n            </ul>\n         </note>"
           }
         },
         "AnalyticsMetadata": {
@@ -2532,6 +2562,12 @@
           "traits": {
             "smithy.api#documentation": "<p>Contextual data about your user session, such as the device fingerprint, IP address, or location. Amazon Cognito advanced \nsecurity evaluates the risk of an authentication event based on the context that your app generates and passes to Amazon Cognito\nwhen it makes API requests.</p>"
           }
+        },
+        "Session": {
+          "target": "com.amazonaws.cognitoidentityprovider#SessionType",
+          "traits": {
+            "smithy.api#documentation": "<p>The optional session ID from a <code>ConfirmSignUp</code> API request. You can sign in\n            a user directly from the sign-up process with the <code>USER_AUTH</code> authentication\n            flow.</p>"
+          }
         }
       },
       "traits": {
@@ -2545,7 +2581,7 @@
         "ChallengeName": {
           "target": "com.amazonaws.cognitoidentityprovider#ChallengeNameType",
           "traits": {
-            "smithy.api#documentation": "<p>The name of the challenge that you're responding to with this call. This is returned\n            in the <code>AdminInitiateAuth</code> response if you must pass another\n            challenge.</p>\n         <ul>\n            <li>\n               <p>\n                  <code>MFA_SETUP</code>: If MFA is required, users who don't have at least one\n                    of the MFA methods set up are presented with an <code>MFA_SETUP</code>\n                    challenge. The user must set up at least one MFA type to continue to\n                    authenticate.</p>\n            </li>\n            <li>\n               <p>\n                  <code>SELECT_MFA_TYPE</code>: Selects the MFA type. Valid MFA options are\n                    <code>SMS_MFA</code> for SMS message MFA, <code>EMAIL_OTP</code> for email \n                    message MFA, and <code>SOFTWARE_TOKEN_MFA</code> for time-based one-time \n                    password (TOTP) software token MFA.</p>\n            </li>\n            <li>\n               <p>\n                  <code>SMS_MFA</code>: Next challenge is to supply an\n                    <code>SMS_MFA_CODE</code>that your user pool delivered\n                    in an SMS message.</p>\n            </li>\n            <li>\n               <p>\n                  <code>EMAIL_OTP</code>: Next challenge is to supply an\n                    <code>EMAIL_OTP_CODE</code> that your user pool delivered \n                    in an email message.</p>\n            </li>\n            <li>\n               <p>\n                  <code>PASSWORD_VERIFIER</code>: Next challenge is to supply\n                        <code>PASSWORD_CLAIM_SIGNATURE</code>,\n                        <code>PASSWORD_CLAIM_SECRET_BLOCK</code>, and <code>TIMESTAMP</code> after\n                    the client-side SRP calculations.</p>\n            </li>\n            <li>\n               <p>\n                  <code>CUSTOM_CHALLENGE</code>: This is returned if your custom authentication\n                    flow determines that the user should pass another challenge before tokens are\n                    issued.</p>\n            </li>\n            <li>\n               <p>\n                  <code>DEVICE_SRP_AUTH</code>: If device tracking was activated in your user\n                    pool and the previous challenges were passed, this challenge is returned so that\n                    Amazon Cognito can start tracking this device.</p>\n            </li>\n            <li>\n               <p>\n                  <code>DEVICE_PASSWORD_VERIFIER</code>: Similar to\n                        <code>PASSWORD_VERIFIER</code>, but for devices only.</p>\n            </li>\n            <li>\n               <p>\n                  <code>ADMIN_NO_SRP_AUTH</code>: This is returned if you must authenticate with\n                        <code>USERNAME</code> and <code>PASSWORD</code> directly. An app client must\n                    be enabled to use this flow.</p>\n            </li>\n            <li>\n               <p>\n                  <code>NEW_PASSWORD_REQUIRED</code>: For users who are required to change their\n                    passwords after successful first login. Respond to this challenge with\n                        <code>NEW_PASSWORD</code> and any required attributes that Amazon Cognito returned in\n                    the <code>requiredAttributes</code> parameter. You can also set values for\n                    attributes that aren't required by your user pool and that your app client can\n                    write. For more information, see <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminRespondToAuthChallenge.html\">AdminRespondToAuthChallenge</a>.</p>\n               <note>\n                  <p>In a <code>NEW_PASSWORD_REQUIRED</code> challenge response, you can't modify a required attribute that already has a value. \nIn <code>AdminRespondToAuthChallenge</code>, set a value for any keys that Amazon Cognito returned in the <code>requiredAttributes</code> parameter, \nthen use the <code>AdminUpdateUserAttributes</code> API operation to modify the value of any additional attributes.</p>\n               </note>\n            </li>\n            <li>\n               <p>\n                  <code>MFA_SETUP</code>: For users who are required to set up an MFA factor\n                    before they can sign in. The MFA types activated for the user pool will be\n                    listed in the challenge parameters <code>MFAS_CAN_SETUP</code> value. </p>\n               <p> To set up software token MFA, use the session returned here from\n                        <code>InitiateAuth</code> as an input to\n                    <code>AssociateSoftwareToken</code>, and use the session returned by\n                        <code>VerifySoftwareToken</code> as an input to\n                        <code>RespondToAuthChallenge</code> with challenge name\n                        <code>MFA_SETUP</code> to complete sign-in. To set up SMS MFA, users will\n                    need help from an administrator to add a phone number to their account and then\n                    call <code>InitiateAuth</code> again to restart sign-in.</p>\n            </li>\n         </ul>"
+            "smithy.api#documentation": "<p>The name of the challenge that you're responding to with this call. This is returned\n            in the <code>AdminInitiateAuth</code> response if you must pass another\n            challenge.</p>\n         <ul>\n            <li>\n               <p>\n                  <code>WEB_AUTHN</code>: Respond to the challenge with the results of a\n                    successful authentication with a passkey, or webauthN, factor. These are\n                    typically biometric devices or security keys.</p>\n            </li>\n            <li>\n               <p>\n                  <code>PASSWORD</code>: Respond with <code>USER_PASSWORD_AUTH</code>\n                    parameters: <code>USERNAME</code> (required), <code>PASSWORD</code> (required),\n                        <code>SECRET_HASH</code> (required if the app client is configured with a\n                    client secret), <code>DEVICE_KEY</code>.</p>\n            </li>\n            <li>\n               <p>\n                  <code>PASSWORD_SRP</code>: Respond with <code>USER_SRP_AUTH</code> parameters:\n                        <code>USERNAME</code> (required), <code>SRP_A</code> (required),\n                        <code>SECRET_HASH</code> (required if the app client is configured with a\n                    client secret), <code>DEVICE_KEY</code>.</p>\n            </li>\n            <li>\n               <p>\n                  <code>SELECT_CHALLENGE</code>: Respond to the challenge with\n                        <code>USERNAME</code> and an <code>ANSWER</code> that matches one of the\n                    challenge types in the <code>AvailableChallenges</code> response\n                    parameter.</p>\n            </li>\n            <li>\n               <p>\n                  <code>MFA_SETUP</code>: If MFA is required, users who don't have at least one\n                    of the MFA methods set up are presented with an <code>MFA_SETUP</code>\n                    challenge. The user must set up at least one MFA type to continue to\n                    authenticate.</p>\n            </li>\n            <li>\n               <p>\n                  <code>SELECT_MFA_TYPE</code>: Selects the MFA type. Valid MFA options are\n                        <code>SMS_MFA</code> for SMS message MFA, <code>EMAIL_OTP</code> for email\n                    message MFA, and <code>SOFTWARE_TOKEN_MFA</code> for time-based one-time\n                    password (TOTP) software token MFA.</p>\n            </li>\n            <li>\n               <p>\n                  <code>SMS_MFA</code>: Next challenge is to supply an\n                    <code>SMS_MFA_CODE</code>that your user pool delivered in an SMS message.</p>\n            </li>\n            <li>\n               <p>\n                  <code>EMAIL_OTP</code>: Next challenge is to supply an\n                        <code>EMAIL_OTP_CODE</code> that your user pool delivered in an email\n                    message.</p>\n            </li>\n            <li>\n               <p>\n                  <code>PASSWORD_VERIFIER</code>: Next challenge is to supply\n                        <code>PASSWORD_CLAIM_SIGNATURE</code>,\n                        <code>PASSWORD_CLAIM_SECRET_BLOCK</code>, and <code>TIMESTAMP</code> after\n                    the client-side SRP calculations.</p>\n            </li>\n            <li>\n               <p>\n                  <code>CUSTOM_CHALLENGE</code>: This is returned if your custom authentication\n                    flow determines that the user should pass another challenge before tokens are\n                    issued.</p>\n            </li>\n            <li>\n               <p>\n                  <code>DEVICE_SRP_AUTH</code>: If device tracking was activated in your user\n                    pool and the previous challenges were passed, this challenge is returned so that\n                    Amazon Cognito can start tracking this device.</p>\n            </li>\n            <li>\n               <p>\n                  <code>DEVICE_PASSWORD_VERIFIER</code>: Similar to\n                        <code>PASSWORD_VERIFIER</code>, but for devices only.</p>\n            </li>\n            <li>\n               <p>\n                  <code>ADMIN_NO_SRP_AUTH</code>: This is returned if you must authenticate with\n                        <code>USERNAME</code> and <code>PASSWORD</code> directly. An app client must\n                    be enabled to use this flow.</p>\n            </li>\n            <li>\n               <p>\n                  <code>NEW_PASSWORD_REQUIRED</code>: For users who are required to change their\n                    passwords after successful first login. Respond to this challenge with\n                        <code>NEW_PASSWORD</code> and any required attributes that Amazon Cognito returned in\n                    the <code>requiredAttributes</code> parameter. You can also set values for\n                    attributes that aren't required by your user pool and that your app client can\n                    write. For more information, see <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminRespondToAuthChallenge.html\">AdminRespondToAuthChallenge</a>.</p>\n               <p>Amazon Cognito only returns this challenge for users who have temporary passwords.\n                    Because of this, and because in some cases you can create users who don't have\n                    values for required attributes, take care to collect and submit\n                    required-attribute values for all users who don't have passwords. You can create\n                    a user in the Amazon Cognito console without, for example, a required\n                        <code>birthdate</code> attribute. The API response from Amazon Cognito won't prompt\n                    you to submit a birthdate for the user if they don't have a password.</p>\n               <note>\n                  <p>In a <code>NEW_PASSWORD_REQUIRED</code> challenge response, you can't modify a required attribute that already has a value. \nIn <code>AdminRespondToAuthChallenge</code>, set a value for any keys that Amazon Cognito returned in the <code>requiredAttributes</code> parameter, \nthen use the <code>AdminUpdateUserAttributes</code> API operation to modify the value of any additional attributes.</p>\n               </note>\n            </li>\n            <li>\n               <p>\n                  <code>MFA_SETUP</code>: For users who are required to set up an MFA factor\n                    before they can sign in. The MFA types activated for the user pool will be\n                    listed in the challenge parameters <code>MFAS_CAN_SETUP</code> value. </p>\n               <p> To set up software token MFA, use the session returned here from\n                        <code>InitiateAuth</code> as an input to\n                    <code>AssociateSoftwareToken</code>, and use the session returned by\n                        <code>VerifySoftwareToken</code> as an input to\n                        <code>RespondToAuthChallenge</code> with challenge name\n                        <code>MFA_SETUP</code> to complete sign-in. To set up SMS MFA, users will\n                    need help from an administrator to add a phone number to their account and then\n                    call <code>InitiateAuth</code> again to restart sign-in.</p>\n            </li>\n         </ul>"
           }
         },
         "Session": {
@@ -2630,7 +2666,7 @@
         "SourceUser": {
           "target": "com.amazonaws.cognitoidentityprovider#ProviderUserIdentifierType",
           "traits": {
-            "smithy.api#documentation": "<p>An external IdP account for a user who doesn't exist yet in the user pool. This user\n            must be a federated user (for example, a SAML or Facebook user), not another native\n            user.</p>\n         <p>If the <code>SourceUser</code> is using a federated social IdP, such as Facebook,\n            Google, or Login with Amazon, you must set the <code>ProviderAttributeName</code> to\n                <code>Cognito_Subject</code>. For social IdPs, the <code>ProviderName</code> will be\n                <code>Facebook</code>, <code>Google</code>, or <code>LoginWithAmazon</code>, and\n            Amazon Cognito will automatically parse the Facebook, Google, and Login with Amazon tokens for\n                <code>id</code>, <code>sub</code>, and <code>user_id</code>, respectively. The\n                <code>ProviderAttributeValue</code> for the user must be the same value as the\n                <code>id</code>, <code>sub</code>, or <code>user_id</code> value found in the social\n            IdP token.</p>\n         <p></p>\n         <p>For OIDC, the <code>ProviderAttributeName</code> can be any value that matches a claim\n            in the ID token, or that your app retrieves from the <code>userInfo</code> endpoint. You\n            must map the claim to a user pool attribute in your IdP configuration, and set the user\n            pool attribute name as the value of <code>ProviderAttributeName</code> in your\n                <code>AdminLinkProviderForUser</code> request.</p>\n         <p>For SAML, the <code>ProviderAttributeName</code> can be any value that matches a claim\n            in the SAML assertion. To link SAML users based on the subject of the SAML assertion,\n            map the subject to a claim through the SAML IdP and set that claim name as the value of\n                <code>ProviderAttributeName</code> in your <code>AdminLinkProviderForUser</code>\n            request.</p>\n         <p>For both OIDC and SAML users, when you set <code>ProviderAttributeName</code> to\n                <code>Cognito_Subject</code>, Amazon Cognito will automatically parse the default unique\n            identifier found in the subject from the IdP token.</p>",
+            "smithy.api#documentation": "<p>An external IdP account for a user who doesn't exist yet in the user pool. This user\n            must be a federated user (for example, a SAML or Facebook user), not another native\n            user.</p>\n         <p>If the <code>SourceUser</code> is using a federated social IdP, such as Facebook,\n            Google, or Login with Amazon, you must set the <code>ProviderAttributeName</code> to\n                <code>Cognito_Subject</code>. For social IdPs, the <code>ProviderName</code> will be\n                <code>Facebook</code>, <code>Google</code>, or <code>LoginWithAmazon</code>, and\n            Amazon Cognito will automatically parse the Facebook, Google, and Login with Amazon tokens for\n                <code>id</code>, <code>sub</code>, and <code>user_id</code>, respectively. The\n                <code>ProviderAttributeValue</code> for the user must be the same value as the\n                <code>id</code>, <code>sub</code>, or <code>user_id</code> value found in the social\n            IdP token.</p>\n         <p>For OIDC, the <code>ProviderAttributeName</code> can be any mapped value from a claim\n            in the ID token, or that your app retrieves from the <code>userInfo</code> endpoint. For\n            SAML, the <code>ProviderAttributeName</code> can be any mapped value from a claim in the\n            SAML assertion.</p>\n         <p>The following additional considerations apply to <code>SourceUser</code> for OIDC and\n            SAML providers.</p>\n         <ul>\n            <li>\n               <p>You must map the claim to a user pool attribute in your IdP configuration, and\n                    set the user pool attribute name as the value of\n                        <code>ProviderAttributeName</code> in your\n                        <code>AdminLinkProviderForUser</code> request. For example,\n                        <code>email</code>.</p>\n            </li>\n            <li>\n               <p>When you set <code>ProviderAttributeName</code> to\n                        <code>Cognito_Subject</code>, Amazon Cognito will automatically parse the default\n                    unique identifier found in the subject from the IdP token.</p>\n            </li>\n         </ul>",
             "smithy.api#required": {}
           }
         }
@@ -2675,7 +2711,7 @@
         }
       ],
       "traits": {
-        "smithy.api#documentation": "<p>Lists devices, as an administrator.</p>\n         <note>\n            <p>Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For\n    this operation, you must use IAM credentials to authorize requests, and you must\n    grant yourself the corresponding IAM permission in a policy.</p>\n            <p class=\"title\">\n               <b>Learn more</b>\n            </p>\n            <ul>\n               <li>\n                  <p>\n                     <a href=\"https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html\">Signing Amazon Web Services API Requests</a>\n                  </p>\n               </li>\n               <li>\n                  <p>\n                     <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html\">Using the Amazon Cognito user pools API and user pool endpoints</a>\n                  </p>\n               </li>\n            </ul>\n         </note>"
+        "smithy.api#documentation": "<p>Lists a user's registered devices.</p>\n         <note>\n            <p>Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For\n    this operation, you must use IAM credentials to authorize requests, and you must\n    grant yourself the corresponding IAM permission in a policy.</p>\n            <p class=\"title\">\n               <b>Learn more</b>\n            </p>\n            <ul>\n               <li>\n                  <p>\n                     <a href=\"https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html\">Signing Amazon Web Services API Requests</a>\n                  </p>\n               </li>\n               <li>\n                  <p>\n                     <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html\">Using the Amazon Cognito user pools API and user pool endpoints</a>\n                  </p>\n               </li>\n            </ul>\n         </note>"
       }
     },
     "com.amazonaws.cognitoidentityprovider#AdminListDevicesRequest": {
@@ -3032,7 +3068,7 @@
         }
       ],
       "traits": {
-        "smithy.api#documentation": "<p>Resets the specified user's password in a user pool as an administrator. Works on any\n            user.</p>\n         <p>To use this API operation, your user pool must have self-service account recovery\n            configured. Use <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminSetUserPassword.html\">AdminSetUserPassword</a> if you manage passwords as an administrator.</p>\n         <note>\n            <p>This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers\n            require you to register an origination phone number before you can send SMS messages\n            to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a\n            phone number with <a href=\"https://console.aws.amazon.com/pinpoint/home/\">Amazon Pinpoint</a>.\n            Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must\n            receive SMS messages might not be able to sign up, activate their accounts, or sign\n            in.</p>\n            <p>If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Servicesservice,\n            Amazon Simple Notification Service might place your account in the SMS sandbox. In <i>\n                  <a href=\"https://docs.aws.amazon.com/sns/latest/dg/sns-sms-sandbox.html\">sandbox\n                    mode</a>\n               </i>, you can send messages only to verified phone\n            numbers. After you test your app while in the sandbox environment, you can move out\n            of the sandbox and into production. For more information, see <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-sms-settings.html\"> SMS message settings for Amazon Cognito user pools</a> in the <i>Amazon Cognito\n                Developer Guide</i>.</p>\n         </note>\n         <p>Deactivates a user's password, requiring them to change it. If a user tries to sign in\n            after the API is called, Amazon Cognito responds with a\n                <code>PasswordResetRequiredException</code> error. Your app must then perform the\n            actions that reset your user's password: the forgot-password flow. In addition, if the\n            user pool has phone verification selected and a verified phone number exists for the\n            user, or if email verification is selected and a verified email exists for the user,\n            calling this API will also result in sending a message to the end user with the code to\n            change their password.</p>\n         <note>\n            <p>Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For\n    this operation, you must use IAM credentials to authorize requests, and you must\n    grant yourself the corresponding IAM permission in a policy.</p>\n            <p class=\"title\">\n               <b>Learn more</b>\n            </p>\n            <ul>\n               <li>\n                  <p>\n                     <a href=\"https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html\">Signing Amazon Web Services API Requests</a>\n                  </p>\n               </li>\n               <li>\n                  <p>\n                     <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html\">Using the Amazon Cognito user pools API and user pool endpoints</a>\n                  </p>\n               </li>\n            </ul>\n         </note>"
+        "smithy.api#documentation": "<p>Resets the specified user's password in a user pool as an administrator. Works on any\n            user.</p>\n         <p>To use this API operation, your user pool must have self-service account recovery\n            configured. Use <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminSetUserPassword.html\">AdminSetUserPassword</a> if you manage passwords as an administrator.</p>\n         <note>\n            <p>This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers\n            require you to register an origination phone number before you can send SMS messages\n            to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a\n            phone number with <a href=\"https://console.aws.amazon.com/pinpoint/home/\">Amazon Pinpoint</a>.\n            Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must\n            receive SMS messages might not be able to sign up, activate their accounts, or sign\n            in.</p>\n            <p>If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Services service,\n            Amazon Simple Notification Service might place your account in the SMS sandbox. In <i>\n                  <a href=\"https://docs.aws.amazon.com/sns/latest/dg/sns-sms-sandbox.html\">sandbox\n                    mode</a>\n               </i>, you can send messages only to verified phone\n            numbers. After you test your app while in the sandbox environment, you can move out\n            of the sandbox and into production. For more information, see <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-sms-settings.html\"> SMS message settings for Amazon Cognito user pools</a> in the <i>Amazon Cognito\n                Developer Guide</i>.</p>\n         </note>\n         <p>Deactivates a user's password, requiring them to change it. If a user tries to sign in\n            after the API is called, Amazon Cognito responds with a\n                <code>PasswordResetRequiredException</code> error. Your app must then perform the\n            actions that reset your user's password: the forgot-password flow. In addition, if the\n            user pool has phone verification selected and a verified phone number exists for the\n            user, or if email verification is selected and a verified email exists for the user,\n            calling this API will also result in sending a message to the end user with the code to\n            change their password.</p>\n         <note>\n            <p>Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For\n    this operation, you must use IAM credentials to authorize requests, and you must\n    grant yourself the corresponding IAM permission in a policy.</p>\n            <p class=\"title\">\n               <b>Learn more</b>\n            </p>\n            <ul>\n               <li>\n                  <p>\n                     <a href=\"https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html\">Signing Amazon Web Services API Requests</a>\n                  </p>\n               </li>\n               <li>\n                  <p>\n                     <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html\">Using the Amazon Cognito user pools API and user pool endpoints</a>\n                  </p>\n               </li>\n            </ul>\n         </note>"
       }
     },
     "com.amazonaws.cognitoidentityprovider#AdminResetUserPasswordRequest": {
@@ -3149,7 +3185,7 @@
         }
       ],
       "traits": {
-        "smithy.api#documentation": "<p>Some API operations in a user pool generate a challenge, like a prompt for an MFA\n            code, for device authentication that bypasses MFA, or for a custom authentication\n            challenge. An <code>AdminRespondToAuthChallenge</code> API request provides the answer\n            to that challenge, like a code or a secure remote password (SRP). The parameters of a\n            response to an authentication challenge vary with the type of challenge.</p>\n         <p>For more information about custom authentication challenges, see <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-challenge.html\">Custom\n                authentication challenge Lambda triggers</a>.</p>\n         <note>\n            <p>This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers\n            require you to register an origination phone number before you can send SMS messages\n            to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a\n            phone number with <a href=\"https://console.aws.amazon.com/pinpoint/home/\">Amazon Pinpoint</a>.\n            Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must\n            receive SMS messages might not be able to sign up, activate their accounts, or sign\n            in.</p>\n            <p>If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Servicesservice,\n            Amazon Simple Notification Service might place your account in the SMS sandbox. In <i>\n                  <a href=\"https://docs.aws.amazon.com/sns/latest/dg/sns-sms-sandbox.html\">sandbox\n                    mode</a>\n               </i>, you can send messages only to verified phone\n            numbers. After you test your app while in the sandbox environment, you can move out\n            of the sandbox and into production. For more information, see <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-sms-settings.html\"> SMS message settings for Amazon Cognito user pools</a> in the <i>Amazon Cognito\n                Developer Guide</i>.</p>\n         </note>\n         <note>\n            <p>Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For\n    this operation, you must use IAM credentials to authorize requests, and you must\n    grant yourself the corresponding IAM permission in a policy.</p>\n            <p class=\"title\">\n               <b>Learn more</b>\n            </p>\n            <ul>\n               <li>\n                  <p>\n                     <a href=\"https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html\">Signing Amazon Web Services API Requests</a>\n                  </p>\n               </li>\n               <li>\n                  <p>\n                     <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html\">Using the Amazon Cognito user pools API and user pool endpoints</a>\n                  </p>\n               </li>\n            </ul>\n         </note>"
+        "smithy.api#documentation": "<p>Some API operations in a user pool generate a challenge, like a prompt for an MFA\n            code, for device authentication that bypasses MFA, or for a custom authentication\n            challenge. An <code>AdminRespondToAuthChallenge</code> API request provides the answer\n            to that challenge, like a code or a secure remote password (SRP). The parameters of a\n            response to an authentication challenge vary with the type of challenge.</p>\n         <p>For more information about custom authentication challenges, see <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-challenge.html\">Custom\n                authentication challenge Lambda triggers</a>.</p>\n         <note>\n            <p>This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers\n            require you to register an origination phone number before you can send SMS messages\n            to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a\n            phone number with <a href=\"https://console.aws.amazon.com/pinpoint/home/\">Amazon Pinpoint</a>.\n            Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must\n            receive SMS messages might not be able to sign up, activate their accounts, or sign\n            in.</p>\n            <p>If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Services service,\n            Amazon Simple Notification Service might place your account in the SMS sandbox. In <i>\n                  <a href=\"https://docs.aws.amazon.com/sns/latest/dg/sns-sms-sandbox.html\">sandbox\n                    mode</a>\n               </i>, you can send messages only to verified phone\n            numbers. After you test your app while in the sandbox environment, you can move out\n            of the sandbox and into production. For more information, see <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-sms-settings.html\"> SMS message settings for Amazon Cognito user pools</a> in the <i>Amazon Cognito\n                Developer Guide</i>.</p>\n         </note>\n         <note>\n            <p>Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For\n    this operation, you must use IAM credentials to authorize requests, and you must\n    grant yourself the corresponding IAM permission in a policy.</p>\n            <p class=\"title\">\n               <b>Learn more</b>\n            </p>\n            <ul>\n               <li>\n                  <p>\n                     <a href=\"https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html\">Signing Amazon Web Services API Requests</a>\n                  </p>\n               </li>\n               <li>\n                  <p>\n                     <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html\">Using the Amazon Cognito user pools API and user pool endpoints</a>\n                  </p>\n               </li>\n            </ul>\n         </note>"
       }
     },
     "com.amazonaws.cognitoidentityprovider#AdminRespondToAuthChallengeRequest": {
@@ -3179,7 +3215,7 @@
         "ChallengeResponses": {
           "target": "com.amazonaws.cognitoidentityprovider#ChallengeResponsesType",
           "traits": {
-            "smithy.api#documentation": "<p>The responses to the challenge that you received in the previous request. Each\n    challenge has its own required response parameters. The following examples are partial\n    JSON request bodies that highlight challenge-response parameters.</p>\n         <important>\n            <p>You must provide a SECRET_HASH parameter in all challenge responses to an app\n        client that has a client secret.</p>\n         </important>\n         <dl>\n            <dt>SMS_MFA</dt>\n            <dd>\n               <p>\n                  <code>\"ChallengeName\": \"SMS_MFA\", \"ChallengeResponses\": {\"SMS_MFA_CODE\":\n                    \"[code]\", \"USERNAME\": \"[username]\"}</code>\n               </p>\n            </dd>\n            <dt>EMAIL_OTP</dt>\n            <dd>\n               <p>\n                  <code>\"ChallengeName\": \"EMAIL_OTP\", \"ChallengeResponses\": {\"EMAIL_OTP_CODE\":\n                    \"[code]\", \"USERNAME\": \"[username]\"}</code>\n               </p>\n            </dd>\n            <dt>PASSWORD_VERIFIER</dt>\n            <dd>\n               <p>This challenge response is part of the SRP flow. Amazon Cognito requires \n            that your application respond to this challenge within a few seconds. When\n            the response time exceeds this period, your user pool returns a\n            <code>NotAuthorizedException</code> error.</p>\n               <p>\n                  <code>\"ChallengeName\": \"PASSWORD_VERIFIER\", \"ChallengeResponses\":\n                    {\"PASSWORD_CLAIM_SIGNATURE\": \"[claim_signature]\",\n                    \"PASSWORD_CLAIM_SECRET_BLOCK\": \"[secret_block]\", \"TIMESTAMP\":\n                    [timestamp], \"USERNAME\": \"[username]\"}</code>\n               </p>\n               <p>Add <code>\"DEVICE_KEY\"</code> when you sign in with a remembered\n                device.</p>\n            </dd>\n            <dt>CUSTOM_CHALLENGE</dt>\n            <dd>\n               <p>\n                  <code>\"ChallengeName\": \"CUSTOM_CHALLENGE\", \"ChallengeResponses\":\n                    {\"USERNAME\": \"[username]\", \"ANSWER\": \"[challenge_answer]\"}</code>\n               </p>\n               <p>Add <code>\"DEVICE_KEY\"</code> when you sign in with a remembered\n                device.</p>\n            </dd>\n            <dt>NEW_PASSWORD_REQUIRED</dt>\n            <dd>\n               <p>\n                  <code>\"ChallengeName\": \"NEW_PASSWORD_REQUIRED\", \"ChallengeResponses\":\n                    {\"NEW_PASSWORD\": \"[new_password]\", \"USERNAME\":\n                \"[username]\"}</code>\n               </p>\n               <p>To set any required attributes that <code>InitiateAuth</code> returned in\n                an <code>requiredAttributes</code> parameter, add\n                    <code>\"userAttributes.[attribute_name]\": \"[attribute_value]\"</code>.\n                This parameter can also set values for writable attributes that aren't\n                required by your user pool.</p>\n               <note>\n                  <p>In a <code>NEW_PASSWORD_REQUIRED</code> challenge response, you can't modify a required attribute that already has a value. \nIn <code>RespondToAuthChallenge</code>, set a value for any keys that Amazon Cognito returned in the <code>requiredAttributes</code> parameter, \nthen use the <code>UpdateUserAttributes</code> API operation to modify the value of any additional attributes.</p>\n               </note>\n            </dd>\n            <dt>SOFTWARE_TOKEN_MFA</dt>\n            <dd>\n               <p>\n                  <code>\"ChallengeName\": \"SOFTWARE_TOKEN_MFA\", \"ChallengeResponses\":\n                    {\"USERNAME\": \"[username]\", \"SOFTWARE_TOKEN_MFA_CODE\":\n                    [authenticator_code]}</code>\n               </p>\n            </dd>\n            <dt>DEVICE_SRP_AUTH</dt>\n            <dd>\n               <p>\n                  <code>\"ChallengeName\": \"DEVICE_SRP_AUTH\", \"ChallengeResponses\": {\"USERNAME\":\n                \"[username]\", \"DEVICE_KEY\": \"[device_key]\", \"SRP_A\":\n                \"[srp_a]\"}</code>\n               </p>\n            </dd>\n            <dt>DEVICE_PASSWORD_VERIFIER</dt>\n            <dd>\n               <p>\n                  <code>\"ChallengeName\": \"DEVICE_PASSWORD_VERIFIER\", \"ChallengeResponses\":\n                {\"DEVICE_KEY\": \"[device_key]\", \"PASSWORD_CLAIM_SIGNATURE\":\n                \"[claim_signature]\", \"PASSWORD_CLAIM_SECRET_BLOCK\": \"[secret_block]\",\n                \"TIMESTAMP\": [timestamp], \"USERNAME\": \"[username]\"}</code>\n               </p>\n            </dd>\n            <dt>MFA_SETUP</dt>\n            <dd>\n               <p>\n                  <code>\"ChallengeName\": \"MFA_SETUP\", \"ChallengeResponses\": {\"USERNAME\":\n                \"[username]\"}, \"SESSION\": \"[Session ID from\n                VerifySoftwareToken]\"</code>\n               </p>\n            </dd>\n            <dt>SELECT_MFA_TYPE</dt>\n            <dd>\n               <p>\n                  <code>\"ChallengeName\": \"SELECT_MFA_TYPE\", \"ChallengeResponses\": {\"USERNAME\":\n                \"[username]\", \"ANSWER\": \"[SMS_MFA or SOFTWARE_TOKEN_MFA]\"}</code>\n               </p>\n            </dd>\n         </dl>\n         <p>For more information about <code>SECRET_HASH</code>, see <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/signing-up-users-in-your-app.html#cognito-user-pools-computing-secret-hash\">Computing secret hash values</a>. For information about\n    <code>DEVICE_KEY</code>, see <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-device-tracking.html\">Working with user devices in your user pool</a>.</p>"
+            "smithy.api#documentation": "<p>The responses to the challenge that you received in the previous request. Each\n    challenge has its own required response parameters. The following examples are partial\n    JSON request bodies that highlight challenge-response parameters.</p>\n         <important>\n            <p>You must provide a SECRET_HASH parameter in all challenge responses to an app\n        client that has a client secret. Include a <code>DEVICE_KEY</code> for device\n        authentication.</p>\n         </important>\n         <dl>\n            <dt>SELECT_CHALLENGE</dt>\n            <dd>\n               <p>\n                  <code>\"ChallengeName\": \"SELECT_CHALLENGE\", \"ChallengeResponses\": {\n            \"USERNAME\": \"[username]\",\n            \"ANSWER\": \"[Challenge name]\"}</code>\n               </p>\n               <p>Available challenges are <code>PASSWORD</code>, <code>PASSWORD_SRP</code>, \n            <code>EMAIL_OTP</code>, <code>SMS_OTP</code>, and <code>WEB_AUTHN</code>.</p>\n               <p>Complete authentication in the <code>SELECT_CHALLENGE</code> response for\n            <code>PASSWORD</code>, <code>PASSWORD_SRP</code>, and <code>WEB_AUTHN</code>:</p>\n               <ul>\n                  <li>\n                     <p>\n                        <code>\"ChallengeName\": \"SELECT_CHALLENGE\", \"ChallengeResponses\": {\n                  \"ANSWER\": \"WEB_AUTHN\",\n                  \"USERNAME\": \"[username]\",\n                  \"CREDENTIAL\": \"[AuthenticationResponseJSON]\"}</code>\n                     </p>\n                     <p>See <a href=\"https://www.w3.org/TR/webauthn-3/#dictdef-authenticationresponsejson\">\n                  AuthenticationResponseJSON</a>.</p>\n                  </li>\n                  <li>\n                     <p>\n                        <code>\"ChallengeName\": \"SELECT_CHALLENGE\", \"ChallengeResponses\": {\n                  \"ANSWER\": \"PASSWORD\",\n                  \"USERNAME\": \"[username]\",\n                  \"PASSWORD\": \"[password]\"}</code>\n                     </p>\n                  </li>\n                  <li>\n                     <p>\n                        <code>\"ChallengeName\": \"SELECT_CHALLENGE\", \"ChallengeResponses\": {\n                  \"ANSWER\": \"PASSWORD_SRP\",\n                  \"USERNAME\": \"[username]\",\n                  \"SRP_A\": \"[SRP_A]\"}</code>\n                     </p>\n                  </li>\n               </ul>\n               <p>For <code>SMS_OTP</code> and <code>EMAIL_OTP</code>, respond with the\n            username and answer. Your user pool will send a code for the user to submit in\n            the next challenge response.</p>\n               <ul>\n                  <li>\n                     <p>\n                        <code>\"ChallengeName\": \"SELECT_CHALLENGE\", \"ChallengeResponses\": {\n                  \"ANSWER\": \"SMS_OTP\",\n                  \"USERNAME\": \"[username]\"}</code>\n                     </p>\n                  </li>\n                  <li>\n                     <p>\n                        <code>\"ChallengeName\": \"SELECT_CHALLENGE\", \"ChallengeResponses\": {\n                  \"ANSWER\": \"EMAIL_OTP\",\n                  \"USERNAME\": \"[username]\"}</code>\n                     </p>\n                  </li>\n               </ul>\n            </dd>\n            <dt>SMS_OTP</dt>\n            <dd>\n               <p>\n                  <code>\"ChallengeName\": \"SMS_OTP\", \"ChallengeResponses\": \n            {\"SMS_OTP_CODE\": \"[code]\", \"USERNAME\": \"[username]\"}</code>\n               </p>\n            </dd>\n            <dt>EMAIL_OTP</dt>\n            <dd>\n               <p>\n                  <code>\"ChallengeName\": \"EMAIL_OTP\", \"ChallengeResponses\": {\"EMAIL_OTP_CODE\":\n                    \"[code]\", \"USERNAME\": \"[username]\"}</code>\n               </p>\n            </dd>\n            <dt>SMS_MFA</dt>\n            <dd>\n               <p>\n                  <code>\"ChallengeName\": \"SMS_MFA\", \"ChallengeResponses\": {\"SMS_MFA_CODE\":\n                    \"[code]\", \"USERNAME\": \"[username]\"}</code>\n               </p>\n            </dd>\n            <dt>PASSWORD_VERIFIER</dt>\n            <dd>\n               <p>This challenge response is part of the SRP flow. Amazon Cognito requires \n            that your application respond to this challenge within a few seconds. When\n            the response time exceeds this period, your user pool returns a\n            <code>NotAuthorizedException</code> error.</p>\n               <p>\n                  <code>\"ChallengeName\": \"PASSWORD_VERIFIER\", \"ChallengeResponses\":\n                    {\"PASSWORD_CLAIM_SIGNATURE\": \"[claim_signature]\",\n                    \"PASSWORD_CLAIM_SECRET_BLOCK\": \"[secret_block]\", \"TIMESTAMP\":\n                    [timestamp], \"USERNAME\": \"[username]\"}</code>\n               </p>\n               <p>Add <code>\"DEVICE_KEY\"</code> when you sign in with a remembered\n                device.</p>\n            </dd>\n            <dt>CUSTOM_CHALLENGE</dt>\n            <dd>\n               <p>\n                  <code>\"ChallengeName\": \"CUSTOM_CHALLENGE\", \"ChallengeResponses\":\n                    {\"USERNAME\": \"[username]\", \"ANSWER\": \"[challenge_answer]\"}</code>\n               </p>\n               <p>Add <code>\"DEVICE_KEY\"</code> when you sign in with a remembered\n                device.</p>\n            </dd>\n            <dt>NEW_PASSWORD_REQUIRED</dt>\n            <dd>\n               <p>\n                  <code>\"ChallengeName\": \"NEW_PASSWORD_REQUIRED\", \"ChallengeResponses\":\n                    {\"NEW_PASSWORD\": \"[new_password]\", \"USERNAME\":\n                \"[username]\"}</code>\n               </p>\n               <p>To set any required attributes that <code>InitiateAuth</code> returned in\n                an <code>requiredAttributes</code> parameter, add\n                    <code>\"userAttributes.[attribute_name]\": \"[attribute_value]\"</code>.\n                This parameter can also set values for writable attributes that aren't\n                required by your user pool.</p>\n               <note>\n                  <p>In a <code>NEW_PASSWORD_REQUIRED</code> challenge response, you can't modify a required attribute that already has a value. \nIn <code>RespondToAuthChallenge</code>, set a value for any keys that Amazon Cognito returned in the <code>requiredAttributes</code> parameter, \nthen use the <code>UpdateUserAttributes</code> API operation to modify the value of any additional attributes.</p>\n               </note>\n            </dd>\n            <dt>SOFTWARE_TOKEN_MFA</dt>\n            <dd>\n               <p>\n                  <code>\"ChallengeName\": \"SOFTWARE_TOKEN_MFA\", \"ChallengeResponses\":\n                    {\"USERNAME\": \"[username]\", \"SOFTWARE_TOKEN_MFA_CODE\":\n                    [authenticator_code]}</code>\n               </p>\n            </dd>\n            <dt>DEVICE_SRP_AUTH</dt>\n            <dd>\n               <p>\n                  <code>\"ChallengeName\": \"DEVICE_SRP_AUTH\", \"ChallengeResponses\": {\"USERNAME\":\n                \"[username]\", \"DEVICE_KEY\": \"[device_key]\", \"SRP_A\":\n                \"[srp_a]\"}</code>\n               </p>\n            </dd>\n            <dt>DEVICE_PASSWORD_VERIFIER</dt>\n            <dd>\n               <p>\n                  <code>\"ChallengeName\": \"DEVICE_PASSWORD_VERIFIER\", \"ChallengeResponses\":\n                {\"DEVICE_KEY\": \"[device_key]\", \"PASSWORD_CLAIM_SIGNATURE\":\n                \"[claim_signature]\", \"PASSWORD_CLAIM_SECRET_BLOCK\": \"[secret_block]\",\n                \"TIMESTAMP\": [timestamp], \"USERNAME\": \"[username]\"}</code>\n               </p>\n            </dd>\n            <dt>MFA_SETUP</dt>\n            <dd>\n               <p>\n                  <code>\"ChallengeName\": \"MFA_SETUP\", \"ChallengeResponses\": {\"USERNAME\":\n                \"[username]\"}, \"SESSION\": \"[Session ID from\n                VerifySoftwareToken]\"</code>\n               </p>\n            </dd>\n            <dt>SELECT_MFA_TYPE</dt>\n            <dd>\n               <p>\n                  <code>\"ChallengeName\": \"SELECT_MFA_TYPE\", \"ChallengeResponses\": {\"USERNAME\":\n                \"[username]\", \"ANSWER\": \"[SMS_MFA or SOFTWARE_TOKEN_MFA]\"}</code>\n               </p>\n            </dd>\n         </dl>\n         <p>For more information about <code>SECRET_HASH</code>, see <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/signing-up-users-in-your-app.html#cognito-user-pools-computing-secret-hash\">Computing secret hash values</a>. For information about\n    <code>DEVICE_KEY</code>, see <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-device-tracking.html\">Working with user devices in your user pool</a>.</p>"
           }
         },
         "Session": {
@@ -3682,7 +3718,7 @@
         }
       ],
       "traits": {
-        "smithy.api#documentation": "<note>\n            <p>This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers\n            require you to register an origination phone number before you can send SMS messages\n            to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a\n            phone number with <a href=\"https://console.aws.amazon.com/pinpoint/home/\">Amazon Pinpoint</a>.\n            Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must\n            receive SMS messages might not be able to sign up, activate their accounts, or sign\n            in.</p>\n            <p>If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Servicesservice,\n            Amazon Simple Notification Service might place your account in the SMS sandbox. In <i>\n                  <a href=\"https://docs.aws.amazon.com/sns/latest/dg/sns-sms-sandbox.html\">sandbox\n                    mode</a>\n               </i>, you can send messages only to verified phone\n            numbers. After you test your app while in the sandbox environment, you can move out\n            of the sandbox and into production. For more information, see <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-sms-settings.html\"> SMS message settings for Amazon Cognito user pools</a> in the <i>Amazon Cognito\n                Developer Guide</i>.</p>\n         </note>\n         <p>Updates the specified user's attributes, including developer attributes, as an\n            administrator. Works on any user. To delete an attribute from your user, submit the\n            attribute in your API request with a blank value.</p>\n         <p>For custom attributes, you must prepend the <code>custom:</code> prefix to the\n            attribute name.</p>\n         <p>In addition to updating user attributes, this API can also be used to mark phone and\n            email as verified.</p>\n         <note>\n            <p>Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For\n    this operation, you must use IAM credentials to authorize requests, and you must\n    grant yourself the corresponding IAM permission in a policy.</p>\n            <p class=\"title\">\n               <b>Learn more</b>\n            </p>\n            <ul>\n               <li>\n                  <p>\n                     <a href=\"https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html\">Signing Amazon Web Services API Requests</a>\n                  </p>\n               </li>\n               <li>\n                  <p>\n                     <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html\">Using the Amazon Cognito user pools API and user pool endpoints</a>\n                  </p>\n               </li>\n            </ul>\n         </note>"
+        "smithy.api#documentation": "<note>\n            <p>This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers\n            require you to register an origination phone number before you can send SMS messages\n            to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a\n            phone number with <a href=\"https://console.aws.amazon.com/pinpoint/home/\">Amazon Pinpoint</a>.\n            Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must\n            receive SMS messages might not be able to sign up, activate their accounts, or sign\n            in.</p>\n            <p>If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Services service,\n            Amazon Simple Notification Service might place your account in the SMS sandbox. In <i>\n                  <a href=\"https://docs.aws.amazon.com/sns/latest/dg/sns-sms-sandbox.html\">sandbox\n                    mode</a>\n               </i>, you can send messages only to verified phone\n            numbers. After you test your app while in the sandbox environment, you can move out\n            of the sandbox and into production. For more information, see <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-sms-settings.html\"> SMS message settings for Amazon Cognito user pools</a> in the <i>Amazon Cognito\n                Developer Guide</i>.</p>\n         </note>\n         <p>Updates the specified user's attributes, including developer attributes, as an\n            administrator. Works on any user. To delete an attribute from your user, submit the\n            attribute in your API request with a blank value.</p>\n         <p>For custom attributes, you must prepend the <code>custom:</code> prefix to the\n            attribute name.</p>\n         <p>In addition to updating user attributes, this API can also be used to mark phone and\n            email as verified.</p>\n         <note>\n            <p>Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For\n    this operation, you must use IAM credentials to authorize requests, and you must\n    grant yourself the corresponding IAM permission in a policy.</p>\n            <p class=\"title\">\n               <b>Learn more</b>\n            </p>\n            <ul>\n               <li>\n                  <p>\n                     <a href=\"https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html\">Signing Amazon Web Services API Requests</a>\n                  </p>\n               </li>\n               <li>\n                  <p>\n                     <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html\">Using the Amazon Cognito user pools API and user pool endpoints</a>\n                  </p>\n               </li>\n            </ul>\n         </note>"
       }
     },
     "com.amazonaws.cognitoidentityprovider#AdminUpdateUserAttributesRequest": {
@@ -3705,7 +3741,7 @@
         "UserAttributes": {
           "target": "com.amazonaws.cognitoidentityprovider#AttributeListType",
           "traits": {
-            "smithy.api#documentation": "<p>An array of name-value pairs representing user attributes.</p>\n         <p>For custom attributes, you must prepend the <code>custom:</code> prefix to the\n            attribute name.</p>\n         <p>If your user pool requires verification before Amazon Cognito updates an attribute value that\n            you specify in this request, Amazon Cognito doesn’t immediately update the value of that\n            attribute. After your user receives and responds to a verification message to verify the\n            new value, Amazon Cognito updates the attribute value. Your user can sign in and receive messages\n            with the original attribute value until they verify the new value.</p>\n         <p>To update the value of an attribute that requires verification in the same API\n            request, include the <code>email_verified</code> or <code>phone_number_verified</code>\n            attribute, with a value of <code>true</code>. If you set the <code>email_verified</code>\n            or <code>phone_number_verified</code> value for an <code>email</code> or\n                <code>phone_number</code> attribute that requires verification to <code>true</code>,\n            Amazon Cognito doesn’t send a verification message to your user.</p>",
+            "smithy.api#documentation": "<p>An array of name-value pairs representing user attributes.</p>\n         <p>For custom attributes, you must prepend the <code>custom:</code> prefix to the\n            attribute name.</p>\n         <p>If your user pool requires verification before Amazon Cognito updates an attribute value that\n            you specify in this request, Amazon Cognito doesn’t immediately update the value of that\n            attribute. After your user receives and responds to a verification message to verify the\n            new value, Amazon Cognito updates the attribute value. Your user can sign in and receive messages\n            with the original attribute value until they verify the new value.</p>\n         <p>To skip the verification message and update the value of an attribute that requires\n            verification in the same API request, include the <code>email_verified</code> or\n                <code>phone_number_verified</code> attribute, with a value of <code>true</code>. If\n            you set the <code>email_verified</code> or <code>phone_number_verified</code> value for\n            an <code>email</code> or <code>phone_number</code> attribute that requires verification\n            to <code>true</code>, Amazon Cognito doesn’t send a verification message to your user.</p>",
             "smithy.api#required": {}
           }
         },
@@ -3798,7 +3834,7 @@
         "CustomAuthMode": {
           "target": "com.amazonaws.cognitoidentityprovider#AdvancedSecurityEnabledModeType",
           "traits": {
-            "smithy.api#documentation": "<p>The operating mode of advanced security features in custom authentication with \n            <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-challenge.html\">\n                Custom authentication challenge Lambda triggers</a>.\n        </p>"
+            "smithy.api#documentation": "<p>The operating mode of advanced security features in custom authentication with <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-challenge.html\"> Custom\n                authentication challenge Lambda triggers</a>. </p>"
           }
         }
       },
@@ -3891,31 +3927,43 @@
         "smithy.api#httpError": 400
       }
     },
+    "com.amazonaws.cognitoidentityprovider#AllowedFirstAuthFactorsListType": {
+      "type": "list",
+      "member": {
+        "target": "com.amazonaws.cognitoidentityprovider#AuthFactorType"
+      },
+      "traits": {
+        "smithy.api#length": {
+          "min": 1,
+          "max": 4
+        }
+      }
+    },
     "com.amazonaws.cognitoidentityprovider#AnalyticsConfigurationType": {
       "type": "structure",
       "members": {
         "ApplicationId": {
           "target": "com.amazonaws.cognitoidentityprovider#HexStringType",
           "traits": {
-            "smithy.api#documentation": "<p>The application ID for an Amazon Pinpoint application.</p>"
+            "smithy.api#documentation": "<p>Your Amazon Pinpoint project ID.</p>"
           }
         },
         "ApplicationArn": {
           "target": "com.amazonaws.cognitoidentityprovider#ArnType",
           "traits": {
-            "smithy.api#documentation": "<p>The Amazon Resource Name (ARN) of an Amazon Pinpoint project. You can use the Amazon Pinpoint project\n            to integrate with the chosen user pool Client. Amazon Cognito publishes events to the Amazon Pinpoint\n            project that the app ARN declares.</p>"
+            "smithy.api#documentation": "<p>The Amazon Resource Name (ARN) of an Amazon Pinpoint project that you want to connect to\n            your user pool app client. Amazon Cognito publishes events to the Amazon Pinpoint project that\n                <code>ApplicationArn</code> declares. You can also configure your application to\n            pass an endpoint ID in the <code>AnalyticsMetadata</code> parameter of sign-in\n            operations. The endpoint ID is information about the destination for push\n            notifications</p>"
           }
         },
         "RoleArn": {
           "target": "com.amazonaws.cognitoidentityprovider#ArnType",
           "traits": {
-            "smithy.api#documentation": "<p>The ARN of an Identity and Access Management role that authorizes Amazon Cognito to publish events to Amazon Pinpoint\n            analytics.</p>"
+            "smithy.api#documentation": "<p>The ARN of an Identity and Access Management role that has the permissions required for Amazon Cognito to publish\n            events to Amazon Pinpoint analytics.</p>"
           }
         },
         "ExternalId": {
           "target": "com.amazonaws.cognitoidentityprovider#StringType",
           "traits": {
-            "smithy.api#documentation": "<p>The external ID.</p>"
+            "smithy.api#documentation": "<p>The <a href=\"https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html\">external ID</a> of the role that Amazon Cognito assumes to send\n            analytics data to Amazon Pinpoint.</p>"
           }
         },
         "UserDataShared": {
@@ -3927,7 +3975,7 @@
         }
       },
       "traits": {
-        "smithy.api#documentation": "<p>The Amazon Pinpoint analytics configuration necessary to collect metrics for a user\n            pool.</p>\n         <note>\n            <p>In Regions where Amazon Pinpoint isn't available, user pools only support sending\n                events to Amazon Pinpoint projects in us-east-1. In Regions where Amazon Pinpoint is available, user\n                pools support sending events to Amazon Pinpoint projects within that same Region.</p>\n         </note>"
+        "smithy.api#documentation": "<p>The settings for Amazon Pinpoint analytics configuration. With an analytics configuration,\n            your application can collect user-activity metrics for user notifications with a Amazon Pinpoint\n            campaign.</p>\n         <p>Amazon Pinpoint isn't available in all Amazon Web Services Regions. For a list of available Regions, see\n                <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-pinpoint-integration.html#cognito-user-pools-find-region-mappings\">Amazon Cognito and Amazon Pinpoint Region availability</a>.</p>\n         <p>This data type is a request parameter of <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPoolClient.html\">CreateUserPoolClient</a> and <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPoolClient.html\">UpdateUserPoolClient</a>, and a response parameter of\n                <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPoolClient.html\">DescribeUserPoolClient</a>.</p>"
       }
     },
     "com.amazonaws.cognitoidentityprovider#AnalyticsMetadataType": {
@@ -3936,12 +3984,12 @@
         "AnalyticsEndpointId": {
           "target": "com.amazonaws.cognitoidentityprovider#StringType",
           "traits": {
-            "smithy.api#documentation": "<p>The endpoint ID.</p>"
+            "smithy.api#documentation": "<p>The endpoint ID. Information that you want to pass to Amazon Pinpoint about where to send\n            notifications.</p>"
           }
         }
       },
       "traits": {
-        "smithy.api#documentation": "<p>An Amazon Pinpoint analytics endpoint.</p>\n         <p>An endpoint uniquely identifies a mobile device, email address, or phone number that\n            can receive messages from Amazon Pinpoint analytics. For more information about Amazon Web Services Regions that\n            can contain Amazon Pinpoint resources for use with Amazon Cognito user pools, see <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-pinpoint-integration.html\">Using Amazon Pinpoint analytics with Amazon Cognito user pools</a>.</p>"
+        "smithy.api#documentation": "<p>Information that your application adds to authentication requests. Applies an endpoint\n            ID to the analytics data that your user pool sends to Amazon Pinpoint.</p>\n         <p>An endpoint ID uniquely identifies a mobile device, email address or phone number that\n            can receive messages from Amazon Pinpoint analytics. For more information about Amazon Web Services Regions that\n            can contain Amazon Pinpoint resources for use with Amazon Cognito user pools, see <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-pinpoint-integration.html\">Using Amazon Pinpoint analytics with Amazon Cognito user pools</a>.</p>\n         <p>This data type is a request parameter of authentication operations like <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_InitiateAuth.html\">InitiateAuth</a>, <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminInitiateAuth.html\">AdminInitiateAuth</a>, <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_RespondToAuthChallenge.html\">RespondToAuthChallenge</a>, and <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminRespondToAuthChallenge.html\">AdminRespondToAuthChallenge</a>.</p>"
       }
     },
     "com.amazonaws.cognitoidentityprovider#ArnType": {
@@ -3954,6 +4002,198 @@
         "smithy.api#pattern": "^arn:[\\w+=/,.@-]+:[\\w+=/,.@-]+:([\\w+=/,.@-]*)?:[0-9]+:[\\w+=/,.@-]+(:[\\w+=/,.@-]+)?(:[\\w+=/,.@-]+)?$"
       }
     },
+    "com.amazonaws.cognitoidentityprovider#AssetBytesType": {
+      "type": "blob",
+      "traits": {
+        "smithy.api#length": {
+          "min": 0,
+          "max": 1000000
+        }
+      }
+    },
+    "com.amazonaws.cognitoidentityprovider#AssetCategoryType": {
+      "type": "enum",
+      "members": {
+        "FAVICON_ICO": {
+          "target": "smithy.api#Unit",
+          "traits": {
+            "smithy.api#enumValue": "FAVICON_ICO"
+          }
+        },
+        "FAVICON_SVG": {
+          "target": "smithy.api#Unit",
+          "traits": {
+            "smithy.api#enumValue": "FAVICON_SVG"
+          }
+        },
+        "EMAIL_GRAPHIC": {
+          "target": "smithy.api#Unit",
+          "traits": {
+            "smithy.api#enumValue": "EMAIL_GRAPHIC"
+          }
+        },
+        "SMS_GRAPHIC": {
+          "target": "smithy.api#Unit",
+          "traits": {
+            "smithy.api#enumValue": "SMS_GRAPHIC"
+          }
+        },
+        "AUTH_APP_GRAPHIC": {
+          "target": "smithy.api#Unit",
+          "traits": {
+            "smithy.api#enumValue": "AUTH_APP_GRAPHIC"
+          }
+        },
+        "PASSWORD_GRAPHIC": {
+          "target": "smithy.api#Unit",
+          "traits": {
+            "smithy.api#enumValue": "PASSWORD_GRAPHIC"
+          }
+        },
+        "PASSKEY_GRAPHIC": {
+          "target": "smithy.api#Unit",
+          "traits": {
+            "smithy.api#enumValue": "PASSKEY_GRAPHIC"
+          }
+        },
+        "PAGE_HEADER_LOGO": {
+          "target": "smithy.api#Unit",
+          "traits": {
+            "smithy.api#enumValue": "PAGE_HEADER_LOGO"
+          }
+        },
+        "PAGE_HEADER_BACKGROUND": {
+          "target": "smithy.api#Unit",
+          "traits": {
+            "smithy.api#enumValue": "PAGE_HEADER_BACKGROUND"
+          }
+        },
+        "PAGE_FOOTER_LOGO": {
+          "target": "smithy.api#Unit",
+          "traits": {
+            "smithy.api#enumValue": "PAGE_FOOTER_LOGO"
+          }
+        },
+        "PAGE_FOOTER_BACKGROUND": {
+          "target": "smithy.api#Unit",
+          "traits": {
+            "smithy.api#enumValue": "PAGE_FOOTER_BACKGROUND"
+          }
+        },
+        "PAGE_BACKGROUND": {
+          "target": "smithy.api#Unit",
+          "traits": {
+            "smithy.api#enumValue": "PAGE_BACKGROUND"
+          }
+        },
+        "FORM_BACKGROUND": {
+          "target": "smithy.api#Unit",
+          "traits": {
+            "smithy.api#enumValue": "FORM_BACKGROUND"
+          }
+        },
+        "FORM_LOGO": {
+          "target": "smithy.api#Unit",
+          "traits": {
+            "smithy.api#enumValue": "FORM_LOGO"
+          }
+        },
+        "IDP_BUTTON_ICON": {
+          "target": "smithy.api#Unit",
+          "traits": {
+            "smithy.api#enumValue": "IDP_BUTTON_ICON"
+          }
+        }
+      }
+    },
+    "com.amazonaws.cognitoidentityprovider#AssetExtensionType": {
+      "type": "enum",
+      "members": {
+        "ICO": {
+          "target": "smithy.api#Unit",
+          "traits": {
+            "smithy.api#enumValue": "ICO"
+          }
+        },
+        "JPEG": {
+          "target": "smithy.api#Unit",
+          "traits": {
+            "smithy.api#enumValue": "JPEG"
+          }
+        },
+        "PNG": {
+          "target": "smithy.api#Unit",
+          "traits": {
+            "smithy.api#enumValue": "PNG"
+          }
+        },
+        "SVG": {
+          "target": "smithy.api#Unit",
+          "traits": {
+            "smithy.api#enumValue": "SVG"
+          }
+        },
+        "WEBP": {
+          "target": "smithy.api#Unit",
+          "traits": {
+            "smithy.api#enumValue": "WEBP"
+          }
+        }
+      }
+    },
+    "com.amazonaws.cognitoidentityprovider#AssetListType": {
+      "type": "list",
+      "member": {
+        "target": "com.amazonaws.cognitoidentityprovider#AssetType"
+      },
+      "traits": {
+        "smithy.api#length": {
+          "min": 0,
+          "max": 40
+        }
+      }
+    },
+    "com.amazonaws.cognitoidentityprovider#AssetType": {
+      "type": "structure",
+      "members": {
+        "Category": {
+          "target": "com.amazonaws.cognitoidentityprovider#AssetCategoryType",
+          "traits": {
+            "smithy.api#documentation": "<p>The category that the image corresponds to in your managed login configuration.\n            Managed login has asset categories for different types of logos, backgrounds, and\n            icons.</p>",
+            "smithy.api#required": {}
+          }
+        },
+        "ColorMode": {
+          "target": "com.amazonaws.cognitoidentityprovider#ColorSchemeModeType",
+          "traits": {
+            "smithy.api#documentation": "<p>The display-mode target of the asset: light, dark, or browser-adaptive. For example,\n            Amazon Cognito displays a dark-mode image only when the browser or application is in dark mode,\n            but displays a browser-adaptive file in all contexts.</p>",
+            "smithy.api#required": {}
+          }
+        },
+        "Extension": {
+          "target": "com.amazonaws.cognitoidentityprovider#AssetExtensionType",
+          "traits": {
+            "smithy.api#documentation": "<p>The file type of the image file.</p>",
+            "smithy.api#required": {}
+          }
+        },
+        "Bytes": {
+          "target": "com.amazonaws.cognitoidentityprovider#AssetBytesType",
+          "traits": {
+            "smithy.api#documentation": "<p>The image file, in Base64-encoded binary.</p>"
+          }
+        },
+        "ResourceId": {
+          "target": "com.amazonaws.cognitoidentityprovider#ResourceIdType",
+          "traits": {
+            "smithy.api#documentation": "<p>The ID of the asset.</p>"
+          }
+        }
+      },
+      "traits": {
+        "smithy.api#documentation": "<p>An image file from a managed login branding style in a user pool.</p>\n         <p>This data type is a request parameter of <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateManagedLoginBranding.html\">CreateManagedLoginBranding</a> and <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateManagedLoginBranding.html\">UpdateManagedLoginBranding</a>, and a response parameter of\n                <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeManagedLoginBranding.html\">DescribeManagedLoginBranding</a>.</p>"
+      }
+    },
     "com.amazonaws.cognitoidentityprovider#AssociateSoftwareToken": {
       "type": "operation",
       "input": {
@@ -4118,7 +4358,7 @@
         }
       },
       "traits": {
-        "smithy.api#documentation": "<p>Specifies whether the attribute is standard or custom.</p>"
+        "smithy.api#documentation": "<p>The name and value of a user attribute.</p>\n         <p>This data type is a request parameter of <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminUpdateUserAttributes.html\">AdminUpdateUserAttributes</a> and <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserAttributes.html\">UpdateUserAttributes</a>.</p>"
       }
     },
     "com.amazonaws.cognitoidentityprovider#AttributeValueType": {
@@ -4149,7 +4389,7 @@
         "EventType": {
           "target": "com.amazonaws.cognitoidentityprovider#EventType",
           "traits": {
-            "smithy.api#documentation": "<p>The event type.</p>"
+            "smithy.api#documentation": "<p>The type of authentication event.</p>"
           }
         },
         "CreationDate": {
@@ -4167,13 +4407,13 @@
         "EventRisk": {
           "target": "com.amazonaws.cognitoidentityprovider#EventRiskType",
           "traits": {
-            "smithy.api#documentation": "<p>The event risk.</p>"
+            "smithy.api#documentation": "<p>The threat evaluation from your user pool about an event. Contains information about\n            whether your user pool detected compromised credentials, whether the event triggered an\n            automated response, and the level of risk.</p>"
           }
         },
         "ChallengeResponses": {
           "target": "com.amazonaws.cognitoidentityprovider#ChallengeResponseListType",
           "traits": {
-            "smithy.api#documentation": "<p>The challenge responses.</p>"
+            "smithy.api#documentation": "<p>A list of the challenges that the user was requested to answer, for example\n                <code>Password</code>, and the result, for example <code>Success</code>.</p>"
           }
         },
         "EventContextData": {
@@ -4185,12 +4425,12 @@
         "EventFeedback": {
           "target": "com.amazonaws.cognitoidentityprovider#EventFeedbackType",
           "traits": {
-            "smithy.api#documentation": "<p>A flag specifying the user feedback captured at the time of an event request is good\n            or bad. </p>"
+            "smithy.api#documentation": "<p>The <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateAuthEventFeedback.html\">UpdateAuthEventFeedback</a> or <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminUpdateAuthEventFeedback.html\">AdminUpdateAuthEventFeedback</a> feedback that you or your\n            user provided in response to the event. A value of <code>Valid</code> indicates that you\n            disagreed with the level of risk that your user pool assigned, and evaluated a session\n            to be valid, or likely safe. A value of <code>Invalid</code> indicates that you agreed\n            with the user pool risk level and evaluated a session to be invalid, or likely\n            malicious.</p>"
           }
         }
       },
       "traits": {
-        "smithy.api#documentation": "<p>The authentication event type.</p>"
+        "smithy.api#documentation": "<p>One authentication event that Amazon Cognito logged in a user pool with advanced security\n            features active. Contains user and device metadata and a risk assessment from your user\n            pool.</p>\n         <p>This data type is a request parameter of <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminListUserAuthEvents.html\">AdminListUserAuthEvents</a>.</p>"
       }
     },
     "com.amazonaws.cognitoidentityprovider#AuthEventsType": {
@@ -4199,6 +4439,35 @@
         "target": "com.amazonaws.cognitoidentityprovider#AuthEventType"
       }
     },
+    "com.amazonaws.cognitoidentityprovider#AuthFactorType": {
+      "type": "enum",
+      "members": {
+        "PASSWORD": {
+          "target": "smithy.api#Unit",
+          "traits": {
+            "smithy.api#enumValue": "PASSWORD"
+          }
+        },
+        "EMAIL_OTP": {
+          "target": "smithy.api#Unit",
+          "traits": {
+            "smithy.api#enumValue": "EMAIL_OTP"
+          }
+        },
+        "SMS_OTP": {
+          "target": "smithy.api#Unit",
+          "traits": {
+            "smithy.api#enumValue": "SMS_OTP"
+          }
+        },
+        "WEB_AUTHN": {
+          "target": "smithy.api#Unit",
+          "traits": {
+            "smithy.api#enumValue": "WEB_AUTHN"
+          }
+        }
+      }
+    },
     "com.amazonaws.cognitoidentityprovider#AuthFlowType": {
       "type": "enum",
       "members": {
@@ -4243,6 +4512,12 @@
           "traits": {
             "smithy.api#enumValue": "ADMIN_USER_PASSWORD_AUTH"
           }
+        },
+        "USER_AUTH": {
+          "target": "smithy.api#Unit",
+          "traits": {
+            "smithy.api#enumValue": "USER_AUTH"
+          }
         }
       }
     },
@@ -4273,7 +4548,7 @@
         "AccessToken": {
           "target": "com.amazonaws.cognitoidentityprovider#TokenModelType",
           "traits": {
-            "smithy.api#documentation": "<p>A valid access token that Amazon Cognito issued to the user who you want to\n            authenticate.</p>"
+            "smithy.api#documentation": "<p>Your user's access token.</p>"
           }
         },
         "ExpiresIn": {
@@ -4286,19 +4561,19 @@
         "TokenType": {
           "target": "com.amazonaws.cognitoidentityprovider#StringType",
           "traits": {
-            "smithy.api#documentation": "<p>The token type.</p>"
+            "smithy.api#documentation": "<p>The intended use of the token, for example <code>Bearer</code>.</p>"
           }
         },
         "RefreshToken": {
           "target": "com.amazonaws.cognitoidentityprovider#TokenModelType",
           "traits": {
-            "smithy.api#documentation": "<p>The refresh token.</p>"
+            "smithy.api#documentation": "<p>Your user's refresh token.</p>"
           }
         },
         "IdToken": {
           "target": "com.amazonaws.cognitoidentityprovider#TokenModelType",
           "traits": {
-            "smithy.api#documentation": "<p>The ID token.</p>"
+            "smithy.api#documentation": "<p>Your user's ID token.</p>"
           }
         },
         "NewDeviceMetadata": {
@@ -4309,7 +4584,13 @@
         }
       },
       "traits": {
-        "smithy.api#documentation": "<p>The authentication result.</p>"
+        "smithy.api#documentation": "<p>The object that your application receives after authentication. Contains tokens and\n            information for device authentication.</p>\n         <p>This data type is a response parameter of authentication operations like <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_InitiateAuth.html\">InitiateAuth</a>, <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminInitiateAuth.html\">AdminInitiateAuth</a>, <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_RespondToAuthChallenge.html\">RespondToAuthChallenge</a>, and <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminRespondToAuthChallenge.html\">AdminRespondToAuthChallenge</a>.</p>"
+      }
+    },
+    "com.amazonaws.cognitoidentityprovider#AvailableChallengeListType": {
+      "type": "list",
+      "member": {
+        "target": "com.amazonaws.cognitoidentityprovider#ChallengeNameType"
       }
     },
     "com.amazonaws.cognitoidentityprovider#BlockedIPRangeListType": {
@@ -4416,6 +4697,12 @@
             "smithy.api#enumValue": "CUSTOM_CHALLENGE"
           }
         },
+        "SELECT_CHALLENGE": {
+          "target": "smithy.api#Unit",
+          "traits": {
+            "smithy.api#enumValue": "SELECT_CHALLENGE"
+          }
+        },
         "DEVICE_SRP_AUTH": {
           "target": "smithy.api#Unit",
           "traits": {
@@ -4439,6 +4726,30 @@
           "traits": {
             "smithy.api#enumValue": "NEW_PASSWORD_REQUIRED"
           }
+        },
+        "SMS_OTP": {
+          "target": "smithy.api#Unit",
+          "traits": {
+            "smithy.api#enumValue": "SMS_OTP"
+          }
+        },
+        "PASSWORD": {
+          "target": "smithy.api#Unit",
+          "traits": {
+            "smithy.api#enumValue": "PASSWORD"
+          }
+        },
+        "WEB_AUTHN": {
+          "target": "smithy.api#Unit",
+          "traits": {
+            "smithy.api#enumValue": "WEB_AUTHN"
+          }
+        },
+        "PASSWORD_SRP": {
+          "target": "smithy.api#Unit",
+          "traits": {
+            "smithy.api#enumValue": "PASSWORD_SRP"
+          }
         }
       }
     },
@@ -4480,18 +4791,18 @@
         "ChallengeName": {
           "target": "com.amazonaws.cognitoidentityprovider#ChallengeName",
           "traits": {
-            "smithy.api#documentation": "<p>The challenge name.</p>"
+            "smithy.api#documentation": "<p>The type of challenge that your previous authentication request returned in the\n            parameter <code>ChallengeName</code>, for example <code>SMS_MFA</code>.</p>"
           }
         },
         "ChallengeResponse": {
           "target": "com.amazonaws.cognitoidentityprovider#ChallengeResponse",
           "traits": {
-            "smithy.api#documentation": "<p>The challenge response.</p>"
+            "smithy.api#documentation": "<p>The set of key-value pairs that provides a response to the requested challenge.</p>"
           }
         }
       },
       "traits": {
-        "smithy.api#documentation": "<p>The challenge response type.</p>"
+        "smithy.api#documentation": "<p>The responses to the challenge that you received in the previous request. Each\n    challenge has its own required response parameters. The following examples are partial\n    JSON request bodies that highlight challenge-response parameters.</p>\n         <important>\n            <p>You must provide a SECRET_HASH parameter in all challenge responses to an app\n        client that has a client secret. Include a <code>DEVICE_KEY</code> for device\n        authentication.</p>\n         </important>\n         <dl>\n            <dt>SELECT_CHALLENGE</dt>\n            <dd>\n               <p>\n                  <code>\"ChallengeName\": \"SELECT_CHALLENGE\", \"ChallengeResponses\": {\n            \"USERNAME\": \"[username]\",\n            \"ANSWER\": \"[Challenge name]\"}</code>\n               </p>\n               <p>Available challenges are <code>PASSWORD</code>, <code>PASSWORD_SRP</code>, \n            <code>EMAIL_OTP</code>, <code>SMS_OTP</code>, and <code>WEB_AUTHN</code>.</p>\n               <p>Complete authentication in the <code>SELECT_CHALLENGE</code> response for\n            <code>PASSWORD</code>, <code>PASSWORD_SRP</code>, and <code>WEB_AUTHN</code>:</p>\n               <ul>\n                  <li>\n                     <p>\n                        <code>\"ChallengeName\": \"SELECT_CHALLENGE\", \"ChallengeResponses\": {\n                  \"ANSWER\": \"WEB_AUTHN\",\n                  \"USERNAME\": \"[username]\",\n                  \"CREDENTIAL\": \"[AuthenticationResponseJSON]\"}</code>\n                     </p>\n                     <p>See <a href=\"https://www.w3.org/TR/webauthn-3/#dictdef-authenticationresponsejson\">\n                  AuthenticationResponseJSON</a>.</p>\n                  </li>\n                  <li>\n                     <p>\n                        <code>\"ChallengeName\": \"SELECT_CHALLENGE\", \"ChallengeResponses\": {\n                  \"ANSWER\": \"PASSWORD\",\n                  \"USERNAME\": \"[username]\",\n                  \"PASSWORD\": \"[password]\"}</code>\n                     </p>\n                  </li>\n                  <li>\n                     <p>\n                        <code>\"ChallengeName\": \"SELECT_CHALLENGE\", \"ChallengeResponses\": {\n                  \"ANSWER\": \"PASSWORD_SRP\",\n                  \"USERNAME\": \"[username]\",\n                  \"SRP_A\": \"[SRP_A]\"}</code>\n                     </p>\n                  </li>\n               </ul>\n               <p>For <code>SMS_OTP</code> and <code>EMAIL_OTP</code>, respond with the\n            username and answer. Your user pool will send a code for the user to submit in\n            the next challenge response.</p>\n               <ul>\n                  <li>\n                     <p>\n                        <code>\"ChallengeName\": \"SELECT_CHALLENGE\", \"ChallengeResponses\": {\n                  \"ANSWER\": \"SMS_OTP\",\n                  \"USERNAME\": \"[username]\"}</code>\n                     </p>\n                  </li>\n                  <li>\n                     <p>\n                        <code>\"ChallengeName\": \"SELECT_CHALLENGE\", \"ChallengeResponses\": {\n                  \"ANSWER\": \"EMAIL_OTP\",\n                  \"USERNAME\": \"[username]\"}</code>\n                     </p>\n                  </li>\n               </ul>\n            </dd>\n            <dt>SMS_OTP</dt>\n            <dd>\n               <p>\n                  <code>\"ChallengeName\": \"SMS_OTP\", \"ChallengeResponses\": \n            {\"SMS_OTP_CODE\": \"[code]\", \"USERNAME\": \"[username]\"}</code>\n               </p>\n            </dd>\n            <dt>EMAIL_OTP</dt>\n            <dd>\n               <p>\n                  <code>\"ChallengeName\": \"EMAIL_OTP\", \"ChallengeResponses\": {\"EMAIL_OTP_CODE\":\n                    \"[code]\", \"USERNAME\": \"[username]\"}</code>\n               </p>\n            </dd>\n            <dt>SMS_MFA</dt>\n            <dd>\n               <p>\n                  <code>\"ChallengeName\": \"SMS_MFA\", \"ChallengeResponses\": {\"SMS_MFA_CODE\":\n                    \"[code]\", \"USERNAME\": \"[username]\"}</code>\n               </p>\n            </dd>\n            <dt>PASSWORD_VERIFIER</dt>\n            <dd>\n               <p>This challenge response is part of the SRP flow. Amazon Cognito requires \n            that your application respond to this challenge within a few seconds. When\n            the response time exceeds this period, your user pool returns a\n            <code>NotAuthorizedException</code> error.</p>\n               <p>\n                  <code>\"ChallengeName\": \"PASSWORD_VERIFIER\", \"ChallengeResponses\":\n                    {\"PASSWORD_CLAIM_SIGNATURE\": \"[claim_signature]\",\n                    \"PASSWORD_CLAIM_SECRET_BLOCK\": \"[secret_block]\", \"TIMESTAMP\":\n                    [timestamp], \"USERNAME\": \"[username]\"}</code>\n               </p>\n               <p>Add <code>\"DEVICE_KEY\"</code> when you sign in with a remembered\n                device.</p>\n            </dd>\n            <dt>CUSTOM_CHALLENGE</dt>\n            <dd>\n               <p>\n                  <code>\"ChallengeName\": \"CUSTOM_CHALLENGE\", \"ChallengeResponses\":\n                    {\"USERNAME\": \"[username]\", \"ANSWER\": \"[challenge_answer]\"}</code>\n               </p>\n               <p>Add <code>\"DEVICE_KEY\"</code> when you sign in with a remembered\n                device.</p>\n            </dd>\n            <dt>NEW_PASSWORD_REQUIRED</dt>\n            <dd>\n               <p>\n                  <code>\"ChallengeName\": \"NEW_PASSWORD_REQUIRED\", \"ChallengeResponses\":\n                    {\"NEW_PASSWORD\": \"[new_password]\", \"USERNAME\":\n                \"[username]\"}</code>\n               </p>\n               <p>To set any required attributes that <code>InitiateAuth</code> returned in\n                an <code>requiredAttributes</code> parameter, add\n                    <code>\"userAttributes.[attribute_name]\": \"[attribute_value]\"</code>.\n                This parameter can also set values for writable attributes that aren't\n                required by your user pool.</p>\n               <note>\n                  <p>In a <code>NEW_PASSWORD_REQUIRED</code> challenge response, you can't modify a required attribute that already has a value. \nIn <code>RespondToAuthChallenge</code>, set a value for any keys that Amazon Cognito returned in the <code>requiredAttributes</code> parameter, \nthen use the <code>UpdateUserAttributes</code> API operation to modify the value of any additional attributes.</p>\n               </note>\n            </dd>\n            <dt>SOFTWARE_TOKEN_MFA</dt>\n            <dd>\n               <p>\n                  <code>\"ChallengeName\": \"SOFTWARE_TOKEN_MFA\", \"ChallengeResponses\":\n                    {\"USERNAME\": \"[username]\", \"SOFTWARE_TOKEN_MFA_CODE\":\n                    [authenticator_code]}</code>\n               </p>\n            </dd>\n            <dt>DEVICE_SRP_AUTH</dt>\n            <dd>\n               <p>\n                  <code>\"ChallengeName\": \"DEVICE_SRP_AUTH\", \"ChallengeResponses\": {\"USERNAME\":\n                \"[username]\", \"DEVICE_KEY\": \"[device_key]\", \"SRP_A\":\n                \"[srp_a]\"}</code>\n               </p>\n            </dd>\n            <dt>DEVICE_PASSWORD_VERIFIER</dt>\n            <dd>\n               <p>\n                  <code>\"ChallengeName\": \"DEVICE_PASSWORD_VERIFIER\", \"ChallengeResponses\":\n                {\"DEVICE_KEY\": \"[device_key]\", \"PASSWORD_CLAIM_SIGNATURE\":\n                \"[claim_signature]\", \"PASSWORD_CLAIM_SECRET_BLOCK\": \"[secret_block]\",\n                \"TIMESTAMP\": [timestamp], \"USERNAME\": \"[username]\"}</code>\n               </p>\n            </dd>\n            <dt>MFA_SETUP</dt>\n            <dd>\n               <p>\n                  <code>\"ChallengeName\": \"MFA_SETUP\", \"ChallengeResponses\": {\"USERNAME\":\n                \"[username]\"}, \"SESSION\": \"[Session ID from\n                VerifySoftwareToken]\"</code>\n               </p>\n            </dd>\n            <dt>SELECT_MFA_TYPE</dt>\n            <dd>\n               <p>\n                  <code>\"ChallengeName\": \"SELECT_MFA_TYPE\", \"ChallengeResponses\": {\"USERNAME\":\n                \"[username]\", \"ANSWER\": \"[SMS_MFA or SOFTWARE_TOKEN_MFA]\"}</code>\n               </p>\n            </dd>\n         </dl>\n         <p>For more information about <code>SECRET_HASH</code>, see <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/signing-up-users-in-your-app.html#cognito-user-pools-computing-secret-hash\">Computing secret hash values</a>. For information about\n    <code>DEVICE_KEY</code>, see <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-device-tracking.html\">Working with user devices in your user pool</a>.</p>\n         <p>This data type is a request parameter of <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_RespondToAuthChallenge.html\">RespondToAuthChallenge</a> and <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminRespondToAuthChallenge.html\">AdminRespondToAuthChallenge</a>.</p>"
       }
     },
     "com.amazonaws.cognitoidentityprovider#ChallengeResponsesType": {
@@ -4564,8 +4875,7 @@
         "PreviousPassword": {
           "target": "com.amazonaws.cognitoidentityprovider#PasswordType",
           "traits": {
-            "smithy.api#documentation": "<p>The old password.</p>",
-            "smithy.api#required": {}
+            "smithy.api#documentation": "<p>The user's previous password. Required if the user has a password. If the user\n            has no password and only signs in with passwordless authentication options, you can omit\n            this parameter.</p>"
           }
         },
         "ProposedPassword": {
@@ -4663,7 +4973,7 @@
         }
       },
       "traits": {
-        "smithy.api#documentation": "<p>Configuration for the CloudWatch log group destination of user pool detailed activity\n            logging, or of user activity log export with advanced security features.</p>"
+        "smithy.api#documentation": "<p>Configuration for the CloudWatch log group destination of user pool detailed activity\n            logging, or of user activity log export with advanced security features.</p>\n         <p>This data type is a request parameter of <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SetLogDeliveryConfiguration.html\">SetLogDeliveryConfiguration</a> and a response parameter of\n                <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_GetLogDeliveryConfiguration.html\">GetLogDeliveryConfiguration</a>.</p>"
       }
     },
     "com.amazonaws.cognitoidentityprovider#CodeDeliveryDetailsListType": {
@@ -4695,7 +5005,7 @@
         }
       },
       "traits": {
-        "smithy.api#documentation": "<p>The delivery details for an email or SMS message that Amazon Cognito sent for authentication or\n            verification.</p>"
+        "smithy.api#documentation": "<p>The delivery details for an email or SMS message that Amazon Cognito sent for authentication or\n            verification.</p>\n         <p>This data type is a response parameter of operations that send a code for user profile\n            confirmation, verification, or management, for example <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_ForgotPassword.html\">ForgotPassword</a> and <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SignUp.html\">SignUp</a>.</p>"
       }
     },
     "com.amazonaws.cognitoidentityprovider#CodeDeliveryFailureException": {
@@ -4730,67 +5040,171 @@
         "smithy.api#httpError": 400
       }
     },
-    "com.amazonaws.cognitoidentityprovider#CompletionMessageType": {
-      "type": "string",
-      "traits": {
-        "smithy.api#length": {
-          "min": 1,
-          "max": 128
-        },
-        "smithy.api#pattern": "^[\\w]+$"
-      }
-    },
-    "com.amazonaws.cognitoidentityprovider#CompromisedCredentialsActionsType": {
-      "type": "structure",
-      "members": {
-        "EventAction": {
-          "target": "com.amazonaws.cognitoidentityprovider#CompromisedCredentialsEventActionType",
-          "traits": {
-            "smithy.api#documentation": "<p>The event action.</p>",
-            "smithy.api#required": {}
-          }
-        }
-      },
-      "traits": {
-        "smithy.api#documentation": "<p>The compromised credentials actions type.</p>"
-      }
-    },
-    "com.amazonaws.cognitoidentityprovider#CompromisedCredentialsEventActionType": {
+    "com.amazonaws.cognitoidentityprovider#ColorSchemeModeType": {
       "type": "enum",
       "members": {
-        "BLOCK": {
+        "LIGHT": {
           "target": "smithy.api#Unit",
           "traits": {
-            "smithy.api#enumValue": "BLOCK"
+            "smithy.api#enumValue": "LIGHT"
           }
         },
-        "NO_ACTION": {
+        "DARK": {
           "target": "smithy.api#Unit",
           "traits": {
-            "smithy.api#enumValue": "NO_ACTION"
-          }
-        }
-      }
-    },
-    "com.amazonaws.cognitoidentityprovider#CompromisedCredentialsRiskConfigurationType": {
-      "type": "structure",
-      "members": {
-        "EventFilter": {
-          "target": "com.amazonaws.cognitoidentityprovider#EventFiltersType",
-          "traits": {
-            "smithy.api#documentation": "<p>Perform the action for these events. The default is to perform all events if no event\n            filter is specified.</p>"
+            "smithy.api#enumValue": "DARK"
           }
         },
-        "Actions": {
-          "target": "com.amazonaws.cognitoidentityprovider#CompromisedCredentialsActionsType",
+        "DYNAMIC": {
+          "target": "smithy.api#Unit",
           "traits": {
-            "smithy.api#documentation": "<p>The compromised credentials risk configuration actions.</p>",
-            "smithy.api#required": {}
+            "smithy.api#enumValue": "DYNAMIC"
+          }
+        }
+      }
+    },
+    "com.amazonaws.cognitoidentityprovider#CompleteWebAuthnRegistration": {
+      "type": "operation",
+      "input": {
+        "target": "com.amazonaws.cognitoidentityprovider#CompleteWebAuthnRegistrationRequest"
+      },
+      "output": {
+        "target": "com.amazonaws.cognitoidentityprovider#CompleteWebAuthnRegistrationResponse"
+      },
+      "errors": [
+        {
+          "target": "com.amazonaws.cognitoidentityprovider#ForbiddenException"
+        },
+        {
+          "target": "com.amazonaws.cognitoidentityprovider#InternalErrorException"
+        },
+        {
+          "target": "com.amazonaws.cognitoidentityprovider#InvalidParameterException"
+        },
+        {
+          "target": "com.amazonaws.cognitoidentityprovider#LimitExceededException"
+        },
+        {
+          "target": "com.amazonaws.cognitoidentityprovider#NotAuthorizedException"
+        },
+        {
+          "target": "com.amazonaws.cognitoidentityprovider#TooManyRequestsException"
+        },
+        {
+          "target": "com.amazonaws.cognitoidentityprovider#WebAuthnChallengeNotFoundException"
+        },
+        {
+          "target": "com.amazonaws.cognitoidentityprovider#WebAuthnClientMismatchException"
+        },
+        {
+          "target": "com.amazonaws.cognitoidentityprovider#WebAuthnCredentialNotSupportedException"
+        },
+        {
+          "target": "com.amazonaws.cognitoidentityprovider#WebAuthnNotEnabledException"
+        },
+        {
+          "target": "com.amazonaws.cognitoidentityprovider#WebAuthnOriginNotAllowedException"
+        },
+        {
+          "target": "com.amazonaws.cognitoidentityprovider#WebAuthnRelyingPartyMismatchException"
+        }
+      ],
+      "traits": {
+        "smithy.api#auth": [],
+        "smithy.api#documentation": "<p>Completes registration of a passkey authenticator for the current user. Your\n            application provides data from a successful registration request with the data from the\n            output of a <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_StartWebAuthnRegistration.html\"> StartWebAuthnRegistration</a>.</p>\n         <p>Authorize this action with a signed-in user's access token. It must include the scope <code>aws.cognito.signin.user.admin</code>.</p>",
+        "smithy.api#optionalAuth": {}
+      }
+    },
+    "com.amazonaws.cognitoidentityprovider#CompleteWebAuthnRegistrationRequest": {
+      "type": "structure",
+      "members": {
+        "AccessToken": {
+          "target": "com.amazonaws.cognitoidentityprovider#TokenModelType",
+          "traits": {
+            "smithy.api#documentation": "<p>A valid access token that Amazon Cognito issued to the user whose passkey registration you want\n            to verify.</p>",
+            "smithy.api#required": {}
+          }
+        },
+        "Credential": {
+          "target": "com.amazonaws.cognitoidentityprovider#Document",
+          "traits": {
+            "smithy.api#documentation": "<p>A <a href=\"https://www.w3.org/TR/webauthn-3/#dictdef-registrationresponsejson\">RegistrationResponseJSON</a> public-key credential response from the\n            user's passkey provider.</p>",
+            "smithy.api#required": {}
+          }
+        }
+      },
+      "traits": {
+        "smithy.api#input": {}
+      }
+    },
+    "com.amazonaws.cognitoidentityprovider#CompleteWebAuthnRegistrationResponse": {
+      "type": "structure",
+      "members": {},
+      "traits": {
+        "smithy.api#output": {}
+      }
+    },
+    "com.amazonaws.cognitoidentityprovider#CompletionMessageType": {
+      "type": "string",
+      "traits": {
+        "smithy.api#length": {
+          "min": 1,
+          "max": 128
+        },
+        "smithy.api#pattern": "^[\\w]+$"
+      }
+    },
+    "com.amazonaws.cognitoidentityprovider#CompromisedCredentialsActionsType": {
+      "type": "structure",
+      "members": {
+        "EventAction": {
+          "target": "com.amazonaws.cognitoidentityprovider#CompromisedCredentialsEventActionType",
+          "traits": {
+            "smithy.api#documentation": "<p>The action that Amazon Cognito takes when it detects compromised credentials.</p>",
+            "smithy.api#required": {}
+          }
+        }
+      },
+      "traits": {
+        "smithy.api#documentation": "<p>Settings for user pool actions when Amazon Cognito detects compromised credentials with\n            advanced security features in full-function <code>ENFORCED</code> mode.</p>\n         <p>This data type is a request parameter of <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SetRiskConfiguration.html\">SetRiskConfiguration</a> and a response parameter of <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeRiskConfiguration.html\">DescribeRiskConfiguration</a>.</p>"
+      }
+    },
+    "com.amazonaws.cognitoidentityprovider#CompromisedCredentialsEventActionType": {
+      "type": "enum",
+      "members": {
+        "BLOCK": {
+          "target": "smithy.api#Unit",
+          "traits": {
+            "smithy.api#enumValue": "BLOCK"
+          }
+        },
+        "NO_ACTION": {
+          "target": "smithy.api#Unit",
+          "traits": {
+            "smithy.api#enumValue": "NO_ACTION"
+          }
+        }
+      }
+    },
+    "com.amazonaws.cognitoidentityprovider#CompromisedCredentialsRiskConfigurationType": {
+      "type": "structure",
+      "members": {
+        "EventFilter": {
+          "target": "com.amazonaws.cognitoidentityprovider#EventFiltersType",
+          "traits": {
+            "smithy.api#documentation": "<p>Settings for the sign-in activity where you want to configure compromised-credentials\n            actions. Defaults to all events.</p>"
+          }
+        },
+        "Actions": {
+          "target": "com.amazonaws.cognitoidentityprovider#CompromisedCredentialsActionsType",
+          "traits": {
+            "smithy.api#documentation": "<p>Settings for the actions that you want your user pool to take when Amazon Cognito detects\n            compromised credentials.</p>",
+            "smithy.api#required": {}
           }
         }
       },
       "traits": {
-        "smithy.api#documentation": "<p>The compromised credentials risk configuration type.</p>"
+        "smithy.api#documentation": "<p>Settings for compromised-credentials actions and authentication-event sources with\n            advanced security features in full-function <code>ENFORCED</code> mode.</p>\n         <p>This data type is a request parameter of <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SetRiskConfiguration.html\">SetRiskConfiguration</a> and a response parameter of <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeRiskConfiguration.html\">DescribeRiskConfiguration</a>.</p>"
       }
     },
     "com.amazonaws.cognitoidentityprovider#ConcurrentModificationException": {
@@ -4809,6 +5223,18 @@
         "smithy.api#httpError": 400
       }
     },
+    "com.amazonaws.cognitoidentityprovider#ConfiguredUserAuthFactorsListType": {
+      "type": "list",
+      "member": {
+        "target": "com.amazonaws.cognitoidentityprovider#AuthFactorType"
+      },
+      "traits": {
+        "smithy.api#length": {
+          "min": 0,
+          "max": 8
+        }
+      }
+    },
     "com.amazonaws.cognitoidentityprovider#ConfirmDevice": {
       "type": "operation",
       "input": {
@@ -5166,6 +5592,12 @@
           "traits": {
             "smithy.api#documentation": "<p>A map of custom key-value pairs that you can provide as input for any custom workflows\n            that this action triggers.</p>\n         <p>You create custom workflows by assigning Lambda functions to user pool\n            triggers. When you use the ConfirmSignUp API action, Amazon Cognito invokes the function that is\n            assigned to the <i>post confirmation</i> trigger. When Amazon Cognito invokes this\n            function, it passes a JSON payload, which the function receives as input. This payload\n            contains a <code>clientMetadata</code> attribute, which provides the data that you\n            assigned to the ClientMetadata parameter in your ConfirmSignUp request. In your function\n            code in Lambda, you can process the <code>clientMetadata</code> value to\n            enhance your workflow for your specific needs.</p>\n         <p>For more information, see <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html\">\nCustomizing user pool Workflows with Lambda Triggers</a> in the <i>Amazon Cognito Developer Guide</i>.</p>\n         <note>\n            <p>When you use the ClientMetadata parameter, remember that Amazon Cognito won't do the\n                following:</p>\n            <ul>\n               <li>\n                  <p>Store the ClientMetadata value. This data is available only to Lambda\n                        triggers that are assigned to a user pool to support custom workflows. If\n                        your user pool configuration doesn't include triggers, the ClientMetadata\n                        parameter serves no purpose.</p>\n               </li>\n               <li>\n                  <p>Validate the ClientMetadata value.</p>\n               </li>\n               <li>\n                  <p>Encrypt the ClientMetadata value. Don't use Amazon Cognito to provide sensitive\n                        information.</p>\n               </li>\n            </ul>\n         </note>"
           }
+        },
+        "Session": {
+          "target": "com.amazonaws.cognitoidentityprovider#SessionType",
+          "traits": {
+            "smithy.api#documentation": "<p>The optional session ID from a <code>SignUp</code> API request. You can sign in a user\n            directly from the sign-up process with the <code>USER_AUTH</code> authentication\n            flow.</p>"
+          }
         }
       },
       "traits": {
@@ -5175,7 +5607,14 @@
     },
     "com.amazonaws.cognitoidentityprovider#ConfirmSignUpResponse": {
       "type": "structure",
-      "members": {},
+      "members": {
+        "Session": {
+          "target": "com.amazonaws.cognitoidentityprovider#SessionType",
+          "traits": {
+            "smithy.api#documentation": "<p>You can automatically sign users in with the one-time password that they provided in a\n            successful <code>ConfirmSignUp</code> request. To do this, pass the <code>Session</code>\n            parameter from the <code>ConfirmSignUp</code> response in the <code>Session</code>\n            parameter of an <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_InitiateAuth.html\">InitiateAuth</a> or <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminInitiateAuth.html\">AdminInitiateAuth</a> request.</p>"
+          }
+        }
+      },
       "traits": {
         "smithy.api#documentation": "<p>Represents the response from the server for the registration confirmation.</p>",
         "smithy.api#output": {}
@@ -5204,21 +5643,21 @@
         "ServerName": {
           "target": "com.amazonaws.cognitoidentityprovider#StringType",
           "traits": {
-            "smithy.api#documentation": "<p>Your server endpoint where this API is invoked.</p>",
+            "smithy.api#documentation": "<p>The name of your application's service endpoint.</p>",
             "smithy.api#required": {}
           }
         },
         "ServerPath": {
           "target": "com.amazonaws.cognitoidentityprovider#StringType",
           "traits": {
-            "smithy.api#documentation": "<p>Your server path where this API is invoked.</p>",
+            "smithy.api#documentation": "<p>The path of your application's service endpoint.</p>",
             "smithy.api#required": {}
           }
         },
         "HttpHeaders": {
           "target": "com.amazonaws.cognitoidentityprovider#HttpHeaderList",
           "traits": {
-            "smithy.api#documentation": "<p>HttpHeaders received on your server in same order.</p>",
+            "smithy.api#documentation": "<p>The HTTP headers from your user's authentication request.</p>",
             "smithy.api#required": {}
           }
         },
@@ -5230,7 +5669,7 @@
         }
       },
       "traits": {
-        "smithy.api#documentation": "<p>Contextual user data type used for evaluating the risk of an unexpected event by Amazon Cognito\n            advanced security.</p>"
+        "smithy.api#documentation": "<p>Contextual user data used for evaluating the risk of an authentication event by user\n            pool threat protection.</p>\n         <p>This data type is a request parameter of server-side authentication operations like\n                <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminInitiateAuth.html\">AdminInitiateAuth</a> and <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminRespondToAuthChallenge.html\">AdminRespondToAuthChallenge</a>.</p>"
       }
     },
     "com.amazonaws.cognitoidentityprovider#CreateGroup": {
@@ -5420,6 +5859,99 @@
         "smithy.api#output": {}
       }
     },
+    "com.amazonaws.cognitoidentityprovider#CreateManagedLoginBranding": {
+      "type": "operation",
+      "input": {
+        "target": "com.amazonaws.cognitoidentityprovider#CreateManagedLoginBrandingRequest"
+      },
+      "output": {
+        "target": "com.amazonaws.cognitoidentityprovider#CreateManagedLoginBrandingResponse"
+      },
+      "errors": [
+        {
+          "target": "com.amazonaws.cognitoidentityprovider#ConcurrentModificationException"
+        },
+        {
+          "target": "com.amazonaws.cognitoidentityprovider#InternalErrorException"
+        },
+        {
+          "target": "com.amazonaws.cognitoidentityprovider#InvalidParameterException"
+        },
+        {
+          "target": "com.amazonaws.cognitoidentityprovider#LimitExceededException"
+        },
+        {
+          "target": "com.amazonaws.cognitoidentityprovider#ManagedLoginBrandingExistsException"
+        },
+        {
+          "target": "com.amazonaws.cognitoidentityprovider#NotAuthorizedException"
+        },
+        {
+          "target": "com.amazonaws.cognitoidentityprovider#ResourceNotFoundException"
+        },
+        {
+          "target": "com.amazonaws.cognitoidentityprovider#TooManyRequestsException"
+        }
+      ],
+      "traits": {
+        "smithy.api#documentation": "<p>Creates a new set of branding settings for a user pool style and associates it with an\n            app client. This operation is the programmatic option for the creation of a new style in\n            the branding designer.</p>\n         <p>Provides values for UI customization in a <code>Settings</code> JSON object and image\n            files in an <code>Assets</code> array. To send the JSON object <code>Document</code>\n            type parameter in <code>Settings</code>, you might need to update to the most recent\n            version of your Amazon Web Services SDK. </p>\n         <p> This operation has a 2-megabyte request-size limit and include the CSS settings and\n            image assets for your app client. Your branding settings might exceed 2MB in size. Amazon Cognito\n            doesn't require that you pass all parameters in one request and preserves existing\n            style settings that you don't specify. If your request is larger than 2MB, separate it\n            into multiple requests, each with a size smaller than the limit. </p>\n         <p>For more information, see <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/managed-login-brandingdesigner.html#branding-designer-api\">API and SDK operations for managed login branding</a>\n         </p>\n         <note>\n            <p>Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For\n    this operation, you must use IAM credentials to authorize requests, and you must\n    grant yourself the corresponding IAM permission in a policy.</p>\n            <p class=\"title\">\n               <b>Learn more</b>\n            </p>\n            <ul>\n               <li>\n                  <p>\n                     <a href=\"https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html\">Signing Amazon Web Services API Requests</a>\n                  </p>\n               </li>\n               <li>\n                  <p>\n                     <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html\">Using the Amazon Cognito user pools API and user pool endpoints</a>\n                  </p>\n               </li>\n            </ul>\n         </note>"
+      }
+    },
+    "com.amazonaws.cognitoidentityprovider#CreateManagedLoginBrandingRequest": {
+      "type": "structure",
+      "members": {
+        "UserPoolId": {
+          "target": "com.amazonaws.cognitoidentityprovider#UserPoolIdType",
+          "traits": {
+            "smithy.api#documentation": "<p>The ID of the user pool where you want to create a new branding style.</p>",
+            "smithy.api#required": {}
+          }
+        },
+        "ClientId": {
+          "target": "com.amazonaws.cognitoidentityprovider#ClientIdType",
+          "traits": {
+            "smithy.api#documentation": "<p>The app client that you want to create the branding style for. Each style is\n            permanently linked to an app client. To change the style for an app client, delete the\n            existing style with <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DeleteManagedLoginBranding.html\">DeleteManagedLoginBranding</a> and create a new one.</p>",
+            "smithy.api#required": {}
+          }
+        },
+        "UseCognitoProvidedValues": {
+          "target": "com.amazonaws.cognitoidentityprovider#BooleanType",
+          "traits": {
+            "smithy.api#default": false,
+            "smithy.api#documentation": "<p>When true, applies the default branding style options. This option reverts to default\n            style options that are managed by Amazon Cognito. You can modify them later in the branding\n            designer.</p>\n         <p>When you specify <code>true</code> for this option, you must also omit values for\n                <code>Settings</code> and <code>Assets</code> in the request.</p>"
+          }
+        },
+        "Settings": {
+          "target": "com.amazonaws.cognitoidentityprovider#Document",
+          "traits": {
+            "smithy.api#documentation": "<p>A JSON file, encoded as a <code>Document</code> type, with the the settings that you\n            want to apply to your style.</p>"
+          }
+        },
+        "Assets": {
+          "target": "com.amazonaws.cognitoidentityprovider#AssetListType",
+          "traits": {
+            "smithy.api#documentation": "<p>An array of image files that you want to apply to roles like backgrounds, logos, and\n            icons. Each object must also indicate whether it is for dark mode, light mode, or\n            browser-adaptive mode.</p>"
+          }
+        }
+      },
+      "traits": {
+        "smithy.api#input": {}
+      }
+    },
+    "com.amazonaws.cognitoidentityprovider#CreateManagedLoginBrandingResponse": {
+      "type": "structure",
+      "members": {
+        "ManagedLoginBranding": {
+          "target": "com.amazonaws.cognitoidentityprovider#ManagedLoginBrandingType",
+          "traits": {
+            "smithy.api#documentation": "<p>The details of the branding style that you created.</p>"
+          }
+        }
+      },
+      "traits": {
+        "smithy.api#output": {}
+      }
+    },
     "com.amazonaws.cognitoidentityprovider#CreateResourceServer": {
       "type": "operation",
       "input": {
@@ -5591,6 +6123,9 @@
         "target": "com.amazonaws.cognitoidentityprovider#CreateUserPoolResponse"
       },
       "errors": [
+        {
+          "target": "com.amazonaws.cognitoidentityprovider#FeatureUnavailableInTierException"
+        },
         {
           "target": "com.amazonaws.cognitoidentityprovider#InternalErrorException"
         },
@@ -5612,6 +6147,9 @@
         {
           "target": "com.amazonaws.cognitoidentityprovider#NotAuthorizedException"
         },
+        {
+          "target": "com.amazonaws.cognitoidentityprovider#TierChangeNotAllowedException"
+        },
         {
           "target": "com.amazonaws.cognitoidentityprovider#TooManyRequestsException"
         },
@@ -5620,7 +6158,7 @@
         }
       ],
       "traits": {
-        "smithy.api#documentation": "<note>\n            <p>This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers\n            require you to register an origination phone number before you can send SMS messages\n            to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a\n            phone number with <a href=\"https://console.aws.amazon.com/pinpoint/home/\">Amazon Pinpoint</a>.\n            Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must\n            receive SMS messages might not be able to sign up, activate their accounts, or sign\n            in.</p>\n            <p>If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Servicesservice,\n            Amazon Simple Notification Service might place your account in the SMS sandbox. In <i>\n                  <a href=\"https://docs.aws.amazon.com/sns/latest/dg/sns-sms-sandbox.html\">sandbox\n                    mode</a>\n               </i>, you can send messages only to verified phone\n            numbers. After you test your app while in the sandbox environment, you can move out\n            of the sandbox and into production. For more information, see <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-sms-settings.html\"> SMS message settings for Amazon Cognito user pools</a> in the <i>Amazon Cognito\n                Developer Guide</i>.</p>\n         </note>\n         <p>Creates a new Amazon Cognito user pool and sets the password policy for the\n            pool.</p>\n         <important>\n            <p>If you don't provide a value for an attribute, Amazon Cognito sets it to its default value.</p>\n         </important>\n         <note>\n            <p>Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For\n    this operation, you must use IAM credentials to authorize requests, and you must\n    grant yourself the corresponding IAM permission in a policy.</p>\n            <p class=\"title\">\n               <b>Learn more</b>\n            </p>\n            <ul>\n               <li>\n                  <p>\n                     <a href=\"https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html\">Signing Amazon Web Services API Requests</a>\n                  </p>\n               </li>\n               <li>\n                  <p>\n                     <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html\">Using the Amazon Cognito user pools API and user pool endpoints</a>\n                  </p>\n               </li>\n            </ul>\n         </note>",
+        "smithy.api#documentation": "<note>\n            <p>This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers\n            require you to register an origination phone number before you can send SMS messages\n            to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a\n            phone number with <a href=\"https://console.aws.amazon.com/pinpoint/home/\">Amazon Pinpoint</a>.\n            Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must\n            receive SMS messages might not be able to sign up, activate their accounts, or sign\n            in.</p>\n            <p>If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Services service,\n            Amazon Simple Notification Service might place your account in the SMS sandbox. In <i>\n                  <a href=\"https://docs.aws.amazon.com/sns/latest/dg/sns-sms-sandbox.html\">sandbox\n                    mode</a>\n               </i>, you can send messages only to verified phone\n            numbers. After you test your app while in the sandbox environment, you can move out\n            of the sandbox and into production. For more information, see <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-sms-settings.html\"> SMS message settings for Amazon Cognito user pools</a> in the <i>Amazon Cognito\n                Developer Guide</i>.</p>\n         </note>\n         <p>Creates a new Amazon Cognito user pool and sets the password policy for the\n            pool.</p>\n         <important>\n            <p>If you don't provide a value for an attribute, Amazon Cognito sets it to its default value.</p>\n         </important>\n         <note>\n            <p>Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For\n    this operation, you must use IAM credentials to authorize requests, and you must\n    grant yourself the corresponding IAM permission in a policy.</p>\n            <p class=\"title\">\n               <b>Learn more</b>\n            </p>\n            <ul>\n               <li>\n                  <p>\n                     <a href=\"https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html\">Signing Amazon Web Services API Requests</a>\n                  </p>\n               </li>\n               <li>\n                  <p>\n                     <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html\">Using the Amazon Cognito user pools API and user pool endpoints</a>\n                  </p>\n               </li>\n            </ul>\n         </note>",
         "smithy.api#examples": [
           {
             "title": "Example user pool with email and username sign-in",
@@ -6247,13 +6785,13 @@
         "ExplicitAuthFlows": {
           "target": "com.amazonaws.cognitoidentityprovider#ExplicitAuthFlowsListType",
           "traits": {
-            "smithy.api#documentation": "<p>The authentication flows that you want your user pool client to support. For each app client in your user pool, you can sign in \nyour users with any combination of one or more flows, including with a user name and Secure Remote Password (SRP), a user name and \npassword, or a custom authentication process that you define with Lambda functions.</p>\n         <note>\n            <p>If you don't specify a value for <code>ExplicitAuthFlows</code>, your user client supports <code>ALLOW_REFRESH_TOKEN_AUTH</code>, <code>ALLOW_USER_SRP_AUTH</code>, and <code>ALLOW_CUSTOM_AUTH</code>.</p>\n         </note>\n         <p>Valid values include:</p>\n         <ul>\n            <li>\n               <p>\n                  <code>ALLOW_ADMIN_USER_PASSWORD_AUTH</code>: Enable admin based user password\n            authentication flow <code>ADMIN_USER_PASSWORD_AUTH</code>. This setting replaces\n            the <code>ADMIN_NO_SRP_AUTH</code> setting. With this authentication flow, your app\n            passes a user name and password to Amazon Cognito in the request, instead of using the Secure \n            Remote Password (SRP) protocol to securely transmit the password.</p>\n            </li>\n            <li>\n               <p>\n                  <code>ALLOW_CUSTOM_AUTH</code>: Enable Lambda trigger based\n            authentication.</p>\n            </li>\n            <li>\n               <p>\n                  <code>ALLOW_USER_PASSWORD_AUTH</code>: Enable user password-based\n            authentication. In this flow, Amazon Cognito receives the password in the request instead\n            of using the SRP protocol to verify passwords.</p>\n            </li>\n            <li>\n               <p>\n                  <code>ALLOW_USER_SRP_AUTH</code>: Enable SRP-based authentication.</p>\n            </li>\n            <li>\n               <p>\n                  <code>ALLOW_REFRESH_TOKEN_AUTH</code>: Enable authflow to refresh\n            tokens.</p>\n            </li>\n         </ul>\n         <p>In some environments, you will see the values <code>ADMIN_NO_SRP_AUTH</code>, <code>CUSTOM_AUTH_FLOW_ONLY</code>, or <code>USER_PASSWORD_AUTH</code>. \nYou can't assign these legacy <code>ExplicitAuthFlows</code> values to user pool clients at the same time as values that begin with <code>ALLOW_</code>,\nlike <code>ALLOW_USER_SRP_AUTH</code>.</p>"
+            "smithy.api#documentation": "<p>The authentication flows that you want your user pool client to support. For each app client in your user pool, you can sign in \nyour users with any combination of one or more flows, including with a user name and Secure Remote Password (SRP), a user name and \npassword, or a custom authentication process that you define with Lambda functions.</p>\n         <note>\n            <p>If you don't specify a value for <code>ExplicitAuthFlows</code>, your user client supports <code>ALLOW_REFRESH_TOKEN_AUTH</code>, <code>ALLOW_USER_SRP_AUTH</code>, and <code>ALLOW_CUSTOM_AUTH</code>.</p>\n         </note>\n         <p>Valid values include:</p>\n         <ul>\n            <li>\n               <p>\n                  <code>ALLOW_USER_AUTH</code>: Enable selection-based sign-in\n            with <code>USER_AUTH</code>. This setting covers username-password,\n            secure remote password (SRP), passwordless, and passkey authentication.\n            This authentiation flow can do username-password and SRP authentication\n            without other <code>ExplicitAuthFlows</code> permitting them. For example\n            users can complete an SRP challenge through <code>USER_AUTH</code> \n            without the flow <code>USER_SRP_AUTH</code> being active for the app\n            client. This flow doesn't include <code>CUSTOM_AUTH</code>.\n        </p>\n            </li>\n            <li>\n               <p>\n                  <code>ALLOW_ADMIN_USER_PASSWORD_AUTH</code>: Enable admin based user password\n            authentication flow <code>ADMIN_USER_PASSWORD_AUTH</code>. This setting replaces\n            the <code>ADMIN_NO_SRP_AUTH</code> setting. With this authentication flow, your app\n            passes a user name and password to Amazon Cognito in the request, instead of using the Secure \n            Remote Password (SRP) protocol to securely transmit the password.</p>\n            </li>\n            <li>\n               <p>\n                  <code>ALLOW_CUSTOM_AUTH</code>: Enable Lambda trigger based\n            authentication.</p>\n            </li>\n            <li>\n               <p>\n                  <code>ALLOW_USER_PASSWORD_AUTH</code>: Enable user password-based\n            authentication. In this flow, Amazon Cognito receives the password in the request instead\n            of using the SRP protocol to verify passwords.</p>\n            </li>\n            <li>\n               <p>\n                  <code>ALLOW_USER_SRP_AUTH</code>: Enable SRP-based authentication.</p>\n            </li>\n            <li>\n               <p>\n                  <code>ALLOW_REFRESH_TOKEN_AUTH</code>: Enable authflow to refresh\n            tokens.</p>\n            </li>\n         </ul>\n         <p>In some environments, you will see the values <code>ADMIN_NO_SRP_AUTH</code>, <code>CUSTOM_AUTH_FLOW_ONLY</code>, or <code>USER_PASSWORD_AUTH</code>. \nYou can't assign these legacy <code>ExplicitAuthFlows</code> values to user pool clients at the same time as values that begin with <code>ALLOW_</code>,\nlike <code>ALLOW_USER_SRP_AUTH</code>.</p>"
           }
         },
         "SupportedIdentityProviders": {
           "target": "com.amazonaws.cognitoidentityprovider#SupportedIdentityProvidersListType",
           "traits": {
-            "smithy.api#documentation": "<p>A list of provider names for the identity providers (IdPs) that are supported on this\n            client. The following are supported: <code>COGNITO</code>, <code>Facebook</code>,\n                <code>Google</code>, <code>SignInWithApple</code>, and <code>LoginWithAmazon</code>.\n            You can also specify the names that you configured for the SAML and OIDC IdPs in your\n            user pool, for example <code>MySAMLIdP</code> or <code>MyOIDCIdP</code>.</p>"
+            "smithy.api#documentation": "<p>A list of provider names for the identity providers (IdPs) that are supported on this\n            client. The following are supported: <code>COGNITO</code>, <code>Facebook</code>,\n                <code>Google</code>, <code>SignInWithApple</code>, and <code>LoginWithAmazon</code>.\n            You can also specify the names that you configured for the SAML and OIDC IdPs in your\n            user pool, for example <code>MySAMLIdP</code> or <code>MyOIDCIdP</code>.</p>\n         <p>This setting applies to providers that you can access with the <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-app-integration.html\">hosted\n                UI and OAuth 2.0 authorization server</a>. The removal of <code>COGNITO</code>\n            from this list doesn't prevent authentication operations for local users with the\n            user pools API in an Amazon Web Services SDK. The only way to prevent API-based authentication is to\n            block access with a <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-waf.html\">WAF rule</a>.</p>"
           }
         },
         "CallbackURLs": {
@@ -6314,7 +6852,7 @@
         "EnablePropagateAdditionalUserContextData": {
           "target": "com.amazonaws.cognitoidentityprovider#WrappedBooleanType",
           "traits": {
-            "smithy.api#documentation": "<p>Activates the propagation of additional user context data. For more information about\n            propagation of user context data, see <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-advanced-security.html\"> Adding advanced security to a user pool</a>. If you don’t include this\n            parameter, you can't send device fingerprint information, including source IP address,\n            to Amazon Cognito advanced security. You can only activate\n                <code>EnablePropagateAdditionalUserContextData</code> in an app client that has a\n            client secret.</p>"
+            "smithy.api#documentation": "<p>Activates the propagation of additional user context data. For more information about\n            propagation of user context data, see <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-threat-protection.html\"> Adding advanced security to a user pool</a>. If you don’t include this\n            parameter, you can't send device fingerprint information, including source IP address,\n            to Amazon Cognito advanced security. You can only activate\n                <code>EnablePropagateAdditionalUserContextData</code> in an app client that has a\n            client secret.</p>"
           }
         },
         "AuthSessionValidity": {
@@ -6353,6 +6891,9 @@
         "target": "com.amazonaws.cognitoidentityprovider#CreateUserPoolDomainResponse"
       },
       "errors": [
+        {
+          "target": "com.amazonaws.cognitoidentityprovider#FeatureUnavailableInTierException"
+        },
         {
           "target": "com.amazonaws.cognitoidentityprovider#InternalErrorException"
         },
@@ -6370,7 +6911,7 @@
         }
       ],
       "traits": {
-        "smithy.api#documentation": "<p>Creates a new domain for a user pool.</p>\n         <note>\n            <p>Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For\n    this operation, you must use IAM credentials to authorize requests, and you must\n    grant yourself the corresponding IAM permission in a policy.</p>\n            <p class=\"title\">\n               <b>Learn more</b>\n            </p>\n            <ul>\n               <li>\n                  <p>\n                     <a href=\"https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html\">Signing Amazon Web Services API Requests</a>\n                  </p>\n               </li>\n               <li>\n                  <p>\n                     <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html\">Using the Amazon Cognito user pools API and user pool endpoints</a>\n                  </p>\n               </li>\n            </ul>\n         </note>"
+        "smithy.api#documentation": "<p>Creates a new domain for a user pool. The domain hosts user pool domain services like\n            managed login, the hosted UI (classic), and the user pool authorization server.</p>\n         <note>\n            <p>Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For\n    this operation, you must use IAM credentials to authorize requests, and you must\n    grant yourself the corresponding IAM permission in a policy.</p>\n            <p class=\"title\">\n               <b>Learn more</b>\n            </p>\n            <ul>\n               <li>\n                  <p>\n                     <a href=\"https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html\">Signing Amazon Web Services API Requests</a>\n                  </p>\n               </li>\n               <li>\n                  <p>\n                     <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html\">Using the Amazon Cognito user pools API and user pool endpoints</a>\n                  </p>\n               </li>\n            </ul>\n         </note>"
       }
     },
     "com.amazonaws.cognitoidentityprovider#CreateUserPoolDomainRequest": {
@@ -6386,10 +6927,16 @@
         "UserPoolId": {
           "target": "com.amazonaws.cognitoidentityprovider#UserPoolIdType",
           "traits": {
-            "smithy.api#documentation": "<p>The user pool ID.</p>",
+            "smithy.api#documentation": "<p>The ID of the user pool where you want to add a domain.</p>",
             "smithy.api#required": {}
           }
         },
+        "ManagedLoginVersion": {
+          "target": "com.amazonaws.cognitoidentityprovider#WrappedIntegerType",
+          "traits": {
+            "smithy.api#documentation": "<p>The version of managed login branding that you want to apply to your domain. A value\n            of <code>1</code> indicates hosted UI (classic) branding and a version of <code>2</code>\n            indicates managed login branding.</p>\n         <p>Managed login requires that your user pool be configured for any <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-sign-in-feature-plans.html\">feature plan</a> other than <code>Lite</code>.</p>"
+          }
+        },
         "CustomDomainConfig": {
           "target": "com.amazonaws.cognitoidentityprovider#CustomDomainConfigType",
           "traits": {
@@ -6404,6 +6951,12 @@
     "com.amazonaws.cognitoidentityprovider#CreateUserPoolDomainResponse": {
       "type": "structure",
       "members": {
+        "ManagedLoginVersion": {
+          "target": "com.amazonaws.cognitoidentityprovider#WrappedIntegerType",
+          "traits": {
+            "smithy.api#documentation": "<p>The version of managed login branding applied your domain. A value of <code>1</code>\n            indicates hosted UI (classic) branding and a version of <code>2</code> indicates managed\n            login branding.</p>"
+          }
+        },
         "CloudFrontDomain": {
           "target": "com.amazonaws.cognitoidentityprovider#DomainType",
           "traits": {
@@ -6440,7 +6993,7 @@
         "LambdaConfig": {
           "target": "com.amazonaws.cognitoidentityprovider#LambdaConfigType",
           "traits": {
-            "smithy.api#documentation": "<p>The Lambda trigger configuration information for the new user pool.</p>\n         <note>\n            <p>In a push model, event sources (such as Amazon S3 and custom applications) need\n                permission to invoke a function. So you must make an extra call to add permission\n                for these event sources to invoke your Lambda function.</p>\n            <p></p>\n            <p>For more information on using the Lambda API to add permission, see<a href=\"https://docs.aws.amazon.com/lambda/latest/dg/API_AddPermission.html\">\n                    AddPermission </a>. </p>\n            <p>For adding permission using the CLI, see<a href=\"https://docs.aws.amazon.com/cli/latest/reference/lambda/add-permission.html\"> add-permission\n                </a>.</p>\n         </note>"
+            "smithy.api#documentation": "<p>A collection of user pool Lambda triggers. Amazon Cognito invokes triggers at several possible\n            stages of authentication operations. Triggers can modify the outcome of the operations\n            that invoked them.</p>"
           }
         },
         "AutoVerifiedAttributes": {
@@ -6482,7 +7035,7 @@
         "VerificationMessageTemplate": {
           "target": "com.amazonaws.cognitoidentityprovider#VerificationMessageTemplateType",
           "traits": {
-            "smithy.api#documentation": "<p>The template for the verification message that the user sees when the app requests\n            permission to access the user's information.</p>"
+            "smithy.api#documentation": "<p>The template for the verification message that your user pool delivers to users who\n            set an email address or phone number attribute.</p>\n         <p>Set the email message type that corresponds to your <code>DefaultEmailOption</code>\n            selection. For <code>CONFIRM_WITH_LINK</code>, specify an\n                <code>EmailMessageByLink</code> and leave <code>EmailMessage</code> blank. For\n                <code>CONFIRM_WITH_CODE</code>, specify an <code>EmailMessage</code> and leave\n                <code>EmailMessageByLink</code> blank. When you supply both parameters with either\n            choice, Amazon Cognito returns an error.</p>"
           }
         },
         "SmsAuthenticationMessage": {
@@ -6556,6 +7109,12 @@
           "traits": {
             "smithy.api#documentation": "<p>The available verified method a user can use to recover their password when they call\n                <code>ForgotPassword</code>. You can use this setting to define a preferred method\n            when a user has more than one method available. With this setting, SMS doesn't qualify\n            for a valid password recovery mechanism if the user also has SMS multi-factor\n            authentication (MFA) activated. In the absence of this setting, Amazon Cognito uses the legacy\n            behavior to determine the recovery method where SMS is preferred through email.</p>"
           }
+        },
+        "UserPoolTier": {
+          "target": "com.amazonaws.cognitoidentityprovider#UserPoolTierType",
+          "traits": {
+            "smithy.api#documentation": "<p>The user pool <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-sign-in-feature-plans.html\">feature plan</a>, or tier. This parameter determines the\n            eligibility of the user pool for features like managed login, access-token\n            customization, and threat protection. Defaults to <code>ESSENTIALS</code>.</p>"
+          }
         }
       },
       "traits": {
@@ -6612,7 +7171,7 @@
         }
       },
       "traits": {
-        "smithy.api#documentation": "<p>The configuration for a custom domain that hosts the sign-up and sign-in webpages for\n            your application.</p>"
+        "smithy.api#documentation": "<p>The configuration for a hosted UI custom domain.</p>\n         <p>This data type is a request parameter of <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPoolDomain.html\">CreateUserPoolDomain</a> and <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPoolDomain.html\">UpdateUserPoolDomain</a>.</p>"
       }
     },
     "com.amazonaws.cognitoidentityprovider#CustomEmailLambdaVersionConfigType": {
@@ -6634,7 +7193,7 @@
         }
       },
       "traits": {
-        "smithy.api#documentation": "<p>The properties of a custom email sender Lambda trigger.</p>"
+        "smithy.api#documentation": "<p>The properties of a custom email sender Lambda trigger.</p>\n         <p>This data type is a request and response parameter of <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html\">CreateUserPool</a> and <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html\">UpdateUserPool</a>, and a response parameter of <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html\">DescribeUserPool</a>.</p>"
       }
     },
     "com.amazonaws.cognitoidentityprovider#CustomEmailSenderLambdaVersionType": {
@@ -6667,7 +7226,7 @@
         }
       },
       "traits": {
-        "smithy.api#documentation": "<p>The properties of a custom SMS sender Lambda trigger.</p>"
+        "smithy.api#documentation": "<p>The properties of a custom SMS sender Lambda trigger.</p>\n         <p>This data type is a request and response parameter of <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html\">CreateUserPool</a> and <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html\">UpdateUserPool</a>, and a response parameter of <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html\">DescribeUserPool</a>.</p>"
       }
     },
     "com.amazonaws.cognitoidentityprovider#CustomSMSSenderLambdaVersionType": {
@@ -6809,15 +7368,18 @@
         "smithy.api#input": {}
       }
     },
-    "com.amazonaws.cognitoidentityprovider#DeleteResourceServer": {
+    "com.amazonaws.cognitoidentityprovider#DeleteManagedLoginBranding": {
       "type": "operation",
       "input": {
-        "target": "com.amazonaws.cognitoidentityprovider#DeleteResourceServerRequest"
+        "target": "com.amazonaws.cognitoidentityprovider#DeleteManagedLoginBrandingRequest"
       },
       "output": {
         "target": "smithy.api#Unit"
       },
       "errors": [
+        {
+          "target": "com.amazonaws.cognitoidentityprovider#ConcurrentModificationException"
+        },
         {
           "target": "com.amazonaws.cognitoidentityprovider#InternalErrorException"
         },
@@ -6835,23 +7397,23 @@
         }
       ],
       "traits": {
-        "smithy.api#documentation": "<p>Deletes a resource server.</p>"
+        "smithy.api#documentation": "<p>Deletes a managed login branding style. When you delete a style, you delete the\n            branding association for an app client and restore it to default settings.</p>\n         <note>\n            <p>Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For\n    this operation, you must use IAM credentials to authorize requests, and you must\n    grant yourself the corresponding IAM permission in a policy.</p>\n            <p class=\"title\">\n               <b>Learn more</b>\n            </p>\n            <ul>\n               <li>\n                  <p>\n                     <a href=\"https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html\">Signing Amazon Web Services API Requests</a>\n                  </p>\n               </li>\n               <li>\n                  <p>\n                     <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html\">Using the Amazon Cognito user pools API and user pool endpoints</a>\n                  </p>\n               </li>\n            </ul>\n         </note>"
       }
     },
-    "com.amazonaws.cognitoidentityprovider#DeleteResourceServerRequest": {
+    "com.amazonaws.cognitoidentityprovider#DeleteManagedLoginBrandingRequest": {
       "type": "structure",
       "members": {
-        "UserPoolId": {
-          "target": "com.amazonaws.cognitoidentityprovider#UserPoolIdType",
+        "ManagedLoginBrandingId": {
+          "target": "com.amazonaws.cognitoidentityprovider#ManagedLoginBrandingIdType",
           "traits": {
-            "smithy.api#documentation": "<p>The user pool ID for the user pool that hosts the resource server.</p>",
+            "smithy.api#documentation": "<p>The ID of the managed login branding style that you want to delete.</p>",
             "smithy.api#required": {}
           }
         },
-        "Identifier": {
-          "target": "com.amazonaws.cognitoidentityprovider#ResourceServerIdentifierType",
+        "UserPoolId": {
+          "target": "com.amazonaws.cognitoidentityprovider#UserPoolIdType",
           "traits": {
-            "smithy.api#documentation": "<p>The identifier for the resource server.</p>",
+            "smithy.api#documentation": "<p>The ID of the user pool that contains the managed login branding style that you want\n            to delete.</p>",
             "smithy.api#required": {}
           }
         }
@@ -6860,18 +7422,15 @@
         "smithy.api#input": {}
       }
     },
-    "com.amazonaws.cognitoidentityprovider#DeleteUser": {
+    "com.amazonaws.cognitoidentityprovider#DeleteResourceServer": {
       "type": "operation",
       "input": {
-        "target": "com.amazonaws.cognitoidentityprovider#DeleteUserRequest"
+        "target": "com.amazonaws.cognitoidentityprovider#DeleteResourceServerRequest"
       },
       "output": {
         "target": "smithy.api#Unit"
       },
       "errors": [
-        {
-          "target": "com.amazonaws.cognitoidentityprovider#ForbiddenException"
-        },
         {
           "target": "com.amazonaws.cognitoidentityprovider#InternalErrorException"
         },
@@ -6882,7 +7441,61 @@
           "target": "com.amazonaws.cognitoidentityprovider#NotAuthorizedException"
         },
         {
-          "target": "com.amazonaws.cognitoidentityprovider#PasswordResetRequiredException"
+          "target": "com.amazonaws.cognitoidentityprovider#ResourceNotFoundException"
+        },
+        {
+          "target": "com.amazonaws.cognitoidentityprovider#TooManyRequestsException"
+        }
+      ],
+      "traits": {
+        "smithy.api#documentation": "<p>Deletes a resource server.</p>"
+      }
+    },
+    "com.amazonaws.cognitoidentityprovider#DeleteResourceServerRequest": {
+      "type": "structure",
+      "members": {
+        "UserPoolId": {
+          "target": "com.amazonaws.cognitoidentityprovider#UserPoolIdType",
+          "traits": {
+            "smithy.api#documentation": "<p>The user pool ID for the user pool that hosts the resource server.</p>",
+            "smithy.api#required": {}
+          }
+        },
+        "Identifier": {
+          "target": "com.amazonaws.cognitoidentityprovider#ResourceServerIdentifierType",
+          "traits": {
+            "smithy.api#documentation": "<p>The identifier for the resource server.</p>",
+            "smithy.api#required": {}
+          }
+        }
+      },
+      "traits": {
+        "smithy.api#input": {}
+      }
+    },
+    "com.amazonaws.cognitoidentityprovider#DeleteUser": {
+      "type": "operation",
+      "input": {
+        "target": "com.amazonaws.cognitoidentityprovider#DeleteUserRequest"
+      },
+      "output": {
+        "target": "smithy.api#Unit"
+      },
+      "errors": [
+        {
+          "target": "com.amazonaws.cognitoidentityprovider#ForbiddenException"
+        },
+        {
+          "target": "com.amazonaws.cognitoidentityprovider#InternalErrorException"
+        },
+        {
+          "target": "com.amazonaws.cognitoidentityprovider#InvalidParameterException"
+        },
+        {
+          "target": "com.amazonaws.cognitoidentityprovider#NotAuthorizedException"
+        },
+        {
+          "target": "com.amazonaws.cognitoidentityprovider#PasswordResetRequiredException"
         },
         {
           "target": "com.amazonaws.cognitoidentityprovider#ResourceNotFoundException"
@@ -7151,6 +7764,66 @@
         "smithy.api#input": {}
       }
     },
+    "com.amazonaws.cognitoidentityprovider#DeleteWebAuthnCredential": {
+      "type": "operation",
+      "input": {
+        "target": "com.amazonaws.cognitoidentityprovider#DeleteWebAuthnCredentialRequest"
+      },
+      "output": {
+        "target": "com.amazonaws.cognitoidentityprovider#DeleteWebAuthnCredentialResponse"
+      },
+      "errors": [
+        {
+          "target": "com.amazonaws.cognitoidentityprovider#ForbiddenException"
+        },
+        {
+          "target": "com.amazonaws.cognitoidentityprovider#InternalErrorException"
+        },
+        {
+          "target": "com.amazonaws.cognitoidentityprovider#InvalidParameterException"
+        },
+        {
+          "target": "com.amazonaws.cognitoidentityprovider#NotAuthorizedException"
+        },
+        {
+          "target": "com.amazonaws.cognitoidentityprovider#ResourceNotFoundException"
+        }
+      ],
+      "traits": {
+        "smithy.api#auth": [],
+        "smithy.api#documentation": "<p>Deletes a registered passkey, or webauthN, device for the currently signed-in\n            user.</p>\n         <p>Authorize this action with a signed-in user's access token. It must include the scope <code>aws.cognito.signin.user.admin</code>.</p>",
+        "smithy.api#optionalAuth": {}
+      }
+    },
+    "com.amazonaws.cognitoidentityprovider#DeleteWebAuthnCredentialRequest": {
+      "type": "structure",
+      "members": {
+        "AccessToken": {
+          "target": "com.amazonaws.cognitoidentityprovider#TokenModelType",
+          "traits": {
+            "smithy.api#documentation": "<p>A valid access token that Amazon Cognito issued to the user whose passkey you want to\n            delete.</p>",
+            "smithy.api#required": {}
+          }
+        },
+        "CredentialId": {
+          "target": "com.amazonaws.cognitoidentityprovider#StringType",
+          "traits": {
+            "smithy.api#documentation": "<p>The unique identifier of the passkey that you want to delete. Look up registered\n            devices with <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_ListWebAuthnCredentials.html\"> ListWebAuthnCredentials</a>.</p>",
+            "smithy.api#required": {}
+          }
+        }
+      },
+      "traits": {
+        "smithy.api#input": {}
+      }
+    },
+    "com.amazonaws.cognitoidentityprovider#DeleteWebAuthnCredentialResponse": {
+      "type": "structure",
+      "members": {},
+      "traits": {
+        "smithy.api#output": {}
+      }
+    },
     "com.amazonaws.cognitoidentityprovider#DeletionProtectionType": {
       "type": "enum",
       "members": {
@@ -7257,6 +7930,150 @@
         "smithy.api#output": {}
       }
     },
+    "com.amazonaws.cognitoidentityprovider#DescribeManagedLoginBranding": {
+      "type": "operation",
+      "input": {
+        "target": "com.amazonaws.cognitoidentityprovider#DescribeManagedLoginBrandingRequest"
+      },
+      "output": {
+        "target": "com.amazonaws.cognitoidentityprovider#DescribeManagedLoginBrandingResponse"
+      },
+      "errors": [
+        {
+          "target": "com.amazonaws.cognitoidentityprovider#InternalErrorException"
+        },
+        {
+          "target": "com.amazonaws.cognitoidentityprovider#InvalidParameterException"
+        },
+        {
+          "target": "com.amazonaws.cognitoidentityprovider#NotAuthorizedException"
+        },
+        {
+          "target": "com.amazonaws.cognitoidentityprovider#ResourceNotFoundException"
+        },
+        {
+          "target": "com.amazonaws.cognitoidentityprovider#TooManyRequestsException"
+        }
+      ],
+      "traits": {
+        "smithy.api#documentation": "<p>When given the ID of a managed login branding style, returns detailed information\n            about the style.</p>"
+      }
+    },
+    "com.amazonaws.cognitoidentityprovider#DescribeManagedLoginBrandingByClient": {
+      "type": "operation",
+      "input": {
+        "target": "com.amazonaws.cognitoidentityprovider#DescribeManagedLoginBrandingByClientRequest"
+      },
+      "output": {
+        "target": "com.amazonaws.cognitoidentityprovider#DescribeManagedLoginBrandingByClientResponse"
+      },
+      "errors": [
+        {
+          "target": "com.amazonaws.cognitoidentityprovider#InternalErrorException"
+        },
+        {
+          "target": "com.amazonaws.cognitoidentityprovider#InvalidParameterException"
+        },
+        {
+          "target": "com.amazonaws.cognitoidentityprovider#NotAuthorizedException"
+        },
+        {
+          "target": "com.amazonaws.cognitoidentityprovider#ResourceNotFoundException"
+        },
+        {
+          "target": "com.amazonaws.cognitoidentityprovider#TooManyRequestsException"
+        }
+      ],
+      "traits": {
+        "smithy.api#documentation": "<p>When given the ID of a user pool app client, returns detailed information about the\n            style assigned to the app client.</p>"
+      }
+    },
+    "com.amazonaws.cognitoidentityprovider#DescribeManagedLoginBrandingByClientRequest": {
+      "type": "structure",
+      "members": {
+        "UserPoolId": {
+          "target": "com.amazonaws.cognitoidentityprovider#UserPoolIdType",
+          "traits": {
+            "smithy.api#documentation": "<p>The ID of the user pool that contains the app client where you want more information\n            about the managed login branding style.</p>",
+            "smithy.api#required": {}
+          }
+        },
+        "ClientId": {
+          "target": "com.amazonaws.cognitoidentityprovider#ClientIdType",
+          "traits": {
+            "smithy.api#documentation": "<p>The app client that's assigned to the branding style that you want more information\n            about.</p>",
+            "smithy.api#required": {}
+          }
+        },
+        "ReturnMergedResources": {
+          "target": "com.amazonaws.cognitoidentityprovider#BooleanType",
+          "traits": {
+            "smithy.api#default": false,
+            "smithy.api#documentation": "<p>When <code>true</code>, returns values for branding options that are unchanged from\n            Amazon Cognito defaults. When <code>false</code> or when you omit this parameter, returns only\n            values that you customized in your branding style.</p>"
+          }
+        }
+      },
+      "traits": {
+        "smithy.api#input": {}
+      }
+    },
+    "com.amazonaws.cognitoidentityprovider#DescribeManagedLoginBrandingByClientResponse": {
+      "type": "structure",
+      "members": {
+        "ManagedLoginBranding": {
+          "target": "com.amazonaws.cognitoidentityprovider#ManagedLoginBrandingType",
+          "traits": {
+            "smithy.api#documentation": "<p>The details of the requested branding style.</p>"
+          }
+        }
+      },
+      "traits": {
+        "smithy.api#output": {}
+      }
+    },
+    "com.amazonaws.cognitoidentityprovider#DescribeManagedLoginBrandingRequest": {
+      "type": "structure",
+      "members": {
+        "UserPoolId": {
+          "target": "com.amazonaws.cognitoidentityprovider#UserPoolIdType",
+          "traits": {
+            "smithy.api#documentation": "<p>The ID of the user pool that contains the managed login branding style that you want\n            to get information about.</p>",
+            "smithy.api#required": {}
+          }
+        },
+        "ManagedLoginBrandingId": {
+          "target": "com.amazonaws.cognitoidentityprovider#ManagedLoginBrandingIdType",
+          "traits": {
+            "smithy.api#documentation": "<p>The ID of the managed login branding style that you want to get more information\n            about.</p>",
+            "smithy.api#required": {}
+          }
+        },
+        "ReturnMergedResources": {
+          "target": "com.amazonaws.cognitoidentityprovider#BooleanType",
+          "traits": {
+            "smithy.api#default": false,
+            "smithy.api#documentation": "<p>When <code>true</code>, returns values for branding options that are unchanged from\n            Amazon Cognito defaults. When <code>false</code> or when you omit this parameter, returns only\n            values that you customized in your branding style.</p>"
+          }
+        }
+      },
+      "traits": {
+        "smithy.api#input": {}
+      }
+    },
+    "com.amazonaws.cognitoidentityprovider#DescribeManagedLoginBrandingResponse": {
+      "type": "structure",
+      "members": {
+        "ManagedLoginBranding": {
+          "target": "com.amazonaws.cognitoidentityprovider#ManagedLoginBrandingType",
+          "traits": {
+            "smithy.api#documentation": "<p>The details of the requested branding style.</p>"
+          }
+        }
+      },
+      "traits": {
+        "smithy.api#output": {}
+      }
+    },
     "com.amazonaws.cognitoidentityprovider#DescribeResourceServer": {
       "type": "operation",
       "input": {
@@ -7671,7 +8488,7 @@
         }
       },
       "traits": {
-        "smithy.api#documentation": "<p>The device-remembering configuration for a user pool. A <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html\">\n                DescribeUserPool</a> request returns a null value for this object when the user\n            pool isn't configured to remember devices. When device remembering is active, you can\n            remember a user's device with a <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_ConfirmDevice.html\">ConfirmDevice</a> API request. Additionally. when the property\n                <code>DeviceOnlyRememberedOnUserPrompt</code> is <code>true</code>, you must follow\n                <code>ConfirmDevice</code> with an <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateDeviceStatus.html\">UpdateDeviceStatus</a> API request that sets the user's device to\n                <code>remembered</code> or <code>not_remembered</code>.</p>\n         <p>To sign in with a remembered device, include <code>DEVICE_KEY</code> in the\n            authentication parameters in your user's <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_InitiateAuth.html\">\n                InitiateAuth</a> request. If your app doesn't include a <code>DEVICE_KEY</code>\n            parameter, the <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_InitiateAuth.html#API_InitiateAuth_ResponseSyntax\">response</a> from Amazon Cognito includes newly-generated <code>DEVICE_KEY</code> and\n                <code>DEVICE_GROUP_KEY</code> values under <code>NewDeviceMetadata</code>. Store\n            these values to use in future device-authentication requests.</p>\n         <note>\n            <p>When you provide a value for any property of <code>DeviceConfiguration</code>, you\n                activate the device remembering for the user pool.</p>\n         </note>"
+        "smithy.api#documentation": "<p>The device-remembering configuration for a user pool. A <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html\">\n                DescribeUserPool</a> request returns a null value for this object when the user\n            pool isn't configured to remember devices. When device remembering is active, you can\n            remember a user's device with a <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_ConfirmDevice.html\">ConfirmDevice</a> API request. Additionally. when the property\n                <code>DeviceOnlyRememberedOnUserPrompt</code> is <code>true</code>, you must follow\n                <code>ConfirmDevice</code> with an <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateDeviceStatus.html\">UpdateDeviceStatus</a> API request that sets the user's device to\n                <code>remembered</code> or <code>not_remembered</code>.</p>\n         <p>To sign in with a remembered device, include <code>DEVICE_KEY</code> in the\n            authentication parameters in your user's <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_InitiateAuth.html\">\n                InitiateAuth</a> request. If your app doesn't include a <code>DEVICE_KEY</code>\n            parameter, the <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_InitiateAuth.html#API_InitiateAuth_ResponseSyntax\">response</a> from Amazon Cognito includes newly-generated <code>DEVICE_KEY</code> and\n                <code>DEVICE_GROUP_KEY</code> values under <code>NewDeviceMetadata</code>. Store\n            these values to use in future device-authentication requests.</p>\n         <note>\n            <p>When you provide a value for any property of <code>DeviceConfiguration</code>, you\n                activate the device remembering for the user pool.</p>\n            <p>This data type is a request and response parameter of <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html\">CreateUserPool</a> and <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html\">UpdateUserPool</a>, and a response parameter of <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html\">DescribeUserPool</a>.</p>\n         </note>"
       }
     },
     "com.amazonaws.cognitoidentityprovider#DeviceKeyType": {
@@ -7722,18 +8539,18 @@
         "PasswordVerifier": {
           "target": "com.amazonaws.cognitoidentityprovider#StringType",
           "traits": {
-            "smithy.api#documentation": "<p>The password verifier.</p>"
+            "smithy.api#documentation": "<p>A password verifier for a user's device. Used in SRP authentication.</p>"
           }
         },
         "Salt": {
           "target": "com.amazonaws.cognitoidentityprovider#StringType",
           "traits": {
-            "smithy.api#documentation": "<p>The <a href=\"https://en.wikipedia.org/wiki/Salt_(cryptography)\">salt</a>\n         </p>"
+            "smithy.api#documentation": "<p>The salt that you want to use in SRP authentication with the user's device.</p>"
           }
         }
       },
       "traits": {
-        "smithy.api#documentation": "<p>The device verifier against which it is authenticated.</p>"
+        "smithy.api#documentation": "<p>A Secure Remote Password (SRP) value that your application generates when you register\n            a user's device. For more information, see <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-device-tracking.html#user-pools-remembered-devices-getting-a-device-key\">Getting a device key</a>.</p>\n         <p>This data type is a request parameter of <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_ConfirmDevice.html\">ConfirmDevice</a>.</p>"
       }
     },
     "com.amazonaws.cognitoidentityprovider#DeviceType": {
@@ -7742,19 +8559,19 @@
         "DeviceKey": {
           "target": "com.amazonaws.cognitoidentityprovider#DeviceKeyType",
           "traits": {
-            "smithy.api#documentation": "<p>The device key.</p>"
+            "smithy.api#documentation": "<p>The device key, for example\n                <code>us-west-2_EXAMPLE-a1b2c3d4-5678-90ab-cdef-EXAMPLE22222</code>.</p>"
           }
         },
         "DeviceAttributes": {
           "target": "com.amazonaws.cognitoidentityprovider#AttributeListType",
           "traits": {
-            "smithy.api#documentation": "<p>The device attributes.</p>"
+            "smithy.api#documentation": "<p>Metadata about a user's device, like name and last-access source IP.</p>"
           }
         },
         "DeviceCreateDate": {
           "target": "com.amazonaws.cognitoidentityprovider#DateType",
           "traits": {
-            "smithy.api#documentation": "<p>The creation date of the device.</p>"
+            "smithy.api#documentation": "<p>The date and time when the item was created. Amazon Cognito returns this timestamp in UNIX epoch time format. Your SDK might render the output in a \nhuman-readable format like ISO 8601 or a Java <code>Date</code> object.</p>"
           }
         },
         "DeviceLastModifiedDate": {
@@ -7766,27 +8583,30 @@
         "DeviceLastAuthenticatedDate": {
           "target": "com.amazonaws.cognitoidentityprovider#DateType",
           "traits": {
-            "smithy.api#documentation": "<p>The date when the device was last authenticated.</p>"
+            "smithy.api#documentation": "<p>The date when the user last signed in with the device.</p>"
           }
         }
       },
       "traits": {
-        "smithy.api#documentation": "<p>The device type.</p>"
+        "smithy.api#documentation": "<p>Information about a user's device that they've registered for device SRP\n            authentication in your application. For more information, see <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-device-tracking.html\">Working with user devices in your user pool</a>.</p>\n         <p>The data type is a response parameter of <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminGetDevice.html\">AdminGetDevice</a>, <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminListDevices.html\">AdminListDevices</a>, and <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_GetDevice.html\">GetDevice</a>.</p>"
       }
     },
+    "com.amazonaws.cognitoidentityprovider#Document": {
+      "type": "document"
+    },
     "com.amazonaws.cognitoidentityprovider#DomainDescriptionType": {
       "type": "structure",
       "members": {
         "UserPoolId": {
           "target": "com.amazonaws.cognitoidentityprovider#UserPoolIdType",
           "traits": {
-            "smithy.api#documentation": "<p>The user pool ID.</p>"
+            "smithy.api#documentation": "<p>The ID of the user pool that the domain is attached to.</p>"
           }
         },
         "AWSAccountId": {
           "target": "com.amazonaws.cognitoidentityprovider#AWSAccountIdType",
           "traits": {
-            "smithy.api#documentation": "<p>The Amazon Web Services ID for the user pool owner.</p>"
+            "smithy.api#documentation": "<p>The Amazon Web Services account that you created the user pool in.</p>"
           }
         },
         "Domain": {
@@ -7804,7 +8624,7 @@
         "CloudFrontDistribution": {
           "target": "com.amazonaws.cognitoidentityprovider#StringType",
           "traits": {
-            "smithy.api#documentation": "<p>The Amazon CloudFront endpoint that you use as the target of the alias that you set up with\n            your Domain Name Service (DNS) provider.</p>"
+            "smithy.api#documentation": "<p>The Amazon CloudFront endpoint that hosts your custom domain.</p>"
           }
         },
         "Version": {
@@ -7824,10 +8644,16 @@
           "traits": {
             "smithy.api#documentation": "<p>The configuration for a custom domain that hosts the sign-up and sign-in webpages for\n            your application.</p>"
           }
+        },
+        "ManagedLoginVersion": {
+          "target": "com.amazonaws.cognitoidentityprovider#WrappedIntegerType",
+          "traits": {
+            "smithy.api#documentation": "<p>The version of managed login branding that you want to apply to your domain. A value\n            of <code>1</code> indicates hosted UI (classic) branding and a version of <code>2</code>\n            indicates managed login branding.</p>\n         <p>Managed login requires that your user pool be configured for any <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-sign-in-feature-plans.html\">feature plan</a> other than <code>Lite</code>.</p>"
+          }
         }
       },
       "traits": {
-        "smithy.api#documentation": "<p>A container for information about a domain.</p>"
+        "smithy.api#documentation": "<p>A container for information about the user pool domain associated with the hosted UI\n            and OAuth endpoints.</p>\n         <p>This data type is a response parameter of <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPoolDomain.html\">DescribeUserPoolDomain</a>.</p>"
       }
     },
     "com.amazonaws.cognitoidentityprovider#DomainStatusType": {
@@ -7938,7 +8764,17 @@
         }
       },
       "traits": {
-        "smithy.api#documentation": "<p>The email configuration of your user pool. The email configuration type sets your\n            preferred sending method, Amazon Web Services Region, and sender for messages from your user\n            pool.</p>\n         <note>\n            <p>Amazon Cognito can send email messages with Amazon Simple Email Service resources in the Amazon Web Services Region where\n                you created your user pool, and in alternate Regions in some cases. For more\n                information on the supported Regions, see <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-email.html\">Email settings for Amazon Cognito user pools</a>.</p>\n         </note>"
+        "smithy.api#documentation": "<p>The email configuration of your user pool. The email configuration type sets your\n            preferred sending method, Amazon Web Services Region, and sender for messages from your user\n            pool.</p>\n         <note>\n            <p>Amazon Cognito can send email messages with Amazon Simple Email Service resources in the Amazon Web Services Region where\n                you created your user pool, and in alternate Regions in some cases. For more\n                information on the supported Regions, see <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-email.html\">Email settings for Amazon Cognito user pools</a>.</p>\n         </note>\n         <p>This data type is a request parameter of <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html\">CreateUserPool</a>, <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html\">UpdateUserPool</a>, and <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SetUserPoolMfaConfig.html\">SetUserPoolMfaConfig</a>, and a response parameter of\n                <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html\">CreateUserPool</a>, <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html\">UpdateUserPool</a>, and <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_GetUserPoolMfaConfig.html\">GetUserPoolMfaConfig</a>.</p>"
+      }
+    },
+    "com.amazonaws.cognitoidentityprovider#EmailInviteMessageType": {
+      "type": "string",
+      "traits": {
+        "smithy.api#length": {
+          "min": 6,
+          "max": 20000
+        },
+        "smithy.api#pattern": "^[\\p{L}\\p{M}\\p{S}\\p{N}\\p{P}\\s*]*$"
       }
     },
     "com.amazonaws.cognitoidentityprovider#EmailMfaConfigType": {
@@ -7958,7 +8794,7 @@
         }
       },
       "traits": {
-        "smithy.api#documentation": "<p>Sets or shows user pool email message configuration for MFA. Includes the subject and\n            body of the email message template for MFA messages. To activate this setting, <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-advanced-security.html\">\n                     advanced security features</a> must be active in your user pool.</p>"
+        "smithy.api#documentation": "<p>Sets or shows user pool email message configuration for MFA. Includes the subject and\n            body of the email message template for MFA messages. To activate this setting, <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-advanced-security.html\">\n                     advanced security features</a> must be active in your user pool.</p>\n         <p>This data type is a request parameter of <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SetUserPoolMfaConfig.html\">SetUserPoolMfaConfig</a> and a response parameter of <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_GetUserPoolMfaConfig.html\">GetUserPoolMfaConfig</a>.</p>"
       }
     },
     "com.amazonaws.cognitoidentityprovider#EmailMfaMessageType": {
@@ -7990,7 +8826,7 @@
         }
       },
       "traits": {
-        "smithy.api#documentation": "<p>User preferences for multi-factor authentication with email messages. Activates or\n            deactivates email MFA and sets it as the preferred MFA method when multiple methods are\n            available. To activate this setting, <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-advanced-security.html\">\n                     advanced security features</a> must be active in your user pool.</p>"
+        "smithy.api#documentation": "<p>User preferences for multi-factor authentication with email messages. Activates or\n            deactivates email MFA and sets it as the preferred MFA method when multiple methods are\n            available. To activate this setting, <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-advanced-security.html\">\n                     advanced security features</a> must be active in your user pool.</p>\n         <p>This data type is a request parameter of <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SetUserMFAPreference.html\">SetUserMFAPreference</a> and <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminSetUserMFAPreference.html\">AdminSetUserMFAPreference</a>. </p>"
       }
     },
     "com.amazonaws.cognitoidentityprovider#EmailMfaSubjectType": {
@@ -8124,7 +8960,7 @@
         }
       },
       "traits": {
-        "smithy.api#documentation": "<p>Specifies the user context data captured at the time of an event request.</p>"
+        "smithy.api#documentation": "<p>The context data that your application submitted in an authentication request with\n            advanced security features, as displayed in an <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminListUserAuthEvents.html\">AdminListUserAuthEvents</a> response.</p>"
       }
     },
     "com.amazonaws.cognitoidentityprovider#EventFeedbackType": {
@@ -8140,19 +8976,19 @@
         "Provider": {
           "target": "com.amazonaws.cognitoidentityprovider#StringType",
           "traits": {
-            "smithy.api#documentation": "<p>The provider.</p>",
+            "smithy.api#documentation": "<p>The submitter of the event feedback. For example, if you submit event feedback in the\n            Amazon Cognito console, this value is <code>Admin</code>.</p>",
             "smithy.api#required": {}
           }
         },
         "FeedbackDate": {
           "target": "com.amazonaws.cognitoidentityprovider#DateType",
           "traits": {
-            "smithy.api#documentation": "<p>The event feedback date.</p>"
+            "smithy.api#documentation": "<p>The date that you or your user submitted the feedback.</p>"
           }
         }
       },
       "traits": {
-        "smithy.api#documentation": "<p>Specifies the event feedback type.</p>"
+        "smithy.api#documentation": "<p>The feedback that your application submitted to an advanced security features event\n            log, as displayed in an <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminListUserAuthEvents.html\">AdminListUserAuthEvents</a> response.</p>"
       }
     },
     "com.amazonaws.cognitoidentityprovider#EventFilterType": {
@@ -8223,13 +9059,13 @@
         "RiskDecision": {
           "target": "com.amazonaws.cognitoidentityprovider#RiskDecisionType",
           "traits": {
-            "smithy.api#documentation": "<p>The risk decision.</p>"
+            "smithy.api#documentation": "<p>The action taken by adaptive authentication. If <code>NoRisk</code>, your user pool\n            took no action. If <code>AccountTakeover</code>, your user pool applied the adaptive\n            authentication automated response that you configured. If <code>Block</code>, your user\n            pool prevented the attempt.</p>"
           }
         },
         "RiskLevel": {
           "target": "com.amazonaws.cognitoidentityprovider#RiskLevelType",
           "traits": {
-            "smithy.api#documentation": "<p>The risk level.</p>"
+            "smithy.api#documentation": "<p>The risk level that adaptive authentication assessed for the authentication\n            event.</p>"
           }
         },
         "CompromisedCredentialsDetected": {
@@ -8240,7 +9076,7 @@
         }
       },
       "traits": {
-        "smithy.api#documentation": "<p>The event risk type.</p>"
+        "smithy.api#documentation": "<p>The risk evaluation by adaptive authentication, as displayed in an <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminListUserAuthEvents.html\">AdminListUserAuthEvents</a> response. Contains evaluations\n            of compromised-credentials detection and assessed risk level and action taken by\n            adaptive authentication.</p>"
       }
     },
     "com.amazonaws.cognitoidentityprovider#EventSourceName": {
@@ -8367,7 +9203,26 @@
           "traits": {
             "smithy.api#enumValue": "ALLOW_REFRESH_TOKEN_AUTH"
           }
+        },
+        "ALLOW_USER_AUTH": {
+          "target": "smithy.api#Unit",
+          "traits": {
+            "smithy.api#enumValue": "ALLOW_USER_AUTH"
+          }
+        }
+      }
+    },
+    "com.amazonaws.cognitoidentityprovider#FeatureUnavailableInTierException": {
+      "type": "structure",
+      "members": {
+        "message": {
+          "target": "com.amazonaws.cognitoidentityprovider#MessageType"
         }
+      },
+      "traits": {
+        "smithy.api#documentation": "<p>This exception is thrown when a feature you attempted to configure isn't\n            available in your current feature plan.</p>",
+        "smithy.api#error": "client",
+        "smithy.api#httpError": 403
       }
     },
     "com.amazonaws.cognitoidentityprovider#FeedbackValueType": {
@@ -8548,7 +9403,7 @@
       ],
       "traits": {
         "smithy.api#auth": [],
-        "smithy.api#documentation": "<p>Calling this API causes a message to be sent to the end user with a confirmation code\n            that is required to change the user's password. For the <code>Username</code> parameter,\n            you can use the username or user alias. The method used to send the confirmation code is\n            sent according to the specified AccountRecoverySetting. For more information, see <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/how-to-recover-a-user-account.html\">Recovering\n                User Accounts</a> in the <i>Amazon Cognito Developer Guide</i>. To\n            use the confirmation code for resetting the password, call <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_ConfirmForgotPassword.html\">ConfirmForgotPassword</a>. </p>\n         <p>If neither a verified phone number nor a verified email exists, this API returns\n                <code>InvalidParameterException</code>. If your app client has a client secret and\n            you don't provide a <code>SECRET_HASH</code> parameter, this API returns\n                <code>NotAuthorizedException</code>.</p>\n         <p>To use this API operation, your user pool must have self-service account recovery\n            configured. Use <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminSetUserPassword.html\">AdminSetUserPassword</a> if you manage passwords as an administrator.</p>\n         <note>\n            <p>Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For\n    this operation, you can't use IAM credentials to authorize requests, and you can't\n    grant IAM permissions in policies. For more information about authorization models in\n    Amazon Cognito, see <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html\">Using the Amazon Cognito user pools API and user pool endpoints</a>.</p>\n         </note>\n         <note>\n            <p>This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers\n            require you to register an origination phone number before you can send SMS messages\n            to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a\n            phone number with <a href=\"https://console.aws.amazon.com/pinpoint/home/\">Amazon Pinpoint</a>.\n            Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must\n            receive SMS messages might not be able to sign up, activate their accounts, or sign\n            in.</p>\n            <p>If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Servicesservice,\n            Amazon Simple Notification Service might place your account in the SMS sandbox. In <i>\n                  <a href=\"https://docs.aws.amazon.com/sns/latest/dg/sns-sms-sandbox.html\">sandbox\n                    mode</a>\n               </i>, you can send messages only to verified phone\n            numbers. After you test your app while in the sandbox environment, you can move out\n            of the sandbox and into production. For more information, see <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-sms-settings.html\"> SMS message settings for Amazon Cognito user pools</a> in the <i>Amazon Cognito\n                Developer Guide</i>.</p>\n         </note>",
+        "smithy.api#documentation": "<p>Calling this API causes a message to be sent to the end user with a confirmation code\n            that is required to change the user's password. For the <code>Username</code> parameter,\n            you can use the username or user alias. The method used to send the confirmation code is\n            sent according to the specified AccountRecoverySetting. For more information, see <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/how-to-recover-a-user-account.html\">Recovering\n                User Accounts</a> in the <i>Amazon Cognito Developer Guide</i>. To\n            use the confirmation code for resetting the password, call <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_ConfirmForgotPassword.html\">ConfirmForgotPassword</a>. </p>\n         <p>If neither a verified phone number nor a verified email exists, this API returns\n                <code>InvalidParameterException</code>. If your app client has a client secret and\n            you don't provide a <code>SECRET_HASH</code> parameter, this API returns\n                <code>NotAuthorizedException</code>.</p>\n         <p>To use this API operation, your user pool must have self-service account recovery\n            configured. Use <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminSetUserPassword.html\">AdminSetUserPassword</a> if you manage passwords as an administrator.</p>\n         <note>\n            <p>Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For\n    this operation, you can't use IAM credentials to authorize requests, and you can't\n    grant IAM permissions in policies. For more information about authorization models in\n    Amazon Cognito, see <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html\">Using the Amazon Cognito user pools API and user pool endpoints</a>.</p>\n         </note>\n         <note>\n            <p>This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers\n            require you to register an origination phone number before you can send SMS messages\n            to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a\n            phone number with <a href=\"https://console.aws.amazon.com/pinpoint/home/\">Amazon Pinpoint</a>.\n            Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must\n            receive SMS messages might not be able to sign up, activate their accounts, or sign\n            in.</p>\n            <p>If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Services service,\n            Amazon Simple Notification Service might place your account in the SMS sandbox. In <i>\n                  <a href=\"https://docs.aws.amazon.com/sns/latest/dg/sns-sms-sandbox.html\">sandbox\n                    mode</a>\n               </i>, you can send messages only to verified phone\n            numbers. After you test your app while in the sandbox environment, you can move out\n            of the sandbox and into production. For more information, see <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-sms-settings.html\"> SMS message settings for Amazon Cognito user pools</a> in the <i>Amazon Cognito\n                Developer Guide</i>.</p>\n         </note>",
         "smithy.api#optionalAuth": {}
       }
     },
@@ -9184,7 +10039,7 @@
       ],
       "traits": {
         "smithy.api#auth": [],
-        "smithy.api#documentation": "<p>Generates a user attribute verification code for the specified attribute name. Sends a\n            message to a user with a code that they must return in a VerifyUserAttribute\n            request.</p>\n         <p>Authorize this action with a signed-in user's access token. It must include the scope <code>aws.cognito.signin.user.admin</code>.</p>\n         <note>\n            <p>Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For\n    this operation, you can't use IAM credentials to authorize requests, and you can't\n    grant IAM permissions in policies. For more information about authorization models in\n    Amazon Cognito, see <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html\">Using the Amazon Cognito user pools API and user pool endpoints</a>.</p>\n         </note>\n         <note>\n            <p>This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers\n            require you to register an origination phone number before you can send SMS messages\n            to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a\n            phone number with <a href=\"https://console.aws.amazon.com/pinpoint/home/\">Amazon Pinpoint</a>.\n            Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must\n            receive SMS messages might not be able to sign up, activate their accounts, or sign\n            in.</p>\n            <p>If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Servicesservice,\n            Amazon Simple Notification Service might place your account in the SMS sandbox. In <i>\n                  <a href=\"https://docs.aws.amazon.com/sns/latest/dg/sns-sms-sandbox.html\">sandbox\n                    mode</a>\n               </i>, you can send messages only to verified phone\n            numbers. After you test your app while in the sandbox environment, you can move out\n            of the sandbox and into production. For more information, see <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-sms-settings.html\"> SMS message settings for Amazon Cognito user pools</a> in the <i>Amazon Cognito\n                Developer Guide</i>.</p>\n         </note>",
+        "smithy.api#documentation": "<p>Generates a user attribute verification code for the specified attribute name. Sends a\n            message to a user with a code that they must return in a VerifyUserAttribute\n            request.</p>\n         <p>Authorize this action with a signed-in user's access token. It must include the scope <code>aws.cognito.signin.user.admin</code>.</p>\n         <note>\n            <p>Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For\n    this operation, you can't use IAM credentials to authorize requests, and you can't\n    grant IAM permissions in policies. For more information about authorization models in\n    Amazon Cognito, see <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html\">Using the Amazon Cognito user pools API and user pool endpoints</a>.</p>\n         </note>\n         <note>\n            <p>This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers\n            require you to register an origination phone number before you can send SMS messages\n            to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a\n            phone number with <a href=\"https://console.aws.amazon.com/pinpoint/home/\">Amazon Pinpoint</a>.\n            Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must\n            receive SMS messages might not be able to sign up, activate their accounts, or sign\n            in.</p>\n            <p>If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Services service,\n            Amazon Simple Notification Service might place your account in the SMS sandbox. In <i>\n                  <a href=\"https://docs.aws.amazon.com/sns/latest/dg/sns-sms-sandbox.html\">sandbox\n                    mode</a>\n               </i>, you can send messages only to verified phone\n            numbers. After you test your app while in the sandbox environment, you can move out\n            of the sandbox and into production. For more information, see <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-sms-settings.html\"> SMS message settings for Amazon Cognito user pools</a> in the <i>Amazon Cognito\n                Developer Guide</i>.</p>\n         </note>",
         "smithy.api#optionalAuth": {}
       }
     },
@@ -9232,13 +10087,104 @@
         "smithy.api#output": {}
       }
     },
-    "com.amazonaws.cognitoidentityprovider#GetUserPoolMfaConfig": {
+    "com.amazonaws.cognitoidentityprovider#GetUserAuthFactors": {
       "type": "operation",
       "input": {
-        "target": "com.amazonaws.cognitoidentityprovider#GetUserPoolMfaConfigRequest"
+        "target": "com.amazonaws.cognitoidentityprovider#GetUserAuthFactorsRequest"
       },
       "output": {
-        "target": "com.amazonaws.cognitoidentityprovider#GetUserPoolMfaConfigResponse"
+        "target": "com.amazonaws.cognitoidentityprovider#GetUserAuthFactorsResponse"
+      },
+      "errors": [
+        {
+          "target": "com.amazonaws.cognitoidentityprovider#ForbiddenException"
+        },
+        {
+          "target": "com.amazonaws.cognitoidentityprovider#InternalErrorException"
+        },
+        {
+          "target": "com.amazonaws.cognitoidentityprovider#InvalidParameterException"
+        },
+        {
+          "target": "com.amazonaws.cognitoidentityprovider#NotAuthorizedException"
+        },
+        {
+          "target": "com.amazonaws.cognitoidentityprovider#PasswordResetRequiredException"
+        },
+        {
+          "target": "com.amazonaws.cognitoidentityprovider#ResourceNotFoundException"
+        },
+        {
+          "target": "com.amazonaws.cognitoidentityprovider#TooManyRequestsException"
+        },
+        {
+          "target": "com.amazonaws.cognitoidentityprovider#UserNotConfirmedException"
+        },
+        {
+          "target": "com.amazonaws.cognitoidentityprovider#UserNotFoundException"
+        }
+      ],
+      "traits": {
+        "smithy.api#auth": [],
+        "smithy.api#documentation": "<p>Lists the authentication options for the currently signed-in user. Returns the\n            following:</p>\n         <ol>\n            <li>\n               <p>The user's multi-factor authentication (MFA) preferences.</p>\n            </li>\n            <li>\n               <p>The user's options in the <code>USER_AUTH</code> flow that they can\n                    select in a <code>SELECT_CHALLENGE</code> response or request in a\n                        <code>PREFERRED_CHALLENGE</code>request.</p>\n            </li>\n         </ol>",
+        "smithy.api#optionalAuth": {}
+      }
+    },
+    "com.amazonaws.cognitoidentityprovider#GetUserAuthFactorsRequest": {
+      "type": "structure",
+      "members": {
+        "AccessToken": {
+          "target": "com.amazonaws.cognitoidentityprovider#TokenModelType",
+          "traits": {
+            "smithy.api#documentation": "<p>A valid access token that Amazon Cognito issued to the user whose authentication factors you\n            want to view.</p>",
+            "smithy.api#required": {}
+          }
+        }
+      },
+      "traits": {
+        "smithy.api#input": {}
+      }
+    },
+    "com.amazonaws.cognitoidentityprovider#GetUserAuthFactorsResponse": {
+      "type": "structure",
+      "members": {
+        "Username": {
+          "target": "com.amazonaws.cognitoidentityprovider#UsernameType",
+          "traits": {
+            "smithy.api#documentation": "<p>The username of the currently sign-in user.</p>",
+            "smithy.api#required": {}
+          }
+        },
+        "PreferredMfaSetting": {
+          "target": "com.amazonaws.cognitoidentityprovider#StringType",
+          "traits": {
+            "smithy.api#documentation": "<p>The user's preferred MFA setting.</p>"
+          }
+        },
+        "UserMFASettingList": {
+          "target": "com.amazonaws.cognitoidentityprovider#UserMFASettingListType",
+          "traits": {
+            "smithy.api#documentation": "<p>The MFA options that are activated for the user. The possible values in this list are\n                <code>SMS_MFA</code>, <code>EMAIL_OTP</code>, and\n            <code>SOFTWARE_TOKEN_MFA</code>.</p>"
+          }
+        },
+        "ConfiguredUserAuthFactors": {
+          "target": "com.amazonaws.cognitoidentityprovider#ConfiguredUserAuthFactorsListType",
+          "traits": {
+            "smithy.api#documentation": "<p>The authentication types that are available to the user with <code>USER_AUTH</code>\n            sign-in. </p>"
+          }
+        }
+      },
+      "traits": {
+        "smithy.api#output": {}
+      }
+    },
+    "com.amazonaws.cognitoidentityprovider#GetUserPoolMfaConfig": {
+      "type": "operation",
+      "input": {
+        "target": "com.amazonaws.cognitoidentityprovider#GetUserPoolMfaConfigRequest"
+      },
+      "output": {
+        "target": "com.amazonaws.cognitoidentityprovider#GetUserPoolMfaConfigResponse"
       },
       "errors": [
         {
@@ -9302,6 +10248,12 @@
           "traits": {
             "smithy.api#documentation": "<p>The multi-factor authentication (MFA) configuration. Valid values include:</p>\n         <ul>\n            <li>\n               <p>\n                  <code>OFF</code> MFA won't be used for any users.</p>\n            </li>\n            <li>\n               <p>\n                  <code>ON</code> MFA is required for all users to sign in.</p>\n            </li>\n            <li>\n               <p>\n                  <code>OPTIONAL</code> MFA will be required only for individual users who have\n                    an MFA factor activated.</p>\n            </li>\n         </ul>"
           }
+        },
+        "WebAuthnConfiguration": {
+          "target": "com.amazonaws.cognitoidentityprovider#WebAuthnConfigurationType",
+          "traits": {
+            "smithy.api#documentation": "<p>Shows user pool configuration for MFA with passkeys from biometric devices and\n            security keys.</p>"
+          }
         }
       },
       "traits": {
@@ -9356,7 +10308,7 @@
         "UserMFASettingList": {
           "target": "com.amazonaws.cognitoidentityprovider#UserMFASettingListType",
           "traits": {
-            "smithy.api#documentation": "<p>The MFA options that are activated for the user. The possible values in this list are\n            <code>SMS_MFA</code>, <code>EMAIL_OTP</code>, and <code>SOFTWARE_TOKEN_MFA</code>.</p>"
+            "smithy.api#documentation": "<p>The MFA options that are activated for the user. The possible values in this list are\n                <code>SMS_MFA</code>, <code>EMAIL_OTP</code>, and\n            <code>SOFTWARE_TOKEN_MFA</code>.</p>"
           }
         }
       },
@@ -9470,25 +10422,25 @@
         "UserPoolId": {
           "target": "com.amazonaws.cognitoidentityprovider#UserPoolIdType",
           "traits": {
-            "smithy.api#documentation": "<p>The user pool ID for the user pool.</p>"
+            "smithy.api#documentation": "<p>The ID of the user pool that contains the group.</p>"
           }
         },
         "Description": {
           "target": "com.amazonaws.cognitoidentityprovider#DescriptionType",
           "traits": {
-            "smithy.api#documentation": "<p>A string containing the description of the group.</p>"
+            "smithy.api#documentation": "<p>A friendly description of the group.</p>"
           }
         },
         "RoleArn": {
           "target": "com.amazonaws.cognitoidentityprovider#ArnType",
           "traits": {
-            "smithy.api#documentation": "<p>The role Amazon Resource Name (ARN) for the group.</p>"
+            "smithy.api#documentation": "<p>The ARN of the IAM role associated with the group. If a group has the highest\n            priority of a user's groups, users who authenticate with an identity pool get\n            credentials for the <code>RoleArn</code> that's associated with the group.</p>"
           }
         },
         "Precedence": {
           "target": "com.amazonaws.cognitoidentityprovider#PrecedenceType",
           "traits": {
-            "smithy.api#documentation": "<p>A non-negative integer value that specifies the precedence of this group relative to\n            the other groups that a user can belong to in the user pool. Zero is the highest\n            precedence value. Groups with lower <code>Precedence</code> values take precedence over\n            groups with higher ornull <code>Precedence</code> values. If a user belongs to two or\n            more groups, it is the group with the lowest precedence value whose role ARN is given in\n            the user's tokens for the <code>cognito:roles</code> and\n                <code>cognito:preferred_role</code> claims.</p>\n         <p>Two groups can have the same <code>Precedence</code> value. If this happens, neither\n            group takes precedence over the other. If two groups with the same\n                <code>Precedence</code> have the same role ARN, that role is used in the\n                <code>cognito:preferred_role</code> claim in tokens for users in each group. If the\n            two groups have different role ARNs, the <code>cognito:preferred_role</code> claim isn't\n            set in users' tokens.</p>\n         <p>The default <code>Precedence</code> value is null.</p>"
+            "smithy.api#documentation": "<p>A non-negative integer value that specifies the precedence of this group relative to\n            the other groups that a user can belong to in the user pool. Zero is the highest\n            precedence value. Groups with lower <code>Precedence</code> values take precedence over\n            groups with higher ornull <code>Precedence</code> values. If a user belongs to two or\n            more groups, it is the group with the lowest precedence value whose role ARN is given in\n            the user's tokens for the <code>cognito:roles</code> and\n                <code>cognito:preferred_role</code> claims.</p>\n         <p>Two groups can have the same <code>Precedence</code> value. If this happens, neither\n            group takes precedence over the other. If two groups with the same\n                <code>Precedence</code> have the same role ARN, that role is used in the\n                <code>cognito:preferred_role</code> claim in tokens for users in each group. If the\n            two groups have different role ARNs, the <code>cognito:preferred_role</code> claim isn't\n            set in users' tokens.</p>\n         <p>The default <code>Precedence</code> value is <code>null</code>.</p>"
           }
         },
         "LastModifiedDate": {
@@ -9505,7 +10457,7 @@
         }
       },
       "traits": {
-        "smithy.api#documentation": "<p>The group type.</p>"
+        "smithy.api#documentation": "<p>A user pool group. Contains details about the group and the way that it contributes to\n            IAM role decisions with identity pools. Identity pools can make decisions about the\n            IAM role to assign based on groups: users get credentials for the role associated with\n            their highest-priority group.</p>\n         <p>This data type is a response parameter of <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminListGroupsForUser.html\">AdminListGroupsForUser</a>, <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateGroup.html\">CreateGroup</a>, <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_GetGroup.html\">GetGroup</a>, <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_ListGroups.html\">ListGroups</a>, and <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateGroup.html\">UpdateGroup</a>.</p>"
       }
     },
     "com.amazonaws.cognitoidentityprovider#HexStringType": {
@@ -9531,7 +10483,7 @@
         }
       },
       "traits": {
-        "smithy.api#documentation": "<p>The HTTP header.</p>"
+        "smithy.api#documentation": "<p>The HTTP header in the <code>ContextData</code> parameter.</p>\n         <p>This data type is a request parameter of server-side authentication operations like\n                <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminInitiateAuth.html\">AdminInitiateAuth</a> and <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminRespondToAuthChallenge.html\">AdminRespondToAuthChallenge</a>.</p>"
       }
     },
     "com.amazonaws.cognitoidentityprovider#HttpHeaderList": {
@@ -9555,19 +10507,19 @@
         "UserPoolId": {
           "target": "com.amazonaws.cognitoidentityprovider#UserPoolIdType",
           "traits": {
-            "smithy.api#documentation": "<p>The user pool ID.</p>"
+            "smithy.api#documentation": "<p>The ID of the user pool associated with the IdP.</p>"
           }
         },
         "ProviderName": {
           "target": "com.amazonaws.cognitoidentityprovider#ProviderNameType",
           "traits": {
-            "smithy.api#documentation": "<p>The IdP name.</p>"
+            "smithy.api#documentation": "<p>A friendly name for the IdP.</p>"
           }
         },
         "ProviderType": {
           "target": "com.amazonaws.cognitoidentityprovider#IdentityProviderTypeType",
           "traits": {
-            "smithy.api#documentation": "<p>The IdP type.</p>"
+            "smithy.api#documentation": "<p>The type of IdP. Either SAML, OIDC, or a named social identity provider.</p>"
           }
         },
         "ProviderDetails": {
@@ -9585,7 +10537,7 @@
         "IdpIdentifiers": {
           "target": "com.amazonaws.cognitoidentityprovider#IdpIdentifiersListType",
           "traits": {
-            "smithy.api#documentation": "<p>A list of IdP identifiers.</p>"
+            "smithy.api#documentation": "<p>A list of IdP identifiers. IdP identifiers are strings that represent friendly names\n            or domain names of IdPs, for example <code>MyIdP</code> or\n            <code>auth.example.com</code>. You can choose to route user authorization requests to\n            the right IdP with either IdP identifiers or IdP names. For more information, see\n                <code>identity_provider</code> and <code>idp_identifier</code> at <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/authorization-endpoint.html#get-authorize-request-parameters\">Authorize endpoint</a>.</p>"
           }
         },
         "LastModifiedDate": {
@@ -9602,7 +10554,7 @@
         }
       },
       "traits": {
-        "smithy.api#documentation": "<p>A container for information about an IdP.</p>"
+        "smithy.api#documentation": "<p>A user pool identity provider (IdP). Contains information about a third-party IdP to a\n            user pool, the attributes that it populates to user profiles, and the trust relationship\n            between the IdP and your user pool.</p>\n         <p>This data type is a response parameter of <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateIdentityProvider.html\">CreateIdentityProvider</a>, <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeIdentityProvider.html\">DescribeIdentityProvider</a>, <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_GetIdentityProviderByIdentifier.html\">GetIdentityProviderByIdentifier</a>, and <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateIdentityProvider.html\">UpdateIdentityProvider</a>.</p>"
       }
     },
     "com.amazonaws.cognitoidentityprovider#IdentityProviderTypeType": {
@@ -9740,7 +10692,7 @@
       ],
       "traits": {
         "smithy.api#auth": [],
-        "smithy.api#documentation": "<p>Initiates sign-in for a user in the Amazon Cognito user directory. You can't sign in a user\n            with a federated IdP with <code>InitiateAuth</code>. For more information, see <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-identity-federation.html\"> Adding user pool sign-in through a third party</a>.</p>\n         <note>\n            <p>Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For\n    this operation, you can't use IAM credentials to authorize requests, and you can't\n    grant IAM permissions in policies. For more information about authorization models in\n    Amazon Cognito, see <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html\">Using the Amazon Cognito user pools API and user pool endpoints</a>.</p>\n         </note>\n         <note>\n            <p>This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers\n            require you to register an origination phone number before you can send SMS messages\n            to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a\n            phone number with <a href=\"https://console.aws.amazon.com/pinpoint/home/\">Amazon Pinpoint</a>.\n            Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must\n            receive SMS messages might not be able to sign up, activate their accounts, or sign\n            in.</p>\n            <p>If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Servicesservice,\n            Amazon Simple Notification Service might place your account in the SMS sandbox. In <i>\n                  <a href=\"https://docs.aws.amazon.com/sns/latest/dg/sns-sms-sandbox.html\">sandbox\n                    mode</a>\n               </i>, you can send messages only to verified phone\n            numbers. After you test your app while in the sandbox environment, you can move out\n            of the sandbox and into production. For more information, see <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-sms-settings.html\"> SMS message settings for Amazon Cognito user pools</a> in the <i>Amazon Cognito\n                Developer Guide</i>.</p>\n         </note>",
+        "smithy.api#documentation": "<p>Initiates sign-in for a user in the Amazon Cognito user directory. You can't sign in a user\n            with a federated IdP with <code>InitiateAuth</code>. For more information, see <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-identity-federation.html\"> Adding user pool sign-in through a third party</a>.</p>\n         <note>\n            <p>Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For\n    this operation, you can't use IAM credentials to authorize requests, and you can't\n    grant IAM permissions in policies. For more information about authorization models in\n    Amazon Cognito, see <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html\">Using the Amazon Cognito user pools API and user pool endpoints</a>.</p>\n         </note>\n         <note>\n            <p>This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers\n            require you to register an origination phone number before you can send SMS messages\n            to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a\n            phone number with <a href=\"https://console.aws.amazon.com/pinpoint/home/\">Amazon Pinpoint</a>.\n            Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must\n            receive SMS messages might not be able to sign up, activate their accounts, or sign\n            in.</p>\n            <p>If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Services service,\n            Amazon Simple Notification Service might place your account in the SMS sandbox. In <i>\n                  <a href=\"https://docs.aws.amazon.com/sns/latest/dg/sns-sms-sandbox.html\">sandbox\n                    mode</a>\n               </i>, you can send messages only to verified phone\n            numbers. After you test your app while in the sandbox environment, you can move out\n            of the sandbox and into production. For more information, see <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-sms-settings.html\"> SMS message settings for Amazon Cognito user pools</a> in the <i>Amazon Cognito\n                Developer Guide</i>.</p>\n         </note>",
         "smithy.api#examples": [
           {
             "title": "Example username and password sign-in for a user who has TOTP MFA",
@@ -9783,20 +10735,20 @@
         "AuthFlow": {
           "target": "com.amazonaws.cognitoidentityprovider#AuthFlowType",
           "traits": {
-            "smithy.api#documentation": "<p>The authentication flow for this call to run. The API action will depend on this\n            value. For example:</p>\n         <ul>\n            <li>\n               <p>\n                  <code>REFRESH_TOKEN_AUTH</code> takes in a valid refresh token and returns new\n                    tokens.</p>\n            </li>\n            <li>\n               <p>\n                  <code>USER_SRP_AUTH</code> takes in <code>USERNAME</code> and\n                        <code>SRP_A</code> and returns the SRP variables to be used for next\n                    challenge execution.</p>\n            </li>\n            <li>\n               <p>\n                  <code>USER_PASSWORD_AUTH</code> takes in <code>USERNAME</code> and\n                        <code>PASSWORD</code> and returns the next challenge or tokens.</p>\n            </li>\n         </ul>\n         <p>Valid values include:</p>\n         <ul>\n            <li>\n               <p>\n                  <code>USER_SRP_AUTH</code>: Authentication flow for the Secure Remote Password\n                    (SRP) protocol.</p>\n            </li>\n            <li>\n               <p>\n                  <code>REFRESH_TOKEN_AUTH</code>/<code>REFRESH_TOKEN</code>: Authentication\n                    flow for refreshing the access token and ID token by supplying a valid refresh\n                    token.</p>\n            </li>\n            <li>\n               <p>\n                  <code>CUSTOM_AUTH</code>: Custom authentication flow.</p>\n            </li>\n            <li>\n               <p>\n                  <code>USER_PASSWORD_AUTH</code>: Non-SRP authentication flow; user name and\n                    password are passed directly. If a user migration Lambda trigger is set, this\n                    flow will invoke the user migration Lambda if it doesn't find the user name in\n                    the user pool. </p>\n            </li>\n         </ul>\n         <p>\n            <code>ADMIN_NO_SRP_AUTH</code> isn't a valid value.</p>",
+            "smithy.api#documentation": "<p>The authentication flow that you want to initiate. The <code>AuthParameters</code>\n            that you must submit are linked to the flow that you submit. For example:</p>\n         <ul>\n            <li>\n               <p>\n                  <code>USER_AUTH</code>: Request a preferred authentication type or review\n                    available authentication types. From the offered authentication types, select\n                    one in a challenge response and then authenticate with that method in an\n                    additional challenge response.</p>\n            </li>\n            <li>\n               <p>\n                  <code>REFRESH_TOKEN_AUTH</code>: Receive new ID and access tokens when you\n                    pass a <code>REFRESH_TOKEN</code> parameter with a valid refresh token as the\n                    value.</p>\n            </li>\n            <li>\n               <p>\n                  <code>USER_SRP_AUTH</code>: Receive secure remote password (SRP) variables for\n                    the next challenge, <code>PASSWORD_VERIFIER</code>, when you pass\n                        <code>USERNAME</code> and <code>SRP_A</code> parameters.</p>\n            </li>\n            <li>\n               <p>\n                  <code>USER_PASSWORD_AUTH</code>: Receive new tokens or the next challenge, for\n                    example <code>SOFTWARE_TOKEN_MFA</code>, when you pass <code>USERNAME</code> and\n                        <code>PASSWORD</code> parameters.</p>\n            </li>\n         </ul>\n         <p>Valid values include the following:</p>\n         <dl>\n            <dt>USER_AUTH</dt>\n            <dd>\n               <p>The entry point for sign-in with passwords, one-time passwords, biometric\n                        devices, and security keys.</p>\n            </dd>\n            <dt>USER_SRP_AUTH</dt>\n            <dd>\n               <p>Username-password authentication with the Secure Remote Password (SRP)\n                        protocol. For more information, see <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-authentication-flow.html#Using-SRP-password-verification-in-custom-authentication-flow\">Use SRP password verification in custom\n                            authentication flow</a>.</p>\n            </dd>\n            <dt>REFRESH_TOKEN_AUTH and REFRESH_TOKEN</dt>\n            <dd>\n               <p>Provide a valid refresh token and receive new ID and access tokens. For\n                        more information, see <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-the-refresh-token.html\">Using the refresh token</a>.</p>\n            </dd>\n            <dt>CUSTOM_AUTH</dt>\n            <dd>\n               <p>Custom authentication with Lambda triggers. For more information, see\n                            <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-challenge.html\">Custom authentication challenge Lambda\n                            triggers</a>.</p>\n            </dd>\n            <dt>USER_PASSWORD_AUTH</dt>\n            <dd>\n               <p>Username-password authentication with the password sent directly in the\n                        request. For more information, see <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-authentication-flow.html#Built-in-authentication-flow-and-challenges\">Admin authentication flow</a>.</p>\n            </dd>\n         </dl>\n         <p>\n            <code>ADMIN_USER_PASSWORD_AUTH</code> is a flow type of <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminInitiateAuth.html\">AdminInitiateAuth</a> and isn't valid for InitiateAuth.\n                <code>ADMIN_NO_SRP_AUTH</code> is a legacy server-side username-password flow and\n            isn't valid for InitiateAuth.</p>",
             "smithy.api#required": {}
           }
         },
         "AuthParameters": {
           "target": "com.amazonaws.cognitoidentityprovider#AuthParametersType",
           "traits": {
-            "smithy.api#documentation": "<p>The authentication parameters. These are inputs corresponding to the\n                <code>AuthFlow</code> that you're invoking. The required values depend on the value\n            of <code>AuthFlow</code>:</p>\n         <ul>\n            <li>\n               <p>For <code>USER_SRP_AUTH</code>: <code>USERNAME</code> (required),\n                        <code>SRP_A</code> (required), <code>SECRET_HASH</code> (required if the app\n                    client is configured with a client secret), <code>DEVICE_KEY</code>.</p>\n            </li>\n            <li>\n               <p>For <code>USER_PASSWORD_AUTH</code>: <code>USERNAME</code> (required),\n                        <code>PASSWORD</code> (required), <code>SECRET_HASH</code> (required if the\n                    app client is configured with a client secret), <code>DEVICE_KEY</code>.</p>\n            </li>\n            <li>\n               <p>For <code>REFRESH_TOKEN_AUTH/REFRESH_TOKEN</code>: <code>REFRESH_TOKEN</code>\n                    (required), <code>SECRET_HASH</code> (required if the app client is configured\n                    with a client secret), <code>DEVICE_KEY</code>.</p>\n            </li>\n            <li>\n               <p>For <code>CUSTOM_AUTH</code>: <code>USERNAME</code> (required),\n                        <code>SECRET_HASH</code> (if app client is configured with client secret),\n                        <code>DEVICE_KEY</code>. To start the authentication flow with password\n                    verification, include <code>ChallengeName: SRP_A</code> and <code>SRP_A: (The\n                        SRP_A Value)</code>.</p>\n            </li>\n         </ul>\n         <p>For more information about <code>SECRET_HASH</code>, see <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/signing-up-users-in-your-app.html#cognito-user-pools-computing-secret-hash\">Computing secret hash values</a>. For information about\n            <code>DEVICE_KEY</code>, see <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-device-tracking.html\">Working with user devices in your user pool</a>.</p>"
+            "smithy.api#documentation": "<p>The authentication parameters. These are inputs corresponding to the\n                <code>AuthFlow</code> that you're invoking. The required values depend on the value\n            of <code>AuthFlow</code>:</p>\n         <ul>\n            <li>\n               <p>For <code>USER_AUTH</code>: <code>USERNAME</code> (required),\n                        <code>PREFERRED_CHALLENGE</code>. If you don't provide a value for\n                        <code>PREFERRED_CHALLENGE</code>, Amazon Cognito responds with the\n                        <code>AvailableChallenges</code> parameter that specifies the available\n                    sign-in methods.</p>\n            </li>\n            <li>\n               <p>For <code>USER_SRP_AUTH</code>: <code>USERNAME</code> (required),\n                        <code>SRP_A</code> (required), <code>SECRET_HASH</code> (required if the app\n                    client is configured with a client secret), <code>DEVICE_KEY</code>.</p>\n            </li>\n            <li>\n               <p>For <code>USER_PASSWORD_AUTH</code>: <code>USERNAME</code> (required),\n                        <code>PASSWORD</code> (required), <code>SECRET_HASH</code> (required if the\n                    app client is configured with a client secret), <code>DEVICE_KEY</code>.</p>\n            </li>\n            <li>\n               <p>For <code>REFRESH_TOKEN_AUTH/REFRESH_TOKEN</code>: <code>REFRESH_TOKEN</code>\n                    (required), <code>SECRET_HASH</code> (required if the app client is configured\n                    with a client secret), <code>DEVICE_KEY</code>.</p>\n            </li>\n            <li>\n               <p>For <code>CUSTOM_AUTH</code>: <code>USERNAME</code> (required),\n                        <code>SECRET_HASH</code> (if app client is configured with client secret),\n                        <code>DEVICE_KEY</code>. To start the authentication flow with password\n                    verification, include <code>ChallengeName: SRP_A</code> and <code>SRP_A: (The\n                        SRP_A Value)</code>.</p>\n            </li>\n         </ul>\n         <p>For more information about <code>SECRET_HASH</code>, see <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/signing-up-users-in-your-app.html#cognito-user-pools-computing-secret-hash\">Computing secret hash values</a>. For information about\n            <code>DEVICE_KEY</code>, see <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-device-tracking.html\">Working with user devices in your user pool</a>.</p>"
           }
         },
         "ClientMetadata": {
           "target": "com.amazonaws.cognitoidentityprovider#ClientMetadataType",
           "traits": {
-            "smithy.api#documentation": "<p>A map of custom key-value pairs that you can provide as input for certain custom\n            workflows that this action triggers.</p>\n         <p>You create custom workflows by assigning Lambda functions to user pool triggers.\n            When you use the InitiateAuth API action, Amazon Cognito invokes the Lambda functions that are\n            specified for various triggers. The ClientMetadata value is passed as input to the\n            functions for only the following triggers:</p>\n         <ul>\n            <li>\n               <p>Pre signup</p>\n            </li>\n            <li>\n               <p>Pre authentication</p>\n            </li>\n            <li>\n               <p>User migration</p>\n            </li>\n         </ul>\n         <p>When Amazon Cognito invokes the functions for these triggers, it passes a JSON payload, which\n            the function receives as input. This payload contains a <code>validationData</code>\n            attribute, which provides the data that you assigned to the ClientMetadata parameter in\n            your InitiateAuth request. In your function code in Lambda, you can process the\n                <code>validationData</code> value to enhance your workflow for your specific\n            needs.</p>\n         <p>When you use the InitiateAuth API action, Amazon Cognito also invokes the functions for the\n            following triggers, but it doesn't provide the ClientMetadata value as input:</p>\n         <ul>\n            <li>\n               <p>Post authentication</p>\n            </li>\n            <li>\n               <p>Custom message</p>\n            </li>\n            <li>\n               <p>Pre token generation</p>\n            </li>\n            <li>\n               <p>Create auth challenge</p>\n            </li>\n            <li>\n               <p>Define auth challenge</p>\n            </li>\n         </ul>\n         <p>For more information, see <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html\">\nCustomizing user pool Workflows with Lambda Triggers</a> in the <i>Amazon Cognito Developer Guide</i>.</p>\n         <note>\n            <p>When you use the ClientMetadata parameter, remember that Amazon Cognito won't do the\n                following:</p>\n            <ul>\n               <li>\n                  <p>Store the ClientMetadata value. This data is available only to Lambda\n                        triggers that are assigned to a user pool to support custom workflows. If\n                        your user pool configuration doesn't include triggers, the ClientMetadata\n                        parameter serves no purpose.</p>\n               </li>\n               <li>\n                  <p>Validate the ClientMetadata value.</p>\n               </li>\n               <li>\n                  <p>Encrypt the ClientMetadata value. Don't use Amazon Cognito to provide sensitive\n                        information.</p>\n               </li>\n            </ul>\n         </note>"
+            "smithy.api#documentation": "<p>A map of custom key-value pairs that you can provide as input for certain custom\n            workflows that this action triggers.</p>\n         <p>You create custom workflows by assigning Lambda functions to user pool triggers.\n            When you use the InitiateAuth API action, Amazon Cognito invokes the Lambda functions that are\n            specified for various triggers. The ClientMetadata value is passed as input to the\n            functions for only the following triggers:</p>\n         <ul>\n            <li>\n               <p>Pre signup</p>\n            </li>\n            <li>\n               <p>Pre authentication</p>\n            </li>\n            <li>\n               <p>User migration</p>\n            </li>\n         </ul>\n         <p>When Amazon Cognito invokes the functions for these triggers, it passes a JSON payload, which\n            the function receives as input. This payload contains a <code>validationData</code>\n            attribute, which provides the data that you assigned to the ClientMetadata parameter in\n            your InitiateAuth request. In your function code in Lambda, you can process the\n                <code>validationData</code> value to enhance your workflow for your specific\n            needs.</p>\n         <p>When you use the InitiateAuth API action, Amazon Cognito also invokes the functions for the\n            following triggers, but it doesn't provide the ClientMetadata value as input:</p>\n         <ul>\n            <li>\n               <p>Post authentication</p>\n            </li>\n            <li>\n               <p>Custom message</p>\n            </li>\n            <li>\n               <p>Pre token generation</p>\n            </li>\n            <li>\n               <p>Create auth challenge</p>\n            </li>\n            <li>\n               <p>Define auth challenge</p>\n            </li>\n            <li>\n               <p>Custom email sender</p>\n            </li>\n            <li>\n               <p>Custom SMS sender</p>\n            </li>\n         </ul>\n         <p>For more information, see <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html\">\nCustomizing user pool Workflows with Lambda Triggers</a> in the <i>Amazon Cognito Developer Guide</i>.</p>\n         <note>\n            <p>When you use the ClientMetadata parameter, remember that Amazon Cognito won't do the\n                following:</p>\n            <ul>\n               <li>\n                  <p>Store the ClientMetadata value. This data is available only to Lambda\n                        triggers that are assigned to a user pool to support custom workflows. If\n                        your user pool configuration doesn't include triggers, the ClientMetadata\n                        parameter serves no purpose.</p>\n               </li>\n               <li>\n                  <p>Validate the ClientMetadata value.</p>\n               </li>\n               <li>\n                  <p>Encrypt the ClientMetadata value. Don't use Amazon Cognito to provide sensitive\n                        information.</p>\n               </li>\n            </ul>\n         </note>"
           }
         },
         "ClientId": {
@@ -9817,6 +10769,12 @@
           "traits": {
             "smithy.api#documentation": "<p>Contextual data about your user session, such as the device fingerprint, IP address, or location. Amazon Cognito advanced \nsecurity evaluates the risk of an authentication event based on the context that your app generates and passes to Amazon Cognito\nwhen it makes API requests.</p>"
           }
+        },
+        "Session": {
+          "target": "com.amazonaws.cognitoidentityprovider#SessionType",
+          "traits": {
+            "smithy.api#documentation": "<p>The optional session ID from a <code>ConfirmSignUp</code> API request. You can sign in\n            a user directly from the sign-up process with the <code>USER_AUTH</code> authentication\n            flow.</p>"
+          }
         }
       },
       "traits": {
@@ -9830,19 +10788,19 @@
         "ChallengeName": {
           "target": "com.amazonaws.cognitoidentityprovider#ChallengeNameType",
           "traits": {
-            "smithy.api#documentation": "<p>The name of the challenge that you're responding to with this call. This name is\n            returned in the <code>InitiateAuth</code> response if you must pass another\n            challenge.</p>\n         <p>Valid values include the following:</p>\n         <note>\n            <p>All of the following challenges require <code>USERNAME</code> and\n                    <code>SECRET_HASH</code> (if applicable) in the parameters.</p>\n         </note>\n         <ul>\n            <li>\n               <p>\n                  <code>SMS_MFA</code>: Next challenge is to supply an\n                    <code>SMS_MFA_CODE</code>that your user pool delivered\n                    in an SMS message.</p>\n            </li>\n            <li>\n               <p>\n                  <code>EMAIL_OTP</code>: Next challenge is to supply an\n                    <code>EMAIL_OTP_CODE</code> that your user pool delivered \n                    in an email message.</p>\n            </li>\n            <li>\n               <p>\n                  <code>PASSWORD_VERIFIER</code>: Next challenge is to supply\n                        <code>PASSWORD_CLAIM_SIGNATURE</code>,\n                        <code>PASSWORD_CLAIM_SECRET_BLOCK</code>, and <code>TIMESTAMP</code> after\n                    the client-side SRP calculations.</p>\n            </li>\n            <li>\n               <p>\n                  <code>CUSTOM_CHALLENGE</code>: This is returned if your custom authentication\n                    flow determines that the user should pass another challenge before tokens are\n                    issued.</p>\n            </li>\n            <li>\n               <p>\n                  <code>DEVICE_SRP_AUTH</code>: If device tracking was activated on your user\n                    pool and the previous challenges were passed, this challenge is returned so that\n                    Amazon Cognito can start tracking this device.</p>\n            </li>\n            <li>\n               <p>\n                  <code>DEVICE_PASSWORD_VERIFIER</code>: Similar to\n                        <code>PASSWORD_VERIFIER</code>, but for devices only.</p>\n            </li>\n            <li>\n               <p>\n                  <code>NEW_PASSWORD_REQUIRED</code>: For users who are required to change their\n                    passwords after successful first login. </p>\n               <p>Respond to this challenge with <code>NEW_PASSWORD</code> and any required\n                    attributes that Amazon Cognito returned in the <code>requiredAttributes</code> parameter.\n                    You can also set values for attributes that aren't required by your user pool\n                    and that your app client can write. For more information, see <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_RespondToAuthChallenge.html\">RespondToAuthChallenge</a>.</p>\n               <note>\n                  <p>In a <code>NEW_PASSWORD_REQUIRED</code> challenge response, you can't modify a required attribute that already has a value. \nIn <code>RespondToAuthChallenge</code>, set a value for any keys that Amazon Cognito returned in the <code>requiredAttributes</code> parameter, \nthen use the <code>UpdateUserAttributes</code> API operation to modify the value of any additional attributes.</p>\n               </note>\n            </li>\n            <li>\n               <p>\n                  <code>MFA_SETUP</code>: For users who are required to setup an MFA factor\n                    before they can sign in. The MFA types activated for the user pool will be\n                    listed in the challenge parameters <code>MFAS_CAN_SETUP</code> value. </p>\n               <p> To set up software token MFA, use the session returned here from\n                        <code>InitiateAuth</code> as an input to\n                    <code>AssociateSoftwareToken</code>. Use the session returned by\n                        <code>VerifySoftwareToken</code> as an input to\n                        <code>RespondToAuthChallenge</code> with challenge name\n                        <code>MFA_SETUP</code> to complete sign-in. To set up SMS MFA, an\n                    administrator should help the user to add a phone number to their account, and\n                    then the user should call <code>InitiateAuth</code> again to restart\n                    sign-in.</p>\n            </li>\n         </ul>"
+            "smithy.api#documentation": "<p>The name of the challenge that you're responding to with this call. This name is\n            returned in the <code>InitiateAuth</code> response if you must pass another\n            challenge.</p>\n         <p>Valid values include the following:</p>\n         <note>\n            <p>All of the following challenges require <code>USERNAME</code> and\n                    <code>SECRET_HASH</code> (if applicable) in the parameters.</p>\n         </note>\n         <ul>\n            <li>\n               <p>\n                  <code>WEB_AUTHN</code>: Respond to the challenge with the results of a\n                    successful authentication with a passkey, or webauthN, factor. These are\n                    typically biometric devices or security keys.</p>\n            </li>\n            <li>\n               <p>\n                  <code>PASSWORD</code>: Respond with <code>USER_PASSWORD_AUTH</code>\n                    parameters: <code>USERNAME</code> (required), <code>PASSWORD</code> (required),\n                        <code>SECRET_HASH</code> (required if the app client is configured with a\n                    client secret), <code>DEVICE_KEY</code>.</p>\n            </li>\n            <li>\n               <p>\n                  <code>PASSWORD_SRP</code>: Respond with <code>USER_SRP_AUTH</code> parameters:\n                        <code>USERNAME</code> (required), <code>SRP_A</code> (required),\n                        <code>SECRET_HASH</code> (required if the app client is configured with a\n                    client secret), <code>DEVICE_KEY</code>.</p>\n            </li>\n            <li>\n               <p>\n                  <code>SELECT_CHALLENGE</code>: Respond to the challenge with\n                        <code>USERNAME</code> and an <code>ANSWER</code> that matches one of the\n                    challenge types in the <code>AvailableChallenges</code> response\n                    parameter.</p>\n            </li>\n            <li>\n               <p>\n                  <code>SMS_MFA</code>: Next challenge is to supply an\n                    <code>SMS_MFA_CODE</code>that your user pool delivered in an SMS message.</p>\n            </li>\n            <li>\n               <p>\n                  <code>EMAIL_OTP</code>: Next challenge is to supply an\n                        <code>EMAIL_OTP_CODE</code> that your user pool delivered in an email\n                    message.</p>\n            </li>\n            <li>\n               <p>\n                  <code>PASSWORD_VERIFIER</code>: Next challenge is to supply\n                        <code>PASSWORD_CLAIM_SIGNATURE</code>,\n                        <code>PASSWORD_CLAIM_SECRET_BLOCK</code>, and <code>TIMESTAMP</code> after\n                    the client-side SRP calculations.</p>\n            </li>\n            <li>\n               <p>\n                  <code>CUSTOM_CHALLENGE</code>: This is returned if your custom authentication\n                    flow determines that the user should pass another challenge before tokens are\n                    issued.</p>\n            </li>\n            <li>\n               <p>\n                  <code>DEVICE_SRP_AUTH</code>: If device tracking was activated on your user\n                    pool and the previous challenges were passed, this challenge is returned so that\n                    Amazon Cognito can start tracking this device.</p>\n            </li>\n            <li>\n               <p>\n                  <code>DEVICE_PASSWORD_VERIFIER</code>: Similar to\n                        <code>PASSWORD_VERIFIER</code>, but for devices only.</p>\n            </li>\n            <li>\n               <p>\n                  <code>NEW_PASSWORD_REQUIRED</code>: For users who are required to change their\n                    passwords after successful first login.</p>\n               <p>Respond to this challenge with <code>NEW_PASSWORD</code> and any required\n                    attributes that Amazon Cognito returned in the <code>requiredAttributes</code> parameter.\n                    You can also set values for attributes that aren't required by your user pool\n                    and that your app client can write. For more information, see <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_RespondToAuthChallenge.html\">RespondToAuthChallenge</a>.</p>\n               <p>Amazon Cognito only returns this challenge for users who have temporary passwords.\n                    Because of this, and because in some cases you can create users who don't have\n                    values for required attributes, take care to collect and submit\n                    required-attribute values for all users who don't have passwords. You can create\n                    a user in the Amazon Cognito console without, for example, a required\n                        <code>birthdate</code> attribute. The API response from Amazon Cognito won't prompt\n                    you to submit a birthdate for the user if they don't have a password.</p>\n               <note>\n                  <p>In a <code>NEW_PASSWORD_REQUIRED</code> challenge response, you can't modify a required attribute that already has a value. \nIn <code>RespondToAuthChallenge</code>, set a value for any keys that Amazon Cognito returned in the <code>requiredAttributes</code> parameter, \nthen use the <code>UpdateUserAttributes</code> API operation to modify the value of any additional attributes.</p>\n               </note>\n            </li>\n            <li>\n               <p>\n                  <code>MFA_SETUP</code>: For users who are required to setup an MFA factor\n                    before they can sign in. The MFA types activated for the user pool will be\n                    listed in the challenge parameters <code>MFAS_CAN_SETUP</code> value. </p>\n               <p> To set up software token MFA, use the session returned here from\n                        <code>InitiateAuth</code> as an input to\n                    <code>AssociateSoftwareToken</code>. Use the session returned by\n                        <code>VerifySoftwareToken</code> as an input to\n                        <code>RespondToAuthChallenge</code> with challenge name\n                        <code>MFA_SETUP</code> to complete sign-in. To set up SMS MFA, an\n                    administrator should help the user to add a phone number to their account, and\n                    then the user should call <code>InitiateAuth</code> again to restart\n                    sign-in.</p>\n            </li>\n         </ul>"
           }
         },
         "Session": {
           "target": "com.amazonaws.cognitoidentityprovider#SessionType",
           "traits": {
-            "smithy.api#documentation": "<p>The session that should pass both ways in challenge-response calls to the service. If\n            the caller must pass another challenge, they return a session with other challenge\n            parameters. This session should be passed as it is to the next\n                <code>RespondToAuthChallenge</code> API call.</p>"
+            "smithy.api#documentation": "<p>The session that should pass both ways in challenge-response calls to the service. If\n            the caller must pass another challenge, they return a session with other challenge\n            parameters. Include this session identifier in a <code>RespondToAuthChallenge</code> API\n            request.</p>"
           }
         },
         "ChallengeParameters": {
           "target": "com.amazonaws.cognitoidentityprovider#ChallengeParametersType",
           "traits": {
-            "smithy.api#documentation": "<p>The challenge parameters. These are returned in the <code>InitiateAuth</code> response\n            if you must pass another challenge. The responses in this parameter should be used to\n            compute inputs to the next call (<code>RespondToAuthChallenge</code>). </p>\n         <p>All challenges require <code>USERNAME</code> and <code>SECRET_HASH</code> (if\n            applicable).</p>"
+            "smithy.api#documentation": "<p>The challenge parameters. These are returned in the <code>InitiateAuth</code> response\n            if you must pass another challenge. The responses in this parameter should be used to\n            compute inputs to the next call (<code>RespondToAuthChallenge</code>). </p>\n         <p>All challenges require <code>USERNAME</code>. They also require\n                <code>SECRET_HASH</code> if your app client has a client secret.</p>"
           }
         },
         "AuthenticationResult": {
@@ -9850,6 +10808,12 @@
           "traits": {
             "smithy.api#documentation": "<p>The result of the authentication response. This result is only returned if the caller\n            doesn't need to pass another challenge. If the caller does need to pass another\n            challenge before it gets tokens, <code>ChallengeName</code>,\n                <code>ChallengeParameters</code>, and <code>Session</code> are returned.</p>"
           }
+        },
+        "AvailableChallenges": {
+          "target": "com.amazonaws.cognitoidentityprovider#AvailableChallengeListType",
+          "traits": {
+            "smithy.api#documentation": "<p>This response parameter prompts a user to select from multiple available challenges\n            that they can complete authentication with. For example, they might be able to continue\n            with passwordless authentication or with a one-time password from an SMS message.</p>"
+          }
         }
       },
       "traits": {
@@ -9931,6 +10895,12 @@
           "traits": {
             "smithy.api#documentation": "<p>The message returned when the Amazon Cognito service throws an invalid parameter\n            exception.</p>"
           }
+        },
+        "reasonCode": {
+          "target": "com.amazonaws.cognitoidentityprovider#InvalidParameterExceptionReasonCodeType",
+          "traits": {
+            "smithy.api#documentation": "<p>The reason code of the exception.</p>"
+          }
         }
       },
       "traits": {
@@ -9939,6 +10909,9 @@
         "smithy.api#httpError": 400
       }
     },
+    "com.amazonaws.cognitoidentityprovider#InvalidParameterExceptionReasonCodeType": {
+      "type": "string"
+    },
     "com.amazonaws.cognitoidentityprovider#InvalidPasswordException": {
       "type": "structure",
       "members": {
@@ -9982,7 +10955,7 @@
         }
       },
       "traits": {
-        "smithy.api#documentation": "<p>This exception is thrown when the trust relationship is not valid for the role\n            provided for SMS configuration. This can happen if you don't trust\n            <code>cognito-idp.amazonaws.com</code> or the external ID provided in the role does\n            not match what is provided in the SMS configuration for the user pool.</p>",
+        "smithy.api#documentation": "<p>This exception is thrown when the trust relationship is not valid for the role\n            provided for SMS configuration. This can happen if you don't trust\n                <code>cognito-idp.amazonaws.com</code> or the external ID provided in the role does\n            not match what is provided in the SMS configuration for the user pool.</p>",
         "smithy.api#error": "client",
         "smithy.api#httpError": 400
       }
@@ -10009,90 +10982,90 @@
         "PreSignUp": {
           "target": "com.amazonaws.cognitoidentityprovider#ArnType",
           "traits": {
-            "smithy.api#documentation": "<p>A pre-registration Lambda trigger.</p>"
+            "smithy.api#documentation": "<p>The configuration of a <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-sign-up.html\">pre sign-up Lambda trigger</a> in a user pool. This trigger\n            evaluates new users and can bypass confirmation, <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-identity-federation-consolidate-users.html\">link a federated user profile</a>, or block sign-up\n            requests.</p>"
           }
         },
         "CustomMessage": {
           "target": "com.amazonaws.cognitoidentityprovider#ArnType",
           "traits": {
-            "smithy.api#documentation": "<p>A custom Message Lambda trigger.</p>"
+            "smithy.api#documentation": "<p>A custom message Lambda trigger. This trigger is an opportunity to customize all SMS\n            and email messages from your user pool. When a custom message trigger is active, your\n            user pool routes all messages to a Lambda function that returns a runtime-customized\n            message subject and body for your user pool to deliver to a user.</p>"
           }
         },
         "PostConfirmation": {
           "target": "com.amazonaws.cognitoidentityprovider#ArnType",
           "traits": {
-            "smithy.api#documentation": "<p>A post-confirmation Lambda trigger.</p>"
+            "smithy.api#documentation": "<p>The configuration of a <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-post-confirmation.html\">post confirmation Lambda trigger</a> in a user pool. This\n            trigger can take custom actions after a user confirms their user account and their email\n            address or phone number.</p>"
           }
         },
         "PreAuthentication": {
           "target": "com.amazonaws.cognitoidentityprovider#ArnType",
           "traits": {
-            "smithy.api#documentation": "<p>A pre-authentication Lambda trigger.</p>"
+            "smithy.api#documentation": "<p>The configuration of a <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-authentication.html\">pre authentication trigger</a> in a user pool. This trigger\n            can evaluate and modify user sign-in events.</p>"
           }
         },
         "PostAuthentication": {
           "target": "com.amazonaws.cognitoidentityprovider#ArnType",
           "traits": {
-            "smithy.api#documentation": "<p>A post-authentication Lambda trigger.</p>"
+            "smithy.api#documentation": "<p>The configuration of a <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-post-authentication.html\">post authentication Lambda trigger</a> in a user pool. This\n            trigger can take custom actions after a user signs in.</p>"
           }
         },
         "DefineAuthChallenge": {
           "target": "com.amazonaws.cognitoidentityprovider#ArnType",
           "traits": {
-            "smithy.api#documentation": "<p>Defines the authentication challenge.</p>"
+            "smithy.api#documentation": "<p>The configuration of a define auth challenge Lambda trigger, one of three triggers in\n            the sequence of the <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-challenge.html\">custom authentication challenge triggers</a>.</p>"
           }
         },
         "CreateAuthChallenge": {
           "target": "com.amazonaws.cognitoidentityprovider#ArnType",
           "traits": {
-            "smithy.api#documentation": "<p>Creates an authentication challenge.</p>"
+            "smithy.api#documentation": "<p>The configuration of a create auth challenge Lambda trigger, one of three triggers in\n            the sequence of the <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-challenge.html\">custom authentication challenge triggers</a>.</p>"
           }
         },
         "VerifyAuthChallengeResponse": {
           "target": "com.amazonaws.cognitoidentityprovider#ArnType",
           "traits": {
-            "smithy.api#documentation": "<p>Verifies the authentication challenge response.</p>"
+            "smithy.api#documentation": "<p>The configuration of a verify auth challenge Lambda trigger, one of three triggers in\n            the sequence of the <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-challenge.html\">custom authentication challenge triggers</a>.</p>"
           }
         },
         "PreTokenGeneration": {
           "target": "com.amazonaws.cognitoidentityprovider#ArnType",
           "traits": {
-            "smithy.api#documentation": "<p>The Amazon Resource Name (ARN) of the function that you want to assign to your Lambda trigger.</p>\n         <p>Set this parameter for legacy purposes. If you also set an ARN in\n                <code>PreTokenGenerationConfig</code>, its value must be identical to\n                <code>PreTokenGeneration</code>. For new instances of pre token generation triggers,\n            set the <code>LambdaArn</code> of <code>PreTokenGenerationConfig</code>.</p>\n         <p>You can set <code></code>\n         </p>"
+            "smithy.api#documentation": "<p>The legacy configuration of a <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-token-generation.html\">pre token generation Lambda trigger</a> in a user\n            pool.</p>\n         <p>Set this parameter for legacy purposes. If you also set an ARN in\n                <code>PreTokenGenerationConfig</code>, its value must be identical to\n                <code>PreTokenGeneration</code>. For new instances of pre token generation triggers,\n            set the <code>LambdaArn</code> of <code>PreTokenGenerationConfig</code>.</p>"
           }
         },
         "UserMigration": {
           "target": "com.amazonaws.cognitoidentityprovider#ArnType",
           "traits": {
-            "smithy.api#documentation": "<p>The user migration Lambda config type.</p>"
+            "smithy.api#documentation": "<p>The configuration of a <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-migrate-user.html\">migrate user Lambda trigger</a> in a user pool. This trigger\n            can create user profiles when users sign in or attempt to reset their password with\n            credentials that don't exist yet.</p>"
           }
         },
         "PreTokenGenerationConfig": {
           "target": "com.amazonaws.cognitoidentityprovider#PreTokenGenerationVersionConfigType",
           "traits": {
-            "smithy.api#documentation": "<p>The detailed configuration of a pre token generation trigger. If you also set an ARN\n            in <code>PreTokenGeneration</code>, its value must be identical to\n                <code>PreTokenGenerationConfig</code>.</p>"
+            "smithy.api#documentation": "<p>The detailed configuration of a <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-token-generation.html\">pre token generation Lambda trigger</a> in a user pool. If\n            you also set an ARN in <code>PreTokenGeneration</code>, its value must be identical to\n                <code>PreTokenGenerationConfig</code>.</p>"
           }
         },
         "CustomSMSSender": {
           "target": "com.amazonaws.cognitoidentityprovider#CustomSMSLambdaVersionConfigType",
           "traits": {
-            "smithy.api#documentation": "<p>A custom SMS sender Lambda trigger.</p>"
+            "smithy.api#documentation": "<p>The configuration of a custom SMS sender Lambda trigger. This trigger routes all SMS\n            notifications from a user pool to a Lambda function that delivers the message using\n            custom logic.</p>"
           }
         },
         "CustomEmailSender": {
           "target": "com.amazonaws.cognitoidentityprovider#CustomEmailLambdaVersionConfigType",
           "traits": {
-            "smithy.api#documentation": "<p>A custom email sender Lambda trigger.</p>"
+            "smithy.api#documentation": "<p>The configuration of a custom email sender Lambda trigger. This trigger routes all\n            email notifications from a user pool to a Lambda function that delivers the message using\n            custom logic.</p>"
           }
         },
         "KMSKeyID": {
           "target": "com.amazonaws.cognitoidentityprovider#ArnType",
           "traits": {
-            "smithy.api#documentation": "<p>The Amazon Resource Name (ARN) of an <a href=\"/kms/latest/developerguide/concepts.html#master_keys\">KMS key</a>. Amazon Cognito\n            uses the key to encrypt codes and temporary passwords sent to\n                <code>CustomEmailSender</code> and <code>CustomSMSSender</code>.</p>"
+            "smithy.api#documentation": "<p>The ARN of an <a href=\"https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#master_keys\">KMS key</a>. Amazon Cognito uses the key to encrypt codes and temporary passwords sent to\n            custom sender Lambda triggers.</p>"
           }
         }
       },
       "traits": {
-        "smithy.api#documentation": "<p>Specifies the configuration for Lambda triggers.</p>"
+        "smithy.api#documentation": "<p>A collection of user pool Lambda triggers. Amazon Cognito invokes triggers at several possible\n            stages of user pool operations. Triggers can modify the outcome of the operations that\n            invoked them.</p>\n         <p>This data type is a request and response parameter of <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html\">CreateUserPool</a> and <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html\">UpdateUserPool</a>, and a response parameter of <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html\">DescribeUserPool</a>.</p>"
       }
     },
     "com.amazonaws.cognitoidentityprovider#LimitExceededException": {
@@ -11013,7 +11986,7 @@
         "Filter": {
           "target": "com.amazonaws.cognitoidentityprovider#UserFilterType",
           "traits": {
-            "smithy.api#documentation": "<p>A filter string of the form \"<i>AttributeName</i>\n            <i>Filter-Type</i> \"<i>AttributeValue</i>\"\". Quotation marks\n            within the filter string must be escaped using the backslash (<code>\\</code>) character.\n            For example, <code>\"family_name = \\\"Reddy\\\"\"</code>.</p>\n         <ul>\n            <li>\n               <p>\n                  <i>AttributeName</i>: The name of the attribute to search for.\n                    You can only search for one attribute at a time.</p>\n            </li>\n            <li>\n               <p>\n                  <i>Filter-Type</i>: For an exact match, use <code>=</code>, for\n                    example, \"<code>given_name = \\\"Jon\\\"</code>\". For a prefix (\"starts with\")\n                    match, use <code>^=</code>, for example, \"<code>given_name ^= \\\"Jon\\\"</code>\".\n                </p>\n            </li>\n            <li>\n               <p>\n                  <i>AttributeValue</i>: The attribute value that must be matched\n                    for each user.</p>\n            </li>\n         </ul>\n         <p>If the filter string is empty, <code>ListUsers</code> returns all users in the user\n            pool.</p>\n         <p>You can only search for the following standard attributes:</p>\n         <ul>\n            <li>\n               <p>\n                  <code>username</code> (case-sensitive)</p>\n            </li>\n            <li>\n               <p>\n                  <code>email</code>\n               </p>\n            </li>\n            <li>\n               <p>\n                  <code>phone_number</code>\n               </p>\n            </li>\n            <li>\n               <p>\n                  <code>name</code>\n               </p>\n            </li>\n            <li>\n               <p>\n                  <code>given_name</code>\n               </p>\n            </li>\n            <li>\n               <p>\n                  <code>family_name</code>\n               </p>\n            </li>\n            <li>\n               <p>\n                  <code>preferred_username</code>\n               </p>\n            </li>\n            <li>\n               <p>\n                  <code>cognito:user_status</code> (called <b>Status</b> in the Console) (case-insensitive)</p>\n            </li>\n            <li>\n               <p>\n                  <code>status (called <b>Enabled</b> in the Console)\n                        (case-sensitive)</code>\n               </p>\n            </li>\n            <li>\n               <p>\n                  <code>sub</code>\n               </p>\n            </li>\n         </ul>\n         <p>Custom attributes aren't searchable.</p>\n         <note>\n            <p>You can also list users with a client-side filter. The server-side filter matches\n                no more than one attribute. For an advanced search, use a client-side filter with\n                the <code>--query</code> parameter of the <code>list-users</code> action in the\n                CLI. When you use a client-side filter, ListUsers returns a paginated list of zero\n                or more users. You can receive multiple pages in a row with zero results. Repeat the\n                query with each pagination token that is returned until you receive a null\n                pagination token value, and then review the combined result. </p>\n            <p>For more information about server-side and client-side filtering, see <a href=\"https://docs.aws.amazon.com/cli/latest/userguide/cli-usage-filter.html\">FilteringCLI output</a> in the <a href=\"https://docs.aws.amazon.com/cli/latest/userguide/cli-usage-filter.html\">Command Line Interface\n                    User Guide</a>. </p>\n         </note>\n         <p>For more information, see <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/how-to-manage-user-accounts.html#cognito-user-pools-searching-for-users-using-listusers-api\">Searching for Users Using the ListUsers API</a> and <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/how-to-manage-user-accounts.html#cognito-user-pools-searching-for-users-listusers-api-examples\">Examples of Using the ListUsers API</a> in the <i>Amazon Cognito Developer\n                Guide</i>.</p>"
+            "smithy.api#documentation": "<p>A filter string of the form <code>\"AttributeName Filter-Type \"AttributeValue\"</code>.\n            Quotation marks within the filter string must be escaped using the backslash\n                (<code>\\</code>) character. For example, <code>\"family_name =\n            \\\"Reddy\\\"\"</code>.</p>\n         <ul>\n            <li>\n               <p>\n                  <i>AttributeName</i>: The name of the attribute to search for.\n                    You can only search for one attribute at a time.</p>\n            </li>\n            <li>\n               <p>\n                  <i>Filter-Type</i>: For an exact match, use <code>=</code>, for\n                    example, \"<code>given_name = \\\"Jon\\\"</code>\". For a prefix (\"starts with\")\n                    match, use <code>^=</code>, for example, \"<code>given_name ^= \\\"Jon\\\"</code>\".\n                </p>\n            </li>\n            <li>\n               <p>\n                  <i>AttributeValue</i>: The attribute value that must be matched\n                    for each user.</p>\n            </li>\n         </ul>\n         <p>If the filter string is empty, <code>ListUsers</code> returns all users in the user\n            pool.</p>\n         <p>You can only search for the following standard attributes:</p>\n         <ul>\n            <li>\n               <p>\n                  <code>username</code> (case-sensitive)</p>\n            </li>\n            <li>\n               <p>\n                  <code>email</code>\n               </p>\n            </li>\n            <li>\n               <p>\n                  <code>phone_number</code>\n               </p>\n            </li>\n            <li>\n               <p>\n                  <code>name</code>\n               </p>\n            </li>\n            <li>\n               <p>\n                  <code>given_name</code>\n               </p>\n            </li>\n            <li>\n               <p>\n                  <code>family_name</code>\n               </p>\n            </li>\n            <li>\n               <p>\n                  <code>preferred_username</code>\n               </p>\n            </li>\n            <li>\n               <p>\n                  <code>cognito:user_status</code> (called <b>Status</b> in the Console) (case-insensitive)</p>\n            </li>\n            <li>\n               <p>\n                  <code>status (called <b>Enabled</b> in the Console)\n                        (case-sensitive)</code>\n               </p>\n            </li>\n            <li>\n               <p>\n                  <code>sub</code>\n               </p>\n            </li>\n         </ul>\n         <p>Custom attributes aren't searchable.</p>\n         <note>\n            <p>You can also list users with a client-side filter. The server-side filter matches\n                no more than one attribute. For an advanced search, use a client-side filter with\n                the <code>--query</code> parameter of the <code>list-users</code> action in the\n                CLI. When you use a client-side filter, ListUsers returns a paginated list of zero\n                or more users. You can receive multiple pages in a row with zero results. Repeat the\n                query with each pagination token that is returned until you receive a null\n                pagination token value, and then review the combined result. </p>\n            <p>For more information about server-side and client-side filtering, see <a href=\"https://docs.aws.amazon.com/cli/latest/userguide/cli-usage-filter.html\">FilteringCLI output</a> in the <a href=\"https://docs.aws.amazon.com/cli/latest/userguide/cli-usage-filter.html\">Command Line Interface\n                    User Guide</a>. </p>\n         </note>\n         <p>For more information, see <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/how-to-manage-user-accounts.html#cognito-user-pools-searching-for-users-using-listusers-api\">Searching for Users Using the ListUsers API</a> and <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/how-to-manage-user-accounts.html#cognito-user-pools-searching-for-users-listusers-api-examples\">Examples of Using the ListUsers API</a> in the <i>Amazon Cognito Developer\n                Guide</i>.</p>"
           }
         }
       },
@@ -11043,6 +12016,82 @@
         "smithy.api#output": {}
       }
     },
+    "com.amazonaws.cognitoidentityprovider#ListWebAuthnCredentials": {
+      "type": "operation",
+      "input": {
+        "target": "com.amazonaws.cognitoidentityprovider#ListWebAuthnCredentialsRequest"
+      },
+      "output": {
+        "target": "com.amazonaws.cognitoidentityprovider#ListWebAuthnCredentialsResponse"
+      },
+      "errors": [
+        {
+          "target": "com.amazonaws.cognitoidentityprovider#ForbiddenException"
+        },
+        {
+          "target": "com.amazonaws.cognitoidentityprovider#InternalErrorException"
+        },
+        {
+          "target": "com.amazonaws.cognitoidentityprovider#InvalidParameterException"
+        },
+        {
+          "target": "com.amazonaws.cognitoidentityprovider#NotAuthorizedException"
+        }
+      ],
+      "traits": {
+        "smithy.api#auth": [],
+        "smithy.api#documentation": "<p>Generates a list of the current user's registered passkey, or webauthN,\n            credentials.</p>",
+        "smithy.api#optionalAuth": {}
+      }
+    },
+    "com.amazonaws.cognitoidentityprovider#ListWebAuthnCredentialsRequest": {
+      "type": "structure",
+      "members": {
+        "AccessToken": {
+          "target": "com.amazonaws.cognitoidentityprovider#TokenModelType",
+          "traits": {
+            "smithy.api#documentation": "<p>A valid access token that Amazon Cognito issued to the user whose registered passkeys you want\n            to list.</p>",
+            "smithy.api#required": {}
+          }
+        },
+        "NextToken": {
+          "target": "com.amazonaws.cognitoidentityprovider#PaginationKey",
+          "traits": {
+            "smithy.api#documentation": "<p>An identifier that was returned from the previous call to this operation, which can be\n            used to return the next set of items in the list.</p>"
+          }
+        },
+        "MaxResults": {
+          "target": "com.amazonaws.cognitoidentityprovider#WebAuthnCredentialsQueryLimitType",
+          "traits": {
+            "smithy.api#documentation": "<p>The maximum number of the user's passkey credentials that you want to\n            return.</p>"
+          }
+        }
+      },
+      "traits": {
+        "smithy.api#input": {}
+      }
+    },
+    "com.amazonaws.cognitoidentityprovider#ListWebAuthnCredentialsResponse": {
+      "type": "structure",
+      "members": {
+        "Credentials": {
+          "target": "com.amazonaws.cognitoidentityprovider#WebAuthnCredentialDescriptionListType",
+          "traits": {
+            "smithy.api#documentation": "<p>A list of registered passkeys for a user.</p>",
+            "smithy.api#required": {}
+          }
+        },
+        "NextToken": {
+          "target": "com.amazonaws.cognitoidentityprovider#PaginationKey",
+          "traits": {
+            "smithy.api#documentation": "<p>An identifier that you can use in a later request to return the next set of items in\n            the list.</p>"
+          }
+        }
+      },
+      "traits": {
+        "smithy.api#output": {}
+      }
+    },
     "com.amazonaws.cognitoidentityprovider#LogConfigurationListType": {
       "type": "list",
       "member": {
@@ -11092,7 +12141,7 @@
         }
       },
       "traits": {
-        "smithy.api#documentation": "<p>The logging parameters of a user pool.</p>"
+        "smithy.api#documentation": "<p>The configuration of user event logs to an external Amazon Web Services service like\n                Amazon Data Firehose, Amazon S3, or Amazon CloudWatch Logs.</p>\n         <p>This data type is a request parameter of <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SetLogDeliveryConfiguration.html\">SetLogDeliveryConfiguration</a> and a response parameter of\n                <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_GetLogDeliveryConfiguration.html\">GetLogDeliveryConfiguration</a>.</p>"
       }
     },
     "com.amazonaws.cognitoidentityprovider#LogDeliveryConfigurationType": {
@@ -11114,7 +12163,7 @@
         }
       },
       "traits": {
-        "smithy.api#documentation": "<p>The logging parameters of a user pool returned in response to\n                <code>GetLogDeliveryConfiguration</code>.</p>"
+        "smithy.api#documentation": "<p>The logging parameters of a user pool, as returned in the response to a <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_GetLogDeliveryConfiguration.html\">GetLogDeliveryConfiguration</a> request.</p>"
       }
     },
     "com.amazonaws.cognitoidentityprovider#LogLevel": {
@@ -11194,6 +12243,76 @@
         "smithy.api#documentation": "<p>\n            <i>This data type is no longer supported.</i> Applies only to SMS\n            multi-factor authentication (MFA) configurations. Does not apply to time-based one-time\n            password (TOTP) software token MFA configurations.</p>"
       }
     },
+    "com.amazonaws.cognitoidentityprovider#ManagedLoginBrandingExistsException": {
+      "type": "structure",
+      "members": {
+        "message": {
+          "target": "com.amazonaws.cognitoidentityprovider#MessageType"
+        }
+      },
+      "traits": {
+        "smithy.api#documentation": "<p>This exception is thrown when you attempt to apply a managed login branding style to\n            an app client that already has an assigned style.</p>",
+        "smithy.api#error": "client",
+        "smithy.api#httpError": 400
+      }
+    },
+    "com.amazonaws.cognitoidentityprovider#ManagedLoginBrandingIdType": {
+      "type": "string",
+      "traits": {
+        "smithy.api#pattern": "^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[4][0-9a-fA-F]{3}-[89abAB][0-9a-fA-F]{3}-[0-9a-fA-F]{12}$"
+      }
+    },
+    "com.amazonaws.cognitoidentityprovider#ManagedLoginBrandingType": {
+      "type": "structure",
+      "members": {
+        "ManagedLoginBrandingId": {
+          "target": "com.amazonaws.cognitoidentityprovider#ManagedLoginBrandingIdType",
+          "traits": {
+            "smithy.api#documentation": "<p>The ID of the managed login branding style.</p>"
+          }
+        },
+        "UserPoolId": {
+          "target": "com.amazonaws.cognitoidentityprovider#UserPoolIdType",
+          "traits": {
+            "smithy.api#documentation": "<p>The user pool where the branding style is assigned.</p>"
+          }
+        },
+        "UseCognitoProvidedValues": {
+          "target": "com.amazonaws.cognitoidentityprovider#BooleanType",
+          "traits": {
+            "smithy.api#default": false,
+            "smithy.api#documentation": "<p>When true, applies the default branding style options. This option reverts to a\n            \"blank\" style that you can modify later in the branding designer.</p>"
+          }
+        },
+        "Settings": {
+          "target": "com.amazonaws.cognitoidentityprovider#Document",
+          "traits": {
+            "smithy.api#documentation": "<p>A JSON file, encoded as a <code>Document</code> type, with the the settings that you\n            want to apply to your style.</p>"
+          }
+        },
+        "Assets": {
+          "target": "com.amazonaws.cognitoidentityprovider#AssetListType",
+          "traits": {
+            "smithy.api#documentation": "<p>An array of image files that you want to apply to roles like backgrounds, logos, and\n            icons. Each object must also indicate whether it is for dark mode, light mode, or\n            browser-adaptive mode.</p>"
+          }
+        },
+        "CreationDate": {
+          "target": "com.amazonaws.cognitoidentityprovider#DateType",
+          "traits": {
+            "smithy.api#documentation": "<p>The date and time when the item was created. Amazon Cognito returns this timestamp in UNIX epoch time format. Your SDK might render the output in a \nhuman-readable format like ISO 8601 or a Java <code>Date</code> object.</p>"
+          }
+        },
+        "LastModifiedDate": {
+          "target": "com.amazonaws.cognitoidentityprovider#DateType",
+          "traits": {
+            "smithy.api#documentation": "<p>The date and time when the item was modified. Amazon Cognito returns this timestamp in UNIX epoch time format. Your SDK might render the output in a \nhuman-readable format like ISO 8601 or a Java <code>Date</code> object.</p>"
+          }
+        }
+      },
+      "traits": {
+        "smithy.api#documentation": "<p>A managed login branding style that's assigned to a user pool app client.</p>\n         <p>This data type is a response parameter of <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateManagedLoginBranding.html\">CreateManagedLoginBranding</a>, <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateManagedLoginBranding.html\">UpdateManagedLoginBranding</a>, <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeManagedLoginBranding.html\">DescribeManagedLoginBranding</a>, and <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeManagedLoginBrandingByClient.html\">DescribeManagedLoginBrandingByClient</a>.</p>"
+      }
+    },
     "com.amazonaws.cognitoidentityprovider#MessageActionType": {
       "type": "enum",
       "members": {
@@ -11215,13 +12334,13 @@
       "type": "structure",
       "members": {
         "SMSMessage": {
-          "target": "com.amazonaws.cognitoidentityprovider#SmsVerificationMessageType",
+          "target": "com.amazonaws.cognitoidentityprovider#SmsInviteMessageType",
           "traits": {
             "smithy.api#documentation": "<p>The message template for SMS messages.</p>"
           }
         },
         "EmailMessage": {
-          "target": "com.amazonaws.cognitoidentityprovider#EmailVerificationMessageType",
+          "target": "com.amazonaws.cognitoidentityprovider#EmailInviteMessageType",
           "traits": {
             "smithy.api#documentation": "<p>The message template for email messages. EmailMessage is allowed only if <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_EmailConfigurationType.html#CognitoUserPools-Type-EmailConfigurationType-EmailSendingAccount\">EmailSendingAccount</a> is DEVELOPER. </p>"
           }
@@ -11246,18 +12365,18 @@
         "DeviceKey": {
           "target": "com.amazonaws.cognitoidentityprovider#DeviceKeyType",
           "traits": {
-            "smithy.api#documentation": "<p>The device key.</p>"
+            "smithy.api#documentation": "<p>The device key, an identifier used in generating the\n                <code>DEVICE_PASSWORD_VERIFIER</code> for device SRP authentication.</p>"
           }
         },
         "DeviceGroupKey": {
           "target": "com.amazonaws.cognitoidentityprovider#StringType",
           "traits": {
-            "smithy.api#documentation": "<p>The device group key.</p>"
+            "smithy.api#documentation": "<p>The device group key, an identifier used in generating the\n                <code>DEVICE_PASSWORD_VERIFIER</code> for device SRP authentication.</p>"
           }
         }
       },
       "traits": {
-        "smithy.api#documentation": "<p>The new device metadata type.</p>"
+        "smithy.api#documentation": "<p>Information that your user pool responds with in <code>AuthenticationResult</code>when\n            you configure it to remember devices and a user signs in with an unrecognized device.\n            Amazon Cognito presents a new device key that you can use to set up <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-device-tracking.html\">device authentication</a> in a \"Remember me on this device\"\n            authentication model.</p>\n         <p>This data type is a response parameter of authentication operations like <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_InitiateAuth.html\">InitiateAuth</a>, <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminInitiateAuth.html\">AdminInitiateAuth</a>, <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_RespondToAuthChallenge.html\">RespondToAuthChallenge</a>, and <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminRespondToAuthChallenge.html\">AdminRespondToAuthChallenge</a>.</p>"
       }
     },
     "com.amazonaws.cognitoidentityprovider#NotAuthorizedException": {
@@ -11282,13 +12401,13 @@
         "From": {
           "target": "com.amazonaws.cognitoidentityprovider#StringType",
           "traits": {
-            "smithy.api#documentation": "<p>The email address that is sending the email. The address must be either individually\n            verified with Amazon Simple Email Service, or from a domain that has been verified with Amazon SES.</p>"
+            "smithy.api#documentation": "<p>The email address that sends the email message. The address must be either\n            individually verified with Amazon Simple Email Service, or from a domain that has been verified with\n            Amazon SES.</p>"
           }
         },
         "ReplyTo": {
           "target": "com.amazonaws.cognitoidentityprovider#StringType",
           "traits": {
-            "smithy.api#documentation": "<p>The destination to which the receiver of an email should reply to.</p>"
+            "smithy.api#documentation": "<p>The reply-to email address of an email template.</p>"
           }
         },
         "SourceArn": {
@@ -11301,24 +12420,24 @@
         "BlockEmail": {
           "target": "com.amazonaws.cognitoidentityprovider#NotifyEmailType",
           "traits": {
-            "smithy.api#documentation": "<p>Email template used when a detected risk event is blocked.</p>"
+            "smithy.api#documentation": "<p>The template for the email message that your user pool sends when a detected risk\n            event is blocked.</p>"
           }
         },
         "NoActionEmail": {
           "target": "com.amazonaws.cognitoidentityprovider#NotifyEmailType",
           "traits": {
-            "smithy.api#documentation": "<p>The email template used when a detected risk event is allowed.</p>"
+            "smithy.api#documentation": "<p>The template for the email message that your user pool sends when no action is taken\n            in response to a detected risk.</p>"
           }
         },
         "MfaEmail": {
           "target": "com.amazonaws.cognitoidentityprovider#NotifyEmailType",
           "traits": {
-            "smithy.api#documentation": "<p>The multi-factor authentication (MFA) email template used when MFA is challenged as\n            part of a detected risk.</p>"
+            "smithy.api#documentation": "<p>The template for the email message that your user pool sends when MFA is challenged in\n            response to a detected risk.</p>"
           }
         }
       },
       "traits": {
-        "smithy.api#documentation": "<p>The notify configuration type.</p>"
+        "smithy.api#documentation": "<p>The configuration for Amazon SES email messages that advanced security features sends to a\n            user when your adaptive authentication automated response has a\n                <i>Notify</i> action.</p>\n         <p>This data type is a request parameter of <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SetRiskConfiguration.html\">SetRiskConfiguration</a> and a response parameter of <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeRiskConfiguration.html\">DescribeRiskConfiguration</a>.</p>"
       }
     },
     "com.amazonaws.cognitoidentityprovider#NotifyEmailType": {
@@ -11327,25 +12446,25 @@
         "Subject": {
           "target": "com.amazonaws.cognitoidentityprovider#EmailNotificationSubjectType",
           "traits": {
-            "smithy.api#documentation": "<p>The email subject.</p>",
+            "smithy.api#documentation": "<p>The subject of the threat protection email notification.</p>",
             "smithy.api#required": {}
           }
         },
         "HtmlBody": {
           "target": "com.amazonaws.cognitoidentityprovider#EmailNotificationBodyType",
           "traits": {
-            "smithy.api#documentation": "<p>The email HTML body.</p>"
+            "smithy.api#documentation": "<p>The body of an email notification formatted in HTML. Choose an <code>HtmlBody</code>\n            or a <code>TextBody</code> to send an HTML-formatted or plaintext message,\n            respectively.</p>"
           }
         },
         "TextBody": {
           "target": "com.amazonaws.cognitoidentityprovider#EmailNotificationBodyType",
           "traits": {
-            "smithy.api#documentation": "<p>The email text body.</p>"
+            "smithy.api#documentation": "<p>The body of an email notification formatted in plaintext. Choose an\n                <code>HtmlBody</code> or a <code>TextBody</code> to send an HTML-formatted or\n            plaintext message, respectively.</p>"
           }
         }
       },
       "traits": {
-        "smithy.api#documentation": "<p>The notify email type.</p>"
+        "smithy.api#documentation": "<p>The template for email messages that advanced security features sends to a user when\n            your threat protection automated response has a <i>Notify</i>\n            action.</p>\n         <p>This data type is a request parameter of <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SetRiskConfiguration.html\">SetRiskConfiguration</a> and a response parameter of <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeRiskConfiguration.html\">DescribeRiskConfiguration</a>.</p>"
       }
     },
     "com.amazonaws.cognitoidentityprovider#NumberAttributeConstraintsType": {
@@ -11365,7 +12484,7 @@
         }
       },
       "traits": {
-        "smithy.api#documentation": "<p>The minimum and maximum values of an attribute that is of the number data type.</p>"
+        "smithy.api#documentation": "<p>The minimum and maximum values of an attribute that is of the number type, for example\n                <code>custom:age</code>.</p>\n         <p>This data type is part of <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SchemaAttributeType.html\">SchemaAttributeType</a>. It defines the length constraints\n            on number-type attributes that you configure in <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html\">CreateUserPool</a> and <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html\">UpdateUserPool</a>, and displays the length constraints of\n            all number-type attributes in the response to <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html\">DescribeUserPool</a>\n         </p>"
       }
     },
     "com.amazonaws.cognitoidentityprovider#OAuthFlowType": {
@@ -11430,7 +12549,7 @@
         }
       },
       "traits": {
-        "smithy.api#documentation": "<p>The message returned when a user's new password matches a previous password and \n            doesn't comply with the password-history policy.</p>",
+        "smithy.api#documentation": "<p>The message returned when a user's new password matches a previous password and\n            doesn't comply with the password-history policy.</p>",
         "smithy.api#error": "client",
         "smithy.api#httpError": 400
       }
@@ -11466,28 +12585,28 @@
           "target": "com.amazonaws.cognitoidentityprovider#BooleanType",
           "traits": {
             "smithy.api#default": false,
-            "smithy.api#documentation": "<p>In the password policy that you have set, refers to whether you have required users to\n            use at least one uppercase letter in their password.</p>"
+            "smithy.api#documentation": "<p>The requirement in a password policy that users must include at least one uppercase\n            letter in their password.</p>"
           }
         },
         "RequireLowercase": {
           "target": "com.amazonaws.cognitoidentityprovider#BooleanType",
           "traits": {
             "smithy.api#default": false,
-            "smithy.api#documentation": "<p>In the password policy that you have set, refers to whether you have required users to\n            use at least one lowercase letter in their password.</p>"
+            "smithy.api#documentation": "<p>The requirement in a password policy that users must include at least one lowercase\n            letter in their password.</p>"
           }
         },
         "RequireNumbers": {
           "target": "com.amazonaws.cognitoidentityprovider#BooleanType",
           "traits": {
             "smithy.api#default": false,
-            "smithy.api#documentation": "<p>In the password policy that you have set, refers to whether you have required users to\n            use at least one number in their password.</p>"
+            "smithy.api#documentation": "<p>The requirement in a password policy that users must include at least one number in\n            their password.</p>"
           }
         },
         "RequireSymbols": {
           "target": "com.amazonaws.cognitoidentityprovider#BooleanType",
           "traits": {
             "smithy.api#default": false,
-            "smithy.api#documentation": "<p>In the password policy that you have set, refers to whether you have required users to\n            use at least one symbol in their password.</p>"
+            "smithy.api#documentation": "<p>The requirement in a password policy that users must include at least one symbol in\n            their password.</p>"
           }
         },
         "PasswordHistorySize": {
@@ -11505,7 +12624,7 @@
         }
       },
       "traits": {
-        "smithy.api#documentation": "<p>The password policy type.</p>"
+        "smithy.api#documentation": "<p>The password policy settings for a user pool, including complexity, history, and\n            length requirements.</p>\n         <p>This data type is a request and response parameter of <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html\">CreateUserPool</a> and <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html\">UpdateUserPool</a>, and a response parameter of <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html\">DescribeUserPool</a>.</p>"
       }
     },
     "com.amazonaws.cognitoidentityprovider#PasswordResetRequiredException": {
@@ -11589,7 +12708,7 @@
         }
       },
       "traits": {
-        "smithy.api#documentation": "<p>The properties of a pre token generation Lambda trigger.</p>"
+        "smithy.api#documentation": "<p>The properties of a pre token generation Lambda trigger.</p>\n         <p>This data type is a request and response parameter of <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html\">CreateUserPool</a> and <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html\">UpdateUserPool</a>, and a response parameter of <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html\">DescribeUserPool</a>.</p>"
       }
     },
     "com.amazonaws.cognitoidentityprovider#PrecedenceType": {
@@ -11648,19 +12767,19 @@
         "ProviderName": {
           "target": "com.amazonaws.cognitoidentityprovider#ProviderNameType",
           "traits": {
-            "smithy.api#documentation": "<p>The IdP name.</p>"
+            "smithy.api#documentation": "<p>The name of the IdP, for example <code>MySAMLProvider</code>.</p>"
           }
         },
         "ProviderType": {
           "target": "com.amazonaws.cognitoidentityprovider#IdentityProviderTypeType",
           "traits": {
-            "smithy.api#documentation": "<p>The IdP type.</p>"
+            "smithy.api#documentation": "<p>The type of the provider, for example <code>SAML</code>. Amazon Cognito supports SAML 2.0,\n            OIDC, and social IdPs. User pools list supported social IdPs by name in this response\n            parameter: Facebook, Google, Login with Amazon, and Sign in with Apple.</p>"
           }
         },
         "LastModifiedDate": {
           "target": "com.amazonaws.cognitoidentityprovider#DateType",
           "traits": {
-            "smithy.api#documentation": "<p>The date the provider was last modified.</p>"
+            "smithy.api#documentation": "<p>The date and time when the item was modified. Amazon Cognito returns this timestamp in UNIX epoch time format. Your SDK might render the output in a \nhuman-readable format like ISO 8601 or a Java <code>Date</code> object.</p>"
           }
         },
         "CreationDate": {
@@ -11671,7 +12790,7 @@
         }
       },
       "traits": {
-        "smithy.api#documentation": "<p>A container for IdP details.</p>"
+        "smithy.api#documentation": "<p>The details of a user pool identity provider (IdP), including name and type.</p>\n         <p>This data type is a response parameter of <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_ListIdentityProviders.html\">ListIdentityProviders</a>.</p>"
       }
     },
     "com.amazonaws.cognitoidentityprovider#ProviderDetailsType": {
@@ -11726,7 +12845,7 @@
         }
       },
       "traits": {
-        "smithy.api#documentation": "<p>A container for information about an IdP for a user pool.</p>"
+        "smithy.api#documentation": "<p>The characteristics of a source or destination user for linking a federated user\n            profile to a local user profile.</p>\n         <p>This data type is a request parameter of <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminLinkProviderForUser.html\">AdminLinkProviderForUser</a> and <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminDisableProviderForUser.html\">AdminDisableProviderForUser</a>.</p>"
       }
     },
     "com.amazonaws.cognitoidentityprovider#ProvidersListType": {
@@ -11800,20 +12919,20 @@
         "Priority": {
           "target": "com.amazonaws.cognitoidentityprovider#PriorityType",
           "traits": {
-            "smithy.api#documentation": "<p>A positive integer specifying priority of a method with 1 being the highest\n            priority.</p>",
+            "smithy.api#documentation": "<p>Your priority preference for using the specified attribute in account recovery. The\n            highest priority is <code>1</code>.</p>",
             "smithy.api#required": {}
           }
         },
         "Name": {
           "target": "com.amazonaws.cognitoidentityprovider#RecoveryOptionNameType",
           "traits": {
-            "smithy.api#documentation": "<p>The recovery method for a user.</p>",
+            "smithy.api#documentation": "<p>The recovery method that this object sets a recovery option for.</p>",
             "smithy.api#required": {}
           }
         }
       },
       "traits": {
-        "smithy.api#documentation": "<p>A map containing a priority as a key, and recovery method name as a value.</p>"
+        "smithy.api#documentation": "<p>A recovery option for a user. The <code>AccountRecoverySettingType</code> data type is\n            an array of this object. Each <code>RecoveryOptionType</code> has a priority property\n            that determines whether it is a primary or secondary option.</p>\n         <p>For example, if <code>verified_email</code> has a priority of <code>1</code> and\n                <code>verified_phone_number</code> has a priority of <code>2</code>, your user pool\n            sends account-recovery messages to a verified email address but falls back to an SMS\n            message if the user has a verified phone number. The <code>admin_only</code> option\n            prevents self-service account recovery.</p>\n         <p>This data type is a request and response parameter of <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html\">CreateUserPool</a> and <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html\">UpdateUserPool</a>, and a response parameter of <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html\">DescribeUserPool</a>.</p>"
       }
     },
     "com.amazonaws.cognitoidentityprovider#RedirectUrlType": {
@@ -11845,6 +12964,15 @@
         }
       }
     },
+    "com.amazonaws.cognitoidentityprovider#RelyingPartyIdType": {
+      "type": "string",
+      "traits": {
+        "smithy.api#length": {
+          "min": 1,
+          "max": 127
+        }
+      }
+    },
     "com.amazonaws.cognitoidentityprovider#ResendConfirmationCode": {
       "type": "operation",
       "input": {
@@ -11902,7 +13030,7 @@
       ],
       "traits": {
         "smithy.api#auth": [],
-        "smithy.api#documentation": "<p>Resends the confirmation (for confirmation of registration) to a specific user in the\n            user pool.</p>\n         <note>\n            <p>Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For\n    this operation, you can't use IAM credentials to authorize requests, and you can't\n    grant IAM permissions in policies. For more information about authorization models in\n    Amazon Cognito, see <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html\">Using the Amazon Cognito user pools API and user pool endpoints</a>.</p>\n         </note>\n         <note>\n            <p>This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers\n            require you to register an origination phone number before you can send SMS messages\n            to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a\n            phone number with <a href=\"https://console.aws.amazon.com/pinpoint/home/\">Amazon Pinpoint</a>.\n            Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must\n            receive SMS messages might not be able to sign up, activate their accounts, or sign\n            in.</p>\n            <p>If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Servicesservice,\n            Amazon Simple Notification Service might place your account in the SMS sandbox. In <i>\n                  <a href=\"https://docs.aws.amazon.com/sns/latest/dg/sns-sms-sandbox.html\">sandbox\n                    mode</a>\n               </i>, you can send messages only to verified phone\n            numbers. After you test your app while in the sandbox environment, you can move out\n            of the sandbox and into production. For more information, see <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-sms-settings.html\"> SMS message settings for Amazon Cognito user pools</a> in the <i>Amazon Cognito\n                Developer Guide</i>.</p>\n         </note>",
+        "smithy.api#documentation": "<p>Resends the confirmation (for confirmation of registration) to a specific user in the\n            user pool.</p>\n         <note>\n            <p>Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For\n    this operation, you can't use IAM credentials to authorize requests, and you can't\n    grant IAM permissions in policies. For more information about authorization models in\n    Amazon Cognito, see <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html\">Using the Amazon Cognito user pools API and user pool endpoints</a>.</p>\n         </note>\n         <note>\n            <p>This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers\n            require you to register an origination phone number before you can send SMS messages\n            to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a\n            phone number with <a href=\"https://console.aws.amazon.com/pinpoint/home/\">Amazon Pinpoint</a>.\n            Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must\n            receive SMS messages might not be able to sign up, activate their accounts, or sign\n            in.</p>\n            <p>If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Services service,\n            Amazon Simple Notification Service might place your account in the SMS sandbox. In <i>\n                  <a href=\"https://docs.aws.amazon.com/sns/latest/dg/sns-sms-sandbox.html\">sandbox\n                    mode</a>\n               </i>, you can send messages only to verified phone\n            numbers. After you test your app while in the sandbox environment, you can move out\n            of the sandbox and into production. For more information, see <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-sms-settings.html\"> SMS message settings for Amazon Cognito user pools</a> in the <i>Amazon Cognito\n                Developer Guide</i>.</p>\n         </note>",
         "smithy.api#optionalAuth": {}
       }
     },
@@ -11968,6 +13096,16 @@
         "smithy.api#output": {}
       }
     },
+    "com.amazonaws.cognitoidentityprovider#ResourceIdType": {
+      "type": "string",
+      "traits": {
+        "smithy.api#length": {
+          "min": 1,
+          "max": 40
+        },
+        "smithy.api#pattern": "^[\\w\\- ]+$"
+      }
+    },
     "com.amazonaws.cognitoidentityprovider#ResourceNotFoundException": {
       "type": "structure",
       "members": {
@@ -12041,20 +13179,20 @@
         "ScopeName": {
           "target": "com.amazonaws.cognitoidentityprovider#ResourceServerScopeNameType",
           "traits": {
-            "smithy.api#documentation": "<p>The name of the scope.</p>",
+            "smithy.api#documentation": "<p>The name of the scope. Amazon Cognito renders custom scopes in the format\n                <code>resourceServerIdentifier/ScopeName</code>. For example, if this parameter is\n                <code>exampleScope</code> in the resource server with the identifier\n                <code>exampleResourceServer</code>, you request and receive the scope\n                <code>exampleResourceServer/exampleScope</code>.</p>",
             "smithy.api#required": {}
           }
         },
         "ScopeDescription": {
           "target": "com.amazonaws.cognitoidentityprovider#ResourceServerScopeDescriptionType",
           "traits": {
-            "smithy.api#documentation": "<p>A description of the scope.</p>",
+            "smithy.api#documentation": "<p>A friendly description of a custom scope.</p>",
             "smithy.api#required": {}
           }
         }
       },
       "traits": {
-        "smithy.api#documentation": "<p>A resource server scope.</p>"
+        "smithy.api#documentation": "<p>One custom scope associated with a user pool resource server. This data type is a\n            member of <code>ResourceServerScopeType</code>. For more information, see <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-define-resource-servers.html\">\n                Scopes, M2M, and API authorization with resource servers</a>. </p>\n         <p>This data type is a request parameter of <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateResourceServer.html\">CreateResourceServer</a> and a response parameter of <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeResourceServer.html\">DescribeResourceServer</a>. </p>"
       }
     },
     "com.amazonaws.cognitoidentityprovider#ResourceServerType": {
@@ -12063,7 +13201,7 @@
         "UserPoolId": {
           "target": "com.amazonaws.cognitoidentityprovider#UserPoolIdType",
           "traits": {
-            "smithy.api#documentation": "<p>The user pool ID for the user pool that hosts the resource server.</p>"
+            "smithy.api#documentation": "<p>The ID of the user pool that contains the resource server configuration.</p>"
           }
         },
         "Identifier": {
@@ -12086,7 +13224,7 @@
         }
       },
       "traits": {
-        "smithy.api#documentation": "<p>A container for information about a resource server for a user pool.</p>"
+        "smithy.api#documentation": "<p>The details of a resource server configuration and associated custom scopes in a user\n            pool.</p>\n         <p>This data type is a request parameter of <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateResourceServer.html\">CreateResourceServer</a> and a response parameter of <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeResourceServer.html\">DescribeResourceServer</a>. </p>"
       }
     },
     "com.amazonaws.cognitoidentityprovider#ResourceServersListType": {
@@ -12176,7 +13314,7 @@
       ],
       "traits": {
         "smithy.api#auth": [],
-        "smithy.api#documentation": "<p>Some API operations in a user pool generate a challenge, like a prompt for an MFA\n            code, for device authentication that bypasses MFA, or for a custom authentication\n            challenge. A <code>RespondToAuthChallenge</code> API request provides the answer to that\n            challenge, like a code or a secure remote password (SRP). The parameters of a response\n            to an authentication challenge vary with the type of challenge.</p>\n         <p>For more information about custom authentication challenges, see <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-challenge.html\">Custom\n                authentication challenge Lambda triggers</a>.</p>\n         <note>\n            <p>Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For\n    this operation, you can't use IAM credentials to authorize requests, and you can't\n    grant IAM permissions in policies. For more information about authorization models in\n    Amazon Cognito, see <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html\">Using the Amazon Cognito user pools API and user pool endpoints</a>.</p>\n         </note>\n         <note>\n            <p>This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers\n            require you to register an origination phone number before you can send SMS messages\n            to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a\n            phone number with <a href=\"https://console.aws.amazon.com/pinpoint/home/\">Amazon Pinpoint</a>.\n            Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must\n            receive SMS messages might not be able to sign up, activate their accounts, or sign\n            in.</p>\n            <p>If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Servicesservice,\n            Amazon Simple Notification Service might place your account in the SMS sandbox. In <i>\n                  <a href=\"https://docs.aws.amazon.com/sns/latest/dg/sns-sms-sandbox.html\">sandbox\n                    mode</a>\n               </i>, you can send messages only to verified phone\n            numbers. After you test your app while in the sandbox environment, you can move out\n            of the sandbox and into production. For more information, see <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-sms-settings.html\"> SMS message settings for Amazon Cognito user pools</a> in the <i>Amazon Cognito\n                Developer Guide</i>.</p>\n         </note>",
+        "smithy.api#documentation": "<p>Some API operations in a user pool generate a challenge, like a prompt for an MFA\n            code, for device authentication that bypasses MFA, or for a custom authentication\n            challenge. A <code>RespondToAuthChallenge</code> API request provides the answer to that\n            challenge, like a code or a secure remote password (SRP). The parameters of a response\n            to an authentication challenge vary with the type of challenge.</p>\n         <p>For more information about custom authentication challenges, see <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-challenge.html\">Custom\n                authentication challenge Lambda triggers</a>.</p>\n         <note>\n            <p>Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For\n    this operation, you can't use IAM credentials to authorize requests, and you can't\n    grant IAM permissions in policies. For more information about authorization models in\n    Amazon Cognito, see <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html\">Using the Amazon Cognito user pools API and user pool endpoints</a>.</p>\n         </note>\n         <note>\n            <p>This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers\n            require you to register an origination phone number before you can send SMS messages\n            to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a\n            phone number with <a href=\"https://console.aws.amazon.com/pinpoint/home/\">Amazon Pinpoint</a>.\n            Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must\n            receive SMS messages might not be able to sign up, activate their accounts, or sign\n            in.</p>\n            <p>If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Services service,\n            Amazon Simple Notification Service might place your account in the SMS sandbox. In <i>\n                  <a href=\"https://docs.aws.amazon.com/sns/latest/dg/sns-sms-sandbox.html\">sandbox\n                    mode</a>\n               </i>, you can send messages only to verified phone\n            numbers. After you test your app while in the sandbox environment, you can move out\n            of the sandbox and into production. For more information, see <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-sms-settings.html\"> SMS message settings for Amazon Cognito user pools</a> in the <i>Amazon Cognito\n                Developer Guide</i>.</p>\n         </note>",
         "smithy.api#optionalAuth": {}
       }
     },
@@ -12206,7 +13344,7 @@
         "ChallengeResponses": {
           "target": "com.amazonaws.cognitoidentityprovider#ChallengeResponsesType",
           "traits": {
-            "smithy.api#documentation": "<p>The responses to the challenge that you received in the previous request. Each\n    challenge has its own required response parameters. The following examples are partial\n    JSON request bodies that highlight challenge-response parameters.</p>\n         <important>\n            <p>You must provide a SECRET_HASH parameter in all challenge responses to an app\n        client that has a client secret.</p>\n         </important>\n         <dl>\n            <dt>SMS_MFA</dt>\n            <dd>\n               <p>\n                  <code>\"ChallengeName\": \"SMS_MFA\", \"ChallengeResponses\": {\"SMS_MFA_CODE\":\n                    \"[code]\", \"USERNAME\": \"[username]\"}</code>\n               </p>\n            </dd>\n            <dt>EMAIL_OTP</dt>\n            <dd>\n               <p>\n                  <code>\"ChallengeName\": \"EMAIL_OTP\", \"ChallengeResponses\": {\"EMAIL_OTP_CODE\":\n                    \"[code]\", \"USERNAME\": \"[username]\"}</code>\n               </p>\n            </dd>\n            <dt>PASSWORD_VERIFIER</dt>\n            <dd>\n               <p>This challenge response is part of the SRP flow. Amazon Cognito requires \n            that your application respond to this challenge within a few seconds. When\n            the response time exceeds this period, your user pool returns a\n            <code>NotAuthorizedException</code> error.</p>\n               <p>\n                  <code>\"ChallengeName\": \"PASSWORD_VERIFIER\", \"ChallengeResponses\":\n                    {\"PASSWORD_CLAIM_SIGNATURE\": \"[claim_signature]\",\n                    \"PASSWORD_CLAIM_SECRET_BLOCK\": \"[secret_block]\", \"TIMESTAMP\":\n                    [timestamp], \"USERNAME\": \"[username]\"}</code>\n               </p>\n               <p>Add <code>\"DEVICE_KEY\"</code> when you sign in with a remembered\n                device.</p>\n            </dd>\n            <dt>CUSTOM_CHALLENGE</dt>\n            <dd>\n               <p>\n                  <code>\"ChallengeName\": \"CUSTOM_CHALLENGE\", \"ChallengeResponses\":\n                    {\"USERNAME\": \"[username]\", \"ANSWER\": \"[challenge_answer]\"}</code>\n               </p>\n               <p>Add <code>\"DEVICE_KEY\"</code> when you sign in with a remembered\n                device.</p>\n            </dd>\n            <dt>NEW_PASSWORD_REQUIRED</dt>\n            <dd>\n               <p>\n                  <code>\"ChallengeName\": \"NEW_PASSWORD_REQUIRED\", \"ChallengeResponses\":\n                    {\"NEW_PASSWORD\": \"[new_password]\", \"USERNAME\":\n                \"[username]\"}</code>\n               </p>\n               <p>To set any required attributes that <code>InitiateAuth</code> returned in\n                an <code>requiredAttributes</code> parameter, add\n                    <code>\"userAttributes.[attribute_name]\": \"[attribute_value]\"</code>.\n                This parameter can also set values for writable attributes that aren't\n                required by your user pool.</p>\n               <note>\n                  <p>In a <code>NEW_PASSWORD_REQUIRED</code> challenge response, you can't modify a required attribute that already has a value. \nIn <code>RespondToAuthChallenge</code>, set a value for any keys that Amazon Cognito returned in the <code>requiredAttributes</code> parameter, \nthen use the <code>UpdateUserAttributes</code> API operation to modify the value of any additional attributes.</p>\n               </note>\n            </dd>\n            <dt>SOFTWARE_TOKEN_MFA</dt>\n            <dd>\n               <p>\n                  <code>\"ChallengeName\": \"SOFTWARE_TOKEN_MFA\", \"ChallengeResponses\":\n                    {\"USERNAME\": \"[username]\", \"SOFTWARE_TOKEN_MFA_CODE\":\n                    [authenticator_code]}</code>\n               </p>\n            </dd>\n            <dt>DEVICE_SRP_AUTH</dt>\n            <dd>\n               <p>\n                  <code>\"ChallengeName\": \"DEVICE_SRP_AUTH\", \"ChallengeResponses\": {\"USERNAME\":\n                \"[username]\", \"DEVICE_KEY\": \"[device_key]\", \"SRP_A\":\n                \"[srp_a]\"}</code>\n               </p>\n            </dd>\n            <dt>DEVICE_PASSWORD_VERIFIER</dt>\n            <dd>\n               <p>\n                  <code>\"ChallengeName\": \"DEVICE_PASSWORD_VERIFIER\", \"ChallengeResponses\":\n                {\"DEVICE_KEY\": \"[device_key]\", \"PASSWORD_CLAIM_SIGNATURE\":\n                \"[claim_signature]\", \"PASSWORD_CLAIM_SECRET_BLOCK\": \"[secret_block]\",\n                \"TIMESTAMP\": [timestamp], \"USERNAME\": \"[username]\"}</code>\n               </p>\n            </dd>\n            <dt>MFA_SETUP</dt>\n            <dd>\n               <p>\n                  <code>\"ChallengeName\": \"MFA_SETUP\", \"ChallengeResponses\": {\"USERNAME\":\n                \"[username]\"}, \"SESSION\": \"[Session ID from\n                VerifySoftwareToken]\"</code>\n               </p>\n            </dd>\n            <dt>SELECT_MFA_TYPE</dt>\n            <dd>\n               <p>\n                  <code>\"ChallengeName\": \"SELECT_MFA_TYPE\", \"ChallengeResponses\": {\"USERNAME\":\n                \"[username]\", \"ANSWER\": \"[SMS_MFA or SOFTWARE_TOKEN_MFA]\"}</code>\n               </p>\n            </dd>\n         </dl>\n         <p>For more information about <code>SECRET_HASH</code>, see <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/signing-up-users-in-your-app.html#cognito-user-pools-computing-secret-hash\">Computing secret hash values</a>. For information about\n    <code>DEVICE_KEY</code>, see <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-device-tracking.html\">Working with user devices in your user pool</a>.</p>"
+            "smithy.api#documentation": "<p>The responses to the challenge that you received in the previous request. Each\n    challenge has its own required response parameters. The following examples are partial\n    JSON request bodies that highlight challenge-response parameters.</p>\n         <important>\n            <p>You must provide a SECRET_HASH parameter in all challenge responses to an app\n        client that has a client secret. Include a <code>DEVICE_KEY</code> for device\n        authentication.</p>\n         </important>\n         <dl>\n            <dt>SELECT_CHALLENGE</dt>\n            <dd>\n               <p>\n                  <code>\"ChallengeName\": \"SELECT_CHALLENGE\", \"ChallengeResponses\": {\n            \"USERNAME\": \"[username]\",\n            \"ANSWER\": \"[Challenge name]\"}</code>\n               </p>\n               <p>Available challenges are <code>PASSWORD</code>, <code>PASSWORD_SRP</code>, \n            <code>EMAIL_OTP</code>, <code>SMS_OTP</code>, and <code>WEB_AUTHN</code>.</p>\n               <p>Complete authentication in the <code>SELECT_CHALLENGE</code> response for\n            <code>PASSWORD</code>, <code>PASSWORD_SRP</code>, and <code>WEB_AUTHN</code>:</p>\n               <ul>\n                  <li>\n                     <p>\n                        <code>\"ChallengeName\": \"SELECT_CHALLENGE\", \"ChallengeResponses\": {\n                  \"ANSWER\": \"WEB_AUTHN\",\n                  \"USERNAME\": \"[username]\",\n                  \"CREDENTIAL\": \"[AuthenticationResponseJSON]\"}</code>\n                     </p>\n                     <p>See <a href=\"https://www.w3.org/TR/webauthn-3/#dictdef-authenticationresponsejson\">\n                  AuthenticationResponseJSON</a>.</p>\n                  </li>\n                  <li>\n                     <p>\n                        <code>\"ChallengeName\": \"SELECT_CHALLENGE\", \"ChallengeResponses\": {\n                  \"ANSWER\": \"PASSWORD\",\n                  \"USERNAME\": \"[username]\",\n                  \"PASSWORD\": \"[password]\"}</code>\n                     </p>\n                  </li>\n                  <li>\n                     <p>\n                        <code>\"ChallengeName\": \"SELECT_CHALLENGE\", \"ChallengeResponses\": {\n                  \"ANSWER\": \"PASSWORD_SRP\",\n                  \"USERNAME\": \"[username]\",\n                  \"SRP_A\": \"[SRP_A]\"}</code>\n                     </p>\n                  </li>\n               </ul>\n               <p>For <code>SMS_OTP</code> and <code>EMAIL_OTP</code>, respond with the\n            username and answer. Your user pool will send a code for the user to submit in\n            the next challenge response.</p>\n               <ul>\n                  <li>\n                     <p>\n                        <code>\"ChallengeName\": \"SELECT_CHALLENGE\", \"ChallengeResponses\": {\n                  \"ANSWER\": \"SMS_OTP\",\n                  \"USERNAME\": \"[username]\"}</code>\n                     </p>\n                  </li>\n                  <li>\n                     <p>\n                        <code>\"ChallengeName\": \"SELECT_CHALLENGE\", \"ChallengeResponses\": {\n                  \"ANSWER\": \"EMAIL_OTP\",\n                  \"USERNAME\": \"[username]\"}</code>\n                     </p>\n                  </li>\n               </ul>\n            </dd>\n            <dt>SMS_OTP</dt>\n            <dd>\n               <p>\n                  <code>\"ChallengeName\": \"SMS_OTP\", \"ChallengeResponses\": \n            {\"SMS_OTP_CODE\": \"[code]\", \"USERNAME\": \"[username]\"}</code>\n               </p>\n            </dd>\n            <dt>EMAIL_OTP</dt>\n            <dd>\n               <p>\n                  <code>\"ChallengeName\": \"EMAIL_OTP\", \"ChallengeResponses\": {\"EMAIL_OTP_CODE\":\n                    \"[code]\", \"USERNAME\": \"[username]\"}</code>\n               </p>\n            </dd>\n            <dt>SMS_MFA</dt>\n            <dd>\n               <p>\n                  <code>\"ChallengeName\": \"SMS_MFA\", \"ChallengeResponses\": {\"SMS_MFA_CODE\":\n                    \"[code]\", \"USERNAME\": \"[username]\"}</code>\n               </p>\n            </dd>\n            <dt>PASSWORD_VERIFIER</dt>\n            <dd>\n               <p>This challenge response is part of the SRP flow. Amazon Cognito requires \n            that your application respond to this challenge within a few seconds. When\n            the response time exceeds this period, your user pool returns a\n            <code>NotAuthorizedException</code> error.</p>\n               <p>\n                  <code>\"ChallengeName\": \"PASSWORD_VERIFIER\", \"ChallengeResponses\":\n                    {\"PASSWORD_CLAIM_SIGNATURE\": \"[claim_signature]\",\n                    \"PASSWORD_CLAIM_SECRET_BLOCK\": \"[secret_block]\", \"TIMESTAMP\":\n                    [timestamp], \"USERNAME\": \"[username]\"}</code>\n               </p>\n               <p>Add <code>\"DEVICE_KEY\"</code> when you sign in with a remembered\n                device.</p>\n            </dd>\n            <dt>CUSTOM_CHALLENGE</dt>\n            <dd>\n               <p>\n                  <code>\"ChallengeName\": \"CUSTOM_CHALLENGE\", \"ChallengeResponses\":\n                    {\"USERNAME\": \"[username]\", \"ANSWER\": \"[challenge_answer]\"}</code>\n               </p>\n               <p>Add <code>\"DEVICE_KEY\"</code> when you sign in with a remembered\n                device.</p>\n            </dd>\n            <dt>NEW_PASSWORD_REQUIRED</dt>\n            <dd>\n               <p>\n                  <code>\"ChallengeName\": \"NEW_PASSWORD_REQUIRED\", \"ChallengeResponses\":\n                    {\"NEW_PASSWORD\": \"[new_password]\", \"USERNAME\":\n                \"[username]\"}</code>\n               </p>\n               <p>To set any required attributes that <code>InitiateAuth</code> returned in\n                an <code>requiredAttributes</code> parameter, add\n                    <code>\"userAttributes.[attribute_name]\": \"[attribute_value]\"</code>.\n                This parameter can also set values for writable attributes that aren't\n                required by your user pool.</p>\n               <note>\n                  <p>In a <code>NEW_PASSWORD_REQUIRED</code> challenge response, you can't modify a required attribute that already has a value. \nIn <code>RespondToAuthChallenge</code>, set a value for any keys that Amazon Cognito returned in the <code>requiredAttributes</code> parameter, \nthen use the <code>UpdateUserAttributes</code> API operation to modify the value of any additional attributes.</p>\n               </note>\n            </dd>\n            <dt>SOFTWARE_TOKEN_MFA</dt>\n            <dd>\n               <p>\n                  <code>\"ChallengeName\": \"SOFTWARE_TOKEN_MFA\", \"ChallengeResponses\":\n                    {\"USERNAME\": \"[username]\", \"SOFTWARE_TOKEN_MFA_CODE\":\n                    [authenticator_code]}</code>\n               </p>\n            </dd>\n            <dt>DEVICE_SRP_AUTH</dt>\n            <dd>\n               <p>\n                  <code>\"ChallengeName\": \"DEVICE_SRP_AUTH\", \"ChallengeResponses\": {\"USERNAME\":\n                \"[username]\", \"DEVICE_KEY\": \"[device_key]\", \"SRP_A\":\n                \"[srp_a]\"}</code>\n               </p>\n            </dd>\n            <dt>DEVICE_PASSWORD_VERIFIER</dt>\n            <dd>\n               <p>\n                  <code>\"ChallengeName\": \"DEVICE_PASSWORD_VERIFIER\", \"ChallengeResponses\":\n                {\"DEVICE_KEY\": \"[device_key]\", \"PASSWORD_CLAIM_SIGNATURE\":\n                \"[claim_signature]\", \"PASSWORD_CLAIM_SECRET_BLOCK\": \"[secret_block]\",\n                \"TIMESTAMP\": [timestamp], \"USERNAME\": \"[username]\"}</code>\n               </p>\n            </dd>\n            <dt>MFA_SETUP</dt>\n            <dd>\n               <p>\n                  <code>\"ChallengeName\": \"MFA_SETUP\", \"ChallengeResponses\": {\"USERNAME\":\n                \"[username]\"}, \"SESSION\": \"[Session ID from\n                VerifySoftwareToken]\"</code>\n               </p>\n            </dd>\n            <dt>SELECT_MFA_TYPE</dt>\n            <dd>\n               <p>\n                  <code>\"ChallengeName\": \"SELECT_MFA_TYPE\", \"ChallengeResponses\": {\"USERNAME\":\n                \"[username]\", \"ANSWER\": \"[SMS_MFA or SOFTWARE_TOKEN_MFA]\"}</code>\n               </p>\n            </dd>\n         </dl>\n         <p>For more information about <code>SECRET_HASH</code>, see <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/signing-up-users-in-your-app.html#cognito-user-pools-computing-secret-hash\">Computing secret hash values</a>. For information about\n    <code>DEVICE_KEY</code>, see <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-device-tracking.html\">Working with user devices in your user pool</a>.</p>"
           }
         },
         "AnalyticsMetadata": {
@@ -12344,31 +13482,31 @@
         "UserPoolId": {
           "target": "com.amazonaws.cognitoidentityprovider#UserPoolIdType",
           "traits": {
-            "smithy.api#documentation": "<p>The user pool ID.</p>"
+            "smithy.api#documentation": "<p>The ID of the user pool that has the risk configuration applied.</p>"
           }
         },
         "ClientId": {
           "target": "com.amazonaws.cognitoidentityprovider#ClientIdType",
           "traits": {
-            "smithy.api#documentation": "<p>The app client ID.</p>"
+            "smithy.api#documentation": "<p>The app client where this configuration is applied. When this parameter isn't present,\n            the risk configuration applies to all user pool app clients that don't have\n            client-level settings.</p>"
           }
         },
         "CompromisedCredentialsRiskConfiguration": {
           "target": "com.amazonaws.cognitoidentityprovider#CompromisedCredentialsRiskConfigurationType",
           "traits": {
-            "smithy.api#documentation": "<p>The compromised credentials risk configuration object, including the\n                <code>EventFilter</code> and the <code>EventAction</code>.</p>"
+            "smithy.api#documentation": "<p>Settings for compromised-credentials actions and authentication types with advanced\n            security features in full-function <code>ENFORCED</code> mode.</p>"
           }
         },
         "AccountTakeoverRiskConfiguration": {
           "target": "com.amazonaws.cognitoidentityprovider#AccountTakeoverRiskConfigurationType",
           "traits": {
-            "smithy.api#documentation": "<p>The account takeover risk configuration object, including the\n                <code>NotifyConfiguration</code> object and <code>Actions</code> to take if there is\n            an account takeover.</p>"
+            "smithy.api#documentation": "<p>The settings for automated responses and notification templates for adaptive\n            authentication with advanced security features.</p>"
           }
         },
         "RiskExceptionConfiguration": {
           "target": "com.amazonaws.cognitoidentityprovider#RiskExceptionConfigurationType",
           "traits": {
-            "smithy.api#documentation": "<p>The configuration to override the risk decision.</p>"
+            "smithy.api#documentation": "<p>Exceptions to the risk evaluation configuration, including always-allow and\n            always-block IP address ranges. </p>"
           }
         },
         "LastModifiedDate": {
@@ -12379,7 +13517,7 @@
         }
       },
       "traits": {
-        "smithy.api#documentation": "<p>The risk configuration type.</p>"
+        "smithy.api#documentation": "<p>The settings of risk configuration for threat protection with advanced security\n            features in a user pool.</p>\n         <p>This data type is a response parameter of <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeRiskConfiguration.html\">DescribeRiskConfiguration</a> and <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SetRiskConfiguration.html\">SetRiskConfiguration</a>.</p>"
       }
     },
     "com.amazonaws.cognitoidentityprovider#RiskDecisionType": {
@@ -12411,18 +13549,18 @@
         "BlockedIPRangeList": {
           "target": "com.amazonaws.cognitoidentityprovider#BlockedIPRangeListType",
           "traits": {
-            "smithy.api#documentation": "<p>Overrides the risk decision to always block the pre-authentication requests. The IP\n            range is in CIDR notation, a compact representation of an IP address and its routing\n            prefix.</p>"
+            "smithy.api#documentation": "<p>An always-block IP address list. Overrides the risk decision and always blocks\n            authentication requests. This parameter is displayed and set in CIDR notation.</p>"
           }
         },
         "SkippedIPRangeList": {
           "target": "com.amazonaws.cognitoidentityprovider#SkippedIPRangeListType",
           "traits": {
-            "smithy.api#documentation": "<p>Risk detection isn't performed on the IP addresses in this range list. The IP range is\n            in CIDR notation.</p>"
+            "smithy.api#documentation": "<p>An always-allow IP address list. Risk detection isn't performed on the IP addresses in\n            this range list. This parameter is displayed and set in CIDR notation.</p>"
           }
         }
       },
       "traits": {
-        "smithy.api#documentation": "<p>The type of the configuration to override the risk decision.</p>"
+        "smithy.api#documentation": "<p>Exceptions to the risk evaluation configuration, including always-allow and\n            always-block IP address ranges. </p>\n         <p>This data type is a request parameter of <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SetRiskConfiguration.html\">SetRiskConfiguration</a> and a response parameter of <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeRiskConfiguration.html\">DescribeRiskConfiguration</a>.</p>"
       }
     },
     "com.amazonaws.cognitoidentityprovider#RiskLevelType": {
@@ -12506,12 +13644,12 @@
           "target": "com.amazonaws.cognitoidentityprovider#BooleanType",
           "traits": {
             "smithy.api#default": false,
-            "smithy.api#documentation": "<p>Specifies whether SMS is the preferred MFA method.</p>"
+            "smithy.api#documentation": "<p>Specifies whether SMS is the preferred MFA method. If true, your user pool prompts the\n            specified user for a code delivered by SMS message after username-password sign-in\n            succeeds. </p>"
           }
         }
       },
       "traits": {
-        "smithy.api#documentation": "<p>The type used for enabling SMS multi-factor authentication (MFA) at the user level.\n            Phone numbers don't need to be verified to be used for SMS MFA. If an MFA type is\n            activated for a user, the user will be prompted for MFA during all sign-in attempts,\n            unless device tracking is turned on and the device has been trusted. If you would like\n            MFA to be applied selectively based on the assessed risk level of sign-in attempts,\n            deactivate MFA for users and turn on Adaptive Authentication for the user pool.</p>"
+        "smithy.api#documentation": "<p>A user's preference for using SMS message multi-factor authentication (MFA). Turns SMS\n            MFA on and off, and can set SMS as preferred when other MFA options are available. You\n            can't turn off SMS MFA for any of your users when MFA is required in your user pool; you\n            can only set the type that your user prefers. </p>\n         <p>This data type is a request parameter of <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SetUserMFAPreference.html\">SetUserMFAPreference</a> and <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminSetUserMFAPreference.html\">AdminSetUserMFAPreference</a>. </p>"
       }
     },
     "com.amazonaws.cognitoidentityprovider#SchemaAttributeType": {
@@ -12564,7 +13702,7 @@
         }
       },
       "traits": {
-        "smithy.api#documentation": "<p>A list of the user attributes and their properties in your user pool. The attribute\n            schema contains standard attributes, custom attributes with a <code>custom:</code>\n            prefix, and developer attributes with a <code>dev:</code> prefix. For more information,\n            see <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html\">User pool\n                attributes</a>.</p>\n         <p>Developer-only attributes are a legacy feature of user pools, are read-only to all app\n            clients. You can create and update developer-only attributes only with IAM-authenticated\n            API operations. Use app client read/write permissions instead.</p>"
+        "smithy.api#documentation": "<p>A list of the user attributes and their properties in your user pool. The attribute\n            schema contains standard attributes, custom attributes with a <code>custom:</code>\n            prefix, and developer attributes with a <code>dev:</code> prefix. For more information,\n            see <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html\">User pool\n                attributes</a>.</p>\n         <p>Developer-only <code>dev:</code> attributes are a legacy feature of user pools, and\n            are read-only to all app clients. You can create and update developer-only attributes\n            only with IAM-authenticated API operations. Use app client read/write permissions\n            instead.</p>\n         <p>This data type is a request and response parameter of <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html\">CreateUserPool</a> and <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html\">UpdateUserPool</a>, and a response parameter of <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html\">DescribeUserPool</a>.</p>"
       }
     },
     "com.amazonaws.cognitoidentityprovider#SchemaAttributesListType": {
@@ -12669,6 +13807,9 @@
         "target": "com.amazonaws.cognitoidentityprovider#SetLogDeliveryConfigurationResponse"
       },
       "errors": [
+        {
+          "target": "com.amazonaws.cognitoidentityprovider#FeatureUnavailableInTierException"
+        },
         {
           "target": "com.amazonaws.cognitoidentityprovider#InternalErrorException"
         },
@@ -12986,6 +14127,9 @@
         {
           "target": "com.amazonaws.cognitoidentityprovider#ConcurrentModificationException"
         },
+        {
+          "target": "com.amazonaws.cognitoidentityprovider#FeatureUnavailableInTierException"
+        },
         {
           "target": "com.amazonaws.cognitoidentityprovider#InternalErrorException"
         },
@@ -13009,7 +14153,7 @@
         }
       ],
       "traits": {
-        "smithy.api#documentation": "<p>Sets the user pool multi-factor authentication (MFA) configuration.</p>\n         <note>\n            <p>This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers\n            require you to register an origination phone number before you can send SMS messages\n            to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a\n            phone number with <a href=\"https://console.aws.amazon.com/pinpoint/home/\">Amazon Pinpoint</a>.\n            Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must\n            receive SMS messages might not be able to sign up, activate their accounts, or sign\n            in.</p>\n            <p>If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Servicesservice,\n            Amazon Simple Notification Service might place your account in the SMS sandbox. In <i>\n                  <a href=\"https://docs.aws.amazon.com/sns/latest/dg/sns-sms-sandbox.html\">sandbox\n                    mode</a>\n               </i>, you can send messages only to verified phone\n            numbers. After you test your app while in the sandbox environment, you can move out\n            of the sandbox and into production. For more information, see <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-sms-settings.html\"> SMS message settings for Amazon Cognito user pools</a> in the <i>Amazon Cognito\n                Developer Guide</i>.</p>\n         </note>"
+        "smithy.api#documentation": "<p>Sets the user pool multi-factor authentication (MFA) and passkey configuration.</p>\n         <note>\n            <p>This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers\n            require you to register an origination phone number before you can send SMS messages\n            to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a\n            phone number with <a href=\"https://console.aws.amazon.com/pinpoint/home/\">Amazon Pinpoint</a>.\n            Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must\n            receive SMS messages might not be able to sign up, activate their accounts, or sign\n            in.</p>\n            <p>If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Services service,\n            Amazon Simple Notification Service might place your account in the SMS sandbox. In <i>\n                  <a href=\"https://docs.aws.amazon.com/sns/latest/dg/sns-sms-sandbox.html\">sandbox\n                    mode</a>\n               </i>, you can send messages only to verified phone\n            numbers. After you test your app while in the sandbox environment, you can move out\n            of the sandbox and into production. For more information, see <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-sms-settings.html\"> SMS message settings for Amazon Cognito user pools</a> in the <i>Amazon Cognito\n                Developer Guide</i>.</p>\n         </note>"
       }
     },
     "com.amazonaws.cognitoidentityprovider#SetUserPoolMfaConfigRequest": {
@@ -13045,6 +14189,12 @@
           "traits": {
             "smithy.api#documentation": "<p>The MFA configuration. If you set the MfaConfiguration value to ‘ON’, only users who\n            have set up an MFA factor can sign in. To learn more, see <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-mfa.html\">Adding Multi-Factor\n                Authentication (MFA) to a user pool</a>. Valid values include:</p>\n         <ul>\n            <li>\n               <p>\n                  <code>OFF</code> MFA won't be used for any users.</p>\n            </li>\n            <li>\n               <p>\n                  <code>ON</code> MFA is required for all users to sign in.</p>\n            </li>\n            <li>\n               <p>\n                  <code>OPTIONAL</code> MFA will be required only for individual users who have\n                    an MFA factor activated.</p>\n            </li>\n         </ul>"
           }
+        },
+        "WebAuthnConfiguration": {
+          "target": "com.amazonaws.cognitoidentityprovider#WebAuthnConfigurationType",
+          "traits": {
+            "smithy.api#documentation": "<p>The configuration of your user pool for passkey, or webauthN, authentication and\n            registration. You can set this configuration independent of the MFA configuration\n            options in this operation.</p>"
+          }
         }
       },
       "traits": {
@@ -13077,6 +14227,12 @@
           "traits": {
             "smithy.api#documentation": "<p>The MFA configuration. Valid values include:</p>\n         <ul>\n            <li>\n               <p>\n                  <code>OFF</code> MFA won't be used for any users.</p>\n            </li>\n            <li>\n               <p>\n                  <code>ON</code> MFA is required for all users to sign in.</p>\n            </li>\n            <li>\n               <p>\n                  <code>OPTIONAL</code> MFA will be required only for individual users who have\n                    an MFA factor enabled.</p>\n            </li>\n         </ul>"
           }
+        },
+        "WebAuthnConfiguration": {
+          "target": "com.amazonaws.cognitoidentityprovider#WebAuthnConfigurationType",
+          "traits": {
+            "smithy.api#documentation": "<p>The configuration of your user pool for passkey, or webauthN, biometric and\n            security-key devices.</p>"
+          }
         }
       },
       "traits": {
@@ -13154,6 +14310,20 @@
         "smithy.api#output": {}
       }
     },
+    "com.amazonaws.cognitoidentityprovider#SignInPolicyType": {
+      "type": "structure",
+      "members": {
+        "AllowedFirstAuthFactors": {
+          "target": "com.amazonaws.cognitoidentityprovider#AllowedFirstAuthFactorsListType",
+          "traits": {
+            "smithy.api#documentation": "<p>The sign-in methods that a user pool supports as the first factor. You can permit\n            users to start authentication with a standard username and password, or with other\n            one-time password and hardware factors.</p>"
+          }
+        }
+      },
+      "traits": {
+        "smithy.api#documentation": "<p>The policy for allowed types of authentication in a user pool.</p>\n         <p>This data type is a request and response parameter of <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html\">CreateUserPool</a> and <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html\">UpdateUserPool</a>, and a response parameter of <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html\">DescribeUserPool</a>.</p>"
+      }
+    },
     "com.amazonaws.cognitoidentityprovider#SignUp": {
       "type": "operation",
       "input": {
@@ -13214,7 +14384,7 @@
       ],
       "traits": {
         "smithy.api#auth": [],
-        "smithy.api#documentation": "<p>Registers the user in the specified user pool and creates a user name, password, and\n            user attributes.</p>\n         <note>\n            <p>Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For\n    this operation, you can't use IAM credentials to authorize requests, and you can't\n    grant IAM permissions in policies. For more information about authorization models in\n    Amazon Cognito, see <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html\">Using the Amazon Cognito user pools API and user pool endpoints</a>.</p>\n         </note>\n         <note>\n            <p>This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers\n            require you to register an origination phone number before you can send SMS messages\n            to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a\n            phone number with <a href=\"https://console.aws.amazon.com/pinpoint/home/\">Amazon Pinpoint</a>.\n            Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must\n            receive SMS messages might not be able to sign up, activate their accounts, or sign\n            in.</p>\n            <p>If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Servicesservice,\n            Amazon Simple Notification Service might place your account in the SMS sandbox. In <i>\n                  <a href=\"https://docs.aws.amazon.com/sns/latest/dg/sns-sms-sandbox.html\">sandbox\n                    mode</a>\n               </i>, you can send messages only to verified phone\n            numbers. After you test your app while in the sandbox environment, you can move out\n            of the sandbox and into production. For more information, see <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-sms-settings.html\"> SMS message settings for Amazon Cognito user pools</a> in the <i>Amazon Cognito\n                Developer Guide</i>.</p>\n         </note>",
+        "smithy.api#documentation": "<p>Registers the user in the specified user pool and creates a user name, password, and\n            user attributes.</p>\n         <note>\n            <p>Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For\n    this operation, you can't use IAM credentials to authorize requests, and you can't\n    grant IAM permissions in policies. For more information about authorization models in\n    Amazon Cognito, see <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html\">Using the Amazon Cognito user pools API and user pool endpoints</a>.</p>\n         </note>\n         <note>\n            <p>This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers\n            require you to register an origination phone number before you can send SMS messages\n            to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a\n            phone number with <a href=\"https://console.aws.amazon.com/pinpoint/home/\">Amazon Pinpoint</a>.\n            Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must\n            receive SMS messages might not be able to sign up, activate their accounts, or sign\n            in.</p>\n            <p>If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Services service,\n            Amazon Simple Notification Service might place your account in the SMS sandbox. In <i>\n                  <a href=\"https://docs.aws.amazon.com/sns/latest/dg/sns-sms-sandbox.html\">sandbox\n                    mode</a>\n               </i>, you can send messages only to verified phone\n            numbers. After you test your app while in the sandbox environment, you can move out\n            of the sandbox and into production. For more information, see <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-sms-settings.html\"> SMS message settings for Amazon Cognito user pools</a> in the <i>Amazon Cognito\n                Developer Guide</i>.</p>\n         </note>\n         <p>You might receive a <code>LimitExceeded</code> exception in response to this request\n            if you have exceeded a rate quota for email or SMS messages, and if your user pool\n            automatically verifies email addresses or phone numbers. When you get this exception in\n            the response, the user is successfully created and is in an <code>UNCONFIRMED</code>\n            state. You can send a new code with the <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_ResendConfirmationCode.html\"> ResendConfirmationCode</a> request, or confirm the user as an administrator\n            with an <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminConfirmSignUp.html\">\n                AdminConfirmSignUp</a> request.</p>",
         "smithy.api#optionalAuth": {}
       }
     },
@@ -13244,8 +14414,7 @@
         "Password": {
           "target": "com.amazonaws.cognitoidentityprovider#PasswordType",
           "traits": {
-            "smithy.api#documentation": "<p>The password of the user you want to register.</p>",
-            "smithy.api#required": {}
+            "smithy.api#documentation": "<p>The password of the user you want to register.</p>\n         <p>Users can sign up without a password when your user pool supports passwordless sign-in\n            with email or SMS OTPs. To create a user with no password, omit this parameter or submit\n            a blank value. You can only create a passwordless user when passwordless sign-in is\n            available. See <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SignInPolicyType.html\">the SignInPolicyType</a> property of <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html\">CreateUserPool</a> and <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html\">UpdateUserPool</a>.</p>"
           }
         },
         "UserAttributes": {
@@ -13307,6 +14476,12 @@
             "smithy.api#documentation": "<p>The 128-bit ID of the authenticated user. This isn't the same as\n            <code>username</code>.</p>",
             "smithy.api#required": {}
           }
+        },
+        "Session": {
+          "target": "com.amazonaws.cognitoidentityprovider#SessionType",
+          "traits": {
+            "smithy.api#documentation": "<p>A session Id that you can pass to <code>ConfirmSignUp</code> when you want to\n            immediately sign in your user with the <code>USER_AUTH</code> flow after they complete\n            sign-up.</p>"
+          }
         }
       },
       "traits": {
@@ -13339,7 +14514,7 @@
         "ExternalId": {
           "target": "com.amazonaws.cognitoidentityprovider#StringType",
           "traits": {
-            "smithy.api#documentation": "<p>The external ID provides additional security for your IAM role. You can use an\n                <code>ExternalId</code> with the IAM role that you use with Amazon SNS to send SMS\n            messages for your user pool. If you provide an <code>ExternalId</code>, your Amazon Cognito user\n            pool includes it in the request to assume your IAM role. You can configure the role\n            trust policy to require that Amazon Cognito, and any principal, provide the\n                <code>ExternalID</code>. If you use the Amazon Cognito Management Console to create a role\n            for SMS multi-factor authentication (MFA), Amazon Cognito creates a role with the required\n            permissions and a trust policy that demonstrates use of the\n            <code>ExternalId</code>.</p>\n         <p>For more information about the <code>ExternalId</code> of a role, see <a href=\"https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html\">How to use an\n                external ID when granting access to your Amazon Web Services resources to a third\n                party</a>\n         </p>"
+            "smithy.api#documentation": "<p>The external ID provides additional security for your IAM role. You can use an\n                <code>ExternalId</code> with the IAM role that you use with Amazon SNS to send SMS\n            messages for your user pool. If you provide an <code>ExternalId</code>, your Amazon Cognito user\n            pool includes it in the request to assume your IAM role. You can configure the role\n            trust policy to require that Amazon Cognito, and any principal, provide the\n                <code>ExternalID</code>. If you use the Amazon Cognito Management Console to create a role\n            for SMS multi-factor authentication (MFA), Amazon Cognito creates a role with the required\n            permissions and a trust policy that demonstrates use of the\n            <code>ExternalId</code>.</p>\n         <p>For more information about the <code>ExternalId</code> of a role, see <a href=\"https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html\">How to use an\n                external ID when granting access to your Amazon Web Services resources to a third\n                party</a>.</p>"
           }
         },
         "SnsRegion": {
@@ -13350,7 +14525,17 @@
         }
       },
       "traits": {
-        "smithy.api#documentation": "<p>The SMS configuration type is the settings that your Amazon Cognito user pool must use to send\n            an SMS message from your Amazon Web Services account through Amazon Simple Notification Service. To send SMS\n            messages with Amazon SNS in the Amazon Web Services Region that you want, the Amazon Cognito user pool uses an\n            Identity and Access Management (IAM) role in your Amazon Web Services account.</p>"
+        "smithy.api#documentation": "<p>User pool configuration for delivery of SMS messages with Amazon Simple Notification Service. To send SMS\n            messages with Amazon SNS in the Amazon Web Services Region that you want, the Amazon Cognito user pool uses an\n            Identity and Access Management (IAM) role in your Amazon Web Services account.</p>\n         <p>This data type is a request parameter of <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html\">CreateUserPool</a>, <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html\">UpdateUserPool</a>, and <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SetUserPoolMfaConfig.html\">SetUserPoolMfaConfig</a>, and a response parameter of\n                <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html\">CreateUserPool</a>, <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html\">UpdateUserPool</a>, and <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_GetUserPoolMfaConfig.html\">GetUserPoolMfaConfig</a>.</p>"
+      }
+    },
+    "com.amazonaws.cognitoidentityprovider#SmsInviteMessageType": {
+      "type": "string",
+      "traits": {
+        "smithy.api#length": {
+          "min": 6,
+          "max": 140
+        },
+        "smithy.api#pattern": "^(?s)"
       }
     },
     "com.amazonaws.cognitoidentityprovider#SmsMfaConfigType": {
@@ -13359,18 +14544,18 @@
         "SmsAuthenticationMessage": {
           "target": "com.amazonaws.cognitoidentityprovider#SmsVerificationMessageType",
           "traits": {
-            "smithy.api#documentation": "<p>The SMS message that your user pool sends to users with an MFA code. The message must\n            contain the <code>{####}</code> placeholder. In the message, Amazon Cognito replaces this\n            placeholder with the code. If you don't provide this parameter, Amazon Cognito sends\n            messages in the default format.</p>"
+            "smithy.api#documentation": "<p>The SMS authentication message that will be sent to users with the code they must sign\n            in with. The message must contain the <code>{####}</code> placeholder. Your user pool\n            replaces the placeholder with the MFA code. If this parameter isn't provided, your user\n            pool sends a default message.</p>"
           }
         },
         "SmsConfiguration": {
           "target": "com.amazonaws.cognitoidentityprovider#SmsConfigurationType",
           "traits": {
-            "smithy.api#documentation": "<p>The SMS configuration with the settings that your Amazon Cognito user pool must use to send an\n            SMS message from your Amazon Web Services account through Amazon Simple Notification Service. To request Amazon SNS in\n            the Amazon Web Services Region that you want, the Amazon Cognito user pool uses an Identity and Access Management (IAM) role that\n            you provide for your Amazon Web Services account.</p>"
+            "smithy.api#documentation": "<p>User pool configuration for delivery of SMS messages with Amazon Simple Notification Service. To send SMS\n            messages with Amazon SNS in the Amazon Web Services Region that you want, the Amazon Cognito user pool uses an\n            Identity and Access Management (IAM) role in your Amazon Web Services account.</p>\n         <p>You can set <code>SmsConfiguration</code> in <code>CreateUserPool</code> and <code>\n                UpdateUserPool</code>, or in <code>SetUserPoolMfaConfig</code>.</p>"
           }
         }
       },
       "traits": {
-        "smithy.api#documentation": "<p>Configures user pool SMS messages for multi-factor authentication (MFA). Sets the\n            message template and the SMS message sending configuration for Amazon SNS.</p>"
+        "smithy.api#documentation": "<p>The configuration of multi-factor authentication (MFA) with SMS messages in a user\n            pool.</p>\n         <p>This data type is a request parameter of <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SetUserPoolMfaConfig.html\">SetUserPoolMfaConfig</a> and a response parameter of <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_GetUserPoolMfaConfig.html\">GetUserPoolMfaConfig</a>.</p>"
       }
     },
     "com.amazonaws.cognitoidentityprovider#SmsVerificationMessageType": {
@@ -13414,12 +14599,12 @@
           "target": "com.amazonaws.cognitoidentityprovider#BooleanType",
           "traits": {
             "smithy.api#default": false,
-            "smithy.api#documentation": "<p>Specifies whether software token MFA is activated.</p>"
+            "smithy.api#documentation": "<p>The activation state of TOTP MFA.</p>"
           }
         }
       },
       "traits": {
-        "smithy.api#documentation": "<p>Configures a user pool for time-based one-time password (TOTP) multi-factor\n            authentication (MFA). Enables or disables TOTP.</p>"
+        "smithy.api#documentation": "<p>Settings for time-based one-time password (TOTP) multi-factor authentication (MFA) in\n            a user pool. Enables and disables availability of this feature.</p>\n         <p>This data type is a request parameter of <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SetUserPoolMfaConfig.html\">SetUserPoolMfaConfig</a> and a response parameter of <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_GetUserPoolMfaConfig.html\">GetUserPoolMfaConfig</a>. </p>"
       }
     },
     "com.amazonaws.cognitoidentityprovider#SoftwareTokenMfaSettingsType": {
@@ -13441,7 +14626,7 @@
         }
       },
       "traits": {
-        "smithy.api#documentation": "<p>The type used for enabling software token MFA at the user level. If an MFA type is\n            activated for a user, the user will be prompted for MFA during all sign-in attempts,\n            unless device tracking is turned on and the device has been trusted. If you want MFA to\n            be applied selectively based on the assessed risk level of sign-in attempts, deactivate\n            MFA for users and turn on Adaptive Authentication for the user pool.</p>"
+        "smithy.api#documentation": "<p>A user's preference for using time-based one-time password (TOTP) multi-factor\n            authentication (MFA). Turns TOTP MFA on and off, and can set TOTP as preferred when\n            other MFA options are available. You can't turn off TOTP MFA for any of your users when\n            MFA is required in your user pool; you can only set the type that your user prefers. </p>\n         <p>This data type is a request parameter of <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SetUserMFAPreference.html\">SetUserMFAPreference</a> and <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminSetUserMFAPreference.html\">AdminSetUserMFAPreference</a>. </p>"
       }
     },
     "com.amazonaws.cognitoidentityprovider#StartUserImportJob": {
@@ -13514,6 +14699,76 @@
         "smithy.api#output": {}
       }
     },
+    "com.amazonaws.cognitoidentityprovider#StartWebAuthnRegistration": {
+      "type": "operation",
+      "input": {
+        "target": "com.amazonaws.cognitoidentityprovider#StartWebAuthnRegistrationRequest"
+      },
+      "output": {
+        "target": "com.amazonaws.cognitoidentityprovider#StartWebAuthnRegistrationResponse"
+      },
+      "errors": [
+        {
+          "target": "com.amazonaws.cognitoidentityprovider#ForbiddenException"
+        },
+        {
+          "target": "com.amazonaws.cognitoidentityprovider#InternalErrorException"
+        },
+        {
+          "target": "com.amazonaws.cognitoidentityprovider#InvalidParameterException"
+        },
+        {
+          "target": "com.amazonaws.cognitoidentityprovider#LimitExceededException"
+        },
+        {
+          "target": "com.amazonaws.cognitoidentityprovider#NotAuthorizedException"
+        },
+        {
+          "target": "com.amazonaws.cognitoidentityprovider#TooManyRequestsException"
+        },
+        {
+          "target": "com.amazonaws.cognitoidentityprovider#WebAuthnConfigurationMissingException"
+        },
+        {
+          "target": "com.amazonaws.cognitoidentityprovider#WebAuthnNotEnabledException"
+        }
+      ],
+      "traits": {
+        "smithy.api#auth": [],
+        "smithy.api#documentation": "<p>Requests credential creation options from your user pool for registration of a passkey\n            authenticator. Returns information about the user pool, the user profile, and\n            authentication requirements. Users must provide this information in their request to\n            enroll your application with their passkey provider.</p>\n         <p>After users present this data and register with their passkey provider, return the\n            response to your user pool in a <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CompleteWebAuthnRegistration.html\"> CompleteWebAuthnRegistration</a> API request.</p>\n         <p>Authorize this action with a signed-in user's access token. It must include the scope <code>aws.cognito.signin.user.admin</code>.</p>",
+        "smithy.api#optionalAuth": {}
+      }
+    },
+    "com.amazonaws.cognitoidentityprovider#StartWebAuthnRegistrationRequest": {
+      "type": "structure",
+      "members": {
+        "AccessToken": {
+          "target": "com.amazonaws.cognitoidentityprovider#TokenModelType",
+          "traits": {
+            "smithy.api#documentation": "<p>A valid access token that Amazon Cognito issued to the user whose passkey metadata you want to\n            generate.</p>",
+            "smithy.api#required": {}
+          }
+        }
+      },
+      "traits": {
+        "smithy.api#input": {}
+      }
+    },
+    "com.amazonaws.cognitoidentityprovider#StartWebAuthnRegistrationResponse": {
+      "type": "structure",
+      "members": {
+        "CredentialCreationOptions": {
+          "target": "com.amazonaws.cognitoidentityprovider#Document",
+          "traits": {
+            "smithy.api#documentation": "<p>The information that a user can provide in their request to register with their\n            passkey provider.</p>",
+            "smithy.api#required": {}
+          }
+        }
+      },
+      "traits": {
+        "smithy.api#output": {}
+      }
+    },
     "com.amazonaws.cognitoidentityprovider#StatusType": {
       "type": "enum",
       "members": {
@@ -13607,7 +14862,7 @@
         "MinLength": {
           "target": "com.amazonaws.cognitoidentityprovider#StringType",
           "traits": {
-            "smithy.api#documentation": "<p>The minimum length.</p>"
+            "smithy.api#documentation": "<p>The minimum length of a string attribute value.</p>"
           }
         },
         "MaxLength": {
@@ -13618,7 +14873,7 @@
         }
       },
       "traits": {
-        "smithy.api#documentation": "<p>The constraints associated with a string attribute.</p>"
+        "smithy.api#documentation": "<p>The minimum and maximum length values of an attribute that is of the string type, for\n            example <code>custom:department</code>.</p>\n         <p>This data type is part of <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SchemaAttributeType.html\">SchemaAttributeType</a>. It defines the length constraints\n            on string-type attributes that you configure in <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html\">CreateUserPool</a> and <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html\">UpdateUserPool</a>, and displays the length constraints of\n            all string-type attributes in the response to <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html\">DescribeUserPool</a>\n         </p>"
       }
     },
     "com.amazonaws.cognitoidentityprovider#StringType": {
@@ -13722,6 +14977,19 @@
         }
       }
     },
+    "com.amazonaws.cognitoidentityprovider#TierChangeNotAllowedException": {
+      "type": "structure",
+      "members": {
+        "message": {
+          "target": "com.amazonaws.cognitoidentityprovider#MessageType"
+        }
+      },
+      "traits": {
+        "smithy.api#documentation": "<p>This exception is thrown when you've attempted to change your feature plan but\n            the operation isn't permitted.</p>",
+        "smithy.api#error": "client",
+        "smithy.api#httpError": 403
+      }
+    },
     "com.amazonaws.cognitoidentityprovider#TimeUnitsType": {
       "type": "enum",
       "members": {
@@ -13764,24 +15032,24 @@
         "AccessToken": {
           "target": "com.amazonaws.cognitoidentityprovider#TimeUnitsType",
           "traits": {
-            "smithy.api#documentation": "<p> A time unit of <code>seconds</code>, <code>minutes</code>, <code>hours</code>, or\n                <code>days</code> for the value that you set in the <code>AccessTokenValidity</code>\n            parameter. The default <code>AccessTokenValidity</code> time unit is hours.\n                <code>AccessTokenValidity</code> duration can range from five minutes to one\n            day.</p>"
+            "smithy.api#documentation": "<p> A time unit for the value that you set in the <code>AccessTokenValidity</code>\n            parameter. The default <code>AccessTokenValidity</code> time unit is <code>hours</code>.\n                <code>AccessTokenValidity</code> duration can range from five minutes to one\n            day.</p>"
           }
         },
         "IdToken": {
           "target": "com.amazonaws.cognitoidentityprovider#TimeUnitsType",
           "traits": {
-            "smithy.api#documentation": "<p>A time unit of <code>seconds</code>, <code>minutes</code>, <code>hours</code>, or\n                <code>days</code> for the value that you set in the <code>IdTokenValidity</code>\n            parameter. The default <code>IdTokenValidity</code> time unit is hours.\n                <code>IdTokenValidity</code> duration can range from five minutes to one day.</p>"
+            "smithy.api#documentation": "<p>A time unit for the value that you set in the <code>IdTokenValidity</code> parameter.\n            The default <code>IdTokenValidity</code> time unit is <code>hours</code>.\n                <code>IdTokenValidity</code> duration can range from five minutes to one day.</p>"
           }
         },
         "RefreshToken": {
           "target": "com.amazonaws.cognitoidentityprovider#TimeUnitsType",
           "traits": {
-            "smithy.api#documentation": "<p>A time unit of <code>seconds</code>, <code>minutes</code>, <code>hours</code>, or\n                <code>days</code> for the value that you set in the\n                <code>RefreshTokenValidity</code> parameter. The default\n                <code>RefreshTokenValidity</code> time unit is days.\n                <code>RefreshTokenValidity</code> duration can range from 60 minutes to 10\n            years.</p>"
+            "smithy.api#documentation": "<p>A time unit for the value that you set in the <code>RefreshTokenValidity</code>\n            parameter. The default <code>RefreshTokenValidity</code> time unit is <code>days</code>.\n                <code>RefreshTokenValidity</code> duration can range from 60 minutes to 10\n            years.</p>"
           }
         }
       },
       "traits": {
-        "smithy.api#documentation": "<p>The data type TokenValidityUnits specifies the time units you use when you set the\n            duration of ID, access, and refresh tokens.</p>"
+        "smithy.api#documentation": "<p>The time units that, with <code>IdTokenValidity</code>,\n                <code>AccessTokenValidity</code>, and <code>RefreshTokenValidity</code>, set and\n            display the duration of ID, access, and refresh tokens for an app client. You can assign\n            a separate token validity unit to each type of token. </p>\n         <p>This data type is a request parameter of <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPoolClient.html\">CreateUserPoolClient</a> and <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPoolClient.html\">UpdateUserPoolClient</a>, and a response parameter of\n                <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPoolClient.html\">DescribeUserPoolClient</a>.</p>"
       }
     },
     "com.amazonaws.cognitoidentityprovider#TooManyFailedAttemptsException": {
@@ -13822,25 +15090,25 @@
         "UserPoolId": {
           "target": "com.amazonaws.cognitoidentityprovider#UserPoolIdType",
           "traits": {
-            "smithy.api#documentation": "<p>The user pool ID for the user pool.</p>"
+            "smithy.api#documentation": "<p>The ID of the user pool with hosted UI customizations.</p>"
           }
         },
         "ClientId": {
           "target": "com.amazonaws.cognitoidentityprovider#ClientIdType",
           "traits": {
-            "smithy.api#documentation": "<p>The client ID for the client app.</p>"
+            "smithy.api#documentation": "<p>The app client ID for your UI customization. When this value isn't present, the\n            customization applies to all user pool app clients that don't have client-level\n            settings..</p>"
           }
         },
         "ImageUrl": {
           "target": "com.amazonaws.cognitoidentityprovider#ImageUrlType",
           "traits": {
-            "smithy.api#documentation": "<p>The logo image for the UI customization.</p>"
+            "smithy.api#documentation": "<p>A URL path to the hosted logo image of your UI customization.</p>"
           }
         },
         "CSS": {
           "target": "com.amazonaws.cognitoidentityprovider#CSSType",
           "traits": {
-            "smithy.api#documentation": "<p>The CSS values in the UI customization.</p>"
+            "smithy.api#documentation": "<p>The CSS values in the UI customization. To get a template with your UI customization\n            options, make a <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_GetUiCustomization.html\">GetUiCustomization</a> request.</p>"
           }
         },
         "CSSVersion": {
@@ -13863,7 +15131,7 @@
         }
       },
       "traits": {
-        "smithy.api#documentation": "<p>A container for the UI customization information for a user pool's built-in app\n            UI.</p>"
+        "smithy.api#documentation": "<p>A container for the UI customization information for the hosted UI in a user\n            pool.</p>\n         <p>This data type is a response parameter of <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPoolClient.html\">GetUICustomization</a>.</p>"
       }
     },
     "com.amazonaws.cognitoidentityprovider#UnauthorizedException": {
@@ -14351,6 +15619,91 @@
         "smithy.api#output": {}
       }
     },
+    "com.amazonaws.cognitoidentityprovider#UpdateManagedLoginBranding": {
+      "type": "operation",
+      "input": {
+        "target": "com.amazonaws.cognitoidentityprovider#UpdateManagedLoginBrandingRequest"
+      },
+      "output": {
+        "target": "com.amazonaws.cognitoidentityprovider#UpdateManagedLoginBrandingResponse"
+      },
+      "errors": [
+        {
+          "target": "com.amazonaws.cognitoidentityprovider#ConcurrentModificationException"
+        },
+        {
+          "target": "com.amazonaws.cognitoidentityprovider#InternalErrorException"
+        },
+        {
+          "target": "com.amazonaws.cognitoidentityprovider#InvalidParameterException"
+        },
+        {
+          "target": "com.amazonaws.cognitoidentityprovider#NotAuthorizedException"
+        },
+        {
+          "target": "com.amazonaws.cognitoidentityprovider#ResourceNotFoundException"
+        },
+        {
+          "target": "com.amazonaws.cognitoidentityprovider#TooManyRequestsException"
+        }
+      ],
+      "traits": {
+        "smithy.api#documentation": "<p>Configures the branding settings for a user pool style. This operation is the\n            programmatic option for the configuration of a style in the branding designer.</p>\n         <p>Provides values for UI customization in a <code>Settings</code> JSON object and image\n            files in an <code>Assets</code> array.</p>\n         <p> This operation has a 2-megabyte request-size limit and include the CSS settings and\n            image assets for your app client. Your branding settings might exceed 2MB in size. Amazon Cognito\n            doesn't require that you pass all parameters in one request and preserves existing\n            style settings that you don't specify. If your request is larger than 2MB, separate it\n            into multiple requests, each with a size smaller than the limit. </p>\n         <p>For more information, see <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/managed-login-brandingdesigner.html#branding-designer-api\">API and SDK operations for managed login branding</a>.</p>\n         <note>\n            <p>Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For\n    this operation, you must use IAM credentials to authorize requests, and you must\n    grant yourself the corresponding IAM permission in a policy.</p>\n            <p class=\"title\">\n               <b>Learn more</b>\n            </p>\n            <ul>\n               <li>\n                  <p>\n                     <a href=\"https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html\">Signing Amazon Web Services API Requests</a>\n                  </p>\n               </li>\n               <li>\n                  <p>\n                     <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html\">Using the Amazon Cognito user pools API and user pool endpoints</a>\n                  </p>\n               </li>\n            </ul>\n         </note>"
+      }
+    },
+    "com.amazonaws.cognitoidentityprovider#UpdateManagedLoginBrandingRequest": {
+      "type": "structure",
+      "members": {
+        "UserPoolId": {
+          "target": "com.amazonaws.cognitoidentityprovider#UserPoolIdType",
+          "traits": {
+            "smithy.api#documentation": "<p>The ID of the user pool that contains the managed login branding style that you want\n            to update.</p>"
+          }
+        },
+        "ManagedLoginBrandingId": {
+          "target": "com.amazonaws.cognitoidentityprovider#ManagedLoginBrandingIdType",
+          "traits": {
+            "smithy.api#documentation": "<p>The ID of the managed login branding style that you want to update.</p>"
+          }
+        },
+        "UseCognitoProvidedValues": {
+          "target": "com.amazonaws.cognitoidentityprovider#BooleanType",
+          "traits": {
+            "smithy.api#default": false,
+            "smithy.api#documentation": "<p>When true, applies the default branding style options. This option reverts to default\n            style options that are managed by Amazon Cognito. You can modify them later in the branding\n            designer.</p>\n         <p>When you specify <code>true</code> for this option, you must also omit values for\n                <code>Settings</code> and <code>Assets</code> in the request.</p>"
+          }
+        },
+        "Settings": {
+          "target": "com.amazonaws.cognitoidentityprovider#Document",
+          "traits": {
+            "smithy.api#documentation": "<p>A JSON file, encoded as a <code>Document</code> type, with the the settings that you\n            want to apply to your style.</p>"
+          }
+        },
+        "Assets": {
+          "target": "com.amazonaws.cognitoidentityprovider#AssetListType",
+          "traits": {
+            "smithy.api#documentation": "<p>An array of image files that you want to apply to roles like backgrounds, logos, and\n            icons. Each object must also indicate whether it is for dark mode, light mode, or\n            browser-adaptive mode.</p>"
+          }
+        }
+      },
+      "traits": {
+        "smithy.api#input": {}
+      }
+    },
+    "com.amazonaws.cognitoidentityprovider#UpdateManagedLoginBrandingResponse": {
+      "type": "structure",
+      "members": {
+        "ManagedLoginBranding": {
+          "target": "com.amazonaws.cognitoidentityprovider#ManagedLoginBrandingType",
+          "traits": {
+            "smithy.api#documentation": "<p>The details of the branding style that you updated.</p>"
+          }
+        }
+      },
+      "traits": {
+        "smithy.api#output": {}
+      }
+    },
     "com.amazonaws.cognitoidentityprovider#UpdateResourceServer": {
       "type": "operation",
       "input": {
@@ -14499,7 +15852,7 @@
       ],
       "traits": {
         "smithy.api#auth": [],
-        "smithy.api#documentation": "<p>With this operation, your users can update one or more of their attributes with their\n            own credentials. You authorize this API request with the user's access token. To delete\n            an attribute from your user, submit the attribute in your API request with a blank\n            value. Custom attribute values in this request must include the <code>custom:</code>\n            prefix.</p>\n         <p>Authorize this action with a signed-in user's access token. It must include the scope <code>aws.cognito.signin.user.admin</code>.</p>\n         <note>\n            <p>Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For\n    this operation, you can't use IAM credentials to authorize requests, and you can't\n    grant IAM permissions in policies. For more information about authorization models in\n    Amazon Cognito, see <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html\">Using the Amazon Cognito user pools API and user pool endpoints</a>.</p>\n         </note>\n         <note>\n            <p>This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers\n            require you to register an origination phone number before you can send SMS messages\n            to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a\n            phone number with <a href=\"https://console.aws.amazon.com/pinpoint/home/\">Amazon Pinpoint</a>.\n            Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must\n            receive SMS messages might not be able to sign up, activate their accounts, or sign\n            in.</p>\n            <p>If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Servicesservice,\n            Amazon Simple Notification Service might place your account in the SMS sandbox. In <i>\n                  <a href=\"https://docs.aws.amazon.com/sns/latest/dg/sns-sms-sandbox.html\">sandbox\n                    mode</a>\n               </i>, you can send messages only to verified phone\n            numbers. After you test your app while in the sandbox environment, you can move out\n            of the sandbox and into production. For more information, see <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-sms-settings.html\"> SMS message settings for Amazon Cognito user pools</a> in the <i>Amazon Cognito\n                Developer Guide</i>.</p>\n         </note>",
+        "smithy.api#documentation": "<p>With this operation, your users can update one or more of their attributes with their\n            own credentials. You authorize this API request with the user's access token. To delete\n            an attribute from your user, submit the attribute in your API request with a blank\n            value. Custom attribute values in this request must include the <code>custom:</code>\n            prefix.</p>\n         <p>Authorize this action with a signed-in user's access token. It must include the scope <code>aws.cognito.signin.user.admin</code>.</p>\n         <note>\n            <p>Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For\n    this operation, you can't use IAM credentials to authorize requests, and you can't\n    grant IAM permissions in policies. For more information about authorization models in\n    Amazon Cognito, see <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html\">Using the Amazon Cognito user pools API and user pool endpoints</a>.</p>\n         </note>\n         <note>\n            <p>This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers\n            require you to register an origination phone number before you can send SMS messages\n            to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a\n            phone number with <a href=\"https://console.aws.amazon.com/pinpoint/home/\">Amazon Pinpoint</a>.\n            Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must\n            receive SMS messages might not be able to sign up, activate their accounts, or sign\n            in.</p>\n            <p>If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Services service,\n            Amazon Simple Notification Service might place your account in the SMS sandbox. In <i>\n                  <a href=\"https://docs.aws.amazon.com/sns/latest/dg/sns-sms-sandbox.html\">sandbox\n                    mode</a>\n               </i>, you can send messages only to verified phone\n            numbers. After you test your app while in the sandbox environment, you can move out\n            of the sandbox and into production. For more information, see <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-sms-settings.html\"> SMS message settings for Amazon Cognito user pools</a> in the <i>Amazon Cognito\n                Developer Guide</i>.</p>\n         </note>",
         "smithy.api#optionalAuth": {}
       }
     },
@@ -14559,6 +15912,9 @@
         {
           "target": "com.amazonaws.cognitoidentityprovider#ConcurrentModificationException"
         },
+        {
+          "target": "com.amazonaws.cognitoidentityprovider#FeatureUnavailableInTierException"
+        },
         {
           "target": "com.amazonaws.cognitoidentityprovider#InternalErrorException"
         },
@@ -14580,6 +15936,9 @@
         {
           "target": "com.amazonaws.cognitoidentityprovider#ResourceNotFoundException"
         },
+        {
+          "target": "com.amazonaws.cognitoidentityprovider#TierChangeNotAllowedException"
+        },
         {
           "target": "com.amazonaws.cognitoidentityprovider#TooManyRequestsException"
         },
@@ -14591,7 +15950,7 @@
         }
       ],
       "traits": {
-        "smithy.api#documentation": "<note>\n            <p>This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers\n            require you to register an origination phone number before you can send SMS messages\n            to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a\n            phone number with <a href=\"https://console.aws.amazon.com/pinpoint/home/\">Amazon Pinpoint</a>.\n            Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must\n            receive SMS messages might not be able to sign up, activate their accounts, or sign\n            in.</p>\n            <p>If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Servicesservice,\n            Amazon Simple Notification Service might place your account in the SMS sandbox. In <i>\n                  <a href=\"https://docs.aws.amazon.com/sns/latest/dg/sns-sms-sandbox.html\">sandbox\n                    mode</a>\n               </i>, you can send messages only to verified phone\n            numbers. After you test your app while in the sandbox environment, you can move out\n            of the sandbox and into production. For more information, see <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-sms-settings.html\"> SMS message settings for Amazon Cognito user pools</a> in the <i>Amazon Cognito\n                Developer Guide</i>.</p>\n         </note>\n         <p>Updates the specified user pool with the specified attributes. You can get a list of\n            the current user pool settings using <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html\">DescribeUserPool</a>.</p>\n         <important>\n            <p>If you don't provide a value for an attribute, Amazon Cognito sets it to its default value.</p>\n         </important>\n         <note>\n            <p>Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For\n    this operation, you must use IAM credentials to authorize requests, and you must\n    grant yourself the corresponding IAM permission in a policy.</p>\n            <p class=\"title\">\n               <b>Learn more</b>\n            </p>\n            <ul>\n               <li>\n                  <p>\n                     <a href=\"https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html\">Signing Amazon Web Services API Requests</a>\n                  </p>\n               </li>\n               <li>\n                  <p>\n                     <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html\">Using the Amazon Cognito user pools API and user pool endpoints</a>\n                  </p>\n               </li>\n            </ul>\n         </note>"
+        "smithy.api#documentation": "<note>\n            <p>This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers\n            require you to register an origination phone number before you can send SMS messages\n            to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a\n            phone number with <a href=\"https://console.aws.amazon.com/pinpoint/home/\">Amazon Pinpoint</a>.\n            Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must\n            receive SMS messages might not be able to sign up, activate their accounts, or sign\n            in.</p>\n            <p>If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Services service,\n            Amazon Simple Notification Service might place your account in the SMS sandbox. In <i>\n                  <a href=\"https://docs.aws.amazon.com/sns/latest/dg/sns-sms-sandbox.html\">sandbox\n                    mode</a>\n               </i>, you can send messages only to verified phone\n            numbers. After you test your app while in the sandbox environment, you can move out\n            of the sandbox and into production. For more information, see <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-sms-settings.html\"> SMS message settings for Amazon Cognito user pools</a> in the <i>Amazon Cognito\n                Developer Guide</i>.</p>\n         </note>\n         <p>Updates the specified user pool with the specified attributes. You can get a list of\n            the current user pool settings using <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html\">DescribeUserPool</a>.</p>\n         <important>\n            <p>If you don't provide a value for an attribute, Amazon Cognito sets it to its default value.</p>\n         </important>\n         <note>\n            <p>Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For\n    this operation, you must use IAM credentials to authorize requests, and you must\n    grant yourself the corresponding IAM permission in a policy.</p>\n            <p class=\"title\">\n               <b>Learn more</b>\n            </p>\n            <ul>\n               <li>\n                  <p>\n                     <a href=\"https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html\">Signing Amazon Web Services API Requests</a>\n                  </p>\n               </li>\n               <li>\n                  <p>\n                     <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html\">Using the Amazon Cognito user pools API and user pool endpoints</a>\n                  </p>\n               </li>\n            </ul>\n         </note>"
       }
     },
     "com.amazonaws.cognitoidentityprovider#UpdateUserPoolClient": {
@@ -14695,13 +16054,13 @@
         "ExplicitAuthFlows": {
           "target": "com.amazonaws.cognitoidentityprovider#ExplicitAuthFlowsListType",
           "traits": {
-            "smithy.api#documentation": "<p>The authentication flows that you want your user pool client to support. For each app client in your user pool, you can sign in \nyour users with any combination of one or more flows, including with a user name and Secure Remote Password (SRP), a user name and \npassword, or a custom authentication process that you define with Lambda functions.</p>\n         <note>\n            <p>If you don't specify a value for <code>ExplicitAuthFlows</code>, your user client supports <code>ALLOW_REFRESH_TOKEN_AUTH</code>, <code>ALLOW_USER_SRP_AUTH</code>, and <code>ALLOW_CUSTOM_AUTH</code>.</p>\n         </note>\n         <p>Valid values include:</p>\n         <ul>\n            <li>\n               <p>\n                  <code>ALLOW_ADMIN_USER_PASSWORD_AUTH</code>: Enable admin based user password\n            authentication flow <code>ADMIN_USER_PASSWORD_AUTH</code>. This setting replaces\n            the <code>ADMIN_NO_SRP_AUTH</code> setting. With this authentication flow, your app\n            passes a user name and password to Amazon Cognito in the request, instead of using the Secure \n            Remote Password (SRP) protocol to securely transmit the password.</p>\n            </li>\n            <li>\n               <p>\n                  <code>ALLOW_CUSTOM_AUTH</code>: Enable Lambda trigger based\n            authentication.</p>\n            </li>\n            <li>\n               <p>\n                  <code>ALLOW_USER_PASSWORD_AUTH</code>: Enable user password-based\n            authentication. In this flow, Amazon Cognito receives the password in the request instead\n            of using the SRP protocol to verify passwords.</p>\n            </li>\n            <li>\n               <p>\n                  <code>ALLOW_USER_SRP_AUTH</code>: Enable SRP-based authentication.</p>\n            </li>\n            <li>\n               <p>\n                  <code>ALLOW_REFRESH_TOKEN_AUTH</code>: Enable authflow to refresh\n            tokens.</p>\n            </li>\n         </ul>\n         <p>In some environments, you will see the values <code>ADMIN_NO_SRP_AUTH</code>, <code>CUSTOM_AUTH_FLOW_ONLY</code>, or <code>USER_PASSWORD_AUTH</code>. \nYou can't assign these legacy <code>ExplicitAuthFlows</code> values to user pool clients at the same time as values that begin with <code>ALLOW_</code>,\nlike <code>ALLOW_USER_SRP_AUTH</code>.</p>"
+            "smithy.api#documentation": "<p>The authentication flows that you want your user pool client to support. For each app client in your user pool, you can sign in \nyour users with any combination of one or more flows, including with a user name and Secure Remote Password (SRP), a user name and \npassword, or a custom authentication process that you define with Lambda functions.</p>\n         <note>\n            <p>If you don't specify a value for <code>ExplicitAuthFlows</code>, your user client supports <code>ALLOW_REFRESH_TOKEN_AUTH</code>, <code>ALLOW_USER_SRP_AUTH</code>, and <code>ALLOW_CUSTOM_AUTH</code>.</p>\n         </note>\n         <p>Valid values include:</p>\n         <ul>\n            <li>\n               <p>\n                  <code>ALLOW_USER_AUTH</code>: Enable selection-based sign-in\n            with <code>USER_AUTH</code>. This setting covers username-password,\n            secure remote password (SRP), passwordless, and passkey authentication.\n            This authentiation flow can do username-password and SRP authentication\n            without other <code>ExplicitAuthFlows</code> permitting them. For example\n            users can complete an SRP challenge through <code>USER_AUTH</code> \n            without the flow <code>USER_SRP_AUTH</code> being active for the app\n            client. This flow doesn't include <code>CUSTOM_AUTH</code>.\n        </p>\n            </li>\n            <li>\n               <p>\n                  <code>ALLOW_ADMIN_USER_PASSWORD_AUTH</code>: Enable admin based user password\n            authentication flow <code>ADMIN_USER_PASSWORD_AUTH</code>. This setting replaces\n            the <code>ADMIN_NO_SRP_AUTH</code> setting. With this authentication flow, your app\n            passes a user name and password to Amazon Cognito in the request, instead of using the Secure \n            Remote Password (SRP) protocol to securely transmit the password.</p>\n            </li>\n            <li>\n               <p>\n                  <code>ALLOW_CUSTOM_AUTH</code>: Enable Lambda trigger based\n            authentication.</p>\n            </li>\n            <li>\n               <p>\n                  <code>ALLOW_USER_PASSWORD_AUTH</code>: Enable user password-based\n            authentication. In this flow, Amazon Cognito receives the password in the request instead\n            of using the SRP protocol to verify passwords.</p>\n            </li>\n            <li>\n               <p>\n                  <code>ALLOW_USER_SRP_AUTH</code>: Enable SRP-based authentication.</p>\n            </li>\n            <li>\n               <p>\n                  <code>ALLOW_REFRESH_TOKEN_AUTH</code>: Enable authflow to refresh\n            tokens.</p>\n            </li>\n         </ul>\n         <p>In some environments, you will see the values <code>ADMIN_NO_SRP_AUTH</code>, <code>CUSTOM_AUTH_FLOW_ONLY</code>, or <code>USER_PASSWORD_AUTH</code>. \nYou can't assign these legacy <code>ExplicitAuthFlows</code> values to user pool clients at the same time as values that begin with <code>ALLOW_</code>,\nlike <code>ALLOW_USER_SRP_AUTH</code>.</p>"
           }
         },
         "SupportedIdentityProviders": {
           "target": "com.amazonaws.cognitoidentityprovider#SupportedIdentityProvidersListType",
           "traits": {
-            "smithy.api#documentation": "<p>A list of provider names for the IdPs that this client supports. The following are\n            supported: <code>COGNITO</code>, <code>Facebook</code>, <code>Google</code>,\n                <code>SignInWithApple</code>, <code>LoginWithAmazon</code>, and the names of your\n            own SAML and OIDC providers.</p>"
+            "smithy.api#documentation": "<p>A list of provider names for the identity providers (IdPs) that are supported on this\n            client. The following are supported: <code>COGNITO</code>, <code>Facebook</code>,\n                <code>Google</code>, <code>SignInWithApple</code>, and <code>LoginWithAmazon</code>.\n            You can also specify the names that you configured for the SAML and OIDC IdPs in your\n            user pool, for example <code>MySAMLIdP</code> or <code>MyOIDCIdP</code>.</p>\n         <p>This setting applies to providers that you can access with the <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-app-integration.html\">hosted\n                UI and OAuth 2.0 authorization server</a>. The removal of <code>COGNITO</code>\n            from this list doesn't prevent authentication operations for local users with the\n            user pools API in an Amazon Web Services SDK. The only way to prevent API-based authentication is to\n            block access with a <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-waf.html\">WAF rule</a>.</p>"
           }
         },
         "CallbackURLs": {
@@ -14762,7 +16121,7 @@
         "EnablePropagateAdditionalUserContextData": {
           "target": "com.amazonaws.cognitoidentityprovider#WrappedBooleanType",
           "traits": {
-            "smithy.api#documentation": "<p>Activates the propagation of additional user context data. For more information about\n            propagation of user context data, see <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-advanced-security.html\"> Adding advanced security to a user pool</a>. If you don’t include this\n            parameter, you can't send device fingerprint information, including source IP address,\n            to Amazon Cognito advanced security. You can only activate\n                <code>EnablePropagateAdditionalUserContextData</code> in an app client that has a\n            client secret.</p>"
+            "smithy.api#documentation": "<p>Activates the propagation of additional user context data. For more information about\n            propagation of user context data, see <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-threat-protection.html\"> Adding advanced security to a user pool</a>. If you don’t include this\n            parameter, you can't send device fingerprint information, including source IP address,\n            to Amazon Cognito advanced security. You can only activate\n                <code>EnablePropagateAdditionalUserContextData</code> in an app client that has a\n            client secret.</p>"
           }
         },
         "AuthSessionValidity": {
@@ -14801,6 +16160,9 @@
         "target": "com.amazonaws.cognitoidentityprovider#UpdateUserPoolDomainResponse"
       },
       "errors": [
+        {
+          "target": "com.amazonaws.cognitoidentityprovider#FeatureUnavailableInTierException"
+        },
         {
           "target": "com.amazonaws.cognitoidentityprovider#InternalErrorException"
         },
@@ -14838,10 +16200,16 @@
             "smithy.api#required": {}
           }
         },
+        "ManagedLoginVersion": {
+          "target": "com.amazonaws.cognitoidentityprovider#WrappedIntegerType",
+          "traits": {
+            "smithy.api#documentation": "<p>A version number that indicates the state of managed login for your domain. Version\n                <code>1</code> is hosted UI (classic). Version <code>2</code> is the newer managed\n            login with the branding designer. For more information, see <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-managed-login.html\">Managed login</a>.</p>"
+          }
+        },
         "CustomDomainConfig": {
           "target": "com.amazonaws.cognitoidentityprovider#CustomDomainConfigType",
           "traits": {
-            "smithy.api#documentation": "<p>The configuration for a custom domain that hosts the sign-up and sign-in pages for\n            your application. Use this object to specify an SSL certificate that is managed by\n            ACM.</p>",
+            "smithy.api#documentation": "<p>The configuration for a custom domain that hosts the sign-up and sign-in pages for\n            your application. Use this object to specify an SSL certificate that is managed by\n            ACM.</p>\n         <p>When you create a custom domain, the passkey RP ID defaults to the custom domain. If\n            you had a prefix domain active, this will cause passkey integration for your prefix\n            domain to stop working due to a mismatch in RP ID. To keep the prefix domain passkey\n            integration working, you can explicitly set RP ID to the prefix domain. Update the RP ID\n            in a <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SetUserPoolMfaConfig.html\">SetUserPoolMfaConfig</a> request.</p>",
             "smithy.api#required": {}
           }
         }
@@ -14854,6 +16222,12 @@
     "com.amazonaws.cognitoidentityprovider#UpdateUserPoolDomainResponse": {
       "type": "structure",
       "members": {
+        "ManagedLoginVersion": {
+          "target": "com.amazonaws.cognitoidentityprovider#WrappedIntegerType",
+          "traits": {
+            "smithy.api#documentation": "<p>A version number that indicates the state of managed login for your domain. Version\n                <code>1</code> is hosted UI (classic). Version <code>2</code> is the newer managed\n            login with the branding designer. For more information, see <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-managed-login.html\">Managed login</a>.</p>"
+          }
+        },
         "CloudFrontDomain": {
           "target": "com.amazonaws.cognitoidentityprovider#DomainType",
           "traits": {
@@ -14983,6 +16357,18 @@
           "traits": {
             "smithy.api#documentation": "<p>The available verified method a user can use to recover their password when they call\n                <code>ForgotPassword</code>. You can use this setting to define a preferred method\n            when a user has more than one method available. With this setting, SMS doesn't qualify\n            for a valid password recovery mechanism if the user also has SMS multi-factor\n            authentication (MFA) activated. In the absence of this setting, Amazon Cognito uses the legacy\n            behavior to determine the recovery method where SMS is preferred through email.</p>"
           }
+        },
+        "PoolName": {
+          "target": "com.amazonaws.cognitoidentityprovider#UserPoolNameType",
+          "traits": {
+            "smithy.api#documentation": "<p>The updated name of your user pool.</p>"
+          }
+        },
+        "UserPoolTier": {
+          "target": "com.amazonaws.cognitoidentityprovider#UserPoolTierType",
+          "traits": {
+            "smithy.api#documentation": "<p>The user pool <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-sign-in-feature-plans.html\">feature plan</a>, or tier. This parameter determines the\n            eligibility of the user pool for features like managed login, access-token\n            customization, and threat protection. Defaults to <code>ESSENTIALS</code>.</p>"
+          }
         }
       },
       "traits": {
@@ -15009,7 +16395,7 @@
         }
       },
       "traits": {
-        "smithy.api#documentation": "<p>The settings for updates to user attributes. These settings include the property <code>AttributesRequireVerificationBeforeUpdate</code>,\na user-pool setting that tells Amazon Cognito how to handle changes to the value of your users' email address and phone number attributes. For\nmore information, see <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-email-phone-verification.html#user-pool-settings-verifications-verify-attribute-updates\">\nVerifying updates to email addresses and phone numbers</a>.</p>"
+        "smithy.api#documentation": "<p>The settings for updates to user attributes. These settings include the property <code>AttributesRequireVerificationBeforeUpdate</code>,\na user-pool setting that tells Amazon Cognito how to handle changes to the value of your users' email address and phone number attributes. For\nmore information, see <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-email-phone-verification.html#user-pool-settings-verifications-verify-attribute-updates\">\nVerifying updates to email addresses and phone numbers</a>.</p>\n         <p>This data type is a request and response parameter of <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html\">CreateUserPool</a> and <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html\">UpdateUserPool</a>, and a response parameter of <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html\">DescribeUserPool</a>.</p>"
       }
     },
     "com.amazonaws.cognitoidentityprovider#UserContextDataType": {
@@ -15029,7 +16415,7 @@
         }
       },
       "traits": {
-        "smithy.api#documentation": "<p>Contextual data, such as the user's device fingerprint, IP address, or location, used\n            for evaluating the risk of an unexpected event by Amazon Cognito advanced security.</p>",
+        "smithy.api#documentation": "<p>Contextual data, such as the user's device fingerprint, IP address, or location, used\n            for evaluating the risk of an unexpected event by Amazon Cognito advanced security.</p>\n         <p>This data type is a request parameter of public-client authentication operations like\n                <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_InitiateAuth.html\">InitiateAuth</a> and <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_RespondToAuthChallenge.html\">RespondToAuthChallenge</a>.</p>",
         "smithy.api#sensitive": {}
       }
     },
@@ -15137,25 +16523,25 @@
         "JobName": {
           "target": "com.amazonaws.cognitoidentityprovider#UserImportJobNameType",
           "traits": {
-            "smithy.api#documentation": "<p>The job name for the user import job.</p>"
+            "smithy.api#documentation": "<p>The friendly name of the user import job.</p>"
           }
         },
         "JobId": {
           "target": "com.amazonaws.cognitoidentityprovider#UserImportJobIdType",
           "traits": {
-            "smithy.api#documentation": "<p>The job ID for the user import job.</p>"
+            "smithy.api#documentation": "<p>The ID of the user import job.</p>"
           }
         },
         "UserPoolId": {
           "target": "com.amazonaws.cognitoidentityprovider#UserPoolIdType",
           "traits": {
-            "smithy.api#documentation": "<p>The user pool ID for the user pool that the users are being imported into.</p>"
+            "smithy.api#documentation": "<p>The ID of the user pool that the users are being imported into.</p>"
           }
         },
         "PreSignedUrl": {
           "target": "com.amazonaws.cognitoidentityprovider#PreSignedUrlType",
           "traits": {
-            "smithy.api#documentation": "<p>The pre-signed URL to be used to upload the <code>.csv</code> file.</p>"
+            "smithy.api#documentation": "<p>The pre-signed URL target for uploading the CSV file.</p>"
           }
         },
         "CreationDate": {
@@ -15217,7 +16603,7 @@
         }
       },
       "traits": {
-        "smithy.api#documentation": "<p>The user import job type.</p>"
+        "smithy.api#documentation": "<p>A user import job in a user pool. Describes the status of user import with a CSV file.\n            For more information, see <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-using-import-tool.html\">Importing users into user pools from a CSV file</a>.</p>\n         <p>This data type is a request parameter of <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserImportJob.html\">CreateUserImportJob</a>, <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserImportJob.html\">DescribeUserImportJob</a>, <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_ListUserImportJobs.html\">ListUserImportJobs</a>, <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_StartUserImportJob.html\">StartUserImportJob</a>, and <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_StopUserImportJob.html\">StopUserImportJob</a>.</p>"
       }
     },
     "com.amazonaws.cognitoidentityprovider#UserImportJobsListType": {
@@ -15305,7 +16691,7 @@
         "AdvancedSecurityMode": {
           "target": "com.amazonaws.cognitoidentityprovider#AdvancedSecurityModeType",
           "traits": {
-            "smithy.api#documentation": "<p>The operating mode of advanced security features for standard authentication types\n            in your user pool, including username-password and secure remote password (SRP)\n            authentication.\n        </p>",
+            "smithy.api#documentation": "<p>The operating mode of advanced security features for standard authentication types in\n            your user pool, including username-password and secure remote password (SRP)\n            authentication. </p>",
             "smithy.api#required": {}
           }
         },
@@ -15317,7 +16703,7 @@
         }
       },
       "traits": {
-        "smithy.api#documentation": "<p>User pool add-ons. Contains settings for activation of advanced security features. To\n    log user security information but take no action, set to <code>AUDIT</code>. To\n    configure automatic security responses to risky traffic to your user pool, set to\n        <code>ENFORCED</code>.</p>\n         <p>For more information, see <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-advanced-security.html\">Adding advanced security to a user pool</a>.</p>"
+        "smithy.api#documentation": "<p>User pool add-ons. Contains settings for activation of advanced security features. To\n    log user security information but take no action, set to <code>AUDIT</code>. To\n    configure automatic security responses to risky traffic to your user pool, set to\n        <code>ENFORCED</code>.</p>\n         <p>For more information, see <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-advanced-security.html\">Adding advanced security to a user pool</a>.</p>\n         <p>This data type is a request and response parameter of <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html\">CreateUserPool</a> and <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html\">UpdateUserPool</a>, and a response parameter of <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html\">DescribeUserPool</a>.</p>"
       }
     },
     "com.amazonaws.cognitoidentityprovider#UserPoolClientDescription": {
@@ -15326,24 +16712,24 @@
         "ClientId": {
           "target": "com.amazonaws.cognitoidentityprovider#ClientIdType",
           "traits": {
-            "smithy.api#documentation": "<p>The ID of the client associated with the user pool.</p>"
+            "smithy.api#documentation": "<p>The app client ID.</p>"
           }
         },
         "UserPoolId": {
           "target": "com.amazonaws.cognitoidentityprovider#UserPoolIdType",
           "traits": {
-            "smithy.api#documentation": "<p>The user pool ID for the user pool where you want to describe the user pool\n            client.</p>"
+            "smithy.api#documentation": "<p>The ID of the user pool that's associated with the app client.</p>"
           }
         },
         "ClientName": {
           "target": "com.amazonaws.cognitoidentityprovider#ClientNameType",
           "traits": {
-            "smithy.api#documentation": "<p>The client name from the user pool client description.</p>"
+            "smithy.api#documentation": "<p>The app client name.</p>"
           }
         }
       },
       "traits": {
-        "smithy.api#documentation": "<p>The description of the user pool client.</p>"
+        "smithy.api#documentation": "<p>A short description of a user pool app client.</p>\n         <p>This data type is a response parameter of <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_ListUserPoolClients.html\">ListUserPoolClients</a>. </p>"
       }
     },
     "com.amazonaws.cognitoidentityprovider#UserPoolClientListType": {
@@ -15358,25 +16744,25 @@
         "UserPoolId": {
           "target": "com.amazonaws.cognitoidentityprovider#UserPoolIdType",
           "traits": {
-            "smithy.api#documentation": "<p>The user pool ID for the user pool client.</p>"
+            "smithy.api#documentation": "<p>The ID of the user pool associated with the app client.</p>"
           }
         },
         "ClientName": {
           "target": "com.amazonaws.cognitoidentityprovider#ClientNameType",
           "traits": {
-            "smithy.api#documentation": "<p>The client name from the user pool request of the client type.</p>"
+            "smithy.api#documentation": "<p>The name of the app client.</p>"
           }
         },
         "ClientId": {
           "target": "com.amazonaws.cognitoidentityprovider#ClientIdType",
           "traits": {
-            "smithy.api#documentation": "<p>The ID of the client associated with the user pool.</p>"
+            "smithy.api#documentation": "<p>The ID of the app client.</p>"
           }
         },
         "ClientSecret": {
           "target": "com.amazonaws.cognitoidentityprovider#ClientSecretType",
           "traits": {
-            "smithy.api#documentation": "<p>The client secret from the user pool request of the client type.</p>"
+            "smithy.api#documentation": "<p>The app client secret.</p>"
           }
         },
         "LastModifiedDate": {
@@ -15413,7 +16799,7 @@
         "TokenValidityUnits": {
           "target": "com.amazonaws.cognitoidentityprovider#TokenValidityUnitsType",
           "traits": {
-            "smithy.api#documentation": "<p>The time units used to specify the token validity times of each token type: ID,\n            access, and refresh.</p>"
+            "smithy.api#documentation": "<p>The time units that, with <code>IdTokenValidity</code>,\n                <code>AccessTokenValidity</code>, and <code>RefreshTokenValidity</code>, set and\n            display the duration of ID, access, and refresh tokens for an app client. You can assign\n            a separate token validity unit to each type of token. </p>"
           }
         },
         "ReadAttributes": {
@@ -15431,13 +16817,13 @@
         "ExplicitAuthFlows": {
           "target": "com.amazonaws.cognitoidentityprovider#ExplicitAuthFlowsListType",
           "traits": {
-            "smithy.api#documentation": "<p>The authentication flows that you want your user pool client to support. For each app client in your user pool, you can sign in \nyour users with any combination of one or more flows, including with a user name and Secure Remote Password (SRP), a user name and \npassword, or a custom authentication process that you define with Lambda functions.</p>\n         <note>\n            <p>If you don't specify a value for <code>ExplicitAuthFlows</code>, your user client supports <code>ALLOW_REFRESH_TOKEN_AUTH</code>, <code>ALLOW_USER_SRP_AUTH</code>, and <code>ALLOW_CUSTOM_AUTH</code>.</p>\n         </note>\n         <p>Valid values include:</p>\n         <ul>\n            <li>\n               <p>\n                  <code>ALLOW_ADMIN_USER_PASSWORD_AUTH</code>: Enable admin based user password\n            authentication flow <code>ADMIN_USER_PASSWORD_AUTH</code>. This setting replaces\n            the <code>ADMIN_NO_SRP_AUTH</code> setting. With this authentication flow, your app\n            passes a user name and password to Amazon Cognito in the request, instead of using the Secure \n            Remote Password (SRP) protocol to securely transmit the password.</p>\n            </li>\n            <li>\n               <p>\n                  <code>ALLOW_CUSTOM_AUTH</code>: Enable Lambda trigger based\n            authentication.</p>\n            </li>\n            <li>\n               <p>\n                  <code>ALLOW_USER_PASSWORD_AUTH</code>: Enable user password-based\n            authentication. In this flow, Amazon Cognito receives the password in the request instead\n            of using the SRP protocol to verify passwords.</p>\n            </li>\n            <li>\n               <p>\n                  <code>ALLOW_USER_SRP_AUTH</code>: Enable SRP-based authentication.</p>\n            </li>\n            <li>\n               <p>\n                  <code>ALLOW_REFRESH_TOKEN_AUTH</code>: Enable authflow to refresh\n            tokens.</p>\n            </li>\n         </ul>\n         <p>In some environments, you will see the values <code>ADMIN_NO_SRP_AUTH</code>, <code>CUSTOM_AUTH_FLOW_ONLY</code>, or <code>USER_PASSWORD_AUTH</code>. \nYou can't assign these legacy <code>ExplicitAuthFlows</code> values to user pool clients at the same time as values that begin with <code>ALLOW_</code>,\nlike <code>ALLOW_USER_SRP_AUTH</code>.</p>"
+            "smithy.api#documentation": "<p>The authentication flows that you want your user pool client to support. For each app client in your user pool, you can sign in \nyour users with any combination of one or more flows, including with a user name and Secure Remote Password (SRP), a user name and \npassword, or a custom authentication process that you define with Lambda functions.</p>\n         <note>\n            <p>If you don't specify a value for <code>ExplicitAuthFlows</code>, your user client supports <code>ALLOW_REFRESH_TOKEN_AUTH</code>, <code>ALLOW_USER_SRP_AUTH</code>, and <code>ALLOW_CUSTOM_AUTH</code>.</p>\n         </note>\n         <p>Valid values include:</p>\n         <ul>\n            <li>\n               <p>\n                  <code>ALLOW_USER_AUTH</code>: Enable selection-based sign-in\n            with <code>USER_AUTH</code>. This setting covers username-password,\n            secure remote password (SRP), passwordless, and passkey authentication.\n            This authentiation flow can do username-password and SRP authentication\n            without other <code>ExplicitAuthFlows</code> permitting them. For example\n            users can complete an SRP challenge through <code>USER_AUTH</code> \n            without the flow <code>USER_SRP_AUTH</code> being active for the app\n            client. This flow doesn't include <code>CUSTOM_AUTH</code>.\n        </p>\n            </li>\n            <li>\n               <p>\n                  <code>ALLOW_ADMIN_USER_PASSWORD_AUTH</code>: Enable admin based user password\n            authentication flow <code>ADMIN_USER_PASSWORD_AUTH</code>. This setting replaces\n            the <code>ADMIN_NO_SRP_AUTH</code> setting. With this authentication flow, your app\n            passes a user name and password to Amazon Cognito in the request, instead of using the Secure \n            Remote Password (SRP) protocol to securely transmit the password.</p>\n            </li>\n            <li>\n               <p>\n                  <code>ALLOW_CUSTOM_AUTH</code>: Enable Lambda trigger based\n            authentication.</p>\n            </li>\n            <li>\n               <p>\n                  <code>ALLOW_USER_PASSWORD_AUTH</code>: Enable user password-based\n            authentication. In this flow, Amazon Cognito receives the password in the request instead\n            of using the SRP protocol to verify passwords.</p>\n            </li>\n            <li>\n               <p>\n                  <code>ALLOW_USER_SRP_AUTH</code>: Enable SRP-based authentication.</p>\n            </li>\n            <li>\n               <p>\n                  <code>ALLOW_REFRESH_TOKEN_AUTH</code>: Enable authflow to refresh\n            tokens.</p>\n            </li>\n         </ul>\n         <p>In some environments, you will see the values <code>ADMIN_NO_SRP_AUTH</code>, <code>CUSTOM_AUTH_FLOW_ONLY</code>, or <code>USER_PASSWORD_AUTH</code>. \nYou can't assign these legacy <code>ExplicitAuthFlows</code> values to user pool clients at the same time as values that begin with <code>ALLOW_</code>,\nlike <code>ALLOW_USER_SRP_AUTH</code>.</p>"
           }
         },
         "SupportedIdentityProviders": {
           "target": "com.amazonaws.cognitoidentityprovider#SupportedIdentityProvidersListType",
           "traits": {
-            "smithy.api#documentation": "<p>A list of provider names for the IdPs that this client supports. The following are\n            supported: <code>COGNITO</code>, <code>Facebook</code>, <code>Google</code>,\n                <code>SignInWithApple</code>, <code>LoginWithAmazon</code>, and the names of your\n            own SAML and OIDC providers.</p>"
+            "smithy.api#documentation": "<p>A list of provider names for the identity providers (IdPs) that are supported on this\n            client. The following are supported: <code>COGNITO</code>, <code>Facebook</code>,\n                <code>Google</code>, <code>SignInWithApple</code>, and <code>LoginWithAmazon</code>.\n            You can also specify the names that you configured for the SAML and OIDC IdPs in your\n            user pool, for example <code>MySAMLIdP</code> or <code>MyOIDCIdP</code>.</p>\n         <p>This setting applies to providers that you can access with the <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-app-integration.html\">hosted\n                UI and OAuth 2.0 authorization server</a>. The removal of <code>COGNITO</code>\n            from this list doesn't prevent authentication operations for local users with the\n            user pools API in an Amazon Web Services SDK. The only way to prevent API-based authentication is to\n            block access with a <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-waf.html\">WAF rule</a>.</p>"
           }
         },
         "CallbackURLs": {
@@ -15461,13 +16847,13 @@
         "AllowedOAuthFlows": {
           "target": "com.amazonaws.cognitoidentityprovider#OAuthFlowsType",
           "traits": {
-            "smithy.api#documentation": "<p>The allowed OAuth flows.</p>\n         <dl>\n            <dt>code</dt>\n            <dd>\n               <p>Use a code grant flow, which provides an authorization code as the\n                        response. This code can be exchanged for access tokens with the\n                            <code>/oauth2/token</code> endpoint.</p>\n            </dd>\n            <dt>implicit</dt>\n            <dd>\n               <p>Issue the access token (and, optionally, ID token, based on scopes)\n                        directly to your user.</p>\n            </dd>\n            <dt>client_credentials</dt>\n            <dd>\n               <p>Issue the access token from the <code>/oauth2/token</code> endpoint\n                        directly to a non-person user using a combination of the client ID and\n                        client secret.</p>\n            </dd>\n         </dl>"
+            "smithy.api#documentation": "<p>The OAuth grant types that you want your app client to generate. To create an app\n            client that generates client credentials grants, you must add\n                <code>client_credentials</code> as the only allowed OAuth flow.</p>\n         <dl>\n            <dt>code</dt>\n            <dd>\n               <p>Use a code grant flow, which provides an authorization code as the\n                        response. This code can be exchanged for access tokens with the\n                            <code>/oauth2/token</code> endpoint.</p>\n            </dd>\n            <dt>implicit</dt>\n            <dd>\n               <p>Issue the access token (and, optionally, ID token, based on scopes)\n                        directly to your user.</p>\n            </dd>\n            <dt>client_credentials</dt>\n            <dd>\n               <p>Issue the access token from the <code>/oauth2/token</code> endpoint\n                        directly to a non-person user using a combination of the client ID and\n                        client secret.</p>\n            </dd>\n         </dl>"
           }
         },
         "AllowedOAuthScopes": {
           "target": "com.amazonaws.cognitoidentityprovider#ScopeListType",
           "traits": {
-            "smithy.api#documentation": "<p>The OAuth scopes that your app client supports. Possible values that OAuth provides\n            are <code>phone</code>, <code>email</code>, <code>openid</code>, and\n                <code>profile</code>. Possible values that Amazon Web Services provides are\n                <code>aws.cognito.signin.user.admin</code>. Amazon Cognito also supports custom scopes that\n            you create in Resource Servers.</p>"
+            "smithy.api#documentation": "<p>The OAuth 2.0 scopes that you want your app client to support. Can include standard\n            OAuth scopes like <code>phone</code>, <code>email</code>, <code>openid</code>, and\n                <code>profile</code>. Can also include the\n                <code>aws.cognito.signin.user.admin</code> scope that authorizes user profile\n            self-service operations and custom scopes from resource servers.</p>"
           }
         },
         "AllowedOAuthFlowsUserPoolClient": {
@@ -15480,7 +16866,7 @@
         "AnalyticsConfiguration": {
           "target": "com.amazonaws.cognitoidentityprovider#AnalyticsConfigurationType",
           "traits": {
-            "smithy.api#documentation": "<p>The Amazon Pinpoint analytics configuration for the user pool client.</p>\n         <note>\n            <p>Amazon Cognito user pools only support sending events to Amazon Pinpoint projects in the US East\n                (N. Virginia) us-east-1 Region, regardless of the Region where the user pool\n                resides.</p>\n         </note>"
+            "smithy.api#documentation": "<p>The user pool analytics configuration for collecting metrics and sending them to your\n            Amazon Pinpoint campaign.</p>\n         <note>\n            <p>In Amazon Web Services Regions where Amazon Pinpoint isn't available, user pools only support sending\n                events to Amazon Pinpoint projects in Amazon Web Services Region us-east-1. In Regions where Amazon Pinpoint is\n                available, user pools support sending events to Amazon Pinpoint projects within that same\n                Region.</p>\n         </note>"
           }
         },
         "PreventUserExistenceErrors": {
@@ -15509,7 +16895,7 @@
         }
       },
       "traits": {
-        "smithy.api#documentation": "<p>Contains information about a user pool client.</p>"
+        "smithy.api#documentation": "<p>The configuration of a user pool client.</p>\n         <p>This data type is a request parameter of <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPoolClient.html\">CreateUserPoolClient</a> and <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPoolClient.html\">UpdateUserPoolClient</a>, and a response parameter of\n                <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPoolClient.html\">DescribeUserPoolClient</a>.</p>"
       }
     },
     "com.amazonaws.cognitoidentityprovider#UserPoolDescriptionType": {
@@ -15518,19 +16904,19 @@
         "Id": {
           "target": "com.amazonaws.cognitoidentityprovider#UserPoolIdType",
           "traits": {
-            "smithy.api#documentation": "<p>The ID in a user pool description.</p>"
+            "smithy.api#documentation": "<p>The user pool ID.</p>"
           }
         },
         "Name": {
           "target": "com.amazonaws.cognitoidentityprovider#UserPoolNameType",
           "traits": {
-            "smithy.api#documentation": "<p>The name in a user pool description.</p>"
+            "smithy.api#documentation": "<p>The user pool name.</p>"
           }
         },
         "LambdaConfig": {
           "target": "com.amazonaws.cognitoidentityprovider#LambdaConfigType",
           "traits": {
-            "smithy.api#documentation": "<p>The Lambda configuration information in a user pool description.</p>"
+            "smithy.api#documentation": "<p>A collection of user pool Lambda triggers. Amazon Cognito invokes triggers at several possible\n            stages of user pool operations. Triggers can modify the outcome of the operations that\n            invoked them.</p>"
           }
         },
         "Status": {
@@ -15539,7 +16925,7 @@
             "smithy.api#deprecated": {
               "message": "This property is no longer available."
             },
-            "smithy.api#documentation": "<p>The user pool status in a user pool description.</p>"
+            "smithy.api#documentation": "<p>The user pool status.</p>"
           }
         },
         "LastModifiedDate": {
@@ -15556,7 +16942,7 @@
         }
       },
       "traits": {
-        "smithy.api#documentation": "<p>A user pool description.</p>"
+        "smithy.api#documentation": "<p>A short description of a user pool.</p>\n         <p>This data type is a response parameter of <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_ListUserPools.html\">ListUserPools</a>. </p>"
       }
     },
     "com.amazonaws.cognitoidentityprovider#UserPoolIdType": {
@@ -15614,12 +17000,18 @@
         "PasswordPolicy": {
           "target": "com.amazonaws.cognitoidentityprovider#PasswordPolicyType",
           "traits": {
-            "smithy.api#documentation": "<p>The password policy.</p>"
+            "smithy.api#documentation": "<p>The password policy settings for a user pool, including complexity, history, and\n            length requirements.</p>"
+          }
+        },
+        "SignInPolicy": {
+          "target": "com.amazonaws.cognitoidentityprovider#SignInPolicyType",
+          "traits": {
+            "smithy.api#documentation": "<p>The policy for allowed types of authentication in a user pool.</p>"
           }
         }
       },
       "traits": {
-        "smithy.api#documentation": "<p>The policy associated with a user pool.</p>"
+        "smithy.api#documentation": "<p>A list of user pool policies. Contains the policy that sets password-complexity\n            requirements.</p>\n         <p>This data type is a request and response parameter of <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html\">CreateUserPool</a> and <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html\">UpdateUserPool</a>, and a response parameter of <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html\">DescribeUserPool</a>.</p>"
       }
     },
     "com.amazonaws.cognitoidentityprovider#UserPoolTaggingException": {
@@ -15650,6 +17042,29 @@
         "target": "com.amazonaws.cognitoidentityprovider#TagValueType"
       }
     },
+    "com.amazonaws.cognitoidentityprovider#UserPoolTierType": {
+      "type": "enum",
+      "members": {
+        "LITE": {
+          "target": "smithy.api#Unit",
+          "traits": {
+            "smithy.api#enumValue": "LITE"
+          }
+        },
+        "ESSENTIALS": {
+          "target": "smithy.api#Unit",
+          "traits": {
+            "smithy.api#enumValue": "ESSENTIALS"
+          }
+        },
+        "PLUS": {
+          "target": "smithy.api#Unit",
+          "traits": {
+            "smithy.api#enumValue": "PLUS"
+          }
+        }
+      }
+    },
     "com.amazonaws.cognitoidentityprovider#UserPoolType": {
       "type": "structure",
       "members": {
@@ -15668,7 +17083,7 @@
         "Policies": {
           "target": "com.amazonaws.cognitoidentityprovider#UserPoolPolicyType",
           "traits": {
-            "smithy.api#documentation": "<p>The policies associated with the user pool.</p>"
+            "smithy.api#documentation": "<p>A list of user pool policies. Contains the policy that sets password-complexity\n            requirements.</p>"
           }
         },
         "DeletionProtection": {
@@ -15680,7 +17095,7 @@
         "LambdaConfig": {
           "target": "com.amazonaws.cognitoidentityprovider#LambdaConfigType",
           "traits": {
-            "smithy.api#documentation": "<p>The Lambda triggers associated with the user pool.</p>"
+            "smithy.api#documentation": "<p>A collection of user pool Lambda triggers. Amazon Cognito invokes triggers at several possible\n            stages of user pool operations. Triggers can modify the outcome of the operations that\n            invoked them.</p>"
           }
         },
         "Status": {
@@ -15707,7 +17122,7 @@
         "SchemaAttributes": {
           "target": "com.amazonaws.cognitoidentityprovider#SchemaAttributesListType",
           "traits": {
-            "smithy.api#documentation": "<p>A list of the user attributes and their properties in your user pool. The attribute\n            schema contains standard attributes, custom attributes with a <code>custom:</code>\n            prefix, and developer attributes with a <code>dev:</code> prefix. For more information,\n            see <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html\">User pool\n                attributes</a>.</p>\n         <p>Developer-only attributes are a legacy feature of user pools, are read-only to all app\n            clients. You can create and update developer-only attributes only with IAM-authenticated\n            API operations. Use app client read/write permissions instead.</p>"
+            "smithy.api#documentation": "<p>A list of the user attributes and their properties in your user pool. The attribute\n            schema contains standard attributes, custom attributes with a <code>custom:</code>\n            prefix, and developer attributes with a <code>dev:</code> prefix. For more information,\n            see <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html\">User pool\n                attributes</a>.</p>\n         <p>Developer-only attributes are a legacy feature of user pools, and are read-only to all\n            app clients. You can create and update developer-only attributes only with\n            IAM-authenticated API operations. Use app client read/write permissions instead.</p>"
           }
         },
         "AutoVerifiedAttributes": {
@@ -15719,7 +17134,7 @@
         "AliasAttributes": {
           "target": "com.amazonaws.cognitoidentityprovider#AliasAttributesListType",
           "traits": {
-            "smithy.api#documentation": "<p>The attributes that are aliased in a user pool.</p>"
+            "smithy.api#documentation": "<p>Attributes supported as an alias for this user pool. An alias is an attribute that\n            users can enter as an alternative username. Possible values: <b>phone_number</b>, <b>email</b>, or <b>preferred_username</b>.</p>"
           }
         },
         "UsernameAttributes": {
@@ -15749,7 +17164,7 @@
         "VerificationMessageTemplate": {
           "target": "com.amazonaws.cognitoidentityprovider#VerificationMessageTemplateType",
           "traits": {
-            "smithy.api#documentation": "<p>The template for verification messages.</p>"
+            "smithy.api#documentation": "<p>The template for the verification message that your user pool delivers to users who\n            set an email address or phone number attribute.</p>"
           }
         },
         "SmsAuthenticationMessage": {
@@ -15792,7 +17207,7 @@
         "SmsConfiguration": {
           "target": "com.amazonaws.cognitoidentityprovider#SmsConfigurationType",
           "traits": {
-            "smithy.api#documentation": "<p>The SMS configuration with the settings that your Amazon Cognito user pool must use to send an\n            SMS message from your Amazon Web Services account through Amazon Simple Notification Service. To send SMS messages\n            with Amazon SNS in the Amazon Web Services Region that you want, the Amazon Cognito user pool uses an Identity and Access Management\n            (IAM) role in your Amazon Web Services account.</p>"
+            "smithy.api#documentation": "<p>User pool configuration for delivery of SMS messages with Amazon Simple Notification Service. To send SMS\n            messages with Amazon SNS in the Amazon Web Services Region that you want, the Amazon Cognito user pool uses an\n            Identity and Access Management (IAM) role in your Amazon Web Services account.</p>"
           }
         },
         "UserPoolTags": {
@@ -15840,13 +17255,13 @@
         "UsernameConfiguration": {
           "target": "com.amazonaws.cognitoidentityprovider#UsernameConfigurationType",
           "traits": {
-            "smithy.api#documentation": "<p>Case sensitivity of the username input for the selected sign-in option. For example,\n            when case sensitivity is set to <code>False</code>, users can sign in using either\n            \"username\" or \"Username\". This configuration is immutable once it has been set. For more\n            information, see <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UsernameConfigurationType.html\">UsernameConfigurationType</a>.</p>"
+            "smithy.api#documentation": "<p>Case sensitivity of the username input for the selected sign-in option. When case\n            sensitivity is set to <code>False</code> (case insensitive), users can sign in with any\n            combination of capital and lowercase letters. For example, <code>username</code>,\n                <code>USERNAME</code>, or <code>UserName</code>, or for email,\n                <code>email@example.com</code> or <code>EMaiL@eXamplE.Com</code>. For most use\n            cases, set case sensitivity to <code>False</code> (case insensitive) as a best practice.\n            When usernames and email addresses are case insensitive, Amazon Cognito treats any variation in\n            case as the same user, and prevents a case variation from being assigned to the same\n            attribute for a different user.</p>\n         <p>This configuration is immutable after you set it. For more information, see <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UsernameConfigurationType.html\">UsernameConfigurationType</a>.</p>"
           }
         },
         "Arn": {
           "target": "com.amazonaws.cognitoidentityprovider#ArnType",
           "traits": {
-            "smithy.api#documentation": "<p>The Amazon Resource Name (ARN) for the user pool.</p>"
+            "smithy.api#documentation": "<p>The Amazon Resource Name (ARN) of the user pool.</p>"
           }
         },
         "AccountRecoverySetting": {
@@ -15854,10 +17269,16 @@
           "traits": {
             "smithy.api#documentation": "<p>The available verified method a user can use to recover their password when they call\n                <code>ForgotPassword</code>. You can use this setting to define a preferred method\n            when a user has more than one method available. With this setting, SMS doesn't qualify\n            for a valid password recovery mechanism if the user also has SMS multi-factor\n            authentication (MFA) activated. In the absence of this setting, Amazon Cognito uses the legacy\n            behavior to determine the recovery method where SMS is preferred through email.</p>"
           }
+        },
+        "UserPoolTier": {
+          "target": "com.amazonaws.cognitoidentityprovider#UserPoolTierType",
+          "traits": {
+            "smithy.api#documentation": "<p>The user pool <a href=\"https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-sign-in-feature-plans.html\">feature plan</a>, or tier. This parameter determines the\n            eligibility of the user pool for features like managed login, access-token\n            customization, and threat protection. Defaults to <code>ESSENTIALS</code>.</p>"
+          }
         }
       },
       "traits": {
-        "smithy.api#documentation": "<p>A container for information about the user pool.</p>"
+        "smithy.api#documentation": "<p>The configuration of a user pool.</p>\n         <p>This data type is a response parameter of <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html\">CreateUserPool</a>, <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html\">UpdateUserPool</a>, and <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html\">DescribeUserPool</a>.</p>"
       }
     },
     "com.amazonaws.cognitoidentityprovider#UserStatusType": {
@@ -15919,19 +17340,19 @@
         "Username": {
           "target": "com.amazonaws.cognitoidentityprovider#UsernameType",
           "traits": {
-            "smithy.api#documentation": "<p>The user name of the user you want to describe.</p>"
+            "smithy.api#documentation": "<p>The user's username.</p>"
           }
         },
         "Attributes": {
           "target": "com.amazonaws.cognitoidentityprovider#AttributeListType",
           "traits": {
-            "smithy.api#documentation": "<p>A container with information about the user type attributes.</p>"
+            "smithy.api#documentation": "<p>Names and values of a user's attributes, for example <code>email</code>.</p>"
           }
         },
         "UserCreateDate": {
           "target": "com.amazonaws.cognitoidentityprovider#DateType",
           "traits": {
-            "smithy.api#documentation": "<p>The creation date of the user.</p>"
+            "smithy.api#documentation": "<p>The date and time when the item was created. Amazon Cognito returns this timestamp in UNIX epoch time format. Your SDK might render the output in a \nhuman-readable format like ISO 8601 or a Java <code>Date</code> object.</p>"
           }
         },
         "UserLastModifiedDate": {
@@ -15944,7 +17365,7 @@
           "target": "com.amazonaws.cognitoidentityprovider#BooleanType",
           "traits": {
             "smithy.api#default": false,
-            "smithy.api#documentation": "<p>Specifies whether the user is enabled.</p>"
+            "smithy.api#documentation": "<p>Indicates whether the user's account is enabled or disabled.</p>"
           }
         },
         "UserStatus": {
@@ -15956,12 +17377,29 @@
         "MFAOptions": {
           "target": "com.amazonaws.cognitoidentityprovider#MFAOptionListType",
           "traits": {
-            "smithy.api#documentation": "<p>The MFA options for the user.</p>"
+            "smithy.api#documentation": "<p>The user's MFA configuration.</p>"
           }
         }
       },
       "traits": {
-        "smithy.api#documentation": "<p>A user profile in a Amazon Cognito user pool.</p>"
+        "smithy.api#documentation": "<p>A user profile in a Amazon Cognito user pool.</p>\n         <p>This data type is a response parameter to <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminCreateUser.html\">AdminCreateUser</a> and <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_ListUsers.html\">ListUsers</a>. </p>"
+      }
+    },
+    "com.amazonaws.cognitoidentityprovider#UserVerificationType": {
+      "type": "enum",
+      "members": {
+        "REQUIRED": {
+          "target": "smithy.api#Unit",
+          "traits": {
+            "smithy.api#enumValue": "required"
+          }
+        },
+        "PREFERRED": {
+          "target": "smithy.api#Unit",
+          "traits": {
+            "smithy.api#enumValue": "preferred"
+          }
+        }
       }
     },
     "com.amazonaws.cognitoidentityprovider#UsernameAttributeType": {
@@ -15993,13 +17431,13 @@
         "CaseSensitive": {
           "target": "com.amazonaws.cognitoidentityprovider#WrappedBooleanType",
           "traits": {
-            "smithy.api#documentation": "<p>Specifies whether user name case sensitivity will be applied for all users in the user\n            pool through Amazon Cognito APIs. For most use cases, set case sensitivity to <code>False</code>\n            (case insensitive) as a best practice. When usernames and email addresses are case\n            insensitive, users can sign in as the same user when they enter a different\n            capitalization of their user name.</p>\n         <p>Valid values include:</p>\n         <dl>\n            <dt>True</dt>\n            <dd>\n               <p>Enables case sensitivity for all username input. When this option is set\n                        to <code>True</code>, users must sign in using the exact capitalization of\n                        their given username, such as “UserName”. This is the default value.</p>\n            </dd>\n            <dt>False</dt>\n            <dd>\n               <p>Enables case insensitivity for all username input. For example, when this\n                        option is set to <code>False</code>, users can sign in using\n                            <code>username</code>, <code>USERNAME</code>, or <code>UserName</code>.\n                        This option also enables both <code>preferred_username</code> and\n                            <code>email</code> alias to be case insensitive, in addition to the\n                            <code>username</code> attribute.</p>\n            </dd>\n         </dl>",
+            "smithy.api#documentation": "<p>Specifies whether user name case sensitivity will be applied for all users in the user\n            pool through Amazon Cognito APIs. For most use cases, set case sensitivity to <code>False</code>\n            (case insensitive) as a best practice. When usernames and email addresses are case\n            insensitive, users can sign in as the same user when they enter a different\n            capitalization of their user name.</p>\n         <p>Valid values include:</p>\n         <dl>\n            <dt>true</dt>\n            <dd>\n               <p>Enables case sensitivity for all username input. When this option is set\n                        to <code>true</code>, users must sign in using the exact capitalization of\n                        their given username, such as “UserName”. This is the default value.</p>\n            </dd>\n            <dt>false</dt>\n            <dd>\n               <p>Enables case insensitivity for all username input. For example, when this\n                        option is set to <code>false</code>, users can sign in using\n                            <code>username</code>, <code>USERNAME</code>, or <code>UserName</code>.\n                        This option also enables both <code>preferred_username</code> and\n                            <code>email</code> alias to be case insensitive, in addition to the\n                            <code>username</code> attribute.</p>\n            </dd>\n         </dl>",
             "smithy.api#required": {}
           }
         }
       },
       "traits": {
-        "smithy.api#documentation": "<p>The username configuration type. </p>"
+        "smithy.api#documentation": "<p>The configuration of a user pool for username case sensitivity.</p>\n         <p>This data type is a request and response parameter of <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html\">CreateUserPool</a> and <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html\">UpdateUserPool</a>, and a response parameter of <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html\">DescribeUserPool</a>.</p>"
       }
     },
     "com.amazonaws.cognitoidentityprovider#UsernameExistsException": {
@@ -16071,12 +17509,12 @@
         "DefaultEmailOption": {
           "target": "com.amazonaws.cognitoidentityprovider#DefaultEmailOptionType",
           "traits": {
-            "smithy.api#documentation": "<p>The default email option.</p>"
+            "smithy.api#documentation": "<p>The configuration of verification emails to contain a clickable link or a verification\n            code.</p>\n         <p>For link, your template body must contain link text in the format <code>{##Click\n                here##}</code>. \"Click here\" in the example is a customizable string. For code, your\n            template body must contain a code placeholder in the format <code>{####}</code>.</p>"
           }
         }
       },
       "traits": {
-        "smithy.api#documentation": "<p>The template for verification messages.</p>"
+        "smithy.api#documentation": "<p>The template for the verification message that your user pool delivers to users who\n            set an email address or phone number attribute.</p>\n         <p>This data type is a request and response parameter of <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html\">CreateUserPool</a> and <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html\">UpdateUserPool</a>, and a response parameter of <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_DescribeUserPool.html\">DescribeUserPool</a>.</p>"
       }
     },
     "com.amazonaws.cognitoidentityprovider#VerifiedAttributeType": {
@@ -16320,8 +17758,198 @@
         "smithy.api#output": {}
       }
     },
+    "com.amazonaws.cognitoidentityprovider#WebAuthnAuthenticatorAttachmentType": {
+      "type": "string"
+    },
+    "com.amazonaws.cognitoidentityprovider#WebAuthnAuthenticatorTransportType": {
+      "type": "string"
+    },
+    "com.amazonaws.cognitoidentityprovider#WebAuthnAuthenticatorTransportsList": {
+      "type": "list",
+      "member": {
+        "target": "com.amazonaws.cognitoidentityprovider#WebAuthnAuthenticatorTransportType"
+      }
+    },
+    "com.amazonaws.cognitoidentityprovider#WebAuthnChallengeNotFoundException": {
+      "type": "structure",
+      "members": {
+        "message": {
+          "target": "com.amazonaws.cognitoidentityprovider#MessageType"
+        }
+      },
+      "traits": {
+        "smithy.api#documentation": "<p>This exception is thrown when the challenge from <code>StartWebAuthn</code>\n            registration has expired.</p>",
+        "smithy.api#error": "client",
+        "smithy.api#httpError": 400
+      }
+    },
+    "com.amazonaws.cognitoidentityprovider#WebAuthnClientMismatchException": {
+      "type": "structure",
+      "members": {
+        "message": {
+          "target": "com.amazonaws.cognitoidentityprovider#MessageType"
+        }
+      },
+      "traits": {
+        "smithy.api#documentation": "<p>This exception is thrown when the access token is for a different client than the one\n            in the original <code>StartWebAuthnRegistration</code> request.</p>",
+        "smithy.api#error": "client",
+        "smithy.api#httpError": 400
+      }
+    },
+    "com.amazonaws.cognitoidentityprovider#WebAuthnConfigurationMissingException": {
+      "type": "structure",
+      "members": {
+        "message": {
+          "target": "com.amazonaws.cognitoidentityprovider#MessageType"
+        }
+      },
+      "traits": {
+        "smithy.api#documentation": "<p>This exception is thrown when a user pool doesn't have a configured relying party\n            id or a user pool domain.</p>",
+        "smithy.api#error": "client",
+        "smithy.api#httpError": 400
+      }
+    },
+    "com.amazonaws.cognitoidentityprovider#WebAuthnConfigurationType": {
+      "type": "structure",
+      "members": {
+        "RelyingPartyId": {
+          "target": "com.amazonaws.cognitoidentityprovider#RelyingPartyIdType",
+          "traits": {
+            "smithy.api#documentation": "<p>Sets or displays the authentication domain, typically your user pool domain, that\n            passkey providers must use as a relying party (RP) in their configuration.</p>\n         <p>Under the following conditions, the passkey relying party ID must be the\n            fully-qualified domain name of your custom domain:</p>\n         <ul>\n            <li>\n               <p>The user pool is configured for passkey authentication.</p>\n            </li>\n            <li>\n               <p>The user pool has a custom domain, whether or not it also has a prefix\n                    domain.</p>\n            </li>\n            <li>\n               <p>Your application performs authentication with managed login or the classic\n                    hosted UI.</p>\n            </li>\n         </ul>"
+          }
+        },
+        "UserVerification": {
+          "target": "com.amazonaws.cognitoidentityprovider#UserVerificationType",
+          "traits": {
+            "smithy.api#documentation": "<p>Sets or displays your user-pool treatment for MFA with a passkey. You can override\n            other MFA options and require passkey MFA, or you can set it as preferred. When passkey\n            MFA is preferred, the hosted UI encourages users to register a passkey at\n            sign-in.</p>"
+          }
+        }
+      },
+      "traits": {
+        "smithy.api#documentation": "<p>Settings for multi-factor authentication (MFA) with passkey, or webauthN, biometric\n            and security-key devices in a user pool. Configures the following:</p>\n         <ul>\n            <li>\n               <p>Configuration at the user-pool level for whether you want to require passkey\n                    configuration as an MFA factor, or include it as a choice.</p>\n            </li>\n            <li>\n               <p>The user pool relying-party ID. This is the user pool domain that user's\n                    passkey providers should trust as a receiver of passkey authentication.</p>\n            </li>\n            <li>\n               <p>The providers that you want to allow as origins for passkey\n                    authentication.</p>\n            </li>\n         </ul>\n         <p>This data type is a request parameter of <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SetUserPoolMfaConfig.html\">SetUserPoolMfaConfig</a> and a response parameter of <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_GetUserPoolMfaConfig.html\">GetUserPoolMfaConfig</a>. </p>"
+      }
+    },
+    "com.amazonaws.cognitoidentityprovider#WebAuthnCredentialDescription": {
+      "type": "structure",
+      "members": {
+        "CredentialId": {
+          "target": "com.amazonaws.cognitoidentityprovider#StringType",
+          "traits": {
+            "smithy.api#documentation": "<p>The unique identifier of the passkey credential.</p>",
+            "smithy.api#required": {}
+          }
+        },
+        "FriendlyCredentialName": {
+          "target": "com.amazonaws.cognitoidentityprovider#StringType",
+          "traits": {
+            "smithy.api#documentation": "<p>An automatically-generated friendly name for the passkey credential.</p>",
+            "smithy.api#required": {}
+          }
+        },
+        "RelyingPartyId": {
+          "target": "com.amazonaws.cognitoidentityprovider#StringType",
+          "traits": {
+            "smithy.api#documentation": "<p>The relying-party ID of the provider for the passkey credential.</p>",
+            "smithy.api#required": {}
+          }
+        },
+        "AuthenticatorAttachment": {
+          "target": "com.amazonaws.cognitoidentityprovider#WebAuthnAuthenticatorAttachmentType",
+          "traits": {
+            "smithy.api#documentation": "<p>The general category of the passkey authenticator. Can be a platform, or on-device\n            authenticator like a built-in fingerprint scanner, or a cross-platform device that's not\n            attached to the device like a Bluetooth security key.</p>"
+          }
+        },
+        "AuthenticatorTransports": {
+          "target": "com.amazonaws.cognitoidentityprovider#WebAuthnAuthenticatorTransportsList",
+          "traits": {
+            "smithy.api#documentation": "<p>Information about the transport methods of the passkey credential, for example USB or\n            Bluetooth Low Energy.</p>",
+            "smithy.api#required": {}
+          }
+        },
+        "CreatedAt": {
+          "target": "com.amazonaws.cognitoidentityprovider#DateType",
+          "traits": {
+            "smithy.api#documentation": "<p>The date and time when the item was created. Amazon Cognito returns this timestamp in UNIX epoch time format. Your SDK might render the output in a \nhuman-readable format like ISO 8601 or a Java <code>Date</code> object.</p>",
+            "smithy.api#required": {}
+          }
+        }
+      },
+      "traits": {
+        "smithy.api#documentation": "<p>The details of a passkey, or webauthN, biometric or security-key authentication factor\n            for a user.</p>\n         <p>This data type is a response parameter of <a href=\"https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_ListWebAuthnCredentials.html\">ListWebAuthnCredentials</a>.</p>"
+      }
+    },
+    "com.amazonaws.cognitoidentityprovider#WebAuthnCredentialDescriptionListType": {
+      "type": "list",
+      "member": {
+        "target": "com.amazonaws.cognitoidentityprovider#WebAuthnCredentialDescription"
+      }
+    },
+    "com.amazonaws.cognitoidentityprovider#WebAuthnCredentialNotSupportedException": {
+      "type": "structure",
+      "members": {
+        "message": {
+          "target": "com.amazonaws.cognitoidentityprovider#MessageType"
+        }
+      },
+      "traits": {
+        "smithy.api#documentation": "<p>This exception is thrown when a user presents passkey credentials from an unsupported\n            device or provider.</p>",
+        "smithy.api#error": "client",
+        "smithy.api#httpError": 400
+      }
+    },
+    "com.amazonaws.cognitoidentityprovider#WebAuthnCredentialsQueryLimitType": {
+      "type": "integer",
+      "traits": {
+        "smithy.api#range": {
+          "min": 0,
+          "max": 20
+        }
+      }
+    },
+    "com.amazonaws.cognitoidentityprovider#WebAuthnNotEnabledException": {
+      "type": "structure",
+      "members": {
+        "message": {
+          "target": "com.amazonaws.cognitoidentityprovider#MessageType"
+        }
+      },
+      "traits": {
+        "smithy.api#documentation": "<p>This exception is thrown when the passkey feature isn't enabled for the user\n            pool.</p>",
+        "smithy.api#error": "client",
+        "smithy.api#httpError": 400
+      }
+    },
+    "com.amazonaws.cognitoidentityprovider#WebAuthnOriginNotAllowedException": {
+      "type": "structure",
+      "members": {
+        "message": {
+          "target": "com.amazonaws.cognitoidentityprovider#MessageType"
+        }
+      },
+      "traits": {
+        "smithy.api#documentation": "<p>This exception is thrown when the passkey credential's registration origin does not\n            align with the user pool relying party id.</p>",
+        "smithy.api#error": "client",
+        "smithy.api#httpError": 400
+      }
+    },
+    "com.amazonaws.cognitoidentityprovider#WebAuthnRelyingPartyMismatchException": {
+      "type": "structure",
+      "members": {
+        "message": {
+          "target": "com.amazonaws.cognitoidentityprovider#MessageType"
+        }
+      },
+      "traits": {
+        "smithy.api#documentation": "<p>This exception is thrown when the given passkey credential is associated with a\n            different relying party ID than the user pool relying party ID.</p>",
+        "smithy.api#error": "client",
+        "smithy.api#httpError": 400
+      }
+    },
     "com.amazonaws.cognitoidentityprovider#WrappedBooleanType": {
       "type": "boolean"
+    },
+    "com.amazonaws.cognitoidentityprovider#WrappedIntegerType": {
+      "type": "integer"
     }
   }
 }