
Cognito ForgotPassword API returns "InvalidParameterException: Cannot reset password for the user as there is no registered/verified email or phone_number" despite user having verified attributes #7101

@eaglex12


Describe the bug

I'm facing an issue with ForgotPasswordCommand. I'm passing the username, and both email and phone are verified — OTP login works fine. But Cognito still throws InvalidParameterException saying no verified email/phone exists. Could it be that I need to pass the actual Cognito username instead of the email? Any idea how to fix this?

This is the error: error: InvalidParameterException: Cannot reset password for the user as there is no registered/verified email or phone_number

Regression Issue

  • Select this option if this issue appears to be a regression.

SDK version number

@aws-sdk/package-name@version, ...

Which JavaScript Runtime is this issue in?

Node.js

Details of the browser/Node.js/ReactNative version

20.14.0

Reproduction Steps

User logs in using their email as username (email and phone are verified in Cognito).

OTP-based MFA works correctly for the user.

When calling ForgotPasswordCommand with the same username (email), Cognito returns:
InvalidParameterException: Cannot reset password for the user as there is no registered/verified email or phone_number.

Verified via admin-get-user that the user’s actual Cognito username is different (e.g., "michael.smith").

Suspected cause: ForgotPasswordCommand requires the internal Cognito username, not the email alias

Observed Behavior

When calling ForgotPasswordCommand with the user’s email as the username, the request fails with an InvalidParameterException stating there is no registered or verified email or phone number, despite both being verified and MFA via OTP working fine. Logs confirm this error with a 400 status. Using admin-get-user, the actual Cognito username differs from the email, indicating that ForgotPasswordCommand requires the internal username rather than the email alias.

Expected Behavior

When calling ForgotPasswordCommand with the correct username (email or internal username), the request should succeed and return a response containing CodeDeliveryDetails with information about where and how the verification code was sent, for example:
{
  "CodeDeliveryDetails": {
    "Destination": "user's email or phone",
    "DeliveryMedium": "EMAIL" or "SMS",
    "AttributeName": "email" or "phone_number"
  }
}

Possible Solution

No response

Additional Information/Context

No response
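
A check that fits the admin-get-user step in the report above, as an added example that is not part of the original issue or of the AWS SDK: it reads an AdminGetUser-shaped response and reports which recovery attributes are flagged verified and whether the identifier supplied was an alias rather than the stored Username. The sample user is constructed (only the username michael.smith comes from the issue), and diagnoseRecovery is a hypothetical helper name.

```javascript
// Added example (not from the issue): inspect an AdminGetUser-shaped response.
// Field names follow the Cognito AdminGetUser response; sample data is constructed.
function diagnoseRecovery(user, supplied) {
  const attrs = Object.fromEntries(
    (user.UserAttributes || []).map(({ Name, Value }) => [Name, Value])
  );
  const verifiedChannels = [];
  const findings = [];
  for (const [attr, flag] of [["email", "email_verified"],
                              ["phone_number", "phone_number_verified"]]) {
    if (!attrs[attr]) {
      findings.push(`${attr} is not set`);
    } else if (attrs[flag] !== "true") {
      // Flags are stored as strings; a missing flag is as unusable as "false".
      findings.push(`${attr} is set but ${flag} is ${attrs[flag] ?? "missing"}`);
    } else {
      verifiedChannels.push(attr);
    }
  }
  // True when the caller passed an alias value instead of the stored Username.
  const suppliedIsAlias =
    Boolean(supplied) &&
    supplied !== user.Username &&
    [attrs.email, attrs.phone_number, attrs.preferred_username].includes(supplied);
  return { username: user.Username, suppliedIsAlias, verifiedChannels, findings };
}

// Constructed sample: username taken from the issue, attribute values invented.
const sampleUser = {
  Username: "michael.smith",
  UserStatus: "CONFIRMED",
  Enabled: true,
  UserAttributes: [
    { Name: "email", Value: "michael.smith@example.com" },
    { Name: "phone_number", Value: "+15555550100" },
    { Name: "phone_number_verified", Value: "false" },
  ],
};

const report = diagnoseRecovery(sampleUser, "michael.smith@example.com");
console.log(JSON.stringify(report, null, 2));
```

An empty verifiedChannels list means the profile itself has no attribute flagged "true", whichever identifier is passed as the username.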

Labels: bug (This issue is a bug.), closed-for-staleness, p3 (This is a minor priority issue)