# Cognito OTP Generate

div
div
Client SDK
div
Backend API
div
Mobile approve
div
SSO
div
Sub-journey
> Generates and sends a one-time passcode via email or SMS using AWS Cognito


## Description

This step generates a one-time passcode (OTP) and sends it to the user via email or SMS through AWS Cognito–an external identity provider. It is used for Just-In-Time (JIT) migration scenarios where users are gradually migrated from Cognito to Mosaic as they log in.

Before using this step, configure a [Cognito connection](/guides/orchestration/external-connections/external_idp) in Integration Hub.

The user identifier must be obtained before initiating this step, such as using a [Collect information](/guides/orchestration/journeys/get_info_from_client) form. After the OTP is sent, use the [Cognito OTP Validate](/guides/orchestration/journeys/authenticate_cognito_otp_validate) step to validate the code entered by the user.

If the step fails (e.g., invalid user identifier), the journey proceeds to the failure branch (if specified); otherwise, the journey is aborted and an error is sent to the client.

## Configuration

div
| Field | Description |
|  --- | --- |
| **Cognito integration** | The Cognito connector to use, as configured in Integration Hub. |
| **User identifier** | Expression that yields the user's identifier (email or phone number). |
| **OTP channel** | The channel used to deliver the OTP: email or SMS. |
| **Scope** | OAuth scopes to request from Cognito. Default: `openid profile email`. |
| **Output variable** | Name of the variable that stores the result returned by Cognito. |
| **Error output variable** | Name of the variable that stores any errors returned by the step. |
| **Failure behavior** | Determines the behavior in case of failure, which either aborts the journey or proceeds to a failure branch of the control flow (default). |


Journey event data
This step can be configured to record step input and output data, or a custom payload, which is then surfaced in journey events in Journey Analytics for diagnostic purposes. For details, see [Additional data reporting](/guides/orchestration/getting-started/event_reporting).

## Example

Consider a migration journey that collects the user's email using a [Collect information](/guides/orchestration/journeys/get_info_from_client) step. The Cognito OTP Generate step sends an OTP to the user's email. A subsequent [Collect information](/guides/orchestration/journeys/get_info_from_client) step collects the OTP code, which is then validated using the [Cognito OTP Validate](/guides/orchestration/journeys/authenticate_cognito_otp_validate) step.