# Cognito OTP Validate

div
div
Client SDK
div
Backend API
div
Mobile approve
div
SSO
div
Sub-journey
> Validates a one-time passcode sent via AWS Cognito


## Description

This step validates a one-time passcode (OTP) that was previously sent to the user via the [Cognito OTP Generate](/guides/orchestration/journeys/authenticate_cognito_otp_generate) step. It is used for Just-In-Time (JIT) migration scenarios where users are gradually migrated from Cognito to Mosaic as they log in.

Before using this step, configure a [Cognito connection](/guides/orchestration/external-connections/external_idp) in Integration Hub.

The OTP code must be obtained before initiating this step, such as using a [Collect information](/guides/orchestration/journeys/get_info_from_client) form. If the validation succeeds, the journey continues to the next step. The authentication result is stored in the output variable and can be used in subsequent steps (e.g., to create a user in Mosaic).

If the validation fails (e.g., incorrect or expired OTP), the journey proceeds to the failure branch (if specified); otherwise, the journey is aborted and an error is sent to the client.

## Configuration

div
| Field | Description |
|  --- | --- |
| **Cognito integration** | The Cognito connector to use, as configured in Integration Hub. |
| **User identifier** | Expression that yields the user's identifier (email or phone number). |
| **OTP channel** | The channel used to deliver the OTP: email or SMS. |
| **OTP code** | Expression that yields the OTP code entered by the user. |
| **Scope** | OAuth scopes to request from Cognito. Default: `openid profile email`. |
| **Output variable** | Name of the variable that stores the authentication result returned by Cognito. |
| **Error output variable** | Name of the variable that stores any errors returned by the step. |
| **Failure behavior** | Determines the behavior in case of failure, which either aborts the journey or proceeds to a failure branch of the control flow (default). |


Journey event data
This step can be configured to record step input and output data, or a custom payload, which is then surfaced in journey events in Journey Analytics for diagnostic purposes. For details, see [Additional data reporting](/guides/orchestration/getting-started/event_reporting).

## Example

Consider a migration journey where the user receives an OTP via the [Cognito OTP Generate](/guides/orchestration/journeys/authenticate_cognito_otp_generate) step. A [Collect information](/guides/orchestration/journeys/get_info_from_client) step collects the OTP code from the user. The Cognito OTP Validate step validates this code against Cognito. If successful, the output variable (`cognito_tokens`) contains user information, including ID token and `user_info`, that can be used to create or update a user in Mosaic using the [Create user](/guides/orchestration/journeys/create_user) step.