Skip to content
Latchkey

Cognito "InvalidParameterException" on InitiateAuth in CI

Cognito raised InvalidParameterException because the auth request is missing or has wrong parameters for the app client, such as a required SECRET_HASH or an auth flow the client does not allow.

What this error means

InitiateAuth throws "InvalidParameterException" with a message like "Missing required parameter SECRET_HASH" or "USER_PASSWORD_AUTH flow not enabled for this client".

Cognito
InvalidParameterException: Missing required parameter SECRET_HASH

Common causes

App client has a secret but SECRET_HASH is not sent

When the app client is configured with a client secret, each auth call must include a computed SECRET_HASH.

The requested auth flow is not enabled

USER_PASSWORD_AUTH or another flow must be explicitly enabled on the app client, or the request is invalid.

How to fix it

Send SECRET_HASH or use a client without a secret

  1. For a secretful client, compute SECRET_HASH from username, client id, and secret.
  2. Include it in the AuthParameters.
  3. Or use an app client with no secret for the test flow.
Terminal
SECRET_HASH=$(printf "%s%s" "$USER" "$CLIENT_ID" \
  | openssl dgst -sha256 -hmac "$CLIENT_SECRET" -binary | base64)

Enable the auth flow on the app client

Enable USER_PASSWORD_AUTH (or the flow the test uses) in the Cognito app client settings.

How to prevent it

  • Match the auth flow the client enables to what tests call.
  • Compute SECRET_HASH when the app client has a secret.
  • Prefer a secretless test client to simplify CI auth.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →