Amazon Cognito A client attempted to write unauthorized attribute
Master System Design with Codemia
Enhance your system design skills with over 120 practice problems, detailed solutions, and hands-on exercises.
Introduction
This Cognito error means the app client is trying to write a user attribute that it is not allowed to modify. The problem is usually not in the JSON syntax of the request. It is in the user pool configuration, the app client's attribute permissions, or the fact that the code is attempting to set an attribute that Cognito treats as read-only or administratively controlled. The fix is to line up the requested attributes with what that client is actually allowed to write.
Understand Which Attributes Are Writable
In Cognito user pools, not every attribute is freely writable from every client flow.
Examples of sensitive or restricted fields include:
- '
sub' - '
email_verified' - '
phone_number_verified' - some custom attributes depending on app client permissions
Even for normal attributes such as email, write access still depends on how the app client is configured.
That means two different things can both be true:
- the attribute exists in the user pool schema
- the current app client is still not allowed to write it
The Error Usually Appears During These Calls
You most often see this error during operations such as:
- sign-up with user attributes
- '
UpdateUserAttributes' - admin flows that are accidentally using non-admin client permissions
- hosted UI or SDK flows where the client submits a broader set of attributes than intended
A representative AWS SDK call in JavaScript might look like this:
If the app client does not have write permission for email, or if the flow attempts to include a forbidden field, Cognito can reject it with the unauthorized-attribute error.
Check App Client Attribute Permissions First
The fastest thing to inspect is the user pool app client configuration. Cognito lets you define which attributes a given app client can read and write.
If the client is missing write permission for a field, any attempt to update that field from the client-side flow can fail even though the attribute exists in the user pool schema.
So the basic diagnosis sequence is:
- identify the exact attribute name being sent
- check whether the app client is allowed to write that attribute
- confirm the attribute is intended to be client-writable at all
This is often enough to fix the issue without touching code.
Do Not Try to Write System-Managed Attributes
A frequent mistake is attempting to set attributes such as email_verified directly from a normal client request.
For example, this is a problematic pattern:
The verification fields are controlled by Cognito's verification workflow or by appropriate administrative actions. A normal app client should not try to force them during a regular user update.
Admin APIs Are a Different Permission Boundary
If your use case genuinely requires setting administrative attributes, use the appropriate admin-side API from trusted backend code with IAM permissions, not from an untrusted public client flow.
That distinction matters because Cognito separates:
- what a signed-in end-user client can update for itself
- what an administrative backend can update on behalf of a user
Trying to solve an admin-side problem with a public app client usually ends in this error.
Check Custom Attribute Names Carefully
Custom attributes in Cognito are referenced with the custom: prefix.
Correct example:
If you omit the prefix or target a field name that the client cannot write, the request may fail or behave unexpectedly.
So when debugging custom attributes, verify all three of these:
- the schema includes the attribute
- the request uses the correct
custom:prefix - the app client has write access to it
Keep the Client Payload Minimal
Another practical way to avoid this class of error is to send only the attributes that truly need updating. Some SDK wrappers or forms accidentally submit a larger user profile object than intended.
That can backfire if the object includes fields that should never be written by that client.
A safer pattern is to construct the update payload explicitly instead of serializing an entire user model blindly.
Common Pitfalls
The biggest mistake is trying to update system-managed attributes such as email_verified from a normal client request.
Another mistake is assuming that because an attribute exists in the user pool, every app client is allowed to write it. Cognito app client permissions still apply.
Teams also often confuse end-user attribute updates with admin-side user management. Those are different security boundaries and should use different APIs.
Finally, when custom attributes are involved, do not forget the custom: prefix. A naming mismatch can look like a permissions issue even when the root cause is the wrong attribute name.
Summary
- This error means the current Cognito client tried to write an attribute it is not allowed to modify.
- Start by checking the exact attribute name and the app client's write permissions.
- Do not try to set system-managed verification fields from ordinary client flows.
- Use admin APIs from trusted backend code when the update is administrative in nature.
- Keep update payloads narrow and explicit so forbidden attributes are not sent accidentally.

