AWS CLI and SDK support for validating Cognito tokens

0

Even though manually validating Cognito JWTs (e.g. for my case of authenticating WebSocket connections) can be done by extracting the key ID from the token, getting the respective JWKS from Cognito and verifying the token validity using various existing libraries, I don't understand why AWS doesn't support this as part of the CLI/SDK; this would both reduce the load on Cognito (as developers wouldn't need to download the JWKS anymore) and simplify clients (which wouldn't need to implement the validation anymore). Is there any chance to address this as part of the Cognito roadmap?

asked a month ago · 157 views
1 Answer
0

The AWS JWT Verify library (available on npm, with source on GitHub) does this.

JavaScript library for verifying JWTs signed by Amazon Cognito, and any OIDC-compatible IDP that signs JWTs with RS256 / RS384 / RS512.

Below is a basic usage example from the README, but there are other supported parameters and configuration options.

// ES module syntax (top-level await); in a CommonJS script wrap the verify call in an async function
import { CognitoJwtVerifier } from "aws-jwt-verify";

// Verifier that expects valid access tokens:
const verifier = CognitoJwtVerifier.create({
  userPoolId: "<user_pool_id>",
  tokenUse: "access",
  clientId: "<client_id>",
});

try {
  const payload = await verifier.verify(
    "eyJraWQeyJhdF9oYXNoIjoidk..." // the JWT as string
  );
  console.log("Token is valid. Payload:", payload);
} catch {
  console.log("Token not valid!");
}
AWS, answered a month ago
EXPERT, reviewed a month ago
  • Thanks for that, I didn’t manage to find a similar library for Go though, I suspect it’s a custom implementation for Type/JavaScript only?
