Cognito access token not expiring after user logout


In our web application we are using cognito as a authenticator. Whenever user is logout from application access token is not expring it still validating another session. For security issues in our organisation we need to invalid the token after user log out from application

asked 9 months ago900 views
2 Answers

You can revoke tokens using the RevokeToken API. Revoking the refresh token also revokes all access tokens associated with it.

Keep in mind that JWTs are self contained and it is up to recipient of the JWT to validate if it has been revoked, if that is needed.

profile pictureAWS
answered 9 months ago

You may always revoke the JSON Web Token (JWT) using the RevokeToken API when the user logs out from the application. You may also configure a tighter JWT session if this is better for your application security. This can be configured from 5 minutes to 24 hours (1 day). It should be noted that when using the Amazon Cognito HostedUI, the session cookie is cached for a minimum of 1 hour and any access token configured for a shorter time would not be honored through the HostedUI.

You can find explicit details in the Amazon Cognito documentation on User Pool Access Tokens JWTs here:

answered 9 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions