Cognito: Key Rotation


Please confirm if Cognito rotates the keys used to sign ID and Access tokens. The docs do not specify.

If they are rotated, how often?

asked 9 months ago83 views
1 Answer

Yes the document does not specify whether the keys are rotated. However, Cognito service may need to rotate the keys if required.

Hence, we recommend you to cache each key present in JWKS URI [1] against "kid". When you have a token to validate, then first check the "kid" present in the header of that JWT token. If you have a key with that "kid" in your cache then use that key. Otherwise, query the JWKS URI to fetch recent keys and update your local cache with the new "kid". This will help to make the application more robust and you will be able to handle the scenario if the public key is rotated in unforeseen future.


[1] The format of the JWKS URI is following (replace {region} with AWS region and replace {userPoolId} with the ID of your user pool): https://cognito-idp.{region}{userPoolId}/.well-known/jwks.json

answered 3 months ago
  • Where should we cache them? Users can find the region and user pool ID with a bit of snooping, so the JWKS is essentially public. Would hardcoding them be ill-advised?

  • You need to cache it in server side of your resource server (means where you are performing JWT validation before providing access to your secured resources).

  • Thank you but I meant what caching method/service? Right now I'm trying S3 but it is convoluted compared to just downloading the JWKS each time as I have been doing. This is in a Lambda authorizer for APIGW written in Go. What did you have in mind for caching?

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions