AWS Cognito JWT Issuer & Claims
Verify AWS Cognito JWTs. Cognito's per-pool issuer, JWKS URL, RS256 signing, and the token_use, client_id, scope claims explained with validation rules.
AWS Cognito issues JWTs for authentication (ID tokens) and authorization (access tokens). Both are JWTs signed with RS256. The issuer is per-user-pool: https://cognito-idp.{region}.amazonaws.com/{userPoolId}. Cognito publishes its JWKS at that same URL plus /.well-known/jwks.json.
Issuer details
| Property | AWS Cognito |
|---|---|
| Issuer (iss) | https://cognito-idp.{region}.amazonaws.com/{userPoolId} |
| JWKS URL | https://cognito-idp.{region}.amazonaws.com/{userPoolId}/.well-known/jwks.json |
| OIDC discovery | https://cognito-idp.{region}.amazonaws.com/{userPoolId}/.well-known/openid-configuration |
| Signing algorithm | RS256 (default) |
Issuer-specific claims
Claims you will encounter in AWS Cognito JWTs and what they mean for this issuer:
| Claim | Meaning for this issuer |
|---|---|
| iss | https://cognito-idp.{region}.amazonaws.com/{userPoolId}: per-user-pool. Validate against your exact user pool. |
| sub | The Cognito user's sub (a UUID). Stable for the life of the user in that pool. Use this as the primary key. |
| aud | The app client ID. ID tokens carry aud = client ID. Cognito access tokens do not carry aud: use client_id instead. |
| client_id | The Cognito app client ID the token was issued to. Present in access tokens (which lack aud). Validate client_id for access tokens. |
| token_use | 'id' for ID tokens, 'access' for access tokens. Validate this to ensure you received the token type you expect: do not accept an ID token as an access token or vice versa. |
| scope | Space-separated OAuth 2.0 scopes. Present in access tokens when scopes were configured on the user pool. |
| cognito:username | The user's username in the user pool (a custom claim prefixed with cognito:), carried in ID tokens; access tokens carry it as username. The username can be changed; use sub as the stable identifier. |
Verifying tokens from this issuer
Fetch public keys from https://cognito-idp.{region}.amazonaws.com/{userPoolId}/.well-known/jwks.json and select the key whose kid matches the token header. Hardcode algorithms: ['RS256'] so the token's own header can never choose the algorithm. After the signature checks out, validate iss against your user pool URL, token_use against the expected value ('id' or 'access'), aud (ID tokens) or client_id (access tokens) against your app client ID, and exp against the current time. Cognito rotates keys rarely but can: use a caching JWKS client that refreshes on an unknown kid rather than fetching on every request.
Frequently asked questions
- What is the AWS Cognito JWT issuer URL?
  The iss claim is per-user-pool: https://cognito-idp.{region}.amazonaws.com/{userPoolId}, where {region} is your AWS region (e.g. us-east-1) and {userPoolId} is your user pool ID (e.g. us-east-1_abc123def). Validate iss against your exact user pool. The JWKS endpoint is that URL plus /.well-known/jwks.json, and Cognito signs with RS256.
- How do I verify an AWS Cognito JWT?
  Fetch public keys from https://cognito-idp.{region}.amazonaws.com/{userPoolId}/.well-known/jwks.json, verify the RS256 signature, and validate iss (your user pool URL), token_use ('id' or 'access' depending on which you expect), and aud (ID tokens) or client_id (access tokens) against your app client ID. AWS publishes an official guide for this; the Cognito JWT verifier libraries and jose / PyJWKClient handle the JWKS fetch and caching for you.
- What is the token_use claim in Cognito JWTs?
  token_use tells you whether the JWT is an ID token ('id') or an access token ('access'). Validate it on every request to ensure you received the token type you expect: ID tokens prove identity and should not be used to authorize API calls (their aud is your client, not your API); access tokens authorize API calls. Accepting an ID token as a bearer token for your API is a common Cognito setup mistake.
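The verification procedure from "Verifying tokens from this issuer" and the token_use check from the FAQ above, carried out end to end as an added example. This is not code from the page or from AWS: it uses only the Go standard library instead of a JWKS client library, generates a throwaway RSA key to stand in for Cognito's signing key, and the pool URL, app client ID, kid and sub values are constructed. The minting helper exists only so the verifier can be exercised offline; in production the JWKS document comes from the pool's jwks.json URL and the token from the client.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Constructed stand-ins for a real pool; region, pool ID and app client ID are assumptions.
const issuer = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE"
const clientID = "1example23456789"
var b64 = base64.RawURLEncoding

// jwks mirrors the shape of {issuer}/.well-known/jwks.json (only the fields used here).
type jwks struct{ Keys []struct{ Kid, Kty, N, E string } }

// decodeSegment base64url-decodes one JWT segment and parses it as JSON into v.
func decodeSegment(seg string, v any) error {
	raw, err := b64.DecodeString(seg)
	if err != nil { return err }
	return json.Unmarshal(raw, v)
}

// signRS256 mints a token the way the issuer would; it exists only to produce offline input.
func signRS256(priv *rsa.PrivateKey, kid string, claims map[string]any) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(claims)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	h := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	return input + "." + b64.EncodeToString(sig), err
}

// verifyCognito applies the page's rules: alg pinned to RS256, key chosen by kid from the
// fetched JWKS document, then iss, token_use, aud (id) or client_id (access), and exp.
func verifyCognito(token string, jwksJSON []byte, expectedUse string, now time.Time) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 { return nil, fmt.Errorf("malformed token") }
	var hdr struct{ Alg, Kid string }
	if err := decodeSegment(parts[0], &hdr); err != nil { return nil, err }
	if hdr.Alg != "RS256" { return nil, fmt.Errorf("unexpected alg %q", hdr.Alg) } // header never picks the alg
	var keys jwks
	if err := json.Unmarshal(jwksJSON, &keys); err != nil { return nil, err }
	var pub *rsa.PublicKey
	for _, k := range keys.Keys {
		if k.Kid == hdr.Kid && k.Kty == "RSA" {
			n, _ := b64.DecodeString(k.N)
			e, _ := b64.DecodeString(k.E)
			pub = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
		}
	}
	if pub == nil { return nil, fmt.Errorf("no JWKS entry for kid %q", hdr.Kid) }
	sig, err := b64.DecodeString(parts[2])
	if err != nil { return nil, err }
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig); err != nil { return nil, fmt.Errorf("signature verification failed") }
	var claims map[string]any // only decoded after the signature is known to be good
	if err := decodeSegment(parts[1], &claims); err != nil { return nil, err }
	if claims["iss"] != issuer { return nil, fmt.Errorf("iss %v is not this user pool", claims["iss"]) }
	if claims["token_use"] != expectedUse { return nil, fmt.Errorf("token_use %v, want %q", claims["token_use"], expectedUse) }
	audClaim := "aud" // ID tokens carry aud; access tokens carry client_id instead
	if expectedUse == "access" { audClaim = "client_id" }
	if claims[audClaim] != clientID { return nil, fmt.Errorf("%s does not match the app client", audClaim) }
	if exp, ok := claims["exp"].(float64); !ok || now.Unix() >= int64(exp) { return nil, fmt.Errorf("token expired or missing exp") }
	return claims, nil
}

// mintPair generates a throwaway key, publishes it as a JWKS document, and mints one ID token
// and one access token with the claim shapes Cognito uses. Every value here is constructed.
func mintPair() ([]byte, string, string, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { return nil, "", "", err }
	jwksJSON := []byte(fmt.Sprintf(`{"keys":[{"kid":"kid-1","kty":"RSA","alg":"RS256","use":"sig","n":%q,"e":%q}]}`,
		b64.EncodeToString(priv.N.Bytes()), b64.EncodeToString(big.NewInt(int64(priv.E)).Bytes())))
	exp := time.Now().Add(time.Hour).Unix()
	sub := "11111111-2222-3333-4444-555555555555"
	idToken, err := signRS256(priv, "kid-1", map[string]any{"iss": issuer, "sub": sub, "aud": clientID,
		"token_use": "id", "cognito:username": "alice", "exp": exp})
	if err != nil { return nil, "", "", err }
	accessToken, err := signRS256(priv, "kid-1", map[string]any{"iss": issuer, "sub": sub, "client_id": clientID,
		"token_use": "access", "scope": "openid profile", "exp": exp})
	return jwksJSON, idToken, accessToken, err
}

func main() {
	keys, idTok, accTok, err := mintPair()
	if err != nil { panic(err) }
	_, accErr := verifyCognito(accTok, keys, "access", time.Now())
	_, mixErr := verifyCognito(idTok, keys, "access", time.Now())
	fmt.Println("access token as access:", accErr, "| ID token as access:", mixErr)
}
```

The order of checks matters: the algorithm is compared against a constant before any key is looked up, the signature is verified before the claims are even decoded, and the aud/client_id split is driven by the caller's expected token type rather than by whatever the token says about itself, which is what makes the ID-token-as-bearer mistake fail closed.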