Cognito JWT Payloads
Warning
This page is still a work in progress while the Cognito service is being implemented and integrated with the front-end application; claim names and example values may change.
Structure of Cognito JWT Payloads
Identity Token Payload
Example

Custom attributes are carried in the ID token under the `custom:` prefix, so the tenant and role claims appear as `custom:tenant` and `custom:role`. Cognito also stamps every ID token with `"token_use": "id"`, which a consumer should check so that an access token is never accepted where an ID token is required.

```json
{
  "sub": "248289dc-...-f2f44a",
  "token_use": "id",
  "email_verified": true,
  "name": "Jane Doe",
  "email": "jane@example.com",
  "custom:tenant": "tenant-id",
  "custom:role": "role-name",
  "cognito:username": "janedoe",
  "aud": "client-app-id",
  "iss": "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_ABC123",
  "exp": 1712608972,
  "iat": 1712605372,
  "auth_time": 1712605370,
  "identities": [
    {
      "userId": "janedoe@example.com",
      "providerName": "Google",
      "providerType": "Google",
      "issuer": null,
      "primary": true,
      "dateCreated": "1712605370"
    }
  ]
}
```
Key Claims

| Claim | Description |
|---|---|
| sub | Unique, immutable user ID in the user pool; use this, not email or username, to identify the user |
| token_use | "id": identifies the token as an ID token |
| email | Email address |
| email_verified | Whether the email address has been verified; treat an unverified email as untrusted |
| cognito:username | Internal Cognito username |
| custom:tenant | Tenant ID: a UUID or the tenant name |
| custom:role | User role: one of public, lite, subscription, arda, system |
| aud | Audience: the app client ID, which must match the client the service expects |
| iss | Issuer: the user pool URL, which must match the configured user pool |
| exp, iat, auth_time | Expiry, issued-at and authentication timestamps (Unix seconds) |
| identities | Federated identity metadata (e.g., from Google) |
Access Token Payload
Example

```json
{
  "sub": "248289dc-...-f2f44a",
  "event_id": "abcd-efgh-5678",
  "token_use": "access",
  "scope": "openid profile email aws.cognito.signin.user.admin",
  "auth_time": 1712605372,
  "iss": "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_ABC123",
  "exp": 1712608972,
  "iat": 1712605372,
  "jti": "token-id",
  "client_id": "client-app-id",
  "username": "janedoe"
}
```
Key Claims

| Claim | Description |
|---|---|
| token_use | "access": identifies the token as an access token (the ID token carries "id") |
| scope | OAuth2 scopes granted (space-separated) |
| client_id | The app client that requested the token; the access token has no aud claim, so validate client_id instead |
| username | Cognito username |
| jti | Unique token identifier |
| iss, exp, iat | Same as in the ID token |
Note
Custom attributes are carried in the ID token and have the name pattern custom:<xyz>; they are not present in the access token, so a service that needs the tenant or role must read them from the ID token.
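The following is an added example (not part of the project's code) that applies the checks implied by the two claim tables above: signature first, then issuer, token type, expiry, and the type-specific audience (`aud` for the ID token, `client_id` for the access token), before the `custom:tenant` and `custom:role` claims are handed to the application. Real Cognito tokens are RS256-signed and verified against the user pool's JWKS at `{iss}/.well-known/jwks.json`; to run offline without an RSA library this example signs constructed tokens with HS256 under an in-memory key as a stand-in for that step. The `ISSUER`, `CLIENT_ID` and key values are assumptions, and the allowed role set is taken from the ID token table.

```python
"""Claim validation for Cognito-shaped ID and access tokens (added example).

Signature check is an HS256 stand-in for Cognito's RS256/JWKS verification;
the claim checks are the same ones a real consumer must perform.
"""
import base64
import hashlib
import hmac
import json
import time

# Assumed configuration (constructed values, not from the page).
ISSUER = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_ABC123"
CLIENT_ID = "client-app-id"
ALLOWED_ROLES = {"public", "lite", "subscription", "arda", "system"}
DEMO_KEY = b"constructed-demo-key-not-a-cognito-key"  # stand-in for the JWKS key


class TokenError(Exception):
    """Raised for any token that must not be trusted."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_demo_token(payload: dict, key: bytes = DEMO_KEY) -> str:
    """Mint an HS256 JWT for the demo (Cognito itself uses RS256)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_signature(token: str, key: bytes = DEMO_KEY) -> dict:
    """Verify the signature BEFORE reading any claim; return the payload."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
    except ValueError:
        raise TokenError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm; the token must not be allowed to choose it (alg=none).
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise TokenError("bad signature")
    return json.loads(_b64url_decode(body_b64))


def validate_claims(payload: dict, expected_use: str, now=None) -> dict:
    """Common checks (iss, token_use, exp), then the token_use-specific ones."""
    now = int(time.time()) if now is None else now
    if payload.get("iss") != ISSUER:
        raise TokenError("wrong issuer")
    if payload.get("token_use") != expected_use:
        raise TokenError(f"expected token_use={expected_use}")
    if not isinstance(payload.get("exp"), int) or now >= payload["exp"]:
        raise TokenError("token expired")
    if "sub" not in payload:
        raise TokenError("missing sub")
    if expected_use == "id":
        # ID token: aud is the app client; tenant and role ride as custom:* claims.
        if payload.get("aud") != CLIENT_ID:
            raise TokenError("wrong audience")
        role = payload.get("custom:role")
        if role not in ALLOWED_ROLES:
            raise TokenError("unknown role")
        return {"sub": payload["sub"], "tenant": payload.get("custom:tenant"),
                "role": role, "email_verified": payload.get("email_verified") is True}
    # Access token: there is no aud claim, so client_id is checked instead.
    if payload.get("client_id") != CLIENT_ID:
        raise TokenError("wrong client_id")
    return {"sub": payload["sub"], "username": payload.get("username"),
            "scopes": set(payload.get("scope", "").split())}


def demo(now: int = 1712606000) -> dict:
    """Run constructed tokens shaped like the page's examples through the checks."""
    id_payload = {"sub": "248289dc-f2f44a", "token_use": "id", "email_verified": True,
                  "custom:tenant": "tenant-id", "custom:role": "subscription",
                  "aud": CLIENT_ID, "iss": ISSUER, "exp": 1712608972, "iat": 1712605372}
    access_payload = {"sub": "248289dc-f2f44a", "token_use": "access",
                      "scope": "openid profile email aws.cognito.signin.user.admin",
                      "iss": ISSUER, "exp": 1712608972, "iat": 1712605372,
                      "client_id": CLIENT_ID, "username": "janedoe"}
    results = {}
    results["id"] = validate_claims(verify_signature(sign_demo_token(id_payload)), "id", now)
    results["access"] = validate_claims(verify_signature(sign_demo_token(access_payload)), "access", now)
    cases = {
        # An access token presented where an ID token is required.
        "access_as_id": (sign_demo_token(access_payload), "id", now),
        # Role escalated and re-signed under a key the issuer does not hold.
        "tampered": (sign_demo_token(dict(id_payload, **{"custom:role": "system"}), key=b"attacker"), "id", now),
        # Valid signature, but evaluated after exp.
        "expired": (sign_demo_token(id_payload), "id", 1712609000),
    }
    for name, (tok, use, at) in cases.items():
        try:
            validate_claims(verify_signature(tok), use, at)
            results[name] = "accepted"
        except TokenError as e:
            results[name] = str(e)
    return results


if __name__ == "__main__":
    print(json.dumps({k: (sorted(v) if isinstance(v, set) else v) for k, v in demo().items()}, default=sorted, indent=2))
```

The order matters: `verify_signature` pins the algorithm and checks the signature before a single claim is read, and `validate_claims` rejects on `token_use` before looking at `aud` or `client_id`, so an access token can never satisfy an ID-token check even though both share `iss`, `exp` and `sub`.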