Last updated
Tokens authenticate users and grant access to resources. The claims in a token are information about your user. The ID token contains claims about your user's identity, such as their user name, name, and email address. The access token contains claims about authorization, such as the scopes the authorized user may use with third-party APIs.
The access and ID tokens both include a cognito:groups claim that contains your user's group membership in your user pool. For more information about user pool groups, see .
Amazon Cognito issues tokens as -encoded strings. You can decode any Amazon Cognito ID or access token from base64url to plaintext JSON. Amazon Cognito refresh tokens are encrypted, opaque to user pool users and administrators, and can only be read by your user pool.
When a user signs into your app, Amazon Cognito verifies the login information. If the login is successful, Amazon Cognito creates a session and returns an ID token, an access token, and a refresh token for the authenticated user. You can use the tokens to grant your users access to downstream resources and APIs like Amazon API Gateway. Or you can exchange them for temporary AWS credentials to access other AWS services.
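The decoding described above, as an added example that is not part of the original page: it splits a token into its base64url segments, reads the cognito:groups claim, and checks the claims a relying party should validate before using the token (issuer, token_use, expiry, and the app client id, which an ID token carries in aud and an access token in client_id). The sample token, region, user pool id and app client id are constructed placeholders; decoding alone does not make the claims trustworthy, and a real verifier must also check the RS256 signature against the user pool's JWKS, which this example does not do.

```python
import base64
import json
import time
from typing import Dict, List, Tuple

# Constructed placeholder values for this example (not real AWS resource identifiers).
REGION = "us-east-1"
USER_POOL_ID = "us-east-1_EXAMPLEPOOL"
APP_CLIENT_ID = "exampleappclientid0000"
FIXED_NOW = 1_700_000_000  # fixed clock so the example is deterministic


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt(token: str) -> Tuple[Dict, Dict]:
    """Split a compact JWT into (header, payload). This only decodes; it does not
    verify the signature, so the claims are untrusted until that check is done."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated segments: header.payload.signature")
    header = json.loads(b64url_decode(parts[0]))
    payload = json.loads(b64url_decode(parts[1]))
    return header, payload


def check_claims(payload: Dict, expected_use: str, now: float = None) -> List[str]:
    """Return the names of claims that fail the standard checks for a Cognito token.
    An empty list means iss, token_use, exp and the audience claim all match."""
    now = time.time() if now is None else now
    problems = []
    if payload.get("iss") != f"https://cognito-idp.{REGION}.amazonaws.com/{USER_POOL_ID}":
        problems.append("iss")
    if payload.get("token_use") != expected_use:
        problems.append("token_use")
    if payload.get("exp", 0) <= now:
        problems.append("exp")
    # ID tokens carry the app client id in 'aud'; access tokens carry it in 'client_id'.
    audience = payload.get("aud") if expected_use == "id" else payload.get("client_id")
    if audience != APP_CLIENT_ID:
        problems.append("aud/client_id")
    return problems


def groups_of(payload: Dict) -> List[str]:
    """Group membership from the cognito:groups claim (absent when the user is in no group)."""
    return list(payload.get("cognito:groups", []))


def make_sample_id_token() -> str:
    """Build a constructed ID token with the claim shape Cognito uses, including the
    origin_jti and jti claims added when token revocation is enabled. Real tokens are
    RS256-signed by the user pool; the signature segment here is a dummy value so the
    string merely has the three-part form."""
    header = {"alg": "RS256", "kid": "example-key-id"}
    payload = {
        "iss": f"https://cognito-idp.{REGION}.amazonaws.com/{USER_POOL_ID}",
        "sub": "00000000-0000-4000-8000-000000000000",
        "aud": APP_CLIENT_ID,
        "token_use": "id",
        "cognito:username": "alice",
        "cognito:groups": ["admins", "readers"],
        "email": "alice@example.com",
        "origin_jti": "example-origin-jti",
        "jti": "example-jti",
        "iat": FIXED_NOW,
        "exp": FIXED_NOW + 3600,
    }
    signing_input = (b64url_encode(json.dumps(header).encode())
                     + "." + b64url_encode(json.dumps(payload).encode()))
    dummy_signature = b"\x00" * 32  # placeholder, not a real signature
    return signing_input + "." + b64url_encode(dummy_signature)


if __name__ == "__main__":
    hdr, body = decode_jwt(make_sample_id_token())
    print(hdr["alg"], groups_of(body), check_claims(body, "id", now=FIXED_NOW))
```

Passing the ID token where an access token is expected fails on both token_use and the audience claim, which is the reason to check token_use explicitly rather than relying on the audience check alone.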
Storing tokens
Your app must be able to store tokens of varying sizes. Token size can change for reasons including, but not limited to, additional claims, changes in encoding algorithms, and changes in encryption algorithms. When you enable token revocation in your user pool, Amazon Cognito adds additional claims to JSON Web Tokens, increasing their size. The new claims origin_jti and jti are added to access and ID tokens. For more information about token revocation, see .
Customizing tokens
You can customize the access and ID tokens that Amazon Cognito passes to your app. In a , you can add, modify, and suppress token claims. The pre token generation trigger is a Lambda function that Amazon Cognito sends a default set of claims to. The claims include OAuth 2.0 scopes, user pool group membership, user attributes, and others. The function can then take the opportunity to make changes at runtime and return updated token claims to Amazon Cognito.
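A pre token generation Lambda function that does the three things named above (add, override, suppress), as an added example rather than code from the page or from AWS. It uses the version 1 trigger event shape, whose claimsOverrideDetails response applies to the ID token; the sample event, the custom:tenant attribute and the group names are constructed for the example. The handler derives a tenant claim from a user attribute, suppresses the phone_number claim so it is not exposed to relying parties, and narrows the group list to the groups this app is meant to see.

```python
import copy

# Constructed pre token generation event (trigger version 1 shape). The attribute
# custom:tenant and the group names are assumptions made for this example.
SAMPLE_EVENT = {
    "version": "1",
    "triggerSource": "TokenGeneration_Authentication",
    "region": "us-east-1",
    "userPoolId": "us-east-1_EXAMPLEPOOL",
    "userName": "alice",
    "request": {
        "userAttributes": {
            "sub": "00000000-0000-4000-8000-000000000000",
            "email": "alice@example.com",
            "phone_number": "+15555550100",
            "custom:tenant": "acme",
        },
        "groupConfiguration": {
            "groupsToOverride": ["app-readers", "internal-staff"],
            "iamRolesToOverride": [],
            "preferredRole": None,
        },
    },
    "response": {},
}


def lambda_handler(event, context=None):
    """Pre token generation trigger: return the event with claimsOverrideDetails filled in."""
    attrs = event["request"]["userAttributes"]
    group_cfg = event["request"].get("groupConfiguration", {})
    groups = group_cfg.get("groupsToOverride") or []

    # 1. Add a claim derived from a user attribute the app needs at request time.
    claims_to_add = {"tenant": attrs.get("custom:tenant", "unassigned")}

    # 2. Suppress a claim that would otherwise be copied into the token; the
    #    attribute stays in the user pool but is not placed in the ID token.
    claims_to_suppress = ["phone_number"]

    # 3. Override group membership: keep only the groups this app should see.
    app_groups = [g for g in groups if g.startswith("app-")]

    event["response"]["claimsOverrideDetails"] = {
        "claimsToAddOrOverride": claims_to_add,
        "claimsToSuppress": claims_to_suppress,
        "groupOverrideDetails": {
            "groupsToOverride": app_groups,
            "iamRolesToOverride": group_cfg.get("iamRolesToOverride", []),
            "preferredRole": group_cfg.get("preferredRole"),
        },
    }
    return event


def run_sample():
    """Invoke the handler on a copy of the constructed event and return the override details."""
    result = lambda_handler(copy.deepcopy(SAMPLE_EVENT))
    return result["response"]["claimsOverrideDetails"]


if __name__ == "__main__":
    print(run_sample())
```

The handler mutates and returns the event object it receives, which is the contract for this trigger; run_sample works on a deep copy only so the constructed input can be reused.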