OAuth2 Token Introspection vs JWT Validation on Cognito and API Gateway
Quick summary: Local JWT validation is fast until revocation lags bite you. When to introspect at Cognito, use API Gateway JWT authorizers, and add Verified Permissions for fine-grained authz.
Key Takeaways
- When to introspect, when to rely on API Gateway JWT authorizers, and when to add Verified Permissions for fine-grained authz
- Amazon Cognito user pools issue JWT access tokens; validate them locally against the pool's JWKS (/.well-known/jwks.json) for latency
- Introspection (RFC 7662) calls the authorization server on every request: slower, but a revocation is visible immediately if the AS supports it
- Benchmark pattern (hypothetical workload): API Gateway HTTP API with JWT authorizer (local validation) handles 8K auth checks/sec at 0.3ms overhead; a per-request live check against the authorization server adds 12ms p99 at 2K RPS before any caching layer
As of June 2026, Amazon Cognito user pools issue RS256-signed JWT access tokens, so an API can validate them locally against the pool's JWKS at https://cognito-idp.<region>.amazonaws.com/<userPoolId>/.well-known/jwks.json and keep the authorization server off the request path entirely. Introspection (RFC 7662) instead asks the authorization server about the token on every request: slower, but a revoked token is refused as soon as the AS answers active: false. One caveat: Cognito user pools do not publish an RFC 7662 /oauth2/introspect endpoint. The revocation-aware live check against Cognito is to present the access token to the GetUser API (or the /oauth2/userInfo endpoint), which Cognito rejects once the token has been revoked; "introspection" in the rest of this guide means that call, or a real RFC 7662 endpoint on a third-party authorization server.
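The local-validation path, as an added example written for this guide rather than code from the page or from AWS: a Go program using only the standard library that parses a JWKS document, verifies an RS256 Cognito-style access token, pins the algorithm, checks iss, token_use, client_id and exp, and refetches the JWKS exactly once when a token arrives with a kid it has not cached, which is how key rotation surfaces. The issuer URL, the client ID, the kid values and the signing keys are all constructed for the demo; in production Fetch would be an HTTP GET of the pool's jwks.json. It also makes the revocation blind spot concrete: nothing in Verify can tell that Cognito has since revoked the token.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding

// Verifier caches a user pool's JWKS (<issuer>/.well-known/jwks.json) and refetches it once
// when a token carries a kid it has not cached, which is how Cognito key rotation shows up.
type Verifier struct {
	Issuer    string
	ClientIDs map[string]bool        // Cognito access tokens carry client_id rather than aud
	Fetch     func() ([]byte, error) // HTTP GET of the JWKS in production; stubbed in RotationDemo
	keys      map[string]*rsa.PublicKey
}

func (v *Verifier) refresh() error {
	var doc struct{ Keys []map[string]string `json:"keys"` }
	if raw, err := v.Fetch(); err != nil || json.Unmarshal(raw, &doc) != nil {
		return errors.New("JWKS fetch or parse failed")
	}
	v.keys = map[string]*rsa.PublicKey{}
	for _, k := range doc.Keys {
		n, errN := b64.DecodeString(k["n"])
		e, errE := b64.DecodeString(k["e"])
		if k["kty"] == "RSA" && errN == nil && errE == nil {
			v.keys[k["kid"]] = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
		}
	}
	return nil
}

// Verify makes the checks a local validator such as the API Gateway JWT authorizer can make:
// alg pinned to RS256, signature, iss, exp, and Cognito's token_use and client_id claims.
// Revocation is invisible here: a token revoked at Cognito still verifies until exp.
func (v *Verifier) Verify(token string, now time.Time) (map[string]any, error) {
	p := strings.Split(token, ".")
	var hdr struct{ Alg, Kid string }
	if hb, err := b64.DecodeString(p[0]); len(p) != 3 || err != nil || json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, errors.New("malformed token or alg not RS256") // rejects alg=none and HS256 key confusion
	}
	pub, ok := v.keys[hdr.Kid]
	if !ok && v.refresh() == nil { // unknown kid: refetch the JWKS exactly once
		pub, ok = v.keys[hdr.Kid]
	}
	if !ok {
		return nil, errors.New("unknown kid") // fail closed
	}
	sig, err := b64.DecodeString(p[2])
	sum := sha256.Sum256([]byte(p[0] + "." + p[1]))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, sum[:], sig) != nil {
		return nil, errors.New("signature invalid")
	}
	var c map[string]any
	if pb, err := b64.DecodeString(p[1]); err != nil || json.Unmarshal(pb, &c) != nil {
		return nil, errors.New("bad payload")
	}
	exp, _ := c["exp"].(float64)
	cid, _ := c["client_id"].(string)
	if c["iss"] != v.Issuer || c["token_use"] != "access" || !v.ClientIDs[cid] || now.Unix() >= int64(exp) {
		return nil, errors.New("iss, token_use, client_id or exp rejected")
	}
	return c, nil
}

// Stand-ins for Cognito's signer and published JWKS, constructed for this example only.
type keyring map[string]*rsa.PrivateKey // kid -> private key

func genKey() *rsa.PrivateKey {
	k, _ := rsa.GenerateKey(rand.Reader, 2048)
	return k
}

func sign(priv *rsa.PrivateKey, kid string, claims map[string]any) string {
	h, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": kid})
	c, _ := json.Marshal(claims)
	unsigned := b64.EncodeToString(h) + "." + b64.EncodeToString(c)
	sum := sha256.Sum256([]byte(unsigned))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, sum[:])
	return unsigned + "." + b64.EncodeToString(sig)
}

func jwksDoc(keys keyring) []byte {
	var list []map[string]string
	for kid, k := range keys {
		list = append(list, map[string]string{"kid": kid, "kty": "RSA", "alg": "RS256", "use": "sig",
			"n": b64.EncodeToString(k.N.Bytes()), "e": b64.EncodeToString(big.NewInt(int64(k.E)).Bytes())})
	}
	out, _ := json.Marshal(map[string]any{"keys": list})
	return out
}

// RotationDemo verifies a token under kid-old, then one under kid-new that the cached JWKS does
// not list yet; the second succeeds only because Verify refetched the JWKS on the unknown kid.
func RotationDemo() error {
	oldKey, newKey := genKey(), genKey()
	published := keyring{"kid-old": oldKey}                               // what the hypothetical pool serves right now
	iss := "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE" // hypothetical pool
	v := &Verifier{Issuer: iss, ClientIDs: map[string]bool{"client-abc": true},
		Fetch: func() ([]byte, error) { return jwksDoc(published), nil }}
	claims := map[string]any{"iss": iss, "client_id": "client-abc", "token_use": "access",
		"sub": "user-1", "exp": time.Now().Add(5 * time.Minute).Unix()}
	if _, err := v.Verify(sign(oldKey, "kid-old", claims), time.Now()); err != nil {
		return err
	}
	published["kid-new"] = newKey // rotation: the pool now publishes kid-new and signs with it
	_, err := v.Verify(sign(newKey, "kid-new", claims), time.Now())
	return err
}
```

Two design points carry over to any custom Lambda authorizer: the refetch happens at most once per unknown kid, so a flood of tokens with bogus kids cannot turn your authorizer into a JWKS-fetching DoS client against Cognito, and the algorithm is pinned before any key is looked up, so a header claiming HS256 cannot coerce the verifier into treating the public key as an HMAC secret.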
Symptom → mechanism → AWS control
| Production symptom | Mechanism | AWS control |
|---|---|---|
| Auth latency dominates p99 | A round trip to the authorization server on every request | API Gateway JWT authorizer, which validates against a JWKS it caches |
| Stale revoked tokens accepted | Local JWT validation cannot see revocation; a revoked token passes until exp | Short access-token TTL (5–15 min) plus RevokeToken on logout and compromise; for endpoints that must react at once, a Lambda authorizer that presents the token to Cognito (GetUser) |
| JWKS fetch failures | The authorizer cannot verify the signature without the key | API Gateway's built-in JWKS cache; in custom validators, cache keys by kid and refetch once on an unknown kid, then fail closed (Cognito is a regional managed service, so there is no multi-AZ pool setting to tune) |
Opinionated take: Default to API Gateway JWT authorizers with 5-minute access tokens; reserve a live check (RFC 7662 introspection, or GetUser against Cognito) for opaque tokens and for operations that must honor a revocation immediately.
Benchmark pattern (hypothetical workload, not a measurement): API Gateway HTTP API with JWT authorizer (local validation) handles 8K auth checks/sec at 0.3ms overhead; a per-request live check against the authorization server adds 12ms p99 per request at 2K RPS before any caching layer.
Decision matrix
| Approach | Latency | Revocation |
|---|---|---|
| JWT local validate | Low (no network call) | Only at expiry; keep the TTL short and revoke the refresh token so no new access token is minted |
| Introspection | Higher (one AS round trip per request) | Immediate if the AS answers active: false for revoked tokens (RFC 7662) |
| API Gateway JWT authorizer | Validated at the gateway, no backend call | Cognito access-token lifetime; revocation is not checked |
Opinionated take: Short-lived access tokens (5–15 min) + local JWKS validation for APIs; introspection for high-risk admin actions only.
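The introspection side, as an added example rather than code from the page or from AWS: an RFC 7662 client in Go that authenticates to the authorization server with the resource server's own credentials, fails closed on any error, and caches only positive answers for a configurable TTL, next to a constructed mock authorization server so it runs offline. Cognito user pools do not offer an RFC 7662 endpoint, so the mock stands in for a third-party AS (or for a thin wrapper around Cognito's GetUser); the endpoint path, the client credentials and the token value are all made up. The demo shows what the decision matrix states: with a 60-second positive cache a freshly revoked token is still accepted inside the TTL, while the TTL-0 instance you would reserve for high-risk admin actions refuses it on the very next request.

```go
package main

import (
	"crypto/sha256"
	"encoding/json"
	"errors"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
	"sync"
	"time"
)

// Result is the subset of an RFC 7662 section 2.2 response the API acts on.
type Result struct {
	Active bool   `json:"active"`
	Scope  string `json:"scope,omitempty"`
	Sub    string `json:"sub,omitempty"`
}

// Introspector POSTs token=... to the AS (RFC 7662 section 2.1) with the resource server's own
// credentials, fails closed on any error, and caches only positive answers for TTL. A revoked
// token is therefore refused at most TTL after revocation; TTL=0 makes every call a live check.
type Introspector struct {
	Endpoint, ClientID, Secret string
	TTL                        time.Duration
	Client                     *http.Client
	mu                         sync.Mutex
	cache                      map[string]entry // keyed by SHA-256 of the token, never the raw token
}

type entry struct {
	res   Result
	until time.Time
}

func (i *Introspector) Introspect(token string, now time.Time) (Result, error) {
	sum := sha256.Sum256([]byte(token))
	key := string(sum[:])
	i.mu.Lock()
	e, hit := i.cache[key]
	i.mu.Unlock()
	if hit && now.Before(e.until) {
		return e.res, nil
	}
	form := url.Values{"token": {token}, "token_type_hint": {"access_token"}}
	req, _ := http.NewRequest(http.MethodPost, i.Endpoint, strings.NewReader(form.Encode()))
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	req.SetBasicAuth(i.ClientID, i.Secret)
	resp, err := i.Client.Do(req)
	if err != nil {
		return Result{}, err
	}
	defer resp.Body.Close()
	var res Result
	if resp.StatusCode != http.StatusOK || json.NewDecoder(resp.Body).Decode(&res) != nil {
		return Result{}, errors.New("introspection failed") // fail closed: never assume active
	}
	if res.Active && i.TTL > 0 {
		i.mu.Lock()
		if i.cache == nil {
			i.cache = map[string]entry{}
		}
		i.cache[key] = entry{res, now.Add(i.TTL)}
		i.mu.Unlock()
	}
	return res, nil
}

// MockAS is a constructed stand-in for an RFC 7662-capable authorization server: tokens in live
// are active; deleting one models revocation, after which the AS answers {"active": false}.
type MockAS struct {
	mu    sync.Mutex
	live  map[string]Result
	calls int
}

func (m *MockAS) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	if u, p, ok := r.BasicAuth(); !ok || u != "orders-api" || p != "rs-secret" {
		w.WriteHeader(http.StatusUnauthorized) // section 2.1: introspection callers must authenticate
		return
	}
	_ = r.ParseForm()
	m.mu.Lock()
	defer m.mu.Unlock()
	m.calls++
	res, ok := m.live[r.PostForm.Get("token")]
	if !ok {
		res = Result{Active: false} // unknown, expired or revoked all look the same to the caller
	}
	_ = json.NewEncoder(w).Encode(res)
}

// RevocationLagDemo introspects a token through a 60-second positive cache and through a TTL-0
// instance, revokes it, and checks both again 10 seconds later. It returns whether the cached path
// still accepts the token, whether the live path now refuses it, and how many AS round trips occurred.
func RevocationLagDemo() (cachedStillAccepts, liveRefuses bool, roundTrips int) {
	as := &MockAS{live: map[string]Result{"tok-1": {Active: true, Scope: "orders:read admin", Sub: "u1"}}}
	srv := httptest.NewServer(as)
	defer srv.Close()
	mk := func(ttl time.Duration) *Introspector {
		return &Introspector{Endpoint: srv.URL + "/oauth2/introspect", ClientID: "orders-api",
			Secret: "rs-secret", TTL: ttl, Client: srv.Client()}
	}
	cached, live := mk(60*time.Second), mk(0)
	t0 := time.Now()
	r1, _ := cached.Introspect("tok-1", t0) // round trip 1, answer cached until t0+60s
	r2, _ := live.Introspect("tok-1", t0)   // round trip 2, nothing cached
	as.mu.Lock()
	delete(as.live, "tok-1") // revocation at the AS
	as.mu.Unlock()
	r3, _ := cached.Introspect("tok-1", t0.Add(10*time.Second)) // cache hit: revocation not yet visible
	r4, _ := live.Introspect("tok-1", t0.Add(10*time.Second))   // round trip 3: active=false
	as.mu.Lock()
	defer as.mu.Unlock()
	return r1.Active && r3.Active, r2.Active && !r4.Active, as.calls
}
```

The cache is deliberately positive-only: a negative answer is the one you never want to serve stale, and caching it would also let a transient AS error lock a valid user out for the TTL. The same split applies when you put a cache in front of Cognito's GetUser: the TTL you choose is exactly the revocation lag you are accepting.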
AWS wiring
- HTTP API JWT authorizer: issuer set to https://cognito-idp.<region>.amazonaws.com/<userPoolId> and audience set to the app client ID(s); API Gateway accepts the value from either aud or client_id, which matters because Cognito access tokens carry client_id, not aud
- Lambda authorizer: custom claims, Cedar policies evaluated through Amazon Verified Permissions
- mTLS: separate track for B2B
AWS services map
| Need | Service | Skip when |
|---|---|---|
| Local JWT validation | API Gateway JWT authorizer | Opaque tokens with no public JWKS |
| User pool + federation | Cognito User Pools | Internal service-to-service IAM SigV4 only |
| Live token check (opaque tokens, immediate revocation) | Lambda authorizer calling Cognito GetUser or the AS's RFC 7662 endpoint | Standard OIDC JWT with a short TTL |
What to do this week
- Keep token revocation enabled on each Cognito app client (EnableTokenRevocation, on by default for new clients) and call RevokeToken with the refresh token on logout and on credential compromise.
- Cache the JWKS keyed by kid; on an unknown kid refetch once, then fail closed rather than retrying on every request.
- Map scopes and groups to Cedar policies in Amazon Verified Permissions for new services (Cedar, not IAM policy syntax).
More in This Track
Part of the Engineering Guides library (June 2026).
What this guide doesn’t cover
Rate limiting—part 2 of API track.
AWS Cloud Architect & AI Expert
AWS-certified cloud architect and AI expert with deep expertise in cloud migrations, cost optimization, and generative AI on AWS.