Local JWT validation is fast until revocation lags bite you. When to introspect at Cognito, use API Gateway JWT authorizers, and add Verified Permissions for fine-grained authz.
June 2026 AWS announcements — Console Private Access without internet (June 15), EC2 M9g/M9gd Graviton5 GA, Claude Fable 5 GA, FinOps Agent preview, Cost Explorer Analyze with Amazon Q, Bedrock console redesign, Cognito multi-Region replication, and GPT-5.4 in GovCloud.
Cognito is fine until you need it to do something it wasn't designed for — and then it's a multi-quarter rewrite. User pools, hosted UI, multi-tenant patterns, and the architecture decisions that determine whether Cognito fits your SaaS or you should look at Auth0.
