AWS Cognito usually responds with 3 JWTs (IdToken, AccessToken and RefreshToken) for each successful login request. There is a fair chance that your application would use these tokens to
- secure API requests.
- manage permissions/roles based authorization to the resources.
- meet other custom authorization requirements.

IdToken and AccessToken are verified for such purposes, but not RefreshToken. It is there just to refresh the session.

IdToken and AccessToken have some common as well as unique claims, so it's 100% your own choice to decide where to verify which token according to your use case.
More on using Tokens here
Find Cognito JWT Verification Algorithm here 👉 github-gist
You can use the same algorithm with minor additions/deletions to verify both IdToken and AccessToken. This algorithm is written in TypeScript and follows the steps described in the official Cognito guide here to verify the JWTs.
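
To show where the "minor additions/deletions" between the two tokens sit, here is an added example (not the code from the gist) of the claim checks that follow signature verification. It assumes the signature was already validated against the user pool's JWKS; the function name, types and sample values are hypothetical.

```typescript
// Added example: claim checks for a Cognito IdToken vs AccessToken.
// Assumes the JWT signature was already verified against the pool's JWKS.
type TokenUse = "id" | "access";

interface CognitoClaims {
  iss?: string;
  exp?: number;
  token_use?: string;
  aud?: string;       // app client id, present on the IdToken
  client_id?: string; // app client id, present on the AccessToken
  [claim: string]: unknown;
}

interface Expected {
  region: string;
  userPoolId: string;
  appClientId: string;
  tokenUse: TokenUse;
}

// Returns a list of failed checks; an empty list means the claims are acceptable.
function verifyCognitoClaims(claims: CognitoClaims, expected: Expected, nowSeconds: number): string[] {
  const errors: string[] = [];
  const issuer = `https://cognito-idp.${expected.region}.amazonaws.com/${expected.userPoolId}`;

  if (typeof claims.exp !== "number" || claims.exp <= nowSeconds) errors.push("expired or missing exp");
  if (claims.iss !== issuer) errors.push("unexpected iss");
  // Rejects an AccessToken presented where an IdToken is required, and vice versa.
  if (claims.token_use !== expected.tokenUse) errors.push("wrong token_use");

  // The only per-token difference: the app client id lives in a different claim.
  const clientClaim = expected.tokenUse === "id" ? claims.aud : claims.client_id;
  if (clientClaim !== expected.appClientId) errors.push("app client mismatch");
  return errors;
}

// Constructed sample values, not real pool or client ids.
const expectedBase = { region: "us-east-1", userPoolId: "us-east-1_EXAMPLE", appClientId: "exampleclientid" };
const sampleIssuer = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE";
const sampleIdClaims: CognitoClaims = { iss: sampleIssuer, exp: 2000, token_use: "id", aud: "exampleclientid" };
const sampleAccessClaims: CognitoClaims = { iss: sampleIssuer, exp: 2000, token_use: "access", client_id: "exampleclientid" };
```

Pass the current Unix time in seconds as nowSeconds; keeping it a parameter makes the expiry check testable.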