How to verify accessToken in node/express using aws-amplify?

AWS actually has this documented pretty well. I have written a gist on a middleware I wrote to validate AWS Cognito tokens in my express.js server.

Essentially, when you create a User Pool in Amazon, AWS creates a JSON Web Key (JWK). The JWT contains a public key you can use to verify the signature of a JWT.

At a high level in Javascript:

import jwt from "jsonwebtoken";

const authToken = getJwtFromHeader(request);

// please remember to verify the "iss" claim and "exp" claim!

// convert a jwk to a PEM for use by OpenSSL or crypto
const jwk = getJwkFromAWS();
const pem = jwkToPem(jwk);

// verify the signature of the token using the public key from AWS
await jwt.verify(authToken, pem, {algorithms: ['RS256']}, (err, decoded) =>{
  console.log('decoded', decoded);
  // TODO -- verify claims from decoded token

My GIST for a full express.js implementation:

AWS Resources:

Unfortunately, the aws-amplify SDK doesn't provide that functionality. For that reason, I've created an npm package to handle it.

How it works

Authentication flow

The package exposes:

  • authenticate: An Express middleware that can be added to any route that needs to be authenticated against a Cognito User Pool.
  • authenticationError: An Express error handler that takes care of any authentication errors generated by the authenticate middleware.
  • JWTValidator: A class that can be instantiated to validate JWTs issued by Cognito. This is useful if you need a custom authentication and error handling logic. The authenticate middleware uses it internally.

Features included

  • JWT signature verification.
  • JWT claims verification.
  • Verify that the token is not expired.
  • Verify that the audience (aud) claim matches one of the valid audiences provided in the configuration.
  • Verify that the issuer (iss) claim is valid for the configured user pool.
  • Verify that the token_use claim matches one of the valid token uses provided in the configuration.
  • Support for JWKs rotation as per described in the JWT signing key rotation thread.
  • Ability to set custom pems for local testing without the need of creating a User Pool.

Basic usage

// app.js
'use strict';

const express = require('express');
const { authenticate, authenticationError } = require('aws-cognito-express');

const app = express();

// Add the authentication middleware.
  region: 'us-east-2',
  userPoolId: 'us-east-2_6IfDT7ZUq',
  tokenUse: ['id', 'access'],
  audience: ['55plsi2cl0o267lfusmgaf67pf']

// Protected route.
app.get('/articles', (req, res, next) => {
  console.log('JWT payload: ', req.cognito);

// Add the authentication error handler.

module.exports = app;

For more advanced use cases, please check the docs here.

Unfortunately, there is no such method available in official aws-amplify SDK. After doing a lot of research I had to write my own middleware for that. This is not that difficult as it may seem but the only difficult part is to gather the right information from the huge AWS documentation.

I 've written this middleware to achieve the same, Hope this helps

import axios from 'axios'
import awsconfig from '../../aws-exports';

const COGNITO_URL = `https://cognito-idp.${awsconfig.aws_project_region}`;

const authentication = async (req, res, next) => {
    try {
        const accessToken = req.headers.authorization.split(" ")[1];

        const { data } = await
                AccessToken: accessToken
                headers: {
                    "Content-Type": "application/x-amz-json-1.1",
                    "X-Amz-Target": "AWSCognitoIdentityProviderService.GetUser"

        req.user = data;
    } catch (error) {
        return res.status(401).json({
            message: 'Auth failed'

export default authentication;

This middleware takes the authorization header and verifies the incoming accessToken using AWS Cognito REST API.

In order to get accessToken on your front-end you can do something like this:

const { accessToken: { jwtToken } } = await Auth.currentSession();

This jwtToken is your accessToken you can send this in your Authorization header and then verify this in the backend using the middleware I've written.