2.1.2 Bearer Tokens

JWT (JSON Web Token)

A JWT consists of 3 parts, separated by dots:

Header.Payload.Signature

eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJ1c2VyLTEyMyJ9.signature
Part        Contents
Header      Algorithm (RS256), token type (JWT), key ID (kid) naming the JWKS key that signed it
Payload     Claims: sub, email, iss, exp, iat, custom claims
Signature   Verifies token integrity (header and payload are only base64url-encoded, not encrypted)

Token Validation

1. Decode JWT (base64url, three segments)
2. Verify signature (public key from the Cognito JWKS endpoint, <iss>/.well-known/jwks.json, chosen by the header's kid; pin the expected algorithm instead of trusting the header's alg)
3. Check expiration (exp claim)
4. Check issuer (iss claim = Cognito User Pool URL)
5. Check audience (aud claim = App Client ID for ID tokens; Cognito access tokens carry it in client_id instead, and token_use tells the two apart)
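The five steps above, and the header.payload.signature layout, as one added example (not code from the original notes or from AWS). It is stdlib-only so it runs offline: Cognito really signs with RS256 and publishes RSA public keys in its JWKS, but here the per-kid keys are HS256 shared secrets standing in for those public keys; the User Pool URL, App Client ID, kid values and sample claims are all constructed. The claim checks and the alg/kid handling are exactly what a validator for real Cognito tokens performs.

```python
"""Validate a Cognito-style JWT step by step: decode, signature, exp, iss, aud."""
import base64
import hashlib
import hmac
import json
import time

# Constructed stand-ins for a real User Pool; pool ID and client ID are hypothetical.
ISSUER = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE"
APP_CLIENT_ID = "1example23456789"

# Cognito publishes RSA public keys, each tagged with a kid, at
# {iss}/.well-known/jwks.json and signs with RS256. To stay stdlib-only and
# offline, this example selects by kid the same way but uses HS256 shared
# secrets in place of the RSA keys; every claim check below is unchanged.
JWKS = {
    "kid-2024-a": b"constructed-secret-a",
    "kid-2024-b": b"constructed-secret-b",
}
ALG = "HS256"  # pinned: a validator decides the algorithm, never the token


def b64url_decode(s: str) -> bytes:
    # JWT segments drop '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def sign(signing_input: str, key: bytes) -> bytes:
    return hmac.new(key, signing_input.encode(), hashlib.sha256).digest()


def make_token(claims: dict, kid: str = "kid-2024-a", alg: str = ALG) -> str:
    """Issue a token the way a signer would; used here only to build inputs."""
    header = {"alg": alg, "typ": "JWT", "kid": kid}
    signing_input = (b64url_encode(json.dumps(header).encode()) + "."
                     + b64url_encode(json.dumps(claims).encode()))
    return signing_input + "." + b64url_encode(sign(signing_input, JWKS[kid]))


def validate_token(token: str, issuer: str = ISSUER,
                   audience: str = APP_CLIENT_ID, now=None) -> dict:
    """Run the five steps; return the claims or raise ValueError naming the failed step."""
    now = time.time() if now is None else now

    # 1. Decode: exactly three base64url segments.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("decode: expected header.payload.signature")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    claims = json.loads(b64url_decode(payload_b64))

    # 2. Signature: reject any alg other than the pinned one (this is what
    #    stops alg=none), pick the key by kid, compare in constant time.
    if header.get("alg") != ALG:
        raise ValueError(f"signature: unexpected alg {header.get('alg')!r}")
    key = JWKS.get(header.get("kid"))
    if key is None:
        raise ValueError("signature: unknown kid")
    expected = sign(header_b64 + "." + payload_b64, key)
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature: mismatch")

    # 3. Expiration: exp is a Unix timestamp and must lie in the future.
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise ValueError("exp: missing or expired")

    # 4. Issuer must be this User Pool's URL, not merely "some Cognito pool".
    if claims.get("iss") != issuer:
        raise ValueError("iss: mismatch")

    # 5. Audience: ID tokens carry the App Client ID in aud; Cognito access
    #    tokens carry it in client_id instead.
    if claims.get("aud", claims.get("client_id")) != audience:
        raise ValueError("aud: mismatch")
    return claims


def check(token: str, **kwargs):
    """Return None when the token is valid, otherwise the failing step's message."""
    try:
        validate_token(token, **kwargs)
        return None
    except ValueError as exc:
        return str(exc)


def tamper(token: str, new_claims: dict) -> str:
    """Swap the payload but keep the old signature (the naive forgery attempt)."""
    header_b64, _, sig_b64 = token.split(".")
    return header_b64 + "." + b64url_encode(json.dumps(new_claims).encode()) + "." + sig_b64


if __name__ == "__main__":
    good = {"sub": "user-123", "iss": ISSUER, "aud": APP_CLIENT_ID,
            "iat": 1_700_000_000, "exp": 1_700_003_600}
    tok = make_token(good)
    print("valid sub:", validate_token(tok, now=1_700_000_100)["sub"])
    print("tampered:", check(tamper(tok, dict(good, sub="admin")), now=1_700_000_100))
    print("expired: ", check(tok, now=1_700_003_600))
    print("alg none:", check(make_token(good, alg="none"), now=1_700_000_100))
```

The `now` parameter exists so the checks are deterministic; a real service passes the current time (the default) and, to tolerate clock skew, may allow a small leeway on exp, never an unbounded one. Key material should be fetched from the JWKS URL once and cached by kid, refetching only when an unknown kid appears, so that a rotated key does not turn into a request to Cognito on every call.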

API Gateway + Cognito Authorizer

Client → API Gateway → Cognito Authorizer → Validate JWT
                                           → Extract claims
                                           → Allow/Deny
  • The Cognito Authorizer validates the JWT automatically (signature against the pool's JWKS, exp, iss, aud)
  • Claims are available in $context.authorizer.claims for mapping templates and integrations
  • No custom code needed; with no OAuth scopes configured on the method it expects an ID token, with scopes configured it expects an access token and checks the scopes

Token Refresh Flow

Access Token expired → Use Refresh Token → Cognito → New Access + ID Tokens
  • Access Token: short-lived (default 1 hour, configurable from 5 minutes to 1 day)
  • Refresh Token: long-lived (default 30 days, configurable up to 10 years)
  • The Refresh Token is revoked when the user signs out (GlobalSignOut); already-issued access and ID tokens still verify as valid JWTs until their exp, so a stateless check such as the API Gateway authorizer keeps accepting them for up to the access token lifetime

Exam Tip: JWT = stateless authentication. API Gateway Cognito Authorizer = simplest way to validate a JWT. No Lambda authorizer is needed if you only use Cognito; reach for a Lambda authorizer only when you need custom logic (non-Cognito tokens, revocation lookups, fine-grained IAM policies).