---
title: OAuth2 Token Introspection vs JWT Validation on Cognito and API Gateway
description: Local JWT validation is fast until revocation lags bite you. When to introspect at Cognito, use API Gateway JWT authorizers, and add Verified Permissions for fine-grained authz.
url: https://www.factualminds.com/blog/oauth2-introspection-vs-jwt-validation-cognito-api-gateway/
datePublished: 2026-06-12T00:00:00.000Z
dateModified: 2026-06-12T00:00:00.000Z
author: Palaniappan P
category: Cloud Architecture
tags: engineering-guide, security, api-gateway, cognito, aws
---

# OAuth2 Token Introspection vs JWT Validation on Cognito and API Gateway

> Local JWT validation is fast until revocation lags bite you. When to introspect at Cognito, use API Gateway JWT authorizers, and add Verified Permissions for fine-grained authz.

**Amazon Cognito (June 2026)** issues **JWT access tokens**—validate them locally against the pool's JWKS (`/.well-known/jwks.json`) for low latency. **Introspection** (RFC 7662) hits the authorization server on each request—slower, but with immediate revocation awareness if the AS supports it.

## Decision matrix

| Approach                   | Latency         | Revocation                                |
| -------------------------- | --------------- | ----------------------------------------- |
| JWT local validate         | Low             | Until expiry (unless short TTL + refresh) |
| Introspection              | Higher          | Real-time if AS honors `active: false`    |
| API Gateway JWT authorizer | Edge validation | Cognito token lifetime                    |

**Opinionated take:** **Short-lived access tokens (5–15 min)** + local JWKS validation for APIs; introspection for high-risk admin actions only.

## AWS wiring

- **HTTP API JWT authorizer** — `issuer`, `audience` from Cognito pool
- **Lambda authorizer** — custom claims, Cedar via **Verified Permissions**
- **mTLS** — separate track for B2B

## What to do this week

1. Enable Cognito token revocation API where required.
2. Cache JWKS with kid rotation handling.
3. Map scopes to IAM-style policies in Verified Permissions for new services.
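
The local-validation path from the opening paragraph together with step 2 (JWKS cache with kid rotation handling), as an added example that is not from the original post. It assumes Cognito's access-token claim layout (`iss`, `client_id`, `token_use`, `exp`); the JWKS documents and secrets are constructed, and symmetric "oct" JWKs stand in for Cognito's RS256 keys so the block runs on the standard library alone.

```python
import base64, hashlib, hmac, json, time

# Constructed JWKS documents standing in for /.well-known/jwks.json before and after a key
# rotation. Cognito publishes RSA keys; "oct" JWKs are used so this runs on the stdlib alone.
JWKS_OLD = {"keys": [{"kty": "oct", "kid": "kid-2025", "k": "b2xkLXNlY3JldA"}]}
JWKS_NEW = {"keys": [{"kty": "oct", "kid": "kid-2026", "k": "bmV3LXNlY3JldA"}]}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

class JwksCache:
    # Keys by kid; an unknown kid triggers one refetch (rotation), then fails closed.
    def __init__(self, fetch):
        self.fetch, self.keys, self.fetches = fetch, {}, 0

    def key(self, kid: str) -> dict:
        if kid not in self.keys:
            self.fetches += 1
            self.keys = {k["kid"]: k for k in self.fetch()["keys"]}
        if kid not in self.keys:
            raise ValueError(f"unknown kid {kid!r}")  # rotated out or forged
        return self.keys[kid]

def _sign(jwk: dict, signing_input: str) -> bytes:
    return hmac.new(_unb64url(jwk["k"]), signing_input.encode(), hashlib.sha256).digest()

def mint(claims: dict, jwk: dict) -> str:
    # Constructed token issuer so the example has something to validate.
    header = _b64url(json.dumps({"alg": "HS256", "kid": jwk["kid"]}).encode())
    body = _b64url(json.dumps(claims).encode())
    return f"{header}.{body}.{_b64url(_sign(jwk, f'{header}.{body}'))}"

def validate(token: str, cache: JwksCache, issuer: str, client_id: str, now=None) -> dict:
    # Local validation: signature via cached JWKS, then iss / client_id / token_use / exp.
    header_b64, body_b64, sig_b64 = token.split(".")
    header = json.loads(_unb64url(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never trust alg from the token alone
        raise ValueError("unexpected alg")
    jwk = cache.key(header["kid"])
    if not hmac.compare_digest(_sign(jwk, f"{header_b64}.{body_b64}"), _unb64url(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64url(body_b64))
    # Cognito access tokens carry client_id (not aud) and token_use == "access".
    if (claims.get("iss") != issuer or claims.get("client_id") != client_id
            or claims.get("token_use") != "access"):
        raise ValueError("wrong iss, client_id or token_use")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("expired")  # revocation only shows up here, once the short TTL lapses
    return claims
```

A forged or rotated-out `kid` costs exactly one JWKS refetch before the request is rejected, which is the behaviour you want under a key-rollover or a probing client.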

## What this guide doesn't cover

Rate limiting—covered in part 2 of the API track.

---

*Source: https://www.factualminds.com/blog/oauth2-introspection-vs-jwt-validation-cognito-api-gateway/*
