AWS Cognito JWT Auth

Validate AWS Cognito Auth JWTs

Overview

This n8n node verifies and decodes AWS Cognito JWT (JSON Web Token) access tokens. It is designed to authenticate users by validating their Cognito-issued JWTs, typically received from a webhook or API request. The node fetches the necessary public keys (JWKS) for the specified Cognito User Pool and region, checks the token's validity (with an option to ignore expiration), and extracts user information from the token.

Common scenarios:

  • Authenticating users in workflows triggered by webhooks where the JWT is provided in the request headers.
  • Validating access tokens before allowing further workflow execution.
  • Extracting user details from a Cognito JWT for use in subsequent workflow steps.

Practical example:
A workflow receives a webhook with an authorization header containing a Cognito JWT. This node validates the token, extracts the user's identity, and makes it available for downstream processing (e.g., personalized responses, access control).

Properties

Name                     Type     Meaning
Cognito Region           String   AWS region where the Cognito User Pool is hosted (e.g., us-east-1).
Cognito User Pool ID     String   Identifier of the AWS Cognito User Pool whose tokens are being validated.
Cognito Access Token     String   The JWT access token to validate and decode. Typically sourced from the authorization HTTP header.
Ignore JWT Expiration?   Boolean  If true, the node will not fail on expired JWTs; otherwise, expiration is enforced during validation.

Output

The node outputs an object with the following structure in the json field:

{
  "user": { /* Decoded user information from the JWT */ },
  "body": { /* Original input body, if present */ }
}

  • user: Contains the decoded user claims extracted from the JWT (such as sub, email, etc.).
  • body: Passes through the original input data's body property, if available.

If an error occurs during validation or decoding, the output will be:

{
  "error": { /* Error details */ }
}

Dependencies

  • AWS Cognito: Requires a valid Cognito User Pool ID and region.
  • JWT Access Token: Must be provided, typically via the authorization header.
  • No explicit API key is required, but the node must be able to reach AWS Cognito's JWKS endpoint.

Troubleshooting

Common issues:

  • Invalid or missing JWT: If the access token is malformed or absent, the node will return an error.
  • Expired JWT: If the token is expired and "Ignore JWT Expiration?" is false, validation will fail.
  • Incorrect User Pool ID or Region: Mismatched pool ID/region will prevent fetching the correct JWKS, causing validation errors.
  • Network issues: Failure to fetch JWKS due to connectivity problems.

Error messages:

  • "invalid signature" or "jwt expired": The token's signature does not verify against the pool's JWKS, or the token is past its expiration time.
  • "Cannot read properties of undefined" (or similar): May occur if expected input fields are missing.

Resolution:

  • Ensure all required properties are correctly set.
  • Confirm the JWT is valid and unexpired (unless ignoring expiration).
  • Verify network connectivity to AWS endpoints.