AWS Cognito JWT Debugger

Decode Cognito ID and access tokens with cognito:groups, custom attributes, and tenant claims.

shield

Private: Decoding, analysis, signature verification, and token generation all run in your browser. Nothing is sent to any server, except a JWKS URL you explicitly enter and click Verify on.

At a glance

Groups claim
cognito:groups (string array)
Username claim
cognito:username
Custom attributes prefix
custom:
Token use
token_use (id | access)
Default algorithm
RS256

Cognito doesn't have a built-in tenant claim — multi-tenant Cognito apps either prefix tenant data with `custom:` (e.g. `custom:tenant_id`) or run a separate user pool per tenant. This debugger highlights `cognito:groups` (Cognito's built-in role/group claim) and any `custom:*` attributes you've defined, so you can confirm your tenant scoping is in place.

The cognito: namespace

Cognito reserves the `cognito:` prefix for its built-in claims: `cognito:groups`, `cognito:username`, `cognito:roles`, etc. Your own claims must use the `custom:` prefix.

This is enforced at the user pool schema level. You define each `custom:` attribute in the pool's schema, set its type and mutability, and only then can it be written. The constraint protects you from typo bugs (`custom:tennant_id` would be rejected) but means schema changes require redeploying the pool.

Frequently asked questions

How do I store tenant_id in a Cognito JWT?expand_more
Define a custom attribute on the user pool, e.g. `custom:tenant_id`. Set it via the Admin API or during signup. It will appear in the JWT prefixed with `custom:` (so the JWT key is literally `custom:tenant_id`). Your backend reads it the same way as any other claim.
Should I use one user pool per tenant or one pool with custom attributes?expand_more
Both are valid. One pool with `custom:tenant_id` is simpler and lets users belong to multiple tenants by storing an array attribute. One pool per tenant gives you stronger isolation (separate user spaces, separate password policies) but requires routing logic to pick the pool at login. Use multiple pools if regulatory isolation matters; use one pool otherwise.
What's the difference between an ID token and an access token?expand_more
Cognito issues both for each authenticated session. The ID token is meant for the client (carries identity claims like `email`); the access token is meant for APIs (carries `cognito:groups` and `scope`). Most authorization middleware should validate the access token, not the ID token.
Can I rename cognito:groups?expand_more
No — the prefix is fixed. If you want a friendlier claim name on the verifier side, alias it in your authorization library (`role: token["cognito:groups"]`) rather than trying to rename it in the token.

Related guides

Firebase JWT Debugger
Decode Firebase Auth tokens with firebase.tenant, sign_in_provider, and custom claims.
Auth0 Multi-Tenant JWT Debugger
Decode Auth0 access and ID tokens with Organizations, namespaced custom claims, and RBAC permissions.
tenant_id vs sub: where to put tenant context in a JWT
Why conflating tenant identity with user identity in the sub claim is a multi-tenant anti-pattern, and the conventions that work instead.

Related Tools

vpn_key

JWT Decoder

Decode and inspect JWT tokens — header, payload, timestamps.

terminal

Base64

Encode and decode Base64 strings instantly.

tag

Hash Generator

Generate MD5, SHA-1, SHA-256, and SHA-512 hashes from text or files. Supports HMAC authentication codes.

fingerprint

UUID Generator

Generate random UUID v4 identifiers. Bulk generate up to 100 UUIDs, toggle uppercase/lowercase and hyphen formatting.

code

JSON Formatter

Clean, minify, and validate JSON data structures.