AWS Cognito JWT Verification

afrazkhan

Afraz Khan

Posted on February 19, 2022

AWS Cognito usually responds with 3 JWTs (IDToken, AccessToken, RefreshToken) for each successful login request. There is a fair chance that your application will use these tokens to

  • secure API requests,
  • manage permission- or role-based authorization to resources,

and meet other custom authorization requirements.

Usually, the IDToken and AccessToken are verified for such purposes, but not the RefreshToken; it is there just to refresh the session.

Both IDToken and AccessToken have some common as well as unique claims, so it's 100% your own choice to decide where to verify which token according to your use case.

More on using Tokens here

Find Cognito JWT Verification Algorithm here 👉 github-gist

You can use the same algorithm, with minor additions/deletions, to verify both IDToken & AccessToken. It is written in TypeScript and follows the steps described in the official Cognito guide here for verifying JWTs.

cheers :)
