AWS Cognito: What's the difference between Access and Identity tokens?

青春惊慌失措 2021-02-03 22:32

Just reading the docs, they seem very similar to me, so I can't really discern why to use one over the other. Although the identity token seems better since it has custom attributes.

1 answer
  • 2021-02-03 22:57

    The id_token is for your application to process, so you can get all the personal details for your user, like their name, age, email address etc. Generally speaking you shouldn't send this token anywhere else as it contains sensitive user data.

    The access_token is used to call other 'external' services (and by external I include other AWS services - these are often called over http). It provides service access authorisation for your user without having to include their personal details.

    On the face of it this appears slightly confusing, as you can actually use the id_token to access services in the same way as the access_token. However, good practice is to use the access_token in this circumstance, and if backend services need user data, they should look it up themselves in Cognito.

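An added example, not part of the original answer: a backend-side check that accepts only an access token and refuses an ID token, using the `token_use` claim that Cognito user pool tokens carry. The issuer, client id, scope and user values are constructed placeholders, and the claims are assumed to come from a JWT whose signature has already been verified.

```python
import time

# Constructed values: pool id, client id, scope and user data are placeholders.
ISSUER = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE"
CLIENT_ID = "example-app-client-id"

# Constructed claim sets shaped like Cognito user pool tokens.
ID_CLAIMS = {
    "iss": ISSUER, "aud": CLIENT_ID, "token_use": "id", "sub": "user-1234",
    "exp": 2_000_000_000, "email": "jane@example.com", "name": "Jane Doe",
    "custom:tier": "gold",
}
ACCESS_CLAIMS = {
    "iss": ISSUER, "client_id": CLIENT_ID, "token_use": "access",
    "sub": "user-1234", "exp": 2_000_000_000, "scope": "orders-api/read",
}

# Illustrative list of profile claims, not exhaustive.
PROFILE_CLAIMS = {"name", "email", "phone_number", "birthdate", "address"}


class TokenRejected(Exception):
    pass


def authorize_api_call(claims, required_scope, now=None):
    """Return the caller's sub if claims describe a usable access token.

    claims must come from a JWT whose signature was already verified
    against the user pool's published keys; that step is not shown here.
    """
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER:
        raise TokenRejected("wrong issuer")
    if claims.get("token_use") != "access":
        raise TokenRejected("not an access token")
    if claims.get("client_id") != CLIENT_ID:
        raise TokenRejected("wrong app client")
    if claims.get("exp", 0) <= now:
        raise TokenRejected("expired")
    if required_scope not in claims.get("scope", "").split():
        raise TokenRejected("missing scope")
    return claims["sub"]


def personal_fields(claims):
    """Names of claims that carry user profile data."""
    return sorted(k for k in claims
                  if k in PROFILE_CLAIMS or k.startswith("custom:"))
```

`personal_fields` shows the other half of the distinction: the sample ID token exposes profile and custom attributes, while the sample access token exposes none.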