
How do I verify a JWT from AWS Cognito in an API backend?

Updated: 2023-02-16 14:53:59

Turns out I didn't read the docs right. It's explained here (scroll down to "Using ID Tokens and Access Tokens in your Web APIs").

The API service can download Cognito's secrets and use them to verify received JWTs. Perfect.

Edit

@Groady's comment is on point: but how do you validate the tokens? I'd say use a battle-tested library like jose4j or nimbus (both Java) for that and don't implement the verification from scratch yourself.

Here's an example implementation for Spring Boot using nimbus that got me started when I recently had to implement this in a Java/Dropwizard service.
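
As an added illustration (not code from the answer above or from the linked Spring Boot example), this is one way to verify a Cognito access token with Nimbus JOSE+JWT: it fetches the user pool's JWKS (the public signing keys), pins the algorithm to RS256, and checks issuer, `token_use`, `client_id` and expiry. The class name and the region, user pool ID and app client ID arguments are assumptions to be filled in for your pool.

```java
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.jwk.source.JWKSource;
import com.nimbusds.jose.jwk.source.RemoteJWKSet;
import com.nimbusds.jose.proc.JWSVerificationKeySelector;
import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.proc.ConfigurableJWTProcessor;
import com.nimbusds.jwt.proc.DefaultJWTClaimsVerifier;
import com.nimbusds.jwt.proc.DefaultJWTProcessor;

import java.net.URL;
import java.util.Arrays;
import java.util.HashSet;

// Hypothetical helper class; build it once at startup and reuse it per request.
public class CognitoAccessTokenVerifier {
    private final ConfigurableJWTProcessor<SecurityContext> processor = new DefaultJWTProcessor<>();

    public CognitoAccessTokenVerifier(String region, String userPoolId, String appClientId) throws Exception {
        // The issuer URL also serves as the base of the pool's JWKS endpoint.
        String issuer = "https://cognito-idp." + region + ".amazonaws.com/" + userPoolId;
        JWKSource<SecurityContext> keys = new RemoteJWKSet<>(new URL(issuer + "/.well-known/jwks.json"));

        // Accept RS256 only, so a token declaring "none" or an HMAC algorithm is rejected.
        processor.setJWSKeySelector(new JWSVerificationKeySelector<>(JWSAlgorithm.RS256, keys));

        // Claims that must match exactly. Access tokens carry client_id;
        // ID tokens carry aud instead and have token_use "id".
        JWTClaimsSet exact = new JWTClaimsSet.Builder()
                .issuer(issuer)
                .claim("token_use", "access")
                .claim("client_id", appClientId)
                .build();
        // sub and exp must be present; the verifier also rejects expired tokens.
        processor.setJWTClaimsSetVerifier(
                new DefaultJWTClaimsVerifier<>(exact, new HashSet<>(Arrays.asList("sub", "exp"))));
    }

    // Returns the verified claims, or throws if the signature or any claim check fails.
    public JWTClaimsSet verify(String token) throws Exception {
        return processor.process(token, null);
    }

    public static void main(String[] args) throws Exception {
        // Usage: <region> <userPoolId> <appClientId> <token>
        CognitoAccessTokenVerifier verifier = new CognitoAccessTokenVerifier(args[0], args[1], args[2]);
        System.out.println("verified subject: " + verifier.verify(args[3]).getSubject());
    }
}
```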