Cognito user pools have the following limitations.
- Token expiration
  - Access tokens and ID tokens have a maximum expiration of 1 day (default 1 hour)
  - Refresh tokens expire 30 days after issue by default, but can be set to last 10 years
  - There is no way to revoke access tokens or ID tokens; they are valid until they expire
  - You can revoke refresh tokens using the `globalSignOut` operation
- Implicit flow
  - Does not return a refresh token, per standard
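
An added example, not from the original page: because access tokens stay valid until they expire, a resource server that validates JWTs locally can keep its own per-user sign-out cut-off and reject tokens issued before it. `SignOutRegistry`, `check_access_token` and `residual_exposure` are hypothetical names, signature verification is assumed to have happened already, and the claims are constructed sample data.

```python
import time

class SignOutRegistry:
    """Per-user cut-off kept by the resource server (hypothetical helper)."""

    def __init__(self):
        self._cutoff = {}  # sub -> epoch seconds of the last sign-out

    def record_sign_out(self, sub, when=None):
        # Call this alongside the globalSignOut request for the same user.
        self._cutoff[sub] = int(time.time() if when is None else when)

    def cutoff_for(self, sub):
        return self._cutoff.get(sub, 0)


def check_access_token(claims, registry, now=None):
    """Decide on already signature-verified claims. Returns (ok, reason)."""
    now = int(time.time() if now is None else now)
    if claims.get("token_use") != "access":
        return False, "not an access token"
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return False, "expired"
    iat = claims.get("iat")
    if not isinstance(iat, int) or iat > now:
        return False, "bad iat"
    if iat <= registry.cutoff_for(claims.get("sub")):
        return False, "issued before sign-out"
    return True, "ok"


def residual_exposure(claims, signed_out_at):
    """Seconds a token would still pass an expiry-only check after sign-out."""
    return max(0, claims["exp"] - signed_out_at)


# Constructed sample claims: 1-hour tokens (the default lifetime).
OLD = {"sub": "user-1", "token_use": "access", "iat": 1000, "exp": 4600}
NEW = {"sub": "user-1", "token_use": "access", "iat": 1700, "exp": 5300}

if __name__ == "__main__":
    reg = SignOutRegistry()
    print(check_access_token(OLD, reg, now=1600))  # expiry-only view: accepted
    reg.record_sign_out("user-1", when=1500)
    print(check_access_token(OLD, reg, now=1600))  # rejected by the cut-off
    print(check_access_token(NEW, reg, now=1800))  # issued after sign-out: accepted
    print(residual_exposure(OLD, 1500), "s of exposure without the cut-off")
```

The cut-off store has to be shared by every service that accepts the tokens, and entries can be dropped once they are older than the pool's maximum access token lifetime.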