JWT Id token has three parts:
Header
Payload
Signature
The signature is used to verify the message wasn’t changed along the way. When either of your header or payload changes the token becomes invalid due to signature mismatch.
Decode and Verify
https://aws.amazon.com/premiumsupport/knowledge-center/decode-verify-cognito-json-token/
https://github.com/awslabs/aws-support-tools/tree/master/Cognito/decode-verify-jwt