@jeffski
Created March 31, 2017 03:13
<?php
/**
 * Assumes https://github.com/Spomky-Labs/jose library is installed and autoloading is set up
 * Decode and verify token guide: https://github.com/Spomky-Labs/jose/blob/master/doc/operation/Verify.md
 */
use Jose\Factory\JWKFactory;
use Jose\Loader;

// We load the key set from a URL
// JSON Key URL (JKU) - https://cognito-idp.{region}.amazonaws.com/{userPoolId}/.well-known/jwks.json.
// See: http://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-with-identity-providers.html#amazon-cognito-identity-user-pools-using-id-and-access-tokens-in-web-api
$jku = 'https://cognito-idp.ap-southeast-2.amazonaws.com/ap-southeast-2_EPyUfpQq7/.well-known/jwks.json';
$jwk_set = JWKFactory::createFromJKU($jku);

// We create our loader.
$loader = new Loader();

// This is the token we want to load and verify.
$token = 'JWT TOKEN FROM USER POOL';

// Output parameter, passed by reference: the loader sets it to the index of the signature that verified.
$signature_index = null;
$valid = false; // stays false unless the signature verifies
$error = null;  // failure message, kept apart from the payload

// The signature is verified using our key set; RS256 is the only algorithm accepted.
if ($token) {
    try {
        $jws = $loader->loadAndVerifySignatureUsingKeySet(
            $token,
            $jwk_set,
            ['RS256'],
            $signature_index
        );
        $valid = $jws->getPayload(); // contains the username, sub, expiry and other details for use in your application
    } catch (Exception $e) {
        // Do not store the message in $valid: a non-empty error string is truthy
        // and could be mistaken for a verified payload by the calling code.
        $error = $e->getMessage();
    }
}
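The gist's code stops once the signature verifies; the claims in the payload still decide whether the token was issued by your user pool, for your app client, and is unexpired. The following is an added example, not part of the original gist or the jose library; it assumes the payload is an associative array, and the function name, parameters and sample values are hypothetical.

```php
<?php
// Added example: claim checks for a Cognito user pool token whose signature
// has already been verified. Returns a list of problems; empty means accepted.
function cognitoClaimErrors(array $claims, string $region, string $userPoolId,
                            string $clientId, string $tokenUse, ?int $now = null): array
{
    $now = $now ?? time();
    $errors = [];

    // iss must be exactly this user pool, or a token from another pool would pass.
    $issuer = "https://cognito-idp.$region.amazonaws.com/$userPoolId";
    if (($claims['iss'] ?? null) !== $issuer) {
        $errors[] = 'iss does not match the user pool';
    }

    // token_use separates ID tokens ('id') from access tokens ('access').
    if (($claims['token_use'] ?? null) !== $tokenUse) {
        $errors[] = "token_use is not '$tokenUse'";
    }

    // ID tokens carry the app client id in aud, access tokens in client_id.
    $clientClaim = $tokenUse === 'id' ? 'aud' : 'client_id';
    if (($claims[$clientClaim] ?? null) !== $clientId) {
        $errors[] = "$clientClaim does not match the app client";
    }

    // exp is seconds since the epoch; a missing or non-numeric value is rejected.
    if (!is_numeric($claims['exp'] ?? null) || (int) $claims['exp'] <= $now) {
        $errors[] = 'token is expired or has no exp';
    }

    return $errors;
}

// Constructed sample payload of an access token (not taken from a real pool).
$now = 1700000000;
$claims = [
    'iss'       => 'https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE',
    'token_use' => 'access',
    'client_id' => 'example-app-client-id',
    'exp'       => $now + 3600,
];

// Checked as an access token, then as an ID token for the same pool and client.
foreach (['access', 'id'] as $use) {
    $errors = cognitoClaimErrors($claims, 'us-east-1', 'us-east-1_EXAMPLE',
                                 'example-app-client-id', $use, $now);
    echo $use, ': ', $errors ? implode('; ', $errors) : 'accepted', PHP_EOL;
}
```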
@epicfaace

Where do you get $signature_index from?

@pesektomas

> Where do you get $signature_index from?

$signature_index is a reference.
