The access token, refresh token, and ID token

An identity token (ID token) is used to authenticate requests to the backend (for example, the API gateway). To send a request to an API gateway API that is protected by a Cognito Authorizer, we use the authorization type Bearer Token and pass the ID token. This will be demonstrated later, in the recipe on Integrating Cognito with the API gateway. The ID token also contains additional information, such as the user ID and any other user attributes that we provide while generating it. We will demonstrate this in a later recipe.

The access token is used within Cognito APIs, in order to authorize updates to the users' parameters. The Cognito API commands that accept access tokens include associate-software-token, change-password, confirm-device, delete-user, delete-user-attributes, forget-device, get-device, get-user, get-user-attribute-verification-code, global-sign-out, list-devices, set-user-mfa-preference, set-user-settings, update-device-status, update-user-attributes, verify-software-token, and verify-user-attribute.

The refresh token is used to get new identity and access tokens. For example, the initiate auth sub-command can specify the auth flow as REFRESH_TOKEN_AUTH, and can pass a refresh token to get back the access token and the ID token. We can configure the refresh token expiration (in days) when creating the user pool.
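Because the ID token and the access token serve different purposes, a backend should reject one presented in place of the other; Cognito marks each with a `token_use` claim (`id` or `access`). The following is an added example, not code from the book: the function names and sample tokens are constructed, and the tokens are unsigned, so signature verification against the user pool's published keys (required in a real service before trusting any claim) is left out to keep it runnable offline.

```python
import base64
import json

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_sample_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT-shaped string (demo input only)."""
    header = {"alg": "RS256", "kid": "constructed-key-id"}
    return ".".join([
        _b64url(json.dumps(header).encode()),
        _b64url(json.dumps(claims).encode()),
        _b64url(b"constructed-signature"),
    ])

def read_claims(token: str) -> dict:
    """Decode the payload segment. This does NOT verify the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(padded))

def check_token_use(token: str, expected: str, now: int) -> dict:
    """Reject a token presented in the wrong role or past its expiry."""
    claims = read_claims(token)
    if claims.get("token_use") != expected:
        raise PermissionError(
            f"expected {expected!r} token, got {claims.get('token_use')!r}")
    if int(claims.get("exp", 0)) <= now:
        raise PermissionError("token expired")
    return claims

NOW = 1_700_000_000  # constructed "current time" (epoch seconds)
SAMPLE_ID_TOKEN = make_sample_token({
    "sub": "constructed-user-id", "token_use": "id",
    "email": "user@example.com", "exp": NOW + 3600,
})
SAMPLE_ACCESS_TOKEN = make_sample_token({
    "sub": "constructed-user-id", "token_use": "access",
    "scope": "aws.cognito.signin.user.admin", "exp": NOW + 3600,
})

if __name__ == "__main__":
    # The ID token carries user attributes; the access token does not.
    print(check_token_use(SAMPLE_ID_TOKEN, "id", NOW)["email"])
    print(check_token_use(SAMPLE_ACCESS_TOKEN, "access", NOW)["scope"])
```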
