This article discusses the importance of proper token validation in serverless architectures, focusing on AWS Lambda functions and Amazon Cognito. It demonstrates a vulnerability in the DVSA application where a manipulated Cognito access token could be used to read another user's data. The issue stemmed from two gaps: the API Gateway route had no authorizer, and the Lambda function trusted the claims in the token (such as the user identifier) without verifying the token's signature. The article explains the structure of JSON Web Tokens (JWTs), a header, a payload and a signature, each base64url-encoded and joined with dots, and shows how to decode a token and edit its payload. It then presents two solutions: attaching a Cognito Authorizer to the API Gateway route, and validating the token signature and claims within the Lambda function code. The article emphasizes the need for multiple security layers, so that a missing or misconfigured authorizer does not by itself expose user data in serverless applications.
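The following is an added example, not code from the article or from the DVSA project, that walks through the three points above in runnable form: decoding a JWT, forging the `sub` claim without touching the signature, and the difference between a handler that trusts the decoded payload and one that verifies the token first. To run offline it signs with HS256 and a constructed secret; real Cognito tokens are RS256 and must be verified against the user pool's public keys at `https://cognito-idp.{region}.amazonaws.com/{userPoolId}/.well-known/jwks.json` (typically with a library such as PyJWT or python-jose), but the claim checks shown here (`iss`, `token_use`, `client_id`, `exp`) are the ones Cognito documents for access tokens. The issuer, client id, secret and user records are all made up for the example.

```python
"""Added example (not from the article): decode, forge and verify a JWT
the way a Lambda handler behind API Gateway should. HS256 with a constructed
secret stands in for Cognito's RS256/JWKS so the example runs offline."""
import base64
import hashlib
import hmac
import json
import time

# Constructed stand-in values; a real deployment reads these from config.
SECRET = b"stand-in-signing-key"
ISSUER = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE"
CLIENT_ID = "example-app-client-id"

# Constructed user records keyed by the token's 'sub' claim.
USERS = {
    "user-a": {"name": "Alice", "orders": ["order-1"]},
    "user-b": {"name": "Bob", "orders": ["order-7", "order-9"]},
}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode_json(obj) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def issue_token(sub: str, now: float) -> str:
    """Mint an access token with the claim set Cognito access tokens carry."""
    header = {"alg": "HS256", "kid": "stand-in-key-id"}
    payload = {"sub": sub, "iss": ISSUER, "client_id": CLIENT_ID,
               "token_use": "access", "iat": int(now), "exp": int(now) + 3600}
    signing_input = _encode_json(header) + "." + _encode_json(payload)
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def decode_unverified(token: str):
    """What the vulnerable code does: read header and payload, ignore the signature."""
    h, p, _sig = token.split(".")
    return json.loads(b64url_decode(h)), json.loads(b64url_decode(p))


def tamper(token: str, **claims) -> str:
    """Re-encode the payload with changed claims but keep the original signature."""
    h, p, s = token.split(".")
    payload = json.loads(b64url_decode(p))
    payload.update(claims)
    return h + "." + _encode_json(payload) + "." + s


class TokenError(Exception):
    pass


def verify(token: str, now: float) -> dict:
    """Signature first, then the claims Cognito tells you to check."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise TokenError("malformed")
    header = json.loads(b64url_decode(h))
    # Pin the algorithm: rejects 'none' and algorithm-confusion tokens.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise TokenError("bad signature")
    claims = json.loads(b64url_decode(p))
    if claims.get("iss") != ISSUER:
        raise TokenError("wrong issuer")
    if claims.get("token_use") != "access":
        raise TokenError("not an access token")
    if claims.get("client_id") != CLIENT_ID:
        raise TokenError("wrong client_id")
    if claims.get("exp", 0) <= now:
        raise TokenError("expired")
    return claims


def _bearer(event) -> str:
    value = event["headers"]["Authorization"]
    return value[7:] if value.startswith("Bearer ") else value


def vulnerable_handler(event):
    """Trusts 'sub' from an unverified payload: any user can read any record."""
    _header, claims = decode_unverified(_bearer(event))
    return USERS.get(claims["sub"])


def hardened_handler(event, now=None):
    """Verifies the token before using any claim; returns (status, body)."""
    now = time.time() if now is None else now
    try:
        claims = verify(_bearer(event), now)
    except TokenError as err:
        return 401, str(err)
    return 200, USERS.get(claims["sub"])
```

Even with the hardened handler in place, keep the Cognito Authorizer on the API Gateway route as well: the authorizer stops forged tokens before a Lambda invocation is billed, and the in-function check protects the function if the route is ever redeployed without it.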
