cognitoIdentityId is null but cognito:username is not. Why? And is it safe to use the latter?

For some reason, in my express app, the event.requestContext.identity.cognitoIdentityId is null, but I could get event.requestContext.authorizer.claims['cognito:username'] after much messing around with serverless. So I have two questions:

What is required in my app for cognitoIdentityId to not be null?
Is cognito:username safe to use as an alternative? I’m wanting to lock down certain express routes using it.