Custom Authorizer: create IAM Policy for Unauthenticated Session

I have a GraphQL API Gateway endpoint which sits behind a custom authentication function. I’d like to also allow certain endpoints for consumption by ‘unauthenticated’ users (which my Cognito User Pool allows).

Currently, the custom authenticator only caters for Cognito authenticated sessions. This function validates the Cognito token passed from the client (as per this logic), generates an IAM Allow Policy and then passes this to the GraphQL function.

I can generate the unauthenticated session on my clients using the Amplify library and attaching the sessionToken as my ‘Authorization’ header value:

Auth.currentCredentials().then((credentials: ICredentials) => {
  this.unauthenticatedCredentials = credentials; // credentials.sessionToken
});

However, passing this through my custom authorizer as is throws an error: token is expired.

According to the Cognito token deserializer (link above), the claims expiration date is: <5 days ago (tested after clearing local storage).

If this is possible, how can I generate an Allow Policy and get a Claim based off an unauthenticated user session?

Note: I’ve seen the option to create a secondary identical GraphQL endpoint which serves functions I want to allow with no authentication, but I was trying to avoid it as it seems architecturally wrong.

I’m not sure if I’m going down the wrong track here. Any suggestions?
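
The authorizer flow described in this question (validate the token, build an IAM Allow policy, hand it to the GraphQL function), extended with a guest path, as an added example that is not the poster's code: the policy's `context` tells the GraphQL function whether the caller is authenticated, so it can decide which operations guests may run. Assumptions: unauthenticated clients send the hypothetical marker value `guest` as the Authorization header, a single PEM public key stands in for the user pool's JWKS lookup, and issuer/audience checks are left out.

```javascript
// Added example: TOKEN-type Lambda authorizer logic with a guest path.
const crypto = require("node:crypto");

const GUEST_MARKER = "guest"; // assumption: header value sent by unauthenticated clients

const b64urlJson = (part) => JSON.parse(Buffer.from(part, "base64url").toString("utf8"));

// Verify an RS256 JWT against a PEM public key and return its claims, or throw.
function verifyJwt(token, publicKeyPem, nowSec) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a JWT");
  const [head, body, sig] = parts;
  if (b64urlJson(head).alg !== "RS256") throw new Error("unexpected alg");
  const signed = Buffer.from(`${head}.${body}`);
  const ok = crypto.verify("RSA-SHA256", signed, publicKeyPem, Buffer.from(sig, "base64url"));
  if (!ok) throw new Error("bad signature");
  const claims = b64urlJson(body);
  if (typeof claims.exp !== "number" || claims.exp <= nowSec) throw new Error("token is expired");
  return claims;
}

// Authorizer response in the shape API Gateway expects.
function buildPolicy(principalId, resource, context) {
  return {
    principalId,
    policyDocument: {
      Version: "2012-10-17",
      Statement: [{ Action: "execute-api:Invoke", Effect: "Allow", Resource: resource }],
    },
    context, // string values, forwarded to the backend function
  };
}

function authorize(event, publicKeyPem, nowSec = Math.floor(Date.now() / 1000)) {
  const token = event.authorizationToken || "";
  if (token === GUEST_MARKER) {
    // Guests get through the gateway; the backend must restrict what they can call.
    return buildPolicy("guest", event.methodArn, { authenticated: "false" });
  }
  try {
    const claims = verifyJwt(token, publicKeyPem, nowSec);
    return buildPolicy(claims.sub, event.methodArn, { authenticated: "true", sub: claims.sub });
  } catch (err) {
    throw new Error("Unauthorized"); // API Gateway turns this message into a 401
  }
}
```

An invalid or expired token is rejected rather than downgraded to a guest session, so a client with a stale token gets a 401 and can refresh.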