Ok, so short description: Upon login I run a workflow against a lambda on AWS - basically a POST request to an /auth endpoint that returns a JWT with a 1h expiration. This is done server side with a client_credentials OAuth2 workflow. In my case I don’t send the user’s login information (those have already been verified by Bubble, so I don’t need them). The returned JWT is saved on the user together with the expiration (remember privacy settings so only the current user can see it). The token can now be reused by any workflow to my other lambdas. I have another workflow that checks the expiration. It is run at login, page changes AND every 5 min. If there is <10 min to expiration, I create a new token.
In my case I use HTTP API, which has a built-in JWT authorizer, but for your case you could make a lambda authorizer instead and simply verify the JWT there. Remember to use caching so that your authorizer doesn’t need to run at every request.
The /auth endpoint can include data about the user (email, id etc.) which you can save in the JWT. When your authorizer reads the JWT it can pass along the data to any lambda that comes after via a context field, which means you don’t have to parse the JWT in each lambda - it’s done once in the authorizer and passed on to every lambda after.
It certainly is an advanced method, but it’s very reliable once set up!
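
An added example (not the poster's code) of the Lambda authorizer described in this post: it verifies the JWT once and hands the user data to the lambdas behind it through the context field. It assumes an HS256 token signed with a shared secret and the HTTP API simple-response authorizer format; `SECRET`, `AUDIENCE`, `sign` and the claim names are hypothetical.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-secret"  # assumption: HS256 shared secret, loaded from a secrets store in practice
AUDIENCE = "my-lambdas"              # hypothetical audience the /auth endpoint puts in the token

def _b64d(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sign(claims):
    """Stand-in for the /auth endpoint: issue an HS256 token (constructed for the demo)."""
    head = _b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64e(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64e(sig)}"

def verify(token, now=None):
    """Return the claims if signature, algorithm, expiry and audience check out, else None."""
    try:
        head, body, sig = token.split(".")
        if json.loads(_b64d(head)).get("alg") != "HS256":  # pin the algorithm; rejects "none"
            return None
        expected = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64d(sig)):  # constant-time comparison
            return None
        claims = json.loads(_b64d(body))
        if not isinstance(claims, dict):
            return None
    except (ValueError, TypeError, AttributeError):         # malformed token: deny
        return None
    now = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        return None
    return claims if claims.get("aud") == AUDIENCE else None

def handler(event, context=None):
    """HTTP API Lambda authorizer using the simple response format."""
    auth = (event.get("headers") or {}).get("authorization", "")
    claims = verify(auth[7:]) if auth.startswith("Bearer ") else None
    if claims is None:
        return {"isAuthorized": False}
    # Downstream lambdas read these from event.requestContext.authorizer.lambda
    return {"isAuthorized": True,
            "context": {"userId": claims.get("sub"), "email": claims.get("email")}}
```

With authorizer caching enabled, an allow decision is reused for the cache TTL, so a token can keep working for up to that long after its `exp`; keep the TTL short relative to the 1h token lifetime.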