Setup includes non-persistent tokens and the "idle timeout" value does not seem to ever be honored in this case. Cookie is created with a 15 minute idle timeout and that is honored by ALL other Web Agents with the exception of the API Gateway.
The API Gateway just takes it and considers it good when using the chain of "check protected resource", "authenticate against", and "authorize against".
Just curious if there's some special setup or requirements to support idle timeouts, or if that's simply not supported.