Access token issuer and unisolated domains

Based on this question I am curious as to how the issuer is determined when generating the tokens. Is it based on the domain that generates the token (e.g. https://myapp-sandbox.eu.auth0.com/oauth/token in the linked question), or on the tenant mapped from the client_id (https://myapp-stage.eu.auth0.com/oauth/token in the linked question)?

Is it sufficient to just verify the signature of the token based on the endpoint of the intended tenant (client_id mapped tenant)? Or would I still have to check the issuer in the token?

Also, I’d like to add that this would help me understand how to handle the situation with custom/multiple domains on a single tenant.

Hi @ggjersund, and welcome to the community :wave:

That question only applies to the client credentials flow, which is unique in that it issues a token based only on the client_id and client_secret. Therefore, it does not require the client_id to belong to the associated domain. However, for all other flows the client_id will have to be one mapped to the tenant.

For validating the token you should really just use a middleware that will handle the details for you. However, if you want to manually check them you’ll need to do more than just check the signature, as explained here: Validate JSON Web Tokens

Multiple custom domains are not currently possible, but should be possible in the future.

Hopefully that was all clear. Please let me know if you have any questions about that.