Based on this question I am curious as to how the issuer is determined when generating the tokens. Is it based on the domain that generates the token (e.g. https://myapp- sandbox .eu.auth0.com/oauth/token in the linked question, or the mapped Tenant coming from the client_id ( https://myapp- stage .eu.auth0.com/oauth/token in the linked question)?
Is it sufficient to just verify the signature of the token based on the endpoint of the intended tenant (client_id mapped tenant)? Or would I still have to check the issuer in the token?
Also, I’d like to add this would help me understand how to handle the situation with custom/multiple domains on a single tenant.