In the whole article, it is never mentioned to add this credential to the Rails credentials.yml.enc file. Nonetheless, the authentication and authorization work correctly. Why is that? Is this credential not necessary? Does this have any security compromises?
The audience is the URI of your API. In the quickstart they use https://quickstarts/api as the identifier, for example. In this example it looks like that param is taken from the .env file as AUTH0_AUDIENCE. You may have added it there if you are following the tutorial.
More specifically, the function that you mention is for the decode and verification of the token. If it was incorrect, then the signature of the token would not match and would not be verifiable.
Completely agree with you, which is why I expected the tutorial to mention that line somewhere, but it didn’t. It’s nowhere mentioned to add this credential to the env file or similar, which is why I haven’t done so so far, yet the app works fine, which surprised me.
I just tried it. It will fill in that .env automatically if you use the Download Sample button. You can always check to see if it is filled in correctly. Otherwise it is mentioned at the top of the GitHub repo README here.
I think it is purposefully omitted from the quickstart page because it will be auto-filled when you select the API you are downloading the sample for. If there is something that is misleading or unclear, please let me know and we can work on it. Thanks.
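
The `aud` value is a claim inside the signed payload, so a verifier compares it against its configured audience as a step separate from the signature check, and has to decide what happens when that setting is empty. The following is an added example, not part of the thread or the Auth0 sample, showing a verifier that fails closed in that case using only Ruby's standard library; the key pair, the second audience URL and all function names are constructed for illustration, and issuer and expiry checks are left out.

```ruby
require 'openssl'
require 'base64'
require 'json'

class AudienceError < StandardError; end

# Constructed key pair standing in for the tenant's signing key.
DEMO_KEY = OpenSSL::PKey::RSA.new(2048)

def b64url(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

# Builds an RS256 token for the demo (constructed, not issued by Auth0).
def sign_rs256(payload, key)
  input = [{ alg: 'RS256', typ: 'JWT' }, payload].map { |part| b64url(JSON.generate(part)) }.join('.')
  "#{input}.#{b64url(key.sign(OpenSSL::Digest.new('SHA256'), input))}"
end

def verify_access_token(token, public_key, expected_audience)
  # Fail closed: an unset or blank audience setting rejects every token
  # instead of silently skipping the comparison.
  raise AudienceError, 'expected audience is not configured' if expected_audience.to_s.strip.empty?

  header_b64, payload_b64, sig_b64 = token.split('.', 3)
  raise ArgumentError, 'malformed token' unless sig_b64
  header = JSON.parse(Base64.urlsafe_decode64(header_b64))
  raise ArgumentError, 'unexpected alg' unless header['alg'] == 'RS256'

  signature = Base64.urlsafe_decode64(sig_b64)
  signed_ok = public_key.verify(OpenSSL::Digest.new('SHA256'), signature, "#{header_b64}.#{payload_b64}")
  raise ArgumentError, 'bad signature' unless signed_ok

  # The signature only proves who issued the token; aud says which API it is for.
  payload = JSON.parse(Base64.urlsafe_decode64(payload_b64))
  raise AudienceError, 'audience mismatch' unless Array(payload['aud']).include?(expected_audience)
  payload
end

# Returns a short verdict string so the three cases can be compared side by side.
def outcome(token, expected_audience)
  verify_access_token(token, DEMO_KEY.public_key, expected_audience)
  'accepted'
rescue AudienceError => e
  "rejected: #{e.message}"
end
```

In the Rails app, `expected_audience` would be the value read from `AUTH0_AUDIENCE`; passing `nil` here reproduces the case where that variable was never set.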