Auth0 Issued JWT has invalid issuer

Bear with me, new to Auth0/authentication flow.

I have a .NET Core Web API that I need to authenticate with so that I can internally run integration tests (from the .NET Core Web API App) involving endpoints. I have set up a development account w/ Auth0 with a development application “Development App”, a Machine to Machine app type, and a development endpoint “Development API”.

I have configured the web api to authorize on my endpoints using JWT tokens received from Auth0 and am successfully receiving JWT tokens from Auth0. However, whenever I try to access my endpoints, all my tests fail from a Bad Request error ( Bad Request : Request to url http://myapp.com:5000/api/myEndpoint Return status Unauthorized Response Content).

I try to access the endpoint through Postman and I receive the following error: Bearer error=“invalid_token”, error_description=“The issuer ‘https://dev-api.eu.auth0.com/’ is invalid”.

Not sure what I’m doing wrong... I am posting my requests to https://dev-api.eu.auth0.com/oauth/token and passing in the following key/value set:

ClientSecret = DevAppSecret
ClientId = DevAppClientID
Username = Auth0User
Password = Auth0PW
GrantType = password
Scope = openid

Not sure if it matters, but I have my audience set to “https://dev-api.eu.auth0.com/api/v2”.

Updating this post after a response from @glorat. I have been testing the tokens received from Auth0 in JWT.io... the token I receive back contains an Access Token and an ID token. I’ve tried both tokens in the token verifier. The access token contains a valid signature, however the ID token does not. Not sure if this makes a difference.

I also tried to ping my endpoint in Postman with the Access Token instead of the ID Token, and I get the following error: Bearer error=“invalid_token”, error_description=“The signature key was not found”

Any assistance would be greatly appreciated, and thanks in advance!

During my debugging, I would capture the tokens being received and manually check them on https://jwt.io/ to see if the fields and validation are as expected.

Thanks for your response. I have been debugging as you mentioned and checking JWT.io to see if my credentials are valid or not. While the payload data in the token does contain my login information and account info (seth@myapp.com) etc etc, I am still getting a red “Invalid Signature” at the bottom of the page.

I don’t understand why this is happening. Obviously the token isn’t being signed correctly, but I am passing in a client secret with my token request and the application on the Auth0 side uses HS256 for the signing algo.
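
An added example, not part of any post in this thread: an offline check that decodes a token's header and claims and compares iss, aud and alg with the values an API is configured to accept, plus an HS256 signature check against a supplied secret. The token, the secret and the API-side expected values are constructed for illustration; only the issuer and audience strings come from the thread.

```python
import base64, hashlib, hmac, json

def b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def hs256(signing_input, secret):
    return hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()

def make_sample_token(claims, secret):
    """Build a constructed HS256 token so the example runs offline."""
    head = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    signing_input = f"{head}.{body}"
    return f"{signing_input}.{b64url_encode(hs256(signing_input, secret))}"

def diagnose(token, issuer, audience, algorithm, secret=None):
    """List mismatches between a token and the values the API expects."""
    head_b64, body_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(head_b64))
    claims = json.loads(b64url_decode(body_b64))
    problems = []
    # Issuer is compared as an exact string: a trailing slash matters.
    if claims.get("iss") != issuer:
        problems.append(f"iss {claims.get('iss')!r} != expected {issuer!r}")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        problems.append(f"aud {aud!r} does not include {audience!r}")
    # The verifier must hold a key for the algorithm named in the header.
    if header.get("alg") != algorithm:
        problems.append(f"alg {header.get('alg')!r} != expected {algorithm!r}")
    # HS256 is a keyed MAC: it verifies only with the same shared secret.
    if header.get("alg") == "HS256" and secret is not None:
        expected = hs256(f"{head_b64}.{body_b64}", secret)
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            problems.append("HS256 signature does not verify with this secret")
    return problems

# Constructed sample values; not real credentials.
SECRET = b"constructed-secret"
TOKEN = make_sample_token({"iss": "https://dev-api.eu.auth0.com/",
    "aud": "https://dev-api.eu.auth0.com/api/v2", "sub": "constructed"}, SECRET)

if __name__ == "__main__":
    # Assumed API settings: no trailing slash, other audience, RS256 expected.
    for p in diagnose(TOKEN, "https://dev-api.eu.auth0.com",
                      "https://myapp.example/api", "RS256"):
        print(p)
```

The function only reads the token and reports mismatches; it is a debugging aid and does not replace the API's own token validation.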