Authorization API signs JWTs as RS256 when HS256 is selected

I do believe that /oauth/token does indeed support HS256.

This endpoint requires a “client_secret” parameter in the payload if the client is configured for HS256 and OIDC unsupported.

RS256 does not require the client secret

https://auth0.com/docs/api/authentication#client-credentials

As a proof of concept I performed the following steps:

Auth0 Client Configuration:
Auth0 → Clients → [client] → Settings → Advanced Settings:
JsonWebToken Signature Algorithm : HS256
OIDC Conformant : unchecked

curl --request POST \
  --url 'https://[DOMAIN]/oauth/token' \
  --header 'content-type: application/json' \
  --data  '{"grant_type":"http:\/\/auth0.com\/oauth\/grant-type\/password-realm","client_id":"[CLIENTID]", "client_secret":"[CLIENT SECRET]", "realm":"Username-Password-Authentication", "scope":"openid","username":"[USERNAME]","password":"[PASSWORD]"}'