Thanks for confirming - You should definitely be using the access token against your backend. I believe the issue is related to the access token being opaque as I mentioned here:
Once you include an audience param (AuthorizationParams
in auth0-react) in the request to get tokens the middleware should be able to verify the access token successfully. The audience is just the API identifier you use when registering an API in your Auth0 dashboard.