Are you setting an audience to be a custom/external API that you’ve added in your Auth0 Dashboard? If so, you may need to re-create the API and change the signing algorithm.
No problem, I’m happy to help where I can, and thanks for following up!
I’d be curious as to the need for HS256 in your use case? The default (and recommended) signing algorithm is RS256 as you’ve noticed. Some more on signing algorithms in particular can be found in this FAQ:
When registering an API in Auth0 the identifier is typically the URL of the API that the API as it exists in Auth0 represents. Basically, you would use this identifier as the audience in an authorization flow where the token returned is verified on your end for said API. The following article goes into more detail regarding the validation of Access Tokens by an API:
I thought that storing the Client Secret as an environment variable was easier than the multiline certificate, and for RS256 I was expecting to find a certificate starting with -----BEGIN PUBLIC KEY BLOCK-----.
But now I set the RS256 with the provided certificate and everything works correctly.
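
An added illustration of the checks discussed in this thread (not part of any post and not Auth0's code): a standard-library HS256 verifier that pins the signing algorithm and enforces the API identifier as the audience, so a token signed with the default RS256 is rejected with a clear reason instead of a confusing signature error. `SECRET`, `AUDIENCE`, `NOW` and every function name are constructed for the example.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-signing-secret"      # constructed; load from the environment in practice
AUDIENCE = "https://api.example.test/"      # constructed API identifier
NOW = 1_700_000_000                         # fixed clock so the sample is reproducible

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def make_token(header: dict, claims: dict, secret: bytes) -> str:
    """Build a constructed sample token with an HMAC-SHA256 signature."""
    body = ".".join(b64url_encode(json.dumps(p).encode()) for p in (header, claims))
    sig = hmac.new(secret, body.encode(), hashlib.sha256).digest()
    return f"{body}.{b64url_encode(sig)}"

def verify_hs256(token: str, secret: bytes, audience: str, now=None) -> dict:
    """Return the claims of a valid token, otherwise raise ValueError."""
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(claims_b64))
        sig = b64url_decode(sig_b64)
        if not (isinstance(header, dict) and isinstance(claims, dict)):
            raise TypeError("header and claims must be JSON objects")
    except Exception as exc:
        raise ValueError("malformed token") from exc
    # Pin the algorithm to the API's setting; never trust the token's header to pick it.
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}, this API expects HS256")
    expected = hmac.new(secret, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad signature")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= (time.time() if now is None else now):
        raise ValueError("expired or missing exp")
    return claims

def check(token: str) -> str:
    """Return "ok" or the rejection reason for a token presented to this API."""
    try:
        verify_hs256(token, SECRET, AUDIENCE, now=NOW)
        return "ok"
    except ValueError as exc:
        return str(exc)
```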