How do we authenticate the server site?

Coming from the “old fashioned” Java / JSP all-in-the-server architecture, I am having trouble understanding how the server site can authenticate a request coming from a client site that can be an iOS app, an Angular web site or an Android app. The clients just send a JWT token, correct? What do we do with that token on the server site? Do we call back to Auth0 to validate this token? Where are the docs for this?

Clients should send an access_token (which will be a JWT) to your server. Your server will perform the token verification on the server itself; JWTs do not need to be sent to Auth0 to verify.

Have a look through the following document, which outlines the verification steps that should be taken on your server. Note, most of these can be handled by setting up the middleware using the SDKs suggested in the quickstarts:

I also suggest reading through the API Authorization docs to learn more about the various flows involved.

The JWT is signed with Auth0's private key. You can verify it with a public key you find at https://<your-auth0-domain>/.well-known/jwks.json

The server can, in theory, just verify the signature and be done with it; that’s the whole point of JWT. How you do it depends on the language; the Node.js examples provided are surprisingly contrived. I use C# and Microsoft.IdentityModel.Tokens.Jwt; I think they are way more straightforward. Once the public keys are fetched they stay constant for a long time; in theory there’s no further need for communication.
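
The local verification described in the replies above, as an added example that is not part of the original thread and is not Auth0's code: it checks an RS256 signature against a JWKS and then the issuer, audience and expiry claims, using only Node.js built-in `crypto`. The key pair, the `demo-key` kid, the `tenant.example` / `api.example` values and the function names are constructed for illustration; a real server would load the JWKS from the `jwks.json` URL mentioned above and cache it.

```javascript
const { createPublicKey, generateKeyPairSync, sign, verify } = require('node:crypto');

const b64u = (s) => Buffer.from(s).toString('base64url');
const fromB64u = (s) => JSON.parse(Buffer.from(s, 'base64url').toString('utf8'));

// Verify an RS256 access token locally; returns the claims or throws.
function verifyAccessToken(token, jwks, { issuer, audience, now = Date.now() / 1000 }) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [h, p, s] = parts;
  const header = fromB64u(h);
  // Pin the algorithm server-side; never trust the token's own "alg" choice.
  if (header.alg !== 'RS256') throw new Error('unexpected alg');
  // Pick the published key whose "kid" matches the token header.
  const jwk = jwks.keys.find((k) => k.kty === 'RSA' && k.kid === header.kid);
  if (!jwk) throw new Error('unknown kid');
  const key = createPublicKey({ key: { kty: jwk.kty, n: jwk.n, e: jwk.e }, format: 'jwk' });
  const signed = Buffer.from(`${h}.${p}`);
  if (!verify('RSA-SHA256', signed, key, Buffer.from(s, 'base64url'))) {
    throw new Error('bad signature');
  }
  // A valid signature is not enough: check who issued it, for whom, and until when.
  const claims = fromB64u(p);
  if (claims.iss !== issuer) throw new Error('wrong issuer');
  if (![].concat(claims.aud).includes(audience)) throw new Error('wrong audience');
  if (typeof claims.exp !== 'number' || claims.exp <= now) throw new Error('expired');
  return claims;
}

// Constructed fixtures: a throwaway key pair stands in for the tenant signing key,
// and JWKS for the document the server would fetch once and cache.
const { publicKey, privateKey } = generateKeyPairSync('rsa', { modulusLength: 2048 });
const JWKS = { keys: [{ ...publicKey.export({ format: 'jwk' }), kid: 'demo-key', use: 'sig' }] };

function mintToken(claims, header = { alg: 'RS256', typ: 'JWT', kid: 'demo-key' }) {
  const input = `${b64u(JSON.stringify(header))}.${b64u(JSON.stringify(claims))}`;
  return `${input}.${sign('RSA-SHA256', Buffer.from(input), privateKey).toString('base64url')}`;
}

const OPTS = { issuer: 'https://tenant.example/', audience: 'https://api.example', now: 1700000000 };
const GOOD = mintToken({ iss: OPTS.issuer, aud: OPTS.audience, exp: OPTS.now + 300, sub: 'user-1' });
console.log(verifyAccessToken(GOOD, JWKS, OPTS).sub);
```

No network call is made per request: the only remote dependency is the occasional JWKS refresh, for example when a token arrives with a `kid` that is not in the cached set.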