Everything is working except for what happens between Step 6 and Step 7. When my backend receives the access token from the browser, how does the backend validate that access token? I assume that the backend doesn’t make a call to Auth0 to validate that token because there is no arrow back to Auth0 after Step 6. So, how does the backend know that the token it received is valid?
It looks like I need to retrieve a public key from https://your_domain/.well-known/jwks.json in order to validate access tokens.
If I’m reading the docs correctly, then I need to know what “your_domain” is. Where is that domain name set? Is it set when I create the API application?
“your_domain” is your Auth0 tenant domain name, which is the name of your tenant (which you can see in the top right corner of the management console in the drop-down menu… see screenshot below), plus auth0.com.
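Putting the two replies together (the signing keys are published at https://your_domain/.well-known/jwks.json, where your_domain is the tenant domain, and the API checks the token locally without calling Auth0 on each request), here is what the step between Step 6 and Step 7 looks like in Go using only the standard library. This is an added example, not code from the original thread or from Auth0's SDKs. Because it has to run offline, the key pair, the JWKS document and the token are all constructed inside the example by a stand-in for Auth0; the issuer https://example.auth0.com/ and the audience https://api.example.com are assumed values, as is the kid key-2020.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// JWKS mirrors https://<tenant>.auth0.com/.well-known/jwks.json; encoding/json fills Kty, Kid, N, E from "kty", "kid", "n", "e" case-insensitively.
type (
	JWKS struct{ Keys []JWK }
	JWK  struct{ Kty, Kid, N, E string }
)

var b64 = base64.RawURLEncoding // JWT segments and JWK n/e are unpadded base64url

// hasAudience accepts aud as a single string or an array of strings; Auth0 tokens use both forms.
func hasAudience(claim interface{}, want string) bool {
	list, _ := claim.([]interface{}) // array form; the single-string form is the final comparison
	for _, a := range list {
		if a == want {
			return true
		}
	}
	return claim == want
}

// VerifyAccessToken is the work between Step 6 and Step 7 of the thread: select the tenant key by
// kid, check the RS256 signature locally, then check iss, aud and exp. Nothing is sent to Auth0.
func VerifyAccessToken(token string, jwks JWKS, issuer, audience string, now time.Time) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	raw := make([][]byte, len(parts)) // decoded header, payload, signature
	var err error
	for i, p := range parts {
		if raw[i], err = b64.DecodeString(p); err != nil {
			return nil, fmt.Errorf("segment %d: %w", i, err)
		}
	}
	var hdr struct{ Alg, Kid string }
	if len(raw) != 3 || json.Unmarshal(raw[0], &hdr) != nil || hdr.Alg != "RS256" {
		return nil, fmt.Errorf("malformed token or alg %q: the verifier pins RS256, the token never chooses", hdr.Alg)
	}
	var key *rsa.PublicKey
	for _, k := range jwks.Keys { // n and e are big-endian unsigned integers
		n, errN := b64.DecodeString(k.N)
		e, errE := b64.DecodeString(k.E)
		if k.Kid == hdr.Kid && k.Kty == "RSA" && errN == nil && errE == nil {
			key = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
		}
	}
	if key == nil {
		return nil, fmt.Errorf("no usable key with kid %q (refetch the JWKS if the tenant rotated keys)", hdr.Kid)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1])) // the signed data is the encoded header.payload
	if rsa.VerifyPKCS1v15(key, crypto.SHA256, digest[:], raw[2]) != nil {
		return nil, fmt.Errorf("bad signature")
	}
	var claims map[string]interface{}
	if err = json.Unmarshal(raw[1], &claims); err != nil {
		return nil, err
	}
	exp, _ := claims["exp"].(float64) // a missing exp becomes 0 and fails the expiry check
	switch {
	case claims["iss"] != issuer:
		return nil, fmt.Errorf("unexpected issuer %v", claims["iss"])
	case !hasAudience(claims["aud"], audience):
		return nil, fmt.Errorf("token was not issued for audience %q", audience)
	case float64(now.Unix()) >= exp:
		return nil, fmt.Errorf("token expired")
	}
	return claims, nil
}

// issueToken stands in for Auth0 so the example runs offline (constructed for this example, not Auth0 code): it signs an RS256 token with priv and returns the JWKS that publishes priv's public key under kid.
func issueToken(priv *rsa.PrivateKey, kid string, claims map[string]interface{}) (string, JWKS) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(claims)
	signingInput := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(signingInput))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	pub := JWK{Kty: "RSA", Kid: kid, N: b64.EncodeToString(priv.N.Bytes()), E: b64.EncodeToString(big.NewInt(int64(priv.E)).Bytes())}
	return signingInput + "." + b64.EncodeToString(sig), JWKS{Keys: []JWK{pub}}
}

func main() {
	const issuer, api = "https://example.auth0.com/", "https://api.example.com" // assumed tenant URL and API identifier
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	tok, jwks := issueToken(priv, "key-2020", map[string]interface{}{
		"iss": issuer, "aud": []string{api, issuer + "userinfo"}, "sub": "auth0|123", "exp": time.Now().Add(time.Hour).Unix()})
	claims, err := VerifyAccessToken(tok, jwks, issuer, api, time.Now())
	_, audErr := VerifyAccessToken(tok, jwks, issuer, "https://other-api.example.com", time.Now())
	fmt.Println("sub:", claims["sub"], "err:", err, "| wrong audience:", audErr)
}
```

In a real backend the JWKS struct is filled by fetching the tenant's jwks.json over HTTPS once and caching it; the kid lookup is what tells you when to refetch (a token arrives with a kid you do not have, which is what key rotation looks like from the API's side). The issuer to compare against is the tenant domain as a URL with a trailing slash, and the audience is the API Identifier you set when creating the API in Auth0, so those two values, not just the public key, are what tie a token to your tenant and your API. The example also shows why the verifier pins RS256 rather than reading the algorithm from the token: a token that says alg none, or that tries to get the public key used as an HMAC secret, is rejected before any signature work happens.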
I see. I was expecting that the public key would be at the application level and not the tenant level. I guess for me to have multiple environments I should create multiple tenants, say … dev, staging and production.
That’s what we do … separate production and non-production tenants. This can be a challenge to manage however as there aren’t yet really good tools for managing configuration between tenants. Requires a lot of discipline from your Auth0 developers / managers!