I guess I should say is this a good practice which it sounds like it is! I just want to make sure I’m not supposed to be sending it from the client rather than having Auth0 rules handle it.
I chose to use my API identifier as a my namespace. Does that sound good or could that create problems in the future?