Ok, yes I managed to get this done! I’ll drop some more refs and docs for others, but my main problem was not declaring a aud, which meant I was getting an opaque string instead of JWT.
@sandrino-a0 My next question is. What part of this is secure, if we never hit the Auth0 API (which for my context is preferred)? What’s to stop an attacker from forging request or replaying request?