I make a get request to the url I have generated I will verify the url.
But I am not authorized to make that get request. However, if I replace the token with the generated url I have access.
How do you make this request? Where do you put that token, as query parameter in the URL, as POST body or as Bearer token in the header?
Since you’re, from my understanding, in full control of the resource server (the app that serves the second form), you should also be in control of how the token is being verified (which at the moment only you know). Maybe you can post the code snippet that handles the authorization on the backend. And also the raw requests to you make, to get a better understanding.
I am generating the url and then signing it with jsonwebtoken
That’s a JWT that you generate on our end, there’s no involvement of the Auth0 platform at that time (other than the initial login at the beginning, but that’s even before the user can submit the first form and thus also before the generation of the random url), right?