I’m not perfectly clear whether ID Token verification is needed/advised in a native mobile app. We get the ID Token back from Universal Login directly from Auth0 and are able to parse it. I would think we can trust it. We know we got it from the trusted authority - directly; it was not passed via another app or party. The docs have me confused but I’m wondering if that is because they are for multiple use cases like SPAs, etc.
We do clearly understand that when we pass the Access Token to our API server, it must verify that token and does so using JWKS.