Issuer difference between access token and session token

Hi, I have a question regarding the content of the “iss” field on access tokens.

In practice, it appears to be https://{{tenant}}.{{region}} when the access token is obtained via the Auth0 login process.

I recently experimented with the post login actions, and generated a token to pass information securely to an application, following this post: Login Flow

const token = api.redirect.encodeToken({
    secret: event.secrets.MY_SHARED_SECRET,
    payload: {
        // ...
    },
});

It appears that the token created contains an issuer which is not an absolute URI but the domain name: {{tenant}} instead of https://{{tenant}}.{{region}}

Is that expected behaviour? Why is the issuer different?

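An added example, not part of the original post or Auth0's own code: how a receiving application might verify the token from `api.redirect.encodeToken` and pin its `iss` to the bare-domain form described above, kept separate from the `https://` issuer it expects on access tokens. It assumes the token is an HS256-signed JWT; the function names, secret and issuer values are constructed for illustration.

```javascript
// Added example (assumption: the redirect token is an HS256-signed JWT).
const crypto = require("crypto");

// Constructed sample values, not real tenant data.
const SECRET = "constructed-shared-secret";
const REDIRECT_ISS = "tenant.example.test";              // bare-domain form
const ACCESS_TOKEN_ISS = "https://tenant.example.test/"; // absolute-URI form

const b64url = (data) => Buffer.from(data).toString("base64url");

// Hypothetical helper: builds a sample token standing in for the Action's output.
function signHs256(payload, secret) {
  const head = b64url(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const body = b64url(JSON.stringify(payload));
  const sig = crypto.createHmac("sha256", secret).update(`${head}.${body}`).digest();
  return `${head}.${body}.${b64url(sig)}`;
}

// Hypothetical verifier: signature first, then exact issuer match, then expiry.
function verifyRedirectToken(token, secret, expectedIssuer) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("malformed token");
  const [head, body, sig] = parts;
  // Pin the algorithm; never trust the header to choose it.
  const header = JSON.parse(Buffer.from(head, "base64url").toString());
  if (header.alg !== "HS256") throw new Error("unexpected alg");
  const expected = crypto.createHmac("sha256", secret).update(`${head}.${body}`).digest();
  const given = Buffer.from(sig, "base64url");
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    throw new Error("bad signature");
  }
  const claims = JSON.parse(Buffer.from(body, "base64url").toString());
  // Exact string comparison: "tenant.example.test" is not "https://tenant.example.test/".
  if (claims.iss !== expectedIssuer) throw new Error(`issuer mismatch: ${claims.iss}`);
  if (typeof claims.exp !== "number" || claims.exp <= Date.now() / 1000) {
    throw new Error("expired");
  }
  return claims;
}
```

Because the comparison is an exact string match, a validator configured with the access-token issuer rejects the redirect token, so each token type needs its own expected `iss` value rather than a loosened check.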