Issuer mismatch in ID token

Problem Statement

The issuer of the ID token is the Canonical Domain. We want the Custom Domain.

Token object:



  • Check iss property inside the payload of the ID token with
  • Check Custom Domain configuration
  • Check Allowed Web Origins and Allowed Origins (CORS)


The /authorize call is made from the canonical domain so it’s placed as the issuer. Also, this could happen with /oauth/token endpoint requests.


Auth0 issues tokens with the iss claim of whichever domain you used with the request. For example, if you used to obtain an Access Token, the iss claim of the token you receive will be If you used your custom domain, the iss claim value will be