I have it working. In case this is helpful for anyone else I used the following setup. Next call /userinfo to validate your token.
realm is the name of the dB connection name under ‘connections’
also under your ‘applications’ under advanced enable grant-type of password
under that tenant set a user with Username-Password-Authentication credentials
Request Body
grant_type: “http://auth0.com/oauth/grant-type/password-realm”
client_id: “[CLIENT_ID]”
client_secret: “[CLIENT_SECRET]”
username: “[EMAIL_USERNAME]”
password: “[PASSWORD]”
scope: “openid profile email”
realm: “[DATABASE_CONNECTION_NAME]”
With this I get back a access_token and id_token. I send the access token to the /userinfo and get back user details.