Is there an RFC or standard describing the use of JWT for access tokens, the way Auth0 does?
Thanks for the link. I assume you mean Auth0 assumes resource servers verify access tokens in the same way as clients are expected to verify ID tokens? There are some small differences, of course, for example in that the audience should represent the resource server in some way. I was wondering if the specifics of using JWTs for access tokens were standardised.