Sanity Check: RS256 JWT tokens, signing and verifying?

When we get a JWT token from Auth0, is this signed by the Auth0 “Tenant” secret key, not a client secret key?

And when this is verified, using the Public Key (via jwks url e.g.: https://[domain]/.well-known/jwks.json), this ensures that the whole token has not been tampered with?

and in .Net core, this validation is performed automatically since we have setup this code:

.AddJwtBearer(options =>
                        options.Authority = domain;
                        options.Audience = Configuration"Auth0:ApiIdentifier"];

and when if check the payload contents we can be sure this is not been changed?