In the SPA + API architecture scenario (https://auth0.com/docs/architecture-scenarios/spa-api), using a framework like VueJS or React against a REST API, I believe I understand that it is the responsibility of the SPA to authenticate the user against Auth0. In doing so, the SPA will receive back an Access Token (a JWT I suppose). The SPA then must include that JWT in the Authorization header of HTTP requests to the REST API.
The API would then need to validate the token in various ways, most importantly that it hasn’t been tampered with. I believe that, since Auth0 issued the token, the API application would need to use the AUTH0_DOMAIN (issuer) and AUTH0_CLIENT_SECRET (signing secret).
Is that a correct understanding?