Hi Dan, thanks for the quick response.
I have retrieved the client ID JWT from the “token” response that I receive on authentication. I decoded it, and it appears to be different from the access token I get when I call:
getAccessTokenSilently()
However, the information when decoded is the exact same. I realize there’s not really a question there.
A follow-up question would be: how does my Node.js backend verify that the JWT is valid? All the information it has is environment variables:
AUTH0_AUDIENCE=
AUTH0_ISSUER=
How does my backend know that an authenticated client hasn’t changed scopes to include “admin”, for instance? Or is that what the secret key is for?