I understand that you’re seeing different session behavior from two apps that sound fairly similar. The first thing I’d check is whether you’re using the same scopes in both; more specifically, are you using the offline_access scope in both?
I’m glad to hear you were able to resolve the initial issue!
In terms of token validation, looking at the code you shared I think you might just need to add algorithms: ["RS256"] (or whatever algorithm you’re using) to the object after audience: process.env.AUTH0_AUDIENCE.
Let me know if it still doesn’t work after making that change!
InvalidTokenError: KeyObject or CryptoKey instances for asymmetric algorithms must not be of type "secret".
I searched for info but found nothing, so I also tried with the keys I might have in the dashboard config, although in theory they would not be needed since I use the new login and should already share the public keys, but there was no way to fix that bug.
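The error quoted in the thread says that an asymmetric algorithm was given a key of type "secret". As an added example (not code from the thread or from any Auth0 SDK), the sketch below uses only Node's built-in crypto module to show the checks behind RS256 validation: the algorithms allow-list, the key-type check, the signature and the audience; issuer and expiry checks are left out. The key pair, the shared secret, the audience URL and the helper names signRS256, verifyJwt and outcome are constructed for illustration.

```javascript
const crypto = require('node:crypto');

// Constructed test material: a throwaway RSA pair, a shared secret, an audience.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const sharedSecret = crypto.createSecretKey(Buffer.from('constructed-client-secret'));
const AUDIENCE = 'https://api.example.test';

const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const dec = (part) => JSON.parse(Buffer.from(part, 'base64url').toString('utf8'));

// Issue an RS256 token the way an authorization server would (private key side).
function signRS256(claims) {
  const input = `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(claims)}`;
  return `${input}.${crypto.sign('RSA-SHA256', Buffer.from(input), privateKey).toString('base64url')}`;
}

// API side: validate with an explicit algorithm allow-list and the right key kind.
function verifyJwt(token, key, { algorithms, audience }) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [h, p, s] = parts;
  const { alg } = dec(h);
  // The header's alg is only accepted if the caller pinned it.
  if (!algorithms.includes(alg)) throw new Error(`alg ${alg} not allowed`);
  if (alg !== 'RS256') throw new Error('only RS256 is implemented here');
  // RS256 verifies with a public key; a symmetric secret is the wrong key kind.
  if (key.type !== 'public') throw new Error(`RS256 needs a public key, got "${key.type}"`);
  const valid = crypto.verify('RSA-SHA256', Buffer.from(`${h}.${p}`), key, Buffer.from(s, 'base64url'));
  if (!valid) throw new Error('bad signature');
  const claims = dec(p);
  if (![].concat(claims.aud).includes(audience)) throw new Error('audience mismatch');
  return claims;
}

// Run a verification and report either 'ok' or the rejection reason.
function outcome(token, key, opts) {
  try { verifyJwt(token, key, opts); return 'ok'; } catch (e) { return e.message; }
}

const token = signRS256({ sub: 'user-1', aud: AUDIENCE });
const opts = { algorithms: ['RS256'], audience: AUDIENCE };
console.log(outcome(token, publicKey, opts));
console.log(outcome(token, sharedSecret, opts));
console.log(outcome(token, publicKey, { ...opts, algorithms: ['HS256'] }));
```

With RS256 the API only ever needs the issuer's public key, so a client secret or other symmetric value passed as the verification key is rejected before any signature check runs.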