Okay I took a look at it.
Signing Key is going to depend on the algorithm.
We recommend you use RSA256 for the signing algorithm, which should eliminate the need for a signing secret unless you are generating tokens. I’m not sure how simple JWT is going to treat this, so you may need a signing key. I am a bit unsure here tbh.
The public key or Verifying Key (if you choose RSA256) can be found at a discovery endpoint; more on that here.
If you choose to go with HSA256, you will need to ensure that your API is registered as such when you create it in the dashboard; then the signing key will be listed below your chosen algorithm. No verifying key necessary.
Issuer is usually your Auth0 domain, e.g. https://{AUTH0_DOMAIN}/
Audience is the consumer of the token, typically a URI of some kind. It is usually whatever you register the API as in the Auth0 dashboard. If you navigate to your API it would be marked as the identifier.
I can’t speak to JTI_Claim. That may require more research but shouldn’t be necessary.
With all that being said, it will be a bit simpler to go with the recommended library from the quickstart, and should have the same end result, but cheers to learning new libraries!
Let me know if that helps!
Thanks,
Dan