I can also confirm this isn’t working on our end either. It’s been working for months and even worked a couple hours or so ago but it’s borked now. I can confirm their error message
The access token signature could not be validated. A common cause of this is requesting multiple audiences for an access token signed with HS256, as that signature scheme requires only a single recipient for its security. Please change your API to employ RS256 if you wish to have multiple audiences for your access tokens
is junk because the API is RS256 and the token looks like below (obviously sensitive data removed)
{
"name": "xxx@xxx.com",
"nickname": "xxx",
"picture": "xxx",
"updated_at": "2017-09-27T20:24:29.554Z",
"email": "xxx@xxx.com",
"email_verified": true,
"iss": "https://auth0domain.hidden.com",
"sub": "auth0|xxxx",
"aud": "doF5nW9DkLvO84EOOGX8gwgPSnxjXcWt",
"iat": 1506543870,
"exp": 1506579870
}