I have a SPA and an API that trust each other and share the Auth0 client properties. I followed the example from https://auth0.com/docs/architecture-scenarios/spa-api . The SPA successfully logs in and sends Bearer access tokens for the API to check and validate the authorization. The issue is that the API (written in Spring Boot + Spring Security 5) rejects the token, saying it’s malformed. I did some debugging and the issue appears when Spring wants to update the jwkSet from the URL specified under spring.security.oauth2.resourceserver.jwt.issuer-uri. The value of this property is the domain of the Auth0 tenant, but when the URL is actually being hit, it returns this page: https://auth0.com/
I think the 01-authorization example is missing something, like providing properties to log in to that domain so Spring can get the JWK set.