Verifying at_hash on RS256 id token without access token

Hi, I saw a couple of other similar questions to mine in the community db but no answers. Hoping someone can shed some light.

I have a client app that’s using the Node.js library to authenticate a user. It receives and stores the resulting id_token. Our Auth0 application is set up to use RS256. The client sends our Python service the id_token in the Authorization header. The service is calling jwt.decode to verify the id_token, however it appears to be failing on the at_hash which is included in the claims.

If I specify the access_token argument to jwt.decode, hard-coding it to the value I manually stole from the client after authing, it all works perfectly. However, that means that the client now has to send the service both the id_token and the access_token. My (admittedly hazy) understanding is that it’s using the access_token to sign the id_token, so sending them both across the wire seems counter-productive.

Is that accurate? How else can I validate the at_hash successfully in a BE service, from a token created by a node app? Is it even necessary to verify the at_hash?

Thanks much,
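
How the at_hash claim discussed in this post is derived and compared, as an added example that is not part of the original post or of any library's code: per OpenID Connect Core, at_hash is the unpadded base64url encoding of the left-most half of the hash of the access token, with the hash chosen by the ID token's alg header. The function names and sample values below are constructed for illustration, and the check assumes the ID token's signature and standard claims were already verified.

```python
import base64
import hashlib
import hmac

# The at_hash digest follows the ID token's JOSE "alg" header
# (OpenID Connect Core): RS256/ES256/HS256 -> SHA-256, and so on.
_HASH_FOR_ALG = {"256": hashlib.sha256, "384": hashlib.sha384, "512": hashlib.sha512}


def compute_at_hash(access_token: str, alg: str) -> str:
    """Unpadded base64url of the left-most half of hash(ASCII access_token)."""
    try:
        hash_fn = _HASH_FOR_ALG[alg[-3:]]
    except KeyError:
        raise ValueError(f"unsupported alg for at_hash: {alg!r}")
    digest = hash_fn(access_token.encode("ascii")).digest()
    left_half = digest[: len(digest) // 2]
    return base64.urlsafe_b64encode(left_half).rstrip(b"=").decode("ascii")


def check_at_hash(claims: dict, alg: str, access_token=None) -> str:
    """Return 'absent', 'unchecked', 'match' or 'mismatch'.

    Assumption: the caller has already verified the ID token's signature,
    iss, aud and exp. at_hash is an ordinary claim inside that signed
    payload; it ties the ID token to one specific access token.
    """
    claimed = claims.get("at_hash")
    if claimed is None:
        return "absent"
    if access_token is None:
        # Nothing to compare against: the binding cannot be evaluated.
        return "unchecked"
    expected = compute_at_hash(access_token, alg)
    ok = hmac.compare_digest(expected.encode(), str(claimed).encode())
    return "match" if ok else "mismatch"


# Constructed sample values, not real tokens.
SAMPLE_ACCESS_TOKEN = "constructed-access-token-123"
SAMPLE_CLAIMS = {
    "sub": "user|1",
    "at_hash": compute_at_hash(SAMPLE_ACCESS_TOKEN, "RS256"),
}
```
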