Why can't Auth0 access my data?

Given that Auth0 is signing JWT / tokens, can someone explain in layman’s terms why they don’t have the keys to the castle and access to create credentials to log into our app?

Other than the legalities, what in the technology keeps Auth0 honest?

bumping this up the priority list too

It’s theoretically possible for any Identity Provider that issues tokens to manually create such a token. The short answer is that Auth0 (and other similar providers) go through certifications intended to make sure that enough internal security controls are present to prevent that: https://auth0.com/security

If you log in to your Auth0 Support portal, you can download the compliance-related documents and reports at https://support.auth0.com/compliance