Description

The section at https://github.com/auth0/express-jwt#multi-tenancy describes the function signature of the (poorly-named, in the case of RSA-256 verification) "secret" function signature as req, payload, done, but, in usage, I found the signature to actually be req, header, payload, callback. I didn't dig into the code too much, so I'm not sure what that arity check is actually doing, but this seems to be the default behavior when I used it so it would be good to at least call this out as a possibility.

Reproduction

You should just have to follow the documentation; I don't think I appreciably deviated from it.

Environment

Latest versions of all of express-jwt, jwks-rsa, etc (tried updating them all as a first fix attempt).
I'm using an RSA-256 keypair.

Interestingly the typescript types have a SecretCallback, which matches the documentation, and a SecretCallbackLong, which has the header in it. It's setup as a union type, which makes no sense because the two functions would conflict.