tokusumi / fastapi-cloudauth

Simple integration between FastAPI and cloud authentication services (AWS Cognito, Auth0, Firebase Authentication).

Aud(ience) is not verified

spawn-guy opened this issue · comments

I can't seem to find an audience (and the rest of the params) verifier.
It seems that only the signature is verified.

I see a decode method that should do all that and get the needed information back here: https://github.com/mpdavis/python-jose/blob/master/jose/jwt.py#L57

Can this be used?

@spawn-guy Thank you for your issue and proposed solution.
This is fixed at #45

@tokusumi Hi! I just upgraded to 0.4.0. I'm using auth0 and I see that customAPI is now a required parameter to Auth0().

I understand this will essentially validate the client ID that is trying to authenticate. Now, what if there are multiple valid client IDs we want to authenticate against?

One scenario I could see: An android app, an iOS app and an electron app all three with different client IDs, trying to auth against the same endpoint.

This is a bit confusing and not made clear in the docs (it just says "audience"). WDYT?

@jleclanche you need to validate against server keys, not the client keys.

Client gives you a token, and server validates that it can accept the token. The token is valid and the token allows access to this server.

@spawn-guy Thanks for the pointers. I think this could use some examples for auth0; I will try to figure out how to do it properly.
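The two points raised in this thread, that checking the signature alone is not enough and that the audience a resource server checks is its own API identifier rather than a client ID, are illustrated by the added example below. It is not code from fastapi-cloudauth, python-jose or Auth0; it uses only the Python standard library and a constructed HS256 secret so it runs offline. The issuer URL, API identifier and client ID are assumed values. The claim shapes follow RFC 7519 (`aud` may be a string or an array of strings) and the Auth0 convention that an access token for an API carries the API identifier in `aud` while an ID token carries the client ID.

```python
"""Added example: why signature-only JWT checks accept tokens meant for another audience."""
import base64
import hashlib
import hmac
import json
import time
from typing import Iterable, Union

SECRET = b"constructed-demo-secret"            # constructed; stands in for the IdP's key
ISSUER = "https://example.auth0.com/"          # assumed tenant issuer
API_AUDIENCE = "https://api.example.com"       # assumed API identifier (the "customAPI" value)
MOBILE_CLIENT_ID = "abc123mobileclient"        # assumed client ID of one of the apps


class JWTError(Exception):
    """Raised for any token the server must reject."""


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_hs256_jwt(claims: dict, secret: bytes) -> str:
    """Mint a constructed HS256 token for the demo (plays the role of the identity provider)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims)
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def verify_signature_only(token: str, secret: bytes) -> dict:
    """The weak check described in the issue: a valid signature is all that is required."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise JWTError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never let the token choose it
        raise JWTError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise JWTError("bad signature")
    return json.loads(_b64url_decode(payload_b64))


def audience_accepted(aud_claim, accepted: Iterable[str]) -> bool:
    """RFC 7519 'aud' is a string or a list of strings; accept if any entry is one we serve."""
    if aud_claim is None:
        return False
    claimed = [aud_claim] if isinstance(aud_claim, str) else list(aud_claim)
    ours = set(accepted)
    return any(a in ours for a in claimed)


def verify_jwt(token: str, secret: bytes, audience: Union[str, Iterable[str]],
               issuer: str, now: float = None) -> dict:
    """Full check: signature, then iss, exp, nbf and aud against this server's own identifiers."""
    claims = verify_signature_only(token, secret)
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise JWTError("wrong issuer")
    if "exp" not in claims or now >= claims["exp"]:
        raise JWTError("expired or no exp")
    if now < claims.get("nbf", 0):
        raise JWTError("not yet valid")
    accepted = [audience] if isinstance(audience, str) else list(audience)
    if not audience_accepted(claims.get("aud"), accepted):
        raise JWTError("audience mismatch")
    return claims


def demo(now: int = 1_700_000_000) -> dict:
    """Compare the two verifiers on a constructed access token and a constructed ID token."""
    # Access token for our API: Auth0-style list audience (API identifier plus /userinfo).
    access_token = make_hs256_jwt(
        {"iss": ISSUER, "sub": "auth0|user1", "aud": [API_AUDIENCE, ISSUER + "userinfo"],
         "exp": now + 3600}, SECRET)
    # ID token for the mobile app: audience is that app's client ID, not our API.
    id_token = make_hs256_jwt(
        {"iss": ISSUER, "sub": "auth0|user1", "aud": MOBILE_CLIENT_ID, "exp": now + 3600}, SECRET)
    results = {"good": verify_jwt(access_token, SECRET, API_AUDIENCE, ISSUER, now)["sub"],
               "id_token_sig_only": verify_signature_only(id_token, SECRET)["aud"]}
    try:
        verify_jwt(id_token, SECRET, API_AUDIENCE, ISSUER, now)
        results["id_token_full"] = "accepted"
    except JWTError as err:
        results["id_token_full"] = str(err)
    return results


if __name__ == "__main__":
    print(demo())
```

The point for the multi-client question in the thread: all three apps request access tokens for the same API identifier, so the server checks one audience (its own) and the client IDs never enter into it. `audience_accepted` still takes an iterable so a server that legitimately answers to more than one API identifier can list them; a token is rejected only if none of its `aud` entries match.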