I know this is old, but I’m having this issue as well. The kid in the token matches the jwks.json endpoint and has the correct audience as set up in the config. This is my first time trying to set this up and it has never worked. Any help would be appreciated.