so, this is the flow: 1. auth0 login -> auth0 token 2. auth0 token -> graphcool token (JWT) 3. request external app -> verification of graphcool JWT However, for the last step, since graphcool is using HS256 (right?), I need the server secret (that was used to generate the token). Where can I find the secret for verification? (I prefer to use the graphcool token, since I need the payload as well. If I have to use the auth0 JWT, I have to make an extra call to auth0 every time...)