I am trying to decode an Auth0 returned JWT that has header information of:
{"alg":"RS256","typ":"JWT","kid":"thisisthekid"}
How do I decode the payload in ColdFusion? Is the kid the key to be used in the ColdFusion decrypt function? I tried using that with SHA-256 and I get an error that SHA-256 is not used by the sender.
The kid stands for "JWK Key ID"; it's a reference to an asymmetric RSA public key in JWK format. These public keys are available in the /.well-known/jwks.json route of your Auth0 tenant.
There are various Java libraries capable of handling the token validation for you. The first one listed from Auth0 is probably your best bet.
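As an added example (not part of the original answer and not Auth0's code): a JWT payload is base64url-encoded rather than encrypted, so reading it is a decode step, and trusting it requires checking the RS256 signature against the JWKS key whose kid matches the header. The function names below are hypothetical, and `jwks` is assumed to be the struct produced by calling deserializeJSON() on the tenant's /.well-known/jwks.json response, fetched by the caller.

```cfml
<cfscript>
// base64url (no padding, "-" and "_") -> binary
function b64urlDecode(required string s) {
    var std = replace(replace(arguments.s, "-", "+", "all"), "_", "/", "all");
    std &= repeatString("=", (4 - (len(std) mod 4)) mod 4);
    return binaryDecode(std, "base64");
}

// JWK "n" and "e" are unsigned big-endian integers in base64url
function b64urlToBigInt(required string s) {
    return createObject("java", "java.math.BigInteger")
        .init(javacast("int", 1), b64urlDecode(arguments.s));
}

// Returns the payload struct only if the signature verifies; throws otherwise.
function verifyRs256Jwt(required string jwt, required struct jwks) {
    var parts = listToArray(arguments.jwt, ".");
    if (arrayLen(parts) != 3) throw(message="Malformed JWT: expected 3 segments");

    var header = deserializeJSON(charsetEncode(b64urlDecode(parts[1]), "utf-8"));
    // Pin the algorithm here; never let the token's header choose it.
    if (!structKeyExists(header, "alg") || compare(header.alg, "RS256") != 0)
        throw(message="Unexpected alg in JWT header");
    if (!structKeyExists(header, "kid")) throw(message="JWT header has no kid");

    // Select the public key whose kid matches the token header
    var jwk = "";
    for (var candidate in arguments.jwks["keys"]) {
        if (structKeyExists(candidate, "kid") && compare(candidate.kid, header.kid) == 0) {
            jwk = candidate;
            break;
        }
    }
    if (!isStruct(jwk)) throw(message="No JWKS key matches the token kid");

    // Build an RSA public key from the JWK modulus and exponent
    var spec = createObject("java", "java.security.spec.RSAPublicKeySpec")
        .init(b64urlToBigInt(jwk.n), b64urlToBigInt(jwk.e));
    var publicKey = createObject("java", "java.security.KeyFactory")
        .getInstance("RSA").generatePublic(spec);

    // RS256 = RSASSA-PKCS1-v1_5 with SHA-256 over "<header>.<payload>"
    var verifier = createObject("java", "java.security.Signature").getInstance("SHA256withRSA");
    verifier.initVerify(publicKey);
    verifier.update(charsetDecode(parts[1] & "." & parts[2], "utf-8"));
    if (!verifier.verify(b64urlDecode(parts[3]))) throw(message="JWT signature verification failed");

    return deserializeJSON(charsetEncode(b64urlDecode(parts[2]), "utf-8"));
}
</cfscript>
```

This checks the signature only; the exp, iss and aud claims in the returned struct still need to be validated before the token is accepted.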