https://github.com/auth0-blog/auth0-golang-jwt/blob/master/main.go#L45
secret := []byte("{YOUR-AUTH0-API-SECRET}")
secretProvider := auth0.NewKeyProvider(secret)
audience := []string{"{YOUR-AUTH0-API-AUDIENCE}"}
configuration := auth0.NewConfiguration(secretProvider, audience, "https://{YOUR-AUTH0-DOMAIN}.auth0.com/", jose.HS256)
validator := auth0.NewValidator(configuration)
token, err := validator.ValidateRequest(r)
Make sure that secret is the "Signing Secret" in "APIs" instead of the "Client Secret" in "Applications".