can my server trust the access token from auth0?

I'm using this workflow: https://auth0.com/docs/get-started/authentication-and-authorization-flow/authorization-code-flow

In step 5, the app make a request with an accesstoken which is generated by auth0

This is the guide to validate the access token in the server: https://auth0.com/docs/quickstart/backend/aspnet-core-webapi/interactive

According to the guide, I see they only validate the issuer and audience, what if someone know the issuer and audience and create a fake access token with that information? will my server be tricked?

Is there a way to validate the access token in my server securely?

The access token, generated by Auth0, is in the format of a Json Web Token (JWT).
In its compact form, JSON Web Tokens consist of three parts separated by dots (.), which are:

• Header
• Payload
• Signature

When a JWT is created, a signature is made of the content of the JWT, including a timestamp which is in the payload. For this hash the server uses a private key and an algorithm. If you want to validate the JWT, thus check the hash, you need the public key of the JWT server (Auth0). You can download this from the .well-know url.

https://{yourDomain}/.well-known/openid-configuration

With the public key, you can validate the content (payload) of the JWT and verify if the signature is signed by the private key of Auth0.

You can learn more about how JWT works at https://jwt.io/introduction