Hi, @danielcosta
It appears that your application is using the org auth server rather than a custom authorization server. If the issuer is just the org domain and does not have /oauth2/default, that will be the org authorization server. An issuer including /oauth2/default would be referring to the default custom authorization server, which is available with the API Access Management feature. Please refer to this document: Authorization Servers | Okta Developer
If you are using the org authorization server and debugging the access token in jwt.io, you will see the invalid signature message, as per this support article.
Please let me know if you have any further questions.