Private_key_jwt: The audience claim for client_assertion must be the endpoint invoked for the request

The documentation for the aud field of the JWT used in the private_key_jwt authentication mode lists https://${yourOktaDomain}/oauth2/default/v1/token. Any value other than a precise issuer URI + endpoint seems to result in the error included in the title. Are there other valid possibilities here? I would prefer to specify my authorization server’s audience as the audience to be provided on the JWT, rather than the token endpoint on the issuer URI. I’d prefer to not have to distribute the knowledge of the precise AZ issuer URI to all consumers.

@casba Did you try to create a customize server?
Under Security -> API, do you see authorization server tab?