Not sure what you mean with "by domain name".
The typical flow would be:
- client requests a (JWT) token from an authorization server (using OAuth2)
- client sends the token to the API using the authorization header
The JWT is signed by the authorization server - the API verifies the signature.
So trust between the API and the authorization server is established by being able to validate the token (using the signature, issuer name and audience name).
see also here: https://github.com/thinktecture/Thinktecture.AuthorizationServer/wiki