The application sometimes fails with Bearer error="invalid_token" and OpenIddict error ID2088 because the issuer (iss claim) in the access token does not match the issuer expected by the API.
In development, the SPA is running on http://localhost:5173 while tokens are issued by https://localhost:44357. Since OpenIddict implicitly derives its issuer from the incoming request when SetIssuer is not configured, the API validated the token against a different issuer URL, resulting in an issuer mismatch and token rejection.