We’re building a mobile app and a corresponding API for this app to call.
Our goal is to log in the user and then use access_tokens to authenticate them on the backend whenever our app makes an API call.
Is there a way to avoid redirecting the user to give permission to use our API after they log in? OR is there a way to authenticate them to call our API during login? It seems weird that users have to take extra steps in order for our app to call our own API.
One possibility I see would be for us to use the id_token given upon login to authenticate the user on the backend upon API call, but I realize that’s not what an id_token is for. Is this a valid option?