I have an API which uses JWT for authorization. How can I make API calls from an application (mobile and web) for logged-in users? For example, an API call to change the display name in the database for the logged-in user? Is it mandatory to make an HTTP request to /authorize?audience=IDENTIFIER to get a JWT first and then make a call to the API? Secondly, how can I make my API authorize users by just checking whether they are logged-in users or not? How do I call such an API?
Like you mentioned, the recommended way is to make an authorization request according to the OAuth2 protocol, including the audience parameter with the value associated with your API. This will provide you with an access token (currently in a JWT format) that can then be used to call your API (assuming the API was already configured to accept access tokens issued by your Auth0 account).
The above is generally accomplished by performing a request to the /authorize endpoint and, depending on the grant type being used, a possible additional request to the /oauth/token endpoint. The following documentation will guide you on the exact flow you should use depending on the type of the client application:
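
The API-side check behind the second question, as an added example that is not part of the original answer: the API accepts a request only when its Bearer access token has a valid signature, the expected issuer, this API's audience and an unexpired exp claim. It assumes HS256 signing with a shared secret; SECRET, ISSUER, the helper names and the sample claims are constructed for illustration, and sign_hs256 only stands in for the authorization server.

```python
import base64, hashlib, hmac, json, time

# Constructed demo values (assumptions); AUDIENCE reuses the question's placeholder.
SECRET = b"demo-signing-secret"
ISSUER = "https://tenant.example/"
AUDIENCE = "IDENTIFIER"

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def sign_hs256(claims, secret=SECRET):
    """Stand-in for the authorization server: issue a constructed HS256 token."""
    head = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    mac = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(mac)}"

def authorize_request(auth_header, now=None):
    """Return the verified claims for a Bearer access token, or None to answer 401."""
    now = time.time() if now is None else now
    scheme, _, token = (auth_header or "").partition(" ")
    if scheme.lower() != "bearer" or token.count(".") != 2:
        return None
    head, body, sig = token.split(".")
    try:
        header = json.loads(b64url_decode(head))
        # Pin the algorithm on the API side; the token never chooses it.
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        mac = hmac.new(SECRET, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(mac, b64url_decode(sig)):
            return None
        claims = json.loads(b64url_decode(body))
    except ValueError:
        return None
    if not isinstance(claims, dict) or claims.get("iss") != ISSUER:
        return None
    aud = claims.get("aud")
    if AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        return None  # token was issued for a different API
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return None  # missing or expired
    return claims  # claims["sub"] identifies the logged-in user
```

With asymmetric signing such as RS256 the same claim checks apply, but the signature is verified against the issuer's public key, normally through a maintained JWT library.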