Hi @MickCG,
Honestly, I would avoid passing the access token to the WASM client.
I would implement a sort of BFF instead.
In other words, I would configure the Auth0 SDK to request an access token for your external API via the WithAudience() method.
Then I would create an API exposed to the WASM client, secured through classic cookie-based authentication.
This API will map to the external API. When your WASM client calls the internal cookie-based API, your code will call the external API using the access token.
Take a look at this article to have an idea of how to implement BFF in ASP.NET Core.
Does this make sense?
cc: @fedemartino Maybe this can help you as well