I’m currently implementing passwordless authentication with a SPA + API. We’re storing most user information in our DB. My goal is to only allow users to read their own records from the API.
It seems like I can do this using only ID tokens. So the user would hit a link in their email which would redirect to my SPA. The SPA would receive an access token and ID token corresponding to the user. The SPA would then make a call to the API for the user’s details.
Is there any reason I need to use the access token when calling my API? Can I not just pass along the ID token, then check the ID token details and signature in the API before responding?
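As an added example (not code from the original post), here is a minimal API-side check of the kind described: verify the token's signature, issuer, audience and expiry, then only return the record whose id matches the token's `sub` claim. The issuer URL, the API audience `api://users`, the SPA `client_id`, the user records and the HS256 shared secret are all constructed for the example; a real API would instead verify the provider's RS256/ES256 signature against its published JWKS. The audience check is what separates the two token types in OIDC: an ID token is issued with `aud` set to the SPA's `client_id`, so an API that expects its own identifier rejects it, while an access token minted for the API passes.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed sample values. HS256 with a shared secret is used only so the
# example runs offline; in production the API would verify the identity
# provider's asymmetric signature against its JWKS.
SECRET = b"constructed-shared-secret-not-for-production"
ISSUER = "https://issuer.example"      # assumed issuer URL
API_AUDIENCE = "api://users"           # assumed identifier the API expects in aud
SPA_CLIENT_ID = "spa-client-id"        # assumed OIDC client_id of the SPA

# Constructed in-memory "database" keyed by the subject id in the token.
USERS = {
    "user-123": {"email": "alice@example.com", "plan": "pro"},
    "user-456": {"email": "bob@example.com", "plan": "free"},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(claims: dict, secret: bytes = SECRET) -> str:
    """Build an HS256 JWT; stands in for the identity provider in this example."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


class TokenError(Exception):
    """Raised when a token fails any verification step."""


def verify_token(token: str, audience: str, now: Optional[float] = None,
                 secret: bytes = SECRET) -> dict:
    """Check signature, issuer, audience and expiry; return the claims."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
    except ValueError:
        raise TokenError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm instead of trusting whatever the header announces.
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise TokenError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    if claims.get("iss") != ISSUER:
        raise TokenError("wrong issuer")
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if audience not in aud_list:
        raise TokenError("token not intended for this API")
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise TokenError("expired")
    return claims


def get_own_record(token: str, requested_user_id: str,
                   now: Optional[float] = None) -> dict:
    """API handler: the caller may read only the record whose id equals sub."""
    claims = verify_token(token, API_AUDIENCE, now)
    if claims.get("sub") != requested_user_id:
        raise PermissionError("may only read your own record")
    return USERS[requested_user_id]


if __name__ == "__main__":
    now = 1_700_000_000
    access = mint_token({"iss": ISSUER, "aud": API_AUDIENCE,
                         "sub": "user-123", "exp": now + 600})
    print(get_own_record(access, "user-123", now))
```

Whichever token the SPA forwards, the handler's last check (`sub` must equal the requested id) is what enforces "users read only their own record"; the audience check is what decides whether a given token was meant for this API at all.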