This seems to work pretty well, thank you for the excellent writeup and direction. Hope this makes it into the official docs and quickstarts.
One question I still have: while this middleware (checkJWT) successfully protects the API endpoints, how best can I access the current user? For e.g. I could use the Auth0Api->userinfo($access_token) call to retrieve the user’s “sub” (auth0 id), find that sub in my app’s db and then display the relevant user info. But that seems cumbersome as it requires an Auth0 API call for every API endpoint accessed - surely there are better ways? An example use-case would be a native app, where a user logs in via Lock.js or other native auth0 library, and then the app makes a request to mystore.com/api/user/orders to retrieve various orders placed by this user.
Lastly, if possible, it would be great to have a quickstart for both this method (API being accessed via token) and one for API for asynchronously loading. 