In my architecture I have a Client (Android application), Auth0 as the authorization server, and a Backend Server that provides data to logged-in users through RESTful APIs.
I am struggling to understand which is the correct practice for providing RESTful APIs only to logged-in users.
1. I should use the access token provided by Auth0 after the login operation as the Authorization header of my request, and validate it on the server side with the Auth0 /userinfo API
or
2. I should protect my APIs with client credentials and provide as authorization an access token obtained from Auth0 with the /oauth/token method with grant_type client_credentials? In this way, how can I add user ID or email data to the access token?
I think the first one is correct, but I am still confused.
Thanks.
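As an added example, not part of the original post: the backend side of option 1 in Python. The API reads the Bearer token the Android client sends, resolves it through Auth0's /userinfo endpoint, and only serves the request when a user comes back; the lookup is injectable so the logic can be exercised offline, and AUTH0_DOMAIN is a placeholder.

```python
import json
import urllib.request
from urllib.error import HTTPError

AUTH0_DOMAIN = "YOUR_TENANT.auth0.com"  # placeholder tenant, not a real one


class Unauthorized(Exception):
    """Raised when a request carries no valid user token (answer with HTTP 401)."""


def extract_bearer_token(headers):
    """Return the token from 'Authorization: Bearer <token>', or None if absent/malformed."""
    scheme, _, token = headers.get("Authorization", "").strip().partition(" ")
    token = token.strip()
    return token if scheme.lower() == "bearer" and token else None


def userinfo_lookup(token):
    """Ask Auth0's /userinfo who the token belongs to; None if Auth0 rejects it.

    This performs a real HTTPS call and is therefore not exercised offline.
    """
    req = urllib.request.Request(
        f"https://{AUTH0_DOMAIN}/userinfo",
        headers={"Authorization": f"Bearer {token}"},
    )
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return json.load(resp)
    except HTTPError as err:
        if err.code in (401, 403):
            return None
        raise


def authorize_request(headers, lookup=userinfo_lookup):
    """Return the identity (sub, email) the API should act on behalf of.

    Raises Unauthorized when the header is missing or malformed or the token
    does not resolve to a user. A client-credentials token (option 2 in the
    question) has no user behind it, so /userinfo cannot return a profile
    for it and the request is rejected as well.
    """
    token = extract_bearer_token(headers)
    if token is None:
        raise Unauthorized("missing or malformed Authorization header")
    profile = lookup(token)
    if not profile or "sub" not in profile:
        raise Unauthorized("token did not resolve to a logged-in user")
    return {"sub": profile["sub"], "email": profile.get("email")}
```

In a real deployment the identity returned here, not anything the client sends in the body, is what the API uses to scope the data it returns.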