Auth0 Secure Api for logged users

In my architecture I have a Client (Android application), Auth0 as authorization server and a Backend Server that provides data to logged users with RESTful Apis.

I am struggling to understand which is the correct practice to implement to provide RESTful Apis to only Logged Users.

1- I should use as authorization header of my request the access token provided by auth0 after the login operation, and validate it on server side with /userinfo auth0 api


2- I should protect my Apis with client credentials and provide as authorization an access token provided by auth 0 with /oauth/token method with grant_type client credentials ? In this way how can I add user id or email data to access token?

I think the first one is the correct one, but I am still confused.


For mobile apps, you would use the Authorization Code (PKCE) grant to obtain an access_token authorized to call your API. The following docs outline this flow:

Ok thanks, but after auth server successfully authenticate the user, my client got a server response that is OIDC connect with an ID_token used by the client to get user information and an access_token which I think I will use to authenticate the user to the resource server API.
Now how can I verify that this access_token is valid?

1- I should make a server call to /userinfo endpoint and consume the response every time?


2- I should verify this token on server side? This token is not JWT format, do you know which format is used for this token?