So as I understand it you recommend using my user’s authentication token to validate calls to my APIs. Is there a way I can validate from my API server that a given token is valid (and ideally which sub ID it belongs to)?
From your description you’re trying to leverage API authorization functionality, so a good starting point would be to check the information available at https://auth0.com/docs/api-auth and the links specific to your scenario (SPA client application, mobile client application, etc.).
In addition, the information at https://auth0.com/docs/api-auth/tutorials/verify-access-token would be particularly relevant for how to validate an access token issued for a custom API. After validation you can use the value of the sub claim to identify the user for whom the call is being made.