We built an API for our application that is authenticated and authorized using JWT from Auth0. It works great!
Now we have a third party application that would like to call these APIs from a SPA on their website.
Is there a standard approach to this? Would this require setting up SAML or OIDC to connect their identity provider to authorize their clients?
Another option might be to create an API the third party would need to call with a hashed userId from their server with an API key/secret that would create a “stub” user and return a JWT?