Thanks for the clarifying questions, Nicolas!
When your API is accessed by your clients' application, should it be accessed on behalf of the user using the application?
Yes, the API should be accessed on behalf of the user. A primary function of the API is storing and retrieving data that users upload and curate on their accounts.
Do you need to let your customers decide how to authenticate their users? Or should all the users reside in your own Auth0 domain?
This is a good question, and I’m not completely sure of the answer. I believe that we’d like to give our clients as much freedom as possible to make decisions about authentication (without compromising security on our end, of course). Right now we have clients set up on their own Auth0 tenants. But if the answer to this question changes the recommendation you’d make, I’d be curious to hear how.