We are using ReactJS and Auth0, which works great. Post authentication, SPA is passing id-token and access-token to backend service. Which endpoint should the backend service hit to verify these tokens are legit, also, should the backend service want more info regarding the user, how should it get it?
Thanks!
You should send the access token via the Authorization request header whenever you make a request to your backend that requires authorization. Your backend should verify the token and use the scopes attribute to determine whether to allow access to a particular resource.
You can pass the access token to the userinfo endpoint to retrieve the user profile. Keep in mind that you will need to make sure you requested the profile scope when you first requested the tokens otherwise the information will come back empty.