Pleasure. See you guys are in Pretoria. Pity I’m not around anymore otherwise I could have hopped over to help you out quickly 
Yes, this makes sense if the API is being consumed from other clients.
You mention 2 ASP.NET apps. And that makes sense as well - though the SPA route would still have made more sense though.
What confused me was that you had the OIDC and JWT middleware all in the same Startup file. So it seemed to me like this is a single ASP.NET Core application containing both the MVC app and the API.
Just to clarify:
Yes, been in Pretoria for 33 years 
where do you stay?
I now live in Bangkok, Thailand. But I was born and raised in Pretoria, and lived there for 40 years. Ek is 100% boertjie
Ok thanks for that tip - I have removed the JWT middleware from my web app. Yeah, that’s what happens when you copy and paste from various sources Yeah I see the norm appears to be an Angular frontend with an ASP .Net web api backend? Gonna start learning Angular today…
Ja boetie - I was born in Argentina but moved here in '84 when I was 7 so, well, let’s say I’m 99% boertjie? LOL Must be awesome living in Bangkok!
Thanks again for all your help - I truly appreciate it! I’ll maybe spend another hour trying to figure out why I’m getting such a short token, even though I’m specifying the audience - just out of curiosity and a sense of accomplishment haha But ja will eventually port the front end to Angular.
Oh, one of Auth0’s offices are located in Buenos Aires, with a large part of the team situated there. So be sure to go say hello if you ever head back home
Yes, Angular is a popular frontend framework to combine with ASP.NET. Along with others such as React, Aurelia and Vuejs.
Haha will do!