You are on the right track. Your API should be defined as an API in Auth0, and your flutter app should request an access token for it. This access token will have a lifetime, and when it expires, you use silent authentication to get a new one (or refresh tokens).
John