Never mind I found the answer to my question here.
You are correct in that the access_token should be used to make authenticated calls to your API. The access_token contains a
subclaim, that will contain the user identifier of the user for which the application was granted an access_token. In your API, after you have validated the access_token, you can use thesubclaim as the user_id in your backend