While we typically recommend a single logical API approach, this doesn’t exactly make sense for your use case.
I haven’t tried this out myself but I believe our SDKs should be able to handle multiple access tokens - That is, you will need to make a separate authorize request for each audience and use the resulting tokens against the relevant API.
Yes I think it is pretty clear how to handle this in a generic way - if you would not use any SDK and build it your self with a few redirects, callbacks and a post request.
But a lot of our clients are using the express-openid-connect library and looks like it doesn’t at least document any way to handle two separate audiences. I guess the way to do it would to create two instances of the middleware and mount those in separate paths.
There is a comment implying something like this in this issue: