In general, the approach would be for the client application to perform direct communication with your Auth0 service domain both to start the flow (send phone number to which OTP will be sent) as well as to complete the flow (exchange OTP code for tokens).
The mobile application would then store the access token and refresh token locally; use the access token to call your API while the access token is valid and use the refresh token to obtain additional access tokens.
From the received access token the API would be able (after validation) to trust that the call is associated with a specific user, as the access token will contain the user identifier. The ID token should only be processed by the client application and may be used by the client (after validation) as a means to populate the user interface with information about the currently logged-in user (as in, about the user to which the access token is also associated).
Ah thanks, it makes more sense to me now. I am getting a better understanding of the Authentication process (starting in the front end) and the authorization process (starting in API).