Thanks for your understanding @tehpsalmist. I agree that it is a point of confusion generally amongst users who are trying to understand identity best practices, not just those of Auth0. Education in this area is an ongoing process.
To that end, we’ve made available our entire “Learn Identity” video course to the public, which may help your understanding. In particular, allow me to direct you to a particular section which may help, around ID tokens vs access tokens.
I think Hasura possibly has some responsibility in this area to help educate users too. They’re providing an API so it makes sense that they try and steer people towards API security best practices.