Thanks for your reply. I understand that the first diagram indicates that I should use Id Tokens for a traditional old fashioned web app, and the second indicates that I should use Access Tokens for APIs.
What I don’t understand is why. What is the nature of a traditional web app that makes Id Tokens suitable for it, while APIs do not have that nature? If I refactor my web app so that is now API-centric, why is an identity token now unsuitable?