I’m having trouble getting my head around how users’ access to my API expires/renews. I’ve followed the quickstarts whereby my SPA sends the User to the hosted login screen, which then returns the User to the callback page, with the access token and id token.
When the SPA makes requests to my API, it sends the id token in the request’s “Authorization” header - the access token that the SPA receives is not a valid JWT - which the API verifies against the jwks file on my Auth0 domain. On verification, the API then uses the subscription field on the id token to find the User in its database.
Is this the correct workflow? How is token expiry managed? It feels like once anything that makes calls to my API has a valid id token, it can make calls indefinitely.
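
An added example, not part of the original post: a Node.js sketch of the API-side checks that bound how long a signed token stays usable, covering the RS256 signature, `iss`, `aud`, and the `exp` claim with a small clock leeway. The key pair stands in for the JWKS signing key; the issuer, audience, subject and timestamps are constructed placeholders, and `signJwt`/`verifyJwt` are hypothetical helper names.

```javascript
// Added example: keys, issuer, audience and timestamps are constructed placeholders.
const nodeCrypto = require('node:crypto');
const b64url = (v) => Buffer.from(v).toString('base64url');

// Stand-in for the token issuer: sign a constructed RS256 JWT.
function signJwt(payload, privateKey) {
  const head = b64url(JSON.stringify({ alg: 'RS256', typ: 'JWT' }));
  const body = b64url(JSON.stringify(payload));
  const sig = nodeCrypto.sign('RSA-SHA256', Buffer.from(`${head}.${body}`), privateKey);
  return `${head}.${body}.${sig.toString('base64url')}`;
}

// API side: verify signature, then issuer, audience and expiry.
function verifyJwt(token, publicKey, { issuer, audience, now = Date.now() / 1000, leeway = 30 }) {
  const parts = token.split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed' };
  const [head, body, sig] = parts;
  let header, claims;
  try {
    header = JSON.parse(Buffer.from(head, 'base64url').toString());
    claims = JSON.parse(Buffer.from(body, 'base64url').toString());
    if (header === null || claims === null) throw new Error('null JSON');
  } catch {
    return { ok: false, reason: 'malformed' };
  }
  // Pin the algorithm; the token header must not choose it.
  if (header.alg !== 'RS256') return { ok: false, reason: 'bad alg' };
  const signed = Buffer.from(`${head}.${body}`);
  if (!nodeCrypto.verify('RSA-SHA256', signed, publicKey, Buffer.from(sig, 'base64url'))) {
    return { ok: false, reason: 'bad signature' };
  }
  if (claims.iss !== issuer) return { ok: false, reason: 'wrong issuer' };
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(audience)) return { ok: false, reason: 'wrong audience' };
  // exp is seconds since the epoch; a missing exp is treated as expired.
  if (typeof claims.exp !== 'number' || now > claims.exp + leeway) {
    return { ok: false, reason: 'expired' };
  }
  return { ok: true, sub: claims.sub };
}

// Constructed sample data (the key pair stands in for the JWKS signing key).
const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const ISSUER = 'https://tenant.example/';
const API_AUDIENCE = 'https://api.example/';
const T0 = 1700000000;
const base = { iss: ISSUER, sub: 'user|123', iat: T0, exp: T0 + 3600 };
const apiToken = signJwt({ ...base, aud: API_AUDIENCE }, privateKey);
const otherToken = signJwt({ ...base, aud: 'some-other-client' }, privateKey);
const opts = { issuer: ISSUER, audience: API_AUDIENCE };
```

Calling `verifyJwt(apiToken, publicKey, { ...opts, now: T0 + 60 })` succeeds, while the same token checked more than 30 seconds after `exp` is rejected as expired, and `otherToken` is rejected for its audience even though its signature is valid.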