Hi! I’m having trouble understanding how JWTs should be managed for an application like mine through Auth0. First, some context: I have a Regular Web Application (using Next.js) that integrates with Auth0 to use the passwordless login to validate user credentials. This works perfectly but I need to integrate the UI with an independent API living on a different server.
The API needs to receive a JWT to ensure that the users making the request are who they say they are. However, the User object that the RWA library generates doesn’t have a JWT that I can use for the API.
So far, I’ve tried using an Action on the Post Login flow to generate a JWT through the M2M oauth/token endpoint which the UI could later use to make requests to the API. Sadly, this JWT has no user information, and the API cannot use it to know who the request is from. I have tried lots of ways to enrich that JWT with user data, but it seems like it’s not possible.
What should a solution to an architecture like this look like? Am I on the right path? What am I missing?