We’re building a mobile app and a corresponding API for this app to call.
Our goal is to log in the user and then use access_tokens to authenticate them on the backend whenever our app makes an API call.
Is there a way to avoid redirecting the user to give permission to use our API after they log in? OR is there a way to authenticate them to call our API during login? It seems weird that users have to take extra steps in order for our app to call our own API.
One possibility I see would be for us to use the id_token given upon login to authenticate the user on the backend upon API call, but I realize that’s not what an id_token is for. Is this a valid option?
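As an added illustration that is not part of the original post: a backend that validates tokens properly checks the `aud` claim, and an OpenID Connect id_token carries the app's client ID there, while an access_token for the API carries the API's identifier. The sketch below uses constructed names (`API_AUDIENCE`, `APP_CLIENT_ID`, `ISSUER`), a stand-in issuer, and HS256 with a shared demo key so it runs offline; a real provider would normally sign with RS256 and publish its keys.

```python
import base64, hashlib, hmac, json, time

# Constructed values for this example (assumptions, not taken from the post).
API_AUDIENCE = "https://api.example.test"   # identifier of our own API
APP_CLIENT_ID = "mobile-app-client-id"      # client ID of the mobile app
ISSUER = "https://idp.example.test/"
KEY = b"demo-only-shared-secret"            # demo key; real setups use RS256 + JWKS

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_token(claims: dict) -> str:
    """Stand-in for the identity provider: issue an HS256-signed JWT."""
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64(sig)}"

def verify_for_api(token: str) -> dict:
    """Backend check: algorithm, signature, issuer, expiry, then audience."""
    try:
        head, body, sig = token.split(".")
        header, claims = json.loads(_unb64(head)), json.loads(_unb64(body))
        given = _unb64(sig)
        if not isinstance(header, dict) or not isinstance(claims, dict):
            raise ValueError("header and payload must be JSON objects")
    except (ValueError, TypeError) as exc:
        raise PermissionError("malformed token") from exc
    if header.get("alg") != "HS256":  # pin the algorithm, do not trust the header
        raise PermissionError("unexpected alg")
    expected = hmac.new(KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given):
        raise PermissionError("bad signature")
    if claims.get("iss") != ISSUER or claims.get("exp", 0) <= time.time():
        raise PermissionError("wrong issuer or expired")
    aud = claims.get("aud")
    if API_AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise PermissionError("token was not issued for this API")
    return claims

def issue_pair(user: str) -> tuple:
    """Stand-in login response (assumed to carry both tokens): (id_token, access_token)."""
    base = {"iss": ISSUER, "sub": user, "exp": int(time.time()) + 300}
    return (make_token({**base, "aud": APP_CLIENT_ID}),  # id_token: for the app
            make_token({**base, "aud": API_AUDIENCE}))   # access_token: for the API
```

Both tokens here are validly signed by the same issuer; the id_token is refused only because its audience is the app, which is the check that is lost if the API is changed to accept id_tokens.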