Just to clarify, id_token is meant purely for the client side and access_token is what is passed to the API.
In our system we make an API call from the client to retrieve the user’s permissions after the client has validated that it has a valid set of JWTs.
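The split described above, seen from the API side, as an added example that is not part of the original post: the API accepts only a token whose audience is the API itself, so an id_token (whose audience is the client) is rejected even though its signature is valid. The issuer, audience, client ID, secret and the use of HS256 are all constructed assumptions chosen to keep the demo standard-library only.

```python
import base64, hashlib, hmac, json, time

# All values below are constructed for the demo; HS256 keeps it stdlib-only.
SECRET = b"constructed-demo-secret"
ISSUER = "https://idp.example/"
API_AUDIENCE = "https://api.example/"   # identifier of the API (assumed)
CLIENT_ID = "spa-client-id"             # identifier of the client app (assumed)

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(signing_input: str) -> bytes:
    return hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()

def make_jwt(claims: dict) -> str:
    """Stand-in for the identity provider issuing a token."""
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    return f"{head}.{body}.{_b64(_sign(head + '.' + body))}"

def api_validate(bearer: str) -> dict:
    """API-side check: pinned alg, signature, issuer, expiry, audience."""
    try:
        head, body, sig = bearer.split(".")
        header, claims = json.loads(_unb64(head)), json.loads(_unb64(body))
        sig_ok = hmac.compare_digest(_sign(f"{head}.{body}"), _unb64(sig))
    except ValueError:
        raise PermissionError("malformed token") from None
    if header.get("alg") != "HS256" or not sig_ok:
        raise PermissionError("bad signature")
    if claims.get("iss") != ISSUER or claims.get("exp", 0) <= time.time():
        raise PermissionError("wrong issuer or expired")
    aud = claims.get("aud")
    if API_AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        # An id_token lands here: its audience is the client, not the API.
        raise PermissionError("token not issued for this API")
    return claims

def issue_pair(sub: str) -> tuple:
    """Return (id_token, access_token) as the client would receive them."""
    base = {"iss": ISSUER, "sub": sub, "exp": int(time.time()) + 300}
    return (make_jwt({**base, "aud": CLIENT_ID}),
            make_jwt({**base, "aud": API_AUDIENCE}))
```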