Multiple Apps, Single API, mixed OAuth flows

Thanks for the response @dan.woda. So, that’s the approach I was heading towards, but what I’m not sure about is how to do the token validation in the API. We’re using JWT for the access token, and I’m assuming we will want to do audience and signature validation in the API to ensure the token hasn’t been tampered with, right? How can I do that if each application uses a different client ID and client secret? Would switching to RS256 instead of HS256 allow multiple apps to access the same API?

Sorry, I’ve been so deep in the docs that my eyes are going crossed. Every time I feel like I understand the solution, I come up with a different concern.

1 Like