Hi, @mietwise-storm. Somehow I missed the messages on this post.
What do you mean by “managing access tokens”? I mean, the API that the article teaches how to build just validate tokens that are embedded into requests (more specifically on the Authorization header). Fetching access tokens (and managing their lifecycle) would pretty much depend on what type of client you are developing to consume this API.
For example, if you were building a server-side rendered app with Next.js and React, you would use Passport to authenticate users and to fetch tokens. Then, inside this app, you would store access tokens and, if needed, refresh tokens.
Does that help? Or what have I missed?