Thanks a lot for the reply! Just to make sure I understand this correctly, let me paraphrase this in absolute beginner terms:
My React frontend SPA makes a request to the Auth0 server via Lock.
The Auth0 server replies with an id-token & an access token.
Now I take the access token & include it in my request to my node server. The node server grabs the access token & itself sends a request to the Auth0 server. Auth0 responds and says: Yes, that’s a valid token. And then (then & only then) my node server sends back the requested data to the frontend.
Is this correct?
Also, and relatedly, is it ok for my SPA to store access token & id token in state (React state for example)? Or is there something to worry about?
Thanks a lot!