I have an API that will be called from back-end applications as well as a mobile app. I am confused about token generation from these applications. Which one of these is the correct approach:
- The back-end application uses the Client Credentials grant (CCG) to obtain an Access Token, the mobile app uses the Authorization Code Flow with PKCE (ACF) to obtain an Access Token. Both applications use their respective tokens to call the API. The API does not need special handling for different types of tokens - they are all verified the same way.
- The back-end application uses the CCG to obtain an Access Token, and calls the API. The mobile app uses ACF to authenticate the user, and then uses CCG to obtain an Access Token to call the API. The API only accepts tokens generated using CCG, and rejects other tokens. Is there anything in the token to differentiate how it was generated? Should it matter to the API?
I hope my question is clear. I am open to discussion.
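An added example (not from the question's author) of what the API side of the first option looks like: every token goes through one verification path, and the API then tells a user-delegated token apart from a client-only one by its claims rather than by which grant produced it. It assumes JWT access tokens in the RFC 9068 shape, a constructed HS256 shared secret standing in for the authorization server's signing key, and a constructed audience value `api`.

```python
import base64
import hashlib
import hmac
import json

# Assumption: a constructed shared secret. A real API would verify the
# authorization server's asymmetric signature (e.g. RS256/ES256 via its JWKS).
SECRET = b"constructed-demo-secret"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint(claims: dict) -> str:
    """Constructed stand-in for the authorization server: signs claims with HS256."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "at+jwt"}).encode())
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"


def verify(token: str, audience: str, now: int) -> dict:
    """Single verification path for every caller: alg, signature, audience, expiry."""
    header, body, sig = token.split(".")
    if json.loads(_unb64(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never trust the token's own alg choice
    expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(body))
    if claims.get("aud") != audience:
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims


def caller_kind(claims: dict) -> str:
    """Classify by claims, not by grant: a client-credentials token carries no end
    user, and RFC 9068 section 2.2 has the server set sub to the client_id in that case."""
    sub, client = claims.get("sub"), claims.get("client_id")
    return "service" if sub is None or sub == client else "user"
```

Authorization decisions (which scopes a service may hold, which resources a user may touch) are then made on the verified claims, so the API never needs to know or care which grant issued the token.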