It would make more sense for the callback to be directed to the frontend.
Then you pass the access token in every request.
The upside is that if you use a JWT as the token, your backend only needs to verify its signature and then it can trust its content (permissions etc.). So your backend doesn't need to talk to auth0 at all, except at boot time, usually to fetch the public key of your auth0 instance.