I’m trying to figure out how to set up the login workflow correctly so that our users can log in once, get an access token and then use it for authentication in our APIs. The issue is that I cannot yet grasp how to set up and request tokens for our APIs.
Essentially, our infrastructure is this:
Mobile user → API → Internal API
The mobile user logs in via username/password into Auth0 and then uses the token to access the API. In turn, the API will call the Internal API to perform the actual work.
My question is: how do I request an access token so that I can pass it to the Internal API? Must I request another access token inside the API for the Internal API on every call, or can I re-use the API token and pass it there? The second approach is the best, but as far as I can see there’s no option to request an access token with multiple audiences. Instead it’s recommended to use scopes, but then how do I receive an access token without an audience?