If your app is using a sign in scenario that doesn’t require API calls, only an ID token is required. There is no need to store it. You can validate it and get the data from it that you required.
If your app needs to call APIs on behalf of the user, access tokens and (optionally) refresh tokens are needed. These can be stored server-side or in a session cookie. The cookie needs to be encrypted and have a maximum size of 4 KB. If the data to be stored is large, storing tokens in the session cookie is not a viable option.
So according to these docs, a statically generated site with user-specific info only requires that a user logs in once, and then we can use the user-token to display what’s needed. This makes sense to me. But as soon as API calls are required, then we need the overhead of access tokens and token validation? Why is that exactly? And what’s meant by api calls? API calls to my own server or auth0?
API calls requires an access token because they provide access a protected resource. Whereas ID tokens are used to provide information about the authenticated user.
An example of an API call is making a request with the Management API. To do so, you will need to get an access token for the Management API before you can call an endpoint in the API.
You could also have your own APIs, where you would need to get an access token to make those API calls.
I recommend reviewing the resources below for more information:
Thanks for the clarity and the resources. I think my confusion stems from not understanding the nuances of the different parts. I was trying to take a short cut and understand how they work together without understanding the parts themselves. Doing some deep diving now, thanks!