Let’s say we have a frontend client app Client1 and two APIs, API1 and API2. Client1 authenticates on Auth0 and uses an Access Token to communicate with API1, but for some requests API1 needs to obtain some data from API2. Is it OK to reuse the Access Token that was sent from Client1 to API1 in the communication between API1 and API2, or should we always create an M2M connection between API1 and API2?
From the information available, here are my thoughts on it, and I’m afraid they may just make you have more questions. If both APIs are under your control, I would check if there’s any simpler way to establish trust between calls originating from one API to the other that does not even involve OAuth. For example, can trust be established at the network level?
The above suggestion is due to the fact that if you considered M2M, then individual user identity is either not relevant in these calls or will be communicated through means other than the actual tokens. In this situation client credentials may be overkill.
In relation to the proposal of reusing access tokens, that does not seem right; in particular, token validation would be really weird because now one API would be accepting tokens that have been issued to a different API.
In conclusion, in general I would be tempted to recommend against re-using access tokens, and would likely try to see if there’s a simpler mechanism to establish trust than OAuth client credentials.
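The validation problem the answer describes (API2 receiving a token that was issued for API1) is an audience check failing. The following is an added example, not code from the question or the answer, that shows it concretely: a minimal HS256 JWT mint/verify pair in standard-library Python, with constructed audience URLs, a constructed signing secret and a constructed clock value. Auth0 signs API access tokens with RS256 and a tenant key; HS256 is used here only so the example runs offline with no dependencies. The user token minted for API1 verifies at API1, fails at API2 on the `aud` claim, while a separately minted client-credentials token whose `aud` is API2 is the one API2 accepts.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed values for the example; a real deployment uses the Auth0
# tenant's RS256 public key and the API identifiers configured in Auth0.
SECRET = b"example-shared-secret-not-a-real-key"
API1_AUD = "https://api1.example"   # constructed audience (API identifier) for API1
API2_AUD = "https://api2.example"   # constructed audience (API identifier) for API2
NOW = 1_700_000_000                 # constructed clock so results are reproducible


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(claims: dict) -> str:
    """Mint an HS256 JWT over the given claims (stand-in for the Auth0 issuer)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(claims).encode())}"
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_token(token: str, expected_audience: str, now: Optional[int] = None) -> dict:
    """Verify signature, algorithm, expiry and audience; raise ValueError on any failure.

    The audience check is the part that matters for this thread: each API only
    accepts tokens whose `aud` names that API.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    expected_sig = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s)):
        raise ValueError("bad signature")
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    claims = json.loads(_b64url_decode(p))
    now = int(time.time()) if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_audience not in audiences:
        raise ValueError(f"audience mismatch: token is for {aud!r}, this API is {expected_audience!r}")
    return claims


def user_token_for_api1(now: int = NOW) -> str:
    """Token Client1 obtained for API1 (constructed claims)."""
    return mint_token({"iss": "https://tenant.example/", "sub": "auth0|user123",
                       "aud": API1_AUD, "exp": now + 3600, "scope": "read:data"})


def m2m_token_for_api2(now: int = NOW) -> str:
    """Client-credentials token API1 would obtain for itself to call API2 (constructed claims)."""
    return mint_token({"iss": "https://tenant.example/", "sub": "api1-client-id@clients",
                       "aud": API2_AUD, "exp": now + 3600, "scope": "read:internal"})


def api_accepts(token: str, api_audience: str, now: int = NOW) -> bool:
    """What an API's token middleware decides: True only if every check passes."""
    try:
        verify_token(token, api_audience, now)
        return True
    except ValueError:
        return False


def demo(now: int = NOW) -> dict:
    """Outcome of each path discussed in the thread."""
    user_tok = user_token_for_api1(now)
    m2m_tok = m2m_token_for_api2(now)
    return {
        "client1_token_at_api1": api_accepts(user_tok, API1_AUD, now),   # normal call
        "client1_token_reused_at_api2": api_accepts(user_tok, API2_AUD, now),  # reuse: aud is API1
        "m2m_token_at_api2": api_accepts(m2m_tok, API2_AUD, now),         # client credentials
    }


if __name__ == "__main__":
    print(demo())
```

If API2 were changed to accept `aud: API1` tokens so that reuse "works", API2 would no longer be able to tell a token Client1 meant for API1 from one meant for itself, which is exactly the validation weirdness the answer points at.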