Hey there @WTP welcome to the community!
If I’m not mistaken, it sounds like a very standard scenario which is outlined here - Basically, when a user logs in to your web app you will include an audience param and scopes/permissions related to the API registered in Auth0. Your web app will then make requests to your API with the user’s access token at which point the API will validate it, and perform any necessary actions. Auth0 provide various Backend SDKs to make this process easier.
These posts seem to be more directed at the Auth0 equivalent of API Keys, which are client credentials. Some more on that here:
Let us know if this helps to clarify at all!