I’ve set up a basic web application and can get an id token for it. Now I have some set of APIs (non-interactive clients) which communicate with each other. Each API is a different client. The APIs must be able to use the token they got from the web application. Which grant type do I have to use so the APIs can use the id token, because the APIs don’t do some kind of interaction?
Or does an API only validate the JWT tokens it got in the Authorization header?
APIs should be passed the access_token, not the id_token, in the Authorization header. Your APIs will need to be configured correctly in Auth0, as well as set up to validate the access_token. I suggest reading through the following docs which outline the API Authorization features:
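As an added illustration of the answer above (this is not code from the thread or from Auth0), here is a minimal resource-server check in Python that does what the answer describes: take the bearer token out of the Authorization header, verify its signature, and only then enforce issuer, audience and expiry before trusting any claim. The tenant URL, API identifier, client id and shared secret are constructed placeholders. HS256 with a shared secret is used so the example runs with the standard library alone; a real Auth0 API would usually verify an RS256 signature against the tenant's JWKS instead, but the claim checks are the same. The demo also shows why an id_token is the wrong thing to send: its aud is the web app's client id, so it fails the API's audience check even when its signature is valid.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed placeholders for the demo (not real Auth0 values).
API_SECRET = b"constructed-shared-secret-do-not-reuse"
ISSUER = "https://example-tenant.auth0.com/"        # assumed tenant URL
API_AUDIENCE = "https://orders.example.internal"    # assumed API identifier
WEB_CLIENT_ID = "web-app-client-id-constructed"     # assumed web app client id
NOW = 1_700_000_000                                 # fixed clock for reproducibility


class TokenError(Exception):
    """Raised when a bearer token fails any validation step."""


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # JWT segments drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_hs256_jwt(claims: dict, secret: bytes) -> str:
    """Build an HS256-signed JWT. Stands in for the issuer (Auth0) in this demo."""
    header = {"alg": "HS256", "typ": "JWT"}
    segments = [
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()),
    ]
    signature = hmac.new(secret, ".".join(segments).encode("ascii"), hashlib.sha256).digest()
    return ".".join(segments + [_b64url_encode(signature)])


def validate_access_token(token: str, secret: bytes, issuer: str, audience: str, now=None) -> dict:
    """Verify signature first, then iss/aud/exp. Returns the claims on success."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    try:
        header = json.loads(_b64url_decode(parts[0]))
    except ValueError:
        raise TokenError("malformed header")
    # Pin the algorithm on the server side; never let the token's header choose it.
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected = hmac.new(secret, f"{parts[0]}.{parts[1]}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        raise TokenError("bad signature")
    # Only now are the claims trustworthy enough to parse and check.
    claims = json.loads(_b64url_decode(parts[1]))
    if claims.get("iss") != issuer:
        raise TokenError("issuer mismatch")
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else (aud or [])   # aud may be a string or a list
    if audience not in aud:
        raise TokenError("audience mismatch")
    now = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise TokenError("token expired")
    return claims


def authorize_request(headers: dict, secret: bytes, issuer: str, audience: str, now=None) -> dict:
    """Pull the bearer token out of the Authorization header and validate it."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        raise TokenError("missing bearer token")
    return validate_access_token(token.strip(), secret, issuer, audience, now)


def run_demo() -> dict:
    """Exercise the validator with an access token and three tokens it must reject."""
    user = "auth0|user123"
    access_claims = {"iss": ISSUER, "sub": user, "aud": [API_AUDIENCE, ISSUER + "userinfo"],
                     "iat": NOW, "exp": NOW + 3600, "scope": "read:orders"}
    # An id_token is addressed to the web app (aud = client id), not to the API.
    id_claims = {"iss": ISSUER, "sub": user, "aud": WEB_CLIENT_ID, "iat": NOW, "exp": NOW + 3600}
    candidates = {
        "access_token": mint_hs256_jwt(access_claims, API_SECRET),
        "id_token": mint_hs256_jwt(id_claims, API_SECRET),
        "wrong_key": mint_hs256_jwt(access_claims, b"some-other-secret"),
        "expired": mint_hs256_jwt(dict(access_claims, exp=NOW - 1), API_SECRET),
    }
    results = {}
    for name, token in candidates.items():
        try:
            claims = authorize_request({"Authorization": "Bearer " + token},
                                       API_SECRET, ISSUER, API_AUDIENCE, now=NOW)
            results[name] = claims["sub"]          # the validated caller identity
        except TokenError as err:
            results[name] = str(err)
    return results


if __name__ == "__main__":
    print(run_demo())
```

The order inside validate_access_token matters: the signature is checked before any claim is read, so a forged or altered payload never reaches the issuer and audience logic, and the algorithm is pinned by the server rather than taken from the token header.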
But how does my API know about the identity who called it?