So what you are saying is that the front-end SPA does not have a token that the backend can verify and use, but the backend can use that token when calling a function? And if that function doesn’t return what you expect, that will be the hint that the user is not authenticated or authorized?
Sounds a little unusual…
I had a look at Auth0’s way of doing it. They have a concept of API tokens. When setting up the auth configuration I can also give them the URL for my backend. The front end can then ask Auth0 for a token to be used for my API. This token is a regular JWT with an RS256 signature that the backend can verify without external calls.
Is there anything similar in Realm? Or would a better solution be to set up Realm with an external token provider and just use Auth0?
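
The offline check the post describes (an RS256-signed API token that the backend verifies with only the issuer's public key), as an added example that is not part of the original post and is not Auth0 or Realm code. The key pair, the issuer and audience values, and the function names `signRs256` and `verifyApiToken` are constructed for illustration.

```javascript
const crypto = require('node:crypto');

// Constructed key pair standing in for the token issuer's signing key.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const b64url = (s) => Buffer.from(s).toString('base64url');

// Issuer side (hypothetical helper): sign claims as a compact RS256 JWT.
function signRs256(claims, key) {
  const input = `${b64url(JSON.stringify({ alg: 'RS256', typ: 'JWT' }))}.${b64url(JSON.stringify(claims))}`;
  return `${input}.${crypto.sign('sha256', Buffer.from(input), key).toString('base64url')}`;
}

// Backend side: verify with the public key only, no call to the issuer.
function verifyApiToken(token, key, { issuer, audience, now = Math.floor(Date.now() / 1000) }) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed' };
  let header, claims;
  try {
    header = JSON.parse(Buffer.from(parts[0], 'base64url').toString('utf8'));
    claims = JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
  } catch (e) {
    return { ok: false, reason: 'malformed' };
  }
  if (!header || !claims || typeof claims !== 'object') return { ok: false, reason: 'malformed' };
  // Pin the algorithm on the server; never let the token header pick it.
  if (header.alg !== 'RS256') return { ok: false, reason: 'bad alg' };
  const signed = Buffer.from(`${parts[0]}.${parts[1]}`);
  if (!crypto.verify('sha256', signed, key, Buffer.from(parts[2], 'base64url'))) {
    return { ok: false, reason: 'bad signature' };
  }
  // A valid signature only proves who issued the token; these checks
  // prove it was issued for this API and is still within its lifetime.
  if (claims.iss !== issuer) return { ok: false, reason: 'wrong issuer' };
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(audience)) return { ok: false, reason: 'wrong audience' };
  if (typeof claims.exp !== 'number' || claims.exp <= now) return { ok: false, reason: 'expired' };
  return { ok: true, claims };
}

// Constructed sample claims (placeholder issuer and API identifiers).
const sampleClaims = { iss: 'https://issuer.example/', aud: 'https://api.example/', sub: 'user-123', exp: 2000000000 };
const sampleToken = signRs256(sampleClaims, privateKey);
const expected = { issuer: 'https://issuer.example/', audience: 'https://api.example/', now: 1900000000 };
console.log(verifyApiToken(sampleToken, publicKey, expected));
```

In a real deployment the backend would load the issuer's published public key once and cache it, rather than generating a key pair as this self-contained example does.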