Authenticating using API Token vs JWT Token

Hi There,

I’m getting a little confused with authentication flows in Okta.

I have two .NET Core 3.x applications: a front-end OpenID Connect-authenticated application and a second, JWT-authenticated API application.

I would like to be able to use a valid JWT token created when a user logs in OR an API Token created via the Okta API token management. I am leveraging the .Net Core [Authorize] to secure the endpoints.

I have two approaches for JWT validation:

// requires: using Okta.AspNetCore; using Microsoft.AspNetCore.Authentication.JwtBearer;
services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddOktaWebApi(new OktaWebApiOptions()
    {
        OktaDomain = $"https://{Configuration.GetValue<string>("Okta:OktaDomain")}",
        AuthorizationServerId = Configuration.GetValue<string>("Okta:AuthorizationServerId"),
        Audience = Configuration.GetValue<string>("Okta:ClientId"),
    });

or the longer, non-Okta-specific JWT version:

// usings needed by this block
using System;
using System.Threading;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Protocols;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;

// inside Startup.ConfigureServices
services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        // The issuer value was cut off in the post; for an Okta custom authorization server it is
        // https://{OktaDomain}/oauth2/{AuthorizationServerId}, built here from the same settings as above (assumed)
        var issuer = $"https://{Configuration.GetValue<string>("Okta:OktaDomain")}" +
                     $"/oauth2/{Configuration.GetValue<string>("Okta:AuthorizationServerId")}";

        // The metadata address is the first constructor argument; it was also missing from the post (assumed)
        var configurationManager = new ConfigurationManager<OpenIdConnectConfiguration>(
            $"{issuer}/.well-known/openid-configuration",
            new OpenIdConnectConfigurationRetriever(),
            new HttpDocumentRetriever());

        // Block on discovery here: an async lambda (async void) would return before the parameters were assigned
        var discoveryDocument =
            configurationManager.GetConfigurationAsync(CancellationToken.None).GetAwaiter().GetResult();
        var signingKeys = discoveryDocument.SigningKeys;

        // Configure JWT Bearer Auth to expect our security key
        options.TokenValidationParameters = new TokenValidationParameters
        {
            RequireExpirationTime = true,
            RequireSignedTokens = true,
            ValidateIssuer = true,
            ValidIssuer = issuer,
            ValidateIssuerSigningKey = true,
            IssuerSigningKeys = signingKeys,
            ValidateLifetime = true,
            ValidateAudience = true,
            ValidAudience = Configuration.GetValue<string>("Okta:ClientId"),
            ClockSkew = TimeSpan.FromMinutes(2),
        };
    });

Both of these methods will validate a valid JWT token, but I can’t puzzle out how I also treat an API token as valid. Any guidance with this would be appreciated; a lot of historic documentation is .Net Core 2.x-specific and most of it is fairly useless for .Net Core 3.x.
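An added example, not from the original post or from Okta's SDK, of one way to make a single [Authorize] accept both credentials: a policy scheme forwards requests whose Authorization header starts with SSWS to a custom handler that confirms the API token by asking Okta for its owner (GET /api/v1/users/me), and sends everything else to the standard JWT bearer handler. It assumes ASP.NET Core 3.x, the Okta:OktaDomain, Okta:AuthorizationServerId and Okta:ClientId settings used above, and the invented names OktaApiTokenHandler, OktaApiTokenOptions, AddOktaJwtOrApiToken and the two scheme names.

```csharp
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Claims;
using System.Text.Encodings.Web;
using System.Text.Json;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;
public class OktaApiTokenOptions : AuthenticationSchemeOptions { public string OktaDomain { get; set; } }
// Handles "Authorization: SSWS <token>" by asking Okta who owns it, so a revoked token fails closed (assumed design)
public class OktaApiTokenHandler : AuthenticationHandler<OktaApiTokenOptions>
{
    public static bool IsSsws(string authorization) => authorization.StartsWith("SSWS ", StringComparison.Ordinal);
    private readonly IHttpClientFactory _http;
    public OktaApiTokenHandler(IOptionsMonitor<OktaApiTokenOptions> o, ILoggerFactory l, UrlEncoder e,
        ISystemClock c, IHttpClientFactory http) : base(o, l, e, c) { _http = http; }
    protected override async Task<AuthenticateResult> HandleAuthenticateAsync()
    {
        var header = Request.Headers["Authorization"].ToString();
        if (!IsSsws(header)) return AuthenticateResult.NoResult();
        var token = header.Substring(5).Trim();
        if (token.Length == 0) return AuthenticateResult.Fail("empty SSWS token");
        var req = new HttpRequestMessage(HttpMethod.Get, $"https://{Options.OktaDomain}/api/v1/users/me")
            { Headers = { Authorization = new AuthenticationHeaderValue("SSWS", token) } };
        using var resp = await _http.CreateClient().SendAsync(req);
        if (!resp.IsSuccessStatusCode) return AuthenticateResult.Fail("Okta rejected the API token");
        using var doc = JsonDocument.Parse(await resp.Content.ReadAsStringAsync());
        var claims = new[] { new Claim(ClaimTypes.NameIdentifier, doc.RootElement.GetProperty("id").GetString()),
            new Claim(ClaimTypes.Name, doc.RootElement.GetProperty("profile").GetProperty("login").GetString()) };
        var principal = new ClaimsPrincipal(new ClaimsIdentity(claims, Scheme.Name));
        return AuthenticateResult.Success(new AuthenticationTicket(principal, Scheme.Name));
    }
    // Call from Startup.ConfigureServices: the policy scheme picks a handler from the header prefix
    public static void AddOktaJwtOrApiToken(IServiceCollection services, IConfiguration cfg)
    {
        var domain = cfg.GetValue<string>("Okta:OktaDomain");
        services.AddHttpClient();
        services.AddAuthentication("JwtOrApiToken")
            .AddPolicyScheme("JwtOrApiToken", "Bearer JWT or SSWS API token", o => o.ForwardDefaultSelector = ctx =>
                IsSsws(ctx.Request.Headers["Authorization"].ToString()) ? "OktaApiToken" : JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(o => { o.Authority = $"https://{domain}/oauth2/{cfg.GetValue<string>("Okta:AuthorizationServerId")}";
                                 o.Audience = cfg.GetValue<string>("Okta:ClientId"); })
            .AddScheme<OktaApiTokenOptions, OktaApiTokenHandler>("OktaApiToken", o => o.OktaDomain = domain);
    }
}
```

A validated SSWS token identifies the Okta user who created it (usually an administrator) rather than an end user of the front end, and such tokens are long-lived, so the claims this handler produces still need an authorization policy of their own. Every request is checked against Okta, so revocation takes effect immediately; caching the lookup would trade that away for latency.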