I have some .NET Core APIs that will be accessed by a web client and will also be invoked using a browser or Postman.
To access the API from the client, we send a Bearer token in the HTTP header, and using AddJwtBearer we can validate the token and authorize the user.
But how can we secure the API if someone tries to invoke it from outside the app? In that case I want to use the OpenIdConnect default scheme. How can I use both: the Bearer token when a token is provided, and an authentication scheme when no Bearer token is provided?
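
One way to get the behaviour asked about above is a policy scheme whose `ForwardDefaultSelector` picks the handler per request. This is an added example, not code from the original post. It assumes .NET 6+ minimal hosting with the `Microsoft.AspNetCore.Authentication.JwtBearer` and `Microsoft.AspNetCore.Authentication.OpenIdConnect` packages; the scheme name `BearerOrOidc`, the authority, audience, client id, `Oidc:ClientSecret` key and `/api/ping` route are placeholders.

```csharp
// Added example: all names, URLs and config keys below are placeholders.
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;

var builder = WebApplication.CreateBuilder(args);
const string Selector = "BearerOrOidc"; // hypothetical scheme name
builder.Services
    .AddAuthentication(options =>
    {
        options.DefaultScheme = Selector;
        options.DefaultChallengeScheme = Selector;
    })
    .AddPolicyScheme(Selector, "Bearer or OpenID Connect", options =>
    {
        options.ForwardDefaultSelector = context =>
        {
            string? authorization = context.Request.Headers["Authorization"];
            // Token present: validate it as a JWT; failures are answered with 401.
            if (authorization?.StartsWith("Bearer ", StringComparison.OrdinalIgnoreCase) == true)
                return JwtBearerDefaults.AuthenticationScheme;
            // No token: use the session cookie set by the interactive sign-in.
            return CookieAuthenticationDefaults.AuthenticationScheme;
        };
    })
    .AddJwtBearer(options =>
    {
        options.Authority = "https://idp.example.com"; // placeholder issuer
        options.Audience = "my-api";                   // placeholder audience
    })
    .AddCookie(options =>
    {
        // A request without a valid cookie is challenged with the OIDC redirect.
        options.ForwardChallenge = OpenIdConnectDefaults.AuthenticationScheme;
    })
    .AddOpenIdConnect(options =>
    {
        options.Authority = "https://idp.example.com"; // placeholder issuer
        options.ClientId = "my-client-id";             // placeholder client
        options.ClientSecret = builder.Configuration["Oidc:ClientSecret"];
        options.ResponseType = "code";
        options.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    });
builder.Services.AddAuthorization();
var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapGet("/api/ping", () => "pong").RequireAuthorization();
app.Run();
```

With this setup, endpoints that accept the cookie need anti-forgery protection on state-changing requests, which calls authenticated only by a Bearer header do not.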