Best way of propagating token to backend API?

Hi, looking for some advice on how I can implement the following pattern.

I have a user-facing web app built using ASP.NET Core MVC. This app is responsible for performing authentication using the authorization code flow (which presumably returns a cookie to the browser?). I have another RESTful API service that I will often need to fetch data from when users interact with the frontend app; this will also require authentication/authorization.

Am I correct in assuming I can simply take the id/access token that was issued as part of the initial authentication and propagate that to other backend API services? If so, what’s the best way of accessing the user’s tokens after they have authenticated? Do I need to extract it from the cookie, or is there an easier way? It seems like an extremely common use case, but I haven’t been able to find much information online.

Also, should I propagate both the id_token AND the access_token, or is just the access_token sufficient?

Any help would be most welcome!

Only the access_token has to be sent to your API service. Your backend should send you the token after authentication is done and the access_token is received from Okta. I’m not sure how it’s implemented in your application, so I can’t say anything about “extracting”. You can have it as a separate cookie, so there is nothing to extract then. If your API is in the same domain, you may not even need to send it explicitly.
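
One way to wire up the pattern asked about above in ASP.NET Core, as an added example that is not code from either poster: the OpenID Connect handler saves the tokens into the protected authentication cookie, and a delegating handler attaches only the access_token to calls made to the backend API. It assumes the Microsoft.AspNetCore.Authentication.OpenIdConnect package; the `Oidc:*` configuration keys, the `backend-api` client name, the `AccessTokenHandler` class and the API URL are hypothetical placeholders.

```csharp
using System.Net.Http.Headers;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddControllersWithViews();
builder.Services.AddHttpContextAccessor();
builder.Services.AddAuthentication(o =>
    {
        o.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        o.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
    })
    .AddCookie()
    .AddOpenIdConnect(o =>
    {
        o.Authority = builder.Configuration["Oidc:Authority"];       // hypothetical key
        o.ClientId = builder.Configuration["Oidc:ClientId"];         // hypothetical key
        o.ClientSecret = builder.Configuration["Oidc:ClientSecret"]; // hypothetical key
        o.ResponseType = "code"; // authorization code flow
        o.SaveTokens = true;     // store tokens in the protected auth cookie
    });

// Every request made through the "backend-api" client passes through the handler.
builder.Services.AddTransient<AccessTokenHandler>();
builder.Services.AddHttpClient("backend-api", c => c.BaseAddress = new Uri("https://api.example.test/"))
    .AddHttpMessageHandler<AccessTokenHandler>();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapDefaultControllerRoute();
app.Run();

// Forwards the signed-in user's access_token as a Bearer header; the id_token stays in the web app.
public sealed class AccessTokenHandler : DelegatingHandler
{
    private readonly IHttpContextAccessor _accessor;
    public AccessTokenHandler(IHttpContextAccessor accessor) => _accessor = accessor;

    protected override async Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken ct)
    {
        var ctx = _accessor.HttpContext ?? throw new InvalidOperationException("No active HTTP request.");
        var token = await ctx.GetTokenAsync("access_token"); // read from the saved sign-in properties
        if (string.IsNullOrEmpty(token))
            throw new InvalidOperationException("No access_token saved for this session.");
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);
        return await base.SendAsync(request, ct);
    }
}
```

A controller obtains the client with `IHttpClientFactory.CreateClient("backend-api")`; the backend API still has to validate the token's signature, issuer, audience and expiry on every request.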