How to have API authorize both Access Tokens and Client Credentials?

I have an internal API used by a UI. I have set up Okta SSO and the users are able to sign in. When they interact with the UI they query the API using their Access Token and they are able to retrieve data. I have a service that uses some of the same endpoints that is now not authenticated with the API. I set up a Client Credentials workflow so it is able to get a bearer token, but the API won't authorize it. I have set up the Okta Middleware like this:

builder.Services.AddAuthentication(options =>
{
    // Use the Okta API (bearer token) scheme for authenticate, challenge and sign-in.
    options.DefaultAuthenticateScheme = OktaDefaults.ApiAuthenticationScheme;
    options.DefaultChallengeScheme = OktaDefaults.ApiAuthenticationScheme;
    options.DefaultSignInScheme = OktaDefaults.ApiAuthenticationScheme;
})
.AddOktaWebApi(new OktaWebApiOptions()
{
    OktaDomain = {{ my domain }},
    AuthorizationServerId = {{ my server }},
    // Single audience: compared against the aud claim of every incoming token.
    Audience = {{ audience }}
});

The client credentials have the same domain and auth server but a different audience. When I switch the audience to the new one, the client credentials work and the API authorizes the query, but then the UI no longer works. Is it possible to somehow add both audiences? Or multiple OktaWebApi options?
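An added example (not the poster's code, and not part of the Okta SDK) showing how a single ASP.NET Core API can accept tokens that carry either of two audiences: it uses the generic Microsoft JwtBearer handler, whose TokenValidationParameters.ValidAudiences takes a list, in place of the Okta wrapper's single Audience. The domain, authorization server id and audience strings are placeholders, and the issuer URL assumes the standard Okta custom authorization server layout.

```csharp
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);

// Placeholder values (assumed): substitute the real Okta domain, the custom
// authorization server id, and the two audiences this API should trust.
const string oktaDomain = "https://{{ my domain }}";
const string authServerId = "{{ my server }}";
string[] validAudiences = { "{{ ui audience }}", "{{ service audience }}" };

builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        // Both the UI's user access token and the service's client-credentials
        // token are issued by this authorization server, so one issuer suffices.
        options.Authority = $"{oktaDomain}/oauth2/{authServerId}";
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidateAudience = true,
            // A token is accepted if its aud claim matches ANY listed audience.
            ValidAudiences = validAudiences,
            ValidateLifetime = true,
            ClockSkew = TimeSpan.FromMinutes(1)
        };
    });

builder.Services.AddAuthorization(options =>
{
    // Policy applied by a bare [Authorize] / RequireAuthorization(): any
    // authenticated principal, user or machine client, passes. A 403 on such
    // an endpoint therefore points at an extra policy, role or scope
    // requirement rejecting the caller, not at audience validation (a bad
    // audience fails authentication and yields 401 instead).
    options.DefaultPolicy = new AuthorizationPolicyBuilder()
        .RequireAuthenticatedUser()
        .Build();
});

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Endpoint shared by the UI and the background service.
app.MapGet("/data", () => Results.Ok(new { status = "authorized" }))
   .RequireAuthorization();

app.Run();
```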

Are you sure they are both using the same authorization server? The Audience you pass in your config will be matched against the aud claim in the Access Token, which will be the same no matter which application was issued the token, as long as the same authorization server is used.

Okay I just checked and the Access Token and Client Credentials have the same aud and iss. But the Client Credentials is receiving a 403 response and the endpoint has default authorization.

What type of app did you make in Okta and how are you currently authorizing your request?