We are trying to set up a scheduled job based on NodeJS which will call an API via an API gateway. The API calls another API. There is no user or browser involved. The call must be authenticated and have a valid OAuth token from our IdP. How should it look like to have a more secure approach?
How the flow should look like? Which one the API Gateway or the second API should validate the token? or both? Thanks
A key point is that JWT access token validation is designed to scale. In older architectures it was common to use perimeter security (eg API gateway validates token) but this is no longer recommended.
Instead validate the JWT in each API using a library. Here is some example code and for other technologies see Curity API Guides.
Here are a couple of related articles if you are interested in API security trends:
Finally, this article discusses that JWTs can often be forwarded between microservices, to keep your code simple.