Hi @mc ,
You need firstly send the request to the account controller to auth. Then if the login success, it will return an access token to the client.
Then the client will use this access token to access the api resources.
The identity has its own logic to check the access token.
If the answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Best regards,
Yijing Sun