Scenario: A web API that calls web APIs

Learn what you need to know to build a web API that calls web APIs.


This scenario, in which a protected web API calls other web APIs, builds on Scenario: Protected web API.


  • A web, desktop, mobile, or single-page application client (not represented in the accompanying diagram) calls a protected web API and provides a JSON Web Token (JWT) bearer token in its "Authorization" HTTP header.
  • The protected web API validates the token and uses the Microsoft Authentication Library (MSAL) AcquireTokenOnBehalfOf method to request another token from Azure Active Directory (Azure AD) so that the protected web API can call a second web API, or downstream web API, on behalf of the user. AcquireTokenOnBehalfOf refreshes the token when needed.

Diagram of a web app calling a web API.


The app registration part that's related to API permissions is classical. The app configuration involves using the OAuth 2.0 On-Behalf-Of flow to use the JWT bearer token for obtaining a second token for a downstream API. The second token is added to the token cache, where it's available in the web API's controllers. This second token can be used to acquire an access token silently to call downstream APIs whenever required.

Next steps

Move on to the next article in this scenario, App registration.