samples-nodejs-express-4
use cURL for protected endpoint
Regarding your "sample-web-server.js" for okta-hosted login, if I want to send a cURL request to your protected endpoint (the /profile endpoint), do I need an access token and then include it as Authentication Bearer token inside the cURL request? Or what kind of token do I need?
The main server is written with the assumption that you are serving browser clients - it relies on the browser to obtain the token and save it to the browser, which can then use the token both in handling requests for web pages as well as passing along to backend servers.
It sounds like you are interested in the backend server portion ("resource server" in OIDC terminology) - for an example of that, see https://github.com/okta/samples-nodejs-express-4/blob/master/resource-server/server.js
In this case, the token is sent as a header (authorization) with the value Bearer TOKEN_VALUE_HERE
The resource server can then verify that token (which is a JWT) to decide if the call is authorized.
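
The header format and JWT check described in the answer above, as an added example (not code from the Okta sample or from the commenter). It uses Node's built-in crypto with a locally generated RSA key pair in place of the authorization server's published signing keys; the issuer, audience and function names are assumptions.

```javascript
// Added example: key pair, issuer, audience and function names are constructed.
const nodeCrypto = require('crypto');

// Constructed key pair standing in for the authorization server's signing key.
const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const ISSUER = 'https://issuer.example/oauth2/default'; // placeholder issuer
const AUDIENCE = 'api://default';                        // placeholder audience
const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');

// Mint a signed RS256 token (normally done by the authorization server).
function mintToken(claims, key = privateKey) {
  const signingInput = `${b64url({ alg: 'RS256', typ: 'JWT' })}.${b64url(claims)}`;
  const sig = nodeCrypto.sign('RSA-SHA256', Buffer.from(signingInput), key);
  return `${signingInput}.${sig.toString('base64url')}`;
}

// Resource-server side: returns the claims, or throws with the rejection reason.
// `headers` is shaped like Node's req.headers (header names lower-cased).
function authorize(headers, now = Math.floor(Date.now() / 1000)) {
  const match = /^Bearer ([\w-]+)\.([\w-]+)\.([\w-]+)$/.exec(headers.authorization || '');
  if (!match) throw new Error('missing or malformed bearer token');
  const [, h, p, s] = match;
  let header, claims;
  try {
    header = JSON.parse(Buffer.from(h, 'base64url').toString());
    claims = JSON.parse(Buffer.from(p, 'base64url').toString());
  } catch {
    throw new Error('undecodable token');
  }
  if (!header || !claims) throw new Error('undecodable token');
  // Pin the algorithm; the token's own "alg" must not choose the verifier.
  if (header.alg !== 'RS256') throw new Error('unexpected alg');
  const signed = Buffer.from(`${h}.${p}`);
  if (!nodeCrypto.verify('RSA-SHA256', signed, publicKey, Buffer.from(s, 'base64url'))) {
    throw new Error('bad signature');
  }
  // A valid signature is not enough: check who issued it, for whom, and until when.
  if (claims.iss !== ISSUER) throw new Error('wrong issuer');
  if (claims.aud !== AUDIENCE) throw new Error('wrong audience');
  if (typeof claims.exp !== 'number' || claims.exp <= now) throw new Error('expired');
  return claims;
}
```

A cURL client supplies the same header with `-H "Authorization: Bearer $TOKEN"`; Node lower-cases header names, so the server reads it as `headers.authorization`.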