
id_token is used when invoking API, README says access_token is

Open smcl opened this issue 6 years ago • 0 comments

In the README.md we've got the following:

The access_token obtained during login is saved to localStorage and will be used later to invoke the API. It is also used to fetch the user's profile.

In reality though we use the id_token (see line 52 of the SPA/views/index.jade).

I think that this is because we call auth0.WebAuth({ ... }) with audience: 'https://' + '#{auth0Domain}' + '/userinfo' - so we get back an opaque string instead of a JWT token as our access_token. The API cannot really get any useful information from this without performing some other calls, so to simplify things perhaps the id_token was used instead.

To make this clearer could we maybe either:

  • change the README.md to say that we're using the id_token to simplify the example, and that using the id_token for this purpose is not really best practice
  • include a couple of pre-requisites stating that you'd need to have an API app set up in each tenant, modify the code so that it reads the expected audience for each of these APIs from the tenant store, and add placeholder entries into the tenants-sample.js with values like "TENANT1_API_AUDIENCE" and "TENANT2_API_AUDIENCE"

I am not 100% sure if my second suggestion makes sense (please let me know if I'm mistaken!) but we should at least correct the README, since it does say we're using the access_token when we are instead using the id_token.

smcl avatar Feb 08 '19 14:02 smcl