What is the difference between getOrganizationToken and getAccessToken(orgId)

[Klucherev]

Hello everyone! I'm confused to choose the right way for getting token to protect my app/api. I have Nextjs multitennant application and API by Nestjs. In client side i have to obtain access token for every api call and verify it on server side. In case of using getOrganizationToken i have to verify audience (urn:logto:organization:orgId), but need to send custom http headers with tenant id. And if i use getAccessToken(orgId) i have organization_id in jwt with audience 'api resource'.

[wangsijie]

getOrganizationToken is a wrapper around getAccessToken, you can review the source code: https://github.com/logto-io/js/blob/master/packages/next/server-actions/index.ts#L143.

[Klucherev]

I mean if i use getOrganizationToken('orgId') there is aud: urn:logto:organization:orgId, but if i use getAccessToken there is organization_id in token claims. It's very tricky to understand what should i use in case using Logto in multi tenant app, where every user has different roles in different organizations

[wangsijie]

That is called "organization tokens for API resource": https://docs.logto.io/authorization/organization-level-api-resources#obtain-organization-tokens-for-api-resources