Scenario: Web API that calls web APIs

Learn all you need to build a web API that calls web APIs.


This scenario, a protected web API that calls web APIs, builds on top of the "Protect a web API" scenario. To learn more about this foundational scenario, first see "Protected Web API - Scenario".


  • A client (web, desktop, mobile, or single-page application) - not represented on the diagram below - calls a protected web API and provides a JWT bearer token in its "Authorization" HTTP header.
  • The protected web API validates the token and uses the MSAL AcquireTokenOnBehalfOf method to request (from Azure AD) another token so that it can, itself, call a second web API (named the downstream web API) on behalf of the user.
  • The protected web API uses this token to call a downstream API. It can also call AcquireTokenSilent later to request tokens for other downstream APIs (but still on behalf of the same user). AcquireTokenSilent refreshes the token when needed.

Web API calling a web API


The part of app registration related to API permissions is standard. The application configuration involves using the OAuth 2.0 on-behalf-of flow to exchange the JWT bearer token for a token for a downstream API. This token is added to the token cache, where it's available to the web API's controllers, which can then acquire a token silently to call downstream APIs.
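
The on-behalf-of exchange and the cache lookup described above, shown at the wire level as an added example (not MSAL's code and not part of the original page). The `OboTokenCache` class, the injected `exchange` callable and every sample value are assumptions made for illustration; the form fields are those of the Microsoft identity platform v2.0 token endpoint.

```python
import hashlib
import time
from urllib.parse import urlencode

# Microsoft identity platform v2.0 token endpoint; the tenant value is a placeholder.
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"

def build_obo_request(tenant, client_id, client_secret, incoming_jwt, scopes):
    """Return (url, form body) for the on-behalf-of exchange of incoming_jwt."""
    form = {
        "grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
        "client_id": client_id,
        "client_secret": client_secret,   # load from a secret store, never from source
        "assertion": incoming_jwt,        # the already-validated token the client sent
        "scope": " ".join(scopes),        # scopes of the downstream API
        "requested_token_use": "on_behalf_of",
    }
    return TOKEN_URL.format(tenant=tenant), urlencode(form)

class OboTokenCache:
    """Hypothetical cache: entries are bound to the hash of the incoming token,
    so a token obtained for one user is never returned for another caller."""
    def __init__(self, skew_seconds=300):
        self._entries, self._skew = {}, skew_seconds

    @staticmethod
    def _key(incoming_jwt, scopes):
        material = incoming_jwt + "|" + " ".join(sorted(scopes))
        return hashlib.sha256(material.encode()).hexdigest()

    def get(self, incoming_jwt, scopes, now):
        entry = self._entries.get(self._key(incoming_jwt, scopes))
        # Treat tokens inside the skew window as expired to avoid mid-call expiry.
        return entry[0] if entry and entry[1] - self._skew > now else None

    def put(self, incoming_jwt, scopes, response, now):
        expires_at = now + int(response["expires_in"])
        self._entries[self._key(incoming_jwt, scopes)] = (response["access_token"], expires_at)

def get_downstream_token(cache, incoming_jwt, scopes, exchange, now=None):
    """Serve from the cache when possible; otherwise run the exchange callable
    (which POSTs build_obo_request's output) and store the result."""
    now = time.time() if now is None else now
    token = cache.get(incoming_jwt, scopes, now)
    if token is None:
        response = exchange(incoming_jwt, scopes)
        cache.put(incoming_jwt, scopes, response, now)
        token = response["access_token"]
    return token
```

Keying the cache on the incoming token keeps downstream tokens partitioned per user, which matters because one web API process serves many callers at once.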
