Scenario: A web API that calls web APIs

Learn what you need to know to build a web API that calls web APIs.


This scenario, in which a protected web API calls other web APIs, builds on Scenario: Protected web API.


  • A web, desktop, mobile, or single-page application client (not represented in the accompanying diagram) calls a protected web API and provides a JSON Web Token (JWT) bearer token in its "Authorization" HTTP header.
  • The protected web API validates the token and uses the Microsoft Authentication Library (MSAL) AcquireTokenOnBehalfOf method to request another token from Azure Active Directory (Azure AD) so that the protected web API can call a second web API, or downstream web API, on behalf of the user. AcquireTokenOnBehalfOf refreshes the token when needed. Diagram of a web API calling a web API


The app registration part that's related to API permissions is classical. The app configuration involves using the OAuth 2.0 On-Behalf-Of flow to exchange the JWT bearer token against a token for a downstream API. This token is added to the token cache, where it's available in the web API's controllers, and it can then acquire a token silently to call downstream APIs.

Next steps

Move on to the next article in this scenario, App registration.