When I log in through my front-end layer, a request is sent to my authentication server which, in turn, returns a Bearer Token that can be saved in a cookie, for example. No doubt about it!
My problem is that my front layer requests N other APIs and I need to be authenticated in all of them since I can not release the routes to receive requests without being authenticated.
How do I plan authentication?
You should use the same Machine Key in all APIs
In the API Web.config where you generate the token there is a line saying this:
<system.web>
<machineKey
validationKey="80F23AB9386C5D204479.............." decryptionKey="5E26E9609FF8636A584A2C34671E..........."
validation="SHA1" decryption="AES" />
</system.web>
You use this same "MachineKey" key in the other API's that they will share the same token.