I am designing an architecture for my application. I plan on having 2 servers: auth and main. The auth server is responsible for signing and issuing access tokens.
auth and main are on different servers and communicate via HTTP requests. With this setup, I have no way to verify the access_token on the main server, since only auth has the secret key. I'd have to send the user's JWT to auth for verification on every request.
This means I no longer have simple client->main and instead have client->main->auth. This seems like a bad idea because it essentially doubles the number of total requests made.
Is there a better way to do this?
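An added example, not part of the question above, illustrating how the extra client->main->auth hop disappears when the token is signed with an asymmetric key instead of a shared secret. The question does not say which algorithm the auth server uses, so Ed25519 (JWT `alg` `EdDSA`) is an assumption here; the claim layout, the server names, and the idea that main fetches auth's public key once at startup (for example from a JWKS endpoint) are also assumptions. Only the auth side ever holds the private key; main verifies signature, issuer and expiry locally using the public key alone.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the payload the auth server places in each access token (assumed layout).
type Claims struct {
	Sub string `json:"sub"` // subject: the user id
	Iss string `json:"iss"` // issuer: must be our auth server
	Exp int64  `json:"exp"` // expiry as a Unix timestamp
}

// AuthServer holds the private key; it is the only party able to mint tokens.
type AuthServer struct{ priv ed25519.PrivateKey }

// MainServer holds only the public key, obtained once out of band (assumed).
type MainServer struct{ pub ed25519.PublicKey }

// NewAuthServer generates a fresh Ed25519 key pair for the auth server.
func NewAuthServer() (*AuthServer, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &AuthServer{priv: priv}, nil
}

// PublicKey is what main needs; it reveals nothing that allows forging tokens.
func (a *AuthServer) PublicKey() ed25519.PublicKey {
	return a.priv.Public().(ed25519.PublicKey)
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// Issue builds a compact JWS: base64url(header).base64url(payload).base64url(signature).
func (a *AuthServer) Issue(sub string, ttl time.Duration, now time.Time) (string, error) {
	header := b64([]byte(`{"alg":"EdDSA","typ":"JWT"}`))
	payload, err := json.Marshal(Claims{Sub: sub, Iss: "auth", Exp: now.Add(ttl).Unix()})
	if err != nil {
		return "", err
	}
	signingInput := header + "." + b64(payload)
	sig := ed25519.Sign(a.priv, []byte(signingInput))
	return signingInput + "." + b64(sig), nil
}

// Verify checks the token entirely on main; no request to auth is made.
func (m *MainServer) Verify(token string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	// Pin the algorithm: anything other than EdDSA (including "none") is rejected,
	// so the header cannot steer verification towards a weaker scheme.
	hdrJSON, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(hdrJSON, &hdr); err != nil || hdr.Alg != "EdDSA" {
		return nil, errors.New("unexpected or unreadable alg")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	if !ed25519.Verify(m.pub, []byte(parts[0]+"."+parts[1]), sig) {
		return nil, errors.New("bad signature")
	}
	payloadJSON, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var c Claims
	if err := json.Unmarshal(payloadJSON, &c); err != nil {
		return nil, err
	}
	if c.Iss != "auth" {
		return nil, errors.New("wrong issuer")
	}
	if now.Unix() >= c.Exp {
		return nil, errors.New("token expired")
	}
	return &c, nil
}

func main() {
	auth, err := NewAuthServer()
	if err != nil {
		panic(err)
	}
	api := &MainServer{pub: auth.PublicKey()} // key handed over once, not per request
	now := time.Now()
	tok, _ := auth.Issue("user-42", time.Hour, now)
	claims, err := api.Verify(tok, now.Add(time.Minute))
	fmt.Println(claims, err)
}
```

Because verification is a pure signature check, main can validate tokens at the same cost as a shared-secret HMAC check while never holding anything that could mint a token; the only state that still needs coordination is key rotation, which is handled by republishing the public key rather than by per-request calls.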