Call Your API
It is possible to use AAC to protect the access to your API. More specifically, it is possible to use AAC to generate the necessary access tokens for your app and use the tokens to call the APIs. Server side, the tokens may be validated in order to control whether the calling party has access to the API.
In this scenario, it is possible to distinguish the access to the API / resources that deal with the user-specific information on behalf of that user from the access that is performed on behalf of the app (Machine-to-Machine scenario). OAuth2.0 protocol allows for the tokens that refer to both the authenticated user and the client app (the tokens obtained, e.g., with Authorization Code Flow, Implicit Flow, Password Flow) from the tokens that refer to the client app only (Client Credentials Flow).