Hi @ursboller, first of all it would be good to identify whether your app is an SPA or headless, as described in the Security Overview. I assume you have the `require-adobe-auth` flag set to true for your actions.
If it is an SPA, the user token must be passed from the Adobe Experience Cloud (ExC) Shell, specific to the user session you are logged in to.
If it is a headless app, you need to pass a service token which is obtained with the JWT auth flow.
You could also use a user token in a headless app to call the backend services, as long as it has valid authorization and scopes. However, you cannot use a service token to call backend services of an SPA, because the session has to be tied to a specific user.
Please let me know if something needs further clarification.