F. I guess this is the case since the api app is located inside a different project and organization.Yes that sounds valid, you can send a scope though to include other clients in the token.
However, usually I recommend to have all you components (web/api) in the same project.
Granting access to a tenant could me made work with project_grants (like delegating a role to two orgs, so that they can access the same data)
FOr you can set orgMetadata so that you app can check these to see that they belong to the same tenant on your end
FWhen you use opaque tokens we provide the info to what org a user belong and what org the users has access right on the introspect endpoint.
Meaning you can all Zitadel to give you that answer.
Meaning you can all Zitadel to give you that answer.