code exchange with Auth0 and retrieve the user's id_token and access_token which will be stored in memory.

When using account linking it is important to be aware that some limitations exist. First, only two accounts can participate in a link. If an attempt is made to link to an account which is already linked, the new link will replace the original link. It is also not possible to link two accounts associated with the same authentication provider. While a Facebook account may be linked with a Google account, for example, it is not possible to link two Google provider based accounts. An attempt to link accounts from the same provider will result in an exception containing a message which reads as follows: User has already been linked to the given provider. Account linking can only be performed at the point at which a new account is created. It is not possible, in other words, to link two pre-existing accounts. A workaround to this limitation is to delete one of the two accounts and then establish the link while re-creating the account

recommend using Firebase when the API calls involve any user data and the API is intended to be used in flows where the user has an user interface

Cloud Endpoints handles both API keys and authentication schemes, such as Firebase or Auth0

Access control for GCP APIs encompasses authentication, authorization, and auditing. Authentication determines who you are, authorization determines what you can do, and auditing logs record what you did

API keys are for projects, authentication is for users