Hello

Need some advice on how to handle this situation.

I'm building three websites and one web API (C#).

The websites:
- Institutional website, just showing static content, and it will have a contact us form
- OnlineStore website, will need authentication for some operations (user management, checkout, etc.), and for calling the methods from the API I don't know if I should force it for all requests or just for some of them...
- BackOffice website, manages everything and needs authentication all the time, on the website and for calling the API.

So for that I'll have two types of authentication: cookies (for users that access the store and the back office), and JWT for calling most of the methods of the API.

My question is related to how to, let's say, combine the two authentications and manage the whole thing...

I'm thinking of this approach, with 3 "users" in the database for the API:

- In the BackOffice, the user must be logged in all the time, so when it authenticates, behind the scenes it logs in to the API, let's say as BackOfficeUser, retrieves the JWT token and stores it in local storage (I know that it's dangerous...), so I'll have the cookie for accessing the website pages and the JWT in localStorage to use when I need to call some method from the API.

- In the Online Store, in this case I'll have "StoreUser", the default user, which is used when the user is not authenticated. Then if the user is authenticated, I'll get another JWT token, "AuthStoreUser", in the same way as the back office, and start to use the new one.

Does this make sense?
Or am I complicating this too much?

My doubts are all "design" related...

Thanks
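As an added example (not the poster's code), here is how the two schemes described above can live in one ASP.NET Core host: a policy scheme forwards requests under `/api` to JWT bearer and everything else to the cookie handler, and the endpoint split mirrors the post (anonymous store browsing, authenticated checkout, always-authenticated back office). It assumes .NET minimal hosting, the `Microsoft.AspNetCore.Authentication.JwtBearer` package, and placeholder `Jwt:*` configuration keys, `/account/login` path and `BackOffice` role.

```csharp
using System.Text;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);

// A policy scheme picks the real scheme per request: cookies for pages, JWT for /api/*.
builder.Services.AddAuthentication(options =>
{
    options.DefaultScheme = "CookieOrBearer";
    options.DefaultChallengeScheme = "CookieOrBearer";
})
.AddPolicyScheme("CookieOrBearer", "Cookie or Bearer", options =>
{
    options.ForwardDefaultSelector = ctx => ctx.Request.Path.StartsWithSegments("/api")
        ? JwtBearerDefaults.AuthenticationScheme : CookieAuthenticationDefaults.AuthenticationScheme;
})
.AddCookie(options =>
{
    options.LoginPath = "/account/login";                      // assumed login page path
    options.Cookie.HttpOnly = true;                            // not readable from script
    options.Cookie.SecurePolicy = CookieSecurePolicy.Always;   // HTTPS only
})
.AddJwtBearer(options =>
{
    // Jwt:* are placeholder configuration keys; load the signing key from a secret store.
    options.TokenValidationParameters = new TokenValidationParameters
    {
        ValidateIssuer = true,
        ValidIssuer = builder.Configuration["Jwt:Issuer"],
        ValidateAudience = true,
        ValidAudience = builder.Configuration["Jwt:Audience"],
        ValidateLifetime = true,
        IssuerSigningKey = new SymmetricSecurityKey(
            Encoding.UTF8.GetBytes(builder.Configuration["Jwt:SigningKey"]!)),
    };
});
// Back-office calls must carry an authenticated identity in the (assumed) BackOffice role.
builder.Services.AddAuthorization(o => o.AddPolicy("BackOffice", p => p.RequireRole("BackOffice")));

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Store catalogue is anonymous, checkout needs a logged-in user, back office always needs auth.
app.MapGet("/api/store/products", () => Results.Ok(new[] { "item-1" }));
app.MapPost("/api/store/checkout", () => Results.Ok()).RequireAuthorization();
app.MapGet("/api/backoffice/orders", () => Results.Ok()).RequireAuthorization("BackOffice");
app.Run();
```

With this layout an anonymous "StoreUser" token is not needed for public store calls: those endpoints simply carry no authorization requirement, and only the authenticated operations check a caller identity.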