I am using FusionAuth hosted by myself. I registered some users, and now want to log in to my app with those users. First I tried the "api/login" endpoint; this one just returned a token, but no refresh or access token. Then I tried the /oauth/token endpoint, to which I had to send the client-id, client-secret and the scope for it to return access_token, refresh_token and id_token. I would like to know the difference between these endpoints. Also, which is the endpoint to validate the token, is it "/api/jwt/validate"? Or what is the validation flow on every request to know if the token is valid?
The Login API and the Password Grant using the /oauth2/token endpoint are very similar. If you want to follow an OAuth2 spec, then use the OAuth Password grant.

The Login API requires an applicationId to receive a Refresh Token in the response body, then the OAuth2 Password grant requires the offline_access scope to be provided on the request to receive a Refresh Token in the response body.

Both of these scenarios assume you have enabled Refresh Tokens in the Application OAuth configuration and Login API security settings respectively.
The JWT can be verified using several mechanisms; which one you choose may depend upon your use case.

The Validate JWT API, Introspect and UserInfo endpoints will all verify the token integrity.