Reputation: 2863
We're looking at implementing Elsa 3.0 into our ASP.NET Core web server that currently uses WASM as the client. It's all currently set up with its own identity combined with OpenID etc. I'm just wondering what the architecture should be for working Elsa into the server. All requests currently coming into the server are running through our own auth middleware, which will mean that if we're using Elsa to expose HTTP endpoints, they would also need to run through that middleware; otherwise that seems like a fair security hole. Either way, I've got the Elsa server being set up using the following:
    builder.Services.AddElsa(elsa =>
    {
        // Configure Management layer to use EF Core.
        elsa.UseWorkflowManagement(management => management.UseEntityFrameworkCore());
        // Configure Runtime layer to use EF Core.
        elsa.UseWorkflowRuntime(runtime => runtime.UseEntityFrameworkCore());
        // Expose Elsa API endpoints.
        elsa.UseWorkflowsApi();
        // Setup a SignalR hub for real-time updates from the server.
        elsa.UseRealTimeWorkflows();
        // Enable JavaScript workflow expressions
        elsa.UseJavaScript(options => options.AllowClrAccess = true);
        // Use email activities.
        elsa.UseEmail(email =>
        {
            email.ConfigureOptions = options =>
            {
                options.Host = "localhost";
                options.Port = 2525;
            };
        });
        // Register custom webhook definitions from the application, if any.
        elsa.UseWebhooks(webhooks => webhooks.WebhookOptions = options => builder.Configuration.GetSection("Webhooks").Bind(options));
    });
    .....
    app.UseWorkflowsApi(); // Use Elsa API endpoints.
    app.UseWorkflows(); // Use Elsa middleware to handle HTTP requests mapped to HTTP Endpoint activities.
    app.UseWorkflowsSignalRHubs();
This is working fine in our prototype outside of our server that I based off Elsa's online examples. But whenever I try and hit something like: https://localhost:7136/elsa/api/workflow-instances
I get the following error:
    [13:57:15 INF] Request starting HTTP/2 GET https://localhost:7136/elsa/api/workflow-instances - null null
    [13:57:15 WRN] Connected tenant: Dev-Tenant (-1)
    [13:57:15 WRN] Connected tenant: Dev-Tenant (-1)
    [13:57:15 INF] Authorization failed. These requirements were not met:
        Handler assertion should evaluate to true.
    [13:57:15 INF] AuthenticationScheme: Bearer was forbidden.
    [13:57:15 INF] Request finished HTTP/2 GET https://localhost:7136/elsa/api/workflow-instances - 403 0 null 41.6199ms
I have checked and all the appropriate headers are being sent across with the call, which would pass fine on all our other API calls.
Do we need to have Elsa on its own authentication system inside the server, i.e. using an API key for instance? What are the best practices for that? How would I change Elsa to run off an API key and everything else to stay on the current authentication that it is on already?
Upvotes: 0
Views: 203