External app calls IG.
IG retrieves an access_token from the API provider using the client credentials grant type.
IG then adds the access_token to its context.
IG the acts as a reverse proxy and sends the request to the actual API provider, adding the access_token in the header.
The api provider responds to IG which then passes the response back to the original caller.