SPA API architecture scenarios clarification

Question originally asked here What is the #1 concept you wish you understood better in auth? - #18 by huyennbl by @huyennbl

What’s the point of creating a SPA app in this page? https://auth0.com/docs/architecture-scenarios/spa-api/part-2#define-permissions
Because I see that another M2M app will be created automatically after creating an API, I have no idea why we have to create this. And then, of course, I wonder how these 2 apps would connect to each other?
In the next step, API and SPA Configuration (SPAs + API), the docs tell me to input a clientId, but currently I have a SPA and an M2M app. Which clientId should I input there?

An additional question to this: why doesn’t the Authorization Extension recognize the M2M app?

@kim.maida hello, is there any update about this :smiley:

Hi @huyennbl,

According to the Authorization Extension docs, permissions are not attached directly to APIs in the Authorization extension. The Authorization Core (the roles and permissions functions directly in the dashboard) will allow you to set up permissions for users that are directly related to your registered APIs.

I would be happy to help further if you have any questions.

Thanks,
Dan

Thanks Dan, but my main questions for this topic are:

What’s the point of creating a SPA app in this page? https://auth0.com/docs/architecture-scenarios/spa-api/part-2#define-permissions
Because I see that another M2M app will be created automatically after creating an API, I have no idea why we have to create this. And then, of course, I wonder how these 2 apps would connect to each other?
In the next step, API and SPA Configuration (SPAs + API), the docs tell me to input a clientId, but currently I have a SPA and an M2M app. Which clientId should I input there?

@huyennbl,

I think I may be missing some context, so please forgive me if I don’t properly address your question.

The point of the SPA in this architecture is to act as a user interface with the API. It allows a user to log in and, based on that user’s permissions or roles, regulates what kind of access (or scopes) the user has with regards to the API.

I am not sure I understand where the other M2M is created after creating the API. The API should be acting as the M2M in this instance. The applications (SPA and API) will connect to each other via http requests that are authorized with an access token.

I am not seeing where the part mentioning the inputting of the client ID is, but it should be the client ID for the app that is making the request. If the request is coming from the SPA, then the respective client ID should be used. The same goes for the API/M2M app.

The diagram on this doc does a great job of illustrating the configuration.

Please let me know if this makes sense, and if I can clarify further.

Thanks,
Dan