Best way to limit APIs per Application

Hi @kkulakou,

I understand your confusion, and it is good feedback. For now, this is the way to enable API access to your Machine-to-Machine and Regular Web Applications. Single Page Applications and Native Apps are excluded from this list since they do not require additional configuration.

Note that granting API access through this interface is separate from the grant type flows such as code or client_credentials as you described.

In this case, granting your regular web app API access will still allow you to call the API using the authorization code flow. In the request, you can specify the API identifier in the audience parameter.

And to reiterate, regular web applications will only receive an unauthorized error when trying to authorize with an API that they do not have access to.

Hope this helps!

Please let me know if you have any further questions.

Thank you.

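Added example, not part of the reply above and not Auth0's own code: a regular web application building an authorization code request that names the API in the `audience` parameter, then handling the redirect back so that an error response (such as the one an application without access to the API receives) is surfaced instead of being treated as a missing code. The tenant domain, client ID, redirect URI, API identifier and helper names are constructed placeholders.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed placeholder values (assumptions, not taken from the thread).
TENANT_DOMAIN = "example-tenant.auth0.com"
CLIENT_ID = "EXAMPLE_CLIENT_ID"
REDIRECT_URI = "https://app.example.com/callback"
API_IDENTIFIER = "https://api.example.com/"


def build_authorize_url(audience, scope="openid profile"):
    """Return (url, state) for an authorization code request aimed at one API."""
    # Random state ties the callback to this browser session (CSRF protection).
    state = secrets.token_urlsafe(32)
    query = urlencode({
        "response_type": "code",      # authorization code flow
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "audience": audience,         # the API identifier the token is for
        "state": state,
    })
    return f"https://{TENANT_DOMAIN}/authorize?{query}", state


def handle_callback(callback_url, expected_state):
    """Return ("code", value) on success or ("error", (error, description))."""
    params = {k: v[0] for k, v in parse_qs(urlsplit(callback_url).query).items()}
    # Reject responses that do not carry the state issued for this session.
    received = params.get("state", "").encode()
    if not hmac.compare_digest(received, expected_state.encode()):
        raise ValueError("state mismatch: discard this response")
    # An application that may not use the API gets an error, not a code.
    if "error" in params:
        return "error", (params["error"], params.get("error_description", ""))
    if "code" not in params:
        raise ValueError("callback carries neither code nor error")
    return "code", params["code"]
```

Logging the returned `error` and `error_description` per client ID makes it easy to spot an application that keeps requesting an API it has not been granted.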