I’ve set up several APIs in my dashboard. Some of them are to be exposed in M2M flows only, and two of them to be accesses both by other APIs and the frontend, which is an SPA.
I’ve also one Application for each of the APIs that need access to another API, and an application for the SPA.
As for the M2M flows, I can manage which applications can access each API, and it’s working fine. However, my Frontend application can always access any API as long as it requests the correct authorities. As far as I know I can manage permissions only in a user basis, but I would like just to block the application from completely accessing an API.
Is there a reason for not being able to do so?