Confusion around authorizing an Application to access an API

The Machine-to-Machine Application page has an API tab where I can select which APIs that m2m app has access to. However, the Regular Web Application page has no API tab.

The API page has a Machine to Machine Applications tab; however, it lists all m2m and web apps.

Am I confused, or is the UX? Specifically:

  • should the Web Application page have an API tab?
  • should the Machine to Machine Applications tab on the API page be called Applications?

Hi @jconkling,

Welcome to the Auth0 Community Forum!

What would you like to see in an API tab in applications?

In regards to your second question, I think the reason why the naming convention is machine to machine is because a backend server for a web app is making a connection to an API server. This suggests that two servers are making a connection, or two machines, regardless of whether or not they are two APIs or an API and a web server. Does that make sense?

In addition, we highly encourage customer feedback! Each feedback ticket is fielded by a member of the product team.

Hope this helps!

Thanks,
Dan

Hi Dan,

Thanks for the feedback.

What would you like to see in an API tab in applications?

Given that an M2M app has an API tab to authorize that app to retrieve access tokens, I would expect Regular Web Application to also have a similar API tab. See below:


In regards to your second question, I think the reason why the naming convention is machine to machine is because a backend server for a web app is making a connection to an API server.

Yeah, that makes sense. Given that so much of the Auth0 setup and supporting docs suggest different workflows for Native, Single Page Web Applications, Regular Web Applications, and Machine to Machine Applications, it’s a little confusing to me that the API page would include a Machine to Machine Applications tab that includes applications set up as both Regular Web Applications and Machine to Machine Applications.

It’s totally possible I just don’t fully understand the relationship between an Application and an API.

Thanks for taking the time to respond, and thanks for the feedback link. Looks like that’s probably a better place to post this, so I’ll copy the above over there.

Just to continue the conversation, a regular web app can use multiple types of grants for different purposes. For instance, it can use a client credentials grant to make an M2M token request, and can use the auth code flow for authenticating the user. So it can kind of be both.

As far as having an API tab on an application, if the function that it provided was to toggle on and off permission for the application to make requests to an API, that would be the same function that the M2M tab has in API settings. The overlap there is likely why it doesn’t exist, but if that UX is something that is desired we highly encourage you to provide that feedback. I can’t say it will be implemented, but the demand for it will definitely be noted.

a regular web app can use multiple types of grants for different purposes. For instance, it can use a client credentials grant to make an M2M token request, and can use the auth code flow for authenticating the user. So it can kind of be both.

Yeah, however for a tab that is about authorizing any application to use an API, calling that tab Machine to Machine Applications seems weird.

As far as having an API tab on an application, if the function that it provided was to toggle on and off permission for the application to make requests to an API, that would be the same function that the M2M tab has in API settings. The overlap there is likely why it doesn’t exist […]

Agreed, the UX to authorize an application to use an API does not need to be on both the application page and the API page. I would think the best place to put it would be on the API page, w/ the caveat that, IMHO, putting it under a tab called Machine to Machine Applications as it is now is confusing. As it is now, though, it is implemented on the API page and on some of the application pages (M2M), but not others, which is both redundant (as you point out), and inconsistent.

@jconkling,

Thanks for elaborating further. At this point the best way to communicate this information to the product team would be to submit your input, and even a link to this topic, to the product team via the feedback link from my previous post. I would be happy to submit it on your behalf if that is easier.

Thanks for all of the input! We get a lot of value from our customers, and appreciate your feedback greatly.

Warm Regards,
Dan,

Yeah, I’ve submitted. Thanks for fielding the questions.

No problem! Let us know if there is anything else to discuss.

Thanks,
Dan
