
Confusion around authorizing an Application to access an API

The Machine-to-Machine Application page has an API tab where I can select which APIs that m2m app has access to. However, the Regular Web Application page has no API tab.

The API page has a Machine to Machine Applications tab, however it lists all m2m and web apps.

Am I confused, or is the UX? Specifically:

  • should the Web Application page have an API tab?
  • should the Machine to Machine Applications tab on the API page be called Applications?

Hi @jconkling,

Welcome to the Auth0 Community Forum!

What would you like to see in an API tab in applications?

In regards to your second question, I think the reason why the naming convention is machine to machine is because a backend server for a web app is making a connection to an API server. This suggests that two servers are making a connection, or two machines, regardless of whether or not they are two APIs or an API and a web server. Does that make sense?

In addition, we highly encourage customer feedback! Each feedback ticket is fielded by a member of the product team.

Hope this helps!

Thanks,
Dan

Hi Dan,

Thanks for the feedback.

> What would you like to see in an API tab in applications?

Given that an M2M app has an API tab to authorize that app to retrieve access tokens, I would expect Regular Web Application to also have a similar API tab. See below:


> In regards to your second question, I think the reason why the naming convention is machine to machine is because a backend server for a web app is making a connection to an API server.

Yeah, that makes sense. Given that so much of the Auth0 setup and supporting docs suggest different workflows for Native, Single Page Web Applications, Regular Web Applications, and Machine to Machine Applications, it’s a little confusing to me that the API page would include a Machine to Machine Applications tab that includes applications set up as both Regular Web Applications and Machine to Machine Applications.

It’s totally possible I just don’t fully understand the relationship between an Application and an API.

Thanks for taking the time to respond, and thanks for the feedback link. Looks like that’s probably a better place to post this, so I’ll copy the above over there.

1 Like

Just to continue the conversation, a regular web app can use multiple types of grants for different purposes. For instance, it can use a client credentials grant to make an M2M token request, and can use the auth code flow for authenticating the user. So it can kind of be both.

As far as having an API tab on an application, if the function that it provided was to toggle on and off permission for the application to make requests to an API, that would be the same function that the M2M tab has in API settings. The overlap there is likely why it doesn’t exist, but if that UX is something that is desired we highly encourage you to provide that feedback. I can’t say it will be implemented, but the demand for it will definitely be noted.
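The two grants mentioned in the reply above, sketched for a single Regular Web Application as an added example that is not part of the original thread and is not Auth0's own code. The tenant domain, client ID, audience and secret are constructed placeholders, and `token_decision` is a hypothetical, simplified model of the per-API toggle, not Auth0's implementation.

```python
from urllib.parse import urlencode

# Constructed placeholders, not real tenant values.
DOMAIN = "example-tenant.auth0.com"
CLIENT_ID = "REGULAR_WEB_APP_CLIENT_ID"
AUDIENCE = "https://api.example.com/"


def user_login_url(redirect_uri, state):
    """Authorization code flow: where the browser is sent so a user can sign in."""
    query = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": redirect_uri,
        "scope": "openid profile",
        "audience": AUDIENCE,
        "state": state,  # per-session random value, checked again on the callback
    }
    return f"https://{DOMAIN}/authorize?{urlencode(query)}"


def m2m_token_request(client_secret):
    """Client credentials grant: the backend asks for a token as itself, no user."""
    body = {
        "grant_type": "client_credentials",
        "client_id": CLIENT_ID,  # same application as in user_login_url
        "client_secret": client_secret,  # stays on the server, never in a browser
        "audience": AUDIENCE,
    }
    return f"https://{DOMAIN}/oauth/token", body


def token_decision(body, authorized_pairs):
    """Hypothetical model of the toggle: one (client_id, audience) pair per switch."""
    if body.get("grant_type") != "client_credentials":
        return "not_applicable"  # user-facing flows are not gated by this toggle
    pair = (body["client_id"], body["audience"])
    # The result strings are labels for this model, not Auth0 error codes.
    return "issue_token" if pair in authorized_pairs else "access_denied"


if __name__ == "__main__":
    url, body = m2m_token_request("CONSTRUCTED_SECRET")
    print(user_login_url("https://app.example.com/callback", "RANDOM_STATE"))
    print(url, token_decision(body, set()))                   # toggle off
    print(url, token_decision(body, {(CLIENT_ID, AUDIENCE)}))  # toggle on
```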