Difference Between API and APP and Associated Login Methods

I have a webapp I want to have authenticated via Auth0. Authorization isn’t what I’m looking for right now, just authentication. There is already an authorization system built into our backend.

I see there are Apps that you can create: SP apps, traditional websites, mobile apps, etc. and then there are APIs you can register.

I’m having a hard time understanding the difference between the two. In my case once the user had logged-in via Auth0 and received their tokens, my backend only needs to confirm the user’s identity and then the authorization layer takes over. Nothing needs to happen on the webapp itself. In fact the webapp could ignore all data in the tokens and simply pass them on to the backend, which is what it mostly does right now.

So which option do I go for? Do I Set Up an API? Do I Set Up a SP App? Where do I go from here?

Hi shaun.das

I think you only need the session cookie, for authentication.

You don’t need an API, just an app of the right type (traditional or SPA or Mobile etc).
Then the login will set the cookie, and your middleware should verify the cookie is there.


1 Like

Hi @shaun.das,

In addition to what @john.gateley provided, which type of app you choose is usually determined by your stack. E.g., you would usually chose ‘regular web app’ for something server side like python+django, or single-page for javascript / express / vue etc … something that runs entirely in the browser.

Under the hood, the app type you chose is selecting your authentication / authorization flow, specifically selecting the flow most commonly used with each app type. If you understand which flow you need, you can select an app type based on that.

Auth0’s Architecture Scenarios may be helpful as well:

Hi @john.gateley ,
I had the same question as Shaun, so thanks for the answer.
However I also want my services to be stateless, so I don’t want to use session cookies.
In that case I suppose the expectation would be for the client to keep sending the accessToken with each request - is that correct?