Doubt about "Client Secret" and Applications types

If I have an application (Regular web application, Single page web application (SPA), Native application)… Is the purpose of “Client Secret” to check or validate the JWT (back-end)?

The only way to update:xxx, read:xxx, delete:xxx or do any actions into Auth0 is with an application “Machine to machine (M2M)”? (back-end with “Client Secret”)

With “Regular web application”, “Single page web application (SPA)”, “Native application” is possible to update:xxx, read:xxx delete:xxx (back-end with “Client Secret”).

I’m still fairly new to this, so I may be missing something.

Hi @gersveo,

Welcome to the Auth0 Community!

SPA and native applications run on the user’s device. This could be a browser or mobile device and as such, these applications cannot keep any information secret from the user.

If you were to request/issue a management API token from a single page app/native app, the user could inspect the application on their device, get the token, and make read/update/delete requests against your tenant. This could in effect give a random user admin-style access.

As a result, we recommend management API requests be made from a trusted M2M application.

Thnks @dan.woda for you response.

I know the proposal of each APP (Regular web application, Single page web application (SPA), Native application)… I understant the importance of “Client Secret” is for backend use only…
I tested each APP… for example: I tested (without Client Secret) “Regular web application” and “Native application” in React (SPA)… And I tested a “Single page web application (SPA)” and “Native application” with nodeJS and php (with Client Secret)…

In the two tests, the Auth0 “Applications” worked the same way, I did not see any difference between the three Auth0 “Applications”, even the settings of these three Auth0 “Applications” were the same.

When I tried to use Auth0 application “Machine to Machine (M2M)” with ReactJS (front) and NodeJS-PHP (backend) it didn’t work (try to verify token). (I had expected functionality, it only worked for machine-to-machine communication.)

I have not yet tested the operation of the three previous Apps (Regular Web Application, Single Page Web Application (SPA), Native Application) trying to make a Machine to Machine communication, I hope that with these three applications it does not work.