For Android and iOS, what is the difference between SPA and native application types?

Hi @hasan.alqaisi2000,

Welcome to the Auth0 Community!

Sometimes, SPA and native apps are using the same grant type Auth Code + PKCE (this is a fairly recent development in the land of Auth0/OAuth2), which means that it’s possible for an app that is registered as SPA to work for a native app.

With that said, these two types of application are still different. For instance, SPAs- or so-called user-agent-based applications, are generally more open to the user, and open to the possibility of dynamic credentials being exposed (think XSS attack). This means that a user has more access to the credentials themselves (like an access token) and it’s important to treat them that way.

Native applications on the other hand, have a higher expectation of security when it comes to these dynamic credentials (access tokens, refresh tokens) and can we can assume that they can store them safely.

Keep in mind, both are public clients, and cannot safely store a global credential like a client secret. They are also different types of applications (JS vs iOS etc) and should be registered as such.

Also, the spec tells us to register them seperately :smile:.

4 Likes