Grant API access to SPA and m2m applications

Hi everyone,

I have a GraphQL API with a gateway that provides access to all the available data in my system. Subgraphs and individual fields are secured by permissions according to a token’s scope. There are two things I’m trying to accomplish:

  1. Since this is a microservice architecture, I have other services that need to access data. I’d like to only grant permissions to the fields each service needs, which means each service should be able to request a token with a different scope. Do I have to create a different m2m application and custom API in order to generate tokens with different scopes?

  2. This API can also be accessed by users, although the scope will obviously be different. Is it possible to have an API that can be accessed by a SPA application and m2m? I’ll throw Native in there as well because that will become a requirement soon as well.

Any advice or questions would be greatly appreciated, thanks!
-JB