Dear fellow Auth0nians,
I need parts of my API the be open to my SPA from the browser without the user logging in, but not the outside world. In other words I need to authorize/authenticate the client SPA to API endpoints, even when a user is not logged in. Once the user is logged in they can obviously do more stuff (call users API, POST, DELETE, etc.).
Is this in the scope of OAuth? Or do I have any options outside of rate throttling the API?