I need parts of my API to be open to my SPA from the browser without the user logging in, but not the outside world. In other words I need to authorize/authenticate the client SPA to API endpoints, even when a user is not logged in. Once the user is logged in they can obviously do more stuff (call users API, POST, DELETE, etc.).
Is this in the scope of OAuth? Or do I have any options outside of rate throttling the API?
Forgive me if I’m missing the point but it seems like you’d be able to do this simply by limiting the allowed origins in your API to the deployed link for your app. Please disregard if I’m not fully appreciating the scope of your question.
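As an added example (not code from the thread), here is a framework-free Node.js handler that applies the allowed-origins idea from the answer above with an exact-match Origin allowlist, while still requiring a session for the per-user endpoints, since CORS is enforced only by browsers and does not authenticate a client. The origin `https://app.example.com`, the routes and the bearer token value are assumed placeholders.

```javascript
// Added example (not from the original thread): exact-match Origin
// allowlist for an API plus a session check on per-user routes.
// Origins, routes and the token value below are assumed placeholders.

const ALLOWED_ORIGINS = new Set(["https://app.example.com"]);

// Exact string comparison on scheme + host + port. Substring or prefix
// tests (e.g. origin.includes("app.example.com")) would accept look-alike
// origins, so compare the whole value.
function isAllowedOrigin(origin) {
  return typeof origin === "string" && ALLOWED_ORIGINS.has(origin);
}

// CORS headers for an allowed origin. Echo the exact origin (never "*"
// when credentials are involved) and add Vary so caches keep responses
// for different origins apart.
function corsHeaders(origin) {
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    "Access-Control-Allow-Methods": "GET, POST, DELETE, OPTIONS",
    "Access-Control-Allow-Headers": "Authorization, Content-Type",
    "Vary": "Origin",
  };
}

// req: { method, path, headers: { origin?, authorization? } }
// Returns { status, headers, body }. Routes are illustrative only.
function handle(req) {
  const origin = req.headers.origin;
  // Origin present but not on the allowlist: refuse and send no CORS
  // headers, so the browser will not expose the response to the page.
  if (origin !== undefined && !isAllowedOrigin(origin)) {
    return { status: 403, headers: {}, body: "origin not allowed" };
  }
  const headers = origin === undefined ? {} : corsHeaders(origin);
  if (req.method === "OPTIONS") return { status: 204, headers, body: "" }; // preflight
  if (req.method === "GET" && req.path === "/public") {
    return { status: 200, headers, body: "public data" }; // no login needed
  }
  // Per-user endpoints: only browsers enforce CORS, and a non-browser
  // client can send any Origin it likes, so these routes still require a
  // real session (assumed bearer-token check standing in for your auth).
  if (req.path.startsWith("/users")) {
    if (req.headers.authorization !== "Bearer demo-session-token") {
      return { status: 401, headers, body: "login required" };
    }
    return { status: 200, headers, body: `${req.method} ok` };
  }
  return { status: 404, headers, body: "not found" };
}
```

Requests that carry no Origin header at all (same-origin or non-browser clients) pass the allowlist untouched, which is why the origin check protects the browser case only and the logged-in endpoints keep their own session check.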