My app is a React SPA which uses webauth to access an Auth0 API, more or less what this tutorial describes. Most user interaction occurs in the web app, but I would like to give a Google App the ability to query the API. This means it needs to be limited in which API endpoints it can access, because I want to prevent any potential vulnerabilities.
Google Apps can support OAuth2, so I've created a separate client (native) to allow my Google Apps Add-on to query my API. It more or less follows this template from their sample code and uses the generated JWT to make queries directly against my API. Now, while I want the Google Apps Add-on to be able to query my API, it should not have anything close to the permissions of my main React API client. What is the best way to restrict access to this separate client? Should it be a third-party client instead? Should I use a separate Node middleware, on top of checking the JWT, to restrict endpoint access by client ID? I was curious what best practice is here for adding additional OAuth clients that need to use a subset of API endpoints.
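The "separate Node middleware on top of checking the JWT" idea from the question, as an added example that is not code from the original post or from Auth0. It assumes an upstream middleware (such as express-oauth2-jwt-bearer) has already verified the access token's signature, issuer, audience and expiry and stored the decoded payload on `req.auth`; it relies on the `azp` (authorized party) claim, which Auth0 access tokens set to the requesting application's client ID, and the space-separated `scope` claim. The client IDs, scope names and sample claims are made up for the example.

```javascript
// Added example, not code from the original post or from Auth0.
// Express-style authorization middleware that limits an OAuth client to a
// subset of API endpoints. Assumed (not in the post): an upstream middleware
// such as express-oauth2-jwt-bearer has already verified the token's
// signature, iss, aud and exp, and set req.auth to the decoded payload.
// Auth0 access tokens carry the caller's client_id in `azp` and the granted
// scopes, space-separated, in `scope`.

// API-side allow-list of scopes per client. Client IDs are hypothetical.
// Even if the authorization server over-grants, this policy caps each client.
const CLIENT_SCOPES = {
  spa_client_id_example: new Set(["read:items", "write:items", "delete:items"]),
  addon_client_id_example: new Set(["read:items"]),
};

// Pure decision function, framework-independent and easy to unit test.
// Returns { ok: true } or { ok: false, status, error }.
function authorize(claims, requiredScope) {
  if (!claims || typeof claims !== "object") {
    return { ok: false, status: 401, error: "unauthenticated" };
  }
  const allowedForClient = CLIENT_SCOPES[claims.azp];
  if (!allowedForClient) {
    // Token from a client we never registered in the policy: deny by default.
    return { ok: false, status: 403, error: "unknown_client" };
  }
  const granted = new Set(String(claims.scope || "").split(" ").filter(Boolean));
  // Both must hold: the token actually carries the scope (the authorization
  // server consented to it) and our policy allows this client to use it.
  if (!granted.has(requiredScope) || !allowedForClient.has(requiredScope)) {
    return { ok: false, status: 403, error: "insufficient_scope" };
  }
  return { ok: true };
}

// Express-compatible middleware factory built on the decision function,
// e.g. app.delete("/items/:id", requireScope("delete:items"), handler).
function requireScope(requiredScope) {
  return function (req, res, next) {
    const decision = authorize(req.auth, requiredScope);
    if (!decision.ok) {
      return res
        .status(decision.status)
        .json({ error: decision.error, required: requiredScope });
    }
    return next();
  };
}

// Minimal stand-in for Express req/res so the middleware runs offline.
function runMiddleware(middleware, claims) {
  const result = { status: 200, body: null, nextCalled: false };
  const res = {
    status(code) { result.status = code; return this; },
    json(body) { result.body = body; return this; },
  };
  middleware({ auth: claims }, res, () => { result.nextCalled = true; });
  return result;
}

// Constructed sample payloads, standing in for already-verified tokens.
const SPA_CLAIMS = {
  sub: "auth0|user1", azp: "spa_client_id_example",
  scope: "read:items write:items delete:items",
};
const ADDON_CLAIMS = {
  sub: "auth0|user1", azp: "addon_client_id_example", scope: "read:items",
};
// Over-scoped add-on token: the authorization server granted more than the
// API-side policy permits for that client, so the policy still denies it.
const ADDON_OVERSCOPED = {
  sub: "auth0|user1", azp: "addon_client_id_example",
  scope: "read:items delete:items",
};

console.log(runMiddleware(requireScope("delete:items"), SPA_CLAIMS));       // nextCalled: true
console.log(runMiddleware(requireScope("read:items"), ADDON_CLAIMS));       // nextCalled: true
console.log(runMiddleware(requireScope("delete:items"), ADDON_CLAIMS));     // 403 insufficient_scope
console.log(runMiddleware(requireScope("delete:items"), ADDON_OVERSCOPED)); // 403 insufficient_scope
```

The scope check alone is what Auth0's own tooling gives you; the per-client allow-list keyed on `azp` is the defense-in-depth layer the question asks about, so a misconfigured grant on the add-on client cannot widen its access without a matching change on the API side.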