Hi @ben.davidson it is correct that for the SPA apps this setting needs to be “None”. For regular Web Applications though it should be better set to the other secure options as “None” allows creating a token for your ASP.NET app without using the client-secret of your application.
Ideal setup is to create a separate SPA app which will set the type to none for your React Application and then you may keep your current application for the ASP.NET app unchanged.
Having two apps on Auth0 wouldn’t increase your usage stats or force the users to login again. With seamless SSO turned on, when a user logs in to one app, the other app login will happen without a re-login.