I’m creating an application that will have an SPA for the front end that will call APIs in the back end and for this use case I want to authenticate users with the Authorization Code grant type. The back end will also expose a few APIs designed for machine to machine integration and I’d like to use the Client Credentials grant type for this use case. Is using the “Web Application” application type ok for this job? I know I can use both of the grant types I need with this application type and I assume for the SPA app I just wouldn’t store/pass the client secret in the Authorization Code flow? Are there any problems with this approach or am I best hosting the APIs for machine to machine integration in another app entirely? Are there any pros/cons to either approach?