To obtain an Access Token, a Client application must authenticate with the Authorization Server using its client credentials.
The Client application credentials are obtained by creating an OAuth application within an Organization Account.
Two types of OAuth applications can be created before being able to request tokens, in order to access protected resources:
In line with OAuth 2.0, a Client application can be either Public or Confidential, based on its ability to authenticate securely with the Authorization Server, i.e. its ability to maintain the confidentiality of its client credentials.
Depending on the use case, the Appibase user creates the relevant OAuth application. For instance, a storefront application is typically expected to be a Single Page Application (SPA) running in the browser, where client credentials cannot be kept confidential; a Public (or non-confidential) Storefront Application is therefore the appropriate choice.
The Authorization Grant Type chosen to request an Access Token is also a determining factor in choosing which OAuth application to create.
When creating an OAuth client application, in addition to setting the application to be an Admin or Storefront app, as well as setting it to be Confidential or Public, the user can also optionally add Callback URLs (or redirection URIs), which allow the Authorization Server to direct the End-User, via the User-Agent, back to the Client.
The Callback URL is the URL within your frontend app that receives the OAuth 2.0 credentials, namely the Authorization Code. It is used in the Authorization Code flow only.
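The following is an added example, not Appibase's own code, of how a frontend app can handle the response arriving at its Callback URL. It assumes the standard OAuth 2.0 response parameters `code`, `state` and `error` from RFC 6749; the Callback URL, the function name and all sample values are constructed placeholders.

```javascript
// Added example: handling the authorization response in a Public (SPA) client.
// REGISTERED_CALLBACK is a constructed placeholder for the Callback URL
// registered on the OAuth application.
const REGISTERED_CALLBACK = "https://shop.example.com/oauth/callback";

// receivedUrl:   the full URL the User-Agent was redirected to
// expectedState: the random value this app stored before starting the flow
function parseAuthorizationCallback(receivedUrl, expectedState) {
  const url = new URL(receivedUrl);
  const registered = new URL(REGISTERED_CALLBACK);

  // Process the response only on the exact registered Callback URL.
  if (url.origin !== registered.origin || url.pathname !== registered.pathname) {
    return { ok: false, reason: "unexpected_callback_url" };
  }

  const params = url.searchParams;

  // RFC 6749 forbids repeated parameters; a duplicate is ambiguous, so reject it.
  for (const name of ["code", "state", "error"]) {
    if (params.getAll(name).length > 1) {
      return { ok: false, reason: "duplicate_" + name };
    }
  }

  // `state` ties the response to the request this browser session started.
  if (!expectedState || params.get("state") !== expectedState) {
    return { ok: false, reason: "state_mismatch" };
  }

  // The Authorization Server reports failures through `error`, not `code`.
  if (params.has("error")) {
    return { ok: false, reason: "authorization_error", error: params.get("error") };
  }

  const code = params.get("code");
  if (!code) {
    return { ok: false, reason: "missing_code" };
  }

  // The Authorization Code is then exchanged for an Access Token.
  return { ok: true, code };
}
```
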