I have some APIs that I would like to secure using OKTA.
These APIs will be accessed by Web clients (single-page applications), Mobile, or by other services (e.g., cron jobs, CURL commands, service to service).
My understanding is that for service to service it is best to implement the credential workflow, and for SPA or mobile apps it is better to implement the implicit or code workflow.
As far as OKTA is concerned, how many applications do I need to create for this in OKTA?
Should I create an SPA application or Web?
Should I have my resource server handle the authentication and authorization of the client whether it is SPA or Service to service?
Where do I store the access token? And should I send the access token back to the client or not?
In the case of an SPA app, should the client store the token? And for service to service, where should the token be stored?