First, let me give you some context.
I am developing a REST API using Laravel, with OAuth2 as the authorization method, using the Laravel Passport implementation.
On the other hand, I am developing a JavaScript client (Single Page Application or SPA) that will consume the REST API.
The situation is as follows:
Some endpoints of the REST API should always be accessible by the client (a valid client, since the API is not published), and other endpoints should only be accessible by the client when a user is logged in.
As a first approach, what has been proposed is that when the SPA is initially opened in the browser, it obtains a token of type Client Credential Grant Token so that it is a valid client and can make requests to the "Basic" endpoints of the API. Later, when a user logs in, a Personal Access Token is generated, which will allow the client to make requests to all endpoints of the REST API.
I am a bit confused as to how to put this into practice.
I hope you can help me, please.