Chapter 12 explained ASP.NET Core Identity, which includes full user and sign-in management. This works really well for traditional, page-based web applications. The server issues an authentication cookie, which is automatically returned to the server with each subsequent HTTP request—that’s just how cookies work. For APIs or single-page applications (SPAs), this approach is still viable, but rather uncommon. Let’s take an API, for instance. It may have clients that are not web browsers (e.g., console applications, desktop applications, or other servers) and as such might not even support cookies. Things get even more complicated if the server doing the authentication (e.g., validating credentials) is different from the one doing the authorization. One server cannot reliably issue cookies for another server, and SameSite cookie settings make things even harder.