For many websites, users need to be able to log in, and the application needs to decide whether or not users are allowed to perform an action. This gets more complicated when using the same login provider for various sites (single sign-on) or when working with APIs or single-page applications (SPAs).