We use APIs rather than raw databases so we can control who gets to see what data when and where. The OAuth Authorization Code Grant allows us to combine the security allowed for an App with the security rules allowed for a User. This video gives a quick look at how a person, app, API and Identity service all interact together in that flow.
You can try a live walkthrough with some quick JavaScript code snippets over on my tutorial site at uxapi.io/howto...