When you open the site, you are redirected to the login form where authentication occurs.
On the server side, credentials are checked and a session is created, so that the application can access the messages, posts, personal data, etc. from the user in question through calls to the restfull API.
The need to give permission to third parties to access user data has arisen. I want to change the API to accept authentication via oauth.
When a request is made to the API, it is checked whether the session exists to allow access but in case oauth would have to skip the session and verify that the token is valid.
One solution would be to use oauth on the site itself, ie the site would be an oauth authentication API client, eliminating the need for a session.
The point is, when a third-party application tries to access the API, the user will have to allow access through a login to the site. With that in mind, if the site is also API client, would not it be a looping?