Authentication just verifies the user, not the client application. Once you publish a web site, it’s an open api that can be used by any tool that can make web requests.
You need to be sure the site does not allow abuse, that is don’t assume you code is calling it.