The transport layer for web apps means HTTP/HTTPS. It means that all the authorization functionality works independently of the way you have accessed the application. In the context of web apps specifically, there's nothing HTTP/HTTPS-specific about authorization. That's different from authentication, where (e.g.) Basic authentication or client-cert authentication are wedded closely to HTTP.