Authentication vs Authorization: A Simple Guide

Almost every app starts with a login screen, but logging in only settles who you are. After that, the app still has to decide what you are allowed to do. That difference is Authentication versus Authorization, and this guide explains it.

  • Authentication (AuthN) → Proves who you are (login with password/OTP/Google/biometric).
  • Authorization (AuthZ) → Decides what you can do (roles, permissions, access rules).

Order matters: First AuthN, then AuthZ.

Comparison

Topic            Authentication (AuthN)                            Authorization (AuthZ)
Core Question    Who are you?                                      What can you do?
Examples         Password, OTP, Google Sign-In, Face ID            Admin can delete, Teacher can edit, Viewer can read
Output           Session/JWT token, user identity                  Roles/permissions/scopes applied
Typical Errors   401 Unauthorized (not logged in/invalid token)    403 Forbidden (logged in, but not allowed)
When It Happens  First                                             After AuthN

Real-Life Analogies

  • 🏠 House Key vs Rooms: Your key proves you live there (AuthN). Which rooms you can enter is AuthZ.
  • 🛫 Airport: The ID check at security proves who you are (AuthN). Your boarding pass decides which gate, seat and class you get (AuthZ).

Why You Need Both

  • Security: Keep strangers out (AuthN) and limit actions (AuthZ).
  • Least Privilege: Give people only the access they need.
  • Compliance & Audits: Clear logs of who did what.

Where You See Them

  • Web & Mobile Apps: Sign in, then features unlocked by role.
  • APIs: Tokens prove identity; scopes/roles control endpoints.
  • Admin Dashboards: Only some users can manage users, billing, or deletes.

Roles, Permissions, and Scopes

  • Role: A bundle of permissions (e.g., Admin, Teacher, Viewer).
  • Permission: A specific right a user holds (e.g., packages:read, packages:write).
  • Scope: The subset of rights a particular token or client was granted. A token can carry fewer rights than its user has, so a leaked token does less damage.
  • Good practice: Assign roles to people for simplicity, but check permissions in code. A check like "is admin" is hard to change later; a check for packages:delete lets you reshape roles without touching the code.

Common Models

  • RBAC (Role-Based Access Control): Assign users to roles, and roles to permissions. Simple and popular, though roles tend to multiply once exceptions are needed.
  • ABAC (Attribute-Based Access Control): Rules evaluated over attributes of the user, the resource and the context (owner, department, time of day). Flexible, but harder to reason about and audit.

Status Codes You’ll Meet

  • 401 Unauthorized: Despite the name, this means "not authenticated": no credentials were sent, or the token is invalid or expired. The response should carry a WWW-Authenticate header saying how to authenticate. Fix: log in again or refresh the token.
  • 403 Forbidden: Authenticated, but this identity is not allowed to do that. Logging in again will not help. Fix: request the proper role or permission.
  • Some APIs answer 404 instead of 403 so that a caller without access cannot confirm that a resource exists. That is a deliberate authorization choice, not a bug.
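As an added example, not code from the original article, here is a server-side authorization check in Python that puts the sections on roles, permissions, common models and status codes together. ROLE_PERMISSIONS, the Principal and Resource types and authorize() are names assumed for illustration; the three roles are the article's Admin/Teacher/Viewer. The check answers 401 when there is no authenticated identity, 200 when an RBAC permission or a single ABAC owner rule allows the action, and 403 otherwise, so denial is the default.

```python
"""Server-side authorization check combining RBAC with one ABAC rule.

Added example, not code from the original article. ROLE_PERMISSIONS, the
Principal and Resource types and authorize() are names assumed here for
illustration; the three roles are the article's Admin/Teacher/Viewer.
"""
from dataclasses import dataclass
from typing import Optional

# RBAC: a role is a bundle of permissions. The code below tests permissions,
# never role names, so roles can be reshaped without touching the checks.
ROLE_PERMISSIONS = {
    "admin":   {"packages:read", "packages:write", "packages:delete"},
    "teacher": {"packages:read", "packages:write"},
    "viewer":  {"packages:read"},
}


@dataclass(frozen=True)
class Principal:
    """The identity that authentication (AuthN) already established."""
    user_id: str
    roles: frozenset


@dataclass(frozen=True)
class Resource:
    """What the request wants to act on; owner_id feeds the ABAC rule."""
    kind: str
    owner_id: str


def permissions_for(principal: Principal) -> set:
    """Expand the principal's roles into a flat permission set (RBAC)."""
    perms = set()
    for role in principal.roles:
        # An unknown role grants nothing: deny by default.
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def authorize(principal: Optional[Principal], action: str, resource: Resource) -> int:
    """Return the HTTP status the server should answer with.

    401: no authenticated identity, so the request cannot even be judged.
    200: an explicit rule allows the action.
    403: identity is known but nothing allows the action (the default).
    """
    if principal is None:
        return 401
    required = f"{resource.kind}:{action}"
    if required in permissions_for(principal):
        return 200
    # ABAC: an attribute of the resource (its owner) compared with an
    # attribute of the caller lets owners edit their own items whatever
    # their role. Delete stays role-gated.
    if action == "write" and resource.owner_id == principal.user_id:
        return 200
    return 403


if __name__ == "__main__":
    pkg = Resource("packages", owner_id="u-alice")
    callers = (None,
               Principal("u-bob", frozenset({"viewer"})),
               Principal("u-alice", frozenset({"viewer"})))
    for who in callers:
        print(who, "write ->", authorize(who, "write", pkg))
```

The same function serves an API and a dashboard: the UI may hide the delete button for a viewer, but if the request arrives anyway the server still answers 403, which is what the front-end-only mistake in the list below is about.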

Best Practices

  • Use strong authentication: MFA/2FA for important accounts.
  • Hash passwords: bcrypt/argon2; never store plaintext.
  • Keep tokens short-lived: Rotate/refresh regularly.
  • Least privilege: Start with no access; add only what’s needed.
  • Deny by default: Explicitly allow known actions.
  • Protect secrets: Store keys in environment/secret manager, not in code.
  • Log important events: Failed logins, role changes, access denials.
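Added example, not the article's code: minting and verifying short-lived access tokens with an HMAC signature using only the Python standard library, which shows the "short-lived tokens", "deny by default" and "log access denials" items above in working code. The token format, the names mint_token, authenticate and TOKEN_TTL_SECONDS, and the 15-minute lifetime are assumptions chosen for illustration; a real deployment would normally use a maintained JWT or session library rather than hand-rolled signing.

```python
"""Short-lived, HMAC-signed access tokens.

Added example, not code from the original article. The token format
"<base64url claims>.<base64url HMAC-SHA256>", the names below and the
15-minute lifetime are assumptions chosen for illustration.
"""
import base64
import binascii
import hashlib
import hmac
import json
import logging
import time

TOKEN_TTL_SECONDS = 15 * 60  # short-lived: a stolen token is useful for minutes, not months
log = logging.getLogger("authn")


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(secret: bytes, user_id: str, scopes: list, now: float = None) -> str:
    """Issue a token once the user has proved who they are (AuthN)."""
    now = time.time() if now is None else now
    claims = {"sub": user_id, "scope": sorted(scopes),
              "iat": int(now), "exp": int(now) + TOKEN_TTL_SECONDS}
    body = _b64(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    sig = hmac.new(secret, body.encode("ascii"), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


def authenticate(secret: bytes, token: str, now: float = None) -> tuple:
    """Return (200, claims) for a valid token, otherwise (401, reason).

    The signature is checked in constant time before any claim is trusted,
    an expired token is rejected even though its signature is valid, and
    every rejection is logged. Anything not explicitly accepted is a 401.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 2:
        log.warning("token rejected: malformed")
        return 401, "malformed"
    body, sig = parts
    try:
        presented = _unb64(sig)
    except (binascii.Error, ValueError):
        log.warning("token rejected: malformed signature")
        return 401, "malformed"
    expected = hmac.new(secret, body.encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, presented):
        log.warning("token rejected: bad signature")
        return 401, "bad signature"
    claims = json.loads(_unb64(body))  # safe to parse: signature verified
    if now >= claims["exp"]:
        log.warning("token rejected: expired for sub=%s", claims["sub"])
        return 401, "expired"
    return 200, claims


if __name__ == "__main__":
    # Demo key only; load the real key from a secret manager, never from code.
    key = b"demo-only-secret"
    t = mint_token(key, "alice", ["packages:read"])
    print(authenticate(key, t))
```

Because the token is verified statelessly, nothing on the server can end its life before "exp" passes; that is why the lifetime is short and why a separate, revocable refresh flow is used to issue the next one.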

Common Mistakes

  • Mixing up 401 and 403 (for example, answering 401 to a logged-in user who lacks a permission, which sends them round a useless re-login loop).
  • Giving broad Admin to everyone “for speed.”
  • Skipping logout/token expiry.
  • Storing secrets in code repositories.
  • Relying on front-end checks only. Hiding a button in the UI is not authorization; the server must check every request, because anyone can send one without the UI.

FAQ

Q: Do I need both?
A: Yes. AuthN proves identity; AuthZ controls access.

Q: Which happens first?
A: Authentication first, then Authorization.

Q: Are sessions and JWT the same?
A: No. A session keeps the user's state on the server and gives the browser only an opaque ID (usually in a cookie), so the server can end it at any time. A JWT carries the identity and claims inside the token, signed so the server can verify it without a lookup; that is why a JWT must be short-lived, since it stays valid until it expires unless you keep a revocation list. Either can be used securely if configured well.