Authentication vs Authorization

Two distinct questions: who are you, and what are you allowed to do.

Two Different Questions

Authentication answers who you are by verifying an identity claim, such as a password, passkey, or token. Authorization answers what you may do once identity is known, by checking permissions against a policy.

Why The Distinction Matters

  • Confusing them leads to broken access control, where a logged-in user reaches data they should not.
  • Authentication happens once per session, while authorization is checked on every request to a protected resource.
  • A valid token proves identity but never implies permission by itself.

Doing It Well

  • Verify identity with strong factors and short-lived sessions.
  • Enforce authorization on the server side for each action, never trusting the client.
  • Apply least privilege so each role gets only the access it needs.
  • Log authorization failures to detect probing.
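The points above (a valid token never implies permission, authorization enforced server-side on every request, least-privilege roles, denied attempts logged) as an added Python example that is not part of the lesson; the secret, the user and role tables, and the functions `issue_token`, `authenticate`, `authorize` and `handle_request` are all constructed here for illustration.

```python
import hmac
import hashlib
import logging

# Constructed demo values: a real service would use a session or JWT
# library, but the separation of the two checks is the same.
SECRET = b"constructed-demo-secret"
USERS = {"alice": "viewer", "bob": "editor"}          # identity -> role
ROLE_PERMISSIONS = {                                    # role -> least-privilege set
    "viewer": {"report:read"},
    "editor": {"report:read", "report:write"},
}
AUDIT_LOG = []                                          # denied attempts, for detecting probing

logging.basicConfig(level=logging.WARNING)
log = logging.getLogger("authz")


def _sign(user: str) -> str:
    return hmac.new(SECRET, user.encode(), hashlib.sha256).hexdigest()


def issue_token(user: str) -> str:
    """Result of a successful login: a signed token bound to one identity."""
    return f"{user}.{_sign(user)}"


def authenticate(token: str) -> "str | None":
    """Who are you? Verify the signature and return the identity, or None."""
    user, _, sig = token.partition(".")
    if user in USERS and hmac.compare_digest(sig.encode(), _sign(user).encode()):
        return user
    return None


def authorize(user: str, action: str) -> bool:
    """What may you do? Check the action against the caller's role, every time."""
    allowed = action in ROLE_PERMISSIONS.get(USERS.get(user, ""), set())
    if not allowed:
        AUDIT_LOG.append(f"denied user={user} action={action}")
        log.warning("authorization denied user=%s action=%s", user, action)
    return allowed


def handle_request(token: str, action: str) -> int:
    """Server-side gate run on each request: identity first, then permission."""
    user = authenticate(token)
    if user is None:
        return 401  # not authenticated: identity claim failed
    if not authorize(user, action):
        return 403  # authenticated, but this identity lacks the permission
    return 200
```

A valid token for alice yields 200 on `report:read` but 403 on `report:write`, which is the difference between the two questions in one call.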

Key idea

Authentication establishes identity and authorization grants access, so enforce both separately and check permissions on every request.

Check yourself

Answer to earn rating on the learn ladder.

1. What does authorization decide?

2. How often should authorization be checked?