What is the Difference Between Authorization and Authentication?
What is the Difference Between Authorization and Authentication?
Authentication and Authorization are two different but interconnected security processes in web applications.
Authentication
Authentication is the process of verifying user identity. The system determines who you are.
Key Characteristics
- Answers the question: "Who are you?"
- Verifies credentials (login/password, token, biometrics)
- Happens before authorization
- Result: user is identified or not
Authentication Examples
// Simple authentication example
async function authenticate(email, password) {
const response = await fetch('/api/auth/login', {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify({ email, password })
});
if (response.ok) {
const { token } = await response.json();
// Save token for subsequent requests
localStorage.setItem('authToken', token);
return true;
}
return false;
}
Authentication Methods
- Username and Password — classic approach
- OAuth 2.0 — login via Google, Facebook, etc.
- JWT Tokens — digitally signed tokens
- Biometrics — fingerprint, Face ID
- Two-Factor Authentication (2FA) — additional code from SMS or app
- Magic Links — login link sent via email
Authorization
Authorization is the process of verifying access rights. The system determines what you are allowed to do.
Key Characteristics
- Answers the question: "What are you allowed to do?"
- Checks user permissions and roles
- Happens after authentication
- Result: access granted or denied
Authorization Examples
// Access control check example
function checkAuthorization(user, resource, action) {
// Check user role
if (action === 'delete' && user.role !== 'admin') {
throw new Error('Insufficient permissions to delete');
}
// Check resource ownership
if (action === 'edit' && resource.ownerId !== user.id) {
throw new Error('You can only edit your own resources');
}
return true;
}
// Middleware to protect routes
function requireAdmin(req, res, next) {
if (req.user?.role !== 'admin') {
return res.status(403).json({ error: 'Access denied' });
}
next();
}
Authorization Models
- Role-Based Access Control (RBAC) — based on roles (admin, user, moderator)
- Attribute-Based Access Control (ABAC) — based on user attributes
- Access Control Lists (ACL) — access lists for each resource
- Policy-Based Access Control (PBAC) — based on security policies
Key Differences
| Criteria | Authentication | Authorization |
|---|---|---|
| Question | "Who are you?" | "What can you do?" |
| Purpose | Verify identity | Verify permissions |
| Order | First step | Second step |
| Data | Login, password, token | Roles, permissions, policies |
| Result | Login successful / denied | Access granted / denied |
| HTTP Status | 401 Unauthorized | 403 Forbidden |
| Example | System login | Admin panel access |
Practical Example
// 1. AUTHENTICATION — verify who the user is
app.post('/api/auth/login', async (req, res) => {
const { email, password } = req.body;
const user = await User.findOne({ email });
if (!user || !await user.comparePassword(password)) {
return res.status(401).json({ error: 'Invalid credentials' });
}
const token = generateJWT(user);
res.json({ token, user: { id: user.id, role: user.role } });
});
// 2. AUTHORIZATION — verify access permissions
app.delete('/api/posts/:id', authenticateToken, async (req, res) => {
const post = await Post.findById(req.params.id);
// Check permissions: only author or admin can delete
if (post.authorId !== req.user.id && req.user.role !== 'admin') {
return res.status(403).json({ error: 'Insufficient permissions' });
}
await post.delete();
res.json({ success: true });
});
// Authentication middleware
function authenticateToken(req, res, next) {
const token = req.headers.authorization?.split(' ')[1];
if (!token) {
return res.status(401).json({ error: 'Authentication required' });
}
try {
req.user = verifyJWT(token);
next();
} catch (error) {
return res.status(401).json({ error: 'Invalid token' });
}
}
Process Flow
┌─────────────────┐
│ User │
└────────┬────────┘
│
▼
┌─────────────────────────┐
│ 1. AUTHENTICATION │
│ "Who are you?" │
│ Login + Password │
└────────┬────────────────┘
│
▼
✓ Success
│
▼
┌─────────────────────────┐
│ 2. AUTHORIZATION │
│ "What can you do?" │
│ Permission check │
└────────┬────────────────┘
│
▼
✓ Access granted
│
▼
┌─────────────────────────┐
│ Access to resource │
└─────────────────────────┘
HTTP Error Codes
401 Unauthorized — Authentication Error
- User is not authenticated
- Token is missing or invalid
- Invalid credentials
// 401 Example
res.status(401).json({ error: 'Login required' });
403 Forbidden — Authorization Error
- User is authenticated but lacks permissions
- Insufficient rights to perform action
// 403 Example
res.status(403).json({ error: 'Access denied' });
Real-Life Examples
Authentication
- Logging into Gmail with username and password
- Unlocking phone with fingerprint
- Showing passport at border control
Authorization
- Admin panel access only for administrators
- Editing only your own posts on social media
- Viewing private files only by owner
Interview Tips
- Remember the order: authentication first, then authorization
- Distinguish HTTP codes: 401 for authentication, 403 for authorization
- Provide examples: JWT for authentication, RBAC for authorization
- Understand the connection: no authorization without authentication
- Know the methods: OAuth, JWT, 2FA for authentication; RBAC, ACL for authorization
Summary
- Authentication — identity verification ("Who are you?")
- Authorization — permission verification ("What can you do?")
- Authentication always happens before authorization
- 401 — authentication error, 403 — authorization error
- Both processes are critical for application security