
Authentication and authorization: The difference

Authentication and authorization are closely related, and, because of that, many people mix them up.

In this post, we will clearly explain the differences in authentication vs authorization, so you can understand the concept of each and how they work together.

What is authentication?

Authentication is the process of verifying who someone is (i.e., their identity). It answers the question: “Are you really who you claim to be?”

This applies not only to human users, but also to non-human identities (NHIs) such as applications, bots, and service accounts. Whether the identity is human or machine, the process is the same: verify that it is what it claims to be.

A typical authentication workflow looks like this:

  1. The user enters their credentials to log in
  2. The system tries to match the entered credentials with those stored in its database
  3. If the credentials match, the user is authenticated

Common authentication factors

There are several common ways people prove their identity when logging into a system:

  • Something you know: A password, PIN or answer to a security question
  • Something you have: A one-time code sent to your phone or a smart card
  • Something you are: A fingerprint or any other biometric data
  • Somewhere you are: Your physical location, verified through GPS or IP address

Multi-factor authentication

Multi-factor authentication (MFA) is a way to strengthen authentication by using more than one factor to verify identity. For example, you may be required to enter your password and then confirm a code sent to your phone.

What is authorization?

Authorization is the process of deciding what an authenticated user is allowed to do. It answers the question: “Now that we know who you are, what are you allowed to access?”

A typical authorization workflow looks like this:

  1. A user successfully logs into a system (i.e., their authentication is done).
  2. The system retrieves the access rights or permissions assigned to the user.
  3. The system evaluates the user's specific request against their retrieved permissions to grant or deny access to the resource.

Roles, permissions and policies

Authorization is usually managed through roles, permissions and policies. These define what actions a user can or cannot perform.

  • Roles: Groups of users with similar access needs, such as administrator or viewer
  • Permissions: Specific actions a user is allowed to perform
  • Policies: Rules that define how access decisions are made

Least privilege

Least privilege is the principle of giving users only the access they need to perform their tasks, and nothing more. This ensures that if an account is compromised, the damage is limited because the account does not have unnecessary access rights.
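As an added example (not code from the original post), the authorization workflow and the roles, permissions and policies described above: each role maps to the smallest permission set it needs, policies are rules evaluated against the request, and the decision is deny-by-default with an explicit deny overriding any allow. The role table, the ownership and locked-record policies, and the request fields are constructed for the example.

```python
from dataclasses import dataclass

# Roles group users with similar access needs; each gets only the permissions
# its tasks require (least privilege). Unknown roles grant nothing.
ROLE_PERMISSIONS = {
    "administrator": {"record:read", "record:update", "record:delete", "user:create"},
    "editor": {"record:read", "record:update"},
    "viewer": {"record:read"},
}


@dataclass(frozen=True)
class AccessRequest:
    subject: str            # identity established by authentication
    roles: frozenset        # roles retrieved for that identity
    action: str             # permission the request needs, e.g. "record:delete"
    resource_owner: str     # attribute of the target resource
    resource_locked: bool = False


def permissions_for(roles) -> set:
    granted = set()
    for role in roles:
        granted |= ROLE_PERMISSIONS.get(role, set())
    return granted


# Policies: each rule returns "allow", "deny" or None (no opinion).
def policy_locked_records(req: AccessRequest):
    """Locked records cannot be changed by anyone, whatever their role."""
    if req.resource_locked and req.action in {"record:update", "record:delete"}:
        return "deny"
    return None


def policy_owner_can_update(req: AccessRequest):
    """An owner may update their own record even without the editor role."""
    if req.action == "record:update" and req.resource_owner == req.subject:
        return "allow"
    return None


def policy_role_permissions(req: AccessRequest):
    """Standard role-based check against the permission table."""
    return "allow" if req.action in permissions_for(req.roles) else None


POLICIES = [policy_locked_records, policy_owner_can_update, policy_role_permissions]


def authorize(req: AccessRequest) -> bool:
    """Deny-by-default: an explicit deny wins, otherwise at least one allow is required."""
    decisions = [policy(req) for policy in POLICIES]
    if "deny" in decisions:
        return False
    return "allow" in decisions


if __name__ == "__main__":
    req = AccessRequest("bob", frozenset({"viewer"}), "record:delete", resource_owner="alice")
    print("allowed" if authorize(req) else "denied")
```

Because every decision passes through one function, adding a new rule means adding a policy, not sprinkling role checks through request handlers, and a missing rule fails closed.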

Authentication vs authorization in APIs

APIs also implement authentication and authorization. The goal is the same as in any other system.

Authentication is used to verify the identity of the user making the request.

Authorization is used to decide what that user is allowed to access or modify.

Let’s look at how different frameworks handle authentication vs authorization in APIs.

REST API

In REST APIs, authentication is commonly handled using credentials like API keys or bearer tokens. For example, a client may send a token in the HTTP Authorization header with each request.

Once the server verifies the credentials, it moves to authorization. At this stage, the system checks whether the authenticated user has permission to perform the requested action.

For example, a user may be authenticated successfully but still be blocked from deleting a resource if they do not have the required permission.

OAuth 2

OAuth 2 is a widely used authorization framework, though it also plays a role in authentication when used with systems like OpenID Connect.

In OAuth, authentication usually happens when the user logs in with an identity provider. After successful authentication, the system issues an access token. This token carries the permissions (scopes) that were granted.

Authorization happens when an API receives that token and checks what scopes or access rights are attached to it. The API then decides whether the requested action is allowed based on those scopes.

JWT authentication vs authorization

JWT stands for JSON Web Token. It is a compact token format that is often used in modern web apps and APIs to handle authentication and (sometimes) authorization.

In JWT-based authentication, a user logs in with credentials such as a username and password. After successful authentication, the server generates a signed token and sends it back to the user. The user then includes this token in future requests, usually in the Authorization header. The server verifies the token to confirm the user’s identity.

JWT can also play a role in authorization. The token often contains information about the user, such as roles or access rights. When the server receives the token, it reads this information and decides whether the user is allowed to perform a specific action.

JWT claims

Claims are pieces of information stored inside a JWT. They are written as key-value pairs and provide details about the user and the token itself, such as who issued the token and whether it’s still valid.

Claims vs permissions

Claims and permissions are related but not the same.

Claims are pieces of data inside the token. They describe facts about the user or the token. For example, a claim may state that the user has the role of administrator.

Permissions are the actual rights granted within the system, such as the ability to create a user or delete a record.

In short, claims carry information, while permissions define what actions are allowed.

IAM and SSO

Identity and access management (IAM) is a framework used to manage authentication and authorization across an organization. It defines how users are identified, how their credentials are managed, what resources they are allowed to access and what the login process looks like.

Single sign-on (SSO) is a feature often built into IAM platforms. With SSO, a user logs in once and gains access to multiple applications without needing to log in again for each one.

Authentication happens during the initial login. After that, authorization rules are applied each time the user tries to access a specific application or resource.

Conclusion

Authentication and authorization are two closely linked concepts that are part of every security system. Authentication confirms identity, while authorization determines what that identity is allowed to do.

We hope this guide has made the differences in authentication vs authorization clear and given you a solid foundation to apply these concepts in your own systems.
