Authentication vs. Authorization

“What is the difference between Authentication and Authorization?”

These two words look alike and are, unfortunately, sometimes used interchangeably. But they refer to two different things, and a service that checks only one of them is not secure.

Authentication is how your service establishes that the caller is who they claim to be, usually by checking a password, a token or a signature. Once that identity is established, your service still has to decide whether that particular identity is allowed to perform the requested action on the requested resource. That second decision is authorization. Let me illustrate with an example:

Let’s say you have built an API for your new web app. A user authenticates with your API by, for example, presenting a token you issued to them. Once authenticated they can look at their own account, change it, delete it, whatever. But they cannot change someone else’s account: they don’t have permission to do that, and the API has to check, on every request, that the account named in the request actually belongs to the authenticated caller rather than trusting the client to only ask for its own data. Neither should they be able to bombard your API with thousands of requests per second; a per-user quota is a limit that applies no matter how well the caller has proven their identity. Even though they are authenticated, they might not have the authority to do certain things. Authenticated but not authorized!
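To make the distinction concrete, here is a small added example (not code from the original post) of the API handler described above. Token verification is the authentication step; comparing the authenticated user against the account named in the request is the authorization step; the per-user rate limit is shown as a separate quota check after both. The HMAC-based token format, the secret, the `ACCOUNTS` table and the user names are constructed for the demo; a real service would use opaque session tokens or a signed JWT, a key from a secret store, and a database.

```python
import hashlib
import hmac
import time
from collections import deque

# Constructed demo secret and data (not from the post); never hard-code a real key.
SECRET = b"demo-secret-not-for-production"

ACCOUNTS = {
    "alice": {"email": "alice@example.com"},
    "bob": {"email": "bob@example.com"},
}


def issue_token(user_id):
    """Mint a token that binds user_id to an HMAC-SHA256 tag under SECRET."""
    mac = hmac.new(SECRET, user_id.encode(), hashlib.sha256).hexdigest()
    return f"{user_id}.{mac}"


def authenticate(token):
    """Authentication: who is calling? Returns the user id the token proves, or None."""
    if not token or "." not in token:
        return None
    user_id, mac = token.rsplit(".", 1)
    expected = hmac.new(SECRET, user_id.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so the tag cannot be guessed byte by byte.
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return None
    return user_id


class RateLimiter:
    """Sliding-window limiter: at most `limit` requests per `window` seconds per user.
    The clock is injectable so the behaviour can be tested deterministically."""

    def __init__(self, limit, window, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self.hits = {}

    def allow(self, user_id):
        now = self.clock()
        q = self.hits.setdefault(user_id, deque())
        while q and now - q[0] >= self.window:
            q.popleft()  # drop hits that have left the window
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def update_email_authn_only(token, account_id, new_email):
    """The bug: authentication is checked, authorization is not.
    Any logged-in user can change any account they can name."""
    caller = authenticate(token)
    if caller is None:
        return 401
    ACCOUNTS[account_id]["email"] = new_email
    return 200


def update_email(token, account_id, new_email, limiter):
    """Fixed: authenticate, then authorize the caller for *this* resource,
    then apply the per-user quota, and only then act on the request."""
    caller = authenticate(token)
    if caller is None:
        return 401  # unauthenticated: we do not know who this is
    if caller != account_id:
        return 403  # authenticated, but not authorized for someone else's account
    if not limiter.allow(caller):
        return 429  # authenticated and authorized, but over quota
    if account_id not in ACCOUNTS:
        return 404
    ACCOUNTS[account_id]["email"] = new_email
    return 200


if __name__ == "__main__":
    bob = issue_token("bob")
    limiter = RateLimiter(limit=3, window=60)
    print(update_email_authn_only(bob, "alice", "evil@example.com"))  # 200: bob edited alice's account
    print(update_email(bob, "alice", "evil@example.com", limiter))    # 403: forbidden
    print(update_email(bob, "bob", "bob2@example.com", limiter))      # 200: own account
    print(update_email("bob.deadbeef", "bob", "x@example.com", limiter))  # 401: bad token
```

The important line is `if caller != account_id`: the identity comes from the verified token, never from anything the client puts in the request body or URL. The status codes also reflect the distinction: 401 means "I don't know who you are", 403 means "I know who you are and the answer is no".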

I hope that helped in clearing the confusion between these two concepts.
