Search tools and guides ⌘K
ELI5 · Security & glue

Authentication vs authorization.

Proving who you are at the door, versus what that identity is actually allowed to do inside.

These two are often lumped together as "auth", but they answer different questions. Authentication (authn) asks "who are you?" — it is the act of proving your identity, like showing ID at the door of a building.

Authorization (authz) asks "what are you allowed to do?" — once we know who you are, it decides which rooms you may enter. Your ID badge might get you into the building (authenticated) but the door to the server room stays locked unless your role grants it (not authorized).

  1. Name? ID, please.
    who?
    1

    Authentication asks one thing: who are you? Prove it.

  2. Checks out. You’re Alice.
    ID you’re Alice
    2

    You show ID — password, passkey, token. The door now knows you’re really Alice.

  3. which rooms? badge
    3

    That badge gets you into the building. But it doesn’t say what you may touch.

  4. Alice the viewer, says your role.
    ROLE Alice viewer allowed to do?
    4

    Authorization asks the second question: now that we know you, what are you allowed to do?

  5. Read: yes. Delete: no.
    read delete
    5

    The server-room door stays locked — Alice’s role grants reading, not deleting.

  6. Knowing who ≠ letting them in.
    EVERYONE’S DATA no check!
    6

    Skip that second check and a real user overreaches — the classic broken-access-control hole.

Proving who you are at the door, then checking which rooms that identity may enter — two questions, always in this order.

Order matters, and so does keeping them separate

Authentication always comes first — you cannot decide what someone may do until you know who they are. Conflating the two is a classic source of bugs: a system that authenticates a user but then forgets to check whether that specific user is allowed to touch this specific record creates exactly the "broken access control" holes that top security risk lists. Authentication is necessary but never sufficient.

How authorization is expressed

Once identity is established, permissions are usually modelled as roles or rules. Role-based access control (RBAC) groups permissions into roles like "admin" or "viewer" and assigns users to them. Finer-grained schemes consider attributes — the resource's owner, the time, the user's department — to decide each request. Standards like OpenID Connect handle the authentication and identity side and hand the application verified claims, which the app then uses to make its own authorization decisions.

The real version How OpenID Connect works →
← All explainers
Related Concepts Related Concepts
Study Path Eli5 — overview
Found this useful?