Semicolony ELI5 · comic

Authentication vs authorization.

Proving who you are at the door, versus what that identity is actually allowed to do inside.

  1. Name? ID, please.
    (panel text: "who?")

    Authentication asks one thing: who are you? Prove it.

  2. Checks out. You’re Alice.
    (panel text: "ID", "you’re Alice")

    You show ID: a password, a passkey, a token. The door now knows you’re really Alice.

  3. which rooms? badge
    (panel text: "which rooms?", "badge")

    That badge gets you into the building. But it doesn’t say what you may touch.

  4. Alice the viewer, says your role.
    (panel text: "ROLE", "Alice: viewer", "allowed to do?")

    Authorization asks the second question: now that we know you, what are you allowed to do?

  5. Read: yes. Delete: no.
    (panel text: "read", "delete")

    The server-room door stays locked: Alice’s role grants reading, not deleting.

  6. Knowing who ≠ letting them in.
    (panel text: "EVERYONE’S DATA", "no check!")

    Skip that second check and a legitimately authenticated user overreaches into data or actions that were never theirs: the classic broken-access-control hole.

Proving who you are at the door, then checking which rooms that identity may enter — two questions, always in this order.
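The two questions, and the hole that opens when the second one is skipped, as an added example that is not part of the Semicolony comic. The token table, the role table, the `delete_record_*` handler names and the `(status, message)` return shape are all assumptions made for this illustration; a real service would get identity from a session or token store and permissions from its own policy.

```python
import hmac

# Constructed data for the example: which token proves which identity (authn),
# and which role each identity holds (authz). Alice is the viewer from the comic.
TOKENS = {"tok-alice-123": "alice", "tok-bob-456": "bob"}
ROLES = {"alice": "viewer", "bob": "admin"}
PERMISSIONS = {"viewer": {"read"}, "admin": {"read", "delete"}}


def authenticate(token):
    """Question 1: who are you? Returns the user id for a valid token, else None.

    compare_digest keeps the comparison constant-time so the token check itself
    does not leak how many leading characters of a guess were right.
    """
    for known, user in TOKENS.items():
        if hmac.compare_digest(known, token or ""):
            return user
    return None


def authorize(user, action):
    """Question 2: is this known identity allowed to perform `action`?"""
    role = ROLES.get(user, "")
    return action in PERMISSIONS.get(role, set())


def delete_record_vulnerable(token):
    """Panel 6: only asks 'who?'. Any authenticated user can delete, viewer or not."""
    user = authenticate(token)
    if user is None:
        return 401, "who are you? ID, please"
    # Missing authorization check: the badge got Alice into the building,
    # and nothing stops her at the server-room door.
    return 200, f"{user} deleted the record"


def delete_record_fixed(token):
    """Asks both questions, in order: identity first, then permission."""
    user = authenticate(token)
    if user is None:
        return 401, "who are you? ID, please"        # authentication failed
    if not authorize(user, "delete"):
        return 403, f"{user} is a {ROLES[user]}: read yes, delete no"  # authorization failed
    return 200, f"{user} deleted the record"


if __name__ == "__main__":
    for handler in (delete_record_vulnerable, delete_record_fixed):
        for tok in ("tok-alice-123", "tok-bob-456", "forged-token"):
            print(handler.__name__, tok, handler(tok))
```

Note the two different failure codes: 401 means the door never learned who you are, 403 means it knows exactly who you are and the answer is still no. Collapsing both into one check, or into one status, is how the viewer ends up holding the delete key.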
Semicolony semicolony.dev/eli5/authn-vs-authz/comic