What is Authentication and Authorization? Explain the difference b/w them.

Authentication and Authorization are the two core concepts of API security that we use to control access to resources.

  • Let's say you want to watch a movie at a nearby theater. You do three things:
    1. You buy a ticket at the ticket counter
    2. Show it to the personnel at the entrance
    3. Enter the auditorium and watch

  • Any person who doesn't possess a (valid) ticket can't enter the auditorium. In other words, a ticket means that you are "authenticated" to enter the screen, and no ticket means you are unauthenticated. This is "Authentication": establishing who (or what) is making the request.

  • An auditorium contains many "classes" of seats (economy, first-class, diamond, and so on), and the ticket you just bought belongs to one of those classes.

  • You may sit only in the class your ticket belongs to. You are allowed to watch, but you are only allowed to do certain things (sit in a certain class). This is called "Authorization": deciding what an already-identified requester is permitted to do.

  • The ability to enter is "Authentication", while the ability to access a specific thing is "Authorization". A request may be "authenticated" to an API (its identity is established) but still not be "authorized" for the particular resource or operation it asks for.

  • A request must be authenticated before it can be authorized; a request that is subject to an authorization decision has, by definition, already been authenticated.

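The following is an added example, not code from the original post, showing the two checks in the order the post describes: a request is first authenticated (the signed "ticket" is verified) and only then authorized (the "seat class" is compared to what the ticket permits). The secret, the user store and the token format are constructed for the demonstration; a real API would use an established token library or session mechanism. Note that the two failures are reported differently (401 for no valid ticket, 403 for a valid ticket in the wrong class) and that an unauthenticated request never reaches the authorization step at all.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional, Tuple

# Constructed for this example: server-side signing secret and the
# "ticket class" each known user holds. Not from the original post.
SECRET = b"constructed-demo-secret-do-not-reuse"
TICKET_CLASS = {"alice": "first-class", "bob": "economy"}


def issue_token(user: str) -> str:
    """Buying the ticket: return a payload.signature token naming the user."""
    payload = base64.urlsafe_b64encode(json.dumps({"sub": user}).encode()).decode()
    sig = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"


def authenticate(token: Optional[str]) -> Optional[str]:
    """The check at the door: verify the ticket and return who holds it.

    Returns None (unauthenticated) when the token is missing, malformed,
    or its signature does not verify. Identity is taken from the payload
    only after the signature has been checked, so a tampered payload fails.
    """
    if not token or "." not in token:
        return None
    payload, sig = token.rsplit(".", 1)
    expected = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so the check does not leak via timing.
    if not hmac.compare_digest(sig, expected):
        return None
    try:
        return json.loads(base64.urlsafe_b64decode(payload))["sub"]
    except (ValueError, KeyError, TypeError):
        return None


def authorize(user: str, seat_class: str) -> bool:
    """The check at the seat: may this (already authenticated) user sit here?"""
    return TICKET_CLASS.get(user) == seat_class


def handle_request(token: Optional[str], seat_class: str) -> Tuple[int, str]:
    """Process a request to sit in `seat_class`, authenticating first.

    401 = no valid ticket (authentication failed);
    403 = valid ticket, but not for this class (authorization failed);
    200 = both checks passed.
    """
    user = authenticate(token)
    if user is None:
        return 401, "unauthenticated: no valid ticket"
    if not authorize(user, seat_class):
        return 403, f"forbidden: {user} is not allowed in {seat_class}"
    return 200, f"{user} seated in {seat_class}"


if __name__ == "__main__":
    print(handle_request(None, "economy"))                     # 401
    print(handle_request(issue_token("bob"), "first-class"))   # 403
    print(handle_request(issue_token("alice"), "first-class")) # 200
```

The separation matters operationally: logging and alerting usually treat a burst of 401s (credential guessing or broken clients) differently from 403s (an identified principal probing resources it does not own), and keeping the authorization decision in its own function makes it possible to test the permission rules independently of how identities are established.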

Sriram Mannava

I'm a full-stack developer and a software enthusiast who likes to play around with cloud and tech stack out of curiosity.
