Authentication vs Authorization Explained

Two Different Concepts

Often confused, these are distinct security steps. Authentication verifies who you are; authorization determines what you can do.

Simple Analogy

• Authentication — showing ID to enter a building.
• Authorization — your keycard only opens certain rooms.

Comparison

Aspect	Authentication	Authorization
Question	Who are you?	What can you do?
Comes	First	After auth
Method	Password, biometrics	Roles, permissions

Authentication Example

// Verify identity
const user = await login(email, password);
if (!user) return res.status(401); // Unauthorized

Authorization Example

// Check permissions
if (user.role !== "admin") {
  return res.status(403); // Forbidden
}
deleteAllUsers();

Status Codes

• 401 Unauthorized — not authenticated.
• 403 Forbidden — authenticated but not authorized.

FAQs

Which comes first?

Authentication always comes before authorization. More in our Security guides.

What is RBAC?

Role-Based Access Control — assigning permissions by user role.