What's the difference between Authentication and Authorization?

May 2, 2021 · 1 min read
Guard in front of Buckingham Palace
Photo by Kutan Ural on Unsplash

Don't use the word "auth".

Unless everyone knows what you're referring to.

There's authentication and then there's authorization.

Let's look at the definitions of both and what to do instead of "auth".

Authentication vs Authorization

Here's a handy definition:

  • Authentication answers the question, “is this user who they say they are?”
  • Authorization answers the question, “is this user allowed to do that specific action?”

The answers to both questions matter on every user action. On the web, you can't trust user input.

Even if you render specific UI only for a specific subset of your users, anyone may call the respective API endpoints directly. So don't stop at validating their login: also check whether the user is allowed to perform that action.

What to do in discussions

Language is vague.

And everybody brings different interpretations and different mental images to a subject of discussion.

Your job when talking about tech is to make it clear what you're talking about, within the shared context you have with the people involved.

So unless everybody knows you're only talking about authentication when you say auth, just say authentication.

When you mean both, say so. Other people, especially non-techies, don't have a clear mental image of what "auth" is, or know that it can mean two different things. This can lead to confusion down the road.