Authentication and Authorization
Understand the difference between authentication and authorization and learn how to decide when to use API keys, sessions, or token-based authentication.
We'll cover the following
Authentication vs. authorization
Authentication and authorization are two essential API security processes that we must implement to protect our web applications. Though the terms sound similar and folks often incorrectly use them interchangeably, it’s important to understand the difference.
Authentication (AuthN) verifies the identity of a user or service. It’s how we check that someone is who they say they are. A real-world example of authentication is matching a person’s face with a driver’s license. For online services, authentication often involves matching a user-supplied username and password with what we have securely stored in our database.
A simple user authentication system, such as a username and a password, is admittedly vulnerable. Many web applications do not enforce sufficiently secure and complex passwords, which allows users to enter passwords they can easily remember like “password” or “12345.” Unfortunately, weak passwords like these are easy to guess with brute-force hacking tools. Two-factor authentication (2FA) is an additional layer of security built upon the username/password authentication system. Instead of immediately granting access after a correct username/password is verified, users are required to provide some additional information, which usually falls into one of the following three categories (ranked from less secure to more secure):
Get hands-on with 1400+ tech skills courses.