People mix these two words all the time, and the mix up causes real bugs. The difference between authentication vs authorization is simple once you see it: authentication proves who you are, and authorization decides what you are allowed to do. This post walks through both with a concrete login example, then shows how confusing them leads to broken access control.
Authentication vs authorization in one sentence each
Authentication answers the question “who are you?” You prove your identity, usually with a password, a passkey, or a one time code. When the app is satisfied, it knows it is talking to a specific user.
Authorization answers a different question: “are you allowed to do this?” Once the app knows who you are, it checks whether that identity may read a record, edit a setting, or delete an account. Same user, different question.
Authentication is the bouncer checking your ID at the door. Authorization is the staff checking whether your ticket lets you into the VIP room.
A login is authentication
You type an email and password into a SaaS app called Acme Notes. The server checks the password hash, sees it matches, and starts a session. That whole exchange is authentication. At the end of it the app is confident you are alice@example.com and nobody else. Nothing here has decided what Alice can touch yet.
Opening a record is authorization
Alice is now logged in. She clicks an invoice and the browser requests /invoice/123. The server has to answer a separate question before it returns anything: does invoice 123 belong to Alice? That check is authorization. If invoice 123 belongs to Bob, the correct answer is no, even though Alice is a fully authenticated, real user.
The example that shows the gap
Here is the request Alice’s browser sends after she logs in:
GET /invoice/123 HTTP/1.1 Host: app.acmenotes.example Cookie: session=alicevalidsessiontoken
The session cookie is valid. Authentication passes. The dangerous question is what the server does next. A correct server loads invoice 123, checks the owner field against the session user, and returns the invoice only if they match. A broken server skips that check and returns the invoice to anyone who is logged in.
Now Alice edits the URL by hand and asks for /invoice/124, then /invoice/125, walking the numbers up one at a time:
GET /invoice/124 HTTP/1.1 Host: app.acmenotes.example Cookie: session=alicevalidsessiontoken
If the server returns Bob’s invoice because Alice’s session is valid, the app has confused authentication with authorization. Alice proved who she is. The app never checked what she is allowed to see. This is the most common shape of broken access control, often called an insecure direct object reference, or IDOR.
Why the confusion is so easy to ship
Login code gets careful attention. Teams test it, rate limit it, and add multi factor. So authentication tends to be solid. Authorization is spread across every endpoint that returns or changes data, and it is invisible when you test with a single account, because that account owns everything it can reach. The bug only appears when a second user asks for the first user’s data. Many test suites never try that, so the gap survives to production.
Authentication vs authorization, side by side
- Question asked. Authentication: who are you? Authorization: what may you do?
- When it runs. Authentication runs once at login or per token. Authorization runs on every protected action.
- What proves it. Authentication uses passwords, passkeys, or codes. Authorization uses ownership rules, roles, and permissions.
- Typical failure. Authentication failing lets a stranger become a user. Authorization failing lets a real user reach data that is not theirs.
- Where it lives. Authentication sits at the front door. Authorization sits at every record, field, and button behind it.
- Status code on denial. Authentication problems return
401 Unauthorized. Authorization problems return403 Forbidden.
The status codes are worth a closer look, because their names are backwards from the concepts. The 401 code is literally named “Unauthorized” but it means you are not authenticated, so log in. The 403 code means you are authenticated but not authorized for this thing. If your code uses these interchangeably, that is often the first sign the two ideas are blurred in the codebase too.
“Authentication and authorization difference” in plain terms
If you search for the authentication and authorization difference, you will see them paired constantly, sometimes shortened to authn and authz. They run in order. Authn first, because you cannot decide what a user may do until you know who the user is. Authz second, on every single request that touches protected data. Reverse them or skip the second step and you get the invoice bug above.
How to spot the gap before an attacker does
You do not need fancy tooling to start. You need two accounts and a habit of suspicion.
- Create two real users, Alice and Bob, with separate data.
- Log in as Alice and note an object you own, like
/invoice/123. - Log in as Bob and request Alice’s object directly by its id.
- If Bob sees Alice’s data, you found a broken authorization check.
- Repeat for write actions, not just reads. A
POSTorDELETEto another user’s object is worse than a read.
Then push past predictable ids. Swap a numeric id for a UUID and the manual walk gets harder, but the missing check is still missing. The fix is the same in every case: every endpoint must check that the current authenticated user is allowed to act on the specific object, on the server, on every request. Never trust the client to hide a button or skip a URL.
The vs authorization vs authentication ordering trap
Some teams write a global middleware that confirms a valid session, then treat every authenticated request as fully allowed. That handles authentication and stops there. Authorization needs object level and field level rules that the middleware cannot know. A user may be allowed to read their own profile but not change their own role to admin. Same identity, different permissions, decided per action.
If you only remember one thing about authentication vs authorization, make it this: proving who you are is not the same as being allowed, and the gap between them is where access control breaks. For more on this class of bug, see our access control articles. Tracking down a missing ownership check across hundreds of endpoints is exactly the kind of bug an autonomous researcher that tests an app’s assumptions is built to find. You can read how we approach that on our about page.