Authentication vs Authorization

Objectives

  • Differentiate authentication vs authorization

  • Define authorization

Authentication IS NOT Authorization

Being signed in does not mean you are authorized to take every action in the application.

Authentication is verifying who you are

Authorization

Verifying that a user has the permission to take a specific action

Example:

POST /users/1234/messages

Authorization: Bearer <JWT>

{ "text": "userId in token should match route" }

Only user 1234 should be allowed

Your Turn