Authentication (AuthN) vs Authorization (AuthZ)

Authentication (AuthN)

  • Verifies who a user is
  • Answers: 'Are you really who you claim to be?'
  • Examples:
    • Password login
    • OAuth login (Google, GitHub)
    • Biometrics, 2FA
  • Output: identity (user ID, session, token)

Authorization (AuthZ)

  • Determines what a user can do
  • Answers: 'Are you allowed to do this?'
  • Examples:
    • Role-based access (admin vs user)
    • Permissions (read/write/delete)
    • Feature flags, scopes in JWTs
  • Output: access decision (allow/deny specific actions)

Key difference

  • AuthN happens first → establishes identity
  • AuthZ happens after → enforces permissions for that identity
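
The AuthN-then-AuthZ ordering above, worked through as an added example that is not part of the original page: a request handler first verifies an HMAC-signed token (AuthN, output: identity) and only then checks that identity's role against a permission table (AuthZ, output: allow/deny). The secret, the role table and the token format are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-demo-secret"  # constructed; load from a secret store in practice
# AuthZ policy (constructed): which actions each role may perform.
ROLE_PERMISSIONS = {"admin": {"read", "write", "delete"}, "user": {"read"}}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(user_id: str, role: str) -> str:
    """Mint an HMAC-signed token: the identity artifact a successful login hands out."""
    payload = _b64(json.dumps({"sub": user_id, "role": role}).encode())
    sig = _b64(hmac.new(SECRET, payload.encode(), hashlib.sha256).digest())
    return f"{payload}.{sig}"

def authenticate(token: str):
    """AuthN: check the token proves who the caller is.
    Returns the identity dict, or None if the token does not verify."""
    try:
        payload, sig = token.split(".")
        expected = hmac.new(SECRET, payload.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_unb64(sig), expected):
            return None
        return json.loads(_unb64(payload))
    except ValueError:  # malformed token, bad base64 or bad JSON
        return None

def authorize(identity: dict, action: str) -> bool:
    """AuthZ: may this already-verified identity perform the action?"""
    return action in ROLE_PERMISSIONS.get(identity.get("role"), set())

def handle_request(token: str, action: str) -> int:
    """AuthN first, then AuthZ: 401 when no identity can be established,
    403 when the identity is known but not permitted, 200 otherwise."""
    identity = authenticate(token)
    if identity is None:
        return 401  # AuthZ never runs without an identity
    if not authorize(identity, action):
        return 403
    return 200
```

A forged payload that claims the admin role but carries the wrong signature fails AuthN (401) before any role is consulted, while a genuine user token asking to delete passes AuthN and fails AuthZ (403).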

Quick analogy

  • AuthN: showing your ID at the door
  • AuthZ: being allowed into specific rooms once inside