Authentication answers “who are you?” — verifying identity (e.g. login, token). Authorization answers “what are you allowed to do?” — checking permissions after identity is known.
## Order of operations

```mermaid
flowchart LR
    R[Request] --> A[Authentication]
    A -->|Identity?| B{Authenticated?}
    B -->|No| 401[401 Unauthorized]
    B -->|Yes| C[Authorization]
    C --> D{Permitted?}
    D -->|No| 403[403 Forbidden]
    D -->|Yes| OK[200 Process]
```
## Definitions

| Concept | Question | Examples |
|---|---|---|
| Authentication | Who are you? | Login, JWT validation, API key, OAuth token |
| Authorization | What can you do? | Roles (admin, user), permissions (read:invoice), resource-level (can edit this post?) |
## In the request pipeline

```mermaid
sequenceDiagram
    participant C as Client
    participant API as API Gateway / Middleware
    participant App as Application
    C->>API: Request (e.g. + Bearer token)
    API->>API: Authenticate → who is this?
    alt Not authenticated
        API-->>C: 401 Unauthorized
    else Authenticated
        API->>API: Authorize → can they do this action?
        alt Not allowed
            API-->>C: 403 Forbidden
        else Allowed
            API->>App: Request + user/roles
            App-->>API: Result
            API-->>C: 200 OK
        end
    end
```
Always do authentication first. If the user is not authenticated, return 401. If they are authenticated but not allowed to perform the action, return 403. Despite its name, 401 Unauthorized is the authentication failure (no or invalid credentials); 403 Forbidden is the authorization failure (known identity, insufficient permission).
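The pipeline above as a minimal middleware, written here as an added example rather than code from the original note. The token store, role-to-permission map and post ownership data are constructed sample data; a real gateway would validate a JWT signature or look the API key up in a database instead of a dictionary.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample identity store: bearer token -> (user, roles).
TOKENS = {
    "tok-alice": ("alice", {"admin"}),
    "tok-bob": ("bob", {"user"}),
}

# Constructed sample data for the resource-level check ("can edit this post?").
POSTS = {1: {"owner": "bob"}, 2: {"owner": "carol"}}

# Role -> permission strings, in the note's "read:invoice" style.
ROLE_PERMISSIONS = {
    "admin": {"read:invoice", "edit:post"},
    "user": {"read:invoice", "edit:post"},
}


@dataclass
class Request:
    action: str                      # e.g. "read:invoice" or "edit:post"
    headers: dict = field(default_factory=dict)
    post_id: Optional[int] = None    # only meaningful for "edit:post"


def authenticate(req):
    """Step 1: who are you? Returns (user, roles) or None if unknown."""
    scheme, _, token = req.headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not token:
        return None
    return TOKENS.get(token)


def authorize(user, roles, req):
    """Step 2: what may you do? Role permission, then resource-level ownership."""
    granted = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in roles))
    if req.action not in granted:
        return False
    if req.action == "edit:post":
        post = POSTS.get(req.post_id)
        # Admins may edit any post; ordinary users only their own.
        return post is not None and ("admin" in roles or post["owner"] == user)
    return True


def handle(req):
    """Authentication before authorization: 401, then 403, then 200."""
    identity = authenticate(req)
    if identity is None:
        return 401, "Unauthorized"
    user, roles = identity
    if not authorize(user, roles, req):
        return 403, "Forbidden"
    return 200, f"processed {req.action} for {user}"
```

Note that an unknown token is answered with 401 before any permission lookup happens, so an unauthenticated caller never learns whether the action would have been permitted.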