Authentication vs Authorization for APIs - Tech For PM
Why am I seeing this on a Monday morning? I wanna sleep :P
Before diving into authentication and authorization, as I sit here writing this newsletter at 1:19 AM (midnight), I’ve just had a sudden realization—we're already in September, nearing the end of 2024! The cycle of the year continues, and so do our dreams, aspirations, and ambitions.
Okay! Happy Monday and let’s start with understanding authentication and authorization.
Imagine your house. Before you let anyone in, you check whether the person is allowed to enter. Is it a known person, or perhaps someone who has been referred by a family member? This is authentication—checking the identity of the person before allowing them into your house.
But not everyone who enters your house can go everywhere. A family member may have access to the bedrooms, while a professional guest might only be allowed in the living room and lawn, and a driver may only have access to the lawn. This is called authorization—once someone is allowed into your house, determining what resources they are eligible to access.
I'm usually too lazy to draw diagrams, but here's one I actually attempted using my favorite tool—Miro! (Not a paid sponsorship, but hey, Miro, if you're reading this... 😉)
I hope you've got the gist of authentication and authorization in simple terms! But let me dive a little deeper (so you can impress in interviews and sound super smart when chatting with engineers 😎).
Authentication 🔑
Authentication is the process of verifying the identity of a user or system. It's about confirming that the entity trying to access the API is who they claim to be.
Purpose: To ensure that the user or system is genuine.
Process: Typically involves checking credentials, such as:
Username and password
API keys (It’s like a secret key; something like fy34r74y3fyydywvdf6wyfwef)
Tokens (like JWT - JSON Web Tokens)
Example: When you log in to a service with your username and password, the service verifies your credentials to confirm your identity.
Authorization 👤
Authorization is the process of determining what actions an authenticated user or system is allowed to perform. It controls access to resources and operations.
Purpose: To ensure that the authenticated user or system has the right permissions to access specific resources or perform specific actions.
Process: Typically involves checking permissions or roles assigned to the authenticated user or system against the requested resource or action.
Example: After you log in to a service, you may have different levels of access, such as:
Read-only access to certain data
Write access to update or delete data
Admin access to manage users and settings
By now, you’ve probably realized just how simple authentication and authorization really are. (But shhh… don’t tell your engineers!). Let me quickly sum up the difference again for an easy reference.
Key Differences 🤷🏼‍♀️
Order: Authentication always comes before authorization. First, the system verifies who you are (authentication), and then it determines what you can do (authorization).
Focus:
Authentication focuses on identity verification.
Authorization focuses on permissions and access control.
Data Checked:
Authentication checks credentials.
Authorization checks permissions or roles.
Tada! 💌
Authentication: "Who are you?"
Authorization: "What are you allowed to do?"
In the context of APIs, you might authenticate with an API key or OAuth token, and then the API will check what resources and actions you are authorized to access based on your identity and permissions.
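To make the order concrete, here is a small added example (not code from the newsletter) of an API handler that does the two steps in sequence: first it authenticates the caller from an X-API-Key header (the "who are you?" step from the Authentication section above), then it authorizes the request against the caller's role (the read / write / admin levels from the Authorization section). All keys, user names, roles and the policy table are constructed sample data; the header name and the helper functions are assumptions for the demonstration.

```python
"""
Added example: a tiny in-memory API gateway showing that authentication
(identity) happens before authorization (permissions). Every key, user and
role below is constructed sample data, not a real credential.
"""
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed credential store: API key -> user identity.
# (The first key is the sample string used in the newsletter text.)
API_KEYS = {
    "fy34r74y3fyydywvdf6wyfwef": "alice",
    "sample-key-bob": "bob",
}

# Constructed role assignments: user identity -> role.
USER_ROLES = {
    "alice": "admin",
    "bob": "reader",
}

# Authorization policy: (resource, action) -> roles allowed to do it.
POLICY = {
    ("documents", "read"): {"reader", "writer", "admin"},
    ("documents", "write"): {"writer", "admin"},
    ("users", "manage"): {"admin"},
}


@dataclass
class Response:
    status: int
    body: str


def authenticate(headers: dict) -> Optional[str]:
    """Step 1 - who are you? Returns the user id for a valid key, else None."""
    presented = headers.get("X-API-Key", "")
    for key, user in API_KEYS.items():
        # Constant-time comparison so a mismatch does not leak how many
        # leading characters of the key were correct.
        if hmac.compare_digest(presented, key):
            return user
    return None


def authorize(user: str, resource: str, action: str) -> bool:
    """Step 2 - what may you do? Checks the user's role against POLICY."""
    role = USER_ROLES.get(user)
    return role in POLICY.get((resource, action), set())


def handle_request(headers: dict, resource: str, action: str) -> Response:
    """Authenticate first; only an identified caller is ever authorized."""
    user = authenticate(headers)
    if user is None:
        # Identity could not be established: 401.
        return Response(401, "Unauthorized: unknown or missing API key")
    if not authorize(user, resource, action):
        # Identity is known, but this action is not permitted: 403.
        return Response(403, f"Forbidden: {user} may not {action} {resource}")
    return Response(200, f"OK: {user} performed {action} on {resource}")


if __name__ == "__main__":
    alice = {"X-API-Key": "fy34r74y3fyydywvdf6wyfwef"}
    bob = {"X-API-Key": "sample-key-bob"}
    print(handle_request({}, "documents", "read"))        # 401: no identity
    print(handle_request(bob, "documents", "read"))       # 200: reader may read
    print(handle_request(bob, "documents", "write"))      # 403: reader may not write
    print(handle_request(alice, "users", "manage"))       # 200: admin may manage
```

Two details worth noticing when you talk to engineers: the HTTP status codes map onto the two concepts (401 is returned when the caller's identity could not be established, 403 when the identity is known but the action is not permitted), and the secret comparison uses a constant-time function rather than `==`, so that timing differences cannot reveal how close a guessed key was.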
And yeah, if you love reading my newsletter, do share it on LinkedIn and Twitter. Tada!