Introduction

Most of the OWASP API Security Top 10 list is crowded with Authorization issues.

So I think it's important to know the difference between Authentication & Authorization.

Now if you already know the difference or want to read the gist, feel free to skip everything and check the TL;DR section. Else stick with me so we can get these fundamental concepts cleared.

Authentication

John wants to visit his office and as soon as he reaches the office building, he has to show his ID card at the door to get permission to enter the premises.

Not only that, he also has to present his ID card again at the office security gates to get inside.

[Image: Photo by Eric Prouzet on Unsplash]

So that's Authentication:

The act of proving that you are indeed the person you claim to be, that is, John proving that he is indeed John, via his ID card!

So, authentication is the act of proving that you are who you are claiming to be!

In the software world, it's equivalent to prompting for the user credentials to verify they are indeed the user whose account they wish to access.

That's authentication. Plain and simple.

The following image makes everything clear:


So if John has his ID card, then it helps him to get in!

Or if John has the correct credentials for his Gmail account, then they get him in, with access to all his emails.

One down! Over to the next one.

Authorization

It's good to know that you have the right clearance to enter the office building and maybe the specific floor as well, going past the office gates.

Now to enter a cabin — say the meeting hall, you would need your office badge again. Why? To check if you are really on the meeting member list.

If yes, then the door opens wide, letting you in. Else it will not open for you.

And that's what Authorization means:

The act of checking what access you have to a particular resource.

In the software world, that would be like presenting your cookie, API key or JWT to the backend so it can fulfil your request, provided that you have the rights to do so.

So the following image should do the job:


So if John's name is on the meeting list, he gets into the meeting hall. Else he won't be able to get in. Better luck next time?

Or if John has the right to update his account details but not his account balance, then the application would only allow the account details to be updated and not the balance.
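The account example above, as an added illustration that is not part of the original post: authenticate() answers "is this really John?" and hands back a session token, while authorize() and the update_account() handler answer "may John change this particular field?" The user store, permission names and password hashing are constructed for the example (a real system would use a slow password hash such as bcrypt or Argon2).

```python
import hashlib
import hmac
import secrets
from typing import Optional

def _hash(password: str, salt: str) -> str:
    # Illustrative only: SHA-256 with a salt stands in for a proper password hash.
    return hashlib.sha256((salt + password).encode()).hexdigest()

# Constructed sample user store: password hash plus the permissions each user holds.
USERS = {
    "john": {
        "salt": "s4lt",
        "pw_hash": _hash("correct horse", "s4lt"),
        "permissions": {"account:update_details"},  # deliberately no "account:update_balance"
    }
}

SESSIONS: dict = {}  # session token -> username (in-memory, for the example)

def authenticate(username: str, password: str) -> Optional[str]:
    """AuthN: prove you are who you say you are. Returns a session token, or None."""
    user = USERS.get(username)
    if user is None:
        return None
    # Constant-time comparison so the check does not leak how much of the hash matched.
    if not hmac.compare_digest(_hash(password, user["salt"]), user["pw_hash"]):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = username
    return token

def authorize(token: str, permission: str) -> bool:
    """AuthZ: for an already-authenticated session, may this user perform this action?"""
    username = SESSIONS.get(token)
    if username is None:
        return False  # no valid session: there is nobody to authorize
    return permission in USERS[username]["permissions"]

def update_account(token: str, field: str, value) -> str:
    """Backend handler: the required right depends on the field being changed."""
    needed = "account:update_balance" if field == "balance" else "account:update_details"
    if token not in SESSIONS:
        return "401 Unauthorized"  # AuthN failed or missing
    if not authorize(token, needed):
        return "403 Forbidden"     # AuthN succeeded, AuthZ denied
    return f"200 OK: {field} updated"
```

Note the two distinct failure codes: 401 means the backend does not know who you are, 403 means it knows exactly who you are and still says no.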

Amazing, another one cleared up too.

TL;DR

Authentication

The act of proving you are who you say you are!

Authorization

The act of checking what you are allowed to do: what you can access, what you can modify and what you can delete.

Check these images to make things more clear:


Closing Thoughts

Achievement unlocked! Well done. You understand the two most fundamental and quite important concepts of Authentication (or AuthN) and Authorization (or AuthZ).

Now you won't be confused when you hear these two terms; just remember these two images and everything will be crystal clear :)