Authentication vs Authorization
Introduction
Every secure web application needs both authentication and authorization, but they serve different purposes. Many beginners use these terms interchangeably, which can lead to design and security mistakes. In simple terms, authentication verifies who you are, while authorization determines what you are allowed to do. This blog explains both concepts clearly with examples and code.
What is Authentication
Authentication is the process of verifying a user’s identity. It answers the question: Who are you?
Common examples include:
- Logging in with username and password
- Signing in with Google or GitHub
- Using fingerprint or face ID on mobile apps
If authentication is successful, the system has established which user is making the request; it has not yet decided what that user may do.
Simple Authentication Example in Node.js
const express = require("express");
const app = express();
app.use(express.json());

// Demo user store. Passwords are kept in plain text here only to keep the
// example short; a real application stores only password hashes.
const users = [
  { username: "admin", password: "1234" },
  { username: "user", password: "abcd" }
];

app.post("/login", (req, res) => {
  const { username, password } = req.body;
  const user = users.find(
    u => u.username === username && u.password === password
  );
  if (user) {
    res.send("Authentication successful");
  } else {
    // 401 tells the client the credentials were not accepted
    res.status(401).send("Invalid credentials");
  }
});

app.listen(3000);
Here, the system checks whether the username and password match a stored user.
What is Authorization
Authorization happens after authentication. It determines what a user is allowed to do. It answers the question: What can you access?
For example:
- An admin can delete users
- A normal user can only view their own profile
- A guest user can only read public content
Even if you are authenticated, you may not be authorized to perform certain actions.
Simple Authorization Example in Node.js
const express = require("express");
const app = express();

// Each known user carries a role; authorization decisions are based on it
const users = [
  { username: "admin", role: "admin" },
  { username: "user", role: "user" }
];

app.get("/admin", (req, res) => {
  // For illustration the caller names itself via a query parameter; a real
  // application takes the identity from an authenticated session or token
  const username = req.query.user;
  const user = users.find(u => u.username === username);
  if (!user) {
    return res.status(401).send("Not authenticated");
  }
  if (user.role !== "admin") {
    return res.status(403).send("Not authorized");
  }
  res.send("Welcome to admin panel");
});

app.listen(3000);
Here, even if a user exists, only admins can access the admin panel.
Authentication vs Authorization Comparison
Authentication
- Verifies identity
- Happens first
- Answers who you are
- Example: login process
Authorization
- Checks permissions
- Happens after authentication
- Answers what you can do
- Example: role-based access
Real World Example
Think of a bank:
- Authentication: Showing your ID to enter the bank
- Authorization: Being allowed to access your account but not someone else’s
You may be authenticated as a customer, but you are not authorized to access other people’s accounts.
Using JWT for Authentication and Authorization
Creating a JWT after login
const jwt = require("jsonwebtoken");

// The signing secret is hard-coded for the demo; load it from configuration
// (for example an environment variable) in a real application
const token = jwt.sign(
  { username: "admin", role: "admin" },
  "secretKey",
  { expiresIn: "1h" }
);
console.log(token);
Verifying and checking authorization
const express = require("express");
const jwt = require("jsonwebtoken");
const app = express();

// Authentication: establishes who the caller is from a signed token
function authMiddleware(req, res, next) {
  // Accept the token either bare or in the usual "Bearer <token>" form
  const header = req.headers["authorization"];
  const token = header && header.replace(/^Bearer\s+/i, "");
  if (!token) {
    return res.status(401).send("Not authenticated");
  }
  jwt.verify(token, "secretKey", (err, user) => {
    if (err) {
      // Bad signature or expired token: the identity claim cannot be trusted
      return res.status(401).send("Invalid token");
    }
    req.user = user; // decoded claims, trusted only after verification
    next();
  });
}

// Authorization: decides what the authenticated caller may do
app.get("/admin", authMiddleware, (req, res) => {
  if (req.user.role !== "admin") {
    return res.status(403).send("Not authorized");
  }
  res.send("Welcome admin");
});

app.listen(3000);
Here, authentication is performed by verifying the token's signature and expiry, and authorization by checking the role claim the verified token carries.
Best Practices
- Always authenticate before authorizing
- Use HTTPS to protect credentials
- Store passwords securely using hashing
- Use role-based access control
- Limit user permissions to what they actually need
Conclusion
Authentication and authorization are both essential for secure web applications, but they serve different roles. Authentication proves who the user is, while authorization controls what they can do. Understanding this difference helps developers design safer, more reliable systems.