What is Authentication & Authorization?
Authentication (AuthN) verifies who you are — passwords, fingerprints, SSH keys. Authorization (AuthZ) decides what you can do — roles, permissions, access policies. Every secure system needs both.
JWT refresh token rotation is where most homegrown auth implementations go wrong. The common mistake is issuing long-lived access tokens (24+ hours) to avoid implementing refresh token logic. A stolen access token then grants access for the full validity window with no way to revoke it short of rotating the signing secret (which invalidates every token for every user). The secure pattern is short-lived access tokens (15 minutes) with stateful refresh tokens stored in the database — revoking a refresh token invalidates only that user's session. The OWASP Top 10 identifies broken authentication as a persistent top-three vulnerability.
OAuth 2.0 with PKCE (Proof Key for Code Exchange) is now the recommended flow for single-page applications and mobile apps — not the implicit flow, which the OAuth 2.0 Security Best Current Practice RFC has deprecated. The PKCE flow prevents authorization code interception attacks without requiring a client secret. The OAuth 2.0 PKCE specification explains the code verifier and code challenge mechanism.
Authorization (what a user can do) is systematically harder than authentication (who a user is) in most applications. RBAC (role-based) covers 80% of cases; ABAC (attribute-based) is needed when permissions depend on resource attributes (e.g., "can edit documents they own"). Design your data model for the correct access control model early — retrofitting ABAC onto an RBAC schema is painful.
The Big Picture
Every time you log into a website, swipe a badge, or SSH into a server, two questions get answered: "Are you who you claim to be?" (authentication) and "Are you allowed to do this?" (authorization). These two concepts are the foundation of all security — from a simple login form to enterprise zero-trust architectures.
Explain Like I'm 12
Imagine your school has a front gate and a bunch of rooms inside. Authentication is the security guard at the gate checking your student ID — proving you actually go to this school. Authorization is the rules about which rooms you can enter — students can go to classrooms but not the teacher's lounge. You need BOTH: the guard has to know who you are, and then the rules decide where you're allowed to go.
Why It Matters
Get authentication wrong, and attackers impersonate your users. Get authorization wrong, and regular users access admin features. Major breaches — from leaked databases to ransomware — almost always trace back to a failure in one of these two areas.
| Concept | Question It Answers | Example |
|---|---|---|
| Authentication | Who are you? | Username + password, SSH key, fingerprint |
| Authorization | What can you do? | Admin role, read-only access, file permissions |
Authentication Types at a Glance
| Type | How It Works | Common Use |
|---|---|---|
| Password-based | User provides a secret string | Web logins, databases |
| SSH Keys | Public/private key pair — server checks your public key | Server access, Git |
| OAuth 2.0 | Delegated access via tokens — "Login with Google" | Third-party app access |
| JWT Tokens | Self-contained signed tokens carry user claims | APIs, microservices |
| Multi-Factor (MFA) | Combines 2+ factors: something you know/have/are | Banking, enterprise apps |
| API Keys | Static secret string sent with each request | Service-to-service calls |
| Certificate-based | X.509 certificates prove identity via PKI | mTLS, enterprise VPN |
Who Is This For?
- Backend developers building login flows, API auth, and access control
- DevOps engineers managing SSH keys, service accounts, and secrets
- Frontend developers handling tokens, sessions, and OAuth redirects
- Anyone preparing for interviews — auth questions come up constantly
What You'll Learn
Test Yourself
What is the difference between authentication and authorization?
A user logs into a web app with a password, then tries to access the admin panel but gets a "403 Forbidden" error. Which step succeeded and which failed?
Why are API keys considered weaker than OAuth tokens for user-facing applications?
Name the three factors of multi-factor authentication.