DEV Community

Njoki
Authentication vs Authorization (Explained in the Simplest Way Possible)

Understanding authentication and authorization is essential for any backend, frontend, or full-stack developer. These two security concepts sound similar, but they solve completely different problems.

Let’s break them down in a simple, beginner-friendly way.

Authentication: Who Are You?
Authentication answers: Are you really the person you claim to be? If authentication succeeds, the system knows who you are.

It usually involves:

  • Providing a username/email
  • Providing a password

Authorization: What Can You Do?

Once the system knows who you are, it must decide:
“What are you allowed to do?”
Authorization controls:

  • Which endpoints you can access.
  • What actions you can perform.
  • Which resources you are allowed to modify.

Example:
A normal user can view their profile, but an admin can view all users.
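The profile example above, as an added example (not code from the original post): a deny-by-default permission check that separates the two failures, "not authenticated" (401) from "authenticated but not allowed" (403). The permission table, the `user`/`admin` roles and the `handleGetProfile` handler are all constructed for the example.

```javascript
// Constructed permission table: role -> actions it may perform.
// ":own" means only on the caller's own resource, ":any" means on anyone's.
const PERMISSIONS = {
  user:  ['profile:read:own', 'profile:update:own'],
  admin: ['profile:read:own', 'profile:update:own', 'profile:read:any', 'user:delete:any'],
};

// Authorization: may `user` (already authenticated) perform `action` on the
// resource owned by `ownerId`? Unknown roles get no permissions at all.
function canAccess(user, action, ownerId) {
  const granted = PERMISSIONS[user.role] || [];
  if (granted.includes(`${action}:any`)) return true;
  if (granted.includes(`${action}:own`) && user.id === ownerId) return true;
  return false; // deny by default
}

// A request handler that runs both checks in order: who are you, then what may you do.
// `authenticatedUser` is whatever the authentication step produced (null if it failed).
function handleGetProfile(authenticatedUser, requestedUserId) {
  if (!authenticatedUser) {
    return { status: 401, body: 'not authenticated' };          // authentication failed
  }
  if (!canAccess(authenticatedUser, 'profile:read', requestedUserId)) {
    return { status: 403, body: 'forbidden' };                  // authorization failed
  }
  return { status: 200, body: `profile of user ${requestedUserId}` };
}

// Constructed sample users.
const alice = { id: 1, role: 'user' };
const admin = { id: 99, role: 'admin' };
```

Alice may read profile 1 (her own) but gets 403 for profile 2; the admin may read any profile; a request with no authenticated user gets 401 before any authorization logic runs.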

Examples of Authentication Methods

Bearer Token Authentication

A Bearer Token is a random string given to a user after they successfully log in. You store the token (usually in localStorage, which any script running on the page can read, so an XSS bug exposes it) and send it on future requests.

How it works:

  1. You enter your email + password
  2. Server verifies your credentials against the database
  3. If correct, server generates a random token
  4. The token is stored in the server database
  5. On every future request, you send it in the Authorization header: Authorization: Bearer <token>
  6. Server looks up the token in the DB and checks: is it valid? is it expired? which user does it belong to?

Key point: the server must check the token in its database on every request.

JWT Authentication

A JWT (JSON Web Token) is not random. It contains encoded (not encrypted) information such as the userId, email, and expiration time, so anyone holding the token can read those claims. Because the server signs it, JWTs can be decoded and verified without checking a database.

How JWT works:

  1. User enters credentials
  2. Server validates them
  3. Server generates a JWT containing user data
  4. Client sends the JWT on every request: Authorization: Bearer <token>
  5. Server verifies the JWT signature and the expiration time

Key point: JWT verification does not require a database lookup. Everything needed to validate the user is inside the token.

Session & Cookie Authentication

It is the most traditional web authentication method.

How Session/Cookie Auth Works

  1. User logs in
  2. Server verifies credentials
  3. Server creates a session in the database
  4. Server sends back a secure cookie
  5. The browser stores the cookie
  6. Every future request automatically includes that cookie
  7. Server checks the session ID to identify the user

Key point: the browser handles cookies automatically, which makes this approach well suited to traditional websites and SPAs.

OAuth2 / Social Login (Google, GitHub, Twitter, etc.)

OAuth2 lets users log in using third-party accounts without sharing their password with your app.

How OAuth2 works

  1. User clicks “Log in with Google”
  2. Your app redirects the user to Google
  3. Google asks the user for permission
  4. User approves
  5. Google sends your app an authorization code
  6. Your backend exchanges the code for an access token
  7. Your server retrieves the user’s profile from Google
  8. User is logged in; no password was shared with your app

Key point: OAuth2 provides secure authentication without revealing user credentials.
