Understanding authentication and authorization is essential for any backend, frontend, or full-stack developer. These two security concepts sound similar, but they solve completely different problems.
Let’s break them down in a simple, beginner-friendly way.
Authentication: Who Are You?
Authentication answers: Are you really the person you claim to be? If authentication succeeds the system already knows who you are.
It usually involves:
- Providing a username/email
- Providing a password
Authorization: What Can You Do?
Once the system knows who you are, it must decide:
“What are you allowed to do?”
Authorization controls:
- Which endpoints you can access.
- What actions you can perform.
- Which resources you are allowed to modify.
Example:
A normal user can view their profile, but an admin can view all users.
Examples of Authentication Methods
Bearer Token Authentication
A Bearer Token is a random string given to a user after they successfully log in. You store the token (usually in localStorage) and send it on future requests.
How it works:
- You enter your email + password
- Server verifies your credentials against the database
- If correct, server generates a random token
- The token is stored in the server database
- On every future request, you send: Authorization: Bearer <token>
- Server looks up the token in the DB and checks: is it valid? Is it expired? Which user does it belong to?
Key point: The server must check the token in its database on every request.
JWT Authentication
A JWT (JSON Web Token) is not random. It contains encoded information such as: userId, email, expiration time.
JWTs can be decoded and verified without checking a database.
How JWT works:
- User enters credentials
- Server validates them
- Server generates a JWT containing user data
- Client sends the JWT on every request: Authorization: Bearer <token>
- Server verifies the JWT signature and the expiration time
Key point: JWT verification does not require a database lookup. Everything needed to validate the user is inside the token.
Session & Cookie Authentication
It is the most traditional web authentication method.
How Session/Cookie Auth Works
- User logs in
- Server verifies credentials
- Server creates a session in the database
- Server sends back a secure cookie
- The browser stores the cookie
- Every future request automatically includes that cookie
- Server checks the session ID to identify the user
Key point: The browser handles cookies automatically, which makes this approach a natural fit for SPAs and websites.
OAuth2 / Social Login (Google, GitHub, Twitter, etc.)
OAuth2 lets users log in using third-party accounts without sharing their password with your app.
How OAuth2 works
- User clicks “Log in with Google”
- Your app redirects the user to Google
- Google asks the user for permission
- User approves
- Google sends your app an authorization code
- Your backend exchanges the code for an access token
- Your server retrieves the user’s profile from Google
- User is logged in, with no password shared
Key point: OAuth2 provides secure authentication without revealing user credentials.
Top comments (2)
There was recently a social media discussion on how to invalidate a JWT when a user logs out while the JWT hasn't expired. I would like to get your take on that.
You cannot directly invalidate a JWT token since it's stateless. However, you can achieve a similar effect by:
1. Token blacklist
Store the token ID (like jti) in a blacklist when a user logs out. Every request checks the blacklist, and if the ID is found the JWT is rejected.
2. Short-lived access tokens + refresh tokens
Keep access tokens very short-lived (minutes). Use refresh tokens to generate new ones and revoke refresh tokens when needed.
3. Clear browser storage
Remove the token from localStorage or sessionStorage on logout. Simple, but doesn't stop stolen tokens from being used.
4. Stateful session-style JWTs
Store session info on the server and invalidate that session on logout. This removes statelessness but guarantees instant revocation.
Best Practice: Use short-lived access tokens + a blacklist if you need immediate revocation.
If you require strict logout across all devices, use a stateful approach.