Authentication vs authorization comes down to two different questions. Authentication answers "who are you," and authorization answers "what are you allowed to do." A system verifies identity first, then decides what that identity can access. They run in that order, they use different mechanisms, and treating them as one step is the single most common source of access-control bugs.
The words look alike and often get shortened to the same "auth," which is part of the problem. But the distinction is concrete: you can authenticate a user perfectly and still be right to deny their request, because being who you say you are is not the same as being allowed to do the thing you asked for. This guide defines each term, shows where they happen in a real login flow, gives a side-by-side comparison, and explains why the authorization half is the one teams tend to underbuild.
Authentication confirms identity; authorization grants or denies access to a specific action or resource. Authentication happens once at the start of a session, using something the user has, knows, or is. Authorization happens on every request afterward, checking whether the established identity is permitted to do what it is now attempting. One proves who; the other decides what.
A concrete example makes it clear. When you sign in to a banking app with a passkey, that is authentication: the app now knows it is you. When you try to move money out of an account that is not yours and the app refuses, that is authorization: you are a known user, but not one permitted for that action. Same user, same session, different question.
Authentication is the process of verifying that someone is who they claim to be, before any access is granted. It relies on one or more factors: something you know (a password), something you have (a phone or passkey), or something you are (a fingerprint or face). Combining factors is multi-factor authentication, which raises the cost of impersonation.
Modern authentication has moved past the password. Passkeys, built on the FIDO and WebAuthn standards, bind a cryptographic credential to the user's device and resist phishing because the credential cannot be handed to a fake site. Magic links and one-time codes sent by email or SMS trade some security for easy onboarding. When one application delegates authentication to a central provider, that is single sign-on, usually built on OpenID Connect, the identity layer on top of OAuth 2.0.
Authorization is the process of deciding whether an authenticated identity may perform a specific action on a specific resource. It runs after authentication and repeats on every protected request. Where authentication produces a yes-or-no on identity, authorization produces a yes-or-no on permission, and it usually depends on context: the user's role, the resource, and sometimes the time, location, or device.
Authorization models scale up in expressiveness. Scopes on an OAuth access token state what the token may do, such as read:invoices. Role-based access control (RBAC) assigns permissions to roles and roles to users. Policy-based and attribute-based approaches go further, deciding each request against rules that can weigh many attributes at once, for example "allow refunds only during business hours from a corporate network." The more your real rules depend on context, the less a flat scope list can carry them.
The two are easiest to hold apart in a table. Each row is a property where they differ.
| Property | Authentication | Authorization |
|---|---|---|
| Question it answers | Who are you? | What are you allowed to do? |
| When it runs | Once, at sign-in | On every protected request |
| Depends on | Credentials and factors | Identity, role, resource, context |
| Typical mechanisms | Passwords, passkeys, OTP, SSO/OIDC | Scopes, RBAC, policy-based rules |
| Result | A verified identity | An allow or deny decision |
| Standard it leans on | OpenID Connect | OAuth 2.0 scopes, policy engines |
The confusion is costly because the two failures look nothing alike in production. A broken authentication check locks people out and gets noticed immediately. A broken authorization check lets the wrong person through and often goes unnoticed until data leaks. Most access-control incidents are authorization failures, not authentication failures, which is the opposite of where most teams spend their attention.
Here is the stance worth taking: authorization is the underbuilt half of auth. Teams adopt a solid login provider, tick the authentication box, then scatter authorization logic across API gateways, middleware, and request handlers where no single place answers "who can call this, and when." Authentication has been a solved, outsourced problem for years. Authorization is where the real design work still lives, and where the expensive mistakes still happen.
In an OAuth 2.0 and OpenID Connect flow, the two split cleanly. Authentication happens at the identity provider, where the user proves who they are and the provider issues an ID token confirming it. Authorization is expressed through the access token: its scopes, audience, and any policy applied when it was issued decide what the holder may reach. The application trusts the provider for identity and enforces permission on each call.
This is why the token step matters so much. OAuth 2.0, defined in RFC 6749, is an authorization framework; it hands out tokens that grant limited access. OpenID Connect, specified at openid.net, adds the authentication layer that tells the app who logged in. The strongest systems decide authorization at the moment the token is issued, using everything known about the request, rather than leaving each service to reconstruct the rules on its own.
MonoCloud covers both halves on one platform. For authentication, it is an OIDC-certified identity provider with passwordless login, passkeys, social sign-in, one-time codes, and single sign-on, so verifying who a user is takes no custom code. For authorization, MonoCloud evaluates Cedar policies at the moment an access token is issued, deciding whether a token may be granted and shaping what it carries.
Doing authorization at token issuance is the part worth noting. Instead of scattering permission checks across services, you write human-readable rules that run before a token exists, and a request that breaks them never produces a credential to leak or replay. To go deeper on the authorization side, read What Are Cedar Policies? or the API Access Policies guide. To start building, create a free MonoCloud account.