Authentication vs Authorization

In API security discussions, you will often hear the terms "AuthN" and "AuthZ". While they sound similar and are often used together, they solve two completely different problems. Understanding the distinction is the first step to securing an API.

Authentication (AuthN): "Who are you?"

Authentication is the process of verifying the identity of a user, device, or system. It answers the question: Is this entity who they claim to be?

Common Authentication Factors

1. Something you know: Password, PIN, Security Question.
2. Something you have: Phone (SMS code), Hardware Key, Smartphone (Authenticator app).
3. Something you are: Fingerprint, Face ID, Retina scan.

In APIs

In the context of APIs, authentication usually happens once (e.g., exchanging a username/password for a token) or via API Keys.
Example: The client sends a specific API Key in the header x-api-key: 12345. The server checks its database: "Does key 12345 exist? Yes, it belongs to Alice." -> Alice is Authenticated.

Authorization (AuthZ): "What can you do?"

Authorization is the process of determining what permissions an authenticated identity has. It answers the question: Is this user allowed to perform this specific action on this specific resource?
Authorization always happens after successful authentication.

In APIs

Example: Alice is authenticated (we know it's her). She tries to DELETE /users/bob.
The server checks permissions: "Is Alice an Admin? No. Does Alice own the resource 'bob'? No."
Result: 403 Forbidden. Alice is identified, but not authorized.
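As an added example (not code from the API Academy page), the following Python handler walks through both checks for the DELETE /users/bob request above: the x-api-key lookup is authentication and fails with 401, the admin-or-owner check is authorization and fails with 403. Alice's key 12345 comes from the page; the second key, the user carol and the admin role are constructed for this example.

```python
# Added example: separate authentication (who sent this?) from authorization
# (may they do this?) and map each failure to the status code the page names.

# Constructed sample data: API key -> identity record. "12345" is Alice's key
# from the page; carol and the admin role are made up for this example.
API_KEYS = {
    "12345": {"user": "alice", "roles": set()},
    "99999": {"user": "carol", "roles": {"admin"}},
}


def authenticate(headers):
    """AuthN: map the x-api-key header to a known identity, or None."""
    # HTTP header names are case-insensitive, so normalise before lookup.
    hdrs = {k.lower(): v for k, v in headers.items()}
    key = hdrs.get("x-api-key")
    if key is None:
        return None
    # The lookup answers only "who is this?", never "what may they do?".
    return API_KEYS.get(key)


def authorize_delete_user(identity, target_user):
    """AuthZ: only an admin or the resource owner may delete a user."""
    return "admin" in identity["roles"] or identity["user"] == target_user


def handle(method, path, headers):
    """Return an HTTP status code for a request such as DELETE /users/bob."""
    identity = authenticate(headers)
    if identity is None:
        # Identity unknown: the client has not proven who it is -> 401.
        return 401
    if method == "DELETE" and path.startswith("/users/"):
        target = path[len("/users/"):]
        if not authorize_delete_user(identity, target):
            # Identity known, but this action on this resource is denied -> 403.
            return 403
        return 204
    return 404


if __name__ == "__main__":
    print(handle("DELETE", "/users/bob", {"x-api-key": "12345"}))  # 403
```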

Comparison Table

| Feature | Authentication (AuthN) | Authorization (AuthZ) |
| --- | --- | --- |
| Question | Who are you? | What are you allowed to do? |
| Timing | Comes first. | Comes after authentication. |
| Mechanism | Passwords, Biometrics, API Keys. | Permissions, Roles, Scopes, Policies. |
| Failure Code | 401 Unauthorized | 403 Forbidden |
| Data Standard | OpenID Connect (OIDC), SAML. | OAuth 2.0 (Scopes). |

Real-World Analogy: The Hotel

1. Authentication: You walk to the front desk and show your ID and credit card. The receptionist confirms you are who you say you are and gives you a key card.
2. Authorization: You take the key card to the elevator.
   You tap it for the Penthouse suite (Action). It works (Permitted).
   You tap it for the Staff Only room (Action). It beeps red (Denied).

The key card knows who you are, but the lock system decides where you can go.

Combining Them in APIs

Most modern APIs use OAuth 2.0 (for Authorization) often paired with OpenID Connect (for Authentication).

1. AuthN: The user logs in via an Identity Provider (like Google). The system verifies the credential.
2. AuthZ: The provider issues an Access Token containing Scopes (e.g., read:profile, write:posts).
3. API Call: The client sends the token to the API. The API validates the token and checks the scopes to allow or deny the request.
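The scope check in step 3, as an added Python example that is not part of the original page: token validation (signature, expiry, issuer) is assumed to have already succeeded, so a constructed token-to-claims table stands in for it, and the token names and the endpoint-to-scope mapping are assumptions. The 401/403 split and the WWW-Authenticate error codes follow RFC 6750 (Bearer Token Usage).

```python
# Added example: enforce OAuth 2.0 scopes on an API request. A missing or
# unknown token is an authentication failure (401); a known token lacking the
# scope an endpoint needs is an authorization failure (403).

# Constructed table standing in for token validation/introspection.
# The scope names read:profile and write:posts come from the page.
INTROSPECT = {
    "tok-alice": {"sub": "alice", "scope": "read:profile"},
    "tok-bob": {"sub": "bob", "scope": "read:profile write:posts"},
}

# Assumed mapping of (method, path) -> scope required to call it.
REQUIRED_SCOPE = {
    ("GET", "/profile"): "read:profile",
    ("POST", "/posts"): "write:posts",
}


def bearer_token(headers):
    """Return the token from 'Authorization: Bearer <token>', or None."""
    value = {k.lower(): v for k, v in headers.items()}.get("authorization", "")
    scheme, _, token = value.partition(" ")
    return token if scheme.lower() == "bearer" and token else None


def handle(method, path, headers):
    """Return (status, WWW-Authenticate challenge or None) per RFC 6750."""
    token = bearer_token(headers)
    if token is None:
        # No credential at all: challenge the client for a bearer token.
        return 401, "Bearer"
    claims = INTROSPECT.get(token)
    if claims is None:
        # AuthN failure: the token is not one we issued or it is no longer valid.
        return 401, 'Bearer error="invalid_token"'
    needed = REQUIRED_SCOPE.get((method, path))
    if needed is None:
        return 404, None
    granted = set(claims["scope"].split())
    if needed not in granted:
        # AuthZ failure: the user is known, but this token was never granted
        # the scope the endpoint requires.
        return 403, f'Bearer error="insufficient_scope", scope="{needed}"'
    return 200, None


if __name__ == "__main__":
    print(handle("POST", "/posts", {"Authorization": "Bearer tok-alice"}))  # 403
```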

Key Takeaways

Authentication (AuthN) = Identity (Who are you?) -> Returns 401.
Authorization (AuthZ) = Permissions (Access rights) -> Returns 403.
They are distinct steps but work together in every secure API request.
Next Step: The industry standard for handling this flow is complex but powerful. Let's demystify it in Understanding OAuth 2.0 and OpenID Connect.
Modified at 2025-12-29 04:30:23