Many developers struggle with the concepts of authentication and authorization, and the two terms are often used interchangeably. What is the difference? It is subtle, but vitally important, and confusing the two is a common root cause of access-control bugs. Let's take a look at authentication first.

Authentication

Authentication is tightly coupled to identity. When you sign in to a website with an email address and password, you authenticate yourself: you prove to the website that you are who you claim to be.

In this example, you use an email address and password to authenticate. There are many other forms of authentication (one-time codes, hardware security keys, client certificates, API keys), but the basic idea is the same: you provide a service, a website in this example, with something it can use to verify your identity.

Authorization

Authorization is about permissions: what you are allowed to do and what you are not. Let's revisit the earlier example. You sign in to a website, and the sign-in succeeds, so the website now knows who you are.

You decide to write a blog post next. The website refuses and returns an error saying that you are not authorized to create, update, or delete blog posts. What happened? The website looked at the permissions attached to your account and decided that you are not permitted to create a blog post. It knows who you are; that identity simply does not grant you that action. Authentication answered "who is this?", authorization answered "may they do this?", and the two answers are independent.

An Example

Let's take a look at another example. You are building an application that queries an API. To query the API, you need an API key. The API uses the key to authenticate your application: the key was issued specifically to identify that application, much like a user signing in with an email address and password identifies a person. Note that the key identifies the application, not the end users of that application; if the API needs to know which user is behind a request, that is a separate authentication step.

The API key can also carry authorization. Your application may have been issued a read-only key: it can use that key to retrieve data, but it is not authorized to modify data (create, update, delete). The API first checks that the key is valid (authentication), then checks whether the key's permissions, often called scopes, allow the requested operation (authorization).

403

It is understandable why some developers mix up authentication and authorization: the HTTP status codes themselves muddle the two. Let's say your application accesses a resource through an API and receives a response with status code 403 Forbidden. What does that mean? It could mean a few things.

It could mean that your application authenticated successfully with the API but was not authorized to access the resource. It could also mean that authentication failed. Strictly, HTTP reserves 401 Unauthorized (confusingly named, since it really means "not authenticated") for requests with missing or invalid credentials, and 403 Forbidden for requests the server understood but refuses to fulfil. In practice many APIs return 403 for bad credentials as well, sometimes deliberately, so that a caller cannot distinguish a revoked key from a valid key that lacks permission. Either way, from the client's point of view the API was not willing to let the application reach the resource.

In summary, a 403 status code can be read as "you are not allowed to access this resource", and the status code alone does not tell you whether the problem is who you are or what you are permitted to do. A well-designed API disambiguates: it answers missing or invalid credentials with 401 and a WWW-Authenticate header describing the expected scheme, answers an authenticated but unpermitted request with 403, and in both cases includes a stable, machine-readable error code (for example invalid_api_key versus insufficient_scope) in the response body so that the client can act on the reason rather than guess at it.
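To make the two steps concrete for both the API-key example above and the 403 discussion, here is a small server-side handler written for this article (it is an added illustration, not code from any particular API or framework). It assumes a constructed key store in which each key is stored as a SHA-256 hash alongside the application it identifies and the scopes it was issued with, and it assumes keys arrive in an Authorization: Bearer header. Authentication resolves the key to a principal; authorization checks the principal's scopes against the scope the HTTP method needs; the handler returns 401 with a WWW-Authenticate header when the first step fails and 403 with a machine-readable reason when only the second step fails.

```python
import hashlib
import hmac

# Constructed sample key store for this example: hash of the API key ->
# the application the key identifies and the scopes it was issued with.
# Only the hash is stored, so a leaked store does not leak usable keys.
def _key_hash(api_key: str) -> str:
    return hashlib.sha256(api_key.encode("utf-8")).hexdigest()

API_KEYS = {
    _key_hash("ro-key-app1"): {"app": "reporting-dashboard",
                               "scopes": {"posts:read"}},
    _key_hash("rw-key-app2"): {"app": "editor-service",
                               "scopes": {"posts:read", "posts:write"}},
}

# Which scope each HTTP method on the blog-post resource requires
# (constructed for this example).
REQUIRED_SCOPE = {
    "GET": "posts:read",
    "POST": "posts:write",
    "PUT": "posts:write",
    "DELETE": "posts:write",
}


def authenticate(headers: dict):
    """Step 1, identity: resolve the presented API key to a principal.

    Returns the principal dict, or None when the key is missing or unknown.
    """
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    presented = _key_hash(auth[len("Bearer "):].strip())
    # Compare every stored hash in constant time so lookup timing does not
    # depend on how much of the digest matches.
    for stored, principal in API_KEYS.items():
        if hmac.compare_digest(stored, presented):
            return principal
    return None


def authorize(principal: dict, method: str) -> bool:
    """Step 2, permission: may this principal perform this method?"""
    needed = REQUIRED_SCOPE.get(method)
    return needed is not None and needed in principal["scopes"]


def handle(method: str, headers: dict):
    """Dispatch one request and return (status, response_headers, body)."""
    principal = authenticate(headers)
    if principal is None:
        # Nobody identified: 401 plus the challenge the client should answer.
        return (401,
                {"WWW-Authenticate": 'Bearer realm="api"'},
                {"error": "invalid_api_key",
                 "message": "API key missing or not recognized"})
    if not authorize(principal, method):
        # Identified, but this identity does not grant the action: 403 with a
        # stable error code so the client knows it is a permission problem.
        return (403,
                {},
                {"error": "insufficient_scope",
                 "message": "%s requires scope %s" % (
                     method, REQUIRED_SCOPE.get(method, "<none>")),
                 "app": principal["app"]})
    return (200, {}, {"ok": True, "app": principal["app"]})


if __name__ == "__main__":
    for method, hdrs in [("GET", {}),
                         ("GET", {"Authorization": "Bearer ro-key-app1"}),
                         ("DELETE", {"Authorization": "Bearer ro-key-app1"}),
                         ("DELETE", {"Authorization": "Bearer rw-key-app2"})]:
        status, _, body = handle(method, hdrs)
        print(method, hdrs.get("Authorization", "<no key>"), "->", status, body["error"] if "error" in body else "ok")
```

Swapping the read-only key for the read/write key turns the DELETE from 403 into 200 while the GET stays 200 throughout; removing the header entirely produces 401 regardless of method. That is the distinction the article draws: the first status answers "who are you?", the second answers "may you do this?". An API that wants to hide whether a key exists can return 403 in the first branch as well, but it should then keep the error code in the body distinct so that clients can still tell the two cases apart.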