GAP·MAP
← all breakdowns
AuthenticationAuthorizationAccess Controljunior level

Authentication vs. Authorization

the question

What is the difference between authentication and authorization, and where does each happen in a backend request?

what they're testing: The interviewer is checking whether you can separate identity verification from permission enforcement and place both controls at the right trust boundaries.

a strong answer

Authentication verifies which identity is making a request; authorization decides whether that identity may perform the requested action on the requested resource. A system can verify a claimed identity by checking a password, one-time code, certificate, or another authenticator. It usually carries that result forward in a server-side session or a validated token.

Suppose Alice signs in to a document service. Successful authentication means the service has verified the caller as Alice. Authorization must still decide whether Alice may read document 42, edit it, or delete it. That decision can use roles, permissions, ownership, tenant, or other policy inputs. Being logged in is not a blanket grant, and public resources may be accessible without authentication.

In a backend, authenticate the caller before trusting identity claims, then enforce authorization on every protected request for the specific action and resource. Hiding an admin button can improve the UI, but it is not access control; the API must reject an unauthorized action. The shorthand is AuthN for identity and AuthZ for permission. Bad authentication can let someone impersonate an identity, while bad authorization can let a known identity do too much.

Where people slip

the tempting wrong answer, and what's actually true

  • Once a user is authenticated, they can access any protected resource in the application.

    Authentication proves an identity but grants no blanket access; authorization must approve the requested action and resource.

  • Authorization happens once, immediately after login.

    Permissions must be validated on every protected request because the resource, action, and policy context can differ.

  • OAuth handles authentication, while OpenID Connect handles API authorization.

    OAuth is an authorization framework for delegated API access, while OpenID Connect adds an identity layer for authentication.

If they push further

How would you enforce authorization in a multi-tenant API?

Evaluate the caller, action, resource ownership, and tenant on every request, with denial as the default. Keep the check on the server near the resource boundary so a client-supplied ID cannot bypass it.

How do OAuth and OpenID Connect fit into this distinction?

OAuth delegates authorization to APIs through access grants and tokens. OpenID Connect adds identity claims and an ID token so a client can authenticate the end user.

Sources

Now answer it yourself.

Reading a strong answer is easy. Producing one under pressure is the skill the interview tests. Gapmap grades your answer against the same bar an interviewer would.

was this useful?

beta

The interviewer part is in the works.

The diagnostic, personal maps, and AI mock interviews are being finished right now. The notes stay free either way. Leave an email and you'll get the first-cohort invite, plus a month of Pro when it opens.