Authentication vs Authorization
Two words that sound alike and get conflated constantly — yet they answer completely different questions. Authentication (authn) asks "who are you?" and proves it. Authorization (authz) asks "what are you allowed to do?" once identity is established. You authenticate first, then authorize. A login form is authentication; a check that "only admins can delete users" is authorization. This page draws the line clearly, walks the request lifecycle, and previews the building blocks — password hashing, sessions, JWTs, and access control — that the rest of this section covers in depth.
The core distinction
Authentication (authn) | Authorization (authz) | |
|---|---|---|
Question | Who are you? | What may you do? |
Happens | First — at login | After — on each protected action |
Proves | Identity (credentials) | Permission (roles/scopes) |
Example | Email + password, OAuth, passkey | Admin-only delete, owner-only edit |
Failure code |
|
|
The request lifecycle
1. LOGIN client sends credentials → server verifies → issues a
session cookie or token proving identity
2. AUTHENTICATE on each request, server validates that cookie/token and
loads the user → req.user
3. AUTHORIZE server checks req.user's roles/ownership against what the
action requires → allow (proceed) or deny (403)
4. ACT the handler runs, scoped to what this user may touchFactors: what counts as proof of identity
Factor | Examples |
|---|---|
Something you know | Password, PIN, security question |
Something you have | Phone (TOTP/SMS code), hardware key, passkey |
Something you are | Fingerprint, face, biometric |
How identity is carried between requests
Approach | Server stores? | Covered in |
|---|---|---|
Session + cookie | Yes — session in DB/store | |
JWT (stateless token) | No — token is self-contained | |
Access + refresh tokens | Refresh token tracked | |
Delegated (OAuth) | Provider holds identity |
What this section covers
Password hashing — store passwords with bcrypt/argon2, never in plaintext.
Sessions & cookies — server-side sessions and secure cookie flags.
JWT and implementing JWT auth — stateless tokens.
Refresh tokens — short-lived access + long-lived refresh.
Passport.js and OAuth/social login — strategies and delegated auth.
RBAC and protecting routes — the authorization half.