Authentication answers "who are you?" while authorization answers "what are you allowed to do?" — understanding the difference clarifies most access-control questions.

Authentication vs Authorization

A login form authenticates a user. Checking whether that user can delete a specific record is authorization — a separate step that happens after authentication.

Session-based Auth

After login, the server stores a session and gives the browser a cookie referencing it. Every subsequent request includes that cookie automatically.

Token-based Auth

Instead of server-side sessions, the server issues a signed token (often a JWT) that the client stores and sends with each request, typically in an Authorization header.

```http
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
```
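As an added example (not code from the original page), here is a minimal server-side flow that puts the two ideas above together: it authenticates a bearer JWT taken from the Authorization header by checking its HS256 signature and expiry, and then applies a separate authorization rule for the "can this user delete this record?" question. The shared secret, the `roles` claim and the owner-or-admin rule are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-demo-secret"  # assumption: HMAC key known only to the server

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def _segment(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())

def issue_token(sub: str, roles: list, ttl: int = 3600, now=None) -> str:
    """Authentication: mint an HS256 JWT once the user has proven who they are."""
    now = int(time.time()) if now is None else now
    signing_input = _segment({"alg": "HS256", "typ": "JWT"}) + "." + _segment(
        {"sub": sub, "roles": roles, "exp": now + ttl})
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)

def authenticate(authorization_header: str, now=None):
    """Return verified claims, or None if the bearer token is absent, forged or expired."""
    now = int(time.time()) if now is None else now
    scheme, _, token = authorization_header.partition(" ")
    if scheme != "Bearer" or token.count(".") != 2:
        return None
    header_b64, payload_b64, sig_b64 = token.split(".")
    try:
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
        claims = json.loads(_b64url_decode(payload_b64))
    except (ValueError, UnicodeDecodeError):  # malformed base64 or JSON
        return None
    if header.get("alg") != "HS256":  # refuse "none" and any algorithm the server did not pick
        return None
    expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):  # constant-time comparison
        return None
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    return claims

def can_delete_record(claims: dict, record_owner: str) -> bool:
    """Authorization: a verified identity is necessary but not sufficient for this action."""
    return claims.get("sub") == record_owner or "admin" in claims.get("roles", [])
```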

API Keys

API keys identify the calling application rather than an individual user, and are common for server-to-server or third-party integrations.

Never expose sensitive API keys in frontend JavaScript — anything shipped to the browser is publicly visible.
