Authentication and Authorization

Learn about authentication and authorization and their respective protocols.

What are authentication and authorization?

To fulfill our security goals, the API needs to be able to differentiate users in our system and potentially fend off nefarious users. Let’s take the example of a banking API. It would be detrimental if we couldn't verify the identity of the individual users utilizing our API, and because of the inability to do so, an imposter gains access to another user’s account and the assets within. Also, not all service users are alike—some might be individual users, while others might belong to a large organization. The authorization mechanism manages what each user is permitted to do based on their user category, such as having the ability to call different functions or make specific number of API calls per day. Therefore, to implement the methods above, authentication and authorization become essential to implementing the security goals we defined earlier in this chapter.

Authentication refers to the procedure through which our API verifies who the user is. Typically, applications fulfill this by implementing a login system utilizing usernames and passwords for verification. There are other techniques for authenticating users in the API paradigm that we’ll explore in this lesson.

Authorization is controlling what the user has access to. This is when applications verify whether the user is even allowed to call the request they are making. For example, we may be authorized to view a Google Doc but not edit it.

Level up your interview prep. Join Educative to access 70+ hands-on prep courses.