What's the Difference Between Authentication and Authorization?

Last Updated Aug 20, 2021
Emma Jagger

Engineer, maker, Google alumna, CMU grad

While learning about APIs, web services, and development, you've probably heard about API authentication and authorization. When an API endpoint offers its services to a user via HTTP, it is said to be "exposed". This means traffic can flow in or out of the API endpoints, including potentially malicious traffic. API authentication protects the user and the API developers from data loss or service outages. It also allows developers to know what endpoints are most trafficked with API analytics, and throttle potential problem users who are making too many requests.

Authentication and authorization are fundamental parts of what makes REST APIs so popular. It allows developers to expose resources only to approved users who have an API key. How this key is distributed and handled by the different sides of the API illustrates the differences between authentication and authorization. This article will discuss both sides, their differences, and similarities.

What is Authentication?

Authentication is the process of proving that you are who you say you are. A password to access your email, or biometrics to access your phone, are examples of authentication. In REST APIs, we authenticate a user with the API key. You ask for a key, and the API owner grants you a key. Your key is a long, unique string of numbers and letters. Once you have an API key you are allowed to use the API, and the owner also knows who you are and what you are doing in their API. There are many different API multi-factor authentication (or MFA) methods, such as HMAC and OAuth.

How Do I Get an API Authentication Key?

Getting an API key is similar to signing up for any other service. We will use the Abstract API as an example. Go to the Abstract API and select **Create Your Free Account**. Enter your information and select **Sign Up**. You will receive a confirmation email with a link to your Abstract API dashboard. Navigate to any of the APIs listed, for example, the **IP Geolocation** API. This page displays your unique API key for this API, and has a host of console options for testing it out.

You can test this API key in two ways:

  • A quick cURL request in your terminal (the URL is quoted so the shell does not interpret the `?`): `curl -v 'https://ipgeolocation.abstractapi.com/v1/?api_key={YOUR API KEY}'`  
  • Use the in-browser Abstract API console to test your new API with your new credentials.  

The request should return your geolocation by IP. This indicates a successful authentication, and that you are authorized to use the API's resources.

Authentication Methods

  • Password - A user's identity is authenticated by knowing their password. A form of single-factor authentication.
  • Two-step authentication - A PIN being required in addition to your bank card at an ATM is a good example of two-step authentication. It requires additional authentication information that your user knows to complete the authentication process.
  • Multi-factor authentication - A user entering a username and password, and then being prompted to enter a one-time passcode sent to a mobile phone via SMS is MFA or two-factor authentication.
  • SSO (Single Sign On) - You may have used the SSO method of authentication setting up a remote Git repository on your computer. After successful user authentication with GitHub, you must authorize any personal access token, SSH key, or OAuth App you would like to access the organization's resources.

No matter what authentication method is used, once you have credentials, you are authorized for use.

What is Authorization?

Authorization is the act of granting an authenticated party permission to do something. If we think about the above process from the API owner's point of view, we will learn a little more about authorization. After the API user is authenticated and receives their API key, they are authorized to use the API to access resources with HTTP requests. This is like an employee getting a background check (a cursory one, anyhow) and receiving a keycard to access a restricted building. From the example above, once you have the Abstract API key, Abstract confirms who you are and how you're using their system, and in exchange, you're authorized to call their APIs.

From the API owner's side, authorization grants or denies permissions based on settings maintained by security teams. Authorization user access tokens grant permission to department-specific files and reserve access to confidential data, like a security level.

Some methods of authorization include role-based access control (RBAC), JSON Web Tokens (JWT), SAML, OpenID, and OAuth.

Authentication vs Authorization

Authentication is the process of proving that you are who you say you are. Authorization is the act of granting an authenticated party permission to do something. Authentication checks credentials, authorization checks permissions. Both are means of access control.

Authentication and Statelessness

In our conversation about statefulness and statelessness, we discussed how one of REST's advantages is its statelessness. A stateless architecture retains no information as part of a user's state. Every interaction is independent of the server's state and depends only on the data held by the system (or in the request) at that moment. This means that every client request must contain all necessary information for the server to execute and respond to the request, including authentication keys. This API key is passed in the request query parameter when the endpoint is called:

`curl 'https://ipgeolocation.abstractapi.com/v1/?api_key={YOUR API KEY}'`

The parts of this request are the URL (https://ipgeolocation.abstractapi.com/v1/) and the query parameters: `api_key`, shown here, and optionally `ip_address`.

Every request to the API must include the API key for authentication, and once the user is authenticated, they perform the tasks they are authorized for.
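As an added example (not Abstract's own code), here is a small stateless request handler in Python that separates the two checks the article contrasts: `authenticate()` verifies the `api_key` carried in each request against a constructed, hashed key store, and `authorize()` checks the caller's granted scopes against the endpoint. The key values, scope names and the `/v1/analytics/` endpoint are constructed assumptions for illustration.

```python
import hashlib
import hmac
from urllib.parse import urlparse, parse_qs


def _sha256(s: str) -> str:
    return hashlib.sha256(s.encode()).hexdigest()


# Constructed server-side key store: keys are stored hashed, never in plaintext.
# Each record maps a key hash to the caller's identity and the scopes granted to it.
# The two key strings below are constructed sample data, not real Abstract keys.
KEY_STORE = {
    _sha256("sample-key-reader-0001"): {"user": "alice", "scopes": {"geolocation:read"}},
    _sha256("sample-key-admin-0002"): {"user": "bob", "scopes": {"geolocation:read", "analytics:read"}},
}

# Scope each endpoint requires (hypothetical; /v1/ is modelled on the article's URL).
REQUIRED_SCOPE = {
    "/v1/": "geolocation:read",
    "/v1/analytics/": "analytics:read",
}


def authenticate(api_key):
    """Authentication: who is the caller? Returns the identity record, or None."""
    if not api_key:
        return None
    digest = _sha256(api_key)
    # Constant-time comparison so timing does not reveal how much of a hash matched.
    for stored_digest, record in KEY_STORE.items():
        if hmac.compare_digest(digest, stored_digest):
            return record
    return None


def authorize(identity, path):
    """Authorization: may this caller do this? True only if the needed scope was granted."""
    needed = REQUIRED_SCOPE.get(path)
    return needed is not None and needed in identity["scopes"]


def handle_request(url):
    """Stateless handler: each request carries its own api_key; nothing persists between calls."""
    parsed = urlparse(url)
    api_key = parse_qs(parsed.query).get("api_key", [None])[0]
    identity = authenticate(api_key)
    if identity is None:
        return 401, "unauthenticated: missing or unknown api_key"
    if not authorize(identity, parsed.path):
        return 403, f"forbidden: {identity['user']} lacks the scope for {parsed.path}"
    return 200, f"ok: {identity['user']} may access {parsed.path}"
```

A 401 means the credential check failed, a 403 means the credential was valid but the permission check failed; keeping the two results distinct is what lets you tell the two measures apart in logs.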

Conclusion

Authentication and authorization are important parts of REST APIs, because they allow developers to judiciously expose resources via API with enough security to be safe, but not so much security that it significantly slows functionality. Remember that authentication checks credentials, and authorization checks permissions, to tell the two security measures apart.
