Accenture | Web Development | Easy

Difference between authentication and authorization

Tags: Authentication, Authorization, JWT, Security, API

Question

What is the difference between authentication and authorization? Explain with a real API example.

Interview Answer

Authentication verifies who the user is, while authorization decides what that authenticated user can do. In API flow, you first validate credentials/token, then enforce endpoint-level permissions (role/policy). That is why 401 and 403 represent different failure states.

Explanation

A user can be authenticated but still unauthorized for certain actions. Mention 401 for invalid/missing identity and 403 for insufficient permissions. This distinction is critical in secure API design.

Key Points

  • Authentication = identity proof
  • Authorization = permission enforcement
  • 401 and 403 represent different failure states
  • Apply least-privilege access design

Common Mistakes

  • Using authentication and authorization interchangeably
  • Returning wrong status codes for auth failures
  • Implementing authorization logic only on the client side

Likely Follow-Up Questions

  • How do refresh tokens improve security?
  • Where should role checks happen in microservices?
  • What is RBAC vs ABAC?

Interview Timing

Target speaking time: about 3 minutes.
