Authentication and authorization often get lumped together as just "auth", but in reality they're two very different things. Authentication is step one, and it's all about determining who you are. This is something like a login or two-factor authentication. Even something like an API key is part of authentication, because it verifies who you are. Even a guest account technically counts as authentication, because you're authenticating that you are a guest. And any time you're unable to authenticate a user, you should return a 401 HTTP status code, which essentially says, "Hey, I am unable to authenticate who this is."

On the other side of the coin, we have authorization. Authorization essentially figures out what you can do. Once you've done authentication and you know who the user is, the next step is figuring out, okay, what can they do? This is your permission system. Things like role-based access control, attribute-based access control, or even just an admin account are all different ways that you can determine what someone can do. And if for some reason someone tries to do something that they're not allowed to do, you should always return a 403 status code. That is the Forbidden status code, essentially telling someone that they do not have permission to do what they're trying to do.

This is always a two-step process. First, you authenticate who the user is; even if they're just a guest account, you're authenticating who they are. Then, now that you know who they are, you determine what they can do using authorization. Understanding these differences is incredibly important, because it makes talking about these different concepts much easier. Now, if you want to dive deeper into authorization specifically, I'm going to link a video at the bottom of your screen that goes into role-based access control, attribute-based access control, and all the other things related to authorization that you need to handle from scratch.
Authorization Video: https://youtu.be/5GG-VUvruzE

Find Me Here:
My Blog: https://blog.webdevsimplified.com
My Courses: https://courses.webdevsimplified.com
Patreon: https://www.patreon.com/WebDevSimplified
Twitter: https://twitter.com/DevSimplified
Discord: https://discord.gg/7StTjnR
GitHub: https://github.com/WebDevSimplified
CodePen: https://codepen.io/WebDevSimplified

#Shorts