© 2026 LetsGit.IT. All rights reserved.

Security (easy)

Authentication vs authorization — what’s the difference, with examples?

Tags
#authn #authz #security

Answer

Authentication proves who the user is (e.g., password, OAuth, MFA). Authorization decides what they can do (e.g., role can edit invoices). AuthN comes before AuthZ.

Advanced answer

Deep dive

AuthN answers "who are you?"; AuthZ answers "are you allowed?":

  • AuthN: passwords, SSO, MFA, device or token-based identity.
  • AuthZ: roles (RBAC), attributes (ABAC), ownership checks, tenant boundaries.
  • Every request should re-check authorization, not just at login.
  • Least privilege and explicit deny rules reduce blast radius.

Examples

User logs in with OAuth (AuthN), receives a token, then the API checks role + resource ownership (AuthZ):

GET /invoices/123
AuthN: valid token for user=42
AuthZ: user=42 owns invoice=123 OR has role=finance_admin

Common pitfalls

  • Trusting client-side role checks only.
  • Using broad roles instead of resource-level checks.
  • Returning 403/401 inconsistently (leaks info).
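The GET /invoices/123 flow above and the pitfalls list, as an added Python example (not the platform's own code; the token table, roles and invoice table are constructed sample data): AuthN on the bearer token first, then a per-request, resource-level AuthZ check on the server, with one status code per failure class so the response does not leak which invoices exist.

```python
from dataclasses import dataclass, field

# Constructed sample data: a session/token store (AuthN side) and an invoice
# table with owners (AuthZ side). A real service would back these with a DB.
SESSIONS = {"tok-user42": 42, "tok-user7": 7}
ROLES = {42: {"user"}, 7: {"finance_admin"}}
INVOICES = {123: {"owner": 42}, 456: {"owner": 99}}


@dataclass
class Principal:
    user_id: int
    roles: set = field(default_factory=set)


class AuthError(Exception):
    """Carries the HTTP status the handler should return."""
    def __init__(self, status: int):
        super().__init__(status)
        self.status = status


def authenticate(token):
    """AuthN ("who are you?"): map a token to a principal, or 401 if unknown."""
    if token is None or token not in SESSIONS:
        raise AuthError(401)
    uid = SESSIONS[token]
    return Principal(uid, set(ROLES.get(uid, ())))


def authorize_invoice(principal, invoice_id):
    """AuthZ ("are you allowed?"): owner OR finance_admin, checked on every request."""
    invoice = INVOICES.get(invoice_id)
    # Design choice (assumption): a missing invoice and a foreign invoice both
    # yield 403, so the status code does not reveal whether the id exists.
    if invoice is None:
        raise AuthError(403)
    if invoice["owner"] == principal.user_id or "finance_admin" in principal.roles:
        return invoice
    raise AuthError(403)


def get_invoice(token, invoice_id):
    """Handler for GET /invoices/{id}: AuthN before AuthZ, then the resource."""
    try:
        principal = authenticate(token)                     # AuthN
        invoice = authorize_invoice(principal, invoice_id)  # AuthZ, never client-side
    except AuthError as e:
        return e.status, None
    return 200, invoice
```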

Interview follow-ups

  • When would you choose RBAC vs ABAC?
  • How do you enforce multi-tenant isolation?
  • How do you test authorization rules?
