Definition
Authentication vs Authorization
Authentication verifies who you are (identity). Authorization determines what you're allowed to do (permissions). Confusing the two is a common source of security vulnerabilities.
Authentication (authn) answers 'Who are you?' — typically via passwords, tokens, or SSO. Authorization (authz) answers 'What can you do?' — enforcing role-based or attribute-based access control. AI-generated code frequently handles authentication (login works) but neglects authorization (any logged-in user can access any resource). This confusion leads to IDOR (Insecure Direct Object Reference) vulnerabilities, where a user can access or modify another user's data simply by changing an ID in the URL. Production applications need both: robust authentication to verify identity and granular authorization checks on every API endpoint and data access. Tools like Auth0, Clerk, and Supabase Auth handle authentication, but authorization logic must be implemented in your application code.
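The pattern described above, shown as an added example that is not part of the original page: a request handler that authenticates correctly but never checks whether the caller may read the requested document (the IDOR shape), beside a hardened handler that enforces an ownership-or-admin policy on every data access. The session and document stores, token values and user ids are all constructed for the example, and the handler shape (a `req` object with `headers` and `params`) is an assumption standing in for whatever framework the application uses.

```javascript
// Added example, not code from the original page. All data is constructed.

// Constructed session store: bearer token -> authenticated user.
const SESSIONS = {
  "tok-alice": { id: 1, role: "user" },
  "tok-bob":   { id: 2, role: "user" },
  "tok-admin": { id: 3, role: "admin" },
};

// Constructed resource store: document id -> document with an owner.
const DOCUMENTS = {
  101: { id: 101, ownerId: 1, body: "alice's notes" },
  102: { id: 102, ownerId: 2, body: "bob's notes" },
};

// Authentication: establish WHO is calling. Returns the user or null.
function authenticate(req) {
  const header = req.headers.authorization || "";
  const [scheme, token] = header.split(" ");
  if (scheme !== "Bearer" || !token) return null;
  return SESSIONS[token] || null;
}

// Vulnerable handler: login is enforced, but any logged-in user can read any
// document simply by changing the id in the URL (IDOR). Kept as the "before".
function getDocumentVulnerable(req) {
  const user = authenticate(req);
  if (!user) return { status: 401, body: "unauthenticated" };
  const doc = DOCUMENTS[req.params.id];
  if (!doc) return { status: 404, body: "not found" };
  return { status: 200, body: doc.body }; // no authorization check at all
}

// Authorization policy: may THIS user act on THIS document?
// Hypothetical policy for the example: owners and admins may read.
function canRead(user, doc) {
  return user.role === "admin" || doc.ownerId === user.id;
}

// Hardened handler: authenticate, load the resource, then authorize against it.
function getDocumentSecure(req) {
  const user = authenticate(req);
  if (!user) return { status: 401, body: "unauthenticated" };
  const doc = DOCUMENTS[req.params.id];
  // Design choice: answer 404 for both missing and forbidden documents so the
  // endpoint does not confirm which ids exist to users who may not see them.
  if (!doc || !canRead(user, doc)) return { status: 404, body: "not found" };
  return { status: 200, body: doc.body };
}

// Builds a constructed request for a given token and document id.
function request(token, id) {
  return {
    headers: { authorization: token ? `Bearer ${token}` : "" },
    params: { id },
  };
}

// Stand-alone demonstration: Bob is logged in and asks for Alice's document.
console.log(getDocumentVulnerable(request("tok-bob", 101)).status); // 200
console.log(getDocumentSecure(request("tok-bob", 101)).status);     // 404
```

The point to carry into real code is that `canRead` runs against the specific object being returned, not just against the caller's role: a role check alone would still let every "user" read every other user's documents. Whatever an auth provider such as Auth0, Clerk, or Supabase Auth hands you is the input to `authenticate`; the `canRead` step is yours to write and to apply on every endpoint.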