AuthN vs AuthZ

23. October 2020 • edited 4. December 2020

When you do some “login stuff” nowadays you may have stumbled upon the terms AuthN and AuthZ. Maybe you wondered what the “N” and the “Z” mean? Short answer:

  • AuthN stands for Authentication, and
  • AuthZ stands for Authorization.

That’s easy, right? We’re done for this blog post 🙃

Authentication vs. Authorization

But what is the difference between these two terms? Are they not the same thing? Short answer: No, they aren’t!


Authentication is all about who you are. In its simplest form it is typing a username and password into a login form. In a more involved scenario – e.g. when you buy a TLS certificate – it can mean going to a notary and presenting your identity card.

So authentication is the process of verifying that you are who you claim to be.


Authorization is all about what you are allowed to do. A simple example: you are allowed to clone a Git repository and push to it, but you are not authorized to delete branches in that repository. Authorization must be granted by an entity that has more rights (is privileged) than you. E.g. when you want to buy a new laptop, you request it from your boss, and she authorizes it by granting or declining the request.

So authorization is the process of verifying what you are allowed to do.

Last Words

Authentication can be used without authorization, but not the other way round. To authorize someone or something – not only natural persons are authenticated or authorized, but also entities like computers, servers, APIs, etc. – you must authenticate first, so that you know whom you are granting or declining access to (authorizing). E.g. when you walk around a large factory there may be restricted areas protected by a security guard. You must show him your corporate identity card for authentication. Then the guard looks up in some system whether you are allowed to enter that area (authorization) and either lets you through or turns you away.
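To make the two steps concrete, here is an added example (not code from the original post) that models the Git-repository scenario above and the guard’s two-step check: authenticate() verifies a username and password against a user table and returns a Principal (the “who”), and authorize() looks up what that principal may do on a repository (the “what”). Usernames, passwords, the permission table and the PBKDF2 iteration count are constructed sample data, not values from any real system.

```python
"""Added example: authentication (who are you?) followed by authorization
(what may you do?). All users, passwords and permissions are constructed."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# Sample iteration count for the example; tune for production hardware.
PBKDF2_ITERATIONS = 100_000


# --- Authentication -----------------------------------------------------------

def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS)


def build_user_db(plain: Dict[str, str]) -> Dict[str, Tuple[bytes, bytes]]:
    """Turn plaintext sample passwords into (salt, hash) records."""
    db = {}
    for name, password in plain.items():
        salt = os.urandom(16)
        db[name] = (salt, hash_password(password, salt))
    return db


# Constructed sample users (assumption: purely illustrative).
USER_DB = build_user_db({
    "alice": "correct horse battery staple",
    "bob": "hunter2",
})
_DUMMY_SALT = b"\x00" * 16


@dataclass(frozen=True)
class Principal:
    """An identity established by successful authentication."""
    name: str


def authenticate(username: str, password: str) -> Optional[Principal]:
    """Return a Principal if the credentials match, else None (the guard
    checking your badge)."""
    record = USER_DB.get(username)
    if record is None:
        # Burn the same hashing cost for unknown users so that response
        # timing does not reveal which usernames exist.
        hash_password(password, _DUMMY_SALT)
        return None
    salt, stored = record
    if hmac.compare_digest(hash_password(password, salt), stored):
        return Principal(username)
    return None


# --- Authorization ------------------------------------------------------------

# Constructed permission table: (principal, resource) -> allowed actions.
# alice may clone and push to the repo but may not delete branches.
PERMISSIONS: Dict[Tuple[str, str], Set[str]] = {
    ("alice", "repo:payments"): {"clone", "push"},
    ("bob", "repo:payments"): {"clone", "push", "delete_branch"},
}


def authorize(principal: Optional[Principal], resource: str, action: str) -> bool:
    """Look up whether the authenticated principal may perform the action
    (the guard consulting the access list). Without an identity there is
    nothing to look up, so the answer is always no."""
    if principal is None:
        return False
    return action in PERMISSIONS.get((principal.name, resource), set())


def handle_request(username: str, password: str, resource: str, action: str) -> str:
    """Run both steps in order and report which one failed, if any."""
    principal = authenticate(username, password)
    if principal is None:
        return "unauthenticated"
    if not authorize(principal, resource, action):
        return "forbidden"
    return "allowed"


if __name__ == "__main__":
    for args in [("alice", "correct horse battery staple", "repo:payments", "push"),
                 ("alice", "correct horse battery staple", "repo:payments", "delete_branch"),
                 ("alice", "wrong password", "repo:payments", "clone"),
                 ("mallory", "anything", "repo:payments", "clone")]:
        print(args[0], args[3], "->", handle_request(*args))
```

The three outcomes map onto the usual HTTP status codes: “unauthenticated” is a 401, “forbidden” is a 403, and only an identity that both exists and holds the right permission gets through. Note that the permission lookup is keyed on the principal name, which is exactly why authorization cannot run before authentication has produced one.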

UPDATE Above I wrote you can’t do authorization without authentication. I think that’s not completely true. As far as I know this is feasible with some zero-knowledge protocols, but this is a topic I have no clue about at the moment.

Cover image by Zachary Lisko from Unsplash.

Tags: Security, OAuth 2.0, Authentication, Authorization
Published under the THE BEER-WARE LICENSE.