🔐 Authentication vs Authorization
Stop conflating authentication and authorization — define each precisely, reason about the threats specific to each, and design authorization for a multi-tenant SaaS feature you can defend on a security review.
Phase 1: Two Words, Two Different Problems
Define authn and authz with analogies and threat models
Authn answers who, authz answers what
(6 min) Authentication and authorization answer two different questions and live in two different layers of the stack. Treating them as one concept is the root of a large share of permission bugs.
Passport at the door, ticket for the seat
(5 min) A passport proves who you are. A boarding pass says which seat you're allowed to sit in. They're issued by different parties, checked at different points, and neither one substitutes for the other.
Different threats, different defenses
(7 min) Authn threats target 'become someone else': credential stuffing, session theft, token forgery. Authz threats target 'do something you shouldn't as yourself': reaching another user's record, escalating a role, crossing a tenant boundary. They need different mitigations, and many teams only defend against the first.
Authz at the edge is a polite lie
(7 min) If authorization decisions happen only in your API gateway or middleware, every internal service implicitly trusts every other internal service, and any request that reaches a service without passing through the gateway skips the check entirely. Real authz lives close to the data it protects.
Phase 2: Sessions And Tokens, Side By Side
Implement sessions and JWTs side by side in a tiny app
Sessions remember; tokens declare
(7 min) A session is a server-side record that the cookie merely points to. A JWT is a self-describing, signed set of claims that the server verifies on each request. The difference is where the truth lives, and therefore where revocation can happen.
Wire a session login in twenty lines
(8 min) A working session login is shorter than its threat model. Build the smallest possible version once, and for the rest of your career you'll know exactly what the framework is doing for you.
Replace the cookie with a JWT and feel the tradeoff
(8 min) Switching from a session to a JWT is a thirty-line diff that changes which problems you have: the session store disappears, and with it immediate logout. Same login, completely different operational shape.
Where you put the token decides which attacks you face
(7 min) Cookie-based auth and bearer-token-in-header auth have different attack surfaces. The browser attaches a cookie automatically, so you need CSRF defenses (SameSite, anti-CSRF tokens), but HttpOnly keeps it out of reach of scripts. A bearer token that JavaScript can read is exfiltrated by any XSS. Know which trade you're making.
Refresh tokens are the missing half of every JWT story
(8 min) Short-lived access tokens plus long-lived, server-tracked refresh tokens give you stateless JWT verification with revocation delayed by at most one access-token lifetime. Skipping the refresh half is why JWT auth feels broken: you're left choosing between long-lived tokens you can't revoke and logins that expire every few minutes.
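The three ideas in this phase (a session record the cookie points to, a signed token that carries its own claims, and refresh-token rotation that puts revocation back) are shown together below. This is an added example, not code from the course; it uses only the Python standard library, and the names SessionStore, TokenIssuer, the claim names and the TTL values are illustrative choices. The HS256 JWT is built by hand so the "where does the truth live" difference is visible: revoking a session is a dictionary delete, while a minted JWT stays valid until exp no matter what the server does afterwards.

```python
# Added example (not from the course): a server-side session store, a minimal
# HS256 JWT, and refresh-token rotation with reuse detection, stdlib only.
# SessionStore, TokenIssuer, claim names and TTLs are illustrative choices.
import base64, hashlib, hmac, json, secrets, time

SECRET = secrets.token_bytes(32)  # illustrative; load from a KMS or env in practice


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _now(now):
    return time.time() if now is None else now


# --- Session: the cookie is an opaque handle; the truth is the server-side record.
class SessionStore:
    def __init__(self):
        self._db = {}  # session_id -> {"sub": user, "exp": unix time}

    def create(self, user_id, ttl=3600, now=None):
        sid = secrets.token_urlsafe(32)
        self._db[sid] = {"sub": user_id, "exp": _now(now) + ttl}
        return sid

    def lookup(self, sid, now=None):
        rec = self._db.get(sid)
        return None if rec is None or rec["exp"] < _now(now) else rec["sub"]

    def revoke(self, sid):
        self._db.pop(sid, None)  # effective on the very next request


# --- JWT: the token *is* the record; the server only verifies signature and exp.
def mint_jwt(claims, key=SECRET):
    enc = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{enc({'alg': 'HS256', 'typ': 'JWT'})}.{enc(claims)}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"


def verify_jwt(token, key=SECRET, now=None):
    """Return the claims if signature and exp check out, else None.
    There is no server-side lookup, so a valid token cannot be revoked early."""
    try:
        header, body, sig = token.split(".")
        if json.loads(unb64url(header)).get("alg") != "HS256":
            return None  # pin the algorithm; never let the token choose the verifier
        expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, unb64url(sig)):
            return None
        claims = json.loads(unb64url(body))
        unexpired = claims.get("exp", 0) >= _now(now)
    except (ValueError, TypeError, AttributeError):
        return None  # malformed token, bad base64/JSON, non-numeric exp
    return claims if unexpired else None


# --- Refresh tokens: short-lived JWT plus a server-tracked, rotating refresh token.
class TokenIssuer:
    ACCESS_TTL = 300          # bounds how long a logged-out user keeps access
    REFRESH_TTL = 30 * 86400

    def __init__(self, key=SECRET):
        self.key = key
        self._live = {}       # refresh token -> {"sub", "family", "exp"}
        self._consumed = {}   # refresh tokens already rotated -> family
        self._revoked_families = set()

    def _issue(self, user_id, family, now):
        rt = secrets.token_urlsafe(32)
        self._live[rt] = {"sub": user_id, "family": family, "exp": now + self.REFRESH_TTL}
        at = mint_jwt({"sub": user_id, "exp": now + self.ACCESS_TTL}, self.key)
        return at, rt

    def login(self, user_id, now=None):
        return self._issue(user_id, secrets.token_hex(8), _now(now))

    def refresh(self, rt, now=None):
        """Rotate the refresh token. Presenting an already-consumed token means it
        leaked: revoke the whole family so attacker and victim are both signed out."""
        now = _now(now)
        if rt in self._consumed:
            self._revoked_families.add(self._consumed[rt])
            return None
        rec = self._live.pop(rt, None)
        if rec is None or rec["exp"] < now or rec["family"] in self._revoked_families:
            return None
        self._consumed[rt] = rec["family"]
        return self._issue(rec["sub"], rec["family"], now)

    def logout(self, rt):
        rec = self._live.pop(rt, None)
        if rec:
            self._revoked_families.add(rec["family"])
```

The part worth sitting with is `logout`: it kills the refresh token immediately, but the access token issued alongside it still passes `verify_jwt` until its exp. That window is exactly `ACCESS_TTL`, which is why the access lifetime is a security parameter and not a convenience setting.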
Phase 3: Choosing The Right Authorization Model
Compare RBAC, ABAC, and policy engines on real tradeoffs
RBAC is great until two roles collide on one resource
(7 min) Role-Based Access Control scales comfortably to dozens of permissions and hits a wall the moment a permission depends on the resource (who owns it, which project or tenant it belongs to, whether it's locked), not just on the user's role.
ABAC speaks in attributes, not roles
(7 min) ABAC asks 'do the attributes of this subject, action, resource, and context satisfy a policy?' A role is just one subject attribute, so that single question expresses everything RBAC can plus the resource- and context-dependent rules RBAC can't.
When authz becomes a product, extract it
(8 min) Once authz logic spans more than a handful of services, in-app policy code becomes a coordination problem: every service has its own slightly different copy. Policy engines exist to make 'who can do what' a first-class artifact your team can read, version, test, and review.
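The RBAC wall, the ABAC question, and "policy as a versionable artifact" from the three lessons above can be seen in one small evaluator. This is an added example, not code from the course or from any policy engine: the role table, condition names, policy ids and the deny-overrides rule are illustrative choices. The policies are plain data (a list of dicts) rather than if-statements, which is the shape a policy engine gives you; the role check beside it returns the same answer for a document the editor may touch and one that is locked or belongs to another tenant.

```python
# Added example (not from the course): the same access question answered by a
# role table (RBAC) and by attribute policies expressed as data (ABAC).
# Role names, condition names, policy ids and the deny-overrides rule are illustrative.
from dataclasses import dataclass, field

# --- RBAC: the answer depends on the user's roles and nothing else.
ROLE_PERMS = {
    "viewer": {"doc:read"},
    "editor": {"doc:read", "doc:update"},
    "admin":  {"doc:read", "doc:update", "doc:delete"},
}


def rbac_allows(user, action):
    return any(action in ROLE_PERMS.get(r, set()) for r in user["roles"])


# --- ABAC: the answer depends on subject, action, resource and context together.
@dataclass
class Request:
    subject: dict
    action: str
    resource: dict
    context: dict = field(default_factory=dict)


# Conditions are small named predicates over the request. Policies reference them
# by name, so the policy list below can live in a file, be diffed and be reviewed.
CONDITIONS = {
    "same_tenant": lambda r: r.subject["tenant"] == r.resource["tenant"],
    "is_owner": lambda r: r.subject["id"] == r.resource["owner"],
    "has_editor": lambda r: "editor" in r.subject["roles"],
    "has_admin": lambda r: "admin" in r.subject["roles"],
    "not_locked": lambda r: not r.resource.get("locked", False),
    "from_corp_network": lambda r: r.context.get("network") == "corp",
}

POLICIES = [
    # A deny matching any action wins over every allow (deny-overrides).
    {"id": "deny-cross-tenant", "effect": "deny", "actions": ["*"], "when": ["!same_tenant"]},
    {"id": "tenant-read", "effect": "allow", "actions": ["doc:read"], "when": []},
    {"id": "owner-updates", "effect": "allow", "actions": ["doc:update"], "when": ["is_owner", "not_locked"]},
    {"id": "editor-updates", "effect": "allow", "actions": ["doc:update"], "when": ["has_editor", "not_locked"]},
    {"id": "admin-deletes-from-corp", "effect": "allow", "actions": ["doc:delete"],
     "when": ["has_admin", "from_corp_network"]},
]


def _holds(name, req):
    """Evaluate one condition; a leading '!' negates it."""
    negate = name.startswith("!")
    return bool(CONDITIONS[name.lstrip("!")](req)) != negate


def abac_decide(req, policies=POLICIES):
    """Return (decision, policy_id). Deny overrides allow; no match is a deny."""
    matched = [
        p for p in policies
        if ("*" in p["actions"] or req.action in p["actions"])
        and all(_holds(c, req) for c in p["when"])
    ]
    for p in matched:
        if p["effect"] == "deny":
            return "deny", p["id"]
    for p in matched:
        if p["effect"] == "allow":
            return "allow", p["id"]
    return "deny", "default-deny"
```

Returning the matching policy id alongside the decision is deliberate: an authz log line that says `deny deny-cross-tenant` is something a reviewer can trace back to a versioned rule, which a bare `403` never is.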
Multi-tenancy is authz's hardest exam
(8 min) Multi-tenant SaaS turns every authz bug into a cross-tenant data leak. The model you pick for tenant isolation, and the layer you enforce it in, is the most important authz decision your product will ever make.
Phase 4: Design Authz For A Multi-Tenant SaaS Feature
Design authorization for a multi-tenant SaaS feature
Design authz for a multi-tenant feature, end to end
(8 min) Put the phases together on one feature: take the tenant identity from the authenticated principal, pick the isolation model, enforce it next to the data rather than at the gateway, and write the policy down in a form you can defend in a security review.
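The "authz at the edge is a polite lie" lesson and the multi-tenancy lessons come down to one concrete shape, shown below as an added example (not code from the course). The table, the constructed invoice rows, and the names Principal, TenantScopedInvoices and get_invoice_edge_authz are illustrative. The first function is the edge-trusting version: it assumes something upstream checked the tenant and looks the row up by id alone, so any authenticated user who guesses an id reads another tenant's invoice. The class beside it takes the tenant from the authenticated principal (authn output feeding authz input) and keys every read and write on `(tenant_id, id)`.

```python
# Added example (not from the course): tenant isolation enforced in the data
# layer rather than at the gateway, using an in-memory SQLite database.
# Table, rows, Principal and TenantScopedInvoices are illustrative.
import sqlite3
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    user_id: str
    tenant_id: str  # comes from the verified session/token, never from the request body


SCHEMA = """
CREATE TABLE invoices (
    id        INTEGER PRIMARY KEY,
    tenant_id TEXT    NOT NULL,
    owner     TEXT    NOT NULL,
    amount    INTEGER NOT NULL
);
"""

# Constructed sample rows: two tenants sharing one table.
SEED = [
    (1, "acme", "alice", 100),
    (2, "acme", "bob", 250),
    (3, "globex", "carol", 999),
]

COLUMNS = "id, tenant_id, owner, amount"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO invoices VALUES (?, ?, ?, ?)", SEED)
    return conn


def get_invoice_edge_authz(conn, invoice_id):
    """The edge-trusting shape: the gateway authenticated the caller, so the data
    layer takes the id from the URL and trusts that 'someone upstream' scoped it.
    Any authenticated caller who guesses an id reads another tenant's row."""
    return conn.execute(
        f"SELECT {COLUMNS} FROM invoices WHERE id = ?", (invoice_id,)
    ).fetchone()


class TenantScopedInvoices:
    """Every query is keyed by (tenant_id, id); tenant_id comes from the principal.
    A row in another tenant is indistinguishable from a row that does not exist."""

    def __init__(self, conn, principal: Principal):
        self.conn = conn
        self.p = principal

    def get(self, invoice_id):
        return self.conn.execute(
            f"SELECT {COLUMNS} FROM invoices WHERE tenant_id = ? AND id = ?",
            (self.p.tenant_id, invoice_id),
        ).fetchone()

    def list(self):
        return self.conn.execute(
            f"SELECT {COLUMNS} FROM invoices WHERE tenant_id = ? ORDER BY id",
            (self.p.tenant_id,),
        ).fetchall()

    def update_amount(self, invoice_id, amount):
        # rowcount 0 covers both 'not yours' and 'does not exist': no cross-tenant
        # write and no existence oracle for ids in other tenants.
        cur = self.conn.execute(
            "UPDATE invoices SET amount = ? WHERE tenant_id = ? AND id = ?",
            (amount, self.p.tenant_id, invoice_id),
        )
        self.conn.commit()
        return cur.rowcount
```

The design point is that the repository cannot be constructed without a Principal, so a code path that forgot to check the tenant does not compile into existence; the gateway check becomes a first line, not the only line.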
Frequently asked questions
- What's the actual difference between authentication and authorization?
- Authentication establishes who the caller is (the passport). Authorization decides what that identity may do to a given resource (the boarding pass). They are checked at different points and fail differently: an authn bug lets someone become another user, an authz bug lets a legitimate user do something they shouldn't. Phase 1 covers this.
- Should I use sessions or JWTs for a new web app in 2026?
- Phase 2 builds both side by side so you can feel the trade. A session is a server-side record the cookie points to, so logout is immediate. A JWT carries its own claims and stays valid until it expires, so you pair a short-lived access token with a refresh token to get revocation back. Decide based on where the truth should live and where the token will be stored (an HttpOnly cookie versus script-readable storage).
- When should I pick RBAC over ABAC for a SaaS product?
- RBAC is enough while every permission depends only on the user's role. The moment a permission depends on the resource or the context (ownership, tenant, lock state, network), you need ABAC or a policy engine. Phase 3 compares them on real tradeoffs.
- Where in my stack should authorization checks actually live?
- Close to the data. Gateway and middleware checks are a useful first line, but if they are the only line, every internal service trusts every other and any request that bypasses the gateway is unchecked. Phase 1 makes the argument and Phase 4 applies it.
- How do I design authorization for a multi-tenant SaaS without leaks?
- Treat tenant isolation as the primary authz decision: take the tenant identity from the authenticated principal, scope every data access by it, and enforce that in the data layer rather than at the edge. Phases 3 and 4 work through the model and a complete feature design.
Related paths
🐍 Python Decorators Introduction
Build one mental model for Python decorators that covers closures, argument passing, functools.wraps, and stacking, then ship a working caching or logging decorator from scratch in under 30 lines.
🦀 Rust Lifetimes Explained
Stop reading `'a` as line noise and start reading it as scope arithmetic, one failing snippet at a time, until you can thread lifetimes through a small parser or iterator adapter without fighting the borrow checker.
☸️ Kubernetes Core Concepts
Stop drowning in 30+ resource types. Build the mental model one primitive at a time (pods, deployments, services, ingress, config), then deploy a real app with rolling updates and health checks.
📈 Big O Intuition
Stop treating Big O as math you memorized for an interview. Build the intuition to spot O(n²) disasters, pick the right data structure without thinking, and rewrite a slow function from O(n²) to O(n) in under five minutes.