Understanding Authentication, Authorization, and Tokens: A Practical Guide
This article explains the core concepts of authentication and authorization in Java web applications, distinguishes between credentials, cookies, sessions, access tokens, refresh tokens, and JWTs, and compares their security, storage, and usage scenarios to help developers choose the right mechanism for their projects.
Authentication
Authentication is the process of verifying that a user is who they claim to be, for example by matching a presented fingerprint against the record on file.
Common authentication methods include username/password login, email login links, mobile SMS verification codes, and any method that proves the user is the account owner.
Authorization
Authorization decides what an authenticated identity is allowed to do: which of a user's resources an application may access, such as photos, location, or profile information.
The credential that carries this decision is delivered through cookies, server-side sessions, or tokens; OAuth 2.0 is the protocol commonly used to grant a third-party application scoped access on the user's behalf.
Credentials
Credentials act as a medium (similar to an ID card) that marks the visitor's identity for both authentication and authorization.
Cookie
Because HTTP is a stateless protocol, a cookie is a small piece of data the server sets on the client; the browser sends it back automatically on matching requests so the server can correlate them.
Cookies are bound to the host that set them (or, with the Domain attribute, to a parent domain and its subdomains) and are never sent to other domains. Because the browser attaches them automatically, a session cookie should carry the HttpOnly, Secure and SameSite attributes so that page scripts cannot read it, it travels only over HTTPS, and it is not attached to cross-site requests.
Session
A session keeps per-client state on the server, normally keyed by a unique session ID that travels in a cookie. The server stores the session data; the client holds only the identifier, which must be long and random because anyone who obtains it can act as that user.
The server creates a session after the first successful request (typically a login) and returns the session ID to the browser in a Set-Cookie header.
The browser stores the session ID in a cookie.
On subsequent requests, the browser sends the cookie; the server looks the session up by ID.
If a live session exists, the user is treated as logged in; otherwise the request is unauthenticated because the session never existed, was destroyed at logout, or expired.
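The flow above, as an added example that is not part of the original article: a minimal server-side session store plus the Set-Cookie and Cookie handling around it. Python is used because the mechanics are framework-independent; the same logic maps onto a Java servlet filter. The SESSION_TTL_SECONDS value, the SESSIONID cookie name and the fixed clock are assumptions for this illustration.

```python
import secrets
import time
from typing import Dict, Optional

# Idle timeout for this example; real values depend on the application's risk profile.
SESSION_TTL_SECONDS = 30 * 60


class SessionStore:
    """Server-side session table. The browser only ever holds the random ID."""

    def __init__(self, now=time.time):
        self._sessions: Dict[str, dict] = {}  # session_id -> {"uid": ..., "expires": ...}
        self._now = now

    def create(self, uid: str) -> str:
        # 256 bits from the OS CSPRNG: the ID is the credential, so it must be unguessable.
        session_id = secrets.token_urlsafe(32)
        self._sessions[session_id] = {"uid": uid, "expires": self._now() + SESSION_TTL_SECONDS}
        return session_id

    def lookup(self, session_id: Optional[str]) -> Optional[str]:
        """Return the uid behind a live session, or None for unknown/expired IDs."""
        if not session_id:
            return None
        entry = self._sessions.get(session_id)
        if entry is None:
            return None
        if entry["expires"] <= self._now():
            del self._sessions[session_id]  # expired: drop the server-side state too
            return None
        entry["expires"] = self._now() + SESSION_TTL_SECONDS  # sliding idle timeout
        return entry["uid"]

    def destroy(self, session_id: str) -> None:
        """Logout: deleting the server-side entry invalidates the cookie immediately."""
        self._sessions.pop(session_id, None)


def set_cookie_header(session_id: str) -> str:
    """Value of the Set-Cookie response header carrying the session ID.
    HttpOnly keeps page scripts from reading it, Secure limits it to HTTPS,
    SameSite=Lax stops the browser attaching it to most cross-site requests."""
    return f"SESSIONID={session_id}; Path=/; HttpOnly; Secure; SameSite=Lax"


def session_id_from_cookie_header(cookie_header: str) -> Optional[str]:
    """Pick the SESSIONID value out of a Cookie request header."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "SESSIONID":
            return value
    return None


def demo() -> dict:
    """Walk through login, an authenticated request, a forged ID, and expiry."""
    clock = [1_700_000_000.0]  # constructed clock so the example is deterministic
    store = SessionStore(now=lambda: clock[0])

    # First request after a successful login: the server creates the session.
    sid = store.create("alice")
    cookie = set_cookie_header(sid)

    # Later request: the browser sends the cookie back and the server resolves it.
    uid_live = store.lookup(session_id_from_cookie_header(f"theme=dark; SESSIONID={sid}"))

    # A guessed or forged ID resolves to nobody.
    uid_forged = store.lookup(secrets.token_urlsafe(32))

    # After the idle timeout the same cookie is rejected.
    clock[0] += SESSION_TTL_SECONDS + 1
    uid_expired = store.lookup(sid)

    return {"cookie": cookie, "live": uid_live, "forged": uid_forged, "expired": uid_expired}


if __name__ == "__main__":
    print(demo())
```

The point to notice is that logout and expiry are enforced by deleting server-side state; the cookie value itself never changes meaning, it simply stops resolving to a user.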
Token
An access token is the credential a client presents to call an API. In its simplest form it carries a user identifier (uid), an issue or expiry timestamp, and a signature over those fields; alternatively it is an opaque random value that the server looks up.
Access tokens let the server stay stateless, scale horizontally, serve mobile and other non-browser clients, and be passed between services. Their security rests on the signing key staying secret, the token being short-lived, and transport over TLS, because a bearer token is usable by anyone who holds it.
The client sends username/password to log in.
The server validates the credentials.
Upon successful validation, the server issues a token and returns it to the client.
The client stores the token. localStorage is readable by any script running on the origin, so an XSS bug leaks it; an HttpOnly cookie is not script-readable but is sent automatically, so it then needs CSRF protection.
For each protected request, the client sends the token in the Authorization: Bearer <token> header.
The server verifies the token and, if valid, returns the requested data.
Refresh Token
A refresh token is a longer-lived credential used exclusively to obtain a new access token without asking the user to re-enter credentials. It should be single-use (rotated on every exchange) and stored on the server only as a hash, so that a replayed or leaked token can be detected and revoked.
When the short-lived access token expires, the client exchanges the refresh token for a new pair; if the refresh token has itself expired or been revoked, the user must log in again.
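The refresh cycle described above, as an added example that is not part of the original article: a token service that issues short-lived access tokens and single-use refresh tokens, rotates the refresh token on every exchange, stores only its hash, and revokes the whole token family when an already-rotated token is replayed. Opaque random tokens are used here so the refresh logic stands on its own; the ACCESS_TTL and REFRESH_TTL values and the fixed clock are assumptions.

```python
import hashlib
import secrets
import time
from typing import Dict, Optional, Tuple

ACCESS_TTL = 15 * 60          # seconds; assumed short lifetime for the access token
REFRESH_TTL = 30 * 24 * 3600  # seconds; assumed long lifetime for the refresh token


def _hash(token: str) -> str:
    """Only a hash is stored: a leaked token table must not yield usable refresh tokens."""
    return hashlib.sha256(token.encode()).hexdigest()


class TokenService:
    """Issues opaque access tokens and single-use (rotated) refresh tokens."""

    def __init__(self, now=time.time):
        self._now = now
        self._access: Dict[str, Tuple[str, float]] = {}  # token -> (uid, expires)
        self._refresh: Dict[str, dict] = {}              # sha256(token) -> metadata

    def login(self, uid: str) -> Tuple[str, str]:
        family = secrets.token_hex(8)  # ties every rotation of one login together
        return self._issue_access(uid), self._issue_refresh(uid, family)

    def _issue_access(self, uid: str) -> str:
        tok = secrets.token_urlsafe(32)
        self._access[tok] = (uid, self._now() + ACCESS_TTL)
        return tok

    def _issue_refresh(self, uid: str, family: str) -> str:
        tok = secrets.token_urlsafe(32)
        self._refresh[_hash(tok)] = {
            "uid": uid, "family": family, "used": False,
            "expires": self._now() + REFRESH_TTL,
        }
        return tok

    def authorize(self, access_token: str) -> Optional[str]:
        """Resolve an access token to a uid, or None if unknown or expired."""
        entry = self._access.get(access_token)
        if entry is None or entry[1] <= self._now():
            return None
        return entry[0]

    def refresh(self, refresh_token: str) -> Optional[Tuple[str, str]]:
        """Exchange a refresh token for a new (access, refresh) pair.
        Returns None when the user has to log in again."""
        entry = self._refresh.get(_hash(refresh_token))
        if entry is None or entry["expires"] <= self._now():
            return None
        if entry["used"]:
            # A rotated token came back: the client or a thief holds a stale copy.
            # Revoke the whole family so neither party can keep going.
            self._revoke_family(entry["family"])
            return None
        entry["used"] = True
        return self._issue_access(entry["uid"]), self._issue_refresh(entry["uid"], entry["family"])

    def _revoke_family(self, family: str) -> None:
        stale = [k for k, v in self._refresh.items() if v["family"] == family]
        for k in stale:
            del self._refresh[k]


def demo() -> dict:
    """Access expiry, one successful refresh, replay detection, refresh expiry."""
    clock = [0.0]  # constructed clock so the run is deterministic
    svc = TokenService(now=lambda: clock[0])

    access1, refresh1 = svc.login("alice")
    live = svc.authorize(access1)

    clock[0] += ACCESS_TTL + 1                  # access token is now expired ...
    after_access_expiry = svc.authorize(access1)
    access2, refresh2 = svc.refresh(refresh1)   # ... so the client refreshes, once
    renewed = svc.authorize(access2)

    replay = svc.refresh(refresh1)              # the old refresh token is presented again
    family_after_replay = svc.refresh(refresh2) # its rotation partner is revoked too

    _, refresh3 = svc.login("alice")
    clock[0] += REFRESH_TTL + 1                 # refresh token itself expires: log in again
    refresh_expired = svc.refresh(refresh3)

    return {
        "live": live, "after_access_expiry": after_access_expiry, "renewed": renewed,
        "replay": replay, "family_after_replay": family_after_replay,
        "refresh_expired": refresh_expired,
    }


if __name__ == "__main__":
    print(demo())
```

Revoking the whole family on replay is deliberate: once two parties hold copies of a refresh token the server cannot tell which one is legitimate, so forcing a fresh login is the only safe outcome.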
Token vs Session
A session keeps state on the server, so the server is stateful; a self-contained token lets the server verify each request without keeping per-user session data.
Neither is inherently more secure. A session ID and a bearer token are both credentials that anyone holding them can use, and both depend on TLS in transit. The real trade-off is revocation: a session can be invalidated immediately by deleting the server-side entry, whereas a signed token remains valid until it expires unless the server keeps a denylist, which reintroduces state. Keep access tokens short-lived for exactly this reason.
If you need server-side state (for example, immediate logout or per-session data), you can combine the two: sessions for browser logins and tokens for API and mobile clients.
JWT (JSON Web Token)
JWT is a widely adopted format for self-contained tokens, standardized in RFC 7519, and is commonly used where a session cookie cannot travel, such as across domains or to API clients.
It carries claims about the user (for example sub, iat, exp) as a JSON payload and is signed with an HMAC shared secret (HS256) or an asymmetric key (RS256, ES256) so that the recipient can detect tampering. The signature provides integrity, not secrecy: a signed JWT is only base64url-encoded, so anyone holding it can read the claims, and the verifier must pin the algorithm it expects rather than trust the token's own alg header.
The user logs in with username/password; the server returns a JWT upon successful authentication.
The client stores the JWT (commonly in localStorage or a cookie; the same XSS versus CSRF trade-off as for any access token applies).
When accessing protected resources, the client sends the JWT in the Authorization: Bearer <JWT> header.
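The token issue-and-verify cycle from the Token section and the JWT flow above, as one added example that is not part of the original article: an HS256 JWT is minted with sub, iat and exp claims, then verified from an Authorization: Bearer header with the algorithm pinned, a constant-time signature comparison, and an expiry check. The demo also shows the three failures a verifier must reject: an expired token, a payload edited without re-signing, and the alg=none forgery. Only the Python standard library is used; the SECRET value and the fixed issue time are assumptions.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Assumed server-side HMAC key; in practice 32+ random bytes loaded from a secret store.
SECRET = b"example-only-replace-with-32-random-bytes"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json_b64(obj: dict) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":")).encode())


def mint_jwt(uid: str, ttl_seconds: int = 900, now: Optional[int] = None) -> str:
    """Issue a compact HS256 JWT: b64url(header).b64url(payload).b64url(signature)."""
    now = int(time.time()) if now is None else now
    signing_input = _json_b64({"alg": "HS256", "typ": "JWT"}) + "." + \
        _json_b64({"sub": uid, "iat": now, "exp": now + ttl_seconds})
    signature = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def verify_jwt(token: str, now: Optional[int] = None) -> Optional[dict]:
    """Return the claims if signature and expiry check out, otherwise None.
    The expected algorithm is pinned here; the token's own alg header is never trusted."""
    now = int(time.time()) if now is None else now
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(_b64url_decode(h64))
        payload = json.loads(_b64url_decode(p64))
        signature = _b64url_decode(s64)
    except ValueError:  # wrong segment count, bad base64, bad JSON
        return None
    if header.get("alg") != "HS256":  # rejects "none" and key-confusion tricks
        return None
    expected = hmac.new(SECRET, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):  # constant-time comparison
        return None
    exp = payload.get("exp")
    if not isinstance(exp, int) or exp <= now:
        return None
    return payload


def bearer_claims(authorization_header: str, now: Optional[int] = None) -> Optional[dict]:
    """Parse 'Authorization: Bearer <jwt>' and verify the token."""
    scheme, _, token = authorization_header.partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return verify_jwt(token.strip(), now)


def demo() -> dict:
    """A valid token, an expired one, a tampered payload, and an alg=none forgery."""
    t0 = 1_700_000_000  # constructed issue time so the run is deterministic
    token = mint_jwt("alice", ttl_seconds=900, now=t0)

    valid = bearer_claims("Bearer " + token, now=t0 + 10)
    expired = verify_jwt(token, now=t0 + 900)

    # Attacker edits the payload but cannot produce a matching signature.
    h64, _, s64 = token.split(".")
    forged_payload = _json_b64({"sub": "admin", "iat": t0, "exp": t0 + 900})
    tampered = verify_jwt(f"{h64}.{forged_payload}.{s64}", now=t0 + 10)

    # Classic attack: set alg to "none" and drop the signature entirely.
    none_header = _json_b64({"alg": "none", "typ": "JWT"})
    alg_none = verify_jwt(f"{none_header}.{forged_payload}.", now=t0 + 10)

    return {"valid_sub": valid["sub"] if valid else None, "expired": expired,
            "tampered": tampered, "alg_none": alg_none}


if __name__ == "__main__":
    print(demo())
```

Two design choices matter for security here: the verifier decides the algorithm (HS256) before looking at the token, so a header claiming alg=none or an asymmetric algorithm is rejected outright, and the signature is compared with hmac.compare_digest so that the check does not leak timing information byte by byte.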
macrozheng
Dedicated to Java tech sharing and dissecting top open-source projects. Topics include Spring Boot, Spring Cloud, Docker, Kubernetes and more. Author’s GitHub project “mall” has 50K+ stars.