Understanding Authentication vs Authorization: JWT, MFA, and Casbin Explained
This article explains the fundamental differences between authentication and authorization, outlines common methods such as single‑factor, two‑factor, and multi‑factor authentication, introduces JWT token generation, and showcases Casbin as a flexible access‑control framework for securing APIs.
Introduction
Before an API request is sent, the client must prove its identity. Different APIs require different authentication mechanisms, such as an API key in the request header or more complex security schemes that protect sensitive data and prevent tampering.
Definitions
Authentication: the process of verifying that a claimed identity is correct.
Authorization: the process of granting permission to perform a specific action on a resource.
An API can authenticate a request without authorizing it.
Authentication
Authentication validates credentials (e.g., username, user ID, password) to confirm the user’s identity. It is typically performed via a login password, but may also involve additional factors.
Three categories of authentication factors are used:
Something you know – passwords, PINs, security questions.
Something you have – hardware tokens, smart cards, mobile OTP apps.
Something you are – biometrics such as fingerprints or facial recognition.
Strong security usually requires at least two of these factors (multi‑factor authentication, MFA).
Single‑factor authentication
The simplest method, typically a username and password. The user provides one credential set to gain access.
Two‑factor authentication (2FA)
Combines a password with a second factor, such as an OTP sent to a mobile device or an ATM PIN. The additional secret makes credential theft significantly harder.
Multi‑factor authentication (MFA)
Uses two or more independent factors from different categories. Financial institutions, banks, and law‑enforcement agencies commonly deploy MFA to protect critical systems.
Example: an ATM card (something you have) plus a PIN (something you know) verifies the card holder’s identity before any transaction.
JWT Authentication
JSON Web Token (JWT) is a widely adopted standard for stateless authentication, especially in Java ecosystems. A JWT consists of three Base64‑URL‑encoded parts: header, payload, and signature.
Signature generation flow :
User sends username and password to the authentication server.
Server validates the credentials and creates a secret key (e.g., a random HMAC secret).
Server builds the JWT header (typically {"alg":"HS256","typ":"JWT"}) and the payload, which may contain a user identifier and an expiration timestamp (exp).
Both header and payload are Base64‑URL‑encoded. The server computes the signature using HMAC‑SHA256:
HMAC‑SHA256(secretKey, Base64UrlEncode(header) + "." + Base64UrlEncode(payload))
The three parts are concatenated with dots to form the JWT token, which is returned to the client.
The client includes the token in the Authorization: Bearer <token> header for subsequent API calls. The token acts as a temporary credential.
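The signing flow above, carried through in code with the matching verification step, as an added example that is not part of the original article. It uses only the Python standard library and assumes a single server-side HMAC secret (the constructed value in the code) rather than a per-user key.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-server-secret-for-demo"  # constructed; load from a secret store in practice

def b64url(data: bytes) -> str:
    # JWTs use Base64url without '=' padding
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_jwt(payload: dict, secret: bytes) -> str:
    # header.payload are Base64url-encoded, then signed with HMAC-SHA256
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def verify_jwt(token: str, secret: bytes, now=None):
    # Returns the payload on success, None on any failure (bad format,
    # unexpected alg, wrong signature, or expired token).
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        if header.get("alg") != "HS256":
            return None  # pin the algorithm; never trust the token's choice
        expected = hmac.new(secret, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s)):
            return None  # constant-time compare against the recomputed signature
        payload = json.loads(b64url_decode(p))
    except ValueError:
        return None
    now = time.time() if now is None else now
    if "exp" in payload and now >= payload["exp"]:
        return None  # token is past its expiration timestamp
    return payload

if __name__ == "__main__":
    token = sign_jwt({"sub": "alice", "exp": int(time.time()) + 300}, SECRET)
    print(token)
    print(verify_jwt(token, SECRET))
```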
Authorization
Authorization determines whether an authenticated principal is allowed to access a specific resource (e.g., a file, database row, or API endpoint). It is evaluated after authentication and can deny access even when the identity is verified.
Analogy: a boarding pass proves identity (authentication), but the airline crew must authorize you to board a particular flight.
Casbin Authorization Framework
Casbin is an open‑source access‑control library that supports multiple models (ACL, RBAC, ABAC, etc.). Its core concepts are:
Model : defines the structure of a policy (e.g., request format {subject, object, action}).
Policy : concrete rules that grant or deny permissions.
Key features:
Custom request format (default {subject, object, action}).
Multi‑level role inheritance for both subjects and objects.
Super‑user support (e.g., root or Administrator) that bypasses policy checks.
Built‑in operators such as keyMatch for pattern‑based resource matching (e.g., /foo/bar matches /foo*).
Summary
Authentication answers “who you are”; authorization answers “what you are allowed to do.” Understanding the distinction is essential for designing secure web services and API ecosystems.