These two words get mixed up all the time. Even experienced developers use them interchangeably. But they are completely different concepts. Getting this wrong in an interview is an instant red flag.
You walk into a hotel. At the front desk, you show your ID and they give you a key card. That is authentication — proving who you are. Now you go to the 5th floor and swipe your card. It opens room 502 but not room 503. That is authorization — what you are allowed to do.
The front desk verified your identity. The key card controls your access. Two different steps. Two different systems. Two different error codes.
| Status Code | Name | Meaning | Real Example |
|---|---|---|---|
| 401 | Unauthorized | Server does not know who you are | No token sent, expired token, invalid credentials |
| 403 | Forbidden | Server knows who you are but says NO | Regular user hitting admin endpoint |
| 200 | OK | Authenticated + authorized — access granted | Admin accessing admin panel |
| 400 | Bad Request | Malformed auth header or missing fields | Sending "Bearer" without a token |
The HTTP spec (RFC 7235) calls 401 "Unauthorized," but what it actually describes is "Unauthenticated": the request lacks valid authentication credentials. This naming mistake has confused developers for decades. Remember: 401 = identity problem. 403 = permission problem.
Key Point: Authentication is the lock on the front door. Authorization is the lock on individual rooms inside. You must pass through the front door first. No authentication = no authorization check even happens.
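The table above maps each outcome to a status code; the example below turns that mapping into a minimal request handler that runs the two checks in the order the text describes: authentication first, authorization only once the caller is known. It is an added example, not code from the original article. The token table, the role policy, the fixed clock value and the paths `/profile` and `/admin` are all constructed for the demo; a real service would pull sessions from its identity provider and rules from its policy store. The one extra detail beyond the table is the `WWW-Authenticate` header, which RFC 7235 requires on every 401 response.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Fixed "current time" so token expiry is deterministic (constructed value).
NOW = 1_700_000_000


@dataclass(frozen=True)
class Session:
    user: str
    role: str
    expires_at: int


# token -> session. Constructed sample data, not real credentials.
SESSIONS: Dict[str, Session] = {
    "tok-alice": Session("alice", "admin", NOW + 3600),
    "tok-bob": Session("bob", "user", NOW + 3600),
    "tok-stale": Session("carol", "admin", NOW - 1),  # already expired
}

# path -> minimum role required. Constructed policy table.
REQUIRED_ROLE: Dict[str, str] = {
    "/profile": "user",
    "/admin": "admin",
}
ROLE_RANK = {"user": 1, "admin": 2}


def authenticate(headers: Dict[str, str]) -> Tuple[int, Optional[Session]]:
    """Step 1: WHO is calling? Returns (status, session).

    200 -> identity established; 401 -> no or invalid credentials;
    400 -> the Authorization header itself is malformed.
    """
    auth = headers.get("Authorization")
    if auth is None:
        return 401, None  # nothing presented at all
    scheme, _, token = auth.partition(" ")
    # "Bearer" with no token, or some other scheme, is a malformed request
    if scheme.lower() != "bearer" or not token.strip():
        return 400, None
    session = SESSIONS.get(token.strip())
    if session is None or session.expires_at <= NOW:
        return 401, None  # unknown or expired token: still an identity problem
    return 200, session


def authorize(session: Session, path: str) -> bool:
    """Step 2: WHAT may this known caller do? Only reached after authentication."""
    required = REQUIRED_ROLE[path]
    return ROLE_RANK[session.role] >= ROLE_RANK[required]


def handle_request(path: str, headers: Dict[str, str]) -> Tuple[int, Dict[str, str]]:
    """Dispatch one request and return (status, response_headers)."""
    status, session = authenticate(headers)
    if status == 401:
        # RFC 7235: a 401 must tell the client which scheme to use
        return 401, {"WWW-Authenticate": 'Bearer realm="api"'}
    if status != 200:
        return status, {}
    if path not in REQUIRED_ROLE:
        return 404, {}
    assert session is not None
    if not authorize(session, path):
        return 403, {}  # we know who you are, and the answer is no
    return 200, {}


if __name__ == "__main__":
    cases = [
        ("/admin", {}),
        ("/admin", {"Authorization": "Bearer"}),
        ("/admin", {"Authorization": "Bearer tok-stale"}),
        ("/admin", {"Authorization": "Bearer tok-bob"}),
        ("/admin", {"Authorization": "Bearer tok-alice"}),
    ]
    for path, hdrs in cases:
        status, resp = handle_request(path, hdrs)
        print(f"{path:9} {hdrs.get('Authorization', '<none>'):17} -> {status} {resp}")
```

Note the ordering inside `handle_request`: a request with no token never reaches `authorize`, so an anonymous caller always sees 401, never 403. Swapping the two checks would leak whether a route is admin-only to callers who have not even proven who they are.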
Q: What is the difference between authentication and authorization? Give a real-world example.
A: Authentication verifies identity — WHO you are. Authorization verifies permissions — WHAT you can do. Example: logging into Gmail is authentication. Being able to read your emails but not your manager's emails is authorization. In APIs, failed authentication returns 401. Failed authorization returns 403. Authentication always happens first — you cannot check permissions if you do not know who the user is.
In interviews, always mention the status codes. Say "401 for authentication failure, 403 for authorization failure." It shows you understand the difference at the HTTP level, not just the concept level.
Key Point: Authentication = who you are (401 on failure). Authorization = what you can do (403 on failure). Authentication always happens first.