Authentication
It establishes who you are: for example, when you log in to a website, the website verifies your email and password.
Authentication is like showing your ID to enter a secure building. When you log in to a website or app, it checks your username and password to confirm that you are who you say you are. Once verified, you’re granted access to your account, just like unlocking a door with a key.
Authentication Under the Hood
It happens on the server. The client sends the login request to the server, the server verifies the credentials and sends back a response. In that response there is a session ID: a unique ID that is stored as a cookie on your local machine and that the server uses to remember who you are. Without the session ID the server can’t remember you, so every time you make a request, the session ID is sent along with the request to the server, and the server looks it up to find the user it belongs to.
Authorization
Permission to do something, for example the difference between a user and an admin; it’s role-based.
Once you’re authenticated, the server authorizes you.
Authorization is like having different levels of access in a building. Once you’re inside, you might have permission to enter certain rooms, but some rooms are restricted for you. It’s role-based: if you are the manager of a hotel, you have access to certain rooms that are off-limits to guests. Similarly, in a web application, authorization determines what actions you’re allowed to take.
Authorization Under the Hood
The client sends a request to the server. For example, suppose that on a website you want to delete something you are not permitted to delete: when you click the button, the request is sent to the server along with the session ID. The server checks whether the user behind that session ID has permission to delete this item; if the user doesn’t, it sends back a response such as “Not permitted”.
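To make both flows concrete, here is a small server-side model of what the two “Under the Hood” sections describe. It is an added example written for this post, not code from the original article: the user records (alice, bob), their passwords, the roles and the “delete” permission are all constructed placeholders. Login verifies a salted password hash and, on success, issues a session ID that is stored server-side and handed to the client as a cookie; later requests carry that cookie back, the server looks the ID up to recover the user, and the role attached to that user decides whether the delete request is allowed or answered with “Not permitted”.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


def _hash_password(password: str, salt: bytes) -> bytes:
    # Passwords are never stored in clear; only a salted, slow hash is kept.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user(username: str, password: str, role: str) -> dict:
    salt = os.urandom(16)
    return {"username": username, "role": role, "salt": salt,
            "hash": _hash_password(password, salt)}


# Constructed user database (hypothetical accounts, not from the article).
USERS = {
    "alice": make_user("alice", "correct horse", "admin"),
    "bob": make_user("bob", "battery staple", "user"),
}

# Server-side session store: session_id -> username. This is how the server
# "remembers who you are"; the client only ever holds the opaque ID.
SESSIONS: Dict[str, str] = {}

# Role-based permissions (constructed for the example).
PERMISSIONS = {"admin": {"read", "delete"}, "user": {"read"}}


@dataclass
class Response:
    status: int
    body: str
    set_cookie: Optional[str] = None


def login(request: dict) -> Response:
    """Authentication: check the credentials and issue a session ID cookie."""
    user = USERS.get(request.get("username", ""))
    if user is None:
        # Hash anyway so an unknown username takes as long as a wrong password.
        _hash_password(request.get("password", ""), b"\x00" * 16)
        return Response(401, "Invalid credentials")
    candidate = _hash_password(request.get("password", ""), user["salt"])
    if not hmac.compare_digest(candidate, user["hash"]):
        return Response(401, "Invalid credentials")
    # A fresh, unguessable ID; the mapping to the user lives only on the server.
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = user["username"]
    cookie = f"session_id={session_id}; HttpOnly; Secure; SameSite=Lax"
    return Response(200, "Logged in", set_cookie=cookie)


def current_user(request: dict) -> Optional[dict]:
    """Resolve the session cookie sent with a request back to a user record."""
    for part in request.get("cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "session_id":
            username = SESSIONS.get(value)
            return USERS.get(username) if username else None
    return None


def delete_item(request: dict, item_id: str) -> Response:
    """Authorization: the session says who you are, the role says what you may do."""
    user = current_user(request)
    if user is None:
        return Response(401, "Not authenticated")
    if "delete" not in PERMISSIONS.get(user["role"], set()):
        return Response(403, "Not permitted")
    return Response(200, f"Deleted {item_id}")


if __name__ == "__main__":
    resp = login({"username": "bob", "password": "battery staple"})
    cookie = resp.set_cookie.split(";")[0]
    print(delete_item({"cookie": cookie}, "doc-1"))   # bob is a user: Not permitted
    resp = login({"username": "alice", "password": "correct horse"})
    cookie = resp.set_cookie.split(";")[0]
    print(delete_item({"cookie": cookie}, "doc-1"))   # alice is an admin: Deleted doc-1
```

Two details worth noticing: a forged or expired session ID simply fails the lookup and the request is treated as unauthenticated (401), while a valid session with the wrong role is a distinct failure (403, “Not permitted”); and the authorization decision is made on the server from the stored role, never from anything the client sends besides the session ID.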