What is the difference between authentication and authorization?

The main idea is that authentication and authorization serve different roles in access control. Authentication verifies identity—proving who you are, such as by entering a password, using a biometric, or presenting a token. Authorization determines what you’re allowed to do once you’re identified, like which resources you can access or which actions you can perform. These steps usually happen in sequence: you prove who you are, then the system checks your permissions.

Options that say logging in is authentication describe part of the process but miss the broader purpose, and saying authorization is simply about determining permissions captures only one side of the picture. Saying the two are interchangeable is incorrect because they are distinct stages with different goals. The strongest phrasing combines both ideas: authentication verifies identity, authorization determines access rights.