Definition

Authorization

Authorization is the process of determining what actions, resources, or data an authenticated user is permitted to access within an application, based on their role, permissions, or other access control rules.

Understanding Authorization

While authentication verifies who a user is, authorization determines what that user can do. A basic example: a regular user can view their own profile, but only an admin can view all user profiles. Authorization controls this distinction by checking permissions before granting access to resources or actions.

Authorization bugs are among the most dangerous defects in web applications. If authorization is not implemented correctly, a regular user might be able to access admin features, view other users' private data, or modify resources they should not be able to touch. These are called broken access control vulnerabilities, and they consistently rank among the top web security risks.

AI-generated code frequently has authorization gaps. The AI might implement authentication correctly but skip or incompletely implement authorization checks. For example, it might restrict access to the admin page in the navigation menu but not on the actual API endpoint, meaning anyone who guesses the URL can access admin functionality. QA testers check for these issues by attempting to access resources they should not be able to reach.
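The gap described above (login works, but the endpoint itself never checks who may act on a resource), as an added example that is not part of this glossary entry: a plain-Python model of an "edit post" endpoint with the authorization check missing beside the corrected one. The User and Post records, the in-memory store and the edit_post_* names are constructed for illustration.

```python
# Added example, not the glossary's own code. User, Post, make_store and the
# edit_post_* names are constructed for illustration of an ownership check.
from dataclasses import dataclass

@dataclass
class User:
    id: int
    role: str = "user"  # "user" or "admin"

@dataclass
class Post:
    id: int
    owner_id: int
    body: str

class Forbidden(Exception):
    """Authenticated but not permitted; a web framework would map this to HTTP 403."""

def make_store() -> dict:
    """Constructed in-memory post table: alice (100) and bob (200) own one post each."""
    return {1: Post(1, 100, "alice's post"), 2: Post(2, 200, "bob's post")}

def edit_post_vulnerable(user: User, post_id: int, body: str, store: dict) -> Post:
    """Authentication only: the caller is logged in, but any post_id is accepted."""
    post = store[post_id]          # no check that this user may touch this post
    post.body = body
    return post

def can_edit(user: User, post: Post) -> bool:
    """Authorization rule enforced on the server, not just hidden in the menu."""
    return user.role == "admin" or post.owner_id == user.id

def edit_post_secure(user: User, post_id: int, body: str, store: dict) -> Post:
    """Same endpoint with an explicit authorization check before any write."""
    post = store[post_id]          # missing post raises KeyError (404)
    if not can_edit(user, post):
        raise Forbidden(f"user {user.id} may not edit post {post_id}")  # 403
    post.body = body
    return post

def attempt(handler, user: User, post_id: int, body: str, store: dict) -> str:
    """QA-style probe: try an edit and report the outcome as a status string."""
    try:
        handler(user, post_id, body, store)
        return "200 edited"
    except Forbidden:
        return "403 forbidden"
    except KeyError:
        return "404 not found"
```

Running `attempt` with a regular user against a post they do not own is exactly the check a tester performs: the vulnerable handler reports "200 edited", the fixed one "403 forbidden" with the post unchanged.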

Example usage

The app had login working perfectly, but any logged-in user could edit any other user's posts just by changing the ID in the URL. Authorization was completely missing.
