← Advanced learning mapbridge lesson · connect

Authentication and permissions

Separate proving identity from deciding what that identity may do.

  • 10 minutes
  • foundation
  • Reviewed 2026-07-16
01

What is it?

API keys and tokens identify a caller. OAuth lets a user or service grant limited access. Scopes and roles define permitted operations.

02

Why does it matter?

A connection that works can still be dangerous. Least privilege reduces the damage from mistakes, leaked credentials, and compromised tools.

03

The mental model

Authentication proves who is asking. Authorization determines what they are allowed to do.

04

A simple example

A reporting workflow receives read-only access to invoices, while a separate approved service account may update payment status.

05

What it is not

Authentication is not encryption, approval, auditing, or input validation. Security is a set of reinforcing controls.

06

Learn this first

These ideas make the lesson easier to place.

  • APIs
  • Accounts and roles
07

Your first 60 minutes

Use one focused hour to make the idea concrete.

  • List identities in one simple integration.
  • Write the minimum operations each identity needs.
  • Compare a broad administrator token with a scoped read-only token.
08

Build this first

Design a credential plan for an order checker: where the token lives, what it can read, how it rotates, and what is logged.

09

When not to use it

Never embed long-lived secrets in browser code, shared documents, URLs, or prompts. Avoid OAuth complexity for a private service-to-service connection when a narrower supported identity fits.

10

What to learn next

Learn tool boundaries and human approvals.