Authentication and permissions
Separate proving identity from deciding what that identity may do.
- 10 minutes
- foundation
- Reviewed 2026-07-16
What is it?
API keys and tokens identify a caller. OAuth lets a user or service grant limited access. Scopes and roles define permitted operations.
Why does it matter?
A connection that works can still be dangerous. Least privilege reduces the damage from mistakes, leaked credentials, and compromised tools.
The mental model
Authentication proves who is asking. Authorization determines what they are allowed to do.
A simple example
A reporting workflow receives read-only access to invoices, while a separate approved service account may update payment status.
What it is not
Authentication is not encryption, approval, auditing, or input validation. Security is a set of reinforcing controls.
Learn this first
These ideas make the lesson easier to place.
- APIs
- Accounts and roles
Your first 60 minutes
Use one focused hour to make the idea concrete.
- List identities in one simple integration.
- Write the minimum operations each identity needs.
- Compare a broad administrator token with a scoped read-only token.
Build this first
Design a credential plan for an order checker: where the token lives, what it can read, how it rotates, and what is logged.
When not to use it
Never embed long-lived secrets in browser code, shared documents, URLs, or prompts. Avoid OAuth complexity for a private service-to-service connection when a narrower supported identity fits.
What to learn next
Learn tool boundaries and human approvals.