Updated Jun 19, 2026

Auth vs Authz (Sessions, JWT, OAuth)

Everyone who builds anything with a login screen ends up here. You've wired up a login form, copy-pasted a JWT library, and clicked "Sign in with Google" a thousand times - and yet if someone asked you to explain, precisely, the difference between authentication and authorization, or whether a JWT is encrypted, or what OAuth actually does, you'd hedge. This is the topic everybody half-understands.

That's not a you-problem. The words look almost identical (authn, authz), the acronyms pile up, and most tutorials hand you working code without ever showing you the moving parts underneath. This guide fixes that. By the end you'll have a clean mental model for each piece and you'll be able to reason about an auth system instead of guessing.

How to read this

  • Need one specific answer right now? Jump to the phase that matches: identity vs permissions is Phase 1, staying logged in is Phase 2, "Sign in with…" is Phase 3.
  • Want it to finally click for good? Read in order. Each phase builds on the last - Phase 1 gives you the vocabulary the other two lean on.

The phases

  1. Authentication vs Authorization - who you are (proving identity) versus what you're allowed to do (permissions). Two different jobs, both required. The passport-vs-ticket mental model.
  2. Keeping You Logged In: Sessions vs Tokens - after login, the server has to remember you. Server-side sessions (an opaque random id the server looks up) versus stateless tokens (a JWT, which is signed so it can't be altered, but is not encrypted: anyone holding it can read the claims), with the honest trade-offs: revocation, size, scaling.
  3. Delegated Access: OAuth & "Sign in with…" - how an app gets limited access to your data without your password, the valet-key mental model, access vs refresh tokens, scopes, and how OAuth (authz) differs from OpenID Connect (authn).
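
The session-versus-token trade-off in Phase 2 is easiest to see with both shapes side by side. The following is an added example, not code from this guide or from any library it recommends; it uses only the Python standard library to mint and verify an HS256-signed JWT, shows that the claims can be read with no key at all, shows that changing a claim breaks the signature, and contrasts that with an in-memory session store that can revoke instantly. The signing key, the claim values, the fixed timestamps and the SessionStore class are all constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed demo key. A real service loads its HMAC key from a secret store
# and rotates it; never hard-code one.
DEMO_KEY = b"demo-hs256-key-do-not-use-in-production"


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as RFC 7515 requires for JWS segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def mint_jwt(claims: dict, key: bytes, ttl_seconds: int = 900,
             now: Optional[int] = None) -> str:
    """Issue an HS256-signed JWT. Only the signature protects integrity;
    the header and payload are readable by anyone who holds the token."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = dict(claims, iat=now, exp=now + ttl_seconds)
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_jwt(token: str, key: bytes, now: Optional[int] = None) -> Optional[dict]:
    """Return the claims if signature and expiry check out, else None.
    The algorithm is pinned server-side: the token's own 'alg' header is
    never trusted to choose how it is verified (rules out alg=none tricks)."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None
    h, p, s = parts
    try:
        header = json.loads(b64url_decode(h))
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        expected = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
        # Constant-time comparison so signature checks don't leak timing.
        if not hmac.compare_digest(expected, b64url_decode(s)):
            return None
        payload = json.loads(b64url_decode(p))
    except ValueError:  # bad base64 or bad JSON
        return None
    if not isinstance(payload, dict):
        return None
    exp = payload.get("exp")
    if not isinstance(exp, int) or exp <= now:
        return None
    return payload


def peek_claims(token: str) -> dict:
    """Read the payload with no key at all: a JWT is encoded, not encrypted."""
    return json.loads(b64url_decode(token.split(".")[1]))


def tamper_claims(token: str, new_claims: dict) -> str:
    """Swap the payload but keep the old signature, as an attacker would try."""
    h, _, s = token.split(".")
    new_p = b64url_encode(json.dumps(new_claims, separators=(",", ":")).encode())
    return f"{h}.{new_p}.{s}"


class SessionStore:
    """Server-side sessions: the client holds only an opaque random id, and the
    server can invalidate it instantly by deleting its record. A JWT has no
    such switch; it stays valid until 'exp' unless you add a denylist."""

    def __init__(self) -> None:
        self._sessions: dict = {}

    def create(self, user: str) -> str:
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"sub": user}
        return sid

    def lookup(self, sid: str) -> Optional[dict]:
        return self._sessions.get(sid)

    def revoke(self, sid: str) -> None:
        self._sessions.pop(sid, None)


if __name__ == "__main__":
    tok = mint_jwt({"sub": "alice", "role": "user"}, DEMO_KEY, now=1_700_000_000)
    print("claims readable without key:", peek_claims(tok))
    forged = tamper_claims(tok, {"sub": "admin", "exp": 1_700_000_900})
    print("forged token accepted?", verify_jwt(forged, DEMO_KEY, now=1_700_000_100) is not None)
```

Two design points worth noticing: the verifier pins `HS256` rather than reading the algorithm from the token, and it compares signatures with `hmac.compare_digest`. Both are things a vetted JWT library does for you, which is the reason to use one in production rather than this hand-rolled version.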

This guide deliberately stops at the concepts and the shapes of things. Picking a specific library, hardening a production login flow, and the deeper cryptography of token signing are their own topics - the goal here is the mental model that makes those next steps make sense. Related reading: How Passwords Are Stored, HTTPS & TLS, What an API Is.