Authorization and Authentication
Authentication and authorization are two separate, but connected, steps used to verify that an application or user has permission to access a different, secured application.
Authentication
Authentication is the process of verifying who is making API calls.
OpenID Connect is used for authentication on web applications, mobile phone apps, embedded web components, online banking portals and other user-centric applications. Using OpenID Connect, users are verified by providing credentials, such as a username and password. Once logged in, users can view the information they have been authorized to access.
Authorization
Authorization determines what actions an entity can perform on the secured application. An entity could be a user, an application or other piece of technology.
For example, individual users accessing an API will have differing entitlements. Each entitlement grants a different permission. An account owner may have permission to view transactions associated with their accounts and permission to schedule transfers from their accounts, but not have permission to delete their account. That action can only be done by an employee.
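The account-owner example above, written as a deny-by-default check. This is an added illustration, not code from the original page or from any product's API. The entitlement strings, `Principal`, `Account` and `authorize` are assumed names, and authentication (for example an OpenID Connect login) is assumed to have already produced the `Principal`.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed entitlement names; the page describes these permissions only in prose.
VIEW, TRANSFER, DELETE = "transactions:view", "transfers:schedule", "account:delete"

# Role -> entitlements, following the page's account-owner / employee example.
ROLE_ENTITLEMENTS = {
    "account_owner": frozenset({VIEW, TRANSFER}),
    "employee": frozenset({DELETE}),
}
# Entitlements that apply only to accounts the caller owns ("their accounts").
OWNER_SCOPED = frozenset({VIEW, TRANSFER})


@dataclass(frozen=True)
class Principal:
    """Identity established by authentication (assumed to have happened upstream)."""
    subject: str
    role: str


@dataclass(frozen=True)
class Account:
    account_id: str
    owner: str


def authorize(principal: Optional[Principal], action: str, account: Account) -> str:
    """Return 'unauthenticated', 'forbidden' or 'allowed' for one request."""
    # Authentication comes first: without a verified identity there is nothing to authorize.
    if principal is None:
        return "unauthenticated"
    # Deny by default: unknown roles and unlisted actions grant nothing.
    granted = ROLE_ENTITLEMENTS.get(principal.role, frozenset())
    if action not in granted:
        return "forbidden"
    # Object-level check: an owner's entitlements cover only their own accounts.
    if action in OWNER_SCOPED and account.owner != principal.subject:
        return "forbidden"
    return "allowed"


if __name__ == "__main__":
    alice = Principal("alice", "account_owner")   # constructed sample identities
    own, other = Account("A-1", "alice"), Account("B-1", "bob")
    for action, acct in [(VIEW, own), (VIEW, other), (DELETE, own)]:
        print(action, acct.account_id, authorize(alice, action, acct))
```

The second request is refused even though the caller holds the view entitlement, because the entitlement alone does not establish that the account is theirs.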