Hey There! Daniel from Permit.io here. Welcome to our Substack 👋
We’ll be using this Substack to dive into the intricate world of Identity and Access Management (IAM), share tips, insights, resources, and (hopefully) relatable memes 😉
Now that only the cool people are here - let’s kick things off with a topic that might sound rather basic, but you’d be surprised how much confusion it can actually cause. We're talking Authentication vs. Authorization. While both are fundamental components in every application, many developers find it hard to draw an exact line between the two.
Tackling this issue, we’ve not only rewritten our comprehensive guide to AuthN vs. AuthZ, but also ended up making a comic strip that we think illustrates the frustration this question can cause.

Publishing the comic on Reddit only sparked further debate about the difference between the two, resulting in a bit of a race for “best definition of AuthN vs. AuthZ”, alongside some pretty funny responses.
One of the more annoying issues in this topic is the mislabeled HTTP error codes, 401 vs. 403: the 401 status is named “Unauthorized” even though it signals an authentication error 🤦. So, we’ve thrown together a short guide to make it easier for you to tell the two apart.
Understanding the difference between the two is one thing, but the real challenge is implementing these concepts in your API layer. This is the critical juncture where Authentication and Authorization should be carefully and distinctly applied. To make it easier for you, we’ve assembled some best practices to create secure authentication and authorization in APIs.
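To make the 401 vs. 403 split concrete, here is an added example (not Permit.io's code and not taken from the linked guides) of an API handler that runs authentication and authorization as two separate steps. The signed token format, the `SECRET` key, the `PERMISSIONS` table and all function names are assumptions constructed for illustration; a real API would use a vetted token format and a policy engine instead.

```python
import hashlib
import hmac

# Constructed sample data for this example (not from any real system).
SECRET = b"demo-signing-key"
PERMISSIONS = {
    "alice": {("read", "report"), ("delete", "report")},
    "bob": {("read", "report")},
}

def issue_token(user):
    """Sign the user name so the server can later verify who is calling."""
    sig = hmac.new(SECRET, user.encode(), hashlib.sha256).hexdigest()
    return f"{user}.{sig}"

def authenticate(headers):
    """AuthN: who is the caller? Returns the user name, or None if unproven."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    user, _, sig = token.rpartition(".")
    if scheme != "Bearer" or not user:
        return None
    expected = hmac.new(SECRET, user.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so the check does not leak how much matched.
    ok = hmac.compare_digest(sig.encode(), expected.encode())
    return user if ok else None

def authorize(user, action, resource):
    """AuthZ: is this already-identified caller allowed to do this?"""
    return (action, resource) in PERMISSIONS.get(user, set())

def handle(headers, action, resource):
    """Return (status, response_headers) for a request."""
    user = authenticate(headers)
    if user is None:
        # 401 "Unauthorized" really means unauthenticated. RFC 9110 requires
        # a WWW-Authenticate challenge so the client knows how to log in.
        return 401, {"WWW-Authenticate": 'Bearer realm="api"'}
    if not authorize(user, action, resource):
        # 403: identity is established but permission is missing.
        # Sending the same credentials again will not change the answer.
        return 403, {}
    return 200, {}
```

A forged or missing token stops at the first step with 401, while a valid token for a user who lacks the permission reaches the second step and gets 403.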
If you want a deeper dive into the subject and prefer a video over reading a guide, we also have a recording of our latest webinar with James Perkins (Unkey) and Viktor Gamov (Startree) talking about Auth in APIs - From AuthN to AuthZ.
Feeling ready to implement some top-notch authentication and authorization in your application? Check out our list of 12 outstanding open source Auth tools, ranging from AuthN with Hanko to AuthZ with OPAL, and from OAuth Server with Ory Hydra to Zero Trust with OpenZiti. We can't wait to see the amazing things you'll create with these resources!
Want to support our open-source project? Give OPAL a star on GitHub, and join our Slack Community!
Finally, make sure to subscribe to our Substack for more insightful updates. Share this with your friends and invite them to join our growing community! 🌟
See you next time!
Check, the Dog and Permit.io team