# Authentication vs Authorization

Status: public
Confidence: high (0.875) (verified)
Last verified: 2026-06-02
Generation: ai_structured

## TL;DR

Authentication establishes who or what is making a request. Authorization determines what that authenticated party is allowed to do. Modern identity systems usually combine authenticators, sessions or tokens, and authorization policy checks.

## Core Explanation

NIST authentication guidance focuses on authenticators and assurance levels. OAuth 2.0 is an authorization framework for delegated access to HTTP services, while OpenID Connect layers identity assertions on top of OAuth 2.0. Role-based access control is one common authorization model: users are assigned to roles, and roles carry permissions.

## Further Reading

- [NIST SP 800-63B](https://pages.nist.gov/800-63-4/sp800-63b.html)
- [RFC 6749 - The OAuth 2.0 Authorization Framework](https://datatracker.ietf.org/doc/html/rfc6749)
- [NIST Role Based Access Control](https://csrc.nist.gov/projects/role-based-access-control)

## Related Articles

- [AI for Digital Forensics: Deepfake Provenance, Evidence Authentication, and Digital Crime Investigation](../../ai/ai-digital-forensics.md)
- [AI Identity Verification: Document Authentication, Liveness Detection, and KYC Compliance](../../ai/ai-identity-verification.md)
- [JWT: JSON Web Tokens - Authentication, Claims, and Security](../jwt-json-web-tokens-authentication-claims-and-security.md)
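
The split described under Core Explanation, as an added example that is not part of the original article: a request is first authenticated (is the token genuine?) and only then authorized through a role-based check (does one of the caller's roles carry the permission?). The key, users, roles, permission names, the HMAC token format and the 401/403 status mapping are all assumptions made for illustration.

```python
import hashlib
import hmac
from typing import Optional

# Constructed demo data: key, users, roles and permissions are hypothetical.
SECRET_KEY = b"demo-key-not-for-production"
USER_ROLES = {"alice": {"editor"}, "bob": {"viewer"}}
ROLE_PERMISSIONS = {
    "viewer": {"report:read"},
    "editor": {"report:read", "report:write"},
}


def issue_token(user: str) -> str:
    """Stand-in for a login step: bind the user name to an HMAC tag."""
    tag = hmac.new(SECRET_KEY, user.encode(), hashlib.sha256).hexdigest()
    return f"{user}.{tag}"


def authenticate(token: str) -> Optional[str]:
    """Authentication: who is calling? Returns the user name or None."""
    user, sep, tag = token.rpartition(".")
    if not sep or user not in USER_ROLES:
        return None
    expected = hmac.new(SECRET_KEY, user.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking how much of the tag matched.
    ok = hmac.compare_digest(tag.encode(), expected.encode())
    return user if ok else None


def authorize(user: str, permission: str) -> bool:
    """Authorization (RBAC): does any of the user's roles carry the permission?"""
    return any(permission in ROLE_PERMISSIONS.get(role, set())
               for role in USER_ROLES.get(user, set()))


def handle_request(token: str, permission: str) -> int:
    """HTTP-style status: 401 = identity not proven, 403 = proven but not allowed."""
    user = authenticate(token)
    if user is None:
        return 401
    if not authorize(user, permission):
        return 403
    return 200


if __name__ == "__main__":
    print(handle_request(issue_token("alice"), "report:write"))  # editor role
    print(handle_request(issue_token("bob"), "report:write"))    # viewer role
    print(handle_request("bob.forged", "report:write"))          # bad tag
```

Keeping the two checks in separate functions means a valid token never implies permission, and a permission lookup is never reached for an unproven identity.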