VCA

Auth

Auth answers two questions: who are you (authentication) and what can you do (authorization).

Updated 1 min readEditorial policy#System Basics#Security#Login
Part ofCRM PathSaaS Path

In one sentence

Auth handles 'who you are' and 'what you can do' — the first door of system security.

In Plain Language

Auth is really two things combined: Authentication is "proving you are you" — entering a username and password, or logging in with Google; Authorization is "deciding what you can do" — for example, a regular user can't enter the admin panel.

After a successful login, the system issues you a "pass" (a token or session). Every later request carries it, so the system knows it's you without asking for your password again. This pass must have an expiry and be revocable, or it's dangerous if stolen.

Architecture

How It Flows

The Mistakes That Cause Real Breaches

Most auth disasters aren't exotic — they come from a handful of repeated mistakes:

  • Trusting the frontend's check — hiding the admin button but leaving the backend endpoint open, so anyone who calls it directly gets in.
  • Tokens with no expiry or no way to revoke them — a stolen pass then works forever.
  • Storing passwords in plain text — one database leak exposes every account at once (passwords should be hashed).
  • Forgetting the authorization check on a single endpoint — one route that skips "are you allowed?" is all an attacker needs.

Common misconception: that a working login means auth is done. Logging in only answers "who are you" (authentication); every sensitive action still needs a separate "are you allowed?" check (authorization) on the backend — and the pass (token) needs an expiry and a way to revoke it, or a stolen one stays valid forever.

Key Takeaways

  • Auth = authentication (who you are) + authorization (what you can do).
  • After login, a token/session acts as the pass — with expiry and revocation.
  • Authorization checks must be on the backend; hiding buttons on the frontend is not security.

An everyday analogy

Like entering an office: badge in to prove you're an employee (authentication), then the access system decides which floors you can enter (authorization).

Pros

  • Protects user data from being seen or tampered with by others
  • Controls what different people can do by role
  • Mature standard practices; AI can produce secure templates

Cons

  • Get it wrong and it's a security hole with serious consequences
  • Concepts like tokens and sessions are abstract for beginners

Good for

  • Systems with members, admin panels, or paid features
  • Platforms with multiple collaborators and permission tiers

Not for

  • Fully public static sites with no personal data

Beginner scorecard

Beginner-friendly
2/5
Learning cost(higher = more cost)
4/5
Market demand
5/5
AI-generation friendly
4/5

Frequently asked questions

What’s the difference between authentication and authorization?

Authentication is “who are you” (verifying identity, like logging in); authorization is “what may you do” (checking permissions, like whether you can delete someone else’s data). You need both.

Should I store user passwords myself?

Avoid it if you can. Prefer OAuth (“log in with Google/GitHub”) or a mature auth service. If you must store them, passwords have to be hashed (e.g. bcrypt) — never in plain text.

Which is safer, JWT or sessions?

Both are safe; they differ in how you manage them — sessions are easy to revoke instantly, JWTs suit stateless scaling. As a beginner, use your platform’s built-in solution and don’t invent your own auth.

Next in CRM Path: Login with AI

Next in SaaS Path: Keys & secrets