API Boundaries: Authentication vs Authorization

Separate authentication from authorization and apply both to a learning platform API.

The lesson is public. The pressure loop lives inside the app where submissions, revision, and AI review happen.

A technical readiness brief and first backend boundary review.

Each lesson contributes to a week-level artifact and eventually to the shipped AI-native SaaS.

This lesson teaches a boundary that every serious SaaS depends on: proving who the caller is versus deciding what that caller may do.

Production systems fail quietly when auth and authorization are mixed. You either block valid work or, worse, allow privileged actions to untrusted users because “the user is logged in” felt sufficient.

Authentication is identity. Authorization is policy. API handlers should first establish principal, then evaluate policy, then perform business logic.

A route should never infer privilege from convenience. Auth verifies a session, token, or credential. Authz evaluates resource ownership, role, feature flag, or approval state. Mature systems make these checks obvious in code because ambiguity invites abuse. This matters even more in AI systems, where generated handlers often skip the policy layer entirely.

In a learning platform, `POST /submissions` requires an authenticated learner, but `POST /admin/reviews` requires a founder or staff reviewer. Both routes may use the same session primitive, yet their policy checks are completely different. A good design states those checks explicitly, not by implication.

Common failures include “logged in means allowed”, checking role but not resource ownership, and pushing policy into the frontend where it can be bypassed.

Better Auth Documentation

Use this for identity primitives and auth flow expectations.

OWASP Access Control

Anchor the lesson in a real security failure category.

Cloudflare Zero Trust Concepts

Connect policy thinking to perimeter and application access.