Authentication
What is auth (authentication)?
Auth, short for authentication, is the process of verifying that a user, device, or service is who it claims to be before granting access to an application. In practice “auth” covers the whole identity layer: authenticating users, managing sessions and tokens, and authorizing what each identity can do.
Authentication vs. authorization
The two halves of auth are often confused. Authentication answers “who are you?” — proving identity with passwords, passkeys, magic links, or an external identity provider. Authorization answers “what can you do?” — enforcing permissions through models like role-based access control (RBAC) or fine-grained authorization.
A complete auth system does both on every request: it establishes a trusted identity, then checks that identity against the policies protecting each resource. Getting either half wrong is a security incident, which is why most teams delegate auth to a dedicated platform rather than rebuilding it per app.
How modern auth works
Today most applications delegate auth to a dedicated platform. A user signs in through a standards-based flow — OAuth 2.0, OpenID Connect, or SAML for enterprise SSO — and the platform returns a signed token the app can trust on subsequent requests.
From there the platform manages sessions, token refresh and revocation, multi-factor authentication (MFA), passwordless login, and multi-tenant isolation for B2B products. This lets teams ship secure login in hours instead of maintaining a security-critical subsystem themselves.
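The per-request flow described above (verify the signed token, then check the identity against policy) as an added example; it is not code from any auth platform. It assumes an HS256 JWT verified with a shared secret so that it runs on the standard library alone, whereas hosted platforms commonly sign with asymmetric keys; `SECRET`, `ROLE_PERMISSIONS` and all function names are hypothetical.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-secret"           # assumption: shared HS256 key
ROLE_PERMISSIONS = {                          # hypothetical RBAC policy
    "admin": {"invoice:read", "invoice:write"},
    "viewer": {"invoice:read"},
}

def b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def issue_token(claims):
    """Stand-in for the auth platform: sign the claims as an HS256 JWT."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"

def authenticate(token, now=None):
    """Authentication: return the claims only if signature and expiry hold."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        if header.get("alg") != "HS256":      # pin the algorithm; rejects "none"
            raise ValueError("unexpected alg")
        expected = hmac.new(SECRET, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            raise ValueError("bad signature")
        claims = json.loads(b64url_decode(body_b64))
        if claims.get("exp", 0) <= (time.time() if now is None else now):
            raise ValueError("token expired")
    except (ValueError, TypeError, AttributeError) as exc:
        raise PermissionError(f"authentication failed: {exc}") from None
    return claims

def authorize(claims, permission):
    """Authorization: does the authenticated identity's role grant this?"""
    return permission in ROLE_PERMISSIONS.get(str(claims.get("role")), set())

def handle_request(token, permission, now=None):
    """Per-request flow: 401 if identity is unproven, 403 if not permitted."""
    try:
        claims = authenticate(token, now)
    except PermissionError:
        return 401
    return 200 if authorize(claims, permission) else 403
```

A token whose role claim was edited after signing fails at `authenticate` and yields 401, while a valid token for a role lacking the permission passes authentication and yields 403.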
Auth in the AI era
AI agents and MCP servers now act on behalf of users, which extends auth beyond human login. Authenticating an agent, scoping exactly what it is permitted to do, and auditing every action it takes are becoming core parts of the identity layer — a category often called agentic or non-human identity.
Frequently asked questions
- What is the difference between authentication and authorization?
  Authentication verifies who a user is (identity). Authorization decides what that authenticated user is allowed to do (access). Auth systems handle both: they confirm identity, then enforce permissions on every request.
- What is an authentication API?
  An authentication API lets developers add login, session management, and token issuance to an app without building the security layer themselves. It exposes endpoints for sign-up, sign-in, token refresh, and logout, and handles protocols like OAuth 2.0 and OpenID Connect.
- What is auth vs OAuth?
  “Auth” is the general term for authentication and authorization. OAuth 2.0 is a specific open standard for authorization — it defines how an app obtains scoped access to a resource on a user's behalf, without handling the user's password directly.