Authentication vs authorization: what’s the difference?

Answer

**Authentication** verifies who the user is (login). **Authorization** verifies what the user can do (permissions). A common pattern: authenticate once (session/JWT), then authorize on every request using roles/permissions/policies. **Interview tip:** mention least privilege and that authorization must be enforced server-side regardless of frontend checks.
