← Back to all blogs

Blog

Authentication and Authorization for Backend Engineers

May 22, 2026saif

Most developers use authentication every day, but very few truly understand how JWT, OAuth, sessions, and authorization actually work behind the scenes. This blog breaks down the complete evolution of modern authentication systems in the simplest way possible.

Every day, without even thinking about it, we interact with authentication systems. We log into social media platforms, unlock our phones, access banking apps, and sign into developer dashboards. Behind every “Login” button lies one of the most important concepts in modern computing: authentication and authorization.

Although these two terms are often used together, they solve very different problems.

Authentication answers the question:

“Who are you?”

Authorization answers the question:

“What are you allowed to do?”

Together, they form the security foundation of modern software systems.

Understanding Authentication

Authentication is the process of verifying identity.

When you enter your email and password into a website, the system checks whether you are really the person you claim to be. If the credentials are correct, the system assigns you an identity within that platform.

This identity could exist in many contexts:

  • A web application
  • A mobile app
  • An operating system
  • A cloud service
  • A company network

Authentication simply establishes trust between a user and a system.

The Origins of Authentication

Authentication did not begin with computers. Its roots go back to early human societies.

In pre-industrial communities, identity was based almost entirely on trust and recognition. If a respected village elder vouched for someone, that person was accepted. Deals were sealed with handshakes because communities were small and people knew each other personally.

This form of authentication was implicit. Identity came from familiarity.

But as societies expanded, this approach stopped working. Trust could not scale across cities, countries, and civilizations. People needed explicit proof of identity.

That need led to one of the earliest authentication systems: seals.

Seals and the Birth of Cryptographic Thinking

During medieval times, wax seals became a common method of verifying authenticity.

Kings, merchants, and officials used unique seal patterns on letters and agreements. These seals acted like signatures. If someone possessed the correct seal, they could prove legitimacy.

In many ways, these seals were the first authentication tokens.

But they had weaknesses. Forgery became common. Attackers could imitate seals and bypass trust systems. This was an early version of what we now call authentication bypass attacks.

As a result, societies started developing stronger verification methods such as:

  • Watermarks
  • Encoded markings
  • Secret symbols
  • Encrypted trade codes

This was the beginning of cryptographic thinking.

Passwords and Shared Secrets

During the Industrial Revolution, communication systems evolved rapidly. One major invention was the telegraph.

Because telegraphs carried sensitive information, operators needed ways to validate messages securely. They started using pre-agreed passphrases — an early form of passwords.

This introduced a major shift in authentication philosophy.

Earlier systems relied on:

Something you possess

Now authentication relied on:

Something you know

This principle still powers most authentication systems today.

The Digital Era of Authentication

As computers emerged in the twentieth century, authentication entered its first digital phase.

In the early 1960s, researchers working on multi-user computer systems introduced passwords to separate users and protect their data.

Initially, passwords were stored in plain text files. This turned out to be a massive security vulnerability. Once someone printed the password file directly from the system, the dangers became obvious.

This incident led to one of the most important security concepts in computing:

Passwords should never be stored in plain text.

Instead, systems started using hashing algorithms.

Hashing and Secure Password Storage

Hashing transforms a password into a fixed-length cryptographic representation.

For example:

  • The same password always produces the same hash
  • Different passwords produce different hashes
  • The original password cannot easily be recovered from the hash

Modern systems store hashed passwords instead of raw passwords.

When a user logs in:

  1. The provided password is hashed
  2. The system compares it with the stored hash
  3. If they match, authentication succeeds

This became the standard approach for password security.

Sessions and Stateful Authentication

As the internet evolved, websites became interactive.

Users no longer just viewed static pages. They:

  • Added products to carts
  • Stayed logged in
  • Switched between pages
  • Performed continuous interactions

But HTTP had a problem.

HTTP is stateless.

That means every request is independent. The server does not automatically remember previous interactions.

To solve this, developers introduced sessions.

A session creates temporary server-side memory for a user.

The flow usually works like this:

  1. User logs in
  2. Server creates a session ID
  3. Session data is stored on the server
  4. The session ID is sent back to the client
  5. Future requests include the session ID

This allowed websites to remember users between requests.

Over time, session storage evolved:

  • File-based storage
  • Database-backed sessions
  • Distributed in-memory systems like Redis

Sessions are still widely used today.

JWT and Stateless Authentication

As applications became globally distributed, session systems started facing scalability problems.

Maintaining session data for millions of users became expensive. Synchronizing sessions across servers introduced latency and complexity.

This led to the rise of JWTs (JSON Web Tokens).

JWTs are self-contained authentication tokens.

A JWT typically contains:

  • User identity
  • Roles and permissions
  • Metadata
  • Cryptographic signatures

Instead of storing session data on the server, the token itself carries the necessary information.

The server verifies the token’s signature and trusts its contents.

This introduced stateless authentication.

How JWT Authentication Works

JWT authentication follows a simple but powerful flow.

+-------------------+
|       User        |
+-------------------+
          |
          | 1. Login Request
          |    (email + password)
          v
+-------------------+
|      Server       |
+-------------------+
          |
          | 2. Validate Credentials
          |
          | 3. Generate JWT
          v
+-------------------+
|   JWT Token       |
|-------------------|
| Header            |
| Payload           |
| Signature         |
+-------------------+
          |
          | 4. Send JWT to Client
          v
+-------------------+
|      Browser      |
|  Stores JWT       |
| (cookies/local    |
|   storage etc.)   |
+-------------------+
          |
          | 5. Future Requests
          |    Authorization:
          |    Bearer <JWT>
          v
+-------------------+
|      Server       |
+-------------------+
          |
          | 6. Verify Signature
          |    & Validate Token
          |
          | 7. Grant Access
          v
+-------------------+
| Protected Routes  |
| /profile          |
| /dashboard        |
| /admin            |
+-------------------+

Understanding the Structure of JWT

A JWT contains three parts:

HEADER.PAYLOAD.SIGNATURE

Example:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9
.
eyJ1c2VySWQiOiIxMjMiLCJyb2xlIjoiYWRtaW4ifQ
.
SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

Header

The header contains metadata about the token.

Example:

{
  "alg": "HS256",
  "typ": "JWT"
}

This tells the server:

  • Which algorithm is used
  • That the token is a JWT

Payload

The payload contains claims or user information.

Example:

{
  "userId": "123",
  "role": "admin"
}

It may include:

  • User ID
  • Roles
  • Permissions
  • Expiration time

Signature

The signature is used to verify token integrity.

The server generates it using:

Header + Payload + Secret Key

If someone modifies the payload, the signature becomes invalid.

This ensures the token is tamper-proof.

Why JWT Became Popular

JWT solved several major problems of traditional session systems.

Stateless Authentication

Servers no longer need to store session data for every user.

Better Scalability

JWT works extremely well in distributed architectures and microservices.

Lightweight

JWTs can easily travel through HTTP headers.

Cross-Service Authentication

Multiple services can verify the same token independently.

Problems with JWT

JWT also introduced several trade-offs.

Token Revocation

Once a JWT is issued, it usually remains valid until expiration.

If a token gets stolen, invalidating it immediately becomes difficult.

Security Risks

Improper token storage can expose systems to:

  • XSS attacks
  • Token theft
  • Replay attacks

Hybrid JWT Systems

Many applications solve these issues using hybrid architectures.

They combine:

  • Stateless JWT authentication
  • Stateful blacklist storage using Redis or databases

This allows systems to revoke compromised tokens while still benefiting from JWT scalability.

API Keys and Machine-to-Machine Communication

Authentication is not limited to humans.

Modern applications also need secure communication between servers.

This is where API keys become useful.

An API key is a secret identifier used by applications or machines to authenticate themselves.

For example:

  • Backend services calling AI APIs
  • Payment gateway integrations
  • Third-party cloud services
  • Internal microservices

API keys are especially useful for machine-to-machine communication because they avoid complicated login workflows.

OAuth and Delegated Authorization

As the internet expanded, users started facing another major problem:

Too many passwords.

At the same time, applications needed access to resources from other platforms.

Examples include:

  • A travel app reading flight emails
  • A social media app importing contacts
  • A note-taking app accessing cloud storage

Initially, users solved this by sharing passwords.

This was extremely dangerous because it granted full account access.

OAuth solved this issue using delegation.

Instead of sharing passwords, users grant limited permissions through tokens.

OAuth introduced four important actors:

  • Resource Owner
  • Client Application
  • Resource Server
  • Authorization Server

This allowed applications to access only the resources they were permitted to access.

OAuth 2.0 and OpenID Connect

OAuth evolved into OAuth 2.0, which simplified implementation and introduced multiple authorization flows.

Examples include:

  • Authorization Code Flow
  • Client Credentials Flow
  • Device Code Flow

OAuth 2.0 focused primarily on authorization.

Authentication still required improvement.

That led to OpenID Connect (OIDC).

OIDC extended OAuth 2.0 by introducing ID Tokens, usually implemented using JWTs.

This enabled modern authentication experiences like:

  • Sign in with Google
  • Sign in with Facebook
  • Sign in with Discord

Applications could now both:

  • Authenticate users
  • Request resource access

using standardized protocols.

Understanding Authorization

Authentication proves identity.

Authorization determines permissions.

Imagine a note-taking platform.

Normal users may be able to:

  • Create notes
  • Edit notes
  • Delete notes

Administrators, however, may also:

  • Access deleted data
  • Restore notes
  • Manage users
  • View system analytics

Authorization systems ensure that users only access what they are allowed to access.

This is commonly implemented using:

  • Roles
  • Permission systems
  • Access control lists
  • Policy-based access control

Without authorization, every authenticated user could potentially access sensitive operations.

Security Lessons Every Backend Engineer Should Know

Authentication systems are not just about logging users in. They are also about minimizing information leakage.

One common mistake is detailed error messages.

For example:

  • “User not found”
  • “Incorrect password”

Although these messages help legitimate users, they also help attackers.

A safer approach is using generic responses such as:

“Authentication failed.”

Another subtle issue is timing attacks.

Different authentication paths may take different amounts of time to execute. Skilled attackers can analyze response timing to infer whether usernames or passwords are valid.

Secure systems attempt to minimize these timing differences.

The Future of Authentication

Authentication systems continue to evolve rapidly.

Modern trends include:

  • Passwordless authentication
  • Biometrics
  • Hardware security keys
  • Zero-trust architectures
  • Decentralized identity systems

The industry is gradually moving away from traditional passwords toward stronger and more user-friendly systems.

Final Thoughts

Authentication and authorization are among the most fundamental concepts in software engineering.

From handshakes in ancient villages to cryptographic tokens in distributed cloud systems, the evolution of authentication reflects humanity’s continuous effort to establish trust at scale.

Every login form, session token, JWT, API key, OAuth flow, and permission check is part of a much larger system designed to answer two simple questions:

Who are you?

and

What are you allowed to do?

For backend engineers, understanding these concepts is not optional.

It is essential.