Authentication
aw-then-tih-KAY-shun
The process of verifying who a user is, typically through credentials like a password or token.
Authentication answers one question: who are you? When you type your email and password into a login form, the system checks your credentials against its database. If they match, you are authenticated. The system knows your identity. This is distinct from authorization, which determines what you are allowed to do once your identity is confirmed.
Modern authentication goes far beyond passwords. Multi-factor authentication (MFA) adds a second verification: a code from your phone, a fingerprint, or a hardware security key. OAuth lets you authenticate with Google or GitHub instead of creating another password. Passwordless authentication sends a magic link to your email or uses biometrics. Each method strikes a different balance between convenience and security.
For developer tools, authentication is table stakes. Every API needs to verify that requests come from legitimate users. JWTs (JSON Web Tokens) are the most common mechanism: after login, the server issues a signed token that the client sends with every subsequent request. The server verifies the signature without hitting the database. This is how Supabase, Firebase, and Auth0 handle authentication for millions of applications.
Examples
A SaaS product implements authentication from scratch.
The team uses Supabase Auth. Users sign up with email and password. Supabase hashes the password with bcrypt, stores it securely, and issues a JWT on login. The frontend stores the JWT and includes it in every API request. The backend verifies the JWT signature on each request. Adding Google OAuth takes 30 minutes: configure the provider in Supabase, add a 'Sign in with Google' button, and handle the callback. No custom auth code needed.
A company adds multi-factor authentication after a breach.
An attacker gains access to several accounts using credentials from a data breach on another site (credential stuffing). The company mandates MFA for all users. After enabling MFA, users enter their password and then a 6-digit code from an authenticator app. The credential stuffing attacks drop to zero because stolen passwords alone are no longer sufficient.
An API authenticates requests using API keys.
The developer platform issues API keys to each user. Every API request includes the key in the Authorization header. The server validates the key, associates it with the user's account, and applies rate limits and permissions. When a key is compromised, the user regenerates it in the dashboard. The old key stops working immediately. No password reset required.
Frequently asked questions
What is the difference between authentication and authorization?
Authentication verifies identity: who are you? Authorization verifies permissions: what are you allowed to do? Authentication happens first. You prove you are Jane (authentication). Then the system checks if Jane has permission to delete this project (authorization). A bouncer checking your ID is authentication. The bouncer checking if you are on the VIP list is authorization. They are separate concerns and should be implemented separately.
Should I build my own authentication system?
Almost certainly not. Authentication has too many ways to go wrong: password hashing, token management, session expiration, CSRF protection, brute force prevention, MFA, OAuth flows, and security patching. Use an established service like Supabase Auth, Auth0, Clerk, or Firebase Auth. They handle the hard parts. You focus on your product. The only reason to build custom auth is if you have specific compliance requirements that no existing service meets, and even then, think twice.
Related terms
Authorization: The process of determining what actions or resources an authenticated user is allowed to access.
OAuth: An open standard that lets users grant third-party apps limited access to their accounts without sharing passwords.
SSO: Single sign-on, one login that grants access to multiple applications without signing in separately to each.
API key: A unique string that identifies and authenticates an application or user when making API requests.
API: Application programming interface, a defined way for software programs to communicate with each other.