Glossary: Authorization
Authorization is the process of determining if a client — an end user, application, or device — has permission to access a specific resource or perform a particular action. It answers the question "What are you allowed to do?"
The authorization process usually takes place along with authentication. The client’s identity is verified, after which their permissions are determined.
These are the most common authorization mechanisms used by APIs:
- API key / API key + secret: These authentication methods can also act as authorization methods; the assumption is that if a client is known to the API, it has permission to access the API. This approach doesn’t have any granularity of permissions unless the API uses a mechanism like an access control list.
- OAuth 2: An open standard for authorization that grants client applications limited access to an end user's information without exposing their passwords. It is widely adopted for securing API access and is particularly popular in scenarios involving third-party integrations, where an end user grants a third-party application access to their resources hosted by another service.
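The difference between the two mechanisms above is easiest to see in code. The following is an added example written for this glossary entry, not code from any particular API product: it authenticates a client by API key and secret, then authorizes the same request first with the key alone (any known client may do anything) and then against an access control list, and finishes with an OAuth 2 style scope check. The key store, ACL, tokens, scopes and resource paths are constructed sample data, and storing a SHA-256 digest of the secret rather than the secret itself is an assumption of this example.

```python
"""Authorization for API clients: API key alone, API key plus ACL, and OAuth 2 scopes.
Example code added to illustrate the glossary entry; all data below is constructed."""
import hashlib
import hmac

# Constructed key store: key id -> SHA-256 hex digest of the client's secret
# (assumption: the server keeps a digest, never the plaintext secret).
KEY_STORE = {
    "key-reporting": hashlib.sha256(b"s3cret-reporting").hexdigest(),
    "key-admin": hashlib.sha256(b"s3cret-admin").hexdigest(),
}

# Constructed access control list: key id -> resource -> permitted actions.
ACL = {
    "key-reporting": {"/reports": {"read"}},
    "key-admin": {
        "/reports": {"read", "write"},
        "/users": {"read", "write", "delete"},
    },
}

# Constructed OAuth 2 access tokens -> scopes granted by the end user
# (what a resource server learns by decoding or introspecting the token).
TOKENS = {
    "tok-third-party-app": {"reports:read"},
    "tok-first-party-app": {"reports:read", "reports:write", "users:read"},
}


def authenticate(key_id: str, secret: str) -> bool:
    """Authentication step: is this client known to the API?"""
    stored = KEY_STORE.get(key_id)
    if stored is None:
        return False
    presented = hashlib.sha256(secret.encode()).hexdigest()
    # Constant-time comparison so the check does not leak the digest via timing.
    return hmac.compare_digest(stored, presented)


def authorize_key_only(key_id: str, secret: str, resource: str, action: str) -> bool:
    """API key as the only authorization: any known client may do anything.
    resource and action are accepted but never consulted; that is the missing
    granularity the glossary entry describes."""
    return authenticate(key_id, secret)


def authorize_with_acl(key_id: str, secret: str, resource: str, action: str) -> bool:
    """API key plus ACL: verify identity first, then look up permitted actions."""
    if not authenticate(key_id, secret):
        return False
    return action in ACL.get(key_id, {}).get(resource, set())


def authorize_with_scope(token: str, required_scope: str) -> bool:
    """OAuth 2 style check: the token must carry the scope the endpoint requires,
    so a third-party app only gets the access the end user granted it."""
    return required_scope in TOKENS.get(token, set())


if __name__ == "__main__":
    req = ("key-reporting", "s3cret-reporting", "/users", "delete")
    print("key only  :", authorize_key_only(*req))      # True: known client, no limits
    print("key + ACL :", authorize_with_acl(*req))      # False: reporting key cannot delete users
    print("scope     :", authorize_with_scope("tok-third-party-app", "reports:write"))  # False
```

The reporting key passes the key-only check for a destructive action on `/users` simply because the key is valid; the ACL-backed check denies the same request, and the scope check denies a third-party token that was only granted `reports:read`.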