The short version
Every time you log into a website, enter a password, or click "Sign in with Google," you're authenticating. The system needs to know who you are before it can show you your data and not someone else's. Authentication answers the question "who are you?" Its companion, authorisation, answers "what are you allowed to do?"
Most people encounter two types: logging into apps as a user, and providing API keys when connecting tools together.
How it works
Several authentication methods are common:
- Username and password is the simplest. You prove your identity by knowing a secret. The problem is that people reuse passwords, choose weak ones, and fall for phishing. It works, but it's fragile.
- OAuth ("Sign in with Google/GitHub/Apple") lets you use an existing account to log into a different service. The service never sees your Google password. Instead, Google confirms your identity and passes back a token, a temporary credential the service can use. This is why you see a Google popup when logging into other apps.
- API keys are long strings that identify your application (not you personally) when calling an API. They're stored in environment variables, not in your code. If someone gets your API key, they can make requests as your app and run up your bill. Treat them like passwords.
- Tokens are temporary credentials issued after authentication. A session token (stored in a cookie) keeps you logged in as you browse. A JWT (JSON Web Token) is a self-contained token that carries identity information and is commonly used in APIs. Tokens expire, which limits the damage if one is stolen.
- Multi-factor authentication (MFA/2FA) adds a second proof of identity on top of your password, such as a code from an authenticator app, a text message, or a hardware key. It means a stolen password alone isn't enough to get in.
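To make the token bullet concrete, here is an added example (not code from the original page) that mints and verifies a minimal HS256 JWT with only the Python standard library. The secret and user id are constructed for the demo; a real service keeps the signing secret in an environment variable. It shows what "self-contained" means (the payload carries the identity claim), why a forged payload fails the signature check, and how the `exp` claim makes a stolen token stop working.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret; a real service loads this from an environment variable.
SECRET = b"demo-signing-secret-do-not-reuse"


def _b64url(data: bytes) -> str:
    # JWT uses URL-safe base64 with the '=' padding stripped.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(signing_input: str) -> bytes:
    return hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()


def mint_jwt(user_id: str, lifetime_seconds: int, now=None) -> str:
    """Issue an HS256 JWT for a user who has just authenticated."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": user_id, "iat": now, "exp": now + lifetime_seconds}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, payload)
    )
    return signing_input + "." + _b64url(_sign(signing_input))


def verify_jwt(token: str, now=None):
    """Return the payload if signature and expiry check out, otherwise None."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
        payload = json.loads(_b64url_decode(payload_b64))
    except ValueError:  # malformed structure, base64 or JSON
        return None
    # Only accept the algorithm we issue; never let the token's header pick it.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    # Constant-time comparison so the check does not leak timing information.
    if not hmac.compare_digest(_sign(f"{header_b64}.{payload_b64}"), signature):
        return None
    # Expired tokens are rejected, which is what limits the damage of a stolen one.
    if not isinstance(payload, dict) or payload.get("exp", 0) <= now:
        return None
    return payload
```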
Why it matters
If you build anything that has users, you need authentication. Services like Supabase, Clerk, and Auth0 handle the implementation so you don't have to build it yourself. But understanding how tokens, OAuth, and API keys work helps you debug login issues, secure your integrations, and understand what's happening when you see "401 Unauthorized" in an error log.