Authorization.
The process of deciding whether an authenticated principal is allowed to perform a specific action on a specific resource, distinct from authentication.
The recurring confusion: OAuth 2.0 / 2.1 is named an "authorization framework" but most people use it for authentication via OIDC layered on top. The distinction is real and worth keeping straight — OAuth grants the client permission to act on the user's behalf (authorization), and OIDC adds the identity claims that tell the client who the user is (authentication).
Authorization complexity scales with the resource model, not the user count. A B2B SaaS with three roles and one resource type is fine on RBAC; a SaaS with hierarchical organizations, per-resource permissions, and shared resources outgrows RBAC quickly and needs ABAC or ReBAC. Picking the wrong model early is one of the most expensive refactors in CIAM.
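The RBAC-versus-ReBAC point above is easiest to see in code. The following is an added example, not code from the original page or from any of the products it mentions: a minimal role-based check next to a minimal Zanzibar-style relationship check over constructed tuples (`doc:42`, `folder:eng`, `group:eng`, the users and the relation names are all made up for illustration). Both functions assume the principal is already authenticated; they only answer "may this principal do this to that resource", which is the authorization question the entry defines.

```python
"""
Added example (not from the original page). Contrasts an RBAC permission
check with a ReBAC relationship check for the case the glossary entry calls
out: hierarchical organizations plus per-resource sharing. All identifiers
(users, docs, folders, groups, relation names) are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass, field

# --- RBAC: permissions hang off roles; roles hang off users for a whole tenant ---
ROLE_PERMISSIONS = {
    "admin": {"doc:read", "doc:write", "doc:share"},
    "editor": {"doc:read", "doc:write"},
    "viewer": {"doc:read"},
}

def rbac_allowed(user_roles: dict[str, set[str]], user: str, permission: str) -> bool:
    """Authorization, not authentication: the caller is already a known
    principal; we only decide whether any of their roles grants `permission`.
    Note there is no resource argument: a role applies to every doc alike."""
    return any(permission in ROLE_PERMISSIONS[r] for r in user_roles.get(user, ()))

# --- ReBAC: Zanzibar-style tuples of (object, relation, subject) ---
# Hypothetical relation hierarchy: owner implies editor, editor implies viewer.
IMPLIED = {"viewer": ("editor",), "editor": ("owner",)}

@dataclass
class RelationStore:
    tuples: set[tuple[str, str, str]] = field(default_factory=set)

    def write(self, obj: str, relation: str, subject: str) -> None:
        self.tuples.add((obj, relation, subject))

    def check(self, obj: str, relation: str, user: str, depth: int = 0) -> bool:
        """Does `user` hold `relation` on `obj`, directly or via implied
        relations, parent inheritance, or group membership (userset subjects)?"""
        if depth > 16:            # bound recursion so cyclic data cannot loop
            return False
        if (obj, relation, user) in self.tuples:        # direct tuple
            return True
        for stronger in IMPLIED.get(relation, ()):      # owner -> editor -> viewer
            if self.check(obj, stronger, user, depth + 1):
                return True
        for (o, rel, subj) in self.tuples:
            if o == obj and rel == "parent":            # inherit from parent folder
                if self.check(subj, relation, user, depth + 1):
                    return True
            if o == obj and rel == relation and "#" in subj:   # e.g. group:eng#member
                sobj, srel = subj.split("#", 1)
                if self.check(sobj, srel, user, depth + 1):
                    return True
        return False

def build_store() -> RelationStore:
    """Constructed scenario: alice owns doc:42, which lives in folder:eng;
    every member of group:eng can view the folder; carol gets doc:42 shared
    directly with her and nothing else."""
    s = RelationStore()
    s.write("doc:42", "owner", "user:alice")
    s.write("doc:42", "parent", "folder:eng")
    s.write("folder:eng", "viewer", "group:eng#member")
    s.write("group:eng", "member", "user:bob")
    s.write("doc:42", "viewer", "user:carol")
    return s

if __name__ == "__main__":
    # RBAC: the only way to let carol read doc:42 is an org-wide role,
    # which also lets her read doc:99. The model cannot express the share.
    roles = {"user:alice": {"editor"}, "user:carol": set()}
    print("rbac carol before:", rbac_allowed(roles, "user:carol", "doc:read"))
    roles["user:carol"].add("viewer")
    print("rbac carol after (applies to every doc):", rbac_allowed(roles, "user:carol", "doc:read"))
    # ReBAC: the share is a single tuple scoped to one resource.
    store = build_store()
    print("rebac carol doc:42:", store.check("doc:42", "viewer", "user:carol"))
    print("rebac carol doc:99:", store.check("doc:99", "viewer", "user:carol"))
    print("rebac bob via folder+group:", store.check("doc:42", "viewer", "user:bob"))
```

The point of the two halves is the shape of the check, not the data: `rbac_allowed` has no resource parameter at all, so the only way to give one user access to one document is to widen their role across the tenant, whereas `RelationStore.check` resolves the answer from tuples that name the specific resource and can follow parent and group edges. Production systems (OpenFGA, SpiceDB and the others listed below) replace this linear scan with indexed graph traversal and bounded, cached evaluation, but the relation model is the same.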
Common questions
What is the difference between authentication and authorization?
Is OAuth authentication or authorization?
When should I use RBAC vs ABAC vs ReBAC?
In the guides
API Authorization Patterns: A 2026 Practitioner's Guide
How to authorize API requests in modern CIAM. Bearer tokens, scopes, OAuth 2.1 client patterns, machine-to-machine, and where the architectural lines fall.
Authentication vs Authorization: The Difference, Explained Properly
Authentication answers 'who are you'; authorization answers 'what may you do'. The split is structural, the confusion is endless, and the integration bugs hide in the gap.
Fine-Grained Authorization (FGA): A 2026 Implementation Guide
FGA is the umbrella for per-resource permissions at scale. The Zanzibar model, the production implementations (OpenFGA, SpiceDB, Permify, Keto), and how to choose.
RBAC vs ABAC vs ReBAC: Choosing an Authorization Model
Three authorization models, Role-Based, Attribute-Based, and Relationship-Based Access Control, with concrete examples, scaling characteristics, and when each is the right answer.