What is the difference between authentication and authorization?

Beginner

Answer

Authentication: Verifies who the user is (identity verification)

  • "Are you really John Doe?"
  • Methods: passwords, biometrics, certificates

Authorization: Determines what the authenticated user can do (permission checking)

  • "Can John Doe access this resource?"
  • Methods: roles, permissions, ACLs

Both are typically required for secure APIs. Authentication happens first; authorization then checks the authenticated user's permissions.