Authentication vs Object Authorization: The API Security Mistake Everyone Makes
Source: Dev.to
Authentication
Question answered: Who are you?
Typical mechanisms:
- JWT tokens (RFC 7519)
- OAuth 2.0 access tokens (RFC 6749)
- API keys
- Session cookies
When authentication succeeds, the backend simply says:
“Okay, I know who you are.”
GET /api/v1/profile
Authorization: Bearer eyJhbGciOi...
✅ Token is valid → the request is allowed to proceed.
No decision is made about what data can be accessed.
Object Authorization
Question answered: Are you allowed to access THIS specific object?
Object authorization must verify:
- Object ownership
- User role
- Organization/tenant scope
- Object state (draft, deleted, archived, paid)
Failure to do so is classified as Broken Object Level Authorization (BOLA) (OWASP API Top 10 – API1:2023).
Why authentication is easier than object authorization
| Aspect | Authentication | Object Authorization |
|---|---|---|
| Scope | User / session | Object / resource |
| Frequency | Once per request | For every object accessed |
| Typical implementation | Centralized, framework‑handled, easy to test | Custom logic, endpoint‑specific, often rushed |
| Common bug | Auth bypass | BOLA / IDOR |
| OWASP API Top 10 rank | Rare | #1 issue |
A Typical Vulnerable Flow
- Authenticate user ✅
- Trust `object_id` from the request ❌
- Return data ❌
GET /api/v1/invoices/8421
Authorization: Bearer USER_A_TOKEN
{
"invoice_id": 8421,
"user_id": 999,
"amount": 4500,
"status": "paid"
}
What went wrong?
- Authentication succeeded.
- No ownership validation → User A accessed User B’s invoice.
This is a textbook IDOR vulnerability (OWASP IDOR explanation).
Common Misconception: “IDs are unguessable, so we’re safe”
- UUIDs, hashes, encrypted IDs and Base64 strings only make identifiers harder to guess; they do nothing to prevent an authorization bypass.
- If the backend does not verify ownership, every identifier format fails in the same way.
OWASP explicitly warns about this misconception in the OWASP API Authorization Guide.
Correct Backend Flow
- Authenticate user
- Extract `user_id` / `org_id` from the token
- Fetch the object from the database
- Verify `object.owner_id == user_id` (or the appropriate role/tenant check)
- Return the response
Anything less is a risk. Authentication lets you enter the building; object authorization decides whether you can open a particular door.
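The vulnerable flow, the "unguessable IDs" misconception and the correct flow above, side by side as an added example (this is not code from the original article; the in-memory tables, the opaque token strings and the `authenticate` stub standing in for real JWT/OAuth verification are all constructed for illustration):

```python
# Added example, not from the original article. A single-object invoice
# endpoint written twice: once with the vulnerable flow (authenticate, trust
# the id, return) and once with the correct flow (authenticate, extract
# user/org from the token, fetch, verify ownership/role/tenant/state, return).
from typing import Optional, Tuple

# Constructed data: two members in different organisations plus a tenant admin.
USERS = {
    1:   {"user_id": 1,   "org_id": 10, "role": "member"},
    999: {"user_id": 999, "org_id": 20, "role": "member"},
    42:  {"user_id": 42,  "org_id": 20, "role": "admin"},
}
# One invoice keyed by a guessable integer, one by an unguessable UUID string.
UUID_ID = "3f2c9a1e-5d7b-4e8a-9c6f-1b2d3e4f5a6b"   # constructed value
INVOICES = {
    8421: {"invoice_id": 8421, "user_id": 999, "org_id": 20,
           "amount": 4500, "status": "paid"},
    UUID_ID: {"invoice_id": UUID_ID, "user_id": 999, "org_id": 20,
              "amount": 120, "status": "deleted"},
}
# Constructed opaque tokens; a real service would verify a JWT/OAuth token here.
TOKENS = {"USER_A_TOKEN": 1, "USER_B_TOKEN": 999, "ADMIN_B_TOKEN": 42}


def authenticate(token: str) -> Optional[dict]:
    """Answers 'who are you?': maps a valid token to the caller's claims."""
    user_id = TOKENS.get(token)
    return USERS.get(user_id) if user_id is not None else None


def get_invoice_vulnerable(token: str, invoice_id) -> Tuple[int, Optional[dict]]:
    """Vulnerable flow: authenticate, trust the id from the request, return."""
    claims = authenticate(token)
    if claims is None:
        return 401, None
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        return 404, None
    # No ownership check: any authenticated user receives any invoice (BOLA).
    # Using a UUID instead of 8421 changes nothing about this outcome.
    return 200, invoice


def authorize_invoice(claims: dict, invoice: dict) -> bool:
    """Answers 'may you access THIS object?': state, ownership, role/tenant scope."""
    if invoice["status"] == "deleted":
        return False                                # object state check
    if invoice["user_id"] == claims["user_id"]:
        return True                                 # ownership check
    # Tenant-scoped admin: same organisation AND admin role, never admin alone.
    return claims["role"] == "admin" and invoice["org_id"] == claims["org_id"]


def get_invoice_secure(token: str, invoice_id) -> Tuple[int, Optional[dict]]:
    """Correct flow: authenticate, derive identity from the token, fetch, verify."""
    claims = authenticate(token)
    if claims is None:
        return 401, None
    invoice = INVOICES.get(invoice_id)
    # The same 404 is returned for "does not exist" and "not yours", so the
    # endpoint does not confirm which ids exist (a design choice of this example).
    if invoice is None or not authorize_invoice(claims, invoice):
        return 404, None
    return 200, invoice


if __name__ == "__main__":
    print(get_invoice_vulnerable("USER_A_TOKEN", 8421))   # leaks User B's invoice
    print(get_invoice_secure("USER_A_TOKEN", 8421))       # (404, None)
    print(get_invoice_secure("ADMIN_B_TOKEN", 8421))      # admin of org 20 may read it
```

Note that `authorize_invoice` takes the caller's identity from the verified claims, never from the request body or query string, and is evaluated for every object fetch rather than once per session.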
Practical Checklist
- Whenever you see IDs in URLs, JSON payloads, or filter parameters (`user_id`, `org_id`), ask: “Should this user be able to see THIS data?”
- Review export/download endpoints and mobile APIs that may return extra fields.
- Ensure ownership/role checks are performed for every object returned.
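The checklist items above applied to a list/export endpoint, as an added example that is not part of the original article: the client-supplied `user_id` filter parameter is never trusted, every returned object is ownership-checked, and only an allowlisted set of fields is serialised. The tables, tokens and field names are constructed for illustration.

```python
# Added example, not from the original article. A bulk export endpoint that
# shows the three checklist points: distrust of id/filter parameters, an
# ownership check on every object returned, and a field allowlist so that
# export and mobile endpoints do not leak extra columns.
from typing import Dict, List, Optional, Tuple

USERS = {1: {"user_id": 1, "org_id": 10}, 999: {"user_id": 999, "org_id": 20}}
TOKENS = {"USER_A_TOKEN": 1, "USER_B_TOKEN": 999}     # constructed opaque tokens
INVOICES = [
    {"invoice_id": 1001, "user_id": 1, "org_id": 10, "amount": 300,
     "status": "paid", "internal_note": "collections escalated"},
    {"invoice_id": 8421, "user_id": 999, "org_id": 20, "amount": 4500,
     "status": "paid", "internal_note": "VIP customer"},
]
# Fields a client may receive. user_id and internal_note are deliberately absent.
EXPORT_FIELDS = ("invoice_id", "amount", "status")


def authenticate(token: str) -> Optional[dict]:
    """Stand-in for JWT/OAuth verification: token -> verified claims."""
    user_id = TOKENS.get(token)
    return USERS.get(user_id) if user_id is not None else None


def is_owner(claims: dict, invoice: dict) -> bool:
    """Object-level check evaluated per returned object."""
    return invoice["user_id"] == claims["user_id"]


def project(invoice: dict) -> dict:
    """Serialise only the allowlisted fields."""
    return {field: invoice[field] for field in EXPORT_FIELDS}


def export_invoices_vulnerable(token: str, query: Dict[str, str]) -> Tuple[int, List[dict]]:
    """Trusts ?user_id= from the request and dumps whole rows (BOLA + data leak)."""
    claims = authenticate(token)
    if claims is None:
        return 401, []
    target = int(query.get("user_id", claims["user_id"]))   # attacker-controlled
    return 200, [inv for inv in INVOICES if inv["user_id"] == target]


def export_invoices_secure(token: str, query: Dict[str, str]) -> Tuple[int, List[dict]]:
    """Scope comes from the token; query['user_id'] is ignored entirely."""
    claims = authenticate(token)
    if claims is None:
        return 401, []
    rows = [inv for inv in INVOICES if inv["user_id"] == claims["user_id"]]
    # Per-object check on the final result set, independent of how the query
    # was built, so a later change to the query cannot silently widen it.
    rows = [inv for inv in rows if is_owner(claims, inv)]
    return 200, [project(inv) for inv in rows]


if __name__ == "__main__":
    # User A asks the export endpoint for User B's invoices.
    print(export_invoices_vulnerable("USER_A_TOKEN", {"user_id": "999"}))
    print(export_invoices_secure("USER_A_TOKEN", {"user_id": "999"}))
```

The secure variant treats `user_id` in the query string purely as noise; if a product really needs "export on behalf of another user", that becomes an explicit role/tenant rule in the object check rather than a trusted parameter.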
References
- OWASP API Security Top 10 (API1:2023 Broken Object Level Authorization)
- OWASP Insecure Direct Object Reference (IDOR)
- RFC 7519 – JSON Web Token (JWT)
- RFC 6749 – The OAuth 2.0 Authorization Framework