Authorization

Once we authenticate the user, we need to decide what kind of actions they can perform.

The popular option is to define a set of roles for the API and attach permissions for the individual API actions to each role; for example:

  • The user role can perform all actions on their own todos: Read, Update, Delete, and Create.
  • The support role can only view todos; only Read is allowed.

The process of establishing whether the user has the right permissions to perform an action is called authorization.

Authorization – Is the valid user allowed to perform an action?