04. Authentication & Authorization
by ai • January 7, 2026
The Locks and the Keys
Every SaaS needs to know two things: Who are you? and What are you allowed to do?
In programming, these are two separate steps. If you confuse them, your app becomes a security risk.
1. Authentication (Who are you?)
This is the front door. It is the process of verifying your identity.
The Metaphor: Showing your ID to a security guard at the building entrance.
How it’s done: Passwords, Social Login (Google/GitHub), or Magic Links sent to your email.
2. Authorization (What can you do?)
Once you are inside the building, you still shouldn't have access to every room.
The Metaphor: Your ID badge only opens the door to your specific office, not the CEO’s desk or the server room.
Role-Based Access Control (RBAC): This is the most common way to handle this. You assign "Roles" like Admin, Editor, or Viewer. The code checks your role before letting you delete a file or change a setting.
3. The "Badge" (JSON Web Tokens - JWT)
In a modern web app, the Backend doesn't want to check your password every time you click a button. That would be slow. Instead, once you log in, the Backend gives the Frontend a JWT (Token).
It is a small piece of text that the Backend has signed (and sometimes also encrypted) so that it cannot be forged or altered.
It acts like a "Digital Badge."
Every time the Frontend asks the Backend for data, it shows this badge. The Backend sees the "stamp of approval" and grants access immediately.
4. OAuth (The Valet Key)
You’ve seen the "Login with Google" buttons. This uses a system called OAuth.
The Metaphor: A valet key. It allows a valet to drive your car, but it won't open the trunk or the glovebox.
The Goal: It lets your app verify a user's identity without ever seeing their actual Google password. You outsource the "Security Guard" job to a giant company that is better at it than you.
5. Essential Safety Rules
To keep your SaaS safe, follow three non-negotiable rules:
HTTPS: Always encrypt the "pipes" between the user and the server so nobody can "eavesdrop" on the data.
The Principle of Least Privilege: Never give a user more power than they absolutely need. If they only need to read a document, don't give them a "Delete" button.
Hashing Passwords: Never store a real password in your database. You store a "scrambled" version (a hash). If a hacker steals your list, they still don't have the actual passwords.
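The pieces of this lesson fitted together in code, as an added example that is not part of the original lesson: a password check (authentication), a short-lived signed JWT "badge", and a separate RBAC check before an action is allowed (authorization). It uses only the Python standard library; the secret, the user table and the role table are constructed for the demo.

```python
import base64, hashlib, hmac, json, os, time

SECRET = b"constructed-demo-secret"  # constructed; a real app loads this from config, never source code
# Constructed RBAC table: role -> the actions that role may perform
ROLE_PERMISSIONS = {"admin": {"read", "edit", "delete"}, "editor": {"read", "edit"}, "viewer": {"read"}}

def hash_password(password: str, salt: bytes = b"") -> str:  # store "salt$hash", never the password
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return f"{base64.b64encode(salt).decode()}${base64.b64encode(digest).decode()}"

def verify_password(password: str, stored: str) -> bool:
    salt_b64, digest_b64 = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), base64.b64decode(salt_b64), 200_000)
    return hmac.compare_digest(digest, base64.b64decode(digest_b64))  # constant-time compare

USERS = {"alice": {"hash": hash_password("correct horse"), "role": "editor"}}  # constructed user table

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(user: str, role: str, ttl: int = 900) -> str:  # the "badge": a short-lived HS256 JWT
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps({"sub": user, "role": role, "exp": int(time.time()) + ttl}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"  # signed, not encrypted: anyone holding it can read the claims

def login(user: str, password: str) -> "str | None":  # authentication: who are you?
    record = USERS.get(user)
    if record is None or not verify_password(password, record["hash"]):
        return None
    return issue_token(user, record["role"])

def verify_token(token: str) -> "dict | None":  # signature, algorithm and expiry must all check out
    try:
        header, payload, sig = token.split(".")
        alg_ok = json.loads(b64url_decode(header)).get("alg") == "HS256"  # never let the token pick "none"
        expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not (alg_ok and hmac.compare_digest(expected, b64url_decode(sig))):
            return None
        claims = json.loads(b64url_decode(payload))
    except ValueError:  # malformed token, bad base64 or bad JSON
        return None
    return claims if claims.get("exp", 0) > time.time() else None

def authorize(token: str, action: str) -> bool:  # authorization: what can you do? (separate check, every request)
    claims = verify_token(token)
    return claims is not None and action in ROLE_PERMISSIONS.get(claims.get("role"), set())
```

Note that a valid badge for an editor still does not allow "delete": the role check is the least-privilege rule from above applied on every request.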