Authorization Patterns
Complete guide to implementing authorization and access control in AI-generated applications. Learn RBAC patterns, resource permissions, and secure access control strategies.
Authorization Must Be Checked on Every Request
AI-generated code often performs authentication once at login but skips authorization checks on individual resource access. Just because a user is logged in does not mean they have permission to access every resource. Every API endpoint must verify the user has permission to perform the requested operation on the specific resource.
Authorization Implementation Checklist
Follow these 12 steps to properly implement authorization. Critical items must be verified on every API endpoint that accesses user data.
Verify ownership on every request
Check that the authenticated user owns or has permission to access the requested resource. Never trust client-provided resource IDs without verification.
Implement role-based access control (RBAC)
Define roles (admin, user, moderator) with specific permissions. Check user role before allowing access to administrative or privileged operations.
Use deny-by-default policies
Start with no access and explicitly grant permissions. Require authorization checks for all protected resources, not just sensitive ones.
Separate read and write permissions
Users who can view data may not be allowed to modify it. Implement separate authorization checks for read, create, update, and delete operations.
Validate permissions server-side
Never rely on client-side permission checks or hidden UI elements. All authorization logic must execute on the backend before data access.
Implement resource-level permissions
Some resources require granular access control. Allow users to share specific documents, projects, or records with collaborators.
Use permission scoping for API tokens
API keys and tokens should have limited scope. Allow read-only tokens, resource-specific tokens, or time-limited access tokens.
Implement hierarchical permissions
Organize permissions in hierarchies. Admin inherits moderator permissions, moderator inherits user permissions.
Add permission inheritance for teams
Users inherit permissions from team or organization membership. Workspace admins can manage resources within their workspace.
Log authorization failures
Record when users attempt to access resources without permission. Monitor for privilege escalation attempts or access pattern anomalies.
Implement permission caching carefully
Cache permissions to improve performance but invalidate cache when roles or permissions change to prevent stale access grants.
Audit permission changes
Log when users are granted or revoked permissions, role assignments change, or access policies are modified for compliance and security review.
Common Authorization Vulnerabilities
Insecure Direct Object References
Critical: the API accepts resource IDs without verifying that the user has access, allowing users to view or modify others' data by guessing IDs
Client-Side Authorization Checks
Critical: the UI hides buttons or links based on permissions, but the backend accepts requests from unauthorized users
Missing Authorization on Updates
High: authorization is checked on reads but not on updates or deletes, allowing unauthorized modifications
Role Confusion in Authorization
High: the user role is stored in a JWT but not revalidated on the server, allowing users to modify their own role claims
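The ownership, role-hierarchy, deny-by-default, read/write separation and failure-logging items from the checklist, together with the IDOR and role-confusion vulnerabilities just listed, as one added example in Python (not code from this page or from VibeEval; the role names, permission names and in-memory document store are assumptions):

```python
from dataclasses import dataclass, field
import logging

# Assumed role hierarchy from the checklist: admin inherits moderator, moderator inherits user.
ROLE_INHERITS = {"admin": {"moderator"}, "moderator": {"user"}, "user": set()}
# Explicit grants per role; a permission not listed here is denied (deny by default).
ROLE_GRANTS = {"user": {"read_own", "write_own"}, "moderator": {"read_any"},
               "admin": {"write_any", "delete_any"}}
# Read and write are separate: each action maps to its (own-resource, any-resource) grant.
ACTION_PERMS = {"read": ("read_own", "read_any"), "update": ("write_own", "write_any"),
                "delete": ("write_own", "delete_any")}

@dataclass
class User:
    id: str
    role: str  # loaded from the server-side user record, never from a client-supplied claim

@dataclass
class Document:
    id: str
    owner_id: str
    shared_with: set = field(default_factory=set)  # resource-level read grants to collaborators

def effective_permissions(role):
    """Walk the hierarchy so a role carries every grant of the roles it inherits."""
    perms, todo = set(), [role]
    while todo:
        r = todo.pop()
        perms |= ROLE_GRANTS.get(r, set())
        todo.extend(ROLE_INHERITS.get(r, set()))
    return perms

def can(user, action, doc):
    """Return True only when an explicit rule grants `action` on this specific document."""
    perms = effective_permissions(user.role)
    own, any_ = ACTION_PERMS.get(action, (None, None))  # unknown action -> nothing matches
    allowed = (any_ in perms                                  # role may act on any document
               or (own in perms and doc.owner_id == user.id)  # ownership verified server-side
               or (action == "read" and user.id in doc.shared_with))
    if not allowed:  # log the failure so escalation attempts and probing can be monitored
        logging.warning("authz denied user=%s role=%s action=%s doc=%s", user.id, user.role, action, doc.id)
    return allowed

def handle_request(user, action, doc_id, store):
    """Endpoint-style handler: resolve the client-supplied ID server-side, then authorize."""
    doc = store.get(doc_id)
    if doc is None or not can(user, action, doc):
        return 404  # same status for missing and forbidden, so guessed IDs confirm nothing
    return 200
```

Swapping the dictionaries for a database-backed lookup keeps the same shape: the role still comes from the server-side record and every handler still calls `can` before reading or writing.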
Test Your Authorization Logic
VibeEval automatically tests authorization by attempting to access resources as different users, testing privilege escalation, and identifying missing authorization checks across your API endpoints.