In the OWASP API Security Top 10, what is the difference between BOLA and BFLA?
Both are authorization failures but at different granularities. BOLA (Broken Object-Level Authorization, API1) is about which records you can touch — the API checks you're logged in but not that this object belongs to you, e.g. GET /orders/123 returns someone else's order (classic IDOR). BFLA (Broken Function-Level Authorization, API5) is about which operations/roles you can invoke — a regular user can call an admin-only function like DELETE /users/123 or POST /admin/promote because the endpoint never checks the caller's role/privilege for that function. Mnemonic: BOLA = wrong object, BFLA = wrong function/role. Prevent both with centralized, deny-by-default authorization enforced per object and per function, driven by the authenticated principal — never by what the UI exposes.
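The centralized, deny-by-default layer described above, sketched as an added example that is not part of the original answer; the `Principal`, `FUNCTION_POLICY`, `authorize` names and the sample orders and users are constructed assumptions, and the two handlers show the BOLA fix (pass the record's owner to the check) beside the BFLA fix (check the role on the function itself):

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Principal:
    user_id: int
    role: str  # "user" or "admin"; both fields come from the session/token, not the request

class Forbidden(Exception):
    pass

# Constructed sample data: order id -> record, user id -> name.
ORDERS = {123: {"owner": 7, "total": 42.0}, 124: {"owner": 8, "total": 9.5}}
USERS = {1: "root", 7: "alice", 8: "bob"}

# Function-level policy: which roles may invoke each operation. Anything not
# listed is denied, so a new endpoint stays closed until someone opens it.
FUNCTION_POLICY = {
    "orders:read": {"user", "admin"},
    "users:delete": {"admin"},
}

def authorize(principal, action, resource_owner=None):
    """Single choke point: BFLA guard (may this role call this function?), then
    BOLA guard (does the object belong to the caller? admins span all objects)."""
    if principal.role not in FUNCTION_POLICY.get(action, set()):
        raise Forbidden(f"{action}: role {principal.role!r} may not call it")
    if (resource_owner is not None and principal.role != "admin"
            and resource_owner != principal.user_id):
        raise Forbidden(f"{action}: object not owned by user {principal.user_id}")

def is_allowed(principal, action, resource_owner=None):
    try:
        authorize(principal, action, resource_owner)
        return True
    except Forbidden:
        return False

def get_order(principal, order_id):
    """GET /orders/{id}: the BOLA fix is passing the record's owner to authorize()."""
    order = ORDERS.get(order_id)
    if order is None:
        raise KeyError(order_id)
    authorize(principal, "orders:read", resource_owner=order["owner"])
    return order

def delete_user(principal, user_id):
    """DELETE /users/{id}: admin-only; returns the remaining users without mutating USERS."""
    authorize(principal, "users:delete")
    return {uid: name for uid, name in USERS.items() if uid != user_id}
```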