Explain the difference between authentication and authorization.
Authentication verifies who you are (identity); authorization decides what you may do (permissions). Authn comes first and produces a verified principal; authz then enforces access against that principal. A common interview trap: 'IDOR/BOLA' is an authorization failure, not an authentication one.