In partnership with

Hello “👋

Welcome to another week, another opportunity to become a Great Backend Engineer.

Today’s issue is brought to you by Masteringbackend → A great resource for backend engineers. We offer next-level backend engineering training and exclusive resources.

Before we get started, I have a few announcements:

I have a special gift for you: You will love this one.

The ultimate “Land Your Dream Job” Challenge is here.

We are launching the ultimate guide to landing your dream job in any programming language you choose. We are starting with the Python Programming language.

Land your dream Python Job in 90 days by shipping 30 Python projects in 30 days by completing our daily tasks.

It’s a cohort-based and project-focused challenge where you will be challenged to build 30 Python projects in 30 days.

Here is what you will get:

• Ship 30+ Python backend projects in 30 days.

• Instant Access to all 30+ videos

• Access to data structure and algorithm interview kits.

• Access our Complete Backend Job Preparation kits (Resume, Cover letter reviews, mock interviews, and job placements).

• Join & learn from a thriving community of helpful students & alumni from top companies.

Limited Access. The first 500 students will be at $54, others at $100 (We have only 220 slots left.)

Click here to join the challenge.

Find out why 1M+ professionals read Superhuman AI daily.

In 2 years you will be working for AI

Or an AI will be working for you

Here's how you can future-proof yourself:

1. Join the Superhuman AI newsletter – read by 1M+ people at top companies

2. Master AI tools, tutorials, and news in just 3 minutes a day

3. Become 10X more productive using AI

Join 1,000,000+ pros at companies like Google, Meta, and Amazon that are using AI to get ahead.

Sign up and start learning AI

In our previous issue, "Authentication Methods in API Design," we explored the most widely adopted authentication methods in API design, detailing how they work, when to use them, and how to implement them securely.

This issue explores API design's most widely adopted authorization methods, detailing how they work, when to use them, and how to implement them securely.

Introduction

In API design, ensuring that authenticated users only access the resources they are permitted to access is just as important as verifying who they are. This is where authorization comes in.

While authentication answers the "Who are you?" authorization asks, "What are you allowed to do?"

Authorization methods form the backbone of secure access control in APIs. They enforce rules that determine which clients—whether users, services, or applications—can access what data and perform what actions. This is essential for protecting sensitive information, preserving data integrity, and ensuring business logic is correctly enforced.

This issue explores key authorization methods in API design, how they function, and when to use each based on security, scalability, and user experience considerations.

Authorization vs. Authentication

Before diving into the various methods, it’s important to distinguish authentication from authorization:

• Authentication verifies who a user or application is.

• Authorization verifies what they can access or do.

While often used together, they serve distinct purposes and require different implementation strategies.

Role-Based Access Control (RBAC)

RBAC assigns permissions to users based on their role within an organization. For example, a user with an "Admin" role may have access to more resources than a "Viewer".

Roles are defined at the system level, and each role has predefined privileges. When a user is authenticated, the API checks their assigned role and determines whether they are authorized to perform the requested action.

How it Works

1. Users are assigned roles (e.g., Admin, Editor, Viewer).

2. Each role is mapped to a set of permissions.

3. The API checks the user’s role on each request and determines whether the action is allowed.

For example, a customer support agent needs access to user account information but does not require administrative control over system settings, whereas a system administrator does.

All RBAC models include the following core elements:

• Administrators: Users responsible for defining roles and assigning permissions.

• Roles: Groups of users categorized by the tasks or responsibilities they perform.

• Permissions: Each role is granted specific actions and access levels, which determine what users in that role are allowed to do.

Role-Based Access Control (RBAC) enables administrators to create roles, assign users to them, and manage permissions to control access within a system.

if (req.user.role !== 'admin') {
  return res.status(403).send('Forbidden: Admins only');
}

Role-based access control is best for Enterprise systems with well-defined roles and Multi-user platforms like CMSs or SaaS apps.

Attribute-Based Access Control (ABAC)

ABAC controls access using attributes rather than roles. These attributes can include user details (e.g., department, clearance level), resource metadata, or environmental conditions (e.g., time of day).

ABAC is highly flexible and supports complex access policies.

How it Works

1. Define attributes for users, resources, and environment.

2. Create policies based on combinations of these attributes.

3. Evaluate each request against the relevant policy.

if (req.user.department === 'finance' && req.resource.type === 'report') {
  // allow access
}

The attribute-based access control is best for fine-grained and dynamic access control and scenarios with many user-resource-environment combinations.

Conclusion

Properly implemented authorization is essential to any API's security architecture. Whether you’re designing internal APIs or exposing functionality to third parties, choosing the right authorization strategy ensures that only permitted actors can perform certain operations.

• RBAC offers straightforward, role or resource-based permissions.

• ABAC allows for highly dynamic and context-aware access policies.

As your application grows, so do your authorization needs. Consider starting with a simple RBAC model and evolving toward ABAC as complexity increases. Whichever method you choose, ensure it is consistently enforced across your API ecosystem.

Did you learn any new things from this newsletter this week? Please reply to this email and let me know. Feedback like this encourages me to keep going.

Remember to start learning backend engineering from our courses:

Get a 50% discount on any of these courses. Reach out to me (Reply to this mail)

1. Become a Node.js Backend Engineer is Live

2. Become a Rust Backend Engineer is Live

3. Become a Python Backend Engineer is Live

4. Become a Java + Spring Backend Engineer is Live

Backend Engineering Resources

1. Backend Engineering Hub

2. All Backend Books

3. Visit our Backend Store

4. Join our Community

5. Backend Engineering Courses

LAST WORD 👋 

How am I doing?

I love hearing from readers, and I'm always looking for feedback. How am I doing with The Backend Weekly? Is there anything you'd like to see more or less of? Which aspects of the newsletter do you enjoy the most?

Hit reply and say hello - I'd love to hear from you!

Stay awesome,
Solomon

I moved my newsletter from Substack to Beehiiv, and it's been an amazing journey. Start yours here.