What is authorization?

Authorization is the gate between "logged in" and "allowed to do this."

Authentication proves who you are — you entered the right password, so you're Alice. Authorization decides what Alice can do. Can she view the admin dashboard? Can she delete another user's note? Those are authorization questions.

The bouncer analogy

Think of a nightclub. The ID check at the door is authentication — proving you're old enough to enter. But once inside, the VIP section has its own rope. Showing your ID again doesn't help. You need to be on the list. That's authorization.

Always on the server

Authorization must be enforced on the server, never just in the UI. Hiding a button doesn't prevent access — anyone can type a URL or submit a form directly. The server is the only place where the check actually matters.

A common pattern is a guard function that runs at the start of a loader or action:

let user = await requireAdminFromCookie(request)

If the user isn't an admin, the request stops before any data is returned. The UI can also hide admin links from members — that's a courtesy, not security.

Start simple

The simplest authorization is a single check: is this user an admin? That's one column in the database and one if statement in the code. You don't need a permissions table, a policy engine, or a library.

Start with the simplest model that works. Add complexity only when you have a real use case that demands it.
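The server-side guard described above, using the single is-admin flag this section recommends, as an added example (not the page's own code). It assumes Node 18+ for the global Request/Response, a cookie named "session", and an in-memory session and user table constructed for the demo; the page's guard is awaited because its lookup hits a database, while this one is synchronous.

```javascript
// Added example, not the page's code: a server-side admin guard for a
// loader/action. Assumes Node 18+ (global Request/Response); the session
// and user tables below are constructed sample data.
const SESSIONS = new Map([["sess-alice", 1], ["sess-bob", 2]]); // session id -> user id
const USERS = new Map([
  [1, { id: 1, name: "Alice", isAdmin: true }],   // one isAdmin column, nothing more
  [2, { id: 2, name: "Bob", isAdmin: false }],
]);

// Parse a Cookie header ("a=1; b=2") into a name -> value object.
function parseCookies(header) {
  const out = {};
  for (const part of (header || "").split(";")) {
    const idx = part.indexOf("=");
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Look up the user behind the session cookie; null if absent or unknown.
function getUserFromCookie(request) {
  const cookies = parseCookies(request.headers.get("cookie"));
  return USERS.get(SESSIONS.get(cookies.session)) ?? null;
}

// The guard: throwing a Response stops the loader/action before any data
// is built. 401 = nobody logged in, 403 = logged in but not an admin.
function requireAdminFromCookie(request) {
  const user = getUserFromCookie(request);
  if (!user) throw new Response("Unauthorized", { status: 401 });
  if (!user.isAdmin) throw new Response("Forbidden", { status: 403 });
  return user;
}

// A loader that runs the guard first; admin-only data is assembled only after it passes.
function adminLoader({ request }) {
  const user = requireAdminFromCookie(request);
  return { viewer: user.name, userCount: USERS.size };
}

// Demo helper: run a loader for a given Cookie header and report the outcome.
function runLoader(loader, cookieHeader) {
  const headers = cookieHeader ? { cookie: cookieHeader } : {};
  const request = new Request("http://localhost/admin", { headers });
  try {
    return { status: 200, data: loader({ request }) };
  } catch (err) {
    if (err instanceof Response) return { status: err.status, data: null };
    throw err; // not an authorization failure; let it propagate
  }
}
```

Hiding the admin link in the UI changes nothing here: a direct request with Bob's cookie, or with no cookie at all, is refused by the loader itself.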