The step right after authentication: once your app knows who you are, authorization decides what you're allowed to do, like whether you can edit someone else's post or open an admin panel.
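
The two cases above as a deny-by-default check in Python. This is an added example, not code from the original page. The `User`, `Post`, `can` and `edit_post` names, the `admin` role, and the rule that an admin may edit any post are assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    """Identity established by authentication (e.g. loaded from the session)."""
    id: int
    roles: frozenset = frozenset()


@dataclass(frozen=True)
class Post:
    id: int
    author_id: int


class Forbidden(Exception):
    """The caller is authenticated but not allowed to perform the action."""


def can(user, action, resource=None):
    """Authorization decision. Anything not explicitly granted is denied."""
    if user is None:
        # No authenticated identity, so there is nothing to authorize.
        return False
    is_admin = "admin" in user.roles
    if action == "post:edit":
        # Ownership is checked against the authenticated user, never against
        # a user id supplied in the request body or URL.
        return isinstance(resource, Post) and (
            resource.author_id == user.id or is_admin  # assumed rule
        )
    if action == "admin:open_panel":
        return is_admin
    return False  # unknown action: deny by default


def edit_post(user, post, new_body):
    """Server-side handler: authorize first, then act."""
    if not can(user, "post:edit", post):
        raise Forbidden(f"user {user.id if user else None} may not edit post {post.id}")
    return {"post_id": post.id, "body": new_body, "edited_by": user.id}
```

The check runs on the server on every request, so hiding the edit button or the admin link in the UI is not what enforces the rule.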