As noted more than once, HTTP_Authentication_Services is the core routine that handles authentication into the API. However, authentication is different from authorization (even though HTTP Basic Authentication uses the Authorization request header field), and the distinction matters when building access control for the API. Authentication means that the user's credentials are valid. That alone does not guarantee the user has sufficient privileges to access (or modify) the requested resource; deciding that is the job of authorization. Both a failed authentication and a failed authorization can return a 401 (Unauthorized) status code, but a failed authorization might instead return a 403 (Forbidden) status code.
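The following is an added illustration of the two-step check described above, written for this explanation rather than taken from HTTP_Authentication_Services or the API itself. It parses a Basic Authorization header, answers 401 when the credentials do not validate (authentication) and 403 when a valid user lacks the privilege for the requested method (authorization); the user table, roles and salted-SHA-256 password storage are constructed stand-ins.

```python
import base64
import hmac
from hashlib import sha256
from typing import Dict, Optional, Tuple

# Constructed sample data: username -> (role, salted password hash).
# A fixed salt plus SHA-256 stands in for a real password hasher here.
_SALT = b"constructed-salt:"
_USERS = {
    "alice": ("admin", sha256(_SALT + b"alice-secret").hexdigest()),
    "bob": ("reader", sha256(_SALT + b"bob-secret").hexdigest()),
}
# Role -> HTTP methods that role may use on the resource (constructed policy).
_PERMISSIONS = {"admin": {"GET", "PUT", "DELETE"}, "reader": {"GET"}}
# Dummy hash compared against for unknown users so the check takes the same
# path whether or not the username exists (limits account enumeration by timing).
_DUMMY_HASH = sha256(_SALT + b"dummy").hexdigest()


def basic_header(user: str, password: str) -> str:
    """Build a Basic Authorization header value (used to construct test input)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def authenticate(authorization: Optional[str]) -> Optional[str]:
    """Authentication: return the username if the Basic credentials are valid, else None."""
    if not authorization or not authorization.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(authorization[len("Basic "):], validate=True).decode()
    except (ValueError, UnicodeDecodeError):  # malformed base64 or non-UTF-8 bytes
        return None
    user, _, password = decoded.partition(":")
    record = _USERS.get(user)
    expected = record[1] if record else _DUMMY_HASH
    candidate = sha256(_SALT + password.encode()).hexdigest()
    ok = hmac.compare_digest(candidate, expected)  # constant-time comparison
    return user if (ok and record) else None


def authorize(user: str, method: str) -> bool:
    """Authorization: does this authenticated user's role permit the method?"""
    role = _USERS[user][0]
    return method in _PERMISSIONS.get(role, set())


def handle(method: str, authorization: Optional[str]) -> Tuple[int, Dict[str, str]]:
    """Return (status, headers): 401 for bad credentials, 403 for insufficient privilege."""
    user = authenticate(authorization)
    if user is None:
        return 401, {"WWW-Authenticate": 'Basic realm="api"'}
    if not authorize(user, method):
        return 403, {}
    return 200, {}
```

Note that the 401 response carries a WWW-Authenticate challenge, while the 403 does not: re-presenting credentials cannot fix an authorization failure.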