From f9d09e2bbe0a1ac8fd16597c373b868b77025906 Mon Sep 17 00:00:00 2001 From: Artem Zakirullin Date: Mon, 3 Jun 2024 17:13:17 +0100 Subject: [PATCH] add note about auth --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index baef347..33e4e47 100644 --- a/README.md +++ b/README.md @@ -218,6 +218,7 @@ The same rule applies to all sorts of numeric statuses (in database or wherever) > People spend time arguing between `401` and `403`, making choices based on their level of understanding. But in the end it just doesn't make any sense. We can separate errors into either user-related or server-related, but apart from that, things are kind of blurry. As for following this mystical "RESTful API" and using all sorts of HTTP verbs and statuses, the standard simply doesn't exist. The only valid document on the matter is a paper published by Roy Fielding, dated back in 2000, and it says nothing about verbs and statuses. People get along with just a few basic HTTP statuses and POSTs only, and they are doing just fine. +P.S. Most developers have to spend some mental effort when thinking about the differences between `authentication` and `authorization`. To reduce cognitive load, we could use simpler terms like [login and permissions](https://ntietz.com/blog/lets-say-instead-of-auth/). ## Abusing DRY principle
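Review bot: the new `+P.S.` line lands directly after a blockquote that dismisses the `401`/`403` debate, yet `401` (not logged in) versus `403` (logged in but lacking permission) is precisely the authentication/authorization split the new sentence is about, so the two paragraphs read as contradicting each other; consider rewording the P.S. so it is clear the suggestion is about vocabulary (saying "login" and "permissions") and not about merging the two checks, which should stay separate because a missing login and a missing permission are different failures that need different handling. Also confirm a blank line separates the closing `>` line from `+P.S. ...`: a line that immediately follows a blockquote paragraph is treated as a lazy continuation in Markdown and would render inside the quote. Minor: "Most developers have to spend some mental effort" is an unsupported generalization; "Many developers" carries the point without overstating it.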