Disclaimer: I am a consultant at Amazon Web Services, and this is my personal blog. The opinions expressed here are solely mine and do not reflect the views of Amazon Web Services (AWS). Any statements made should not be considered official endorsements or statements by AWS.
Because a Web API (REST API) is stateless, the server needs some mechanism to identify the user on every request. To convey the user's identity, the client passes some data in the headers of each web request. The server reads that data and uses it to identify the user. This process of identifying the user and ensuring that they are a valid one is known as authentication.
Once the user is authenticated, we still don't know what access rights that particular user has over the application. Authorization is the process of giving access rights to a user.
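The two steps described above, as an added example that is not part of the original post: the client resends a signed token in the `Authorization` header on every request, the server verifies it (authentication), then checks the caller's role against the requested action (authorization). The token format, the key, the role table and the function names are all constructed for illustration.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-key"  # constructed; a real service loads this from a secret store
# Constructed role table: this is the authorization data.
ROLE_PERMISSIONS = {"admin": {"orders:read", "orders:delete"}, "viewer": {"orders:read"}}

def _sign(payload: str) -> str:
    mac = hmac.new(SECRET, payload.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode()

def issue_token(user, role, ttl=300, now=None):
    """Hypothetical login step: returns 'payload.signature' for the client to resend."""
    claims = {"sub": user, "role": role, "exp": (now or time.time()) + ttl}
    payload = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
    return f"{payload}.{_sign(payload)}"

def authenticate(headers, now=None):
    """Authentication: who is calling? Returns the claims, or None if not proven."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    payload, _, sig = token.partition(".")
    if scheme != "Bearer" or not payload or not sig:
        return None
    # Verify the signature before trusting anything inside the payload.
    if not hmac.compare_digest(_sign(payload).encode(), sig.encode()):
        return None
    claims = json.loads(base64.urlsafe_b64decode(payload))
    if claims["exp"] < (now or time.time()):
        return None  # expired token
    return claims

def handle(headers, action, now=None):
    """Returns the HTTP status the API would send for this request."""
    claims = authenticate(headers, now)
    if claims is None:
        return 401  # not authenticated
    if action not in ROLE_PERMISSIONS.get(claims["role"], set()):
        return 403  # authenticated, but not authorized for this action
    return 200
```

A failed identity check yields 401 and a failed rights check yields 403, which keeps the two decisions distinguishable in logs and to clients.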