API Access vs Authentication vs Authorization: What's the Difference?
May 26, 2026
Key Takeaways
- Access Control is the overarching security framework that determines whether a request can reach your API system, typically enforced at the network or gateway level
- Authentication verifies the identity of the user or application ("Who are you?") and must occur before authorization checks
- Authorization determines what permissions an authenticated entity has ("What can you do?") and enforces the principle of least privilege
- These three security layers work sequentially: Access Control → Authentication → Authorization, and all three are essential for robust API security
- API gateways provide centralized enforcement of all three security layers, reducing complexity and improving consistency across your API infrastructure
- Modern APIs should implement industry-standard protocols like OAuth 2.0, OpenID Connect, and JWT for authentication and authorization
- Following the principle of least privilege and implementing proper credential management are critical to preventing security breaches
What Are API Access, Authentication, and Authorization?
When building secure APIs, developers often encounter three critical security concepts: access control, authentication, and authorization. While these terms are frequently used interchangeably, they represent distinct security mechanisms that work together to protect your API resources.
According to the 2021 OWASP API Security Top 10, broken authentication and authorization consistently rank among the most critical security vulnerabilities. Understanding the precise differences between these concepts is essential for implementing effective API security.
Let's start with a real-world analogy. Imagine you're entering an airport:
- Access Control: You must enter through designated airport entrances (not through restricted areas or employee entrances)
- Authentication: At security, you show your ID and boarding pass to prove your identity
- Authorization: Your boarding pass grants you access to specific gates and your ticketed flight, but not to the cockpit or first-class lounge
In API security, these three layers work sequentially to protect your resources. Access control determines if a request can even reach your API. Authentication verifies the identity of the requester. Authorization determines what actions that authenticated entity can perform.
The confusion arises because many developers implement authentication and authorization together, using a single token or credential. However, separating these concerns conceptually and architecturally leads to more secure, maintainable systems. Modern API gateways help enforce this separation by providing distinct policy layers for each security mechanism.
Understanding these distinctions becomes crucial as your API infrastructure scales. A microservices architecture, for example, requires consistent security policies across dozens or hundreds of services. Without clear boundaries between access control, authentication, and authorization, security policies become inconsistent and vulnerabilities emerge.
flowchart TD
A[API Request] --> B{Access Control<br/>Can request reach API?}
B -->|Denied| C[403/404 Response]
B -->|Allowed| D{Authentication<br/>Who are you?}
D -->|Invalid| E[401 Unauthorized]
D -->|Valid| F{Authorization<br/>What can you do?}
F -->|Denied| G[403 Forbidden]
F -->|Granted| H[Access Resource]
style B fill:#e1f5ff
style D fill:#fff4e1
style F fill:#f0ffe1
style H fill:#e8f5e9
Understanding API Access Control: The Foundation of Security
Access control is the broadest security layer, serving as the first line of defense for your API infrastructure. It determines whether a request can even reach your API services before any authentication or authorization checks occur.
What is API Access Control?
Access control encompasses all mechanisms that regulate whether a request is allowed to interact with your API system. This includes network-level restrictions, gateway policies, and infrastructure security. Think of it as the perimeter security of your API ecosystem.
The primary goal of access control is to reduce your attack surface by preventing unauthorized traffic from reaching your application layer. According to Cloudflare's DDoS report, network-layer attacks increased by 60% in 2023, making robust access control essential.
Types of API Access Control
Network-Level Access Control operates at the infrastructure layer:
- IP Whitelisting: Restricting API access to known IP addresses or CIDR blocks
- VPN Requirements: Requiring clients to connect through secure VPN tunnels
- Geographic Restrictions: Blocking traffic from specific countries or regions
- API Gateway Enforcement: Centralizing all traffic through a managed gateway
Application-Level Access Control operates at the API layer:
- API Key Validation: Requiring valid API keys before processing requests
- Rate Limiting: Controlling request frequency per client
- Protocol Enforcement: Accepting only HTTPS/TLS encrypted connections
Resource-Level Access Control operates at the endpoint level:
- Endpoint Accessibility: Controlling which endpoints are publicly accessible
- Method Restrictions: Allowing only specific HTTP methods per endpoint
Access Control Models
Role-Based Access Control (RBAC) assigns permissions to predefined roles. Users inherit permissions through role membership. This model works well for organizations with clear hierarchical structures.
Attribute-Based Access Control (ABAC) makes access decisions based on attributes of the subject, resource, action, and environment. ABAC provides fine-grained control, evaluating conditions like time of day, device type, or data sensitivity.
Discretionary Access Control (DAC) allows resource owners to control access to their resources. This model is common in collaborative platforms where users share resources with specific colleagues.
Best Practices for API Access Control
Every API should enforce TLS/HTTPS encryption for all communications. Unencrypted HTTP traffic exposes credentials and sensitive data to interception. Modern certificate authorities like Let's Encrypt make TLS implementation straightforward and free.
Implement rate limiting and throttling to protect against denial-of-service attacks and resource exhaustion. Configure limits per API key, IP address, or user account based on your use case.
Use an API gateway to centralize access control policies. Rather than implementing security controls in each microservice, enforce policies at the gateway layer for consistency and easier management.
Here's an example of configuring IP whitelisting in Apache APISIX:
routes: - uri: /api/admin/* plugins: ip-restriction: whitelist: - 192.168.1.0/24 - 10.0.0.0/8 message: "Access denied: Your IP is not whitelisted" upstream: nodes: "backend.internal:8080": 1
Monitor and audit all access attempts, both successful and failed. Security information and event management (SIEM) systems help detect unusual patterns that may indicate attacks or misconfigurations.
API Authentication: Verifying Identity
Authentication is the process of verifying that a user, application, or service is who they claim to be. In API security, authentication must occur before authorization checks. Without proper authentication, authorization becomes meaningless—you cannot grant permissions to an unverified entity.
What is API Authentication?
Authentication answers the question "Who are you?" It validates credentials presented by the requester and establishes their identity. The authentication process typically involves presenting credentials (something you know, have, or are) and having the system verify those credentials against a trusted source.
In API architectures, authentication often involves validating tokens, API keys, or certificates rather than traditional username/password combinations. This approach better suits programmatic access patterns where human users aren't directly involved.
Common Authentication Methods
1. API Keys
API keys are the simplest authentication method. The server generates a unique key for each client, which the client includes in request headers or query parameters.
// API Key authentication example (Node.js with Express) const express = require('express'); const app = express(); const VALID_API_KEYS = new Set([ 'ak_prod_123abc456def789ghi', 'ak_prod_456def789ghi012jkl' ]); function authenticateAPIKey(req, res, next) { const apiKey = req.headers['x-api-key']; if (!apiKey) { return res.status(401).json({ error: 'API key required', message: 'Please provide X-API-Key header' }); } if (!VALID_API_KEYS.has(apiKey)) { return res.status(401).json({ error: 'Invalid API key', message: 'The provided API key is not valid' }); } // Store API key metadata for authorization checks req.apiKey = apiKey; next(); } app.use(authenticateAPIKey); app.get('/api/data', (req, res) => { res.json({ message: 'Authenticated successfully' }); }); app.listen(3000);
API keys work well for server-to-server communication but have limitations. They don't expire automatically, can't represent user context, and if compromised, require manual revocation.
2. OAuth 2.0 and OpenID Connect
OAuth 2.0 is an authorization framework that also enables authentication when combined with OpenID Connect (OIDC). This approach is ideal for user-facing applications requiring Single Sign-On (SSO).
The OAuth 2.0 authorization code flow works as follows:
- Client redirects user to authorization server
- User authenticates and consents to permissions
- Authorization server redirects back with authorization code
- Client exchanges code for access token
- Client uses access token to access protected resources
OpenID Connect adds an identity layer, providing ID tokens that contain user information. This combination enables both authentication (proving user identity) and authorization (granting access permissions).
3. JWT (JSON Web Tokens)
JSON Web Tokens provide stateless authentication by encoding user information and claims in a cryptographically signed token. JWTs consist of three parts: header, payload, and signature.
// JWT authentication example (Node.js with jsonwebtoken) const jwt = require('jsonwebtoken'); const JWT_SECRET = process.env.JWT_SECRET; // Store securely in environment // Generate JWT (typically during login) function generateToken(user) { const payload = { sub: user.id, email: user.email, role: user.role, iat: Math.floor(Date.now() / 1000), exp: Math.floor(Date.now() / 1000) + (60 * 60) // 1 hour }; return jwt.sign(payload, JWT_SECRET, { algorithm: 'HS256' }); } // Verify JWT middleware function authenticateJWT(req, res, next) { const authHeader = req.headers.authorization; if (!authHeader || !authHeader.startsWith('Bearer ')) { return res.status(401).json({ error: 'Authentication required', message: 'Please provide Bearer token in Authorization header' }); } const token = authHeader.substring(7); try { const decoded = jwt.verify(token, JWT_SECRET); req.user = decoded; // Available for authorization checks next(); } catch (err) { if (err.name === 'TokenExpiredError') { return res.status(401).json({ error: 'Token expired', message: 'Please refresh your authentication token' }); } return res.status(401).json({ error: 'Invalid token', message: 'The provided token is not valid' }); } } app.use(authenticateJWT);
JWTs enable horizontal scaling because servers don't need to maintain session state. However, they cannot be revoked before expiration without additional infrastructure (token blacklists or short expiration times with refresh tokens).
4. Multi-Factor Authentication (MFA)
Multi-factor authentication adds security layers beyond a single credential. Common second factors include:
- One-Time Passwords (OTP): Time-based codes from authenticator apps
- SMS Codes: Text message verification (less secure than app-based OTP)
- Biometrics: Fingerprint or facial recognition
- Hardware Tokens: Physical security keys using FIDO2/WebAuthn
For APIs accessed by applications rather than humans, certificate-based authentication (mutual TLS) serves as an effective second factor.
Authentication Best Practices
Never store credentials in code repositories, configuration files, or client-side storage. Use environment variables or secure secret management systems like HashiCorp Vault or AWS Secrets Manager.
Implement token refresh mechanisms for long-lived sessions. Use short-lived access tokens (15-60 minutes) paired with longer-lived refresh tokens (days or weeks). When access tokens expire, clients use refresh tokens to obtain new access tokens without re-authentication.
Set appropriate token expiration times balancing security and user experience. High-security APIs should use shorter expiration times (15-30 minutes), while lower-risk APIs can extend to several hours.
For web applications, store tokens in secure, httpOnly cookies rather than localStorage. This prevents JavaScript-based XSS attacks from stealing tokens. Combine with SameSite=Strict cookie attribute to prevent CSRF attacks.
// Secure cookie configuration example res.cookie('access_token', token, { httpOnly: true, // Prevents JavaScript access secure: true, // HTTPS only sameSite: 'strict', // CSRF protection maxAge: 3600000 // 1 hour in milliseconds });
Always use HTTPS/TLS for API communications. Authentication credentials transmitted over unencrypted connections can be intercepted through man-in-the-middle attacks.
API Authorization: Controlling Permissions
While authentication verifies identity, authorization determines what an authenticated entity can do. Authorization enforces the principle of least privilege, granting only the minimum permissions necessary for each user or application.
What is API Authorization?
Authorization answers the question "What can you do?" After successful authentication establishes identity, authorization checks determine whether that identity has permission to perform the requested action on the requested resource.
Authorization operates at multiple granularity levels:
- Endpoint-level: Can this user access this API endpoint?
- Resource-level: Can this user access this specific resource instance?
- Field-level: Can this user view or modify specific fields?
- Action-level: Can this user perform this operation (read, write, delete)?
Authorization Mechanisms
Role-Based Access Control (RBAC)
RBAC assigns permissions to roles, then assigns roles to users. This model scales well for organizations with defined job functions and clear permission boundaries.
// RBAC authorization middleware example const ROLES = { admin: ['read', 'write', 'delete', 'manage_users'], editor: ['read', 'write'], viewer: ['read'] }; function requirePermission(requiredPermission) { return function(req, res, next) { const userRole = req.user.role; // Set during authentication const permissions = ROLES[userRole] || []; if (!permissions.includes(requiredPermission)) { return res.status(403).json({ error: 'Insufficient permissions', message: `This action requires '${requiredPermission}' permission` }); } next(); }; } // Usage in routes app.get('/api/articles', authenticateJWT, requirePermission('read'), (req, res) => { // Return articles } ); app.delete('/api/articles/:id', authenticateJWT, requirePermission('delete'), (req, res) => { // Delete article } );
RBAC works well for static permission structures but becomes complex when permissions depend on contextual factors or resource ownership.
Attribute-Based Access Control (ABAC)
ABAC evaluates access decisions using attributes of the subject (user), resource, action, and environment. This enables fine-grained, dynamic authorization policies.
// ABAC authorization example with policy evaluation function evaluatePolicy(subject, resource, action, environment) { // Example policy: Users can edit their own articles, // or any article if they're editors and it's during business hours if (action === 'edit') { // Resource owner can always edit if (resource.authorId === subject.id) { return true; } // Editors can edit during business hours if (subject.role === 'editor') { const hour = environment.currentTime.getHours(); return hour >= 9 && hour < 17; // 9 AM - 5 PM } } return false; } function requireAuthorization(action) { return async function(req, res, next) { const subject = req.user; const resource = await getResource(req.params.id); const environment = { currentTime: new Date(), ipAddress: req.ip }; if (!evaluatePolicy(subject, resource, action, environment)) { return res.status(403).json({ error: 'Access denied', message: 'You do not have permission to perform this action' }); } req.resource = resource; next(); }; }
ABAC provides flexibility but increases complexity. Consider using policy engines like Open Policy Agent (OPA) for complex authorization requirements.
Scope-Based Authorization
OAuth 2.0 uses scopes to limit token capabilities. When requesting an access token, clients specify desired scopes, and users approve those permissions. The resulting token includes granted scopes, which APIs verify before performing actions.
// OAuth scope-based authorization function requireScope(...requiredScopes) { return function(req, res, next) { const tokenScopes = req.user.scopes || []; // From JWT or token introspection const hasRequiredScope = requiredScopes.some( scope => tokenScopes.includes(scope) ); if (!hasRequiredScope) { return res.status(403).json({ error: 'Insufficient scope', message: `This endpoint requires one of: ${requiredScopes.join(', ')}`, required_scopes: requiredScopes }); } next(); }; } // Usage app.get('/api/user/profile', authenticateJWT, requireScope('profile:read', 'profile:full'), getUserProfile ); app.put('/api/user/profile', authenticateJWT, requireScope('profile:write', 'profile:full'), updateUserProfile );
Authorization Best Practices
Implement the principle of least privilege rigorously. Grant only the minimum permissions necessary for each role or scope. It's easier to grant additional permissions later than to revoke overly broad permissions.
Separate authentication logic from authorization logic in your code architecture. Authentication should establish identity and populate user context, while authorization should check permissions. This separation enables changing authorization policies without modifying authentication code.
Use centralized policy management rather than scattering authorization logic throughout your codebase. Policy engines like OPA, Casbin, or cloud provider authorization services (AWS IAM, GCP IAM) centralize and standardize policy evaluation.
Handle authorization failures appropriately. Return 403 Forbidden when an authenticated user lacks permissions, and 401 Unauthorized when authentication fails or is missing. Never return 404 Not Found to hide resources—this reveals information through timing attacks.
// Proper error handling for authorization app.get('/api/sensitive-resource/:id', authenticateJWT, async (req, res) => { try { const resource = await getResource(req.params.id); if (!resource) { // Resource doesn't exist - return 404 return res.status(404).json({ error: 'Resource not found' }); } if (!userCanAccessResource(req.user, resource)) { // User lacks permission - return 403, not 404 return res.status(403).json({ error: 'Access denied', message: 'You do not have permission to access this resource' }); } res.json(resource); } catch (err) { res.status(500).json({ error: 'Internal server error' }); } });
Regularly audit and review permissions. User roles change, employees leave organizations, and applications get decommissioned. Implement automated reviews and manual audits to revoke unnecessary permissions.
Authentication vs Authorization vs Access Control: Key Differences and How They Work Together
Let's consolidate our understanding with a comprehensive comparison:
| Aspect | Access Control | Authentication | Authorization |
|---|---|---|---|
| Core Question | Can you reach the system? | Who are you? | What can you do? |
| Timing | First gate | Second step | Third step |
| Common Methods | IP filtering, API gateway, network policies | API keys, OAuth, JWT, certificates | RBAC, ABAC, scopes, permissions |
| Success Result | Request reaches API | Identity established | Permission granted |
| Failure Result | Connection refused (403/404) | 401 Unauthorized | 403 Forbidden |
| Token Type | Network credentials | ID Token, API Key | Access Token, Permissions |
| Protocol Examples | TLS, mTLS, VPN | OpenID Connect, SAML | OAuth 2.0, custom policies |
| Enforcement Layer | Network/Gateway | Application | Application/Resource |
| State Required | IP lists, network rules | Credential validation | Permission policies |
How They Work Together in Practice
These three security layers create a defense-in-depth strategy. Each layer provides protection against different attack vectors:
sequenceDiagram
participant C as Client
participant G as API Gateway
participant A as Auth Service
participant B as Backend API
participant D as Database
C->>G: API Request with Token
rect rgb(225, 245, 255)
Note over G: Access Control Layer
G->>G: Check IP whitelist
G->>G: Verify rate limits
G->>G: Validate TLS certificate
end
rect rgb(255, 244, 225)
Note over G,A: Authentication Layer
G->>A: Validate token
A->>A: Verify signature & expiration
A-->>G: Token valid + user identity
end
rect rgb(240, 255, 225)
Note over G,B: Authorization Layer
G->>G: Check user permissions
G->>G: Evaluate access policies
end
G->>B: Forward authorized request
B->>D: Query data
D-->>B: Return data
B-->>G: Response
G-->>C: API Response
Consider a real-world API request flow:
-
Access Control: A mobile app sends a request to
https://api.example.com/users/123/profile. The API gateway first checks if the request originates from an allowed IP range and hasn't exceeded rate limits. If these checks fail, the request is rejected before reaching application code. -
Authentication: The gateway validates the JWT token in the Authorization header. It verifies the token signature using the public key, checks expiration time, and extracts user identity claims. If the token is invalid or expired, it returns 401 Unauthorized.
-
Authorization: The gateway checks if the authenticated user (from the token) has permission to access user 123's profile. If the token belongs to user 123 or an admin role, access is granted. Otherwise, it returns 403 Forbidden.
-
Resource Access: Only after all three security checks pass does the request reach the backend service, which retrieves and returns the user profile.
This layered approach means that even if one security mechanism fails, others provide protection. For example, if an attacker somehow obtains a valid authentication token, access control (rate limiting) prevents them from rapidly extracting data, and authorization prevents them from accessing resources they shouldn't see.
Implementing Secure API Access with API Gateways
API gateways serve as centralized policy enforcement points, implementing all three security layers consistently across your API infrastructure.
Why Use an API Gateway?
Centralized Security Enforcement: Rather than implementing authentication, authorization, and access control in every microservice, enforce policies once at the gateway layer. This reduces code duplication and prevents inconsistencies.
Separation of Concerns: Backend services focus on business logic while the gateway handles security, routing, and traffic management. This architectural separation simplifies both gateway and service code.
Consistent Policy Application: As your API infrastructure grows to dozens or hundreds of services, the gateway ensures every request passes through the same security checks. Without this consistency, security gaps inevitably emerge.
Performance and Scalability: Gateways implement caching, connection pooling, and request optimization, improving API performance. They also provide a single scaling point for handling traffic spikes.
API Gateway Security Features
Modern API gateways provide built-in authentication plugins supporting:
- JWT Validation: Verify signatures, expiration, and extract claims
- OAuth 2.0 Integration: Token introspection and scope validation
- API Key Management: Generate, rotate, and revoke keys
- OpenID Connect: SSO integration with identity providers
Authorization capabilities include:
- Policy Engines: Evaluate complex authorization rules
- RBAC/ABAC Support: Implement role or attribute-based policies
- Scope Checking: Validate OAuth scopes against endpoint requirements
Access control features:
- Rate Limiting: Control request frequency per consumer
- IP Whitelisting/Blacklisting: Network-level access control
- DDoS Protection: Identify and block malicious traffic patterns
- Circuit Breaking: Protect backend services from cascading failures
Additional security features:
- TLS Termination: Handle certificate management centrally
- Audit Logging: Record all authentication and authorization events
- Request/Response Transformation: Sanitize data and remove sensitive headers
Implementation Checklist
✓ Enable TLS/HTTPS for all endpoints: Configure valid certificates and enforce HTTPS-only access
✓ Implement proper authentication method: Choose API keys for server-to-server, OAuth/JWT for user-facing APIs
✓ Configure role-based or scope-based authorization: Define clear permission boundaries for different user types
✓ Set up rate limiting per consumer: Protect against abuse and ensure fair resource allocation
✓ Enable comprehensive audit logging: Track all authentication attempts and authorization decisions
✓ Monitor authentication failures: Alert on suspicious patterns indicating potential attacks
✓ Regularly rotate credentials and keys: Implement automated rotation schedules for API keys and secrets
✓ Test authorization policies thoroughly: Verify that users can only access intended resources
Apache APISIX Configuration Example
Here's a practical example implementing all three security layers in Apache APISIX:
routes: - uri: /api/users/* name: user-api-route # Access Control Layer plugins: ip-restriction: whitelist: - 10.0.0.0/8 - 192.168.1.0/24 limit-req: rate: 100 burst: 50 key: "consumer_name" rejected_code: 429 # Authentication Layer jwt-auth: key: your-secret-key algorithm: HS256 exp: 3600 # Authorization Layer authz-keycloak: discovery: https://keycloak.example.com/realms/master/.well-known/openid-configuration permissions: ["resource:users#view"] # Audit logging syslog: host: 127.0.0.1 port: 5044 # Enforce HTTPS redirect: http_to_https: true upstream: type: roundrobin nodes: "user-service:8080": 1
This configuration enforces:
- Access Control: IP whitelist and rate limiting (100 requests/minute)
- Authentication: JWT validation with HS256 algorithm
- Authorization: Keycloak integration checking "users#view" permission
- Audit: Logging all requests to syslog
- TLS: Automatic HTTP to HTTPS redirection
Conclusion: Building a Robust API Security Strategy
Understanding the distinctions between access control, authentication, and authorization is fundamental to building secure APIs. These three security layers work together sequentially, each providing protection against different attack vectors:
Access control serves as your perimeter defense, ensuring only legitimate traffic reaches your API infrastructure. Implement IP filtering, rate limiting, and TLS encryption at this layer.
Authentication establishes identity, verifying that users and applications are who they claim to be. Use industry-standard protocols like OAuth 2.0, OpenID Connect, and JWT rather than inventing custom authentication schemes.
Authorization enforces the principle of least privilege, granting authenticated entities only the minimum permissions necessary. Implement RBAC or ABAC based on your complexity requirements, and centralize policy management for consistency.
Security is not a single decision but a layered strategy. All three components are essential—weakness in any layer compromises your entire API. Start with strong authentication using proven protocols, implement granular authorization with clear permission boundaries, and enforce access control at the network and gateway layers.
API gateways provide the architectural foundation for implementing these security layers consistently across your infrastructure. Rather than scattering security logic throughout microservices, centralize enforcement at the gateway for better consistency, maintainability, and security.
Regular security audits, credential rotation, and monitoring are equally important. Technology alone cannot secure your APIs—you need processes for reviewing permissions, detecting anomalies, and responding to incidents.
Balance security requirements with developer experience. Overly complex security creates friction that developers circumvent, while insufficient security exposes your organization to breaches. Design security that's strong enough to protect your resources but simple enough to implement correctly.
Next Steps
To deepen your API security implementation:
- Explore Apache APISIX authentication plugins for JWT, OAuth, and API key management
- Review authorization policy patterns and implement RBAC or ABAC based on your needs
- Set up comprehensive monitoring and alerting for authentication failures and suspicious patterns
- Conduct security audits of your current API infrastructure to identify gaps
- Implement automated credential rotation for API keys and secrets
Building secure APIs requires understanding not just the "what" but the "why" behind each security mechanism. With clear understanding of access control, authentication, and authorization working together, you can design API security that protects your organization while enabling innovation.
graph TB
subgraph "Complete API Security Architecture"
A[API Request] --> B[API Gateway]
subgraph "Security Layers"
B --> C{Access Control}
C -->|Pass| D{Authentication}
C -->|Fail| E[Reject: 403/429]
D -->|Pass| F{Authorization}
D -->|Fail| G[Reject: 401]
F -->|Pass| H[Backend Services]
F -->|Fail| I[Reject: 403]
end
H --> J[Return Data]
subgraph "Supporting Systems"
K[Identity Provider]
L[Policy Engine]
M[Audit Logs]
N[Monitoring & Alerts]
end
D -.->|Validate| K
F -.->|Check| L
C -.->|Record| M
D -.->|Record| M
F -.->|Record| M
M -.->|Analyze| N
end
style C fill:#e1f5ff
style D fill:#fff4e1
style F fill:#f0ffe1
style H fill:#e8f5e9