1. Extract session id from header. 2. Get session from session store by session id 3. Get user id from session then fetch user plus permissions (cached) 4. Check permissions 5. Proceed