
> Get started using Auth0. Implement authentication for any kind of application in minutes.

# Identity Glossary

export const GlossaryPage = () => {
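  // Static glossary data: one { term, description } record per entry. The
  // component renders both fields as plain text, so keep them free of markup.
  // NOTE(review): the page also passes a `terms` prop carrying the same entries,
  // but the component takes no props and renders this constant. Keep the two
  // copies in sync (the "API" and "programmatically" spelling fixes below are
  // not mirrored in that prop) or read the data from props instead.
  const GLOSSARY = [{
    term: "Access Token",
    description: "Credential that can be used by an application to access an API. It informs the API that the bearer of the token has been authorized to access the API and perform specific actions specified by the scope that has been granted. An Access Token can be in any format, but two popular options include opaque strings and JSON Web Tokens (JWT). They should be transmitted to the API as a Bearer credential in an HTTP Authorization header."
  }, {
    term: "Account Linking",
    description: "Connecting user accounts across multiple platforms to allow users access to more than one resource or application by providing credentials one time."
  }, {
    term: "Actions",
    description: "Secure, tenant-specific, versioned functions written in Node.js that execute at certain points during the Auth0 runtime. Actions are used to customize and extend Auth0's capabilities with custom logic."
  }, {
    term: "Adaptive Multi-factor Authentication",
    description: "Multi-factor authentication (MFA) that is only triggered for users when an attempted login is determined to be a low confidence login. With Adaptive MFA, Auth0 triggers MFA only when needed to add friction for bad actors while keeping the login experience unchanged for good actors."
  }, {
    term: "Application",
    description: "Your software that relies on Auth0 for authentication and identity management. Auth0 supports single-page, regular web, native, and machine-to-machine applications."
  }, {
    term: "Attack Protection",
    description: "Features that Auth0 provides to detect and mitigate attacks, including brute-force protection, suspicious IP throttling, breached password detection, bot detection, and adaptive multi-factor authentication."
  }, {
    term: "Audience",
    description: "Unique identifier of the audience for an issued token, identified within a JSON Web Token as the aud claim. The audience value is either the application (Client ID) for an ID Token or the API that is being called (API Identifier) for an Access Token. At Auth0, the Audience value sent in a request for an Access Token dictates whether that token is returned in an opaque or JWT format."
  }, {
    term: "Auth0 Dashboard",
    description: "Auth0’s primary administrator interface in which you can register your application or API, connect to a user store or another identity provider, and configure your Auth0 services."
  }, {
    term: "Authentication Device",
    description: "The device on which the user will authenticate and grant consent in the Client-Initiated Backchannel Authentication Flow."
  }, {
    term: "Authentication Server",
    description: "Server that confirms or denies a user’s identity. An authentication server does not limit the actions or resources available to the user (although it can provide context for this purpose)."
  }, {
    term: "Authorization Code",
    description: "Random string generated by the authorization server and returned to the application as part of the authorization response. The authorization code is relatively short-lived and is exchanged for an Access Token at the token endpoint when using the Authorization Code Flow (either with or without Proof Key for Code Exchange (PKCE))."
  }, {
    term: "Authorization Flow",
    description: "Another name for Authorization Grants outlined in OAuth 2.0. Authorization flows are the workflows a resource (an application or an API) uses to grant requestors access. Based on the type of technology and the type of requestor, resource owners can use Authorization Code Flow, PKCE, ROPG, Implicit, or Client Credential."
  }, {
    // NOTE(review): "does not authenticate users" conflicts with the
    // "Universal Login" entry, which calls the authentication flow the key
    // feature of an Authorization Server. In OAuth 2.0 the authorization server
    // authenticates the resource owner before issuing tokens. Reconcile the two
    // entries; the displayed text is left as authored.
    term: "Authorization Server",
    description: "Centralized server that contributes to defining the boundaries of a user’s access. For example, your authorization server can control the data, tasks, and features available to a user. An authorization server does not authenticate users. It’s the role of the authentication server to verify a user’s identity."
  }, {
    term: "Bad Actors",
    description: "Also known as threat actors. Entity (a person or group) that poses a threat to the business or environment with the intention to cause harm. Harm can constitute physical or cyber damages, from breaking into a data center to hacking into systems with stolen credentials."
  }, {
    term: "Beta",
    description: "Product release stage during which the referenced feature or behavior is provided to subscribers to give them time to explore and adopt new product capabilities while providing final feedback prior to a GA release. Functionality is code-complete, stable, useful in a variety of scenarios, and believed to meet or almost meet quality expectations for a GA release. Beta releases may be private or public."
  }, {
    term: "Block/Unblock Users",
    description: "Removing or restoring a requestor's access to a resource. Refers to the features from Auth0's Attack Protection suite. Each service assesses login/sign-up trends and blocks IP addresses associated with suspicious activity."
  }, {
    term: "Bot Detection",
    description: "Form of attack protection in which Auth0 blocks suspected bot traffic by enabling a CAPTCHA during the login process."
  }, {
    term: "Breached Password Detection",
    description: "Form of attack protection in which Auth0 notifies your users if they use a username/password combination that has been compromised in a data leak on a third-party website or app."
  }, {
    term: "Breaking Change",
    description: "Change to the Auth0 platform that, to Auth0's knowledge, will cause failures in the interoperation of the Auth0 platform and customer applications."
  }, {
    term: "Brute-force Protection",
    description: "Form of attack protection that safeguards against brute-force attacks that occur from a single IP address and target a single user account."
  }, {
    term: "Callback",
    description: "URL to which Auth0 sends its response after authentication. It is often the same URL to which a user is redirected after authentication."
  }, {
    term: "Claim",
    description: "Attribute packaged in a security token which represents a claim that the provider of the token is making about an entity."
  }, {
    term: "Client ID",
    description: "Identification value assigned to your application after registration. This value is used in conjunction with other third-party services and can be found in Auth0 Dashboard > Application Settings."
  }, {
    term: "Client Secret",
    description: "Secret used by a client (application) to authenticate with the Authorization Server; it should be known to only the client and the Authorization Server and must be sufficiently random to not be guessable."
  }, {
    term: "Confidential Client",
    description: "According to the OAuth 2.0 protocol, clients (applications) can be classified as either confidential or public. Confidential clients can hold credentials securely and require a trusted backend server to do so. They can use grant types that require authentication by specifying their client ID and secret when calling the token endpoint."
  }, {
    term: "Confused Deputy",
    description: "Situation in which an attacker tricks a client or service into performing an action on their behalf."
  }, {
    term: "Connection",
    description: "Relationship between Auth0 and the sources of users for your applications. Examples include identity providers, passwordless authentication methods, or user databases."
  }, {
    term: "Consumption Device",
    description: "The device that helps the user consume a service in the Client-Initiated Backchannel Authentication Flow."
  }, {
    // NOTE(review): a CNAME is a DNS record type that is commonly used to point
    // a custom domain at the service; the two terms are not synonyms. Displayed
    // text left as authored.
    term: "Custom Domain",
    description: "Third-party domain with a specialized, or vanity, name. Also known as a CNAME."
  }, {
    term: "Deprecation",
    description: "Product release stage indicating that the referenced feature or behavior is not supported for new subscribers, is not actively being enhanced, and is being only minimally maintained."
  }, {
    term: "Digital Identity",
    description: "Set of attributes that define a particular user in the context of a function delivered by a particular application."
  }, {
    // NOTE(review): a signature is not encryption. It gives integrity and
    // authenticity, not confidentiality, and it lets a verifier detect
    // tampering rather than preventing it. Displayed text left as authored.
    term: "Digital Signature",
    description: "Encrypted string that protects bits in a token from tampering. If the bits are changed or tampered with, the signature will no longer be able to be verified and it will be rejected."
  }, {
    term: "Directory",
    description: "Centralized repository of users (the most well-known of which is Active Directory) which centralizes credentials and attributes and makes it unnecessary for each application to have their own local identity setup."
  }, {
    term: "Early Access",
    description: "Product release stage during which the referenced feature or behavior is provided to a limited number of subscribers or customer development partners (CDPs) to test and provide feedback."
  }, {
    term: "End of Life",
    description: "Product release stage indicating that the referenced feature or behavior is removed from the platform. Continued use will likely result in errors."
  }, {
    term: "End of Life Date",
    description: "Date when access to a feature or behavior is removed from the platform. End Of Life Dates can vary between different plan types."
  }, {
    term: "Fine-grained Authorization (FGA)",
    description: "Auth0’s SaaS product that gives individual users access to specific objects or resources within your application."
  }, {
    term: "Flow",
    description: "Processes that can be extended using Actions. Each Flow is made up of one or more Triggers and represents the logical pipeline through which information moves during a single point in the Auth0 journey."
  }, {
    term: "General Availability",
    description: "Product release stage during which the referenced feature or behavior is fully functional and available to all subscribers for production use."
  }, {
    term: "Group",
    description: "Set of one or more users. In the Auth0 Authorization Extension, use groups to grant access to many users at a time."
  }, {
    term: "ID Token",
    description: "Credential meant for the client itself, rather than for accessing a resource. It has a fixed format that clients can parse and validate."
  }, {
    term: "Identity Provider (IdP)",
    description: "Service that stores and manages digital identities. Auth0 supports trusted social, enterprise, and legal identity providers."
  }, {
    term: "JSON Web Token (JWT)",
    description: "Open, industry standard RFC 7519 method for representing claims securely between two parties. At Auth0, ID Tokens are always returned in JWT format, and Access Tokens are often in JWT format."
  }, {
    term: "Localization",
    description: "Ability to render the New Universal Login experience into a supported language."
  }, {
    term: "Lock",
    description: "Auth0's UI widget for authenticating users. It is ready to go as-is and is the default face of the Classic Universal Login experience."
  }, {
    term: "Management API",
    description: "Auth0's API to manage Auth0 services and perform administrative tasks programmatically."
  }, {
    term: "Metadata",
    description: "Information users can update, such as preferences or profile settings. Metadata is added to ID tokens and can be stored in user profiles."
  }, {
    term: "Migration",
    description: "Process by which a customer moves away from a particular feature or behavior. Migrations should occur during the Deprecation stage."
  }, {
    term: "Multi-factor authentication (MFA)",
    description: "Authentication process that considers multiple factors. Typically the first factor is username/password, and the second is a code or link via email/SMS, or OTP via an app."
  }, {
    term: "Nonce",
    description: "Arbitrary (often random or pseudo-random) number issued in an authentication protocol that can be used to help detect and mitigate replay attacks."
  }, {
    term: "OAuth 2.0",
    description: "Authorization framework that defines authorization protocols and workflows. OAuth 2.0 defines roles, authorization grants, authorization requests and responses, and token handling."
  }, {
    term: "OpenID",
    description: "Open standard for authentication that allows applications to verify users are who they say they are without needing to collect or store login information."
  }, {
    term: "Organizations",
    description: "Auth0 product that allows B2B customers to categorize end-users and define specific roles, login experience, and access to resources."
  }, {
    term: "Passwordless",
    description: "Form of authentication where the first factor is not a password. Instead, it could be a one-time password received by email or SMS, a push notification, or a biometric sensor."
  }, {
    term: "Perimeter",
    description: "Set of boundaries that encompass a directory, all of its users, and all of the applications which use the directory."
  }, {
    term: "Product Release Stages",
    description: "Phases that describe how Auth0 stages, releases, and retires product functionality."
  }, {
    term: "Public Client",
    description: "According to the OAuth 2.0 protocol, clients can be confidential or public. Public clients cannot hold credentials securely, so should only use grant types that do not require the use of their client secret."
  }, {
    term: "Raw Credential",
    description: "Shared secret or set of information that is agreed upon between the user and the resource that allow the resource to verify the identity of a user."
  }, {
    term: "Refresh Token",
    description: "Special kind of token that can be used to obtain a renewed Access Token. It is useful for renewing expiring Access Tokens without forcing the user to log in again."
  }, {
    term: "Refresh Token Rotation",
    description: "Strategy of frequently replacing refresh tokens to minimize vulnerability. Each exchange also returns a new refresh token."
  }, {
    term: "Relying Party",
    description: "Entity (such as a service or application) that depends on a third-party identity provider to authenticate a user."
  }, {
    term: "Resource Owner",
    description: "Entity (such as a user or application) capable of granting access to a protected resource."
  }, {
    term: "Resource Server",
    description: "Server hosting protected resources. Resource servers accept and respond to protected resource requests."
  }, {
    term: "Role",
    description: "Aspect of a user’s identity assigned to the user to indicate the level of access they should have to the system."
  }, {
    term: "Scope",
    description: "Mechanism that defines the specific actions applications can be allowed to do or information they can request on a user’s behalf."
  }, {
    term: "Security Assertion Markup Language (SAML)",
    description: "XML-based standardized protocol by which two parties can exchange authentication information without the use of a password."
  }, {
    term: "Security Token",
    description: "Digitally-signed artifact used to prove that the user was successfully authenticated."
  }, {
    term: "Session Cookie",
    description: "Entity emitted by middleware after it establishes that the token it is receiving is signed, valid, and comes from a trusted source."
  }, {
    term: "Shadow Account",
    description: "Difficult-to-sustain practice of manually provisioning a user from a local directory separately in a remote directory when they need access to remote applications."
  }, {
    // NOTE(review): token signing algorithms are MAC or public-key signature
    // schemes (for example HS256 or RS256) that use a hash internally; a bare
    // hash has no key and gives no tamper protection. Displayed text left as
    // authored.
    term: "Signing Algorithm",
    description: "Hashing algorithm used to digitally sign tokens to ensure the token has not been tampered with."
  }, {
    term: "Single Sign-On (SSO)",
    description: "Service that, after a user logs into one application, automatically logs them into other applications as well. Single Logout works similarly in reverse."
  }, {
    term: "Subscription",
    description: "Agreement that defines the features and quotas available for each of your tenants."
  }, {
    term: "Suspicious IP Throttling",
    description: "Form of attack protection that protects your tenant against suspicious logins targeting too many accounts from a single IP address."
  }, {
    term: "Tenant",
    description: "A logically-isolated group of users who share common access with specific privileges to a single software instance."
  }, {
    term: "Token Endpoint",
    description: "Endpoint on the Authorization Server that is used to programmatically request tokens."
  }, {
    term: "Trigger",
    description: "Event that automatically invokes an Action when a specific operation, such as a user logging in, occurs at runtime."
  }, {
    term: "Trust",
    description: "A resource trusts an identity provider or authority when that resource is willing to believe what the authority says about its users."
  }, {
    term: "Universal Login",
    description: "Auth0’s implementation of the authentication flow, which is the key feature of an Authorization Server."
  }, {
    term: "Web Service Federation (WS-Fed)",
    description: "Protocol for managing user identities between systems, domains, and identity providers with established trust using WS-Trust. Mainly used for Microsoft products."
  }];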
  // Upper-case Latin alphabet, one letter per element; drives the jump bar and
  // the order in which letter sections are rendered.
  const A_TO_Z = [..."ABCDEFGHIJKLMNOPQRSTUVWXYZ"];
  // Canonical form used for matching and for heading ids: Unicode NFKD
  // decomposition, then lower-cased, then surrounding whitespace removed.
  const norm = (s) => {
    const decomposed = s.normalize("NFKD");
    return decomposed.toLowerCase().trim();
  };
  /**
   * State hook whose value is mirrored in a URL query parameter.
   *
   * The initial value is read from `?key=` in the current URL (falling back to
   * `initial` when the parameter is absent or there is no `window`), and every
   * change is written back with `history.replaceState`, so no history entry is
   * added. An empty value removes the parameter.
   *
   * The returned value comes straight from the address bar, so anyone who can
   * hand a user a link controls it. Treat it as untrusted input: render it only
   * as text and never feed it to an HTML, script or URL sink.
   *
   * @param {string} key - Query parameter name.
   * @param {string} [initial=""] - Value used when the parameter is missing.
   * @returns {[string, Function]} The current value and its setter.
   */
  const useQueryParamState = (key, initial = "") => {
    const hasWindow = () => typeof window !== "undefined";

    const readFromUrl = () => {
      if (!hasWindow()) return initial;
      const fromUrl = new URL(window.location.href).searchParams.get(key);
      return fromUrl ?? initial;
    };

    const [value, setValue] = useState(readFromUrl);

    useEffect(() => {
      if (!hasWindow()) return;
      const next = new URL(window.location.href);
      if (value) {
        next.searchParams.set(key, value);
      } else {
        next.searchParams.delete(key);
      }
      window.history.replaceState({}, "", next.toString());
    }, [key, value]);

    return [value, setValue];
  };
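  /**
   * Wraps the first case-insensitive occurrence of `query` in `text` with
   * <mark>. Returns `text` unchanged when there is nothing to highlight.
   *
   * `query` is user-controlled (it comes from the search box and the URL). It
   * is used only to compute slice offsets, and all three slices are emitted as
   * JSX text children, which React escapes. Keep it that way: do not build this
   * output as an HTML string.
   *
   * @param {string} text - Text to display.
   * @param {string} query - Search text typed by the user.
   * @returns {string|JSX.Element} `text`, or a fragment with the match marked.
   */
  const highlight = (text, query) => {
    // Match on the normalized query. A whitespace-only query normalizes to ""
    // and would otherwise "match" at offset 0 and mark the first few characters.
    const needle = query ? norm(query) : "";
    if (!needle) return text;
    const haystack = norm(text);
    const i = haystack.indexOf(needle);
    if (i < 0) return text;
    // Offsets found in the normalized text are only valid in the original when
    // normalization kept its length (no trimming, no NFKD expansion). When it
    // did not, show the text unmarked rather than mark the wrong span.
    if (haystack.length !== text.length) return text;
    // Use the normalized length: the raw query may carry padding that was
    // trimmed away before matching.
    const end = i + needle.length;
    return <>
        {text.slice(0, i)}
        <mark>{text.slice(i, end)}</mark>
        {text.slice(end)}
      </>;
  };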
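  // Current search text, kept in sync with the `term` query parameter. Because
  // it can be preset by a link, treat it as untrusted and render it as text only.
  const [term, setTerm] = useQueryParamState("term", "");
  // Map of upper-case first letter -> entries whose term name contains the
  // search text, each bucket sorted by term. Recomputed when `term` changes.
  const groups = useMemo(() => {
    // Normalize the search text once instead of once per glossary entry.
    const needle = term ? norm(term) : "";
    const matches = needle ? GLOSSARY.filter(g => norm(g.term).includes(needle)) : GLOSSARY;
    // Sort a copy: with no filter `matches` is GLOSSARY itself, and sort()
    // would otherwise reorder the source array in place.
    const ordered = [...matches].sort((a, b) => a.term.localeCompare(b.term));
    const map = new Map();
    for (const item of ordered) {
      const key = (item.term[0] || "").toUpperCase();
      const bucket = map.get(key);
      if (bucket) {
        bucket.push(item);
      } else {
        map.set(key, [item]);
      }
    }
    return map;
  }, [term]);
  // letter -> <h2> element of that letter's section, filled in by ref callbacks.
  const letterRefs = useRef({});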
  /**
   * Smooth-scrolls to the section heading registered for `letter`.
   * Does nothing when no heading is registered for that letter.
   *
   * @param {string} letter - Key into `letterRefs.current`.
   */
  const handleJump = (letter) => {
    const heading = letterRefs.current[letter];
    if (!heading) return;
    heading.scrollIntoView({ behavior: "smooth", block: "start" });
  };
  // Page layout: search box, A–Z jump bar, then one section per letter that has
  // at least one matching entry.
  // `term` is user-controlled (typed here or preset through the `term` query
  // parameter) and is echoed back below as the input value and in the
  // "No results" message. Both are JSX attribute/text positions, which React
  // escapes; keep it out of dangerouslySetInnerHTML or any other HTML sink.
  return <div className="mx-auto max-w-5xl py-10 text-gray-900 dark:text-gray-100">
      {/* Search box: controlled input bound to `term` */}
      <div className="mb-6">
        <div className="relative">
          <span className="pointer-events-none absolute left-3 top-1/2 -translate-y-1/2 text-gray-500 dark:text-gray-400">
            <svg width="18" height="18" viewBox="0 0 24 24" fill="none" stroke="currentColor">
              <circle cx="11" cy="11" r="8"></circle>
              <line x1="21" y1="21" x2="16.65" y2="16.65"></line>
            </svg>
          </span>
          <input id="search-input-control" type="text" placeholder="Search by name" value={term} onChange={e => setTerm(e.target.value)} className="w-full rounded-lg border border-gray-300 dark:border-gray-700 bg-white dark:bg-black pl-10 pr-4 py-3 outline-none focus:border-indigo-500 dark:focus:border-indigo-400 text-gray-900 dark:text-gray-100" />
        </div>
      </div>

      {/* A–Z jump bar: one button per letter */}
      <nav className="mb-8 flex flex-wrap gap-3">
        {A_TO_Z.map(letter => {
    // A letter is clickable only when the current results contain a section for it.
    const enabled = groups.has(letter);
    return <button key={letter} onClick={() => enabled && handleJump(letter)} disabled={!enabled} className={`text-lg ${enabled ? "text-indigo-600 dark:text-indigo-300 hover:text-black dark:hover:text-white" : "text-gray-400 dark:text-gray-600 cursor-not-allowed"}`} aria-label={`Jump to ${letter}`}>
              {letter}
            </button>;
  })}
      </nav>

      {/* Results: one section per letter present in `groups`, in alphabetical order */}
      <section>
        {A_TO_Z.filter(L => groups.has(L)).map(letter => {
    const items = groups.get(letter);
    // The <h2> registers itself in letterRefs so handleJump can scroll to it.
    // Each entry's <h3> id is the normalized term name; the description is
    // passed through highlight() with the current search text.
    return <section key={letter} className="mb-10">
              <div className="flex items-end gap-1">
                <h2 id={letter} ref={el => letterRefs.current[letter] = el} className="text-3xl font-semibold glossary_h2">
                  {letter}
                </h2>
                <div className="flex-1 border-b-2 border-[#3F59E4]" />
              </div>

              <ul className="mt-6 space-y-6 glossary_list">
                {items.map(it => <li key={it.term} className="scroll-mt-24">
                    <h3 id={norm(it.term)} className="text-xl font-medium text-gray-900 dark:text-gray-100 glossary_h3">
                      {it.term}
                    </h3>
                    <p className="mt-1 text-gray-700 dark:text-gray-300">{highlight(it.description, term)}</p>
                  </li>)}
              </ul>
            </section>;
  })}

        {groups.size === 0 && <p className="text-gray-500 dark:text-gray-400">No results for “{term}”. Try a different term.</p>}
      </section>
    </div>;
};

We've put together a glossary of identity terms for newcomers and seasoned developers alike. We hope it helps clear up any confusion about identity terminology.

<GlossaryPage
  terms={[
    {
      term: "Access Token",
      description:
        "Credential that can be used by an application to access an API. It informs the API that the bearer of the token has been authorized to access the API and perform specific actions specified by the scope that has been granted. An Access Token can be in any format, but two popular options include opaque strings and JSON Web Tokens (JWT). They should be transmitted to the API as a Bearer credential in an HTTP Authorization header.",
    },
    {
      term: "Account Linking",
      description:
        "Connecting user accounts across multiple platforms to allow users access to more than one resource or application by providing credentials one time.",
    },
    {
      term: "Actions",
      description:
        "Secure, tenant-specific, versioned functions written in Node.js that execute at certain points during the Auth0 runtime. Actions are used to customize and extend Auth0's capabilities with custom logic.",
    },
    {
      term: "Adaptive Multi-factor Authentication",
      description:
        "Multi-factor authentication (MFA) that is only triggered for users when an attempted login is determined to be a low confidence login. With Adaptive MFA, Auth0 triggers MFA only when needed to add friction for bad actors while keeping the login experience unchanged for good actors.",
    },
    {
      term: "Application",
      description:
        "Your software that relies on Auth0 for authentication and identity management. Auth0 supports single-page, regular web, native, and machine-to-machine applications.",
    },
    {
      term: "Attack Protection",
      description:
        "Features that Auth0 provides to detect and mitigate attacks, including brute-force protection, suspicious IP throttling, breached password detection, bot detection, and adaptive multi-factor authentication.",
    },
    {
      term: "Audience",
      description:
        "Unique identifier of the audience for an issued token, identified within a JSON Web Token as the aud claim. The audience value is either the application (Client ID) for an ID Token or the API that is being called (API Identifier) for an Access Token. At Auth0, the Audience value sent in a request for an Access Token dictates whether that token is returned in an opaque or JWT format.",
    },
    {
      term: "Auth0 Dashboard",
      description:
        "Auth0’s primary administrator interface in which you can register your application or API, connect to a user store or another identity provider, and configure your Auth0 services.",
    },
    {
      term: "Authentication Device",
      description:
        "The device on which the user will authenticate and grant consent in the Client-Initiated Backchannel Authentication Flow.",
    },
    {
      term: "Authentication Server",
      description:
        "Server that confirms or denies a user’s identity. An authentication server does not limit the actions or resources available to the user (although it can provide context for this purpose).",
    },
    {
      term: "Authorization Code",
      description:
        "Random string generated by the authorization server and returned to the application as part of the authorization response. The authorization code is relatively short-lived and is exchanged for an Access Token at the token endpoint when using the Authorization Code Flow (either with or without Proof Key for Code Exchange (PKCE)).",
    },
    {
      term: "Authorization Flow",
      description:
        "Another name for Authorization Grants outlined in OAuth 2.0. Authorization flows are the workflows a resource (an application or an AIP) uses to grant requestors access. Based on the type of technology and the type of requestor, resource owners can use Authorization Code Flow, PKCE, ROPG, Implicit, or Client Credential.",
    },
    {
      term: "Authorization Server",
      description:
        "Centralized server that contributes to defining the boundaries of a user’s access. For example, your authorization server can control the data, tasks, and features available to a user. An authorization server does not authenticate users. It’s the role of the authentication server to verify a user’s identity.",
    },
    {
      term: "Bad Actors",
      description:
        "Also known as threat actors. Entity (a person or group) that poses a threat to the business or environment with the intention to cause harm. Harm can constitute physical or cyber damages, from breaking into a data center to hacking into systems with stolen credentials.",
    },
    {
      term: "Beta",
      description:
        "Product release stage during which the referenced feature or behavior is provided to subscribers to give them time to explore and adopt new product capabilities while providing final feedback prior to a GA release. Functionality is code-complete, stable, useful in a variety of scenarios, and believed to meet or almost meet quality expectations for a GA release. Beta releases may be private or public.",
    },
    {
      term: "Block/Unblock Users",
      description:
        "Removing or restoring a requestor's access to a resource. Refers to the features from Auth0's Attack Protection suite. Each service assesses login/sign-up trends and blocks IP addresses associated with suspicious activity.",
    },
    {
      term: "Bot Detection",
      description:
        "Form of attack protection in which Auth0 blocks suspected bot traffic by enabling a CAPTCHA during the login process.",
    },
    {
      term: "Breached Password Detection",
      description:
        "Form of attack protection in which Auth0 notifies your users if they use a username/password combination that has been compromised in a data leak on a third-party website or app.",
    },
    {
      term: "Breaking Change",
      description:
        "Change to the Auth0 platform that, to Auth0's knowledge, will cause failures in the interoperation of the Auth0 platform and customer applications.",
    },
    {
      term: "Brute-force Protection",
      description:
        "Form of attack protection that safeguards against brute-force attacks that occur from a single IP address and target a single user account.",
    },
    {
      term: "Callback",
      description:
        "URL to which Auth0 sends its response after authentication. It is often the same URL to which a user is redirected after authentication.",
    },
    {
      term: "Claim",
      description:
        "Attribute packaged in a security token which represents a claim that the provider of the token is making about an entity.",
    },
    {
      term: "Client ID",
      description:
        "Identification value assigned to your application after registration. This value is used in conjunction with other third-party services and can be found in Auth0 Dashboard > Application Settings.",
    },
    {
      term: "Client Secret",
      description:
        "Secret used by a client (application) to authenticate with the Authorization Server; it should be known to only the client and the Authorization Server and must be sufficiently random to not be guessable.",
    },
    {
      term: "Confidential Client",
      description:
        "According to the OAuth 2.0 protocol, clients (applications) can be classified as either confidential or public. Confidential clients can hold credentials securely and require a trusted backend server to do so. They can use grant types that require authentication by specifying their client ID and secret when calling the token endpoint.",
    },
    {
      term: "Confused Deputy",
      description:
        "Situation in which an attacker tricks a client or service into performing an action on their behalf.",
    },
    {
      term: "Connection",
      description:
        "Relationship between Auth0 and the sources of users for your applications. Examples include identity providers, passwordless authentication methods, or user databases.",
    },
    {
      term: "Consumption Device",
      description:
        "The device that helps the user consume a service in the Client-Initiated Backchannel Authentication Flow.",
    },
    {
      term: "Custom Domain",
      description: "Third-party domain with a specialized, or vanity, name. Also known as a CNAME.",
    },
    {
      term: "Deprecation",
      description:
        "Product release stage indicating that the referenced feature or behavior is not supported for new subscribers, is not actively being enhanced, and is being only minimally maintained.",
    },
    {
      term: "Digital Identity",
      description:
        "Set of attributes that define a particular user in the context of a function delivered by a particular application.",
    },
    {
      term: "Digital Signature",
      description:
        "Encrypted string that protects bits in a token from tampering. If the bits are changed or tampered with, the signature will no longer be able to be verified and it will be rejected.",
    },
    {
      term: "Directory",
      description:
        "Centralized repository of users (the most well-known of which is Active Directory) which centralizes credentials and attributes and makes it unnecessary for each application to have their own local identity setup.",
    },
    {
      term: "Early Access",
      description:
        "Product release stage during which the referenced feature or behavior is provided to a limited number of subscribers or customer development partners (CDPs) to test and provide feedback.",
    },
    {
      term: "End of Life",
      description:
        "Product release stage indicating that the referenced feature or behavior is removed from the platform. Continued use will likely result in errors.",
    },
    {
      term: "End of Life Date",
      description:
        "Date when access to a feature or behavior is removed from the platform. End Of Life Dates can vary between different plan types.",
    },
    {
      term: "Fine-grained Authorization (FGA)",
      description:
        "Auth0’s SaaS product that gives individual users access to specific objects or resources within your application.",
    },
    {
      term: "Flow",
      description:
        "Processes that can be extended using Actions. Each Flow is made up of one or more Triggers and represents the logical pipeline through which information moves during a single point in the Auth0 journey.",
    },
    {
      term: "General Availability",
      description:
        "Product release stage during which the referenced feature or behavior is fully functional and available to all subscribers for production use.",
    },
    {
      term: "Group",
      description:
        "Set of one or more users. In the Auth0 Authorization Extension, use groups to grant access to many users at a time.",
    },
    {
      term: "ID Token",
      description:
        "Credential meant for the client itself, rather than for accessing a resource. It has a fixed format that clients can parse and validate.",
    },
    {
      term: "Identity Provider (IdP)",
      description:
        "Service that stores and manages digital identities. Auth0 supports trusted social, enterprise, and legal identity providers.",
    },
    {
      term: "JSON Web Token (JWT)",
      description:
        "Open, industry standard RFC 7519 method for representing claims securely between two parties. At Auth0, ID Tokens are always returned in JWT format, and Access Tokens are often in JWT format.",
    },
    {
      term: "Localization",
      description: "Ability to render the New Universal Login experience into a supported language.",
    },
    {
      term: "Lock",
      description:
        "Auth0's UI widget for authenticating users. It is ready to go as-is and is the default face of the Classic Universal Login experience.",
    },
    {
      term: "Management API",
      description: "Auth0's API to manage Auth0 services and perform administrative tasks programmatically.",
    },
    {
      term: "Metadata",
      description:
        "Information users can update, such as preferences or profile settings. Metadata is added to ID tokens and can be stored in user profiles.",
    },
    {
      term: "Migration",
      description:
        "Process by which a customer moves away from a particular feature or behavior. Migrations should occur during the Deprecation stage.",
    },
    {
      term: "Multi-factor authentication (MFA)",
      description:
        "Authentication process that considers multiple factors. Typically the first factor is username/password, and the second is a code or link via email/SMS, or OTP via an app.",
    },
    {
      term: "Nonce",
      description:
        "Arbitrary (often random or pseudo-random) number issued in an authentication protocol that can be used to help detect and mitigate replay attacks.",
    },
    {
      term: "OAuth 2.0",
      description:
        "Authorization framework that defines authorization protocols and workflows. OAuth 2.0 defines roles, authorization grants, authorization requests and responses, and token handling.",
    },
    {
      term: "OpenID",
      description:
        "Open standard for authentication that allows applications to verify users are who they say they are without needing to collect or store login information.",
    },
    {
      term: "Organizations",
      description:
        "Auth0 product that allows B2B customers to categorize end-users and define specific roles, login experience, and access to resources.",
    },
    {
      term: "Passwordless",
      description:
        "Form of authentication where the first factor is not a password. Instead, it could be a one-time password received by email or SMS, a push notification, or a biometric sensor.",
    },
    {
      term: "Perimeter",
      description:
        "Set of boundaries that encompass a directory, all of its users, and all of the applications which use the directory.",
    },
    {
      term: "Product Release Stages",
      description: "Phases that describe how Auth0 stages, releases, and retires product functionality.",
    },
    {
      term: "Public Client",
      description:
        "According to the OAuth 2.0 protocol, clients can be confidential or public. Public clients cannot hold credentials securely, so should only use grant types that do not require the use of their client secret.",
    },
    {
      term: "Raw Credential",
      description:
        "Shared secret or set of information, agreed upon between the user and the resource, that allows the resource to verify the identity of a user.",
    },
    {
      term: "Refresh Token",
      description:
        "Special kind of token that can be used to obtain a renewed Access Token. It is useful for renewing expiring Access Tokens without forcing the user to log in again.",
    },
    {
      term: "Refresh Token Rotation",
      description:
        "Strategy of frequently replacing refresh tokens to minimize vulnerability. Each time a refresh token is exchanged for a new Access Token, a new refresh token is also returned.",
    },
    {
      term: "Relying Party",
      description:
        "Entity (such as a service or application) that depends on a third-party identity provider to authenticate a user.",
    },
    {
      term: "Resource Owner",
      description: "Entity (such as a user or application) capable of granting access to a protected resource.",
    },
    {
      term: "Resource Server",
      description:
        "Server hosting protected resources. Resource servers accept and respond to protected resource requests.",
    },
    {
      term: "Role",
      description:
        "Aspect of a user’s identity assigned to the user to indicate the level of access they should have to the system.",
    },
    {
      term: "Scope",
      description:
        "Mechanism that defines the specific actions applications can be allowed to do or information they can request on a user’s behalf.",
    },
    {
      term: "Security Assertion Markup Language (SAML)",
      description:
        "XML-based standardized protocol by which two parties can exchange authentication information without the use of a password.",
    },
    {
      term: "Security Token",
      description: "Digitally-signed artifact used to prove that the user was successfully authenticated.",
    },
    {
      term: "Session Cookie",
      description:
        "Entity emitted by middleware after it establishes that the token it is receiving is signed, valid, and comes from a trusted source.",
    },
    {
      term: "Shadow Account",
      description:
        "Difficult-to-sustain practice of manually provisioning a user from a local directory separately in a remote directory when they need access to remote applications.",
    },
    {
      term: "Signing Algorithm",
      description:
        "Cryptographic algorithm used to digitally sign tokens so that a recipient can verify the token has not been tampered with.",
    },
    {
      term: "Single Sign-On (SSO)",
      description:
        "Service that, after a user logs into one application, automatically logs them into other applications as well. Single Logout works similarly in reverse.",
    },
    {
      term: "Subscription",
      description: "Agreement that defines the features and quotas available for each of your tenants.",
    },
    {
      term: "Suspicious IP Throttling",
      description:
        "Form of attack protection that protects your tenant against suspicious logins targeting too many accounts from a single IP address.",
    },
    {
      term: "Tenant",
      description:
        "A logically-isolated group of users who share common access with specific privileges to a single software instance.",
    },
    {
      term: "Token Endpoint",
      description: "Endpoint on the Authorization Server that is used to programmatically request tokens.",
    },
    {
      term: "Trigger",
      description:
        "Event that automatically invokes an Action when a specific operation, such as a user logging in, occurs at runtime.",
    },
    {
      term: "Trust",
      description:
        "A resource trusts an identity provider or authority when that resource is willing to believe what the authority says about its users.",
    },
    {
      term: "Universal Login",
      description:
        "Auth0’s implementation of the authentication flow, which is the key feature of an Authorization Server.",
    },
    {
      term: "Web Service Federation (WS-Fed)",
      description:
        "Protocol for managing user identities between systems, domains, and identity providers with established trust using WS-Trust. Mainly used for Microsoft products.",
    },
  ]}
/>
