Access Token
An Access Token is a credential used to access protected resources in an API, typically issued by an authorization server and used in OAuth and OpenID Connect protocols.
Learn the key terms and concepts in authentication and user management.
Account Linking is the process of connecting multiple user accounts from different services or platforms, allowing users to access various services with a single set of credentials.
An Account Portal is a user interface that allows users to manage their account settings, personal information, and preferences within an application.
An Account Takeover refers to the unauthorized access to and control of a user’s account by malicious actors. This security breach often involves exploiting weak passwords, phishing attacks, or other vulnerabilities to gain access to personal information, financial data, or other sensitive content. Preventing account takeovers is crucial for maintaining user trust and safeguarding data integrity.
An Action Function is a function that handles user actions, such as form submissions or button clicks, often performing tasks like data processing or API calls.
Active Device Monitoring is a continuous security practice that involves tracking and analyzing the behavior of devices connected to a network. This technique helps in identifying suspicious activities, unauthorized access attempts, and potential security threats in real-time. Implementing active device monitoring enhances the overall security posture by ensuring only trusted devices can access sensitive information.
An Admin Dashboard is a user interface that provides administrators with access to various tools and data for managing and monitoring an application, including user management, analytics, and settings.
AI Authentication leverages artificial intelligence to enhance the security and efficiency of the authentication process. By analyzing patterns, behaviors, and biometric data, AI authentication can provide a more secure and seamless user experience. This advanced method reduces the risk of fraud and unauthorized access by continuously learning and adapting to new threats.
An API Key is a unique identifier used to authenticate a user, developer, or calling program to an API (Application Programming Interface). API keys are essential for controlling access to the API, tracking usage, and preventing unauthorized access. Proper management and security of API keys are critical to protect sensitive data and maintain the integrity of the API.
An App Router is a routing system in a web application framework that manages the navigation and rendering of different views or pages based on URL paths.
An Application Programming Interface (API) is a set of rules and protocols that allows different software applications to communicate with each other, enabling integration and data exchange.
Artificial Intelligence (AI) refers to the simulation of human intelligence in machines that are programmed to think, learn, and perform tasks typically requiring human intelligence. AI encompasses a variety of technologies, including machine learning, natural language processing, and robotics. In web development and security, AI is used to enhance user experiences, automate processes, and improve threat detection.
Authentication is the process of verifying the identity of a user, device, or application before granting access to a system or resource. This critical security measure ensures that only authorized individuals can access sensitive information. Authentication methods can include passwords, biometrics, tokens, and multi-factor authentication (MFA) to enhance security and user trust.
An Authentication Challenge is a request for additional verification during the authentication process, often used in multi-factor authentication to ensure the user’s identity.
Authenticator Apps using TOTP (Time-Based One-Time Password) generate temporary, time-sensitive passcodes used for two-factor authentication (2FA). These apps, such as Google Authenticator or Authy, provide an additional layer of security by requiring users to enter a code from the app in addition to their password. This method significantly reduces the risk of unauthorized access by ensuring that only users with access to the physical device can log in.
Authorization is the process of determining the access rights and privileges of a user, device, or application within a system, ensuring they have the necessary permissions to perform specific actions.
Bot Detection involves identifying and mitigating automated scripts or bots that attempt to interact with a website or application, often to prevent malicious activities and ensure genuine user interactions.
Brute Force Detection is the practice of identifying and preventing repeated attempts to guess user credentials by monitoring login attempts and blocking suspicious activities to enhance security.
The California Consumer Privacy Act (CCPA) is a state law that grants California residents new rights regarding their personal information, including the right to know, delete, and opt-out of the sale of their data.
CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) is a security measure used to differentiate between human users and automated bots, often by presenting challenges that are easy for humans but difficult for bots.
A claim represents a piece of information about a user or entity that is encoded within a JSON Web Token (JWT). When a token is created, claims are added to provide specific details about the token's subject, such as user ID, permissions, or expiration time. Claims are typically key-value pairs that describe attributes of the authenticated entity. The claims are digitally signed as part of the token, ensuring they cannot be altered without invalidating the token. One JWT can, and typically does, contain multiple claims that provide different types of information about the user or session.
ClerkProvider is a component in Clerk’s authentication library that wraps the application, providing context and configuration for authentication and user management.
A Component Library is a collection of reusable UI components that developers can use to build applications, ensuring consistency, efficiency, and ease of maintenance in the development process.
Control Components are components in a user interface that manage user input and interactions, such as buttons, forms, and sliders.
Convex is a backend platform that provides real-time data synchronization and serverless functions, enabling developers to build dynamic and responsive web applications.
Credential Stuffing Attacks involve using stolen username-password pairs to gain unauthorized access to user accounts by automating login attempts across multiple websites and services.
Cross-Site Request Forgery (CSRF) is an attack that tricks a user into performing actions on a web application without their consent, often by exploiting the user’s authenticated session.
Cross-Site Scripting (XSS) is a security vulnerability that allows attackers to inject malicious scripts into web pages viewed by other users, potentially leading to data theft, session hijacking, and other exploits.
Custom Onboarding refers to the process of creating a tailored user onboarding experience, guiding new users through initial setup and familiarization with an application.
Custom Permissions allow developers to define specific access rights for different users within an application, providing fine-grained control over what each user can do based on their role.
Custom Roles enable developers to create specific roles with tailored permissions for different user types, ensuring that users have appropriate access levels within an application.
Customizable Session Tokens are session tokens that can be configured to include specific data or metadata, enhancing the flexibility and security of session management.
A Data Router is a routing system that manages data fetching and rendering based on URL paths, ensuring that the necessary data is available for each route.
Developer Velocity refers to the speed and efficiency with which developers can deliver software, often enhanced by tools, processes, and practices that streamline development workflows.
Disposable Email Detection identifies and blocks the use of temporary email addresses, which are often used for fraudulent activities, ensuring that only legitimate users can sign up and interact with an application.
Elements refer to the library of unstyled, composable components for building custom UIs, allowing developers to create tailored authentication experiences that fit their application’s design.
An Endpoint is a specific URL where an API can be accessed by a client application, serving as a communication point between different systems or components.
Environment Keys are configuration settings stored in environment variables, used to manage different environments (development, testing, production) in software applications.
Environment Variables are dynamic values that can affect the behavior of running processes, commonly used to configure applications without hardcoding sensitive information.
Expo is a framework and platform for universal React applications, providing tools and services to build, deploy, and manage native apps for iOS and Android.
Fingerprinting is a technique used to uniquely identify devices and users based on their browser and device characteristics, enhancing security measures and preventing unauthorized access.
Firebase is a platform developed by Google for creating mobile and web applications, offering services like real-time databases, authentication, and cloud storage.
First Day Free means no charges for users who sign up but never return. Users are only counted as active when they come back after 24 hours, ensuring fair and user-friendly billing practices.
A Framework is a platform for developing software applications that provides foundational structures and tools, such as React, Next.js, Remix, and Expo, to streamline the development process.
A Frontend API is an interface that allows client-side applications to interact with backend services, providing secure and straightforward methods for implementing features directly within the application’s frontend.
Gatsby is a React-based open-source framework for building fast, scalable, and secure static websites and applications with a focus on performance and developer experience.
A GitHub Repository is a storage space on GitHub where code, documentation, and other project files are managed and shared, facilitating collaboration and version control among developers.
Hardware Keys are physical devices used for authentication that generate and store cryptographic keys, providing an additional layer of security. Examples include USB security keys like YubiKey, which are used in two-factor authentication (2FA) and multi-factor authentication (MFA) processes to ensure secure access to systems and data.
Hashing is a way of converting data into a unique, fixed-length code that acts like a digital fingerprint. When a piece of information is run through a hashing process, it creates a specific string of characters that uniquely represents the original data. The hash can verify that the original data hasn't been changed, and cannot be 'decoded' to recreate the original information. The same input will always produce the same hash, and different inputs will typically produce different hashes. One piece of data can have multiple types of hashes generated from it depending on the specific purpose, such as checking if a password is correct or ensuring a file hasn't been tampered with.
Hash Routing is a routing method that uses the URL hash (fragment identifier) to manage navigation and rendering of components in a single-page application.
The Health Insurance Portability & Accountability Act (HIPAA) is a U.S. law designed to provide privacy standards to protect patients’ medical records and other health information provided to health plans, doctors, hospitals, and other healthcare providers.
HttpOnly cookies are a type of browser cookie that is inaccessible to JavaScript, providing an additional layer of security by mitigating the risk of client-side script attacks like Cross-Site Scripting (XSS).
Identity Provider Single Sign-On (IdP SSO) is a service that allows users to authenticate once and gain access to multiple applications and services without needing to log in separately to each one.
Integration refers to the process of connecting different systems, applications, or services to work together seamlessly, enabling data exchange and functional cooperation.
An Isolated user-pool is a user management system where each application has its own separate pool of user accounts, ensuring isolation and independence between applications.
A JSON Web Token (JWT) is a compact, URL-safe token used for securely transmitting information between parties as a JSON object, commonly used in authentication and authorization.
Least Privilege Access is a security principle where users, applications, and systems are granted the minimum access necessary to perform their tasks, reducing risk.
A Loader Function is a function that fetches or prepares data needed for rendering a component or page in a web application.
Magic Links are a passwordless authentication method where users receive a link via email or SMS that, when clicked, automatically logs them into the application.
Middleware is software that acts as a bridge between an operating system or database and applications, especially on a network, enabling communication and data management.
Monthly Active Users (MAUs) is a metric that counts the number of unique users who interact with an application or service within a given month, indicating user engagement and growth.
Multi-factor Authentication (MFA) is a security process that requires users to provide two or more verification factors to gain access to a resource, enhancing security beyond just a username and password.
Multi-Tenancy is an architecture in which a single instance of software serves multiple customers (tenants), with each tenant’s data isolated and invisible to others.
Next.js is a React-based framework that enables server-side rendering and static site generation for building fast, scalable web applications.
Node Package Manager (NPM) is a package manager for JavaScript that allows developers to install, share, and manage dependencies for their projects.
OAuth is an open standard for access delegation commonly used as a way to grant websites or applications limited access to user information without exposing passwords.
OAuth Scopes define the specific permissions granted to a client application, determining the actions or resources it can access when interacting with a protected API.
One-Time Passcodes (OTP) are temporary codes sent via email or SMS that users enter to verify their identity, commonly used in two-factor authentication processes.
OpenID Connect is an identity layer on top of the OAuth 2.0 protocol, allowing clients to verify the identity of end-users based on authentication performed by an authorization server.
Organizations in user management refer to groups or entities that manage multiple users, roles, and permissions within a larger structure, often used in enterprise applications.
The OWASP Application Security Verification Standard (ASVS) is a framework for testing the security of web applications and ensuring they meet specific security requirements. It provides a basis for designing, building, and testing secure applications by defining levels of security controls. ASVS is widely used by developers and security professionals to standardize security requirements and assessments.
The OWASP Testing Guide is a resource by the Open Web Application Security Project that outlines best practices for testing web application security. It covers vulnerabilities like authentication, data validation, and session management, helping security professionals enhance web application security.
A Pages Router is a routing mechanism that maps URLs to specific pages or components in a web application, often used in frameworks like Next.js.
Passkeys are cryptographic keys used for secure authentication, replacing traditional passwords with more secure alternatives like biometrics or hardware tokens.
Path Routing is a routing method that uses the URL path to determine which component or page to render in a web application.
A Pen Test (Penetration Test) is a simulated cyber attack against a system to check for exploitable vulnerabilities, helping to identify and fix security weaknesses.
A personal account is a user’s unique, individual space within the application, independent of any organization.
Primitives are the basic building blocks or fundamental elements used in programming and design, such as data types in a programming language or basic UI components in a design system.
Public Metadata refers to metadata that is publicly accessible and can be used to store additional information about users or resources in a transparent manner.
A Publishable Key is a public API key used to identify a client application in API requests, typically safe to expose in client-side code.
Rails (Ruby on Rails) is a server-side web application framework written in Ruby, designed to make web development faster and easier by providing default structures for databases, web services, and pages.
Rate Limiting is a technique used to control the amount of incoming or outgoing traffic to or from a network, API, or web service, preventing abuse and ensuring fair usage.
React is a popular JavaScript library for building user interfaces, particularly single-page applications, using a component-based architecture.
React Server Components are a feature in React that allows developers to build components that run on the server, providing better performance and improved user experience.
Recovery Codes are backup codes provided during the setup of two-factor authentication, allowing users to regain access to their accounts if they lose their primary authentication method.
Redwood is a full-stack JavaScript framework designed to help developers build and deploy modern web applications quickly, integrating React, GraphQL, and Prisma.
Remix is a full-stack web framework that enables developers to build fast, scalable, and dynamic web applications with a focus on user experience and performance.
Role Based Access Control (RBAC) is a security model that restricts system access based on roles assigned to users, ensuring that users have appropriate permissions for their roles.
Roles define a set of permissions and access levels assigned to users within an application, determining what actions they can perform and what resources they can access.
A Root Loader is a function or component that loads initial data or performs setup tasks when the root of an application or route is accessed.
rootAuthLoader is a specific loader function responsible for handling authentication logic at the root level of an application, ensuring that user authentication state is properly managed.
Route-Specific Authentication is the practice of applying authentication requirements to specific routes or endpoints within an application, ensuring secure access to sensitive resources.
A Secret Key is a cryptographic key used to secure data, often involved in encryption, decryption, and authentication processes, and should be kept confidential.
Security Assertion Markup Language (SAML) is an open standard for exchanging authentication and authorization data between parties, particularly between an identity provider and a service provider.
A session represents an instance in which a user has signed in and is authenticated. Normally, when a user signs in successfully, a session is created and typically stored in a database, along with the user's ID, a status (active, revoked, expired, etc.) and an expiration time, at minimum. The session must be active and not expired in order for the user to be seen as authenticated. One user can, and typically does, have multiple sessions. Each sign-in, whether on the same or a different device, creates a new session.
Session Fixation is a security vulnerability where an attacker tricks a user into using a known session ID, allowing the attacker to hijack the session once the user logs in.
Session Leak Protection involves measures to prevent the unintended exposure of session identifiers, which could be exploited by attackers to hijack user sessions.
Session Lifecycle refers to the stages a user session goes through, from creation through maintenance to termination, including management of session state and expiration.
Session Management is the process of handling user sessions in a web application, ensuring secure creation, maintenance, and termination of sessions to prevent unauthorized access.
Session Revocation is the process of invalidating a user session, typically used to force logout a user or end a session due to security concerns.
A Shared user-pool is a user management system where multiple applications share the same pool of user accounts, allowing for centralized authentication and user management.
Single Sign-On (SSO) is an authentication process that allows a user to access multiple applications with one set of login credentials, simplifying user management and enhancing security.
SMS Passcodes are one-time codes sent via SMS to a user’s mobile phone, used for verifying identity and enhancing security in two-factor authentication processes.
SOC 2 (Service Organization Control 2) is a set of standards for managing customer data based on five "trust service principles"—security, availability, processing integrity, confidentiality, and privacy.
A Software Development Kit (SDK) is a collection of tools, libraries, and documentation that developers use to create applications for specific platforms or frameworks.
Source Code is the human-readable set of instructions that define what a software program does, written in a programming language and maintained in a version control system.
Supabase is an open-source backend-as-a-service that provides developers with a real-time database, authentication, and storage solutions, simplifying the creation of modern web applications.
Tailwind CSS is a utility-first CSS framework that provides low-level utility classes to build custom designs directly in the markup, offering flexibility and efficiency in styling web applications.
Testing Tokens are tokens used in the development and testing phases to simulate authentication and authorization processes without using real user credentials.
User Interface Components are reusable building blocks used to create the visual elements of a web application, such as buttons, forms, and navigation bars.
User Management involves the processes and tools for managing user accounts, roles, permissions, and authentication within an application, ensuring secure and efficient access control.
A User Profile is a collection of personal data and preferences associated with a user account, providing a personalized experience within an application.
useSession is a React hook used in web development to manage user session state, providing authentication status and session details, and enabling sign-in and sign-out actions. It helps conditionally render content based on user login status.
Virtual Routing is a routing technique that manages navigation and rendering of views in a web application without changing the URL, often used in client-side routing libraries.
A Webhook is an HTTP callback that allows one system to send real-time data to another system as soon as an event occurs, commonly used for integrating different services.