Glossary

An access control list (ACL) is a resource-scoped policy that lists which principals (users, groups, service accounts) have which permissions on that resource. Each access control entry (ACE) names a subject and a set of allowed or denied actions (read, write, execute, delete), optionally with inheritance. At request time, the system resolves the caller and evaluates ACEs in a defined order with default-deny. ACLs are fine-grained but resource-scoped and hard to operate across thousands or millions of resources, causing many teams to adopt RBAC or ABAC.

An access control list (ACL) is a resource-scoped policy that lists which principals (users, groups, service accounts) have which permissions on that resource. Each access control entry (ACE) names a subject and a set of allowed or denied actions (read, write, execute, delete), optionally with inheritance. At request time, the system resolves the caller and evaluates ACEs in a defined order with default-deny. ACLs are fine-grained but resource-scoped and hard to operate across thousands or millions of resources, causing many teams to adopt RBAC or ABAC.

An Access Token is a credential used to access protected resources in an API, typically issued by an authorization server and used in OAuth and OpenID Connect protocols.

Account Linking is the process of connecting multiple user accounts from different services or platforms, allowing users to access various services with a single set of credentials.

An Account Portal is a user interface that allows users to manage their account settings, personal information, and preferences within an application.

Account recovery refers to controlled verification flows that let a legitimate user regain access to their account when primary factors are lost or unavailable—typically via OTP, email magic link, backup/recovery codes, a trusted device, or passkey recovery.

An Account Takeover refer to the unauthorized access and control of a user’s account by malicious actors. This security breach often involves exploiting weak passwords, phishing attacks, or other vulnerabilities to gain access to personal information, financial data, or other sensitive content. Preventing account takeovers is crucial for maintaining user trust and safeguarding data integrity.

An Action Function is a function that handles user actions, such as form submissions or button clicks, often performing tasks like data processing or API calls.

Active Device Monitoring is a continuous security practice that involves tracking and analyzing the behavior of devices connected to a network. This technique helps in identifying suspicious activities, unauthorized access attempts, and potential security threats in real-time. Implementing active device monitoring enhances the overall security posture by ensuring only trusted devices can access sensitive information.

An Admin Dashboard is a user interface that provides administrators with access to various tools and data for managing and monitoring an application, including user management, analytics, and settings.

Aggregated claims in OIDC are third-party user claims that the OpenID Provider returns inside UserInfo as an embedded, signed JWT. The response includes _claim_names and _claim_sources to show which claims came from which external issuer. The client validates that embedded JWT and then uses the claims, no extra fetch required.

AI Authentication leverages artificial intelligence to enhance the security and efficiency of the authentication process. By analyzing patterns, behaviors, and biometric data, AI authentication can provide a more secure and seamless user experience. This advanced method reduces the risk of fraud and unauthorized access by continuously learning and adapting to new threats.

Allowlist/Blocklist (also called Denylist) are explicit sets of permitted or blocked values (e.g., emails, domains, phone numbers, Web3 addresses) enforced at sensitive points like sign-up and sign-in. It's good practice to adopt a default-deny stance (permit only allowlisted values) and reserve the blocklist for explicit hard blocks.

An API gateway centralizes request routing to backend services, rate limiting, caching, and TLS termination. In auth contexts, it verifies tokens and applies per-route policies. Note: Clerk is not an API gateway but provides authentication middleware that integrates with API gateways to handle JWT verification and authorization checks.

An API Key is a unique identifier used to authenticate a user, developer, or calling program to an API (Application Programming Interface). API keys are essential for controlling access to the API, tracking usage, and preventing unauthorized access. Proper management and security of API keys are critical to protect sensitive data and maintain the integrity of the API.

API rate limits are policies that cap the volume of requests a client (application, user, IP, etc.) can send to specific API endpoints over a defined time interval. Limits may be per token / API key, IP address, user account, or tenant (or a combination).

An App Router is a routing system in a web application framework that manages the navigation and rendering of different views or pages based on URL paths.

An Application Programming Interface (API) is a set of rules and protocols that allows different software applications to communicate with each other, enabling integration and data exchange.

Artificial Intelligence (AI) refers to the simulation of human intelligence in machines that are programmed to think, learn, and perform tasks typically requiring human intelligence. AI encompasses a variety of technologies, including machine learning, natural language processing, and robotics. In web development and security, AI is used to enhance user experiences, automate processes, and improve threat detection.

Assertion Consumer Service (ACS) is a service-provider endpoint that receives SAML assertions from the identity provider. It validates signature, audience, issuer, and time bounds before a session is established.

Attribute mapping translates identity data from an external IdP into Clerk's user schema. During SAML/OIDC sign-in or JIT provisioning, incoming attributes (e.g., email, given_name, family_name) are mapped to Clerk User properties. Additional claims can be mapped to publicMetadata by prepending public_metadata_. Clerk also allows setting default values for missing claims when IdPs return non-standard formats.

Audit Logs are records of security-relevant events (sign-ins, factor changes, role edits, administrative actions) that are timestamped, immutable, and can be queried for investigation and compliance purposes. In Clerk, making authenticated requests to the backend enables you to keep an audit log of which device the user is performing actions from.

Authentication is the process of verifying the identity of a user, device, or application before granting access to a system or resource. This critical security measure ensures that only authorized individuals can access sensitive information. Authentication methods can include passwords, biometrics, tokens, and multi-factor authentication (MFA) to enhance security and user trust.

An Authentication Challenge is a request for additional verification during the authentication process, often used in multi-factor authentication to ensure the user’s identity.

In Clerk, authentication context includes session information like user ID, organization, and factor verification freshness. The fva (factor verification age) array tracks how long since each factor was verified. Clerk supports reverification policies (strict, moderate, lax) to require re-authentication before sensitive actions based on time since last verification. Note: Clerk uses proprietary claims instead of standard OIDC amr/acr/auth_time or SAML AuthnContextClassRef.

Authenticator Apps using TOTP (Time-Based One-Time Password) generate temporary, time-sensitive passcodes used for two-factor authentication (2FA). These apps, such as Google Authenticator or Authy, provide an additional layer of security by requiring users to enter a code from the app in addition to their password. This method significantly reduces the risk of unauthorized access by ensuring that only users with access to the physical device can log in.

Authorization is the process of determining the access rights and privileges of a user, device, or application within a system, ensuring they have the necessary permissions to perform specific actions.

Authorization Code Flow is Clerk's recommended OAuth 2.0 flow for web and mobile applications. Users authenticate through Clerk's hosted UI, which then redirects them back to your application's registered callback URL with a temporary authorization code appended as a query parameter. Your backend extracts this code from the redirect and exchanges it server-side for access and ID tokens, keeping credentials secure and out of browser history. PKCE is required for client-side apps to prevent authorization code interception.

An Authorization Server is the OAuth 2.0/OpenID Connect component responsible for authenticating users (or delegating authentication), obtaining authorization consent, and issuing security tokens. It exposes standardized endpoints (/authorize, /token, /userinfo, /revoke, /introspect) that clients use to initiate authorization flows, exchange authorization codes for tokens, and manage token lifecycles. The authorization server determines token claims and permissions via scopes, enforces security policies, and issues access tokens, ID tokens, and refresh tokens with configurable expiration times. In Clerk, Clerk functions as your authorization server.

B2B single sign-on (SSO) enables multi-tenant applications where each customer organization connects its own identity provider (IdP) to your app via SAML or OpenID Connect (OIDC). Users redirect to their organization's IdP for authentication, which returns a signed assertion/token containing user attributes and group memberships. Your app validates the signature, maps groups to roles, and provisions accounts automatically via just-in-time (JIT) provisioning, with SCIM available for full lifecycle management. This gives enterprise customers centralized access control while providing seamless login experiences.

Back-Channel Logout is an OpenID Connect server-to-server logout method where the Identity Provider directly notifies each Relying Party's logout endpoint with a signed JWT logout token when a user signs out. Relying Parties verify the signature and terminate sessions without browser involvement. More reliable than front-channel logout because it works even if the browser is closed, JavaScript is blocked, or network connectivity is lost.

A Backoff/Retry Policy defines rules for automatically retrying failed API requests to authentication services. When requests fail due to transient issues (network timeouts, server overload, rate limits), the policy determines whether to retry, how long to wait, and how many attempts to make. Standard implementations use exponential backoff with jitter—doubling the wait time between attempts (1s, 2s, 4s, 8s) with random delays to prevent synchronized retry storms—typically limiting to 3-5 total attempts. Policies only retry transient errors (5xx server errors, 429 rate limits, timeouts) and fail immediately on permanent errors (401 unauthorized, 400 bad request). This ensures legitimate requests eventually succeed while preventing service overload.

Backup Codes are single-use recovery codes generated during MFA enrollment that allow account access when primary factors (authenticator app, SMS) are unavailable. Users receive 8-10 codes to store securely, as they bypass MFA verification. Can be regenerated anytime, invalidating previous codes.

A bearer token is a credential that grants access to whoever presents it—possession equals authorization. In OAuth 2.0, access tokens are bearer tokens sent in the HTTP Authorization header as Bearer <token>. Because anyone with the token can use it, bearer tokens require TLS encryption, short expiration times, and narrow scopes to limit exposure risk.

Biometric authentication verifies users by measuring unique physical or behavioral traits (fingerprint, face, voice) and comparing them to stored templates. Modern implementations process biometrics locally in secure hardware with liveness detection to prevent spoofing. Best used to unlock cryptographic keys—such as passkeys via WebAuthn—rather than transmitting to servers. Unlike passwords, biometrics cannot be changed if compromised, making secure local storage and fallback authentication methods essential.

Bot Detection identifies and blocks automated attacks on authentication systems—such as credential stuffing, brute force login attempts, and fake account creation—while allowing legitimate automated traffic like search crawlers. Techniques include IP reputation analysis, behavioral patterns (mouse movement, typing cadence), rate limiting, device fingerprinting, and challenge mechanisms like CAPTCHAs. Critical for protecting login endpoints and preventing account takeover attacks.

Browser Fingerprinting is a technique that derives a likely-unique identifier from a device's and browser's characteristics (e.g., user agent, screen size, fonts, canvas/WebGL output, plugins, GPU) to recognize repeat visitors. It can persist across cookie clears and is used for fraud prevention and tracking, but accuracy varies and it is constrained by privacy controls and changing client signals.

Browser sessions and application sessions are distinct concepts often confused in authentication. A browser session is the browser's native lifetime for a tab/window—storing session cookies (no expiration set), sessionStorage, and in-memory data that typically clear when all windows close. An application session is your app's authenticated state, tracked independently via session cookies or tokens with explicit security policies: idle timeouts, absolute expiration, rotation, and per-device isolation. Understanding this distinction is critical—application sessions must be managed by your authentication logic, not reliant on browser session behavior.

Browser storage is the set of ways a website can store data on the user's device for a specific origin. It includes cookies (sent with requests; configurable via Secure, HttpOnly, SameSite), Web Storage (localStorage and sessionStorage for synchronous key-value data not sent with HTTP), IndexedDB (asynchronous, large structured data), and Cache Storage (request/response pairs via service workers). Choose storage based on payload size, access pattern (sync vs async), and data retention. Do not store long-lived secrets in JavaScript-accessible storage; put session tokens in Secure, HttpOnly cookies.

Brute Force Detection is the practice of identifying and preventing repeated attempts to guess user credentials by monitoring login attempts and blocking suspicious activities to enhance security.

BYOK (Bring Your Own Key) is a key management model where the customer generates and controls the encryption key used to protect their data, rather than the service provider. The organization is responsible for key creation, rotation, revocation, and deletion, providing stronger assurance that only they can decrypt their data.

The California Consumer Privacy Act (CCPA) is a state law that grants California residents new rights regarding their personal information, including the right to know, delete, and opt-out of the sale of their data.

CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) is a security measure used to differentiate between human users and automated bots, often by presenting challenges that are easy for humans but difficult for bots.

Certificate Pinning is a security technique in which a client (e.g. mobile app or service) pins a known certificate or public key to a server and rejects TLS/SSL connections that present anything else. It helps prevent man-in-the-middle attacks using fraudulent or misissued certificates, though it can break connectivity if the server's certificate changes without updating the pin.

Challenge–response is an authentication pattern where the server sends a fresh, unpredictable challenge (nonce) and the client returns a response computed with a secret or private key (for example, an HMAC or a digital signature). The server verifies the response to confirm possession of the credential without ever transmitting the secret. This resists replay and eavesdropping; examples include WebAuthn/passkeys (the authenticator signs the server challenge with origin binding) and SCRAM/HTTP Digest. To stay secure, challenges must be unique, time-bound, and tied to the session or origin to prevent reuse or relay.

A claim represents a piece of information about a user or entity that is encoded within a JSON Web Token (JWT). When a token is created, claims are added to provide specific details about the token's subject, such as user ID, permissions, or expiration time. Claims are typically key-value pairs that describe attributes of the authenticated entity. The claims are digitally signed as part of the token, ensuring they cannot be altered without invalidating the token. One JWT can, and typically does, contain multiple claims that provide different types of information about the user or session.

Claims Transformation is the process of mapping attributes or claims issued by an identity provider (IdP) or external system into the schema or fields your application consumes (for example, translating groups into departments). Transformation rules are deterministic and maintain the provenance of each mapped attribute, so you can trace where each output came from.

ClerkProvider is a component in Clerk’s authentication library that wraps the application, providing context and configuration for authentication and user management.

The Client Credentials Flow is an OAuth 2.0 grant for machine-to-machine (M2M) authentication, where a client (e.g. backend service or daemon) authenticates on its own behalf rather than on behalf of a user. The client sends credentials (such as client_id and client_secret) to the token endpoint and receives an access token, which it then uses to call APIs or services under its own identity.

A client_secret is a confidential credential issued to an OAuth confidential client and known only to that client and the authorization server. The client presents it when authenticating at the token endpoint (and sometimes at introspection or revocation endpoints) using methods like client_secret_basic or client_secret_post. It's best practice to store secrets server-side (for example, in a secret manager) and rotate them regularly, especially since SPAs and native mobile apps expose their code and storage and thus can't truly keep secrets. For such public clients, you should not issue a client_secret; instead register them as public clients and use the Authorization Code flow with PKCE. In Clerk, setting up OAuth/Social Connections is straightforward: you enter your external client_id and client_secret in the Clerk dashboard, and Clerk handles the token exchange for you (so you don't have to write and manage boilerplate code).

CNAME / Custom Domains let an organization map a subdomain they control (e.g. auth.example.com) to a vendor-hosted service so authentication pages and API endpoints appear under the organization's domain. To do this, you create a DNS CNAME record pointing that subdomain to the vendor's domain. Adding a custom domain (e.g. auth.myapp.com) to Clerk is straightforward: you just need to create a CNAME record pointing that subdomain to Clerk's provided domain, then Clerk handles verification, TLS certificate provisioning, and routes the traffic so authentication flows use your custom domain seamlessly. However, CNAME records can't be placed on a root (apex) domain, so many DNS providers support ALIAS or ANAME records (or use A/AAAA records) to achieve the same aliasing behavior at the apex.

PKCE (Proof Key for Code Exchange) is an OAuth 2.0 extension that binds an authorization code to the specific client instance using a one-time code_verifier and its hashed code_challenge (S256). The client sends the challenge in the authorization request and later presents the verifier at the token endpoint; the server then recomputes and matches before issuing tokens, which blocks code interception and replay. PKCE is required for public clients like SPAs and mobile apps, and recommended for all clients using the Authorization Code flow.

A Component Library is a collection of reusable UI components that developers can use to build applications, ensuring consistency, efficiency, and ease of maintenance in the development process.

Conditional Access is a policy-based access control pattern that evaluates runtime context to decide whether to allow access, deny, or require additional verification from the user. Policies ingest signals such as user or group membership, role, device compliance, location or network, application sensitivity, and risk scores. Based on these signals, the system can require MFA, block noncompliant devices, limit session scopes or lifetimes, force reauthentication for sensitive operations, or deny access outright. Policies are typically expressed as simple "if–then" rules and can trigger both at initial sign-in and at step-up moments within the application.

A Consent Screen (also called a permissions prompt or authorization interface) is the UI presented during an OAuth/OIDC flow that asks a user to approve the scopes or permissions an application is requesting. It shows what data or actions will be accessed (like profile, email, read/write), who is requesting access, and gives a clear option to accept or deny. The purpose is to ensure transparency and let users make informed decisions. Consent screens can appear at first sign-in or whenever app requests change (new scopes), and for trusted or first-party apps it may sometimes be possible to skip.

Content Security Policy is a browser-security standard (via HTTP headers or meta tags) that tells the browser which sources of content are allowed on a page or app. It defines directives such as script-src, img-src, style-src, etc., which specify trusted origins or allowlists for different content types. CSP helps prevent attacks like Cross-Site Scripting (XSS), data injection, or clickjacking by rejecting or blocking content from untrusted sources. A policy can run in enforcement mode (blocking violations) or report-only mode (just logging them) to help test without breaking functionality.

Control Components are components in a user interface that manage user input and interactions, such as buttons, forms, and sliders.

Convex is a backend platform that provides real-time data synchronization and serverless functions, enabling developers to build dynamic and responsive web applications.

The Credential Management API is a browser standard (accessible via navigator.credentials) that lets websites programmatically create, store, retrieve, and use credentials, such as username/password, federated login, OTPs, or public-key credentials. It helps lower friction in cross-platform sign-in flows (e.g. enabling auto sign-in, remembering federated accounts, or restoring sessions after expiry) while ensuring these operations happen in secure contexts (HTTPS).

Credential stuffing is a cyberattack where attackers use stolen username-password pairs from data breaches to gain unauthorized access to user accounts by automating login attempts across multiple websites and services.

Credential Stuffing Attacks involve using stolen username-password pairs to gain unauthorized access to user accounts by automating login attempts across multiple websites and services.

Cross Site Request Forgery (CSRF) is an attack that tricks a user into performing actions on a web application without their consent, often by exploiting the user’s authenticated session.

Cross-Site Scripting (XSS) is a security vulnerability that allows attackers to inject malicious scripts into web pages viewed by other users, potentially leading to data theft, session hijacking, and other exploits.

A cryptographic nonce is a unique, unpredictable value generated for one-time use in a cryptographic operation or protocol to bind a request and its response. In OpenID Connect, a nonce is sent in the authentication request and echoed in the ID Token to prevent replay attacks. In OAuth flows, the state parameter plays a related role by binding the redirect request to its response (protecting against CSRF). A nonce must never be reused and is typically random, time-variant, or both, so that stale or duplicated values are detected and rejected.

Custom Onboarding refers to the process of creating a tailored user onboarding experience, guiding new users through initial setup and familiarization with an application.

Custom Permissions allow developers to define specific access rights for different users within an application, providing fine-grained control over what each user can do based on their role.

Custom Roles enable developers to create specific roles with tailored permissions for different user types, ensuring that users have appropriate access levels within an application.

Customizable Session Tokens are session tokens that can be configured to include specific data or metadata, enhancing the flexibility and security of session management.

Data Residency refers to the geographical or physical location where an organization's data is stored, processed, or maintained (for example, in which country, region, or data center). When cloud or hosted services are used, it determines which jurisdiction(s) control or regulate that data. This matters for legal, regulatory, and contractual compliance because different regions have laws about how data may be handled, transferred, or accessed.

Data retention defines how long an organization can store customer or user data, including authentication records such as logs, sessions, tokens, and audit trails. Retention periods are determined by legal, regulatory, and operational requirements, and are essential for supporting investigations, ensuring compliance, and maintaining privacy standards. For instance, HIPAA mandates a six-year minimum retention for audit logs related to protected health information, while PCI DSS requires audit trail logs to be retained for at least one year.

Data Retention defines how long authentication records such as logs, sessions, tokens, and audit trails are kept before deletion or archival. Retention periods support investigations, meet legal and compliance requirements, and respect privacy constraints.

A Data Router is a routing system that manages data fetching and rendering based on URL paths, ensuring that the necessary data is available for each route.

DDoS (Distributed Denial-of-Service) mitigation consists of strategies and defenses designed to protect services against distributed denial-of-service attacks, where many compromised systems send massive amounts of traffic to overwhelm a target. For authentication systems, these attacks can overwhelm login, signup, and token services, preventing legitimate users from signing in or creating accounts. Effective mitigation relies on detecting unusual traffic, filtering out malicious requests, applying rate limits, challenging suspicious activity (e.g., CAPTCHAs or bot checks), and routing traffic through specialized filtering services to distinguish between real users and malicious requests.

Delegated Admin refers to a role-based (RBAC) administrative model where certain management privileges are granted to users or groups without giving them full organizational or system-wide administrative access. This allows tasks such as managing users, groups, or resources within specific scopes like a department, team, or application, while maintaining overall security and limiting exposure. Delegated administration helps organizations enforce separation of duties by empowering trusted individuals to perform targeted administrative tasks without granting complete control.

Deterministic encryption is a cryptographic method where the same plaintext input always produces the same ciphertext output when encrypted with a given key. This allows for operations such as equality checks, deduplication, or indexing on encrypted data without decryption. While convenient for search and comparison, deterministic encryption can leak patterns, such as repeated values, making it less secure than probabilistic encryption for sensitive data. It's often used when structured queries on encrypted fields are required while still providing a level of confidentiality.

Developer Velocity refers to the speed and efficiency with which developers can deliver software, often enhanced by tools, processes, and practices that streamline development workflows.

Device Binding is a security technique that associates a user's authentication credentials or cryptographic keys with a specific device. By linking access tokens, certificates, or cryptographic secrets to a device, systems can ensure that only requests originating from the trusted device are accepted. This reduces the risk of credential theft or replay attacks, as stolen credentials alone are insufficient to gain access without the bound device. Device binding is commonly used in multi-factor authentication, mobile banking, and enterprise security to strengthen trust in user-device relationships.

A device fingerprint is a unique identifier created from a combination of a device's attributes, such as browser type, operating system, screen resolution, installed fonts, and hardware characteristics, that can be used to recognize or track a device across sessions. Unlike traditional identifiers like cookies, device fingerprints don't rely on client-side storage and are harder to tamper with. They're commonly used for fraud detection, risk-based authentication, and security monitoring, helping systems detect unusual login attempts or account takeover attempts by identifying unfamiliar or suspicious devices.

Directory Sync is the process of synchronizing user identities, groups, and related attributes between an organization's identity provider (such as Active Directory, OneLogin, or LDAP) and another system or application. This ensures that user accounts, roles, and permissions remain consistent across platforms, reducing administrative overhead and minimizing the risk of stale or incorrect identity or permission data. Directory synchronization can be one-way or bidirectional and is commonly used to automate onboarding, offboarding, and access updates in enterprise environments.

In OpenID Connect (OIDC), the Discovery Document is a JSON file published by the identity provider that describes its configuration, endpoints, and capabilities. It typically includes URLs for authorization, token, userinfo, and JSON Web Key Sets (JWKS), supported scopes, response types, grant types, and signing algorithms. Clients use this document to automatically configure themselves, ensuring they know where and how to make requests without requiring manual setup or hardcoding of endpoints.

Disposable Email Detection identifies and blocks the use of temporary email addresses, which are often used for fraudulent activities, ensuring that only legitimate users can sign up and interact with an application.

Dynamic Client Registration is an OAuth 2.0 and OpenID Connect feature that allows clients (applications) to register with an authorization server automatically at runtime, rather than requiring manual registration by an administrator. During this process, the client receives credentials such as a client_id and, if applicable, a client_secret. This enables scalable onboarding of new applications and automated workflows in environments where many clients need to connect to an identity provider without manual intervention.

End-to-End Encryption is a security approach where data is encrypted on the sender's device and only decrypted on the recipient's device, ensuring that no intermediate systems (including servers, service providers, or network nodes) can read the data in transit. This protects sensitive information from eavesdropping, interception, or unauthorized access. E2E encryption is commonly used in messaging apps, file storage, and authentication flows to ensure that only intended parties can access the plaintext data, even if the communication channel or server is compromised.

Elements refer to the library of unstyled, composable components for building custom UIs, allowing developers to create tailored authentication experiences that fit their application’s design.

An Email OTP (One-Time Password) is a single-use, time-limited code sent to a user's email address as part of an authentication or verification process. Users enter the OTP to prove ownership of the email account and complete actions such as sign-in, account recovery, or sensitive transactions. Email OTPs provide a simple, passwordless or multi-factor authentication method, but their security depends on the email account being secure, as interception or compromise of the inbox could allow unauthorized access.

Email spoofing is a technique where attackers forge the sender address of an email to make it appear as if it comes from a trusted source, often to carry out phishing or fraud. To combat this, organizations use authentication protocols like SPF, DKIM, and DMARC. SPF (Sender Policy Framework) specifies which mail servers are allowed to send emails on behalf of a domain. DKIM (DomainKeys Identified Mail) adds a cryptographic signature to outgoing emails, allowing recipients to verify the message hasn't been altered and is from the claimed sender. DMARC (Domain-based Message Authentication, Reporting & Conformance) builds on SPF and DKIM to provide domain owners with policies for handling unauthenticated emails and reporting on suspicious activity. Together, these mechanisms reduce the risk of spoofed emails reaching users and help protect brand reputation and security.

Embedded login refers to authentication flows that appear directly within your application's UI, for example app.company.com/login, allowing users to authenticate without leaving the app. This provides full control over the UI and UX but requires careful handling of credentials and other security tradeoffs. Hosted login, in contrast, redirects users to a provider-managed page, such as auth.provider.com, to handle sign-in, registration, or password recovery. The provider manages credentials and token issuance, reducing your app's exposure to sensitive data, though with less control over the user experience.

Encrypted cookies are HTTP cookies whose contents are encrypted before being sent to the client, ensuring that sensitive data such as session identifiers, authentication tokens, or user preferences cannot be read or tampered with by unauthorized parties. By encrypting the cookie payload, the server protects against data leakage and manipulation while still allowing the client to store and return the cookie on subsequent requests. Secure management of encryption keys and proper use of cookie attributes like Secure and HttpOnly are essential to maintain confidentiality and integrity.

Encryption at rest refers to the practice of encrypting data while it's stored on disk or in persistent storage, protecting it from unauthorized access if the storage medium is compromised. Encryption in transit secures data as it moves across networks, such as between clients, servers, and APIs, preventing eavesdropping or tampering. Together, these encryption strategies ensure that sensitive information like authentication tokens, personal data, or application secrets remains confidential and intact, both when stored and while being transmitted.

An Endpoint is a specific URL where an API can be accessed by a client application, serving as a communication point between different systems or components.

Entitlements are fine-grained rights assigned to a subject or resource, for example "invoice.read" on tenant X, used by authorization engines to determine access. They are often modeled as attributes separate from broader roles, enabling precise control over what actions a user or system can perform.

Environment Keys are configuration settings stored in environment variables, used to manage different environments (development, testing, production) in software applications.

Environment Variables are dynamic values that can affect the behavior of running processes, commonly used to configure applications without hardcoding sensitive information.

Ephemeral Keys are short-lived cryptographic keys created for temporary use in a specific session, handshake, or transaction and then destroyed. They limit blast radius if compromised and enable forward secrecy by ensuring that past encrypted data remains secure even if long-term keys are later compromised. Common use cases include TLS session keys, one-time API tokens, and temporary encryption keys for secure data exchange between clients and servers.

An event audit trail is a chronological record of actions and events within a system, capturing details such as who performed an action, what was done, when it occurred, and from where. In authentication and authorization contexts, audit trails often include logins, logouts, token usage, permission changes, and administrative actions. Maintaining detailed audit trails enable security teams to investigate incidents, verify compliance with regulations, and hold users or systems accountable for their actions.

Event webhooks are signed HTTP callbacks that notify external systems when specific events occur within an application or service. Instead of polling for updates, a system can subscribe to events and receive real-time notifications via HTTP requests to a configured endpoint. Payloads are authenticated with a shared secret or key pair and include timestamps/ids to detect replay.

Evidence of consent is a record that demonstrates a user has knowingly and voluntarily granted permission for an application or service to access their data or perform specific actions on their behalf. This may include timestamps, the scopes or permissions granted, the interface where consent was given, and the user or device identity. This creates an auditable trail that organizations can reference during privacy reviews, compliance audits, or if users later dispute their consent decisions.

Expo is a framework and platform for universal React applications, providing tools and services to build, deploy, and manage native apps for iOS and Android.

Fingerprinting is a technique used to uniquely identify devices and users based on their browser and device characteristics, enhancing security measures and preventing unauthorized access.

Firebase is a platform developed by Google for creating mobile and web applications, offering services like real-time databases, authentication, and cloud storage.

First Day Free means no charges for users who sign up but never return. Users are only counted as active when they come back after 24 hours, ensuring fair and user-friendly billing practices.

A Framework is a platform for developing software applications that provides foundational structures and tools, such as React, Next.js, Remix, and Expo to streamline the development process.

A Frontend API is an interface that allows client-side applications to interact with backend services, providing secure and straightforward methods for implementing features directly within the application’s frontend.

Gatsby is a React-based open-source framework for building fast, scalable, and secure static websites and applications with a focus on performance and developer experience.

A GitHub Repository is a storage space on GitHub where code, documentation, and other project files are managed and shared, facilitating collaboration and version control among developers.

Hardware Keys are physical devices used for authentication that generate and store cryptographic keys, providing an additional layer of security. Examples include USB security keys like YubiKey, which are used in two-factor authentication (2FA) and multi-factor authentication (MFA) processes to ensure secure access to systems and data.

Hashing is a way of converting data into a unique, fixed-length code that acts like a digital fingerprint. When a piece of information is run through a hashing process, it creates a specific string of characters that uniquely represents the original data. The hash can verify that the original data hasn't been changed, and cannot be 'decoded' to recreate the original information. The same input will always produce the same hash, and different inputs will typically produce different hashes. One piece of data can have multiple types of hashes generated from it depending on the specific purpose, such as checking if a password is correct or ensuring a file hasn't been tampered with.

Hash Routing is a routing method that uses the URL hash (fragment identifier) to manage navigation and rendering of components in a single-page application.

The Health Insurance Portability & Accountability Act (HIPAA) is a U.S. law designed to provide privacy standards to protect patients’ medical records and other health information provided to health plans, doctors, hospitals, and other healthcare providers.

HttpOnly cookies are a type of browser cookie that is inaccessible to JavaScript, providing an additional layer of security by mitigating the risk of client-side script attacks like Cross-Site Scripting (XSS).

Identity Provider Single Sign-On (IdP SSO) is a service that allows users to authenticate once and gain access to multiple applications and services without needing to log in separately to each one.

Integration refers to the process of connecting different systems, applications, or services to work together seamlessly, enabling data exchange and functional cooperation.

An Isolated user-pool is a user management system where each application has its own separate pool of user accounts, ensuring isolation and independence between applications.

A JSON Web Token (JWT) is a compact, URL-safe token used for securely transmitting information between parties as a JSON object, commonly used in authentication and authorization.

Least Privilege Access is a security principle where users, applications, and systems are granted the minimum access necessary to perform their tasks, reducing risk.

A Loader Function is a function that fetches or prepares data needed for rendering a component or page in a web application.

Magic Links are a passwordless authentication method where users receive a link via email or SMS that, when clicked, automatically logs them into the application.

Middleware is software that acts as a bridge between an operating system or database and applications, especially on a network, enabling communication and data management.

Monthly Active Users (MAUs) is a metric that counts the number of unique users who interact with an application or service within a given month, indicating user engagement and growth.

Multi-factor Authentication (MFA) is a security process that requires users to provide two or more verification factors to gain access to a resource, enhancing security beyond just a username and password.

Multi-Tenancy is an architecture in which a single instance of software serves multiple customers (tenants), with each tenant’s data isolated and invisible to others.

Next.js is a React-based framework that enables server-side rendering and static site generation for building fast, scalable web applications.

Node Package Manager (NPM) is a package manager for JavaScript that allows developers to install, share, and manage dependencies for their projects.

OAuth is an open standard for access delegation commonly used as a way to grant websites or applications limited access to user information without exposing passwords.

OAuth Scopes define the specific permissions granted to a client application, determining the actions or resources it can access when interacting with a protected API.

One-Time Passcodes (OTP) are temporary codes sent via email or SMS that users enter to verify their identity, commonly used in two-factor authentication processes.

An opaque token is a type of access token that is not human-readable and cannot be easily inspected or decoded. It is used to authenticate requests to a protected resource. Opaque tokens are normally verified with a network call to the issuer rather than a digital signature verification, and can be revoked immediately -- both properties that are different from JWTs.

OpenID Connect is an identity layer on top of the OAuth 2.0 protocol, allowing clients to verify the identity of end-users based on authentication performed by an authorization server.

Organizations in user management refer to groups or entities that manage multiple users, roles, and permissions within a larger structure, often used in enterprise applications.

The OWASP Application Security Verification Standard (ASVS) is a framework for testing the security of web applications and ensuring they meet specific security requirements. It provides a basis for designing, building, and testing secure applications by defining levels of security controls. ASVS is widely used by developers and security professionals to standardize security requirements and assessments.

The OWASP Testing Guide is a resource by the Open Web Application Security Project that outlines best practices for testing web application security. It covers vulnerabilities like authentication, data validation, and session management, helping security professionals enhance web application security.

A Pages Router is a routing mechanism that maps URLs to specific pages or components in a web application, often used in frameworks like Next.js.

Passkeys are cryptographic keys used for secure authentication, replacing traditional passwords with more secure alternatives like biometrics or hardware tokens.

Path Routing is a routing method that uses the URL path to determine which component or page to render in a web application.

A Pen Test (Penetration Test) is a simulated cyber attack against a system to check for exploitable vulnerabilities, helping to identify and fix security weaknesses.

A personal account is a user’s unique, individual space within the application, independent of any organization.

Primitives are the basic building blocks or fundamental elements used in programming and design, such as data types in a programming language or basic UI components in a design system.

Public Metadata refers to metadata that is publicly accessible and can be used to store additional information about users or resources in a transparent manner.

A Publishable Key is a public API key used to identify a client application in API requests, typically safe to expose in client-side code.

Rails (Ruby on Rails) is a server-side web application framework written in Ruby, designed to make web development faster and easier by providing default structures for databases, web services, and pages.

Rate Limiting is a technique used to control the amount of incoming or outgoing traffic to or from a network, API, or web service, preventing abuse and ensuring fair usage.

React is a popular JavaScript library for building user interfaces, particularly single-page applications, using a component-based architecture.

React Server Components are a feature in React that allows developers to build components that run on the server, providing better performance and improved user experience.

Recovery Codes are backup codes provided during the setup of two-factor authentication, allowing users to regain access to their accounts if they lose their primary authentication method.

Redwood is a full-stack JavaScript framework designed to help developers build and deploy modern web applications quickly, integrating React, GraphQL, and Prisma.

Remix is a full-stack web framework that enables developers to build fast, scalable, and dynamic web applications with a focus on user experience and performance.

Role Based Access Control (RBAC) is a security model that restricts system access based on roles assigned to users, ensuring that users have appropriate permissions for their roles.

Roles define a set of permissions and access levels assigned to users within an application, determining what actions they can perform and what resources they can access.

A Root Loader is a function or component that loads initial data or performs setup tasks when the root of an application or route is accessed.

rootAuthLoader is a specific loader function responsible for handling authentication logic at the root level of an application, ensuring that user authentication state is properly managed.

Route-Specific Authentication is the practice of applying authentication requirements to specific routes or endpoints within an application, ensuring secure access to sensitive resources.

A Secret Key is a cryptographic key used to secure data, often involved in encryption, decryption, and authentication processes, and should be kept confidential.

Security Assertion Markup Language (SAML) is an open standard for exchanging authentication and authorization data between parties, particularly between an identity provider and a service provider.

A session represents an instance in which a user has signed in and is authenticated. Normally, when a user signs in successfully, a session is created and typically stored in a database, along with the user's ID, a status (active, revoked, expired, etc) and an expiration time, at miniumum. The session must be active and not expired in order for the user to be seen as authenticated. One user can, and typically does, have multiple sessions. Each time the user signs in, whether on the same or a different device, creates a new session.

Session Fixation is a security vulnerability where an attacker tricks a user into using a known session ID, allowing the attacker to hijack the session once the user logs in.

Session Leak Protection involves measures to prevent the unintended exposure of session identifiers, which could be exploited by attackers to hijack user sessions.

Session Lifecycle refers to the stages a user session goes through from creation, maintenance, and termination, including management of session state and expiration.

Session Management is the process of handling user sessions in a web application, ensuring secure creation, maintenance, and termination of sessions to prevent unauthorized access.

Session Revocation is the process of invalidating a user session, typically used to force logout a user or end a session due to security concerns.

A Shared user-pool is a user management system where multiple applications share the same pool of user accounts, allowing for centralized authentication and user management.

Single Sign-On (SSO) is an authentication process that allows a user to access multiple applications with one set of login credentials, simplifying user management and enhancing security.

SMS Passcodes are one-time codes sent via SMS to a user’s mobile phone, used for verifying identity and enhancing security in two-factor authentication processes.

SOC 2 (Service Organization Control 2) is a set of standards for managing customer data based on five "trust service principles"—security, availability, processing integrity, confidentiality, and privacy.

A Software Development Kit (SDK) is a collection of tools, libraries, and documentation that developers use to create applications for specific platforms or frameworks.

Source Code is the human-readable set of instructions that define what a software program does, written in a programming language and maintained in a version control system.

Supabase is an open-source backend-as-a-service that provides developers with a real-time database, authentication, and storage solutions, simplifying the creation of modern web applications.

Tailwind CSS is a utility-first CSS framework that provides low-level utility classes to build custom designs directly in the markup, offering flexibility and efficiency in styling web applications.

Testing Tokens are tokens used in the development and testing phases to simulate authentication and authorization processes without using real user credentials.

User enumeration is a technique to determine whether a user account exists on an application, by detecting when failed authentication attempts still return information about the existence or non-existence of user accounts.

User Interface Components are reusable building blocks used to create the visual elements of a web application, such as buttons, forms, and navigation bars.

User Management involves the processes and tools for managing user accounts, roles, permissions, and authentication within an application, ensuring secure and efficient access control.

A User Profile is a collection of personal data and preferences associated with a user account, providing a personalized experience within an application.

useSession is a React hook used in web development to manage user session state, providing authentication status and session details, and enabling sign-in and sign-out actions. It helps conditionally render content based on user login status.

Virtual Routing is a routing technique that manages navigation and rendering of views in a web application without changing the URL, often used in client-side routing libraries.

A Webhook is an HTTP callback that allows one system to send real-time data to another system as soon as an event occurs, commonly used for integrating different services.