Skip to main content

CIAM glossary

Access token

The access token is a term defined by the [OAuth 2.0 protocol](, it is a credential that an application can use to access an API. It tells the API that the token bearer is authorized to access the API and that it can perform actions specified in the scope granted. The access token can be in any format, two popular options are opaque strings and JSON Web Tokens (JWT). These are sent to the API as a Bearer credential in an HTTP Authorization header. Identity Cloud issues access tokens in JWT format.

Authentication factor

An authentication factor is some kind of evidence helping verify a user’s identity. The most common authentication factors are

  • Knowledge, also referred to as “What you know”, for example, passwords or PIN codes.
  • Possession, also referred to as “What you have”, for example, registered devices and security keys.
  • Biometric, also referred to as “what you are”, for example, fingerprints and facial recognition.

Authentication server

The authentication server verifies that a user or entity is who they say they are, by username and password, email link or passwordless authentication for example. The authentication server is not responsible for defining the level of access a user or entity has to protected resources after they have been authenticated. This is then handled by the authorization server.

Authenticator app

Authenticator apps are for example mobile applications, or any piece of software that implements the TOTP OATH algorithm. It helps securely verify your identity. With Identity Cloud the Time-based one-time password method uses passwords generated by a third-party authenticator application for authentication of the users.

Authorization code

The authorization code is a code generated by the authentication server for single-use, presented to the client. This code is exchanged by the client for an access token with the token endpoint when using the authorization code grant type.

Authorization endpoint

The authorization endpoint can be used to request an authorization code by performing an end-user authentication. You can exchange this code at the token endpoint for an access token. Depending on the requested scopes, an ID token or refresh token can additionally be retrieved.

Bearer token

A bearer token implies that the party that possesses the bearer token is authorized and can use it to access protected APIs.

Biometric authentication

Biometric authentication completes the validation of a person’s identity based on certain physical or behavioral characteristics. Biometric authentication examples include fingerprints, and facial recognition. With Identity Cloud, authentication with Passkeys and authentication with Access app use biometric authentication.


A claim is a statement that an entity, a user or an application makes about itself or another entity. Claims are attributes included in tokens and are used by applications to define the correct level of access to grant.

Client ID

Client ID is the unique public identifier of your application. Identity Cloud generates the Client ID for you.

Client secret

The Client secret is used by applications with a server-side component. Client secrets increase security as they are only known by your application and the authorization server. Identity Cloud generates a random Client secret for you.

Client-to-authentication protocol

The Client-to-Authenticator Protocol (CTAP) is a protocol hosted by the FIDO Alliance. It governs the communication between roaming authenticators and client applications. The latest version of the protocol (CTAP2) is part of the FIDO2 specification, and helps organizations to achieve passwordless authentication.

Customer identity and access management (CIAM)

Customer identity and access management (CIAM) is an identity technology type that helps organizations manage customer identities. It provides security and enhances user experience. The primary purpose of CIAM is to help organizations provide a great experience to their customers, while protecting their user data. It provides a centralized platform to handle registration, authentication, authorization and profile management across digital channels.

Federated identity

Federated identity is a method that links a user’s identity across multiple identity management systems. With federated identity, authorized users can access multiple applications without having to provide dedicated credentials for each application. Federated identity management protocols and standards include SAML, OAuth 2.0, and OpenID Connect.


FIDO2 is an open standard that enables passwordless login to applications for users on desktop and mobile environments. User identity validation happens with registered devices or FIDO2 security keys. The two FIDO2 components are Web Authentication API (WebAuthn) and the Client-to-Authenticator Protocol (CTAP2). Learn more about FIDO2.

ID token

An ID token is a Base 64 encoded token introduced by OpenID Connect (OIDC). It confirms to the client that the user is authenticated, and passes certain claims about the user.

Identity proofing

Identity proofing verifies that the identity a user claims matches their actual identity. Identity proofing happens based on information aggregated from public and proprietary data sources. It is usually done before the user is presented with credentials or parallel to the authentication process.

Identity provider (IdP)

An identity provider is the entity that completes user authentication and passes authentication and authorization attributes on to the service provider. Learn more about the involved entities here.

JSON web token

A JSON Web Token (JWT) (pronounced “jot”) is an industry standard method for transmitting claims information securely between two parties. According to OpenID Connect, an ID token is always a JWT, which is usually more compact and easier to process than other tokens.

Magic links, also referred to as email links are URLs with embedded tokens that allow users to log in without having to present a password. These links are most commonly delivered to the user’s email, sent via SMS and other messaging services.

Multi-factor authentication (MFA)

Multi-factor authentication provides an additional layer of authentication on top of logging in with a password. It requires that users provide two or more pieces of evidence to verify their identity.

Identity cloud supports the following second factors for Multi-factor authentication:


OAuth 2.0 is an authorization framework that grants users access to a protected resource, to a third-party application or client. Learn more about OAuth 2.0.

OpenID connect

OpenID Connect (OIDC) extends the OAuth 2.0 authorization protocol to be used as an additional authentication protocol. OIDC can be used to enable single sign-on (SSO) between OAuth-enabled applications by using ID tokens.


Passwordless authentication is verifying the identity of a user without using a passwords. One-time passwords, biometric authentication, magic links, and social logins are some examples of passwordless authentication.

Identity cloud supports the following authentication methods for Passwordless authentication:

Proof key for code exchange (PKCE)

Proof Key for Code Exchange (PKCE) extends the OAuth 2.0 protocol by adding an extra layer of security to the authorization code flow. Unauthorized access is prevented with the dynamic secret keys generated to exchange the authorization code for an access token.

Refresh token

A refresh token is an opaque string that can be exchanged for an Access Token. Refresh tokens typically have a long lifetime to avoid that users have to log in frequently. With Identity Cloud you can configure the lifetime of refresh tokens on theApplication settings screen.

Relying party

A relying party is a server handling the requests for access to protected resources. It is also called a “claims-based application” as it relies on claims about the entity requesting access, made by a user, device, or that are passed on from an identity provider.


The relying party can be SAML or FIDO

Resource owner

The resource owner is an entity, a user or application that is able to authorize the client application to access their account or protected resources.

Resource server

Resource Server is a term used in OAuth 2.0 and OpenID Connect. It refers to a server-side component that provides (or controls access to) a REST API.


A role logically groups a set of application permissions. The administrator can manage the permissions of users by assigning roles to them. The permission concept provides an overview of how permissions, applications, roles, and users are connected.

Role based access control (RBAC)

Role-based access control (RBAC) is the concept assigning permissions to users based on roles within a business entity. It is a simple, manageable approach for access management with less error probability than individual permission assigning.

Security assertion markup language (SAML)

Security Assertion Markup Language (SAML) is an XML-based open standard with which users can access multiple web applications using one set of login credentials. It enables the identity provider and the service provider to exchange authentication details without the use of passwords. SAML is the standard for SSO.


Scopes are OAuth standard-defined mechanisms that allow an application to request limited, granular access to users data. A client application can request one or more allowed scopes. The scope information is then added to the claim scope of the access token issued to the client application. In Identity Cloud, consent to requested scopes is always implicitly given, as there is no user-consent page.

Service provider

A service provider is what the user wants to access, an application or an entity. Before it grants access, the service provider needs to receive trusted authentication and authorization attributes from the identity provider. Typically used in the context of SAML.


A session is a set of intercommunications between a consumer and an application within a given time frame. For example, when a user performs a new login, it creates a user session. The session determines whether the user is authenticated each time a request is made.

Single sign-on (SSO)

Single sign-on (SSO) is an authentication method for users to securely log into multiple applications using one set of login credentials. It is often used in business context as it helps reduce the need for users to create and remember passwords for every individual application.

Social login

Social login is an authentication method where users can log into third-party applications using already existing login credential from social networking sites such as Google, Facebook, Apple and Microsoft.

Token endpoint

The token endpoint is used by the client to obtain an access token, by presenting its authorization grant or refresh token.

The token endpoint is provided by Identity Cloud and is used with every authorization grant.


A One-time password (OTP) is a password used in a credential pair valid for only one login session. They are used to minimize risks of traditional, static password-based authentication. It makes passwords variable by operation. A Time-based One-time Password (TOTP) is an OTP that is time-based. The algorithm that generates it uses the current time as one of its authentication factors.

Two-factor authentication (2FA)

*Two-factor authentication is an authentication method that requires two, separate forms of identification to access user accounts or data. With this method, a trusted device or phone number can verify the identity of a user at an access attempt. Therefore, two-factor authentication provides an extra layer of security to your system.

Universal authentication framework (UAF)

The Universal Authentication Framework (UAF) is an authentication standard that was created by the FIDO Alliance. In UAF, users authenticating to a service or solution use one or more security factors on their devices to release a private key. This private key is used to sign the challenge the FIDO UAF Server issues. The user verification mechanism to unlock the private key on the devices can be biometric, knowledge-based, or possession-based. The FIDO UAF protocol is used by the Nevis Access app.

User agent

A user agent is a software or program acting on behalf of the user, for example web browsers, or email readers.

User authentication

User authentication is the process of verifying that a user is who they claim they are. It is typically the first step when a user interacts with an application.

Web authentication (WebAuthn)

Web Authentication API (WebAuthn) is an open standard that uses public-key cryptography to register and authenticate users during their interactions with an application. WebAuthn uses possession-based and biometric authentication, for example registered devices and hardware security keys to make the user experience more secure and convenient.