Skip to content

Glossary

Short definitions for SigID product, OAuth, identity, tenant, agent, wallet, and webhook terms. Values shown in backticks use the API, token, or serialized spelling.

Term Meaning
AAL Authentication Assurance Level. SigID uses assurance levels such as AAL1, AAL2, and AAL3 to describe how strongly a user authenticated.
ACR Authentication Context Class Reference. OIDC clients can request ACR values when they need a minimum authentication assurance level.
Access token Token presented to APIs as proof that the caller has authenticated and has been granted specific scopes or authorization context.
Active organization Organization context selected for the current user session. Tokens may include an org claim when an organization is active.
Actor claim The OAuth token exchange act claim that records the actor, often an agent, acting for the token subject. Nested actor claims represent a delegation chain.
Agent Software principal with its own SigID identity, lifecycle, keys, anchors, and optional capabilities. Agents are distinct from human users.
Agent key Cryptographic key registered to an agent for challenge-response authentication, signing, or key rotation.
Agent status Agent lifecycle state such as pending, active, suspended, deleted, or revoked.
AMR Authentication Methods References. Token claim describing methods used during authentication, such as password, MFA, OTP, federation, or proof-of-possession.
API key User-owned credential for calling SigID APIs where API key authentication is enabled. The self-service API key flow returns the raw key only once at creation.
Application OAuth client configuration inside a tenant. Applications define client IDs, redirect URIs, token endpoint auth method, scopes, origins, and related OAuth settings.
Audience Token recipient that an API must validate before accepting a token. The aud claim should match the protected resource.
Audit log Record of security-relevant, administrative, or operational activity used for investigation, compliance, and support.
Authorization Code with PKCE OAuth flow for browser, mobile, desktop, and native app login without exposing client secrets to public clients.
Authorization snapshot version Token version claim that records authorization state at mint time, such as tenant, subject, organization, or actor authorization version when present.
Break-glass administrator Emergency administrator account or recovery path kept outside normal enforcement failure modes.
Chain family Blockchain address and signing family for wallets. SigID wallet code supports evm and solana families.
Chain ID Wallet network identifier that includes the chain family, such as evm:1 or solana:mainnet-beta.
CIBA OpenID Connect Client-Initiated Backchannel Authentication for clients that cannot redirect the user through a browser.
Claims parameter OIDC request parameter used to ask for specific ID token or UserInfo claims.
Client credentials OAuth flow for service clients acting as themselves rather than on behalf of a human user.
Client secret Secret value used by confidential clients at the token endpoint. It must stay on the server side.
Confidential client OAuth client that can keep credentials secret, such as a backend web application or server-side service.
cnf claim Confirmation claim used for sender-constrained tokens, including DPoP-bound tokens with a public key thumbprint.
Consent User approval for an application to receive scopes, profile claims, connected-app access, or delegated authority.
Consent grant Stored authorization showing that a user approved an application or delegated access until it expires or is revoked.
Connected app Application with an active consent grant or connection to the user's SigID account.
Delegation Scoped authority granted from one subject to another, often from a human to an agent. Delegation can be narrowed by scopes, expiry, policy, rate limits, and wallet spend controls.
Delegation chain Multi-level delegation path represented by parent delegation records and nested act claims in delegated tokens.
Device Authorization OAuth flow for CLIs, televisions, and input-constrained devices where the user approves a device code on another screen.
DPoP Demonstrating Proof of Possession. OAuth mechanism that binds a token to client-held key material.
Dynamic Client Registration OAuth/OIDC mechanism for creating clients through a registration endpoint when the deployment enables it.
Enterprise SSO Organization-managed sign-in through an external OIDC identity provider, routed by verified domains or organization policy.
Event type Dotted event name such as auth.login.success or tenant_user.suspended.
Global account User-owned SigID account reused across tenant applications. Tenant applications should still store tenant-local subjects for app identity.
Hosted auth SigID-hosted authentication and consent surface where applications redirect users for login, MFA, SSO routing, consent, and OAuth authorization.
ID token OIDC token containing claims about the authenticated user for the client. APIs should generally authorize with access tokens, not ID tokens.
Identity anchor Agent identity proof or registration method, such as erc8004, did_web, did_key, or client_credentials.
Identity portal User-facing surface for account security, authenticators, sessions, app permissions, linked sign-in providers, delegations, and related user settings.
Identity session Global SigID session used by first-party identity surfaces. OAuth application sessions are separate application-owned sessions.
Idempotency key Client-provided retry key, sent as idempotency-key, that lets supported write endpoints avoid duplicate side effects.
Introspection OAuth endpoint for trusted backends to check whether a token is active and inspect returned token metadata.
JTI JWT ID claim used to identify a specific token for tracking, replay defense, and revocation-related workflows.
JWKS JSON Web Key Set used by applications and APIs to validate JWT signatures.
Known device Device record recognized by SigID from prior sign-in activity. Known devices help users review and manage account access.
MCP Model Context Protocol, used by agents and MCP servers to expose tools and resources to AI clients.
MFA policy Tenant policy that controls when multi-factor authentication is required: optional, required for all users, or required for admins only.
OAuth Protected Resource Metadata Discovery metadata that helps OAuth-aware clients understand a protected resource's issuer and authorization requirements.
OpenAPI Machine-readable API description exposed by deployments for generated clients, documentation, and integration tooling.
Organization Shared business account, workspace, department, or customer unit inside a tenant.
Organization member User membership inside an organization, with organization-specific role and access context.
Pairwise subject Tenant- or sector-scoped OIDC sub value used for eligible third-party user or agent tokens. First-party, system, and some client-credentials tokens may use non-pairwise subjects.
Passkey Phishing-resistant WebAuthn credential used for primary sign-in.
Security key Device-bound hardware WebAuthn credential used as a second factor.
Policy Conditional authorization rule applied after authentication and scope checks.
Principal Authenticated subject plus tenant-scoped authorization context, including scopes, roles, tenant, session, organization, and delegation data when present.
Problem Details RFC 7807 style API error response shape used by SigID API errors, alongside OAuth-compatible error fields where applicable.
Provisioning source Source that created or linked a tenant user, such as manual, invite, scim, sso, domain_auto_join, or self_service.
Public client OAuth client that cannot safely keep a client secret, such as a browser-only, mobile, desktop, or CLI app. Public clients should use PKCE.
Pushed Authorization Request OAuth request pattern where authorization parameters are posted to the server before browser redirect.
Refresh token Credential used to obtain new access tokens without another interactive login, when the flow and policy allow it.
Refresh-token family Group of related refresh tokens created through rotation. Family-level revocation can invalidate access tokens minted by that family when token claims include the family ID.
Revocation OAuth endpoint or action used to revoke refresh tokens, token families, or other credentials.
Rich Authorization Request OAuth request parameter for structured, fine-grained authorization details.
Role Named tenant or organization authorization bundle used by policies and management APIs.
Scope Permission string requested by an application, API, or agent and carried in tokens when granted.
SCIM Directory provisioning protocol for creating, updating, suspending, and removing users from an external identity system.
SIWE Sign-In with Ethereum wallet authentication.
SigID Passport User-facing name for the global SigID account that can activate access across tenant applications.
Signing backend Where wallet signing keys are held and used. SigID wallet backends include software, hsm, and tss.
SSO policy Policy controlling whether sessions are tenant-wide or app-scoped, with app-level overrides able to override tenant defaults.
SSO provider Enterprise identity provider used by an organization for login.
Subject Actor in authorization. SigID subject types are human, agent, system, and anonymous.
Subject type Classification attached to a subject or token so APIs can distinguish human users, agents, system principals, and anonymous subjects.
Tenant Isolation and administration boundary that owns applications, users, organizations, policies, agents, webhooks, billing, and audit context.
Tenant-local subject Stable subject identifier within one tenant. It may be pairwise in eligible third-party contexts; use the validated sub claim together with tenant context as an application user key.
Tenant user Membership record connecting a global account or invited email to a tenant. It is not the same as the global SigID account.
Tenant user status Tenant membership state such as pending, active, suspended, or removed.
Token endpoint auth method Method an OAuth client uses at /oauth/token, such as none, client_secret_post, client_secret_basic, or configured private_key_jwt.
Token exchange OAuth flow used to mint a reduced delegated token from a subject token and, when required, an actor token.
Trusted device Device trusted for a bounded period so policy may skip repeated MFA prompts. Trust can expire, be cleared, or be revoked.
UserInfo OIDC endpoint that returns user claims based on the access token and granted scopes.
Vault Credential store for third-party service secrets, tokens, and tool access.
Vault grant Authorization that allows a subject to access a specific stored credential without exposing broader vault contents.
Verification flags Additive agent verification proofs such as key ownership, proof-of-work, ERC-8004 verification, DID verification, reputation threshold, and owner verification.
Verified domain Organization domain that has passed ownership verification and can be used for SSO routing or domain-based membership behavior.
Wallet Managed or referenced account used for signing blockchain transactions under SigID authorization controls.
Wallet budget Per-transaction, daily, monthly, and allowlist limits applied to managed wallet signing operations.
Wallet model Wallet custody and execution model. SigID wallet models include delegated_eoa, self_custody, and smart_account.
Webhook delivery Signed HTTP event sent to a tenant receiver, with delivery state tracked for retries and troubleshooting.
Webhook signing secret Secret used by a receiver to verify that webhook deliveries came from SigID.
Webhook subscription Tenant configuration that selects an endpoint and subscribed event types.